Define a Sourcing Strategy for Your Development Team

  • Buy Link or Shortcode: {j2store}161|cart{/j2store}
  • member rating overall impact (scale of 10): N/A
  • member rating average dollars saved: N/A
  • member rating average days saved: N/A
  • Parent Category Name: Development
  • Parent Category Link: /development
  • Hiring quality development team resources is becoming increasingly difficult and costly in most domestic markets.
  • Firms are seeking to do more with less and increase their development team throughput.
  • Globalization and increased competition are driving a need for more innovation in your applications.
  • Firms want more cost certainty and tighter control of their development investment.

Our Advice

Critical Insight

  • Choosing the right sourcing strategy is not just a question of technical skills! Successful sourcing is based on matching your organization’s culture, knowledge, and experiences to the right choice of internal or external partnership.

Impact and Result

  • We will help you build a sourcing strategy document for your application portfolio.
  • We will examine your portfolio and organization from three different perspectives to enable you to determine the right approach:
    • From a business perspective, reliance on the business, strategic value of the product, and maturity of product ownership are critical.
    • From an organizational perspective, you must examine your culture for communication processes, conflict resolution methods, vendor management skills, and geographic coverage.
    • From a technical perspective, consider integration complexity, environmental complexity, and testing processes.

Define a Sourcing Strategy for Your Development Team Research & Tools

Besides the small introduction, subscribers and consulting clients within this management domain have access to:

1. Define a Sourcing Strategy for Your Development Team Storyboard – A guide to help you choose the right resourcing strategy to keep pace with your rapidly changing application and development needs.

This project will help you define a sourcing strategy for your application development team by assessing key factors about your products and your organization, including critical business, technical, and organizational factors. Use this analysis to select the optimal sourcing strategy for each situation.

  • Define a Sourcing Strategy for Your Development Team Storyboard

2. Define a Sourcing Strategy Workbook – A tool to capture the results of activities to build your sourcing strategy.

This workbook is designed to capture the results of the activities in the storyboard. Each worksheet corresponds with an activity from the deck. The workbook is also a living artifact that should be updated periodically as the needs of your team and organization change.

  • Define a Sourcing Strategy Workbook
[infographic]

Further reading

Define a Sourcing Strategy for Your Development Team

Choose the right resourcing strategy to keep pace with your rapidly changing application and development needs.

Analyst Perspective

Choosing the right sourcing strategy for your development team is about assessing your technical situation, your business needs, your organizational culture, and your ability to manage partners!

Photo of Dr. Suneel Ghei, Principal Research Director, Application Development, Info-Tech Research Group

Firms today are under continuous pressure to innovate and deliver new features to market faster while at the same time controlling costs. This has increased the need for higher throughput in their development teams along with a broadening of skills and knowledge. In the face of these challenges, there is a new focus on how firms source their development function. Should they continue to hire internally, offshore, or outsource? How do they decide which strategy is the right fit?

Info-Tech’s research shows that the sourcing strategy considerations have evolved beyond technical skills and costs. Identifying the right strategy has become a function of the characteristics of the organization, its culture, its reliance on the business for knowledge, its strategic value of the application, its vendor management skills, and its ability to internalize external knowledge. By assessing these factors firms can identify the best sourcing mix for their development portfolios.

Dr. Suneel Ghei
Principal Research Director, Application Development
Info-Tech Research Group

Executive Summary

Your Challenge
  • Hiring quality development team resources is becoming increasingly difficult and costly in most domestic markets.
  • Firms are seeking to do more with less and increase their development team throughput.
  • Globalization and increased competition is driving a need for more innovation in your applications.
  • Firms want more cost certainty and tighter control of their development investment.
Common Obstacles
  • Development leaders are encouraged to manage contract terms and SLAs rather than build long-term relationships.
  • People believe that outsourcing means you will permanently lose the knowledge around solutions.
  • Moving work outside of the current team creates motivational and retention challenges that can be difficult to overcome.
Info-Tech’s Approach
  • Looking at this from these three perspectives will enable you to determine the right approach:
    1. From a business perspective, reliance on the business, strategic value of the product, and maturity of product ownership are critical.
    2. From an organizational perspective, you must examine your culture for communication processes, conflict resolution methods, vendor management skills, and geographic coverage
    3. From a technical perspective, consider integration complexity, environment complexity, and testing processes.

Info-Tech Insight

Choosing the right sourcing strategy is not just a question of technical skills! Successful sourcing is based on matching your organization’s culture, knowledge, and experiences to the right choice of internal or external partnership.

Define a sourcing strategy for your development team

Business
  • Business knowledge/ expertise required
  • Product owner maturity
Technical
  • Complexity and maturity of technical environment
  • Required level of integration
Organizational
  • Company culture
  • Desired geographic proximity
  • Required vendor management skills
  1. Assess your current delivery posture for challenges and impediments.
  2. Decide whether to build or buy a solution.
  3. Select your desired sourcing strategy based on your current state and needs.
Example sourcing strategy with initiatives like 'Client-Facing Apps' and 'ERP Software' assigned to 'Onshore Dev', 'Outsource Team', 'Offshore Dev', 'Outsource App (Buy)', 'Outsource Dev', or 'Outsource Roles'.

Three Perspectives +

Three Steps =

Your Sourcing Strategy

Diverse sourcing is used by many firms

Many firms across all industries are making use of different sourcing strategies to drive innovation and solve business issues.

According to a report by ReportLinker the global IT services outsourcing market reached US$413.8 billion in 2021.

In a recent study of Canadian software firms, it was found that almost all firms take advantage of outside knowledge in their application development process. In most cases these firms also use outside resources to do development work, and about half the time they use externally built software packages in their products (Ghei, 2020)!

Info-Tech Insight

In today’s diverse global markets, firms that wish to stay competitive must have a defined ability to take advantage of external knowledge and to optimize their IT services spend.

Modeling Absorptive Capacity for Open Innovation in the Canadian Software Industry (Source: Ghei, 2020; n=54.)

56% of software development firms are sourcing applications instead of resources.

68% of firms are sourcing external resources to develop software products.

91% of firms are leveraging knowledge from external sources.

Internal sourcing models

Insourcing comes in three distinct flavors

Geospatial map giving example locations for the three internal sourcing models. In this example, 'Head Office' is located in North America, 'Onshore' is 'Located in the same area or even office as your core business resources. Relative Cost: $$$', 'Near Shore' is 'Typically, within 1-3 time zones for ease of collaboration where more favorable resource costs exist. Relative Cost: $$', and 'Offshore' is 'Located in remote markets where significant labor cost savings can be realized. Relative Cost: $'.

Info-Tech Insight

Insourcing allows you to stay close to more strategic applications. But choosing the right model requires a strong look inside your organization and your ability to provide business knowledge support to developers who may have different skills and cultures and are in different geographies.

Outsourcing models

External sourcing can be done to different degrees

Outsource Roles
  • Enables resource augmentation
  • Typically based on skills needs
  • Short-term outsourcing with eventual integration or dissolution
Outsource Teams (or Projects)
  • Use of a full team or multiple teams of vendor resources
  • Meant to be temporary, with knowledge transfer at the end of the project
Outsource Products
  • Use of a vendor to build, maintain, and support the full product
  • Requires a high degree of contract management skill

Info-Tech Insight

Outsourcing represents one of the most popular ways for organizations to source external knowledge and skills. The choice of model is a function of the organization’s ability to support the external resources and to absorb the knowledge back into the organization.

Defining your sourcing strategy

Follow the steps below to identify the best match for your organization

Review Your Current Situation

Review the issues and opportunities related to application development and categorize them based on the key factors.

Arrow pointing right. Assess Build Versus Buy

Before choosing a sourcing model you must assess whether a particular product or function should be bought as a package or developed.

Arrow pointing right. Choose the Right Sourcing Strategy

Based on the research, use the modeling tool to match the situation to the appropriate sourcing solution.

Step 1.1

Review Your Current Situation

Activities
  • 1.1.1 Identify and categorize your challenges

This step involves the following participants:

  • Product management team
  • Software development leadership team
  • Key stakeholders
Outcomes of this step

Review your current delivery posture for challenges and impediments.

Define a Sourcing Strategy for Your Development Team
Step 1.1 Step 1.2 Step 1.3

Review your situation

There are three key areas to examine in your current situation:

Business Challenges
  • Do you need to gain new knowledge to drive innovation?
  • Does your business need to enhance its software to improve its ability to compete in the market?
  • Do you need to increase your speed of innovation?

Technology Challenges

  • Are you being asked to take tighter control of your development budgets?
  • Does your team need to expand their skills and knowledge?
  • Do you need to increase your development speed and capacity?

Market Challenges

  • Is your competition seen as more innovative?
  • Do you need new features to attract new clients?
  • Are you struggling to find highly skilled and knowledgeable development resources?
Stock image of multi-colored arrows travelling in a line together before diverging.

Info-Tech Insight

Sourcing is a key tool to solve business and technical challenges and enhance market competitiveness when coupled with a robust definition of objectives and a way to measure success.

1.1.1 Identify and categorize your challenges

60 minutes

Output: List of the key challenges in your software lifecycle. Breakdown of the list into categories to identify opportunities for sourcing

Participants: Product management team, Software development leadership team, Key stakeholders

  1. What challenge is your firm is facing with respect to your software that you think sourcing can address? (20 minutes)
  2. Is the challenge related to a business outcome, development methodology, or technology challenge? (10 minutes)
  3. Is the challenge due to a skills gap, budget or resource challenge, throughput issue, or a broader organizational knowledge or process issue? (10 minutes)
  4. What is the specific objective for the team/leader in addressing this challenge? (15 minutes)
  5. How will you measure progress and achievement of this objective? (5 minutes)

Document results in the Define a Sourcing Strategy Workbook

Identify and categorize your challenges

Sample table for identifying and categorizing challenges, with column groups 'Challenge' and 'Success Measures' containing headers 'Issue, 'Category', 'Breadth', and 'Stakeholder' in the former, and 'Objective' and 'Measurement' in the latter.

Step 1.2

Assess Build Versus Buy

Activities
  • 1.2.1 Understand the benefits and drawbacks of build versus buy in your organizational context

This step involves the following participants:

  • Product management team
  • Software development leadership team
  • Key stakeholders

Outcomes of this step

Understand in your context the benefits and drawbacks of build versus buy, leveraging Info-Tech’s recommended definitions as a starting point.

Define a Sourcing Strategy for Your Development Team

Step 1.1 Step 1.2 Step 1.3

Look vertically across the IT hierarchy to assess the impact of your decision at every level

IT Hierarchy with 'Enterprise' at the top, branching out to 'Portfolio', then to 'Solution' at the bottom. The top is 'Strategic', the bottom 'Operational'.

Regardless of the industry, a common and challenging dilemma facing technology teams is to determine when they should build software or systems in-house versus when they should rely wholly on an outside vendor for delivering on their technology needs.

The answer is not as cut and dried as one would expect. Any build versus buy decision may have an impact on strategic and operational plans. It touches every part of the organization, starting with individual projects and rolling up to the enterprise strategy.

Info-Tech Insight

Do not ignore the impact of a build or buy decision on the various management levels in an IT organization.

Deciding whether to build or buy

It is as much about what you gain as it is about what problem you choose to have

BUILD BUY

Multi-Source Best of Breed

Integrate various technologies that provide subset(s) of the features needed for supporting the business functions.

Vendor Add-Ons & Integrations

Enhance an existing vendor’s offerings by using their system add-ons either as upgrades, new add-ons, or integrations.
Pros
  • Flexibility in choice of tools
  • In some cases, cost may be lower
  • Easier to enhance with in-house teams
Cons
  • Introduces tool sprawl
  • Requires resources to understand tools and how they integrate
  • Some of the tools necessary may not be compatible with one another
Pros
  • Reduces tool sprawl
  • Supports consistent tool stack
  • Vendor support can make enhancement easier
  • Total cost of ownership may be lower
Cons
  • Vendor lock-in
  • The processes to enhance may require tweaking to fit tool capability

Multi-Source Custom

Integrate systems built in-house with technologies developed by external organizations.

Single Source

Buy an application/system from one vendor only.
Pros
  • Flexibility in choice of tools
  • In some cases, cost may be lower
  • Easier to enhance with in-house teams
Cons
  • May introduce tool sprawl
  • Requires resources to have strong technical skills
  • Some of the tools necessary may not be compatible with one another
Pros
  • Reduces tool sprawl
  • Supports consistent tool stack
  • Vendor support can make enhancement easier
  • Total cost of ownership may be lower
Cons
  • Vendor lock-in
  • The processes to enhance may require tweaking to fit tool capability

1.2.1 Understand the benefits and drawbacks of build versus buy in your organizational context

30 minutes

Output: A common understanding of the different approaches to build versus buy applied to your organizational context

Participants: Product management team, Software development leadership team, Key stakeholders

  1. Look at the previous slide, Deciding whether to build or buy.
  2. Discuss the pros and cons listed for each approach.
    1. Do they apply in your context? Why or why not?
    2. Are there some approaches not applicable in terms of how you wish to work?
  3. Record the curated list of pros and cons for the different build/buy approaches.
  4. For each approach, arrange the pros and cons in order of importance.

Document results in the Define a Sourcing Strategy Workbook

Step 1.3

Choose the Right Sourcing Strategy

Activities
  • 1.3.1 Determine the right sourcing strategy for your needs

This step involves the following participants:

  • Product management team
  • Software development leadership team
  • Key stakeholders

Outcomes of this step

Choose your desired sourcing strategy based on your current state and needs.

Define a Sourcing Strategy for Your Development Team

Step 1.1 Step 1.2 Step 1.3

Choose the right sourcing strategy

  • Based on our research, finding the right sourcing strategy for a particular situation is a function of three key areas:
    • Business drivers
    • Organizational drivers
    • Technical drivers
  • Each area has key characteristics that must be assessed to confirm which strategy is best suited for the situation.
  • Once you have assessed the factors and ranked them from low to high, we can then match your results with the best-fit strategy.
Business
  • Business knowledge/ expertise required
  • Product owner maturity

Technical

  • Complexity and maturity of technical environment
  • Required level of integration

Organizational

  • Your culture
  • Desired geographic proximity
  • Required vendor management skills

Business drivers

To choose the right sourcing strategy, you need to assess your key drivers of delivery

Product Knowledge
  • The level of business involvement required to support the development team is a critical factor in determining the sourcing model.
  • Both the breadth and depth of involvement are critical factors.
Strategic Value
  • The strategic value of the application to the company is also a critical component.
  • The more strategic the application is to the company, the closer the sourcing should be maintained.
  • Value can be assessed based on the revenue derived from the application and the depth of use of the application by the organization.
Product Ownership Maturity
  • To support sourcing models that move further from organizational boundaries a strong product ownership function is required.
  • Product owners should ideally be fully allocated to the role and engaged with the development teams.
  • Product owners should be empowered to make decisions related to the product, its vision, and its roadmap.
  • The higher their allocation and empowerment, the higher the chances of success in external sourcing engagements.
Stock image of a person running up a line with a positive trend.

Case Study: The GoodLabs Studio Experience Logo for GoodLabs Studio.

INDUSTRY: Software Development | SOURCE: Interview with Thomas Lo, Co-Founder, GoodLabs Studio
Built to Outsource Development Teams
  • GoodLabs is an advanced software innovation studio that provides bespoke team extensions or turnkey digital product development with high-caliber software engineers.
  • Unlike other consulting firms, GoodLabs works very closely with its customers as a unified team to deliver the most significant impact on clients’ projects.
  • With this approach, it optimizes the delivery of strong software engineering skills with integrated product ownership from the client, enabling long-term and continued success for its clients.
Results
  • GoodLabs is able to attract top engineering talent by focusing on a variety of complex projects that materially benefit from technical solutions, such as cybersecurity, fraud detection, and AI syndrome surveillance.
  • Taking a partnership approach with the clients has led to the successful delivery of many highly innovative and challenging projects for the customers.

Organizational drivers

To choose the right sourcing strategy for a particular problem you need to assess the organization’s key capabilities

Stock photo of someone placing blocks with illustrated professionals one on top of the other. Vendor Management
  • Vendor management is a critical skill for effective external sourcing.
  • This can be assessed based on the organization’s ability to cultivate and grow long-term relationships of mutual value.
  • The longevity and growth of existing vendor relationships can be a good benchmark for future success.
Absorptive Capacity
  • To effectively make use of external sourcing models, the organization must have a well-developed track record of absorbing outside knowledge.
  • This can be assessed by looking at past cases where external knowledge was sourced and internalized, such as past vendor development engagements or use of open-source code.
Organizational Culture
  • Another factor in success of vendor engagements and long-term relationships is the matching of organizational cultures.
  • It is key to measure the organization’s current position on items like communication strategy, geographical dispersal, conflict resolution strategy, and hierarchical vs flat management.
  • These factors should be documented and matched with partners to determine the best fit.

Case Study: WCIRB California Logo for WCIRB California.

INDUSTRY: Workers Compensation Insurance | SOURCE: Interview with Roger Cottman, Senior VP and CIO, WCIRB California
Trying to Find the Right Match
  • WCIRB is finding it difficult to hire local resources in California.
  • Its application is a niche product. Since no off-the-shelf alternatives exist, the organization will require a custom application.
  • WCIRB is in the early stages of a digital platform project and is looking to bring in a partner to provide a full development team, with the goal of ideally bringing the application back in-house once it is built.
  • The organization is looking for a local player that will be able to integrate well with the business.
  • It has engaged with two mid-sized players but both have been slow to respond, so it is now considering alternative approaches.
Info-Tech’s Recommended Approach
  • WCIRB is finding that mid-sized players don’t fit its needs and is now looking for a larger player
  • Based on our research we have advised that WCIRB should ensure the partner is geographically close to its location and can be a strategic partner, not simply work on an individual project.

Technical drivers

To choose the right sourcing strategy for a particular problem you need to assess your technical situation and capabilities

Environment Complexity
  • The complexity of your technical environment is a hurdle that must be overcome for external sourcing models.
  • The number of environments used in the development lifecycle and the location of environments (physical, virtual, on-premises, or cloud) are key indicators.
Integration Requirements
  • The complexity of integration is another key technical driver.
  • The number of integrations required for the application is a good measuring stick. Will it require fewer than 5, 5-10, or more than 10?
Testing Capabilities
  • Testing of the application is a key technical driver of success for external models.
  • Having well-defined test cases, processes, and shared execution with the business are all steps that help drive success of external sourcing models.
  • Test automation can also help facilitate success of external models.
  • Measure the percentage of test cases that are standardized, the level of business involvement, and the percentage of test cases that are automated.
Stock image of pixelated light.

Case Study: Management Control Systems (MC Systems) Logo for MC Systems.

INDUSTRY: Technology Services | SOURCE: Interview with Kathryn Chin See, Business Development and Research Analyst, MC Systems
Seeking to Outsource Innovation
  • MC Systems is seeking to outsource its innovation function to get budget certainty on innovation and reduce costs. It is looking for a player that has knowledge of the application areas it is looking to enhance and that would augment its own business knowledge.
  • In previous outsourcing experiences with skills augmentation and application development the organization had issues related to the business depth and product ownership it could provide. The collaborations did not lead to success as MC Systems lacked product ownership and the ability to reintegrate the outside knowledge.
  • The organization is concerned about testing of a vendor-built application and how the application will be supported.
Info-Tech’s Recommended Approach
  • To date MC Systems has had success with its outsourcing approach when outsourcing specific work items.
  • It is now looking to expand to outsourcing an entire application.
  • Info-Tech’s recommendation is to seek partners who can take on development of the application.
  • MC Systems will still need resources to bring knowledge back in-house for testing and to provide operational support.

Choosing the right model


Legend for the table below using circles with quarters to represent Low (0 quarters) to High (4 quarters).
Determinant Key Questions to Ask Onshore Nearshore Offshore Outsource Role(s) Outsource Team Outsource Product(s)
Business Dependence How much do you rely on business resources during the development cycle? Circle with 4 quarters. Circle with 3 quarters. Circle with 1 quarter. Circle with 2 quarters. Circle with 1 quarter. Circle with 0 quarters.
Absorptive Capacity How successful has the organization been at bringing outside knowledge back into the firm? Circle with 0 quarters. Circle with 1 quarter. Circle with 1 quarter. Circle with 2 quarters. Circle with 1 quarter. Circle with 4 quarters.
Integration Complexity How many integrations are required for the product to function – fewer than 5, 5-10, or more than 10? Circle with 4 quarters. Circle with 3 quarters. Circle with 3 quarters. Circle with 2 quarters. Circle with 1 quarter. Circle with 0 quarters.
Product Ownership Do you have full-time product owners in place for the products? Do product owners have control of their roadmaps? Circle with 1 quarter. Circle with 2 quarters. Circle with 3 quarters. Circle with 2 quarters. Circle with 4 quarters. Circle with 4 quarters.
Organization Culture Fit What are your organization’s communication and conflict resolution strategies? Is your organization geographically dispersed? Circle with 1 quarter. Circle with 1 quarter. Circle with 3 quarters. Circle with 1 quarter. Circle with 3 quarters. Circle with 4 quarters.
Vendor Mgmt Skills What is your skill level in vendor management? How long are your longest-standing vendor relationships? Circle with 0 quarters. Circle with 1 quarter. Circle with 1 quarter. Circle with 2 quarters. Circle with 3 quarters. Circle with 4 quarters.

1.3.1 Determine the right sourcing strategy for your needs

60 minutes

Output: A scored matrix of the key drivers of the sourcing strategy

Participants: Development leaders, Product management team, Key stakeholders

Choose one of your products or product families and assess the factors below on a scale of None, Low, Medium, High, and Full.

  • 3.1 Assess the business factors that drive selection using these key criteria (20 minutes):
    • 3.1.1 Product knowledge
    • 3.1.2 Strategic value
    • 3.1.3 Product ownership
  • 3.2 Assess the organizational factors that drive selection using these key criteria (20 minutes):
    • 3.2.1 Vendor management
    • 3.2.2 Absorptive capacity
    • 3.2.3 Organization culture
  • 3.3 Assess the technical factors that drive selection using these key criteria (20 minutes):
    • 3.3.1 Environments
    • 3.3.2 Integration
    • 3.3.3 Testing

Document results in the Define a Sourcing Strategy Workbook

Things to Consider When Implementing

Once you have built your strategy there are some additional things to consider

Things to Consider Before Acting on Your Strategy

By now you understand what goes into an effective sourcing strategy. Before implementing one, there are a few key items you need to consider:

Example 'Sourcing Strategy for Your Portfolio' with initiatives like 'Client-Facing Apps' and 'ERP Software' assigned to 'Onshore Dev', 'Outsource Team', 'Offshore Dev', 'Outsource App (Buy)', 'Outsource Dev', or 'Outsource Roles'. Start with a pilot
  • Changing sourcing needs to start with one team.
  • Grow as skills develop to limit risk.
Build an IT workforce plan Enhance your vendor management skills Involve the business early and often
  • The business should feel they are part of the discussion.
  • See our Agile/DevOps Research Center for more information on how the business and IT can better work together.
Limit sourcing complexity
  • Having too many different partners and models creates confusion and will strain your ability to manage vendors effectively.

Bibliography

Apfel, Isabella, et al. “IT Project Member Turnover and Outsourcing Relationship Success: An Inverted-U Effect.” Developments, Opportunities and Challenges of Digitization, 2020. Web.

Benamati, John, and Rajkumar, T.M. “The Application Development Outsourcing Decision: An Application of the Technology Acceptance Model.” Journal of Computer Information Systems, vol. 42, no. 4, 2008, pp. 35-43. Web.

Benamati, John, and Rajkumar, T.M. “An Outsourcing Acceptance Model: An Application of TAM to Application Development Outsourcing Decisions.” Information Resources Management Journal, vol. 21, no. 2, pp. 80-102, 2008. Web.

Broekhuizen, T. L. J., et al. “Digital Platform Openness: Drivers, Dimensions and Outcomes.” Journal of Business Research, vol. 122, July 2019, pp. 902-914. Web.

Brook, Jacques W., and Albert Plugge. “Strategic Sourcing of R&D: The Determinants of Success.” Business Information Processing, vol. 55, Aug. 2010, pp. 26-42. Web.

Delen, G. P A.J., et al. “Foundations for Measuring IT-Outsourcing Success and Failure.” Journal of Systems and Software, vol. 156, Oct. 2019, pp. 113-125. Web.

Elnakeep, Eman, et al. “Models and Frameworks for IS Outsourcing Structure and Dimensions: A Holistic Study.” Lecture notes in Networks and Systems, 2019. Web.

Ghei, Suneel. Modeling Absorptive Capacity for Open Innovation in the Software Industry. 2020. Faculty of Graduate Studies, Athabasca University, 2020. DBA Dissertation.

“IT Outsourcing Market Research Report by Service Model, Organization Sizes, Deployment, Industry, Region – Global Forecast to 2027 – Cumulative Impact of COVID-19.” ReportLinker, April 2022. Web.

Jeong, Jongkil Jay, et al. “Enhancing the Application and Measurement of Relationship Quality in Future IT Outsourcing Studies.” 26th European Conference on Information Systems: Beyond Digitization – Facets of Socio-Tehcnical Change: Proceedings of ECIS 2018, Portsmouth, UK, June 23-28, 2018. Edited by Peter Bednar, et al., 2018. Web.

Könning, Michael. “Conceptualizing the Effect of Cultural Distance on IT Outsourcing Success.” Proceedings of Australasian Conference on Information Systems 2018, Sydney, Australia, Dec. 3-5, 2018. Edited by Matthew Noble, UTS ePress, 2018. Web.

Lee, Jae-Nam, et al. “Holistic Archetypes of IT Outsourcing Strategy: A Contingency Fit and Configurational Approach.” MIS Quarterly, vol. 43, no. 4, Dec. 2019, pp. 1201-1225. Web.

Loukis, Euripidis, et al. “Determinants of Software-as-a-Service Benefits and Impact on Firm Performance.” Decision Support Systems, vol. 117, Feb. 2019, pp. 38-47. Web.

Martensson, Anders. “Patterns in Application Development Sourcing in the Financial Industry.” Proceedings of the 13th European Conference of Information Systems, 2004. Web.

Martínez-Sánchez, Angel, et al. “The Relationship Between R&D, the Absorptive Capacity of Knowledge, Human Resource Flexibility and Innovation: Mediator Effects on Industrial Firms.” Journal of Business Research, vol. 118, Sept. 2020, pp. 431-440. Web.

Moreno, Valter, et al. “Outsourcing of IT and Absorptive Capacity: A Multiple Case Study in the Brazilian Insurance Sector.” Brazilian Business Review, vol. 17, no. 1, Jan.-Feb. 2020, pp. 97-113. Web.

Ozturk, Ebru. “The Impact of R&D Sourcing Strategies on Basic and Developmental R&D in Emerging Economies.” European Journal of Innovation Management, vol. 21, no. 7, May 2018, pp. 522-542. Web.

Ribas, Imma, et al. “Multi-Step Process for Selecting Strategic Sourcing Options When Designing Supply Chains.” Journal of Industrial Engineering and Management, vol. 14, no. 3, 2021, pp. 477-495. Web.

Striteska, Michaela Kotkova, and Viktor Prokop. “Dynamic Innovation Strategy Model in Practice of Innovation Leaders and Followers in CEE Countries – A Prerequisite for Building Innovative Ecosystems.” Sustainability, vol. 12, no. 9, May 2020. Web.

Thakur-Wernz, Pooja, et al. “Antecedents and Relative Performance of Sourcing Choices for New Product Development Projects.” Technovation, 2020. Web.

Quality Management

  • Buy Link or Shortcode: {j2store}45|cart{/j2store}
  • Related Products: {j2store}45|crosssells{/j2store}
  • member rating overall impact (scale of 10): N/A
  • member rating average dollars saved: N/A
  • member rating average days saved: N/A
  • Parent Category Name: Service Planning and Architecture
  • Parent Category Link: /service-planning-and-architecture
Drive efficiency and agility with right-sized quality management

Implement an IT Chargeback System

  • Buy Link or Shortcode: {j2store}71|cart{/j2store}
  • member rating overall impact (scale of 10): 8.0/10 Overall Impact
  • member rating average dollars saved: After each Info-Tech experience, we ask our members to quantify the real-time savings, monetary impact, and project improvements our research helped them achieve.
  • member rating average days saved: Read what our members are saying
  • Parent Category Name: Cost & Budget Management
  • Parent Category Link: /cost-and-budget-management
  • Business units voraciously consume IT services and don’t understand the actual costs of IT. This is due to lack of IT cost transparency and business stakeholder accountability for consumption of IT services.
  • Business units perceive IT costs as uncompetitive, resulting in shadow IT and a negative perception of IT.
  • Business executives have decided to implement an IT chargeback program and IT must ensure the program succeeds.

Our Advice

Critical Insight

Price IT services so that business consumers find them meaningful, measurable, and manageable:

  • The business must understand what they are being charged for. If they can’t understand the value, you’ve chosen the wrong basis for charge.
  • Business units must be able to control and track their consumption levels, or they will feel powerless to control costs and you’ll never attain real buy-in.

Impact and Result

  • Explain IT costs in ways that matter to the business. Instead of focusing on what IT pays for, discuss the value that IT brings to the business by defining IT services and how they serve business users.
  • Develop a chargeback model that brings transparency to the flow of IT costs through to business value. Demonstrate how a good chargeback model can bring about fair “pay-for-value” and “pay-for-what-you-use” pricing.
  • Communicate IT chargeback openly and manage change effectively. Business owners will want to know how their profit and loss statements will be affected by the new pricing model.

Implement an IT Chargeback System Research & Tools

Start here – read the Executive Brief

Read our concise Executive Brief to find out why you should implement an IT chargeback program, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

Besides the small introduction, subscribers and consulting clients within this management domain have access to:

1. Launch

Make the case for IT chargeback, then assess the financial maturity of the organization and identify a pathway to success. Create a chargeback governance model.

  • Implement IT Chargeback – Phase 1: Launch
  • IT Chargeback Kick-Off Presentation

2. Define

Develop a chargeback model, including identifying user-facing IT services, allocating IT costs to services, and setting up the chargeback program.

  • Implement IT Chargeback – Phase 2: Define
  • IT Chargeback Program Development & Management Tool

3. Implement

Communicate the rollout of the IT chargeback model and establish a process for recovering IT services costs from business units.

  • Implement IT Chargeback – Phase 3: Implement
  • IT Chargeback Communication Plan
  • IT Chargeback Rollout Presentation
  • IT Chargeback Financial Presentation

4. Revise

Gather and analyze feedback from business owners, making necessary modifications to the chargeback model and communicating the implications.

  • Implement IT Chargeback – Phase 4: Revise
  • IT Chargeback Change Communication Template
[infographic]

Workshop: Implement an IT Chargeback System

Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

1 Kick-Off IT Chargeback

The Purpose

Make the case for IT chargeback.

Identify the current and target state of chargeback maturity.

Establish a chargeback governance model.

Key Benefits Achieved

Investigated the benefits and challenges of implementing IT chargeback.

Understanding of the reasons why traditional chargeback approaches fail.

Identified the specific pathway to chargeback success.

Activities

1.1 Investigate the benefits and challenges of implementing IT chargeback

1.2 Educate business owners and executives on IT chargeback

1.3 Identify the current and target state of chargeback maturity

1.4 Establish chargeback governance

Outputs

Defined IT chargeback mandate

IT chargeback kick-off presentation

Chargeback maturity assessment

IT chargeback governance model

2 Develop the Chargeback Model

The Purpose

Develop a chargeback model.

Identify the customers and user-facing services.

Allocate IT costs.

Determine chargeable service units.

Key Benefits Achieved

Identified IT customers.

Identified user-facing services and generated descriptions for them.

Allocated IT costs to IT services.

Identified meaningful, measurable, and manageable chargeback service units.

Activities

2.1 Identify user-facing services and generate descriptions

2.2 Allocate costs to user-facing services

2.3 Determine chargeable service units and pricing

2.4 Track consumption

2.5 Determine service charges

Outputs

High-level service catalog

Chargeback model

3 Communicate IT Chargeback

The Purpose

Communicate the implementation of IT chargeback.

Establish a process for recovering the costs of IT services from business units.

Share the financial results of the charge cycle with business owners.

Key Benefits Achieved

Managed the transition to charging and recovering the costs of IT services from business units.

Communicated the implementation of IT chargeback and shared the financial results with business owners.

Activities

3.1 Create a communication plan

3.2 Deliver a chargeback rollout presentation

3.3 Establish a process for recovering IT costs from business units

3.4 Share the financial results from the charge cycle with business owners

Outputs

IT chargeback communication plan

IT chargeback rollout presentation

IT service cost recovery process

IT chargeback financial presentation

4 Review the Chargeback Model

The Purpose

Gather and analyze feedback from business owners on the chargeback model.

Make necessary modifications to the chargeback model and communicate implications.

Key Benefits Achieved

Gathered business stakeholder feedback on the chargeback model.

Made necessary modifications to the chargeback model to increase satisfaction and accuracy.

Managed changes by communicating the implications to business owners in a structured manner.

Activities

4.1 Address stakeholder pain points and highly disputed costs

4.2 Update the chargeback model

4.3 Communicate the chargeback model changes and implications to business units

Outputs

Revised chargeback model with business feedback, change log, and modifications

Chargeback change communication

Into the Metaverse

  • Buy Link or Shortcode: {j2store}95|cart{/j2store}
  • member rating overall impact (scale of 10): N/A
  • member rating average dollars saved: N/A
  • member rating average days saved: N/A
  • Parent Category Name: Innovation
  • Parent Category Link: /innovation
  • Define the metaverse.
  • Understand where Meta and Microsoft are going and what their metaverse looks like today.
  • Learn about other solution providers implementing the enterprise metaverse.
  • Identify risks in deploying metaverse solutions and how to mitigate them.

Our Advice

Critical Insight

  • A metaverse experience must combine the three Ps: user presence is represented, the world is persistent, and data is portable.

Impact and Result

  • Understand how Meta and Microsoft define the Metaverse and the coming challenges that enterprises will need to solve to harness this new digital capability.

Into the Metaverse Research & Tools

Besides the small introduction, subscribers and consulting clients within this management domain have access to:

1. Into the Metaverse – A deck that examines how IT can prepare for the new digital world

Push past the hype and understand what the metaverse really means for IT.

  • Into the Metaverse Storyboard

Infographic

Further reading

Into the Metaverse

How IT can prepare for the new digital world.

Analyst Perspective

The metaverse is still a vision of the future.

Photo of Brian Jackson, Research Director, CIO, Info-Tech Research Group.

On October 28, 2021, Mark Zuckerberg got up on stage and announced Facebook's rebranding to Meta and its intent to build out a new business line around the metaverse concept. Just a few days later, Microsoft's CEO Satya Nadella put forward his own idea of the metaverse at Microsoft Ignite. Seeing two of Silicon Valley's most influential companies pitch a vision of avatar-driven virtual reality collaboration sparked our collective curiosity. At the heart of it lies the question, "What is the metaverse, anyway?“

If you strip back the narrative of the companies selling you the solutions, the metaverse can be viewed as technological convergence. Years of development on mixed reality, AI, immersive digital environments, and real-time communication are culminating in a totally new user experience. The metaverse makes the digital as real as the physical. At least, that's the vision.

It will be years yet before the metaverse visions pitched to us from Silicon Valley stages are realized. In the meantime, understanding the individual technologies contributing to that vision can help CIOs realize business value today. Join me as we delve into the metaverse.

Brian Jackson
Research Director, CIO
Info-Tech Research Group

From pop culture to Silicon Valley

Sci-fi visionaries are directly involved in creating the metaverse concept

The term “metaverse” was coined by author Neal Stephenson in the 1992 novel “Snow Crash.” In the novel, main character Hiro Protagonist interacts with others in a digitally defined space. Twenty-five years after its release, the cult classic is influential among Silicon Valley's elite. Stephenson has played some key roles in Silicon Valley firms. He became the first employee at Blue Origin, the space venture founded by Jeff Bezos, in 2006, and later became chief futurist at augmented reality firm Magic Leap in 2014. Stephenson also popularized the Hindu concept "avatar" in his writing, paving the way for people to embody digitally rendered models to participate in the metaverse (Vanity Fair, 2017).

Even earlier concepts of the metaverse were examined in the 1980s, with William Gibson’s “Neuromancer” exploring the same idea as cyberspace. Gibson's novel was influenced by his time in Seattle, where friend and Microsoft executive Eileen Gunn took him to hacker bars where he'd eavesdrop on "the poetics of the technological subculture" (Medium, 2022). Other visions of a virtual reality mecca were brought to life in the movies, including the 1982 Disney release “Tron,” the 1999 flick “The Matrix,” and 2018’s “Ready Player One.”

There's a common set of traits among these sci-fi narratives that help us understand what Silicon Valley tech firms are now set to commercialize: users interact with one another in a digitally rendered virtual world, with a sense of presence provided through the use of a head-mounted display.

Cover of the book Snow Crash by Neal Stephenson.

Image courtesy nealstephenson.com

Meta’s view of the metaverse

CEO Mark Zuckerberg rebranded Facebook to make his intent clear

Mark Zuckerberg is all in on the metaverse, announcing October 28, 2021, that Facebook would be rebranded to Meta. The new brand took effect on December 1, and Facebook began trading under the new stock ticker MVRS on certain exchanges. On February 15, 2022, Zuckerberg announced at a company meeting that his employees will be known as Metamates. The company's new values are to live in the future, build awesome things, and focus on long-term impact. Its motto is simply "Meta, Metamates, me" (“Out With the Facebookers. In With the Metamates,” The New York Times, 2022).

Meta's Reality Labs division will be responsible for developing its metaverse product, using Meta Quest, its virtual reality head-mounted displays. Meta's early metaverse environment, Horizon Worlds, rolled out to Quest users in the US and Canada in early December 2021. This drove a growth in its monthly user base by ten times, to 300,000 people. The product includes Horizon Venues, tailored to attending live events in VR, but not Horizon Workrooms, a VR conferencing experience that remains invite-only. Horizon Worlds provides users tools to construct their own 3D digital environments and had been used to create 10,000 separate worlds by mid-February 2022 (“Meta’s Social VR Platform Horizon Hits 300,000 Users,“ The Verge, 2022).

In the future, Meta plans to amplify the building tools in its metaverse platform with generative AI. For example, users can give speech commands to create scenes and objects in VR. Project CAIRaoke brings a voice assistant to an augmented reality headset that can help users complete tasks like cooking a stew. Zuckerberg also announced Meta is working on a universal speech translator across all languages (Reuters, 2022).

Investment in the metaverse:
$10 billion in 2021

Key People:
CEO Mark Zuckerberg
CTO Andrew Bosworth
Chief Product Officer Chris Cox

(Source: “Meta Spent $10 Billion on the Metaverse in 2021, Dragging Down Profit,” The New York Times, 2022)

Microsoft’s view of the metaverse

CEO Satya Nadella showcased a mixed reality metaverse at Microsoft Ignite

In March 2021 Microsoft announced Mesh, an application that allows organizations to build out a metaverse environment. Mesh is being integrated into other Microsoft hardware and software, including its head-mounted display, the HoloLens, a mixed reality device. The Mesh for HoloLens experience allows users to collaborate around digital content projected into the real world. In November, Microsoft announced a Mesh integration with Microsoft Teams. This integration brings users into an immersive experience in a fully virtual world. This VR environment makes use of AltspaceVR, a VR application Microsoft first released in May 2015 (Microsoft Innovation Stories, 2021).

Last Fall, Microsoft also announced it is rebranding its Dynamics 365 Connected Store solution to Dynamics 365 Connected Spaces, signaling its expansion from retail to all spaces. The solution uses cognitive vision to create a digital twin of an organization’s physical space and generate analytics about people’s behavior (Microsoft Dynamics 365 Blog, 2021).

In the future, Microsoft wants to make "holoportation" a part of its metaverse experience. Under development at Microsoft Research, the technology captures people and things in photorealistic 3D to be projected into mixed reality environments (Microsoft Research, 2022). It also has plans to offer developers AI-powered tools for avatars, session management, spatial rendering, and synchronization across multiple users. Open standards will allow Mesh to be accessed across a range of devices, from AR and VR headsets, smartphones, tablets, and PCs.

Microsoft has been developing multi-user experiences in immersive 3D environments though its video game division for more than two decades. Its capabilities here will help advance its efforts to create metaverse environments for the enterprise.

Investment in the metaverse:
In January 2022, Microsoft agreed to acquire Activision Blizzard for $68.7 billion. In addition to acquiring several major gaming studios for its own gaming platforms, Microsoft said the acquisition will play a key role in the development of its metaverse.

Key People:
CEO Satya Nadella
CEO of Microsoft Gaming Phil Spencer
Microsoft Technical Research Fellow Alex Kipman

Current state of metaverse applications from Meta and Microsoft

Meta

  • Horizon Worlds (formerly Facebook Horizon). Requires an Oculus Rift S or Quest 2 headset to engage in an immersive 3D world complete with no-code building tools for users to construct their own environments. Users can either interact in the space designed by Meta or travel to other user-designed worlds through the plaza.
  • Horizon Workrooms (beta, invite only). An offshoot of Horizon Worlds but more tailored for business collaboration. Users can bring in their physical desks and keyboards and connect to PC screens from within the virtual setting. Integrates with Facebook’s Workplace solution.

Microsoft

  • Dynamics 365 Connected Spaces (preview). Cognitive vision combined with surveillance cameras provide analytics on people's movement through a facility.
  • Mesh for Microsoft Teams (not released). Collaborate with your colleagues in a virtual reality space using personalized avatars. Use new 2D and 3D meeting experiences.
  • Mesh App for HoloLens (preview). Interact with colleagues virtually in a persistent digital environment that is overlaid on top of the real world.
  • AltspaceVR. A VR space accessible via headset or desktop computer that's been available since 2015. Interact through use of an avatar to participate in daily events

Current providers of an “enterprise metaverse”

Other providers designing mixed reality or digital twin tools may not have used the “metaverse” label but provide the same capabilities via platforms

Logo for NVIDIA Omniverse. Logo for TeamViewer.
NVIDIA Omniverse
“The metaverse for engineers,” Omniverse is a developer toolset to allow organizations to build out their own unique metaverse visions.
  • Omniverse Nucleus is the platform database that allows clients to publish digital assets or subscribe to receive changes to them in real-time.
  • Omniverse Connectors are used to connect to Nucleus and publish or subscribe to individual assets and entire worlds.
  • NVIDIA’s core physics engine provides a scalable and physically accurate world simulation.
TeamViewer’s Remote as a Service Platform
Initially focusing on providing workers remote connectivity to work desktops, devices, and robotics, TeamViewer offers a range of software as a service products. Recent acquisitions to this platform see it connecting enterprise workflows to frontline workers using mixed reality headsets and adding more 3D visualization development tools to create digital twins. Clients include Coca-Cola and BMW.

“The metaverse matters in the future. TeamViewer is already making the metaverse tangible in terms of the value that it brings.” (Dr. Hendrik Witt, Chief Product Officer, TeamViewer)

The metaverse is a technological convergence

The metaverse is a platform combining multiple technologies to enable social and economic activity in a digital world that is connected to the physical world.

A Venn diagram with four circles intersecting and one circle unconnected on the side, 'Blockchain, Emerging'. The four circles, clock-wise from top, are 'Artificial Intelligence', 'Real-Time Communication', 'Immersive Digital Space', and 'Mixed Reality'. The two-circle crossover sections, clock-wise from top-right are AI + RTC: 'Smart Agent-Facilitated Communication', RTC + IDS: 'Avatar-Based Social Interaction', IDS + MR: 'Digital Immersive UX', and MR + AI: 'Perception AI'. There are only two three-circle crossover sections labelled, AI + RTC + MR: 'Generative Sensory Environments' and RTC + IDS + MR: 'Presence'. The main cross-section is 'METAVERSE'.

Info-Tech Insight

A metaverse experience must combine the three P’s: user presence is represented, the world is persistent, and data is portable.

Mixed reality provides the user experience (UX) for the metaverse

Both virtual and augmented reality will be part of the picture

Mixed reality encompasses both virtual reality and augmented reality. Both involve allowing users to immerse themselves in digital content using a head-mounted device or with a smartphone for a less immersive effect. Virtual reality is a completely digital world that is constructed as separate from the physical world. VR headsets take up a user's entire field of vision and must also have a mechanism to allow the user to interact in their virtual environment. Augmented reality is a digital overlay mapped on top of the real world. These headsets are transparent, allowing the user to clearly see their real environment, and projects digital content on top of it. These headsets must have a way to map the surrounding environment in 3D in order to project digital content in the right place and at the right scale.

Meta’s Plans

Meta acquired virtual reality developer Oculus VR Inc. and its set of head-mounted displays in 2014. It continues to develop new hardware under the Oculus brand, most recently releasing the Oculus Quest 2. Oculus Quest hardware is required to access Meta's early metaverse platform, Horizon Worlds.

Microsoft’s Plans

Microsoft's HoloLens hardware is a mixed reality headset. Its visor that can project digital content into the main portion of the user's field of vision and speakers capable of spatial audio. The HoloLens has been deployed at enterprises around the world, particularly in scenarios where workers typically have their hands busy. For example, it can be used to view digital schematics of a machine while a worker is performing maintenance or to allow a remote expert to "see through the eyes" of a worker.

Microsoft's Mesh metaverse platform, which allows for remote collaboration around digital content, was demonstrated on a HoloLens at Microsoft Ignite in November 2021. Mesh is also being integrated into AltspaceVR, an application that allows companies to hold meetings in VR with “enterprise-grade security features including secure sign-ins, session management and privacy compliance" (Microsoft Innovation Stories, 2021).

Immersive digital environments provide context in the metaverse

The interactive environment will be a mix of digital and physical worlds

If you've played a video game in the past decade, you've experienced an immersive 3D environment, perhaps even in a multiplayer environment with many other users at the same time. The video game industry grew quickly during the pandemic, with users spending more time and money on video games. Massive multiplayer online games like Fortnite provide more than a gaming environment. Users socialize with their friends and attend concerts featuring famous performers. They also spend money on different appearances or gestures to express themselves in the environment. When they are not playing the game, they are often watching other players stream their experience in the game. In many ways, the consumer metaverse already exists on platforms like Fortnite. At the same time, gaming developers are improving the engines for these experiences and getting closer to approximating the real world both visually and in terms of physics.

In the enterprise space, immersive 3D environments are also becoming more popular. Manufacturing firms are building digital twins to represent entire factories, modeling their real physical environments in digital space. For example, BMW’s “factory of the future” uses NVIDIA Omniverse to create a digital twin of its assembly system, simulated down to the detail of digital workers. BMW uses this simulation to plan reconfiguration of its factory to accommodate new car models and to train robots with synthetic data (“NVIDIA Omniverse,” NVIDIA, 2021).

Meta’s Plans

Horizon Workrooms is Meta's business-focused application of Horizon Worlds. It facilitates a VR workspace where colleagues can interact with others’ avatars, access their computer, use videoconferencing, and sketch out ideas on a whiteboard. With the Oculus Quest 2 headset, passthrough mode allows users to add their physical desk to the virtual environment (Oculus, 2022).

Microsoft’s Plans

AltspaceVR is Microsoft's early metaverse environment and it can be accessed with Oculus, HTC Vive, Windows Mixed Reality, or in desktop mode. Separately, Microsoft Studios has been developing digital 3D environments for its Xbox video game platform for yeas. In January 2022, Microsoft acquired games studio Activision Blizzard for $68.7 billion, saying the games studio would play a key role in the development of the metaverse.

Real-time communications allow for synchronous collaboration

Project your voice to a room full of avatars for a presentation or whisper in someone’s ear

If the metaverse is going to be a good place to collaborate, then communication must feel as natural as it does in the real world. At the same time, it will need to have a few more controls at the users’ disposal so they can focus in on the conversation they choose. Audio will be a major part of the communication experience, augmented by expressive avatars and text.

Mixed reality headsets come with integrated microphones and speakers to enable voice communications. Spatial audio will also be an important component of voice exchange in the metaverse. When you are in a videoconference conversation with 50 participants, every one of those people will sound as though they are sitting right next to you. In the metaverse, each person will sound louder or quieter based on how distant their avatar is from you. This will allow large groups of people to get together in one digital space and have multiple conversations happening simultaneously. In some situations, there will also be a need for groups to form a “party” as they navigate the metaverse, meaning they would stay linked through a live audio connection even if their avatars were not in the same digital space. Augmented reality headsets also allow remote users to “see through the eyes” of the person wearing the headset through a front-facing camera. This is useful for hands-on tasks where expert guidance is required.

People will also need to communicate with people not in the metaverse. More conventional videoconference windows or chat boxes will be imported into these environments as 2D panels, allowing users to integrate them into the context of their digital space.

Meta’s Plans

Facebook Messenger is a text chat and video chat application that is already integrated into Facebook’s platform. Facebook also owns WhatsApp, a messaging platform that offers group chat and encrypted messaging.

Microsoft’s Plans

Microsoft Teams is Microsoft’s application that combines presence-based text chat and videoconferencing between individuals and groups. Dynamics 365 Remote Assist is its augmented reality application designed for HoloLens wearers or mobile device users to share their real-time view with experts.

Generative AI will fill the metaverse with content at the command of the user

No-code and low-code creation tools will be taken to the next level in the metaverse

Metaverse platforms provide users with no-code and low-code options to build out their own environments. So far this looks like playing a game of Minecraft. Users in the digital environment use native tools to place geometric shapes and add textures. Other metaverse platforms allow users to design models or textures with tools outside the platform, often even programming behaviors for the objects, and then import them into the metaverse. These tools can be used effectively, but it can be a tedious way to create a customized digital space.

Generative AI will address that by taking direction from users and quickly generating content to provide the desired metaverse setting. Generative AI can create content that’s meaningful based on natural inputs like language or visual information. For example, a user might give voice commands to a smart assistant and have a metaverse environment created or take photos of a real-world object from different angles to have its likeness digitally imported.

Synthetic data will also play a role in the metaverse. Instead of relying only on people to create a lot of relevant data to train AI, metaverse platform providers will also use simulated data to provide context. NVIDIA’s Omniverse Replicator engine provides this capability and can be used to train self-driving cars and manipulator robots for a factory environment (NVIDIA Newsroom, 2021).

Meta’s Plans

Meta is planning to use generative AI to allow users to construct their VR environments. It will allow users to describe a world to a voice assistant and have it created for them. Users could also speak to each other in different languages with the aid of a universal translator. Separately, Project CAIRaoke combines cognitive vision with a voice assistant to help a user cook dinner. It keeps track of where the ingredients are in the kitchen and guides the user through the steps (Reuters, 2022).

Microsoft’s Plans

Microsoft Mesh includes AI resources to help create natural interactions through speech and vision learning models. HoloLens 2 already uses AI models to track users’ hands and eye movements as well as map content onto the physical world. This will be reinforced in the cloud through Microsoft Azure’s AI capabilities (Microsoft Innovation Stories, 2021).

Blockchain will provide a way to manage digital identity and assets across metaverse platforms

Users will want a way to own their metaverse identity and valued digital possessions

Blockchain technology provides a decentralized digital ledger that immutably records transactions. A specific blockchain can either be permissioned, with one central party determining who gets access, or permissionless, in which anyone with the means can transact on the blockchain. The permissionless variety emerged in 2008 as the foundation of Bitcoin. It's been a disruptive force in the financial industry, with Bitcoin inspiring a long list of offshoot cryptocurrencies, and now even central banks are examining moving to a digital currency standard.

In the past couple of years, blockchain has spurred a new economy around digital assets. Smart contracts can be used to create a token on a blockchain and bind it to a specific digital asset. These assets are called non-fungible tokens (NFTs). Owners of NFTs can prove their chain of ownership and sell their tokens to others on a variety of marketplaces.

Blockchain could be useful in the metaverse to track digital identity, manage digital assets, and enable data portability. Users could register their own avatars as NFTs to prove they are the real person behind their digital representation. They may also want a way to verify they own a virtual plot of land or demonstrate the scarcity of the digital clothing they are wearing in the metaverse. If users want to leave a certain metaverse platform, they could export their avatar and digital assets to a digital wallet and transfer them to another platform that supports the same standards.

In the past, centralized platforms that create economies in a virtual world were able to create digital currencies and sell specific assets to users without the need for blockchain. Second Life is a good example, with Linden Labs providing a virtual token called Linden Dollars that users can exchange to buy goods and services from each other within the virtual world. Second Life processes 345 million transactions a year for virtual goods and reports a GDP of $650 million, which would put it ahead of some countries (VentureBeat, 2022). However, the value is trapped within Second Life and can't be exported elsewhere.

Meta’s Plans

Meta ended its Diem project in early 2022, winding down its plan to offer a digital currency pegged to US dollars. Assets were sold to Silvergate Bank for $182 million. On February 24, blockchain developer Atmos announced it wanted to bring the project back to life. Composed of many of the original developers that created Diem while it was still a Facebook project, the firm plans to raise funds based on the pitch that the new iteration will be "Libra without Facebook“ (CoinDesk, 2022).

Microsoft’s Plans

Microsoft expanded its team of blockchain developers after its lead executive in this area stated the firm is closely watching cryptocurrencies and NFTs. Blockchain Director York Rhodes tweeted on November 8, 2021, that he was expanding his team and was interested to connect with candidates "obsessed with Turing complete, scarce programmable objects that you can own & transfer & link to the real world through a social contract.”

The enterprise metaverse holds implications for IT across several functional areas

Improve maturity in these four areas first

  • Infrastructure & Operations
    • Lay the foundation
  • Security & Risk
    • Mitigate the risks
  • Apps
    • Deploy the precursors
  • Data & BI
    • Prepare to integrate
Info-Tech and COBIT5's IT Management & Governance Framework with processes arranged like a periodic table. Highlighted process groups are 'Infrastructure & Operations', 'Security & Risk', 'Apps', and 'Data & BI'.

Infrastructure & Operations

Make space for the metaverse

Risks

  • Network congestion: Connecting more devices that will be delivering highly graphical content will put new pressures on networks. Access points will have more connections to maintain and transit pathways more bandwidth to accommodate.
  • Device fragmentation: Currently many different vendors are selling augmented reality headsets used in the enterprise, including Google, Epson, Vuzix, and RealWear. More may enter soon, creating various types of endpoints that have different capabilities and different points of failure.
  • New workflows: Enterprises will only be able to benefit from deploying mixed reality devices if they're able to make them very useful to workers. Serving up relevant information in the context of a hands-free interface will become a new competency for enterprises to master.

Mitigations

  • Dedicated network: Some companies are avoiding the congestion issue by creating a separate network for IoT devices on different infrastructure. For example, they might complement the Wi-Fi network with a wireless network on 5G or LoRaWAN standards.
  • Partner with systems integrators: Solutions vendors bringing metaverse solutions to the enterprise are already working with systems integrator partners to overcome integration barriers. These vendors are solving the problems of delivering enterprise content to a variety of new mixed reality touchpoints and determining just the right information to expose to users, at the right time.

Security & Risk

Mitigate metaverse risks before they take root

Risks

  • Broader attack surface: Adding new mixed reality devices to the enterprise network will create more potential points of ingress for a cyberattack. Previous enterprise experiences with IoT in the enterprise have seen them exploited as weak points and used to create botnets or further infiltrate company networks.
  • More data in transit: Enterprise data will be flowing between these new devices and sometimes outside the company firewall to remote connections. Data from industrial IoT could also be integrated into these solutions and exposed.
  • New fraud opportunities: When Web 1.0 was first rolling out, not every company was able to secure the rights to the URL address matching its brand. Those not quick enough on the draw saw "domain squatters" use their brand equity to negotiate for a big pay day or, worse yet, to commit fraud. With blockchain opening up similar new digital real estate in Web3, the same risk arises.

Mitigations

  • Mobile device management (MDM): New mixed reality headsets can be secured using existing MDM solutions on the market.
  • Encryption: Encrypting data end to end as it flows between IoT devices ensures that even if it does leak, it's not likely to be useful to a hacker.
  • Stake your claim: Claiming your brand's name in new Web3 domains may seems tedious, but it is likely to be cheap and might save you a headache down the line.

Apps

Deploy to your existing touchpoints

Risks

  • Learning curves: Using new metaverse applications to complete tasks and collaborate with colleagues won’t be a natural progression for everyone. New headsets, gesture-based controls, and learning how to navigate the metaverse will present hurdles for users to overcome before they can be productive.
  • Is there a dress code in the metaverse? Avatars in the metaverse won’t necessarily look like the people behind the controls. What new norms will be needed to ensure avatars are appropriate for a work setting?
  • Fragmentation: Metaverse experiences are already creating islands. Users of Horizon Worlds can’t connect with colleagues using AltspaceVR. Similar to the challenges around different videoconferencing software, users could find they are divided by applications.

Mitigations

  • Introduce concepts over time: Ask users to experiment with meeting in a VR context in a small group before expanding to a companywide conference event. Or have them use a headset for a simple video chat before they use it to complete a task in the field.
  • Administrative controls: Ensure that employees have some boundaries when designing their avatars, enforced either through controls placed on the software or through policies from HR.
  • Explore but don’t commit: It’s early days for these metaverse applications. Explore opportunities that become available through free trials and new releases to existing software suites but maintain flexibility to pivot should the need arise.

Data & BI

Deploy to your existing touchpoints

Risks

  • Interoperability: There is no established standard for digital objects or behaviors in the metaverse. Meta and Microsoft say they are committed to open standards that will ensure portability of data across platforms, but how that will be executed isn’t clear yet.
  • Privacy: Sending data to another platform carries risks that it will be exfiltrated and stored elsewhere, presenting some challenges for companies that need to be compliant with legislation such as GDPR.
  • High-fidelity models: 3D models with photorealistic textures will come with high CPU requirements to render properly. Some head-mounted displays will run into limitations.

Mitigations

  • Adopt standard interfaces: Using open APIs will be the most common path to integrating enterprise systems to metaverse applications.
  • Maintain compliance: The current approach enterprises take to creating data lakes and presenting them to platforms will extend to the metaverse. Building good controls and anonymizing data that resides in these locations will enable firms to interact in new platforms and remain compliant.
  • Right-sized rendering: Providing enough data to a device to make it useful without overburdening the CPU will be an important consideration. For example, TeamViewer uses polygon reduction to display 3D models on lower-powered head-mounted displays.

More Info-Tech research to explore

CIO Priorities 2022
Priorities to compete in the digital economy.

Microsoft Teams Cookbook
Recipes for best practices and use cases for Microsoft Teams.

Run Better Meetings
Hybrid, virtual, or in person – set meeting best practices that support your desired meeting norms.

Double Your Organization’s Effectiveness With a Digital Twin
Digital twin: A living, breathing reflection.

Contributing experts

Photo of Dr. Hendrik Witt, Chief Product Officer, TeamViewer

Dr. Hendrik Witt
Chief Product Officer,
TeamViewer

Photo of Kevin Tucker, Principal Research Director, Industry Practice, INFO-TECH RESEARCH GROUP

Kevin Tucker
Principal Research Director, Industry Practice,
INFO-TECH RESEARCH GROUP

Bibliography

Cannavò, Alberto, and F. Lamberti. “How Blockchain, Virtual Reality and Augmented Reality Are Converging, and Why.” IEEE Consumer Electronics Magazine, vol. 10, no. 5, Sept. 2020, pp. 6-13. IEEE Xplore. Web.

Culliford, Elizabeth. “Meta’s Zuckerberg Unveils AI Projects Aimed at Building Metaverse Future.” Reuters, 24 Feb. 2022. Web.

Davies, Nahla. “Cybersecurity and the Metaverse: Pioneering Safely into a New Digital World.” GlobalSign Blog, 10 Dec. 2021. GlobalSign by GMO. Web.

Doctorow, Cory. “Neuromancer Today.” Medium, 10 Feb. 2022. Web.

Heath, Alex. “Meta’s Social VR Platform Horizon Hits 300,000 Users.” The Verge, 17 Feb. 2022. Web.

“Holoportation™.” Microsoft Research, 22 Feb. 2022. Microsoft. Accessed 3 March 2022.

Isaac, Mike. “Meta Spent $10 Billion on the Metaverse in 2021, Dragging down Profit.” The New York Times, 2 Feb. 2022. Web.

Isaac, Mike, and Sheera Frenkel. “Out With the Facebookers. In With the Metamates.” The New York Times, 15 Feb. 2022. Web.

Langston, Jennifer. “‘You Can Actually Feel like You’re in the Same Place’: Microsoft Mesh Powers Shared Experiences in Mixed Reality.” Microsoft Innovation Stories, 2 Mar. 2021. Microsoft. Web.

“Maple Leaf Sports & Entertainment and AWS Team Up to Transform Experiences for Canadian Sports Fans.” Amazon Press Center, 23 Feb. 2022. Amazon.com. Accessed 24 Feb. 2022. Web.

Marquez, Reynaldo. “How Microsoft Will Move To The Web 3.0, Blockchain Division To Expand.” Bitcoinist.com, 8 Nov. 2021. Web.

Metinko, Chris. “Securing The Metaverse—What’s Needed For The Next Chapter Of The Internet.” Crunchbase News, 6 Dec. 2021. Web.

Metz, Rachel Metz. “Why You Can’t Have Legs in Virtual Reality (Yet).” CNN, 15 Feb. 2022. Accessed 16 Feb. 2022.

“Microsoft to Acquire Activision Blizzard to Bring the Joy and Community of Gaming to Everyone, across Every Device.” Microsoft News Center, 18 Jan. 2022. Microsoft. Web.

Nath, Ojasvi. “Big Tech Is Betting Big on Metaverse: Should Enterprises Follow Suit?” Toolbox, 15 Feb. 2022. Accessed 24 Feb. 2022.

“NVIDIA Announces Omniverse Replicator Synthetic-Data-Generation Engine for Training AIs.” NVIDIA Newsroom, 9 Nov. 2021. NVIDIA. Accessed 9 Mar. 2022.

“NVIDIA Omniverse - Designing, Optimizing and Operating the Factory of the Future. 2021. YouTube, uploaded by NVIDIA, 13 April 2021. Web.

Peters, Jay. “Disney Has Appointed a Leader for Its Metaverse Strategy.” The Verge, 15 Feb. 2022. Web.

Robinson, Joanna. The Sci-Fi Guru Who Predicted Google Earth Explains Silicon Valley’s Latest Obsession.” Vanity Fair, 23 June 2017. Accessed 13 Feb. 2022.

Scoble, Robert. “New Startup Mixes Reality with Computer Vision and Sets the Stage for an Entire Industry.” Scobleizer, 17 Feb. 2022. Web.

Seward, Zack. “Ex-Meta Coders Raising $200M to Bring Diem Blockchain to Life: Sources.” CoinDesk, 24 Feb. 2022. Web.

Shrestha, Rakesh, et al. “A New Type of Blockchain for Secure Message Exchange in VANET.” Digital Communications and Networks, vol. 6, no. 2, May 2020, pp. 177-186. ScienceDirect. Web.

Sood, Vishal. “Gain a New Perspective with Dynamics 365 Connected Spaces.” Microsoft Dynamics 365 Blog, 2 Nov. 2021. Microsoft. Web.

Takahashi, Dean. “Philip Rosedale’s High Fidelity Cuts Deal with Second Life Maker Linden Lab.” VentureBeat, 13 Jan. 2022 Web.

“TeamViewer Capital Markets Day 2021.” TeamViewer, 10 Nov. 2021. Accessed 22 Feb. 2022.

VR for Work. Oculus.com. Accessed 1 Mar. 2022.

Wunderman Thompson Intelligence. “New Trend Report: Into the Metaverse.” Wunderman Thompson, 14 Sept. 2021. Accessed 16 Feb. 2022.

COVID-19 Work Status Tracking Guide

  • Buy Link or Shortcode: {j2store}594|cart{/j2store}
  • member rating overall impact (scale of 10): N/A
  • member rating average dollars saved: N/A
  • member rating average days saved: N/A
  • Parent Category Name: Manage & Coach
  • Parent Category Link: /manage-coach
  • Keeping track of the multiple and frequently changing work arrangements on your team.
  • Ensuring you have a fast and easy way to keep an up-to-date record of where and how employees are working.

Our Advice

Critical Insight

  • During these critical times, keeping track of employees’ work status doesn’t have to be complicated – the right tool is one that does the job.
  • Keeping track of your employees is a health and safety issue – deployed well, it is an aid in keeping the business running and an additional communication channel, not a sign of lack of trust.

Impact and Result

  • An Excel spreadsheet is all you need to ensure you have a way to record work arrangements that can change by the day.
  • An easy-to-use tool means minimal administrative overhead to ensuring you have this critical information at hand.

COVID-19 Work Status Tracking Guide Research & Tools

Start here – read the Work Status Tracking Guide

Read our recommendations and use the accompanying tool to quickly get a handle on your team’s work arrangements.

Besides the small introduction, subscribers and consulting clients within this management domain have access to:

  • COVID-19 Work Status Tracking Guide Storyboard
  • COVID-19 Work Status Tracking Tool
[infographic]

Evaluate Your Vendor Account Team to Optimize Vendor Relations

  • Buy Link or Shortcode: {j2store}222|cart{/j2store}
  • member rating overall impact (scale of 10): N/A
  • member rating average dollars saved: N/A
  • member rating average days saved: N/A
  • Parent Category Name: Vendor Management
  • Parent Category Link: /vendor-management
  • Understand how important your account is to the vendor and how it is classified.
  • Understand how informed the account team is about your company and your industry.
  • Understand how long the team has been with the vendor. Have they been around long enough to have developed a “brand” or trust within their organization?
  • Understand and manage the relationships and influence the account team has within your organization to maintain control of the relationship.

Our Advice

Critical Insight

Conducting the appropriate due diligence on your vendor’s account team is as important as the due diligence you put into the vendor. Ongoing management of the account team should follow the lifecycle of the vendor relationship.

Impact and Result

Understanding your vendor team’s background, experience, and strategic approach to your account is key to the management of the relationship, the success of the vendor agreement, and, depending on the vendor, the success of your business.

Evaluate Your Vendor Account Team to Optimize Vendor Relations Research & Tools

Besides the small introduction, subscribers and consulting clients within this management domain have access to:

1. Evaluate Your Vendor Account Team to Optimize Vendor Relations Deck – Understand the value of knowing your account team’s influence in their organization, and yours, to drive results.

Learn how to best qualify that you have the right team for your business needs, using the accompanying tools to measure and monitor success throughout the relationship.

  • Evaluate Your Vendor Account Team to Optimize Vendor Relations Storyboard

2. Vendor Rules of Engagement Template – Use this template to create a vendor rules of engagement document for inclusion in your company website, RFPs, and contracts.

The Vendor Rules of Engagement template will help you develop your written expectations for the vendor for how they will interact with your business and stakeholders.

  • Vendor Rules of Engagement

3. Evalu-Rate Your Account Team – Use this tool to develop criteria to evaluate your account team and gain feedback from your stakeholders.

Evaluate your vendor account teams using this template to gather stakeholder feedback on vendor performance.

  • Evalu-Rate Your Account Team
[infographic]

Further reading

Evaluate Your Vendor Account Team to Optimize Vendor Relations

Understand the value of knowing your account team’s influence in their organization, and yours, to drive results.

Analyst Perspective

Having the wrong account team has consequences for your business.

IT professionals interact with vendor account teams on a regular basis. You may not give it much thought, but do you have a good understanding of your rep’s ability to support/service your account, in the manner you expect, for the best possible outcome? The consequences to your business of an inappropriately assigned and poorly trained account team can have a disastrous impact on your relationship with the vendor, your business, and your budget. Doing the appropriate due diligence with your account team is as important as the due diligence you should put into the vendor. And, of course, ongoing management of the account team relationship is vital. Here we will share how best to qualify that you have the right team for your business needs as well as how to measure and monitor success throughout the relationship.

Photo of Donna Glidden, Research Director, Vendor Management, Info-Tech Research Group.

Donna Glidden
Research Director, Vendor Management
Info-Tech Research Group

Executive Summary

Your Challenge
  • Understand how important your account is to the vendor and how it is classified.
  • Understand how informed the account team is about your company and your industry.
  • Understand how long the team has been with the vendor. Have they been around long enough to have developed a “brand” or trust within their organization?
  • Understand and manage the relationships and influence the account team has within your organization to maintain control of the relationship.
Common Obstacles
  • The vendor account team “came with the deal.”
  • The vendor account team has limited training and experience.
  • The vendor account team has close relationships within your organization outside of Procurement.
  • Managing your organization’s vendors is ad hoc and there is no formalized process for vendors to follow.
  • Your market position with the vendor is not optimal.
Info-Tech’s Approach
  • Establish a repeatable, consistent vendor management process that focuses on the account team to maintain control of the relationship and drive the results you need.
  • Create a questionnaire for gaining stakeholder feedback to evaluate the account team on a regular basis.
  • Consider adding a vendor rules of engagement exhibit to your contracts and RFXs.

Info-Tech Insight

Understanding your vendor team’s background, their experience, and their strategic approach to your account is key to the management of the relationship, the success of the vendor agreement, and, depending on the vendor, the success of your business.

Blueprint benefits

IT Benefits

  • Clear lines of communication
  • Correct focus on the specific needs of IT
  • More accurate project scoping
  • Less time wasted

Mutual IT and
Business Benefits

  • Reduced time to implement
  • Improved alignment between IT & business
  • Improved vendor performance
  • Improved vendor relations

Business Benefits

  • Clear relationship guidelines based on mutual understanding
  • Improved communications between the parties
  • Mutual understanding of roles/goals
  • Measurable relationship criteria

Insight Summary

Overarching insight

Conducting the appropriate due diligence on your vendor’s account team is as important as the due diligence you put into the vendor. Ongoing management of the account team should follow the lifecycle of the vendor relationship.

Introductory/RFP phase
  • Track vendor contacts with your organization.
  • Qualify the account team as you would the vendor:
    • Background
    • Client experience
  • Consider including vendor rules of engagement as part of your RFP process.
  • How does the vendor team classify your potential account?
Contract phase
  • Set expectations with the account team for the ongoing relationship.
  • Include a vendor rules of engagement exhibit in the contract.
  • Depending on your classification of the vendor, establish appropriate account team deliverables, meetings, etc.
Vendor management phase
  • “Evalu-rate” your account team by using a stakeholder questionnaire to gain measurable feedback.
  • Identify the desired improvements in communications and service delivery.
  • Use positive reinforcements that result in positive behavior.
Tactical insight

Don’t forget to look at your organization’s role in how well the account team is able to perform to your expectations.

Tactical insight

Measure to manage – what are the predetermined criteria that you will measure the account team’s success against?

Lack of adequate sales training and experience can have a negative impact on the reps’ ability to support your needs adequately

  • According to Forbes (2012), 55% of salespeople lack basic sales skills.
  • 58% of buyers report that sales reps are unable to answer their questions effectively.
  • According to a recent survey, 84% of all sales training is lost after 90 days. This is due to the lack of information retention among sales personnel.
  • 82% of B2B decision-makers think sales reps are unprepared.
  • At least 50% of prospects are not a good fit for the product or service that vendors are selling (Sales Insights Lab).
  • It takes ten months or more for a new sales rep to be fully productive.

(Source: Spotio)

Info-Tech Insight

Remember to examine the inadequacies of vendor training as part of the root cause of why the account team may lack substance.

Why it matters

1.8 years

is the average tenure for top ten tech companies

2.6 years is the average experience required to hire.

2.4 years is the average account executive tenure.

44% of reps plan to leave their job within two years.

The higher the average contract value, the longer the tenure.

More-experienced account reps tend to stay longer.

(Source: Xactly, 2021)
Image of two lightbulbs labeled 'skill training' with multiple other buzzwords on the glass.

Info-Tech Insight

You are always going to be engaged in training your rep, so be prepared.

Before you get started…

  • Take an inward look at how your company engages with vendors overall:
    • Do you have a standard protocol for how initial vendor inquiries are handled (emails, phone calls, meeting invitations)?
    • Do you have a standard protocol for introductory vendor meetings?
    • Are vendors provided the appropriate level of access to stakeholders/management?
    • Are you prompt in your communications with vendors?
    • What is the quality of the data provided to vendors? Do they need to reach out repeatedly for more/better data?
    • How well are you able to forecast your needs?
    • Is your Accounts Payable team responsive to vendor inquiries?
    • Are Procurement and stakeholders on the same page regarding the handling of vendors?
  • While you may not have a formal vendor management initiative in place, try to understand how important each of your vendors are to your organization, especially before you issue an RFP, so you can set the right expectations with potential vendor teams.
  • Classify vendors as strategic, operational, tactical, or commodity.
    • This will help you focus your time appropriately and establish the right meeting cadence according to the vendor’s place in your business.
    • See Info-Tech’s research on vendor classification.
When you formalize your expectations regarding vendor contact with your organization and create structure around it, vendors will take notice.

Consider a standard intake process for fielding vendor inquiries and responding to requests for meetings to save yourself the headaches that come with trying to keep up with them.

Stakeholder teams, IT, and Procurement need to be on the same page in this regard to avoid missteps in the important introductory phase of dealing with vendors and the resulting confusion on the part of vendor account teams when they get mixed messages and feel “passed around.”

1. Introductory Phase

If vendors know you have no process to track their activities, they’ll call who they want when they want, and the likelihood of them having more information about your business than you about theirs is significant.

Vendor contacts are made in several ways:

  • Cold calls
  • Emails
  • Website
  • Conferences
  • Social introductions

Things to consider:

  • Consider having a link on your company website to your Sourcing & Procurement team, including:
    • An email address for vendor inquiries.
    • Instructions to vendors on how to engage with you and what information they should provide.
    • A link to your Vendor Rules of Engagement.
  • Track vendor inquiries so you have a list of potential respondents to future RFPs.
  • Work with stakeholders and gain their buy-in on how vendor inquiries are to be routed and handled internally.
Not every vendor contact will result in an “engagement” such as invitation to an RFP or a contract for business. As such, we recommend that you set up an intake process to track/manage supplier inquiries so that when you are ready to engage, the vendor teams will be set up to work according to your expectations.

2. RFP/Contract Phase

What are your ongoing expectations for the account team?
  • Understand how your business will be qualified by the vendor. Where you fit in the market space regarding spend, industry, size of your business, etc., determines what account team(s) you will have access to.
  • Add account team–specific questions to your RFP(s) to gain an understanding of their capabilities and experience up front.
  • How have you classified the vendor/solution? Strategic, tactical, operational, or commodity?
    • Depending on the classification/criticality (See Info-Tech’s Vendor Classification Tool) of the vendor, set the appropriate expectation for vendor review meetings, e.g. weekly, monthly, quarterly, annually.
    • Set the expectation that their support of your account will be regularly measured/monitored by your organization.
    • Consider including a set of vendor rules of engagement in your RFPs and contracts so vendors will know up front what your expectations are for how to engage with Procurement and stakeholders.
Stock image of smiling coworkers.

3. Ongoing Vendor Management

Even if you don’t have a vendor management initiative in place, consider these steps to manage both new and legacy vendor relationships:
  • Don’t wait until there is an issue to engage the account team. Develop an open, honest relationship with vendors and get to know their key players.
  • Seek regular feedback from stakeholders on both parties’ performance against the agreement, based on agreed-upon criteria.
  • Measure vendor performance using the Evalu-Rate Your Account Team tool included with this research.
  • Based on vendor criticality, set a regular cadence of vendor meetings to discuss stakeholder feedback, both positive feedback as well as areas needing improvement and next steps, if applicable.
Stock image of smiling coworkers.

Info-Tech Insight

What your account team doesn’t say is equally important as what they do say. For example, an account rep with high influence says, “I can get that for you” vs. “I'll get back to you.” Pay attention to the level of detail in their responses to you – it references how well they are networked within their own organization.

How effective is your rep?

The Poser
  • Talks so much they forget to listen
  • Needs to rely on the “experts”
  • Considers everyone a prospect
Icons relating to the surrounding rep categories. Ideal Team Player
  • Practices active listening
  • Understands the product they are selling
  • Asks great questions
  • Is truthful
  • Approaches sales as a service to others
The Bulldozer
  • Unable to ask the right questions
  • If push comes to shove, they keep pushing until you push back
  • Has a sense of entitlement
  • Lacks genuine social empathy
Skillful Politician
  • Focuses on the product instead of people
  • Goes by gut feel
  • Fears rejection and can’t roll with the punches

Characteristics of account reps

Effective
  • Is truthful
  • Asks great questions
  • Practices active listening
  • Is likeable and trustworthy
  • Exhibits emotional intelligence
  • Is relatable and knowledgeable
  • Has excellent interpersonal skills
  • Has a commitment to personal growth
  • Approaches sales as a service to others
  • Understands the product they are selling
  • Builds authentic connections with clients
  • Is optimistic and has energy, drive, and confidence
  • Makes an emotional connection to whatever they are selling
  • Has the ability to put themselves in the position of the client
  • Builds trust by asking the right questions; listens and provides appropriate solutions without overpromising and underdelivering
Ineffective
  • Goes by gut feel
  • Has a sense of entitlement
  • Lacks genuine social empathy.
  • Considers everyone a prospect
  • Is unable to ask the right questions.
  • Is not really into sales – it’s “just a job”
  • Focuses on the product instead of people
  • Loves to talk so much they forget to listen
  • Fears rejection and can’t roll with the punches
  • If push comes to shove, they keep pushing until you push back
  • Is clueless about their product and needs to rely on the “experts”

How to support an effective rep

  • Consider being a reference account.
  • Say thank you as a simple way to boost morale and encourage continued positive behavior.
  • If you can, provide opportunities to increase business with the vendor – that is the ultimate thanks.
  • Continue to support open, honest communication between the vendor and your team.
  • Letters or emails of recognition to the vendor team’s management have the potential to boost the rep’s image within their own organization and shine a spotlight on your organization as a good customer.
  • Supplier awards for exemplary service and support may be awarded as part of a more formal vendor management initiative.
  • Refer to the characteristics of an effective rep – which ones best represent your account team?
A little recognition goes a long way in reinforcing a positive vendor relationship.

Info-Tech Insight

Don’t forget to put the relationship in vendor relationship management – give a simple “Thank you for your support” to the account team from executive management.

How to support an ineffective rep

An ineffective rep can take your time and attention away from more important activities.
  • Understand what role, if any, you and/or your stakeholders may play in the rep’s lack of performance by determining the root cause:
    • Unrealistic expectations
    • Unclear and incomplete instructions
    • Lack of follow through by your stakeholders to provide necessary information
    • Disconnects between Sourcing/Procurement/IT that lead to poor communication with the vendor team (lack of vendor management)
  • Schedule more frequent meetings with the team to address the issues and measure progress.
  • Be open to listening to your rep(s) and ask them what they need from you in order to be effective in supporting your account.
  • Be sure to document in writing each instance where the rep has underperformed and include the vendor team’s leadership on all communications and meetings.
  • Refer to the characteristics of an ineffective rep – which ones best describe your ineffective vendor rep?
“Addressing poor performance is an important aspect of supplier management, but prevention is even more so.” (Logistics Bureau)

Introductory questions to ask vendor reps

  • What is the vendor team’s background, particularly in the industry they are representing? How did they get to where they are?
    • Have they been around long enough to have developed credibility throughout their organization?
    • Do they have client references they are willing to share?
  • How long have they been in this position with the vendor?
    • Remember, the average rep has less than 24 months of experience.
    • If they lack depth of experience, are they trainable?
  • How long have they been in the industry?
    • Longevity and experience matters.
  • What is their best customer experience?
    • What are they most proud of from an account rep perspective?
  • What is their most challenging customer experience?
    • What is their biggest weakness?
  • How are their relationships with their delivery and support teams?
    • Can they get the job done for you by effectively working their internal relationships?
  • What are their goals with this account?
    • Besides selling a lot.
  • What relationships do they have within your organization?
    • Are they better situated within your organization than you are?
Qualify the account team as you would the vendor – get to know their background and history.

Vendor rules of engagement

Articulate your vendor expectations in writing

Clearly document your expectations via formal rules of engagement for vendor teams in order to outline how they are expected to interact with your business and stakeholders. This can have a positive impact on your vendor and stakeholder relationships and enable you to gain control of:

  • Onsite visits and meetings.
  • Submission of proposals, quotes, contracts.
  • Communication between vendors, stakeholders and Procurement.
  • Expectations for ongoing relationship management.

Include the rules in your RFXs and contracts to formalize your expectations.

See the Vendor Rules of Engagement template included with this research.

Download the Vendor Rules of Engagement template

Sample of the Vendor Rules of Engagement template.

Evalu-rate your vendor account team

Measure stakeholder feedback to ensure your account team is on target to meet your needs. Sample of the Evalu-Rate Your Account Team tool.

Download the Evalu-Rate Your Account Team tool

  • Use a measurable, repeatable process for evaluations.
  • Include feedback from key stakeholders engaged in the relationship.
  • Keep the feedback fact based and have backup.

Final thoughts: Do’s and don’ts

DO

  • Be friendly, approachable.
  • Manage the process by which vendors contact your organization – take control!
  • Understand your market position when sourcing goods/services to establish how much leverage you have with vendors.
  • Set vendor meetings according to their criticality to your business.
  • Evaluate your account teams to understand their strengths/weaknesses.
  • Gain stakeholder buy-in to your vendor processes.

DON'T

  • Don’t be “friends.”
  • Don’t criticize in public.
  • Don’t needlessly escalate.
  • Don’t let the process of vendors communicating with your stakeholders “just happen.”
  • Don’t accept poor performance or attitude.

Summary of Accomplishment

Problem Solved

Upon completion of this blueprint, Guided Implementation, or workshop, your team should have a comprehensive, well-defined, end-to-end approach to evaluating and managing your account team. Leveraging Info-Tech’s industry-proven tools and templates provides your organization with an effective approach to establishing, maintaining, and evaluating your vendor account team; improving your vendor and stakeholder communications; and maintaining control of the client/vendor relationship.

Additionally, your team will have a foundation to execute your vendor management principles. These principles will assist your organization in ensuring you receive the perceived value from the vendor as a result of your vendor account team evaluation process.

If you would like additional support, have our analysts guide you through other phases as part of an Info-Tech workshop.

Contact your account representative for more information.

workshops@infotech.com 1-888-670-8889

Bibliography

“14 Essential Qualities of a Good Salesperson.” Forbes, 5 Oct. 2021. Accessed 11 March 2022.

“149 Eye-Opening Sales Stats to Consider.” Spotio, 30 Oct. 2018. Accessed 11 March 2022.

“35 Sales Representative Interview Questions and Answers.” Indeed, 29 Oct. 2021. Accessed 8 March 2022.

“8 Intelligent Questions for Evaluating Your Sales Reps Performance” Inc., 16 Aug. 2016. Accessed 9 March 2022.

Altschuler, Max. “Reality Check: You’re Probably A Bad Salesperson If You Possess Any Of These 11 Qualities.” Sales Hacker, 9 Jan. 2018. Accessed 4 May 2022.

Bertuzzi, Matt. “Account Executive Data Points in the SaaS Marketplace.” Treeline, April 12, 2017. Accessed 9 March 2022. “Appreciation Letter to Vendor – Example, Sample & Writing Tips.” Letters.org, 10 Jan. 2020. Web.

D’Entremont, Lauren. “Are Your Sales Reps Sabotaging Your Customer Success Without Realizing It?” Proposify, 4 Dec. 2018. Accessed 7 March 2022.

Freedman, Max. “14 Important Traits of Successful Salespeople.” Business News Daily, 14 April 2022. Accessed 10 April 2022.

Hansen, Drew. “6 Tips For Hiring Your Next Sales All-Star.” Forbes, 16 Oct. 2012. Web.

Hulland, Ryan. “Getting Along with Your Vendors.” MonMan, 12 March 2014. Accessed 9 March 2022.

Lawrence, Jess. “Talking to Vendors: 10 quick tips for getting it right.” Turbine, 30 Oct. 2018. Accessed 11 March 2022.

Lucero, Karrie. “Sales Turnover Statistics You Need To Know.” Xactly, 24 Aug. 2021. Accessed 9 March 2022.

Noyes, Jesse. “4 Qualities to Look For in Your Supplier Sales Representative.” QSR, Nov. 2017. Accessed 9 March 2022.

O’Byrne, Rob. “How To Address Chronic Poor Supplier Performance.” Logistics Bureau, 26 July 2016. Accessed 4 May 2022.

O'Brien, Jonathan. Supplier Relationship Management: Unlocking the Hidden Value in Your Supply Base. Kogan Page, 2014.

Short, Alex. “Three Things You Should Consider to Become A Customer of Choice.” Vizibl, 29 Oct. 2021. Web.

Wayshak, Marc. “18 New Sales Statistics for 2022 from Our Groundbreaking Study!” Sales Insights Lab, 28 March 2022. Web.

“What Does a Good Customer Experience Look Like In Technology?” Virtual Systems, 23 June 2021. Accessed 10 March 2022.

2021 Q3 Research Highlights

  • member rating overall impact (scale of 10): N/A
  • member rating average dollars saved: N/A
  • member rating average days saved: N/A
  • Parent Category Name: The Briefs
  • Parent Category Link: /the-briefs
Our research team is a prolific bunch! Every quarter we produce lots of research to help you get the most value out of your organization. This PDF contains a selection of our most compelling research from the third quarter of 2021.

It wasn't me

  • member rating overall impact (scale of 10): N/A
  • member rating average dollars saved: N/A
  • member rating average days saved: N/A
  • Parent Category Name: Security and Risk
  • Parent Category Link: /security-and-risk

You heard the message before, and yet....  and yet it does not sink in.

In july 2019 already, according to retruster:

  • The average financial cost of a data breach is $3.86m (IBM)
  • Phishing accounts for 90% of data breaches
  • 15% of people successfully phished will be targeted at least one more time within the year
  • BEC scams accounted for over $12 billion in losses (FBI)
  • Phishing attempts have grown 65% in the last year
  • Around 1.5m new phishing sites are created each month (Webroot)
  • 76% of businesses reported being a victim of a phishing attack in the last year
  • 30% of phishing messages get opened by targeted users (Verizon)

This is ... this means we, as risk professionals may be delivering our messsage the wrong way. So, I really enjoyed my colleague Nick Felix (who got it from Alison Francis) sending me the URL of this video: Enjoy, but mostly: learn, because we want our children to enjoy the fruits of our work.

Register to read more …

Application Development Quality

  • Buy Link or Shortcode: {j2store}26|cart{/j2store}
  • Related Products: {j2store}26|crosssells{/j2store}
  • member rating overall impact (scale of 10): 10.0/10
  • member rating average dollars saved: N/A
  • member rating average days saved: N/A
  • Parent Category Name: Applications
  • Parent Category Link: /applications
Apply quality assurance across your critical development process steps to secure quality to product delivery

Integrate Physical Security and Information Security

  • Buy Link or Shortcode: {j2store}383|cart{/j2store}
  • member rating overall impact (scale of 10): N/A
  • member rating average dollars saved: N/A
  • member rating average days saved: N/A
  • Parent Category Name: Security Processes & Operations
  • Parent Category Link: /security-processes-and-operations

Physical security is often managed by facilities, not by IT security, resulting in segmented security systems. Integrating physical and information security introduces challenges in:

  • Understanding the value proposition of investment in governing and managing integrated systems, including migration costs, compared to separated security systems.
  • Addressing complex risks and vulnerabilities of an integrated security system.
  • Operationalizing enhanced capabilities created by adoption of emerging and disruptive technologies.

Our Advice

Critical Insight

  • Integrate security in people, process, and technology to improve your overall security posture. Having siloed systems running security is not beneficial. Many organizations are realizing the benefits of consolidating into a single platform across physical security, cybersecurity, HR, legal, and compliance.
  • Plan and engage stakeholders. Assemble the right team to ensure the success of your integrated security ecosystem, decide the governance model, and clearly define the roles and responsibilities.
  • Enhance strategy and risk management. Strategically, we want a physical security system that is interoperable with most technologies, flexible with minimal customization, functional, and integrated, despite the challenges of proprietary configurations, complex customization, and silos.

Impact and Result

Info-Tech's approach is a modular, incremental, and repeatable process to integrate physical and information security to:

  • Ensure the integration will meet the business' needs and determine effort and technical requirements.
  • Establish GRC processes that include integrated risk management and compliance.
  • Design and deploy an integrated security architecture.
  • Establish security metrics of effectiveness and efficiency for senior management and leadership.

Integrate Physical Security and Information Security Research & Tools

Besides the small introduction, subscribers and consulting clients within this management domain have access to:

1. Integrate Physical Security and Information Security Storyboard – A step-by-step document that walks you through how to integrate physical security and information security.

Info-Tech provides a three-phased framework for integrating physical security and information security: Plan, Enhance, and Monitor & Optimize.

  • Integrate Physical Security and Information Security Storyboard

2. Integrate Physical Security and Information Security Requirements Gathering Tool – A tool to map organizational goals to IT goals, facilities goals, OT goals (if applicable), and integrated security goals.

This tool serves as a repository for information about security integration elements, compliance, and other factors that will influence your integration of physical security and information security.

  • Integrate Physical Security and Information Security Requirements Gathering Tool

3. Integrate Physical Security and Information Security RACI Chart Tool – A tool to identify and understand the owners of various security integration stakeholders across the organization.

Populating a RACI chart (Responsible, Accountable, Consulted, and Informed) is a critical step that will assist you in organizing roles for carrying out integration steps. Complete this tool to assign tasks to suitable roles.

  • Integrate Physical Security and Information Security RACI Chart Tool

4. Integrate Physical Security and Information Security Communication Deck – A tool to present your findings in a prepopulated document that summarizes the work you have completed.

Complete this template to effectively communicate your integrated security plan to stakeholders.

  • Integrate Physical Security and Information Security Communication Deck
[infographic]

Further reading

Integrate Physical Security and Information Security

Securing information security, physical security, or personnel security in silos may not secure much

Analyst Perspective

Ensure integrated security success with close and continual collaboration

From physical access control systems (PACS) such as electronic locks and fingerprint biometrics to video surveillance systems (VSS) such as IP cameras to perimeter intrusion detection and prevention to fire and life safety and beyond: physical security systems pose unique challenges to overall security. Additionally, digital transformation of physical security to the cloud and the convergence of operational technology (OT), internet of things (IoT), and industrial IoT (IIoT) increase both the volume and frequency of security threats.

These threats can be safety, such as the health impact when a gunfire attack downed wastewater pumps at Duke Energy Substation, North Carolina, US, in 2022. The threats can also be economic, such as theft of copper wire, or they can be reliability, such as when a sniper attack on Pacific Gas & Electric’s Metcalf Substation in California, US, damaged 17 out of 21 power transformers in 2013.

Considering the security risks organizations face, many are unifying physical, cyber, and information security systems to gain the long-term overall benefits a consolidated security strategy provides.

Ida Siahaan
Ida Siahaan

Research Director, Security and Privacy Practice
Info-Tech Research Group

Executive Summary

Your Challenge

Physical security is often managed by facilities, not by IT security, resulting in segmented security systems. Meanwhile, integrating physical and information security introduces challenges in:

  • Value proposition of investment in governing and managing integrated systems including the migration costs compared to separated security systems.
  • Addressing complex risks and vulnerabilities of an integrated security system.
  • Operationalizing on enhanced capabilities created by adoption of emerging and disruptive technologies.

Common Obstacles

Physical security systems integration is complex due to various components such as proprietary devices and protocols and hybrid systems of analog and digital technology. Thus, open architecture with comprehensive planning and design is important.

However, territorial protection by existing IT and physical security managers may limit security visibility and hinder security integration.

Additionally, integration poses challenges in staffing, training and awareness programs, and dependency on third-party technologies and their migration plans.

Info-Tech's Approach

Info-Tech’s approach is a modular, incremental, and repeatable process to integrate physical and information security that enables organizations to:

  • Determine effort and technical requirements to ensure the integration will meet the business needs.
  • Establish GRC processes including integrated risk management and compliance.
  • Design and deploy integrated security architecture.
  • Establish metrics to monitor the effectiveness and efficiency of the security program.

Info-Tech Insight

An integrated security architecture, including people, process, and technology, will improve your overall security posture. These benefits are leading many organizations to consolidate their siloed systems into a single platform across physical security, cybersecurity, HR, legal, and compliance.

Existing information security models are not comprehensive

Current security models do not cover all areas of security, especially if physical systems and personnel are involved and safety is also an important property required.

  • The CIA triad (confidentiality, integrity, availability) is a well-known information security model that focuses on technical policies related to technology for protecting information assets.
  • The US Government’s Five Pillars of Information Assurance includes CIA, authentication, and non-repudiation, but it does not cover people and processes comprehensively.
  • The AAA model, created by the American Accounting Association, has properties of authentication, authorization, and accounting but focuses only on access control.
  • Donn Parker expanded the CIA model with three more properties: possession, authenticity, and utility. This model, which includes people and processes, is known as the Parkerian hexad. However, it does not cover physical and personnel security.

CIA Triad

The CIA Triad for Information Security: Confidentiality, Integrity, Availability


Parkerian Hexad

The Parkerian Hexad for Security: Confidentiality, Possession, Utility, Availability, Authenticity and Integrity

Sources: Parker, 1998; Pender-Bey, 2012; Cherdantseva and Hilton, 2015

Adopt an integrated security model

Adopt an integrated security model which consists of information security, physical security, personnel security, and organizational security.

The security ecosystem is shifting from segregation to integration

Security ecosystem is shifting from the past proprietary model to open interfaces and future open architecture

Sources: Cisco, n.d.; Preparing for Technology Convergence in Manufacturing, Info-Tech Research Group, 2018

Physical security includes:

  • Securing physical access,
    e.g. facility access control, alarms, surveillance cameras
  • Securing physical operations
    (operational technology – OT), e.g. programmable logic controllers (PLCs), SCADA

Info-Tech Insight

Why is integrating physical and information security gaining more and more traction? Because the supporting technologies are becoming more matured. This includes, for example, migration of physical security devices to IP-based network and open architecture.

Reactive responses to physical security incidents

April 1995

Target: Alfred P. Murrah Federal Building, Oklahoma, US. Method: Bombing. Impact: Destroyed structure of 17 federal agencies, 168 casualties, over 800 injuries. Result: Creation of Interagency Security Committee (ISC) in Executive Order 12977 and “Vulnerability Assessment of Federal Facilities” standard.
(Source: Office of Research Services, 2017)

April 2013

Target: Pacific Gas & Electric’s Metcalf Substation, California, US. Method: Sniper attack. Impact: Out of 21 power transformers, 17 were damaged. Result: Creation of Senate Bill No. 699 and NERC- CIP-014 standard.
(Source: T&D World, 2023)

Sep. 2022

Target: Nord Stream gas pipelines connecting Russia to Germany, Baltic sea. Method: Detonations. Impact: Methane leaks (~300,000 tons) at four exclusive economic zones (two in Denmark and two in Sweden). Result: Sweden’s Security Service investigation.
(Source: CNBC News, 2022)

Dec. 2022

Target: Duke Energy Substation, North Carolina, US. Method: Gunfire. Impact: Power outages of ~40,000 customers and wastewater pumps in sewer lift stations down. Result: State of emergency was declared.
(Source: CBS News, 2022)

Info-Tech Insight

When it comes to physical security, we have been mostly reactive. Typically the pattern starts with physical attacks. Next, the impacted organization mitigates the incidents. Finally, new government regulatory measures or private sector or professional association standards are put in place. We must strive to change our pattern to become more proactive.

Physical security market forecast and top physical security challenges

Physical security market forecast
(in billions USD)

A forecast by MarketsandMarkets projected growth in the physical security market, using historical data from 2015 until 2019, with a CAGR of 6.4% globally and 5.2% in North America.

A forecast by MarketsandMarkets projected growth in the physical security market, using historical data from 2015 until 2019, with a CAGR of 6.4% globally and 5.2% in North America.

Source: MarketsandMarkets, 2022

Top physical security challenges

An Ontic survey (N=359) found that threat data management (40%) was the top physical security challenge in 2022, up from 33% in 2021, followed by physical security threats to the C-suite and company leadership (35%), which was a slight increase from 2021. An interesting decrease is data protection and privacy (32%), which dropped from 36% in 2021.

An Ontic survey (N=359) found that threat data management (40%) was the top physical security challenge in 2022, up from 33% in 2021, followed by physical security threats to the C-suite and company leadership (35%), which was a slight increase from 2021. An interesting decrease is data protection and privacy (32%), which dropped from 36% in 2021.

Source: Ontic Center for Protective Intelligence, 2022

Info-Tech Insight

The physical security market is growing in systems and services, especially the integration of threat data management with cybersecurity.

Top physical security initiatives and operations integration investments

We know the physical security challenges and how the physical security market is growing, but what initiatives are driving this growth? These are the top physical security initiatives and top investments for physical security operations integration:

Top physical security initiatives

The number one physical security initiative is integrating physical security systems. Other initiatives with similar concerns included data and cross-functional integration

A survey by Brivo asked 700 security professionals about their top physical security initiatives. The number one initiative is integrating physical security systems. Other initiatives with similar concerns included data and cross-functional integration.

Source: Brivo, 2022

Top investments for physical security operations integration

The number one investment is on access control systems with software to identify physical threat actors. Another area with similar concern is integration of digital physical security with cybersecurity.

An Ontic survey (N=359) on areas of investment for physical security operations integration shows the number one investment is on access control systems with software to identify physical threat actors. Another area with similar concern is integration of digital physical security with cybersecurity.

Source: Ontic Center for Protective Intelligence, 2022

Evaluate security integration opportunities with these guiding principles

Opportunity focus

  • Identify the security integration problems to solve with visible improvement possibilities
  • Don’t choose technology for technology’s sake
  • Keep an eye to the future
  • Use strategic foresight

Piece by piece

  • Avoid taking a big bang approach
  • Test technologies in multiple conditions
  • Run inexpensive pilots
  • Increase flexibility
  • Build a technology ecosystem

Buy-in

  • Collaborate with stakeholders
  • Gain and sustain support
  • Maintain transparency
  • Increase uptake of open architecture

Key Recommendations:

Focus on your master plan

Build a technology ecosystem

Engage stakeholders

Info-Tech Insight

When looking for a quick win, consider learning the best internal or external practice. For example, in 1994 IBM reorganized its security operation by bringing security professionals and non-security professionals in one single structure, which reduced costs by approximately 30% in two years.

Sources: Create and Implement an IoT Strategy, Info-Tech Research Group, 2022; Baker and Benny, 2013; Erich Krueger, Omaha Public Power District (contributor); Doery Abdou, March Networks Corporate (contributor)

Case Study

4Wall Entertainment – Asset Owner

Industry: Architecture & Engineering
Source: Interview

4Wall Entertainment is quite mature in integrating its physical and information security; physical security has always been under IT as a core competency.

4Wall Entertainment is a provider of entertainment lighting and equipment to event venues, production companies, lighting designers, and others, with a presence in 18 US and UK locations.

After many acquisitions, 4Wall Entertainment needed to standardize its various acquired systems, including physical security systems such as access control. In its integrated security approach, IT owns the integrated security, but they interface with related entities such as HR, finance, and facilities management in every location. This allows them to obtain information such as holidays, office hours, and what doors need to be accessed as inputs to the security system and to get sponsorship in budgeting.

In the past, 4Wall Entertainment tried delegating specific physical security to other divisions, such as facilities management and HR. This approach was unsuccessful, so IT took back the responsibility and accountability.

Currently, 4Wall Entertainment works with local vendors, and its biggest challenge is finding third-party vendors that can provide nationwide support.

In the future, 4Wall Entertainment envisions physical security modernization such as camera systems that allow more network accessibility, with one central system to manage and IoT device integration with SIEM and MDR.

Results

Lessons learned in integrating security from 4Wall Entertainment include:

  • Start with forming relationships with related divisions such as HR, finance, and facilities management to build trust and encourage sponsorship across management.
  • Create policies, procedures, and standards to deploy in various systems, especially when acquiring companies with low maturity in security.
  • Select third-party providers that offer the required functionalities, good customer support, and standard systems interoperability.
  • Close skill gaps by developing training and awareness programs for users, especially for newly acquired systems and legacy systems, or by acquiring expertise from consulting services.
  • Complete cost-benefit analysis for solutions on legacy systems to determine whether to keep them and create interfacing with other systems, upgrade them, or replace them entirely with newer systems.
  • Delegate maintenance of specific highly regulated systems, such as fire alarms and water sprinklers, to facilities management.
Integration of Physical and Information Security Framework. Inputs: Integrated Items, Stakeholders, and Security Components. Phases, Outcomes and Benefits: Plan, Enhance and Monitor & Optimize.

Tracking progress of physical and information security integration

Physical security is often part of facilities management. As a result, there are interdependencies with both internal departments (such as IT, information security, and facilities) and external parties (such as third-party vendors). IT leaders, security leaders, and operational leaders should keep the big picture in mind when designing and implementing integration of physical and information security. Use this checklist as a tool to track your security integration journey.

Plan

  • Engage stakeholders and justify value for the business.
  • Define roles and responsibilities.
  • Establish/update governance for integrated security.
  • Identify integrated elements and compliance obligations.

Enhance

  • Determine the level of security maturity and update security strategy for integrated security.
  • Assess and treat risks of integrated security.
  • Establish/update integrated physical and information security policies and procedures.
  • Update incident response, disaster recovery, and business continuity plan.

Monitor & Optimize

  • Identify skill requirements and close skill gaps for integrating physical and information security.
  • Design and deploy integrated security architecture and controls.
  • Establish, monitor, and report integrated security metrics on effectiveness and efficiency.

Benefits of the security integration framework

Today’s matured technology makes security integration possible. However, the governance and management of single integrated security presents challenges. These can be overcome using a multi-phased framework that enables a modular, incremental, and repeatable integration process, starting with planning to justify the value of investment, then enhancing the integrated security based on risks and open architecture. This is followed by using metrics for monitoring and optimization.

  1. Modular

    • Implementing a consolidated security strategy is complex and involves the integration of process, software, data, hardware, and network and infrastructure.
    • A modular framework will help to drive value while putting in appropriate guardrails.
  2. Incremental

    • Integration of physical security and information security involves many components such as security strategy, risk management, and security policies.
    • An incremental framework will help track, manage, and maintain each step while providing appropriate structure.
  3. Repeatable

    • Integration of physical security and information security is a journey that can be approached with a pilot program to evaluate effectiveness.
    • A repeatable framework will help to ensure quick time to value and enable immediate implementation of controls to meet operational and security requirements.

Potential risks of the security integration framework

Just as medicine often comes with side effects, our Integration of Physical and Information Security Framework may introduce risks too. However, as John F. Kennedy, thirty-fifth president of the United States, once said, "There are risks and costs to a program of action — but they are far less than the long-range cost of comfortable inaction."

Plan Phase

  • Lack of transparency in the integration process can lead to lack of trust among stakeholders.
  • Lack of support from leadership results in unclear governance or lack of budget or human resources.
  • Key stakeholders leave the organization during the engagement and their replacements do not understand the organization’s operation yet.

Enhance Phase

  • The risk assessment conducted focuses too much on IT risk, which may not always be applicable to physical security systems nor OT systems.
  • The integrated security does not comply with policies and regulations.

Monitor and Optimize Phase

  • Lack of knowledge, training, and awareness.
  • Different testing versus production environments.
  • Lack of collected or shared security metrics.

Data

  • Data quality issues and inadequate data from physical security, information security, and other systems, e.g. OT, IoT.
  • Too much data from too many tools are complex and time consuming to process.

Develop an integration of information security, physical security, and personnel security that meets your organization’s needs

Integrate security in people, process, and technology to improve your overall security posture

Having siloed systems running security is not beneficial. Many organizations are realizing the benefits of consolidating into a single platform across physical security, cybersecurity, HR, legal, and compliance.

Plan and engage stakeholders

Assemble the right team to ensure the success of your integrated security ecosystem, decide the governance model, and clearly define the roles and responsibilities.

Enhance strategy and risk management

Strategically, we want a physical security system that is interoperable with most technologies, flexible with minimal customization, functional, and integrated, despite the challenges of proprietary configurations, complex customization, and silos.

Monitor and optimize

Find the most optimized architecture that is strategic, realistic, and based on risk. Next, perform an evaluation of the security systems and program by understanding what, where, when, and how to measure and to report the relevant metrics.

Focus on master plan

Identify the security integration problems to solve with visible improvement possibilities, and don’t choose technology for technology’s sake. Design first, then conduct market research by comparing products or services from vendors or manufacturers.

Build a technology ecosystem

Avoid a big bang approach and test technologies in multiple conditions. Run inexpensive pilots and increase flexibility to build a technology ecosystem.

Deliverables

Each step of this framework is accompanied by supporting deliverables to help you accomplish your goals:

Integrate Physical Security and Information Security Requirements Gathering Tool

Map organizational goals to IT goals, facilities goals, OT goals (if applicable), and integrated security goals. Identify your security integration elements and compliance.

Integrate Physical Security and Information Security RACI Chart Tool

Identify various security integration stakeholders across the organization and assign tasks to suitable roles.

Key deliverable:

Integrate Physical Security and Information Security Communication Deck

Present your findings in a prepopulated document that summarizes the work you have completed.

Plan

Planning is foundational to engage stakeholders. Start with justifying the value of investment, then define roles and responsibilities, update governance, and finally identify integrated elements and compliance obligations.

Plan

Engage stakeholders

  • To initiate communication between the physical and information security teams and other related divisions, it is important to identify the entities that would be affected by the security integration and involve them in the process to gain support from planning to delivery and maintenance.
  • Possible stakeholders:
    • Executive leadership, Facilities Management leader and team, IT leader, Security & Privacy leader, compliance officer, Legal, Risk Management, HR, Finance, OT leader (if applicable)
  • A successful security integration depends on aligning your security integration initiatives and migration plan to the organization’s objectives by engaging the right people to communicate and collaborate.

Info-Tech Insight

It is important to speak the same language. Physical security concerns safety and availability, while information security concerns confidentiality and integrity. Thus, the two systems have different goals and require alignment.

Similarly, taxonomy of terminologies needs to be managed,1 e.g. facility management with an emergency management background may have a different understanding from a CISO with an information security background when discussing the same term. For example:

In emergency management prevention means “actions taken to eliminate the impact of disasters in order to protect lives, property and the environment, and to avoid economic disruption.”2

In information security prevention is “preventing the threats by understanding the threat environment and the attack surfaces, the risks, the assets, and by maintaining a secure system.”3

Sources: 1 Owen Yardley, Omaha Public Power District (contributor); 2 Translation Bureau, Government of Canada, n.d.; 3 Security Intelligence, 2020


Map organizational goals to integrated security goals

Input

  • Corporate, IT, and Facilities strategies

Output

  • Your goals for the integrated security strategy

Materials

  • Integrate Physical Security and Information Security Requirements Gathering Tool

Participants

  • Executive leadership
  • Facilities Management leader and team
  • IT leader
  • Security & Privacy leader
  • Compliance officer
  • Legal
  • Risk Management
  • HR & Finance
  • OT leader (if applicable)
  1. As a group, brainstorm organization goals.
    • Review relevant corporate, IT, and facilities strategies.
  2. Record the most important business goals in the “Goals Cascade” tab of the Integrate Physical Security and Information Security Requirements Gathering Tool. Try to limit the number of business goals to no more than ten goals. This limitation will be critical to helping focus on your integrated security goals.
  3. For each goal, identify one to two security alignment goals. These should be objectives for the security strategy that will support the identified organization goals.

Download the Integrate Physical Security and Information Security Requirements Gathering Tool.

Record organizational goals

A table to identify Organization, IT, OT(if applicable), Facilities, and Security Goals Definitions.

Refer to the Integration of Physical and Information Security Framework when filling in the table.

  1. Record your identified organizational goals in the “Goals Cascade” tab of the Integrate Physical Security and Information Security Requirements Gathering Tool.
  2. For each organizational goal, identify IT alignment goals.
  3. For each organizational goal, identify OT alignment goals (if applicable).
  4. For each organizational goal, identify Facilities alignment goals.
  5. For each organizational goal, select an integrated security goal from the drop-down menu.

Justify value for the business

Facilities in most cases have a team that is responsible for physical security installations such as access key controllers. Whenever there is an issue, they contact the provider to fix the error. However, with smart buildings and smart devices, the threat surface grows to include information security threats, and Facilities may not possess the knowledge and skills required to deal with them. At the same time, delegating physical security to IT may add more tasks to their already-too-long list of responsibilities. Consolidating security to a focused security team that covers both physical and information security can help.1 We need to develop the security integration business case beyond physical security "gates, guns, and guards" mentality.2

An example of a cost-benefit analysis for security integration:

Benefits

Metrics

Operational Efficiency and Cost Savings

  • Reduction in deployment, maintenance, and staff time in manual operations of physical security devices such as logs collection from analog cameras to be automated into digital.
  • Reduction in staffing costs by bringing physical security SOC and information security SOC in one single structure.

Reliability Improvements

  • Reduction in field crew time by identifying hardware that can be virtualized to have a centralized remote control.
  • Improvement of operating reliability through continuous and real-time monitoring of equipment such as door access control systems and camera surveillance systems.

Customers & Users Benefits

  • Improvement of customer safety for essential services such as access to critical locations only by authorized personnel.
  • Improvement of reliability of services and address human factor in adoption of change by introducing change as a friendly activity.

Cost

Metrics

Equipment and Infrastructure

  • Upgrade of existing physical security equipment, e.g. replacement of separated access control, video management system (VMS), and physical access control system (PACS) with a unified security platform.
  • Implementation of communication network equipment and labor to install, configure, and maintain the new network component.

Software and Commission

  • The software and maintenance fee as well as upgrade implementation project cost.
  • Labor cost of field commissioning and troubleshooting.
  • Integration with security systems, e.g. event and log management, continuous monitoring, and investigation.

Support and Resources

  • Cost to hire/outsource security FTEs for ongoing management and operation of security devices, e.g. SOC, MSSP.
  • Cost to hire/outsource FTEs to analyze, design, and deploy the integrated security architecture, e.g. consulting fee.

Sources: 1 Andrew Amaro, KLAVAN Security Services (contributor); 2 Baker and Benny, 2013;
Industrial Control System Modernization, Info-Tech Research Group, 2023; Lawrence Berkeley National Laboratory, 2021

Plan

Define roles and responsibilities

Input

  • List of relevant stakeholders

Output

  • Roles and responsibilities for the integration of physical and information security program

Materials

  • Integrate Physical Security and Information Security RACI Chart Tool

Participants

  • Executive leadership
  • Facilities Management leader and team
  • HR & Finance
  • IT leader and team
  • OT leader and team
  • Security & Privacy leader and team

Many factors impact an organization’s level of effectiveness as it relates to integration of physical and information security. How the team interacts, what skill sets exist, the level of clarity around roles and responsibilities, and the degree of executive support and alignment are only a few. Thus, we need to identify stakeholders that are:

  • Responsible: The person(s) who does the work to accomplish the activity; they have been tasked with completing the activity and/or getting a decision made.
  • Accountable: The person(s) who is accountable for the completion of the activity. Ideally, this is a single person and is often an executive or program sponsor.
  • Consulted: The person(s) who provides information. This is usually several people, typically called subject matter experts (SMEs).
  • Informed: The person(s) who is updated on progress. These are resources that are affected by the outcome of the activities and need to be kept up to date.

Download the Integrate Physical Security and Information Security RACI Chart Tool

Define RACI chart

Define Responsible, Accountable, Consulted, Informed (RACI) stakeholders.

  1. Customize the Work Units to best reflect your operation with applicable stakeholders.
  2. Customize the Action rows as required.

Integrate Physical Security and Information Security RACI Chart

Sources: ISC, 2015; ISC, 2021

Info-Tech Insight

The roles and responsibilities should be clearly defined. For example, IT Security should be responsible for the installation and configuration of all physical access controllers and devices, and facility managers should be responsible for the physical maintenance including malfunctioning such as access device jammed or physically broken.

Plan

Establish/update governance for integrated security

HR & Finance

HR provides information such as new hires and office hours as input to the security system. Finance assists in budgeting.

Security & Privacy

The security and privacy team will need to evaluate solutions and enforce standards on various physical and information security systems and to protect data privacy.

Business Leaders

Business stakeholders will provide clarity for their strategy and provide input into how they envision security furthering those goals.

IT Executives

IT stakeholders will be a driving force, ensuring all necessary resources are available and funded.

Facilities/ Operations

Operational plans will include asset management, monitoring, and support to meet functional goals and manage throughout the asset lifecycle.

Infrastructure & Enterprise Architects

Each solution added to the environment will need to be chosen and architected to meet business goals and security functions.

Info-Tech Insight

Assemble the right team to ensure the success of your integrated security ecosystem and decide the governance model, e.g. security steering committee (SSC) or a centralized single structure.

Adapted from Create and Implement an IoT Strategy, Info-Tech Research Group, 2022

What does the SSC do?

Ensuring proper governance over your security program is a complex task that requires ongoing care and feeding from executive management to succeed.

Your SSC should aim to provide the following core governance functions for your security program:

  1. Define Clarity of Intent and Direction

    How does the organization’s security strategy support the attainment of the business, IT, facilities management, and physical and information security strategies? The SSC should clearly define and communicate strategic linkage and provide direction for aligning security initiatives with desired outcomes.
  2. Establish Clear Lines of Authority

    Security programs contain many important elements that need to be coordinated. There must be clear and unambiguous authority, accountability, and responsibility defined for each element so lines of reporting/escalation are clear and conflicting objectives can be mediated.
  3. Provide Unbiased Oversight

    The SSC should vet the organization’s systematic monitoring processes to ensure there is adherence to defined risk tolerance levels and that monitoring is appropriately independent from the personnel responsible for implementing and managing the security program.
  4. Optimize Security Value Delivery

    Optimized value delivery occurs when strategic objectives for security are achieved and the organization’s acceptable risk posture is attained at the lowest possible cost. This requires constant attention to ensure controls are commensurate with any changes in risk level or appetite.

Adapted from Improve Security Governance With a Security Steering Committee , Info-Tech Research Group, 2018

Plan

Identify integrated elements and compliance obligations

To determine what elements need to be integrated, it’s important to scope the security integration program and to identify the consequences of integration for compliance obligations.

INTEGRATED ELEMENTS

What are my concerns?

Process integrations

Determine which processes need to be integrated and how

  • Examples: Security prevention, detection, and response; risk assessment

Software and data integration

Determine which software and data need to be integrated and how

  • Examples: Threat management tools, SIEM, IDPS, security event logs

Hardware integration

Determine which hardware needs to be integrated and how

  • Examples: Sensors, alarms, cameras, keys, locks, combinations, and card readers

Network and infrastructure

Determine which network and infrastructure components need to be integrated and how

  • Example: Network segmentation for physical access controllers.

COMPLIANCE

How can I address my concerns?

Regulations

Adhere to mandatory laws, directives, industry standards, specific contractual obligations, etc.

  • Examples: NERC CIP (North American Utilities), Network and Information Security (NIS) Directive (EU), Health and Safety at Work etc Act 1974 (UK), Occupational Safety and Health Act, 1970 (US), Emergency Management Act, 2007 (Canada)

Standards

Adhere to voluntary standards and obligations

  • Examples: NIST Cybersecurity Framework (CSF), The Risk Management Process for Federal Facilities: An Interagency Security Committee Standard (US), Cybersecurity Maturity Model Certification (CMMC), Service Organization Control (SOC 1 and 2)

Guidelines

Adopt guidelines that can improve the integrated security program

  • Examples: Best Practices for Planning and Managing Physical Security Resources (US Interagency Security Committee), Information Security Manual - Guidelines for Physical Security (Australian Cyber Security Centre), 1402-2021-Guide for Physical Security of Electric Power Substations (IEEE)

Record integrated elements

Scope and Boundaries from the Integrate Physical Security and Information Security Requirements Gathering Tool.

Refer to the “Scope” tab of the Integrate Physical Security and Information Security Requirements Gathering Tool when filling in the following elements.

  1. Record your integrated elements, i.e. process integration, software and data integration, hardware integration, network and infrastructure, and physical scope of your security integration, in the “Scope” tab of the Integrate Physical Security and Information Security Requirements Gathering Tool.
  2. For each of your scoping give the rationale for including them in the Comments column. Careful attention should be paid to any elements that are not in scope.

Record your compliance obligations

Refer to the “Compliance Obligations” tab of the Integrate Physical Security and Information Security Requirements Gathering Tool.

  1. Identify your compliance obligations. These can include both mandatory and voluntary obligations. Mandatory obligations include:
    • Laws
    • Government regulations
    • Industry standards
    • Contractual agreements
    Voluntary obligations include standards that the organization has chosen to follow for best practices and any obligations that are required to maintain certifications. Organizations will have many different compliance obligations. For the purposes of your integrated security, include those that include physical security requirements.
  2. Record your compliance obligations, along with any notes, in your copy of the Integrate Physical Security and Information Security Requirements Gathering Tool.
  3. Refer to the “Compliance DB” tab for lists of standards/regulations/ guidelines.
The “Compliance Obligations” tab of the Integrate Physical Security and Information Security Requirements Gathering Tool.

Remediate third-party compliance gaps

If you have third-party compliance gaps, there are four primary ways to eliminate them:

  1. Find a New, Compliant Partner

    Terminate existing contract and find another organization to partner with.
  2. Bring the Capability In-House

    Expense permitting, this may be the best way to protect yourself.
  3. Demand Compliance

    Tell the third party they must become compliant. Make sure you set a deadline.
  4. Accept Noncompliance and Assume the Risk

    Sometimes remediation just isn’t cost effective and you have no choice.

Follow Contracting Best Practices to Mitigate the Risk of Future Third-Party Compliance Gaps

  1. Perform Initial Due Diligence: Request proof of third-party compliance prior to entering into a contract.
  2. Perform Ongoing Due Diligence: Request proof of third-party contractor compliance annually.
  3. Contract Negotiation: Insert clauses requesting periodic assertions of compliance.

View a sample contract provided by the US Department of Health and Human Services.

Source: Take Control of Compliance Improvement to Conquer Every Audit, Info-Tech Research Group, 2015

Pitfalls to avoid when planning security integration

  • No Resources Lineups

    Integration of security needs support from leadership, proper planning, and clear and consistent communication across the organization.
  • Not Addressing Holistic Security

    Create policies and procedures and follow standards that are holistic and based on threats and risks, e.g. consolidated access control policies.
  • Lack of Governance

    While the IT department is a critical partner in cybersecurity, the ownership of such a role sits squarely in the organizational C-suite, with regular reporting to the board of directors (if applicable).
  • Overlooking Business Continuity Effort

    IT and physical security are integral to business continuity and disaster recovery strategies.
  • Not Having Relevant Training and Awareness

    Provide a training and awareness program based on relevant attack vectors. Trained employees are key assets to the development of a safe and secure environment. They must form the base of your security culture.
  • Overbuilding or Underbuilding

    Select third-party providers that offer systems interoperability with other security tools. The intent is to promote a unified approach to security to avoid a cumbersome tooling zoo.

Sources: Real Time Networks, 2022; Andrew Amaro, KLAVAN Security Services (contributor)

Enhance

Enhancing is the development of an integrated security strategy, policies, procedures, BCP, DR, and IR based on the organization’s risks.

Enhance

Determine the level of security maturity and update the security strategy

  • Before updating your security strategies, you need to understand the organization’s business strategies, IT strategies, facilities strategies, and physical and information security strategies. The goal is to align your integrated security strategies to contribute to your organization’s success.
  • The integrated security leaders need to understand the direction of the organization. For example:
    • Growth expectation
    • Expansions or mergers anticipation
    • Product or service changes
    • Regulatory requirements
  • Wise security investments depend on aligning your security initiatives to the organization’s objectives by supporting operational performance and ensuring brand protection and shareholder values.
Integrated security strategies. Consists of an organization’s business strategies, IT strategies, facilities strategies, and physical and information security strategies.

Sources: Amy L. Meger, Platte River Power Authority (contributor); Baker and Benny, 2013; IFSEC Global, 2023; Security Priorities 2023, Info-Tech Research Group, 2023; Build an Information Security Strategy, Info-Tech Research Group, 2020; ISC, n.d.

Understanding security maturity

Maturity models are very effective for determining security states. This table provides examples of general descriptions for physical and information security maturity levels.

Determine which framework is suitable and select the description that most accurately reflects the ideal state for security in your organization.

Level 1

Level 2

Level 3

Level 4

Level 5

Minimum security with simple physical barriers. Low-level security to prevent and detect some unauthorized external activity. Medium security to prevent, detect, and assess most unauthorized external activity and some unauthorized internal activity. High-level security to prevent, detect, and assess most unauthorized external and internal activity. Maximum security to prevent, detect, assess, and neutralize all unauthorized external and internal activity.

Physical security maturity level1

Initial/Ad hoc security programs are reactive. Developing security programs can be effective at what they do but are not holistic. A defined security program is holistic, documented, and proactive. Managed security programs have robust governance and metrics processes. An optimized security program is based on strong risk management practices, including the production of key risk indicators (KRIs).

Information security maturity level2

Sources: 1 Fennelly, 2013; 2 Build an Information Security Strategy, Info-Tech Research Group, 2020

Enhance

Assess and treat integrated security risks

The risk assessment conducted consists of analyzing existing inherent risks, existing pressure to the risks such as health and safety laws and codes of practice, new risks from the integration process, risk tolerance, and countermeasures.

  • Some organizations already integrate security into corporate security that consists of risk management, compliance, governance, information security, personnel security, and physical security. However, some organizations are still separating security components, especially physical security and information security, which limits security visibility and the organization’s ability to complete a comprehensive risks assessment.
  • Many vendors are also segregating physical security and information security solutions because their tools do well only on certain aspects. This forces organizations to combine multiple tools, creating a complex environment.
  • Additionally, risks related to people such as mental health issues must be addressed properly. The prevalence of hybrid work post-pandemic makes this aspect especially important.
  • Assess and treat risks based on the organization’s requirements, including its environments. For example, the US federal facility security organization is required to conduct risk assessments at least every five years for Level I (lowest risk) and Level II facilities and at least every three years for Level III, IV, and V (highest risk) facilities.

Sources: EPA, n.d.; America's Water Infrastructure Act (AWIA), 2018; ISC, 2021

“In 2022, 95% of US companies are consolidating into a single platform across physical security, cybersecurity, HR, legal and compliance.”

Source: Ontic Center for Protective Intelligence, 2022; N=359

Example risk levels

The risk assessment conducted is based on a combination of physical and information security factors such as certain facilities factors. The risk level can be used to determine the baseline level of protection (LOP). Next, the baseline LOP is customized to the achievable LOP. The following is an example for federal facilities determined by Interagency Security Committee (ISC).

Risk factor, points and score. Facility security level (FSL), level of risk, and baseline level of protection.

Source: ISC, 2021

Example assets

It is important to identify the organization’s requirements, including its environments (IT, IoT, OT, facilities, etc.), and to measure and evaluate its risks and threats using an appropriate risk framework and tools with the critical step of identifying assets prior to acquiring solutions.

Organizational requirements including its environments(IT, loT, OT, facilities, etc.)

Info-Tech Insight

Certain exceptions must be identified in risk assessment. Usually physical barriers such as gates and intrusion detection sensors are considered as countermeasures,1 however, under certain assessment, e.g. America's Water Infrastructure Act (AWIA),2 physical barriers are also considered assets and as such must also be assessed.

Compromising a fingerprint scanner

An anecdotal example of why physical security alone is not sufficient.

Biometrics: secure access and data security.

Image by Rawpixel.com on Freepik

Lessons learned from using fingerprints for authentication:

  • Fingerprint scanners can be physically circumvented by making a copy an authorized user’s fingerprint with 3D printing or even by forcefully amputating an authorized user’s finger.
  • Authorized users may not be given access when the fingerprint cannot be recognized, e.g. if the finger is covered by bandage due to injury.
  • Integration with information security may help detect unauthorized access, e.g. a fingerprint being scanned in a Canadian office when the same user was scanned at a close time interval from an IP in Europe will trigger an alert of a possible incident.

Info-Tech Insight

In an ideal world, we want a physical security system that is interoperable with all technologies, flexible with minimal customization, functional, and integrated. In the real world, we may have physical systems with proprietary configurations that are not easily customized and siloed.

Source: Robert Dang, Info-Tech Research Group

Use case: Microchip implant

Microchip implants can be used instead of physical devices such as key cards for digital identity and access management. Risks can be assessed using quantitative or qualitative approaches. In this use case a qualitative approach is applied to impact and likelihood, and a quantitative approach is applied to revenue and cost.

Asset: Microchip implant

Benefits

Impact

  • Improve user satisfaction by removing the need to carry key cards, IDs, etc.
  • Improve operating reliability by reducing the likelihood of losing physical devices such as key cards.
  • Improve reliability of services through continuous and real-time connection with other systems such as payment system.

Likelihood

  • Improve user satisfaction: High
  • Improve operating reliability: High
  • Improve reliability of services: High

Revenue

  • Acquire new customers or retain existing customers by making daily lives easier with no need to carry key cards, IDs, etc.
  • Cost reduction in staffing of security personnel, e.g. reducing the staffing of building guards or receptionist.

Risks

Impact

  • Security: issues such as biohacking of wearable technology and interconnected devices.
  • Safety: issues such as infections or reactions in the body's immune system.
  • Privacy: issues such as unauthorized surveillance and tracking of activities.

Likelihood

  • Biohacking: Medium
  • Infections: Low
  • Surveillance: High

Cost

  • Installation costs and hardware costs.
  • Overall lifecycle cost including estimated software and maintenance costs.
  • Estimated cost of training and estimated increase in productivity.

Sources: Business Insider, 2018; BBC News, 2022; ISC, 2015

Enhance

Update integrated security policies and procedures

Global policies with local implementation

This model works for corporate groups with a parent company. In this model, global security policies are developed by a parent company and local policies are applied to the unique business that is not supported by the parent company.

Update of existing security policies

This model works for organizations with sufficient resources. In this model, integrated security policies are derived from various policies. For example, physical security in smart buildings/devices (sensors, automated meters, HVAC, etc.) and OT systems (SCADA, PLCs, RTUs, etc.) introduce unique risk exposures, necessitating updates to security policies.

Customization of information security policies

This model works for smaller organizations with limited resources. In this model, integrated security policies are derived from information security policies. The issue is when these policies are not applicable to physical security systems or other environments, e.g. OT systems.

Sources: Kris Krishan, Waymo (contributor); Isabelle Hertanto, Info-Tech Research Group (contributor); Physical and Environmental Security Policy Template, Info-Tech Research Group, 2022.

Enhance

Update BCP, DR, IR

  • Physical threats such as theft of material, vandalism, loitering, and the like are also part of business continuity threats.
  • These threats can be carried out by various means such as vehicles breaching perimeter security, bolt cutters used for cutting wire and cable, and ballistic attack.
  • Issues may occur when security operations are owned separately by physical security or information security, thus lacking consistent application of best practices.
  • To overcome this issue, organizations need to update BCP, DR, and IR holistically based on a cost-benefit analysis and the level of security maturity, which can be defined based on the suitable framework.

Sources: IEEE, 2021; ISC, 2021

“The best way to get management excited about a disaster plan is to burn down the building across the street.”

Source: Dan Erwin, Security Officer, Dow Chemical Co., in Computerworld, 2022

Optimize

Optimizing means working to make the most effective and efficient use of resources, starting with identifying skill requirements and closing skill gaps, followed by designing and deploying integrated security architecture and controls, and finally monitoring and reporting integrated security metrics.

Optimize

Identify skill requirements and close skill gaps

  • The pandemic changed how people work and where they choose to work, and most people still want a hybrid work model. Our survey in July 2022 (N=516) found that 55.8% of employees have the option to work offsite 2-3 days per week, 21.0% can work offsite 1 day per week, and 17.8% can work offsite 4 days per week.
  • The investment (e.g. on infrastructure and networks) to initiate remote work was huge, and the costs didn’t end there; organizations needed to maintain the secure remote work infrastructure to facilitate the hybrid work model.
  • Moreover, roles are evolving due to convergence and modernization. These new roles require an integrative skill set. For example, the grid security and ops team might consist of an IT security specialist, a SCADA technician/engineer, and an OT/IIOT security specialist, where OT/IIOT security specialist is a new role.
Identify skill gaps that hinder the successful execution of the hybrid work security strategy. Use the identified skill gaps to define the technical skill requirements for current and future work roles. Conduct a skills assessment on your current workforce to identify employee skill gaps. Decide whether to train (including certification), hire, contract, or outsource to close each skill gap.

Strategic investment in internal security team

Internal security governance and management using in-house developed tools or off-the-shelf solutions, e.g. security information and event management (SIEM).

Security management using third parties

Internal security management using third-party security services, e.g. managed security service providers (MSSPs).

Outsourcing security management

Outsourcing the entire security functions, e.g. using managed detection and response (MDR).

Sources: Info-Tech Research Group’s Security Priorities 2023, Close the InfoSec Skills Gap, Build an IT Employee Engagement Program, and Grid Modernization

Select the right certifications

What are the options?

  • One issue in security certification is the complexity of relevancy in topics with respect to roles and levels.
  • The European Union Agency for Cybersecurity (ENISA) takes the approach of analyzing existing certifications of ICS/SCADA professionals' cybersecurity skills by orientation, scope, and supporting bodies that are grouped into specific certifications, relevant certifications, and safety certifications (ENISA, 2015).
  • This approach can also be applied to integrated security certifications.

Physical security certification

  • Examples: Industrial Security Professional Certification (NCMS-ISP); Physical Security Professional (ASIS-PSP); Physical Security Certification (CDSE-PSC); ISC I-100, I-200, I-300, and I-400

Cyber physical system security certification

  • Examples: Certified SCADA Security Architect (CSSA), EC-Council ICS/SCADA Cybersecurity Training Course

Information security certification

  • Examples: Network and Information Security (NIS) Driving License, ISA/IEC 62443 Cybersecurity Certificate Program, GIAC Global Industrial Cyber Security Professional (GICSP)

Safety Certifications

  • Examples: Board of Certified Safety Professionals (BCSP), European Network of Safety and Health Professional Organizations (ENSHPO)
Table showing options for Certification orientation, scope and supporting bodies.

Optimize

Design and deploy integrated security architecture and controls

  • A survey by Brivo found that 38% of respondents have partly centralized security platforms, 25% have decentralized platforms, and 36% have centralized platforms (Brivo, 2022; N=700).
  • If your organization’s security program is still decentralized or partly centralized and your organization is planning to establish an integrated security program, then the recommendation is to perform a holistic risk assessment based on probability and impact assessments on threats and vulnerabilities.
  • The impacted factors, for example, are customers served, criticality of services, equipment present inside the building, personnel response time for operational recovery and the mitigation of hazards, and costs.
  • Frameworks such as Sherwood Applied Business Security Architecture (SABSA), Control Objectives for Information and Related Technologies (COBIT), and The Open Group Architecture Framework (TOGAF) can be used to build security architecture that aligns security goals with business goals.
  • Finally, analyze the security design against the design criteria.

Sources: ISA and Honeywell Integrated Security Technology Lab, n.d.; IEEE, 2021

“As long as organizations treat their physical and cyber domains as separate, there is little hope of securing either one.”

Source: FedTech magazine, 2009

Analyze architecture design

Cloud, on-premises, or hybrid? During the pandemic, many enterprises were under tight deadlines to migrate to the cloud. Many did not refactor data and applications correctly for cloud platforms during migration, with the consequence of high cloud bills. This happened because the migrated applications cannot take advantage of on-premises capabilities such as autoscaling. Thus, in 2023, it is plausible that enterprises will bring applications and data back on-premises.

Below is an example of a security design analysis of platform architecture. Design can be assessed using quantitative or qualitative approaches. In this example, a qualitative approach is applied using high-level advantages and disadvantages.

Design criteria

Cloud

Hybrid

On-premises

Effort

Consumer effort is within a range, e.g. < 60%

Consumer effort is within a range e.g. < 80%

100% organization

Reliability

High reliability

High reliability

Medium reliability that depends on data centers

Cost

High cost when data and applications are not correctly designed for cloud

Optimized cost when data and applications are correctly designed either for cloud or native

Medium cost when data and applications take advantage of on-prem capabilities

Info-Tech Insight

It is important for organizations to find the most optimized architecture to support them, for example, a hybrid architecture of cloud and on-premises based on operations and cost-effectiveness. To help design a security architecture that is strategic, realistic, and based on risk, see Info-Tech’s Identify the Components of Your Cloud Security Architecture research.

Sources: InfoWorld, 2023; Identify the Components of Your Cloud Security Architecture , Info-Tech Research Group, 2021

Analyze equipment design

Below is an example case of a security design analysis of electronic security systems. Design can be assessed using quantitative or qualitative approaches. In this example a qualitative approach is applied using advantages and disadvantages.

Surveillance design criteria

Video camera

Motion detector

Theft of security system equipment

Higher economic loss Lower economic loss

Reliability

Positive detection of intrusion Spurious indication and lower reliability

Energy savings and bandwidth

Only record when motion is detected Detect and process all movement

Info-Tech Insight

Once the design has been analyzed, the next step is to conduct market research to analyze the solutions landscape, e.g. to compare products or services from vendors or manufacturers.

Sources: IEEE, 202; IEC, n.d.; IEC, 2013

Analyze off-the-shelf solutions

Criteria to consider when comparing solutions:

Criteria to consider when comparing solutions: 1 - Visibility and asset management. 2 - Threat detection, mitigation and response. 3 - Risk assessment and vulnerability management. 4 - Usability, architecture, Cost.

Visibility and Asset Management

Passively monitoring data using various protocol layers, actively sending queries to devices, or parsing configuration files of physical security devices, OT, IoT, and IT environments on assets, processes, and connectivity paths.

Threat Detection, Mitigation, and Response (+ Hunting)

Automation of threat analysis (signature-based, specification-based, anomaly-based, flow-based, content-based, sandboxing) not only in IT but also in relevant environments, e.g. physical, IoT, IIoT, and OT on assets, data, network, and orchestration with threat intelligence sharing and analytics.

Risk Assessment and Vulnerability Management

Risk scoring approach (qualitative, quantitative) based on variables such as behavioral patterns and geolocation. Patching and vulnerability management.

Usability, Architecture, Cost

The user and administrative experience, multiple deployment options, extensive integration capabilities, and affordability.

Source: Secure IT/OT Convergence, Info-Tech Research Group, 2022

Optimize

Establish, monitor, and report integrated security metrics

Security metrics serve various functions in a security program.1 For example:

  • As audit requirements. For integrated security, the requirements are derived from mandatory or voluntary compliance, e.g. NERC CIP.
  • As an indicator of maturity level. For integrated security, maturity level is used to measure the state of security, e.g. C2M2, CMMC.
  • As a measurement of effectiveness and efficiency. Security metrics consist of operational metrics, financial metrics, etc.

Safety

Physical security interfaces with the physical world. Thus, metrics based on risks related to safety are crucial. These metrics motivate personnel by making clear why they should care about security.
Source: EPRI, 2017

Business Performance

The impact of security on the business can be measured with various metrics such as operational metrics, service level agreements (SLAs), and financial metrics.
Source: BMC, 2022

Technology Performance

Early detection leads to faster remediation and less damage. Metrics such as maximum tolerable downtime (MTD) and mean time to recovery (MTR) indicate system reliability.
Source: Dark Reading, 2022

Security Culture

Measure the overall quality of security culture with indicators such as compliance and audit, vulnerability management, and training and awareness.

Info-Tech Insight

Security failure can be avoided by evaluating the security systems and program. Security evaluation requires understanding what, where, when, and how to measure and to report the relevant metrics.

Related Info-Tech Research

Secure IT/OT Convergence

The previously entirely separate OT ecosystem is migrating into the IT ecosystem, primarily to improve access via connectivity and to leverage other standard IT capabilities for economic benefit.

Hence, IT and OT need to collaborate, starting with communication to build trust and to overcome their differences and followed by negotiation on components such as governance and management, security controls on OT environments, compliance with regulations and standards, and establishing metrics for OT security.

Preparing for Technology Convergence in Manufacturing

Information technology (IT) and operational technology (OT) teams have a long history of misalignment and poor communication.

Stakeholder expectations and technology convergence create the need to leave the past behind and build a culture of collaboration.

Build an Information Security Strategy

Info-Tech has developed a highly effective approach to building an information security strategy – an approach that has been successfully tested and refined for over seven years with hundreds of organizations.

This unique approach includes tools for ensuring alignment with business objectives, assessing organizational risk and stakeholder expectations, enabling a comprehensive current-state assessment, prioritizing initiatives, and building a security roadmap.

Bibliography

"1402-2021 - IEEE Guide for Physical Security of Electric Power Substations." IEEE, 2021. Accessed 25 Jan. 2023.

"2022 State of Protective Intelligence Report." Ontic Center for Protective Intelligence, 2022. Accessed 16 Jan. 2023.

"8 Staggering Statistics: Physical Security Technology Adoption." Brivo, 2022. Accessed 5 Jan. 2023.

"America's Water Infrastructure Act of 2018." The United States' Congress, 2018. Accessed 19 Jan. 2023.

Baker, Paul and Daniel Benny. The Complete Guide to Physical Security. Auerbach Publications. 2013

Bennett, Steve. "Physical Security Statistics 2022 - Everything You Need to Know." WebinarCare, 4 Dec. 2022. Accessed 30 Dec. 2022.

"Best Practices for Planning and Managing Physical Security Resources: An Interagency Security Committee Guide." Interagency Security Committee (ISC), Dec. 2015. Accessed 23 Jan. 2023.

Black, Daniel. "Improve Security Governance With a Security Steering Committee." Info-Tech Research Group, 23 Nov. 2018. Accessed 30 Jan. 2023.

Borg, Scott. "Don't Put Up Walls Between Your Security People." FedTech Magazine, 17 Feb. 2009. Accessed 15 Dec. 2022.

Burwash, John. “Preparing for Technology Convergence in Manufacturing.” Info-Tech Research Group, 12 Dec. 2018. Accessed 7 Dec. 2022.

Carney, John. "Why Integrate Physical and Logical Security?" Cisco. Accessed 19 Jan. 2023.

"Certification of Cyber Security Skills of ICS/SCADA Professionals." European Union Agency for Cybersecurity (ENISA), 2015. Accessed 27 Sep. 2022.

Cherdantseva, Yulia and Jeremy Hilton. "Information Security and Information Assurance. The Discussion about the Meaning, Scope and Goals." Organizational, Legal, and Technological Dimensions of IS Administrator, Almeida F., Portela, I. (eds.), pp. 1204-1235. IGI Global Publishing, 2013.

Cobb, Michael. "Physical security." TechTarget. Accessed 8 Dec. 2022.

“Conduct a Drinking Water or Wastewater Utility Risk Assessment.” United States Environmental Protection Agency (EPA), n.d. Web.

Conrad, Sandi. "Create and Implement an IoT Strategy." Info-Tech Research Group, 28 July 2022. Accessed 7 Dec. 2022.

Cooksley, Mark. "The IEC 62443 Series of Standards: A Product Manufacturer's Perspective." YouTube, uploaded by Plainly Explained, 27 Apr. 2021. Accessed 26 Aug. 2022.

"Cyber and physical security must validate their value in 2023." IFSEC Global, 12 Jan. 2023. Accessed 20 Jan. 2023.

"Cybersecurity Evaluation Tool (CSET®)." Cybersecurity and Infrastructure Security Agency (CISA). Accessed 23 Jan. 2023.

"Cybersecurity Maturity Model Certification (CMMC) 2.0." The United States' Department of Defense (DOD), 2021. Accessed 29 Dec. 2022.

“Cyber Security Metrics for the Electric Sector: Volume 3.” Electric Power Research Institute (EPRI), 2017.

Czachor, Emily. "Mass power outage in North Carolina caused by gunfire, repairs could take days." CBS News, 5 Dec. 2022. Accessed 20 Jan. 2023.

Dang, Robert, et al. “Secure IT/OT Convergence.” Info-Tech Research Group, 9 Dec. 2022. Web.

"Emergency Management Act (S.C. 2007, c. 15)." The Government of Canada, 2007. Accessed 19 Jan. 2023.

"Emergency management vocabulary." Translation Bureau, Government of Canada. Accessed 19 Jan. 2023.

Fennelly, Lawrence. Effective physical security. Butterworth-Heinemann, 2013.

Ghaznavi-Zadeh, Rassoul. "Enterprise Security Architecture - A Top-down Approach." The Information Systems Audit and Control Association (ISACA). Accessed 25 Jan. 2023.

"Good Practices for Security of Internet of Things." European Union Agency for Cybersecurity (ENISA), 2018. Accessed 27 Sep. 2022.

"Health and Safety at Work etc Act 1974." The United Kingdom Parliament. Accessed 23 Jan. 2023.

Hébert, Michel, et al. “Security Priorities 2023.” Info-Tech Research Group, 1 Feb. 2023. Web.

"History and Initial Formation of Physical Security and the Origin of Authority." Office of Research Services (ORS), National Institutes of Health (NIH). March 3, 2017. Accessed 19 Jan. 2023.

"IEC 62676-1-1:2013 Video surveillance systems for use in security applications - Part 1-1: System requirements - General." International Electrotechnical Commission (IEC), 2013. Accessed 9 Dec. 2022.

"Incident Command System (ICS)." ICS Canada. Accessed 17 Jan. 2023.

"Information Security Manual - Guidelines for Physical Security." The Australian Cyber Security Centre (ACSC), Dec. 2022. Accessed 13 Jan. 2023.

"Integrated Physical Security Framework." Anixter. Accessed 8 Dec. 2022.

"Integrating Risk and Security within a TOGAF® Enterprise Architecture." TOGAF 10, The Open Group. Accessed 11 Jan. 2023.

Latham, Katherine. "The microchip implants that let you pay with your hand." BBC News, 11 Apr. 2022. Accessed 12 Jan. 2023.

Linthicum, David. "2023 could be the year of public cloud repatriation." InfoWorld, 3 Jan. 2023. Accessed 10 Jan. 2023.

Ma, Alexandra. "Thousands of people in Sweden are embedding microchips under their skin to replace ID cards." Business Insider, 14 May 2018. Accessed 12 Jan. 2023.

Mendelssohn, Josh and Dana Tessler. "Take Control of Compliance Improvement to Conquer Every Audit." Info-Tech Research Group, 25 March 2015. Accessed 27 Jan. 2023.

Meredith, Sam. "All you need to know about the Nord Stream gas leaks - and why Europe suspects 'gross sabotage'." CNBC, 11 Oct. 2022. Accessed 20 Jan. 2023.

Nicaise, Vincent. "EU NIS2 Directive: what’s changing?" Stormshield, 20 Oct. 2022. Accessed 17 Nov. 2022.

"NIST SP 800-53 Rev. 5 Security and Privacy Controls for Information Systems and Organizations." The National Institute of Standards and Technology (NIST), 13 Jul. 2022. Accessed 27 Jan. 2023.

"North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) Series." NERC. Accessed 23 Jan. 2023.

"North America Physical Security Market - Global Forecast to 2026." MarketsandMarkets, June 2021. Accessed 30 Dec. 2022.

"NSTISSI No. 4011 National Training Standard For Information Systems Security (InfoSec) Professionals." The United States Committee on National Security Systems (CNSS), 20 Jun. 1994. Accessed 23 Jan. 2023.

"Occupational Safety and Health Administration (OSH) Act of 1970." The United States Department of Labor. Accessed 23 Jan. 2023.

Palter, Jay. "10 Mistakes Made in Designing a Physical Security Program." Real Time Networks, 7 Sep. 2022. Accessed 6 Jan. 2023.

Parker, Donn. Fighting Computer Crime. John Wiley & Sons, 1998.

Pathak, Parag. "What Is Threat Management? Common Challenges and Best Practices." Security Intelligence, 2020. Accessed 5 Jan. 2023.

Pender-Bey, Georgie. "The Parkerian Hexad." Lewis University, 2012. Accessed 24 Jan. 2023.

Philippou, Oliver. "2023 Trends to Watch: Physical Security Technologies." Omdia. Accessed 20 Jan. 2023.

Phinney, Tom. "IEC 62443: Industrial Network and System Security." ISA and Honeywell Integrated Security Technology Lab. Accessed 30 Jan. 2023.

"Physical Security Market, with COVID-19 Impact Analysis - Global Forecast to 2026." MarketsandMarkets, Jan. 2022. Accessed 30 Dec. 2022.

"Physical Security Professional (PSP)" ASIS International. Accessed 17 Jan. 2023.

"Physical Security Systems (PSS) Assessment Guide" The United States' Department of Energy (DOE), Dec. 2016. Accessed 23 Jan. 2023.

"Policies, Standards, Best Practices, Guidance, and White Papers." Interagency Security Committee (ISC). Accessed 23 Jan. 2023.

"Profiles, Add-ons and Specifications." ONVIF. Accessed 9 Dec. 2022.

"Protective Security Policy Framework (PSPF)." The Australian Attorney-General's Department (AGD). Accessed 13 Jan. 2023.

"Satellites detect methane plume in Nord Stream leak." The European Space Agency (ESA), 6 oct. 2022. Accessed 23 Jan. 2023.

""Satellites detect methane plume in Nord Stream leak." The European Space Agency (ESA), 6 oct. 2022. Accessed 23 Jan. 2023.

Satgunananthan, Niru. "Challenges in Security Convergence?" LinkedIn, 8 Jan. 2022. Accessed 20 Dec. 2022.

Sooknanan, Shastri and Isaac Kinsella. "Identify the Components of Your Cloud Security Architecture." Info-Tech Research Group, 12 March 2021. Accessed 26 Jan. 2023.

"TC 79 Alarm and electronic security systems." International Electrotechnical Commission (IEC), n.d. Accessed 9 Dec. 2022.

"The Risk Management Process for Federal Facilities: An Interagency Security Committee Standard." Interagency Security Committee (ISC), 2021. Accessed 26 Jan. 2023.

"The Short Guide to Why Security Programs Can Fail." CyberTalk, 23 Sep. 2021. Accessed 30 Dec. 2022.

Verton, Dan. "Companies Aim to Build Security Awareness." Computerworld, 27 Nov. 2022. Accessed 26 Jan. 2023.

"Vulnerability Assessment of Federal Facilities." The United States' Department of Justice, 28 Jun. 1995. Accessed 19 Jan. 2023.

"What is IEC 61508?" 61508 Association. Accessed 23 Jan. 2023.

Wolf, Gene. "Better Include Physical Security With Cybersecurity." T&D World 5 Jan. 2023. Accessed 19 Jan. 2023.

Wood, Kate, and Isaac Kinsella. “Build an Information Security Strategy.” Info-Tech Research Group, 9 Sept. 2020. Web.

Woolf, Tim, et al. "Benefit-Cost Analysis for Utility-Facing Grid Modernization Investments: Trends, Challenges, and Considerations." Lawrence Berkeley National Laboratory, Feb. 2021. Accessed 15 Nov. 2022.

"Work Health and Safety Act 2011." The Australian Government. Accessed 13 Jan. 2023.

Wu, Jing. “Industrial Control System Modernization: Unlock the Value of Automation in Utilities.” Info-Tech Research Group, 6 April 2023. Web.

Research Contributors and Experts

Amy L. Meger, IGP

Information and Cyber Governance Manager
Platte River Power Authority

Andrew Amaro

Chief Security Officer (CSO) & Founder
KLAVAN Security

Bilson Perez

IT Security Manager
4Wall Entertainment

Dan Adams

VP of Information Technology
4Wall Entertainment

Doery Abdou

Senior Manager
March Networks Corporate

Erich Krueger

Manager of Security Engineering
Omaha Public Power District

Kris Krishan

Head of IT
Waymo

Owen Yardley

Director, Facilities Security Preparedness
Omaha Public Power District

Create an Agile-Friendly Project Gating and Governance Approach

  • Buy Link or Shortcode: {j2store}162|cart{/j2store}
  • member rating overall impact (scale of 10): 9.0/10 Overall Impact
  • member rating average dollars saved: $33,499 Average $ Saved
  • member rating average days saved: 57 Average Days Saved
  • Parent Category Name: Development
  • Parent Category Link: /development
  • Organizations often apply gating and governance to IT projects to ensure resources are being used efficiently and effectively.
  • Agile project teams often complain that traditional project gating and governance interfere with their ability to delivery because traditional gating and governance were designed for Waterfall delivery methods.

Our Advice

Critical Insight

Imposing a traditional gating and governance approach on an Agile project can eliminate the advantages that Agile delivery methods offer. Make sure to rework your traditional project gating and governance approach to be Agile friendly.

Impact and Result

  • Create a project gating and governance approach that is Agile friendly and helps your organization realize the most benefit from its Agile transformation.
  • Oversee your Agile projects with confidence by adjusting the level of support and oversight they receive based on their Agilometer score.
  • Define a revised set of project gating artifacts that support Agile delivery methods.
  • Adopt a “trust but verify” approach to Agile project gating that will reduce risk and help ensure value delivery.

Create an Agile-Friendly Project Gating and Governance Approach Research & Tools

Besides the small introduction, subscribers and consulting clients within this management domain have access to:

1. Create an Agile-Friendly Project Gating and Governance Approach Deck – A step-by-step guide to creating an Agile-friendly project gating and governance approach that will support Agile delivery methods in your organization.

This deck is a guide to creating your own Agile-friendly project gating and governance approach using Info-Tech’s Agile Gating Framework.

  • Create an Agile-Friendly Project Gating and Governance Approach – Phases 1-3

2. Your Gates 3 and 3A Checklists – The Gates 3 and 3A Checklists are used to determine when a project is ready to enter and exit the Risk Reduction & Value Confirmation phase.

Modify Info-Tech’s Gates 3 and 3A Checklists to meet your organization’s needs, and then use them to determine when Agile projects are ready to enter and exit the RRVC phase.

  • Gates 3 and 3A Checklists

3. Your Agilometer – The Agilometer is used to determine a project’s readiness to use an Agile delivery method.

Modify Info-Tech’s Agilometer to meet your organization’s needs, and then use it to determine the level of support and oversight the project will need.

  • Agilometer

4. Your Agile Project Status Report – An Agile Status Report will be used to monitor project progress.

Modify Info-Tech’s Agile Project Status Report to meet your organization’s needs, and then use it to monitor in-flight Agile projects.

  • Agile Project Status Report

5. Project Burndown Chart – A tool to let you monitor project burndown over time.

Use Info-Tech’s Project Burndown Chart to monitor the progress of your in-flight Agile projects.

  • Project Burndown Chart

6. Traditional to Agile Gating Artifact Mapping – A tool to help you rework your project gating artifacts to be Agile-friendly.

Use Info-Tech’s Traditional to Agile Gating Artifact Mapping tool to modify your gating artifacts for Agile projects.

  • Traditional to Agile Gating Artifact Mapping
[infographic]

Further reading

Create an Agile-Friendly Project Gating and Governance Approach

Use Info-Tech’s Agile Gating Framework as a guide to gating your Agile projects using a “trust but verify” approach.

Table of Contents

Analyst Perspective

Executive Summary

Phase 1: Establish Your Gating and Governance Purpose

Phase 2: Understand and Adapt Info-Tech’s Agile Gating Framework

Phase 3: Complete Your Agile Gating Framework

Where Do I Go Next?

Bibliography

Facilitator Slides

Analyst Perspective

Make your gating and governance process Agile friendly by following a “trust but verify” approach

Most project gating and governance approaches are designed for traditional (Waterfall) delivery methods. However, Agile delivery methods call for a different way of working that doesn’t align well with these approaches.

Applying traditional project gating and governance to Agile projects is like trying to fit a square peg in a round hole. Not only will it make Agile project delivery less efficient, but in the extreme, it can lead to outright project failure and even derail your organization’s Agile transformation.

If you want Agile to successfully take root in your organization, be prepared to rethink your current gating and governance practices. This document presents a framework that you can use to rework your approach to provide both effective oversight and support for your Agile projects.

Photo of Alex Ciraco, Principal Research Director, Application Delivery and Management, Info-Tech Research Group. Alex Ciraco
Principal Research Director,
Application Delivery and Management
Info-Tech Research Group

Executive Summary

Your Challenge
  • Many government organizations are adopting Agile project delivery methods because they have proven to be more effective than traditional delivery approaches at responding to today’s fast pace of change.
  • Government organizations have an obligation to govern projects to ensure effective use of public resources, regardless of the delivery method being used.
Common Obstacles
  • Most government gating and governance frameworks were designed around traditional (often called “Waterfall”) delivery methods.
  • Agile and Waterfall work in completely different ways, so imposing traditional gating and governance frameworks on Agile projects will stifle progress and can even lead to project failure.
  • Government organizations must adjust their gating and governance frameworks to accommodate Agile delivery methods.
Info-Tech’s Approach
  • Begin by understanding the fundamental purpose of project gating and governance.
  • Next, understand the major differences between Agile and Waterfall delivery methods.
  • Then, armed with this knowledge, use Info-Tech’s Agile Gating Framework to redefine your gating and governance approach to be Agile friendly.
Info-Tech Insight

Imposing a traditional governance approach on an Agile project can eliminate the advantages that Agile delivery methods offer. Make sure to rework your project gating and governance approach to be Agile friendly.

Info-Tech’s methodology for Creating an Agile-Friendly Project Gating and Governance Approach

1. Establish Your Gating and Governance Purpose 2. Understand and Adapt Info-Tech’s Agile Gating Framework 3. Complete your Agile Gating Framework
Phase Steps

1.1 Understand How We Gate and Govern Projects

1.2 Compare Traditional to Agile Delivery

1.3 Realize What Traditional Gating Looks Like and Why

2.1 Understand How Agile Manages Risk and Ensures Value Delivery

2.2 Introducing Info-Tech’s Agile Gating Framework

2.3 Create Your Agilometer

2.4 Create an Agile-Friendly Project Status Report

2.5 Select Your Agile Health Check Tool

3.1 Map Your Traditional Gating Artifacts to Agile Delivery

3.2 Determine Your Now, Next, Later Roadmap for Implementation

Phase Outcomes
  1. Your gating/governance purpose statement
  2. A fundamental understanding of the difference between traditional and Agile delivery methods.
  1. An understanding of Info-Tech’s Agile Gating Framework
  2. Your Gates 3 and 3A checklists
  3. Your Agilometer tool
  4. Your Agile project status report template
  5. Your Agile health check tool
  1. Artifact map for your Agile gating framework
  2. Roadmap for Agile gating implementation

Key Deliverables

Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals, including:

Agilometer Tool

Create your customized Agilometer tool to determine project support and oversight needs.
Sample of the 'Agilometer Tool' deliverable.

Gates 3 and 3A Checklists

Create your customized checklists for projects at Gates 3 and 3A.
Sample of the 'Gates 3 and 3A Checklists' deliverable.

Agile-Friendly Project Status Report

Create your Agile-friendly project status report to monitor progress.
Sample of the 'Agile-Friendly Project Status Report' deliverable.

Artifact Mapping Tool

Map your traditional gating artifacts to their Agile replacements.
Sample of the 'Artifact Mapping Tool' deliverable.

Create an Agile-Friendly Project Gating and Governance Approach

Phase 1

Establish your gating and governance purpose

Phase 1

1.1 Understand How We Gate and Govern Projects

1.2 Compare Traditional to Agile Delivery

1.3 Realize What Traditional Gating Looks Like And Why

Phase 2

2.1 Understand How Agile Manages Risk and Ensures Value Delivery

2.2 Introducing Info-Tech’s Agile Gating Framework

2.3 Create Your Agilometer

2.4 Create Your Agile-Friendly Project Status Report

2.5 Select Your Agile Health Check Tool

Phase 3

3.1 Map Your Traditional Gating Artifacts to Agile Delivery

3.2 Determine Your Now, Next, Later Roadmap for Implementation

This phase will walk you through the following activities:

  • Understand why gating and governance are so important to your organization.
  • Compare and contrast traditional to Agile delivery.
  • Identify what form traditional gating takes in your organization.

This phase involves the following participants:

  • PMO/Gating Body
  • Delivery Managers
  • Delivery Teams
  • Other Interested Parties

Agile gating–related facts and figures

73% of organizations created their project gating framework before adopting or considering Agile delivery practices. (Athens Journal of Technology and Engineering)

71% of survey respondents felt an Agile-friendly gating approach improves both productivity and product quality. (Athens Journal of Technology and Engineering)

Moving to an Agile-friendly gating approach has many benefits:
  • Faster response to change
  • Improved productivity
  • Higher team morale
  • Better product quality
  • Faster releases
(Journal of Product Innovation Management)

Traditional gating approaches can undermine an Agile project

  • Most existing gating and governance frameworks (often referred to as phase-gate) impose requirements on projects that are anti-patterns to an Agile delivery approach
  • For example, any gating approach that requires a project to deliver a detailed requirements document before coding can begin will make it difficult or impossible for the project to use an Agile delivery method.
  • The same can be said for other common phase-gate requirements including:
    • Imposing a formal (and onerous) change control process on project requirements.
    • Requiring a detailed design document and/or detailed user acceptance test plan at the beginning of the project.
    • Asking the project to produce a detailed project plan.
(DZone)
Don’t make the mistake of asking an Agile project to follow a traditional phase-gate approach to project delivery!

Before reworking your gating approach, you need to consider two important questions

Answering these questions will help guide your new gating process to both be Agile friendly and meet your organization’s needs

  1. What is the fundamental purpose of gating? By examining the fundamental purpose of gating, you will be better able to adjust your approach to achieve the desired outcomes in an Agile context.
  2. How does Agile delivery differ from traditional? By understanding how Agile delivery differs from traditional, you will be better able to adjust your gating approach to support Agile delivery methods.

Stock image of speech bubbles hanging on string with a question mark and lightbulb drawn on them.

Advisory Call Outline: Software Selection Engagement

  • Buy Link or Shortcode: {j2store}609|cart{/j2store}
  • member rating overall impact (scale of 10): N/A
  • member rating average dollars saved: N/A
  • member rating average days saved: N/A
  • Parent Category Name: Selection & Implementation
  • Parent Category Link: /selection-and-implementation
  • Selection takes forever. Traditional software selection drags on for years, sometimes in perpetuity.
  • IT is viewed as a bottleneck and the business has taken control of software selection.
  • “Gut feel” decisions rule the day. Intuition, not hard data, guides selection, leading to poor outcomes.
  • Negotiations are a losing battle. Money is left on the table by inexperienced negotiators.
  • Overall: Poor selection processes lead to wasted time, wasted effort, and applications that continually disappoint.

Our Advice

Critical Insight

  • Adopt a formal methodology to accelerate and improve software selection results.
  • Improve business satisfaction by including the right stakeholders and delivering new applications on a truly timely basis.
  • Kill the “sacred cow” requirements that only exist because “it’s how we’ve always done it.”
  • Forget about “RFP” overload and hone in on the features that matter to your organization.
  • Skip the guesswork and validate decisions with real data.
  • Take control of vendor “dog and pony shows” with single-day, high-value, low-effort, rapid-fire investigative interviews.
  • Master vendor negotiations and never leave money on the table.

Impact and Result

  • Improving software selection is a critical project that will deliver huge value.
  • Hit a home run with your business stakeholders: use a data-driven approach to select the right application vendor for their needs – fast.
  • Shatter stakeholder expectations with truly rapid application selections.
  • Boost collaboration and crush the broken telephone with concise and effective stakeholder meetings.
  • Lock in hard savings and do not pay list price by using data-driven tactics.

Advisory Call Outline: Software Selection Engagement Research & Tools

Besides the small introduction, subscribers and consulting clients within this management domain have access to:

1. Advisory Call Outline

Info-Tech's expert analyst guidance will help you save money, align stakeholders, and speed up the application selection process.

  • Advisory Call Outline: Software Selection Engagement Deck

2. Workshop Overview

Info-Tech's workshop will help you implement a repeatable, data-driven approach that accelerates software selection efforts.

  • Rapid Software Selection Workshop Overview
[infographic]

Domino – Maintain, Commit to, or Vacate?

If you have a Domino/Notes footprint that is embedded within your business units and business processes and is taxing your support organization, you may have met resistance from the business and been asked to help the organization migrate away from the Lotus Notes platform. The Lotus Notes platform was long used by technology and businesses and a multipurpose solution that, over the years, became embedded within core business applications and processes.

Our Advice

Critical Insight

For organizations that are struggling to understand their options for the Domino platform, the depth of business process usage is typically the biggest operational obstacle. Migrating off the Domino platform is a difficult option for most organizations due to business process and application complexity. In addition, migrating clients have to resolve the challenges with more than one replaceable solution.

Impact and Result

The most common tactic is for the organization to better understand their Domino migration options and adopt an application rationalization strategy for the Domino applications entrenched within the business. Options include retiring, replatforming, migrating, or staying with your Domino platform.

Domino – Maintain, Commit to, or Vacate? Research & Tools

Besides the small introduction, subscribers and consulting clients within this management domain have access to:

1. Domino – Maintain, Commit to, or Vacate? – A brief deck that outlines key migration options for HCL Domino platforms.

This blueprint will help you assess the fit, purpose, and price of Domino options; develop strategies for overcoming potential challenges; and determine the future of Domino for your organization.

  • Domino – Maintain, Commit to, or Vacate? Storyboard

2. Application Rationalization Tool – A tool to understand your business-developed applications, their importance to business process, and the potential underlying financial impact.

Use this tool to input the outcomes of your various application assessments.

  • Application Rationalization Tool

Infographic

Further reading

Domino – Maintain, Commit to, or Vacate?

Lotus Domino still lives, and you have options for migrating away from or remaining with the platform.

Executive Summary

Info-Tech Insight

“HCL announced that they have somewhere in the region of 15,000 Domino customers worldwide, and also claimed that that number is growing. They also said that 42% of their customers are already on v11 of Domino, and that in the year or so since that version was released, it’s been downloaded 78,000 times. All of which suggests that the Domino platform is, in fact, alive and well.”
– Nigel Cheshire in Team Studio

Your Challenge

You have a Domino/Notes footprint embedded within your business units and business processes. This is taxing your support organization; you are meeting resistance from the business, and you are now asked to help the organization migrate away from the Lotus Notes platform. The Lotus Notes platform was long used by technology and businesses as a multipurpose solution that, over the years, became embedded within core business applications and processes.

Common Obstacles

For organizations that are struggling to understand their options for the Domino platform, the depth of business process usage is typically the biggest operational obstacle. Migrating off the Domino platform is a difficult option for most organizations due to business process and application complexity. In addition, migrating clients have to resolve the challenges with more than one replaceable solution.

Info-Tech Approach

The most common tactic is for the organization to better understand their Domino migration options and adopt an application rationalization strategy for the Domino applications entrenched within the business. Options include retiring, replatforming, migrating, or staying with your Domino platform.

Review

Is “Lotus” Domino still alive?

Problem statement

The number of member engagements with customers regarding the Domino platform has, as you might imagine, dwindled in the past couple of years. While many members have exited the platform, there are still many members and organizations that have entered a long exit program, but with how embedded Domino is in business processes, the migration has slowed and been met with resistance. Some organizations had replatformed the applications but found that the replacement target state was inadequate and introduced friction because the new solution was not a low-code/business-user-driven environment. This resulted in returning the Domino platform to production and working through a strategy to maintain the environment.

This research is designed for:

  • IT strategic direction decision-makers
  • IT managers responsible for an existing Domino platform
  • Organizations evaluating migration options for mission-critical applications running on Domino

This research will help you:

  1. Evaluate migration options.
  2. Assess the fit and purpose.
  3. Consider strategies for overcoming potential challenges.
  4. Determine the future of this platform for your organization.

The “everything may work” scenario

Adopt and expand

Believe it or not, Domino and Notes are still options to consider when determining a migration strategy. With HCL still committed to the platform, there are options organizations should seek to better understand rather than assuming SharePoint will solve all. In our research, we consider:

Importance to current business processes

  • Importance of use
  • Complexity in migrations
  • Choosing a new platform

Available tools to facilitate

  • Talent/access to skills
  • Economies of scale/lower cost at scale
  • Access to technology

Info-Tech Insight

With multiple options to consider, take the time to clearly understand the application rationalization process within your decision making.

  • Archive/retire
  • Application migration
  • Application replatform
  • Stay right where you are

Eliminate your bias – consider the advantages

“There is a lot of bias toward Domino; decisions are being made by individuals who know very little about Domino and more importantly, they do not know how it impacts business environment.”

– Rob Salerno, Founder & CTO, Rivet Technology Partners

Domino advantages include:

Modern Cloud & Application

  • No-code/low-code technology

Business-Managed Application

  • Business written and supported
  • Embrace the business support model
  • Enterprise class application

Leverage the Application Taxonomy & Build

  • A rapid application development platform
  • Develop skill with HCL training

HCL Domino is a supported and developed platform

Why consider HCL?

  • Consider scheduling a Roadmap Session with HCL. This is an opportunity to leverage any value in the mission and brand of your organization to gain insights or support from HCL.
  • Existing Domino customers are not the only entities seeking certainty with the platform. Software solution providers that support enterprise IT infrastructure ecosystems (backup, for example) will also be seeking clarity for the future of the platform. HCL will be managing these relationships through the channel/partner management programs, but our observations indicate that Domino integrations are scarce.
  • HCL Domino should be well positioned feature-wise to support low-code/NoSQL demands for enterprises and citizen developers.

Visualize Your Application Roadmap

  1. Focus on the application portfolio and crafting a roadmap for rationalization.
    • The process is intended to help you determine each application’s functional and technical adequacy for the business process that it supports.
  2. Document your findings on respective application capability heatmaps.
    • This drives your organization to a determination of application dispositions and provides a tool to output various dispositions for you as a roadmap.
  3. Sort the application portfolio into a disposition status (keep, replatform, retire, consolidate, etc.)
    • This information will be an input into any cloud migration or modernization as well as consolidation of the infrastructure, licenses, and support for them.

Our external support perspective

by Darin Stahl

Member Feedback

  • Some members who have remaining Domino applications in production – while the retire, replatform, consolidate, or stay strategy is playing out – have concerns about the challenges with ongoing support and resources required for the platform. In those cases, some have engaged external services providers to augment staff or take over as managed services.
  • While there could be existing support resources (in house or on retainer), the member might consider approaching an external provider who could help backstop the single resource or even provide some help with the exit strategies. At this point, the conversation would be helpful in any case. One of our members engaged an external provider in a Statement of Work for IBM Domino Administration focused on one-time events, Tier 1/Tier 2 support, and custom ad hoc requests.
  • The augmentation with the managed services enabled the member to shift key internal resources to a focus on executing the exit strategies (replatform, retire, consolidate), since the business knowledge was key to that success.
  • The member also very aggressively governed the Domino environment support needs to truly technical issues/maintenance of known and supported functionality rather than coding new features (and increasing risk and cost in a migration down the road) – in short, freezing new features and functionality unless required for legal compliance or health and safety.
  • There obviously are other providers, but at this point Info-Tech no longer maintains a market view or scan of those related to Domino due to low member demand.

Domino database assessments

Consider the database.

  • Domino database assessments should be informed through the lens of a multi-value database, like jBase, or an object system.
  • The assessment of the databases, often led by relational database subject matter experts grounded in normalized databases, can be a struggle since Notes databases must be denormalized.
Key/Value Column

Use case: Heavily accessed, rarely updated, large amounts of data
Data Model: Values are stored in a hash table of keys.
Fast access to small data values, but querying is slow
Processor friendly
Based on amazon's Dynamo paper
Example: Project Voldemort used by LinkedIn

this is a Key/Value example

Use case: High availability, multiple data centers
Data Model: Storage blocks of data are contained in columns
Handles size well
Based on Google's BigTable
Example: Hadoop/Hbase used by Facebook and Yahoo

This is a Column Example
Document Graph

Use case: Rapid development, Web and programmer friendly
Data Model: Stores documents made up of tagged elements. Uses Key/Value collections
Better query abilities than Key/Value databases.
Inspired by Lotus Notes.
Example: CouchDB used by BBC

This is a Document Example

Use case: Best at dealing with complexity and relationships/networks
Data model: Nodes and relationships.
Data is processed quickly
Inspired by Euler and graph theory
Can easily evolve schemas
Example: Neo4j

This is a Graph Example

Understand your options

Archive/Retire

Store the application data in a long-term repository with the means to locate and read it for regulatory and compliance purposes.

Migrate

Migrate to a new version of the application, facilitating the process of moving software applications from one computing environment to another.

Replatform

Replatforming is an option for transitioning an existing Domino application to a new modern platform (i.e. cloud) to leverage the benefits of a modern deployment model.

Stay

Review the current Domino platform roadmap and understand HCL’s support model. Keep the application within the Domino platform.

Archive/retire

Retire the application, storing the application data in a long-term repository.

Abstract

The most common approach is to build the required functionality in whatever new application/solution is selected, then archive the old data in PDFs and documents.

Typically this involves archiving the data and leveraging Microsoft SharePoint and the new collaborative solutions, likely in conjunction with other software-as-a-service (SaaS) solutions.

Advantages

  • Reduce support cost.
  • Consolidate applications.
  • Reduce risk.
  • Reduce compliance and security concerns.
  • Improve business processes.

Considerations

  • Application transformation
  • eDiscovery costs
  • Legal implications
  • Compliance implications
  • Business process dependencies

Info-Tech Insights

Be aware of the costs associated with archiving. The more you archive, the more it will cost you.

Application migration

Migrate to a new version of the application

Abstract

An application migration is the managed process of migrating or moving applications (software) from one infrastructure environment to another.

This can include migrating applications from one data center to another data center, from a data center to a cloud provider, or from a company’s on-premises system to a cloud provider’s infrastructure.

Advantages

  • Reduce hardware costs.
  • Leverage cloud technologies.
  • Improve scalability.
  • Improve disaster recovery.
  • Improve application security.

Considerations

  • Data extraction, starting from the document databases in NSF format and including security settings about users and groups granted to read and write single documents, which is a powerful feature of Lotus Domino documents.
  • File extraction, starting from the document databases in NSF format, which can contain attachments and RTF documents and embedded files.
  • Design of the final relational database structure; this activity should be carried out without taking into account the original structure of the data in Domino files or the data conversion and loading, from the extracted format to the final model.
  • Design and development of the target-state custom applications based on the new data model and the new selected development platform.

Application replatform

Transition an existing Domino application to a new modern platform

Abstract

This type of arrangement is typically part of an application migration or transformation. In this model, client can “replatform” the application into an off-premises hosted provider platform. This would yield many benefits of cloud but in a different scaling capacity as experienced with commodity workloads (e.g. Windows, Linux) and the associated application.

Two challenges are particularly significant when migrating or replatforming Domino applications:

  • The application functionality/value must be reproduced/replaced with not one but many applications, either through custom coding or a commercial-off-the-shelf/SaaS solution.
  • Notes “databases” are not relational databases and will not migrate simply to an SQL database while retaining the same business value. Notes databases are essentially NoSQL repositories and are difficult to normalize.

Advantages

  • Leverage cloud technologies.
  • Improve scalability.
  • Align to a SharePoint platform.
  • Improve disaster recovery.
  • Improve application security.

Considerations

  • Application replatform resource effort
  • Network bandwidth
  • New platform terms and conditions
  • Secure connectivity and communication
  • New platform security and compliance
  • Degree of complexity

Info-Tech Insights

There is a difference between a migration and a replatform application strategy. Determine which solution aligns to the application requirements.

Stay with HCL

Stay with HCL, understanding its future commitment to the platform.

Abstract

Following the announced acquisition of IBM Domino and up until around December 2019, HCL had published no future roadmap for the platform. The public-facing information/website at the time stated that HCL acquired “the product family and key lab services to deliver professional services.” Again, there was no mention or emphasis on upcoming new features for the platform. The product offering on their website at the time stated that HCL would leverage its services expertise to advise clients and push applications into four buckets:

  1. Replatform
  2. Retire
  3. Move to cloud
  4. Modernize

That public-facing messaging changed with release 11.0, which had references to IBM rebranded to HCL for the Notes and Domino product – along with fixes already inflight. More information can be found on HCL’s FAQ page.

Advantages

  • Known environment
  • Domino is a supported platform
  • Domino is a developed platform
  • No-code/low-code optimization
  • Business developed applications
  • Rapid application framework

This is the HCL Domino Logo

Understand your tools

Many tools are available to help evaluate or migrate your Domino Platform. Here are a few common tools for you to consider.

Notes Archiving & Notes to SharePoint

Summary of Vendor

“SWING Software delivers content transformation and archiving software to over 1,000 organizations worldwide. Our solutions uniquely combine key collaborative platforms and standard document formats, making document production, publishing, and archiving processes more efficient.”*

Tools

Lotus Notes Data Migration and Archiving: Preserve historical data outside of Notes and Domino

Lotus Note Migration: Replacing Lotus Notes. Boost your migration by detaching historical data from Lotus Notes and Domino.

Headquarters

Croatia

Best fit

  • Application archive and retire
  • Migration to SharePoint

This is an image of the SwingSoftware Logo

* swingsoftware.com

Domino Migration to SharePoint

Summary of Vendor

“Providing leading solutions, resources, and expertise to help your organization transform its collaborative environment.”*

Tools

Notes Domino Migration Solutions: Rivit’s industry-leading solutions and hardened migration practice will help you eliminate Notes Domino once and for all.

Rivive Me: Migrate Notes Domino applications to an enterprise web application

Headquarters

Canada

Best fit

  • Application Archive & Retire
  • Migration to SharePoint

This is an image of the RiVit Logo

* rivit.ca

Lotus Notes to M365

Summary of Vendor

“More than 300 organizations across 40+ countries trust skybow to build no-code/no-compromise business applications & processes, and skybow’s community of customers, partners, and experts grows every day.”*

Tools

SkyBow Studio: The low-code platform fully integrated into Microsoft 365

Headquarters:

Switzerland

Best fit

  • Application Archive & Retire
  • Migration to SharePoint

This is an image of the SkyBow Logo

* skybow.com | About skybow

Notes to SharePoint Migration

Summary of Vendor

“CIMtrek is a global software company headquartered in the UK. Our mission is to develop user-friendly, cost-effective technology solutions and services to help companies modernize their HCL Domino/Notes® application landscape and support their legacy COBOL applications.”*

Tools

CIMtrek SharePoint Migrator: Reduce the time and cost of migrating your IBM® Lotus Notes® applications to Office 365, SharePoint online, and SharePoint on premises.

Headquarters

United Kingdom

Best fit

  • Application replatform
  • Migration to SharePoint

This is an image of the CIMtrek Logo

* cimtrek.com | About CIMtrek

Domino replatform/Rapid application selection framework

Summary of Vendor

“4WS.Platform is a rapid application development tool used to quickly create multi-channel applications including web and mobile applications.”*

Tools

4WS.Platform is available in two editions: Community and Enterprise.
The Platform Enterprise Edition, allows access with an optional support pack.

4WS.Platform’s technical support provides support services to the users through support contracts and agreements.

The platform is a subscription support services for companies using the product which will allow customers to benefit from the knowledge of 4WS.Platform’s technical experts.

Headquarters

Italy

Best fit

  • Application replatform

This is an image of the 4WS PLATFORM Logo

* 4wsplatform.org

Activity

Understand your Domino options

Application Rationalization Exercise

Info-Tech Insight

Application rationalization is the perfect exercise to fully understand your business-developed applications, their importance to business process, and the potential underlying financial impact.

This activity involves the following participants:

  • IT strategic direction decision-makers.
  • IT managers responsible for an existing Domino platform
  • Organizations evaluating platforms for mission-critical applications.

Outcomes of this step:

  • Completed Application Rationalization Tool

Application rationalization exercise

Use this Application Rationalization Tool to input the outcomes of your various application assessments

In the Application Entry tab:

  • Input your application inventory or subset of apps you intend to rationalize, along with some basic information for your apps.

In the Business Value & TCO Comparison tab, determine rationalization priorities.

  • Input your business value scores and total cost of ownership (TCO) of applications.
  • Review the results of this analysis to determine which apps should require additional analysis and which dispositions should be prioritized.

In the Disposition Selection tab:

  • Add to or adapt our list of dispositions as appropriate.

In the Rationalization Inputs tab:

  • Add or adapt the disposition criteria of your application rationalization framework as appropriate.
  • Input the results of your various assessments for each application.

In the Disposition Settings tab:

  • Add or adapt settings that generate recommended dispositions based on your rationalization inputs.

In the Disposition Recommendations tab:

  • Review and compare the rationalization results and confirm if dispositions are appropriate for your strategy.

In the Timeline Considerations tab:

  • Enter the estimated timeline for when you execute your dispositions.

In the Portfolio Roadmap tab:

  • Review and present your roadmap and rationalization results.

Follow the instructions to generate recommended dispositions and populate an application portfolio roadmap.

This image depicts a scatter plot graph where the X axis is labeled Business Value, and the Y Axis is labeled Cost. On the graph, the following datapoints are displayed: SF; HRIS; ERP; ALM; B; A; C; ODP; SAS

Info-Tech Insight

Watch out for misleading scores that result from poorly designed criteria weightings.

Related Info-Tech Research

Build an Application Rationalization Framework

Manage your application portfolio to minimize risk and maximize value.

Embrace Business-Managed Applications

Empower the business to implement their own applications with a trusted business-IT relationship.

Satisfy Digital End Users With Low- and No-Code

Extend IT, automation, and digital capabilities to the business with the right tools, good governance, and trusted organizational relationships.

Maximize the Benefits from Enterprise Applications with a Center of Excellence

Optimize your organization’s enterprise application capabilities with a refined and scalable methodology.

Drive Successful Sourcing Outcomes With a Robust RFP Process

Leverage your vendor sourcing process to get better results.

Research Authors

Darin Stahl, Principal Research Advisor, Info-Tech Research Group

Darin Stahl, Principal Research Advisor,
Info-Tech Research Group

Darin is a Principal Research Advisor within the Infrastructure practice, leveraging 38+ years of experience. His areas of focus include IT operations management, service desk, infrastructure outsourcing, managed services, cloud infrastructure, DRP/BCP, printer management, managed print services, application performance monitoring, managed FTP, and non-commodity servers (zSeries, mainframe, IBM i, AIX, Power PC).

Troy Cheeseman, Practice Lead, Info-Tech Research Group

Troy Cheeseman, Practice Lead,
Info-Tech Research Group

Troy has over 24 years of experience and has championed large enterprise-wide technology transformation programs, remote/home office collaboration and remote work strategies, BCP, IT DRP, IT operations and expense management programs, international right placement initiatives, and large technology transformation initiatives (M&A). Additionally, he has deep experience working with IT solution providers and technology (cloud) startups.

Research Contributors

Rob Salerno, Founder & CTO, Rivit Technology Partners

Rob Salerno, Founder & CTO, Rivit Technology Partners

Rob is the Founder and Chief Technology Strategist for Rivit Technology Partners. Rivit is a system integrator that delivers unique IT solutions. Rivit is known for its REVIVE migration strategy which helps companies leave legacy platforms (such as Domino) or move between versions of software. Rivit is the developer of the DCOM Application Archiving solution.

Bibliography

Cheshire, Nigel. “Domino v12 Launch Keeps HCL Product Strategy On Track.” Team Studio, 19 July 2021. Web.

“Is LowCode/NoCode the best platform for you?” Rivit Technology Partners, 15 July 2021. Web.

McCracken, Harry. “Lotus: Farewell to a Once-Great Tech Brand.” TIME, 20 Nov. 2012. Web.

Sharwood, Simon. “Lotus Notes refuses to die, again, as HCL debuts Domino 12.” The Register, 8 June 2021. Web.

Woodie, Alex. “Domino 12 Comes to IBM i.” IT Jungle, 16 Aug. 2021. Web.

External audit company

External IT audit of your company

Based on experience
Implementable advice
human-based and people-oriented

Do you seek an external expert to help you prepare for a thorough IT audit of your company? Tymans Group serves as a consulting company with extensive expertise in helping small and medium enterprises. Read on and learn more about how our consulting firm can help your company with an external IT audit.

Why should you organize an external IT audit of your company?

Regularly preparing for an IT audit of your company with the help of of an experienced consultancy company like Tymans Group is a great way to discover any weaknesses within your IT and data security management systems, as well as your applications and data architecture, before the real audits by your regulator happen After all, you can only tackle any possible issues when you know their exact nature and origin. Additionally, the sooner you are aware of any security threats in your company thanks to an external audit, the smaller the chances outside forces will be able to take advantage of these threats to harm your business.

Security and risk management

Our security and risk services

Security strategy

Security Strategy

Embed security thinking through aligning your security strategy to business goals and values

Read more

Disaster Recovery Planning

Disaster Recovery Planning

Create a disaster recovey plan that is right for your company

Read more

Risk Management

Risk Management

Build your right-sized IT Risk Management Program

Read more

Check out all our services

Receive practical solutions when using our guides to prepare you for an external audit.

If you hire our consultancy firm to prepare for an external IT audit in your firm, our guides will allow you to thoroughly analyze your systems and protocols to discover flaws and threats. Based on this analysis, your firm will receive concrete advice and practical solutions on dealing with the findings of in advance of an external audit. Besides identifying threats, the findings of will also offer your business insights in possible optimizations and processes which could benefit from automation. As such, you benefit from our consultancy company’s extensive experience in corporate security management and IT.

Book an appointment with our consultancy company to get ahead of an external audit.

If you hire our consulting company to help you prepare for an IT audit of your firm, you will receive guides that enable you to make a critical analysis of your IT security, as well as practical solutions based on our holistic approach. We are happy to tell you more about our services for small and medium business and to offer insights into any issues you may be facing. Our help is available offline and online, through one-hour talks with our expert Gert Taeymans. Contact us to set up an appointment online or on-site now.

Continue reading

Reduce Shadow IT With a Service Request Catalog

  • Buy Link or Shortcode: {j2store}302|cart{/j2store}
  • member rating overall impact (scale of 10): 10.0/10 Overall Impact
  • member rating average dollars saved: $129,999 Average $ Saved
  • member rating average days saved: 35 Average Days Saved
  • Parent Category Name: Asset Management
  • Parent Category Link: /asset-management
  • Shadow IT: The IT team is regularly surprised to discover new products within the organization, often when following up on help desk tickets or requests for renewals from business users or vendors.
  • Renewal Management: The contracts and asset teams need to be aware of upcoming renewals and have adequate time to review renewals.
  • Over-purchasing: Contracts may be renewed without a clear picture of usage, potentially renewing unused applications.

Our Advice

Critical Insight

There is a direct correlation between service delivery dissatisfaction and increases in shadow IT. Whether the goal is to reduce shadow IT or gain control, improved customer service and fast delivery are key to making lasting changes.

Impact and Result

Our blueprint will help you design a service that draws the business to use it. If it is easier for them to buy from IT than it is to find their own supplier, they will use IT.

A heavy focus on customer service, design optimization, and automation will provide a means for the business to get what they need, when they need it, and provide visibility to IT and security to protect organizational interests.

This blueprint will help you:

  • Design the request service
  • Design the request catalog
  • Build the request catalog
  • Market the service

Reduce Shadow IT With a Service Request Catalog Research & Tools

Besides the small introduction, subscribers and consulting clients within this management domain have access to:

1. Reduce Shadow IT With a Service Request Catalog – A step-by-step document that walks you through creation of a request service management program.

Use this blueprint to create a service request management program that provides immediate value.

  • Reduce Shadow IT With a Service Request Catalog Storyboard

2. Nonstandard Request Assessment – A template for documenting requirements for vetting and onboarding new applications.

Use this template to define what information is needed to vet and onboard applications into the IT environment.

  • Nonstandard Request Assessment

3. Service Request Workflows – A library of workflows used as a starting point for creating and fulfilling requests for applications and equipment.

Use this library of workflows as a starting point for creating and fulfilling requests for applications and equipment in a service catalog.

  • Service Request Workflows

4. Application Portfolio – A template to organize applications requested by the business and identify which items are published in the catalog.

Use this template as a starting point to create an application portfolio and request catalog.

  • Application Portfolio

5. Reduce Shadow IT With a Service Request Catalog Communications Template – A presentation and communications plan to announce changes to the service and introduce a catalog.

Use this template to create a presentation and communications plan for launching the new service and service request catalog.

  • Reduce Shadow IT with a Service Request Catalog Communications Template
[infographic]

Workshop: Reduce Shadow IT With a Service Request Catalog

Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

1 Design the Service

The Purpose

Collaborate with the business to determine service model.

Collaborate with IT teams to build non-standard assessment process.

Key Benefits Achieved

Designed a service for service requests, including new product intake.

Activities

1.1 Identify challenges and obstacles.

1.2 Complete customer journey map.

1.3 Design process for nonstandard assessments.

Outputs

Nonstandard process.

2 Design the Catalog

The Purpose

Design the service request catalog management process.

Key Benefits Achieved

Ensure the catalog is kept current and is integrated with IT service catalog if applicable.

Activities

2.1 Determine what will be listed in the catalog.

2.2 Determine process to build and maintain the catalog, including roles, responsibilities, and workflows.

2.3 Define success and determine metrics.

Outputs

Catalog scope.

Catalog design and maintenance plan.

Defined success metrics

3 Build and Market the Catalog

The Purpose

Determine catalog contents and how requests will be fulfilled.

Key Benefits Achieved

Catalog framework and service level agreements will be defined.

Create communications documents.

Activities

3.1 Determine how catalog items will be displayed.

3.2 Complete application categories for catalog.

3.3 Create deployment categories and SLAs.

3.4 Design catalog forms and deployment workflows.

3.5 Create roadmap.

3.6 Create communications plan.

Outputs

Catalog workflows and SLAs.

Roadmap.

Communications deck.

4 Breakout Groups – Working Sessions

The Purpose

Create an applications portfolio.

Prepare to populate the catalog.

Key Benefits Achieved

Portfolio and catalog contents created.

Activities

4.1 Using existing application inventory, add applications to portfolio and categorize.

4.2 Determine which applications should be in the catalog.

4.3 Determine which applications are packaged and can be easily deployed.

Outputs

Application Portfolio.

List of catalog items.

Further reading

Reduce Shadow IT With a Service Request Catalog

Foster business partnerships with sourcing-as-a-service.

Analyst Perspective

Improve the request management process to reduce shadow IT.

In July 2022, Ivanti conducted a study on the state of the digital employee experience, surveying 10,000 office workers, IT professionals, and C-suite executives. Results of this study indicated that 49% of employees are frustrated by their tools, and 26% of employees were considering quitting their jobs due to unsuitable tech. 42% spent their own money to gain technology to improve their productivity. Despite this, only 21% of IT leaders prioritized user experience when selecting new tools.

Any organization’s workers are expected to be productive and contribute to operational improvements or customer experience. Yet those workers don’t always have the tools needed to do the job. One option is to give the business greater control, allowing them to choose and acquire the solutions that will make them more productive. Info-Tech's blueprint Embrace Business-Managed Applications takes you down this path.

However, if the business doesn’t want to manage applications, but just wants have access to better ones, IT is positioned to provide services for application and equipment sourcing that will improve the employee experience while ensuring applications and equipment are fully managed by the asset, service, and security teams.

Improving the request management and deployment practice can give the business what they need without forcing them to manage license agreements, renewals, and warranties.

Photo of Sandi Conrad

Sandi Conrad
ITIL Managing Professional
Principal Research Director, IT Infrastructure & Operations,
Info-Tech Research Group

Your challenge

This research is designed to help organizations that are looking to improve request management processes and reduce shadow IT.

Shadow IT: The IT team is regularly surprised to discover new products within the organization, often when following up on help desk tickets or requests for renewals from business users or vendors.

Renewal management: The contracts and asset teams need to be aware of upcoming renewals and have adequate time to review renewals.

Over-purchasing and over-spending: Contracts may be renewed without a clear picture of utilization, potentially renewing unused applications. Applications or equipment may be purchased at retail price where corporate, government, or educational discounts exist.

Info-Tech Insight

To increase the visibility of the IT environment, IT needs to transform the request management process to create a service that makes it easier for the business to access the tools they need rather than seeking them outside of the organization.

609
Average number of SaaS applications in large enterprises

40%
On average, only 60% of provisioned SaaS licenses are used, with the remaining 40% unused.

— Source: Zylo, SaaS Trends for IT Leaders, 2022

Common obstacles

Too many layers of approvals and a lack of IT workers makes it difficult to rethink service request fulfillment.

Delays: The business may not be getting the applications they need from IT to do their jobs or must wait too long to get the applications approved.

Denials: Without IT’s support, the business is finding alternative options, including SaaS applications, as they can be bought and used without IT’s input or knowledge.

Threats: Applications that have not been vetted by security or installed without their knowledge may present additional threats to the organization.

Access: Self-serve isn’t mature enough to support an applications catalog.

A diagram that shows the number of SaaS applications being acquired outside of IT is increasing year over year, and that business units are driving the majority of SaaS spend.

8: average number of applications entering the organization every 30 days

— Source: Zylo, SaaS Trends for Procurement, 2022

Info-Tech’s approach

Improve the request management process to create sourcing-as-a-service for the business.

  • Improve customer service
  • Reduce shadow IT
  • Gain control in a way that keeps the business happy

1. Design the service

Collaborate with the business

Identify the challenges and obstacles

Gain consensus on priorities

Design the service

2. Design the catalog

Determine catalog scope

Create a process to build and maintain the catalog

Define metrics for the request management process

3. Build the catalog

Determine descriptions for catalog items

Create definitions for license types, workflows, and SLAs

Create application portfolio

Design catalog forms and workflows

4. Market the service

Create a roadmap

Determine messaging

Build a communications plan

Blueprint deliverables

Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:

Communications Presentation

Photo of Communications Presentation

Application Portfolio

Photo of Application Portfolio

Visio Library

Photo of Visio Library

Nonstandard Request Assessment

Photo of Nonstandard Request Assessment

Create a request management process and service catalog to improve delivery of technology to the business

Manage Requirements in an Agile Environment

  • Buy Link or Shortcode: {j2store}522|cart{/j2store}
  • member rating overall impact (scale of 10): N/A
  • member rating average dollars saved: N/A
  • member rating average days saved: N/A
  • Parent Category Name: Requirements & Design
  • Parent Category Link: /requirements-and-design

The process of navigating from waterfall to Agile can be incredibly challenging. Even more problematic; how do you operate your requirements management practices once there? There traditionally isn’t a role for a business analyst, the traditional keeper of requirements. It isn’t like switching on a light.

You likely find yourself struggling to deliver high quality solutions and requirements in Agile. This is a challenge for many organizations, regardless of how long they’ve leveraged Agile.

But you aren’t here for assurances. You’re here for answers and help.

Our Advice

Critical Insight

Agile and requirements management are complementary, not competitors.

Impact and Result

Info-Tech’s advice? Why choose? Why have to pick between traditional waterfall and Agile delivery? If Agile without analysis is a recipe for disaster, Agile with analysis is the solution. How can you leverage the Info-Tech approach to align your Agile and requirements management efforts into a powerful combination?

Manage Requirements in an Agile Environment is your guide.

Use the contents and exercises of this blueprint to gain a shared understanding of the two disciplines, to find your balance in your approach, to define your thresholds, and ultimately, to prepare for new ways of working.

Manage Requirements in an Agile Environment Research & Tools

Besides the small introduction, subscribers and consulting clients within this management domain have access to:

1. Manage Requirements in an Agile Environment Blueprint – Agile and Requirements Management are complementary, not competitors

Provides support and guidance for organizations struggling with their requirements management practices in Agile environments.

  • Manage Requirements in an Agile Environment Storyboard

2. Agile Requirements Playbook – A practical playbook for aligning your teams, and articulating the guidelines for managing your requirements in Agile.

The Agile Requirements Playbook becomes THE artifact for your Agile requirements practices. Great for onboarding, reviewing progress, and ensuring a shared understanding of your ways of working.

  • Agile Requirements Playbook

3. Documentation Calculator – A tool for determining the right level of documentation for your organization, and whether you’re spending too much, or even not enough, on Agile Requirements documentation.

The Documentation Calculator can inform your documentation decison making, ensuring you're investing just the right amount of time, money, and effort.

  • Documentation Calculator

4. Agile Requirements Workbook – Supporting tools and templates in advancing your Agile Requirements practice, to be used in conjunction with the Agile Requirements Blueprint, and the Playbook.

This workbook is designed to capture the results of your exercises in the Manage Requirements in an Agile Environment Storyboard. Each worksheet corresponds to an exercise in the storyboard. This is a tool for you, so customize the content and layout to best suit your product. The workbook is also a living artifact that should be updated periodically as the needs of your team and organization change.

  • Agile Requirements Workbook

5. Agile Requirements Assessment – Establishes your current Agile requirements maturity, defines your target maturity, and supports planning to get there.

The Agile Requirements Assessment is a great tool for determining your current capabilities and maturity in Agile and Business Analysis. You can also articulate your target state, which enables the identification of capability gaps, the creation of improvement goals, and a roadmap for maturing your Agile Requirements practice.

  • Agile Requirements Assessment

Infographic

Workshop: Manage Requirements in an Agile Environment

Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

1 Framing Agile and Business Analysis

The Purpose

Sets the context for the organization, to ensure a shared understanding of the benefits of both Agile and business analysis/requirements management.

Key Benefits Achieved

Have a shared definition of Agile and business analysis / requirements.

Understand the current state of Agile and business analysis in your organization.

Activities

1.1 Define what Agile and business analysis mean in your organization.

1.2 Agile requirements assessment.

Outputs

Alignment on Agile and business analysis / requirements in your organization.

A current and target state assessment of Agile and business analysis in your organization.

2 Tailoring Your Approach

The Purpose

Confirm you’re going the right way for effective solution delivery.

Key Benefits Achieved

Confirm the appropriate delivery methodology.

Activities

2.1 Confirm your selected methodology.

Outputs

Confidence in your selected project delivery methodology.

3 Defining Your Requirements Thresholds

The Purpose

Provides the guardrails for your Agile requirements practice, to define a high-level process, roles and responsibilities, governance and decision-making, and how to deal with change.

Key Benefits Achieved

Clearly defined interactions between the BA and their partners

Define a plan for management and governance at the project team level

Activities

3.1 Define your agile requirements process.

3.2 Define your agile requirements RACI.

3.3 Define your governance.

3.4 Define your change and backlog refinement plan.

Outputs

Agile requirements process.

Agile requirements RACI.

A governance and documentation plan.

A change and backlog refinement approach.

4 Planning Your Next Steps

The Purpose

Provides the action plan to achieve your target state maturity

Key Benefits Achieved

Recognize and prepare for the new ways of working for communication, stakeholder engagement, within the team, and across the organization.

Establish a roadmap for next steps to mature your Agile requirements practice.

Activities

4.1 Define your stakeholder communication plan.

4.2 Identify your capability gaps.

4.3 Plan your agile requirements roadmap.

Outputs

A stakeholder communication plan.

A list of capability gaps to achieve your desired target state.

A prioritized roadmap to achieve the target state.

5 Agile Requirements Techniques (Optional)

The Purpose

To provide practical guidance on technique usage, which can enable an improved experience with technical elements of the blueprint.

Key Benefits Achieved

An opportunity to learn new tools to support your Agile requirements practice.

Activities

5.1 Managing requirements' traceability.

5.2 Creating and managing user stories.

5.3 Managing your requirements backlog.

5.4 Maintaining a requirements library.

Outputs

Support and advice for leveraging a given tool or technique.

Support and advice for leveraging a given tool or technique.

Support and advice for leveraging a given tool or technique.

Support and advice for leveraging a given tool or technique.

Further reading

Manage Requirements in an Agile Environment

Agile and requirements management are complementary, not competitors

Analyst's Perspective

The temptation when moving to Agile is to deemphasize good requirements practices in favor of perceived speed. If you're not delivering on the needs of the business then you have failed, regardless of how fast you've gone.

Delivery in Agile doesn't mean you stop needing solid business analysis. In fact, it's even more critical, to ensure your products and projects are adding value. With the rise of Agile, the role of the business analyst has been misunderstood.

As a result, we often throw out the analysis with the bathwater, thinking we'll be just fine without analysis, documentation, and deliberate action, as the speed and dexterity of Agile is enough.

Consequently, what we get is wasted time, money, and effort, with solutions that fail to deliver value, or need to be re-worked to get it right.

The best organizations find balance between these two forces, to align, and gain the benefits of both Agile and business analysis, working in tandem to manage requirements that bring solutions that are "just right".

This is a picture of Vincent Mirabelli

Vincent Mirabelli
Principal Research Director, Applications Delivery and Management
Info-Tech Research Group

EXECUTIVE BRIEF

Executive Summary

Your Challenge

The process of navigating from waterfall to Agile can be incredibly challenging. And even more problematic; how do you operate your requirements management practices once there? Since there traditionally isn't a role for a business analyst; the traditional keeper of requirements. it isn't like switching on a light.

You likely find yourself struggling to deliver high quality solutions and requirements in Agile. This is a challenge for many organizations, regardless of how long they've leveraged Agile.

But you aren't here for assurances. You're here for answers and help.

Common Obstacles

many organizations and teams face is that there are so busy doing Agile that they fail to be Agile.

Agile was supposed to be the saving grace of project delivery but is misguided in taking the short-term view of "going quickly" at the expense of important elements, such as team formation and interaction, stakeholder engagement and communication, the timing and sequencing of analysis work, decision-making, documentation, and dealing with change.

The idea that good requirements just happen because you have user stories is wrong. So, requirements remain superficial, as you "can iterate later"…but sometimes later never comes, or doesn't come fast enough.

Organizations need to be very deliberate when aligning their Agile and requirements management practices. The work is the same. How the work is done is what changes.

Info-Tech's Approach

Infotech's advice? Why choose? Why have to pick between traditional waterfall and Agile delivery? If Agile without analysis is a recipe for disaster, Agile with analysis is the solution. And how can you leverage the Info-Tech approach to align your Agile and requirements management efforts into a powerful combination?

Manage Requirements in an Agile Environment is your guide.

Use the contents and exercises of this blueprint to gain a shared understanding of the two disciplines, to find your balance in your approach, to define your thresholds, and ultimately, to prepare for new ways of working.

Info-Tech Insight

Agile and requirements management are complementary, not competitors.

The temptation when moving to Agile is to deemphasize good requirements practices in favor of perceived speed. If you're not delivering on the needs of the business, then you have failed, regardless of how fast you've gone.

Insight summary

Overarching insight

Agile and requirements management are complementary, not competitors.

The temptation when moving to Agile is to deemphasize good requirements practices in favor of perceived speed. If you're not delivering on the needs of the business, then you have failed, regardless of how fast you've gone

Phase 1 insight

  • The purpose of requirements in waterfall is for approval. The purpose in Agile is for knowledge management, as Agile has no memory.
  • When it comes to the Agile manifesto, "over" does not mean "instead of".
  • In Agile, the what of business analysis does doesn't change. What does change is the how and when that work happens.

Phase 2 insight

  • Understand your uncertainties; it's a great way to decide what level of Agile (if any) is needed.
  • Finding your "Goldilocks" zone will take time. Be patient.

Phase 3 insight

  • Right-size your governance, based on team dynamics and project complexity. A good referee knows when to step in, and when to let the game flow.
  • Agile creates a social contract amongst the team, and with their leaders and organization.
  • Documentation needs to be valuable. Do what is acceptable and necessary to move work to future steps. Not documenting also comes with a cost, but one you pay in the future. And that bill will come due, with interest (aka, technical debt, operational inefficiencies, etc.).
  • A lack of acceptable documentation makes it more difficult to have agility. You're constantly revalidating your current state (processes, practices and structure) and re-arguing decisions already made. This slows you down more than maintaining documentation ever would.

Phase 4 insight

  • Making Agile predictable is hard, because people are not predictable; people are prone to chaos.

There have been many challenges with waterfall delivery

It turns out waterfall is not that great at reducing risk and ensuring value delivery after all

  • Lack of flexibility
  • Difficulty in measuring progress
  • Difficulties with scope creep
  • Limited stakeholder involvement
  • Long feedback loops

48%
Had project deadlines more than double

85%
Exceeded their original budget by at least 20%

25%
At least doubled their original budget

This is an image of the waterfall project results

Source: PPM Express.

Agile was meant to address the shortcomings of waterfall

The wait for solutions was too long for our business partners. The idea of investing significant time, money, and resources upfront, building an exhaustive and complete vision of the desired state, and then waiting months or even years to get that solution, became unpalatable for them. And rightfully so. Once we cast a light on the pains, it became difficult to stay with the status quo. Given that organizations evolve at a rapid pace, what was a pain at the beginning of an initiative may not be so even 6 months later.

Agile became the answer.

Since its' first appearance nearly 20 years ago, Agile has become the methodology of choice for a many of organizations. According to the 15th Annual State of Agile report, Agile adoption within software development teams increased from 37% in 2020 to 86% in 2021.

Adopting Agile led to challenges with requirements

Requirements analysis, design maturity, and management are critical for a successful Agile transformation.

"One of the largest sources of failure we have seen on large projects is an immature Agile implementation in the context of poorly defined requirements."
– "Large Scale IT Projects – From Nightmare to Value Creation"

"Requirements maturity is more important to project outcomes than methodology."
– "Business Analysis Benchmark: Full Report"

"Mature Agile practices spend 28% of their time on analysis and design."
– "Quantitative Analysis of Agile Methods Study (2017): Twelve Major Findings"

"There exists a Requirements Premium… organizations using poor practices spent 62% more on similarly sized projects than organizations using the best requirements practices."
– "The Business Case for Agile Business Analysis" - Requirements Engineering Magazine

Strong stakeholder satisfaction with requirements results in higher satisfaction in other areas

This is an image of a bar graph comparing the percentage of respondents with high stakeholder satisfaction, to the percentage of respondents with low stakeholder satisfaction for four different categories.  these include: Availability of IT Capacity to Complete Projects; Overall IT Projects; IT Projects Meet Business Needs; Overall IT Satisfaction

N= 324 small organizations from Info-Tech Research Group's CIO Business Vision diagnostic.

Note: High satisfaction was classified as organizations with a score greater or equal to eight and low satisfaction was every organization that scored below eight on the same questions.

Info-Tech's Agile requirements framework

This is an image of Info-Tech's Agile requirements framework.  The three main categories are: Sprint N(-1); Sprint N; Sprint N(+1)

Agile requirements are a balancing act

Collaboration

Many subject matter experts are necessary to create accurate requirements, but their time is limited too.

Communication

Stakeholders should be kept informed throughout the requirements gathering process, but you need to get the right information to the right people.

Documentation

Recording, organizing, and presenting requirements are essential, but excessive documentation will slow time to delivery.

Control

Establishing control points in your requirements gathering process can help confirm, verify, and approve requirements accurately, but stage gates limit delivery.

What changes for the business analyst?

In Agile, the what of business analysis does not change.

What does change is the how and when that work happens.

Business analysts need to focus on six key elements when managing requirements in Agile.

  • Team formation and interaction
  • Stakeholder engagement and communication
  • The timing and sequencing of their work
  • Decision-making
  • Documentation
  • Dealing with change

Where does the business analysis function fit on an Agile team?

Team formation is key, as Agile is a team sport

A business analyst in an Agile team typically interacts with several different roles, including:

  • The product owner,
  • The Sponsor or Executive
  • The development team,
  • Other stakeholders such as customers, end-users, and subject matter experts
  • The Design team,
  • Security,
  • Testing,
  • Deployment.

This is an image the roles who typically interact with a Business Analyst.

How we do our requirements work will change

  • Team formation and interaction
  • Stakeholder engagement and communication
  • The timing and sequencing of their work
  • Decision-making
  • Documentation
  • Dealing with change

As a result, you'll need to focus on;

  • Emphasizing flexibility
  • Enabling continuous delivery
  • Enhancing collaboration and communication
  • Developing a user-centered approach

Get stakeholders on board with Agile requirements

  1. Stakeholder feedback and management support are key components of a successful Agile Requirements.
  2. Stakeholders can see a project's progression and provide critical feedback about its success at critical milestones.
  3. Management helps teams succeed by trusting them to complete projects with business value at top of mind and by removing impediments that are inhibiting their productivity.
  4. Agile will bring a new mindset and significant numbers of people, process, and technology changes that stakeholders and management may not be accustomed to. Working through these issues in requirements management enables a smoother rollout.
  5. Management will play a key role in ensuring long-term Agile requirements success and ultimately rolling it out to the rest of the organization.
  6. The value of leadership involvement has not changed even though responsibilities will. The day-to-day involvement in projects will change but continual feedback will ultimately dictate the success or failure of a project.

Measuring your success

Tracking metrics and measuring your progress

As you implement the actions from this Blueprint, you should see measurable improvements in;

  • Team and stakeholder satisfaction
  • Requirements quality
  • Documentation cost

Without sacrificing time to delivery

Metric Description and motivation
Team satisfaction (%) Expect team satisfaction to increase as a result of clearer role delineation and value contribution.
Stakeholder satisfaction (%) Expect Stakeholder satisfaction to similarly increase, as requirements quality increases, bringing increased value
Requirements rework Measures the quality of requirements from your Agile Projects. Expect that the Requirements Rework will decrease, in terms of volume/frequency.
Cost of documentation Quantifies the cost of documentation, including Elicitation, Analysis, Validation, Presentation, and Management
Time to delivery Balancing Metric. We don't want improvements in other at the expense of time to delivery

Info-Tech's methodology for Agile requirements

1. Framing Agile and Business Analysis

2. Tailoring Your Approach

3. Defining Your Requirements Thresholds

4. Planning Your Next Steps

Phase Activities

1.1 Understand the benefits and limitations of Agile and business analysis

1.2 Align Agile and business analysis within your organization

2.1 Decide the best-fit approach for delivery

2.2 Manage your requirements backlog

3.1 Define project roles and responsibilities

3.2 Define your level of acceptable documentation

3.3 Manage requirements as an asset

3.4 Define your requirements change management plan

4.1 Preparing new ways of working

4.2 Develop a roadmap for next steps

Phase Outcomes

Recognize the benefits and detriments of both Agile and BA.

Understand the current state of Agile and business analysis in your organization.

Confirm the appropriate delivery methodology.

Manage your requirements backlog.

Connect the business need to user story.

Clearly defined interactions between the BA and their partners.

Define a plan for management and governance at the project team level.

Documentation and tactics that are right-sized for the need.

Recognize and prepare for the new ways of working for communication, stakeholder engagement, within the team, and across the organization.

Establish a roadmap for next steps to mature your Agile requirements practice.

Blueprint tools and templates

Key deliverable:

This is a screenshot from the Agile Requirements Playbook

Agile Requirements Playbook

A practical playbook for aligning your teams and articulating the guidelines for managing your requirements in Agile

Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:

This is a screenshot from the Documentation Calculator

Documentation Calculator

A tool to help you answer the question: What is the right level of Agile requirements documentation for my organization?

This is a screenshot from the Agile Requirements Assessment

Agile Requirements Assessment

Establishes your current maturity level, defines your target state, and supports planning to get there.

This is a screenshot from the Agile Requirements Workbook

Agile Requirements Workbook

Supporting tools and templates in advancing your Agile requirements practice, to be used with the Agile Requirements Blueprint and Playbook.

Info-Tech offers various levels of support to best suit your needs

DIY Toolkit

"Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful."

Guided Implementation

"Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track."

Workshop

"We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place."

Consulting

"Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project."

Diagnostics and consistent frameworks used throughout all four options

Workshop Overview

Contact your account representative for more information.
workshops@infotech.com 1-888-670-8889

Day 1 Day 2 Day 3 Day 4 Day 5
1. Framing Agile and Business Analysis / 2. Tailoring Your Approach 3. Defining Your Requirements
Thresholds
3. Defining Your Requirements Thresholds / 4. Planning Your Next Steps (OPTIONAL) Agile Requirements Techniques (a la carte) Next Steps and Wrap-Up (Offsite)

Activities

What does Agile mean in your organization? What do requirements mean in your organization?

Agile Requirements Assessment

Confirm your selected methodology

Define your Agile requirements process

Define your Agile requirements RACI (Optional)

Define your Agile requirements governance

Defining your change management plan

Define your

communication plan

Capability gap list

Planning your Agile requirements roadmap

Managing requirements traceability

Creating and managing user stories

Managing your requirements backlog

Maintaining a requirements library

Develop Agile Requirements Playbook

Complete in-progress deliverables from previous four days.

Set up review time for workshop deliverables and next steps

Outcomes

Shared definition of Agile and business analysis / requirements

Understand the current state of Agile and business analysis in your organization

Agile requirements process

Agile requirements RACI (Optional)

Defined Agile requirements governance and documentation plan

Change and backlog refinement plan

Stakeholder communication plan

Action plan and roadmap for maturing your Agile requirements practice

Practical knowledge and practice about various tactics and techniques in support of your Agile requirements efforts

Completed Agile Requirements Playbook

Guided Implementation

Phase 1 Phase 2 Phase 3 Phase 4

Call #1: Scope objectives, and your specific challenges.

Call #4: Define your approach to project delivery.

Call #6: Define your Agile requirements process.

Call #9: Identify gaps from current to target state maturity.

Call #2: Assess current maturity.

Call #5: Managing your requirements backlog.

Call #7: Define roles and responsibilities.

Call #10: Pprioritize next steps to mature your Agile requirements practice.

Call #3: Identify target-state capabilities.

Call #8: Define your change and backlog refinement approach.

A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

A typical GI is 10 calls over the course of 4 to 6 months.

Framing Agile and Business Analysis

Phase 1

Framing Agile and Business Analysis

Phase 1Phase 2Phase 3Phase 4

1.1 Understand the benefits and limitations of Agile and business analysis

1.2 Align Agile and business analysis within your organization

2.1 Confirm the best-fit approach for delivery

2.2 manage your requirements backlog

3.1 Define project roles and responsibilities

3.2 define your level of acceptable documentation

3.3 Manage requirements as an asset

3.4 Define your requirements change management plan

4.1 Preparing new ways of working

4.2 Develop a roadmap for next steps

This phase will walk you through the following activities:

  • EXERCISE: What do Agile and requirements mean in your organization?
  • ASSESSMENT: Agile requirements assessment
  • KEY DELIVERABLE: Agile Requirements Playbook

This phase involves the following participants:

  • Business analyst and project team
  • Stakeholders
  • Sponsor/Executive

Managing Requirements in an Agile Environment

Step 1.1

Understand the benefits and limitations of Agile and business analysis

Activities

1.1.1 Define what Agile and business analysis mean in your organization

This step involves the following participants:

  • Business analyst and project team
  • Sponsor/Executive

Outcomes of this step

  • Recognize the benefits and detriments of both Agile and business analysis

Framing Agile and Business Analysis

There have been many challenges with waterfall delivery

It turns out waterfall is not that great at reducing risk and ensuring value delivery after all

  • Lack of flexibility
  • Difficulty in measuring progress
  • Difficulties with scope creep
  • Limited stakeholder involvement
  • Long feedback loops

48%
Had project deadlines more than double

85%
Exceeded their original budget by at least 20%

25%
At least doubled their original budget

This is an image of the Waterfall Project Results

Source: PPM Express.

Business analysis had a clear home in waterfall

Business analysts had historically been aligned to specific lines of business, in support of their partners in their respective domains. Somewhere along the way, the function was moved to IT. Conceptually this made sense, in that it allowed BAs to provide technical solutions to complex business problems. This had the unintended result of lost domain knowledge, and connection to the business.

It all starts with the business. IT enables business goals. The closer you can get to the business, the better.

Business analysts were the main drivers of helping to define the business requirements, or needs, and then decompose those into solution requirements, to develop the best option to solve those problems, or address those needs. And the case for good analysis was clear. The later a poor requirement was caught, the more expensive it was to fix. And if requirements were poor, there was no way to know until much later in the project lifecycle, when the cost to correct them was exponentially higher, to the tune of 10-100x the initial cost.

This is an image of a graph showing the cost multiplier for Formulating Requirements, Architecture Design, Development, Testing and, Operations

Adapted from PPM Express. "Why Projects Fail: Business Analysis is the Key".

Agile was meant to address the shortcomings of waterfall

The wait for solutions was too long for our business partners. The idea of investing significant time, money, and resources upfront, building an exhaustive and complete vision of the desired state, and then waiting months or even years to get that solution became unpalatable for them. And rightfully so. Once we cast a light on the pains, it became difficult to stand pat in the current state. And besides, organizations evolve at a rapid pace. What was a pain at the beginning of an initiative may not be so even six months later.

Agile became the answer.

Since its first appearance nearly 20 years ago, Agile has become the methodology of choice for a huge swathe of organizations. According to the 15th Annual State of Agile report, Agile adoption within software development teams increased from 37% in 2020 to 86% in 2021.

To say that's significant is an understatement.

The four core values of Agile helped shift focus

According to the Agile manifesto, "We value. . ."

This is an image of what is valued according to the Agile Manifesto.

"…while there is value in the items on the right, we value the items on the left more."

Source: Agilemanifesto, 2001

Agile has made significant inroads in IT and beyond

94% of respondents report using Agile practices in their organization

according to Digital.AI's "The 15th State of Agile Report"

That same report notes a steady expansion of Agile outside of IT, as other areas of the organization seek to benefit from increased agility and responsiveness, including Human Resources, Finance and Marketing.

While it addressed some problems…

This is an image of the Waterfall Project Results, compared to Agile Product Results.

"Agile projects are 37% faster to market than [the] industry average"

(Requirements Engineering Magazine, 2017)

  • Business requirements documents are massive and unreadable
  • Waterfall erects barriers and bottlenecks between the business and the development team
  • It's hard to define the solution at the outset of a project
  • There's a long turnaround between requirements work and solution delivery
  • Locking in requirements dictates an often-inflexible solution. And the costs to make changes tend to add up.

…Implementing Agile led to other challenges

This is an image of a series of thought bubbles, each containing a unique challenge resulting from implementing Agile.

Adopting Agile led to challenges with requirements

Requirements analysis, design maturity, and management are critical for a successful Agile transformation.

"One of the largest sources of failure we have seen on large projects is an immature Agile implementation in the context of poorly defined requirements."
– BCG, 2015

"Requirements maturity is more important to project outcomes than methodology."
– IAG Consulting, 2009.

"Mature Agile practices spend 28% of their time on analysis and design."
– InfoQ, 2017."

"There exists a Requirements Premium… organizations using poor practices spent 62% more on similarly sized projects than organizations using the best requirements practices."
– Requirements Engineering Magazine, 2017

Strong stakeholder satisfaction with requirements results in higher satisfaction in other areas

This is an image of a bar graph comparing the percentage of respondents with high stakeholder satisfaction, to the percentage of respondents with low stakeholder satisfaction for four different categories.  these include: Availability of IT Capacity to Complete Projects; Overall IT Projects; IT Projects Meet Business Needs; Overall IT Satisfaction

N= 324 small organizations from Info-Tech Research Group's CIO Business Vision diagnostic.

Note: High satisfaction was classified as organizations with a score greater or equal to eight and low satisfaction was every organization that scored below eight on the same questions.

Agile is being misinterpreted as an opportunity to bypass planning and analysis activities

Agile is a highly effective tool.

This isn't about discarding Agile. It is being used for things completely outside of what was originally intended. When developing products or code, it is in its element. However, outside of that realm, its being used to bypass business analysis activities, which help define the true customer and business need.

Business analysts were forced to adapt and shift focus. Overnight they morphed into product owners, or no longer had a place on the team. Requirements and analysis took a backseat.

The result?

Increased rework, decreased stakeholder satisfaction, and a lot of wasted money and effort.

"Too often, the process of two-week sprints becomes the thing, and the team never gets the time and space to step back and obsess over what is truly needed to delight customers."
Harvard Business Review, 9 April 2021.

Info-Tech Insight

Requirements in Agile are the same, but the purpose of requirements changes.

  • The purpose of requirements in waterfall is for stakeholder approval.
  • The purpose of requirements in Agile is knowledge management; to maintain a record of the current state.

Many have misinterpreted the spirit of Agile and waterfall

The stated principles of waterfall say nothing of how work is to be linear.

This is an image of a comparison between using Agile and Being Prescriptive.This is an image of Royce's 5 principles for success.

Source: Royce, Dr. Winston W., 1970.

For more on Agile methodology, check out Info-Tech's Agile Research Centre

How did the pendulum swing so far?

Shorter cycles of work made requirements management more difficult. But the answer isn't to stop doing it.

Organizations went from engaging business stakeholders up front, and then not until solution delivery, to forcing those partners to give up their resources to the project. From taking years to deliver a massive solution (which may or may not even still fit the need) to delivering in rapid cycles called sprints.

This tug-of-war is costing organizations significant time, money, and effort.

Your approach to requirements management needs to be centered. We can start to make that shift by better aligning our Agile and business analysis practices. Outside of the product space, Agile needs to be combined with other disciplines (Harvard Business Review, 2021) to be effective.

Agility is important. Though it is not a replacement for approach or strategy (RCG Global Services, 2022). In Agile, team constraints are leveraged because of time. There is a failure to develop new capabilities to address the business needs Harvard Business Review, 2021).

Agility needs analysis.

Agile requirements are a balancing act

Collaboration

Many subject matter experts are necessary to create accurate requirements, but their time is limited too.

Communication

Stakeholders should be kept informed throughout the requirements gathering process, but you need to get the right information to the right people.

Documentation

Recording, organizing, and presenting requirements are essential, but excessive documentation will slow time to delivery.

Control

Establishing control points in your requirements gathering process can help confirm, verify, and approve requirements accurately, but stage gates limit delivery.

Start by defining what the terms mean in your organization

We do this because there isn't even agreement by the experts on what the terms "Agile" and "business analysis" mean, so let's establish a definition within the context of your organization.

1.1.1 What do Agile and business analysis mean in your organization?

Estimated time: 30 Minutes

  1. Explore the motivations behind the need for aligning Agile with business analysis. Are there any current challenges related to outputs, outcomes, quality? How can the team and organization align the two more effectively for the purposes of requirements management?
  2. Gather the appropriate stakeholders to discuss their definition of the terms "Agile" and "business analysis" It can be related to their experience, practice, or things they've read or heard.
  3. Brainstorm and document all shared thoughts and perspectives.
  4. Synthesize those thoughts and perspectives into a shared definition of each term, of a sentence or two.
  5. Revisit this definition as needed, and as your Agile requirements efforts evolve.

Input

  • Challenges and experiences/perspectives related to Agile and business requirements

Output

  • A shared definition of Agile and business analysis, to help guide alignment on Agile requirements management

Materials

  • Agile Requirements Workbook

Participants

  • Business Analyst(s)
  • Project Team
  • Sponsor/Executive
  • Relevant Stakeholders

Build your Agile Requirements Playbook

Keep the outcomes of this blueprint in a single document

Share at the beginning of a new project, as part of team member onboarding, and revisit as your practice matures.

This is a series of three screenshots from the Agile Requirements Playbook.

Your Agile Requirements Playbook will include

  • Your shared definition of Agile and business analysis for your organization
  • The Agile Requirements Maturity Assessment
  • A Methodology Selection Matrix
  • Agile requirements RACI
  • A defined Agile requirements process
  • Documentation Calculator
  • Your Requirements Repository Information
  • Capability Gap List (from current to target state)
  • Target State Improvement Roadmap and Action Plan

Step 1.2

Align Agile and Business Analysis Within Your Organization

Activities

1.2.1 Assess your Agile requirements maturity

This step involves the following participants:

  • Business Analyst and Project Team
  • Stakeholders
  • Sponsor/Executive

Outcomes of this step

  • Complete the Agile Requirements Maturity Assessment to establish your current and target states

Framing Agile and Business Analysis

Consider the question: "Why Agile?"

What is the driving force behind that decision?

There are many reasons to leverage the power of Agile within your organization, and specifically as part of your requirements management efforts. And it shouldn't just be to improve productivity. That's only one aspect.
Begin by asking, "Why Agile?" Are you looking to improve:

  • Time to market
  • Team engagement
  • Product quality
  • Customer satisfaction
  • Stakeholder engagement
  • Employee satisfaction
  • Consistency in delivery of value
  • Predictably of your releases

Or a combination of the above?

Info-Tech Insight

Project delivery methodologies aren't either/or. You don't have to be 100% waterfall or 100% Agile. Select the right approach for your project, product, or service.

In the end, your business partners don't want projects delivered faster, they want value faster!

For more on understanding Agile, check out the Implement Agile Practices That Work Blueprint

Responses to a 2019 KPMG survey:

13% said that their top management fully supports Agile transformation.

76% of organizations did not agree that their organization supports Agile culture.

62% of top management believe Agile has no implications for them.

What changes for the business analyst?

Business analysts need to focus on six key elements when managing requirements in Agile.

  • Team formation and interaction
  • Stakeholder engagement and communication
  • The timing and sequencing of their work
  • Decision-making
  • Documentation
  • Dealing with change

In Agile, the what of business analysis does not change.

What does change is the how and when that work happens.

1.2.1 Assess your Agile requirements maturity

This is a series of screenshots from the Agile Requirements Maturity Assessment.

1.2.1 Assess your Agile requirements maturity

Estimated time: 30 Minutes

    1. Using the Agile Requirements Maturity Assessment, gather all appropriate stakeholders, and discuss and score the current state of your practice. Scoring can be done by:
      1. Consensus: Generally better with a smaller group, where the group agrees the score and documents the result
      2. Average: Have everyone score individually, and aggregate the results into an average, which is then entered.
      3. Weighted Average: As above, but weight the individual scores by individual or line of business to get a weighted average.
    2. When current state is complete, revisit to establish target state (or hold as a separate session) using the same scoring approach as in current state.
      1. Recognize that there is a cost to maturity, so don't default to the highest score by default.
      2. Resist the urge at this early stage to generate ideas to navigate from current to target state. We will re-visit this exercise in Phase 4, once we've defined other pieces of our process and practice.

Input

  • Participant knowledge and experience

Output

  • A current and target state assessment of your Agile requirements practice

Materials

  • Agile Requirements Maturity Assessment

Participants

  • Business Analyst(s)
  • Project Team
  • Sponsor/Executive
  • Relevant Stakeholders

Tailoring Your Approach

Phase 2

Phase 1Phase 2Phase 3Phase 4

1.1 Understand the benefits and limitations of Agile and business analysis

1.2 Align Agile and business analysis within your organization

2.1 Confirm the best-fit approach for delivery

2.2 manage your requirements backlog

3.1 Define project roles and responsibilities

3.2 define your level of acceptable documentation

3.3 Manage requirements as an asset

3.4 Define your requirements change management plan

4.1 Preparing new ways of working

4.2 Develop a roadmap for next steps

This phase will walk you through the following activities:

  • Selecting the appropriate delivery methodology
  • Managing your requirements backlog
  • Tracing from business need to user story

This phase involves the following participants:

  • Business Analyst(s)
  • Project Team
  • Sponsor/Executive
  • Relevant Stakeholders

Managing Requirements in an Agile Environment

Step 2.1

Confirm the Best-fit Approach for Delivery

Activities

2.1.1 Confirm your methodology

This step involves the following participants:

  • Business Analyst(s)
  • Project Team
  • Sponsor/Executive
  • Relevant Stakeholders

Outcomes of this step

  • A review of potential delivery methodologies to select the appropriate, best-fit approach to your projects

Confirming you're using the best approach doesn't have be tricky

Selecting the right approach (or confirming you're on the right track) is easier when you assess two key inputs to your project; your level of certainty about the solution, and the level of complexity among the different variables and inputs to your project, such as team experience and training, the number of impacted stakeholders or context. lines of business, and the organizational

Solution certainty refers to the level of understanding of the problem and the solution at the start of the project. In projects with high solution certainty, the requirements and solutions are well defined, and the project scope is clear. In contrast, projects with low solution certainty have vague or changing requirements, and the solutions are not well understood.

Project complexity refers to the level of complexity of the project, including the number of stakeholders, the number of deliverables, and the level of technical complexity. In projects with high complexity, there are many stakeholders with different priorities, many deliverables, and high technical complexity. In contrast, projects with low complexity have fewer stakeholders, fewer deliverables, and lower technical complexity.

"Agile is a fantastic approach when you have no clue how you're going to solve a problem"

  • Ryan Folster, Consulting Services Manager, Business Analysis, Dimension Data

Use Info-Tech's methodology selection matrix

Waterfall methodology is best suited for projects with high solution certainty and high complexity. This is because the waterfall model follows a linear and sequential approach, where each phase of the project is completed before moving on to the next. This makes it ideal for projects where the requirements and solutions are well-defined, and the project scope is clear.

On the other hand, Agile methodology is best suited for projects with low solution certainty. Agile follows an iterative and incremental approach, where the requirements and solutions are detailed and refined throughout the project. This makes it ideal for projects where the requirements and solutions are vague or changing.

Note that there are other models that exist for determining which path to take, should this approach not fit within your organization.

Use info-tech's-methodology-selection-matrix

This is an image of Info-Tech’s methodology selection matrix

Adapted from The Chaos Report, 2015 (The Standish Group)

Download the Agile Requirements Workbook

2.1.1 Confirm your methodology

Estimated time: 30 Minutes

  1. Using the Agile Requirements Workbook, find the tab labelled "Methodology Assessment" and answer the questions to establish your complexity and certainty scores, where;

1 = Strongly disagree
2 = Disagree
3 = Neutral
4 = Agree
5 = Strongly agree.

  1. In the same workbook, plot the results in the grid on the tab labelled "Methodology Matrix".
  2. Projects falling into Green are good fits for Agile. Yellow are viable. And Red may not be a great fit for Agile.
  3. Note: Ultimately, the choice of methodology is yours. Recognize there may be additional challenges when a project is too complex, or uncertainty is high.

Input

  • Current project complexity and solution certainty

Output

  • A clear choice of delivery methodology

Materials

  • Agile Requirements Workbook

Participants

  • Business Analyst(s)
  • Project Team
  • Sponsor/Executive
  • Relevant Stakeholders

Step 2.2

Manage Your Requirements Backlog

Activities

2.2.1 Create your user stories

This step involves the following participants:

  • Business Analyst(s)
  • Project Team
  • Sponsor/Executive
  • Relevant Stakeholders

Outcomes of this step

  • Understand how to convert requirements into user stories, which populate the Requirements Backlog.

Tailoring Your Approach

There is a hierarchy to requirements

This is a pyramid, with the base being: Solution Requirements; The middle being: Stakeholder Requirements; and the Apex being: Business Requirements.
  • Higher-level statements of the goals, objectives, or needs of the enterprise.
  • Business requirements focus on the needs of the organization, and not the stakeholders within it.

Defines

Intended benefits and outcomes

  • Statements of the needs of a particular stakeholder or class of stakeholders, and how that stakeholder will interact with a solution.

Why it is needed, and by who

  • Describes the characteristics of a solution that meets business requirements and stakeholder requirements. Functional describes the behavior and information that the solution will manage. They describe capabilities the system will be able to perform in terms of behaviors or operations. Non-functional represents constraints on the ultimate solution and tends to be less negotiable.

What is needed, and how its going to be achieved

Connect the dots with a traceability matrix

Business requirements describe what a company needs in order to achieve its goals and objectives. Solution requirements describe how those needs will be met. User stories are a way to express the functionality that a solution will provide from the perspective of an end user.

A traceability matrix helps clearly connect and maintain your requirements.

To connect business requirements to solution requirements, you can start by identifying the specific needs that the business has and then determining how those needs can be met through technology or other solutions; or what the solution needs to do to meet the business need. So, if the business requirement is to increase online sales, a solution requirement might include implementing a shopping cart feature on your company website.

Once you have identified the solution requirements, you can then use those to create user stories. A user story describes a specific piece of functionality that the solution will provide from the perspective of a user.

For example, "As a customer, I want to be able to add items to my shopping cart so that I can purchase them." This user story is directly tied to the solution requirement of implementing a shopping cart feature.

Tracing from User Story back up to Business Requirement is essential in ensuring your solutions support your organization's strategic vison and objectives.

This is an image of a traceability matrix for Business Requirements.

Download the Info-Tech Requirements Traceability Matrix

Improve the quality of your solution requirements

A solution requirement is a statement that clearly outlines the functional capability that the business needs from a system or application.

There are several attributes to look for in requirements:

Verifiable

Unambiguous

Complete

Consistent

Achievable

Traceable

Unitary

Agnostic

Stated in a way that can be easily tested

Free of subjective terms and can only be interpreted in one way

Contains all relevant information

Does not conflict with other requirements

Possible to accomplish with budgetary and technological constraints

Trackable from inception through to testing

Addresses only one thing and cannot be decomposed into multiple requirements

Doesn't pre-suppose a specific vendor or product

For more on developing high quality requirements, check out the Improve Requirements Gathering Blueprint

Prioritize your requirements

When everything is a priority, nothing is a priority.

Prioritization is the process of ranking each requirement based on its importance to project success. Each requirement should be assigned a priority level. The delivery team will use these priority levels to ensure efforts are targeted toward the proper requirements as well as to plan features available on each release. Use the MoSCoW Model of Prioritization to effectively order your requirements.

The MoSCoW Model of Prioritization

This is an image of The MoSCoW Model of Prioritization

The MoSCoW model was introduced by Dai Clegg of Oracle UK in 1994

(Source: ProductPlan).

Base your prioritization on the right set of criteria

Criteria Description
Regulatory and legal compliance These requirements will be considered mandatory.
Policy compliance Unless an internal policy can be altered or an exception can be made, these requirements will be considered mandatory.
Business value significance Give a higher priority to high-value requirements.
Business risk Any requirement with the potential to jeopardize the entire project should be given a high priority and implemented early.
Likelihood of success Especially in proof-of-concept projects, it is recommended that requirements have good odds.
Implementation complexity Give a higher priority to low implementation difficulty requirements.
Alignment with strategy Give a higher priority to requirements that enable the corporate strategy.
Urgency Prioritize requirements based on time sensitivity.
Dependencies A requirement on its own may be low priority, but if it supports a high-priority requirement, then its priority must match it.

Info-Tech Insight

It is easier to prioritize requirements if they have already been collapsed, resolved, and rewritten. There is no point in prioritizing every requirement that is elicited up front when some of them will eventually be eliminated.

Manage solution requirements in a Product backlog

What is a backlog?

Agile teams are familiar with the use of a Sprint Backlog, but in Requirements Management, a Product Backlog is a more appropriate choice.

A product backlog and a Sprint backlog are similar in that they are both lists of items that need to be completed in order to deliver a product or project, but there are some key differences between the two.

A product backlog is a list of all the features, user stories, and requirements that are needed for a product or project. It is typically created and maintained by the business analyst or product owner and is used to prioritize and guide the development of the product.

A Sprint backlog, on the other hand, is a list of items specifically for an upcoming sprint, which is an iteration of work in Scrum. The Sprint backlog is created by the development team and is used to plan and guide the work that will be done during the sprint. The items in the Sprint backlog are typically taken from the product backlog and are prioritized based on their importance and readiness.

For more on building effective product backlogs, visit Deliver on Your Digital Product Vision

A backlog stores and organizes requirements at various stages

Your backlog must give you a holistic understanding of demand for change in the product.

A well-formed backlog can be thought of as a DEEP backlog

Detailed appropriately: Requirements are broken down and refined as necessary

Emergent: The backlog grows and evolves over time as requirements are added and removed.

Estimated: The effort to deliver a requirement is estimated at each tier.

Prioritized: A requirement's value and priority are determined at each tier.

This is an image of an inverted funnel, with the top being labeled: Ideas; The middle being labeled: Qualified; and the bottom being labeled: Ready.

Adapted from Essential Scrum

Ensure requests and requirements are ready for development

Clearly define what it means for a requirement, change, or maintenance request to be ready for development.

This will help ensure the value and scope of each functionality and change are clear and well understood by both developers and stakeholders before the start of the sprint. The definition of ready should be two-fold: ready for the backlog, and ready for coding.

  1. Create a checklist that indicates when a requirement or request is ready for the development backlog. Consider the following questions:
    1. Is the requirement or request in the correct format?
    2. Does the desired functionality or change have significant business value?
    3. Can the requirement or request be reasonably completed within defined release timelines under the current context?
    4. Does the development team agree with the budget and points estimates?
    5. Is there an understanding of what the requirement or request means from the stakeholder or user perspective?
  2. Create a checklist that indicates when a requirement or request is ready for development. Consider the following questions:
    1. Have the requirements and requests been prioritized in the backlog?
    2. Has the team sufficiently collaborated on how the desired functionality or change can be completed?
    3. Do the tasks in each requirement or request contain sufficient detail and direction to begin development?
    4. Can the requirement or request be broken down into smaller pieces?

Converting solution requirements into user stories

Define the user

Who will be interacting with the product or feature being developed? This will help to focus the user story on the user's needs and goals.

Create the story

Create the user story using the following template: "As a [user], I want [feature] so that [benefit]."
This helps articulate the user's need and the value that the requirement will provide.

Decompose

User stories are typically too large to be implemented in a single sprint, so they should be broken down into smaller, more manageable tasks.

Prioritize

User stories are typically too large to be implemented in a single sprint, so they should be broken down into smaller, more manageable tasks.

2.2.1 Create your user stories

Estimated time: 60 Minutes

  1. Gather the project team and relevant stakeholders. Have access to your current list of solution requirements.
  2. Leverage the approach on previous slide "Converting Solution Requirements into User Stories" to generate a collection of user stories.

NOTE: There is not a 1:1 relationship between requirements and user stories.
It is possible that a single requirement will have multiple user stories, and similarly, that a single user story will apply to multiple solution requirements.

Input

  • Requirements
  • Use Case Template

Output

  • A collection of user stories

Materials

  • Current Requirements

Participants

  • Business Analyst(s)
  • Project Team
  • Relevant Stakeholders

Use the INVEST model to create good user stories

At this point your requirements should be high-level stories. The goal is to refine your backlog items, so they are . . .

A vertical image of the Acronym: INVEST, taken from the first letter of each bolded word in the column to the right of the image.

Independent: Ideally your user stories can be built in any order (i.e. independent from each other). This allows you to prioritize based on value and not get caught up in sequencing and prerequisites.
Negotiable: As per the Agile principle, collaboration over contracts. Your user stories are meant to facilitate collaboration between the developer and the business. Therefore, they should be built to allow negotiation between all parties.
Valuable: A user story needs to state the value so it can be effectively prioritized, but also so developers know what they are building.
Estimable: As opposed to higher-level approximation given to epics, user stories need more accuracy in their estimates in order to, again, be effectively prioritized, but also so teams can know what can fit into a sprint or release plans.
Small: User stories should be small enough for a number of them to fit into a sprint. However, team size and velocity will impact how many can be completed. A general guideline is that your teams should be able to deliver multiple stories in a sprint.
Testable: Your stories need to be testable, which means they must have defined acceptance criteria and any related test cases as defined in your product quality standards.
Source: Agile For All

Defining Your Requirements Thresholds

Phase 3

Defining Your Requirements Thresholds

Phase 1Phase 2Phase 3Phase 4

1.1 Understand the benefits and limitations of Agile and business analysis

1.2 Align Agile and business analysis within your organization

2.1 Confirm the best-fit approach for delivery

2.2 manage your requirements backlog

3.1 Define project roles and responsibilities

3.2 define your level of acceptable documentation

3.3 Manage requirements as an asset

3.4 Define your requirements change management plan

4.1 Preparing new ways of working

4.2 Develop a roadmap for next steps

This phase will walk you through the following activities:

  • Assigning roles and responsibilities optional (Tool: RACI)
  • Define your Agile requirements process
  • Calculate the cost of your documentation (Tool: Documentation Calculator)
  • Define your backlog refinement plan

This phase involves the following participants:

  • Business Analyst(s)
  • Project Team
  • Sponsor/Executive
  • Relevant Stakeholders

Managing Requirements in an Agile Environment

Step 3.1

Define Project Roles and Responsibilities

Activities

3.1.1 Define your Agile requirements RACI (optional)

3.1.2 Define your Agile requirements process

Defining Your Requirements Thresholds

This step involves the following participants:

  • Business Analyst(s)
  • Project Team
  • Sponsor/Executive
  • Relevant Stakeholders

Outcomes of this step

  • A defined register of roles and responsibilities, along with a defined process for how Agile requirements work is to be done.

Defining Your Requirements Thresholds

Where does the BA function fit on an Agile team?

Team formation is key, as Agile is a team sport

A business analyst in an Agile team typically interacts with several different roles, including the product owner, development team, and many other stakeholders throughout the organization.

This is an image the roles who typically interact with a Business Analyst.

  • The product owner, to set the priorities and direction of the project, and to gather requirements and ensure they are being met. Often, but not always, the BA and product owner are the same individual.
  • The development team, to provide clear and concise requirements that they can use to build and test the product.
  • Other stakeholders, such as customers, end-users, and subject matter experts to gather their requirements, feedback and validate the solution.
    • Design, to ensure that the product meets user needs. They may provide feedback and ensure that the design is aligned with requirements.
    • Security, to ensure that the solution meets all necessary security requirements and to identify potential risks and appropriate use of controls.
    • Testing, to ensure that the solution is thoroughly tested before it is deployed. They may create test cases or user scenarios that validate that everything is working as intended.
    • Deployment, to ensure that the necessary preparations have been made, including testing, security, and user acceptance.

Additionally, during the sprint retrospectives, the team will review their performance and find ways to improve for the next sprint. As a team member, the business analyst helps to identify areas where the team could improve how they are working with requirements and understand how the team can improve communication with stakeholders.

3.1.1 (Optional) Define Your Agile Requirements RACI

Estimated Time: 60 Minutes

  1. Identify the project deliverables: The first step is to understand the project deliverables and the tasks that are required to complete them. This will help you to identify the different roles and responsibilities that need to be assigned.
  2. Define the roles and responsibilities: Identify the different roles that will be involved in the project and their associated responsibilities. These roles may include project manager, product owner, development team, stakeholders, and any other relevant parties.
  3. Assign RACI roles: Assign a RACI role to each of the identified tasks. The RACI roles are:
    1. Responsible: the person or team who is responsible for completing the task
    2. Accountable: the person who is accountable for the task being completed on time and to the required standard
    3. Consulted: the people or teams who need to be consulted to ensure the task is completed successfully
    4. Informed: the people or teams who need to be informed of the task's progress and outcome
  4. Create the RACI chart: Use the information gathered in the previous steps to create a matrix or chart that shows the tasks, the roles, and the RACI roles assigned to each task.
  5. Review and refine: Review the RACI chart with the project team and stakeholders to ensure that it accurately reflects the roles and responsibilities of everyone involved. Make any necessary revisions and ensure that all parties understand their roles and responsibilities.
  6. Communicate and implement: Communicate the RACI chart to all relevant parties and ensure that it is used as a reference throughout the project. This will help to ensure that everyone understands their role and that tasks are completed on time and to the required standard.

Input

  • A list of required tasks and activities
  • A list of stakeholders

Output

  • A list of defined roles and responsibilities for your project

Materials

  • Agile Requirements Workbook

Participants

  • Business Analyst(s)
  • Project Team
  • Sponsor/Executive
  • Relevant Stakeholders

A Case Study in Team Formation

Industry: Anonymous Organization in the Energy sector
Source: Interview

Challenge

Agile teams were struggling to deliver within a defined sprint, as there were consistent delays in requirements meeting the definition of ready for development. As such, sprints were often delayed, or key requirements were descoped and deferred to a future sprint.

During a given two-week sprint cycle, the business analyst assigned to the team would be working along multiple horizons, completing elicitation, analysis, and validation, while concurrently supporting the sprint and dealing with stakeholder changes.

Solution

As a part of addressing this ongoing pain, a pilot program was run to add a second business analyst to the team.

The intent was, as one is engaged preparing requirements through elicitation, analysis, and validation for a future sprint, the second is supporting the current sprint cycle, and gaining insights from stakeholders to refine the requirements backlog.

Essentially, these two were leap-frogging each other in time. At all times, one BA was focused on the present, and one on the future.

Result

A happier team, more satisfied stakeholders, and consistent delivery of features and functions by the Agile teams. The pilot team outperformed all other Agile teams in the organization, and the "2 BA" approach was made the new standard.

Understanding the Agile requirements process

Shorter cycles make effective requirements management more necessary, not less

Short development cycles can make requirements management more difficult because they often result in a higher rate of change to the requirements. In a shorter timeframe, there is less time to gather and verify requirements, leading to a higher likelihood of poor or incomplete requirements. Additionally, there may be more pressure to make decisions quickly, which can lead to less thorough analysis and validation of requirements. This can make it more challenging to ensure that the final solution meets the needs of the stakeholders.
When planning your requirements cycles, it's important to consider;

  • Your sprint logistics (how long?)
  • Your release plan (at the end of every sprint, monthly, quarterly?)
  • How the backlog will be managed (as tickets, on a visual medium, such as a Kanban board?)
  • How will you manage communication?
  • How will you monitor progress?
  • How will future sprint planning happen?

Info-Tech's Agile requirements framework

Sprint N(-1)

Sprint N

Sprint N(+1)

An image of Sprint N(-1) An image of Sprint N An image of Sprint N(+1)

Changes from waterfall to Agile

Gathering and documenting requirements: Requirements are discovered and refined throughout the project, rather than being gathered and documented up front. This can be difficult for business analysts who are used to working in a waterfall environment where all requirements are gathered and documented before development begins.
Prioritization of requirements: Requirements are prioritized based on their value to the customer and the team's ability to deliver them. This can be difficult for business analysts who are used to prioritizing requirements based on the client's needs or their own understanding of what is important.

Defining acceptance criteria: Acceptance criteria are defined for each user story to ensure that the team understands what needs to be delivered. Business analysts need to understand how to write effective acceptance criteria and how to use them to ensure that the team delivers what the customer needs.
Supporting Testing and QA: The business analyst plays a role in ensuring that testing (and test cases) are completed and of proper quality, as defined in the requirements.

Managing changing requirements: It is expected that requirements will change throughout the project. Business analysts need to be able to adapt quickly to changing requirements and ensure that the team is aware of the changes and how they will impact the project.
Collaboration with stakeholders: Requirements are gathered from a variety of stakeholders, including customers, users, and team members. Business analysts need to be able to work effectively with all stakeholders to gather and refine requirements and ensure that the team is building the right product.

3.1.2 Define your Agile requirements process

Estimated time: 60 Minutes

  1. Gather all relevant stakeholders to discuss and define your process for requirements management.
  2. Have a team member facilitate the session to define the process. The sample in the Agile Requirements Workbook can be used optionally as a starting point. You can also use any existing processes and procedures as a baseline.
  3. Gain agreement on the process from all involved stakeholders.
  4. Revisit the process periodically to review its performance and make adjustments as needed.

NOTE: The process is intended to be at a high enough level to leave space and flexibility for team members to adapt and adjust, but at a sufficient depth that everyone understands the process and workflows. In other words, the process will be both flexible and rigid, and the two are not mutually exclusive.

Input

  • Project team and RACI
  • Existing Process (if available)

Output

  • A process for Agile requirements that is flexible yet rigid

Materials

  • Agile Requirements Workbook

Participants

  • Business Analyst(s)
  • Project Team
  • Sponsor/Executive
  • Relevant Stakeholders

Establish the right level of governance and decision-making

Establishing the right level of governance and decision making is important in Agile requirements because there is a cost to decision making, as time plays an important factor. Even the failure to decide can have significant impacts.

Good governance and decision-making practices can help to minimize risks, ensure that requirements are well understood and managed, and that project progress is tracked and reported effectively.

In Agile environments, this often involves establishing clear roles and responsibilities, implementing effective communication and collaboration practices, and ensuring that decision-making processes are efficient and effective.

Good requirements management practices can help to ensure that projects are aligned with organizational goals and strategy, that stakeholders' needs are understood and addressed, and that deliverables are of high quality and meet the needs of the business.

By ensuring that governance and decision-making is effective, organizations can improve the chances of project success, and deliver value to the business. Risks and costs can be mitigated by staying small and nimble.

Check out Make Your IT Governance Adaptable

Develop an adaptive governance process

A pyramid, with the number 4 at the apex, and the number 1 at the base.  In order from base-apex, the following titles are found to the right of the pyramid: Ad-Hoc governance; Controlled Governance; Agile Governance; Embedded/Automated governance.

Maturing governance is a journey

Organizations should look to progress in their governance stages. Ad-hoc and controlled governance tends to be slow, expensive, and a poor fit for modern practices.

The goal as you progress through your stages is to delegate governance and empower teams to make optimal decisions in real-time, knowing that they are aligned with the understood best interests of the organization.

Automate governance for optimal velocity, while mitigating risks and driving value.

This puts your organization in the best position to be adaptive and able to react effectively to volatility and uncertainty.

A graph charting Trust and empowerment on the x-axis, and Progress Integration on the Y axis.

Five key principles for building an adaptive governance framework

Delegate and empower

Decision making must be delegated down within the organization, and all resources must be empowered and supported to make effective decisions.

Define outcomes

Outcomes and goals must be clearly articulated and understood across the organization to ensure decisions are in line and stay within reasonable boundaries.

Make risk- informed decisions

Integrated risk information must be available with sufficient data to support decision making and design approaches at all levels of the organization.

Embed / automate

Governance standards and activities need to be embedded in processes and practices. Optimal governance reduces its manual footprint while remaining viable. This also allows for more dynamic adaptation.

Establish standards and behavior

Standards and policies need to be defined as the foundation for embedding governance practices organizationally. These guardrails will create boundaries to reinforce delegated decision making.

Sufficient decision-making power should be given to your Agile teams

Push the decision-making process down to your pilot teams.

  • Bring your business stakeholders and subject matter experts together to identify the potential high-level risks.
  • Bring your business stakeholders and subject matter experts together to identify the potential high-level risks.
  • Discuss with the business the level of risk they are willing to accept.
  • Define the level of authority project teams have in making critical decisions.

"Push the decision making down as far as possible, down to the point where sprint teams completely coordinate all the integration, development, and design. What I push up the management chain is risk taking. [Management] decides what level of risk they are willing to take and [they] demonstrate that by the amount of decision making you push down."
– Senior Manager, Canadian P&C Insurance Company, Info-Tech Interview

Step 3.2

Define Your Level of Acceptable Documentation

Activities

3.2.1 Calculate the cost of documentation

This step involves the following participants:

  • Business Analyst(s)
  • Project Team
  • Relevant Stakeholders

Outcomes of this step

  • Quantified cost of documentation produced for your Agile project.

Defining Your Requirements Thresholds

Right-size Your Documentation

Why do we need it, and what purpose does it serve?

Before creating any documentation, consider why; why are you creating documentation, and what purpose is it expected to serve?
Is it:

  • … to gain approval?
  • … to facilitate decision-making?
  • .. to allow the team to think through a challenge or compare solution options?

Next, consider what level of documentation would be acceptable and 'enough' for your stakeholders. Recognize that 'enough' will depend on your stakeholder's personal definition and perspective.
There may also be considerations for maintaining documentation for the purposes of compliance, and auditability in some contexts and industries.
The point is not to eliminate all documentation, but rather, to question why we're producing it, so that we can create just enough to deliver value.

"What does the next person need to do their work well, to gain or create a shared understanding?"
- Filip Hendrickx, Innovating BA and Founder, altershape

Documentation comes at a cost

We need to quantify the cost of documentation, against the expected benefit

All things take time, and that would imply that all things have an inherent cost. We often don't think in these terms, as it's just the work we do, and costs are only associated with activities requiring additional capital expenditure. Documentation of requirements can come at a cost in terms of time and resources. Creating and maintaining detailed documentation requires effort from project team members, which could be spent on other aspects of the project such as development or testing. Additionally, there may be costs associated with storing and distributing the documentation.

When creating documentation, we are making a decision. There is an opportunity cost of investing time to create, and concurrently, not working on other activities. Documentation of requirements can come at a cost in terms of time and resources. Creating and maintaining detailed documentation requires effort from project team members, which could be spent on other aspects of the project such as development or testing. Additionally, there may be costs associated with storing and distributing the documentation.

In order to make better informed decisions about the types, quantity and even quality of the documentation we are producing, we need to capture that data. To ensure we are receiving good value for our documentation, we should compare the expected costs to the expected benefits of a sprint or project.

3.2.1 Calculate the cost of documentation

Estimated time: as needed

  1. Use this tool to quantify the cost of creating and maintaining current state documentation for your Agile requirements team. It provides an indication, via the Documentation Cost Index, of when your project is documenting excessively, relative to the expected benefits of the sprint or project.
  2. In Step 1, enter the hourly rate for the person (or persons) completing the business analysis function for your Agile team. NB: This does not have to be a person with the title of business analyst. If there are multiple people fulfilling this role, enter the average rate (if their rates are same or similar) or a weighted average (if there is a significant range in the hourly rate)
  3. In Step 2, enter the expected benefit (in $) for the sprint or project.
  4. In Step 3, enter the total number of hours spent on each task/activity during the sprint or project. Use blank spaces as needed to add tasks and activities not listed.
  5. In Step 4, you'll find the Documentation Cost Index, which compares your total documentation cost to the expected benefits. The cell will show green when the value is < 0.8, yellow between 0.8 and 1, and red when >1.
  6. Use the information to plan future sprints and documentation needs, identify opportunities for improvement in your requirements practice, and find balance in "just enough" documentation.

Input

  • Project team and RACI
  • Existing Process (if available)

Output

  • A process for Agile requirements that is flexible yet rigid

Materials

  • Agile Requirements Workbook

Participants

  • Business Analyst(s)
  • Project Team
  • Sponsor/Executive
  • Relevant Stakeholders

Lack of documentation also comes at a cost

Lack of documentation can bring costs to Agile projects in a few different ways.

  • Onboarding new team members
  • Improving efficiency
  • Knowledge management
  • Auditing and compliance
  • Project visibility
  • Maintaining code

Info-Tech Insight

Re-using deliverables (documentation, process, product, etc.) is important in maintaining the velocity of work. If you find yourself constantly recreating your current state documentation at the start of a project, it's hard to deliver with agility.

Step 3.3

Manage Requirements as an Asset

Activities

3.3.1 Discuss your current perspectives on requirements as assets

This step involves the following participants:

  • Business Analyst(s)
  • Project Team
  • Relevant Stakeholders

Outcomes of this step

  • Awareness of the value in, and tactics for enabling effective management of requirements as assets

Defining Your Requirements Thresholds

What do we mean by "assets"?

And when do requirements become assets?

In order to delivery with agility, you need to maximize the re-usability of artifacts. These artifacts could take the form of current state documentation, user stories, test cases, and yes, even requirements for re-use.
Think of it like a library for understanding where your organization is today. Understanding the people, processes, and technology, in one convenient location. These artifacts become assets when we choose to retain them, rather than discard them at the end of a project, when we think they'll no longer be needed.
And just like finding a single book in a vast library, we need to ensure our assets can be found when we need them. And this means making them searchable.
We can do this by establishing criteria for requirements and artifact reuse;

  • What business need and benefit is it aligned to?
  • What metadata needs to be attached, related to source, status, subject, author, permissions, type, etc.?
  • Where will it be stored for ease of retrieval?

Info-Tech Insight

When writing requirements for products or services, write them for the need first, and not simply for what is changing.

The benefits of managing requirements as assets

Retention of knowledge in a knowledge base that allows the team to retain current business requirements, process documentation, business rules, and any other relevant information.
A clearly defined scope to reduce stakeholder, business, and compliance conflicts.
Impact analysis of changes to the current organizational assets.

Source: Requirement Engineering Magazine, 2017.

A case study in creating an asset repository

Industry: Anonymous Organization in the Government sector
Source: Interview

Challenge

A large government organization faced a challenge with managing requirements, processes, and project artifacts with any consistency.

Historically, their documentation was lacking, with multiple versions existing in email sent folders and manila folders no one could find. Confirming the current state at any given time meant the heavy lift of re-documenting and validating, so that effort was avoided for an excessive period.

Then there was a request for audit and compliance, to review their existing documentation practices. With nothing concrete to show, drastic recommendations were made to ensure this practice would end.

Solution

A small but effective team was created to compile and (if not available) document all existing project and product documentation, including processes, requirements, artifacts, business cases, etc.

A single repository was built and demonstrated to key stakeholders to ensure it would satisfy the needs of the audit and compliance group.

Result

A single source of truth for the organization, which was;

  • Accessible (view access to the entire organization).
  • Transparent (anyone could see and understand the process and requirements as intended).
  • A baseline for continuous improvement, as it was clear what the one defined "best way" was.
  • Current, where no one retained current documentation outside of this library.

3.3.1 Discuss your current perspectives on requirements as assets

Estimated time: 30 Minutes

  1. Gather all relevant stakeholder to share perspectives on the use of requirements as assets, historically in the organization.
  2. Have a team member facilitate the session. It is optional to document the findings.
  3. After looking at the historical use of requirements as assets, discuss the potential uses, benefits, and drawbacks of managing as assets in the target state.

Input

  • Participant knowledge and experience

Output

  • A shared perspective and history on requirements as assets

Materials

  • A method for data capture (optional)

Participants

  • Business Analyst(s)
  • Project Team
  • Sponsor/Executive
  • Relevant Stakeholders

Apply changes to baseline documentation

Baseline + Release Changes = New Baseline

  • Start from baseline documentation dramatically to reduce cost and risk
  • Treat all scope as changes to baseline requirements
  • Sum of changes in the release scope
  • Sum of changes and original baseline becomes the new baseline
  • May take additional time and effort to maintain accurate baseline

What is the right tool?

While an Excel spreadsheet is great to start off, its limitations will become apparent as your product delivery process becomes more complex. Look at these solutions to continue your journey in managing your Agile requirements:

Step 3.4

Define Your Requirements Change Management Plan

Activities

3.4.1 Triage your requirements

This step involves the following participants:

  • Business Analyst(s)
  • Project Team
  • Relevant Stakeholders

Outcomes of this step

  • An approach for determining the appropriate level of governance over changes to requirements.

Expect and embrace change

In Agile development, change is expected and embraced. Instead of trying to rigidly follow a plan that may become outdated, Agile teams focus on regularly reassessing their priorities and adapting their plans accordingly. This means that the requirements can change often, and it's important for the team to have a process in place for managing these changes.

A common approach to managing change in Agile is to use a technique called "backlog refinement." Where previously we populated our backlog with requirements to get them ready for development and deployment, this involves regularly reviewing and updating the list of work to be done. The team will prioritize the items on the evolving backlog, and the prioritized items will be worked on during the next sprint. This allows the team to quickly respond to changes in requirements and stay focused on the most important work.

Another key aspect of managing change in Agile is effective communication. The team should have regular meetings, such as daily stand-up meetings or weekly sprint planning meetings, to discuss any changes in requirements and ensure that everyone is on the same page.

Best practices in change and backlog refinement

Communicate

Clearly communicate your change process, criteria, and any techniques, tools, and templates that are part of your approach.

Understand impacts/risks

Maintain consistent control and communication and ensure that an impact assessment is completed. This is key to managing risks.

Leverage tools

Leverage tools when you have them available. This could be a Requirements Management system, a defect/change log, or even by turning on "track changes" in your documents.

Cross-reference

For every change, define the source of the change, the reason for the change, key dates for decisions, and any supporting documentation.

Communicate the reason, and stay on message throughout the change

Leaders of successful change spend considerable time developing a powerful change message: a compelling narrative that articulates the desired end state and makes the change concrete and meaningful to staff. They create the change vision with staff to build ownership and commitment.

  • The change message should:
  • Explain why the change is needed.
  • Summarize the things that will stay the same.
  • Highlight the things that will be left behind.
  • Emphasize the things that are being changed.
  • Explain how the change will be implemented.
  • Address how the change will affect the various roles in the organization.
  • Discuss staff's role in making the change successful.

The five elements of communicating the reason for the change:

An image of a cycle, including the five elements for communicating the reason for change.  these include: What will the role be for each department and individual?; What is the change?; Why are we doing it?; How are we going to go about it?; How long will it take us?

How to make the management of changes more effective

Key decisions and considerations

How will changes to requirements be codified?
How will intake happen?

  • What is the submission process?
  • Who has approval to submit?
  • What information is needed to submit a request?

How will potential changes be triaged and evaluated?

  • What criteria will be used to assess the impact and urgency of the potential change?
  • How will you treat material and non-material changes?

What is the review and approval process?

  • How will acceptance or rejection status be communicated to the submitter?

3.4.1 Triage Your requirements

An image of an inverted triangle, with the top being labeled: No Material Impact, the middle being labeled: Material impact; and the bottom being labeled: Governance Impact.  To the right of the image, are text boxes elaborating on each heading.

If there's no material impact, update and move on

An image of an inverted triangle, with the top being labeled: No Material Impact, the middle being labeled: Material impact; and the bottom being labeled: Governance Impact. To the right of the image, is a cycle including the following terms: Validate change; Update requirements; Track change (log); Package and communicate

Material changes require oversight and approval

An image of an inverted triangle, with the top being labeled: No Material Impact, the middle being labeled: Material impact; and the bottom being labeled: Governance Impact. To the right of the image, is a cycle including the following terms: Define impact; Revise; Change control needed?; Implement change.

Planning Your Next Steps

Phase 4

Planning Your Next Steps

Phase 1Phase 2Phase 3Phase 4

1.1 Understand the benefits and limitations of Agile and business analysis

1.2 Align Agile and business analysis within your organization

2.1 Confirm the best-fit approach for delivery

2.2 manage your requirements backlog

3.1 Define project roles and responsibilities

3.2 define your level of acceptable documentation

3.3 Manage requirements as an asset

3.4 Define your requirements change management plan

4.1 Preparing new ways of working

4.2 Develop a roadmap for next steps

This phase will walk you through the following activities:

  • Completing Your Agile Requirements Playbook
  • EXERCISE: Capability Gap List

This phase involves the following participants:

  • Business Analyst(s)
  • Project Team
  • Sponsor/Executive
  • Relevant Stakeholders

Managing Requirements in an Agile Environment

Step 4.1

Preparing New Ways of Working

Activities

4.1.1 Define your communication plan

Planning Your Next Steps

This step involves the following participants:

  • Business Analyst(s)
  • Project Team
  • Sponsor/Executive
  • Relevant Stakeholders

Outcomes of this step

  • Recognize the changes required on the team and within the broader organization, to bring stakeholders on board.

How we do requirements work will change

  • Team formation and interaction
  • Stakeholder engagement and communication
  • The timing and sequencing of their work
  • Decision-making
  • Documentation
  • Dealing with change

As a result, you'll need to focus on;

Emphasizing flexibility: In Agile organizations, there is a greater emphasis on flexibility and the ability to adapt to change. This means that requirements may evolve over time and may not be fully defined at the beginning of the project.
Enabling continuous delivery: Agile organizations often use continuous delivery methods, which means that new features and functionality are delivered to users on a regular basis. This requires a more iterative approach to requirements management, as new requirements may be identified and prioritized during the delivery process.
Enhancing collaboration and communication: Agile organizations place a greater emphasis on collaboration and communication between team members, stakeholders, and customers.
Developing a user-centered approach: Agile organizations often take a user-centered approach to requirements gathering, which means that the needs and goals of the end-user are prioritized.

Change within the team, and in the broader organization

How to build an effective blend Agile and requirements management

Within the team

  • Meetings should happen as needed
  • Handoffs should be clear and concise
  • Interactions should add value
  • Stand-ups should similarly add value, and shouldn't be for status updates

Within the organization

  • PMO inclusion, to ensure alignment across the organization
  • Business/Operating areas, to recognize what they are committing to for time, resources, etc.
  • Finance, for how your project or product is funded
  • Governance and oversight, to ensure velocity is maintained

"Whether in an Agile environment or not, collaboration and relationships are still required and important…how you collaborate, communicate, and how you build relationships are key."
- Paula Bell, CEO, Paula A. Bell Consulting

Get stakeholders on board with Agile requirements

  1. Stakeholder feedback and management support are key components of successful Agile requirements.
  2. Stakeholders can see a project's progression and provide critical feedback about its success at critical milestones.
  3. Management helps teams succeed by trusting them to complete projects with business value at top of mind and by removing impediments that are inhibiting their productivity.
  4. Agile will bring a new mindset and significant amounts of people, process, and technology changes that stakeholders and management may not be accustomed to. Working through these issues in requirements management enables a smoother rollout.
  5. Management will play a key role in ensuring long-term Agile requirements success and ultimately rolling it out to the rest of the organization.
  6. The value of leadership involvement has not changed even though responsibilities will. The day-to-day involvement in projects will change but continual feedback will ultimately dictate the success or failure of a project.

4.1.1 Define your communication plan

Estimated time: 60 Minutes

    1. Gather all relevant stakeholder to create a communication plan for project or product stakeholders.
    2. Have a team member facilitate the session.
    3. Identify
    4. ;
      1. Each stakeholder
      2. The nature of information they are interested in
      3. The channel or medium best to communicate with them
      4. The frequency of communication
    5. (Optional) Consider validating the results with the stakeholders, if not present.
    6. Document the results in the Agile Requirements Workbook and include in Agile Requirements Playbook.
    7. Revisit as needed, whether at the beginning of a new initiative, or over time, to ensure the content is still valid.

Input

  • Participant knowledge and experience

Output

  • A plan for communicating with stakeholders

Materials

  • Agile Requirements Workbook

Participants

  • Business Analyst(s)
  • Project Team

Step 4.2

Develop a Roadmap for Next Steps

Activities

4.2.1 Develop your Agile requirements action plan

4.2.2 Prioritize with now, next, later

This step involves the following participants:

  • Business Analyst(s)
  • Project Team
  • Sponsor/Executive
  • Relevant Stakeholders

Outcomes of this step

  • A comprehensive and prioritized list of opportunities and improvements to be made to mature the Agile requirements practice.

Planning Your Next Steps

Identify opportunities to improve and close gaps

Maturing at multiple levels

With a mindset of continuous improvement, there is always some way we can get better.

As you mature your Agile requirements practice, recognize that those gaps for improvement can come from multiple levels, from the organizational down to the individual.

Each level will bring challenges and opportunities.

The organization

  • Organizational culture
  • Organizational behavior
  • Political will
  • Unsupportive stakeholders

The team

  • Current ways of working
  • Team standards, norms and values

The individual

  • Practitioner skills
  • Practitioner experience
  • Level of training received

Make sure your organization is ready to transition to Agile requirements management

A cycle is depicted, with the following Terms: Learning; Automation; Integrated teams; Metrics and governance; Culture.

Learning:

Agile is a radical change in how people work
and think. Structured, facilitated learning is required throughout the transformation to
help leaders and practitioners go from

doing Agile to being Agile.

Automation:

While Agile is tool-agnostic at its roots, Agile work management tools and DevOps inspired SDLC tools that have become a key part of Agile practices.

Integrated Teams:


While temporary project teams can get some benefits from Agile, standing, self-organizing teams that cross business, delivery, and operations are essential to gain the full benefits of Agile.

Metrics and Governance:

Successful Agile implementations
require the disciplined use

of delivery and operations
metrics that support governance focused on developing better teams.

Culture:

Agile teams believe that value is best created by standing, self-organizing cross-functional teams who deliver sustainably in frequent,
short increments supported by leaders
who coach them through challenges.

Info-Tech Insight

Agile gaps may only have a short-term, perceived benefit. For example, coding without a team mindset can allow for maximum speed to market for a seasoned developer. Post-deployment maintenance initiatives, however, often lock the single developer as no one else understands the rationale for the decisions that were made.

4.2.1 Develop your Agile requirements action plan

Estimated time: 60 Minutes

  1. Gather all relevant stakeholder to create a road map and action plan for requirements management.
  2. Have a team member facilitate the session using the results of the Agile Requirements Maturity Assessment.
  3. Identify gaps from current to future state and brainstorm possible actions that can be taken to address those gaps. Resist the urge to analyze or discuss the feasibility of each idea at this stage. The intent is idea generation.
  4. When the group has exhausted all ideas, the facilitator should group like ideas together, with support from participants. Discuss any ideas that are unclear or ambiguous.
  5. Document the results in the Agile Requirements Workbook.

Note: the feasibility and timing of the ideas will happen in the following "Now, Next, Later" exercise.

Prioritize your roadmap

Taking steps to mature your Agile requirements practice.

An image of the Now; Next; Later technique.

The "Now, Next, Later" technique is a method for prioritizing and planning improvements or tasks. This involves breaking down a list of tasks or improvements into three categories:

  • "Now" tasks are those that must be completed immediately. These tasks are usually urgent or critical, and they must be completed to keep the project or organization running smoothly.
  • "Next" tasks are those that should be completed soon. These tasks are not as critical as "now" tasks, but they are still important and should be tackled relatively soon.
  • "Later" tasks are those that can be completed later. These tasks are less critical and can be deferred without causing major problems.

By using this technique, you can prioritize and plan the most important tasks first, while also allowing for flexibility and the ability to adjust plans as necessary.
This process also helps you get a clear picture on what needs to be done first and what can be done later. This way you can work on the most important things first, and keep track of what you need to do next, for keeping the development/improvement process smooth and efficient.

Monitor your progress

Monitoring progress is important in achieving your target state. Be deliberate with your actions, to continue to mature your Agile requirements practice.

As you navigate toward your target state, continue to monitor your progress, your successes, and your challenges. As your Agile requirements practice matures, you should see improvements in the stated metrics below.

Establish a cadence to review these metrics, as well as how you are progressing on your roadmap, against the plan.

This is not about adding work, but rather, about ensuring you're heading in the right direction; finding the balance in your Agile requirements practice.

Metric
Team satisfaction (%) Expect team satisfaction to increase as a result of clearer role delineation and value contribution.
Stakeholder satisfaction (%) Expect stakeholder satisfaction to similarly increase, as requirements quality increases, bringing increased value.
Requirements rework Measures the quality of requirements from your Agile projects. Expect that the requirements rework will decrease, in terms of volume/frequency.
Cost of documentation Quantifies the cost of documentation, including elicitation, analysis, validation, presentation, and management.
Time to delivery Balancing metric. We don't want improvements in other at the expense of time to delivery.

Appendix

Research Contributors and Experts

This is a picture of Emal Bariali

Emal Bariali
Business Architect & Business Analyst
Bariali Consulting

Emal Bariali is a Senior Business Analyst and Business Architect with 17 years of experience, executing nearly 20 projects. He has experience in both waterfall and Agile methodologies and has delivered solutions in a variety of forms, including custom builds and turnkey projects. He holds a Master's degree in Information Systems from the University of Toronto, a Bachelor's degree in Information Technology from York University, and a post-diploma in Software & Database Development from Seneca College.

This is a picture of Paula Bell

Paula Bell
Paula A. Bell Consulting, LLC

Paula Bell is the CEO of Paula A Bell Consulting, LLC. She is a Business Analyst, Leadership and Career Development coach, consultant, speaker, and author with 21+ years of experience in corporate America in project roles including business analyst, requirements manager, business initiatives manager, business process quality manager, technical writer, project manager, developer, test lead, and implementation lead. Paula has experience in a variety of industries including media, courts, manufacturing, and financial. Paula has led multiple highly-visible multi-million-dollar technology and business projects to create solutions to transform businesses as either a consultant, senior business analyst, or manager.

Currently she is Director of Operations for Bridging the Gap, where she oversees the entire operation and their main flagship certification program.

This is a picture of Ryan Folster

Ryan Folster
Consulting Services Manager, Business Analysis
Dimension Data

Ryan Folster is a Business Analyst Lead and Product Professional from Johannesburg, South Africa. His strong focus on innovation and his involvement in the business analysis community have seen Ryan develop professionally from a small company, serving a small number of users, to large multi-national organizations. Having merged into business analysis through the business domain, Ryan has developed a firm grounding and provides context to the methodologies applied to clients and projects he is working on. Ryan has gained exposure to the Human Resources, Asset Management, and Financial Services sectors, working on projects that span from Enterprise Line of Business Software to BI and Compliance.

Ryan is also heavily involved in the local chapter of IIBA®; having previously served as the chapter president, he currently serves as a non-executive board member. Ryan is passionate about the role a Business Analyst plays within an organization and is a firm believer that the role will develop further in the future and become a crucial aspect of any successful business.

This is a picture of Filip Hendrickx

Filip Hendrickx
Innovating BA, Visiting Professor @ VUB
altershape

Filip loves bridging business analysis and innovation and mixes both in his work as speaker, trainer, coach, and consultant.

As co-founder of the BA & Beyond Conference and IIBA Brussels Chapter president, Filip helps support the BA profession and grow the BA community in and around Belgium. For these activities, Filip received the 2022 IIBA® EMEA Region Volunteer of the Year Award.

Together with Ian Richards, Filip is the author ofBrainy Glue, a business novel on business analysis, innovation and change. Filip is also co-author of the BCS book Digital Product Management and Cycles, a book, method and toolkit enabling faster innovation.

This is a picture of Fabricio Laguna

Fabricio Laguna
Professional Speaker, Consultant, and Trainer
TheBrazilianBA.com

Fabrício Laguna, aka The Brazilian BA, is the main reference on business analysis in Brazil. Author and producer of videos, articles, classes, lectures, and playful content, he can explain complex things in a simple and easy-to-understand way. IIBA Brazil Chapter president between 2012-2022. CBAP, AAC, CPOA, PMP, MBA. Consultant and instructor for more than 25 years working with business analysis, methodology, solution development, systems analysis, project management, business architecture, and systems architecture. His online courses are approved by students from 65 countries.

This is a picture of Ryland Leyton

Ryland Leyton
Business Analyst and Agile Coach
Independent Consultant

Ryland Leyton, CBAP, PMP, CSM, is an avid Agile advocate and coach, business analyst, author, speaker, and educator. He has worked in the technology sector since 1998, starting off with database and web programming, gradually moving through project management and finding his passion in the BA and Agile fields. He has been a core team member of the IIBA Extension to the BABOK and the IIBA Agile Analysis Certification. Ryland has written popular books on agility, business analysis, and career. He can be reached at www.RylandLeyton.com.

This is a picture of Steve Jones

Steve Jones
Supervisor, Market Support Business Analysis
ISO New England

Steve is a passionate analyst and BA manager with more than 20 years of experience in improving processes, services and software, working across all areas of software development lifecycle, business change and business analysis. He rejoices in solving complex business problems and increasing process reproducibility and compliance through the application of business analysis tools and techniques.

Steve is currently serving as VP of Education for IIBA Hartford. He is a CBAP, certified SAFe Product Owner/Product Manager, Six Sigma Green Belt, and holds an MS in Information Management and Communications.

This is a picture of Angela Wick

Angela Wick
Founder
BA-Squared and BA-Cube

Founder of BA-Squared and BA-Cube.com, Angela is passionate about teaching practical, modern product ownership and BA skills. With over 20 years' experience she takes BA skills to the next level and into the future!
Angela is also a LinkedIn Learning instructor on Agile product ownership and business analysis, an IC-Agile Authorized Trainer, Product Owner and BA highly-rated trainer, highly-rated speaker, sought-after workshop facilitator, and contributor to many industry publications, including:

  • IIBA BABOK v3 Core Team, leading author on the BABOK v3
  • Expert Reviewer, IIBA Agile Extension to the BABOK
  • PMI BA Practice Guide – Expert Reviewer
  • PMI Requirements Management Practice Guide – Expert Reviewer
  • IIBA Competency Model – Lead Author and Team Lead, V1, V2, and V3.

This is a picture of Rachael Wilterdink

Rachael Wilterdink
Principal Consultant
Infotech Enterprises

Rachael Wilterdink is a Principal Consultant with Infotech Enterprises. With over 25 years of IT experience, she holds multiple business analysis and Agile certifications. As a consultant, Rachael has served clients in the financial, retail, manufacturing, healthcare, government, non-profit, and insurance industries. Giving back to the professional community, Ms. Wilterdink served on the boards of her local IIBA® and PMI® chapters. As a passionate public speaker, Rachael presents various topics at conferences and user groups across the country and the world. Rachael is also the author of the popular eBook "40 Agile Transformation Pain Points (and how to avoid or manage them)."

Bibliography

"2021 Business Agility Report: Rising to the Challenge." Business Agility, 2021. Accessed 13 June 2022.
Axure. "The Pitfalls of Agile and How We Got Here". Axure. Accessed 14 November 2022.
Beck, Kent, et al. "Manifesto for Agile Software Development." Agilemanifesto. 2001.
Brock, Jon, et al. "Large-Scale IT Projects: From Nightmare to Value Creation." BCG, 25 May 2015.
Bryar, Colin and Bill Carr. "Have We Taken Agile Too Far?" Harvard Business Review, 9 April 2021. Accessed 11 November, 2022.
Clarke, Thomas. "When Agile Isn't Responsive to Business Goals" RCG Global Services, Accessed 14 November 2022.
Digital.ai "The 15th State of Agile Report". Digital.ai. Accessed 21 November 2022.
Hackshall, Robin. "Product Backlog Refinement." Scrum Alliance. 9 Oct. 2014.
Hartman, Bob. "New to Agile? INVEST in good user stories." Agile For All.
IAG Consulting. "Business Analysis Benchmark: Full Report." IAG Consulting, 2009.
Karlsson, Johan. "Backlog Grooming: Must-Know Tips for High-Value Products." Perforce. 18 May 2018
KPMG. Agile Transformation (2019 Survey on Agility). KPMG. Accessed November 29.
Laguna, Fabricio "REQM guidance matrix: A framework to drive requirements management", Requirements Engineering Magazine. 12 September 2017. Accessed 10 November 2022.
Miller, G. J. (2013). Agile problems, challenges, & failures. Paper presented at PMI® Global Congress 2013—North America, New Orleans, LA. Newtown Square, PA: Project Management Institute.
Product Management: MoSCoW Prioritization." ProductPlan, n.d. Web.
Podeswa, Howard "The Business Case for Agile Business Analysis" Requirements Engineering Magazine. 21 February 2017. Accessed 7 November 2022.
PPM Express. "Why Projects Fail: Business Analysis is the Key". PPM Express. Accessed 16 November 2022.
Reifer, Donald J. "Quantitative Analysis of Agile Methods Study: Twelve Major Findings." InfoQ, 6 February, 2017.
Royce, Dr. Winston W. "Managing the Development of Large Software Systems." Scf.usc.edu. 1970. (royce1970.pdf (usc.edu))
Rubin, Kenneth S. Essential Scrum: A Practical Guide to the Most Popular Agile Process. Pearson Education. 2012.
Singer, Michael. "15+ Surprising Agile Statistics: Everything You Need To Know About Agile Management". Enterprise Apps Today. 22 August 2022.
The Standish Group. The Chaos Report, 2015. The Standish Group.

Where do I go next?

Improve Requirements Gathering

Back to basics: great products are built on great requirements.

Make the Case for Product Delivery

Align your organization on the practices to deliver what matters most.

Requirements for Small and Medium Enterprises

Right-size the guidelines of your requirements gathering process.

Implement Agile Practices that Work

Improve collaboration and transparency with the business to minimize project failure.

Create an Agile-Friendly Gating and Governance Model

Use Info-Tech's Agile Gating Framework as a guide to gating your Agile projects following a "trust but verify" approach.

Make Your IT Governance Adaptable

Governance isn't optional, so keep it simple and make it flexible.

Deliver on Your Digital Product Vision

Build a product vision your organization can take from strategy through execution.

Modernize Your SDLC

  • Buy Link or Shortcode: {j2store}148|cart{/j2store}
  • member rating overall impact (scale of 10): 9.5/10 Overall Impact
  • member rating average dollars saved: $30,263 Average $ Saved
  • member rating average days saved: 39 Average Days Saved
  • Parent Category Name: Development
  • Parent Category Link: /development
  • Today’s rapidly scaling and increasingly complex products create mounting pressure on delivery teams to release new features and changes quickly and with sufficient quality.
  • Many organizations lack the critical capabilities and resources needed to satisfy their growing backlog, jeopardizing product success.

Our Advice

Critical Insight

  • Delivery quality and throughput go hand in hand. Focus on meeting minimum process and product quality standards first. Improved throughput will eventually follow.
  • Business integration is not optional. The business must be involved in guiding delivery efforts, and ongoing validation and verification product changes.
  • The software development lifecycle (SDLC) must deliver more than software. Business value is generated through the products and services delivered by your SDLC. Teams must provide the required product support and stakeholders must be willing to participate in the product’s delivery.

Impact and Result

  • Standardize your definition of a successful product. Come to an organizational agreement of what defines a high-quality and successful product. Accommodate both business and IT perspectives in your definition.
  • Clarify the roles, processes, and tools to support business value delivery and satisfy stakeholder expectations. Indicate where and how key roles are involved throughout product delivery to validate and verify work items and artifacts. Describe how specific techniques and tools are employed to meet stakeholder requirements.
  • Focus optimization efforts on most affected stages. Reveal the health of your SDLC from the value delivery, business and technical practice quality standards, discipline, throughput, and governance perspectives with a diagnostic. Identify and roadmap the solutions to overcome the root causes of your diagnostic results.

Modernize Your SDLC Research & Tools

Start here – read the Executive Brief

Read our concise Executive Brief to find out why you should modernize your SDLC, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

Besides the small introduction, subscribers and consulting clients within this management domain have access to:

1. Set your SDLC context

State the success criteria of your SDLC practice through the definition of product quality and organizational priorities. Define your SDLC current state.

  • Modernize Your SDLC – Phase 1: Set Your SDLC Context
  • SDLC Strategy Template

2. Diagnose your SDLC

Build your SDLC diagnostic framework based on your practice’s product and process objectives. Root cause your improvement opportunities.

  • Modernize Your SDLC – Phase 2: Diagnose Your SDLC
  • SDLC Diagnostic Tool

3. Modernize your SDLC

Learn of today’s good SDLC practices and use them to address the root causes revealed in your SDLC diagnostic results.

  • Modernize Your SDLC – Phase 3: Modernize Your SDLC
[infographic]

Workshop: Modernize Your SDLC

Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

1 Set Your SDLC Context

The Purpose

Discuss your quality and product definitions and how quality is interpreted from both business and IT perspectives.

Review your case for strengthening your SDLC practice.

Review the current state of your roles, processes, and tools in your organization.

Key Benefits Achieved

Grounded understanding of products and quality that is accepted across the organization.

Clear business and IT objectives and metrics that dictate your SDLC practice’s success.

Defined SDLC current state people, process, and technologies.

Activities

1.1 Define your products and quality.

1.2 Define your SDLC objectives.

1.3 Measure your SDLC effectiveness.

1.4 Define your current SDLC state.

Outputs

Product and quality definitions.

SDLC business and technical objectives and vision.

SDLC metrics.

SDLC capabilities, processes, roles and responsibilities, resourcing model, and tools and technologies.

2 Diagnose Your SDLC

The Purpose

Discuss the components of your diagnostic framework.

Review the results of your SDLC diagnostic.

Key Benefits Achieved

SDLC diagnostic framework tied to your SDLC objectives and definitions.

Root causes to your SDLC issues and optimization opportunities.

Activities

2.1 Build your diagnostic framework.

2.2 Diagnose your SDLC.

Outputs

SDLC diagnostic framework.

Root causes to SDLC issues and optimization opportunities.

3 Modernize Your SDLC

The Purpose

Discuss the SDLC practices used in the industry.

Review the scope and achievability of your SDLC optimization initiatives.

Key Benefits Achieved

Knowledge of good practices that can improve the effectiveness and efficiency of your SDLC.

Realistic and achievable SDLC optimization roadmap.

Activities

3.1 Learn and adopt SDLC good practices.

3.2 Build your optimization roadmap.

Outputs

Optimization initiatives and target state SDLC practice.

SDLC optimization roadmap, risks and mitigations, and stakeholder communication flow.

Innovation

  • Buy Link or Shortcode: {j2store}21|cart{/j2store}
  • Related Products: {j2store}21|crosssells{/j2store}
  • Teaser Video: Visit Website
  • Teaser Video Title: Digital Ethics = Data Equity
  • member rating overall impact (scale of 10): N/A
  • member rating average dollars saved: N/A
  • member rating average days saved: N/A
  • sidebar graphic: Visit Link
  • Parent Category Name: Strategy and Governance
  • Parent Category Link: /strategy-and-governance
Innovation is the at heart of every organization, especially in these fast moving times. It does not matter if you are in a supporting or "traditional" sector.  The company performing the service in a faster, better and more efficient way, wins.

innovation

Legacy Active Directory Environment

  • Buy Link or Shortcode: {j2store}471|cart{/j2store}
  • member rating overall impact (scale of 10): N/A
  • member rating average dollars saved: N/A
  • member rating average days saved: N/A
  • Parent Category Name: Cloud Strategy
  • Parent Category Link: /cloud-strategy

You are looking to lose your dependency on Active Directory (AD), and you need to tackle infrastructure technical debt, but there are challenges:

  • Legacy apps that are in maintenance mode cannot shed their AD dependency or have hardware upgrades made.
  • You are unaware of what processes depend on AD and how integrated they are.
  • Departments invest in apps that are integrated with AD without informing you until they ask for Domain details after purchasing.

Our Advice

Critical Insight

  • Remove your dependency on AD one application at a time. If you are a cloud-first organization, rethink your AD strategy to ask “why” when you add a new device to your Active Directory.
  • With the advent of hybrid work, AD is now a security risk. You need to shore up your security posture. Think of zero trust architecture.
  • Take inventory of your objects that depend on Kerberos and NTML and plan on removing that barrier through applications that don’t depend on AD.

Impact and Result

Don’t allow Active Directory services to dictate your enterprise innovation and modernization strategies. Determine if you can safely remove objects and move them to a cloud service where your Azure AD Domain Services can handle your authentication and manage users and groups.

Legacy Active Directory Environment Research & Tools

Besides the small introduction, subscribers and consulting clients within this management domain have access to:

1. Legacy Active Directory Environment Deck – Legacy AD was never built for modern infrastructure. Understand the history and future of Active Directory and what alternatives are in the market.

Build all new systems with cloud integration in mind. Many applications built in the past had built-in AD components for access, using Kerberos and NTLM. This dependency has prevented organizations from migrating away from AD. When assessing new technology and applications, consider SaaS or cloud-native apps rather than a Microsoft-dependent application with AD ingrained in the code.

  • Legacy Active Directory Environment Storyboard
[infographic]

Further reading

Legacy Active Directory Environment

Kill the technical debt of your legacy Active Directory environment.

Analyst Perspective

Understand what Active Directory is and why Azure Active Directory does not replace it.

It’s about Kerberos and New Technology LAN Manager (NTLM).

The image contains a picture of John Donovan.

Many organizations that want to innovate and migrate from on-premises applications to software as a service (SaaS) and cloud services are held hostage by their legacy Active Directory (AD). Microsoft did a good job taking over from Novell back in the late 90s, but its hooks into businesses are so deep that many have become dependent on AD services to manage devices and users, when in fact AD falls far short of needed capabilities, restricting innovation and progress.

Despite Microsoft’s Azure becoming prominent in the world of cloud services, Azure AD is not a replacement for on-premises AD. While Azure AD is a secure authentication store that can contain users and groups, that is where the similarities end. In fact, Microsoft itself has an architecture to mitigate the shortcomings of Azure AD by recommending organizations migrate to a hybrid model, especially for businesses that have an in-house footprint of servers and applications.

If you are a greenfield business and intend to take advantage of software, infrastructure, and platform as a service (SaaS, IaaS, and PaaS), as well as Microsoft 365 in Azure, then Azure AD is for you and you don’t have to worry about the need for AD.

John Donovan
Principal Director, I&O Practice
Info-Tech Research Group

Insight Summary

Legacy AD was never built for modern infrastructure

When Microsoft built AD as a free component for the Windows Server environment to replace Windows NT before the demise of Novell Directory Services in 2001, it never meant Active Directory to work outside the corporate network with Microsoft apps and devices. While it began as a central managing system for users and PCs on Microsoft operating systems, with one user per PC, the IT ecosystem has changed dramatically over the last 20 years, with cloud adoption, SaaS, IaaS, PaaS, and everything as a service. To make matters worse, work-from-anywhere has become a serious security challenge.

Build all new systems with cloud integration in mind

Many applications built in the past had built-in AD components for access, using Kerberos and NTLM. This dependency has prevented organizations from migrating away from AD. When assessing new technology and applications, consider SaaS or cloud-native apps rather than a Microsoft-dependent application with AD ingrained in the code. Ensure you are engaged when the business is assessing new apps. Stop the practice of the business purchasing apps without IT’s involvement; for example, if your marketing department is asking you for your Domain credentials for a vendor when you were not informed of this purchase.

Hybrid AD is a solution but not a long-term goal

Economically, Microsoft has no interest in replacing AD anytime soon. Microsoft wants that revenue and has built components like Azure AD Connect to mitigate the AD dependency issue, which is basically holding your organization hostage. In fact, Microsoft has advised that a hybrid solution will remain because, as we will investigate, Azure AD is not legacy AD.

Executive Summary

Your Challenge

Common Obstacles

Info-Tech’s Approach

You are looking to lose your dependency on Active Directory, and you need to tackle infrastructure technical debt, but there are challenges.

  • Legacy apps that are in maintenance mode cannot shed their AD dependency or have hardware upgrades made.
  • You are unaware of what processes depend on AD and how integrated they are.
  • Departments invest in apps that are integrated with AD without informing you until they ask for Domain details after purchasing.
  • Legacy applications can prevent you from upgrading servers or may need to be isolated due to security concerns related to inadequate patching and upgrades.
  • You do not see any return on investment in AD maintenance.
  • Mergers and acquisitions can prevent you from migrating away from AD if one company is dependent on AD and the other is fully in the cloud. This increases technical debt.
  • Remove your dependency on AD one application at a time. If you are a cloud-first organization, rethink your AD strategy to ask “why” when you add a new device to your Active Directory.
  • With the advent of hybrid work, AD is now a security risk. You need to shore up your security posture. Think of zero trust architecture.
  • Take inventory of your objects that depend on Kerberos and NTML and plan on removing that barrier through applications that don’t depend on AD.

Info-Tech Insight

Don’t allow Active Directory services to dictate your enterprise innovation and modernization strategies. Determine if you can safely remove objects and move them to a cloud service where your Azure AD Domain Services can handle your authentication and manage users and groups.

The history of Active Directory

The evolution of your infrastructure environment

From NT to the cloud

AD 2001 Exchange Server 2003 SharePoint 2007 Server 2008 R2 BYOD Security Risk All in Cloud 2015
  • Active Directory replaces NT and takes over from Novell as the enterprise access and control plane.
  • With slow WAN links, no cellphones, no tablets, and very few laptops, security was not a concern in AD.
  • In 2004, email becomes business critical.
  • This puts pressure on links, increases replication and domains, and creates a need for multiple identities.
  • Collaboration becomes pervasive.
  • Cross domain authentication becomes prevalent across the enterprise.
  • SharePoint sites need to be connected to multiple Domain AD accounts. More multiple identities are required.
  • Exchange resource forest rolls out, causing the new forest functional level to be a more complex environment.
  • Fine-grained password policies have impacted multiple forests, forcing them to adhere to the new password policies.
  • There are powerful Domain controllers, strong LAN and WAN connections, and an increase in smartphones and laptops.
  • Audits and compliance become a focus, and mergers and acquisitions add complexity. Security teams are working across the board.
  • Cloud technology doesn’t work well with complicated, messy AD environment. Cloud solutions need simple, flat AD architecture.
  • Technology changes after 15+ years. AD becomes the backbone of enterprise infrastructure. Managers demand to move to cloud, building complexity again.

Organizations depend on AD

AD is the backbone of many organizations’ IT infrastructure

73% of organizations say their infrastructure is built on AD.

82% say their applications depend on AD data.

89% say AD enables authenticated access to file servers.

90% say AD is the main source for authentication.

Source: Dimensions research: Active Directory Modernization :

Info-Tech Insight

Organizations fail to move away from AD for many reasons, including:

  • Lack of time, resources, budget, and tools.
  • Difficulty understanding what has changed.
  • Migrating from AD being a low priority.

Active Directory components

Physical and logical structure

Authentication, authorization, and auditing

The image contains a screenshot of the active directory components.

Active Directory has its hooks in!

AD creates infrastructure technical debt and is difficult to migrate away from.

The image contains a screenshot of an active directory diagram.

Info-Tech Insight

Due to the pervasive nature of Active Directory in the IT ecosystem, IT organizations are reluctant to migrate away from AD to modernize and innovate.

Migration to Microsoft 365 in Azure has forced IT departments’ hand, and now that they have dipped their toe in the proverbial cloud “lake,” they see a way out of the mounting technical debt.

AD security

Security is the biggest concern with Active Directory.

Neglecting Active Directory security

98% of data breaches came from external sources.

Source: Verizon, Data Breach Report 2022

85% of data breach took weeks or even longer to discover.

Source: Verizon Data Breach Report, 2012

The biggest challenge for recovery after an Active Directory security breach is identifying the source of the breach, determining the extent of the breach, and creating a safe and secure environment.

Info-Tech Insight

Neglecting legacy Active Directory security will lead to cyberattacks. Malicious users can steal credentials and hijack data or corrupt your systems.

What are the security risks to legacy AD architecture?

  • It's been 22 years since AD was released by Microsoft, and it has been a foundational technology for most businesses over the years. However, while there have been many innovations over those two decades, like Amazon, Facebook, iPhones, Androids, and more, Active Directory has remained mostly unchanged. There hasn’t been a security update since 2016.
  • This lack of security innovation has led to several cyberattacks over the years, causing businesses to bolt on additional security measures and added complexity. AD is not going away any time soon, but the security dilemma can be addressed with added security features.

AD event logs

84% of organizations that had a breach had evidence of that breach in their event logs.

Source: Verizon Data Breach Report, 2012

What is the business risk

How does AD impact innovation in your business?

It’s widely estimated that Active Directory remains at the backbone of 90% of Global Fortune 1000 companies’ business infrastructure (Lepide, 2021), and with that comes risk. The risks include:

  • Constraints of AD and growth of your digital footprint
  • Difficulty integrating modern technologies
  • Difficulty maintaining consistent security policies
  • Inflexible central domains preventing innovation and modernization
  • Inability to move to a self-service password portal
  • Vulnerability to being hacked
  • BYOD not being AD friendly

AD is dependent on Windows Server

  1. Even though AD is compliant with LDAP, software vendors often choose optional features of LDAP that are not supported by AD. It is possible to implement Kerberos in a Unix system and establish trust with AD, but this is a difficult process and mistakes are frequent.
  2. Restricting your software selection to Windows-based systems reduces innovation and may hamper your ability to purchase best-in-class applications.

Azure AD is not a replacement for AD

AD was designed for an on-premises enterprise

The image contains a screenshot of a Azure AD diagram.

  • Despite Microsoft’s Azure becoming prominent in the world of cloud services, Azure AD is not a replacement for on-premises AD.
  • In fact, Microsoft itself has an architecture to mitigate the shortcomings of Azure AD by recommending organizations migrate to a hybrid model, especially those businesses that have an in-house footprint of servers and applications.
  • If you are a greenfield business and intend to take advantage of SaaS, IaaS, and PaaS, as well as Microsoft 365 in Azure, then Azure AD is for you and you don’t have to worry about the need for AD.

"Azure Active Directory is not designed to be the cloud version of Active Directory. It is not a domain controller or a directory in the cloud that will provide the exact same capabilities with AD. It actually provides many more capabilities in a different way.

That’s why there is no actual ‘migration’ path from Active Directory to Azure Active Directory. You can synchronize your on-premises directories (Active Directory or other) to Azure Active Directory but not migrate your computer accounts, group policies, OU etc."

– Gregory Hall,
Brand Representative for Microsoft
(Source: Spiceworks)

The hybrid model for AD and Azure AD

How the model works

The image contains a screenshot of a hybrid model for AD and Azure AD.

Note: AD Federated Services (ADFS) is not a replacement for AD. It’s a bolt-on that requires maintenance, support, and it is not a liberating service.

Many companies are:

  • Moving to SaaS solutions for customer relationship management, HR, collaboration, voice communication, file storage, and more.
  • Managing non-Windows devices.
  • Moving to a hybrid model of work.
  • Enabling BYOD.

Given these trends, Active Directory is becoming obsolete in terms of identity management and permissions.

The difference between AD Domain Services and Azure AD DS

One of the core principles of Azure AD is that the user is the security boundary, not the network.

Kerberos is the default authentication and authorization protocol for AD. Kerberos is involved in nearly everything from the time you log on to accessing Sysvol, which is used to deliver policy and logon scripts to domain members from the Domain Controller.

Info-Tech Insight

If you are struggling to get away from AD, Kerberos and NTML are to blame. Working around them is difficult. Azure AD uses SAML2.0 OpenID Connect and OAuth2.0.

Feature Azure AD DS Self-managed AD DS
Managed service
Secure deployments Administrator secures the deployment
DNS server ✓ (managed service)
Domain or Enterprise administrator privileges
Domain join
Domain authentication using NTLM and Kerberos
Kerberos-constrained delegation Resource-based Resource-based and account-based
Custom OU structure
Group Policy
Schema extensions
AD domain/forest trusts ✓ (one-way outbound forest trusts only)
Secure LDAP (LDAPS)
LDAP read
LDAP write ✓ (within the managed domain)
Geo-distributed deployments

Source: “Compare self-managed Active Directory Domain Services...” Azure documentation, 2022

Impact of work-from-anywhere

How AD poses issues that impact the user experience

IT organizations are under pressure to enable work-from-home/work-from-anywhere.

  • IT teams regard legacy infrastructure, namely Active Directory, as inadequate to securely manage remote workloads.
  • While organizations previously used VPNs to access resources through Active Directory, they now have complex webs of applications that do not reside on premises, such as AWS, G-Suite, and SaaS customer relationship management and HR management systems, among others. These resources live outside the Windows ecosystem, complicating user provisioning, management, and security.
  • The work environment has changed since the start of COVID-19, with businesses scrambling to enable work-from-home. This had a huge impact on on-premises identity management tools such as AD, exposing their limitations and challenges. IT admins are all too aware that AD does not meet the needs of work-from-home.
  • As more IT organizations move infrastructure to the cloud, they have the opportunity to move their directory services to the cloud as well.
    • JumpCloud, OneLogin, Okta, Azure AD, G2, and others can be a solution for this new way of working and free up administrators from the overloaded AD environment.
    • Identity and access management (IAM) can be moved to the cloud where the modern infrastructure lives.
    • Alternatives for printers using AD include Google Cloud Print, PrinterOn, and PrinterLogic.

How AD can impact your migration to Microsoft 365

The beginning of your hybrid environment

  • Businesses that have a large on-premises footprint have very few choices for setting up a hybrid environment that includes their on-premises AD and Azure AD synchronization.
  • Microsoft 365 uses Azure AD in the background to manage identities.
  • Azure AD Connect will need to be installed, along with IdFix to identify errors such as duplicates and formatting problems in your AD.
  • Password hash should be implemented to synchronize passwords from on-premises AD so users can sign in to Azure without the need for additional single sign-on infrastructure.
  • Azure AD Connect synchronizes accounts every 30 minutes and passwords within two minutes.

Alternatives to AD

When considering retiring Active Directory from your environment, look at alternatives that can assist with those legacy application servers, handle Kerberos and NTML, and support LDAP.

  • JumpCloud: Cloud-based directory services. JumpCloud provides LDAP-as-a-Service and RADIUS-as-a-Service. It authenticates, authorizes, and manages employees, their devices, and IT applications. However, domain name changes are not supported.
  • Apache Directory Studio Pro: Written in Java, it supports LDAP v3–certified directory services. It is certified by Eclipse-based database utilities. It also supports Kerberos, which is critical for legacy Microsoft AD apps authentication.
  • Univention Corporate Server (UCS): Open-source Linux-based solution that has a friendly user interface and gets continuous security and feature updates. It supports Kerberos V5 and LDAP, works with AD, and is easy to sync. It also supports DNS server, DHCP, multifactor authentication and single sign-on, and APIs and REST APIs. However, it has a limited English knowledgebase as it is a German tool.

What to look for

If you are embedded in Windows systems but looking for an alternative to AD, you need a similar solution but one that is capable of working in the cloud and on premises.

Aside from protocols and supporting utilities, also consider additional features that can help you retire your Active Directory while maintaining highly secure access control and a strong security posture.

These are just a few examples of the many alternatives available.

Market drivers to modernize your infrastructure

The business is now driving your Active Directory migration

What IT must deal with in the modern world of work:

  • Leaner footprint for evolving tech trends
  • Disaster recovery readiness
  • Dynamic compliance requirements
  • Increased security needs
  • The need to future-proof
  • Mergers and acquisitions
  • Security extending the network beyond Windows

Organizations are making decisions that impact Active Directory, from enabling work-from-anywhere to dealing with malicious threats such as ransomware. Mergers and acquisitions also bring complexity with multiple AD domains.
The business is putting pressure on IT to become creative with security strategies, alternative authentication and authorization, and migration to SaaS and cloud services.

Activity

Build a checklist to migrate off Active Directory.

Discovery

Assessment

Proof of Concept

Migration

Cloud Operations

☐ Catalog your applications.

☐ Define your users, groups and usage.

☐ Identify network interdependencies and complexity.

☐ Know your security and compliance regulations.

☐ Document your disaster recovery plan and recovery point and time objectives (RPO/RTO).

☐ Build a methodology for migrating apps to IaaS.

☐ Develop a migration team using internal resources and/or outsourcing.

☐ Use Microsoft resources for specific skill sets.

☐ Map on-premises third-party solutions to determine how easily they will migrate.

☐ Create a plan to retire and archive legacy data.

☐ Test your workload: Start small and prove value with a phased approach.

☐ Estimate cloud costs.

☐ Determine the amount and size of your compute and storage requirements.

☐ Understand security requirements and the need for network and security controls.

☐ Assess network performance.

☐ Qualify and test the tools and solutions needed for the migration.

☐ Create a blueprint of your desired cloud environment.

☐ Establish a rollback plan.

☐ Identify tools for automating migration and syncing data.

☐ Understand the implications of the production-day data move.

☐ Keep up with the pace of innovation.

☐ Leverage 24/7 support via skilled Azure resources.

☐ Stay on top of system maintenance and upgrades.

☐ Consider service-level agreement requirements, governance, security, compliance, performance, and uptime.

Related Info-Tech Research

Manage the Active Directory in the Service Desk

  • Build and maintain your Active Directory with good data.
  • Actively maintaining the Active Directory is a difficult task that only gets more difficult with issues like stale accounts and privilege creep.

SoftwareReviews: Microsoft Azure Active Directory

  • The Azure Active Directory (Azure AD) enterprise identity service provides SSO and multifactor authentication to help protect your users from 99.9% of cybersecurity attacks

Define Your Cloud Vision

  • Don’t think about the cloud as an inevitable next step for all workloads. The cloud is merely another tool in the toolbox, ready to be used when appropriate and put away when it’s not needed. Cloud-first isn’t always the way to go.

Bibliography

“2012 Data Breach Investigations Report.” Verizon, 2012. Web.
“2022 Data Breach Investigations Report.” Verizon, 2012. Web.
“22 Best Alternatives to Microsoft Active Directory.” The Geek Page, 16 Feb 2022. Accessed 12 Sept. 2022.
Altieri, Matt. “Infrastructure Technical Debt.” Device 42, 20 May 2019. Accessed Sept 2022.
“Are You Ready to Make the Move from ADFS to Azure AD?’” Steeves and Associates, 29 April 2021. Accessed 28 Sept. 2022.
Blanton, Sean. “Can I Replace Active Directory with Azure AD? No, Here’s Why.” JumpCloud, 9 Mar 2021. Accessed Sept. 2022.
Chai, Wesley, and Alexander S. Gillis. “What is Active Directory and how does it work?” TechTarget, June 2021. Accessed 10 Sept. 2022.
Cogan, Sam. “Azure Active Directory is not Active Directory!” SamCogan.com, Oct 2020. Accessed Sept. 2022.
“Compare Active Directory to Azure Active Directory.” Azure documentation, Microsoft Learn, 18 Aug. 2022. Accessed 12 Sept. 2022.
"Compare self-managed Active Directory Domain Services, Azure Active Directory, and managed Azure Active Directory Domain Services." Azure documentation, Microsoft Learn, 23 Aug. 2022. Accessed Sept. 2022.
“Dimensional Research, Active Directory Modernization: A Survey of IT Professionals.” Quest, 2017. Accessed Sept 2022.
Grillenmeier, Guido. “Now’s the Time to Rethink Active Directory Security.“ Semperis, 4 Aug 2021. Accessed Oct. 2013.
“How does your Active Directory align to today’s business?” Quest Software, 2017, accessed Sept 2022
Lewis, Jack “On-Premises Active Directory: Can I remove it and go full cloud?” Softcat, Dec.2020. Accessed 15 Sept 2022.
Loshin, Peter. “What is Kerberos?” TechTarget, Sept 2021. Accessed Sept 2022.
Mann, Terry. “Why Cybersecurity Must Include Active Directory.” Lepide, 20 Sept. 2021. Accessed Sept. 2022.
Roberts, Travis. “Azure AD without on-prem Windows Active Directory?” 4sysops, 25 Oct. 2021. Accessed Sept. 2022.
“Understanding Active Directory® & its architecture.” ActiveReach, Jan 2022. Accessed Sept. 2022.
“What is Active Directory Migration?” Quest Software Inc, 2022. Accessed Sept 2022.

Pandemic Preparation – The People Playbook

  • Buy Link or Shortcode: {j2store}513|cart{/j2store}
  • member rating overall impact (scale of 10): N/A
  • member rating average dollars saved: N/A
  • member rating average days saved: N/A
  • Parent Category Name: Lead
  • Parent Category Link: /lead
  • Keeping employees safe – limiting exposure of employees to the virus and supporting them in the event they become ill.
  • Reducing potential disruption to business operations through employee absenteeism and travel restrictions.

Our Advice

Critical Insight

  • Communication of facts and definitive action plans from credible leaders is the key to maintaining some stability during a time of uncertainty.
  • Remote work is no longer a remote possibility – implementing alternative temporary work arrangements that keep large groups of employees from congregating reduce risk of employee exposure and operational downtime.
  • Pandemic travel protocols are necessary to support staff and their continuation of work while traveling for business and/or if stuck in a high-risk, restricted area.

Impact and Result

  • Assign accountability of key planning decisions to members of a pandemic response team.
  • Craft key messages in preparation for communicating to employees.
  • Cascade communications from credible sources in a way that will establish pandemic travel protocols.

Pandemic Preparation – The People Playbook Research & Tools

Start here. Read the Pandemic Preparation: The People Playbook

Read our concise Playbook to find out how you can immediately prepare for the people side of pandemic planning.

Besides the small introduction, subscribers and consulting clients within this management domain have access to:

  • Pandemic Preparation: The People Playbook
[infographic]

Select a Marketing Management Suite

  • Buy Link or Shortcode: {j2store}533|cart{/j2store}
  • member rating overall impact (scale of 10): 10.0/10 Overall Impact
  • member rating average dollars saved: $6,560 Average $ Saved
  • member rating average days saved: 50 Average Days Saved
  • Parent Category Name: Customer Relationship Management
  • Parent Category Link: /customer-relationship-management
  • Time, money, and effort are wasted on channels and campaigns that are not resonating with your customer base.
  • Email marketing, social marketing, and/or lead management alone are often not enough to meet more sophisticated marketing needs.
  • Many organizations struggle with taking a systematic approach to selection that pairs functional requirements with specific marketing workflows, and as a result they choose a marketing management suite (MMS) that is not well aligned to their needs, wasting resources and causing end-user frustration.
  • For IT managers or marketing professionals, the task to incorporate MMS technology into the organization requires not only receiving the buy-in for the MMS investment but also determining the vendor and solution that best fit the organization’s particular marketing management needs.

Our Advice

Critical Insight

  • An MMS enables complex campaigns across many channels, product lines, customer segments, and marketing groups throughout the enterprise.
  • Selecting an MMS has become increasingly difficult because the number of players in the marketplace has ballooned. Moreover, picking the wrong marketing solution has a direct impact on revenue.
  • Determine whether the investment in an MMS is worthwhile or the funds are better allocated elsewhere. For organizations with a large audience or varied product offerings, an MMS enables complex campaigns across many channels, product lines, customer segments, and marketing groups throughout the enterprise.

Impact and Result

  • Maximize your success and credibility with a proposal that emphasizes the areas relevant to your situation.
  • Perform more effective customer targeting and campaign management. Having an MMS equips marketers with the tools they need to make informed decisions around campaign execution, resulting in better targeting, acquisition, and customer retention. This means more revenue.
  • Maximize marketing impact with analytics-based decision making. Understanding users’/customers’ behaviors and preferences will allow you to run effective marketing initiatives.

Select a Marketing Management Suite Research & Tools

Start here – read the Executive Brief

Read our concise Executive Brief to find out how to approach selecting an MMS, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

Besides the small introduction, subscribers and consulting clients within this management domain have access to:

1. Launch the MMS project and collect requirements

Assess the organization’s fit for MMS technology and structure the MMS selection project.

  • Select a Marketing Management Suite – Phase 1: Launch the MMS Project and Collect Requirements
  • MMS Readiness Assessment Checklist

2. Shortlist marketing management suites

Produce a vendor shortlist for your MMS.

  • Select a Marketing Management Suite – Phase 2: Shortlist Marketing Management Suites

3. Select vendor and communicate decision to stakeholders

Evaluate RFPs, conduct vendor demonstrations, and select an MMS.

  • Select a Marketing Management Suite – Phase 3: Select Vendor and Communicate Decision to Stakeholders
  • MMS Requirements Picklist Tool
  • MMS Request for Proposal Template
  • MMS Vendor Demo Script
  • MMS Selection Executive Presentation Template
[infographic]

Workshop: Select a Marketing Management Suite

Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

1 Launch the MMS Project and Collect Requirements

The Purpose

Determine a “right-size” approach to marketing enablement applications.

Key Benefits Achieved

Confirmation of the goals, objectives, and direction of the organization is marketing application strategy.

Activities

1.1 Assess the value and identify the organization’s fit for MMS technology.

1.2 Understand the art of the possible.

1.3 Understand CXM strategy and identify your fit for MMS technology.

1.4 Build procurement team and project customer experience management (CXM) strategy.

1.5 Identify your MMS requirements.

Outputs

Project team list.

Preliminary requirements list.

2 Shortlist Marketing Management Suites

The Purpose

Enumerate relevant marketing management suites and point solutions.

Key Benefits Achieved

List of marketing enablement applications based on requirements articulated in the preliminary requirements list strategy.

Activities

2.1 Identify relevant use cases.

2.2 Discuss the vendor landscape.

Outputs

Vendor shortlist.

3 Select Vendor and Communicate Decision to Stakeholders

The Purpose

Develop a rationale for selecting a specific MMS vendor.

Key Benefits Achieved

MMS Vendor decision.

A template to communicate the decision to executives.

Activities

3.1 Create a procurement strategy.

3.2 Discuss the executive presentation.

3.3 Plan the procurement process.

Outputs

Executive/stakeholder PowerPoint presentation.

Selection of an MMS.

Further reading

Select a Marketing Management Suite

A best-fit solution balances needs, cost, and capability.

Table of contents

  1. Project Rationale
  2. Execute the Project/DIY Guide
  3. Appendices

ANALYST PERSPECTIVE

Navigate the complexity of a vast ecosystem by taking a structured approach to marketing management suite (MMS) selection.

Marketing applications are in high demand, but it is difficult to select a suite that is right for your organization. Market offerings have grown from 50 vendors to over 800 in the past five years. Much of the process of identifying an appropriate vendor is not about the vendor at all, but rather about having a comprehensive understanding of internal needs. There are instances where a smaller-point solution is necessary to satisfy requirements and a full marketing management suite is an overinvestment.

Likewise, a partner with differentiating features such as AI-driven workflows and a mobile software development kit can act as a powerful extension of an overall customer experience management strategy. It is crucial to make the right decision; missing the mark on an MMS selection will have a direct impact on the business’ bottom line.

Ben Dickie
Research Director, Enterprise Applications
Info-Tech Research Group

Phase milestones

Launch the MMS Project and Collect Requirements — Phase 1

  • Understand the MMS market space.
  • Assess organizational and project readiness for MMS selection.
  • Structure your MMS selection and implementation project by refining your MMS roadmap.
  • Align organizational use-case fit with market use cases.
  • Collect, prioritize, and document MMS requirements.

Shortlist MMS Tool — Phase 2

  • Review MMS market leaders and players within your aligned use case.
  • Review MMS vendor profiles and capabilities.
  • Shortlist MMS vendors based on organizational fit.

Select an MMS — Phase 3

  • Submit request for proposal (RFP) to shortlisted vendors.
  • Evaluate vendor responses and develop vendor demonstration scripts.
  • Score vendor demonstrations and select the final product.

Stop! Are you ready for this project?

This Research Is Designed For:
  • IT applications directors and business analysts supporting their marketing teams in selecting and implementing a robust marketing solution.
  • Any organization looking to procure an MMS tool that will allow it to automate its marketing processes or learn more about the MMS vendor landscape.
This Research Will Help You:
  • Understand today’s MMS market, specific to marketing automation, marketing intelligence, and social marketing use-case scenarios.
  • Understand MMS functionality as well as marketing terminology.
  • Follow best practices to prepare for and execute on selection, including requirements gathering and vendor evaluation.
This Research Will Also Assist:
  • Marketing managers, brand managers, and any marketing professional looking to build a cohesive marketing platform.
  • MMS project teams or working groups tasked with managing an RFP process for vendor selection.
This Research Will Help Them
  • Assess organizational and project readiness for embarking on MMS selection.
  • Draft an RFP, manage the vendor and product review process, and select a vendor.

Executive summary

Situation

The MMS market is a landscape of vendors offering campaign management, multichannel support, analytics, and publishing tools. Many vendors specialize in some of these areas but not all. Sometimes multiple products are necessary – but determining which feature sets the organization truly needs can be a challenging task. The right technology stack is critical in order to bring automation to marketing initiatives.

Complication

  • The first challenge is deciding whether to implement a full marketing suite or a point solution.
  • The number of marketing suites and point solutions has increased from 50 to more than 800 just in the past five years.
  • IT is receiving a growing number of marketing analytics requests and must be prepared to speak intelligently about marketing management vendor selection.

Resolution

  • Leverage Info-Tech’s comprehensive three-phase approach to MMS selection projects: assess your organization’s preparedness to go into the selection stage, move through technology selection, and present decisions to stakeholders.
  • Conduct an MMS project preparedness assessment to ensure you maximize the value of your time, effort, and spend.
  • Determine whether your organization’s needs will best be met by a marketing management suite or a point solution.
  • Determine which use case your organization fits into and review the relevant vendor landscape, common capability, and areas of product differentiation. Consult Info-Tech’s market analysis to shortlist vendors for your RFP process.
  • Take advantage of traceable and auditable selection tools to run an effective evaluation and selection process. Be prepared to answer the retroactive question “Why this MMS?” with documentation of your selection process and outputs.

Info-Tech Insight

  1. The new MMS market. Selecting a marketing management solution has become increasingly difficult, with the number of players in the marketplace ballooning to meet buyer demand.
  2. Direct translation to revenue. Picking the wrong marketing solution has a direct impact on the bottom line. However, the right MMS can lead to a 7.3x greater year-over-year increase in annual revenue.
  3. Don’t buy best-of-breed; buy best-for-you. Base your vendor selection on your requirements and use case, not on the vendor’s overall performance.

MMS is a key piece of the CRM puzzle

In order to optimize cross-sell opportunities and marketing effectiveness, there needs to be a master customer database, which belongs in the customer relationship management (CRM) suite.

When it comes to marketing automation capabilities, using CRM is like building a car from a kit. All the parts are there, but you need the time and skill to put it all together. Using marketing automation is like buying the car you want or need, with all the features you want already installed and some gas in the tank, ready to drive. In either case, you still need to know how to drive and where you want to go.” (Mac McIntosh, Marketo Inc.) 'CRM' surrounded by its components with 'MMS' highlighted. A master database – the central place where all up-to-the-minute data on a customer profile is stored – is essential for MMS success. This is particularly true for real-time capability effectiveness and to minimize customer fatigue.

Understand what an MMS can do for you

Take time to learn the capabilities of modern marketing applications. Understanding the “art of the possible” will help you to get the most out of your MMS.

MMS helps marketers in two primary ways:
  1. It allows them to efficiently execute and manage campaigns across dozens of channels and products.
  2. It allows them to analyze the outcomes of campaigns.
Marketing suites accomplish these tasks by:
  • Leveraging workflow automation to reduce the amount of time spent creating marketing campaigns
  • Using internal or third-party data to increase conversion effectiveness from customer databases across the organization
A strong MMS provides marketers with the data they need for actionable insights about their customers.
A marketing automation solution delivers essentially all the benefits of an email marketing solution along with integrated capabilities that would otherwise need to be cobbled together using various standalone technologies.” (Marketo Inc.)

Review Info-Tech’s vendor profiles of the MMS market to identify vendors that meet your requirements

Logos of multiple vendors including 'Hubspot', 'IBM', 'Salesforce marketing cloud', etc.

Use Info-Tech’s MMS implementation methodology as a starting point for your organization’s MMS selection

Info-Tech’s implementation methodology is not a step-by-step approach to vendor selection, but rather it highlights the pertinent considerations for MMS selection at each of the five steps outlined below.

1

2

3

4

5

Establish Resources Gather Requirements Write and Assemble RFP Exercise Due Diligence Evaluate Candidate Solutions
  • Determine work initiative dependencies and project milestones.
  • Establish the project timeline.
  • Designate project resources.
  • Prioritize rollout of functionality.
  • Link business goals with the MMS selection project.
  • Determine user roles and profiles.
  • Conduct stakeholder interviews.
  • Build communication and change management plan.
  • Draft an RFP.
  • Make a plan for soliciting feedback and publishing the RFP.
  • Customize a vendor demo script and scorecard.
  • Conduct vendor demos.
  • Speak with vendor references.
  • Evaluate nonfunctional requirements.
  • Understand upgrade schedules.
  • Define a vendor evaluation framework.
  • Prepare the final evaluation.
  • Prepare a presentation for management.

Contact your account representative or email Workshops@InfoTech.com for more information.

Professional services provider engages Info-Tech to guide it through its MMS selection journey

CASE STUDY

Industry: Professional Services | Source: Info-Tech Consulting

Challenge

A large professional services firm specializing in knowledge development was looking to modernize an outdated marketing services stack.

Previous investments in marketing tools ranging from email automation to marketing analytics led to system fragmentation. As a result, there was no 360-degree overview of marketing operations and no way to run campaigns at scale.

To satisfy the organization’s aspirations, a comprehensive marketing management suite had to be selected that met needs for the foreseeable future.

Solution

The Info-Tech consulting team was brought in to assist in the MMS selection process.

After meeting with several stakeholders, MMS requirements were developed and weighted. An RFP was then created from these requirements.

Following a market scan, four vendors were selected to complete the organization’s RFP. Demonstration scripts were then developed as the RFPs were completed by vendors.

Shortlisted vendors progressed to the demonstration phase.

Results

Vendor scorecards were utilized during the two-day demonstrations with the core project team to score each vendor.

During the scoring process the team also identified the need to replace the organization’s core customer repository (a legacy CRM).

The decision was made to select a CRM before finalizing the MMS selection. Doing so ensured uniform system architecture and strong interoperability between the firm’s MMS and its CRM.

Info-Tech offers various levels of support to best suit your needs

DIY Toolkit

Guided Implementation

Workshop

Consulting

"Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful." "Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track." "We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place." "Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project."

Diagnostics and consistent frameworks used throughout all four options

Select a Marketing Management Suite – project overview

1. Launch the MMS Project and Collect Requirements 2. Shortlist Marketing Management Suites 3. Select Vendor and Communicate Decision to Stakeholders
Supporting Tool icon

Best-Practice Toolkit

1.1 Assess the value and identify your organization’s fit for MMS technology.

1.2 Build your procurement team and project customer experience management (CXM) strategy.

1.3 Identify your MMS requirements.

2.1 Produce your shortlist

3.1 Select your MMS

3.2 Present selection

Guided Implementations

  • Understand CXM strategy and identify your fit for MMS technology.
  • Identify staffing needs.
  • Plan requirements gathering steps.
  • Discuss use-case fit assessment results.
  • Discuss vendor landscape.
  • Create a procurement strategy.
  • Discuss executive presentation.
  • Conduct a proposal review.
Associated Activity icon

Onsite Workshop

Module 1:
Launch Your MMS Selection Project
Module 2:
Analyze MMS Requirements and Shortlist Vendors
Module 3:
Plan Your Procurement Process
Phase 1 Outcome:
  • Launch of MMS selection project
Phase 2 Outcome:
  • Shortlist of vendors
Phase 3 Outcome:
  • Selection of MMS

Use these icons to help direct you as you navigate this research

Use these icons to help guide you through each step of the blueprint and direct you to content related to the recommended activities.

A small monochrome icon of a wrench and screwdriver creating an X.

This icon denotes a slide where a supporting Info-Tech tool or template will help you perform the activity or step associated with the slide. Refer to the supporting tool or template to get the best results and proceed to the next step of the project.

A small monochrome icon depicting a person in front of a blank slide.

This icon denotes a slide with an associated activity. The activity can be performed either as part of your project or with the support of Info-Tech team members who will come onsite to facilitate a workshop for your organization.

A small monochrome icon depicting a descending bar graph.

This icon denotes a slide that pertains directly to the Info-Tech vendor profiles on marketing management technology. Use these slides to support and guide your evaluation of the MMS vendors included in the research.

Select a Marketing Management Suite

PHASE 1

Launch the MMS Project and Collect Requirements

Phase 1 outline

Associated Activity icon Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

Guided Implementation 1: Launch Your MMS Project and Collect Requirements

Proposed Time to Completion: 3 weeks
Step 1.2: Structure the Project Step 1.3: Gather Requirements
Start with an analyst kick-off call:
  • Review readiness requirements for an MMS project.
  • Understand the work initiatives involved in MMS selection.
Review findings with analyst:
  • Determine use case based on your organizational alignment.
  • Discuss core MMS requirements.
Then complete these activities…
  • Conduct an organizational MMS readiness assessment.
Then complete these activities…
  • Identify best-fit use case.
  • Elicit, capture, and prioritize requirements.
With these tools & templates:
  • MMS Readiness Assessment Checklist
With these tools & templates:
  • MMS Requirements Picklist Tool
Phase 1 Results:
  • Completed readiness assessment.
  • Refined project plan to incorporate selection and implementation.

Phase 1 milestones

Launch the MMS Project and Collect Requirements — Phase 1

  • Understand the MMS market space.
  • Assess organizational and project readiness for MMS selection.
  • Structure your MMS selection and implementation project by refining your MMS roadmap.
  • Align organizational use-case fit with market use cases.
  • Collect, prioritize, and document MMS requirements.

Shortlist MMS Tool — Phase 2

  • Review MMS market leaders and players within your aligned use case.
  • Review MMS vendor profiles and capabilities.
  • Shortlist MMS vendors based on organizational fit.

Select an MMS — Phase 3

  • Submit request for proposal (RFP) to shortlisted vendors.
  • Evaluate vendor responses and develop vendor demonstration scripts.
  • Score vendor demonstrations and select the final product.

Step 1.1: Understand the MMS market

1.1

1.2

1.3

Understand the MMS Market Structure the Project Gather MMS Requirements

This step will walk you through the following activities:

  • MMS market overview

This step involves the following participants:

  • Project team
  • Project manager
  • Project sponsor

Outcomes of this step

  • An understanding of the evolution of the MMS market space and how it helps today’s organizations.
  • An evaluation of new and upcoming trends sought by MMS clients.
  • Verification of whether an MMS is a fit with your organization.

Speak the same language as the marketing department to deliver the most business value

Marketing Management Suite Glossary

Analytics The practice of measuring marketing performance to improve return on investment (ROI). It is often carried out through the visualization of meaningful patterns in data as a result of marketing initiatives.
Channels The different places where marketers can reach customers (e.g. social media, print mail, television).
Click-through rate The percentage of individuals who proceed (click-through) from one part of a marketing campaign to the next.
Content management Curating, creating, editing, and keeping track of content and client-facing assets.
Customer relationship management (CRM) A core enterprise application that provides a broad feature set for supporting customer interaction processes. The CRM frequently serves as a core customer data repository.
Customer experience management (CXM) The holistic management of customer interaction processes across marketing, sales, and customer service to create valuable, mutually beneficial customer experiences.
Engagement rate A social media metric used to describe the amount of likes, comments, shares, etc., that a piece of content receives.
Lead An individual or organization who has shown interest in the product or service being marketed.
Omnichannel The portfolio of interaction channels you use.

MMS is a key piece of the customer experience ecosystem

Within the broader CXM ecosystem, an MMS typically lives within the CRM platform. Interfacing with the CRM’s master customer database allows an MMS to optimize cross-sell opportunities and marketing effectiveness.

A master database – the central place where all up-to-the-minute data on a customer profile is stored – is essential for MMS success. This is particularly true for real-time capability effectiveness and to minimize customer fatigue.

If you have customer records in multiple places, you risk missing customer opportunities and potentially upsetting clients. For example, if a client has communicated preferences or disinterest through one channel, and this is not effectively recorded throughout the organization, another representative is likely to contact them in the same method again – possibly alienating the customer for good.

A master database requires automatic synchronization with all point solutions, POS, billing systems, agencies, etc. If you don’t have up-to-the-minute information, you can’t score prospects effectively and you lose out on the benefits of the MMS.

'CRM' surrounded by its components with 'MMS' highlighted.
Focus on the fundamentals before proceeding. Secure organizational readiness to reduce project risk using Info-Tech’s Build a Strong Technology Foundation for CXM and Select and Implement a CRM Platform blueprints.

Understanding the “art of the possible”

The world of marketing technology changes rapidly! Understand how modern marketing management suites are used in most organizations.

An MMS helps marketers in two primary ways:

  1. It allows them to efficiently execute and manage campaigns across dozens of channels and products.
  2. It allows them to analyze the outcomes of campaigns.

Marketing suites accomplish these tasks by:

  • Leveraging workflow automation to reduce the amount of time spent creating marketing campaigns.
  • Using internal or third-party data to increase conversion effectiveness from customer databases across the organization.

A strong MMS provides marketers with the data they need for actionable insights about their customers.

A marketing automation solution delivers essentially all the benefits of an email marketing solution along with integrated capabilities that would otherwise need to be cobbled together using various standalone technologies.” (Marketo Inc.)

Inform your way of thinking by understanding the capabilities of modern marketing applications.

A tree with icons related to knowledge.

Expect the marketing department to drive suite adoption, but don’t count out the benefits MMS will also provide to IT

MMS adoption is driven by the need for better campaign execution and marketing intelligence. MMS technologies are adopted to create faster, easier, more intelligent, and more measurable campaigns and make managing complex channels easy and repeatable.

Top Drivers for Adopting Marketing Management Technologies

Bar chart of top drivers for adopting marketing management technology. The first four bars are highlighted and the largest, they are labelled 'Campaign Measurement & Effectiveness', 'Execute Multi-channel Campaigns', 'Shorten Marketing Campaign Cycle', and 'Reduce Manual Campaign Creation'.
(Source: Info-Tech Research Group; N=23)

The key drivers for MMS are business-related, not IT-related. However, this does not mean that there are no benefits to IT. In fact, the IT department will see numerous benefits, including time and resource savings. Further, not having an MMS creates more work for your IT department. IT must serve as a valued partner for selection and implementation.

Additional benefits to IT driven by MMS

Marketing management suites are ideal for large organizations with multiple product lines in complex marketing environments. IT is often more centralized than its counterparts in the business, making it uniquely positioned to encourage greater coordination by helping the business units understand the shared goals and the benefits of working together to roll out suites for marketing workflow management, intelligence, and channel management.

Cross-Segmentation Additional Revenue Generation Real-Time Capabilities Lead Growth/ Conversion Rate
Business Value
  • Share resources between brands and product lines.
  • Increase database size with populated client data.
  • Track customer lifetime value.
  • Increase average deal size.
  • Decrease time to execute campaigns.
  • Decrease lead acquisition costs while collecting higher quality leads.
  • Improve retention rates.
  • Reduce cost to serve.
  • Increase customer retention due to effective service.
  • Higher campaign and response rates.
  • Track, measure, and prove the value of marketing activities.
  • Broaden reach through social channels.
IT Value
  • Reduce reliance on IT for routine tasks such as list creation and data cleansing.
  • Free up IT resources for the sectors of the business where the ROI is greatest.
  • Reduce need for IT to cleanse, modify, or merge data lists because most suites include CRM connectors.
  • Reduce need for constant customization on status reports on lead value and campaign success.

Info-Tech Insight

Don’t forget that MMS technologies deliver on the overarching suite value proposition: a robust solution within one integrated offering. Without an MMS in play, organizations in need of this functionality are forced to piece together point solutions (or ad hoc management). This not only increases costs but also is an integration nightmare for IT.

Step 1.2: Structure the project

1.1

1.2

1.3

Understand the MMS MarketStructure the ProjectGather MMS Requirements

This step will walk you through the following activities:

  • Determine if you are ready to kick off the MMS selection project.
  • Align project goals with CXM strategy and business goals.

This step involves the following participants:

  • Core project team
  • Project manager
  • Project sponsor

Outcomes of this step

  • Assurance that you have completed adequate preparation, obtained stakeholder and sponsor buy-in, secured sufficient resources, and completed strategy and planning activities to move forward with selection.
  • An approach to remedy organizational readiness to prepare for MMS selection.
  • An understanding of stakeholder goals.

Identify the scope and purpose of your MMS selection process

Vendor Profiles icon

Sample Project Overview

[Organization] plans to select and implement a marketing management suite in order to introduce better campaign management to the business’ processes. This procurement and implementation of an MMS tool will enable the business to improve the efficiency and effectiveness of marketing campaign execution.

This project will oversee the assessment and shortlisting of MMS vendors, selection of an MMS tool, the configuration of the solution, and the implementation of the technology into the business environment.

Rationale Behind the Project

Consider the business drivers behind the interest in MMS technology.

Be specific to business units impacted and identify key considerations (both opportunities and risks).

Business Drivers

  • Organizational productivity
  • Customer satisfaction
  • Marketing management costs
  • Risk management

Info-Tech Insights

Creating repeatable and streamlined marketing processes is a common overarching business objective that is driven by multiple factors. To ensure this objective is achieved, confirm that the primary drivers are following the implementation of the first automated marketing channels.

Activity: Understand your business’ goals for MMS by parsing your formal CXM strategy

Associated Activity icon 1.2.1 1 hour

INPUT: Stakeholder user stories

OUTPUT: Understanding of ideal outcomes from MMS implementation

MATERIALS: Whiteboard and marker or sticky notes

PARTICIPANTS: Project sponsor, Project stakeholders, Business analysts, Business unit reps

Instructions

  1. Outline the purpose of the future MMS tool and the drivers behind this business decision with the project’s key stakeholders.
  2. Document plans to ensure that these drivers are taken into consideration and realized following implementation. Example:
    Improve Reduce/Eliminate KPIs
    Multichannel marketing Duplication of effort Number of customer interaction channels supported
    Social integration Process inefficiencies Number of social signals received (likes, shares, etc.)

If you do not have a well-defined CXM strategy, leverage Info-Tech’s research to Build a Strong Technology Foundation for Customer Experience Management.

Understanding marketing suites

Vendor Profiles icon

This blueprint focuses on complete, integrated marketing management suites

An integrated suite is a single product that is designed to assist with multiple marketing processes. Information from these suites is deeply connected to the core CRM. Changing a piece of information for one process will update all affected.

'MMS' surrounded by its integrated processes, including 'Marketing Operations Management', 'Breadth of Channel Support', 'Marketing Asset Management', etc.

Understanding marketing point solutions

Vendor Profiles icon

A point solution typically interfaces with a single customer interaction channel with minimal CRM integration.

Why use a marketing point solution?

  1. A marketing point solution is a standalone application used to manage a unique process.
  2. Point solutions can be implemented and updated relatively quickly.
  3. They cost less than full-feature, integrated marketing suites.
  4. Some point solutions integrate with CRM platforms or MMS platforms.

Refer to Phase 2 for a bird’s-eye view of the point solution marketplace.

Marketing Point Solutions

  • Twitter Analytics
  • Search Engine Optimization
  • Customer Portals
  • Livechat
  • Marketing Attribution
  • Demand Side Platform

Determine if MMS is right for your organization

Vendor Profiles icon

Adopt an MMS if:

  1. Your organization is actively pursuing a multichannel marketing strategy, particularly if its marketing campaigns are complex and multifaceted, involving consumer-specific conditional messaging.
  2. Your enterprise serves a high volume of customers and marketing needs extend to formally managing budgets and resources, lead generation and segmentation, and measuring channel effectiveness.
  3. Your organizations has multiple product lines and is interested in increasing cross-sale opportunities.

Bypass an MMS if:

  • Your organization does not participate in multichannel campaigns and is primarily using email or web channels to generate leads. You may find the advanced features and capabilities of an MMS to be overkill and should consider lead marketing automation (LMA) or email marketing services first.
  • You are a small to midsize business (SMB) with a limited budget or fewer than five marketing professionals. Don’t buy what you don’t need; organizations with fewer than five people in the marketing department are unlikely to need an MMS.
  • Sales generation is not a priority for the business or a primary goal for the marketing department.

Info-Tech Insight

Using an MMS is ideal for organizations with multiple brands and product portfolios (e.g. consumer packaged goods). Ad hoc management and email marketing services are best for small organizations with a client base that requires only bare bones engagement.

Determine if you are ready to kick off your MMS selection and implementation project

Supporting Tool icon 1.2.2 MMS Readiness Assessment Checklist
Use Info-Tech’s MMS Readiness Assessment Checklist to determine if your organization has sufficient process and campaign maturity to warrant the investment in a consolidated marketing management suite.

Sections of the Tool:

  1. Goals & Objectives
  2. Project Team
  3. Current State Understanding
  4. Future State Vision
  5. Business Process Improvement
  6. Project Metrics
  7. Executive Sponsorship
  8. Stakeholder Buy-In & Change Management
  9. Risk Management
  10. Cost & Budget

INFO-TECH DELIVERABLE

Sample of Info-Tech's MMS Readiness Assessment Checklist.

Complete the MMS Readiness Assessment Checklist by following the instructions in Activity 1.2.3.

Activity: Determine if you are ready to kick off your MMS selection project

Associated Activity icon 1.2.3 30 minutes

INPUT: MMS foundation, MMS strategy

OUTPUT: Readiness remediation approach, Validation of MMS project readiness

MATERIALS: Info-Tech’s MMS Readiness Assessment Checklist

PARTICIPANTS: Project sponsor, Core project team

Instructions

  1. Download the MMS Readiness Assessment Checklist.
  2. Review Section 1 of the checklist with the core project team and/or project sponsor, item by item. For completed items, tick the relative checkbox.
  3. Once the whole checklist has been reviewed, document all incomplete items in the table under Section 1 in the first table column (“Incomplete Readiness Item”).
  4. For each incomplete item, use your discretion to determine whether its completion is critical in preparation for MMS selection and implementation. This may vary given the complexity of your MMS project. If the item is critical to the project, indicate this with “Y” in the second column (“Criticality (Y/N)”).
  5. For each critical item, reflect on the barriers that have prevented or are preventing its completion. Possible barriers include incomplete task dependencies, low value-to-effort determination, lack of organizational knowledge or resources, pressure of deadlines, etc. Document these barriers in the third column (“Barriers to Completion”).
  6. Based on the barriers determined in Step 5, determine a remediation approach for each item. Document the approach in the fourth column (“Remediation Approach”).
  7. For each remediation activity, designate a due date and remediation owner. Document this in the fifth column (“Due Date & Owner”).
  8. Carry out the remediation of critical tasks and return to this blueprint to kickstart your selection and implementation project.

Step 1.3: Gather MMS requirements

1.1

1.2

1.3

Understand the MMS MarketStructure the ProjectGather MMS Requirements

This step will walk you through the following activities:

  • Understand your MMS use case.
  • Elicit and capture your MMS requirements.
  • Prioritize your solution requirements.

This step involves the following participants:

  • Core project team
  • Project manager
  • Business analysts
  • Procurement subject-matter experts (SMEs)

Outcomes of this step

  • Project alignment with MMS market use case.
  • Inventory of categorized and prioritized MMS business requirements.

Understand the dominant use-case scenarios for MMS across organizations

Vendor Profiles icon

USE CASES

While an organization may be product- or service-centric, most fall into one of the three use cases described on this slide.

1) Marketing Automation

Workflow Management

Managing complex marketing campaigns and building and tracking marketing workflows are the mainstay responsibilities of brand managers and other senior marketing professionals. In this category, we evaluated vendors that provide marketers with comprehensive tools for marketing campaign automation, workflow building and tracking, lead management, and marketing resource planning for campaigns that need to reach a large segment of customers.

Omnichannel Management

The proliferation of marketing channels has created significant challenges for many organizations. In this use case, we executed a special evaluation of vendors that are well suited for the intricacies of juggling multiple channels, particularly mobile, social, and email marketing.

2) Marketing Intelligence

Sifting through data from a myriad of sources and coming up with actionable intelligence and insights remains a critical activity for marketing departments, particularly for market researchers. In this category, we evaluated solutions that aggregate, analyze, and visualize complex marketing data from multiple sources to allow decision makers to execute informed decisions.

3) Social Marketing

The proliferation of social networks, customer data, and use cases has made ad hoc social media management challenging. In this category we evaluated vendors that bring uniformity to an organization’s social media capabilities and contribute to a 360-degree customer view.

Activity: Understand which type of MMS you need

Associated Activity icon 1.3.1 30 minutes

INPUT: Use-case breakdown

OUTPUT: Project use-case alignments

Materials: Whiteboard, markers

Participants: Project manager, Core project team (optional)

Instructions

  1. Familiarize your team with Info-Tech’s MMS use-case breakdown from the previous slide.
  2. Determine which use case is best aligned with your organization’s MMS project objectives. If you need assistance with this, consider the relevance of the cases studies and statements on the following slides.
  3. If your team agrees with most or all statements under a given use case, this indicates strong alignment towards that use case. It is possible for an organization to align with more than one use case. Your use-case alignment will guide you in creating a vendor shortlist later in this project.

Use Info-Tech’s vendor research and use-case scenarios to support your organization’s vendor analysis

The use-case view of vendor and product performance provides multiple opportunities for vendors to fit into your application architecture depending on their product and market performance. The use cases selected are based on market research and client demand.

Determining your use case is crucial for:

  1. Selecting an application that is the right fit
  2. Establishing a business case for MMS

The following slides illustrate how the three most common use cases (marketing automation, marketing intelligence, and social marketing) align with business needs. As shown by the case studies, the right MMS can result in great benefits to your organization.

Use-case alignment and business need

Vendor Profiles icon

Marketing Automation

Marketing Need Manage customer experience across multiple channels Manage multiple campaigns simultaneously Integrate web-enabled devices (IoT) into marketing campaigns Run and track email marketing campaigns
A line of arrows pointing down.
Corresponding Feature End-to-end management of email marketing Visual workflow editor Customer journey mapping Business rules engine A/B tracking

The Portland Trail Blazers utilize an MMS to amplify their message with marketing automation technology

CASE STUDY

Industry: Entertainment | Source: Marketo

Challenge

The Portland Trail Blazers, an NBA franchise, were looking to expand their appeal beyond the city of Portland and into the greater Pacific Northwest Region.

The team’s management group also wanted to showcase the full range of events that were hosted in the team’s multipurpose stadium.

The Trail Blazers were looking to engage fans in a more targeted fashion than their CRM allowed for. Ultimately, they hoped to move from “batch and blast” email campaigns to an automated and targeted approach.

Solution

The Trail Blazers implemented an MMS that allowed it to rapidly build different types of campaigns. These campaigns could be executed across a variety of channels and target multiple demographics at various points in the fan journey.

Contextual ads were implemented using the marketing suite’s automated customer journey mapping feature. Targeted ads were served based on a fan’s location in the journey and interactions with the Trail Blazers’ online collateral.

Results

The automated campaigns led to a 75% email open rate, which contributed to a 96% renewal rate for season ticket holders – a franchise record.

Other benefits resulting from the improved conversion rate included an increased cohesion between the Trail Blazers’ marketing, analytics, and ticket sales operations.

Use-case alignment and business need

Vendor Profiles icon

Marketing Intelligence

Marketing Need Capture marketing- and customer-related data from multiple sources Analyze large quantities of marketing data Visualize marketing-related data in a manner that is easy for decision makers to consume Perform trend and predictive analysis
A line of arrows pointing down.
Corresponding Feature Integrate data across customer segments Analysis through machine learning Assign attributers to unstructured data Displays featuring data from external sources Create complex customer data visualizations

Chico’s FAS uses marketing intelligence to drive customer loyalty

CASE STUDY

Industry: Retail | Source: SAS

Challenge

Women’s apparel retailer Chico’s FAS was looking to capitalize on customer data from in-store and online experiences.

Chico’s hoped to consolidate customer data from multiple online and brick-and-mortar retail channels to get a complete view of the customer.

Doing so would satisfy Chico’s need to create more highly segmented, cost-effective marketing campaigns

Solution

Chico’s selected an MMS with strong marketing intelligence, analysis, and data visualization capability.

The MMS could consolidate and analyze customer and transactional information. The suite’s functionality enabled Chico’s marketing team to work directly with the data, without help from statisticians or IT staff.

Results

The approach to marketing indigence led to customers getting deals on products that were actually relevant to them, increasing sales and brand loyalty.

Moreover, the time it took to perform data consolidation decreased dramatically, from 17 hours to two hours, allowing the process to be performed daily instead of weekly.

Use-case alignment and business need

Vendor Profiles icon

Social Marketing

Marketing Need Understand customers' likes and dislikes Manage and analyze social media channels like Facebook and Twitter Foster a conversation around specific products Engage international audiences through regional messaging apps
A line of arrows pointing down.
Corresponding Feature Social listening capabilities Tools for curating customer community content Ability to aggregate social data Integration with popular social networks Ability to conduct trend reporting

Bayer leverages MMS technology to cultivate a social presence

CASE STUDY

Industry: Life Sciences | Source: Adobe

Challenge

Bayer, a Fortune 500 health and life sciences company, was looking for a new way to communicate its complex medical breakthroughs to the general public.

The decision was made to share the science behind its products via social channels in order to generate excitement.

Bayer needed tools to publish content across a variety of social media platforms while fostering conversations that were more focused on the science behind products.

Solution

Based on the requirements, Bayer decided that an MMS would be the best fit.

After conducting a market scan, the company selected an MMS with a comprehensive social media suite.

The suite included tools for social listening and moderation and tools to guide conversations initiated by both marketers and customers.

Results

The MMS provided Bayer with the toolkit to engage its audience.

Bayer took control of the conversation about its products by serving potential customers with relevant video content on social media.

Its social strategy coupled with advanced engagement tools resulted in new business opportunities and more than 65,000 views on YouTube and more than 87,000 Facebook views in a single month.

Leverage Info-Tech’s requirements gathering framework to serve as the basis for capturing your MMS requirements

An important step in selecting an MMS that will have widespread user adoption is creating archetypal customer personas. This will enable you to talk concretely about them as consumers of the application you select and allow you to build buyer scenarios around them.
REQUIREMENTS GATHERING
Info-Tech’s requirements gathering framework is a comprehensive approach to requirements management that can be scaled to any size of project or organization. This framework ensures that the application created will capture the needs of all stakeholders and deliver business value. Develop and right-size a proven standard operating procedure for requirements gathering with Info-Tech’s blueprint Build a Strong Approach to Business Requirements Gathering.
Stock photo of a Jenga tower with title: Build a Strong Approach to Business Requirements Gathering
KEY INPUTS TO MMS REQUIREMENTS GATHERING
Requirements Gathering Methodology

Sample of Requirements Gathering Blueprint.

Requirements Gathering Blueprint Slide 25: Understand the best-practice framework for requirements gathering for enterprise applications projects.

Requirements Gathering SOP

Sample of Requirements Gathering Blueprint.

Requirements Gathering Blueprint Activities 1.2.2-1.2.5, 2.1.1, 2.1.2, 3.1.1, 3.2.1, 4.1.1-4.1.3, 4.2.2: Consolidate outputs to right-size a best-practice SOP for your organization.

Project Level Selection Tool

Sample of Requirements Gathering Blueprint.

Requirements Gathering Blueprint Activity 1.2.4: Determine project-level selection guidelines to inform the due diligence required in your MMS requirements gathering.

Activity: Elicit and capture your MMS requirements

Associated Activity icon 1.3.2 Varies

INPUT: MMS tool user expertise, MMS Requirements Picklist Tool

OUTPUT: A list of needs from the MMS tool user perspective

Materials: Note-taking materials, Whiteboard or flip chart, markers

Participants: MMS users in the organization, MMS selection committee

Instructions

  1. Identify stakeholders for the requirements gathering exercise. Consider holding one-on-one sessions or large focus groups with key stakeholders or the project sponsor to gather business requirements for an MMS.
  2. Use the MMS Requirements Picklist Tool as a starting point for conducting the requirements elicitation session(s).
  3. Begin by reading the instructions in the template and then move to the “Requirements” worksheet. Read each defined requirement in the worksheet and indicate in the “Requirement Status” column whether the requirement is a “Must,” “High,” or “Low.” Confirming the status is an important part of the exercise. The status will help filter vendors for final selection later on in the process.
  4. Decide whether additional requirements are necessary by asking the MMS tool users. If so, add the requirements to the bottom of the “Requirements” worksheet and indicate their “Requirement Status.”

Download the MMS Requirements Picklist Tool to help with completing this activity.

Show the measurable benefits of MMS with metrics

The return on investment (ROI) and perceived value of the organization’s marketing solution will be a critical indication of the likelihood of success of the suite’s selection and implementation.

EXAMPLE
METRICS

MMS and Technology Adoption

Marketing Performance Metrics
Average revenue gain per campaign Quantity and quality of marketing insights
Average time to execute a campaign Customer acquisition rates
Savings from automated processes Marketing cycle times
User Adoption and Business Feedback Metrics
User satisfaction feedback User satisfaction survey with the technology
Business adoption rates Application overhead cost reduction

Info-Tech Insight

Even if marketing metrics are difficult to track right now, the implementation of an MMS brings access to valuable customer intelligence from data that was once kept in silos.

If you want additional support, have our analysts guide you through this phase as part of an Info-Tech Workshop Associated Activity icon

Book a workshop with our Info-Tech analysts:

Photo of an Info-Tech analyst.
  • To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
  • Info-Tech analyst will join you and your team onsite at your location or welcome you to Info-Tech's historic Toronto office to participate in an innovative onsite workshop.
  • Contact your account manager (www.infotech.com/account), or email Workshops@InfoTech.com for more information.

The following are sample activities that will be conducted by Info-Tech analysts with your team:

1.2.1

Sample of activity 1.2.1 'Understand your business' goals for MMS by parsing your formal CXM strategy'. Align the CXM strategy value proposition to MMS capabilities

Our facilitator will help your team identify the IT CXM strategy and marketing goals. The analyst will then work with the team to map the strategy to technological drivers available in the MMS market.

1.3.2

Sample of activity 1.3.2 'Elicit and capture your MMS requirements'. Define the needs of MMS users

Our facilitator will work with your team to identify user requirements for the MMS Requirements Picklist Tool. The analyst will facilitate a discussion with your team to prioritize identified requirements.

Select a Marketing Management Suite

PHASE 2

Shortlist Marketing Management Suites

Phase 2 outline

Associated Activity icon Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

Guided Implementation 2: Shortlist Marketing Management Suites

Proposed Time to Completion: 1-3 months
Step 2.1: Analyze and Shortlist MMS Vendors
Start with an analyst kick-off call:
  • Review requirements gathering findings.
  • Review the MMS market space.
Then complete these activities…
  • Review vendor profiles and analysis.
  • Weigh the evaluation criteria’s importance in product capabilities and vendor characteristics.
  • Shortlist MMS vendors.
With these tools & templates:
Phase 2 Results:
  • Shortlist of MMS tools

Phase 2 milestones

Launch the MMS Project and Collect Requirements — Phase 1

  • Understand the MMS market space.
  • Assess organizational and project readiness for MMS selection.
  • Structure your MMS selection and implementation project by refining your MMS roadmap.
  • Align organizational use-case fit with market use cases.
  • Collect, prioritize, and document MMS requirements.

Shortlist MMS Tool — Phase 2

  • Review MMS market leaders and players within your aligned use case.
  • Review MMS vendor profiles and capabilities.
  • Shortlist MMS vendors based on organizational fit.

Select an MMS — Phase 3

  • Submit request for proposal (RFP) to shortlisted vendors.
  • Evaluate vendor responses and develop vendor demonstration scripts.
  • Score vendor demonstrations and select the final product.

Step 2.1: Analyze and shortlist MMS vendors

2.1

Analyze and Shortlist MMS Vendors

This step will walk you through the following activities:

  • Review MMS vendor landscape.
  • Take note of relevant point solutions.
  • Shortlist vendors for the RFP process.

This step involves the following participants:

  • Core project team

Outcomes of this step

  • Understanding of Info-Tech’s use-case scenarios for MMS: marketing automation, marketing intelligence, and social marketing.
  • Familiarity with the MMS vendor landscape.
  • Shortlist of MMS vendors for RFP process.

Familiarize yourself with the MMS market: How it got here

Vendor Profiles icon

Loosely Tied Together

Originally the sales and marketing enterprise application space was highly fragmented, with disparate best-of-breed point solutions patched together. Soon after, vendors in the late 1990s started bundling automation technologies into a single suite offering. Marketing capabilities of CRM suites were minimal at best and often restricted to web and email only.

Limited to Large Enterprises

Many vendors started to combine all marketing tools into a single, comprehensive marketing suite, but cost and complexity limited them to large enterprises and marketing agencies.

Best-of-breed solutions targeting new channels and new goals, like closed-loop sales and marketing, continued driving new marketing software genres, like dedicated lead management suites.

In today’s volatile business environment, judgment built from past experience is increasingly unreliable. With consumer behaviors in flux, once-valid assumptions (e.g. ‘older consumers don’t use Facebook or send text messages’) can quickly become outdated.” (SAS Magazine)

Info-Tech Insight

As the market evolves, capabilities that were once cutting edge become default and new functionality becomes differentiating. Some features, like basic CRM integration, have become table stakes capabilities. Focus on advanced analytics features and omnichannel integration capabilities to get the best fit for your requirements.

Familiarize yourself with the MMS market: Where it’s going

Vendor Profiles icon

AI and Machine Learning

Vendors are beginning to offer AI capabilities across MMS for data-driven customer engagement scoring and social listening insights. Machine learning capability is being leveraged to determine optimal customer journey and suggest next steps to users.

Marketplace Fragmentation

The number of players in the marketing application space has grown exponentially. The majority of these new vendors offer point solutions rather than full-blown marketing suites. Fragmentation is leading to tougher choices when looking to augment an existing platform with specific functionality.

Improving Application Integration

MMS vendors are fostering deeper integrations between their marketing products and core CRM products, leading to improved data hygiene. At the same time, vendors are improving flexibility in the marketing suite so that new channels can be added easily.

Greater Self-Service

Vendors have an increased emphasis on application usability. Their goal is to enable marketers to execute campaigns without relying on specialists.

There’s a firehose of customer data coming at marketers today, and with more interconnected devices emerging (wearables, smart watches, etc.), cultivating a seamless customer experience is likely to grow even more challenging.

Building out a data-driven marketing strategy and technology stack that enables you to capture behaviors across channels is key.” (IBM, Ideas for Exceeding Customer Expectations)

Review Info-Tech’s vendor profiles of the MMS market to identify vendors that meet your requirements

Vendors & Products Evaluated

Vendor logos including 'Adobe', 'ORACLE', and 'IBM'.

VENDOR PROFILES

Review the MMS Vendor Evaluation

Large icon of a descending bar graph for vendor profiles title page.

Table stakes are the minimum standard; without these, a product doesn’t even get reviewed

Vendor Profiles icon

TABLE STAKES

Feature Table Stake Functionality
Basic Workflow Automation Simple automation of common marketing tasks (e.g. handling inbound leads).
Basic Channel Integration Integration with minimum two or more marketing channels (e.g. email and direct mail).
Customizable User Interface A user interface that can be changed and optimized to users’ preferences. This includes customizable dashboards for displaying relevant marketing metrics.
Basic Mobile UX Accessible from a mobile device in some fashion.
Cloud Compatibility Able to offer integration within pre-existing or proprietary cloud server. Many vendors only have SaaS products.

What does this mean?

The products assessed in these vendor profiles meet, at the very least, the requirements outlined as table stakes.

Many of the vendors go above and beyond the outlined table stakes; some even do so in multiple categories. This section aims to highlight the products’ capabilities in excess of the criteria listed here.

Info-Tech Insight

If table stakes are all you need from your MMS, determine whether your existing CRM platform already satisfies your requirements. Otherwise, dig deeper to find the best price-to-value ratio for your needs.

Take a holistic approach to vendor and product evaluation

Almost – or equally – as important as evaluating vendor feature capabilities is the need to evaluate vendor viability and non-functional aspects of the MMS. Include an evaluation of the following criteria in your vendor scoring methodology:

Vendor Attribute Description
Vendor Stability and Variability The vendor’s proven ability to execute on constant product improvement, deliberate strategic direction, and overall commitment to research and development efforts in responding to emerging trends.
Security Model The potential to integrate the application to existing security models and the vendor's approach to handling customer data.
Deployment Style The choice to deploy a single or multi-tenant SaaS environment via a perpetual license.
Ease of Customization The relative ease with which a system can be customized to accommodate niche or industry-specific business or functional needs.
Vendor Support Options The availability of vendor support options, including selection consulting, application development resources, implementation assistance, and ongoing support resources.
Size of Partner Ecosystem The quantity of enterprise applications and third-party add-ons that can be linked to the MMS, as well as the number of system integrators available.
Ease of Data Integration The relative ease with which the system can be integrated with an organization’s existing application environment, including legacy systems, point solutions, and other large enterprise applications.

Info-Tech Insight

Evaluate vendor capabilities, not just product capabilities. An MMS is typically a long-term commitment; ensure that your organization is teaming up with a vendor or provider that you feel you can work well with and depend on.

Advanced features are the capabilities that allow for granular differentiation of market players and use-case performance

Vendor Profiles icon

Evaluation Methodology

These product features were assessed as part of the classification of vendors into use cases. In determining use-case leaders and players, select features were considered based on best alignment with the use case.

Feature Advanced Functionality
Advanced Campaign Management End-to-end marketing campaign management: customer journey mapping, campaign initiation, monitoring, and dynamic reporting and adjustment.
Marketing Asset Management Content repository functionality (or tight ECM integration) for marketing assets and campaign collateral (static, multimedia, e-commerce–related, etc.).
Marketing Analytics
  • Predictive analytics; machine learning; capabilities for data ingestion and visualization across various marketing research/marketing intelligence categories (demographic, psychographic, etc.).
  • Data segmentation; drill-down ability to assign attributes to unstructured data; ability to construct complex customer/competitive data visualizations from segmented data.
Breadth of Channel Support Ability to support and manage a wide range of marketing channels (e-commerce, SEO/SEM, paid advertising, email, traditional [print, multimedia], etc.).
Marketing Workflow Management Visual workflow editors and business rules engine creation.

Advanced features are the capabilities that allow for granular differentiation of market players and use-case performance

Vendor Profiles icon

Evaluation Methodology

These product features were assessed as part of the classification of vendors into use cases. In determining use-case leaders and players, select features were considered based on best alignment with the use case.

Feature Advanced Functionality
Community Marketing Management Branded customer communities (e.g. community support forums) and DMB/DSP.
Email Marketing Automation End-to-end management of email marketing: email templates, email previews, spam testing, A/B tracking, multivariate testing, and email metrics tracking.
Social Marketing Ability to integrate with popular social media networks and manage social properties and to aggregate and analyze social data for trend reporting.
Mobile Marketing Ability to manage SMS, push, and mobile application marketing.
Marketing Operations Management Project management tools for marketers (timelines, performance indicators, budgeting/resourcing tools, etc.).

Use the information in the MMS vendor profiles to streamline your vendor analysis process

Vendor Profiles icon This section includes profiles of the vendors evaluated against the previously outlined framework.
Review the use-case scenarios relevant to your organization’s use case to identify a vendor’s fit to your organization’s MMS needs.
  • L = Use-case leader
  • P = Use-case player
Three column headers: 'Marketing Automation', 'Marketing Intelligence', and 'Social Media Marketing'.
Understand your organization’s size and whether it falls within the product’s market focus.
  • Large enterprise: 2,000+ employees and revenue of $250M+
  • Small-medium enterprise: 30-2,000 employees and revenue of $25M-$250M
Column header 'MARKET FOCUS' with row headers 'Small-Medium' and 'Large Enterprise'.
Review the differentiating features to identify where the application performs best. A list of features.
Colors signify a feature’s performance. A key for color-coding: Blue - 'Best of Breed', Green - 'Present: Competitive Strength', Yellow-Green - 'Present: Competitive Parity', Yellow - 'Semi-Present', Grey - 'Absent'.

Adobe Marketing Cloud

Vendor Profiles icon
Logo for Adobe. FUNCTIONAL SPOTLIGHT

Creative Cloud Integration: To make for a more seamless cross-product experience, projects can be sent between Marketing Cloud and Creative Cloud apps such as Photoshop and After Effects.

Sensei: Adobe has revamped its machine learning and AI platform in an effort to integrate AI into all of its marketing applications. Sensei includes data from Microsoft in a new partnership program.

Anomaly Detection: Adobe’s Anomaly Detection contextualizes data and provides a statistical method to determine how a given metric has changed in relation to previous metrics.

USE-CASE PERFORMANCE
Marketing
Automation
Marketing
Intelligence
Social
Marketing

L

L

P

MARKET FOCUS
Small-Medium
Large Enterprise
Adobe’s goal with Marketing Cloud is to help businesses provide customers with cohesive, seamless experiences by surfacing customer profiles in relevant situations quickly. Adobe Marketing Cloud has traditionally been used in the B2C space but has seen an increase in B2C use cases driven by the finance and technology sectors. FEATURES
Color-coded ranking of each feature for Adobe.
Employees (2018): 17,000 Presence: Global Founded: 1982 NASDAQ: ADBE

HubSpot

Vendor Profiles icon

Logo for Hubspot.FUNCTIONAL SPOTLIGHT

Content Optimization System (COS): The fully integrated system stores assets and serves them to their designated channels at relevant times. The COS is integrated into HubSpot's marketing platform.

Email Automation: HubSpot provides basic email that can be linked to a specific part of an organization’s marketing funnel. These emails can also be added to pre-existing automated workflows.

Email Deliverability Tool: HubSpot identifies HTML or content that will be flagged by spam filters. It also validates links and minimizes email load times.

USE-CASE PERFORMANCE
Marketing
Automation
Marketing
Intelligence
Social
Marketing

P

P

P

MARKET FOCUS
Small-Medium
Large Enterprise
Hubspot’s primary focus has been on email marketing campaigns. It has put effort into developing solid “click not code” email marketing capabilities. Also, Hubspot has an official integration with Salesforce for expanded operations management and analytics capabilities. FEATURES
Color-coded ranking of each feature for Hubspot.
Employees (2018): 1,400 Presence: Global Founded: 2006 NYSE: HUBS

IBM Marketing Cloud

Vendor Profiles icon

Logo for IBM.FUNCTIONAL SPOTLIGHT

Watson: IBM is leveraging its popular Watson AI brand to generate marketing insights for automated campaigns.

Weather Effects: Set campaign rules based on connections between weather conditions and customer behavior relative to zip code made by Watson.

Real-Time Personalization: IBM has made efforts to remove campaign interaction latency and optimize live customer engagement by acting on information about what customers are doing in the current moment.

USE-CASE PERFORMANCE
Marketing
Automation
Marketing
Intelligence
Social
Marketing

L

L

P

MARKET FOCUS
Small-Medium
Large Enterprise
IBM has remained ahead of the curve by incorporating its well-known AI technology throughout Marketing Cloud. The application’s integration with the wide array of IBM products makes it a powerful tool for users already in the IBM ecosystem. FEATURES
Color-coded ranking of each feature for IBM.
Employees (2018): 380,000 Presence: Global Founded: 1911 NYSE: IBM

Marketo

Vendor Profiles icon

Logo for Marketo.FUNCTIONAL SPOTLIGHT

Content AI: Marketo has leveraged its investments in machine learning to intelligently fetch marketing assets and serve them to customers based on their interactions with a campaign.

Email A/B Testing: To improve lead generation from email campaigns, Marketo features the ability to execute A/B testing for customized campaigns.

Partnership with Google: Marketo is now hosted on Google’s cloud platform, enabling it to provide support for larger enterprise clients and improve GDPR compliance.

USE-CASE PERFORMANCE
Marketing
Automation
Marketing
Intelligence
Social
Marketing

P

P

P

MARKET FOCUS
Small-Medium
Large Enterprise
Marketo has strong capabilities for lead management but has recently bolstered its analytics capabilities. Marketo is hoping to capture some of the analytics application market share by offering tools with varying complexity and to cater to firms with a wide range of analytics needs. FEATURES
Color-coded ranking of each feature for Marketo.
Employees (2018): 1,000 Presence: Global Founded: 2006 Private Corporation

Oracle Marketing Cloud

Vendor Profiles icon

Logo for Oracle.FUNCTIONAL SPOTLIGHT

Data Visualization: To make for a more seamless cross-product experience, marketing projects can be sent between Marketing Cloud and Creative Cloud apps such as Dreamweaver.

ID Graph: Use ID Graph to unite disparate data sources to form a singular profile of leads, making the personalization and contextualization of campaigns more efficient.

Interest-Based Messaging: Pause a campaign to update a segment or content based on aggregated customer activity and interaction data.

USE-CASE PERFORMANCE
Marketing
Automation
Marketing
Intelligence
Social
Marketing

P

P

P

MARKET FOCUS
Small-Medium
Large Enterprise
Oracle Marketing Cloud is known for its balance between campaigns and analytics products. Oracle has taken the lead on expanding its marketing channel mix to include international options such as WeChat. Users already using Oracle’s CRM/CEM products will derive the most value from Marketing Cloud. FEATURES
Color-coded ranking of each feature for Oracle.
Employees (2018): 138,000 Presence: Global Founded: 1977 NYSE: ORCL

Salesforce Marketing Cloud

Vendor Profiles icon

Logo for Salesforce Marketing Cloud.FUNCTIONAL SPOTLIGHT

Einstein: Salesforce is putting effort into integrating AI into all of its applications. The Einstein AI platform provides marketers with predictive analytics and insights into customer behavior.

Mobile Studio: Salesforce has a robust mobile marketing offering that encompasses SMS/MMS, in-app engagement, and group messaging platforms.

Journey Builder: Salesforce created Journey Builder, which is a workflow automation tool. Its user-friendly drag-and-drop interface makes it easy to automate responses to customer actions.

USE-CASE PERFORMANCE
Marketing
Automation
Marketing
Intelligence
Social
Marketing

L

P

L

MARKET FOCUS
Small-Medium
Large Enterprise
Salesforce Marketing Cloud is primarily used by organizations in the B2C space. It has strong Sales Cloud CRM integration. Pardot is positioning itself as a tool for sales teams in addition to marketers. FEATURES
Color-coded ranking of each feature for Salesforce Marketing Cloud.
Employees (2018): 1,800 Presence: Global Founded: 2000 NYSE: CRM

Salesforce Pardot

Vendor Profiles icon

Logo for Salesforce Pardot.FUNCTIONAL SPOTLIGHT

Engagement Studio: Salesforce is putting marketing capabilities in the hands of sales reps by giving them access to a team email engagement platform.

Einstein: Salesforce’s Einstein AI platform helps marketers and sales reps identify the right accounts to target with predictive lead scoring.

Program Steps: Salesforce developed a distinct own workflow building tool for Pardot. Workflows are made of “Program Steps” that have the functionality to initiate campaigns based on insights from Einstein.

USE-CASE PERFORMANCE
Marketing
Automation
Marketing
Intelligence
Social
Marketing

P

P

-

MARKET FOCUS
Small-Medium
Large Enterprise
Pardot is Salesforce’s B2B marketing solution. Pardot has focused on developing tools that enable sales teams and marketers to work in lockstep in order to achieve lead-generation goals. Pardot has deep integration with Salesforce’s CRM and customer service management products. FEATURES
Color-coded ranking of each feature for Salesforce Pardot.
Employees (2018): 1,800 Presence: Global Founded: 2000 NYSE: CRM

SAP Hybris Marketing

Vendor Profiles icon

Logo for SAP.FUNCTIONAL SPOTLIGHT

CMO Dashboard: The specialized dashboard is aimed at providing overviews for the executive level. It includes the ability to coordinate marketing activities and project budgets, KPIs, and timelines.

Loyalty Management: SAP features in-app tools to manage campaigns specifically geared toward customer loyalty with digital coupons and iBeacons.

Customer Segmentation: SAP’s predictive capabilities dynamically suggest relevant customer profiles for new campaigns.

USE-CASE PERFORMANCE
Marketing
Automation
Marketing
Intelligence
Social
Marketing

P

L

P

MARKET FOCUS
Small-Medium
Large Enterprise
SAP Hybris Marketing Cloud optimizes marketing strategies in real time with accurate attribution and measurements. SAP’s operations management capabilities are robust, including the ability to view consolidated data streams from ongoing marketing plans, performance targets, and budgets. FEATURES
Color-coded ranking of each feature for SAP.
Employees (2018): 84,000 Presence: Global Founded: 1972 NYSE: SAP

SAS Marketing Intelligence

Vendor Profiles icon

Logo for SAS.FUNCTIONAL SPOTLIGHT

Activity Map: A user-friendly workflow builder that can be used to execute campaigns. Multiple activities can be simultaneously A/B tested within the Activity Map UI. The outcome of the test can automatically adjust the workflow.

Spots: A native digital asset manager that can store property that is part of existing and future campaigns.

Viya: A framework for fully integrating third-party data sources into SAS Marketing Intelligence. Viya assists with pairing on-premises databases with a cloud platform for use with the SAS suite.

USE-CASE PERFORMANCE
Marketing
Automation
Marketing
Intelligence
Social
Marketing

P

L

MARKET FOCUS
Small-Medium
Large Enterprise
SAS has been a leading BI and analytics provider for more than 35 years. Rooted in statistical analysis of data, SAS products provide forward-looking strategic insights. Organizations that require extensive customer intelligence capabilities and the ability to “slice and dice” segments should have SAS on their shortlist. FEATURES
Color-coded ranking of each feature for SAS.
Employees (2018): 14,000 Presence: Global Founded: 1976 Private Corporation

Consider alternative MMS vendors not included in Info-Tech’s vendor profiles

Info-Tech evaluated only a portion of vendors in the MMS market. In order for a vendor to be included in this landscape, the company needed to meet three baseline criteria:
  1. Our clients must be talking about the solution.
  2. Our analysts must believe the solution will play well within the evaluation.
  3. The vendor must meet table stakes criteria.
Below is a list of notable vendors in the space that did not meet all of Info-Tech’s inclusion requirements.

Additional vendors in the MMS market:

Logo for act-on. Logo for SharpSpring.

See the next slides for suggested point solutions.

Leverage Info-Tech’s WXM and SMMP vendor landscapes to select platforms that fit with your CXM strategy

Web experience management (WXM) and social media management platforms (SMMP) act in concert with your MMS to execute complex campaigns.

Social Media Management

Info-Tech’s SMMP selection guide enables you to find a solution that satisfies your objectives across marketing, sales, public relations, HR, and customer service. Create a unified framework for driving successful implementation and adoption of your SMMP that fully addresses CRM and marketing automation integration, end-user adoption, and social analytics with Info-Tech’s blueprint Select and Implement a Social Media Management Platform.

Stock image with the title Select and Implement a Social Media Management Platform.
Web Experience Management

Info-Tech’s approach to WXM ensures you have the right suite of tools for web content management, experience design, and web analytics. Put your best foot forward by conducting due diligence as the selection project advances. Ensure that your organization will see quick results with Info-Tech’s blueprint Select and Implement a Web Experience Management Solution.

Stock image with the title Select and Implement a Web Experience Management Solution.

POINT SOLUTION PROFILES

Review this cursory list of point solutions by use case

Consider point solutions if a full suite is not required

Large icon of a target for point solution profiles title page.

Consider point solutions if a full suite is not required

Email Marketing

Logos of companies for Email Marketing including MailChimp and emma.

Consider point solutions if a full suite is not required

Search Engine Optimization (SEO)

Logos of companies for Search Engine Optimization including SpyFu and SerpStat.

Consider point solutions if a full suite is not required

Demand-Side Platform (DSP)

Logos of companies for Demand-Side Platform including MediaMath and rocketfuel.

Consider point solutions if a full suite is not required

Customer Portal Software

Logos of companies for Customer Portal Software including LifeRay and lithium.

Select a Marketing Management Suite

PHASE 3

Select Vendor and Communicate Decision to Stakeholders

Phase 3 outline

Associated Activity icon Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

Guided Implementation 3: Plan Your MMS Implementation

Proposed Time to Completion: 2 weeks
Step 3.1: Select Your MMS Step 3.2: Communicate the Decision to Stakeholders
Start with an analyst kick-off call:
  • Review the MMS shortlist.
  • Discuss how to link RFP questions and demo script scenarios to gathered requirements.
Review findings with analyst:
  • Review the alignment between MMS capability and the business’ CXM strategy.
  • Discuss how to present the decision to stakeholders.
Then complete these activities…
  • Build a vendor response template.
  • Evaluate RFP responses from vendors.
  • Build demo scripts and set up product demonstrations.
  • Establish evaluation criteria.
  • Select MMS product and vendor.
Then complete these activities…
  • Present decision rationale to stakeholders.
With these tools & templates:
  • MMS Request for Proposal Template
  • MMS Vendor Demo Script
With these tools & templates:
  • MMS Selection Executive Presentation Template
Phase 3 Results
  • Select an MMS that meets requirements and is approved by stakeholders.

Phase 3 milestones

Launch the MMS Project and Collect Requirements — Phase 1

  • Understand the MMS market space.
  • Assess organizational and project readiness for MMS selection.
  • Structure your MMS selection and implementation project by refining your MMS roadmap.
  • Align organizational use-case fit with market use cases.
  • Collect, prioritize, and document MMS requirements.

Shortlist MMS Tool — Phase 2

  • Review MMS market leaders and players within your aligned use case.
  • Review MMS vendor profiles and capabilities.
  • Shortlist MMS vendors based on organizational fit.

Select an MMS — Phase 3

  • Submit request for proposal (RFP) to shortlisted vendors.
  • Evaluate vendor responses and develop vendor demonstration scripts.
  • Score vendor demonstrations and select the final product.

Step 2.1: Analyze and shortlist MMS vendors

3.1

3.2

Select Your MMS Communicate Decision to Stakeholders

This step will walk you through the following activities:

  • Build a response template to standardize potential vendor responses and streamline your evaluation process.
  • Evaluate the RFPs you receive with a clear scoring process and evaluation framework.
  • Build a demo script to evaluate product demonstrations by vendors.
  • Select your solution.

This step involves the following participants:

  • Core project team
  • Procurement SMEs
  • Project sponsor

Outcomes of this step

  • Completed MMS RFP vendor response template
  • Completed MMS demo script(s)
  • Established product and vendor evaluation criteria
  • Final MMS selection

Activity: Shortlist vendors for the RFP process

Associated Activity icon 3.1.1 30 minutes

INPUT: Organizational use-case fit

OUTPUT: MMS vendor shortlist

Materials: Info-Tech’s MMS use cases, Info-Tech’s vendor profiles, Whiteboard, markers

Participants: Core project team

Instructions

  1. Collectively with the core project team, determine any knock-out criteria for shortlisting MMS vendors. For example, if your team is executing on a strategy that favors mobile deployment, vendors who do not have a mobile offering may be off the table.
  2. Based on the results in Activity 1.3.2, write a longlist of vendors. In most cases, this list will consist of all the vendors that fall into your organization’s use-case scenario. If your organization fits into more than one use case (e.g. your organization has both product-centric and service-centric MMS needs), look for the overlap of vendors between the use cases.
  3. Review the profiles of the vendors that fall into your use-case scenario. Based on your knock-out criteria established in Step 1, eliminate any vendors as applicable.
  4. Finalize and record your shortlist of MMS vendors.

Use Info-Tech’s MMS Request for Proposal Template to document and communicate your requirements to vendors

Supporting Tool icon 3.1.2 MMS Request for Proposal Template

Use the MMS Request for Proposal Template as a step-by-step guide on how to request interested vendors to submit written proposals that meet your set of requirements.

If interested in bidding for your project, vendors will respond with a description of the techniques they would employ to address your organizational challenges and meet your requirements, along with a plan of work and detailed budget for the project.

The RFP is an important piece of setting and aligning your expectations with the vendors’ product offerings. Make sure to address the following elements in the RFP:

Sections of the Tool:

  1. Statement of work
  2. General information
  3. Proposal preparation instructions
  4. Scope of work, specifications, and requirements
  5. Vendor qualifications and references
  6. Budget and estimated pricing
  7. Additional terms and conditions
  8. Vendor certification

INFO-TECH DELIVERABLE

Sample of Info-Tech's MMS Request Proposal Template.

Complete the MMS Request for Proposal Template by following the instructions in Activity 3.1.3.

Activity: Create an RFP to submit to MMS vendors

Associated Activity icon 3.1.3 1-2 hours

INPUT: Business requirements document, Procurement procedures

OUTPUT: MMS RFP

Materials: Internal RFP tools or templates (if available), Info-Tech’s MMS Request for Proposal Template (optional)

Participants: Procurement SMEs, Project manager, Core project team (optional)

Instructions

  1. Download Info-Tech’s MMS Request for Proposal Template or prepare internal best-practice RFP tools.
  2. Build your RFP:
    1. Complete the statement of work and general information sections to provide organizational context to your longlisted vendors.
    2. Outline the organization’s procurement instructions for vendors, including due diligence, assessment criteria, and dates.
    3. Input the business requirements document as created in Activity 1.3.2.
    4. Create a scenario overview to provide vendors with an opportunity to give an estimate price.
  3. Obtain approval for your RFP. Each organization has a unique procurement process; follow your own organization’s process as you submit your RFPs to vendors. Ensure compliance with your organization’s standards and gain approval for submitting your RFP.

Establish vendor evaluation criteria

Vendor demonstrations are an integral part of the selection process. Having clearly defined selection criteria will help with setting up relevant demos as well as inform the vendor scorecards.

EXAMPLE EVALUATION CRITERIAPie chart indicating the weight of each 'Vendor Evaluation Criteria': 'Functionality, 30%', 'Ease of Use, 25%', 'Cost, 15%', 'Vendor, 15%', and 'Technology, 15%'.
Functionality (30%)
  • Breadth of capability
  • Tactical capability
  • Operational capability
Ease of Use (25%)
  • End-user usability
  • Administrative usability
  • UI attractiveness
  • Self-service options
Cost (15%)
  • Maintenance
  • Support
  • Licensing
  • Implementation (internal and external costs)
Vendor (15%)
  • Support model
  • Customer base
  • Sustainability
  • Product roadmap
  • Proof of concept
  • Implementation model
Technology (15%)
  • Configurability options
  • Customization requirements
  • Deployment options
  • Security and authentication
  • Integration environment
  • Ubiquity of access (mobile)

Info-Tech Insight

Base your vendor evaluations not on the capabilities of the solutions but instead on how the solutions align with your organization’s process automation requirements and considerations.

Vendor demonstrations

Examine how the vendor’s solution performs against your evaluation framework.

What is the value of a vendor demonstration?

Vendor demonstrations create a valuable opportunity for your organization to confirm that the vendor’s claims in the RFP are actually true.

A display of the vendor’s functional capabilities and its execution of the scenarios given in your demo script will help to support your assessment of whether a vendor aligns with your MMS requirements.

What should be included in a vendor demonstration?

  1. Vendor’s display of its solution for the scenarios provided in the demo script.
  2. Display of functional capabilities of the tool.
  3. Briefing on integration capabilities.

Activity: Invite top performing vendors for product demonstrations

Associated Activity icon 3.1.4 1-2 hours

INPUT: Business requirements document, Logistical considerations, Usage scenarios by functional area

OUTPUT: MMS demo script

Materials: Info-Tech’s MMS Vendor Demo Script

Participants: Procurement SMEs, Core project team

Instructions

  1. Have your evaluation team (selected at the onset of the project) present to evaluate each vendor’s presentation. In some cases you may choose to bring in a subject matter expert (SME) to evaluate a specific area of the tool.
  2. Outline the logistics of the demonstration in the Introduction section of the template. Be sure to outline the total length of the demo and the amount of time that should be dedicated to the following:
    • Product demonstration in response to the demo script
    • Showcase of unique product elements, not reflective of the demo script
    • Question and answer session
    • Breaks and other potential interruptions
  3. Provide prompts for the vendor to display the capabilities by listing and describing usage scenarios by functional area. For example, when asking a vendor to demo financial and accounting management capabilities, you may break scenarios out by task (e.g. general ledger, accounts payable) or user role (e.g. finance manager, administrator).

Info-Tech Insight

Challenge vendor project teams during product demonstrations. Asking the vendor to make adjustments or customizations on the fly will allow you to get an authentic feel of product capability and flexibility, as well as of the degree of adaptability of the vendor project team. Ask the vendor to demonstrate how to do things not listed in your user scenarios, such as change system visualizations or design, change underlying data, add additional datasets, demonstrate analytics capabilities, or channel specific automation.

Use Info-Tech’s MMS Vendor Demo Script template to set expectations for vendor product demonstration

Vendor Profiles icon MMS Vendor Demo Script

Customize and use Info-Tech’s MMS Vendor Demo Script to help identify how a vendor’s solution will fit your organization’s particular business capability needs.

This tool assists with outlining logistical considerations for the demo itself and the scenarios with which the vendors should script their demonstration.

Sections of the Tool:

  1. Introduction
  2. Demo scenarios by functional area

Info-Tech Best Practice

Avoid providing vendors with a rigid script for product demonstration; instead, provide user scenarios. Part of the value of a vendor demonstration is the opportunity to assess whether or not the vendor project team has a solid understanding of your organization’s MMS challenges and requirements and can work with your team to determine the best solution possible. A rigid script may result in your inability to assess whether the vendor will adjust for and scale with your project and organization as a technology partner.

INFO-TECH DELIVERABLE

Sample of Info-Tech's MMS Vendor Demo Script.

Use the MMS Vendor Demo Script by following the instructions in Activity 3.1.4.

Leverage Info-Tech’s vendor selection and negotiation models as the basis for a streamlined MMS selection process

Design a procurement process that is robust, ruthless, and reasonable. Rooting out bias during negotiation is vital to making unbiased vendor selections.

Vendor Selection

Info-Tech’s approach to vendor selection gets you to design a procurement process that is robust, ruthless, and reasonable. This approach enables you to take control of vendor communications. Implement formal processes with an engaged team to achieve the right price, the right functionality, and the right fit for the organization with Info-Tech's blueprint Implement a Proactive and Consistent Vendor Selection Process.

Stock image with the title Implement a Proactive and Consistent Vendor Selection Process.
Vendor Negotiation

Info-Tech’s SaaS negotiation strategy focuses on taking control of implementation from the beginning. The strategy allows you to work with your internal stakeholders to make sure they do not team up with the vendor instead of you. Reach an agreement with your vendor that takes into account both parties’ best interests with Info-Tech’s blueprint Negotiate SaaS Agreements That Are Built to Last.

Stock image with the title Negotiate SaaS Agreements That Are Built to Last.

Step 3.2: Communicate decision to stakeholders

3.1

3.2

Select Your MMS Communicate Decision to Stakeholders

This step will walk you through the following activities:

  • Collect project rationale documentation.
  • Create a presentation to communicate your selection decision to stakeholders.

This step involves the following participants:

  • Core project team
  • Procurement SMEs
  • Project sponsor
  • Business stakeholders
  • Relevant management

Outcomes of this step

  • Completed MMS Selection Executive Presentation Template
  • Affirmation of MMS selection by stakeholders

Inform internal stakeholders of the final decision

Ensure traceability from the selected tool to the needs identified in the first phase. Internal stakeholders must understand the reasoning behind the final selection and see the alignment to their defined requirements and needs.

Document the selection process to show how the selected tool aligns to stakeholder needs:

A large arrow labelled 'Application Benefits', underlaid beneath two smaller arrows labelled 'MMS stakeholder needs' and 'MMS technology needs', all pointing to the right.

Documentation will assist with:

  1. Adopting the selected MMS.
  2. Demonstrating that proper due diligence was performed during the selection process.
  3. Providing direct traceability between the selected applications and internal stakeholder needs.

Activity: Prepare a presentation deck to communicate the selection process and decision to internal stakeholders

Associated Activity icon 3.2.1 1 week

INPUT: MMS tool selection committee expertise

OUTPUT: Decision to invest or not invest in an MMS tool

Materials: Note-taking materials, Whiteboard or flip chart, markers

Participants: MMS tool selection committee

Instructions

  1. Download Info-Tech’s MMS Selection Executive Presentation Template.
  2. Read the instructions on slide 2 of the template. Then, on slide 3, decide if any portion of the selection process should be removed from the communication. Discuss with the team and make adjustments to slide 3 as necessary.
  3. Work with the MMS selection committee to populate the slides that remain after the adjustments. Follow the instructions on each slide to help complete the content.
  4. Refer to the square brackets on each slide (e.g. [X.X]) to identify the activity numbers in this storyboard that correspond to the slide in the MMS Selection Executive Presentation Template. Use the outputs produced from the corresponding activities in this deck and populate each slide in the MMS Selection Executive Presentation Template.
  5. Use the completed template to present to internal stakeholders.

Info-Tech Insight

Documenting the process of how the selection decision was made will avoid major headaches down the road. Without a documented process, internal stakeholders and even vendors can challenge and discredit the selection process.

Vendor participation

Vendors Who Briefed with Info-Tech Research Group

Logos of vendors who participated in this blueprint: Salesforce Pardot, SAS, Adobe, Marketo, and Salesforce Marketing Cloud.

Professionals Who Contributed to Our Evaluation and Research

  • Sara Camden, Digital Change Agent, Equifax
  • Caren Carrasco, Lifecycle Marketing and Automation, Benjamin David Group
  • 10 anonymous contributors participated in the vendor briefings

Works cited

Adobe Systems Incorporated. “Bayer builds understanding, socially.” Adobe.com, 2017. Web.

IBM Corporation, “10 Key Marketing Trends for 2017.” IBM.com, 2017. Web.

Marketo, Inc. “The Definitive Guide to Marketing Automation.” Marketo.com, 2013. Web.

Marketo, Inc. “NBA franchise amplifies its message with help from Marketo’s marketing automation technology.” Marketo.com, 2017. Web.

Salesforce Pardot. “Marketing Automation & Your CRM: The Dynamic Duo.” Pardot.com, 2017. Web.

SAS Institute Inc. “Marketing Analytics: How, why and what’s next.” SAS Magazine, 2013. Web.

SAS Institute Inc. “Give shoppers offers they’ll love.” SAS.com, 2017. Web.

Cybersecurity Priorities in Times of Pandemic

  • Buy Link or Shortcode: {j2store}381|cart{/j2store}
  • member rating overall impact (scale of 10): N/A
  • member rating average dollars saved: N/A
  • member rating average days saved: N/A
  • Parent Category Name: Security Processes & Operations
  • Parent Category Link: /security-processes-and-operations
  • Novel coronavirus 2019 (COVID-19) has thrown organizations around the globe into chaos as they attempt to continue operations while keeping employees safe.
  • IT needs to support business continuity – juggling available capacity and ensuring that services are available to end users – without clarity of duration, amid conditions that change daily, on a scale never seen before.
  • Security has never been more important than now. But…where to start? What are the top priorities? How do we support remote work while remaining secure?

Our Advice

Critical Insight

  • There is intense pressure to enable employees to work remotely, as soon as possible. IT is scrambling to enable access, source equipment to stage, and deploy products to employees, many of whom are unfamiliar with working from home.
  • There is either too much security to allow people to be productive or too little security to ensure that the organization remains protected and secure.
  • These events are unprecedented, and no plan currently exists to sufficiently maintain a viable security posture during this interim new normal.

Impact and Result

  • Don’t start from scratch. Leverage your current security framework, processes, and mechanisms but tailor them to accommodate the new way of remote working.
  • Address priority security items related to remote work capability and its implications in a logical sequence. Some security components may not be as time sensitive as others.
  • Remain diligent! Circumstances may have changed, but the importance of security has not. In fact, IT security is likely more important now than ever before.

Cybersecurity Priorities in Times of Pandemic Research & Tools

Start here – read our Cybersecurity Priorities research.

Our recommendations and the accompanying checklist tool will help you quickly get a handle on supporting a remote workforce while maintaining security in your organization.

Besides the small introduction, subscribers and consulting clients within this management domain have access to:

  • Cybersecurity Priorities in Times of Pandemic Storyboard
  • Cybersecurity Priorities Checklist Tool
[infographic]

IT Operations Consulting

Operations... make sure that the services and products you offer your clients are delivered in the most efficient way possible. IT Operations makes sure that the applications and infrastructure that your delivery depends on is solid.

Gert Taeymans has over 20 years experience in directing the implementation and management of mission-critical services for businesses in high-volume international markets. Strong track record in risk management, crisis management including disaster recovery, service delivery and change & config management.

Continue reading

Streamline Application Maintenance

  • Buy Link or Shortcode: {j2store}402|cart{/j2store}
  • member rating overall impact (scale of 10): 9.5/10 Overall Impact
  • member rating average dollars saved: 20 Average Days Saved
  • member rating average days saved: After each Info-Tech experience, we ask our members to quantify the real-time savings, monetary impact, and project improvements our research helped them achieve.
  • Parent Category Name: Maintenance
  • Parent Category Link: /maintenance
  • Application maintenance teams are accountable for the various requests and incidents coming from a variety business and technical sources. The sheer volume and variety of requests create unmanageable backlogs.
  • The increasing complexity and reliance on technology within the business has set unrealistic expectations on maintenance teams. Stakeholders expect teams to accommodate maintenance without impact on project schedules.

Our Advice

Critical Insight

  • Improving maintenance’s focus and attention may mean doing less but more valuable work. Teams need to be realistic about what can be committed and be prepared to justify why certain requests have to be pushed down the backlog (e.g. lack of business value, high risks).
  • Maintenance must be treated like any other development activity. The same intake and prioritization practices and quality standards must be upheld, and best practices followed.

Impact and Result

  • Justify the necessity of streamlined maintenance. Gain a grounded understanding of stakeholder objectives and concerns, and validate their achievability against the current state of the people, process, and technologies involved in application maintenance.
  • Strengthen triaging and prioritization practices. Obtain a holistic picture of the business and technical impacts, risks, and urgencies of each accepted maintenance requests in order to justify its prioritization and relevance within your backlog. Identify opportunities to bundle requests together or integrate them within project commitments to ensure completion.
  • Establish and govern a repeatable process. Develop a maintenance process with well-defined stage gates, quality controls, and roles and responsibilities, and instill development best practices to improve the success of delivery.

Streamline Application Maintenance Research & Tools

Start here – read the Executive Brief

Read our Executive Brief to understand the common struggles found in application maintenance, their root causes, and the Info-Tech methodology to overcoming these hurdles.

Besides the small introduction, subscribers and consulting clients within this management domain have access to:

1. Understand your maintenance priorities

Understand the stakeholder priorities driving changes in your application maintenance practice.

  • Streamline Application Maintenance – Phase 1: Assess the Current Maintenance Landscape
  • Application Maintenance Operating Model Template
  • Application Maintenance Resource Capacity Assessment
  • Application Maintenance Maturity Assessment

2. Instill maintenance governance

Identify the appropriate level of governance and enforcement to ensure accountability and quality standards are upheld across maintenance practices.

  • Streamline Application Maintenance – Phase 2: Develop a Maintenance Release Schedule

3. Enhance triaging and prioritization practices

Build a maintenance triage and prioritization scheme that accommodates business and IT risks and urgencies.

  • Streamline Application Maintenance – Phase 3: Optimize Maintenance Capabilities

4. Streamline maintenance delivery

Define and enforce quality standards in maintenance activities and build a high degree of transparency to readily address delivery challenges.

  • Streamline Application Maintenance – Phase 4: Streamline Maintenance Delivery
  • Application Maintenance Business Case Presentation Document
[infographic]

Workshop: Streamline Application Maintenance

Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

1 Understand Your Maintenance Priorities

The Purpose

Understand the business and IT stakeholder priorities driving the success of your application maintenance practice.

Understand any current issues that are affecting your maintenance practice.

Key Benefits Achieved

Awareness of business and IT priorities.

An understanding of the maturity of your maintenance practices and identification of issues to alleviate.

Activities

1.1 Define priorities for enhanced maintenance practices.

1.2 Conduct a current state assessment of your application maintenance practices.

Outputs

List of business and technical priorities

List of the root-cause issues, constraints, and opportunities of current maintenance practice

2 Instill Maintenance Governance

The Purpose

Define the processes, roles, and points of communication across all maintenance activities.

Key Benefits Achieved

An in-depth understanding of all maintenance activities and what they require to function effectively.

Activities

2.1 Modify your maintenance process.

2.2 Define your maintenance roles and responsibilities.

Outputs

Application maintenance process flow

List of metrics to gauge success

Maintenance roles and responsibilities

Maintenance communication flow

3 Enhance Triaging and Prioritization Practices

The Purpose

Understand in greater detail the process and people involved in receiving and triaging a request.

Define your criteria for value, impact, and urgency, and understand how these fit into a prioritization scheme.

Understand backlog management and release planning tactics to accommodate maintenance.

Key Benefits Achieved

An understanding of the stakeholders needed to assess and approve requests.

The criteria used to build a tailored prioritization scheme.

Tactics for efficient use of resources and ideal timing of the delivery of changes.

A process that ensures maintenance teams are always working on tasks that are valuable to the business.

Activities

3.1 Review your maintenance intake process.

3.2 Define a request prioritization scheme.

3.3 Create a set of practices to manage your backlog and release plans.

Outputs

Understanding of the maintenance request intake process

Approach to assess the impact, urgency, and severity of requests for prioritization

List of backlog management grooming and release planning practices

4 Streamline Maintenance Delivery

The Purpose

Understand how to apply development best practices and quality standards to application maintenance.

Learn the methods for monitoring and visualizing maintenance work.

Key Benefits Achieved

An understanding of quality standards and the scenarios for where they apply.

The tactics to monitor and visualize maintenance work.

Streamlined maintenance delivery process with best practices.

Activities

4.1 Define approach to monitor maintenance work.

4.2 Define application quality attributes.

4.3 Discuss best practices to enhance maintenance development and deployment.

Outputs

Taskboard structure and rules

Definition of application quality attributes with user scenarios

List of best practices to streamline maintenance development and deployment

5 Finalize Your Maintenance Practice

The Purpose

Create a target state built from appropriate metrics and attainable goals.

Consider the required items and steps for the implementation of your optimization initiatives.

Key Benefits Achieved

A realistic target state for your optimized application maintenance practice.

A well-defined and structured roadmap for the implementation of your optimization initiatives.

Activities

5.1 Refine your target state maintenance practices.

5.2 Develop a roadmap to achieve your target state.

Outputs

Finalized application maintenance process document

Roadmap of initiatives to achieve your target state

Implement and Mature Your User Experience Design Practice

  • Buy Link or Shortcode: {j2store}430|cart{/j2store}
  • member rating overall impact (scale of 10): N/A
  • member rating average dollars saved: N/A
  • member rating average days saved: N/A
  • Parent Category Name: Requirements & Design
  • Parent Category Link: /requirements-and-design

Many organizations want to get to market quickly and on budget but don’t know the steps to get the right product/service to satisfy the users and business. This may be made apparent through uninformed decisions leading to lack of adoption of your product or service, rework due to post-implementation user feedback, or the competition discovering new approaches that outshine yours.

Our Advice

Critical Insight

Ensure your practice has a clear understanding of the design problem space – not just the solution. An understanding of the user is critical to this.

Impact and Result

  • Create a practice that is focused on human outcomes; it starts and ends with the people you are designing for. This includes:
    • Establishing a practice with a common vision.
    • Enhancing the practice through four design factors.
    • Communicating a roadmap to improve your business through design.
  • Create a practice that develops solutions specific to the needs of users, customers, and stakeholders.

Implement and Mature Your User Experience Design Practice Research & Tools

Start here – read the Executive Brief

Read our concise Executive Brief to find out why you should implement an experience design practice, review Info-Tech’s methodology, and understand the four dimensions we recommend using to mature your practice.

Besides the small introduction, subscribers and consulting clients within this management domain have access to:

1. Build the foundation

Motivate your team with a common vision, mission, and goals.

  • Design Roadmap Workbook
  • User Experience Practice Roadmap

2. Review the design dimensions

Examine your practice – from the perspectives of organizational alignment, business outcomes, design perspective, and design integration – to determine what it takes to improve your maturity.

3. Build your roadmap and communications

Bring it all together – determine your team structure, the roadmap for the practice maturity, and communication plan.

[infographic]

Workshop: Implement and Mature Your User Experience Design Practice

Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

1 Answer “So What?”

The Purpose

Make the case for UX. Bring the team together with a common mission, vision, and goals.

Key Benefits Achieved

Mission, vision, and goals for design

Activities

1.1 Define design practice goals.

1.2 Generate the vision statement.

1.3 Develop the mission statement.

Outputs

Design vision statement

Design mission statement

Design goals

2 Examine Design Dimensions

The Purpose

Review the dimensions that help organizations to mature, and assess what next steps make sense for your organization.

Key Benefits Achieved

Develop initiatives that are right-sized for your organization.

Activities

2.1 Examine organizational alignment.

2.2 Establish priorities for initiatives.

2.3 Identify business value sources.

2.4 Identify design perspective.

2.5 Brainstorm design integration.

2.6 Complete UCD-Canvas.

Outputs

Documented initiatives for design maturity

Design canvas framework

3 Create Structure and Initiatives

The Purpose

Make your design practice structure right for you.

Key Benefits Achieved

Examine patterns and roles for your organization.

Activities

3.1 Structure your design practice.

Outputs

Design practice structure with patterns

4 Roadmap and Communications

The Purpose

Define the communications objectives and audience for your roadmap.

Develop your communication plan.

Sponsor check-in.

Key Benefits Achieved

Complete in-progress deliverables from previous four days.

Set up review time for workshop deliverables and to discuss next steps.

Activities

4.1 Define the communications objectives and audience for your roadmap.

4.2 Develop your communication plan.

Outputs

Communication Plan and Roadmap

Enhance Your Solution Architecture Practices

  • Buy Link or Shortcode: {j2store}157|cart{/j2store}
  • member rating overall impact (scale of 10): 9.0/10 Overall Impact
  • member rating average dollars saved: $33,359 Average $ Saved
  • member rating average days saved: 11 Average Days Saved
  • Parent Category Name: Development
  • Parent Category Link: /development
  • In today’s world, business agility is essential to stay competitive. Quick responses to business needs through efficient development and deployment practices is critical for business value delivery.
  • A mature solution architecture practice is the basic necessity for a business to have technical agility.

Our Advice

Critical Insight

Don’t architect for normal situations. That is a shallow approach and leads to decisions that may seem “right” but will not be able to stand up to system elasticity needs.

Impact and Result

  • Understand the different parts of a continuous security architecture framework and how they may apply to your decisions.
  • Develop a solution architecture for upcoming work (or if there is a desire to reduce tech debt).

Enhance Your Solution Architecture Practices Research & Tools

Besides the small introduction, subscribers and consulting clients within this management domain have access to:

1. Solution Architecture Practices Deck – A deck to help you develop an approach for or validate existing solution architecture capability.

Translate stakeholder objectives into architecture requirements, solutions, and changes. Incorporate architecture quality attributes in decisions to increase your architecture’s life. Evaluate your solution architecture from multiple views to obtain a holistic perspective of the range of issues, risks, and opportunities.

  • Enhance Your Solution Architecture Practices – Phases 1-3

2. Solution Architecture Template – A template to record the results from the exercises to help you define, detail, and make real your digital product vision.

Identify and detail the value maps that support the business, and discover the architectural quality attribute that is most important for the value maps. Brainstorm solutions for design decisions for data, security, scalability, and performance.

  • Solution Architecture Template
[infographic]

Workshop: Enhance Your Solution Architecture Practices

Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

1 Vision and Value Maps

The Purpose

Document a vision statement for the solution architecture practice (in general) and/or a specific vision statement, if using a single project as an example.

Document business architecture and capabilities.

Decompose capabilities into use cases.

Key Benefits Achieved

Provide a great foundation for an actionable vision and goals that people can align to.

Develop a collaborative understanding of business capabilities.

Develop a collaborative understanding of use cases and personas that are relevant for the business.

Activities

1.1 Develop vision statement.

1.2 Document list of value stream maps and their associated use cases.

1.3 Document architectural quality attributes needed for use cases using SRME.

Outputs

Solution Architecture Template with sections filled out for vision statement canvas and value maps

2 Continue Vision and Value Maps, Begin Phase 2

The Purpose

Map value stream to required architectural attributes.

Prioritize architecture decisions.

Discuss and document data architecture.

Key Benefits Achieved

An understanding of architectural attributes needed for value streams.

Conceptual understanding of data architecture.

Activities

2.1 Map value stream to required architectural attributes.

2.2 Prioritize architecture decisions.

2.3 Discuss and document data architecture.

Outputs

Solution Architecture Template with sections filled out for value stream and architecture attribute mapping; a prioritized list of architecture design decisions; and data architecture

3 Continue Phase 2, Begin Phase 3

The Purpose

Discuss security and threat assessment.

Discuss resolutions to threats via security architecture decisions.

Discuss system’s scalability needs.

Key Benefits Achieved

Decisions for security architecture.

Decisions for scalability architecture.

Activities

3.1 Discuss security and threat assessment.

3.2 Discuss resolutions to threats via security architecture decisions.

3.3 Discuss system’s scalability needs.

Outputs

Solution Architecture Template with sections filled out for security architecture and scalability design

4 Continue Phase 3, Start and Finish Phase 4

The Purpose

Discuss performance architecture.

Compile all the architectural decisions into a solutions architecture list.

Key Benefits Achieved

A complete solution architecture.

A set of principles that will form the foundation of solution architecture practices.

Activities

4.1 Discuss performance architecture.

4.2 Compile all the architectural decisions into a solutions architecture list.

Outputs

Solution Architecture Template with sections filled out for performance and a complete solution architecture

Further reading

Enhance Your Solution Architecture Practice

Ensure your software systems solution is architected to reflect stakeholders’ short- and long-term needs.

Analyst Perspective

Application architecture is a critical foundation for supporting the growth and evolution of application systems. However, the business is willing to exchange the extension of the architecture’s life with quality best practices for the quick delivery of new or enhanced application functionalities. This trade-off may generate immediate benefits to stakeholders, but it will come with high maintenance and upgrade costs in the future, rendering your system legacy early.

Technical teams know the importance of implementing quality attributes into architecture but are unable to gain approval for the investments. Overcoming this challenge requires a focus of architectural enhancements on specific problem areas with significant business visibility. Then, demonstrate how quality solutions are vital enablers for supporting valuable application functionalities by tracing these solutions to stakeholder objectives and conducting business and technical risk and impact assessments through multiple business and technical perspectives.

this is a picture of Andrew Kum-Seun

Andrew Kum-Seun
Research Manager, Applications
Info-Tech Research Group

Enhance Your Solution Architecture

Ensure your software systems solution is architected to reflect stakeholders’ short- and long-term needs.

EXECUTIVE BRIEF

Executive Summary

Your Challenge

  • Most organizations have some form of solution architecture; however, it may not accurately and sufficiently support the current and rapidly changing business and technical environments.
  • To enable quick delivery, applications are built and integrated haphazardly, typically omitting architecture quality practices.

Common Obstacles

  • Failing to involve development and stakeholder perspectives in design can lead to short-lived architecture and critical development, testing, and deployment constraints and risks being omitted.
  • Architects are experiencing little traction implementing solutions to improve architecture quality due to the challenge of tracing these solutions back to the right stakeholder objectives.

Info-Tech's Approach

  • Translate stakeholder objectives into architecture requirements, solutions, and changes. Incorporate architecture quality attributes in decisions to increase your architecture’s life.
  • Evaluate your solution architecture from multiple views to obtain a holistic perspective of the range of issues, risks, and opportunities.
  • Regularly review and recalibrate your solution architecture so that it accurately reflects and supports current stakeholder needs and technical environments.

Info-Tech Insight

Well-received applications can have poor architectural qualities. Functional needs often take precedence over quality architecture. Quality must be baked into design, execution, and decision-making practices to ensure the right tradeoffs are made.

A badly designed solution architecture is the root of all technical evils

A well-thought-through and strategically designed solution architecture is essential for the long-term success of any software system, and by extension, the organization because:

  1. It will help achieve quality attribute requirements (security, scalability, performance, usability, resiliency, etc.) for a software system.
  2. It can define and refine architectural guiding principles. A solution architecture is not only important for today but also a vision for the future of the system’s ability to react positively to changing business needs.
  3. It can help build usable (and reusable) services. In a fast-moving environment, the convenience of having pre-made plug-and-play architectural objects reduces the risk incurred from knee-jerk reactions in response to unexpected demands.
  4. It can be used to create a roadmap to an IT future state. Architectural concerns support transition planning activities that can lead to the successful implementation of a strategic IT plan.

Demand for quick delivery makes teams omit architectural best practices, increasing downstream risks

In its need for speed, a business often doesn’t see the value in making sure architecture is maintainable, reusable, and scalable. This demand leads to an organizational desire for development practices and the procurement of vendors that favor time-to-market over long-term maintainability. Unfortunately, technical teams are pushed to omit design quality and validation best practices.

What are the business impacts of omitting architecture design practices?

Poor quality application architecture impedes business growth opportunities, exposes enterprise systems to risks, and consumes precious IT budgets in maintenance that could otherwise be used for innovation and new projects.

Previous estimations indicate that roughly 50% of security problems are the result of software design. […] Flaws in the architecture of a software system can have a greater impact on various security concerns in the system, and as a result, give more space and flexibility for malicious users.(Source: IEEE Software)

Errors in software requirements and software design documents are more frequent than errors in the source code itself according to Computer Finance Magazine. Defects introduced during the requirements and design phase are not only more probable but also more severe and more difficult to remove. (Source: iSixSigma)

Design a solution architecture that can be successful within the constraints and complexities set before you

APPLICATION ARCHITECTURE…

… describes the dependencies, structures, constraints, standards, and development guidelines to successfully deliver functional and long-living applications. This artifact lays the foundation to discuss the enhancement of the use and operations of your systems considering existing complexities.

Good architecture design practices can give you a number of benefits:

Lowers maintenance costs by revealing key issues and risks early. The Systems Sciences Institute at IBM has reported that the cost to fix an error found after product release was 4 to 5 times as much as one uncovered during design.(iSixSigma)

Supports the design and implementation activities by providing key insights for project scheduling, work allocation, cost analysis, risk management, and skills development.(IBM: developerWorks)

Eliminates unnecessary creativity and activities on the part of designers and implementers, which is achieved by imposing the necessary constraints on what they can do and making it clear that deviation from constraints can break the architecture.(IBM: developerWorks)

Use Info-Tech’s Continuous Solution Architecture (CSA) Framework for designing adaptable systems

Solution architecture is not a one-size-fits-all conversation. There are many design considerations and trade-offs to keep in mind as a product or services solution is conceptualized, evaluated, tested, and confirmed. The following is a list of good practices that should inform most architecture design decisions.

Principle 1: Design your solution to have at least two of everything.

Principle 2: Include a “kill switch” in your fault-isolation design. You should be able to turn off everything you release.

Principle 3: If it can be monitored, it should be. Use server and audit logs where possible.

Principle 4: Asynchronous is better than synchronous. Asynchronous design is more complex but worth the processing efficiency it introduces.

Principle 5: Stateless over stateful: State data should only be used if necessary.

Principle 6: Go horizonal (scale out) over vertical (scale up).

Principle 7: Good architecture comes in small packages.

Principle 8: Practice just-in-time architecture. Delay finalizing an approach for as long as you can.

Principle 9: X-ilities over features. Quality of an architecture is the foundation over which features exist. A weak foundation can never be obfuscated through shiny features.

Principle 10: Architect for products not projects. A product is an ongoing concern, while a project is short lived and therefore only focused on what is. A product mindset forces architects to think about what can or should be.

Principle 11: Design for rollback: When all else fails, you should be able to stand up the previous best state of the system.

Principle 12: Test the solution architecture like you test your solution’s features.

CSA should be used for every step in designing a solution’s architecture

Solution architecture is a technical response to a business need, and like all complex evolutionary systems, must adapt its design for changing circumstances.

The triggers for changes to existing solution architectures can come from, at least, three sources:

  1. Changing business goals
  2. Existing backlog of technical debt
  3. Solution architecture roadmap

A solution’s architecture is cross-cutting and multi-dimensional and at the minimum includes:

  • Product Portfolio Strategy
  • Application Architecture
  • Data Architecture
  • Information Architecture
  • Operational Architecture

along with several qualitative attributes (also called non-functional requirements).

This image contains a chart which demonstrates the relationship between changing hanging business goals, Existing backlog of technical debt, Solution architecture roadmap, and Product Portfolio Strategy, Application Architecture, Data Architecture, Information Architecture and, Operational Architecture

Related Research: Product Portfolio Strategy

Integrate Portfolios to Create Exceptional Customer Value

  • Define an organizing principle that will structure your projects and applications in a way that matters to your stakeholders.
  • Bridge application and project portfolio data using the organizing principle that matters to communicate with stakeholders across the organization.
  • Create a dashboard that brings together the benefits of both project and application portfolio management to improve visibility and decision making.

Deliver on Your Digital Portfolio Vision

  • Recognize that a vision is only as good as the data that backs it up. Lay out a comprehensive backlog with quality built in that can be effectively communicated and understood through roadmaps.
  • Your intent is only a dream if it cannot be implemented ; define what goes into a release plan via the release canvas.
  • Define a communication approach that lets everyone know where you are heading.

Related Research: Data, Information & Integration Architecture

Build a Data Architecture Roadmap

  • Have a framework in place to identify the appropriate solution for the challenge at hand. Our three-phase practical approach will help you build a custom and modernized data architecture.
  • Identify and prioritize the business drivers in which data architecture changes would create the largest overall benefit and determine the corresponding data architecture tiers that need to be addressed.
  • Discover the best-practice trends, measure your current state, and define the targets for your data architecture tactics.
  • Build a cohesive and personalized roadmap for restructuring your data architecture. Manage your decisions and resulting changes.

Build a Data Pipeline for Reporting and Analytics

  • Understand your high-level business capabilities and interactions across them – your data repositories and flows should be just a digital reflection thereof.
  • Divide your data world in logical verticals overlaid with various speed data progression lanes, i.e. build your data pipeline – and conquer it one segment at a time.
  • Use the most appropriate database design pattern for a given phase/component in your data pipeline progression.

Related Research:Operational Architecture

Optimize Application Release Management

  • Acquire release management ownership. Ensure there is appropriate accountability for the speed and quality of the releases passing through the entire pipeline.
  • A release manager has oversight over the entire release process and facilitates the necessary communication between business stakeholders and various IT roles.
  • Instill holistic thinking. Release management includes all steps required to push release and change requests to production along with the hand-off to Operations and Support. Increase the transparency and visibility of the entire pipeline to ensure local optimizations do not generate bottlenecks in other areas.
  • Standardize and lay a strong release management foundation. Optimize the key areas where you are experiencing the most pain and continually improve.

Build Your Infrastructure Roadmap

  • Increased communication. More information being shared to more people who need it.
  • Better planning. More accurate information being shared.
  • Reduced lead times. Less due diligence or discovery work required as part of project implementations.
  • Faster delivery times. Less low-value work, freeing up more time for project work.

Related Research:Security Architecture

Identify Opportunities to Mature the Security Architecture

  • A right-sized security architecture can be created by assessing the complexity of the IT department, the operations currently underway for security, and the perceived value of a security architecture within the organization. This will bring about a deeper understanding of the organizational infrastructure.
  • Developing a security architecture should also result in a list of opportunities (i.e. initiatives) that an organization can integrate into a roadmap. These initiatives will seek to improve security operations and strengthen the IT department’s understanding of security’s role within the organization.
  • A better understanding of the infrastructure will help to save time on determining the correct technologies required from vendors, and therefore, cut down on the amount of vendor noise.
  • Creating a defensible roadmap will assist with justifying future security spend.

Key deliverable:

Solution Architecture Template
Record the results from the exercises to help you define, detail, and make real your digital product vision.

Blueprint Deliverables

Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:

This image contains screenshots of the deliverables which will be discussed later in this blueprint

Info-Tech offers various levels of support to best suit your needs

DIY Toolkit

Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.

Guided Implementation

Our team knows that we need to fix a process, but we need assistance to determine where to focus. some check-ins along the way would help keep us on track

Workshop

We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place

Consulting

Our team does not have the time or the knowledge to take this project on. we need assistance through the entirety of this project.

Diagnostics and consistent frameworks are used throughout all four options

Workshop Overview

Contact your account representative for more information. workshops@infotech.com 1-888-670-8889

Day 1 Day 2 Day 3 Day 4
Exercises
  1. Articulate an architectural vision
  2. Develop dynamic value stream maps
  1. Create a conceptual map between the value stream, use case, and required architectural attribute
  2. Create a prioritized list of architectural attributes
  3. Develop a data architecture that supports transactional and analytical needs
  1. Document security architecture risks and mitigations
  2. Document scalability architecture
  1. Document performance-enhancing architecture
  2. Bring it all together
Outcomes
  1. Architecture vision
  2. Dynamic value stream maps (including user stories/personas)
  1. List of required architectural attributes
  2. Architectural attributes prioritized
  3. Data architecture design decisions
  1. Security threat and risk analysis
  2. Security design decisions
  3. Scalability design decisions
  1. Performance design decisions
  2. Finalized decisions

Guided Implementation

What does a typical GI on this topic look like?

A Guided Implementation (GI) is series of calls with an Info-Tech analyst to help implement our best practices in your organization.
This GI is between 8 to 10 calls over the course of approximately four to six months.

Phase 1 Phase 2 Phase 2
Call #1:
Articulate an architectural vision.
Call #4:
Continue discussion on value stream mapping and related use cases.
Call #6:
Document security design decisions.
Call #2:
Discuss value stream mapping and related use cases.
Call #5:
  • Map the value streams to required architectural attribute.
  • Create a prioritized list of architectural attributes.
Call #7:
  • Document scalability design decisions.
  • Document performance design decisions.
Call #3:
Continue discussion on value stream mapping and related use cases.
Call #8:
Bring it all together.

Phase 1: Visions and Value Maps

Phase 1

1.1 Articulate an Architectural Vision
1.2 Develop Dynamic Value Stream Maps
1.3 Map Value Streams, Use Cases, and Required Architectural Attributes
1.4 Create a Prioritized List of Architectural Attributes

Phase 2

2.1 Develop a Data Architecture That Supports Transactional and Analytical Needs
2.2 Document Security Architecture Risks and Mitigations

Phase 3

3.1 Document Scalability Architecture
3.2 Document Performance Enhancing Architecture
3.3 Combine the Different Architecture Design Decisions Into a Unified Solution Architecture

This phase will walk you through the following activities:

  • Determine a vision for architecture outcomes
  • Draw dynamic value stream maps
  • Derive architectural design decisions
  • Prioritize design decisions

This phase involves the following participants:

  • Business Architect
  • Product Owner
  • Application Architect
  • Integration Architect
  • Database Architect
  • Enterprise Architect

Enhance Your Solution Architecture Practice

Let’s get this straight: You need an architectural vision

If you start off by saying I want to architect a system, you’ve already lost. Remember what a vision is for!

An architectural vision...

… is your North Star

Your product vision serves as the single fixed point for product development and delivery.

… aligns stakeholders

It gets everyone on the same page.

… helps focus on meaningful work

There is no pride in being a rudderless ship. It can also be very expensive.

And eventually...

… kick-starts your strategy

We know where to go, we know who to bring along, and we know the steps to get there. Let’s plan this out.

An architectural vision is multi-dimensional

Who is the target customer (or customers)?

What is the key benefit a customer can get from using our service or product?

Why should they be engaged with you?

What makes our service or product better than our competitors?

(Adapted from Crossing the Chasm)

Info-Tech Insight

It doesn’t matter if you are delivering value to internal or external stakeholders, you need a product vision to ensure everyone understands the “why.”

Use a canvas as the dashboard for your architecture

The solution architecture canvas provides a single dashboard to quickly define and communicate the most important information about the vision. A canvas is an effective tool for aligning teams and providing an executive summary view.

This image contains a sample canvas for you to use as the dashboard for your architecture. The sections are: Solution Name, Tracking Info, Vision, Business Goals, Metrics, Personas, and Stakeholders.

Leverage the solution architecture canvas to state and inform your architecture vision

This image contains the sample canvas from the previous section, with annotations explaining what to do for each of the headings.

1.1 Craft a vision statement for your solution’s architecture

  1. Use the product canvas template provided for articulating your solution’s architecture.

*If needed, remove or add additional data points to fit your purposes.

There are different statement templates available to help form your product vision statements. Some include:

  • For [our target customer], who [customer’s need], the [product] is a [product category or description] that [unique benefits and selling points]. Unlike [competitors or current methods], our product [main differentiators].
  • We believe (in) a [noun: world, time, state, etc.] where [persona] can [verb: do, make, offer, etc.], for/by/with [benefit/goal].
  • To [verb: empower, unlock, enable, create, etc.] [persona] to [benefit, goal, future state].
  • Our vision is to [verb: build, design, provide] the [goal, future state] to [verb: help, enable, make it easier to...] [persona].

(Adapted from Crossing the Chasm)

Download the Solution Architecture Template and document your vision statement.

Input

  • Business Goals
  • Product Portfolio Vision

Output

  • Solution Architecture Vision

Materials

  • Whiteboard/Flip Charts

Participants

  • Business Architect
  • Product Owner
  • IT Leadership
  • Business Leadership

Solution Architecture Canvas: Refine your vision statement

This image contains a screenshot of the canvas from earlier in the blueprint, with only the annotation for Solution Name: Vision, unique value proposition, elevator pitch, or positioning statement.

Understand your value streams before determining your solution’s architecture

Business Strategy

Sets and communicates the direction of the entire organization.

Value Stream

Segments, groups, and creates a coherent narrative as to how an organization creates value.

Business Capability Map

Decomposes an organization into its component parts to establish a common language across the organization.

Execution

Implements the business strategy through capability building or improvement projects.

Identify your organization’s goals and define the value streams that support them

Goal

Revenue Growth

Value Streams

Stream 1- Product Purchase
Stream 2- Customer Acquisition
stream 3- Product Financing

There are many techniques that help with constructing value streams and their capabilities.

Domain-driven design is a technique that can be used for hypothesizing the value maps, their capabilities, and associated solution architecture.

Read more about domain-driven design here.

Value streams can be external (deliver value to customers) or internal (support operations)

    External Perspective

  1. Core value streams are mostly externally facing: they deliver value to either an external/internal customer and they tie to the customer perspective of the strategy map.
  • E.g. customer acquisition, product purchase, product delivery

Internal Perspective

  • Support value streams are internally facing: they provide the foundational support for an organization to operate.
    • E.g. employee recruitment to retirement

    Key Questions to Ask While Evaluating Value Streams

    • Who are your customers?
    • What benefits do we deliver to them?
    • How do we deliver those benefits?
    • How does the customer receive the benefits?
    This image contains an example of value streams. The main headings are: Customer Acquisitions, Product Purchase, Product Delivery, Confirm Order, Product Financing, and Product Release.

    Value streams highlight the what, not the how

    Value chains set a high-level context, but architectural decisions still need to be made to deal with the dynamism of user interaction and their subsequent expectations. User stories (and/or use cases) and themes are great tools for developing such decisions.

    Product Delivery

    1. Order Confirmation
    2. Order Dispatching
    3. Warehouse Management
    4. Fill Order
    5. Ship Order
    6. Deliver Order

    Use Case and User Story Theme: Confirm Order

    This image shows the relationship between confirming the customer's order online, and the Online Buyer, the Online Catalog, the Integrated Payment, and the Inventory Lookup.

    The use case Confirming Customer’s Online Order has four actors:

    1. An Online Buyer who should be provided with a catalog of products to purchase from.
    2. An Online Catalog that is invoked to display its contents on demand.
    3. An Integrated Payment system for accepting an online form of payment (credit card, Bitcoins, etc.) in a secure transaction.
    4. An Inventory Lookup module that confirms there is stock available to satisfy the Online Buyer’s order.

    Info-Tech Insight

    Each use case theme links back to a feature(s) in the product backlog.

    Related Research

    Deliver on Your Digital Portfolio Vision

    • Recognize that a vision is only as good as the data that backs it up. Lay out a comprehensive backlog with quality built in that can be effectively communicated and understood through roadmaps.
    • Your intent is only a dream if it cannot be implemented – define what goes into a release plan via the release canvas.
    • Define a communication approach that lets everyone know where you are heading.

    Document Your Business Architecture

    • Recognize the opportunity for architecture work, analyze the current and target states of your business strategy, and identify and engage the right stakeholders.
    • Model the business in the form of architectural blueprints.
    • Apply business architecture techniques such as strategy maps, value streams, and business capability maps to design usable and accurate blueprints of the business.
    • Drive business architecture forward to promote real value to the organization.
    • Assess your current projects to determine if you are investing in the right capabilities. Conduct business capability assessments to identify opportunities and to prioritize projects.

    1.2 Document dynamic value stream maps

    1. Create value stream maps that support your business objectives.
    • The value stream maps could belong to existing or new business objectives.
  • For each value stream map:
    • Determine use case(s), the actors, and their expected activity.

    *Refer to the next slide for an example of a dynamic value stream map.

    Download the Solution Architecture Template for documentation of dynamic value stream map

    Input

    • Business Goals
    • Some or All Existing Business Processes
    • Some or All Proposed New Business Processes

    Output

    • Dynamic Value Stream Maps for Multiple Use Roles and Use Cases

    Materials

    • Whiteboard/Flip Charts

    Participants

    • Business Architect
    • Product Owner
    • Application Architect
    • Integration Architect

    Example: Dynamic value stream map

    Loan Provision*

    *Value Stream Name: Usually has the same name as the capability it illustrates.

    Loan Application**; Disbursement of Fund**; Risk Management**; Service Accounts**

    **Value Stream Components: Specific functions that support the successful delivery of a value stream.

    Disbursement of Funds

    This image shows the relationship between depositing the load into the applicant's bank account, and the Applicant's bank, the Loan Applicant, and the Loan Supplier.

    Style #1:

    The use case Disbursement of Funds has three actors:

    1. A Loan Applicant who applied for a loan and got approved for one.
    2. A Loan Supplier who is the source for the funds.
    3. The Applicant’s Bank that has an account into which the funds are deposited.

    Style # 2:

    Loan Provision: Disbursement of Funds
    Use Case Actors Expectation
    Deposit Loan Into Applicant’s Bank Account
    1. Loan Applicant
    2. Loan Supplier
    3. Applicant’s Bank
    1. Should be able to see deposit in bank account
    2. Deposit funds into account
    3. Accept funds into account

    Mid-Phase 1 Checkpoint

    By now, the following items are ideally completed:

    • Mid-Phase 1 Checkpoint

    Start with an investigation of your architecture’s qualitative needs

    Quality attributes can be viewed as the -ilities (e.g. scalability, usability, reliability) that a software system needs to provide. A system not meeting any of its quality attribute requirements will likely not function as required. Examples of quality attributes are:

    1. Slow system response time
    2. Security breaches that result in loss of personal data
    3. A product feature upgrade that is not compatible with previous versions
    Examples of Qualitative Attributes
    Performance Compatibility Usability Reliability Security Maintainability
    • Response Time
    • Resource Utilization
    • System Capacity
    • Interoperability
    • Accessibility
    • User Interface
    • Intuitiveness
    • Availability
    • Fault Tolerance
    • Recoverability
    • Integrity
    • Non-Repudiation
    • Modularity
    • Reusability
    • Modifiability
    • Testability

    Focus on quality attributes that are architecturally significant.

    • Not every system requires every quality attribute.
    • Pay attention to those attributes without which the solution will not be able to satisfy a user’s abstract* expectation.
    • This set can be considered Architecturally Significant Requirements (ASR). ASR concern scenarios have the most impact on the architecture of the software system.
    • ASR are fundamental needs of the system and changing them in the future can be a costly and difficult exercise.

    *Abstract since attributes like performance and reliability are not directly measurable by a user.

    Stimulus Response Measurement Environmental Context

    For applicable use cases: (*Adapted from S Carnegie Mellon University, 2000)

    1. Determine the Stimulus (temporal, external, or internal) that puts stress on the system. For example, a VPN-accessed hospital management system is used for nurses to login at 8am every weekday.
    2. Describe how the system should Respond to the stimulus. For example, the hospital management system should complete a nurse login under 10ms on initiation of the HTTPS request.
    3. Set a Measurement criteria for determining the success of the response to the stimulus. For example, the system should be able to successfully respond to 98% of the HTTPS requests the first time.
    4. Note the environmental context under which the stimulus occurs, including any unusual conditions in effect.
    • The hospital management system needs to respond in under 10ms under typical load or peak load?
    • What is the time variance of peak loads, for example, an e-commerce system during a Black Friday sale?
    • How big is the peak load?

    Info-Tech Insight

    Three out of four is bad. Don’t architect for normal situations because the solution will be fragile and prone to catastrophic failure under unexpected events.
    Read article: Retail sites crash under weight of online Black Friday shoppers.

    Discover and evaluate the qualitative attributes needed for use cases or user stories

    Deposit Loan Into Applicant’s Bank Account

    Assume analysis is being done for a to-be developed system.

    User Loan Applicant
    Expectations On login to the web system, should be able to see accurate bank balance after loan funds are deposited.
    User signs into the online portal and opens their account balance page.
    Expected Response From System System creates a connection to the data source and renders it on the screen in under 10ms.
    Measurement Under Normal Loads:
    • Response in 10ms or less
    • Data should not be stale
    Under Peak Loads:
    • Response in 15ms or less
    • Data should not be stale
    Quality Attribute Required Required Attribute # 1: Performance
    • Design Decision: Reduce latency by placing authorization components closer to user’s location.
    Required Attribute # 2: Data Reliability
    • Design Decision: Use event-driven ETL pipelines.
    Required Attribute # 3: Scalability
    • Design Decision: Following Principle # 4 of the CSA (JIT Architecture), delay decision until necessary.

    Use cases developed in Phase 1.2 should be used here. (Adapted from the ATAM Utility Tree Method for Quality Attribute Engineering)

    Reduce technical debt while you are at it

    Deposit Loan Into Applicant’s Bank Account

    Assume analysis is being done for a to-be developed system.

    UserLoan Applicant
    ExpectationsOn login to the web system, should be able to see accurate bank balance after loan funds are deposited.
    User signs into the online portal and opens their account balance page.
    Expected Response From SystemSystem creates a connection to the data source and renders it on the screen in under 10ms.
    MeasurementUnder Normal Loads:
    • Response in 10ms or less
    • Data should not be stale
    Under Peak Loads:
    • Response in 15ms or less
    • Data should not be stale
    Quality Attribute RequiredRequired Attribute # 1: Performance
    • Design Decision: Reduce latency by placing authorization components closer to user’s location.

    Required Attribute # 2: Data Reliability

    • Expected is 15ms or less under peak loads, but average latency is 21ms.
    • Design Decision: Use event-driven ETL pipelines.

    Required Attribute # 3: Scalability

    • Data should not be stale and should sync instantaneously, but in some zip codes data synchronization is taking 8 hours.
    • Design Decision: Investigate integrations and flows across application, database, and infrastructure. (Note: A dedicated section for discussing scalability is presented in Phase 2.)

    1.3 Create a conceptual map between the value streams, use cases, and required architectural attributes

    1. For selected use cases completed in Phase 1.2:
    • Map the value stream to its associated use cases.
    • For each use case, list the required architectural quality attributes.

    Download the Solution Architecture Template for mapping value stream components to their required architectural attribute.

    Input

    • Use Cases
    • User Roles
    • Stimulus to System
    • Response From System
    • Response Measurement

    Output

    • List of Architectural Quality Attributes

    Materials

    • Whiteboard/Flip Charts

    Participants

    • Business Architect
    • Application Architect
    • Integration Architect
    • Database Architect
    • Infrastructure Architect

    Example for Phase 1.3

    Loan Provision

    Loan Application → Disbursement of Funds → Risk Management → Service Accounts

    Value Stream Component Use Case Required Architectural Attribute
    Loan Application UC1: Submit Loan Application
    UC2: Review Loan Application
    UC3: Approve Loan Application
    UCn: ……..
    UC1: Resilience, Data Reliability
    UC2: Data Reliability
    UC3: Scalability, Security, Performance
    UCn: …..
    Disbursement of Funds UC1: Deposit Funds Into Applicant’s Bank Account
    UCn: ……..
    UC1: Performance, Scalability, Data Reliability
    Risk Management ….. …..
    Service Accounts ….. …..

    1.2 Document dynamic value stream maps

    1. Create value stream maps that support your business objectives.
    • The value stream maps could belong to existing or new business objectives.
  • For each value stream map:
    • Determine use case(s), the actors, and their expected activity.

    *Refer to the next slide for an example of a dynamic value stream map.

    Download the Solution Architecture Template for documentation of dynamic value stream map

    Input

    • Business Goals
    • Some or All Existing Business Processes
    • Some or All Proposed New Business Processes

    Output

    • Dynamic Value Stream Maps for Multiple Use Roles and Use Cases

    Materials

    • Whiteboard/Flip Charts

    Participants

    • Business Architect
    • Product Owner
    • Application Architect
    • Integration Architect

    Example: Dynamic value stream map

    Loan Provision*

    *Value Stream Name: Usually has the same name as the capability it illustrates.

    Loan Application**; Disbursement of Fund**; Risk Management**; Service Accounts**

    **Value Stream Components: Specific functions that support the successful delivery of a value stream.

    Disbursement of Funds

    This image shows the relationship between depositing the load into the applicant's bank account, and the Applicant's bank, the Loan Applicant, and the Loan Supplier.

    Style #1:

    The use case Disbursement of Funds has three actors:

    1. A Loan Applicant who applied for a loan and got approved for one.
    2. A Loan Supplier who is the source for the funds.
    3. The Applicant’s Bank that has an account into which the funds are deposited.

    Style # 2:

    Loan Provision: Disbursement of Funds
    Use Case Actors Expectation
    Deposit Loan Into Applicant’s Bank Account
    1. Loan Applicant
    2. Loan Supplier
    3. Applicant’s Bank
    1. Should be able to see deposit in bank account
    2. Deposit funds into account
    3. Accept funds into account

    Mid-Phase 1 Checkpoint

    By now, the following items are ideally completed:

    • Mid-Phase 1 Checkpoint

    Start with an investigation of your architecture’s qualitative needs

    Quality attributes can be viewed as the -ilities (e.g. scalability, usability, reliability) that a software system needs to provide. A system not meeting any of its quality attribute requirements will likely not function as required. Examples of quality attributes are:

    1. Slow system response time
    2. Security breaches that result in loss of personal data
    3. A product feature upgrade that is not compatible with previous versions
    Examples of Qualitative Attributes
    Performance Compatibility Usability Reliability Security Maintainability
    • Response Time
    • Resource Utilization
    • System Capacity
    • Interoperability
    • Accessibility
    • User Interface
    • Intuitiveness
    • Availability
    • Fault Tolerance
    • Recoverability
    • Integrity
    • Non-Repudiation
    • Modularity
    • Reusability
    • Modifiability
    • Testability

    Focus on quality attributes that are architecturally significant.

    • Not every system requires every quality attribute.
    • Pay attention to those attributes without which the solution will not be able to satisfy a user’s abstract* expectation.
    • This set can be considered Architecturally Significant Requirements (ASR). ASR concern scenarios have the most impact on the architecture of the software system.
    • ASR are fundamental needs of the system and changing them in the future can be a costly and difficult exercise.

    *Abstract since attributes like performance and reliability are not directly measurable by a user.

    Stimulus Response Measurement Environmental Context

    For applicable use cases: (*Adapted from S Carnegie Mellon University, 2000)

    1. Determine the Stimulus (temporal, external, or internal) that puts stress on the system. For example, a VPN-accessed hospital management system is used for nurses to login at 8am every weekday.
    2. Describe how the system should Respond to the stimulus. For example, the hospital management system should complete a nurse login under 10ms on initiation of the HTTPS request.
    3. Set a Measurement criteria for determining the success of the response to the stimulus. For example, the system should be able to successfully respond to 98% of the HTTPS requests the first time.
    4. Note the environmental context under which the stimulus occurs, including any unusual conditions in effect.
    • The hospital management system needs to respond in under 10ms under typical load or peak load?
    • What is the time variance of peak loads, for example, an e-commerce system during a Black Friday sale?
    • How big is the peak load?

    Info-Tech Insight

    Three out of four is bad. Don’t architect for normal situations because the solution will be fragile and prone to catastrophic failure under unexpected events.
    Read article: Retail sites crash under weight of online Black Friday shoppers.

    Discover and evaluate the qualitative attributes needed for use cases or user stories

    Deposit Loan Into Applicant’s Bank Account

    Assume analysis is being done for a to-be developed system.

    User Loan Applicant
    Expectations On login to the web system, should be able to see accurate bank balance after loan funds are deposited.
    User signs into the online portal and opens their account balance page.
    Expected Response From System System creates a connection to the data source and renders it on the screen in under 10ms.
    Measurement Under Normal Loads:
    • Response in 10ms or less
    • Data should not be stale
    Under Peak Loads:
    • Response in 15ms or less
    • Data should not be stale
    Quality Attribute Required Required Attribute # 1: Performance
    • Design Decision: Reduce latency by placing authorization components closer to user’s location.
    Required Attribute # 2: Data Reliability
    • Design Decision: Use event-driven ETL pipelines.
    Required Attribute # 3: Scalability
    • Design Decision: Following Principle # 4 of the CSA (JIT Architecture), delay decision until necessary.

    Use cases developed in Phase 1.2 should be used here. (Adapted from the ATAM Utility Tree Method for Quality Attribute Engineering)

    Reduce technical debt while you are at it

    Deposit Loan Into Applicant’s Bank Account

    Assume analysis is being done for a to-be developed system.

    UserLoan Applicant
    ExpectationsOn login to the web system, should be able to see accurate bank balance after loan funds are deposited.
    User signs into the online portal and opens their account balance page.
    Expected Response From SystemSystem creates a connection to the data source and renders it on the screen in under 10ms.
    MeasurementUnder Normal Loads:
    • Response in 10ms or less
    • Data should not be stale
    Under Peak Loads:
    • Response in 15ms or less
    • Data should not be stale
    Quality Attribute RequiredRequired Attribute # 1: Performance
    • Design Decision: Reduce latency by placing authorization components closer to user’s location.

    Required Attribute # 2: Data Reliability

    • Expected is 15ms or less under peak loads, but average latency is 21ms.
    • Design Decision: Use event-driven ETL pipelines.

    Required Attribute # 3: Scalability

    • Data should not be stale and should sync instantaneously, but in some zip codes data synchronization is taking 8 hours.
    • Design Decision: Investigate integrations and flows across application, database, and infrastructure. (Note: A dedicated section for discussing scalability is presented in Phase 2.)

    1.3 Create a conceptual map between the value streams, use cases, and required architectural attributes

    1. For selected use cases completed in Phase 1.2:
    • Map the value stream to its associated use cases.
    • For each use case, list the required architectural quality attributes.

    Download the Solution Architecture Template for mapping value stream components to their required architectural attribute.

    Input

    • Use Cases
    • User Roles
    • Stimulus to System
    • Response From System
    • Response Measurement

    Output

    • List of Architectural Quality Attributes

    Materials

    • Whiteboard/Flip Charts

    Participants

    • Business Architect
    • Application Architect
    • Integration Architect
    • Database Architect
    • Infrastructure Architect

    Prioritize architectural quality attributes to ensure a right-engineered solution

    Trade-offs are inherent in solution architecture. Scaling systems may impact performance and weaken security, while fault-tolerance and redundancy may improve availability but at higher than desired costs. In the end, the best solution is not always perfect, but balanced and right-engineered (versus over- or under-engineered).

    Loan Provision

    Loan Application → Disbursement of Funds → Risk Management → Service Accounts

    1. Map architecture attributes against the value stream components.
    • Use individual use cases to determine which attributes are needed for a value stream component.
    This image contains a screenshot of the table showing the importance of scalability, resiliance, performance, security, and data reliability for loan application, disbursement of funds, risk management, and service accounts.

    In our example, the prioritized list of architectural attributes are:

    • Security (4 votes for Very Important)
    • Data Reliability (2 votes for Very Important)
    • Scalability (1 vote for Very Important and 1 vote for Fairly Important) and finally
    • Resilience (1 vote for Very Important, 0 votes for Fairly Important and 1 vote for Mildly Important)
    • Performance (0 votes for Very Important, 2 votes for Fairly Important)

    1.4 Create a prioritized list of architectural attributes (from 1.3)

    1. Using the tabular structure shown on the previous slide:
    • Map each value stream component against architectural quality attributes.
    • For each mapping, indicate its importance using the green, blue, and yellow color scheme.

    Download the Solution Architecture Template and document the list of architectural attributes by priority.

    Input

    • List of Architectural Attributes From 1.3

    Output

    • Prioritized List of Architectural Attributes

    Materials

    • Whiteboard/Flip Charts

    Participants

    • Business Architect
    • Application Architect
    • Integration Architect
    • Database Architect
    • Infrastructure Architect

    End of Phase 1

    At the end of this Phase, you should have completed the following activities:

    • Documented a set of dynamic value stream maps along with selected use cases.
    • Using the SRME framework, identified quality attributes for the system under investigation.
    • Prioritized quality attributes for system use cases.

    Phase 2: Multi-Purpose Data and Security Architecture

    Phase 1

    1.1 Articulate an Architectural Vision
    1.2 Develop Dynamic Value Stream Maps
    1.3 Map Value Streams, Use Cases, and Required Architectural Attributes
    1.4 Create a Prioritized List of Architectural Attributes

    Phase 2

    2.1 Develop a Data Architecture That Supports Transactional and Analytical Needs
    2.2 Document Security Architecture Risks and Mitigations

    Phase 3

    3.1 Document Scalability Architecture
    3.2 Document Performance Enhancing Architecture
    3.3 Combine the Different Architecture Design Decisions Into a Unified Solution Architecture

    This phase will walk you through the following activities:

    • Understand the scalability, performance, resilience, and security needs of the business.

    This phase involves the following participants:

    • Business Architect
    • Product Owner
    • Application Architect
    • Integration Architect
    • Database Architect
    • Enterprise Architect

    Enhance Your Solution Architecture Practice

    Fragmented data environments need something to sew them together

    • A full 93% of enterprises have a multi-cloud strategy, with 87% having a hybrid-cloud environment in place.
    • On average, companies have data stored in 2.2 public and 2.2 private clouds as well as in various on-premises data repositories.
    This image contains a breakdown of the cloud infrastructure, including single cloud versus multi-cloud.

    Source: Flexera

    In addition, companies are faced with:

    • Access and integration challenges (Who is sending the data? Who is getting it? Can we trust them?)
    • Data format challenges as data may differ for each consumer and sender of data
    • Infrastructure challenges as data repositories/processors are spread out over public and private clouds, are on premises, or in multi-cloud and hybrid ecosystems
    • Structured vs. unstructured data

    A robust and reliable integrated data architecture is essential for any organization that aspires to be relevant and impactful in its industry.

    Data’s context and influence on a solution’s architecture cannot be overestimated

    Data used to be the new oil. Now it’s the life force of any organization that has serious aspirations of providing profit-generating products and services to customers. Architectural decisions about managing data have a significant impact on the sustainability of a software system as well as on quality attributes such as security, scalability, performance, and availability.

    Storage and Processing go hand in hand and are the mainstay of any data architecture. Due to their central position of importance, an architecture decision for storage and processing must be well thought through or they become the bottleneck in an otherwise sound system.

    Ingestion refers to a system’s ability to accept data as an input from heterogenous sources, in different formats, and at different intervals.

    Dissemination is the set of architectural design decisions that make a system’s data accessible to external consumers. Major concerns involve security for the data in motion, authorization, data format, concurrent requests for data, etc.

    Orchestration takes care of ensuring data is current and reliable, especially for systems that are decentralized and distributed.

    Data architecture requires alignment with a hybrid data management plan

    Most companies have a combination of data. They have data they own using on-premises data sources and on the cloud. Hybrid data management also includes external data, such as social network feeds, financial data, and legal information amongst many others.

    Data integration architectures have typically been put in one of two major integration patterns:

    Application to Application Integration (or “speed matters”) Analytical Data Integrations (or “send it to me when its all done”)
    • This domain is concerned with ensuring communication between processes.
    • Examples include patterns such as Service-Oriented Architecture, REST, Event Hubs and Enterprise Service Buses.
    • This domain is focused on integrating data from transactional processes towards enterprise business intelligence. It supports activities that require well-managed data to generate evidence-based insights.
    • Examples of this pattern are ELT, enterprise data warehouses, and data marts.

    Sidebar

    Difference between real-time, batch, and streaming data movements

    Real-Time

    • Reacts to data in seconds or even quicker.
    • Real-time systems are hard to implement.

    Batch

    • Batch processing deals with a large volume of data all at once and data-related jobs are typically completed simultaneously in non-stop, sequential order.
    • Batch processing is an efficient and low-cost means of data processing.
    • Execution of batch processing jobs can be controlled manually, providing further control over how the system treats its data assets.
    • Batch processing is only useful if there are no requirements for data to be fresh and current. Real-time systems are suited to processing data that requires these attributes.

    Streaming

    • Stream processing allows almost instantaneous analysis of data as it streams from one device to another.
    • Since data is analyzed quickly, storage may not be a concern (since only computed data is stored while raw data can be dispersed).
    • Streaming requires the flow of data into the system to equal the flow of data computing, otherwise issues of data storage and performance can rise.

    Modern data ingestion and dissemination frameworks keep core data assets current and accessible

    Data ingestion and dissemination frameworks are critical for keeping enterprise data current and relevant.

    Data ingestion/dissemination frameworks capture/share data from/to multiple data sources.

    Factors to consider when designing a data ingestion/dissemination architecture

    What is the mode for data movement?

    • The mode for data movement is directly influenced by the size of data being moved and the downstream requirements for data currency.
    • Data can move in real-time, as a batch, or as a stream.

    What is the ingestion/dissemination architecture deployment strategy?

    • Outside of critical security concerns, hosting on the cloud vs. on premises leads to a lower total cost of ownership (TCO) and a higher return on investment (ROI).

    How many different and disparate data sources are sending/receiving data?

    • Stability comes if there is a good idea about the data sources/recipient and their requirements.

    What are the different formats flowing through?

    • Is the data in the form of data blocks? Is it structured, semi-unstructured, or unstructured?

    What are expected performance SLAs as data flow rate changes?

    • Data change rate is defined as the size of changes occurring every hour. It helps in selecting the appropriate tool for data movement.
    • Performance is a derivative of latency and throughput, and therefore, data on a cloud is going to have higher latency and lower throughput then if it is kept on premises.
    • What is the transfer data size? Are there any file compression and/or file splits applied on the data? What is the average and maximum size of a block object per ingestion/dissemination operation?

    What are the security requirements for the data being stored?

    • The ingestion/dissemination framework should be able to work through a secure tunnel to collect/share data if needed.

    Sensible storage and processing strategy can improve performance and scalability and be cost-effective

    The range of options for data storage is staggering...

    … but that’s a good thing because the range of data formats that organizations must deal with is also richer than in the past.

    Different strokes for different workloads.

    The data processing tool to use may depend upon the workloads the system has to manage.

    Expanding upon the Risk Management use case (as part of the Loan Provision Capability), one of the outputs for risk assessment is a report that conducts a statistical analysis of customer profiles and separates those that are possibly risky. The data for this report is spread out across different data systems and will need to be collected in a master data management storage location. The business and data architecture team have discussed three critical system needs, noted below:

    Data Management Requirements for Risk Management Reporting Data Design Decision
    Needs to query millions of relational records quickly
    • Strong indexing
    • Strong caching
    • Message queue
    Needs a storage space for later retrieval of relational data
    • Data storage that scales as needed
    Needs turnkey geo-replication mechanism with document retrieval in milliseconds
    • Add NoSQL with geo-replication and quick document access

    Keep every core data source on the same page through orchestration

    Data orchestration, at its simplest, is the combination of data integration, data processing, and data concurrency management.

    Data pipeline orchestration is a cross-cutting process that manages the dependencies between your data integration tasks and scheduled data jobs.

    A task or application may periodically fail, and therefore, as a part of our data architecture strategy, there must be provisions for scheduling, rescheduling, replaying, monitoring, retrying, and debugging the entire data pipeline in a holistic way.

    Some of the functionality provided by orchestration frameworks are:

    • Job scheduling
    • Job parametrization
    • SLAs tracking, alerting, and notification
    • Dependency management
    • Error management and retries
    • History and audit
    • Data storage for metadata
    • Log aggregation
    Data Orchestration Has Three Stages
    Organize Transform Publicize
    Organizations may have legacy data that needs to be combined with new data. It’s important for the orchestration tool to understand the data it deals with. Transform the data from different sources into one standard type. Make transformed data easily accessible to stakeholders.

    2.1 Discuss and document data architecture decisions

    1. Using the value maps and associated use cases from Phase 1, determine the data system quality attributes.
    2. Use the sample tabular layout on the next slide or develop one of your own.

    Download the Solution Architecture Template for documenting data architecture decisions.

    Input

    • Value Maps and Use Cases

    Output

    • Initial Set of Data Design Decisions

    Materials

    • Whiteboard/Flip Charts

    Participants

    • Business Architect
    • Application Architect
    • Integration Architect
    • Database Architect
    • Infrastructure Architect

    Example: Data Architecture

    Data Management Requirements for Risk Management Reporting Data Design Decision
    Needs to query millions of relational records quickly
    • Strong indexing
    • Strong caching
    • Message queue
    Needs a storage space for later retrieval of relational data
    • Data storage that scales as needed
    Needs turnkey geo-replication mechanism with document retrieval in milliseconds
    • Add NoSQL with geo-replication and quick document access

    There is no free lunch when making the most sensible security architecture decision; tradeoffs are a necessity

    Ensuring that any real system is secure is a complex process involving tradeoffs against other important quality attributes (such as performance and usability). When architecting a system, we must understand:

    • Its security needs.
    • Its security threat landscape.
    • Known mitigations for those threats to ensure that we create a system with sound security fundamentals.

    The first thing to do when determining security architecture is to conduct a threat and risk assessment (TRA).

    This image contains a sample threat and risk assessment. The steps are Understand: Until we thoroughly understand what we are building, we cannot secure it. Structure what you are building, including: System boundary, System structure, Databases, Deployment platform; Analyze: Use techniques like STRIDE and attack trees to analyze what can go wrong and what security problems this will cause; Mitigate: The security technologies to use, to mitigate your concerns, are discussed here. Decisions about using single sign-on (SSO) or role-based access control (RBAC), encryption, digital signatures, or JWT tokens are made. An important part of this step is to consider tradeoffs when implementing security mechanisms; validate: Validation can be done by experimenting with proposed mitigations, peer discussion, or expert interviews.

    Related Research

    Optimize Security Mitigation Effectiveness Using STRIDE

    • Have a clear picture of:
      • Critical data and data flows
      • Organizational threat exposure
      • Security countermeasure deployment and coverage
    • Understand which threats are appropriately mitigated and which are not.
    • Generate a list of initiatives to close security gaps.
    • Create a quantified risk and security model to reassess program and track improvement.
    • Develop measurable information to present to stakeholders.

    The 3A’s of strong security: authentication, authorization, and auditing

    Authentication

    Authentication mechanisms help systems verify that a user is who they claim to be.

    Examples of authentication mechanisms are:

    • Two-Factor Authentication
    • Single Sign-On
    • Multi-Factor Authentication
    • JWT Over OAUTH

    Authorization

    Authorization helps systems limit access to allowed features, once a user has been authenticated.

    Examples of authentication mechanisms are:

    • RBAC
    • Certificate Based
    • Token Based

    Auditing

    Securely recording security events through auditing proves that our security mechanisms are working as intended.

    Auditing is a function where security teams must collaborate with software engineers early and often to ensure the right kind of audit logs are being captured and recorded.

    Info-Tech Insight

    Defects in your application software can compromise privacy and integrity even if cryptographic controls are in place. A security architecture made after thorough TRA does not override security risk introduced due to irresponsible software design.

    Examples of threat and risk assessments using STRIDE and attack trees

    STRIDE is a threat modeling framework and is composed of:

    • Spoofing or impersonation of someone other than oneself
    • Tampering with data and destroying its integrity
    • Repudiation by bypassing system identity controls
    • Information disclosure to unauthorized persons
    • Denial of service that prevents system or parts of it from being used
    • Elevation of privilege so that attackers get rights they should not have
    Example of using STRIDE for a TRA on a solution using a payment system This image contains a sample attack tree.
    Spoofing PayPal Bad actor can send fraudulent payment request for obtaining funds.
    Tampering PayPal Bad actor accesses data base and can resend fraudulent payment request for obtaining funds.
    Repudiation PayPal Customer claims, incorrectly, their account made a payment they did not authorize.
    Disclosure PayPal Private service database has details leaked and made public.
    Denial of Service PayPal Service is made to slow down through creating a load on the network, causing massive build up of requests
    Elevation of Privilege PayPal Bad actor attempts to enter someone else’s account by entering incorrect password a number of times.

    2.2 Document security architecture risks and mitigations

    1. Using STRIDE, attack tree, or any other framework of choice:
    • Conduct a TRA for use cases identified in Phase 1.2
  • For each threat identified through the TRA, think through the implications of using authentication, authorization, and auditing as a security mechanism.
  • Download the Solution Architecture Template for documenting data architecture decisions.

    Input

    • Dynamic Value Stream Maps

    Output

    • Security Architecture Risks and Mitigations

    Materials

    • Whiteboard/Flip Charts

    Participants

    • Business Architect
    • Product Owner
    • Security Team
    • Application Architect
    • Integration Architect

    Examples of threat and risk assessments using STRIDE

    Example of using STRIDE for a TRA on a solution using a payment system
    Threat System Component Description Quality Attribute Impacted Resolution
    Spoofing PayPal Bad actor can send fraudulent payment request for obtaining funds. Confidentiality Authorization
    Tampering PayPal Bad actor accesses data base and can resend fraudulent payment request for obtaining funds. Integrity Authorization
    Repudiation PayPal Customer claims, incorrectly, their account made a payment they did not authorize. Integrity Authentication and Logging
    Disclosure PayPal Private service database has details leaked and made public. Confidentiality Authorization
    Denial of Service PayPal Service is made to slow down through creating a load on the network, causing massive build up of requests Availability N/A
    Elevation of Privilege PayPal Bad actor attempts to enter someone else’s account by entering incorrect password a number of times. Confidentiality, Integrity, and Availability Authorization

    Phase 3: Upgrade Your System’s Availability

    Phase 1

    1.1 Articulate an Architectural Vision
    1.2 Develop Dynamic Value Stream Maps
    1.3 Map Value Streams, Use Cases, and Required Architectural Attributes
    1.4 Create a Prioritized List of Architectural Attributes

    Phase 2

    2.1 Develop a Data Architecture That Supports Transactional and Analytical Needs
    2.2 Document Security Architecture Risks and Mitigations

    Phase 3

    3.1 Document Scalability Architecture
    3.2 Document Performance Enhancing Architecture
    3.3 Combine the Different Architecture Design Decisions Into a Unified Solution Architecture

    This phase will walk you through the following activities:

    • Examine architecture for scalable and performant system designs
    • Integrate all design decisions made so far into a solution design decision log

    This phase involves the following participants:

    • Business Architect
    • Product Owner
    • Application Architect
    • Integration Architect
    • Database Architect
    • Enterprise Architect

    Enhance Your Solution Architecture Practice

    In a cloud-inspired system architecture, scalability takes center stage as an architectural concern

    Scale and scope of workloads are more important now than they were, perhaps, a decade and half back. Architects realize that scalability is not an afterthought. Not dealing with it at the outset can have serious consequences should an application workload suddenly exceed expectations.

    Scalability is …

    … the ability of a system to handle varying workloads by either increasing or decreasing the computing resources of the system.

    An increased workload could include:

    • Higher transaction volumes
    • A greater number of users

    Architecting for scalability is …

    … not easy since organizations may not be able to accurately judge, outside of known circumstances, when and why workloads may unexpectedly increase.

    A scalable architecture should be planned at the:

    • Application Level
    • Infrastructure Level
    • Database Level

    The right amount and kind of scalability is …

    … balancing the demands of the system with the supply of attributes.

    If demand from system > supply from system:

    • Services and products are not useable and deny value to customers.

    If supply from system > demand from system:

    • Excess resources have been paid for that are not being used.

    When discussing the scalability needs of a system, investigate the following, at a minimum:

    • In case workloads increase due to higher transaction volumes, will the system be able to cope with the additional stress?
    • In situations where workloads increase, will the system be able to support the additional stress without any major modifications being made to the system?
    • Is the cost associated with handling the increased workloads reasonable for the benefit it provides to the business?
    • Assuming the system doesn’t scale, is there any mechanism for graceful degradation?

    Use evidence-based decision making to ensure a cost-effective yet appropriate scaling strategy

    The best input for an effective scaling strategy is previously gathered traffic data mapped to specific circumstances.

    In some cases, either due to lack of monitoring or the business not being sure of its needs, scalability requirements are hard to determine. In such cases, use stated tactical business objectives to design for scalability. For example, the business might state its desire to achieve a target revenue goal. To accommodate this, a certain number of transactions would need to be conducted, assuming a particular conversion rate.

    Scaling strategies can be based on Vertical or Horizontal expansion of resources.
    Pros Cons
    Vertical
    Scale up through use of more powerful but limited number of resources
    • May not require frequent upgrades.
    • Since data is managed through a limited number of resources, it is easier to share and keep current.
    • Costly upfront.
    • Application, database, and infrastructure may not be able to make optimal use of extra processing power.
    • As the new, more powerful resource is provisioned, systems may experience downtime.
    • Lacks redundancy due to limited points of failure.
    • Performance is constrained by the upper limits of the infrastructure involved.
    Horizontal
    Scale out through use of similarly powered but larger quantity of resources
    • Cost-effective upfront.
    • System downtime is minimal, when scaling is being performed.
    • More redundance and fault-tolerance is possible since there are many nodes involved, and therefore, can replace failed nodes.
    • Performance can scale out as more nodes are added.
    • Upgrades may occur more often than in vertical scaling.
    • Increases machine footprints and administrative costs over time.
    • Data may be partitioned on multiple nodes, leading to administrative and data currency challenges.

    Info-Tech Insight

    • Scalability is the one attribute that sparks a lot of trade-off discussions. Scalable solutions may have to compromise on performance, cost, and data reliability.
    • Horizontal scalability is mostly always preferable over vertical scalability.

    Sidebar

    The many flavors of horizontal scaling

    Traffic Shard-ing

    Through this mechanism, incoming traffic is partitioned around a characteristic of the workload flowing in. Examples of partitioning characteristics are user groups, geo-location, and transaction type.

    Beware of:

    • Lack of data currency across shards.

    Copy and Paste

    As the name suggests, clone the compute resources along with the underlying databases. The systems will use a load balancer as the first point of contact between itself and the workload flowing in.

    Beware of:

    • Though this is a highly scalable model, it does introduce risks related to data currency across all databases.
    • In case master database writes are frequent, it could become a bottleneck for the entire system.

    Productization Through Containers

    This involves breaking up the system into specific functions and services and bundling their business rules/databases into deployable containers.

    Beware of:

    • Too many containers introduce the need to orchestrate the distributed architecture that results from a service-oriented approach.

    Start a scalability overview with a look at the database(s)

    To know where to go, you must know where you are. Before introducing architectural changes to database designs, use the right metrics to get an insight into the root cause of the problem(s).

    In a nutshell, the purpose of scaling solutions is to have the technology stack do less work for the most requested services/features or be able to effectively distribute the additional workload across multiple resources.

    For databases, to ensure this happens, consider these techniques:

    • Reuse data through caching on the server and/or the client. This eliminates the need for looking up already accessed data. Examples of caching are:
      • In-memory caching of data
      • Caching database queries
    • Implement good data retrieval techniques like indexes.
    • Divide labor at the database level.
      • Through setting up primary-secondary distribution of data. In such a setup, the primary node is involved in writing data to itself and passes on requests to secondary nodes for fulfillment.
      • Through setting up database shards (either horizontally or vertically).
        • In a horizontal shard, a data table is broken into smaller pieces with the same data model but unique data in it. The sum total of the shared databases contains all the data in the primary data table.
        • In a vertical shard, a data table is broken into smaller pieces, but each piece may have a subset of the data columns. The data’s corresponding columns are put into the table where the column resides.

    Info-Tech Insight

    A non-scalable architecture has more than just technology-related ramifications. Hoping that load balancers or cloud services will manage scalability-related issues is bound to have economic impacts as well.

    Sidebar

    Caching Options

    CSA PRINCIPLE 5 applies to any decision that supports system scalability.
    “X-ilities Over Features”

    Database Caching
    Fetches and stores result of database queries in memory. Subsequent requests to the database for the same queries will investigate the cache before making a connection with the database.
    Tools like Memcached or Redis are used for database caching.

    Precompute Database Caching
    Unlike database caching, this style of caching precomputes results of queries that are popular and frequently used. For example, a database trigger could execute several predetermined queries and have them ready for consumption. The precomputed results may be stored in a database cache.

    Application Object Caching
    Stores computed results in a cache for later retrieval. For data sources, which are not changing frequently and are part of a computation output, application caching will remove the need to connect with a database.

    Proxy Caching
    Caches retrieved web pages on a proxy server and makes them available for the next time the page is requested.

    The intra- and inter-process communication of the systems middle tier can become a bottleneck

    To synchronize or not to synchronize?

    A synchronous request (doing one thing at a time) means that code execution will wait for the request to be responded to before continuing.

    • A synchronous request is a blocking event and until it is completed, all following requests will have to wait for getting their responses.
    • An increasing workload on a synchronous system may impact performance.
    • Synchronous interactions are less costly in terms of design, implementation, and maintenance.
    • Scaling options include:
    1. Vertical scale up
    2. Horizontal scale out of application servers behind a load balancer and a caching technique (to minimize data retrieval roundtrips)
    3. Horizonal scale out of database servers with data partitioning and/or data caching technique

    Use synchronous requests when…

    • Each request to a system sets the necessary precondition for a following request.
    • Data reliability is important, especially in real-time systems.
    • System flows are simple.
    • Tasks that are typically time consuming, such as I/O, data access, pre-loading of assets, are completed quickly.

    Asynchronous requests (doing many things at the same time) do not block the system they are targeting.

    • It is a “fire and forget” mechanism.
    • Execution on a server/processor is triggered by the request, however, additional technical components (callbacks) for checking the state of the execution must be designed and implemented.
    • Asynchronous interactions require additional time to be spent on implementation and testing.
    • With asynchronous interactions, there is no guarantee the request initiated any processing until the callbacks check the status of the executed thread.

    Use asynchronous requests when…

    • Tasks are independent in nature and don’t require inter-task communication.
    • Systems flows need to be efficient.
    • The system is using event-driven techniques for processing.
    • Many I/O tasks are involved.
    • The tasks are long running.

    Sidebar

    Other architectural tactics for inter-process communication

    STATELESS SERVICES VERSUS STATEFUL SERVICES
    • Does not require any additional data, apart from the bits sent through with the request.
    • Without implementing a caching solution, it is impossible to access the previous data trail for a transaction session.
    • In addition to the data sent through with the request, require previous data sent to complete processing.
    • Requires server memory to store the additional state data. With increasing workloads, this could start impacting the server’s performance.
    It is generally accepted that stateless services are better for system scalability, especially if vertical scaling is costly and there is expectation that workloads will increase.
    MICROSERVICES VERSUS SERVERLESS FUNCTIONS
    • Services are designed as small units of code with a single responsibility and are available on demand.
    • A microservices architecture is easily scaled horizontally by adding a load balancer and a caching mechanism.
    • Like microservices, these are small pieces of code designed to fulfill a single purpose.
    • Are provided only through cloud vendors, and therefore, there is no need to worry about provisioning of infrastructure as needs increase.
    • Stateless by design but the life cycle of a serverless function is vendor controlled.
    Serverless function is an evolving technology and tightly controlled by the vendor. As and when vendors make changes to their serverless products, your own systems may need to be modified to make the best use of these upgrades.

    A team that does not measure their system’s scalability is a team bound to get a 5xx HTTP response code

    A critical aspect of any system is its ability to monitor and report on its operational outcomes.

    • Using the principle of continuous testing, every time an architectural change is introduced, a thorough load and stress testing cycle should be executed.
    • Effective logging and use of insightful metrics helps system design teams make data-driven decisions.
    • Using principle of site reliability engineering and predictive analytics, teams can be prepared for any unplanned exaggerated stimulus on the system and proactively set up remedial steps.

    Any system, however well architected, will break one day. Strategically place kill-switches to counter any failures and thoroughly test their functioning before releasing to production.

    • Using Principles 2 and 9 of the CSA, (include kill-switches and architect for x-ilities over features), introduce tactics at the code and higher levels that can be used to put a system in its previous best state in case of failure.
    • Examples of such tactics are:
      • Feature flags for turning on/off code modules that impact x-ilities.
      • Implement design patterns like throttling, autoscaling, and circuit breaking.
      • Writing extensive log messages that bubble up as exceptions/error handling from the code base. *Logging can be a performance drag. Use with caution as even logging code is still code that needs CPU and data storage.

    Performance is a system’s ability to satisfy time-bound expectations

    Performance can also be defined as the ability for a system to achieve its timing requirements, using available resources, under expected full-peak load:

    (International Organization for Standardization, 2011)

    • Performance and scalability are two peas in a pod. They are related to each other but are distinct attributes. Where scalability refers to the ability of a system to initiate multiple simultaneous processes, performance is the system’s ability to complete the processes within a mandated average time period.
    • Degrading performance is one of the first red flags about a system’s ability to scale up to workload demands.
    • Mitigation tactics for performance are very similar to the tactics for scalability.

    System performance needs to be monitored and measured consistently.

    Measurement Category 1: System performance in terms of end-user experience during different load scenarios.

    • Response time/latency: Length of time it takes for an interaction with the system to complete.
    • Turnaround time: Time taken to complete a batch of tasks.
    • Throughput: Amount of workload a system is capable of handling in a unit time period.

    Measurement Category 2: System performance in terms of load managed by computational resources.

    • Resource utilization: The average usage of a resource (like CPU) over a period. Peaks and troughs indicate excess vs. normal load times.
    • Number of concurrent connections: Simultaneous user requests that a resource like a server can successfully deal with at once.
    • Queue time: The turnaround time for a specific interaction or category of interactions to complete.

    Architectural tactics for performance management are the same as those used for system scalability

    Application Layer

    • Using a balanced approach that combines CSA Principle 7 (Good architecture comes in small packages) and Principle 10 (Architect for products, not projects), a microservices architecture based on domain-driven design helps process performance. Microservices use lightweight HTTP protocols and have loose coupling, adding a degree of resilience to the system as well. *An overly-engineered microservices architecture can become an orchestration challenge.
    • The code design must follow standards that support performance. Example of standards is SOLID*.
    • Serverless architectures can run application code from anywhere – for example, from edge servers close to an end user – thereby reducing latency.

    Database Layer

    • Using the right database technologies for persistence. Relational databases have implicit performance bottlenecks (which get exaggerated as data size grows along with indexes), and document store database technologies (key-value or wide-column) can improve performance in high-read environments.
    • Data sources, especially those that are frequently accessed, should ideally be located close to the application servers. Hybrid infrastructures (cloud and on premises mixed) can lead to latency when a cloud-application is accessing on-premises data.
    • Using a data partitioning strategy, especially in a domain-driven design architecture, can improve the performance of a system.

    Performance modeling and continuous testing makes the SRE a happy engineer

    Performance modeling and testing helps architecture teams predict performance risks as the solution is being developed.
    (CSA Principle 12: Test the solution architecture like you test your solution’s features)

    Create a model for your system’s hypothetical performance testing by breaking an end-to-end process or use case into its components. *Use the SIPOC framework for decomposition.

    This image contains an example of modeled performance, showing the latency in the data flowing from different data sources to the processing of the data.

    In the hypothetical example of modeled performance above:

    • The longest period of latency is 15ms.
    • The processing of data takes 30ms, while the baseline was established at 25ms.
    • Average latency in sending back user responses is 21ms – 13ms slower than expected.

    The model helps architects:

    • Get evidence for their assumptions
    • Quantitatively isolate bottlenecks at a granular level

    Model the performance flow once but test it periodically

    Performance testing measures the performance of a software system under normal and abnormal loads.

    Performance testing process should be fully integrated with software development activities and as automated as possible. In a fast-moving Agile environment, teams should attempt to:

    • Shift-left performance testing activities.
    • Use performance testing to pinpoint performance bottlenecks.
    • Take corrective action, as quickly as possible.

    Performance testing techniques

    • Normal load testing: Verifies the system’s behavior under the expected normal load to ensure that its performance requirements are met. Load testing can be used to measure response time, responsiveness, turnaround time, and throughput.
    • Expected maximum load testing: Like the normal load testing process, ensures system meets its performance requirements under expected maximum load.
    • Stress testing: Evaluates system behavior when processing loads beyond the expected maximum.

    *In a real production scenario, a combination of these tests are executed on a regular basis to monitor the performance of the system over a given period.

    3.1-3.2 Discuss and document initial decisions made for architecture scalability and performance

    1. Use the outcomes from either or both Phases 1.3 and 1.4.
    • For each value stream component, list the architecture decisions taken to ensure scalability and performance at client-facing and/or business-rule layers.

    Download the Solution Architecture Template for documenting data architecture decisions.

    Input

    • Output From Phase 1.3 and/or From Phase 1.4

    Output

    • Initial Set of Design Decisions Made for System Scalability and Performance

    Materials

    • Whiteboard/Flip Charts

    Participants

    • Business Architect
    • Application Architect
    • Integration Architect
    • Database Architect
    • Infrastructure Architect

    Example: Architecture decisions for scalability and performance

    Value Stream Component Design Decision for User Interface Layer Design Decisions for Middle Processing Layer
    Loan Application Scalability: N/A
    Resilience: Include circuit breaker design in both mobile app and responsive websites.
    Performance: Cache data client.
    Scalability: Scale vertically (up) since loan application processing is very compute intensive.
    Resilience: Set up fail-over replica.
    Performance: Keep servers in the same geo-area.
    Disbursement of Funds *Does not have a user interface Scalability: Scale horizontal when traffic reaches X requests/second.
    Resilience: Create microservices using domain-driven design; include circuit breakers.
    Performance: Set up application cache; synchronous communication since order of data input is important.
    …. …. ….

    3.3 Combine the different architecture design decisions into a unified solution architecture

    Download the Solution Architecture Template for documenting data architecture decisions.

    Input

    • Output From Phase 1.3 and/or From Phase 1.4
    • Output From Phase 2.1
    • Output From Phase 2.2
    • Output From 3.1 and 3.2

    Output

    • List of Design Decisions for the Solution

    Materials

    • Whiteboard/Flip Charts

    Participants

    • Business Architect
    • Application Architect
    • Integration Architect
    • Database Architect
    • Infrastructure Architect

    Putting it all together is the bow that finally ties this gift

    This blueprint covered the domains tagged with the yellow star.

    This image contains a screenshot of the solution architecture framework found earlier in this blueprint, with stars next to Data Architecture, Security, Performance, and Stability.

    TRADEOFF ALERT

    The right design decision is never the same for all perspectives. Along with varying opinions, comes the “at odds with each other set” of needs (scalability vs. performance, or access vs. security).

    An evidence-based decision-making approach using a domain-driven design strategy is a good mix of techniques for creating the best (right?) solution architecture.

    This image contains a screenshot of a table that summarizes the themes discussed in this blueprint.

    Summary of accomplishment

    • Gained understanding and clarification of the stakeholder objectives placed on your application architecture.
    • Completed detailed use cases and persona-driven scenario analysis and their architectural needs through SRME.
    • Created a set of design decisions for data, security, scalability, and performance.
    • Merged the different architecture domains dealt with in this blueprint to create a holistic view.

    Bibliography

    Ambysoft Inc. “UML 2 Sequence Diagrams: An Agile Introduction.” Agile Modeling, n.d. Web.

    Bass, Len, Paul Clements, and Rick Kazman. Software Architecture in Practices: Third Edition. Pearson Education, Inc. 2003.

    Eeles, Peter. “The benefits of software architecting.” IBM: developerWorks, 15 May 2006. Web.

    Flexera 2020 State of the Cloud Report. Flexera, 2020. Web. 19 October 2021.

    Furdik, Karol, Gabriel Lukac, Tomas Sabol, and Peter Kostelnik. “The Network Architecture Designed for an Adaptable IoT-based Smart Office Solution.” International Journal of Computer Networks and Communications Security, November 2013. Web.

    Ganzinger, Matthias, and Petra Knaup. “Requirements for data integration platforms in biomedical research networks: a reference model.” PeerJ, 5 February 2015. (https://peerj.com/articles/755/).

    Garlan, David, and Mary Shaw. An Introduction to Software Architecture. CMU-CS-94-166, School of Computer Science Carnegie Mellon University, January 1994.

    Gupta, Arun. “Microservice Design Patterns.” Java Code Geeks, 14 April 2015. Web.

    How, Matt. The Modern Data Warehouse in Azure. O’Reilly, 2020.

    ISO/IEC 17788:2014: Information technology – Cloud computing, International Organization for Standardization, October 2014. Web.

    ISO/IEC 18384-1:2016: Information technology – Reference Architecture for Service Oriented Architecture (SOA RA), International Organization for Standardization, June 2016. Web.

    ISO/IEC 25010:2011(en) Systems and software engineering — Systems and software Quality Requirements and Evaluation (SQuaRE) — System and software quality models. International Organization for Standardization, March 2011. Web.

    Kazman, R., M. Klein, and P. Clements. ATAM: Method for Architecture Evaluation. S Carnegie Mellon University, August 2000. Web.

    Microsoft Developer Network. “Chapter 16: Quality Attributes.” Microsoft Application Architecture Guide. 2nd Ed., 13 January 2010. Web.

    Microsoft Developer Network. “Chapter 2: Key Principles of Software Architecture.” Microsoft Application Architecture Guide. 2nd Ed., 13 January 2010. Web.

    Microsoft Developer Network. “Chapter 3: Architectural Patterns and Styles.” Microsoft Application Architecture Guide. 2nd Ed., 14 January 2010. Web.

    Microsoft Developer Network. “Chapter 5: Layered Application Guidelines.” Microsoft Application Architecture Guide. 2nd Ed., 13 January 2010. Web.

    Mirakhorli, Mehdi. “Common Architecture Weakness Enumeration (CAWE).” IEEE Software, 2016. Web.

    Moore, G. A. Crossing the Chasm, 3rd Edition: Marketing and Selling Disruptive Products to Mainstream Customers (Collins Business Essentials) (3rd ed.). Harper Business, 2014.

    OASIS. “Oasis SOA Reference Model (SOA RM) TC.” OASIS Open, n.d. Web.

    Soni, Mukesh. “Defect Prevention: Reducing Costs and Enhancing Quality.” iSixSigma, n.d. Web.

    The Open Group. TOGAF 8.1.1 Online, Part IV: Resource Base, Developing Architecture Views. TOGAF, 2006. Web.

    The Open Group. Welcome to the TOGAF® Standard, Version 9.2, a standard of The Open Group. TOGAF, 2018. Web.

    Watts, S. “The importance of solid design principles.” BMC Blogs, 15 June 2020. 19 October 2021.

    Young, Charles. “Hexagonal Architecture–The Great Reconciler?” Geeks with Blogs, 20 Dec 2014. Web.

    APPENDIX A

    Techniques to enhance application architecture.

    Consider the numerous solutions to address architecture issues or how they will impact your application architecture

    Many solutions exist for improving the layers of the application stack that may address architecture issues or impact your current architecture. Solutions range from capability changes to full stack replacement.

    Method Description Potential Benefits Risks Related Blueprints
    Business Capabilities:
    Enablement and enhancement
    • Introduce new business capabilities by leveraging unused application functionalities or consolidate redundant business capabilities.
    • Increase value delivery to stakeholders.
    • Lower IT costs through elimination of applications.
    • Increased use of an application could overload current infrastructure.
    • IT cannot authorize business capability changes.
    Use Info-Tech’s Document Your Business Architecture blueprint to gain better understanding of business and IT alignment.
    Removal
    • Remove existing business capabilities that don’t contribute value to the business.
    • Lower operational costs through elimination of unused and irrelevant capabilities.
    • Business capabilities may be seen as relevant or critical by different stakeholder groups.
    • IT cannot authorize business capability changes.
    Use Info-Tech’s Build an Application Rationalization Framework to rationalize your application portfolio.
    Business Process:
    Process integration and consolidation
    • Combine multiple business processes into a single process.
    • Improved utilization of applications in each step of the process.
    • Reduce business costs through efficient business processes.
    • Minimize number of applications required to execute a single process.
    • Significant business disruption if an application goes down and is the primary support for business processes.
    • Organizational pushback if process integration involves multiple business groups.
    Business Process (continued):
    Process automation
    • Automate manual business processing tasks.
    • Reduce manual processing errors.
    • Improve speed of delivery.
    • Significant costs to implement automation.
    • Automation payoffs are not immediate.
    Lean business processes
    • Eliminate redundant steps.
    • Streamline existing processes by focusing on value-driven steps.
    • Improve efficiency of business process through removal of wasteful steps.
    • Increase value delivered at the end of the process.
    • Stakeholder pushback from consistently changing processes.
    • Investment from business is required to fit documentation to the process.
    Outsource the process
    • Outsource a portion of or the entire business process to a third party.
    • Leverage unavailable resources and skills to execute the business process.
    • Loss of control over process.
    • Can be costly to bring the process back into the business if desired in the future.
    Business Process (continued):
    Standardization
    • Implement standards for business processes to improve uniformity and reusability.
    • Consistently apply the same process across multiple business units.
    • Transparency of what is expected from the process.
    • Improve predictability of process execution.
    • Process bottlenecks may occur if a single group is required to sign off on deliverables.
    • Lack of enforcement and maintenance of standards can lead to chaos if left unchecked.
    User Interface:
    Improve user experience (UX)
    • Eliminate end-user emotional, mechanical, and functional friction by improving the experience of using the application.
    • UX encompasses both the interface and the user’s behavior.
    • Increase satisfaction and adoption rate from end users.
    • Increase brand awareness and user retention.
    • UX optimizations are only focused on a few user personas.
    • Current development processes do not accommodate UX assessments
    Code:
    Update coding language
    Translate legacy code into modern coding language.
    • Coding errors in modern languages can have lesser impact on the business processes they support.
    • Modern languages tend to have larger pools of coders to hire.
    • Increase availability of tools to support modern languages.
    • Coding language changes can create incompatibilities with existing infrastructure.
    • Existing coding translation tools do not offer 100% guarantee of legacy function retention.
    Code (continued):
    Open source code
    • Download pre-built code freely available in open source communities.
    • Code is rapidly evolving in the community to meet current business needs.
    • Avoid vendor lock-in from proprietary software
    • Community rules may require divulgence of work done with open source code.
    • Support is primarily provided through community, which may not address specific concerns.
    Update the development toolchain
    • Acquire new or optimize development tools with increased testing, build, and deployment capabilities.
    • Increase developer productivity.
    • Increase speed of delivery and test coverage with automation.
    • Drastic IT overhauls required to implement new tools such as code conversion, data migration, and development process revisions.
    Update source code management
    • Optimize source code management to improve coding governance, versioning, and development collaboration.
    • Ability to easily roll back to previous build versions and promote code to other environments.
    • Enable multi-user development capabilities.
    • Improve conflict management.
    • Some source code management tools cannot support legacy code.
    • Source code management tools may be incompatible with existing development toolchain.
    Data:
    Outsource extraction
    • Outsource your data analysis and extraction to a third party.
    • Lower costs to extract and mine data.
    • Leverage unavailable resources and skills to translate mined data to a usable form.
    • Data security risks associated with off-location storage.
    • Data access and control risks associated with a third party.
    Update data structure
    • Update your data elements, types (e.g. transactional, big data), and formats (e.g. table columns).
    • Standardize on a common data definition throughout the entire organization.
    • Ease data cleansing, mining, analysis, extraction, and management activities.
    • New data structures may be incompatible with other applications.
    • Implementing data management improvements may be costly and difficult to acquire stakeholder buy-in.
    Update data mining and data warehousing tools
    • Optimize how data is extracted and stored.
    • Increase the speed and reliability of the data mined.
    • Perform complex analysis with modern data mining and data warehousing tools.
    • Data warehouses are regularly updated with the latest data.
    • Updating data mining and warehousing tools may create incompatibilities with existing infrastructure and data sets.
    Integration:
    Move from point-to-point to enterprise service bus (ESB)
    • Change your application integration approach from point-to-point to an ESB.
    • Increase the scalability of enterprise services by exposing applications to a centralized middleware.
    • Reduce the number of integration tests to complete with an ESB.
    • Single point of failure can cripple the entire system.
    • Security threats arising from centralized communication node.
    Leverage API integration
    • Leverage application programming interfaces (APIs) to integrate applications.
    • Quicker and more frequent transfers of lightweight data compared to extract, load, transfer (ETL) practices.
    • Increase integration opportunities with other modern applications and infrastructure (including mobile devices).
    • APIs are not as efficient as ETL when handling large data sets.
    • Changing APIs can break compatibility between applications if not versioned properly.

    Mentoring for Agile Teams

    • Buy Link or Shortcode: {j2store}154|cart{/j2store}
    • member rating overall impact (scale of 10): 9.5/10 Overall Impact
    • member rating average dollars saved: $187,599 Average $ Saved
    • member rating average days saved: 27 Average Days Saved
    • Parent Category Name: Development
    • Parent Category Link: /development
    • Today’s realities are driving organizations to digitize faster and become more Agile.
    • Most hierarchical, command and control–style organizations are not yet well adapted to using Agile.
    • So-called textbook Agile practices often clash with traditional processes and practices.
    • Members must adapt their Agile practices to accommodate their organizational realities.

    Our Advice

    Critical Insight

    • There is no one-size-fits-all approach to Agile. Agile practices need to be adjusted to work in your organization based on a thoughtful diagnosis of the challenges and solutions tailored to the nature of your organization.

    Impact and Result

    • Identify your Agile challenges and success factors (both organization-wide and team-specific).
    • Leverage the power of research and experience to solve key Agile challenges and gain immediate benefits for your project.
    • Your Agile playbook will capture your findings so future projects can benefit from them.

    Mentoring for Agile Teams Research & Tools

    Start here – read the Executive Brief

    Read this Executive Brief to understand how a Agile Mentoring can help your organization to successfully establish Agile practices within your context.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Take the Info-Tech Agile Challenges and Success Factors Survey

    This tool will help you identify where your Agile teams are experiencing the most pain so you can create your Agile challenges hit list.

    • Agile Challenges and Success Factors Survey

    2. Review typical challenges and findings

    While each organization/team will struggle with its own individual challenges, many members find they face similar organizational/systemic challenges when adopting Agile. Review these typical challenges and learn from what other members have discovered.

    • Mentoring for Agile Teams – Typical Findings

    Infographic

    Workshop: Mentoring for Agile Teams

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Take the Agile Challenges and Success Factors Survey

    The Purpose

    Determine whether an Agile playbook is right for you.

    Broadly survey your teams to identify Agile challenges and success factors in your organization.

    Key Benefits Achieved

    Better understanding of common Agile challenges and success factors

    Identification of common Agile challenges and success factors are prevalent in your organization

    Activities

    1.1 Distribute survey and gather results.

    1.2 Consolidate survey results.

    Outputs

    Completed survey responses from across teams/organization

    Consolidated heat map of your Agile challenges and success factors

    2 Identify Your Agile Challenges Hit List

    The Purpose

    Examine consolidated survey results.

    Identify your most pressing challenges.

    Create a hit list of challenges to be resolved.

    Key Benefits Achieved

    Identification of the most serious challenges to your Agile transformation

    Attention focused on those challenge areas that are most impacting your Agile teams

    Activities

    2.1 Analyze and discuss your consolidated heat map.

    2.2 Prioritize identified challenges.

    2.3 Select your hit list of challenges to address.

    Outputs

    Your Agile challenges hit list

    3 Problem Solve

    The Purpose

    Address each challenge in your hit list to eliminate or improve it.

    Key Benefits Achieved

    Better Agile team performance and effectiveness

    Activities

    3.1 Work with Agile mentor to problem solve each challenge in your hit list.

    3.2 Apply these to your project in real time.

    Outputs

    4 Create Your Agile Playbook

    The Purpose

    Capture the findings and lessons learned while problem solving your hit list.

    Key Benefits Achieved

    Strategies and tactics for being successful with Agile in your organization which can be applied to future projects

    Activities

    4.1 For each hit list item, capture the findings and lessons learned in Module 3.

    4.2 Document these in your Agile Playbook.

    Outputs

    Your Agile Playbook deliverable

    Project Management

    • Buy Link or Shortcode: {j2store}48|cart{/j2store}
    • Related Products: {j2store}48|crosssells{/j2store}
    • member rating overall impact (scale of 10): 9.7/10
    • member rating average dollars saved: $303,499
    • member rating average days saved: 42
    • Parent Category Name: Project Portfolio Management and Projects
    • Parent Category Link: /ppm-and-projects

    The challenge

    • Ill-defined or even lack of upfront project planning will increase the perception that your IT department cannot deliver value because most projects will go over time and budget.
    • The perception is those traditional ways of delivering projects via the PMBOK only increase overhead and do not have value. This is less due to the methodology and more to do with organizations trying to implement best-practices that far exceed their current capabilities.
    • Typical best-practices are too clinical in their approach and place unrealistic burdens on IT departments. They fail to address the daily difficulties faces by staff and are not sized to fit your organization.
    • Take a flexible approach and ensure that your management process is a cultural and capacity fit for your organization. Take what fits from these frameworks and embed them tailored into your company.

    Our advice

    Insight

    • The feather-touch is often the right touch. Ensure that you have a lightweight approach for most of your projects while applying more rigor to the more complex and high-risk developments.
    • Pick the right tools. Your new project management processes need the right tooling to be successful. Pick a tool that is flexible enough o accommodate projects of all sizes without imposing undue governance onto smaller projects.
    • Yes, take what fits within your company from frameworks, but there is no cherry-picking. Ensure your processes stay in context: If you do not inform for effective decision-making, all will be in vain. Develop your methods such that guide the way to big-picture decision taking and support effective portfolio management.

    Impact and results 

    • The right amount of upfront planning is a function of the type of projects you have and your company. The proper levels enable better scope statements, better requirements gathering, and increased business satisfaction.
    • An investment in a formal methodology is critical to projects of all sizes. An effective process results in more successful projects with excellent business value delivery.
    • When you have a repeatable and consistent approach to project planning and execution, you can better communicate between the IT project managers and decision-makers.
    • Better communication improves the visibility of the overall project activity within your company.

    The roadmap

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    Get started.

    Read our executive brief to understand why you should tailor project management practices to the type of projects you do and your company and review our methodology. We show you how we can support you.

    Lay the groundwork for project management success

    Assess your current capabilities to set the right level of governance.

    • Tailor Project Management Processes to Fit Your Projects – Phase 1: Lay the Groundwork for PM Success (ppt)
    • Project Management Triage Tool (xls)
    • COBIT BAI01 (Manage Programs and Projects) Alignment Workbook (xls)
    • Project Level Definition Matrix (xls)
    • Project Level Selection Tool (xls)
    • Project Level Assessment Tool (xls)
    • Project Management SOP Template (doc)

    Small project require a lightweight framework

    Increase small project's throughput.

    • Tailor Project Management Processes to Fit Your Projects – Phase 2: Build a Lightweight PM Process for Small Initiatives (ppt)
    • Level 1 Project Charter Template (doc)
    • Level 1 Project Status Report Template (doc)
    • Level 1 Project Closure Checklist Template (doc)

    Build the standard process medium and large-scale projects

    The standard process contains fully featured initiation and planning.

    • Tailor Project Management Processes to Fit Your Projects – Phase 3: Establish Initiation and Planning Protocols for Medium-to-Large Projects (ppt)
    • Project Stakeholder and Impact Assessment Tool (xls)
    • Level 2 Project Charter Template (doc)
    • Level 3 Project Charter Template (doc)
    • Kick-Off Meeting Agenda Template (doc)
    • Scope Statement Template (doc)
    • Project Staffing Plan(xls)
    • Communications Management Plan Template (doc)
    • Customer/Sponsor Project Status Meeting Template (doc)
    • Level 2 Project Status Report Template (doc)
    • Level 3 Project Status Report Template (doc)
    • Quality Management Workbook (xls)
    • Benefits Management Plan Template (xls)
    • Risk Management Workbook (xls)

    Build a standard process for the execution and closure of medium to large scale projects

    • Tailor Project Management Processes to Fit Your Projects – Phase 4: Develop Execution and Closing Procedures for Medium-to-Large Projects (ppt)
    • Project Team Meeting Agenda Template (doc)
    • Light Project Change Request Form Template (doc)
    • Detailed Project Change Request Form Template (doc)
    • Light Recommendation and Decision Tracking Log Template (xls)
    • Detailed Recommendation and Decision Tracking Log Template (xls)
    • Deliverable Acceptance Form Template (doc)
    • Handover to Operations Template (doc)
    • Post-Mortem Review Template (doc)
    • Final Sign-Off and Acceptance Form Template (doc)

    Implement your project management standard operating procedures (SOP)

    Develop roll-out and training plans, implement your new process and track metrics.

    • Tailor Project Management Processes to Fit Your Projects – Phase 5: Implement Your PM SOP (ppt)
    • Level 2 Project Management Plan Template (doc)
    • Project Management Process Costing Tool (xls)
    • Project Management Process Training Plan Template (doc)
    • Project Management Training Monitoring Tool (xls)
    • Project Management Process Implementation Timeline Tool (MS Project)
    • Project Management Process Implementation Timeline Tool (xls)

     

     

    Build a Robust and Comprehensive Data Strategy

    • Buy Link or Shortcode: {j2store}120|cart{/j2store}
    • member rating overall impact (scale of 10): 9.3/10 Overall Impact
    • member rating average dollars saved: $46,734 Average $ Saved
    • member rating average days saved: 29 Average Days Saved
    • Parent Category Name: Data Management
    • Parent Category Link: /data-management
    • The volume and variety of data that organizations have been collecting and producing have been growing exponentially and show no sign of slowing down.
    • At the same time, business landscapes and models are evolving, and users and stakeholders are becoming more and more data centric, with maturing expectations and demands.

    Our Advice

    Critical Insight

    • As the CDO or equivalent data leader in your organization, a robust and comprehensive data strategy is the number one tool in your toolkit for delivering on your mandate of creating measurable business value from data.
    • A data strategy should never be formulated disjointed from the business. Ensure the data strategy aligns with the business strategy and supports the business architecture.
    • Building and fostering a data-driven culture will accelerate and sustain adoption of, appetite for, and appreciation for data and hence drive the ROI on your various data investments.

    Impact and Result

    • Formulate a data strategy that stitches all of the pieces together to better position you to unlock the value in your data:
      • Establish the business context and value: Identify key business drivers for executing on an optimized data strategy, build compelling and relevant use cases, understand your organization’s culture and appetite for data, and ensure you have well-articulated vision, principles, and goals for your data strategy
      • Ensure you have a solid data foundation: Understand your current data environment, data management enablers, people, skill sets, roles, and structure. Know your strengths and weakness so you can optimize appropriately.
      • Formulate a sustainable data strategy: Round off your strategy with effective change management and communication for building and fostering a data-driven culture.

    Build a Robust and Comprehensive Data Strategy Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Data Strategy Research – A step-by-step document to facilitate the formulation of a data strategy that brings together the business context, data management foundation, people, and culture.

    Data should be at the foundation of your organization’s evolution. The transformational insights that executives and decision makers are constantly seeking to leverage can be unlocked with a data strategy that makes high-quality, trusted, and relevant data readily available to the users who need it.

    • Build a Robust and Comprehensive Data Strategy – Phases 1-3

    2. Data Strategy Stakeholder Interview Guide and Findings – A template to support you in your meetings or interviews with key stakeholders as you work on understanding the value of data within the various lines of business.

    This template will help you gather insights around stakeholder business goals and objectives, current data consumption practices, the types or domains of data that are important to them in supporting their business capabilities and initiatives, the challenges they face, and opportunities for data from their perspective.

    • Data Strategy Stakeholder Interview Guide and Findings

    3. Data Strategy Use Case Template – An exemplar template to demonstrate the business value of your data strategy.

    Data strategy optimization anchored in a value proposition will ensure that the data strategy focuses on driving the most valuable and critical outcomes in support of the organization’s enterprise strategy. The template will help you facilitate deep-dive sessions with key stakeholders for building use cases that are of demonstrable value not only to their relevant lines of business but also to the wider organization.

    • Data Strategy Use Case Template

    4. Chief Data Officer – A job description template that includes a detailed explication of the responsibilities and expectations of a CDO.

    Bring data to the C-suite by creating the Chief Data Officer role. This position is designed to bridge the gap between the business and IT by serving as a representative for the organization's data management practices and identifying how the organization can leverage data as a competitive advantage or corporate asset.

    • Chief Data Officer

    5. Data Strategy Document Template – A structured template to plan and document your data strategy outputs.

    Use this template to document and formulate your data strategy. Follow along with the sections of the blueprint Build a Robust and Comprehensive Data Strategy and complete the template as you progress.

    • Data Strategy Document Template
    [infographic]

    Workshop: Build a Robust and Comprehensive Data Strategy

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Establish Business Context and Value: Understand the Current Business Environment

    The Purpose

    Establish the business context for the business strategy.

    Key Benefits Achieved

    Substantiates the “why” of the data strategy.

    Highlights the organization’s goals, objectives, and strategic direction the data must align with.

    Activities

    1.1 Data Strategy 101

    1.2 Intro to Tech’s Data Strategy Framework

    1.3 Data Strategy Value Proposition: Understand stakeholder’s strategic priorities and the alignment with data

    1.4 Discuss the importance of vision, mission, and guiding principles of the organization’s data strategy

    1.5 Understand the organization’s data culture – discuss Data Culture Survey results

    1.6 Examine Core Value Streams of Business Architecture

    Outputs

    Business context; strategic drivers

    Data strategy guiding principles

    Sample vision and mission statements

    Data Culture Diagnostic Results Analysis

    2 Business-Data Needs Discovery: Key Business Stakeholder Interviews

    The Purpose

    Build use cases of demonstrable value and understand the current environment.

    Key Benefits Achieved

    An understanding of the current maturity level of key capabilities.

    Use cases that represent areas of concern and/or high value and therefore need to be addressed.

    Activities

    2.1 Conduct key business stakeholder interviews to initiate the build of high-value business-data cases

    Outputs

    Initialized high-value business-data cases

    3 Understand the Current Data Environment & Practice: Analyze Data Capability and Practice Gaps and Develop Alignment Strategies

    The Purpose

    Build out a future state plan that is aimed at filling prioritized gaps and that informs a scalable roadmap for moving forward on treating data as an asset.

    Key Benefits Achieved

    A target state plan, formulated with input from key stakeholders, for addressing gaps and for maturing capabilities necessary to strategically manage data.

    Activities

    3.1 Understand the current data environment: data capability assessment

    3.2 Understand the current data practice: key data roles, skill sets; operating model, organization structure

    3.3 Plan target state data environment and data practice

    Outputs

    Data capability assessment and roadmapping tool

    4 Align Business Needs with Data Implications: Initiate Roadmap Planning and Strategy Formulation

    The Purpose

    Consolidate business and data needs with consideration of external factors as well as internal barriers and enablers to the success of the data strategy. Bring all the outputs together for crafting a robust and comprehensive data strategy.

    Key Benefits Achieved

    A consolidated view of business and data needs and the environment in which the data strategy will be operationalized.

    An analysis of the feasibility and potential risks to the success of the data strategy.

    Activities

    4.1 Analyze gaps between current- and target-state

    4.2 Initiate initiative, milestone and RACI planning

    4.3 Working session with Data Strategy Owner

    Outputs

    Data Strategy Next Steps Action Plan

    Relevant data strategy related templates (example: data practice patterns, data role patterns)

    Initialized Data Strategy on-a-Page

    Further reading

    Build a Robust and Comprehensive Data Strategy

    Key to building and fostering a data-driven culture.

    ANALYST PERSPECTIVE

    Data Strategy: Key to helping drive organizational innovation and transformation

    "In the dynamic environment in which we operate today, where we are constantly juggling disruptive forces, a well-formulated data strategy will prove to be a key asset in supporting business growth and sustainability, innovation, and transformation.

    Your data strategy must align with the organization’s business strategy, and it is foundational to building and fostering an enterprise-wide data-driven culture."

    Crystal Singh,

    Director – Research and Advisory

    Info-Tech Research Group

    Our understanding of the problem

    This Research is Designed For:

    • Chief data officers (CDOs), chief architects, VPs, and digital transformation directors and CIOs who are accountable for ensuring data can be leveraged as a strategic asset of the organization.

    This Research Will Help You:

    • Put a strategy in place to ensure data is available, accessible, well integrated, secured, of acceptable quality, and suitably visualized to fuel decision making by the organizations’ executives.
    • Align data management plans and investments with business requirements and the organization’s strategic plans.
    • Define the relevant roles for operationalizing your data strategy.

    This Research Will Also Assist:

    • Data architects and enterprise architects who have been tasked with supporting the formulation or optimization of the organization’s data strategy.
    • Business leaders creating plans for leveraging data in their strategic planning and business processes.
    • IT professionals looking to improve the environment that manages and delivers data.

    This Research Will Help Them:

    • Get a handle on the current situation of data within the organization.
    • Understand how the data strategy and its resulting initiatives will affect the operations, integration, and provisioning of data within the enterprise.

    Executive Summary

    Situation

    • The volume and variety of data that organizations have been collecting and producing have been growing exponentially and show no sign of slowing down. At the same time, business landscapes and models are evolving, and users and stakeholders are becoming more and more data centric, with maturing and demanding expectations.

    Complication

    • As organizations pivot in response to industry disruptions and changing landscapes, a reactive and piecemeal approach leads to data architectures and designs that fail to deliver real and measurable value to the business.
    • Despite the growing focus on data, many organizations struggle to develop a cohesive business-driven strategy for effectively managing and leveraging their data assets.

    Resolution

    Formulate a data strategy that stitches all of the pieces together to better position you to unlock the value in your data:

    • Establish the business context and value: Identify key business drivers for executing on an optimized data strategy, build compelling and relevant use cases, understand your organization’s culture and appetite for data, and ensure you have well-articulated vision, principles, and goals for your data strategy.
    • Ensure you have a solid data foundation: Understand your current data environment, data management enablers, people, skill sets, roles, and structure. Know your strengths and weakness so you can optimize appropriately.
    • Formulate a sustainable data strategy: Round off your strategy with effective change management and communication for building and fostering a data-driven culture.

    Info-Tech Insight

    1. As the CDO or equivalent data leader in your organization, a robust and comprehensive data strategy is the number one tool in your toolkit for delivering on your mandate of creating measurable business value from data.
    2. A data strategy should never be formulated disjointed from the business. Ensure the data strategy aligns with the business strategy and supports the business architecture.
    3. Building and fostering a data-driven culture will accelerate and sustain adoption of, appetite for, and appreciation for data and hence drive the ROI on your various data investments.

    Why do you need a data strategy?

    Your data strategy is the vehicle for ensuring data is poised to support your organization’s strategic objectives.

    The dynamic marketplace of today requires organizations to be responsive in order to gain or maintain their competitive edge and place in their industry.

    Organizations need to have that 360-degree view of what’s going on and what’s likely to happen.

    Disruptive forces often lead to changes in business models and require organizations to have a level of adaptability to remain relevant.

    To respond, organizations need to make decisions and should be able to turn to their data to gain insights for informing their decisions.

    A well-formulated and robust data strategy will ensure that your data investments bring you the returns by meeting your organization’s strategic objectives.

    Organizations need to be in a position where they know what’s going on with their stakeholders and anticipate what their stakeholders’ needs are going to be.

    Data cannot be fully leveraged without a cohesive strategy

    Most organizations today will likely have some form of data management in place, supported by some of the common roles such as DBAs and data analysts.

    Most will likely have a data architecture that supports some form of reporting.

    Some may even have a chief data officer (CDO), a senior executive who has a seat at the C-suite table.

    These are all great assets as a starting point BUT without a cohesive data strategy that stitches the pieces together and:

    • Effectively leverages these existing assets
    • Augments them with additional and relevant key roles and skills sets
    • Optimizes and fills in the gaps around your current data management enablers and capabilities for the growing volume and variety of data you’re collecting
    • Fully caters to real, high-value strategic organizational business needs

    you’re missing the mark – you are not fully leveraging the incredible value of your data.

    Cross-industry studies show that on average, less than half of an organization’s structured data is actively used in making decisions

    And, less than 1% of its unstructured data is analyzed or used at all. Furthermore, 80% of analysts' time is spent simply discovering and preparing, data with over 70% of employees having access to data they should not. Source: HBR, 2017

    Organizational drivers for a data strategy

    Your data strategy needs to align with your organizational strategy.

    Main Organizational Strategic Drivers:

    1. Stakeholder Engagement/Service Excellence
    2. Product and Service Innovations
    3. Operational Excellence
    4. Privacy, Risk, and Compliance Management

    “The companies who will survive and thrive in the future are the ones who will outlearn and out-innovate everyone else. It is no longer ‘survival of the fittest’ but ‘survival of the smartest.’ Data is the element that both inspires and enables this new form of rapid innovation.– Joel Semeniuk, 2016

    A sound data strategy is the key to unlocking the value in your organization’s data.

    Data should be at the foundation of your organization’s evolution.

    The transformational insights that executives are constantly seeking to leverage can be unlocked with a data strategy that makes high-quality, well-integrated, trustworthy, relevant data readily available to the business users who need it.

    Whether hoping to gain a better understanding of your business, trying to become an innovator in your industry, or having a compliance and regulatory mandate that needs to be met, any organization can get value from its data through a well-formulated, robust, and cohesive data strategy.

    According to a leading North American bank, “More than one petabyte of new data, equivalent to about 1 million gigabytes” is entering the bank’s systems every month. – The Wall Street Journal, 2019

    “Although businesses are at many different stages in unlocking the power of data, they share a common conviction that it can make or break an enterprise.”– Jim Love, ITWC CIO and Chief Digital Officer, IT World Canada, 2018

    Data is a strategic organizational asset and should be treated as such

    The expression “Data is an asset” or any other similar sentiment has long been heard.

    With such hype, you would have expected data to have gotten more attention in the boardrooms. You would have expected to see its value reflected on financial statements as a result of its impact in driving things like acquisition, retention, product and service development and innovation, market growth, stakeholder satisfaction, relationships with partners, and overall strategic success of the organization.

    The time has surely come for data to be treated as the asset it is.

    “Paradoxically, “data” appear everywhere but on the balance sheet and income statement.”– HBR, 2018

    “… data has traditionally been perceived as just one aspect of a technology project; it has not been treated as a corporate asset.”– “5 Essential Components of a Data Strategy,” SAS

    According to Anil Chakravarthy, who is the CEO of Informatica and has a strong vantage point on how companies across industries leverage data for better business decisions, “what distinguishes the most successful businesses … is that they have developed the ability to manage data as an asset across the whole enterprise.”– McKinsey & Company, 2019

    How data is perceived in today’s marketplace

    Data is being touted as the oil of the digital era…

    But just like oil, if left unrefined, it cannot really be used.

    "Data is the new oil." – Clive Humby, Chief Data Scientist

    Source: Joel Semeniuk, 2016

    Enter your data strategy.

    Data is being perceived as that key strategic asset in your organization for fueling innovation and transformation.

    Your data strategy is what allows you to effectively mine, refine, and use this resource.

    “The world’s most valuable resource is no longer oil, but data.”– The Economist, 2017

    “Modern innovation is now dependent upon this data.”– Joel Semeniuk, 2016

    “The better the data, the better the resulting innovation and impact.”– Joel Semeniuk, 2016

    What is it in it for you? What opportunities can data help you leverage?

    GOVERNMENT

    Leveraging data as a strategic asset for the benefit of citizens.

    • The strategic use of data can enable governments to provide higher-quality services.
    • Direct resources appropriately and harness opportunities to improve impact.
    • Make better evidence-informed decisions and better understand the impact of programs so that funds can be directed to where they are most likely to deliver the best results.
    • Maintain legitimacy and credibility in an increasingly complex society.
    • Help workers adapt and be competitive in a changing labor market.
    • A data strategy would help protect citizens from the misuse of their data.

    Source: Privy Council Office, Government of Canada, 2018

    What is it in it for you? What opportunities can data help you leverage?

    FINANCIAL

    Leveraging data to boost traditional profit and loss levers, find new sources of growth, and deliver the digital bank.

    • One bank used credit card transactional data (from its own terminals and those of other banks) to develop offers that gave customers incentives to make regular purchases from one of the bank’s merchants. This boosted the bank’s commissions, added revenue for its merchants, and provided more value to the customer (McKinsey & Company, 2017).
    • In terms of enhancing productivity, a bank used “new algorithms to predict the cash required at each of its ATMs across the country and then combined this with route-optimization techniques to save money” (McKinsey & Company, 2017).

    A European bank “turned to machine-learning algorithms that predict which currently active customers are likely to reduce their business with the bank.” The resulting understanding “gave rise to a targeted campaign that reduced churn by 15 percent” (McKinsey & Company, 2017).

    A leading Canadian bank has built a marketplace around their data – they have launched a data marketplace where they have productized the bank’s data. They are providing data – as a product – to other units within the bank. These other business units essentially represent internal customers who are leveraging the product, which is data.

    Through the use of data and advanced analytics, “a top bank in Asia discovered unsuspected similarities that allowed it to define 15,000 microsegments in its customer base. It then built a next-product-to-buy model that increased the likelihood to buy three times over.” Several sets of big data were explored, including “customer demographics and key characteristics, products held, credit-card statements, transaction and point-of-sale data, online and mobile transfers and payments, and credit-bureau data” (McKinsey & Company, 2017).

    What is it in it for you? What opportunities can data help you leverage?

    HEALTHCARE

    Leveraging data and analytics to prevent deadly infections

    The fifth-largest health system in the US and the largest hospital provider in California uses a big data and advanced analytics platform to predict potential sepsis cases at the earliest stages, when intervention is most helpful.

    Using the Sepsis Bio-Surveillance Program, this hospital provider monitors 120,000 lives per month in 34 hospitals and manages 7,500 patients with potential sepsis per month.

    Collecting data from the electronic medical records of all patients in its facilities, the solution uses natural language processing (NLP) and a rules engine to continually monitor factors that could indicate a sepsis infection. In high-probability cases, the system sends an alarm to the primary nurse or physician.

    Since implementing the big data and predictive analytics system, this hospital provider has seen a significant improvement in the mortality and the length of stay in ICU for sepsis patients.

    At 28 of the hospitals which have been on the program, sepsis mortality rates have dropped an average of 5%.

    With patients spending less time in the ICU, cost savings were also realized. This is significant, as sepsis is the costliest condition billed to Medicare, the second costliest billed to Medicaid and the uninsured, and the fourth costliest billed to private insurance.

    Source: SAS, 2019

    What is it in it for you? What opportunities can data help you leverage?

    RETAIL

    Leveraging data to better understand customer preferences, predict purchasing, drive customer experience, and optimize supply and demand planning.

    Netflix is an example of a big brand that uses big data analytics for targeted advertising. With over 100 million subscribers, the company collects large amounts of data. If you are a subscriber, you are likely familiar with their suggestions messages of the next series or movie you should catch up on. These suggestions are based on your past search data and watch data. This data provides Netflix with insights into your interests and preferences for viewing (Mentionlytics, 2018).

    “For the retail industry, big data means a greater understanding of consumer shopping habits and how to attract new customers.”– Ron Barasch, Envestnet | Yodlee, 2019

    The business case for data – moving from platitudes to practicality

    When building your business case, consider the following:

    • What is the most effective way to communicate the business case to executives?
    • How can CDOs and other data leaders use data to advance their organizations’ corporate strategy?
    • What does your data estate look like? Are you looking to leverage and drive value from your semi-structured and unstructured data assets?
    • Does your current organizational culture support a data-driven one? Does the organization have a history of managing change effectively?
    • How do changing privacy and security expectations alter the way businesses harvest, save, use, and exchange data?

    “We’re the converted … We see the value in data. The battle is getting executive teams to see it our way.”– Ted Maulucci, President of SmartONE Solutions Inc. IT World Canada, 2018

    Where do you stack up? What is your current data management maturity?

    Info-Tech’s IT Maturity Ladder denotes the different levels of maturity for an IT department and its different functions. What is the current state of your data management capability?

    Innovator - Transforms the Business. Business Partner - Expands the Business. Trusted Operator - Optimizes the Business. Firefighter - Supports the Business. Unstable - Struggles to Support.

    Info-Tech Insight

    You are best positioned to successfully execute on a data strategy if you are currently at or above the Trusted Operator level. If you find yourself still at the Unstable or Firefighter stage, your efforts are best spent on ensuring you can fulfill your day-to-day data and data management demands. Improving this capability will help build a strong data management foundation.

    Guiding principles of a data strategy

    Value of Clearly Defined Data Principles

    • Guiding principles help define the culture and characteristics of your practice by describing your beliefs and philosophy.
    • Guiding principles act as the heart of your data strategy, helping to shape initiative plans and day-to-day behaviors related to the use and treatment of the organization’s data assets.

    “Organizational culture can accelerate the application of analytics, amplify its power, and steer companies away from risky outcomes.”– McKinsey, 2018

    Build a Robust and Comprehensive Data Strategy

    Business Strategy and Current Environment connect with the Data Strategy. Data Strategy includes: Organizational Drivers and Data Value, Data Strategy Objectives and Guiding Principles, Data Strategy Vision and Mission, Data Strategy Roadmap, People: Roles and Organizational Structure, Data Culture and Data Literacy, Data Management and Tools, Risk and Feasibility.

    Follow Info-Tech’s methodology for effectively leveraging the value out of your data

    Some say it’s the new oil. Or the currency of the new business landscape. Others describe it as the fuel of the digital economy. But we don’t need platitudes — we need real ways to extract the value from our data. – Jim Love, CIO and Chief Digital Officer, IT World Canada, 2018

    1. Business Context. 2. Data and Resources Foundation. 3. Effective Data Strategy

    Our practical step-by-step approach helps you to formulate a data strategy that delivers business value.

    1. Establish Business Context and Value: In this phase, you will determine and substantiate the business drivers for optimizing the data strategy. You will identify the business drivers that necessitate the data strategy optimization and examine your current organizational data culture. This will be key to ensuring the fruits of your optimization efforts are being used. You will also define the vision, mission, and guiding principles and build high-value use cases for the data strategy.
    2. Ensure You Have a Solid Data and Resources Foundation: This phase will help you ensure you have a solid data and resources foundation for operationalizing your data strategy. You will gain an understanding of your current environment in terms of data management enablers and the required resources portfolio of key people, roles, and skill sets.
    3. Formulate a Sustainable Data Strategy: In this phase, you will bring the pieces together for formulating an effective data strategy. You will evaluate and prioritize the use cases built in Phase 1, which summarize the alignment of organizational goals with data needs. You will also create your strategic plan, considering change management and communication.

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    “Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.”

    Guided Implementation

    “Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.”

    Workshop

    “We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.”

    Consulting

    “Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”

    Diagnostics and consistent frameworks are used throughout all four options.

    Master the Art of Stakeholder Management in Small Enterprise Environments

    • Buy Link or Shortcode: {j2store}572|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Stakeholder Management
    • Parent Category Link: /stakeholder-management
    • IT hasn’t taken into account critical stakeholders and their concerns and preferences as they plan projects or operate on daily business.
    • It is difficult to tailor communication and messaging to all of the different personal and professional styles and motivations of stakeholders.
    • Access to stakeholders and getting an accurate understanding of their needs and concerns regarding IT can be difficult to obtain.

    Our Advice

    Critical Insight

    • Small enterprises have an advantage in stakeholder management. Less people and fewer barriers create opportunities for more productive interactions and stronger relationships.
    • The guiding principles for effective stakeholder management are common concepts, but unfortunately not common practice.
    • By stepping back and taking the time to thoughtfully consider the dynamics and needs of important IT stakeholders, you will be better able to position yourself and your department.

    Impact and Result

    • Info-Tech’s guiding principles provide clear and feasible recommendations for how to incorporate stakeholder management into daily interactions.
    • This blueprint’s guidance will enable IT leaders to tailor communication and interactions that will enable them to build stronger and more meaningful relationships with stakeholders.
    • Following this approach and its guiding principles will make IT projects be more successful by reducing their risk of failure due to issues of buy-in, misunderstanding of priorities, or a lack of support from critical stakeholders.

    Master the Art of Stakeholder Management in Small Enterprise Environments Research & Tools

    Executive Overview

    Use Info-Tech’s approach to stakeholder management to guide you in building stronger and more beneficial relationships, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    • Master the Art of Stakeholder Management in Small Enterprise Environments Storyboard
    • None
    • None

    1. Identify stakeholders

    Determine the stakeholders for an IT department of a singular initiative.

    • Stakeholder Management Analysis Tool

    2. Analyze stakeholders

    Use the guidance of this section to analyze stakeholders on both a professional and personal level.

    3. Manage stakeholders

    Use Info-Tech’s guiding principles of stakeholder management to direct how to best engage key stakeholders.

    4. Review case studies

    Use real-life experiences from Info-Tech’s analysts to understand how to use and apply stakeholder management techniques.

    [infographic]

    2020 IT Talent Trend Report

    • Buy Link or Shortcode: {j2store}512|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Lead
    • Parent Category Link: /lead
    • IT is an employee’s market.
    • Automation, outsourcing, and emerging technologies are widening the skill gap and increasing the need for skilled staff.
    • IT departments must find new ways to attract and retain top talent.

    Our Advice

    Critical Insight

    • Improving talent management is the way forward, but many IT leaders are approaching it the wrong way.
    • Among the current climate of automating everything in the workplace, we need to bring the human element back into talent management.

    Impact and Result

    • Using talent management strategies that speak to employees as individuals, rather than cogs in a machine, produces more effective IT departments.
    • IT leaders who make use of these strategies see benefits across the talent lifecycle – from hiring, to training, to retention.

    2020 IT Talent Trend Report Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should focus on talent management and get an overview of what successful IT leaders are doing differently heading into 2020 – the six new talent management trends.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. IT takes ownership of talent acquisition

    IT leaders who get personally involved in recruitment see better results. Read this section to learn how leader are getting involved, and how to take the first steps.

    • 2020 IT Talent Trend Report – Trend 1: IT Takes Ownership of Talent Acquisition

    2. Flexible work becomes fluid work

    Heading into 2020, flexible work is table stakes. Read this section to learn what organizations offer and how you can take advantage of opportunities your competitors are missing.

    • 2020 IT Talent Trend Report – Trend 2: Flexible Work Becomes Fluid Work

    3. The age of radical transparency

    Ethics and transparency are emerging as key considerations for employees. How can you build a culture that supports this? Read this section to learn how.

    • 2020 IT Talent Trend Report – Trend 3: The Age of Radical Transparency

    4. People analytics is business analytics

    Your staff is the biggest line item in your budget, but are you using data to make decisions about your people they way you do in other areas of the business? Read this section to learn how analytics can be applied to the workforce no matter what level you are starting at.

    • 2020 IT Talent Trend Report – Trend 4: People Analytics Is Business Analytics

    5. IT departments become their own universities

    With the rapid pace of technological change, it is becoming increasingly harder to hire skilled people for critical roles. Read this section to learn how some IT departments are turning to in-house training to fill the skill gap.

    • 2020 IT Talent Trend Report – Trend 5: IT Departments Become Their Own Universities

    6. Offboarding: The missed opportunity

    What do an employee's last few days with your company look like? For most organizations, they are filled with writing rushed documentation, hosting last-minute training sessions and finishing up odd jobs. Read this section to understand the crucial opportunity most IT departments are missing when it comes to departing staff.

    • 2020 IT Talent Trend Report – Trend 6: Offboarding: The Missed Opportunity
    [infographic]

    Build a Security Metrics Program to Drive Maturity

    • Buy Link or Shortcode: {j2store}266|cart{/j2store}
    • member rating overall impact (scale of 10): 9.5/10 Overall Impact
    • member rating average dollars saved: $22,947 Average $ Saved
    • member rating average days saved: 8 Average Days Saved
    • Parent Category Name: Security Processes & Operations
    • Parent Category Link: /security-processes-and-operations
    • Many security leaders put off adding metrics to their program because they don't know where to start or how to assess what is worth measuring.
    • Sometimes, this uncertainty causes the belief that their security programs are not mature enough for metrics to be worthwhile.
    • Because metrics can become very technical and precise,it's easy to think that they're inherently complicated (not true).

    Our Advice

    Critical Insight

    • The best metrics are tied to goals.
    • Tying your metrics to goals ensures that you are collecting metrics for a specific purpose rather than just to watch the numbers change.

    Impact and Result

    • A metric, really, is just a measure of success against a given goal. Gradually, programs will achieve their goals and set new more specific goals, and with them come more-specific metrics.
    • It is not necessary to jump into highly technical metrics right away. A lot can be gained from metrics that track behaviors.
    • A metrics program can be very simple and still effectively demonstrate the value of security to the organization. The key is to link your metrics to the goals or objectives the security team is pursuing, even if they are simple implementation plans (e.g. percentage of departments that have received security training course).

    Build a Security Metrics Program to Drive Maturity Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should build a security metrics program, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Link security metrics to goals to boost maturity

    Develop goals and KPIs to measure your progress.

    • Build a Security Metrics Program to Drive Maturity – Phase 1: Link Security Metrics to Goals to Boost Maturity
    • Security Metrics Determination and Tracking Tool
    • KPI Development Worksheets

    2. Adapt your reporting strategy for various metric types

    Learn how to present different types of metrics.

    • Build a Security Metrics Program to Drive Maturity – Phase 2: Adapt Your Reporting Strategy for Various Metric Types
    • Security Metrics KPX Dashboard
    • Board-Level Security Metrics Presentation Template
    [infographic]

    Workshop: Build a Security Metrics Program to Drive Maturity

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Current State, Initiatives, and Goals

    The Purpose

    Create a prioritized list of goals to improve the security program’s current state.

    Key Benefits Achieved

    Insight into the current program and the direct it needs to head in.

    Activities

    1.1 Discuss current state and existing approach to metrics.

    1.2 Review contract metrics already in place (or available).

    1.3 Determine security areas that should be measured.

    1.4 Determine what stakeholders are involved.

    1.5 Review current initiatives to address those risks (security strategy, if in place).

    1.6 Begin developing SMART goals for your initiative roadmap.

    Outputs

    Gap analysis results

    SMART goals

    2 KPI Development

    The Purpose

    Develop unique KPIs to measure progress against your security goals.

    Key Benefits Achieved

    Learn how to develop KPIs

    Prioritized list of security goals

    Activities

    2.1 Continue SMART goal development.

    2.2 Sort goals into types.

    2.3 Rephrase goals as KPIs and list associated metric(s).

    2.4 Continue KPI development.

    Outputs

    KPI Evolution Worksheet

    3 Metrics Prioritization

    The Purpose

    Determine which metrics will be included in the initial program launch.

    Key Benefits Achieved

    A set of realistic and manageable goals-based metrics.

    Activities

    3.1 Lay out prioritization criteria.

    3.2 Determine priority metrics (implementation).

    3.3 Determine priority metrics (improvement & organizational trend).

    Outputs

    Prioritized metrics

    Tool for tracking and presentation

    4 Metrics Reporting

    The Purpose

    Strategize presentation based around metric type to indicate organization’s risk posture.

    Key Benefits Achieved

    Develop versatile reporting techniques

    Activities

    4.1 Review metric types and discuss reporting strategies for each.

    4.2 Develop a story about risk.

    4.3 Discuss the use of KPXs and how to scale for less mature programs.

    Outputs

    Key Performance Index Tool and presentation materials

    Further reading

    Build a Security Metrics Program to Drive Maturity

    Good metrics come from good goals.

    ANALYST PERSPECTIVE

    Metrics are a maturity driver.

    "Metrics programs tend to fall into two groups: non-existent and unhelpful.

    The reason so many security professionals struggle to develop a meaningful metrics program is because they are unsure of what to measure or why.

    The truth is, for metrics to be useful, they need to be tied to something you care about – a state you are trying to achieve. In other words, some kind of goal. Used this way, metrics act as the scoreboard, letting you know if you’re making progress towards your goals, and thus, boosting your overall maturity."

    Logan Rohde, Research Analyst, Security Practice Info-Tech Research Group

    Executive summary

    Situation

    • Many security leaders put off adding metrics to their program because they don't know where to start or how to assess what is worth measuring.

    Complication

    • Sometimes, this uncertainty causes the belief that their security programs are not mature enough for metrics to be worthwhile.
    • Because metrics can become very technical and precise, it's easy to think they're inherently complicated (not true).

    Resolution

    • A metric, really, is just a measure of success against a given goal. Gradually, programs will achieve their goals and set new, more specific goals, and with them comes more specific metrics.
    • It is not necessary to jump into highly technical metrics right away. A lot can be gained from metrics that track behaviors.
    • A metrics program can be very simple and still effectively demonstrate the value of security to the organization. The key is to link your metrics to the goals or objectives the security team is pursuing, even if they are simple implementation plans (e.g. percentage of departments that have received security training).

    Info-Tech Insight

    1. Metrics lead to maturity, not vice versa
      • Tracking metrics helps you assess progress and regress in your security program. This helps you quantify the maturity gains you’ve made and continue to make informed strategic decisions.
    2. The best metrics are tied to goals
      • Tying your metrics to goals ensures that you are collecting metrics for a specific purpose rather than just to watch the numbers change.

    Our understanding of the problem

    This Research is Designed For:

    • CISO

    This Research Will Help You:

    • Understand the value of metrics.
    • Right-size a metrics program based on your organization’s maturity and risk profile.
    • Tie metrics to goals to create meaningful KPIs.
    • Develop strategies to effectively communicate the right metrics to stakeholders.

    This Research Will Also Assist:

    • CIO
    • Security Manager
    • Business Professionals

    This Research Will Help Them:

    • Become informed on the metrics that matter to them.
    • Understand that investment in security is an investment in the business.
    • Feel confident in the progress of the organization’s security strategy.

    Info-Tech’s framework integrates several best practices to create a best-of-breed security framework

    Information Security Framework

    Governance

    • Context and Leadership
      • Information Security Charter
      • Information Security Organizational Structure
      • Culture and Awareness
    • Evaluation and Direction
      • Security Risk Management
      • Security Policies
      • Security Strategy and Communication
    • Compliance, Audit, and Review
      • Security Compliance Management
      • External Security Audit
      • Internal Security Audit
      • Management Review of Security

    Management

    • Prevention
      • Identity Security
        • Identity and Access Management
      • Data Security
        • Hardware Asset Management
        • Data Security & Privacy
      • Infrastructure Security
        • Network Security
        • Endpoint Security
        • Malicious Code
        • Application Security
        • Vulnerability Management
        • Cryptography Management
        • Physical Security
        • Cloud Security
      • HR Security
        • HR Security
      • Change and Support
        • Configuration and Change Management
        • Vendor Management
    • Detection
      • Security Threat Detection
      • Log and Event Management
    • Response and Recovery
      • Security Incident Management
      • Information Security in BCM
      • Security eDiscovery and Forensics
      • Backup and Recovery
    • Measurement
      • Metrics Program
      • Continuous Improvement

    Metrics help to improve security-business alignment

    While business leaders are now taking a greater interest in cybersecurity, alignment between the two groups still has room for improvement.

    Key statistics show that just...

    5% of public companies feel very confident that they are properly secured against a cyberattack.

    41% of boards take on cybersecurity directly rather than allocating it to another body (e.g. audit committee).

    19% of private companies do not discuss cybersecurity with the board.

    (ISACA, 2018)

    Info-Tech Insight

    Metrics help to level the playing field

    Poor alignment between security and the business often stems from difficulties with explaining how security objectives support business goals, which is ultimately a communication problem.

    However, metrics help to facilitate these conversations, as long as the metrics are expressed in practical, relatable terms.

    Security metrics benefit the business

    Executives get just as much out of management metrics as the people running them.

    1. Metrics assuage executives’ fears
      • Metrics help executives (and security leaders) feel more at ease with where the company is security-wise. Metrics help identify areas for improvement and gaps in the organization’s security posture that can be filled. A good metrics program will help identify deficiencies in most areas, even outside the security program, helping to identify what work needs to be done to reduce risk and increase the security posture of the organization.
    2. Metrics answer executives’ questions
      • Numbers either help ease confusion or signify other areas for improvement. Offering quantifiable evidence, in a language that the business can understand, offers better understanding and insight into the information security program. Metrics also help educate on types of threats, staff needed for security, and budget needs to decrease risk based on management’s threat tolerance. Metrics help make an organization more transparent, prepared, and knowledgeable.
    3. Metrics help to continually prove security’s worth
      • Traditionally, the security team has had to fight for a seat at the executive table, with little to no way to communicate with the business. However, the new trend is that the security team is now being invited before they have even asked to join. This trend allows the security team to better communicate on the organization’s security posture, describe threats and vulnerabilities, present a “plan of action,” and get a pulse on the organization’s risk tolerance.

    Common myths make security metrics seem challenging

    Security professionals have the perception that metrics programs are difficult to create. However, this attitude usually stems from one of the following myths. In reality, security metrics are much simpler than they seem at first, and they usually help resolve existing challenges rather than create new ones.

    Myth Truth
    1 There are certain metrics that are important to all organizations, based on maturity, industry, etc. Metrics are indications of change; for a metric to be useful it needs to be tied to a goal, which helps you understand the change you're seeing as either a positive or a negative. Industry and maturity have little bearing here.
    2 Metrics are only worthwhile once a certain maturity level is reached Metrics are a tool to help an organization along the maturity scale. Metrics help organizations measure progress of their goals by helping them see which tactics are and are not working.
    3 Security metrics should focus on specific, technical details (e.g. of systems) Metrics are usually a means of demonstrating, objectively, the state of a security program. That is, they are a means of communicating something. For this reason, it is better that metrics be phrased in easily digestible, non-technical terms (even if they are informed by technical security statistics).

    Tie your metrics to goals to make them worthwhile

    SMART metrics are really SMART goals.

    Specific

    Measurable

    Achievable

    Realistic

    Timebound

    Achievable: What is an achievable metric?

    When we say that a metric is “achievable,” we imply that it is tied to a goal of some kind – the thing we want to achieve.

    How do we set a goal?

    1. Determine what outcome you are trying to achieve.
      • This can be small or large (e.g. I want to determine what existing systems can provide metrics, or I want a 90% pass rate on our monthly phishing tests).
    2. Decide what indicates that you’ve achieved your goal.
      • At what point would you be satisfied with the progress made on the initiative(s) you’re working on? What conditions would indicate victory for you and allow you to move on to another goal?
    3. Develop a key performance indicator (KPI) to measure progress towards that goal.
      • Now that you’ve defined what you’re trying to achieve, find a way to indicate progress in relative or relational terms (e.g. percentage change from last quarter, percentage of implementation completed, ratio of programs in place to those still needing implementation).

    Info-Tech’s security metrics methodology is repeatable and iterative to help boost maturity

    Security Metric Lifecycle

    Start:

    Review current state and decide on priorities.

    Set a SMART goal for improvement.

    Develop an appropriate KPI.

    Use KPI to monitor program improvement.

    Present metrics to the board.

    Revise metrics if necessary.

    Metrics go hand in hand with your security strategy

    A security strategy is ultimately a large goal-setting exercise. You begin by determining your current maturity and how mature you need to be across all areas of information security, i.e. completing a gap analysis.

    As such, linking your metrics program to your security strategy is a great way to get your metrics program up and running – but it’s not the only way.

    Check out the following Info-Tech resource to get started today:

    Build an Information Security Strategy

    The value of security metrics goes beyond simply increasing security

    This blueprint applies to you whether you need to develop a metrics program from scratch or optimize and update your current strategy.

    Value of engaging in security metrics:

    • Increased visibility into your operations.
    • Improved accountability.
    • Better communication with executives as a result of having hard evidence of security performance.
    • Improved security posture through better understanding of what is working and what isn’t within the security program.

    Value of Info-Tech’s security metrics blueprint:

    • Doesn’t overwhelm you and allows you to focus on determining the metrics you need to worry about now without pressuring you to do it all at once.
    • Helps you develop a growth plan as your organization and metrics program mature, so you continue to optimize.
    • Creates effective communication. Prepares you to present the metrics that truly matter to executives rather than confusing them with unnecessary data. Pay attention to metric accuracy and reproducibility. No management wants inconsistent reporting.

    Impact

    Short term: Streamline your program. Based on your organization’s specific requirements and risk profile, figure out which metrics are best for now while also planning for future metrics as your organization matures.

    Long term: Once the program is in place, improvements will come with increased visibility into operations. Investments in security will be encouraged when more evidence is available to executives, contributing to overall improved security posture. Potential opportunities for eventual cost savings also exist as there is more informed security spending and fewer incidents.

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    “Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.”

    Guided Implementation

    “Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.”

    Workshop

    “We need to hit the ground running and get this project kicked-off immediately. Our team has the ability to take this over once we get a framework and strategy in place.”

    Consulting

    “Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”

    Diagnostics and consistent frameworks used throughout all four options

    Link Security Metrics to Goals to Boost Maturity – Project Overview

    1. Link Security Metrics to Goals to Boost Maturity 2. Adapt Your Reporting Strategy for Various Metric Types
    Best-Practice Toolkit

    1.1 Review current state and set your goals

    1.2 Develop KPIs and prioritize your goals

    1.3 Implement and monitor the KPI to track goal progress

    2.1 Review best practices for presenting metrics

    2.2 Strategize your presentation based on metric type

    2.3 Tailor presentation to your audience

    2.4 Use your metrics to create a story about risk

    2.5 Revise your metrics

    Guided Implementations
    • Call 1: Setting Goals
    • Call 2: KPI Development
    • Call 1: Best Practices and Reporting Strategy
    • Call 2: Build a Dashboard and Presentation Deck
    Onsite Workshop Module 1: Current State, Initiatives, Goals, and KPIs Module 2: Metrics Reporting

    Phase 1 Outcome:

    • KPI development and populated metrics tracking tool.

    Phase 2 Outcome:

    • Reporting strategy with dashboard and presentation deck.

    Workshop overview

    Contact your account representative or email Workshops@InfoTech.com for more information.

    Workshop Day 1 Workshop Day 2 Workshop Day 3 Workshop Day 4 Workshop Day 5
    Activities

    Current State, Initiatives, and Goals

    • Discuss current state and existing approach to metrics.
    • Review contract metrics already in place (or available).
    • Determine security areas that should be measured.
    • Determine which stakeholders are involved.
    • Review current initiatives to address those risks (security strategy, if in place).
    • Begin developing SMART goals for your initiative roadmap.

    KPI Development

    • Continue SMART goal development.
    • Sort goals into types.
    • Rephrase goals as KPIs and list associated metric(s).
    • Continue KPI development.

    Metrics Prioritization

    • Lay out prioritization criteria.
    • Determine priority metrics (implementation).
    • Determine priority metrics (improvement & organizational trend).

    Metrics Reporting

    • Review metric types and discuss reporting strategies for each.
    • Develop a story about risk.
    • Discuss the use of KPXs and how to scale for less mature programs.

    Offsite Finalization

    • Review and finalization of documents drafted during workshop.
    Deliverables
    1. Gap analysis results
    1. Completed KPI development templates
    1. Prioritized metrics and tool for tracking and presentation.
    1. Key Performance Index tool and presentation materials.
    1. Finalization of completed deliverables

    Phase 1

    Link Security Metrics to Goals to Boost Maturity


    Phase 1

    1.1 Review current state and set your goals

    1.2 Develop KPIs and prioritize your goals

    1.3 Implement and monitor KPIs

    This phase will walk you through the following activities:

    • Current state assessment
    • Setting SMART goals
    • KPI development
    • Goals prioritization
    • KPI implementation

    This phase involves the following participants:

    • Security Team

    Outcomes of this phase

    • Goals-based KPIs
    • Security Metrics Determination and Tracking Tool

    Phase 1 outline

    Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

    Complete these steps on your own or call us to complete a guided implementation. A guided implementation is a series of two to three advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

    Guided Implementation 1: Link Security Metrics to Goals to Boost Maturity

    Proposed Time to Completion: 2-4 weeks

    Step 1.1: Setting Goals

    Start with an analyst kick-off call:

    • Determine current and target maturity for various security programs.
    • Develop SMART Goals.

    Then complete these activities…

    • CMMI Assessment

    Step 1.2 – 1.3: KPI Development

    Review findings with analyst:

    • Prioritize goals
    • Develop KPIs to track progress on goals
    • Track associated metrics

    Then complete these activities…

    • KPI Development

    With these tools & templates:

    • KPI Development Worksheet
    • Security Metrics Determination and Tracking Tool

    Phase 1 Results & Insights:

    • Basic Metrics program

    1.1 Review current state and set your goals

    120 minutes

    Let’s put the security program under the microscope.

    Before program improvement can take place, it is necessary to look at where things are at presently (in terms of maturity) and where we need to get them to.

    In other words, we need to perform a security program gap analysis.

    Info-Tech Best Practice

    The most thorough way of performing this gap analysis is by completing Info-Tech’s Build an Information Security Strategy blueprint, as it will provide you with a prioritized list of initiatives to boost your security program maturity.

    Completing an abbreviated gap analysis...

    • Security Areas
    • Network Security
    • Endpoint Security
    • Vulnerability Management
    • Identity Access Management
    • Incident Management
    • Training & Awareness
    • Compliance, Audit, & Review
    • Risk Management
    • Business Alignment & Governance
    • Data Security
    1. Using the CMMI scale on the next slide, assess your maturity level across the security areas to the left, giving your program a score from 1-5. Record your assessment on a whiteboard.
    2. Zone in on your areas of greatest concern and choose 3 to 5 areas to prioritize for improvement.
    3. Set a SMART goal for improvement, using the criteria on goals slides.

    Use the CMMI scale to contextualize your current maturity

    Use the Capability Maturity Model Integration (CMMI) scale below to help you understand your current level of maturity across the various areas of your security program.

    1. Initial
      • Incident can be managed. Outcomes are unpredictable due to lack of a standard operating procedure.
    2. Repeatable
      • Process in place, but not formally implemented or consistently applied. Outcomes improve but still lack predictability.
    3. Defined
      • Process is formalized and consistently applied. Outcomes become more predictable, due to consistent handling procedure.
    4. Managed
      • Process shows signs of maturity and can be tracked via metrics. Moving towards a predictive approach to incident management.
    5. Optimizing
      • Process reaches a fully reliable level, though improvements still possible. Regularity allows for process to be automated.

    (Adapted from the “CMMI Institute Maturity Model”)

    Base your goals around the five types of metrics

    Choose goals that make sense – even if they seem simple.

    The most effective metrics programs are personalized to reflect the goals of the security team and the business they work for. Using goals-based metrics allows you to make incremental improvements that can be measured and reported on, which makes program maturation a natural process.

    Info-Tech Best Practice

    Before setting a SMART goal, take a moment to consider your maturity for each security area, and which metric type you need to collect first, before moving to more ambitious goals.

    Security Areas

    • Network Security
    • Endpoint Security
    • Vulnerability Management
    • Identity Access Management
    • Incident Management
    • Training & Awareness
    • Compliance, Audit & Review
    • Risk Management
    • Business Alignment & Governance
    • Data Security
    Metric Type Description
    Initial Probe Determines what can be known (i.e. what sources for metrics exist?).
    Baseline Testing Establishes organization’s normal state based on current metrics.
    Implementation Focuses on setting up a series of related processes to increase organizational security (i.e. roll out MFA).
    Improvement Sets a target to be met and then maintained based on organizational risk tolerance.
    Organizational Trends Culls together several metrics to track (sometimes predict) how various trends affect the organization’s overall security. Usually focuses on large-scale issues (e.g. likelihood of a data breach).

    Set SMART goals for your security program

    Specific

    Measurable

    Achievable

    Realistic

    Timebound

    Now that you have determined which security areas you’d like to improve, decide on a goal that meets the SMART criteria.

    Examples of possible goals for various maturity levels:

    1. Perform initial probe to determine number of systems capable of providing metrics by the end of the week.
    2. Take baseline measurements each month for three months to determine organization’s baseline state.
    3. Implement a vulnerability management program to improve baseline state by the end of the quarter.
    4. Improve deployment of critical patches by applying 90% of them within the set window by the end of the year.
    5. Demonstrate how vulnerability management affects broad organizational trends at quarterly report to senior leadership.

    Compare the bolded text in these examples with the metric types on the previous slide

    Record and assess your goals in the Security Metrics Determination and Tracking Tool

    1.1 Security Metrics Determination and Tracking Tool

    Use tab “2. Identify Security Goals” to document and assess your goals.

    To increase visibility into the cost, effort, and value of any given goal, assess them using the following criteria:

    • Initial Cost
    • Ongoing Cost
    • Initial Staffing
    • Ongoing Staffing
    • Alignment w/Business
    • Benefit

    Use the calculated Cost/Effort Rating, Benefit Rating, and Difference Score later in this project to help with goal prioritization.

    Info-Tech Best Practice

    If you have already completed a security strategy with Info-Tech resources, this work may likely have already been done. Consult your Information Security Program Gap Analysis Tool from the Build an Information Security Strategy research.

    1.2 Develop KPIs and prioritize your goals

    There are two paths to success.

    At this time, it is necessary to evaluate the priorities of your security program.

    Option 1: Progress to KPI Development

    • If you would like practice developing KPIs for multiple goals to get used to the process, move to KPI development and then assess which goals you can pursue now based on resources available, saving the rest for later.

    Option 2: Progress to Prioritization of Goals

    • If you are already comfortable with KPI development and do not wish to create extras for later use, then prioritize your goals first and then develop KPIs for them.

    Phase 1 Schematic

    • Gap Analysis
    • Set SMART Goals (You are here.)
      • Develop KPIs
    • Prioritize Goals
    • Implement KPI & Monitor
    • Phase 2

    Develop a key performance indicator (KPI)

    Find out if you’re meeting your goals.

    Terms like “key performance indicator” may make this development practice seem more complicated than it really is. A KPI is just a single metric used to measure success towards a goal. In relational terms (i.e. as a percentage, ratio, etc.) to give it context (e.g. % of improvement over last quarter).

    KPI development is about answering the question: what would indicate that I have achieved my goal?

    To develop a KPI follow these steps:

    1. Review the case study on the following slides to get a sense of how KPIs can start simple and general and get more specific and complex over time.
    2. Using the example to the right, sort your SMART goals from step 1.1 into the various metric types, then determine what success would look like for you. What outcome are you trying to achieve? How will you know when you’ve achieved it?
    3. Fill out the KPI Development Worksheets to create sample KPIs for each of the SMART goals you have created. Ensure that you complete the accompanying KPI Checklist.

    KPIs differ from goal to goal, but their forms follow certain trends

    Metric Type KPI Form
    Initial Probe Progress of probe (e.g. % of systems checked to see if they can supply metrics).
    Baseline Testing What current data shows (e.g. % of systems needing attention).
    Implementation Progress of the implementation (e.g. % of complete vulnerability management program implementation).
    Improvement The threshold or target to be achieved and maintained (e.g. % of incidents responded to within target window).
    Organizational Trends The interplay of several KPIs and how they affect the organization’s risk posture (e.g. assessing the likelihood for a data breach).

    Explore the five metric types

    1. Initial Probe

    Focused on determining how many sources for metrics exist.

    • Question: What am I capable of knowing?
    • Goal: To determine what level of insight we have into our security processes.
    • Possible KPI: % of systems for which metrics are available.
    • Decision: Do we have sufficient resources available to collect metrics?

    2. Baseline Testing

    Focused on gaining initial insights about the state of your security program (what are the measurements?).

    • Question: Does this data suggest areas for improvement?
    • Goal: To create a roadmap for improvement.
    • Possible KPI: % of systems that provide useful metrics to measure improvement.
    • Decision: Is it necessary to acquire tools to increase, enhance, or streamline the metrics-gathering process?

    Info-Tech Insight

    Don't lose hope if you lack resources to move beyond these initial steps. Even if you are struggling to pull data, you can still draw meaningful metrics. The percent or ratio of processes or systems you lack insight into can be very valuable, as it provides a basis to initiate a risk-based discussion with management about the organization's security blind spots.

    Explore the five metric types (cont’d)

    3. Program Implementation

    Focused on developing a basic program to establish basic maturity (e.g. implement an awareness and training program).

    • Question: What needs to be implemented to establish basic maturity?
    • Goal: To begin closing the gap between current and desired maturity.
    • Possible KPI: % of implementation completed.
    • Decision: Have we achieved a formalized and repeatable process?

    4. Improvement

    Focused on attaining operational targets to lower organizational risk.

    • Question: What other related activities could help to support this goal (e.g. regular training sessions)?
    • Goal: To have metrics operate above or below a certain threshold (e.g. lower phishing-test click rate to an average of 10% across the organization)
    • Possible KPI: Phishing click rate %
    • Decision: What other metrics should be tracked to provide insight into KPI fluctuations?

    Info-Tech Insight

    Don't overthink your KPI. In many cases it will simply be your goal rephrased to express a percentage or ratio. In others, like the example above, it makes sense for them to be identical.

    5. Organizational Impact

    Focused on studying several related KPIs (Key Performance Index, or KPX) in an attempt to predict risks.

    • Question: What risks does the organization need to address?
    • Goal: To provide high-level summaries of several metrics that suggest emerging or declining risks.
    • Possible KPI: Likelihood of a given risk (based on the trends of the KPX).
    • Decision: Accept the risk, transfer the risk, mitigate the risk?

    Case study: Healthcare example

    Let’s take a look at KPI development in action.

    Meet Maria, the new CISO at a large hospital that desperately needs security program improvements. Maria’s first move was to learn the true state of the organization’s security. She quickly learned that there was no metrics program in place and that her staff were unaware what, if any, sources were available to pull security metrics from.

    After completing her initial probe into available metrics and then investigating the baseline readings, she determined that her areas of greatest concern were around vulnerability and access management. But she also decided it was time to get a security training and awareness program up and running to help mitigate risks in other areas she can’t deal with right away.

    See examples of Maria’s KPI development on the next four slides...

    Info-Tech Insight

    There is very little variation in the kinds of goals people have around initial probes and baseline testing. Metrics in these areas are virtually always about determining what data sources are available to you and what that data actually shows. The real decisions start in determining what you want to do based on the measures you’re seeing.

    Metric development example: Vulnerability Management

    See examples of Maria’s KPI development on the next four slides...

    Implementation

    Goal: Implement vulnerability management program

    KPI: % increase of insight into existing vulnerabilities

    Associated Metric: # of vulnerability detection methods

    Improvement

    Goal: Improve deployment time for patches

    KPI: % of critical patches fully deployed within target window

    • Associated Metric 1: # of critical vulnerabilities not patched
    • Associated Metric 2: # of patches delayed due to lack of staff
    • Associated Metric X

    Metric development example: Identity Access Management

    Implementation

    Goal: Implement MFA for privileged accounts

    KPI: % of privileged accounts with MFA applied

    Associated Metric: # of privileged accounts

    Improvement

    Goal: Remove all unnecessary privileged accounts

    KPI: % of accounts with unnecessary privileges

    • Associated Metric 1: # of privileged accounts
    • Associated Metric 2: # of necessary privileged accounts
    • Associated Metric X

    Metric development example: Training and Awareness

    Implementation

    Goal: Implement training and awareness program

    KPI: % of organization trained

    Associated Metric: # of departments trained

    Improvement

    Goal: Improve time to report phishing

    KPI: % of phishing cases reported within target window

    • Associated Metric 1: # of phishing tests
    • Associated Metric 2: # of training sessions
    • Associated Metric X

    Metric development example: Key Performance Index

    Organizational Trends

    Goal: Predict Data Breach Likelihood

    • KPX 1: Insider Threat Potential
      • % of phishing cases reported within target window
        • Associated Metrics:
          • # of phishing tests
          • # of training sessions
      • % of critical patches fully deployed within target window
        • Associated Metrics:
          • # of critical vulnerabilities not patched
          • # of patches delayed due to lack of staff
      • % of accounts with unnecessary privileges
        • Associated Metrics:
          • # of privileged accounts
          • # of necessary privileged accounts
    • KPX 2: Data Leakage Issues
      • % of incidents related to unsecured databases
        • Associated Metrics:
          • # of unsecured databases
          • # of business-critical databases
      • % of misclassified data
        • Associated Metrics:
          • # of misclassified data reports
          • # of DLP false positives
      • % of incidents involving data-handling procedure violations.
        • Associated Metrics:
          • # of data processes with SOP
          • # of data processes without SOP
    • KPX 3: Endpoint Vulnerability Issues
      • % of unpatched critical systems
        • Associated Metrics:
          • # of unpatched systems
          • # of missed patches
      • % of incidents related to IoT
        • Associated Metrics:
          • # of IoT devices
          • # of IoT unsecure devices
      • % of incidents related to BYOD
        • Associated Metrics:
          • # of end users doing BYOD
          • # of BYOD incidents

    Develop Goals-Based KPIs

    1.2 120 minutes

    Materials

    • Info-Tech KPI Development Worksheets

    Participants

    • Security Team

    Output

    • List of KPIs for immediate and future use (can be used to populate Info-Tech’s KPI Development Tool).

    It’s your turn.

    Follow the example of the CISO in the previous slides and try developing KPIs for the SMART goals set in step 1.1.

    • To begin, decide if you are starting with implementation or improvement metrics.
    • Enter your goal in the space provided on the left-hand side and work towards the right, assigning a KPI to track progress towards your goal.
    • Use the associated metrics boxes to record what raw data will inform or influence your KPI.
      • Associated metrics are connected to the KPI box with a segmented line. This is because these associated metrics are not absolutely necessary to track progress towards your goal.
      • However, if a KPI starts trending in the wrong direction, these associated metrics would be used to determine where the problem has occurred.
    • If desired, bundle together several related KPIs to create a key performance index (KPX), which is used to forecast the likelihood of certain risks that would have a major business impact (e.g. potential for insider threat, or risk for a data breach).

    Record KPIs and assign them to goals in the Security Metrics Determination and Tracking Tool

    1.2 Security Metrics Determination and Tracking Tool

    Document KPI metadata in the tool and optionally assign them to a goal.

    Tab “3. Identify Goal KPIs” allows you to record each KPI and its accompanying metadata:

    • Source
    • Owner
    • Audience
    • KPI Target
    • Effort to Collect
    • Frequency of Collection
    • Comments

    Optionally, each KPI can be mapped to goals defined on tab “2. Identify Security Goals.”

    Info-Tech Best Practice

    Ensure your metadata is comprehensive, complete, and realistic. A different employee should be able to use only the information outlined in the metadata to continue collecting measurements for the program.

    Complete Info-Tech’s KPI Development Worksheets

    1.2 KPI Development Worksheet

    Use these worksheets to model the maturation of your metrics program.

    Follow the examples contained in this slide deck and practice creating KPIs for:

    • Implementation metrics
    • Improvement metrics
    • Organizational trends metrics

    As well as drafting associated metrics to inform the KPIs you create.

    Info-Tech Best Practice

    Keep your metrics program manageable. This exercise may produce more goals, metrics, and KPIs than you deal with all at once. But that doesn’t mean you can’t save some for future use.

    Build an effort map to prioritize your SMART goals

    1.2 120 minutes

    Materials

    • Whiteboard
    • Sticky notes
    • Laptop

    Participants

    • Security team
    • Other stakeholders

    Output

    • Prioritized list of SMART goals

    An effort map visualizes a cost and benefit analysis. It is a quadrant output that visually shows how your SMART goals were assessed. Use the calculated Cost/Effort Rating and Benefit Rating values from tab “2. Identify Security Goals” of the Security Metrics Determination and Tracking Tool to aid this exercise.

    Steps:

    1. Establish the axes and colors for your effort map:
      1. X-axis (horizontal) - Security benefit
      2. Y-axis (vertical) - Overall cost/effort
      3. Sticky color - Business alignment
    2. Create sticky notes for each SMART goal and place them onto the effort map based on your determined axes.
      • Goal # Example Security Goal - Benefit (1-12) - Cost (1-12)

    The image shows a matric with four quadrants. The X-axis is labelled Low Benefit on the left side and High benefit on the right side. The Y-axis is labelled Low cost at the top and High cost at the bottom. The top left quadrant is labelled Could Dos, the top right quadrant is labelled Must Dos, the lower left quadrant is labelled May Not Dos, and the lower right quadrant is Should Dos. On the right, there are three post-it style notes, the blue one labelled High Alignment, the yellow labelled Medium Alignment, and the pink labelled Low Alignment.

    1.3 Implement and monitor the KPI to track goal progress

    Let’s put your KPI into action!

    Now that you’ve developed KPIs to monitor progress on your goals, it’s time to use them to drive security program maturation by following these steps:

    1. Review the KPI Development Worksheets (completed in step 1.2) for your prioritized list of goals. Be sure that you are able to track all of the associated metrics you have identified.
    2. Track the KPI and associated metrics using Info-Tech’s KPI Development Tool (see following slide).
    3. Update the data as necessary according to your SMART criteria of your goal.

    A Word on Key Risk Indicators...

    The term key risk indicator (KRI) gets used in a few different ways. However, in most cases, KRIs are closely associated with KPIs.

    1. KPIs and KRIs are the same thing
      • A KPI, at its core, is really a measure of risk. Sometimes it is more effective to emphasize that risk rather than performance (i.e. the data shows you’re not meeting your goal).
    2. KRI is KPI going the wrong way
      • After achieving the desired threshold for an improvement goal, our new goal is usually to maintain such a state. When this balance is upset, it indicates that settled risk has once again become active.
    3. KRI as a predictor of emerging risks
      • When organizations reach a highly mature state, they often start assessing how events external to the organization can affect the optimal performance of the organization. They monitor such events or trends and try to predict when the organization is likely to face additional risks.

    Track KPIs in the Security Metrics Determination and Tracking Tool

    1.3 Security Metrics Determination and Tracking Tool

    Once a metric has been measured, you have the option of entering that data into tab “4. Track Metrics” of the Tool.

    Tracking metric data in Info-Tech's tool provides the following data visualizations:

    • Sparklines at the end of each row (on tab “4. Track Metrics”) for a quick sense of metric performance.
    • A metrics dashboard (on tab “5. Graphs”) with three graph options in two color variations for each metric tracked in the tool, and an overall metric program health gauge.

    Info-Tech Best Practice

    Be diligent about measuring and tracking your metrics. Record any potential measurement biases or comments on measurement values to ensure you have a comprehensive record for future use. In the tool, this can be done by adding a comment to a cell with a metric measurement.

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech workshop

    Book a workshop with our Info-Tech analysts:

    Workshops offer an easy way to accelerate your project. While onsite, our analysts will work with you and your team to facilitate the activities outlined in the blueprint.

    Getting key stakeholders together to formalize the program, while getting started on data discovery and classification, allows you to kickstart the overall program.

    In addition, leverage over-the-phone support through Guided Implementations included in advisory memberships to ensure the continuous improvement of the classification program even after the workshop.

    Logan Rohde

    Research Analyst – Security, Risk & Compliance Info-Tech Research Group

    Ian Mulholland

    Senior Research Analyst – Security, Risk & Compliance Info-Tech Research Group

    Call 1-888-670-8889 for more information.

    Phase 2

    Adapt Your Reporting Strategy for Various Metric Types


    Phase 2

    2.1 Review best practices for presenting metrics

    2.2 Strategize your presentation based on metric type

    2.3 Tailor your presentation to your audience

    2.4 Use your metrics to create a story about risk

    2.5 Revise Metrics

    This phase will walk you through the following activities:

    • Develop reporting strategy
    • Use metrics to create a story about risk
    • Metrics revision

    This phase involves the following participants:

    • Security Team

    Outcomes of this phase

    • Metrics Dashboard
    • Metrics Presentation Deck

    Phase 2 outline

    Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

    Complete these steps on your own or call us to complete a guided implementation. A guided implementation is a series of two to three advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

    Guided Implementation 2: Adapt Your Reporting Strategy for Various Metric Types

    Proposed Time to Completion: 2-4 weeks

    Step 2.1 – 2.3: Best Practices and Reporting Strategy

    Start with an analyst kick-off call:

    • Do’s and Don’ts of reporting metrics.
    • Strategize presentation based on metric type.

    Then complete these activities…

    • Strategy development for 3-5 metrics

    Step 2.4 – 2.5: Build a Dashboard and Presentation Deck

    Review findings with analyst:

    • Review strategies for reporting.
    • Compile a Key Performance Index.
    • Revise metrics.

    Then complete these activities…

    • Dashboard creation
    • Presentation development

    With these tools & templates:

    • Security Metrics Determination and Tracking Tool Template
    • Security Metrics KPX Dashboard Tool

    Phase 2 Results & Insights:

    • Completed reporting strategy with presentable dashboard

    2.1 Review best practices for presenting metrics

    Avoid technical details (i.e. raw data) by focusing on the KPI.

    • KPIs add context to understand the behavior and associated risks.

    Put things in terms of risk; it's the language you both understand.

    • This usually means explaining what will happen if not addressed and what you recommend.
    • There are always three options:
      • Address it completely
      • Address it partially
      • Do not address it (i.e. accept the risk)

    Explain why you’re monitoring metrics in terms of the goals you’re hoping to achieve.

    • This sets you up well to explain what you've been doing and why it's important for you to meet your goals.

    Choose between KPI or KRI as the presentation format.

    • Base your decision on whether you are trying to emphasize current success or risk.

    Match presentation with the audience.

    • Board presentations will be short; middle-management ones may be a bit longer.
    • Maximize your results by focusing on the minimum possible information to make sure you sufficiently get your point across.
    • With the board, plan on showing no more than three slides.

    Read between the lines.

    • It can be difficult to get time with the board, so you may find yourself in a trial and error position, so pay attention to cues or suggestions that indicate the board is interested in something.
    • If you can, make an ally to get the inside scoop on what the board cares about.

    Read the news if you’re stuck for content.

    • Board members are likely to have awareness (and interest) in large-scale risks like data breaches and ransomware.

    Present your metrics as a story.

    • Summarize how the security program looks to you and why the metrics lead you to see it this way.

    2.2 Strategize your presentation based on metric type (1 of 5)

    Metric Type: Initial Probe

    Scenario: Implementing your first metrics program.

    • All metrics programs start with determining what measurements you are capable of taking.

    Decisions: Do you have sufficient insight into the program? (i.e. do you need to acquire additional tools to collect metrics?)

    Strategy: If there are no barriers to this (e.g. budget), then focus your presentation on the fact that you are addressing the risk of not knowing what your organization's baseline state is and what potential issues exist but are unknown. This is likely the first phase of an improvement plan, so sketching the overall plan is a good idea too.

    • If budget is an issue, explain the risks associated with not knowing and what you would need to make it happen.

    Possible KPIs:

    • % of project complete.
    • % of systems that provide worthwhile metrics.

    Strategize your presentation based on metric type (2 of 5)

    Metric Type: Baseline Testing

    Scenario: You've taken the metrics to determine what your organization’s normal state is and you're now looking towards addressing your gaps or problem areas.

    Decisions: What needs to be prioritized first and why? Are additional resources required to make this happen?

    Strategy: Explain your impression of the organization's normal state and what you plan to do about it. In other words, what goals are you prioritizing and why? Be sure to note any challenges that may occur along the way (e.g. staffing).

    • If the board doesn't like to open their pocketbook, your best play is to explain what stands to happen (or is happening) if risks are not addressed.

    Possible KPIs:

    • % of goals complete.
    • % of metrics indicating urgent attention needed.

    Strategize your presentation based on metric type (3 of 5)

    Metric Type: Implementation

    Scenario: You are now implementing solutions to address your security priorities.

    Decisions: What, to you, would establish the basis of a program?

    Strategy: Focus on what you're doing to implement a certain security need, why, and what still needs to be done when you’re finished.

    • Example: To establish a training and awareness program, a good first step is to actually hold training sessions with each department. A single lecture is simple but something to build from. A good next step would be to hold regular training sessions or implement monthly phishing tests.

    Possible KPIs:

    • % of implementation complete (e.g. % of departments trained).

    Strategize your presentation based on metric type (4 of 5)

    Metric Type: Improvement

    Scenario: Now that a basic program has been established, you are looking to develop its maturity to boost overall performance (i.e. setting a new development goal).

    Decisions: What is a reasonable target, given the organization's risk tolerance and current state?

    Strategy: Explain that you're now working to tighten up the security program. Note that although things are improving, risk will always remain, so we need to keep it within a threshold that’s proportionate with our risk tolerance.

    • Example: Lower phishing-test click rate to 10% or less. Phishing will always be a risk, and just one slip up can have a huge effect on business (i.e. lost money).

    Possible KPIs:

    • % of staff passing the phishing test.
    • % of employees reporting phishing attempts within time window.

    Strategize your presentation based on metric type (5 of 5)

    Metric Type: Organizational Trends

    Scenario: You've reached a mature state and now how several KPIs being tracked. You begin to look at several KPIs together (i.e. a KPX) to assess the organization's exposure for certain broad risk trends.

    Decisions: Which KPIs can be used together to look at broader risks?

    Strategy: Focus on the overall likelihood of a certain risk and why you've chosen to assess it with your chosen KPIs. Spend some time discussing what factors affect the movement of these KPIs, demonstrating how smaller behaviors create a ripple effect that affects the organization’s exposure to large-scale risks.

    Possible KPX: Insider Threat Risk

    • % of phishing test failures.
    • % of critical patches missed.
    • % of accounts with unnecessary privileges.

    Change your strategy to address security challenges

    Even challenges can elicit useful metrics.

    Not every security program is capable of progressing smoothly through the various metric types. In some cases, it is impossible to move towards goals and metrics for implementation, improvement, or organizational trends because the security program lacks resources.

    Info-Tech Insight

    When your business is suffering from a lack of resources, acquiring these resources automatically becomes the goal that your metrics should be addressing. To do this, focus on what risks are being created because something is missing.

    When your security program is lacking a critical resource, such as staff or technology, your metrics should focus on what security processes are suffering due to this lack. In other words, what critical activities are not getting done?

    KPI Examples:

    • % of critical patches not deployed due to lack of staff.
    • % of budget shortfall to acquire vulnerability scanner.
    • % of systems with unknown risk due to lack of vulnerability scanner.

    2.3 Tailor presentation to your audience

    Metrics come in three forms...

    1. Raw Data

    • Taken from logs or reports, provides values but not context.
    • Useful for those with technical understanding of the organization’s security program.

    2. Management-Level

    • Raw data that has been contextualized and indicates performance of something (i.e. a KPI).
    • Useful for those with familiarity with the overall state of the security program but do not have a hands-on role.

    3. Board-Level

    • KPI with additional context indicating overall effect on the organization.
    • Useful for those removed from the security program but who need to understand the relationship between security, business goals, and cyber risk.

    For a metric to be useful it must...

    1. Be understood by the audience it’s being presented to.
      • Using the criteria on the left, choose which metric form is most appropriate.
    2. Indicate whether or not a certain target or goal is being met.
      • Don’t expect metrics to speak for themselves; explain what the indications and implications are.
    3. Drive some kind of behavioral or strategic change if that target or goal is not being met.
      • Metrics should either affirm that things are where you want them to be or compel you to take action to make an improvement. If not, it is not a worthwhile metric.

    As a general rule, security metrics should become decreasingly technical and increasingly behavior-based as they are presented up the organizational hierarchy.

    "The higher you travel up the corporate chain, the more challenging it becomes to create meaningful security metrics. Security metrics are intimately tied to their underlying technologies, but the last thing the CEO cares about is technical details." – Ben Rothke, Senior Information Security Specialist, Tapad.

    Plan for reporting success

    The future of your security program may depend on this presentation; make it count.

    Reporting metrics is not just another presentation. Rather, it is an opportunity to demonstrate and explain the value of security.

    It is also a chance to correct any misconceptions about what security does or how it works.

    Use the tips on the right to help make your presentation as relatable as possible.

    Info-Tech Insight

    There is a difference between data manipulation and strategic presentation: the goal is not to bend the truth, but to present it in a way that allows you to show the board what they need to see and to explain it in terms familiar to them.

    General Tips for a Successful Presentation

    Avoid jargon; speak in practical terms

    • The board won’t receive your message if they can’t understand you.
    • Explain things as simply as you can; they only need to know enough to make decisions about addressing cyber risk.

    Address compliance

    • Boards are often interested in compliance, so be prepared to talk about it, but clarify that it doesn't equal security.
    • Instead, use compliance as a bridge to discussing areas of the security program that need attention.

    Have solid answers

    • Try to avoid answering questions with the answer, “It depends.”
      • Depends on what?
      • Why?
      • What do you recommend?
    • The board is relying on you for guidance, so be prepared to clarify what the board is asking (you may have to read between the lines to do this).
    • Also address the pain points of board members and have answers to their questions about how to resolve them.

    2.4 Use your metrics to create a story about risk

    Become the narrator of your organization’s security program.

    Security is about managing risk. This is also its primary value to the organization. As such, risk should be the theme of the story you tell.

    "Build a cohesive story that people can understand . . . Raw metrics are valuable from an operations standpoint, but at the executive level, it's about a cohesive story that helps executives understand the value of the security program and keeps the company moving forward. "– Adam Ely, CSO and Co-Founder, Bluebox Security, qtd. by Tenable, 2016

    How to Develop Your Own Story...

    1. Review your security program goals and the metrics you’re using to track progress towards them. Then, decide which metrics best tell this story (i.e. what you’re doing and why).
      • Less is more when presenting metrics, so be realistic about how much your audience can digest in one sitting.
      • Three metrics is usually a safe number; choose the ones that are most representative of your goals.
    2. Explain why you chose the goals you did (i.e. what risks were you addressing?). Then, make an honest assessment of how the security program is doing as far as meeting those goals:
      • What’s going well?
      • What still needs improvement?
      • What about your metrics suggests this?
    3. Address how risks have changed and explain your new recommended course of action.
      • What risks were present when you started?
      • What risks remain despite your progress?
      • How do these risks affect the business operation and what can security do to help?

    Story arc for security metrics

    The following model encapsulates the basic trajectory of all story development.

    Use this model to help you put together your story about risk.

    Introduction: Overall assessment of security program.

    Initial Incident: Determination of the problems and associated risks.

    Rising Action: Creation of goals and metrics to measure progress.

    Climax: Major development indicated by metrics.

    Falling Action: New insights gained about organization’s risks.

    Resolution: Recommendations based on observations.

    Info-Tech Best Practice

    Follow this model to ensure that your metrics presentation follows a coherent storyline that explains how you assessed the problem, why you chose to address it the way you did, what you learned in doing so, and finally what should be done next to boost the security program’s maturity.

    Use a nesting-doll approach when presenting metrics

    Move from high-level to low-level to support your claims

    1. Avoid the temptation to emphasize technical details when presenting metrics. The importance of a metric should be clear from just its name.
    2. This does not mean that technical details should be disregarded entirely. Your digestible, high-level metrics should be a snapshot of what’s taking place on the security ground floor.
    3. With this in mind, we should think of our metrics like a nesting doll, with each metrics level being supported by the one beneath it.

    ...How do you know that?

    Board-Level KPI

    Mgmt.-Level KPI

    Raw Data

    Think of your lower-level metrics as evidence to back up the story you are telling.

    When you’re asked how you arrived at a given conclusion, you know it’s time to go down a level and to explain those results.

    Think of this like showing your work.

    Info-Tech Insight

    This approach is built into the KPX reporting format, but can be used for all metric types by drawing from your associated metrics and goals already achieved.

    Use one of Info-Tech’s dashboards to present your metrics

    2.4 Security Metrics Determination and Tracking Tool

    Choose the dashboard tool that makes the most sense for you.

    Info-Tech provides two options for metric dashboards to meet the varying needs of our members.

    If you’re just starting out, you’ll likely be inclined towards the dashboard within the Security Metrics Determination and Tracking Tool (seen here).

    The image shows a screenshot of the Security Metrics Determination and Tracking Tool.

    But if you’ve already got several KPIs to report on, you may prefer the Security Metrics KPX Dashboard Tool, featured on the following slides.

    Info-Tech Best Practice

    Not all graphs will be needed in all cases. When presenting, consider taking screenshots of the most relevant data and displaying them in Info-Tech’s Board-Level Security Metrics Presentation Template.

    Use one of Info-Tech’s dashboards to present your metrics

    2.4 Security Metrics KPX Dashboard

    Use Info-Tech’s Security Metrics KPX Dashboard to track and show your work.

    The image shows a screenshot of the Definitions section of the Security Metrics KPX Dashboard

    1. Start by customizing the definitions on tab 1 to match your organization’s understanding of high, medium, and low risk across the three impact areas (functional, informational, and recoverability).
    2. Next, enter up to 5 business goals that your security program supports.

    Use one of Info-Tech’s dashboards to present your metrics

    2.4 Security Metrics KPX Dashboard

    Use Info-Tech’s Security Metrics KPX Dashboard to track and show your work.

    The image shows a screenshot of tab 2 of the Security Metrics KPX Dashboard.

    1. On tab 2, enter the large-scale risk you are tracking
    2. Proceed by naming each of your KPXs after three broad risks that – to you – contribute to the large-scale risk.

    Use one of Info-Tech’s dashboards to present your metrics

    2.4 Security Metrics KPX Dashboard

    Use Info-Tech’s Security Metrics KPX Dashboard to track and show your work.

    The image is the same screenshot from the previous section, of tab 2 of the Security Metrics KPX Dashboard.

    1. Then, add up to five KPIs aimed at managing more granular risks that contribute to the broad risk.
    2. Assess the frequency and impact associated with these more granular risks to determine how likely it is to contribute to the broad risk the KPX is tracking.

    Use one of Info-Tech’s dashboards to present your metrics

    2.4 Security Metrics KPX Dashboard

    Use Info-Tech’s Security Metrics KPX Dashboard to track and show your work.

    The image is the same screenshot of tab 2 of the Security Metrics KPX Dashboard.

    1. Repeat as necessary for the other KPXs on tab 2.
    2. Repeat steps 3-7 for up to two more large-scale risks and associated KPXs on tabs 3 and 4.

    Use one of Info-Tech’s dashboards to present your metrics

    2.4 Security Metrics KPX Dashboard

    Use Info-Tech’s Security Metrics KPX Dashboard to track and show your work.

    The image shows a chart titled Business Alignment, with sample Business Goals and KPXs filled in.

    1. If desired, complete the Business Alignment evaluation (located to the right of KPX 2 on tabs 2-4) to demonstrate how well security is supporting business goals.

    "An important key to remember is to be consistent and stick to one framework once you've chosen it. As you meet with the same audiences repeatedly, having the same framework for reference will ensure that your communications become smoother over time." – Caroline Wong, Chief Strategy Officer, Cobalt.io

    Use one of Info-Tech’s dashboards to present your metrics

    2.4 Security Metrics KPX Dashboard

    Use Info-Tech’s Security Metrics KPX Dashboard to track and show your work.

    The image shows a screenshot of the dashboard on tab 5 of the Security Metrics KPX Dashboard.

    1. Use the dashboard on tab 5 to help you present your security metrics to senior leadership.

    Use one of Info-Tech’s dashboards to present your metrics

    2.4 Security Metrics KPX Dashboard

    Use Info-Tech’s Security Metrics KPX Dashboard to track and show your work.

    The image shows the same screenshot of Tab 2 of the Security Metrics KPX Dashboard that was shown in previous sections.

    Best Practice:

    This tool helps you convert your KPIs into the language of risk by assessing frequency and severity, which helps to make the risk relatable for senior leadership. However, it is still useful to track fluctuations in terms of percentage. To do this, track changes in the frequency, severity, and trend scores from quarter to quarter.

    Customize Info-Tech’s Security Metrics Presentation Template

    2.4 Board-Level Security Metrics Presentation Template

    Use the Board-Level Security Metrics Presentation Template deck to help structure and deliver your metrics presentation to the board.

    To make the dashboard slide, simply copy and paste the charts from the dashboard tool and arrange the images as needed.

    Adapt the status report and business alignment slides to reflect the story about risk that you are telling.

    2.5 Revise your metrics

    What's next?

    Now that you’ve made it through your metrics presentation, it’s important to reassess your goals with feedback from your audience in mind. Use the following workflow.

    The image shows a flowchart titled Metrics-Revision Workflow. The flowchart begins with the question Have you completed your goal? and then works through multiple potential answers.

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech workshop

    Book a workshop with our Info-Tech analysts:

    Workshops offer an easy way to accelerate your project. While onsite, our analysts will work with you and your team to facilitate the activities outlined in the blueprint.

    Getting key stakeholders together to formalize the program, while getting started on data discovery and classification, allows you to kickstart the overall program.

    In addition, leverage over-the-phone support through Guided Implementations included in advisory memberships to ensure the continuous improvement of the classification program even after the workshop.

    Logan Rohde

    Research Analyst – Security, Risk & Compliance Info-Tech Research Group

    Ian Mulholland

    Senior Research Analyst – Security, Risk & Compliance Info-Tech Research Group

    Call 1-888-670-8889 for more information.

    Insight breakdown

    Metrics lead to maturity, not vice versa.

    • Tracking metrics helps you assess progress and regress in your security program, which helps you quantify the maturity gains you’ve made.

    Don't lose hope if you lack resources to move beyond baseline testing.

    • Even if you are struggling to pull data, you can still draw meaningful metrics. The percent or ratio of processes or systems you lack insight into can be very valuable, as it provides a basis to initiate a risk-based discussion with management about the organization's security blind spots.

    The best metrics are tied to goals.

    • Tying your metrics to goals ensures that you are collecting metrics for a specific purpose rather than just to watch the numbers change.

    Summary of accomplishment

    Knowledge Gained

    • Current maturity assessment of security areas
    • Setting SMART goals
    • Metric types
    • KPI development
    • Goals prioritization
    • Reporting and revision strategies

    Processes Optimized

    • Metrics development
    • Metrics collection
    • Metrics reporting

    Deliverables Completed

    • KPI Development Worksheet
    • Security Metrics Determination and Tracking Tool
    • Security Metrics KPX Dashboard Tool
    • Board-Level Security Metrics Presentation Template

    Research contributors and experts

    Mike Creaney, Senior Security Engineer at Federal Home Loan Bank of Chicago

    Peter Chestna, Director, Enterprise Head of Application Security at BMO Financial Group

    Zane Lackey, Co-Founder / Chief Security Officer at Signal Sciences

    Ben Rothke, Senior Information Security Specialist at Tapad

    Caroline Wong, Chief Strategy Officer at Cobalt.io

    2 anonymous contributors

    Related Info-Tech research

    Build an Information Security Strategy

    Tailor best practices to effectively manage information security.

    Implement a Security Governance and Management Program

    Align security and business objectives to get the greatest benefit from both.

    Bibliography

    Capability Maturity Model Integration (CMMI). ISACA. Carnegie Mellon University.

    Ely, Adam. “Choose Security Metrics That Tell a Story.” Using Security Metrics to Drive Action: 33 Experts Share How to Communicate Security Program Effectiveness to Business Executives and the Board Eds. 2016. Web.

    https://www.ciosummits.com/Online_Assets_Tenable_eBook-_Using_Security_Metrics_to_Drive_Action.pdf

    ISACA. “Board Director Concerns about Cyber and Technology Risk.” CSX. 11 Sep. 2018. Web.

    Rothke, Ben. “CEOs Require Security Metrics with a High-Level Focus.” Using Security Metrics to Drive Action: 33 Experts Share How to Communicate Security Program Effectiveness to Business Executives and the Board Eds. 2016. Web.

    https://www.ciosummits.com/Online_Assets_Tenable_eBook-_Using_Security_Metrics_to_Drive_Action.pdf

    Wong, Caroline. Security Metrics: A Beginner’s Guide. McGraw Hill: New York, 2012.

    Get the Most Out of Your CRM

    • Buy Link or Shortcode: {j2store}537|cart{/j2store}
    • member rating overall impact (scale of 10): 9.7/10 Overall Impact
    • member rating average dollars saved: $31,749 Average $ Saved
    • member rating average days saved: 22 Average Days Saved
    • Parent Category Name: Customer Relationship Management
    • Parent Category Link: /customer-relationship-management
    • Application optimization is essential to stay competitive and productive in today’s digital environment.
    • Enterprise applications often involve large capital outlay, unquantified benefits, and high risk of failure.
    • Customer relationship management (CRM) application portfolios are often messy with multiple integration points, distributed data, and limited ongoing end-user training.
    • User dissatisfaction is common.

    Our Advice

    Critical Insight

    A properly optimized CRM ecosystem will reduce costs and increase productivity.

    Impact and Result

    • Build an ongoing optimization team to conduct application improvements.
    • Assess your CRM application(s) and the environment in which they exist. Take a business-first strategy to prioritize optimization efforts.
    • Validate CRM capabilities, user satisfaction, issues around data, vendor management, and costs to build out an optimization strategy.
    • Pull this all together to develop a prioritized optimization roadmap.

    Get the Most Out of Your CRM Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should optimize your CRM, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Map current-state capabilities

    Gather information around the application:

    • Get the Most Out of Your CRM Workbook

    2. Assess your current state

    Assess CRM and related environment. Perform CRM process assessment. Assess user satisfaction across key processes, applications, and data. Understand vendor satisfaction

    • CRM Application Inventory Tool

    3. Build your optimization roadmap

    Build your optimization roadmap: process improvements, software capability improvements, vendor relationships, and data improvement initiatives.

    Infographic

    Workshop: Get the Most Out of Your CRM

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Define Your CRM Application Vision

    The Purpose

    Define your CRM application vision.

    Key Benefits Achieved

    Develop an ongoing application optimization team.

    Realign CRM and business goals.

    Understand your current system state capabilities.

    Explore CRM and related costs.

    Activities

    1.1 Determine your CRM optimization team.

    1.2 Align organizational goals.

    1.3 Inventory applications and interactions.

    1.4 Define business capabilities.

    1.5 Explore CRM-related costs (optional).

    Outputs

    CRM optimization team

    CRM business model

    CRM optimization goals

    CRM system inventory and data flow

    CRM process list

    CRM and related costs

    2 Map Current-State Capabilities

    The Purpose

    Map current-state capabilities.

    Key Benefits Achieved

    Complete a CRM process gap analysis to understand where the CRM is underperforming.

    Review the CRM application portfolio assessment to understand user satisfaction and data concerns.

    Undertake a software review survey to understand your satisfaction with the vendor and product.

    Activities

    2.1 Conduct gap analysis for CRM processes.

    2.2 Perform an application portfolio assessment.

    2.3 Review vendor satisfaction.

    Outputs

    CRM process gap analysis

    CRM application portfolio assessment

    CRM software reviews survey

    3 Assess CRM

    The Purpose

    Assess CRM.

    Key Benefits Achieved

    Learn which processes you need to focus on.

    Uncover underlying user satisfaction issues to address these areas.

    Understand where data issues are occurring so that you can mitigate this.

    Investigate your relationship with the vendor and product, including that relative to others.

    Identify any areas for cost optimization (optional).

    Activities

    3.1 Explore process gaps.

    3.2 Analyze user satisfaction.

    3.3 Assess data quality.

    3.4 Understand product satisfaction and vendor management.

    3.5 Look for CRM cost optimization opportunities (optional).

    Outputs

    CRM process optimization priorities

    CRM vendor optimization opportunities

    CRM cost optimization

    4 Build the Optimization Roadmap

    The Purpose

    Build the optimization roadmap.

    Key Benefits Achieved

    Understanding where you need to improve is the first step, now understand where to focus your optimization efforts.

    Activities

    4.1 Identify key optimization areas.

    4.2 Build your CRM optimization roadmap and next steps.

    Outputs

    CRM optimization roadmap

    Further reading

    Get the Most Out of Your CRM

    In today’s connected world, continuous optimization of enterprise applications to realize your digital strategy is key.

    Get the Most Out of Your CRM

    In today’s connected world, continuous optimization of enterprise applications to realize your digital strategy is key.

    EXECUTIVE BRIEF

    Analyst Perspective

    Focus optimization on organizational value delivery.

    Customer relationship management (CRM) systems are at the core of a customer-centric strategy to drive business results. They are critical to supporting marketing, sales, and customer service efforts.

    CRM systems are expensive, their benefits are difficult to quantify, and they often suffer from poor user satisfaction. Post implementation, technology evolves, organizational goals change, and the health of the system is not monitored. This is complicated in today’s digital landscape with multiple integration points, siloed data, and competing priorities.

    Too often organizations jump into the selection of replacement systems without understanding the health of their current systems. IT leaders need to stop reacting and take a proactive approach to continually monitor and optimize their enterprise applications. Strategically realign business goals, identify business application capabilities, complete a process assessment, evaluate user adoption, and create an optimization roadmap that will drive a cohesive technology strategy that delivers results.

    This is a picture of Lisa Highfield

    Lisa Highfield
    Research Director,
    Enterprise Applications
    Info-Tech Research Group

    Executive Summary

    Your Challenge

    In today’s connected world, continuous optimization of enterprise applications to realize your digital strategy is key.

    Enterprise applications often involve large capital outlay and unquantified benefits.

    CRM application portfolios are often messy. Add to that poor processes, distributed data, and lack of training – business results and user dissatisfaction is common.

    Technology owners are often distributed across the business. Consolidation of optimization efforts is key.

    Common Obstacles

    Enterprise applications involve large numbers of processes and users. Without a clear focus on organizational needs, decisions about what and how to optimize can become complicated.

    Competing and conflicting priorities may undermine optimization value by focusing on the approaches that would only benefit one line of business rather than the entire organization.

    Teams do not have a framework to illustrate, communicate, and justify the optimization effort in the language your stakeholders understand.

    Info-Tech’s Approach

    Build an ongoing optimization team to conduct application improvements.

    Assess your CRM application(s) and the environment in which they exist. Take a business-first strategy to prioritize optimization efforts.

    Validate CRM capabilities, user satisfaction, issues around data, vendor management, and costs to build out an optimization strategy

    Pull this all together to develop a prioritized optimization roadmap.

    Info-Tech Insight

    CRM implementation should not be a one-and-done exercise. A properly optimized CRM ecosystem will reduce costs and increase productivity.

    This is an image of the thought model: Get the Most Out of Your CRM

    Insight Summary

    Continuous assessment and optimization of customer relationship management (CRM) systems is critical to their success.

    • Applications and the environments in which they live are constantly evolving.
    • Get the Most Out of Your CRM provides business and application managers a method to complete a health assessment on their CRM systems to identify areas for improvement and optimization.
    • Put optimization practices into effect by:
      • Aligning and prioritizing key business and technology drivers.
      • Identifying CRM process classification, and performing a gap analysis.
      • Measuring user satisfaction across key departments.
      • Evaluating vendor relations.
      • Understanding how data fits.
      • Pulling it all together into an optimization roadmap.

    CRM platforms are the applications that provide functional capabilities and data management around the customer experience (CX).

    Marketing, sales, and customer service are enabled through CRM technology.

    CRM technologies facilitate an organization’s relationships with customers, service users, employees, and suppliers.

    CRM technology is critical to managing the lifecycle of these relationships, from lead generation, to sales opportunities, to ongoing support and nurturing of these relationships.

    Customer experience management (CXM)

    CRM platforms sit at the core of a well-rounded customer experience management ecosystem.

    Customer Relationship Management

    • Web Experience Management Platform
    • E-Commerce & Point-of-Sale Solutions
    • Social Media Management Platform
    • Customer Intelligence Platform
    • Customer Service Management Tools
    • Marketing Management Suite

    Customer relationship management suites are one piece of the overall customer experience management ecosystem, alongside tools such as customer intelligence platforms and adjacent point solutions for sales, marketing, and customer service. Review Info-Tech’s CXM blueprint to build a complete, end-to-end customer interaction solution portfolio that encompasses CRM alongside other critical components. The CXM blueprint also allows you to develop strategic requirements for CRM based on customer personas and external market analysis.

    CRM by the numbers

    1/3

    Statistical analysis of CRM projects indicate failures vary from 18% to 69%. Taking an average of those analyst reports, about one-third of CRM projects are considered a failure.
    Source: CIO Magazine, 2017

    85%

    Companies that apply the principles of behavioral economics outperform their peers by 85% in sales growth and more than 25% in gross margin.
    Source: Gallup, 2012

    40%

    In 2019, 40% of executives name customer experience the top priority for their digital transformation.
    Source: CRM Magazine, 2019

    CRM dissatisfaction

    Drivers of Dissatisfaction

    Business Data People and Teams Technology
    • Misaligned objectives
    • Product fit
    • Changing priorities
    • Lack of metrics
    • Access to data
    • Data hygiene
    • Data literacy
    • One view of the customer
    • User adoption
    • Lack of IT support
    • Training (use of data and system)
    • Vendor relations
    • Systems integration
    • Multichannel complexity
    • Capability shortfall
    • Lack of product support

    Info-Tech Insight

    While technology is the key enabler of building strong customer experiences, there are many other drivers of dissatisfaction. IT must stand shoulder to shoulder with the business to develop a technology framework for customer relationship management.

    Marketing, Sales, and Customer Service, along with IT, can only optimize CRM with the full support of each other. The cooperation of the departments is crucial when trying to improve CRM technology capabilities and customer interaction.

    Application optimization is risky without a plan

    Avoid the common pitfalls.

    • Not considering application optimization as a business and IT partnership that requires continuous formal engagement of all participants.
    • Not having a good understanding of current state, including integration points and data.
    • Not adequately accommodating feedback and changes after digital applications are deployed and employed.
    • Not treating digital applications as a motivator for potential future IT optimization effort, and not incorporating digital assets in strategic business planning.
    • Not involving department leads, management, and other subject matter experts to facilitate the organizational change digital applications bring.

    “A successful application optimization strategy starts with the business need in mind and not from a technological point of view. No matter from which angle you look at it, modernizing a legacy application is a considerable undertaking that can’t be taken lightly. Your best approach is to begin the journey with baby steps.”
    – Ernese Norelus, Sreeni Pamidala, and Oliver Senti
    Medium, 2020

    Info-Tech’s methodology for Get the Most Out of Your CRM

    1. Map Current-State Capabilities 2. Assess Your Current State 3. Build Your Optimization Roadmap
    Phase Steps
    1. Identify stakeholders and build your CRM optimization team
    2. Build a CRM strategy model
    3. Inventory current system state
    4. Define business capabilities
    1. Conduct a gap analysis for CRM processes
    2. Assess user satisfaction
    3. Review your satisfaction with the vendor and product
    1. Identify key optimization areas
    2. Compile optimization assessment results
    Phase Outcomes
    1. Stakeholder map
    2. CRM optimization team
    3. CRM business model
    4. Strategy alignment
    5. Systems inventory and diagram
    6. Business capabilities map
    7. Key CRM processes list
    1. Gap analysis for CRM-related processes
    2. Understanding of user satisfaction across applications and processes
    3. Insight into CRM data quality
    4. Quantified satisfaction with the vendor and product
    1. Application optimization plan

    Get the Most Out of Your CRM Workbook

    Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals.

    Key deliverable:

    CRM Optimization Roadmap (Tab 8)

    This image contains a screenshot from Tab 9 of the Get the most out of your CRM WorkshopThis image contains a screenshot from Tab 9 of the Get the most out of your CRM Workshop

    Complete an assessment of processes, user satisfaction, data quality, and vendor management using the Workbook or the APA diagnostic.

    CRM Business Model (Tab 2)

    This image contains a screenshot from Tab 2 of the Get the most out of your CRM Workshop

    Align your business and technology goals and objectives in the current environment.

    Prioritized CRM Optimization Goals (Tab 3)

    This image contains a screenshot from Tab 3 of the Get the most out of your CRM Workshop

    Identify and prioritize your CRM optimization goals.

    Application Portfolio Assessment (APA)

    This image contains a screenshot of the Application Portfolio Assessment

    Assess IT-enabled user satisfaction across your CRM portfolio.

    Prioritized Process Assessment (Tab 5)

    This image contains a screenshot from Tab 5 of the Get the most out of your CRM Workshop

    Understand areas for improvement.

    Case Study

    Align strategy and technology to meet consumer demand.

    INDUSTRY - Entertainment
    SOURCE - Forbes, 2017

    Challenge

    Beginning as a mail-out service, Netflix offered subscribers a catalog of videos to select from and have mailed to them directly. Customers no longer had to go to a retail store to rent a video. However, the lack of immediacy of direct mail as the distribution channel resulted in slow adoption.

    Blockbuster was the industry leader in video retail but was lagging in its response to industry, consumer, and technology trends around customer experience

    Solution

    In response to the increasing presence of tech-savvy consumers on the internet, Netflix invested in developing its online platform as its primary distribution channel. The benefit of doing so was two-fold: passive brand advertising (by being present on the internet) and meeting customer demands for immediacy and convenience. Netflix also recognized the rising demand for personalized service and created an unprecedented, tailored customer experience.

    Results

    Netflix’s disruptive innovation is built on the foundation of great customer experience management. Netflix is now a $28-billion company, which is tenfold what Blockbuster was worth.

    Netflix used disruptive technologies to innovatively build a customer experience that put it ahead of the long-time, video rental industry leader, Blockbuster.

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    “Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.”

    Guided Implementation

    “Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.”

    Workshop

    “We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.”

    Consulting

    “Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”

    Diagnostics and consistent frameworks used throughout all four options

    Guided Implementation

    What does a typical GI on this topic look like?

    Phase 1 Phase 2 Phase 3

    Call #1: Scope requirements, objectives, and your specific challenges.

    Call #2:

    Build the CRM team.

    Align organizational goals.

    Call #4:

    Conduct gap analysis for CRM processes.

    Prepare application portfolio assessment.

    Call #5:

    Understand product satisfaction and vendor management.

    Look for CRM cost optimization opportunities (optional).

    Call #7:

    Identify key optimization areas.

    Build out optimization roadmap and next steps.

    Call #3:

    Map current state.

    Inventory CRM processes.

    Explore CRM-related costs.

    Call #6:

    Review APA results.

    A Guided Implementation (GI) is series of calls with an Info-Tech analyst to help implement our best practices in your organization.

    A typical GI is between 8 to 12 calls over the course of 4 to 6 months.

    Workshop Overview

    Contact your account representative for more information.
    workshops@infotech.com 1-888-670-8889

    Day 1 Day 2 Day 3 Day 4 Day 5
    Define Your CRM Application Vision Map Current-State Capabilities Assess CRM Build the Optimization Roadmap Next Steps and Wrap-Up (offsite)

    Activities

    1.1 Determine your CRM optimization team

    1.2 Align organizational goals

    1.3 Inventory applications and interactions

    1.4 Define business capabilities

    1.5 Explore CRM-related costs

    2.1 Conduct gap analysis for CRM processes

    2.2 Perform an application portfolio assessment

    2.3 Review vendor satisfaction

    3.1 Explore process gaps

    3.2 Analyze user satisfaction

    3.3 Assess data quality

    3.4 Understand product satisfaction and vendor management

    3.5 Look for CRM cost optimization opportunities (optional)

    4.1 Identify key optimization areas

    4.2 Build your CRM optimization roadmap and next steps

    5.1 Complete in-progress deliverables from previous four days

    5.2 Set up review time for workshop deliverables and to discuss next steps

    Deliverables
    1. CRM optimization team
    2. CRM business model
    3. CRM optimization goals
    4. CRM system inventory and data flow
    5. CRM process list
    6. CRM and related costs
    1. CRM process gap analysis
    2. CRM application portfolio assessment
    3. CRM software reviews survey
    1. CRM process optimization priorities
    2. CRM vendor optimization opportunities
    3. CRM cost optimization
    1. CRM optimization roadmap

    Phase 1

    Map Current-State Capabilities

    • 1.1 Identify Stakeholders and Build Your Optimization Team
    • 1.2 Build a CRM Strategy Model
    • 1.3 Inventory Current System State
    • 1.4 Define Business Capabilities
    • 1.5 Understand CRM Costs

    Get the Most Out of Your CRM

    This phase will walk you through the following activities:

    • Align your organizational goals
    • Gain a firm understanding of your current state
    • Inventory CRM and related applications
    • Confirm the organization’s capabilities

    This phase involves the following participants:

    • Product Owners
    • CMO
    • Departmental leads – Sales, Marketing, Customer Service, or other
    • Applications Director
    • Senior Business Analyst
    • Senior Developer
    • Procurement Analysts

    Inventory of CRM and related systems

    Develop an integration map to specify which applications will interface with each other.

    This is an image of an integration map, integrating the following Terms to CRM: Telephony Systems; Directory Services; Email; Content Management; Point Solutions; ERP

    Integration is paramount: your CRM application often integrates with other applications within the organization. Create an integration map to reflect a system of record and the exchange of data. To increase customer engagement, channel integration is a must (i.e. with robust links to unified communications solutions, email, and VoIP telephony systems).

    CRM plays a key role in the more holistic customer experience framework. However, it is heavily influenced by and often interacts with many other platforms.

    Data is one key consideration that needs to be considered here. If customer information is fragmented, it will be nearly impossible to build a cohesive view of the customer. Points of integration (POIs) are the junctions between the CRM(s) and other applications where data is flowing to and from. They are essential to creating value, particularly in customer insight-focused and omnichannel-focused deployments.

    Customer expectations are on the rise

    CRM strategy is a critical component of customer experience (CX).

    CUSTOMER EXPERIENCE

    1. Thoughtfulness is in
      Connect with customers on a personal level
    2. Service over products
      The experience is more important than the product
    3. Culture is now number one
      Culture is the most overlooked piece of customer experience strategy
    4. Engineering and service finally join forces
      Companies are combining their technology and service efforts to create
      strong feedback loops
    5. The B2B world is inefficiently served
      B2B needs to step up with more tools and a greater emphasis placed on
      customer experience

    Source: Forbes, 2019

    Build a cohesive CRM strategy that aligns business goals with CRM capabilities.

    Info-Tech Insight

    Customers expect to interact with organizations through the channels of their choice. Now more than ever, you must enable your organization to provide tailored customer experiences.

    IT is critical to the success of your CRM strategy

    Today’s shared digital landscape of the CIO and CMO

    CIO

    • IT Operations
    • Service Delivery and Management
    • IT Support
    • IT Systems and Application
    • IT Strategy and Governance
    • Cybersecurity

    Collaboration and Partnership

    • Digital Strategy = Transformation
      Business Goals | Innovation | Leadership | Rationalization
    • Customer Experience
      Architecture | Design | Omnichannel Delivery | Management
    • Insight (Market Facing)
      Analytics | Business Intelligence | Machine Learning | AI
    • Marketing Integration + Operating Model
      Apps | Channels | Experiences | Data | Command Center
    • Master Data
      Customer | Audience | Industry | Digital Marketing Assets

    CMO

    • PEO Media
    • Brand Management
    • Campaign Management
    • Marketing Tech
    • Marketing Ops
    • Privacy, Trust, and Regulatory Requirements

    Info-Tech Insight

    Technology is the key enabler of building strong customer experiences: IT must stand shoulder to shoulder with the business to develop a technology framework for customer relationship management.

    Step 1.1

    Identify Stakeholders and Build Your Optimization Team

    Activities

    1.1.1 Identify the stakeholders whose support will be critical to success

    1.1.2 Select your CRM optimization team

    Map Current-State Capabilities

    This step will walk you through the following activities:

    • Identify CRM drivers and objectives.
    • Explore CRM challenges and pain points.
    • Discover CRM benefits and opportunities.
    • Align the CRM foundation with the corporate strategy.

    This step involves the following participants:

    • Stakeholders
    • Project sponsors and leaders

    Outcomes of this step

    • Stakeholder map
    • CRM optimization team composition

    CRM optimization stakeholders

    Understand the roles necessary to get the most out of your CRM.

    Understand the role of each player within your optimization initiative. Look for listed participants on the activity slides to determine when each player should be involved.

    Info-Tech Insight

    Do not limit input or participation. Include subject matter experts and internal stakeholders at stages within the optimization initiative. Such inputs can be solicited on a one-off basis as needed. This ensures you take a holistic approach to creating your CRM optimization strategy.

    Title

    Roles Within CRM Optimization Initiative

    Optimization Sponsor

    • Owns the project at the management/C-suite level
    • Responsible for breaking down barriers and ensuring alignment with organizational strategy
    • CMO, VP od Marketing, VP of Sales, VP of Customer Care, or similar

    Optimization Initiative Manager

    • Typically IT individual(s) that oversee day-to-day operations
    • Responsible for preparing and managing the project plan and monitoring the project team’s progress
    • Applications Manager or other IT Manager, Business Analyst, Business Process Owner, or similar

    Business Leads/
    Product Owners

    • Works alongside the Optimization Initiative Manager to ensure that the strategy is aligned with business needs
    • In this case, likely to be a marketing, sales, or customer service lead
    • Product Owners
    • Sales Director, Marketing Director, Customer Care Director, or similar

    CRM Optimization Team

    • Comprised of individuals whose knowledge and skills are crucial to optimization success
    • Responsible for driving day-to-day activities, coordinating communication, and making process and design decisions
    • Project Manager, Business Lead, CRM Manager, Integration Manager, Application SMEs, Developers, Business Process Architects, and/or similar SMEs

    Steering Committee

    • Comprised of C-suite/management level individuals that act as the CRM optimization decision makers.
    • Responsible for validating goals and priorities, defining the optimization scope, enabling adequate resourcing, and managing change
    • Project Sponsor, Project Manager, Business Lead, CMO, Business Unit SMEs, or similar

    1.1.1 Identify stakeholders critical to success

    1 hour

    1. Hold a meeting to identify the stakeholders that should be included in the project’s steering committee.
    2. Finalize selection of steering committee members.
    3. Contact members to ensure their willingness to participate.
    4. Document the steering committee members and the milestone/presentation expectations for reporting project progress and results.

    Input

    • Stakeholder interviews
    • Business process owners list

    Output

    • CRM optimization stakeholders
    • Steering committee members

    Materials

    • N/A

    Participants

    • Product Owners
    • CMO
    • Departmental Leads – Sales, Marketing, Customer Service (and others)
    • Applications Director
    • Senior Business Analyst
    • Senior Developer
    • Procurement Analyst

    The CRM optimization team

    Consider the core team functions when composing the CRM optimization team. Form a cross-functional team (i.e. across IT, Marketing, Sales, Service, Operations) to create a well-aligned CRM optimization strategy.

    Don’t let your core team become too large when trying to include all relevant stakeholders. Carefully limiting the size of the optimization team will enable effective decision making while still including functional business units such as Marketing, Sales, Service, and Customer Service.

    Required Skills/Knowledge

    Suggested Optimization Team Members

    Business

    • Understanding of the customer
    • Departmental processes
    • Sales Manager
    • Marketing Manager
    • Customer Service Manager

    IT

    • Product Owner
    • Application developers
    • Enterprise architects
    • CRM Application Manager
    • Business Process Manager
    • Data Stewards
    Other
    • Operations
    • Administrative
    • Change management
    • Operations Manager
    • CFO
    • Change Management Manager

    1.1.2 Select your CRM optimization team

    30 minutes

    1. Have the CMO and other key stakeholders discuss and determine who will be involved in the CRM optimization project.
      • Depending on the initiative and the size of the organization the size of the team will vary.
      • Key business leaders in key areas – Sales, Marketing, Customer Service, and IT – should be involved.
    2. Document the members of your optimization team in the Get the Most Out of Your CRM Workbook, tab “1. Optimization Team.”
      • Depending on your initiative and size of your organization, the size of this team will vary.

    Get the Most Out of Your CRM Workbook

    Input

    • Stakeholders

    Output

    • List of CRM Optimization Team members

    Materials

    • Get the Most Out of Your CRM Workbook

    Participants

    • Product Owners
    • CMO
    • Departmental Leads – Sales, Marketing, Customer Service
    • Applications Director
    • Senior Business Analyst
    • Senior Developer
    • Procurement Analyst

    Step 1.2

    Build a CRM Strategy Model

    Activities

    • 1.2.1 Explore environmental factors and technology drivers
    • 1.2.2 Discuss challenges and pain points
    • 1.2.3 Discuss opportunities and benefits
    • 1.2.4 Align CRM strategy with organizational goals

    Map Current-State Capabilities

    This step will walk you through the following activities:

    • Identify CRM drivers and objectives.
    • Explore CRM challenges and pain points.
    • Discover the CRM benefits and opportunities.
    • Align the CRM foundation with the corporate strategy.

    This step involves the following participants:

    • CRM Optimization Team

    Outcomes of this step

    • CRM business model
    • Strategy alignment

    Align the CRM strategy with the corporate strategy

    Corporate Strategy

    Your corporate strategy:

    • Conveys the current state of the organization and the path it wants to take.
    • Identifies future goals and business aspirations.
    • Communicates the initiatives that are critical for getting the organization from its current state to the future state.

    Unified Strategy

    • The CRM optimization can be and should be linked, with metrics, to the corporate strategy and ultimate business objectives.

    CRM Strategy

    Your CRM Strategy:

    • Communicates the organization’s budget and spending on CRM.
    • Identifies IT initiatives that will support the business and key CRM objectives.
    • Outlines staffing and resourcing for CRM initiatives.

    CRM projects are more successful when the management team understands the strategic importance and the criticality of alignment. Time needs to be spent upfront aligning business strategies with CRM capabilities. Effective alignment between Sales, Marketing, Customer Service, Operations, IT, and the business should happen daily. Alignment doesn’t just need to occur at the executive level but at each level of the organization.

    Sample CRM objectives

    Increase Revenue

    Enable lead scoring

    Deploy sales collateral management tools

    Improve average cost per lead via a marketing automation tool

    Enhance Market Share

    Enhance targeting effectiveness with a CRM

    Increase social media presence via an SMMP

    Architect customer intelligence analysis

    Improve Customer Satisfaction

    Reduce time-to-resolution via better routing

    Increase accessibility to customer service with live chat

    Improve first contact resolution with customer KB

    Increase Customer Retention

    Use a loyalty management application

    Improve channel options for existing customers

    Use customer analytics to drive targeted offers

    Create Customer-Centric Culture

    Ensure strong training and user adoption programs

    Use CRM to provide 360-degree view of all customer interactions

    Incorporate the voice of the customer into product development

    Identifying organizational objectives of high priority will assist in breaking down business needs and CRM objectives. This exercise will better align the CRM systems with the overall corporate strategy and achieve buy-in from key stakeholders.

    CRM business model Template

    This image contains a screenshot of the CRM business model template

    Understand objectives for creating a strong CRM strategy

    Business Needs

    Business Drivers

    Technology Drivers

    Environmental Factors

    Definition A business need is a requirement associated with a particular business process. Business drivers can be thought of as business-level goals. These are tangible benefits the business can measure such as employee retention, operation excellence, and financial performance. Technology drivers are technological changes that have created the need for a new CRM enablement strategy. Many organizations turn to technology systems to help them obtain a competitive edge. External considerations are factors taking place outside of the organization that are impacting the way business is conducted inside the organization. These are often outside the control of the business.

    Examples

    • Audit tracking
    • Authorization levels
    • Business rules
    • Data quality
    • Employee engagement
    • Productivity
    • Operational efficiency
    • Deployment model (i.e. SaaS)
    • Integration
    • Reporting capabilities
    • Fragmented technologies
    • Economic and political factors, the labor market
    • Competitive influencers
    • Compliance regulations

    Info-Tech Insight

    One of the biggest drivers for CRM adoption is the ability to make decisions through consolidated data. This driver is a result of external considerations. Many industries today are highly competitive, uncertain, and rapidly changing. To succeed under these pressures, there needs to be timely information and visibility into all components of the organization.

    1.2.1 Explore environmental factors and technology drivers

    30 minutes

    1. Identify business drivers that are contributing to the organization’s need for CRM.
    2. Understand how the company is running today and what the organization’s future will look like. Try to identify the purpose for becoming an integrated organization. Use a whiteboard and markers to capture key findings.
    3. Consider environmental factors: external considerations, organizational drivers, technology drivers, and key functional requirements.
    4. Use the Get the Most Out of Your CRM Workbook, tab “2. Business Model,” to complete this exercise.

    Get the Most Out of Your CRM Workbook

    This is a screenshot of the CRM Business Model the following boxes highlighted in purple boxes.  CRM business Needs; Environmental Factors; Technology Drivers

    External Considerations

    Organizational Drivers

    Technology Considerations

    Functional Requirements

    • Funding Constraints
    • Regulations
    • Compliance
    • Scalability
    • Operational Efficiency
    • Data Accuracy
    • Data Quality
    • Better Reporting
    • Information Availability
    • Integration Between Systems
    • Secure Data

    Create a realistic CRM foundation by identifying the challenges and barriers to the project

    There are several different factors that may stifle the success of an CRM portfolio. Organizations creating an CRM foundation must scan their current environment to identify internal barriers and challenges.

    Common Internal Barriers

    Management Support

    Organizational Culture

    Organizational Structure

    IT Readiness

    Definition The degree of understanding and acceptance towards CRM technology and systems. The collective shared values and beliefs. The functional relationships between people and departments in an organization. The degree to which the organization’s people and processes are prepared for new CRM system(s.)

    Questions

    • Is a CRM project recognized as a top priority?
    • Will management commit time to the project?
    • Are employees resistant to change?
    • Is the organization highly individualized?
    • Is the organization centralized?
    • Is the organization highly formalized?
    • Is there strong technical expertise?
    • Is there strong infrastructure?
    Impact
    • Funding
    • Resources
    • Knowledge sharing
    • User acceptance
    • Flow of knowledge
    • Poor implementation
    • Need for reliance on consultants

    1.2.2 Discuss challenges and pain points

    30 minutes

    1. Identify challenges with current systems and processes.
    2. Brainstorm potential barriers to success. Use a whiteboard and markers to capture key findings.
    3. Consider the project barriers: functional gaps, technical gaps, process gaps, and barriers to CRM success.
    4. Use the Get the Most Out of Your CRM Workbook, tab “2. Business Model,” to complete this exercise.

    Get the Most Out of Your CRM Workbook

    This is a screenshot of the CRM Business Model the following boxes highlighted in purple boxes.  Barriers

    Functional Gaps

    Technical Gaps

    Process Gaps

    Barriers to Success

    • No sales tracking within core CRM
    • Inconsistent reporting – data quality concerns
    • Duplication of data
    • Lack of system integration
    • Cultural mindset
    • Resistance to change
    • Lack of training
    • Funding

    1.2.3 Discuss opportunities and benefits

    30 minutes

    1. Identify opportunities and benefits from an integrated system.
    2. Brainstorm potential enablers for successful CRM enablement and the ideal portfolio.
    3. Consider the project enablers: business benefits, IT benefits, organizational benefits, and enablers of CRM success.
    4. Use the Get the Most Out of Your CRM Workbook, tab “2. Business Model,” to complete this exercise.
    This is a screenshot of the CRM Business Model the following boxes highlighted in purple boxes.  Enablers

    Business Benefits

    IT Benefits

    Organizational Benefits

    Enablers of Success

    • Business-IT alignment
    • Compliance
    • Scalability
    • Operational Efficiency
    • Data Accuracy
    • Data Quality
    • Better Reporting
    • Change Management
    • Training
    • Alignment to Strategic Objectives

    1.2.4 Align CRM strategy with organizational goals

    1 hour

    1. Discuss your corporate objectives (organizational goals). Choose three to five corporate objectives that are a priority for the organization in the current year.
    2. Break into groups and assign each group one corporate objective.
    3. For each objective, produce several ways an optimized CRM system will meet the given objective.
    4. Think about the modules and CRM functions that will help you realize these benefits.
    5. Use the Get the Most Out of Your CRM Workbook, tab “2. Business Model,” to complete this exercise.
    Increase Revenue

    CRM Benefits

    • Increase sales by 5%
    • Expand to new markets
    • Offer new product
    • Identify geographies underperforming
    • Build out global customer strategy
    • Allow for customer segmentation
    • Create targeted marketing campaigns

    Input

    • Organizational goals
    • CRM strategy model

    Output

    • Optimization benefits map

    Materials

    • Get the Most Out of Your CRM Workbook

    Participants

    • Product Owners
    • CMO
    • Departmental Leads – Sales, Marketing, Customer Service
    • Applications Director
    • Senior Business Analyst
    • Senior Developer
    • Procurement Analyst

    Download the Get the Most Out of Your CRM Workbook

    Step 1.3

    Inventory Current System State

    Activities

    1.3.1 Inventory applications and interactions

    Map Current-State Capabilities

    This step will walk you through the following activities:

    • Inventory applications
    • Map interactions between systems

    This step involves the following participants:

    • CRM Optimization Team
    • Enterprise Architect
    • Data Architect

    Outcomes of this step

    • Systems inventory
    • Systems diagram

    1.3.1 Inventory applications and interactions

    1-3 hours

    1. Individually list all electronic systems involved in the organization. This includes anything related to customer information and interactions, such as CRM, ERP, e-commerce, finance, email marketing, and social media, etc.
    2. Document data flows into and out of each system to the ERP. Refer to the example on the next slide (CRM data flow).
    3. Review the processes in place (e.g. reporting, marketing, data moving into and out of systems). Document manual processes. Identify integration points. If flowcharts exist for these processes, it may be useful to provide these to the participants.
    4. If possible, diagram the system. Include information direction flow. Use the sample CRM map, if needed.

    This image contains an example of a CRM Data Flow

    CRM data flow

    This image contains an example of a CRM Data Flow

    Be sure to include enterprise applications that are not included in the CRM application portfolio. Popular systems to consider for POIs include billing, directory services, content management, and collaboration tools.

    When assessing the current application portfolio that supports CRM, the tendency will be to focus on the applications under the CRM umbrella, relating mostly to Marketing, Sales, and Customer Service. Be sure to include systems that act as input to, or benefit due to outputs from, the CRM or similar applications.

    Sample CRM map

    This image contains an example of a CRM map

    Step 1.4

    Define Business Capabilities

    Activities

    1.4.1 Define business capabilities

    1.4.2 List your key CRM processes

    Map Current-State Capabilities

    This step will walk you through the following activities:

    • Define your business capabilities
    • List your key CRM processes

    This step involves the following participants:

    • CRM Optimization Team
    • Business Architect

    Outcomes of this step

    • Business capabilities map
    • Key CRM processes list

    Business capability map (Level 0)

    This image contains a screenshot of a business capability map.  an Arrow labeled CRM points to the Revenue Generation section. Revenue Generation: Marketing; Sales; Customer Service.

    In business architecture, the primary view of an organization is known as a business capability map.

    A business capability defines what a business does to enable value creation, rather than how.

    Business capabilities:

    • Represent stable business functions.
    • Are unique and independent of each other.
    • Typically will have a defined business outcome.

    A business capability map provides details that help the business architecture practitioner direct attention to a specific area of the business for further assessment.

    Capability vs. process vs. feature

    Understanding the difference

    When examining CRM optimization, it is important we approach this from the appropriate layer.

    Capability:

    • The ability of an entity (e.g. organization or department) to achieve its objectives (APQC, 2017).
    • An ability that an organization, person, or system possesses. Typically expressed in general and high-level terms and typically require a combination of organization, people, processes, and technology to achieve (TOGAF).

    Process:

    • Can be manual or technology enabled. A process is a series of interrelated activities that convert inputs into results (outputs). Processes consume resources, require standards for repeatable performance, and respond to control systems that direct the quality, rate, and cost of performance. The same process can be highly effective in one circumstance and poorly effective in another with different systems, tools, knowledge, and people (APQC, 2017).

    Feature:

    • Is a distinguishing characteristic of a software item (e.g. performance, portability, or functionality) (IEEE, 2005).

    In today’s complex organizations, it can be difficult to understand where inefficiencies stem from and how performance can be enhanced.
    To fix problems and maximize efficiencies business capabilities and processes need to be examined to determine gaps and areas of lagging performance.

    Info-Tech’s CRM framework and industry tools such as the APQC’s Process Classification Framework can help make sense of this.

    1.4.1 Define business capabilities

    1-3 hours

    1. Look at the major functions or processes within the scope of CRM.
    2. Compile an inventory of current systems that interact with the chosen processes. In its simplest form, document your application inventory in a spreadsheet (see tab 3 of the CRM Application Inventory Tool). For large organizations, interview representatives of business domains to help create your list of applications.
    3. Make sure to include any processes that are manual versus automated.
    4. Use your current state drawing from activity 1.3.1 to link processes to applications for further effect.

    CRM Application Inventory Tool

    Input

    • Current systems
    • Key processes
    • APQC Framework
    • Organizational process map

    Output

    • List of key business processes

    Materials

    • CRM Application Inventory Tool
    • CRM APQC Framework
    • Whiteboard, PowerPoint, or flip charts
    • Pens/markers

    Participants

    • CRM Optimization Team

    CRM process mapping

    This image contains two screenshots.  one is of the business capability map seen earlier in this blueprint, and the other includes the following operating model: Objectives; Value Streams; Capabilities; Processes

    The operating model

    An operating model is a framework that drives operating decisions. It helps to set the parameters for the scope of CRM and the processes that will be supported. The operating model will serve to group core operational processes. These groupings represent a set of interrelated, consecutive processes aimed at generating a common output.

    The Value Stream

    Value Stream Defined

    Value Streams

    Design Product

    Produce Product

    Sell Product

    Customer Service

    • Manufacturers work proactively to design products and services that will meet consumer demand.
    • Products are driven by consumer demand and governmental regulations.
    • Production processes and labor costs are constantly analyzed for efficiencies and accuracies.
    • Quality of product and services are highly regulated through all levels of the supply chain.
    • Sales networks and sales staff deliver the product from the organization to the end consumer.
    • Marketing plays a key role throughout the value stream connecting consumers wants and needs to the product and services offered.
    • Relationships with consumers continue after the sale of a product and services.
    • Continued customer support and mining is important to revenue streams.

    Value streams connect business goals to the organization’s value realization activities in the marketplace. Those activities are dependent on the specific industry segment in which an organization operates.

    There are two types of value streams: core value streams and support value streams.

    • Core value streams are mostly externally facing. They deliver value to either an external or internal customer and they tie to the customer perspective of the strategy map.
    • Support value streams are internally facing and provide the foundational support for an organization to operate.

    An effective method for ensuring all value streams have been considered is to understand that there can be different end-value receivers.

    APQC Framework

    Help define your inventory of sales, marketing, and customer services processes.

    Operating Processes

    1. Develop Vision and Strategy
    2. Develop and Manage Products and Services
    3. Market and Sell Products and Services
    4. Deliver Physical Products
    5. Deliver Services

    Management and Support Processes

    1. Manage Customer Service
    2. Develop and Manage Human Capital
    3. Manage Information Technology (IT)
    4. Manage Financial Resources
    5. Acquire, Construct, and Manage Assets
    6. Manage Enterprise Risk, Compliance, Remediation, and Resiliency
    7. Manage External Relationships
    8. Develop and Manage Business Capabilities

    Source: APQC, 2020

    If you do not have a documented process model, you can use the APQC Framework to help define your inventory of sales business processes.

    APQC’s Process Classification Framework is a taxonomy of cross-functional business processes intended to allow the objective comparison of organizational performance within and among organizations.

    Go to this link

    Process mapping hierarchy

    This image includes explanations for the following PCF levels:  Level 1 - Category; Level 2 - Process Group; Level 3 - Process; Level 4 - Activity; Level 5 - Task

    APQC provides a process classification framework. It allows organizations to effectively define their processes and manage them appropriately.

    THE APQC PROCESS CLASSIFICATION FRAMEWORK (PCF)® was developed by non-profit APQC, a global resource for benchmarking and best practices, and its member companies as an open standard to facilitate improvement through process management and benchmarking, regardless of industry, size, or geography. The PCF organizes operating and management processes into 12 enterprise level categories, including process groups and over 1,000 processes and associated activities. To download the full PCF or industry-specific versions of the PCF as well as associated measures and benchmarking, visit www.apqc.org/pcf.

    Cross-industry classification framework

    Level 1 Level Level 3 Level 4

    Market and sell products and services

    Understand markets, customers, and capabilities Perform customer and market intelligence analysis Conduct customer and market research

    Market and sell products and services

    Develop sales strategy Develop sales forecast Gather current and historic order information

    Deliver services

    Manage service delivery resources Manage service delivery resource demand Develop baseline forecasts
    ? ? ? ?

    Info-Tech Insight

    Focus your initial assessment on the level 1 processes that matter to your organization. This allows you to target your scant resources on the areas of optimization that matter most to the organization and minimize the effort required from your business partners.

    You may need to iterate the assessment as challenges are identified. This allows you to be adaptive and deal with emerging issues more readily and become a more responsive partner to the business.

    1.4.2 List your key CRM processes

    1-3 hours

    1. Reflect on your organization’s CRM capabilities and processes.
    2. Refer to tab 4, “Process Importance,” in your Get the Most Out of Your CRM Workbook. You can use your own processes if you prefer. Consult tab 10. “Framework (Reference)” in the Workbook to explore additional capabilities.
    3. Use your CRM goals as a guide.

    Get the Most Out of Your CRM Workbook

    This is a screenshot from the APQC Cross-Industry Process Classification Framework, adapted to list key CRM processes

    *Adapted from the APQC Cross-Industry Process Classification Framework, 2019.

    Step 1.5

    Understand CRM Costs

    Activities

    1.5.1 List CRM-related costs (optional)

    Map Current-State Capabilities

    This step will walk you through the following activities:

    • Define your business capabilities
    • List your key CRM processes

    This step involves the following participants:

    • Finance Representatives
    • CRM Optimization Team

    Outcomes of this step

    • Current CRM and related operating costs

    1.5.1 List CRM-related costs (optional)

    3+ hours

    Before you can make changes and optimization decisions, you need to understand the high-level costs associated with your current application architecture. This activity will help you identify the types of technology and people costs associated with your current systems.

    1. Identify the types of technology costs associated with each current system:
      1. System Maintenance
      2. Annual Renewal
      3. Licensing
    2. Identify the cost of people associated with each current system:
      1. Full-Time Employees
      2. Application Support Staff
      3. Help Desk Tickets
    3. Use the Get the Most Out of Your CRM Workbook, tab “9. Costs (Optional),” to complete this exercise.

    This is a screenshot of an example of a table which lays out CRM and Associated Costs.

    Get the Most Out of Your CRM Workbook

    Phase 2

    Assess Your Current State

    • 2.1 Conduct a Gap Analysis for CRM Processes
    • 2.2 Assess User Satisfaction
    • 2.3 Review Your Satisfaction With the Vendor and Product

    Get the Most Out of Your CRM

    This phase will guide you through the following activities:

    • Determine process relevance
    • Perform a gap analysis
    • Perform a user satisfaction survey
    • Assess software and vendor satisfaction

    This phase involves the following participants:

    • CRM optimization team
    • Users across functional areas of your CRM and related technologies

    Step 2.1

    Conduct a Gap Analysis for CRM Processes

    Activities

    • 2.1.1 Determine process relevance
    • 2.1.2 Perform process gap analysis

    Assess Your Current State

    This step will walk you through the following activities:

    • Determine process relevance
    • Perform a gap analysis

    This step involves the following participants:

    • CRM optimization team

    Outcomes of this step

    • Gap analysis for CRM-related processes (current vs. desired state)

    2.1.1 Determine process relevance

    1-3 hours

    1. Open tab “4. Process Importance,” in the Get the Most Out of Your CRM Workbook.
    2. Rate each process for level of importance to your organization on the following scale:
      • Crucial
      • Important
      • Secondary
      • Unimportant
      • Not applicable

    This image contains a screenshot of tab 4 of the Get the most out of your CRM Workbook.

    Get the Most Out of Your CRM Workbook

    2.1.2 Perform process gap analysis

    1-3 hours

    1. Open tab “5. Process Assessment,” in the Get the Most Out of Your CRM Workbook.
    2. For each line item, identify your current state and your desired state on the following scale:
      • Not important
      • Poor
      • Moderate
      • Good
      • Excellent

    This is a screenshot of Tab 5 of the Get the Most Out of your CRM Workshop

    Get the Most Out of Your CRM Workbook

    Step 2.2

    Assess User Satisfaction

    Activities

    • 2.2.1 Prepare and complete a user satisfaction survey
    • 2.2.2 Enter user satisfaction

    Assess Your Current State

    This step will walk you through the following activities:

    • Preparation and completion of an application portfolio assessment (APA)
    • Entry of the user satisfaction scores into the workbook

    This step involves the following participants:

    • CRM optimization team
    • Users across functional areas of CRM and related technologies

    Outcomes of this step

    • Understanding of user satisfaction across applications and processes
    • Insight into CRM data quality

    Benefits of the Application Portfolio Assessment

    This is a screenshot of the application  Overview tab

    Assess the health of the application portfolio

    • Get a full 360-degree view of the effectiveness, criticality, and prevalence of all relevant applications to get a comprehensive view of the health of the applications portfolio.
    • Identify opportunities to drive more value from effective applications, retire nonessential applications, and immediately address at-risk applications that are not meeting expectations.

    This is a screenshot of the Finance Overview tab

    Provide targeted department feedback

    • Share end-user satisfaction and importance ratings for core IT services, IT communications, and business enablement to focus on the right end-user groups or lines of business, and ramp up satisfaction and productivity.

    This is a screenshot of the application  Overview tab

    Insight into the state of data quality

    • Data quality is one of the key issues causing poor CRM user satisfaction and business results. This can include the relevance, accuracy, timeliness, or usability of the organization’s data.
    • Targeted, open-ended feedback around data quality will provide insight into where optimization efforts should be focused.

    2.2.1 Prepare and complete a user satisfaction survey

    1 hour

    Option 1: Use Info-Tech’s Application Portfolio Assessment to generate your user satisfaction score. This tool not only measures application satisfaction but also elicits great feedback from users regarding support they receive from the IT team.

    1. Download the CRM Application Inventory Tool.
    2. Complete the “Demographics” tab (tab 2).
    3. Complete the “Inventory” tab (tab 3).
      1. Complete the inventory by treating each process within the organization as a separate row. Use the processes identified in the process gap analysis as a reference.
      2. Treat every department as a separate column in the department section. Feel free to add, remove, or modify department names to match your organization.
      3. Include data quality for all applications applicable.

    Option 2: Use the method of choice to elicit current user satisfaction for each of the processes identified as important to the organization.

    1. List processes identified as important (from the Get the Most Out of Your CRM Workbook, tab 4, “Process Importance”).
    2. Gather user contact information by department.
    3. Ask users to rate satisfaction: Extremely Satisfied, Satisfied, Neutral, Dissatisfied, and Extremely Dissatisfied (on Get the Most Out of Your CRM Workbook, tab 5. “Process Assessment”).

    This image contains a screenshot of the CRM Application Inventory Tool Tab

    Understand user satisfaction across capabilities and departments within your organization.

    Download the CRM Application Inventory Tool

    2.2.2 Enter user satisfaction

    20 minutes

    Using the results from the Application Portfolio Assessment or your own user survey:

    1. Open your Get the Most Out of Your CRM Workbook, tab “5. Process Assessment.”
    2. For each process, record up to three different department responses.
    3. Enter the answers to the survey for each line item using the drop-down options:
      • Extremely Satisfied
      • Satisfied
      • Neutral
      • Dissatisfied
      • Extremely Dissatisfied

    This is a screenshot of Tab 5 of the Get the most out of your CRM Workbook

    Understand user satisfaction across capabilities and departments within your organization.

    Get the Most Out of Your CRM Workbook

    Step 2.3

    Review Your Satisfaction With the Vendor and Product

    Activities

    2.3.1 Rate your vendor and product satisfaction

    2.3.2 Enter SoftwareReviews scores from your CRM Product Scorecard (optional)

    Assess Your Current State

    This step will walk you through the following activities:

    • Rate your vendor and product satisfaction
    • Compare with survey data from SoftwareReviews

    This step involves the following participants:

    • CRM Owner(s)
    • Procurement Representative
    • Vendor Contracts Manager

    Outcomes of this step

    • Quantified satisfaction with vendor and product

    Use a SoftwareReviews Product Scorecard to evaluate your satisfaction compared to other organizations.

    This is a screenshot of the SoftwareReviews Product Scorecard

    Source: SoftwareReviews, March 2019

    Where effective IT leaders spend their time

    This image contains two lists.  One list is where CIOs with  data-verified=80% satisfaction score, and the other list is CIOs with <80% satisfaction score.">

    Info-Tech Insight

    The data shows that effective IT leaders invest a significant amount of time (8%) on vendor management initiatives.

    Be proactive in managing you calendar and block time for these important tasks.

    CIOs who prioritize vendor management see improved results

    Analysis of CIOs’ calendars revealed that how CIOs spend their time has a correlation to both stakeholder IT satisfaction and CEO-CIO alignment.

    Those CIOs that prioritized vendor management were more likely to have a business satisfaction score greater than 80%.

    This image demonstrates that CIOs who spend time with the team members of their direct reports delegate management responsibilities to direct reports and spend less time micromanaging, and CIOs who spend time on vendor management align rapidly changing business needs with updated vendor offerings.

    2.3.1 Rate your vendor and product satisfaction

    30 minutes

    Use Info-Tech’s vendor satisfaction survey to identify optimization areas with your CRM product(s) and vendor(s).

    Option 1 (recommended): Conduct a satisfaction survey using SoftwareReviews. This option allows you to see your results in the context of the vendor landscape.

    Download the Get the Most Out of Your CRM Workbook

    Option 2: Use your Get the Most Out of Your CRM Workbook, tab “6. Vendor Optimization,” to review your satisfaction with your software.

    SoftwareReviews’ Customer Relationship Management

    This is a screenshot of tab 6 of the Get the most out of your CRM Workbook.

    2.3.2 Enter SoftwareReviews scores (optional)

    30 minutes

    1. Download the scorecard for your CRM product from the SoftwareReviews website. (Note: Not all products are represented or have sufficient data, so a scorecard may not be available.)
    2. Use your Get the Most Out of Your CRM Workbook, tab “6. Vendor Optimization,” to record the scorecard results.
    3. Use your Get the Most Out of Your CRM Workbook, tab “6. Vendor Optimization,” to flag areas where your score may be lower than the product scorecard. Brainstorm ideas for optimization.

    Download the Get the Most Out of Your CRM Workbook

    SoftwareReviews’ Customer Relationship Management

    This is a screenshot of the optional vendor optimization scorecard

    Phase 3

    Build Your Optimization Roadmap

    • 3.1 Identify Key Optimization Areas
    • 3.2 Compile Optimization Assessment Results

    Get the Most Out of Your CRM

    This phase will walk you through the following activities:

    • Identify key optimization areas
    • Create an optimization roadmap

    This phase involves the following participants:

    • CRM Optimization Team

    Build your optimization roadmap

    Address process gaps

    • CRM and related technologies are invaluable to sales, marketing, and customer service enablement, but they must have supported processes driven by business goals.
    • Identify areas where capabilities need to be improved and work towards.

    Support user satisfaction

    • The best technology in the world won’t deliver business results if it is not working for the users who need it.
    • Understand concerns, communicate improvements, and support users in all roles.

    Improve data quality

    • Data quality is unique to each business unit and requires tolerance, not perfection.
    • Implement a set of data quality initiatives that are aligned with overall business objectives and aimed at addressing data practices and the data itself.

    Proactively manage vendors

    • Vendor management is a critical component of technology enablement and IT satisfaction.
    • Assess your current satisfaction against those of your peers and work towards building a process that is best fit for your organization.

    Info-Tech Insight

    Enabling a high-performing, customer-centric sales, marketing, and customer service operations program requires excellent management practices and continuous optimization efforts.

    Technology portfolio and architecture is important, but we must go deeper. Taking a holistic view of CRM technologies in the environments in which they operate allows for the inclusion of people and process improvements – this is key to maximizing business results.

    Using a formal CRM optimization initiative will drive business-IT alignment, identify IT automation priorities, and dig deep into continuous process improvement.

    Step 3.1

    Identify Key Optimization Areas

    Activities

    • 3.1.1 Explore process gaps
    • 3.1.2 Analyze user satisfaction
    • 3.1.3 Assess data quality
    • 3.1.4 Analyze product satisfaction and vendor management

    Build Your Optimization Roadmap

    This step will guide you through the following activities:

    • Explore existing process gaps
    • Identify the impact of processes on user satisfaction
    • Identify the impact of data quality on user satisfaction
    • Review your overall product satisfaction and vendor management

    This step involves the following participants:

    • CRM Optimization Team

    Outcomes of this step

    • Application optimization plan

    3.1.1 Explore process gaps

    1 hour

    1. Review the compiled CRM Process Assessment in the Get the Most Out of Your CRM Workbook, tab “7. Process Prioritization.”
    2. These are processes you should prioritize.
    • The activities in the rest of Step 3.1 help you create optimization strategies for the different areas of improvement these processes relate to: user satisfaction, data quality, product satisfaction, and vendor management.
  • Consolidate your optimization strategies in the Get the Most Out of Your CRM Workbook, tab “8. Optimization Roadmap.” (See next slide for screenshot.)
  • This image consists of the CRM Process Importance Rankings

    Get the Most Out of Your CRM Workbook

    Plan your product optimization strategy for each area of improvement

    This is a screenshot from the Get the most out of your CRM Workbook, with the Areas of Improvement column  highlighted in a red box.

    3.1.2 Analyze user satisfaction

    1 hour

    1. Use the APA survey results from activity 2.2.1 (or your own internal survey) to identify areas where the organization is performing low in user satisfaction across the CRM portfolio.
      1. Understand application portfolio and IT service satisfaction.
      2. Identify cost savings opportunities from unused or unimportant apps.
      3. Build a roadmap for improving user IT services.
      4. Manage needs by department and seniority.
    2. Consolidate your optimization strategies in the Get the Most Out of Your CRM Workbook, tab “8. Optimization Roadmap.” (See next slide for screenshot.)

    this is an image of the Business & IT Communications Overview Tab from the Get the Most Out of Your CRM Workbook

    Get the Most Out of Your CRM Workbook

    Plan your user satisfaction optimization strategy

    This is a screenshot from the Get the most out of your CRM Workbook, with the Optimization Strategies column  highlighted in a red box.

    Next steps in improving your data quality

    Data Quality Management Effective Data Governance Data-Centric Integration Strategy Extensible Data Warehousing
    • Prevention is ten times cheaper than remediation. Stop fixing data quality with band-aid solutions and start fixing it by healing it at the source of the problem.
    • Data governance enables data-driven insight. Think of governance as a structure for making better use of data.
    • Every enterprise application involves data integration. Any change in the application and database ecosystem requires you to solve a data integration problem.
    • A data warehouse is a project; but successful data warehousing is a program. An effective data warehouse requires planning beyond the technology implementation.
    • Data quality is unique to each business unit and requires tolerance, not perfection. If the data allows the business to operate at the desired level, don’t waste time fixing data that may not need to be fixed.
    • Collaboration is critical. The business may own the data, but IT understands the data. Data governance will not work unless the business and IT work together.
    • Data integration is becoming more and more critical for downstream functions of data management and for business operations to be successful. Poor integration holds back these critical functions.
    • Governance, not technology, needs to be the core support system for enabling a data warehouse program.
    • Implement a set of data quality initiatives that are aligned with overall business objectives and aimed at addressing data practices and the data itself.
    • Data governance powers the organization up the data value chain through policies and procedures, master data management, data quality, and data architecture.
    • Build your data integration practice with a firm foundation in governance and reference architecture. Ensure your process is scalable and sustainable.
    • Leverage an approach that focuses on constructing a data warehouse foundation that can address a combination of operational, tactical, and ad hoc business needs.
    • Develop a prioritized data quality improvement project roadmap and long-term improvement strategy.
    • Create a roadmap to prioritize initiatives and delineate responsibilities among data stewards, data owners, and members of the data governance steering committee.
    • Support the flow of data through the organization and meet the organization’s requirements for data latency, availability, and relevancy.
    • Invest time and effort to put together pre-project governance to inform and provide guidance to your data warehouse implementation.
    • Build related practices with more confidence and less risk after achieving an appropriate level of data quality.
    • Ensure buy-in from the business and IT stakeholders. Communicate initiatives to end users and executives to reduce resistance.
    • Data availability must be frequently reviewed and repositioned to continue to grow with the business.
    • Select the most suitable architecture pattern to ensure the data warehouse is “built right” at the very beginning.

    Build Your Data Quality Program

    Establish Data Governance

    Build a Data Integration Strategy

    Build an Extensible Data Warehouse Foundation

    3.1.3 Assess data quality

    1 hour

    1. Use your APA survey results (if available) to identify areas where the organization is performing low in data quality initiatives. Common areas for improvement include:
      • Overall data quality management
      • Effective data governance
      • Poor data integration
      • The need to implement extensible data warehousing
    2. Consolidate your optimization strategies in the Get the Most Out of Your CRM Workbook, tab “8. Optimization Roadmap.” (See next slide for screenshot.)

    This is an image of the Business & IT Communications Overview tab from the Get the most out of your CRM Workbook

    Get the Most Out of Your CRM Workbook

    Plan your data quality optimization strategy

    This is a screenshot from the Get the most out of your CRM Workbook, with the Optimization Strategies column  highlighted in a red box.

    Use Info-Tech’s vendor management initiative (VMI)

    Create a right-size, right-fit strategy for managing the vendors relevant to your organization.

    A crowd chart is depicted, with quadrants for strategic value, and Vendor spend/switching cost.

    Info-Tech Insight

    A VMI is a formalized process within an organization, responsible for evaluating, selecting, managing, and optimizing third-party providers of goods and services.

    The amount of resources you assign to managing vendors depends on the number and value of your organization’s relationships. Before optimizing your vendor management program around the best practices presented in this blueprint, assess your current maturity and build the process around a model that reflects the needs of your organization.

    Info-Tech uses VMI interchangeably with the terms “vendor management office (VMO),” “vendor management function,” “vendor management process,” and “vendor management program.”

    Jump Start Your Vendor Management Initiative

    3.1.4 Analyze product satisfaction and vendor management

    1 hour

    1. Use the Get the Most Out of Your CRM Workbook, tab “6. Vendor Optimization.”
    2. Download the SoftwareReviews Vendor Scorecard.
    3. Using the scorecards, compare your results with those of your peers.
    4. Consolidate areas of improvement and optimization strategies in the Get the Most Out of Your CRM Workbook, tab “8. Optimization Roadmap.” (See next slide for screenshot.)

    See previous slide for help around implementing a vendor management initiative.

    This is a screenshot from the Get the most out of your CRM Workbook, with the Areas for Optimization column  highlighted in a red box.

    Get the Most Out of Your CRM Workbook

    Plan your vendor management optimization strategy

    This is a screenshot from the Get the most out of your CRM Workbook, with the Optimization Strategies column  highlighted in a red box.

    Step 3.2

    Compile Optimization Assessment Results

    Activities

    • 3.2.1 Identify key optimization areas

    Build Your Optimization Roadmap

    This step will guide you through the following activities:

    • Use your work from previous activities and prioritization to build your list of optimization activities and lay them out on a roadmap

    This step involves the following participants:

    • CRM Optimization Team

    Outcomes of this step

    • Application optimization plan

    3.2.1 Identify key optimization areas

    1-3 hours

    Before you can make changes and optimization decisions, you need to understand the high-level costs associated with your current application architecture. This activity will help you identify the types of technology and people costs associated with your current systems.

    1. Consolidate your findings and identify optimization priorities (Step 3.1).
    2. Prioritize those most critical to the organization, easiest to change, and whose impact will be highest.
    3. Use the information gathered from exercise 1.5.1 on Get the Most Out of Your CRM Workbook, tab “9. Costs (Optional).”
    4. These costs could affect the priority or timeline of the initiatives. Consolidate your thoughts on your Get the Most Out of Your CRM Workbook, tab 8, “Optimization Roadmap.” Note: There is no column specific to costs on tab 8.

    This is meant as a high-level roadmap. For formal, ongoing optimization project management, refer to “Build a Better Backlog” (Phase 2 of the Info-Tech blueprint Deliver on Your Digital Product Vision).

    This is a screenshot from the Get the most out of your CRM Workbook, with the Priority; Owner; and Timeline columns highlighted in a red box.

    Next steps: Manage your technical debt

    Use a holistic assessment of the “interest” paid on technical debt to quantify and prioritize risk and enable the business make better decisions.

    • Technical debt is an IT risk, which in turn is a category of business risk.
    • The business must decide how to manage business risk.
    • At the same time, business decision makers may not be aware of technical debt or be able to translate technical challenges into business risk. IT must help the business make decisions around IT risk by describing the risk of technical debt in business terms and by outlining the options available to address risk.
    • Measure the ongoing business impact (the “interest” paid on technical debt) to establish the business risk of technical debt. Consider a range of possible impacts including direct costs, lost goodwill, lost flexibility and resilience, and health, safety, and compliance impacts.
    • When weighing these impacts, the business may choose to accept the risk of technical debt if the cost of addressing the debt outweighs the benefit. But it’s critically important that the business accepts that risk – not IT.

    Manage Your Technical Debt

    Take it a step further…

    Deliver on Your Digital Product Vision

    Phase 2: Build a Better Product Backlog

    Build a structure for your backlog that supports your product vision.

    Deliver on Your Digital Product Vision

    Build a better backlog

    An ongoing CRM optimization effort is best facilitated through a continuous Agile process. Use info-Tech’s developed tools to build out your backlog.

    The key to a better backlog is a common structure and guiding principles that product owners and product teams can align to.

    Info-Tech Insight

    Exceptional customer value begins with a clearly defined backlog focused on items that will create the greatest human and business benefits.

    Activity Participants

    Backlog Activity

    Quality Filter

    Product Manager

    Product Owner

    Dev Team

    Scrum Master

    Business

    Architects

    Sprint

    Sprint Planning

    “Accepted”

    Ready

    Refine

    “Ready”

    Qualified

    Analysis

    “Qualified”

    Ideas

    Intake

    “Backlogged”

    A product owner and the product backlog are critical to realize the benefits of Agile development

    A product owner is accountable for defining and prioritizing the work that will be of the greatest value to the organization and its customers. The backlog is the key to facilitating this process and accomplishing the most fundamental goals of delivery.

    For more information on the role of a product owner, see Build a Better Product Owner.

    Highly effective Agile teams spend 28% of their time on product backlog management and roadmapping (Quantitative Software Management, 2015).

    1. Manage Stakeholders

    • Stakeholders need to be kept up to speed on what the future holds for a product, or at least they should be heard. This task falls to the product owner.

    2. Inform and Protect the Team

    • The product owner is a servant leader of the team. They need to protect the team from all the noise and give them the time they need to focus on what they do best: develop.

    3. Maximize Value to the Product

    • Sifting through all of these voices and determining what is valuable, or what is most valuable, falls to the product owner.

    A backlog stores and organizes PBIs at various stages of readiness.

    Your backlog must give you a holistic understanding of demand for change in the product

    A well-formed backlog can be thought of as a DEEP backlog:

    Detailed Appropriately: PBIs are broken down and refined as necessary.

    Emergent: The backlog grows and evolves over time as PBIs are added and removed.

    Estimated: The effort a PBI requires is estimated at each tier.

    Prioritized: The PBI’s value and priority are determined at each tier.

    Ideas; Qualified; Ready

    3 - IDEAS

    Composed of raw, vague, and potentially large ideas that have yet to go through any formal valuation.

    2 - QUALIFIED

    Researched and qualified PBIs awaiting refinement.

    1 - READY

    Discrete, refined PBIs that are ready to be placed in your development teams’ sprint plans.

    Summary of Accomplishment

    Get the Most Out of Your CRM

    CRM technology is critical to facilitate an organization’s relationships with customers, service users, employees, and suppliers. CRM implementation should not be a one-and-done exercise. There needs to be an ongoing optimization to enable business processes and optimal organizational results.

    Get the Most Out of Your CRM allows organizations to proactively implement continuous assessment and optimization of a customer relationship management system. This includes:

    • Alignment and prioritization of key business and technology drivers
    • Identification of CRM processes including classification and gap analysis
    • Measurement of user satisfaction across key departments
    • Improved vendor relations
    • Data quality initiatives

    This formal CRM optimization initiative will drive business-IT alignment, identify IT automation priorities, and dig deep into continuous process-improvement.

    If you would like additional support, have our analysts guide you through other phases as part of an Info-Tech Workshop.

    Contact your account representative for more information

    workshops@infotech.com
    1-866-670-8889

    Research Contributors

    Ben Dickie

    Ben Dickie
    Research Practice Lead
    Info-Tech Research Group

    Ben Dickie is a Research Practice Lead at Info-Tech Research Group. His areas of expertise include customer experience management, CRM platforms, and digital marketing. He has also led projects pertaining to enterprise collaboration and unified communications.

    Scott Bickley

    Scott Bickley
    Practice Lead & Principal Research Director
    Info-Tech Research Group

    Scott Bickley is a Practice Lead & Principal Research Director at Info-Tech Research Group focused on vendor management and contract review. He also has experience in the areas of IT asset management (ITAM), software asset management (SAM), and technology procurement, along with a deep background in operations, engineering, and quality systems management.

    Andy Neil

    Andy Neil
    Practice Lead, Applications
    Info-Tech Research Group

    Andy is Senior Research Director, Data Management and BI, at Info-Tech Research Group. He has over 15 years of experience in managing technical teams, information architecture, data modeling, and enterprise data strategy. He is an expert in enterprise data architecture, data integration, data standards, data strategy, big data, and the development of industry-standard data models.

    Bibliography

    Armel, Kate. “Data-driven Estimation, Management Lead to High Quality.” Quantitative Software Management Inc. 2015. Web.

    Chappuis, Bertil, and Brian Selby. “Looking beyond Technology to Drive Sales Operations.” McKinsey & Company, 24 June 2016. Web.

    Cross-Industry Process Classification Framework (PCF) Version 7.2.1. APQC, 26 Sept. 2019. Web.

    Fleming, John, and Hater, James. “The Next Discipline: Applying Behavioral Economics to Drive Growth and Profitability.” Gallup, 22 Sept. 2012. Accessed 6 Oct. 2020.

    Hinchcliffe, Dion. “The evolving role of the CIO and CMO in customer experience.” ZDNet, 22 Jan. 2020. Web.

    Karlsson, Johan. “Backlog Grooming: Must-Know Tips for High-Value Products.” Perforce. 18 May 2018. Web. Feb. 2019.

    Klie, L. “CRM Still Faces Challenges, Most Speakers Agree: CRM systems have been around for decades, but interoperability and data siloes still have to be overcome.” CRM Magazine, vol. 23, no. 5, 2019, pp. 13-14.

    Kumar, Sanjib, et al. “Improvement of CRM Using Data Mining: A Case Study at Corporate Telecom Sector.” International Journal of Computer Applications, vol. 178, no. 53, 2019, pp. 12-20, doi:10.5120/ijca2019919413.

    Morgan, Blake. “50 Stats That Prove The Value Of Customer Experience.” Forbes, 24 Sept. 2019. Web.

    Norelus, Ernese, et al. “An Approach to Application Modernization: Discovery and Assessment Phase.” IBM Garage, Medium, 24 Feb 2020. Accessed 4 Mar. 2020.

    “Process Frameworks.” APQC, 4 Nov. 2020. Web.

    “Process vs. Capability: Understanding the Difference.” APCQ, 2017. Web.

    Rubin, Kenneth S. "Essential Scrum: A Practical Guide to the Most Popular Agile Process." Pearson Education, 2012.

    Savolainen, Juha, et al. “Transitioning from Product Line Requirements to Product Line Architecture.” 29th Annual International Computer Software and Applications Conference (COMPSAC'05), IEEE, vol. 1, 2005, pp. 186-195, doi: 10.1109/COMPSAC.2005.160

    Smith, Anthony. “How To Create A Customer-Obsessed Company Like Netflix.” Forbes, 12 Dec. 2017. Web.

    “SOA Reference Architecture – Capabilities and the SOA RA.” The Open Group, TOGAF. Web.

    Taber, David. “What to Do When Your CRM Project Fails.” CIO Magazine, 18 Sept. 2017. Web.

    “Taudata Case Study.” Maximizer CRM Software, 17 Jan. 2020. Web.

    Create a Service Management Roadmap

    • Buy Link or Shortcode: {j2store}394|cart{/j2store}
    • member rating overall impact (scale of 10): 8.9/10 Overall Impact
    • member rating average dollars saved: $71,003 Average $ Saved
    • member rating average days saved: 24 Average Days Saved
    • Parent Category Name: Service Management
    • Parent Category Link: /service-management
    • Inconsistent adoption of holistic practices has led to a chaotic service delivery model that results in poor customer satisfaction.
    • There is little structure, formalization, or standardization in the way IT services are designed and managed, leading to diminishing service quality and low business satisfaction.

    Our Advice

    Critical Insight

    • Having effective service management practices in place will allow you to pursue activities, such as innovation, and drive the business forward.
    • Addressing foundational elements like business alignment and management practices will enable you to build effective core practices that deliver business value.
    • Providing consistent leadership support and engagement is essential to allow practitioners to focus on delivering expected outcomes.

    Impact and Result

    • Understand the foundational and core elements that allow you to build a successful service management practice focused on outcomes.
    • Use Info-Tech’s advice and tools to perform an assessment of your organization’s current state, identify the gaps, and create a roadmap for success.
    • Increase business and customer satisfaction by delivering services focused on creating business value.

    Create a Service Management Roadmap Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why many service management maturity projects fail to address foundational and core elements, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Launch the project

    Kick-off the project and complete the project charter.

    • Create a Service Management Roadmap – Phase 1: Launch Project
    • Service Management Roadmap Project Charter

    2. Assess the current state

    Determine the current state for service management practices.

    • Create a Service Management Roadmap – Phase 2: Assess the Current State
    • Service Management Maturity Assessment Tool
    • Organizational Change Management Capability Assessment Tool
    • Service Management Roadmap Presentation Template

    3. Build the roadmap

    Build your roadmap with identified initiatives.

    • Create a Service Management Roadmap – Phase 3: Identify the Target State

    4. Build the communication slide

    Create the communication slide that demonstrates how things will change, both short and long term.

    • Create a Service Management Roadmap – Phase 4: Build the Roadmap
    [infographic]

    Workshop: Create a Service Management Roadmap

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Understand Service Management

    The Purpose

    Understand service management.

    Key Benefits Achieved

    Gain a common understanding of service management, the forces that impact your roadmap, and the Info-Tech Service Management Maturity Model.

    Activities

    1.1 Understand service management.

    1.2 Build a compelling vision and mission.

    Outputs

    Constraints and enablers chart

    Service management vision, mission, and values

    2 Assess the Current State of Service Management

    The Purpose

    Assess the organization’s current service management capabilities.

    Key Benefits Achieved

    Understand attitudes, behaviors, and culture.

    Understand governance and process ownership needs.

    Understand strengths, weaknesses, opportunities, and threats.

    Defined desired state.

    Activities

    2.1 Assess cultural ABCs.

    2.2 Assess governance needs.

    2.3 Perform SWOT analysis.

    2.4 Define desired state.

    Outputs

    Cultural improvements action items

    Governance action items

    SWOT analysis action items

    Defined desired state

    3 Continue Current-State Assessment

    The Purpose

    Assess the organization’s current service management capabilities.

    Key Benefits Achieved

    Understand the current maturity of service management processes.

    Understand organizational change management capabilities.

    Activities

    3.1 Perform service management process maturity assessment.

    3.2 Complete OCM capability assessment.

    3.3 Identify roadmap themes.

    Outputs

    Service management process maturity activities

    OCM action items

    Roadmap themes

    4 Build Roadmap and Communication Tool

    The Purpose

    Use outputs from previous steps to build your roadmap and communication one-pagers.

    Key Benefits Achieved

    Easy-to-understand roadmap one-pager

    Communication one-pager

    Activities

    4.1 Build roadmap one-pager.

    4.2 Build communication one-pager.

    Outputs

    Service management roadmap

    Service management roadmap – Brought to Life communication slide

    Further reading

    Create a Service Management Roadmap

    Implement service management in an order that makes sense.

    ANALYST PERSPECTIVE

    "More than 80% of the larger enterprises we’ve worked with start out wanting to develop advanced service management practices without having the cultural and organizational basics or foundational practices fully in place. Although you wouldn’t think this would be the case in large enterprises, again and again IT leaders are underestimating the importance of cultural and foundational aspects such as governance, management practices, and understanding business value. You must have these fundamentals right before moving on."

    Tony Denford,

    Research Director – CIO

    Info-Tech Research Group

    Our understanding of the problem

    This Research Is Designed For:

    • CIO
    • Senior IT Management

    This Research Will Help You:

    • Create or maintain service management (SM) practices to ensure user-facing services are delivered seamlessly to business users with minimum interruption.
    • Increase the level of reliability and availability of the services provided to the business and improve the relationship and communication between IT and the business.

    This Research Will Also Assist

    • Service Management Process Owners

    This Research Will Help Them:

    • Formalize, standardize, and improve the maturity of service management practices.
    • Identify new service management initiatives to move IT to the next level of service management maturity.

    Executive summary

    Situation

    • Inconsistent adoption of holistic practices has led to a chaotic service delivery model that results in poor customer satisfaction.
    • There is little structure, formalization, or standardization in the way IT services are designed and managed, leading to diminishing service quality and low business satisfaction.

    Complication

    • IT organizations want to be seen as strategic partners, but they fail to address the cultural and organizational constraints.
    • Without alignment with the business goals, services often fail to provide the expected value.
    • Traditional service management approaches are not adaptable for new ways of working.

    Resolution

    • Follow Info-Tech’s methodology to create a service management roadmap that will help guide the optimization of your IT services and improve IT’s value to the business.
    • The blueprint will help you right-size your roadmap to best suit your specific needs and goals and will provide structure, ownership, and direction for service management.
    • This blueprint allows you to accurately identify the current state of service management at your organization. Customize the roadmap and create a plan to achieve your target service management state.

    Info-Tech Insight

    Having effective service management practices in place will allow you to pursue activities such as innovation and drive the business forward. Addressing foundational elements like business alignment and management practices will enable you to build effective core practices that deliver business value. Consistent leadership support and engagement is essential to allow practitioners to focus on delivering expected outcomes.

    Poor service management manifests in many different pains across the organization

    Immaturity in service management will not result in one pain – rather, it will create a chaotic environment for the entire organization, crippling IT’s ability to deliver and perform.

    Low Service Management Maturity

    These are some of the pains that can be attributed to poor service management practices.

    • Frequent service-impacting incidents
    • Low satisfaction with the service desk
    • High % of failed deployments
    • Frequent change-related incidents
    • Frequent recurring incidents
    • Inability to find root cause
    • No communication with the business
    • Frequent capacity-related incidents

    And there are many more…

    Mature service management practices are a necessity, not a nice-to-have

    Immature service management practices are one of the biggest hurdles preventing IT from reaching its true potential.

    In 2004, PwC published a report titled “IT Moves from Cost Center to Business Contributor.” However, the 2014-2015 CSC Global CIO Survey showed that a high percentage of IT is still considered a cost center.

    And low maturity of service management practices is inhibiting activities such as agility, DevOps, digitalization, and innovation.

    A pie chart is shown that is titled: Where does IT sit? The chart has 3 sections. One section represents IT and the business have a collaborative partnership 28%. The next section represents at 33% where IT has a formal client/service provider relationship with the business. The last section has 39% where IT is considered as a cost center.
    Source: CSC Global CIO Survey: 2014-2015 “CIOs Emerge as Disruptive Innovators”

    39%: Resources are primarily focused on managing existing IT workloads and keeping the lights on.

    31%: Too much time and too many resources are used to handle urgent incidents and problems.

    There are many misconceptions about what service management is

    Misconception #1: “Service management is a process”

    Effective service management is a journey that encompasses a series of initiatives that improves the value of services delivered.

    Misconception #2: “Service Management = Service Desk”

    Service desk is the foundation, since it is the main end-user touch point, but service management is a set of people and processes required to deliver business-facing services.

    Misconception #3: “Service management is about the ITSM tool”

    The tool is part of the overall service management program, but the people and processes must be in place before implementing.

    Misconception #4: “Service management development is one big initiative”

    Service management development is a series of initiatives that takes into account an organization’s current state, maturity, capacities, and objectives.

    Misconception #5: “Service management processes can be deployed in any order, assuming good planning and design”

    A successful service management program takes into account the dependencies of processes.

    Misconception #6: “Service management is resolving incidents and deploying changes”

    Service management is about delivering high-value and high-quality services.

    Misconception #7: “Service management is not the key determinant of success”

    As an organization progresses on the service management journey, its ability to deliver high-value and high-quality services increases.

    Misconception #8: “Resolving Incidents = Success”

    Preventing incidents is the name of the game.

    Misconception #9: “Service Management = Good Firefighter”

    Service management is about understanding what’s going on with user-facing services and proactively improving service quality.

    Misconception #10: “Service management is about IT and technical services (e.g. servers, network, database)”

    Service management is about business/user-facing services and the value the services provide to the business.

    Service management projects often don’t succeed because they are focused on process rather than outcomes

    Service management projects tend to focus on implementing process without ensuring foundational elements of culture and management practices are strong enough to support the change.

    1. Aligning your service management goals with your organizational objectives leads to better understanding of the expected outcomes.
    2. Understand your customers and what they value, and design your practices to deliver this value.

    3. IT does not know what order is best when implementing new practices or process improvements.
    4. Don't run before you can walk. Fundamental practices must reach the maturity threshold before developing advanced practices. Implement continuous improvement on your existing processes so they continue to support new practices.

    5. IT does not follow best practices when implementing a practice.
    6. Our best-practice research is based on extensive experience working with clients through advisory calls and workshops.

    Info-Tech can help you create a customized, low-effort, and high-value service management roadmap that will shore up any gaps, prove IT’s value, and achieve business satisfaction.

    Info-Tech’s methodology will help you customize your roadmap so the journey is right for you

    With Info-Tech, you will find out where you are, where you want to go, and how you will get there.

    With our methodology, you can expect the following:

    • Eliminate or reduce rework due to poor execution.
    • Identify dependencies/prerequisites and ensure practices are deployed in the correct order, at the correct time, and by the right people.
    • Engage all necessary resources to design and implement required processes.
    • Assess current maturity and capabilities and design the roadmap with these factors in mind.

    Doing it right the first time around

    You will see these benefits at the end

      ✓ Increase the quality of services IT provides to the business.

      ✓ Increase business satisfaction through higher alignment of IT services.

      ✓ Lower cost to design, implement, and manage services.

      ✓ Better resource utilization, including staff, tools, and budget.

    Focus on a strong foundation to build higher value service management practices

    Info-Tech Insight

    Focus on behaviors and expected outcomes before processes.

    Foundational elements

    • Operating model facilitates service management goals
    • Culture of service delivery
    • Governance discipline to evaluate, direct, and monitor
    • Management discipline to deliver

    Stabilize

    • Deliver stable, reliable IT services to the business
    • Respond to user requests quickly and efficiently
    • Resolve user issues in a timely manner
    • Deploy changes smoothly and successfully

    Proactive

    • Avoid/prevent service disruptions
    • Improve quality of service (performance, availability, reliability)

    Service Provider

    • Understand business needs
    • Ensure services are available
    • Measure service performance, based on business-oriented metrics

    Strategic Partner

    • Fully aligned with business
    • Drive innovation
    • Drive measurable value

    Info-Tech Insight

    Continued leadership support of the foundational elements will allow delivery teams to provide value to the business. Set the expectation of the desired maturity level and allow teams to innovate.

    Follow our model and get to your target state

    A model is depicted that shows the various target states. There are 6 levels showing in the example, and the example is made to look like a tree with a character watering it. In the roots, the level is labelled foundational. The trunk is labelled the core. The lowest hanging branches of the tree is the stabilize section. Above it is the proactive section. Nearing the top of the tree is the service provider. The canopy of the tree are labelled strategic partner.

    Before moving to advanced service management practices, you must ensure that the foundational and core elements are robust enough to support them. Leadership must nurture these practices to ensure they are sustainable and can support higher value, more mature practices.

    Each step along the way, Info-Tech has the tools to help you

    Phase 1: Launch the Project

    Assemble a team with the right talent and vision to increase the chances of project success.

    Phase 2: Assess Current State

    Understand where you are currently on the service management journey using the maturity assessment tool.

    Phase 3: Build Roadmap

    Based on the assessments, build a roadmap to address areas for improvement.

    Phase 4: Build Communication slide

    Based on the roadmap, define the current state, short- and long-term visions for each major improvement area.

    Info-Tech Deliverables:

    • Project Charter
    • Assessment Tools
    • Roadmap Template
    • Communication Template

    CIO call to action

    Improving the maturity of the organization’s service management practice is a big commitment, and the project can only succeed with active support from senior leadership.

    Ideally, the CIO should be the project sponsor, even the project leader. At a minimum, the CIO needs to perform the following activities:

    1. Walk the talk – demonstrate personal commitment to the project and communicate the benefits of the service management journey to IT and the steering committee.
    2. Improving or adopting any new practice is difficult, especially for a project of this size. Thus, the CIO needs to show visible support for this project through internal communication and dedicated resources to help complete this project.

    3. Select a senior, capable, and results-driven project leader.
    4. Most likely, the implementation of this project will be lengthy and technical in some nature. Therefore, the project leader must have a good understanding of the current IT structure, senior standing within the organization, and the relationship and power in place to propel people into action.

    5. Help to define the target future state of IT’s service management.
    6. Determine a realistic target state for the organization based on current capability and resource/budget restraints.

    7. Conduct periodic follow-up meetings to keep track of progress.
    8. Reinforce or re-emphasize the importance of this project to the organization through various communication channels if needed.

    Stabilizing your environment is a must before establishing any more-mature processes

    CASE STUDY

    Industry: Manufacturing

    Source: Engagement

    Challenge

    • The business landscape was rapidly changing for this manufacturer and they wanted to leverage potential cost savings from cloud-first initiatives and consolidate multiple, self-run service delivery teams that were geographically dispersed.

    Solution

    Original Plan

    • Consolidate multiple service delivery teams worldwide and implement service portfolio management.

    Revised Plan with Service Management Roadmap:

    • Markets around the world had very different needs and there was little understanding of what customers value.
    • There was also no understanding of what services were currently being offered within each geography.

    Results

    • Plan was adjusted to understand customer value and services offered.
    • Services were then stabilized and standardized before consolidation.
    • Team also focused on problem maturity and drove a continuous improvement culture and increasing transparency.

    MORAL OF THE STORY:

    Understanding the value of each service allowed the organization to focus effort on high-return activities rather than continuous fire fighting.

    Understand the processes involved in the proactive phase

    CASE STUDY

    Industry: Manufacturing

    Source: Engagement

    Challenge

    • Services were fairly stable, but there were significant recurring issues for certain services.
    • The business was not satisfied with the service quality for certain services, due to periodic availability and reliability issues.
    • Customer feedback for the service desk was generally good.

    Solution

    Original Plan

    • Review all service desk and incident management processes to ensure that service issues were handled in an effective manner.

    Revised Plan with Service Management Roadmap:

    • Design and deploy a rigorous problem management process to determine the root cause of recurring issues.
    • Monitor key services for events that may lead to a service outage.

    Results

    • Root cause of recurring issues was determined and fixes were deployed to resolve the underlying cause of the issues.
    • Service quality improved dramatically, resulting in high customer satisfaction.

    MORAL OF THE STORY:

    Make sure that you understand which processes need to be reviewed in order to determine the cause for service instability. Focusing on the proactive processes was the right answer for this company.

    Have the right culture and structure in place before you become a service provider

    CASE STUDY

    Industry: Healthcare

    Source:Journal of American Medical Informatics Association

    Challenge

    • The IT organization wanted to build a service catalog to demonstrate the value of IT to the business.
    • IT was organized in technology silos and focused on applications, not business services.
    • IT services were not aligned with business activities.
    • Relationships with the business were not well established.

    Solution

    Original Plan

    • Create and publish a service catalog.

    Revised Plan: with Service Management Roadmap:

    • Establish relationships with key stakeholders in the business units.
    • Understand how business activities interface with IT services.
    • Lay the groundwork for the service catalog by defining services from the business perspective.

    Results

    • Strong relationships with the business units.
    • Deep understanding of how business activities map to IT services.
    • Service definitions that reflect how the business uses IT services.

    MORAL OF THE STORY:

    Before you build and publish a service catalog, make sure that you understand how the business is using the IT services that you provide.

    Calculate the benefits of using Info-Tech’s methodology

    To measure the value of developing your roadmap using the Info-Tech tools and methodology, you must calculate the effort saved by not having to develop the methods.

    A. How much time will it take to develop an industry-best roadmap using Info-Tech methodology and tools?

    Using Info-Tech’s tools and methodology you can accurately estimate the effort to develop a roadmap using industry-leading research into best practice.

    B. What would be the effort to develop the insight, assess your team, and develop the roadmap?

    This metric represents the time your team would take to be able to effectively assess themselves and develop a roadmap that will lead to service management excellence.

    C. Cost & time saving through Info-Tech’s methodology

    Measured Value

    Step 1: Assess current state

    Cost to assess current state:

    • 5 Directors + 10 Managers x 10 hours at $X an hour = $A

    Step 2: Build the roadmap

    Cost to create service management roadmap:

    • 5 Directors + 10 Managers x 8 hours at $X an hour = $B

    Step 3: Develop the communication slide

    Cost to create roadmaps for phases:

    • 5 Directors + 10 Managers x 6 hours at $X an hour = $C

    Potential financial savings from using Info-Tech resources:

    Estimated cost to do “B” – (Step 1 ($A) + Step 2 ($B) + Step 3 ($C)) = $Total Saving

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    "Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful."

    Guided Implementation

    "Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keeps us on track."

    Workshop

    "We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place."

    Consulting

    "Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project."

    Diagnostics and consistent frameworks are used throughout all four options.

    Create a Service Management Roadmap – project overview


    Launch the project

    Assess the current state

    Build the roadmap

    Build communication slide

    Best-Practice Toolkit

    1.1 Create a powerful, succinct mission statement

    1.2 Assemble a project team with representatives from all major IT teams

    1.3 Determine project stakeholders and create a communication plan

    1.4 Establish metrics to track the success of the project

    2.1 Assess impacting forces

    2.2 Build service management vision, mission, and values

    2.3 Assess attitudes, behaviors, and culture

    2.4 Assess governance

    2.5 Perform SWOT analysis

    2.6 Identify desired state

    2.7 Assess SM maturity

    2.8 Assess OCM capabilities

    3.1 Document overall themes

    3.2 List individual initiatives

    4.1 Document current state

    4.2 List future vision

    Guided Implementations

    • Kick-off the project
    • Build the project team
    • Complete the charter
    • Understand current state
    • Determine target state
    • Build the roadmap based on current and target state
    • Build short- and long-term visions and initiative list

    Onsite Workshop

    Module 1: Launch the project

    Module 2: Assess current service management maturity

    Module 3: Complete the roadmap

    Module 4: Complete the communication slide

    Workshop overview

    Contact your account representative or email Workshops@InfoTech.com for more information

    Workshop Day 1

    Workshop Day 2

    Workshop Day 3

    Workshop Day 4

    Activities

    Understand Service Management

    1.1 Understand the concepts and benefits of service management.

    1.2 Understand the changing impacting forces that affect your ability to deliver services.

    1.3 Build a compelling vision and mission for your service management program.

    Assess the Current State of Your Service Management Practice

    2.1 Understand attitudes, behaviors, and culture.

    2.2 Assess governance and process ownership needs.

    2.3 Perform SWOT analysis.

    2.4 Define the desired state.

    Complete Current-State Assessment

    3.1 Conduct service management process maturity assessment.

    3.2 Identify organizational change management capabilities.

    3.3 Identify themes for roadmap.

    Build Roadmap and Communication Tool

    4.1 Build roadmap one-pager.

    4.2 Build roadmap communication one-pager.

    Deliverables

    1. Constraints and enablers chart
    2. Service management vision, mission, and values
    1. Action items for cultural improvements
    2. Action items for governance
    3. Identified improvements from SWOT
    4. Defined desired state
    1. Service Management Process Maturity Assessment
    2. Organizational Change Management Assessment
    1. Service management roadmap
    2. Roadmap Communication Tool in the Service Management Roadmap Presentation Template

    PHASE 1

    Launch the Project

    Launch the project

    This step will walk you through the following activities:

    • Create a powerful, succinct mission statement based on your organization’s goals and objectives.
    • Assemble a project team with representatives from all major IT teams.
    • Determine project stakeholders and create a plan to convey the benefits of this project.
    • Establish metrics to track the success of the project.

    Step Insights

    • The project leader should have a strong relationship with IT and business leaders to maximize the benefit of each initiative in the service management journey.
    • The service management roadmap initiative will touch almost every part of the organization; therefore, it is important to have representation from all impacted stakeholders.
    • The communication slide needs to include the organizational change impact of the roadmap initiatives.

    Phase 1 outline

    Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

    Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

    Guided Implementation 1: Launch the Project

    Step 1.1 – Kick-off the Project

    Start with an analyst kick-off call:

    • Identify current organization pain points relating to poor service management practices
    • Determine high-level objectives
    • Create a mission statement

    Then complete these activities…

    • Identify potential team members who could actively contribute to the project
    • Identify stakeholders who have a vested interest in the completion of this project

    With these tools & templates:

    • Service Management Roadmap Project Charter

    Step 1.2 – Complete the Charter

    Review findings with analyst:

    • Create the project team; ensure all major IT teams are represented
    • Review stakeholder list and identify communication messages

    Then complete these activities…

    • Establish metrics to complete project planning
    • Complete the project charter

    With these tools & templates:

    • Service Management Roadmap Project Charter

    Use Info-Tech’s project charter to begin your initiative

    1.1 Service Management Roadmap Project Charter

    The Service Management Roadmap Project Charter is used to govern the initiative throughout the project. It provides the foundation for project communication and monitoring.

    The template has been pre-populated with sample information appropriate for this project. Please review this sample text and change, add, or delete information as required.

    The charter includes the following sections:

    • Mission Statement
    • Goals & Objectives
    • Project Team
    • Project Stakeholders
    • Current State (from phases 2 & 3)
    • Target State (from phases 2 & 3)
    • Target State
    • Metrics
    • Sponsorship Signature
    A screenshot of Info-Tech's Service Management Roadmap Project Charter is shown.

    Use Info-Tech’s ready-to-use deliverable to customize your mission statement

    Adapt and personalize Info-Tech’s Service Management Roadmap Mission Statement and Goals & Objectives below to suit your organization’s needs.

    Goals & Objectives

    • Create a plan for implementing service management initiatives that align with the overall goals/objectives for service management.
    • Identify service management initiatives that must be implemented/improved in the short term before deploying more advanced initiatives.
    • Determine the target state for each initiative based on current maturity and level of investment available.
    • Identify service management initiatives and understand dependencies, prerequisites, and level of effort required to implement.
    • Determine the sequence in which initiatives should be deployed.
    • Create a detailed rollout plan that specifies initiatives, time frames, and owners.
    • Engage the right teams and obtain their commitment throughout both the planning and assessment of roadmap initiatives.
    • both the planning and assessment of roadmap initiatives. Obtain support for the completed roadmap from executive stakeholders.

    Example Mission Statement

    To help [Organization Name] develop a set of service management practices that will better address the overarching goals of the IT department.

    To create a roadmap that sequences initiatives in a way that incorporates best practices and takes into consideration dependencies and prerequisites between service management practices.

    To garner support from the right people and obtain executive buy-in for the roadmap.

    Create a well-balanced project team

    The project leader should be a member of your IT department’s senior executive team with goals and objectives that will be impacted by service management implementation. The project leader should possess the following characteristics:

    Leader

    • Influence and impact
    • Comprehensive knowledge of IT and the organization
    • Relationship with senior IT management
    • Ability to get things done

    Team Members

    Identify

    The project team members are the IT managers and directors whose day-to-day lives will be impacted by the service management roadmap and its implementation. The service management initiative will touch almost every IT staff member in the organization; therefore, it is important to have representatives from every single group, including those that are not mentioned. Some examples of individuals you should consider for your team:

    • Service Delivery Managers
    • Director/Manager of Applications
    • Director/Manager of Infrastructure
    • Director/Manager of Service Desk
    • Business Relationship Managers
    • Project Management Office

    Engage & Communicate

    You want to engage your project participants in the planning process as much as possible. They should be involved in the current-state assessment, the establishment of goals and objectives, and the development of your target state.

    To sell this project, identify and articulate how this project and/or process will improve the quality of their job. For example, a formal incident management process will benefit people working at the service desk or on the applications or infrastructure teams. Helping them understand the gains will help to secure their support throughout the long implementation process by giving them a sense of ownership.

    The project stakeholders should also be project team members

    When managing stakeholders, it is important to help them understand their stake in the project as well as their own personal gain that will come out of this project.

    For many of the stakeholders, they also play a critical role in the development of this project.

    Role & Benefits

    • CIO
    • The CIO should be actively involved in the planning stage to help determine current and target stage.

      The CIO also needs to promote and sell the project to the IT team so they can understand that higher maturity of service management practices will allow IT to be seen as a partner to the business, giving IT a seat at the table during decision making.

    • Service Delivery Managers/Process Owners
    • Service Delivery Managers are directly responsible for the quality and value of services provided to the business owners. Thus, the Service Delivery Managers have a very high stake in the project and should be considered for the role of project leader.

      Service Delivery Managers need to work closely with the process owners of each service management process to ensure clear objectives are established and there is a common understanding of what needs to be achieved.

    • IT Steering Committee
    • The Committee should be informed and periodically updated about the progress of the project.

    • Manager/Director – Service Desk
    • The Manager of the Service Desk should participate closely in the development of fundamental service management processes, such as service desk, incident management, and problem management.

      Having a more established process in place will create structure, governance, and reduce service desk staff headaches so they can handle requests or incidents more efficiently.

    • Manager/Director –Applications & Infrastructure
    • The Manager of Applications and Infrastructure should be heavily relied on for their knowledge of how technology ties into the organization. They should be consulted regularly for each of the processes.

      This project will also benefit them directly, such as improving the process to deploy a fix into the environment or manage the capacity of the infrastructure.

    • Business Relationship Manager
    • As the IT organization moves up the maturity ladder, the Business Relationship Manager will play a fundamental role in the more advanced processes, such as business relationship management, demand management, and portfolio management.

      This project will be an great opportunity for the Business Relationship Manager to demonstrate their value and their knowledge of how to align IT objectives with business vision.

    Ensure you get the entire IT organization on board for the project with a well-practiced change message

    Getting the IT team on board will greatly maximize the project’s chance of success.

    One of the top challenges for organizations embarking on a service management journey is to manage the magnitude of the project. To ensure the message is not lost, communicate this roadmap in two steps.

    1. Communicate the roadmap initiative

    The most important message to send to the IT organization is that this project will benefit them directly. Articulate the pains that IT is currently experiencing and explain that through more mature service management, these pains can be greatly reduced and IT can start to earn a place at the table with the business.

    2. Communicate the implementation of each process separately

    The communication of process implementation should be done separately and at the beginning of each implementation. This is to ensure that IT staff do not feel overwhelmed or overloaded. It also helps to keep the project more manageable for the project team.

    Continuously monitor feedback and address concerns throughout the entire process

    • Host lunch and learns to provide updates on the service management initiative to the entire IT team.
    • Understand if there are any major roadblocks and facilitate discussions on how to overcome them.

    Articulate the service management initiative to the IT organization

    Spread the word and bring attention to your change message through effective mediums and organizational changes.

    Key aspects of a communication plan

    The methods of communication (e.g. newsletters, email broadcast, news of the day, automated messages) notify users of implementation.

    In addition, it is important to know who will deliver the message (delivery strategy). You need IT executives to deliver the message – work hard on obtaining their support as they are the ones communicating to their staff and should be your project champions.

    Anticipate organizational changes

    The implementation of the service management roadmap will most likely lead to organizational changes in terms of structure, roles, and responsibilities. Therefore, the team should be prepared to communicate the value that these changes will bring.

    Communicating Change

    • What is the change?
    • Why are we doing it?
    • How are we going to go about it?
    • What are we trying to achieve?
    • How often will we be updated?

    The Qualities of Leadership: Leading Change

    Create a project communication plan for your stakeholders

    This project cannot be successfully completed without the support of senior IT management.

    1. After the CIO has introduced this project through management meetings or informal conversation, find out how each IT leader feels about this project. You need to make sure the directors and managers of each IT team, especially the directors of application and infrastructure, are on board.
    2. After the meeting, the project leader should seek out the major stakeholders (particularly the heads of applications and infrastructure) and validate their level of support through formal or informal meetings. Create a list documenting the major stakeholders, their level of support, and how the project team will work to gain their approval.
    3. For each identified stakeholder, create a custom communication plan based on their role. For example, if the director of infrastructure is not a supporter, demonstrate how this project will enable them to better understand how to improve service quality. Provide periodic reporting or meetings to update the director on project progress.

    INPUT

    • A collaborative discussion between team members

    OUTPUT

    • Thorough briefing for project launch
    • A committed team

    Materials

    • Communication message and plan
    • Metric tracking

    Participants

    • Project leader
    • Core project team

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech workshop

    Book a workshop with our Info-Tech analysts:

    Photo of an Info-Tech analyst is shown.
    • To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
    • Info-Tech analysts will join you and your team onsite at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.
    • Contact your account manager (www.infotech.com/account), or email Workshops@InfoTech.com for more information.

    The following are sample activities that will be conducted by Info-Tech analysts with your team:

    1.1

    A screenshot of activity 1.1 is shown.

    Create a powerful, succinct mission statement

    Using Info-Tech’s sample mission statement as a guide, build your mission statement based on the objectives of this project and the benefits that this project will achieve. Keep the mission statement short and clear.

    1.2

    A screenshot of activity 1.2 is shown.

    Assemble the project team

    Create a project team with representatives from all major IT teams. Engage and communicate to the project team early and proactively.

    1.3

    A screenshot of activity 1.3 is shown.

    Identify project stakeholders and create a communication plan

    Info-Tech will help you identify key stakeholders who have a vested interest in the success of the project. Determine the communication message that will best gain their support.

    1.4

    A screenshot of activity 1.4 is shown.

    Use metrics to track the success of the project

    The onsite analyst will help the project team determine the appropriate metrics to measure the success of this project.

    PHASE 2

    Assess Your Current Service Management State

    Assess your current state

    This step will walk you through the following activities:

    • Use Info-Tech’s Service Management Maturity Assessment Tool to determine your overall practice maturity level.
    • Understand your level of completeness for each individual practice.
    • Understand the three major phases involved in the service management journey; know the symptoms of each phase and how they affect your target state selection.

    Step Insights

    • To determine the real maturity of your service management practices, you should focus on the results and output of the practice, rather than the activities performed for each process.
    • Focus on phase-level maturity as opposed to the level of completeness for each individual process.

    Phase 2 outline

    Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

    Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

    Guided Implementation 2: Determine Your Service Management Current State

    Step 2.1 – Assess Impacting Forces

    Start with an analyst kick-off call:

    • Discuss the impacting forces that can affect the success of your service management program
    • Identify internal and external constraints and enablers
    • Review and interpret how to leverage or mitigate these elements

    Then complete these activities…

    • Present the findings of the organizational context
    • Facilitate a discussion and create consensus amongst the project team members on where the organization should start

    With these tools & templates:

    Service Management Roadmap Presentation Template

    Step 2.2 – Build Vision, Mission, and Values

    Review findings with analyst:

    • Review your service management vision and mission statement and discuss the values

    Then complete these activities…

    • Socialize the vision, mission, and values to ensure they are aligned with overall organizational vision. Then, set the expectations for behavior aligned with the vision, mission, and values

    With these tools & templates:

    Service Management Roadmap Presentation Template

    Step 2.3 – Assess Attitudes, Behaviors, and Culture

    Review findings with analyst:

    • Discuss tactics for addressing negative attitudes, behaviors, or culture identified

    Then complete these activities…

    • Add items to be addressed to roadmap

    With these tools & templates:

    Service Management Roadmap Presentation Template

    Step 2.4 – Assess Governance Needs

    Review findings with analyst:

    • Understand the typical types of governance structure and the differences between management and governance
    • Choose the management structure required for your organization

    Then complete these activities…

    • Determine actions required to establish an effective governance structure and add items to be addressed to roadmap

    With these tools & templates:

    Service Management Roadmap Presentation Template

    Step 2.5 – Perform SWOT Analysis

    Review findings with analyst:

    • Discuss SWOT analysis results and tactics for addressing within the roadmap

    Then complete these activities…

    • Add items to be addressed to roadmap

    With these tools & templates:

    Service Management Roadmap Presentation Template

    Step 2.6 – Identify Desired State

    Review findings with analyst:

    • Discuss desired state and commitment needed to achieve aspects of the desired state

    Then complete these activities…

    • Use the desired state to critically assess the current state of your service management practices and whether they are achieving the desired outcomes
    • Prep for the SM maturity assessment

    With these tools & templates:

    Service Management Roadmap Presentation Template

    Step 2.7 – Perform SM Maturity Assessment

    Review findings with analyst:

    • Review and interpret the output from your service management maturity assessment

    Then complete these activities…

    • Add items to be addressed to roadmap

    With these tools & templates:

    Service Management Roadmap Presentation Template

    Service Management Maturity Assessment

    Step 2.8 – Review OCM Capabilities

    Review findings with analyst:

    • Review and interpret the output from your organizational change management maturity assessment

    Then complete these activities…

    • Add items to be addressed to roadmap

    With these tools & templates:

    Service Management Roadmap Presentation Template

    Organizational Change Management Assessment

    Understand and assess impacting forces – constraints and enablers

    Constraints and enablers are organizational and behavioral triggers that directly impact your ability and approach to establishing Service Management practices.

    A model is shown to demonstrate the possibe constraints and enablers on your service management program. It incorporates available resources, the environment, management practices, and available technologies.

    Effective service management requires a mix of different approaches and practices that best fit your organization. There’s not a one-size-fits-all solution. Consider the resources, environment, emerging technologies, and management practices facing your organization. What items can you leverage or use to mitigate to move your service management program forward?

    Use Info-Tech’s “Organizational Context” template to list the constraints and enablers affecting your service management

    The Service Management Roadmap Presentation Template will help you understand the business environment you need to consider as you build out your roadmap.

    Discuss and document constraints and enablers related to the business environment, available resources, management practices, and emerging technologies. Any constraints will need to be addressed within your roadmap and enablers should be leveraged to maximize your results.


    Screenshot of Info-Tech's Service Management Roadmap Presentation Template is shown.

    Document constraints and enablers

    1. Discuss and document the constrains and enablers for each aspect of the management mesh: environment, resources, management practices, or technology.
    2. Use this as a thought provoker in later exercises.

    INPUT

    • A collaborative discussion

    OUTPUT

    • Organizational context constraints and enablers

    Materials

    • Whiteboards or flip charts

    Participants

    • All stakeholders

    Build compelling vision and mission statements to set the direction of your service management program

    While you are articulating the vision and mission, think about the values you want the team to display. Being explicit can be a powerful tool to create alignment.

    A vision statement describes the intended state of your service management organization, expressed in the present tense.

    A mission statement describes why your service management organization exists.

    Your organizational values state how you will deliver services.

    Use Info-Tech’s “Vision, Mission, and Values” template to set the aspiration & purpose of your service management practice

    The Service Management Roadmap Presentation Template will help you document your vision for service management, the purpose of the program, and the values you want to see demonstrated.

    If the team cannot gain agreement on their reason for being, it will be difficult to make traction on the roadmap items. A concise and compelling statement can set the direction for desired behavior and help team members align with the vision when trying to make ground-level decisions. It can also be used to hold each other accountable when undesirable behavior emerges. It should be revised from time to time, when the environment changes, but a well-written statement should stand the test of time.

    A screenshot of the Service Management Roadmap Presentation Temaplate is shown. Specifically it is showing the section on the vision, mission, and values results.

    Document your organization’s vision, mission , and values

    1. Vision: Identify your desired target state, consider the details of that target state, and create a vision statement.
    2. Mission: Consider the fundamental purpose of your SM program and craft a statement of purpose.
    3. Values: As you work through the vision and mission, identify values that your organization prides itself in or has the aspiration for.
    4. Discuss common themes and then develop a concise vision statement and mission statement that incorporates the group’s ideas.

    INPUT

    • A collaborative discussion

    OUTPUT

    • Vision statement
    • Mission statement
    • Organizational values

    Materials

    • Whiteboards or flip charts
    • Sample vision and mission statements

    Participants

    • All stakeholders
    • Senior leadership

    Understanding attitude, behavior, and culture

    Attitude

    • What people think and feel. It can be seen in their demeanor and how they react to change initiatives, colleagues, and users.

    Any form of organizational change involves adjusting people’s attitudes, creating buy-in and commitment. You need to identify and address attitudes that can lead to negative behaviors and actions or that are counter-productive. It must be made visible and related to your desired behavior.

    Behaviour

    • What people do. This is influenced by attitude and the culture of the organization.

    To implement change within IT, especially at a tactical level, both IT and organizational behavior needs to change. This is relevant because people don’t like to change and will resist in an active or passive way unless you can sell the need, value, and benefit of changing their behavior.

    Culture

    • The accepted and understood ways of working in an organization. The values and standards that people find normal and what would be tacitly identified to new resources.

    The organizational or corporate “attitude,” the impact on employee behavior and attitude is often not fully understood. Culture is an invisible element, which makes it difficult to identify, but it has a strong impact and must be addressed to successfully embed any organizational change or strategy.

    Culture is a critical and under-addressed success factor

    43% of CIOs cited resistance to change as the top impediment to a successful digital strategy.

    CIO.com

    75% of organizations cannot identify or articulate their culture or its impact.

    Info-Tech

    “Shortcomings in organizational culture are one of the main barriers to company success in the digital age.”

    McKinsey – “Culture for a digital age”

    Examples of how they apply

    Attitude

    • “I’ll believe that when I see it”
    • Positive outlook on new ideas and changes

    Behaviour

    • Saying you’ll follow a new process but not doing so
    • Choosing not to document a resolution approach or updating a knowledge article, despite being asked

    Culture

    • Hero culture (knowledge is power)
    • Blame culture (finger pointing)
    • Collaborative culture (people rally and work together)

    Why have we failed to address attitude, behavior, and culture?

      ✓ While there is attention and better understanding of these areas, very little effort is made to actually solve these challenges.

      ✓ The impact is not well understood.

      ✓ The lack of tangible and visible factors makes it difficult to identify.

      ✓ There is a lack of proper guidance, leadership skills, and governance to address these in the right places.

      ✓ Addressing these issues has to be done proactively, with intent, rigor, and discipline, in order to be successful.

      ✓ We ignore it (head in the sand and hoping it will fix itself).

    Avoidance has been a common strategy for addressing behavior and culture in organizations.

    Use Info-Tech’s “Culture and Environment” template to identify cultural constraints that should be addressed in roadmap

    The Service Management Roadmap Presentation Template will help you document attitude, behavior, and culture constraints.

    Discuss as a team attitudes, behaviors, and cultural aspects that can either hinder or be leveraged to support your vision for the service management program. Capture all items that need to be addressed in the roadmap.

    A screenshot of the Service Management Roadmap Presentation Template is shown. Specifically showing the culture and environment slide.

    Document your organization’s attitudes, behaviors, and culture

    1. Discuss and document positive and negative aspects of attitude, behavior, or culture within your organization.
    2. Identify the items that need to be addressed as part of your roadmap.

    INPUT

    • A collaborative discussion

    OUTPUT

    • Culture and environment worksheet

    Materials

    • Whiteboards or flip charts

    Participants

    • All stakeholders

    The relationship to governance

    Attitude, behavior, and culture are still underestimated as core success factors in governance and management.

    Behavior is a key enabler of good governance. Leading by example and modeling behavior has a cascading impact on shifting culture, reinforcing the importance of change through adherence.

    Executive leadership and governing bodies must lead and support cultural change.

    Key Points

    • Less than 25% of organizations have formal IT governance in place (ITSM Tools).
    • Governance tends to focus on risk and compliance (controls), but forgets the impact of value and performance.

    Lack of oversight often limits the value of service management implementations

    Organizations often fail to move beyond risk mitigation, losing focus of the goals of their service management practices and the capabilities required to produce value.

    Risk Mitigation

    • Stabilize IT
    • Service Desk
    • Incident Management
    • Change Management

    Gap

    • Organizational alignment through governance
    • Disciplined focus on goals of SM

    Value Production

    • Value that meets business and consumer needs

    This creates a situation where service management activities and roadmaps focus on adjusting and tweaking process areas that no longer support how the organization needs to work.

    How does establishing governance for service management provide value?

    Governance of service management is a gap in most organizations, which leads to much of the failure and lack of value from service management processes and activities.

    Once in place, effective governance enables success for organizations by:

    1. Ensuring service management processes improve business value
    2. Measuring and confirming the value of the service management investment
    3. Driving a focus on outcome and impact instead of simply process adherence
    4. Looking at the integrated impact of service management in order to ensure focused prioritization of work
    5. Driving customer-experience focus within organizations
    6. Ensuring quality is achieved and addressing quality impacts and dependencies between processes

    Four common service management process ownership models

    Your ownership structure largely defines how processes will need to be implemented, maintained, and improved. It has a strong impact on their ability to integrate and how other teams perceive their involvement.

    An organizational structure is shown. In the image is an arrow, with the tip facing in the right direction. The left side of the arrow is labelled: Traditional, and the right side is labelled: Complex. The four models are noted along the arrow. Starting on the left side and going to the right are: Distributed Process Ownership, Centralized Process Ownership, Federated Process Ownership, and Service Management Office.

    Most organizations are somewhere within this spectrum of four core ownership models, usually having some combination of shared traits between the two models that are closest to them on the scale.

    Info-Tech Insight

    The organizational structure that is best for you depends on your needs, and one is not necessarily better than another. The next four slides describe when each ownership level is most appropriate.

    Distributed process ownership

    Distributed process ownership is usually evident when organizations initially establish their service management practices. The processes are assigned to a specific group, who assumes some level of ownership over its execution.

    The distributed process ownership model is shown. CIO is listed at the top with four branches leading out from below it. The four branches are labelled: Service Desk, Operations, Applications, and Security.

    Info-Tech Insight

    This model is often a suitable approach for initial implementations or where it may be difficult to move out of siloes within the organization’s structure or culture.

    Centralized process ownership

    Centralized process ownership usually becomes necessary for organizations as they move into a more functional structure. It starts to drive management of processes horizontally across the organization while still retaining functional management control.

    A centralized process ownership model is shown. The CIO is at the top and the following are branches below it: Service Manager, Support, Middleware, Development, and Infrastructure.

    Info-Tech Insight

    This model is often suitable for maturing organizations that are starting to look at process integration and shared service outcomes and accountability.

    Federated process ownership

    Federated process ownership allows for global control and regional variation, and it supports product orientation and Agile/DevOps principles

    A federated process ownership model is shown. The Sponsor/CIO is at the top, with the ITSM Executive below it. Below that level is the: Process Owner, Process Manager, and Process Manager.

    Info-Tech Insight

    Federated process ownership is usually evident in organizations that have an international or multi-regional presence.

    Service management office (SMO)

    SMO structures tend to occur in highly mature organizations, where service management responsibility is seen as an enterprise accountability.

    A service management office model is shown. The CIO is at the top with the following branches below it: SMO, End-User Services, Infra., Apps., and Architecture.

    Info-Tech Insight

    SMOs are suitable for organizations with a defined IT and organizational strategy. A SMO supports integration with other enterprise practices like enterprise architecture and the PMO.

    Determine which process ownership and governance model works best for your organization

    The Service Management Roadmap Presentation Template will help you document process ownership and governance model

    Example:

    Key Goals:

      ☐ Own accountability for changes to core processes

      ☐ Understand systemic nature and dependencies related to processes and services

      ☐ Approve and prioritize improvement and CSI initiatives related to processes and services

      ☐ Evaluate success of initiative outcomes based on defined benefits and expectations

      ☐ Own Service Management and Governance processes and policies

      ☐ Report into ITSM executive or equivalent body

    Membership:

      ☐ Process Owners, SM Owner, Tool Owner/Liaison, Audit

    Discuss as a team which process ownership model works for your organization. Determine who will govern the service management practice. Determine items that should be identified in your roadmap to address governance and process ownership gaps.

    Use Info-Tech’s “SWOT” template to identify strengths, weaknesses, opportunities & threats that should be addressed

    The Service Management Roadmap Presentation Template will help you document items from your SWOT analysis.

    A screenshot of the Service Management Roadmap Presentation Template is shown. Specifically the SWOT section is shown.

    Brainstorm the strengths, weaknesses, opportunities, and threats related to resources, environment, technology, and management practices. Add items that need to be addressed to your roadmap.

    Perform a SWOT analysis

    1. Brainstorm each aspect of the SWOT with an emphasis on:
    • Resources
    • Environment
    • Technologies
    • Management Practices
  • Record your ideas on a flip chart or whiteboard.
  • Add items to be addressed to the roadmap.
  • INPUT

    • A collaborative discussion

    OUTPUT

    • SWOT analysis
    • Priority items identified

    Materials

    • Whiteboards or flip charts

    Participants

    • All stakeholders

    Indicate desired maturity level for your service management program to be successful

    Discuss the various maturity levels and choose a desired level that would meet business needs.

    The desired maturity model is depicted.

    INPUT

    • A collaborative discussion

    OUTPUT

    • Desired state of service management maturity

    Materials

    • None

    Participants

    • All stakeholders

    Use Info-Tech’s Service Management Process Maturity Assessment Tool to understand your current state

    The Service Management Process Maturity Assessment Tool will help you understand the true state of your service management.

    A screenshot of Info-Tech's Service Management Process Assessment Tool is shown.

    Part 1, Part 2, and Part 3 tabs

    These three worksheets contain questions that will determine the overall maturity of your service management processes. There are multiple sections of questions focused on different processes. It is very important that you start from Part 1 and continue the questions sequentially.

    Results tab

    The Results tab will display the current state of your service management processes as well as the percentage of completion for each individual process.

    Complete the service management process maturity assessment

    The current-state assessment will be the foundation of building your roadmap, so pay close attention to the questions and answer them truthfully.

    1. Start with tab 1 in the Service Management Process Maturity Assessment Tool. Remember to read the questions carefully and always use the feedback obtained through the end-user survey to help you determine the answer.
    2. In the “Degree of Process Completeness” column, use the drop-down menu to input the results solicited from the goals and objectives meeting you held with your project participants.
    3. A screenshot of Info-Tech's Service Management Process Assessment Tool is shown. Tab 1 is shown.
    4. Host a meeting with all participants following completion of the survey and have them bring their results. Discuss in a round-table setting, keeping a master sheet of agreed upon results.

    INPUT

    • Service Management Process Maturity Assessment Tool questions

    OUTPUT

    • Determination of current state

    Materials

    • Service Management Process Maturity Assessment Tool

    Participants

    • Project team members

    Review the results of your current-state assessment

    At the end of the assessment, the Results tab will have action items you could perform to close the gaps identified by the process assessment tool.

    A screenshot of Info-Tech's Service Management Process Maturity Assessment Results is shown.

    INPUT

    • Maturity assessment results

    OUTPUT

    • Determination of overall and individual practice maturity

    Materials

    • Service Management Maturity Assessment Tool

    Participants

    • Project team members

    Use Info-Tech’s OCM Capability Assessment tool to understand your current state

    The Organizational Change Management Capabilities Assessment tool will help you understand the true state of your organizational change management capabilities.

    A screenshot of Info-Tech's Organizational Change Management Capabilities Assessment

    Complete the Capabilities tab to capture the current state for organizational change management. Review the Results tab for interpretation of the capabilities. Review the Recommendations tab for actions to address low areas of maturity.

    Complete the OCM capability assessment

    1. Open Organizational Change Management Capabilities Assessment tool.
    2. Come to consensus on the most appropriate answer for each question. Use the 80/20 rule.
    3. Review result charts and discuss findings.
    4. Identify roadmap items based on maturity assessment.

    INPUT

    • A collaborative discussion

    OUTPUT

    • OCM Assessment tool
    • OCM assessment results

    Materials

    • OCM Capabilities Assessment tool

    Participants

    • All stakeholders

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech workshop

    Book a workshop with our Info-Tech analysts:

    Photo of an Info-Tech analyst is shown.

    • To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
    • Info-Tech analysts will join you and your team onsite at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.
    • Contact your account manager (www.infotech.com/account), or email Workshops@InfoTech.com for more information.

    The following are sample activities that will be conducted by Info-Tech analysts with your team:

    2.1

    A screenshot of activity 2.1 is shown.

    Create a powerful, succinct mission statement

    Using Info-Tech’s sample mission statement as a guide, build your mission statement based on the objectives of this project and the benefits that this project will achieve. Keep the mission statement short and clear.

    2.2

    A screenshot of activity 2.2 is shown.

    Complete the assessment

    With the project team in the room, go through all three parts of the assessment with consideration of the feedback received from the business.

    2.3

    A screenshot of activity 2.3 is shown.

    Interpret the results of the assessment

    The Info-Tech onsite analyst will facilitate a discussion on the overall maturity of your service management practices and individual process maturity. Are there any surprises? Are the results reflective of current service delivery maturity?

    PHASE 3

    Build Your Service Management Roadmap

    Build Roadmap

    This step will walk you through the following activities:

    • Document your vision and mission on the roadmap one-pager.
    • Using the inputs from the current-state assessments, identify the key themes required by your organization.
    • Identify individual initiatives needed to address key themes.

    Step Insights

    • Using the Info-Tech thought model, address foundational gaps early in your roadmap and establish the management methods to continuously make them more robust.
    • If any of the core practices are not meeting the vision for your service management program, be sure to address these items before moving on to more advanced service management practices or processes.
    • Make sure the story you are telling with your roadmap is aligned to the overall organizational goals.

    Phase 3 outline

    Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

    Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

    Guided Implementation 3: Determine Your Service Management Target State

    Step 3.1 – Document the Overall Themes

    Start with an analyst kick-off call:

    • Review the outputs from your current-state assessments to identify themes for areas that need to be included in your roadmap

    Then complete these activities…

    • Ensure foundational elements are solid by adding any gaps to the roadmap
    • Identify any changes needed to management practices to ensure continuous improvement

    With these tools & templates:

    Service Management Roadmap Presentation Template

    Step 3.2 – Determine Individual Initiatives

    Review findings with analyst:

    • Determine the individual initiatives needed to close the gaps between the current state and the vision

    Then complete these activities…

    • Finalize and document roadmap for executive socialization

    With these tools & templates:

    Service Management Roadmap Presentation Template

    Focus on a strong foundation to build higher value service management practices

    Info-Tech Insight

    Focus on behaviors and expected outcomes before processes.

    Foundational elements

    • Operating model facilitates service management goals
    • Culture of service delivery
    • Governance discipline to evaluate, direct, and monitor
    • Management discipline to deliver

    Stabilize

    • Deliver stable, reliable IT services to the business
    • Respond to user requests quickly and efficiently
    • Resolve user issues in a timely manner
    • Deploy changes smoothly and successfully

    Proactive

    • Avoid/prevent service disruptions
    • Improve quality of service (performance, availability, reliability)

    Service Provider

    • Understand business needs
    • Ensure services are available
    • Measure service performance, based on business-oriented metrics

    Strategic Partner

    • Fully aligned with business
    • Drive innovation
    • Drive measurable value

    Info-Tech Insight

    Continued leadership support of the foundational elements will allow delivery teams to provide value to the business. Set the expectation of the desired maturity level and allow teams to innovate.

    Identify themes that can help you build a strong foundation before moving to higher level practices

    A model is depicted that shows the various target states. There are 6 levels showing in the example, and the example is made to look like a tree with a character watering it. In the roots, the level is labelled foundational. The trunk is labelled the core. The lowest hanging branches of the tree is the stabilize section. Above it is the proactive section. Nearing the top of the tree is the service provider. The top most branches of the tree is labelled strategic partner.

    Before moving to advanced service management practices, you must ensure that the foundational and core elements are robust enough to support them. Leadership must nurture these practices to ensure they are sustainable and can support higher value, more mature practices.

    Use Info-Tech’s “Service Management Roadmap” template to document your vision, themes and initiatives

    The Service Management Roadmap Presentation Template contains a roadmap template to help communicate your vision, themes to be addressed, and initiatives

    A screenshot of Info-Tech's Service Management Roadmap template is shown.

    Working from the lower maturity items to the higher value practices, identify logical groupings of initiatives into themes. This will aid in communicating the reasons for the needed changes. List the individual initiatives below the themes. Adding the service management vision and mission statements can help readers understand the roadmap.

    Document your service management roadmap

    1. Document the service management vision and mission on the roadmap template.
    2. Identify, from the assessments, areas that need to be improved or implemented.
    3. Group the individual initiatives into logical themes that can ease communication of what needs to happen.
    4. Document the individual initiatives.
    5. Document in terms that business partners and executive sponsors can understand.

    INPUT

    • Current-state assessment outputs
    • Maturity model

    OUTPUT

    • Service management roadmap

    Materials

    • Whiteboard
    • Roadmap template

    Participants

    • All stakeholders

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech workshop

    Book a workshop with our Info-Tech analysts:

    Photo of an Info-Tech analyst is shown.

    • To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
    • Info-Tech analysts will join you and your team onsite at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.
    • Contact your account manager (www.infotech.com/account), or email Workshops@InfoTech.com for more information.

    The following are sample activities that will be conducted by Info-Tech analysts with your team:

    3.1

    A screenshot of activity 3.1 is shown.

    Identify themes to address items from the foundational level up to higher value service management practices

    Identify easily understood themes that will help others understand the expected outcomes within your organization.

    A screenshot of activity 3.2 is shown.

    Document individual initiatives that contribute to the themes

    Identify specific activities that will close gaps identified in the assessments.

    PHASE 2

    Build Communication Slide

    Complete your service management roadmap

    This step will walk you through the following activities:

    • Use the current-state assessment exercises to document the state of your service management practices. Document examples of the behaviors that are currently seen.
    • Document the expected short-term gains. Describe how you want the behaviors to change.
    • Document the long-term vision for each item and describe the benefits you expect to see from addressing each theme.

    Step Insights

    • Use the communication template to acknowledge the areas that need to be improved and paint the short- and long-term vision for the improvements to be made through executing the roadmap.
    • Write it in business terms so that it can be used widely to gain acceptance of the upcoming changes that need to occur.
    • Include specific areas that need to be fixed to make it more tangible.
    • Adding the values from the vision, mission, and values exercise can also help you set expectations about how the team will behave as they move towards the longer-term vision.

    Phase 4 Outline

    Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

    Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

    Guided Implementation 4: Build the Service Management Roadmap

    Step 4.1: Document the Current State

    Start with an analyst kick-off call:

    • Review the pain points identified from the current state analysis
    • Discuss tactics to address specific pain points

    Then complete these activities…

    • Socialize the pain points within the service delivery teams to ensure nothing is being misrepresented
    • Gather ideas for the future state

    With these tools & templates:

    Service Management Roadmap Presentation Template

    Step 4.2: List the Future Vision

    Review findings with analyst:

    • Review short- and long-term vision for improvements for the pain points identified in the current state analysis

    Then complete these activities…

    • Prepare to socialize the roadmap
    • Ensure long-term vision is aligned with organizational objectives

    With these tools & templates:

    Service Management Roadmap Presentation Template

    Use Info-Tech’s “Service Management Roadmap – Brought to Life” template to paint a picture of the future state

    The Service Management Roadmap Presentation Template contains a communication template to help communicate your vision of the future state

    A screenshot of Info-Tech's Service Management Roadmap - Brought to Life template

    Use this template to demonstrate how existing pain points to delivering services will improve over time by painting a near- and long-term picture of how things will change. Also list specific initiatives that will be launched to affect the changes. Listing the values identified in the vision, mission, and values exercise will also demonstrate the team’s commitment to changing behavior to create better outcomes.

    Document your current state and list initiatives to address them

    1. Use the previous assessments and feedback from business or customers to identify current behaviors that need addressing.
    2. Focus on high-impact items for this document, not an extensive list.
    3. An example of step 1 and 2 are shown.
    4. List the initiatives or actions that will be used to address the specific pain points.

    An example of areas for improvement.

    INPUT

    • Current-state assessment outputs
    • Feedback from business

    OUTPUT

    • Service Management Roadmap Communication Tool, in the Service Management Roadmap Presentation

    Materials

    • Whiteboard
    • Roadmap template

    Participants

    • All stakeholders

    Document your future state

    An example of document your furture state is shown.

    1. For each pain point document the expected behaviors, both short term and longer term.
    2. Write in terms that allow readers to understand what to expect from your service management practice.

    INPUT

    • Current-state assessment outputs
    • Feedback from business

    OUTPUT

    • Service Management Roadmap Communication Tool, in the Service Management Roadmap Presentation Template

    Materials

    • Whiteboard
    • Roadmap template

    Participants

    • All stakeholders

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech workshop

    Book a workshop with our Info-Tech analysts:

    Photo of an Info-Tech analyst is shown.

    • To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
    • Info-Tech analysts will join you and your team onsite at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.
    • Contact your account manager (www.infotech.com/account), or email Workshops@InfoTech.com for more information.

    The following are sample activities that will be conducted by Info-Tech analysts with your team:

    4.1

    A screenshot of activity 4.1 is shown.

    Identify the pain points and initiatives to address them

    Identify items that the business can relate to and initiatives or actions to address them.

    4.2

    A screenshot of activity 4.2 is shown.

    Identify short- and long-term expectations for service management

    Communicate the benefits of executing the roadmap both short- and long-term gains.

    Research contributors and experts

    Photo of Valence Howden

    Valence Howden, Principal Research Director, CIO Practice

    Info-Tech Research Group

    Valence helps organizations be successful through optimizing how they govern, design, and execute strategies, and how they drive service excellence in all work. With 30 years of IT experience in the public and private sectors, he has developed experience in many information management and technology domains, with focus in service management, enterprise and IT governance, development and execution of strategy, risk management, metrics design and process design, and implementation and improvement.

    Photo of Graham Price

    Graham Price, Research Director, CIO Practice

    Info-Tech Research Group

    Graham has an extensive background in IT service management across various industries with over 25 years of experience. He was a principal consultant for 17 years, partnering with Fortune 500 clients throughout North America, leveraging and integrating industry best practices in IT service management, service catalog, business relationship management, IT strategy, governance, and Lean IT and Agile.

    Photo of Sharon Foltz

    Sharon Foltz, Senior Workshop Director

    Info-Tech Research Group

    Sharon is a Senior Workshop Director at Info-Tech Research Group. She focuses on bringing high value to members via leveraging Info-Tech’s blueprints and other resources enhanced with her breadth and depth of skills and expertise. Sharon has spent over 15 years in various IT roles in leading companies within the United States. She has strong experience in organizational change management, program and project management, service management, product management, team leadership, strategic planning, and CRM across various global organizations.

    Related Info-Tech Research

    Build a Roadmap for Service Management Agility

    Extend the Service Desk to the Enterprise

    Bibliography

    • “CIOs Emerge as Disruptive Innovators.” CSC Global CIO Survey: 2014-2015. Web.
    • “Digital Transformation: How Is Your Organization Adapting?” CIO.com, 2018. Web.
    • Goran, Julie, Laura LaBerge, and Ramesh Srinivasan. “Culture for a digital age.” McKinsey, July 2017. Web.
    • The Qualities of Leadership: Leading Change. Cornelius & Associates, 14 April 2012.
    • Wilkinson, Paul. “Culture, Ethics, and Behavior – Why Are We Still Struggling?” ITSM Tools, 5 July 2018. Web.

    Position IT to Support and Be a Leader in Open Data Initiatives

    • Buy Link or Shortcode: {j2store}326|cart{/j2store}
    • member rating overall impact (scale of 10): 10.0/10 Overall Impact
    • member rating average dollars saved: After each Info-Tech experience, we ask our members to quantify the real-time savings, monetary impact, and project improvements our research helped them achieve.
    • member rating average days saved: Read what our members are saying
    • Parent Category Name: Innovation
    • Parent Category Link: /innovation
    • Open data programs are often seen as unimportant or not worth taking up space in the budget in local government.
    • Open data programs are typically owned by a single open data evangelist who works on it as a side-of-desk project.
    • Having a single resource spend a portion of their time on open data doesn’t allow the open data program to mature to the point that local governments are realizing benefits from it.
    • It is difficult to gain buy-in for open data as it is hard to track the benefits of an open data program.

    Our Advice

    Critical Insight

    • Local government can help push the world towards being more open, unlocking economic benefits for the wider economy.
    • Cities don’t know the solutions to all of their problems often they don’t know all of the problems they have. Release data as a platform to crowdsource solutions and engage your community.
    • Build your open data policies in collaboration with the community. It’s their data, let them shape the way it’s used!

    Impact and Result

    • Level-set expectations for your open data program. Every local government is different in terms of the benefits they can achieve with open data; ensure the business understands what is realistic to achieve.
    • Create a team of open data champions from departments outside of IT. Identify potential champions for the team and use this group to help gain greater business buy-in and gather feedback on the program’s direction.
    • Follow the open data maturity model in order to assess your current state, identify a target state, and assess capability gaps that need to be improved upon.
    • Use industry best practices to develop an open data policy and processes to help improve maturity of the open data program and reach your desired target state.
    • Identify metrics that you can use to track, and communicate the success of, the open data program.

    Position IT to Support and Be a Leader in Open Data Initiatives Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should develop your open data program, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Set the foundation for the success of your open data program

    Identify your open data program's current state maturity, and gain buy-in from the business for the program.

    • Position IT to Support and Be a Leader in Open Data Initiatives – Phase 1: Set the Foundation for the Success of Your Open Data Program
    • Open Data Maturity Assessment
    • Open Data Program – IT Stakeholder Powermap Template
    • Open Data in Our City Stakeholder Presentation Template

    2. Grow the maturity of your open data program

    Identify a target state maturity and reach it through building a policy and processes and the use of metrics.

    • Position IT to Support and Be a Leader in Open Data Initiatives – Phase 2: Grow the Maturity of Your Open Data Program
    • Open Data Policy Template
    • Open Data Process Template
    • Open Data Process Descriptions Template
    • Open Data Process Visio Templates (Visio)
    • Open Data Process Visio Templates (PDF)
    • Open Data Metrics Template
    [infographic]

    Workshop: Position IT to Support and Be a Leader in Open Data Initiatives

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Define Business Drivers for Open Data Program

    The Purpose

    Ensure that the open data program is being driven out from the business in order to gain business support.

    Key Benefits Achieved

    Identify drivers for the open data program that are coming directly from the business.

    Activities

    1.1 Understand constraints for the open data program.

    1.2 Conduct interviews with the business to gain input on business drivers and level-set expectations.

    1.3 Develop list of business drivers for open data.

    Outputs

    Defined list of business drivers for the open data program

    2 Assess Current State and Define Target State of the Open Data Program

    The Purpose

    Understand the gaps between where your program currently is and where you want it to be.

    Key Benefits Achieved

    Identify top processes for improvement in order to bring the open data program to the desired target state maturity.

    Activities

    2.1 Perform current state maturity assessment.

    2.2 Define desired target state with business input.

    2.3 Highlight gaps between current and target state.

    Outputs

    Defined current state maturity

    Identified target state maturity

    List of top processes to improve in order to reach target state maturity

    3 Develop an Open Data Policy

    The Purpose

    Develop a draft open data policy that will give you a starting point when building your policy with the community.

    Key Benefits Achieved

    A draft open data policy will be developed that is based on best-practice standards.

    Activities

    3.1 Define the purpose of the open data policy.

    3.2 Establish principles for the open data program.

    3.3 Develop a rough governance outline.

    3.4 Create a draft open data policy document based on industry best-practice examples.

    Outputs

    Initial draft of open data policy

    4 Develop Open Processes and Identify Metrics

    The Purpose

    Build open data processes and identify metrics for the program in order to track benefits realization.

    Key Benefits Achieved

    Formalize processes to set in place to improve the maturity of the open data program.

    Identify metrics that can track the success of the open data program.

    Activities

    4.1 Develop the roles that will make up the open data program.

    4.2 Create processes for new dataset requests, updates of existing datasets, and the retiring of datasets.

    4.3 Identify metrics that will be used for measuring the success of the open data program.

    Outputs

    Initial draft of open data processes

    Established metrics for the open data program

    Select and Use SDLC Metrics Effectively

    • Buy Link or Shortcode: {j2store}150|cart{/j2store}
    • member rating overall impact (scale of 10): 9.4/10 Overall Impact
    • member rating average dollars saved: $2,991 Average $ Saved
    • member rating average days saved: 32 Average Days Saved
    • Parent Category Name: Development
    • Parent Category Link: /development
    • Your organization wants to implement (or revamp existing) software delivery metrics to monitor performance as well as achieve its goals.
    • You know that metrics can be a powerful tool for managing team behavior.
    • You also know that all metrics are prone to misuse and mismanagement, which can lead to unintended consequences that will harm your organization.
    • You need an approach for selecting and using effective software development lifecycle (SDLC) metrics that will help your organization to achieve its goals while minimizing the risk of unintended consequences.

    Our Advice

    Critical Insight

    • Metrics are powerful, dangerous, and often mismanaged, particularly when they are tied to reward or punishment. To use SDLC metrics effectively, know the dangers, understand good practices, and then follow Info-Tech‘s TAG (team-oriented, adaptive, and goal-focused) approach to minimize risk and maximize impact.

    Impact and Result

    • Begin by understanding the risks of metrics.
    • Then understand good practices associated with metrics use.
    • Lastly, follow Info-Tech’s TAG approach to select and use SDLC metrics effectively.

    Select and Use SDLC Metrics Effectively Research & Tools

    Start here – read the Executive Brief

    Understand both the dangers and good practices related to metrics, along with Info-Tech’s TAG approach to the selection and use of SDLC metrics.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Understand the dangers of metrics

    Explore the significant risks associated with metrics selection so that you can avoid them.

    • Select and Use SDLC Metrics Effectively – Phase 1: Understand the Risks of Metrics

    2. Know good practices related to metrics

    Learn about good practices related to metrics and how to apply them in your organization, then identify your team’s business-aligned goals to be used in SDLC metric selection.

    • Select and Use SDLC Metrics Effectively – Phase 2: Know Good Practices Related to Metrics
    • SDLC Metrics Evaluation and Selection Tool

    3. Rank and select effective SDLC metrics for your team

    Follow Info-Tech’s TAG approach to selecting effective SDLC metrics for your team, create a communication deck to inform your organization about your selected SDLC metrics, and plan to review and revise these metrics over time.

    • Select and Use SDLC Metrics Effectively – Phase 3: Rank and Select Effective SDLC Metrics for Your Team
    • SDLC Metrics Rollout and Communication Deck
    [infographic]

    Workshop: Select and Use SDLC Metrics Effectively

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Understand the Dangers of Metrics

    The Purpose

    Learn that metrics are often misused and mismanaged.

    Understand the four risk areas associated with metrics: Productivity loss Gaming behavior Ambivalence Unintended consequences

    Productivity loss

    Gaming behavior

    Ambivalence

    Unintended consequences

    Key Benefits Achieved

    An appreciation of the dangers associated with metrics.

    An understanding of the need to select and manage SDLC metrics carefully to avoid the associated risks.

    Development of critical thinking skills related to metric selection and use.

    Activities

    1.1 Examine the dangers associated with metric use.

    1.2 Share real-life examples of poor metrics and their impact.

    1.3 Practice identifying and mitigating metrics-related risk.

    Outputs

    Establish understanding and appreciation of metrics-related risks.

    Solidify understanding of metrics-related risks and their impact on an organization.

    Develop the skills needed to critically analyze a potential metric and reduce associated risk.

    2 Understand Good Practices Related to Metrics

    The Purpose

    Develop an understanding of good practices related to metric selection and use.

    Introduce Info-Tech’s TAG approach to metric selection and use.

    Identify your team’s business-aligned goals for SDLC metrics.

    Key Benefits Achieved

    Understanding of good practices for metric selection and use.

    Document your team’s prioritized business-aligned goals.

    Activities

    2.1 Examine good practices and introduce Info-Tech’s TAG approach.

    2.2 Identify and prioritize your team’s business-aligned goals.

    Outputs

    Understanding of Info-Tech’s TAG approach.

    Prioritized team goals (aligned to the business) that will inform your SDLC metric selection.

    3 Rank and Select Your SDLC Metrics

    The Purpose

    Apply Info-Tech’s TAG approach to rank and select your team’s SDLC metrics.

    Key Benefits Achieved

    Identification of potential SDLC metrics for use by your team.

    Collaborative scoring/ranking of potential SDLC metrics based on their specific pros and cons.

    Finalize list of SDLC metrics that will support goals and minimize risk while maximizing impact.

    Activities

    3.1 Select your list of potential SDLC metrics.

    3.2 Score each potential metric’s pros and cons against objectives using a five-point scale.

    3.3 Collaboratively select your team’s first set of SDLC metrics.

    Outputs

    A list of potential SDLC metrics to be scored.

    A ranked list of potential SDLC metrics.

    Your team’s first set of goal-aligned SDLC metrics.

    4 Create a Communication and Rollout Plan

    The Purpose

    Develop a rollout plan for your SDLC metrics.

    Develop a communication plan.

    Key Benefits Achieved

    SDLC metrics.

    A plan to review and adjust your SDLC metrics periodically in the future.

    Communication material to be shared with the organization.

    Activities

    4.1 Identify rollout dates and responsible individuals for each SDLC metric.

    4.2 Identify your next SDLC metric review cycle.

    4.3 Create a communication deck.

    Outputs

    SDLC metrics rollout plan

    SDLC metrics review plan

    SDLC metrics communication deck

    Measure and Manage Customer Satisfaction Metrics That Matter the Most

    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Marketing Solutions
    • Parent Category Link: /marketing-solutions
    • Lack of understanding of what is truly driving customer satisfaction or dissatisfaction.
    • Lack of insight into who our satisfied and dissatisfied customers are.
    • Lack of a system for early detection of declines in satisfaction.
    • Lack of clarity on what to improve and how resources should be allocated.

    Our Advice

    Critical Insight

    • All software companies measure satisfaction in some way, but many lack understanding of what’s truly driving customers to stay or leave. By understanding the true drivers of satisfaction, solution providers can measure and monitor satisfaction more effectively, pull actionable insights and feedback, and make changes to products and services that customers really care about and will keep them coming back to you to have their needs met.
    • Obstacles:
      • Use of metrics that don’t provide the insight needed to make impactful changes that will boost satisfaction and ultimately, retention and profit.
      • Lack of a clear definition of what satisfaction means to customers, metric definitions and/or standard methods of measurement, and a consistent monitoring cadence.

    Impact and Result

    • Understanding of who your satisfied and dissatisfied customers are.
    • Understanding of the true drivers of satisfaction and dissatisfaction among your customer segments.
    • Establishment of a repeatable process and cadence for effective satisfaction measurement and monitoring.
    • Development of an executable customer satisfaction improvement plan that identifies customer journey pain points and areas of dissatisfaction, and outlines how to improve them.
    • Knowledge of where money, time, and other resources are needed most to improve satisfaction levels and ultimately increase retention.

    Measure and Manage Customer Satisfaction Metrics That Matter the Most Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Measure and Manage the Customer Satisfaction Metrics that Matter the Most Deck – An overview of how to understand what drives customer satisfaction and how to measure and manage it for improved business outcomes.

    Understand the true drivers of customer satisfaction and build a process for managing and improving customer satisfaction.

    [infographic]

    Further reading

    Measure and Manage the Customer Satisfaction Metrics that Matter the Most

    Understand what truly keeps your customer satisfied. Start to measure what matters to improve customer experience and increase satisfaction and advocacy. 

    EXECUTIVE BRIEF

    Analyst perspective

    Understanding and measuring the true drivers of satisfaction enable the delivery of real customer value

    The image contains a picture of Emily Wright.

    “Healthy customer relationships are the paramount to long-term growth. When customers are satisfied, they remain loyal, spend more, and promote your company to others in their network. The key to high satisfaction is understanding and measuring the true drivers of satisfaction to enable the delivery of real customer value.

    Most companies believe they know who their satisfied customers are and what keeps them satisfied, and 76% of B2B buyers expect that providers understand their unique needs (Salesforce Research, 2020). However, on average B2B companies have customer experience scores of less than 50% (McKinsey, 2016). This disconnect between customer expectations and provider experience indicates that businesses are not effectively measuring and monitoring satisfaction and therefore are not making meaningful enhancements to their service, offerings, and overall experience.

    By focusing on the underlying drivers of customer satisfaction, organizations develop a truly accurate picture of what is driving deep satisfaction and loyalty, ensuring that their company will achieve sustainable growth and stay competitive in a highly competitive market.”

    Emily Wright

    Senior Research Analyst, Advisory

    SoftwareReviews

    Executive summary

    Your Challenge

    Common Obstacles

    SoftwareReviews’ Approach

    Getting a truly accurate picture of satisfaction levels among customers, and where to focus efforts to improve satisfaction, is challenging. Providers often find themselves reacting to customer challenges and being blindsided when customers leave. More effective customer satisfaction measurement is possible when providers self-assess for the following challenges:

    • Lack of understanding of what is truly driving customer satisfaction or dissatisfaction.
    • Lack of insight into who our satisfied and dissatisfied customers are.
    • Lack of a system for early detection of declines in satisfaction.
    • Lack of clarity of what needs to be improved and how resources should be allocated.
    • Lack of reliable internal data for effective customer satisfaction monitoring.

    What separates customer success leaders from developing a full view of their customers are several nagging obstacles:

    • Use of metrics that don’t provide the insight needed to make impactful changes that will boost satisfaction and ultimately, retention and profit.
    • Friction from customers participating in customer satisfaction studies.
    • Lack of data, or integrated databases from which to track, pull, and analyze customer satisfaction data.
    • Lack a clear definition of what satisfaction means to customers, metric definitions, and/or standard methods of measurement and a consistent monitoring cadence.
    • Lack of time, resources, or technology to uncover and effectively measure and monitor satisfaction drivers.

    Through the SoftwareReviews’ approach, customer success leaders will:

    • Understand who your satisfied and dissatisfied customers are.
    • Understand the true drivers of satisfaction and dissatisfaction among your customer segments.
    • Establish a repeatable process and cadence for effective satisfaction measurement and monitoring.
    • Develop an executable customer satisfaction improvement plan that identifies customer journey pain points and areas of dissatisfaction, and outlines how to improve them.
    • Know where money, time, and resources are needed most to improve satisfaction levels and ultimately retention.

    Overarching SoftwareReviews Advisory Insight:

    All companies measure satisfaction in some way, but many lack understanding of what’s truly driving customers to stay or leave. By understanding the true drivers of satisfaction, solution providers can measure and monitor satisfaction more effectively, pull actionable insights and feedback, and make changes to products and services that customers really care about. This will keep them coming back to you to have their needs met.

    Healthy Customer Relationships are vital for long-term success and growth

    Measuring customer satisfaction is critical to understanding the overall health of your customer relationships and driving growth.

    Through effective customer satisfaction measurement, organizations can:

    Improve Customer Experience

    Increase Retention and CLV

    Increase Profitability

    Reduce Costs

    • Provide insight into where and how to improve.
    • Enhance experience, increase loyalty.
    • By providing strong CX, organizations can increase revenue by 10-15% (McKinsey, 2014).
    • Far easier to retain existing customers than to acquire new ones.
    • Ensuring high satisfaction among customers increases Customer Lifetime Value (CLV) through longer tenure and higher spending.
    • NPS Promoter score has a customer lifetime value that's 600%-1,400% higher than a Detractor (Bain & Company, 2015).
    • Highly satisfied customers spend more through expansions and add-ons, as well as through their long tenure with your company.
    • They also spread positive word of mouth, which brings in new customers.
    • “Studies demonstrate a strong correlation between customer satisfaction and increased profits — with companies with high customer satisfaction reporting 5.7 times more revenue than competitors.” (Matthew Loper, CEO and Co-Founder of WELLTH, 2022)
    • Measuring, monitoring, and maintaining high satisfaction levels reduces costs across the board.
    • “Providing a high-quality customer experience can save up to 33% of customer service costs” (Deloitte, 2018).
    • Satisfied customers are more likely to spread positive word of mouth which reduces acquisition / marketing costs for your company.

    “Measuring customer satisfaction is vital for growth in any organization; it provides insights into what works and offers opportunities for optimization. Customer satisfaction is essential for improving loyalty rate, reducing costs and retaining your customers.”

    -Ken Brisco, NICE, 2019

    Poor customer satisfaction measurement is costly

    Virtually all companies measure customer satisfaction, but few truly do it well. All too often, customer satisfaction measurement consists of a set of vanity metrics that do not result in actionable insight for product/service improvement. Improper measurement can result in numerous consequences:

    Direct and Indirect Costs

    Being unaware of true drivers of satisfaction that are never remedied costs your business directly through customer churn, service costs, etc.

    Tarnished Brand

    Tarnished brand through not resolving issues drives dissatisfaction; dissatisfied customers share their negative experiences, which can damage brand image and reputation.

    Waste Limited Resources

    Putting limited resources towards vanity programs and/or fixes that have little to no bearing on core satisfaction drivers wastes time and money.

    “When customer dissatisfaction goes unnoticed, it can slowly kill a company. Because of the intangible nature of customer dissatisfaction, managers regularly underestimate the magnitude of customer dissatisfaction and its impact on the bottom line.”

    - Lakshmiu Tatikonda, “The Hidden Costs of Customer Dissatisfaction”, 2013

    SoftwareReviews Advisory Insight:

    Most companies struggle to understand what’s truly driving customers to stay or leave. By understanding the true satisfaction drivers, tech providers can measure and monitor satisfaction more effectively, avoiding the numerous harmful consequences that result from average customer satisfaction measurement.

    Does your customer satisfaction measurement process need improvement?

    Getting an accurate picture of customer satisfaction is no easy task. Struggling with any of the following means you are ready for a detailed review of your customer satisfaction measurement efforts:

    • Not knowing who your most satisfied customers are.
    • Lacking early detection for declining satisfaction – either reactive, or unaware of dissatisfaction as it’s occurring.
    • Lacking a process for monitoring changes in satisfaction and lack ability to be proactive; you feel blindsided when customers leave.
    • Inability to fix the problem and wasting money on the wrong areas, like vanity metrics that don’t bring value to customers.
    • Spending money and other resources towards fixes based on a gut feeling, without quantifying the real root cause drivers and investing in their improvement.
    • Having metrics and data but lacking context; don’t know what contributed to the metrics/results, why people are dissatisfied or what contributes to satisfaction.
    • Lacking clear definition of what satisfaction means to customers / customer segments.
    • Difficulty tying satisfaction back to financial results.

    Customers are more satisfied with software vendors who understand the difference between surface level and short-term satisfaction, and deep or long-term satisfaction

    Surface-level satisfaction

    Surface-level satisfaction has immediate effects, but they are usually short-term or limited to certain groups of users. There are several factors that contribute to satisfaction including:

    • Novelty of new software
    • Ease of implementation
    • Financial savings
    • Breadth of features

    Software Leaders Drive Deep Satisfaction

    Deep satisfaction has long-term and meaningful impacts on the way that organizations work. Deep satisfaction has staying power and increases or maintains satisfaction over time, by reducing complexity and delivering exceptional quality for end-users and IT alike. This report found that the following capabilities provided the deepest levels of satisfaction:

    • Usability and intuitiveness
    • Quality of features
    • Ease of customization
    • Vendor-specific capabilities

    The above solve issues that are part of everyday problems, and each drives satisfaction in deep and meaningful ways. While surface-level satisfaction is important, deep and impactful capabilities can sustain satisfaction for a longer time.

    Deep Customer Satisfaction Among Software Buyers Correlates Highly to “Emotional Attributes”

    Vendor Capabilities and Product Features remain significant but are not the primary drivers

    The image contains a graph to demonstrate a correlation to Satisfaction, all Software Categories.
    Source: SoftwareReviews buyer reviews (based on 82,560 unique reviews).

    Driving deep satisfaction among software customers vs. surface-level measures is key

    Vendor capabilities and product features correlate significantly to buyer satisfaction

    Yet, it’s the emotional attributes – what we call the “Emotional Footprint”, that correlate more strongly

    Business-Value Created and Emotional Attributes are what drives software customer satisfaction the most

    The image contains a screenshot of a graph to demonstrate Software Buyer Satisfaction Drivers and Emotional Attributes are what drives software customer satisfaction.

    Software companies looking to improve customer satisfaction will focus on business value created and the Emotional Footprint attributes outlined here.

    The essential ingredient is understanding how each is defined by your customers.

    Leaders focus on driving improvements as described by customers.

    SoftwareReviews Insight:

    These true drivers of satisfaction should be considered in your customer satisfaction measurement and monitoring efforts. The experience customers have with your product and brand is what will differentiate your brand from competitors, and ultimately, power business growth. Talk to a SoftwareReviews Advisor to learn how users rate your product on these satisfaction drivers in the SoftwareReviews Emotional Footprint Report.

    Benefits of Effective Customer Satisfaction Measurement

    Our research provides Customer Success leaders with the following key benefits:

    • Ability to know who is satisfied, dissatisfied, and why.
    • Confidence in how to understand or uncover the factors behind customer satisfaction; understand and identify factors driving satisfaction, dissatisfaction.
    • Ability to develop a clear plan for improving customer satisfaction.
    • Knowledge of how to establish a repeatable process for customer satisfaction measurement and monitoring that allows for proactivity when declines in satisfaction are detected.
    • Understanding of what metrics to use, how to measure them, and where to find the right information/data.
    • Knowledge of where money, time, and other resources are needed most to drive tangible customer value.

    “81% of organizations cite CX as a competitive differentiator. The top factor driving digital transformation is improving CX […] with companies reporting benefits associated with improving CX including:

    • Increased customer loyalty (92%)
    • An uplift in revenue (84%)
    • Cost savings (79%).”

    – Dan Cote, “Advocacy Blooms and Business Booms When Customers and Employees Engage”, Influitive, 2021

    The image contains a screenshot of a thought model that focuses on Measure & Manage the Customer Satisfaction Metrics That Matter the Most.

    Who benefits from improving the measurement and monitoring of customer satisfaction?

    This Research Is Designed for:

    • Customer Success leaders and marketers who are:
      • Responsible for understanding how to benchmark, measure, and understand customer satisfaction to improve satisfaction, NPS, and ROI.
      • Looking to take a more proactive and structured approach to customer satisfaction measurement and monitoring.
      • Looking for a more effective and accurate way to measure and understand how to improve customer satisfaction around products and services.

    This Research Will Help You:

    • Understand the factors driving satisfaction and dissatisfaction.
    • Know which customers are satisfied/dissatisfied.
    • Know where time, money, and resources are needed the most in order to improve or maintain satisfaction levels.
    • Develop a formal plan to improve customer satisfaction.
    • Establish a repeatable process for customer satisfaction measurement and monitoring that allows for proactivity when declines in satisfaction are detected.

    This Research Will Also Assist:

    • Customer Success Leaders, Marketing and Sales Directors and Managers, Product Marketing Managers, and Advocacy Managers/Coordinators who are responsible for:
      • Product improvements and enhancements
      • Customer service and onboarding
      • Customer advocacy programs
      • Referral/VoC programs

    This Research Will Help Them:

    • Coordinate and align on customer experience efforts and actions.
    • Gather and make use of customer feedback to improve products, solutions, and services provided.
    • Provide an amazing customer experience throughout the entirety of the customer journey.

    SoftwareReviews’ methodology for measuring the customer satisfaction metrics that matter the most

    1. Identify true customer satisfaction drivers

    2. Develop metrics dashboard

    3. Develop customer satisfaction measurement and management plan

    Phase Steps

    1. Identify data sources, documenting any gaps in data
    2. Analyze all relevant data on customer experiences and outcomes
    3. Document top satisfaction drivers
    1. Identify business goals, problems to be solved / define business challenges and marketing/customer success goals
    2. Use SR diagnostic to assess current state of satisfaction measurement, assessing metric alignment to satisfaction drivers
    3. Define your metrics dashboard
    4. Develop common metric definitions, language for discussing, and standards for measuring customer satisfaction
    1. Determine committee structure to measure performance metrics over time
    2. Map out gaps in satisfaction along customer journey/common points in journey where customers are least dissatisfied
    3. Build plan that identifies weak areas and shows how to fix using SR’s emotional footprint, other measures
    4. Create plan and roadmap for CSat improvement
    5. Create communication deck

    Phase Outcomes

    1. Documented satisfaction drivers
    2. Documented data sources and gaps in data
    1. Current state customer satisfaction measurement analysis
    2. Common metric definitions and measurement standards
    3. Metrics dashboard
    1. Customer satisfaction measurement plan
    2. Customer satisfaction improvement plan
    3. Customer journey maps
    4. Customer satisfaction improvement communication deck
    5. Customer Satisfaction Committee created

    Insight summary

    Understanding and measuring the true drivers of satisfaction enable the delivery of real customer value

    All software companies measure satisfaction in some way, but many lack understanding of what’s truly driving customers to stay or leave. By understanding the true drivers of satisfaction, solution providers can measure and monitor satisfaction more effectively, pull actionable insights and feedback, and make changes to products and services that customers really care about and which will keep them coming back to you to have their needs met.

    Positive experiences drive satisfaction more so than features and cost

    According to our analysis of software buyer reviews data*, the biggest drivers of satisfaction and likeliness to recommend are the positive experiences customers have with vendors and their products. Customers want to feel that:

    1. Their productivity and performance is enhanced, and the vendor is helping them innovate and grow as a company.
    2. Their vendor inspires them and helps them to continually improve.
    3. They can rely on the vendor and the product they purchased.
    4. They are respected by the vendor.
    5. They can trust that the vendor will be on their side and save them time.
    *8 million data points across all software categories

    Measure Key Relationship KPIs to gauge satisfaction

    Key metrics to track include the Business Value Created score, Net Emotional Footprint, and the Love/Hate score (the strength of emotional connection).

    Orient the organization around customer experience excellence

    1. Arrange staff incentives around customer value instead of metrics that are unrelated to satisfaction.
    2. Embed customer experience as a core company value and integrate it into all functions.
    3. Make working with your organization easy and seamless for customers.

    Have a designated committee for customer satisfaction measurement

    Best in class organizations create customer satisfaction committees that meet regularly to measure and monitor customer satisfaction, resolve issues quickly, and work towards improved customer experience and profit outcomes.

    Use metrics that align to top satisfaction drivers

    This will give you a more accurate and fulsome view of customer satisfaction than standard satisfaction metrics alone will.

    Guided Implementation

    What is our GI on measuring and managing the customer satisfaction metrics that matter most?

    Identify True Customer Satisfaction Drivers

    Develop Metrics Dashboard Develop Customer Satisfaction Measurement and Management Plan

    Call #1: Discuss current pain points and barriers to successful customer satisfaction measurement, monitoring and maintenance. Plan next call – 1 week.

    Call #2: Discuss all available data, noting any gaps. Develop plan to fill gaps, discuss feasibility and timelines. Plan next call – 1 week.

    Call #3: Walk through SoftwareReviews reports to understand EF and satisfaction drivers. Plan next call – 3 days.

    Call #4: Segment customers and document key satisfaction drivers. Plan next call – 2 week.

    Call #5: Document business goals and align them to metrics. Plan next call – 1 week.

    Call #6: Complete the SoftwareReviews satisfaction measurement diagnostic. Plan next call – 3 days.

    Call #7: Score list of metrics that align to satisfaction drivers. Plan next call – 2 days.

    Call #8: Develop metrics dashboard and definitions. Plan next call – 2 weeks.

    Call #9: Finalize metrics dashboard and definitions. Plan next call – 1 week.

    Call #10: Discuss committee and determine governance. Plan next call – 2 weeks.

    Call #11: Map out gaps in satisfaction along customer journey as they relate to top satisfaction drivers. Plan next call –2 weeks.

    Call #12: Develop plan and roadmap for satisfaction improvement. Plan next call – 1 week.

    Call #13: Finalize plan and roadmap. Plan next call – 1 week.

    Call # 14: Review and coach on communication deck.

    A Guided Implementation (GI) is series of calls with a SoftwareReviews Advisory analyst to help implement our best practices in your organization.

    For guidance on marketing applications, we can arrange a discussion with an Info-Tech analyst.

    Your engagement managers will work with you to schedule analyst calls.

    Software Reviews offers various levels of support to best suit your needs

    DIY Toolkit

    Guided Implementation

    Workshop

    Consulting

    “Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.” “Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.” “We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.” “Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”
    Included within Advisory Membership Optional add-ons

    Bibliography

    “Are you experienced?” Bain & Company, Apr. 2015. Accessed 6 June. 2022.

    Brisco, Ken. “Measuring Customer Satisfaction and Why It’s So Important.” NICE, Feb. 2019. Accessed 6 June. 2022.

    CMO.com Team. “The Customer Experience Management Mandate.” Adobe Experience Cloud Blog, July 2019. Accessed 14 June. 2022.

    Cote, Dan. “Advocacy Blooms and Business Booms When Customers and Employees Engage.” Influitive, Dec. 2021. Accessed 15 June. 2022.

    Fanderl, Harald and Perrey, Jesko. “Best of both worlds: Customer experience for more revenues and lower costs.” McKinsey & Company, Apr. 2014. Accessed 15 June. 2022.

    Gallemard, Jeremy. “Why – And How – Should Customer Satisfaction Be Measured?” Smart Tribune, Feb. 2020. Accessed 6 June. 2022.

    Kumar, Swagata. “Customer Success Statistics in 2021.” Customer Success Box, 2021. Accessed 17 June. 2022.

    Lakshmiu Tatikonda, “The Hidden Costs of Customer Dissatisfaction”, Management Accounting Quarterly, vol. 14, no. 3, 2013, pp 38. Accessed 17 June. 2022.

    Loper, Matthew. “Why ‘Customer Satisfaction’ Misses the Mark – And What to Measure Instead.” Newsweek, Jan. 2022. Accessed 16 June. 2022.

    Maechler, Nicolas, et al. “Improving the business-to-business customer experience.” McKinsey & Company, Mar. 2016. Accessed 16 June.

    “New Research from Dimension Data Reveals Uncomfortable CX Truths.” CISION PR Newswire, Apr. 2017. Accessed 7 June. 2022.

    Sheth, Rohan. 75 Must-Know Customer Experience Statistics to move Your Business Forward in 2022.” SmartKarrot, Feb. 2022. Accessed 17 June. 2022.

    Smith, Mercer. “111 Customer Service Statistics and Facts You Shouldn’t Ignore.” HelpScout, May 2022. Accessed 17 June. 2022.

    “State of the Connected Customer.” Salesforce, 2020. Accessed 14 June. 2022

    “The true value of customer experiences.” Deloitte, 2018. Accessed 15 June. 2022.

    Develop and Implement a Security Incident Management Program

    • Buy Link or Shortcode: {j2store}316|cart{/j2store}
    • member rating overall impact (scale of 10): 9.2/10 Overall Impact
    • member rating average dollars saved: $105,346 Average $ Saved
    • member rating average days saved: 39 Average Days Saved
    • Parent Category Name: Threat Intelligence & Incident Response
    • Parent Category Link: /threat-intelligence-incident-response
    • Tracked incidents are often classified into ready-made responses that are not necessarily applicable to the organization. With so many classifications, tracking becomes inefficient and indigestible, allowing major incidents to fall through the cracks.
    • Outcomes of incident response tactics are not formally tracked or communicated, resulting in a lack of comprehensive understanding of trends and patterns regarding incidents, leading to being re-victimized by the same vector.
    • Having a formal incident response document to meet compliance requirements is not useful if no one is adhering to it.

    Our Advice

    Critical Insight

    • You will experience incidents. Don’t rely on ready-made responses. They’re too broad and easy to ignore. Save your organization response time and confusion by developing your own specific incident use cases.
    • Analyze, track, and review results of incident response regularly. Without a comprehensive understanding of incident trends and patterns, you can be re-victimized by the same attack vector.
    • Establish communication processes and channels well in advance of a crisis. Don’t wait until a state of panic. Collaborate and exchange information with other organizations to stay ahead of incoming threats.

    Impact and Result

    • Effective and efficient management of incidents involves a formal process of preparation, detection, analysis, containment, eradication, recovery, and post-incident activities.
    • This blueprint will walk through the steps of developing a scalable and systematic incident response program relevant to your organization.

    Develop and Implement a Security Incident Management Program Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should develop and implement a security incident management program, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Prepare

    Equip your organization for incident response with formal documentation of policies and processes.

    • Develop and Implement a Security Incident Management Program – Phase 1: Prepare
    • Security Incident Management Maturity Checklist ‒ Preliminary
    • Information Security Requirements Gathering Tool
    • Incident Response Maturity Assessment Tool
    • Security Incident Management Charter Template
    • Security Incident Management Policy Template
    • Security Incident Management RACI Tool

    2. Operate

    Act with efficiency and effectiveness as new incidents are handled.

    • Develop and Implement a Security Incident Management Program – Phase 2: Operate
    • Security Incident Management Plan
    • Security Incident Runbook Prioritization Tool
    • Security Incident Management Runbook: Credential Compromise
    • Security Incident Management Workflow: Credential Compromise (Visio)
    • Security Incident Management Workflow: Credential Compromise (PDF)
    • Security Incident Management Runbook: Distributed Denial of Service
    • Security Incident Management Workflow: Distributed Denial of Service (Visio)
    • Security Incident Management Workflow: Distributed Denial of Service (PDF)
    • Security Incident Management Runbook: Malware
    • Security Incident Management Workflow: Malware (Visio)
    • Security Incident Management Workflow: Malware (PDF)
    • Security Incident Management Runbook: Malicious Email
    • Security Incident Management Workflow: Malicious Email (Visio)
    • Security Incident Management Workflow: Malicious Email (PDF)
    • Security Incident Management Runbook: Ransomware
    • Security Incident Management Workflow: Ransomware (Visio)
    • Security Incident Management Workflow: Ransomware (PDF)
    • Security Incident Management Runbook: Data Breach
    • Security Incident Management Workflow: Data Breach (Visio)
    • Security Incident Management Workflow: Data Breach (PDF)
    • Data Breach Reporting Requirements Summary
    • Security Incident Management Runbook: Third-Party Incident
    • Security Incident Management Workflow: Third-Party Incident (Visio)
    • Security Incident Management Workflow: Third-Party Incident (PDF)
    • Security Incident Management Runbook: Blank Template

    3. Maintain and optimize

    Manage and improve the incident management process by tracking metrics, testing capabilities, and leveraging best practices.

    • Develop and Implement a Security Incident Management Program – Phase 3: Maintain and Optimize
    • Security Incident Metrics Tool
    • Post-Incident Review Questions Tracking Tool
    • Root-Cause Analysis Template
    • Security Incident Report Template
    [infographic]

    Workshop: Develop and Implement a Security Incident Management Program

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Prepare Your Incident Response Program

    The Purpose

    Understand the purpose of incident response.

    Formalize the program.

    Identify key players and escalation points.

    Key Benefits Achieved

    Common understanding of the importance of incident response.

    Various business units becoming aware of their roles in the incident management program.

    Formalized documentation.

    Activities

    1.1 Assess the current process, obligations, scope, and boundaries of the incident management program.

    1.2 Identify key players for the response team and for escalation points.

    1.3 Formalize documentation.

    1.4 Prioritize incidents requiring preparation.

    Outputs

    Understanding of the incident landscape

    An identified incident response team

    A security incident management charter

    A security incident management policy

    A list of top-priority incidents

    A general security incident management plan

    A security incident response RACI chart

    2 Develop Incident-Specific Runbooks

    The Purpose

    Document the clear response procedures for top-priority incidents.

    Key Benefits Achieved

    As incidents occur, clear response procedures are documented for efficient and effective recovery.

    Activities

    2.1 For each top-priority incident, document the workflow from detection through analysis, containment, eradication, recovery, and post-incident analysis.

    Outputs

    Up to five incident-specific runbooks

    3 Maintain and Optimize the Program

    The Purpose

    Ensure the response procedures are realistic and effective.

    Identify key metrics to measure the success of the program.

    Key Benefits Achieved

    Real-time run-through of security incidents to ensure roles and responsibilities are known.

    Understanding of how to measure the success of the program.

    Activities

    3.1 Limited scope tabletop exercise.

    3.2 Discuss key metrics.

    Outputs

    Completed tabletop exercise

    Key success metrics identified

    Further reading

    Develop and Implement a Security Incident Management Program

    Create a scalable incident response program without breaking the bank.

    ANALYST PERSPECTIVE

    Security incidents are going to happen whether you’re prepared or not. Ransomware and data breaches are just a few top-of-mind threats that all organizations deal with. Taking time upfront to formalize response plans can save you significantly more time and effort down the road. When an incident strikes, don’t waste time deciding how to remediate. Rather, proactively identify your response team, optimize your response procedures, and track metrics so you can be prepared to jump to action.

    Céline Gravelines,
    Senior Research Analyst
    Security, Risk & Compliance Info-Tech Research Group

    Picture of Céline Gravelines

    Céline Gravelines,
    Senior Research Analyst
    Security, Risk & Compliance Info-Tech Research Group

    Our understanding of the problem

    This Research is Designed For

    • A CISO who is dealing with the following:
      • Inefficient use of time and money when retroactively responding to incidents, negatively affecting business revenue and workflow.
      • Resistance from management to adequately develop a formal incident response plan.
      • Lack of closure of incidents, resulting in being re-victimized by the same vector.

    This Research Will Help You

    • Develop a consistent, scalable, and usable incident response program that is not resource intensive.
    • Track and communicate incident response in a formal manner.
    • Reduce the overall impact of incidents over time.
    • Learn from past incidents to improve future response processes.

    This Research Will Also Assist

    • Business stakeholders who are responsible for the following:
    • Improving workflow and managing operations in the event of security incidents to reduce any adverse business impacts.
    • Ensuring that incident response compliance requirements are being adhered to.

    This Research Will Help Them

    • Efficiently allocate resources to improve incident response in terms of incident frequency, response time, and cost.
    • Effectively communicate expectations and responsibilities to users.

    Executive Summary

    Situation

    • Security incidents are inevitable, but how they’re dealt with can make or break an organization. Poor incident response negatively affects business practices, including workflow, revenue generation, and public image.
    • The incident response of most organizations is ad hoc at best. A formal management plan is rarely developed or adhered to, resulting in ineffective firefighting responses and inefficient allocation of resources.

    Complication

    • Tracked incidents are often classified into ready-made responses that are not necessarily applicable to the organization. With so many classifications, tracking becomes inefficient and indigestible, allowing major incidents to fall through the cracks.
    • Outcomes of incident response tactics are not formally tracked or communicated, resulting in a lack of comprehensive understanding of trends and patterns regarding incidents, leading to being revictimized by the same vector.
    • Having a formal incident response document to meet compliance requirements is not useful if no one is adhering to it.

    Resolution

    • Effective and efficient management of incidents involves a formal process of preparation, detection, analysis, containment, eradication, recovery, and post-incident activities.
    • This blueprint will walk through the steps of developing a scalable and systematic incident response program relevant to your organization.

    Info-Tech Insight

    • You will experience incidents. Don’t rely on ready-made responses. They’re too broad and easy to ignore. Save your organization response time and confusion by developing your own specific incident use cases.
    • Analyze, track, and review results of incident response regularly. Without a comprehensive understanding of incident trends and patterns, you can be re-victimized by the same attack vector.
    • Establish communication processes and channels well in advance of a crisis. Don’t wait until a state of panic. Collaborate and exchange information with other organizations to stay ahead of incoming threats.

    Data breaches are resulting in major costs across industries

    Per capita cost by industry classification of benchmarked companies (measured in USD)

    This is a bar graph showing the per capita cost by industry classification of benchmarked companies(measured in USD). the companies are, in decreasing order of cost: Health; Financial; Services; Pharmaceutical; Technology; Energy; Education; Industrial; Entertainment; Consumer; Media; Transportation; Hospitality; Retail; Research; Public

    Average data breach costs per compromised record hit an all-time high of $148 (in 2018).
    (Source: IBM, “2018 Cost of Data Breach Study)”

    % of systems impacted by a data breach
    1%
    No Impact
    19%
    1-10% impacted
    41%
    11-30% impacted
    24%
    31-50% impacted
    15%
    > 50% impacted
    % of customers lost from a data breach
    61% Lost
    < 20%
    21% Lost 20-40% 8% Lost
    40-60%
    6% Lost
    60-80%
    4% Lost
    80-100%
    % of customers lost from a data breach
    58% Lost
    <20%
    25% Lost
    20-40%
    9% Lost
    40-60%
    5% Lost
    60-80%
    4% Lost
    80-100%

    Source: Cisco, “Cisco 2017 Annual Cybersecurity Report”

    Defining what is security incident management

    IT Incident

    Any event not a part of the standard operation of a service which causes, or may cause, the interruption to, or a reduction in, the quality of that service.

    Security Event:

    A security event is anything that happens that could potentially have information security implications.

    • A spam email is a security event because it may contain links to malware.
    • Organizations may be hit with thousands or perhaps millions of identifiable security events each day.
    • These are typically handled by automated tools or are simply logged.

    Security Incident:

    A security incident is a security event that results in damage such as lost data.

    • Incidents can also include events that don't involve damage but are viable risks.
    • For example, an employee clicking on a link in a spam email that made it through filters may be viewed as an incident.

    It’s not a matter of if you have a security incident, but when

    The increasing complexity and prevalence of threats have finally caught the attention of corporate leaders. Prepare for the inevitable with an incident response program.

    1. A formalized incident response program reduced the average cost of a data breach (per capita) from $148 to $134, while third-party involvement increased costs by $13.40.
    2. US organizations lost an average of $7.91 million per data breach as a result of increased customer attrition and diminished goodwill. Canada and the UK follow suit at $1.57 and $1.39 million, respectively.
    3. 73% of breaches are perpetrated by outsiders, 50% are the work of criminal groups, and 28% involve internal actors.
    4. 55% of companies have to manage fallout, such as reputational damage after a data breach.
    5. The average cost of a data breach increases by $1 million if left undetected for > 100 days.

    (Sources: IBM, “2018 Cost of Data Breach Study”; Verizon, “2017 Data Breach Investigations Report”; Cisco, “Cisco 2018 Annual Cybersecurity Report”)

    Threat Actor Examples

    The proliferation of hacking techniques and commoditization of hacking tools has enabled more people to become threat actors. Examples include:
    • Organized Crime Groups
    • Lone Cyber Criminals
    • Competitors
    • Nation States
    • Hacktivists
    • Terrorists
    • Former Employees
    • Domestic Intelligence Services
    • Current Employees (malicious and accidental)

    Benefits of an incident management program

    Effective incident management will help you do the following:

    Improve efficacy
    Develop structured processes to increase process consistency across the incident response team and the program as a whole. Expose operational weak points and transition teams from firefighting to innovating.

    Improve threat detection, prevention, analysis, and response
    Enhance your pressure posture through a structured and intelligence-driven incident handling and remediation framework.

    Improve visibility and information sharing
    Promote both internal and external information sharing to enable good decision making.

    Create and clarify accountability and responsibility
    Establish a clear level of accountability throughout the incident response program, and ensure role responsibility for all tasks and processes involved in service delivery.

    Control security costs
    Effective incident management operations will provide visibility into your remediation processes, enabling cost savings from misdiagnosed issues and incident reduction.

    Identify opportunities for continuous improvement
    Increase visibility into current performance levels and accurately identify opportunities for continuous improvement with a holistic measurement program.

    Impact

    Short term:
    • Streamlined security incident management program.
    • Formalized and structured response process.
    • Comprehensive list of operational gaps and initiatives.
    • Detailed response runbooks that predefine necessary operational protocol.
    • Compliance and audit adherence.
    Long term:
    • Reduced incident costs and remediation time.
    • Increased operational collaboration between prevention, detection, analysis, and response efforts.
    • Enhanced security pressure posture.
    • Improved communication with executives about relevant security risks to the business.
    • Preserved reputation and brand equity.

    Incident management is essential for organizations of any size

    Your incidents may differ, but a standard response ensures practical security.

    Certain regulations and laws require incident response to be a mandatory process in organizations.

    Compliance Standard Examples Description
    Federal Information Security Modernization Act (FISMA)
    • Organizations must have “procedures for detecting, reporting, and responding to security incidents” (2002).
    • They must also “inform operators of agency information systems about current and potential information security threats and vulnerabilities.”
    Federal Information Processing Standards (FIPS)
    • “Organizations must: (i) establish an operational incident handling capability for organizational information systems that includes adequate preparation, detection, analysis, containment, recovery, and user response activities.”
    Payment Card Industry Data Security Standard (PCI DSS v3)
    • 12.5.3: “Establish, document, and distribute security incident response and escalation procedures to ensure timely and effective handling of all situations.”
    Health Insurance Portability and Accountability Act (HIPAA)
    • 164.308: Response and Reporting – “Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity; and document security incidents and their outcomes.”

    Security incident management is applicable to all verticals

    Examples:
    • Finance
    • Insurance
    • Healthcare
    • Public administration
    • Education services
    • Professional services
    • Scientific and technical services

    Maintain a holistic security operations program

    Legacy security operations centers (SOCs) fail to address gaps between data sources, network controls, and human capital. There is limited visibility and collaboration between departments, resulting in siloed decisions that do not support the best interests of the organization.

    Security operations is part of what Info-Tech calls a threat collaboration environment, where members must actively collaborate to address cyberthreats affecting the organization’s brand, business operation, and technology infrastructure on a daily basis.

    Prevent: Defense in depth is the best approach to protect against unknown and unpredictable attacks. Diligent patching and vulnerability management, endpoint protection, and strong human-centric security (amongst other tactics) are essential. Detect: There are two types of companies – those who have been breached and know it, and those who have been breached and don’t know it. Ensure that monitoring, logging, and event detection tools are in place and appropriate to your organizational needs.
    Analyze: Raw data without interpretation cannot improve security and is a waste of time, money, and effort. Establish a tiered operational process that not only enriches data but also provides visibility into your threat landscape. Respond: Organizations can’t rely on an ad hoc response anymore – don’t wait until a state of panic. Formalize your response processes in a detailed incident runbook to reduce incident remediation time and effort.

    Info-Tech’s incident response blueprint is one of four security operations initiatives

    Design and Implement a Vulnerability Management Program Vulnerability Management
    Vulnerability management revolves around the identification, prioritization, and remediation of vulnerabilities. Vulnerability management teams hunt to identify which vulnerabilities need patching and remediating.
    • Vulnerability Tracking Tool
    • Vulnerability Scanning Tool RFP Template
    • Penetration Test RFP Template
    • Vulnerability Mitigation Process Template
    Integrate Threat Intelligence Into Your Security Operations Vulnerability Management
    Vulnerability management revolves around the identification, prioritization, and remediation of vulnerabilities. Vulnerability management teams hunt to identify which vulnerabilities need patching and remediating.
    • Threat Intelligence Maturity Assessment Tool
    • Threat Intelligence RACI Tool
    • Threat Intelligence Management Plan Template
    • Threat Intelligence Policy Template
    • Threat Intelligence Alert Template
    • Threat Intelligence Alert and Briefing Cadence Schedule Template
    Develop Foundational Security Operations Processes Operations
    Security operations include the real-time monitoring and analysis of events based on the correlation of internal and external data sources. This also includes incident escalation based on impact. These analysts are constantly tuning and tweaking rules and reporting thresholds to further help identify which indicators are most impactful during the analysis phase of operations.
    • Security Operations Maturity Assessment Tool
    • Security Operations Event Prioritization Tool
    • Security Operations Efficiency Calculator
    • Security Operations Policy
    • In-House vs. Outsourcing Decision-Making Tool
    • Seccrimewareurity Operations RACI Tool
    • Security Operations TCO & ROI Comparison Calculator
    Develop and Implement a Security Incident Management Program Incident Response (IR)
    Effective and efficient management of incidents involves a formal process of analysis, containment, eradication, recovery, and post-incident activities. Incident response teams coordinate root cause and incident gathering while facilitating post-incident lessons learned. Incident response can provide valuable threat data that ties specific indicators to threat actors or campaigns.
    Security Incident Management Policy
    • Security Incident Management Plan
    • Incident Response Maturity Assessment Tool
    • Security Incident Runbook Prioritization Tool
    • Security Incident Management RACI Tool
    • Various Incident Management Runbooks

    Understand how incident response ties into related processes

    Info-Tech Resources:
    Business Continuity Plan Develop a Business Continuity Plan
    Disaster Recovery Plan Create a Right-Sized Disaster Recovery Plan
    Security Incident Management Develop and Implement a Security Incident Management Program
    Incident Management Incident and Problem Management
    Service Desk Standardize the Service Desk

    Develop and Implement a Security Incident Management Program – project overview

    1. Prepare 2. Operate 3. Maintain and Optimize
    Best-Practice Toolkit 1.1 Establish the Drivers, Challenges, and Benefits.

    1.2 Examine the Security Incident Landscape and Trends.

    1.3 Understand Your Security Obligations, Scope, and Boundaries.

    1.4 Gauge Your Current Process to Identify Gaps.

    1.5 Formalize the Security Incident Management Charter.

    1.6 Identify Key Players and Develop a Call Escalation Tree.

    1.7 Develop a Security Incident Management Policy.

    2.1 Understand the Incident Response Framework.

    2.2 Understand the Purpose of Runbooks.

    2.3 Prioritize the Development of Incident-Specific Runbooks.

    2.4 Develop Top-Priority Runbooks.

    2.5 Fill Out the Root-Cause Analysis Template.

    2.6 Customize the Post-Incident Review Questions Tracking Tool to Standardize Useful Questions for Lessons-Learned Meetings.

    2.7 Complete the Security Incident Report Template.

    3.1 Conduct Tabletop Exercises.

    3.2 Initialize a Security Incident Management Metrics Program.

    3.3 Leverage Best Practices for Continuous Improvement.

    Guided Implementations Understand the incident response process, and define your security obligations, scope, and boundaries.

    Formalize the incident management charter, RACI, and incident management policy.
    Use the framework to develop a general incident management plan.

    Prioritize and develop top-priority runbooks.
    Develop and facilitate tabletop exercises.

    Create an incident management metrics program, and assess the success of the incident management program.
    Onsite Workshop Module 1:
    Prepare for Incident Response
    Module 2:
    Handle Incidents
    Module 3:
    Review and Communicate Security Incidents
    Phase 1 Outcome:
  • Formalized stakeholder support
  • Security Incident Management Policy
  • Security Incident Management Charter
  • Call Escalation Tree
  • Phase 2 Outcome:
    • A generalized incident management plan
    • A prioritized list of incidents
    • Detailed runbooks for top-priority incidents
    Phase 3 Outcome:
    • A formalized tracking system for benchmarking security incident metrics.
    • Recommendations for optimizing your security incident management processes.

    Workshop overview

    Contact your account representative or email Workshops@InfoTech.com for more information.

    Workshop Day 1 Workshop Day 2 Workshop Day 3 Workshop Day 4 Workshop Day 5
    Activities
    • Kick off and introductions.
    • High-level overview of weekly activities and outcomes.
    • Understand the benefits of security incident response management.
    • Formalize stakeholder support.
    • Assess your current process, obligations, and scope.
    • Develop RACI chart.
    • Define impact and scope.
    • Identify key players for the threat escalation protocol.
    • Develop a security incident response policy.
    • Develop a general security incident response plan.
    • Prioritize incident-specific runbook development.
    • Understand the incident response process.
    • Develop general and incident-specific call escalation trees.
    • Develop specific runbooks for your top-priority incidents (e.g. ransomware).
      • Detect the incident.
      • Analyze the incident.
      • Contain the incident.
      • Eradicate the root cause.
      • Recover from the incident.
      • Conduct post-incident analysis and communication.
    • Develop specific runbooks for your next top-priority incidents:
      • Detect the incident.
      • Analyze the incident.
      • Contain the incident.
      • Eradicate the root cause.
      • Recover from the incident.
      • Conduct post-incident analysis and communication.
    • Determine key metrics to track and report.
    • Develop post-incident activity documentation.
    • Understand best practices for both internal and external communication.
    • Finalize key deliverables created during the workshop.
    • Present the security incident response program to key stakeholders.
    • Workshop executive presentation and debrief.
    • Finalize main deliverables.
    • Schedule subsequent Analyst Calls.
    • Schedule feedback call.
    Deliverables
    • Security Incident Management Maturity Checklist ‒ Preliminary
    • Security Incident Management RACI Tool
    • Security Incident Management Policy
    • General incident management plan
    • Security Incident Management Runbook
    • Development prioritization
    • Prioritized list of runbooks
    • Understanding of incident handling process
    • Incident-specific runbooks for two incidents (including threat escalation criteria and Visio workflow)
    • Discussion points for review with response team
    • Incident-specific runbooks for two incidents (including threat escalation criteria and Visio workflow)
    • Discussion points for review with response team
    • Security Incident Metrics Tool
    • Post-Incident Review Questions Tracking Tool
    • Post-Incident Report Analysis Template
    • Root Cause Analysis Template
    • Post-Incident Review Questions Tracking Tool
    • Communication plans
    • Workshop summary documentation
  • All final deliverables
  • Measured value for Guided Implementations

    Engaging in GIs doesn’t just offer valuable project advice – it also results in significant cost savings.

    GI Purpose Measured Value
    Section 1: Prepare

    Understand the need for an incident response program.
    Develop your incident response policy and plan.
    Develop classifications around incidents.
    Establish your program implementation roadmap.

    Time, value, and resources saved using our classification guidance and templates: 2 FTEs*2 days*$80,000/year = $1,280
    Time, value, and resources saved using our classification guidance and templates:
    2 FTEs*5 days*$80,000/year = $3,200

    Section 2: Operate

    Prioritize runbooks and develop the processes to create your own incident response program:

  • Detect
  • Analyze
  • Contain
  • Eradicate
  • Recover
  • Post-Incident Activity
  • Time, value, and resources saved using our guidance:
    4 FTEs*10 days*$80,000/year = $12,800 (if done internally)

    Time, value, and resources saved using our guidance:
    1 consultant*15 days*$2,000/day = $30,000 (if done by third party)
    Section 3: Maintain and Optimize Develop methods of proper reporting and create templates for communicating incident response to key parties. Time, value, and resources saved using our guidance, templates, and tabletop exercises:
    2 FTEs*3 days*$80,000/year = $1,920
    Total Costs To just get an incident response program off the ground. $49,200

    Insurance company put incident response aside; executives were unhappy

    Organization implemented ITIL, but formal program design became less of a priority and turned more ad hoc.

    Situation

    • Ad hoc processes created management dissatisfaction around the organization’s ineffective responses to data breaches.
    • Because of the lack of formal process, an entirely new security team needed to be developed, costing people their positions.

    Challenges

    • Lack of criteria to categorize and classify security incidents.
    • Need to overhaul the long-standing but ineffective program means attempting to change mindsets, which can be time consuming.
    • Help desk is not very knowledgeable on security.
    • New incident response program needs to be in alignment with data classification policy and business continuity.
    • Lack of integration with MSSP’s ticketing system.

    Next steps:

    • Need to get stakeholder buy-in for a new program.
    • Begin to establish classification/reporting procedures.

    Follow this case study to Phase 1

    Phase 1

    Prepare

    Develop and Implement a Security Incident Management Program

    Phase 1: Prepare

    PHASE 1 PHASE 2 PHASE 3
    Prepare Operate Optimize

    This phase walks you through the following activities:

    1.1 Establish the drivers, challenges, and benefits.
    1.2 Examine the security incident landscape and trends.
    1.3 Understand your security obligations, scope, and boundaries.
    1.4 Gauge your current process to identify gaps.
    1.5 Formalize a security incident management charter.
    1.6 Identify key players and develop a call escalation tree.
    1.7 Develop a security incident management policy.

    This phase involves the following participants:

    • CISO
    • Security team
    • IT staff
    • Business leaders

    Outcomes of this phase

    • Formalized stakeholder support.
    • Security incident management policy.
    • Security incident management charter.
    • Call escalation tree.

    Phase 1 outline

    Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

    Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

    Guided Implementation 1: Prepare for Incident Response
    Proposed Time to Completion: 3 Weeks
    Step 1.1-1.3 Understand Incident Response Step 1.4-1.7 Begin Developing Your Program
    Start with an analyst kick-off call:
  • Discuss your current incident management status.
  • Review findings with analyst:
  • Review documents.
  • Then complete these activities…
    • Establish your security obligations, scope, and boundaries.
    • Identify the drivers, challenges, and benefits of formalized incident response.
    • Review any existing documentation.
    Then complete these activities…
    • Discuss further incident response requirements.
    • Identify key players for escalation and notifications.
    • Develop the policy.
    • Develop the plan.

    With these tools & templates:
    Security Incident Management Maturity Checklist ‒ Preliminary Information Security Requirements Gathering Tool

    With these tools & templates:
    Security Incident Management Policy
    Security Incident Management Plan
    Phase 1 Results & Insights:

    Ready-made incident response solutions often contain too much coverage: too many irrelevant cases that are not applicable to the organization are accounted for, making it difficult to sift through all the incidents to find the ones you care about. Develop specific incident use cases that correspond with relevant incidents to quickly identify the response process and eliminate ambiguity when handled by different individuals.

    Ice breaker: What is a security incident for your organization?

    1.1 Whiteboard Exercise – 60 minutes

    How do you classify various incident types between service desk, IT/infrastructure, and security?

    • Populate sticky notes with various incidents and assign them to the appropriate team.
      • Who owns the remediation? When are other groups involved? What is the triage/escalation process?
      • What other groups need to be notified (e.g. cyber insurance, Legal, HR, PR)?
      • Are there dependencies among incidents?
      • What are we covering in the scope of this project?

    Risk management company

    Expert risk management consultancy firm

    Based on experience
    Implementable advice
    human-based and people-oriented

    Engage Tymans Group, expert risk management and consultancy company, to advise you on mitigating, preventing, and monitoring IT and information security risks within your business. We offer our extensive experience as a risk consulting company to provide your business with a custom roadmap and practical solutions to any risk management problems you may encounter.

    Security and risk management

    Our security and risk services

    Security strategy

    Security Strategy

    Embed security thinking through aligning your security strategy to business goals and values

    Read more

    Disaster Recovery Planning

    Disaster Recovery Planning

    Create a disaster recovey plan that is right for your company

    Read more

    Risk Management

    Risk Management

    Build your right-sized IT Risk Management Program

    Read more

    Check out all our services

    Setting up risk management within your company with our expert help

    Risk is unavoidable when doing business, but that does not mean you should just accept it and move on. Every company should try to manage and mitigate risk as much as possible, be it risks regarding data security or general corporate security. As such, it would be wise to engage an expert risk management and consultancy company, like Tymans Group. Our risk management consulting firm offers business practical solutions for setting up risk management programs and IT risk monitoring protocols as well as solutions for handling IT incidents. Thanks to our experience as a risk management consulting firm, you enjoy practical and proven solutions based on a people-oriented approach.

    Benefit from our expert advice on risk management

    If you engage our risk management consultancy company you get access to various guides and documents to help you set up risk management protocols within you company. Additionally, you can book a one-hour online talk with our risk management consulting firm’s CEO Gert Taeymans to discuss any problems you may be facing or request an on-site appointment in which our experts analyze your problems. The talk can discuss any topic, from IT risk control to external audits and even corporate security consultancy. If you have any questions about our risk management and consulting services for your company, we are happy to answer them. Just contact our risk management consulting firm through the online form and we will get in touch with as soon as possible.

    Continue reading

    Establish Realistic IT Resource Management Practices

    • Buy Link or Shortcode: {j2store}435|cart{/j2store}
    • member rating overall impact (scale of 10): 9.5/10 Overall Impact
    • member rating average dollars saved: $36,337 Average $ Saved
    • member rating average days saved: 28 Average Days Saved
    • Parent Category Name: Portfolio Management
    • Parent Category Link: /portfolio-management
    • As CIO, you oversee a department that lacks the resource capacity to adequately meet organizational demand for new projects and services.
    • More projects are approved by the steering committee (or equivalent) than your department realistically has the capacity for, and you and your staff have little recourse to push back. If you have a PMO – and that PMO is one of the few that provides usable resource capacity projections – that information is rarely used to make strategic approval and prioritization decisions.
    • As a result, project quality and timelines suffer, and service delivery lags. Your staff are overallocated, but you lack statistical evidence because of incomplete estimates, allocations, and very little accurate data.

    Our Advice

    Critical Insight

    • IT’s capacity for new project work is largely overestimated. Much of IT’s time is lost to tasks that go unregulated and untracked (e.g. operations and support work, break-fixes and other reactive work) before project work is ever approved. When projects are approved, it is done so with little insight or concern for IT’s capacity to realistically complete that work.
    • The shift to matrix work structures has strained traditional methods of time tracking. Day-to-day demand is chaotic, and staff are pulled in multiple directions by numerous people. As fast-paced, rapidly changing, interruption-driven environments become the new normal, distractions and inefficiencies interfere with productive project work and usable capacity data.
    • The executive team approves too many projects, but it is not held to account for this malinvestment of time. Instead, it’s up to individual workers to sink or swim, as they attempt to reconcile, day after day, seemingly infinite organizational demand for new services and projects with their finite supply of working hours.

    Impact and Result

    • Instill a culture of capacity awareness. For years, the project portfolio management (PPM) industry has helped IT departments report on demand and usage, but has largely failed to make capacity part of the conversation. This research helps inject capacity awareness into project and service portfolio planning, enabling IT to get proactive about constraints before overallocation spirals, and project and service delivery suffers.
    • Build a sustainable process. Efforts to improve resource management often falter when you try to get too granular too quickly. Info-Tech’s approach starts at a high level, ensuring that capacity data is accurate and usable, and that IT’s process discipline is mature enough to maintain the data, before drilling down into greater levels of precision.
    • Establish a capacity book of record. You will ultimately need a tool to help provide ongoing resource visibility. Follow the advice in this blueprint to help with your tool selection, and ensure you meet the reporting needs of both your team and executives.

    Establish Realistic IT Resource Management Practices Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should develop a resource management strategy, review Info-Tech’s methodology, and understand the ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Take stock of organizational supply and demand

    Set the right resource management approach for your team and create a realistic estimate of your resource supply and organizational demand.

    • Balance Supply and Demand with Realistic Resource Management Practices – Phase 1: Take Stock of Organizational Supply and Demand
    • Resource Management Supply-Demand Calculator
    • Time Audit Workbook
    • Time-Tracking Survey Email Template

    2. Design a realistic resource management process

    Build a resource management process to ensure data accuracy and sustainability, and make the best tool selection to support your processes.

    • Balance Supply and Demand with Realistic Resource Management Practices – Phase 2: Design a Realistic Resource Management Process
    • Resource Management Playbook
    • PPM Solution Vendor Demo Script
    • Portfolio Manager Lite 2017

    3. Implement sustainable resource management practices

    Develop a plan to pilot your resource management processes to achieve maximum adoption, and anticipate challenges that could inhibit you from keeping supply and demand continually balanced.

    • Balance Supply and Demand with Realistic Resource Management Practices – Phase 3: Implement Sustainable Resource Management Practices
    • Process Pilot Plan Template
    • Project Portfolio Analyst / PMO Analyst
    • Resource Management Communications Template
    [infographic]

    Workshop: Establish Realistic IT Resource Management Practices

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Take Stock of Organizational Supply and Demand

    The Purpose

    Obtain a high-level view of current resource management practices.

    Identify current and target states of resource management maturity.

    Perform an in-depth time-tracking audit and gain insight into how time is spent on project versus non-project work to calculate realized capacity.

    Key Benefits Achieved

    Assess current distribution of accountabilities in resource management.

    Delve into your current problems to uncover root causes.

    Validate capacity and demand estimations with a time-tracking survey.

    Activities

    1.1 Perform a root-cause analysis of resourcing challenges facing the organization.

    1.2 Create a realistic estimate of project capacity.

    1.3 Map all sources of demand on resources at a high level.

    1.4 Validate your supply and demand assumptions by directly surveying your resources.

    Outputs

    Root-cause analysis

    Tab 2 of the Resource Management Supply-Demand Calculator, the Time Audit Workbook, and survey templates

    Tabs 3 and 4 of the Resource Management Supply-Demand Calculator

    Complete the Time Audit Workbook

    2 Design a Realistic Resource Management Process

    The Purpose

    Construct a resource management strategy that aligns with your team’s process maturity levels.

    Determine the resource management tool that will best support your processes.

    Key Benefits Achieved

    Activities

    2.1 Action the decision points in Info-Tech’s seven dimensions of resource management.

    2.2 Review resource management tool options, and depending on your selection, prepare a vendor demo script or review and set up Info-Tech’s Portfolio Manager Lite.

    2.3 Customize a workflow and process steps within the bounds of your seven dimensions and informed by your tool selection.

    Outputs

    A wireframe for a right-sized resource management strategy

    A vendor demo script or Info-Tech’s Portfolio Manager Lite.

    A customized resource management process and Resource Management Playbook.

    3 Implement Sustainable Resource Management Practices

    The Purpose

    Develop a plan to pilot your new processes to test whether you have chosen the right dimensions for maintaining resource data.

    Develop a communication plan to guide you through the implementation of the strategy and manage any resistance you may encounter.

    Key Benefits Achieved

    Identify and address improvements before officially instituting the new resource management strategy.

    Identify the other factors that affect resource productivity.

    Implement a completed resource management solution.

    Activities

    3.1 Develop a pilot plan.

    3.2 Perform a resource management start/stop/continue exercise.

    3.3 Develop plans to mitigate executive stakeholder, team, and structural factors that could inhibit your implementation.

    3.4 Finalize the playbook and customize a presentation to help explain your new processes to the organization.

    Outputs

    Process Pilot Plan Template

    A refined resource management process informed by feedback and lessons learned

    Stakeholder management plan

    Resource Management Communications Template

    Further reading

    Establish Realistic IT Resource Management Practices

    Holistically balance IT supply and demand to avoid overallocation.

    Analyst perspective

    Restore the right accountabilities for reconciling supply and demand.

    "Who gets in trouble at the organization when too many projects are approved?

    We’ve just exited a period of about 20-25 years where the answer to the above question was usually “nobody.” The officers of the corporation held nobody to account for the malinvestment of resources that comes from approving too many projects or having systemically unrealistic project due dates. Boards of directors failed to hold the officers accountable for that. And shareholders failed to hold boards of directors accountable for that.

    But this is shifting right under our feet. Increasingly, PMOs are being managed with the mentality previously reserved for those in the finance department. In many cases, the PMOs are now reporting to the CFO! This represents a very simple and basic reversion to the concept of fiduciary duty: somebody will be held to account for the consumption of all those hours, and somebody should be the approver of projects who created the excess demand." – Barry Cousins Senior Director of Research, PMO Practice Info-Tech Research Group

    Our understanding of the problem

    This Research Is Designed For:

    • IT leaders who lack actionable evidence of a resource-supply, work-demand imbalance.
    • CIOs whose departments struggle to meet service and project delivery expectations with given resources.
    • Portfolio managers, PMO directors, and project managers whose portfolio and project plans suffer due to unstable resource availability.

    This Research Will Help You:

    • Build trustworthy resource capacity data to support service and project portfolio management.
    • Develop sustainable resource management practices to help you estimate, and continually validate, your true resource capacity for services and projects.
    • Identify the demands that deplete your resource capacity without creating value for IT.

    This Research Will Also Assist:

    • Steering committee and C-suite management who want to improve IT’s delivery of projects.
    • Project sponsors that want to ensure their projects get the promised resource time by their project managers.

    This Research Will Help Them:

    • Ensure sufficient supply of time for projects to be successfully completed with high quality.
    • Communicate the new resource management practice and get stakeholder buy-in.

    Executive summary

    Situation

    • As CIO, you oversee a department that lacks the resource capacity to adequately meet organizational demand for new projects and services. As a result, project quality and timelines suffer, and service delivery lags.
    • You need a resource management strategy to help bring balance to supply and demand in order to improve IT’s ability to deliver.

    Complication

    • The shift to matrix work structures has strained traditional methods of time tracking. Day-to-day demand is chaotic; staff are pulled in multiple directions by numerous people, making usable capacity data elusive.
    • The executive team approves too many projects, but is not held to account for the overspend on time. Instead, the IT worker is made liable, expected to simply get things done under excessive demands.

    Resolution

    • Instill a culture of capacity awareness. For years, the project portfolio management (PPM) industry has helped IT departments report on demand and usage, but it has largely failed to make capacity part of the conversation. This research helps inject capacity awareness into project and service portfolio planning, enabling IT to get proactive about constraints before overallocation spirals, and project and service delivery suffers.
    • Build a sustainable process. Efforts to get better at resource management often falter when you try to get too granular too quickly. Info-Tech’s approach starts at a high level, ensuring that capacity data is accurate and usable, and that IT’s process discipline is mature enough to maintain the data, before drilling down into greater levels of precision.
    • Establish a capacity hub. You will ultimately need a tool to help provide ongoing resource visibility. Follow the advice in this blueprint to help with your tool selection and ensure the reporting needs of both your team and executives are met.

    Info-Tech Insight

    1. Take a realistic approach to resource management. New organizational realities have made traditional, rigorous resource projections impossible to maintain. Accept reality and get realistic about where IT’s time goes.
    2. Make IT’s capacity perpetually transparent. The best way to ensure projects are approved and scheduled based upon the availability of the right teams and skills is to shine a light into IT’s capacity and hold decision makers to account with usable capacity reports.

    The availability of staff time is rarely factored into IT project and service delivery commitments

    As a result, a lot gets promised and worked on, and staff are always busy, but very little actually gets done – at least not within given timelines or to expected levels of quality.

    Organizations tend to bite off more than they can chew when it comes to project and service delivery commitments involving IT resources.

    While the need for businesses to make an excess of IT commitments is understandable, the impacts of systemically overallocating IT are clearly negative:

    • Stakeholder relations suffer. Promises are made to the business that can’t be met by IT.
    • IT delivery suffers. Project timelines and quality frequently suffer, and service support regularly lags.
    • Employee engagement suffers. Anxiety and stress levels are consistently high among IT staff, while morale and engagement levels are low.

    76% of organizations say they have too many projects on the go and an unmanageable and ever-growing backlog of things to get to. (Cooper, 2014)

    Almost 70% of workers feel as though they have too much work on their plates and not enough time to do it. (Reynolds, 2016)

    Resource management can help to improve workloads and project results, but traditional approaches commonly fall short

    Traditional approaches to resource management suffer from a fundamental misconception about the availability of time in 2017.

    The concept of resource management comes from a pre-World Wide Web era, when resource and project plans could be based on a relatively stable set of assumptions.

    In the old paradigm, the availability of time was fairly predictable, as was the demand for IT services, so there was value to investing time into rigorous demand forecasts and planning.

    Resource projections could be based in a secure set of assumptions – i.e. 8 hour days, 40 hour weeks – and staff had the time to support detailed resource management processes that provided accurate usage data.

    Old Realities

    • Predictability. Change tended to be slow and deliberate, providing more stability for advanced, rigorous demand forecasts and planning.
    • Fixed hierarchy. Tasks, priorities, and decisions were communicated through a fixed chain of command.
    • Single-task focus. The old reality was more accommodating to sustained focus on one task at a time.

    96% of organizations report problems with the accuracy of information on employee timesheets. (Dimensional, 2013)

    Old reality resource forecasting inevitably falters under the weight of unpredictable demands and constant distractions

    New realities are causing demands on workers’ time to be unpredictable and unrelenting, making a sustained focus on a specific task for any length of time elusive.

    Part of the old resource management mythology is the idea that a person can do (for example) eight different one-hour tasks in eight hours of continuous work. This idea has gone from harmlessly mistaken to grossly unrealistic.

    The predictability and focus have given way to more chaotic workplace realities. Technology is ubiquitous, and the demand for IT services is constant.

    A day in IT is characterized by frequent task-switching, regular interruptions, and an influx of technology-enabled distractions.

    Every 3 minutes and 5 seconds: How often the typical office worker switches tasks, either through self-directed or other-directed interruptions. (Schulte, 2015)

    12 minutes, 40 seconds: The average amount of time in-between face-to-face interruptions in matrix organizations. (Anderson, 2015)

    23 minutes, 15 seconds: The average amount of time it takes to become on task, productive, and focused again after an interruption. (Schulte, 2015)

    759 hours: The average number of hours lost per employee annually due to distractions and interruptions. (Huth, 2015)

    The validity of traditional, rigorous resource planning has long been an illusion. New realities are making the sustained focus and stable assumptions that old reality projections relied on all but impossible to maintain.

    For resource management practices to be effective, they need to evolve to meet new realities

    New organizational realities have exacerbated traditional approaches to time tracking, making accurate and usable resource data elusive.

    The technology revolution that began in the 1990s ushered in a new paradigm in organizational structures. Matrix reporting structures, diminished supervision of knowledge workers, massive multi-tasking, and a continuous stream of information and communications from the outside world have smashed the predictability and stability of the old paradigm.

    The resource management industry has largely failed to evolve. It remains stubbornly rooted in old realities, relying on calculations and rollups that become increasingly unsustainable and irrelevant in our high-autonomy staff cultures and interruption-driven work days.

    New Realities

    • Unpredictable. Technologies and organizational strategies change before traditional IT demand forecasts and project plans can be realized.
    • Matrix management. Staff can be accountable to multiple project managers and functional managers at any given time.
    • Multi-task focus. In the new reality, workers’ attentions are scattered across multiple tasks and projects at any given time.

    87% of organizations report challenges with traditional methods of time tracking and reporting. (Dimensional, 2013)

    40% of working time is not tracked or tracked inaccurately by staff. (actiTIME, 2016)

    Poor resource management practices cost organizations dearly

    While time is money, the statistics around resource visibility and utilization suggest that the vast majority of organizations don’t spend their available time all that wisely.

    Research shows that ineffective resource management directly impacts an organization’s bottom line, contributing to such cost drains as the systemic late delivery of projects and increased project costs.

    Despite this, the majority of organizations fail to treat staff time like the precious commodity it is.

    As the results of a 2016 survey show, the top three pain points for IT and PMO leaders all revolve around a wider cultural negligence concerning staff time (Alexander, TechRepublic, 2016):

    • Overcommitted resources
    • Constant change that affects staff assignments
    • An inability to prioritize shared resources

    Top risks associated with poor resource management

    Inability to complete projects on time – 52%

    Inability to innovate fast enough – 39%

    Increased project costs – 38%

    Missed business opportunities – 34%

    Dissatisfied customers or clients – 32%

    12 times more waste – Organizations with poor resource management practices waste nearly 12 times more resource hours than high-performing organizations. (PMI, 2014)

    The concept of fiduciary duty represents the best way to bring balance to supply and demand, and improve project outcomes

    Unless someone is accountable for controlling the consumption of staff hours, too much work will get approved and committed to without evidence of sufficient resourcing.

    Who is accountable for controlling the consumption of staff hours?

    In many ways, no question is more important to the organization’s bottom line – and certainly, to the effectiveness of a resource management strategy.

    Historically, the answer would have been the executive layer of the organization. However, in the 1990s management largely abdicated its obligation to control resources and expenditures via “employee empowerment.”

    Controls on approvals became less rigid, and accountability for choosing what to do (and not do) shifted onto the shoulders of the individual worker. This creates a current paradigm where no one is accountable for the malinvestment…

    …of resources that comes from approving too many projects. Instead, it’s up to individual workers to sink-or-swim, as they attempt to reconcile, day after day, seemingly infinite organizational demand with their finite supply of working hours.

    If your organization has higher demand (i.e. approved project work) than supply (i.e. people’s time), your staff will be the final decision makers on what does and does NOT get worked on.

    Effective time leadership distinguishes top performing senior executives

    "Everything requires time… It is the one truly universal condition. All work takes place in time and uses up time. Yet most people take for granted this unique, irreplaceable and necessary resource. Nothing else, perhaps, distinguishes effective executives as much as their tender loving care of time." – Peter Drucker (quoted in Frank)

    67% of employees surveyed believe their CEOs focus too much on decisions based in short-term financial results and not enough time on decisions that create a stable, positive workplace for staff. (2016 Edelman Trust Barometer)

    Bring balance to supply and demand with realistic resource management practices

    Use Info-Tech’s approach to resource management to capture an accurate view of where your time goes and achieve sustained visibility into your capacity for new projects.

    Realistic project resource management starts by aligning demand with capacity, and then developing tactics to sustain alignment, even in the chaos of our fast-paced, rapidly changing, interruption-driven project environments.

    This blueprint will help you develop practices to promote and maintain accurate resourcing data, while developing tactics to continually inform decision makers’ assumptions about how much capacity is realistically available for project work.

    This research follows a three-phase approach to sustainable practices:

    1. Take Stock of Organizational Supply and Demand
    2. Design a Realistic Resource Management Process
    3. Implement Sustainable Resource Management Practices

    Info-Tech’s three-phase framework is structured around a practical, tactical approach to resource management. It’s not about what you put together as a one-time snapshot. It’s about what you can and will maintain every week, even during a crisis. When you stop maintaining resource management data, it’s nearly impossible to catch up and you’re usually forced to start fresh.

    Info-Tech’s approach is rooted in our seven dimensions of resource management

    Action the decision points across Info-Tech’s seven dimensions to ensure your resource management process is guided by realistic data and process goals.

    Default project vs. non-project ratio

    How much time is available for projects once non-project demands are factored in?

    Reporting frequency

    How often is the allocation data verified, reconciled, and reported for use?

    Forecast horizon

    How far into the future can you realistically predict resource supply?

    Scope of allocation

    To whom is time allocated?

    Allocation cadence

    How long is each allocation period?

    Granularity of time allocation

    What’s the smallest unit of time to allocate?

    Granularity of work assignment

    What is time allocated to?

    This blueprint will help you make the right decisions for your organization across each of these dimensions to ensure your resource management practices match your current process maturity levels.

    Once your framework is defined, we’ll equip you with a tactical plan to help keep supply and demand continually balanced

    This blueprint will help you customize a playbook to ensure your allocations are perpetually balanced week after week, month after month.

    Developing a process is one thing, sustaining it is another.

    The goal of this research isn’t just to achieve a one-time balancing of workloads and expect that this will stand the test of time.

    The true test of a resource management process is how well it facilitates the flow of accurate and usable data as workloads become chaotic, and fires and crises erupt.

    • Info-Tech’s approach will help you develop a playbook and a “rebalancing routine” that will help ensure your allocations remain perpetually current and balanced.
    • The sample routine to the right shows you an example of what this rebalancing process will look like (customizing this process is covered in Phase 3 of the blueprint).

    Sample “rebalancing” routine

    • Maintain a comprehensive list of the sources of demand (i.e. document the matrix).
    • Catalog the demand.
    • Allocate the supply.
    • Forecast the capacity to your forecast horizon.
    • Identify and prepare work packages or tasks for unsatisfied demand to ensure that supply can be utilized if it becomes free.
    • Reconcile any imbalance by repeating steps 1-5 on update frequency, say, weekly or monthly.

    Info-Tech’s method is complemented by a suite of resource management tools and templates

    Each phase of this blueprint is accompanied by supporting deliverables to help plan your resource management strategy and sustain your process implementation.

    Resource management depends on the flow of information and data from the project level up to functional managers, project managers, and beyond – CIOs, steering committees, and senior executives.

    Tools are required to help plan, organize, and facilitate this flow, and each phase of this blueprint is centered around tools and templates to help you successfully support your process implementation.

    Take Stock of Organizational Supply and Demand

    Tools and Templates:

    Design a Realistic Resource Management Process

    Tools and Templates:

    Implement Sustainable Resource Management Practices

    Tools and Templates:

    Use Info-Tech’s Portfolio Manager Lite to support your new process without a heavy upfront investment in tools

    Spreadsheets can provide a viable alternative for organizations not ready to invest in an expensive tool, or for those not getting what they need from their commercial selections.

    While homegrown solutions like spreadsheets and intranet sites lack the robust functionality of commercial offerings, they have dramatically lower complexity and cost-in-use.

    Info-Tech’s Portfolio Manager Lite is a sophisticated, scalable, and highly customizable spreadsheet-based solution that will get your new resource management process up and running, without a heavy upfront cost.

    Kinds of PPM solutions used by Info-Tech clients

    Homemade – 46%

    Commercial – 33%

    No Solution – 21%

    (Info-Tech Research Group (2016), N=433)

    The image shows 3 sheets with charts and graphs.

    Samples of Portfolio Manager Lite's output and reporting tabs

    Info-Tech’s approach to resource management is part of our larger project portfolio management framework

    This blueprint will help you master the art of resource management and set you up for greater success in other project portfolio management capabilities.

    Resource management is one capability within Info-Tech’s larger project portfolio management (PPM) framework.

    Resource visibility and capacity awareness permeates the whole of PPM, helping to ensure the right intake decisions get made, and projects are scheduled according to resource and skill availability.

    Whether you have an existing PPM strategy that you are looking to optimize or you are just starting on your PPM journey, this blueprint will help you situate your resource management processes within a larger project and portfolio framework.

    Info-Tech’ s PPM framework is based on extensive research and practical application, and complements industry standards such as those offered by PMI and ISACA.

    Project Portfolio Management
    Status & Progress Reporting
    Intake, Approval, & Prioritization Resource Management Project Management Project Closure Benefits Tracking
    Organizational Change Management
    Intake → Execution→ Closure

    Realize the value that improved resource management practices could bring to your organization

    Spend your company’s HR dollars more efficiently.

    Improved resource management and capacity awareness will allow your organization to improve resource utilization and increase project throughput.

    CIOs, PMOs, and portfolio managers can use this blueprint to improve the alignment between supply and demand. You should be able to gauge the value through the following metrics:

    Near-Term Success Metrics (6 to 12 months)

    • Increased frequency of currency (i.e. more accurate and usable resource data and reports).
    • Improved job satisfaction from project resources due to more even workloads.
    • Better ability to schedule project start dates and estimate end dates due to recourse visibility.

    Long-Term Success Metrics (12 to 24 months)

    • More projects completed on time.
    • Reclaimed capacity for project work.
    • A reduction in resource waste and increased resource utilization on productive project work.
    • Ability to track estimated vs. actual budget and work effort on projects.

    In the past 12 months, Info-Tech clients have reported an average measured value rating of $550,000 from the purchase of workshops based on this research.

    Info-Tech client masters resource management by shifting the focus to capacity forecasting

    CASE STUDY

    Industry Education

    Source Info-Tech Client

    Situation

    • There are more than 200 people in the IT organization.
    • IT is essentially a shared services environment with clients spanning multiple institutions across a wide geography.
    • The PMO identified dedicated resources for resource management.

    Complication

    • The definition of “resource management” was constantly shifting between accounting the past (i.e. time records), the present (i.e. work assignments), and the future (i.e. long term project allocations).
    • The task data set (i.e. for current work assignments) was not aligned to the historic time records or future capacity.
    • It was difficult to predict or account for the spend, which exceeded 30,000 hours per month.

    “We’re told we can’t say NO to projects. But this new tool set and approach allows us to give an informed WHEN.” – Senior PMO Director, Education

    Resolution

    • The leadership decided to forecast and communicate their resource capacity on a 3-4 month forecast horizon using Info-Tech’s Portfolio Manager 2017.
    • Unallocated resource capacity was identified within certain skill sets that had previously been assessed as fully allocated. While some of the more high-visibility staff were indeed overallocated, other more junior personnel had been systemically underutilized on projects.
    • The high demand for IT project resourcing was immediately placed in the context of a believable, credible expression of supply.

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    “Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.”

    Guided Implementation

    “Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.”

    Workshop

    “We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.”

    Consulting

    “Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”

    Diagnostics and consistent frameworks used throughout all four options

    Establish Realistic IT Resource Management Practices – project overview

    1. Take Stock of Organizational Supply and Demand 2. Design a Realistic Resource Management Process 3. Implement Sustainable Resource Management Practices
    Best-Practice Toolkit

    1.1 Set a resource management course of action

    1.2 Create realistic estimates of supply and demand

    2.1 Customize the seven dimensions of resource management

    2.2 Determine the resource management tool that will best support your process

    2.3 Build process steps to ensure data accuracy and sustainability

    3.1 Pilot your resource management process to assess viability

    3.2 Plan to engage your stakeholders with your playbook

    Guided Implementations
    • Scoping call
    • Assess how accountability for resource management is currently distributed
    • Create a realistic estimate of project capacity
    • Map all sources of demand on resources at a high level
    • Set your seven dimensions of resource management
    • Jump-start spreadsheet-based resource management with Portfolio Manager Lite
    • Build on the workflow to determine how data will be collected and who will support the process
    • Define the scope of a pilot and determine logistics
    • Finalize resource management roles and responsibilities
    • Brainstorm and plan for potential resistance to change, objections, and fatigue from stakeholders
    Onsite Workshop

    Module 1:

    • Take Stock of Organizational Supply and Demand

    Module 2:

    • Design a Realistic Resource Management Process

    Module 3:

    • Implement Sustainable Resource Management Practices

    Phase 1 Outcome:

    • Resource Management Supply-Demand Calculator

    Phase 2 Outcome:

    • Resource Management Playbook

    Phase 3 Outcome:

    • Resource Management Communications Template

    Workshop overview

    Contact your account representative or email Workshops@InfoTech.com for more information.

    Workshop Day 1 Workshop Day 2 Workshop Day 3 Workshop Day 4 Workshop Day 5
    Activities

    Introduction to PPM and resource management

    1.1 Complete and review PPM Current State Scorecard Assessment

    1.2 Perform root cause analysis of resource management challenges

    1.3 Initiate time audit survey of management and staff

    Take stock of supply and demand

    2.1 Review the outputs of the time audit survey and analyze the data

    2.2 Analyze project and non-project demands, including the sources of those demands

    2.3 Set the seven dimensions of resource management

    Design a resource management process

    3.1 Review resource management tool options

    3.2 Prepare a vendor demo script or review Portfolio Manager Lite

    3.3 Build process steps to ensure data accuracy and sustainability

    Pilot and refine the process

    4.1 Define methods for piloting the strategy (after the workshop)

    4.2 Complete the Process Pilot Plan Template

    4.3 Conduct a mock resource management meeting

    4.4 Perform a RACI exercise

    Communicate and implement the process

    5.1 Brainstorm potential implications of the new strategy and develop a plan to manage stakeholder and staff resistance to the strategy

    5.2 Customize the Resource Management Communications Template

    5.3 Finalize the playbook

    Deliverables
    1. PPM Current State Scorecard Assessment
    2. Root cause analysis
    3. Time Audit Workbook and survey templates
    1. Resource Management Supply-Demand Calculator
    1. Portfolio Manager Lite
    2. PPM Solution Vendor Demo Script
    3. Tentative Resource Management Playbook
    1. Process Pilot Plan Template
    2. RACI chart
    1. Resource Management Communications Template
    2. Finalized Resource Management Playbook

    Phase 1

    Take Stock of Organizational Resource Supply and Demand

    Phase 1 Outline

    Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

    Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

    Guided Implementation 1: Take Stock of Organizational Resource Supply and Demand

    Proposed Time to Completion (in weeks): 1-2 weeks

    Step 1.1: Analyze the current state

    Start with an analyst kick-off call:

    • Discuss the goals, aims, benefits, and challenges of resource management
    • Identify who is currently accountable for balancing resource supply and demand

    Then complete these activities…

    • Assess the current distribution of accountabilities in resource management
    • Delve into your current problems to uncover root causes
    • Make a go/no-go decision on developing a new resource management practice
    Step 1.2: Estimate your supply and demand

    Review findings with analyst:

    • Root causes of resource management
    • Your current impression about the resource supply-demand imbalance

    Then complete these activities…

    • Estimate your resource capacity for each role
    • Estimate your project/non-project demand on resources
    • Validate the findings with a time-tracking survey

    With these tools & templates:

    • Resource Management Supply-Demand Calculator
    • Time-Tracking Survey Email Template

    Phase 1 Results & Insights:

    A matrix organization creates many small, untraceable demands that are often overlooked in resource management efforts, which leads to underestimating total demand and overcommitting resources. To capture them and enhance the success of your resource management effort, focus on completeness rather than precision. Precision of data will improve over time as your process maturity grows.

    Step 1.1: Set a resource management course of action

    PHASE 1

    1.1 Set a course of action

    1.2 Estimate supply and demand

    PHASE 2

    2.1 Select resource management dimensions

    2.2 Select resource management tools

    2.3 Build process steps

    PHASE 3

    3.1 Pilot your process for viability

    3.2 Plan stakeholder engagement

    This step will walk you through the following activities:
    • Determine your resource management process capability level
    • Assess how accountability for resource management is currently distributed
    This step involves the following participants:
    • CIO / IT Director
    • PMO Director/ Portfolio Manager
    • Functional / Resource Managers
    • Project Managers
    Outcomes of this step
    • Current distribution of accountability for resource management practice
    • Root-cause analysis of resourcing challenges facing the organization
    • Commitment to implementing a right-sized resource management practice

    “Too many projects, not enough resources” is the reality of most IT environments

    A profound imbalance between demand (i.e. approved project work and service delivery commitments) and supply (i.e. people’s time) is the top challenge IT departments face today..

    In today’s organizations, the desires of business units for new products and enhancements, and the appetites of senior leadership to approve more and more projects for those products and services, far outstrip IT’s ability to realistically deliver on everything.

    The vast majority of IT departments lack the resourcing to meet project demand – especially given the fact that day-to-day operational demands frequently trump project work.

    As a result, project throughput suffers – and with it, IT’s reputation within the organization.

    Info-Tech Insight

    Where does the time go? The portfolio manager (or equivalent) should function as the accounting department for time, showing what’s available in IT’s human resources budget for projects and providing ongoing visibility into how that budget of time is being spent.

    Resource management can help to even out staff workloads and improve project and service delivery results

    As the results of a recent survey* show, the top three pain points for IT and PMO leaders all revolve around a wider cultural negligence concerning staff time:

    • Overcommitted resources
    • Constant change that affects staff assignments
    • An inability to prioritize shared resources

    A resource management strategy can help to alleviate these pain points and reconcile the imbalance between supply and demand by achieving the following outcomes:

    • Improving resource visibility
    • Reducing overallocation, and accordingly, resource stress
    • Reducing project delay
    • Improving resource efficiency and productivity

    Top risks associated with poor resource management

    Inability to complete projects on time – 52%

    Inability to innovate fast enough – 39%

    Increased project costs – 38%

    Missed business opportunities – 34%

    Dissatisfied customers or clients – 32%

    12 times more waste – Organizations with poor resource management practices waste nearly 12 times more resource hours than high-performing organizations. (PMI, 2014)

    Resource management is a core process in Info-Tech’s project portfolio management framework

    Project portfolio management (PPM) creates a stable and secure infrastructure around projects.

    PPM’s goal is to maximize the throughput of projects that provide strategic and operational value to the organization. To do this, a PPM strategy must help to:

    Info-Tech's Project Portfolio Management Process Model
    3. Status & Progress Reporting [make sure the projects are okay]
    1. Intake, Approval, & Prioritization [select the right projects] 2. Resource Management [Pick the right time and people to execute the projects Project Management

    4. Project Closure

    [make sure the projects get done]

    5. Benefits Tracking

    [make sure they were worth doing]

    Organizational Change Management
    Intake → Execution→ Closure

    If you don’t yet have a PPM strategy in place, or would like to revisit your existing PPM strategy before implementing resource management practices, see Info-Tech’s blueprint, Develop a Project Portfolio Management Strategy.

    Effective resource management is rooted in a relatively simple set of questions

    However, while the questions are rather simple, the answers become complicated by challenges unique to matrix organizations and other workplace realities in 2017.

    To support the goals of PPM more generally, resource management must (1) supply quality work-hours to approved and ongoing projects, and (2) supply reliable data with which to steer the project portfolio.

    To do this, a resource management strategy must address a relatively straightforward set of questions.

    Key Questions

    • Who assigns the resources?
    • Who feeds the data on resources?
    • How do we make sure it’s valid?
    • How do we handle contingencies when projects are late or when availability changes?

    Challenges

    • Matrix organizations require project workers to answer to many masters and balance project work with “keep the lights on” activities and other administrative work.
    • Interruptions, distractions, and divided attention create consistent challenges for workplace productivity.

    "In matrix organizations, complicated processes and tools get implemented to answer the deceptively simple question “what’s Bob going to work on over the next few months?” Inevitably, the data captured becomes the focus of scrutiny as functional and project managers complain about data inaccuracy while simultaneously remaining reluctant to invest the effort necessary to improve quality." – Kiron Bondale

    Determine your organization’s resource management capability level with a maturity assessment

    1.1.1
    10 minutes

    Input

    • Organizational strategy and culture

    Output

    • Resource management capability level

    Materials

    • N/A

    Participants

    • PMO Director/ Portfolio Manager
    • Project Managers
    • Resource Managers

    Kick-off the discussion on the resource management process by deciding which capability level most accurately describes your organization’s current state.

    Capability Level Descriptions
    Capability Level 5: Optimized Our organization has an accurate picture of project versus non-project workloads and allocates resources accordingly. We periodically reclaim lost capacity through organizational and behavioral change.
    Capability Level 4: Aligned We have an accurate picture of how much time is spent on project versus non-project work. We allocate resources to these projects accordingly. We are checking in on project progress bi-weekly.
    Capability Level 3: Pixelated We are allocating resources to projects and tracking progress monthly. We have a rough estimate of how much time is spent on project versus non-project work.
    Capability Level 2: Opaque We match resource teams to projects and check in annually, but we do not forecast future resource needs or track project versus non-project work.
    Capability Level 1: Unmanaged Our organization expects projects to be finished, but there is no process in place for allocating resources or tracking project progress.

    If resources are poorly managed, they prioritize work based on consequences rather than on meeting demand

    As a result, matrix organizations are collectively steered by each resource and its individual motives, not by managers, executives, or organizational strategy.

    In a matrix organization, demands on a resource’s time come from many directions, each demand unaware of the others. Resources are expected to prioritize their work, but they typically lack the authority to formally reject demand, so demand frequently outstrips the supply of work-hours the resource can deliver.

    When this happens, the resource has three options:

    1. Work more hours, typically without compensation.
    2. Choose tasks not to do in a way that minimizes personal consequences.
    3. Diminish work quality to meet quantity demands.

    The result is an unsustainable system for those involved:

    1. Resources cannot meet expectations, leading to frustration and disengagement.
    2. Managers cannot deliver on the projects or services they manage and struggle to retain skilled resources who are looking elsewhere for “greener pastures.”
    3. Executives cannot execute strategic plans as they lose decision-making power over their resources.

    Scope your resource management practices within a matrix organization by asking “who?”

    Resource management boils down to a seemingly simple question: how do we balance supply and demand? Balancing requires a decision maker to make choices; however, in a matrix organization, identifying this decision maker is not straightforward:

    Balance

    • Who decides how much capacity should be dedicated to project work versus administrative or operational work?
    • Who decides how to respond to unexpected changes in supply or demand?

    Supply

    • Who decides how much total capacity we have for each necessary skill set?
    • Who manages the contingency, or redundancy, of capacity?
    • Who validates the capacity supply as a whole?
    • Who decides what to report as unexpected changes in supply (and to whom)?

    Demand

    • Who generates demand on the resource that can be controlled by their manager?
    • Who generates demand on the capacity that cannot be controlled by their manager?
    • Who validates the demand on capacity as a whole?
    • Who decides what to report as unexpected changes in demand (and to whom)?

    The individual who has the authority to make choices, and who is ultimately liable for those decisions, is an accountable person. In a matrix organization, accountability is dispersed, sometimes spilling over to those without the necessary authority.

    To effectively balance supply and demand, senior management must be held accountable

    Differentiate between responsibility and accountability to manage the organization’s project portfolio effectively.

    Responsibility

    The responsible party is the individual (or group) who actually completes the task.

    Responsibility can be shared.

    VS.

    Accountability

    The accountable person is the individual who has the authority to make choices, and is ultimately answerable for the decision.

    Accountability cannot be shared.

    Resources often do not have the necessary scope of authority to make resource management choices, so they can never be truly accountable for the project portfolio. Instead, resources are accountable for making available trustworthy data, so the right people can make choices driven by organizational strategy.

    The next activity will assess how accountability for resource management is currently distributed in your organization.

    Assess the current distribution of accountability for resource management practice

    1.1.2
    15 minutes

    Input

    • Organizational strategy and culture

    Output

    • Current distribution of accountabilities for resource management

    Materials

    • Whiteboard/flip chart
    • Markers

    Participants

    • CIO
    • PMO Director/ Portfolio Manager

    Below is a list of tasks in resource management that require choices. Discuss who is currently accountable and whether they have the right authority and ability to deliver on that accountability.

    Resource management tasks that require choices Accountability
    Current Effective?
    Identify all demands on resources
    Prioritize identified project demands
    Prioritize identified operational demands
    Prioritize identified administrative demands
    Prioritize all of the above demands
    Enumerate resource supply
    Validate resource supply
    Collect and validate supply and demand data
    Defer or reject work beyond available supply
    Adjust resource supply to meet demand

    Develop coordination between project and functional managers to optimize resource management

    Because resources are invariably responsible for both project and non-project work, efforts to procure capacity for projects cannot exist in isolation.

    IT departments need many different technical skill sets at their disposal for their day-to-day operations and services, as well as for projects. A limited hiring budget for IT restricts the number of hires with any given skill, forcing IT to share resources between service and project portfolios.

    This resource sharing produces a matrix organization divided along the lines of service and projects. Functional and project managers provide respective oversight for services and projects. Resources split their available work-hours toward service and project tasks according to priority – in theory.

    However, in practice, two major challenges exist:

    1. Poor coordination between functional and project managers causes commitments beyond resource capacity, disputes about resource oversight, and animosity among management, all while resources struggle to balance unclear priorities.
    2. Resources have a “third boss,” namely uncontrolled demands from the rest of the business, which lack both visibility and accountability.

    The image shows a board balanced on a ball (labelled Resource Management), with two balls on either end of it (Capacity Supply on the left, and Demand on the right), and another board balanced on top of the right ball, with two more balls balanced on either side of it (Projects on the left and Operational, Administrative, Etc. on the right).

    Resource management processes must account for the numerous small demands generated in a matrix organization

    Avoid going bankrupt $20 at a time: small demands add up to a significant chunk of work-hours.

    Because resource managers must cover both projects and services within IT, the typical solution to allocation problems in matrix organizations is to escalate the urgency and severity of demands by involving the executive steering committee. Unfortunately, the steering committee cannot expend time and resources on all demands. Instead, they often set a minimum threshold for cases – 100-1,000 work-hours depending on the organization.

    Under this resource management practice, small demands – especially the quick-fixes and little projects from “the third boss” – continue to erode project capacity. Eventually, projects fail to get resources because pesky small demands have no restrictions on the resources they consumed.

    Realistic resource management needs to account for demand from all three bosses; however…

    Info-Tech Insight

    Excess project or service request intake channels lead to the proliferation of “off-the-grid” projects and tasks that lack visibility from the IT leadership. This can indicate that there may be too much red tape: that is, the request process is made too complex or cumbersome. Consider simplifying the request process and bring IT’s visibility into those requests.

    Interrogate your resource management problems to uncover root causes

    1.1.3
    30 minutes to 1 hour

    Input

    • Organizational strategy and culture

    Output

    • Root causes of resource management failures

    Materials

    • Whiteboard/flip chart
    • Sticky notes
    • Markers

    Participants

    • CIO
    • PMO Director/ Portfolio Manager
    • Functional Managers
    • Project Managers
    1. Pick a starting problem statement in resource management. e.g. projects can’t get resource work-hours.
    2. Ask the participants “why”? Use three generic headings – people, processes, and technology – to keep participants focused. Keep the responses solution-agnostic: do not jump to solutions. If you have a large group, divide into smaller groups and use sticky notes to encourage more participation in this brainstorming step.
    People Processes Technology
    • We don’t have enough people/skills.
    • People are tied up on projects that run late.
    • Functional and project managers appear to hoard resources.
    • Resources cannot prioritize work.
    • Resources are too busy responding to 911s from the business.
    • Resources cannot prioritize projects vs. operational tasks.
    • “Soft-closed” projects do not release resources for other work.
    • We don’t have tools that show resource availability.
    • Tools we have for showing resource availability are not being used.
    • Data is inaccurate and unreliable.
    1. Determine the root cause by iteratively asking “why?” up to five times, or until the chain of whys comes full circle. (i.e. Why A? B. Why B? C. Why C? A.) See below for an example.

    1.1.2 Example of a root-cause analysis: people

    The following is a non-exhaustive example:

    The image shows an example of a root-cause analysis. It begins on the left with the header People, and then lists a series of challenges below. Moving toward the right, there are a series of headers that read Why? at the top of the chart, and listing reasons for the challenges below each one. As you read through the chart from left to right, the reasons for challenges become increasingly specific.

    Right-size your resource management strategy with Info-Tech’s realistic resource management practice

    If precise, accurate, and complete data on resource supply and demand was consistently available, reporting on project capacity would be easy. Such data would provide managers complete control over a resource’s time, like a foreman at a construction site. However, this theoretical scenario is incompatible with today’s matrixed workplace:

    • Sources of demand can lie outside IT’s control.
    • Demand is generated chaotically, with little predictability.
    • Resources work with minimal supervision.

    Collecting and maintaining resource data is therefore nearly impossible:

    • Achieving perfect data accuracy creates unnecessary overhead.
    • Non-compliance by one project or resource makes your entire data set unusable for resource management.

    This blueprint will guide you through right-sizing your resource management efforts to achieve maximum value-to-effort ratio and sustainability.


    The image shows a graph with Quality, Value on the Y axis, and Required Effort on the X-Axis. The graph is divided into 3 categories, based on the criteria: Value-to-effort Ratio and Sustainability. The three sections are labelled at the top of the graph as: Reactive, “gut feel”-driven; Right-sized resource management; Full control, complete data. The 2nd section is bolded. The line in the graph starts low, rising through the 2nd section, and is stable at the top of the chart in the final section.

    Choose your resource management course of action

    Portfolio managers looking for a resource management solution have three mutually exclusive options:

    Option A: Do Nothing

    • Rely on expert judgment and intuition to make portfolio choices.
    • Allow the third boss to dictate the demands of your resources.

    Option B: Get Precise

    • Aim for granularity and precision of data with a solution that may demand more capacity than is realistically available by hiring, outsourcing, or over-allocating people’s time.
    • Require detailed, accurate time sheets for all project tasks.
    • For those choosing this option, proceed to Info-Tech’s Select and Implement a PPM Solution.

    Option C: Get Realistic

    • Balance capacity supply and demand using abstraction.
    • Implement right-sized resource management practices that rely on realistic, high-level capacity estimates.
    • Reduce instability in data by focusing on resource capacity, rather than granular project demands and task level details.

    This blueprint takes you through the steps necessary to accomplish Option C, using Info-Tech’s tools and templates for managing your resources.

    Step 1.2: Create realistic estimates of supply and demand

    PHASE 1

    1.1 Set a course of action

    1.2 Estimate supply and demand

    PHASE 2

    2.1 Select resource management dimensions

    2.2 Select resource management tools

    2.3 Build process steps

    PHASE 3

    3.1 Pilot your process for viability

    3.2 Plan stakeholder engagement

    This step will walk you through the following activities:
    • Create a realistic estimate of project capacity
    • Map all sources of demand on resources at a high level
    • Validate your supply and demand assumptions by directly surveying your resources
    This step involves the following participants:
    • PMO Director / Portfolio Manager
    • Project Managers (optional)
    • Functional / Resource Managers (optional)
    • Project Resources (optional)
    Outcomes of this step
    • A realistic estimate of your total and project capacity, as well as project and non-project demand on their time
    • Quantitative insight into the resourcing challenges facing the organization
    • Results from a time-tracking survey, which are used to validate the assumptions made for estimating resource supply and demand

    Create a realistic estimate of your project capacity with Info-Tech’s Resource Management Supply-Demand Calculator

    Take an iterative approach to capacity estimates: use your assumptions to create a meaningful estimate, and then validate with your staff to improve its accuracy.

    Use Info-Tech’s Resource Management Supply-Demand Calculator to create a realistic estimate of your project capacity.

    The calculator tool requires minimal upfront staff participation: you can obtain meaningful results with participation from even a single person, with insight on the distribution of your resources and their average work week or month. As the number of participants increases, the quality of analysis will improve.

    The first half of this step guides you through how to use the calculator. The second half provides tactical advice on how to gather additional data and validate your resourcing data with your staff.

    Download Info-Tech’s Resource Management Supply-Demand Calculator

    Info-Tech Insight

    What’s first, process or tools? Remember that process determines the quality of your data while data quality limits the tool’s utility. Without quality data, you cannot evaluate the success of the tool, so nail down your collection process first.

    Break down your resource capacity into high-level buckets of time for each role

    1.2.1
    30 minutes - 1 hour

    Input

    • Staff resource types
    • Average work week
    • Estimated allocations

    Output

    A realistic estimate of project capacity

    Materials

    Resource Management Supply-Demand Calculator

    Participants

    • PMO Director
    • Resource/Functional Managers (optional)

    We define four high-level buckets of resource time:

    • Absence: on average, a resource spends 14% of the year on vacation, statutory holidays, business holidays and other forms of absenteeism.
    • Administrative: time spent on meetings, recordkeeping, etc.
    • Operational: keeping the lights on; reactive work.
    • Projects: time to work on projects; typically, this bucket of time is whatever’s left from the above.

    The image shows a pie chart with four sections: Absence - 6,698 14%; Admin - 10,286 22%; Keep the Lights On - 15, 026 31%; Project Capacity 15, 831 33%.

    Instructions for working through Tab 2 of the Resource Management Supply-Demand Calculator are provided in the next two sections. Follow along to obtain your breakdown of annual resource capacity in a pie chart.

    Break down your resource capacity into high-level buckets of time for each role

    1.2.1
    Resource Management Supply-Demand Calculator, Tab 2: Capacity Supply

    Discover how many work-hours are at your disposal by first accounting for absences.

    The image shows a section of the Resource Management Supply-Demand Calculator, for calculating absences, with sample information filled in.

    1. Compile a list of each of the roles within your department.
    2. Enter the number of staff currently performing each role.
    3. Enter the number of hours in a typical work week for each role.
    4. Enter the foreseeable out-of-office time (vacation, sick time, etc.) Typically, this value is 12-16% depending on the region.

    Hours per Year represents your total resource capacity for each role, as well as the entire department. This column is automatically calculated.

    Working Time per Year represents your total resource capacity minus time employees are expected to spend out of office. This column is automatically calculated.

    Info-Tech Insight

    Example for a five-day work week:

    • 2 weeks (10 days) of statutory holidays
    • 3 weeks of vacation
    • 1.4 weeks (7 days) of sick days on average
    • 1 week (5 days) for company holidays

    Result: 7.4/52 weeks’ absence = 14.2%

    Break down your resource capacity into high-level buckets of time for each role (continued)

    1.2.1
    Resource Management Supply-Demand Calculator, Tab 2: Capacity Supply

    Determine the current distribution of your resources’ time and your confidence in whether the resources indeed supply those times.

    The image is a screen capture of the Working Time section of the calculator, with sample information filled in.

    5. Enter the percentage of working time across each role that, on an annual basis, goes toward administrative duties (non-project meetings, training, time spent checking email, etc.) and keep-the-lights-on work (e.g. support and maintenance work).

    While these percentages will vary by individual, a high-level estimate across each role will suffice for the purposes of this activity.

    6. Express how confident you are in each resource being able to deliver the calculated project work hours in percentages.

    Another interpretation for supply confidence is “supply control”: estimate your current ability to control this distribution of working time to meet the changing needs in percentages.

    Percentage of your working time that goes toward project work is calculated based upon what’s left after your non-project working time allocations have been subtracted.

    Create a realistic estimate of the demand from your project portfolio with the T-shirt sizing technique

    1.2.2
    15 minutes - 30 minutes

    Input

    • Average work-hours for a project
    • List of projects
    • PPM Current State Scorecard

    Output

    A realistic estimate of resource demand from your project portfolio

    Materials

    Resource Management Supply-Demand Calculator

    Participants

    • PMO Director
    • Project Managers (optional)

    Quickly re-express the size of your project portfolio in resource hours required.

    Estimating the resources required for a project in a project backlog can take a lot of effort. Rather than trying to create an accurate estimate for each project, a set of standard project sizes (often referred to as the “T-shirt sizing” technique) will be sufficiently accurate for estimating your project backlog’s overall demand.

    Instructions for working through Tab 3 of the tool are provided here and in the next section.

    1. For each type of project, enter the average number for work-hours.

    Project Types Average Number of Work Hours for a Project
    Small 80
    Medium 200
    Large 500
    Extra-Large 1000

    Improve your estimate of demand from your project portfolio by accounting for unproductive capacity spending

    1.2.2
    Resource Management Supply-Demand Calculator, Tab 3: Project Demand

    2. Using your list of projects, enter the number of projects for each appropriate field.

    The image shows a screen capture of the number of projects section of the Resource Management Supply-Demand Calculator, with sample information filled in.

    3. Enter your resource waste data from the PPM Current State Scorecard (see next section). Alternatively, enter your best guess on how much project capacity is spent wastefully per category.

    The image shows a screen capture of the Waste Assessment section of the Resource Management Supply-Demand Calculator, with sample information filled in, and a pie chart on the right based on the sample data.

    Info-Tech Insight

    The calculator estimates the project demand by T-shirt-sizing the work-hours required by projects to be delivered within the next 12 months and then adding the corresponding wasted capacity. This may be a pessimistic estimate, but it is more realistic because projects tend to be delivered late more than early.

    Estimate how much project capacity is wasted with Info-Tech’s PPM Current State Scorecard

    Call 1-888-670-8889 or contact your Account Manager for more information.

    This step is highly recommended but not required.

    Info-Tech’s PPM Current State Scorecard diagnostic provides a comprehensive view of your portfolio management strengths and weaknesses, including project portfolio management, project management, customer management, and resource utilization.

    Use the wisdom-of-the-crowd to estimate resource waste in:

    • Cancelled projects
    • Inefficiency
    • Suboptimal assignment of resources
    • Unassigned resources
    • Analyzing, fixing, and redeploying

    50% of PPM resource is wasted on average, effectively halving your available project capacity.

    Estimate non-project demand on your resources by role

    1.2.3
    45 minutes - 1 hour

    Input

    • Organizational chart
    • Knowledge of staff non-project demand

    Output

    Documented non-project demands and their estimated degree of fluctuation

    Materials

    Resource Management Supply-Demand Calculator

    Participants

    • PMO Director
    • Functional Managers (optional)
    Document non-project demand that could eat into your project capacity.

    When discussing project demands, non-project demands (administrative and operational) are often underestimated and downplayed – even though, in reality, they take a de facto higher priority to project work. Use Tab 4 of the tool to document these non-project demands, as well as their sources.

    The image shows a screen capture from Tab 4 of the tool, with sample information filled in.

    1. Choose a role using a drop-down list.

    2. Enter the type and the source of the demand.

    3. Enter the size and the frequency of the demand in hours.

    4. Estimate how stable the non-project demands are for each role.

    Examine and discuss your supply-demand analysis report

    1.2.4
    30 minutes - 1 hour

    Input

    Completed Resource Management Supply-Demand Calculator

    Output

    Supply-Demand Analysis Report

    Materials

    Resource Management Supply-Demand Calculator

    Participants

    • PMO Director
    • Functional Managers
    • Project Managers

    Start a data-driven discussion on resource management using the capacity supply-demand analysis report.

    Tab 5 of the calculator is a report that contains the following analysis:

    1. Overall resource capacity supply and demand gap
    2. Project capacity supply vs. demand gap
    3. Non-project capacity supply vs. demand balance
    4. Resource capacity confidence

    Each analysis is described and explained in the following four sections. Examine the report and discuss the following among the activity participants:

    1. How is your perception of the current resource capacity supply-demand balance affected by this analysis? How is it confirmed? Is it changed?
    2. Perform a root-cause analysis of problems revealed by the report. For each observation, ask “why?” repeatedly – generally, you can arrive at the root cause in four iterations.
    3. Refer back to Activity 1.1.2: current distribution of accountability for resource management. In your situation, how would you prioritize which resource management tasks to improve? Who are the involved stakeholders?

    Examine your supply-demand analysis report: overall resource capacity gap

    1.2.4
    Resource Management Supply-Demand Calculator, Tab 5: Supply-Demand Analysis

    1. Examine your resource capacity supply and demand gap.

    The top of the report on Tab 5 shows a breakdown of your annual resource supply and demand, with resource capacity shown in both total hours and percentage of the total. For the purposes of the analysis, absence is averaged. If total demand is less than available resource supply, the surplus capacity will be displayed as “Free Capacity” on the demand side.

    The Supply & Demand Analysis table displays the realistic project capacity, which is calculated by subtracting non-project supply deficit from the project capacity. This is based on the assumption that all non-project work must get done. The difference between the project demand and the realistic project capacity is your supply-demand gap, in work-hours.

    If your supply-demand gap is zero, recognize that the project demand does not take into account the project backlog: it only takes into account the projects that are expected to be delivered within the next 12 months.

    Examine your supply-demand analysis report: project capacity gap

    1.2.4
    Resource Management Supply-Demand Calculator, Tab 5: Supply-Demand Analysis

    2. Examine your project capacity supply vs. demand gap.

    The project capacity supply and demand analysis compares your available annual project capacity with the size of your project portfolio, expressed in work-hours.

    The supply side is further broken down to productive vs. wasted project capacity. The demand side is broken down to three buckets of projects: those that are active, those that sit in the backlog, and those that are expected to be added within 12 months. Percentage values are expressed in terms of total project capacity.

    A key observation here is the limitation to which reducing wasteful spending of resources can get to the project portfolio backlog. In this example, even a theoretical scenario of 100% productive project capacity will not likely result in net shrinkage of the project portfolio backlog. To achieve that, either the total project capacity must be increased, or less projects must be approved.

    Note: the work-hours necessary for delivering projects that are expected to be completed within 12 months is not shown in this visualization, as they should be represented within the other three categories of projects.

    Examine your supply-demand analysis report: non-project capacity gap

    1.2.4
    Resource Management Supply-Demand Calculator, Tab 5: Supply-Demand Analysis

    3. Drill down on the non-project capacity supply-demand balance by each role.

    The non-project capacity supply and demand analysis compares your available non-project capacity and their demands in a year, for each role, in work-hours.

    With this chart, you can:

    1. Observe which roles are “running hot,” (i.e. they have more demand than available supply).
    2. Verify your non-project/project supply ratio assumptions in Tab 2 of the tool / Activity 1.2.1.

    Tab 5 also provides similar breakdowns for administrative and keep-the-lights-on capacity supply and demand by each role.

    Examine your supply-demand analysis report: resource capacity confidence (RCC)

    1.2.4
    Resource Management Supply-Demand Calculator, Tab 5: Supply-Demand Analysis

    4. Examine your resource capacity confidence.

    In our approach, we introduce a metric called Resource Capacity Confidence (RCC). Conceptually, RCC is defined as follows:

    Resource Capacity Confidence = SC × DS × SDR

    Term Name Description
    SC Supply Control How confident are you that the supply of your resources’ project capacity will be delivered?
    DS Demand Stability How wildly does demand fluctuate? If it cannot be controlled, can it be predicted?
    SDR Supply-Demand Ratio How severely does demand outstrip supply?

    In this context, RCC can be defined as follows:

    "Given the uncertainty that our resources can supply hours according to the assumed project/non-project ratio, the fluctuations in non-project demand, and the overall deficit in project capacity, there is about 50% chance that we will be able to deliver the projects we are expected to deliver within the next 12 months."

    Case study: Non-project work is probably taking far more time than you might like

    CASE STUDY

    Industry Government

    Source Info-Tech Client

    "When our customers get a budget for a project, it’s all in capital. It never occurs to them that IT has a limited number of hours. "

    Challenge

    • A small municipal government was servicing a wide geographic area for information technology and infrastructure services.
    • There was no meaningful division of IT resources between support and project work.
    • Previous IT leadership tried a commercial PPM tool and stopped paying maintenance fees for it because of lack of adoption.
    • Projects were tracked inconsistently in multiple places.

    Solution

    • New project requests were approved with IT involvement.
    • Project approvals were entirely associated with the capital budget required and resourcing was never considered to be a constraint.
    • The broad assumption was that IT time was generally available for project work.
    • In reality, the IT personnel had almost no time for project work.

    Results

    • The organization introduced Info-Tech’s Grow Your Own PPM Solution template with minor modifications.
    • They established delivery dates for projects based on available time.
    • Time was allocated for projects based on person, project, percentage of time, and month.
    • They prioritized project allocations above reactive support work.

    Validate your resourcing assumptions with your staff by surveying their use of time

    Embrace the reality of imperfect IT labor efficiency to improve your understanding of resource time spend.

    Use Info-Tech’s time-tracking survey to validate your resourcing assumptions and get additional information to improve your understanding of resource time spent: imperfect labor efficiency and continuous partial attention.

    Causes of imperfect IT labor inefficiency
    • Most IT tasks are unique to their respective projects and contexts. A component that took 30 minutes to install last year might take two hours to install this year due to system changes that occurred since then.
    • Many IT tasks come up unexpectedly due to the need to maintain and support systems implemented on past projects. This work is unpredictable in terms of specifics (what will break where, when, or how).
    • Task switching slows people down and consumes time.
    • Problem solving and solution design often requires unstructured time to think more openly. Some of the most valuable solutions are conceived or discovered when people aren’t regimented and focused on getting things done.

    Info-Tech Insight

    Part of the old resource management mythology is the idea that a person can do (for example) eight different one-hour tasks in eight hours of continuous work. This idea has gone from harmlessly mistaken to grossly unrealistic.

    Constant interruptions lead to continuous partial attention that threatens real productivity

    There’s a difference between being busy and getting things done.

    “Working” on multiple tasks at once can often feel extremely gratifying in the short term because it distracts people from thinking about work that isn’t being done.

    The bottom line is that continuous partial attention impedes the progress of project work.

    Research on continuous partial attention
    • A study that analyzed interruptions and their effects on individuals in the workplace found that that “41% of the time an interrupted task was not resumed right away” (Mark, 2015).
    • Research has also shown that it can take people an average of 23 minutes to return to a task after being interrupted (Schulte, 2015).
    • Delays following interruptions are typically due to switching between multiple other activities before returning to the original task. In many cases, those tasks are much lower priorities – and in some cases not even work-related.

    Info-Tech Insight

    It may not be possible to minimize interruptions in the workplace, as many of these are considered to be urgent at the time. However, setting guidelines for how and when individuals can be interrupted may help to limit the amount of lost project time.

    "Like so many things, in small doses, continuous partial attention can be a very functional behavior. However, in large doses, it contributes to a stressful lifestyle, to operating in crisis management mode, and to a compromised ability to reflect, to make decisions, and to think creatively."

    – Linda Stone, Continuous Partial Attention

    Define the goals and the scope of the time-tracking survey

    1.2.5
    30 minutes

    Input

    Completed Resource Management Supply-Demand Calculator

    Output

    Survey design for the time-tracking survey

    Materials

    N/A

    Participants

    • PMO Director
    • Functional Managers
    • Project Managers

    Discuss the following with the activity participants:

    1. Define the scope of the survey
      • Respondents: Comprehensive survey of individuals vs. a representative sample using roles.
      • Granularity: decide how in-depth the questions will be and how often the survey will be delivered.
      • Data Collection: what information do you want to collect?
        • Proportion of project vs. non-project work.
        • Time spent on administrative tasks.
        • Prevalence and impact of distractions.
        • Worker satisfaction.
    2. Determine the sample time period covered by the survey
      • Info-Tech recommends 2-4 weeks. Less than 2 weeks might not be a representative sample, especially during vacation seasons.
      • More than 4 weeks will impose unreasonable time and effort for diminishing returns; data quality will begin to deteriorate as participation declines.
    3. Determine the survey method
      • Use your organization’s preferred survey distributor/online survey tool, or conduct one-on-one interviews to capture data.

    1.2.5 continued - Refine the questionnaire to improve the relevance and quality of insights produced by the survey

    Start with Info-Tech’s recommended weekly survey questions:

    1. Estimate your daily average for number of hours spent on:
      1. Total work
      2. Project work
      3. Non-project work
    2. How many times are you interrupted with “urgent” requests requiring immediate response in a given day?
    3. How many people or projects did you complete tasks for this week?
    4. Rate your overall satisfaction with work this week.
    5. Describe any special tasks, interruptions, or requests that took your time and attention away from project work this week.

    Customize these questions to suit your needs.

    Info-Tech Insight

    Maximize the number of survey responses you get by limiting the number of questions you ask. Info-Tech finds that participation drops off rapidly after five questions.

    1.2.5 continued - Communicate the survey goals and steps, and conduct the survey

    1. Communicate the purpose and goals of the survey to maximize participation and satisfaction.
      • Provide background for why the survey is taking place. Clarify that the intention is to improve working conditions and management capabilities, not to play “gotcha” or hold workers accountable.
    2. Provide a timeline so expectations are clear about when possible next steps will occur, such as
      • Sharing and analyzing results
      • Making decisions
      • Taking action
    3. Reiterate what people are required or expected to do and how much effort is required. Provide reasonable and realistic estimates of how much time and effort people should spend on audit participation.
    4. Distribute the survey; collect and analyze the data.

    Info-Tech Insight

    Make sure that employees understand the purpose of the survey. It is important that they give honest responses that reflect the struggles they are encountering with balancing project and non-project work, not simply telling management what they want to hear.

    Ensuring that employees know this survey is being used to help them, rather than scolding them for not completing work, will give you useful, insightful data on employee time.

    Use Info-Tech’s Time-Tracking Survey Email Template for facilitating your communications.

    Info-Tech Best Practice

    Provide guidance to your resources with examples on how to differentiate project work vs. non-project work, administrative vs. keep-the-lights-on work, what counts as interruptions, etc.

    Optimize your project portfolio to maintain continuous visibility into capacity

    Now that you have a realistic picture of your realized project capacity and demand amounts, it’s time to use these values to tailor and optimize your resource management practices.

    Based on desired outcomes for this phase, we have

    1. Determined the correct course of action to resolve your supply/demand imbalances.
    2. Assessed the overall project capacity of your portfolio.
    3. Cataloged sources of project and non-project demands.
    4. Performed a time audit to create an accurate and realistic picture of the time spent on different types of work.

    In the next phase, we will:

    1. Wireframe a resource management process.
    2. Choose a resource management tool.
    3. Define data collection, analysis, and reporting steps within a sustainable resource management process.

    The image is a screenshot from tab 6 of the Time Audit Workbook. The image shows two pie charts.

    The image is a screenshot from tab 6 of the Time Audit Workbook. The image shows a pie chart.

    Screenshots from tab 6 of the Time Audit Workbook.

    Info-Tech Insight

    The validity of traditional, rigorous resource planning has long been an illusion because the resource projections were typically not maintained. New realities such as faster project cycles, matrix organizations, and high-autonomy staff cultures have made the illusion impossible to maintain.

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech workshop

    Book a workshop with our Info-Tech analysts:

    • To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
    • Info-Tech analysts will join you and your team onsite at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.
    • Contact your account manager (www.infotech.com/account), or email Workshops@InfoTech.com for more information.

    The following are sample activities that will be conducted by Info-Tech analysts with your team:

    1.1.2 Assess the current distribution of accountability for resource management practice

    Discuss who is currently accountable for various facets of resource management, and whether they have the right authority and ability to deliver on that accountability.

    1.2.1 Create realistic estimates of supply and demand using Info-Tech’s Supply-Demand Calculator

    Derive actionable, quantitative insight into the resourcing challenges facing the organization by using Info-Tech’s methodology that prioritizes completeness over precision.

    Phase 2

    Design a Realistic Resource Management Process

    Phase 2 Outline

    Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

    Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

    Guided Implementation 2: Draft a Resource Management Process

    Proposed Time to Completion (in weeks): 3-6 weeks

    Step 2.1: Determine the dimensions of resource management

    Start with an analyst kick-off call:

    • Introduce the seven dimensions of resource management
    • Trade-off between granularity and utility of data

    Then complete these activities…

    • Decide on the seven dimensions
    • Examine the strategy’s cost-of-use

    With these tools & templates:

    Resource Management Playbook

    Step 2.2: Support your process with a resource management tool

    Discuss with the analyst:

    • Inventory of available PPM tools
    • Overview of Portfolio Manager Lite 2017

    Then complete these activities…

    • Populate the tool with data
    • Explore portfolio data with the workbook’s output tabs

    With these tools & templates:

    • Portfolio Manager Lite
    • PPM Solution Vendor Demo Script
    Step 2.3: Build process steps

    Discuss with the analyst:

    • Common challenges of resource management practice
    • Recommendations for a pilot initiative

    Then complete these activities…

    • Review and customize contents of the Resource Management Playbook

    With these tools & templates:

    • Resource Management Playbook

    Phase 2 Results & Insights:

    Draft the resource management practice with sustainability in mind. It is about what you can and will maintain every week, even during a crisis: it is not about what you put together as a one-time snapshot. Once you stop maintaining resource data, it's nearly impossible to catch up.

    Step 2.1: Customize the seven dimensions of resource management

    PHASE 1

    1.1 Set a course of action

    1.2 Estimate supply and demand

    PHASE 2

    2.1 Select resource management dimensions

    2.2 Select resource management tools

    2.3 Build process steps

    PHASE 3

    3.1 Pilot your process for viability

    3.2 Plan stakeholder engagement

    This step will walk you through the following activities:
    • Establish a default project vs. non-project work ratio
    • Decide the scope of allocation for your strategy
    • Set your allocation cadence
    • Limit the granularity of time allocation
    • Define the granularity of work assignment
    • Apply a forecast horizon
    • Determine the update frequency
    This step involves the following participants:
    • CIO / IT Director
    • PMO Director / Portfolio Manager
    • Functional / Resource Managers
    • Project Managers
    Outcomes of this step
    • Seven dimensions of resource management, chosen to fit the current needs and culture of the organization
    • Parameters for creating a resource management process (downstream)

    There is no one-size-fits-all resource management strategy

    Don’t get boxed into a canned solution that doesn’t make sense for your department’s maturity level and culture.

    Resource management strategies are commonly implemented “out-of-the-box,” via a commercial PPM or time-tracking tool, or an external third-party consultant in partnership with those types of tools.

    While these solutions and best practices have insights to offer – and provide admirable maturity targets – they often outstrip the near-term abilities of IT teams to successfully implement, adopt, and support them.

    Tailor an approach that makes sense for your department and organization. You don’t need complex and granular processes to get usable resourcing data; you just need to make sure that you’ve carved out a process that works in terms of providing data you can use.

    • In this step, we will walk you through Info-Tech’s seven dimensions of resource management to help wireframe your resource management process.
    • In the subsequent steps in this phase, we will develop these dimensions from a wireframe into a functioning process.

    Info-Tech Insight

    Put processes before tools. Most commercial PPM tools include a resource management function that was designed for hourly granularity. This is part of the fallacy of an old reality that was never real. Determine which goals are realistic and fit your solution to your problem.

    Wireframe a strategy that will work for your department using Info-Tech’s seven dimensions of resource management

    Action the decision points across Info-Tech’s seven dimensions to ensure your resource management process is guided by realistic data and process goals.

    In this step, we will walk you through the decision points in each dimension to determine the departmental specificities of your resource management strategy

    Default project vs. non-project ratio

    How much time is available for projects once non-project demands are factored in?

    Reporting frequency

    How often is the allocation data verified, reconciled, and reported for use?

    Forecast horizon

    How far into the future can you realistically predict resource supply?

    Scope of allocation

    To whom is time allocated?

    Allocation cadence

    How long is each allocation period?

    Granularity of time allocation

    What’s the smallest unit of time to allocate?

    Granularity of work assignment

    What is time allocated to?

    Info-Tech Best Practice

    Ensure that both the functional managers and the project managers participate in the following discussions. Without buy-in from both dimensions of the matrix organization, you will have difficulty making meaningful resource management data and process decisions.

    Establish your default project versus non-project work ratio

    2.1.1
    30 minutes

    Input

    • Completed Resource Management Supply-Demand Calculator

    Output

    • Default organizational P-NP ratio and role-specific P-NP ratios

    Materials

    • Resource Management Supply-Demand Calculator
    • Time Audit Workbook
    • Resource Management Playbook

    Participants

    • CIO
    • PMO Director
    • Project Managers
    • Resource Managers

    How much time is available for projects once non-project demands are factored in?

    The default project vs. non-project work ratio (P-NP Ratio) is a starting point for functional and project managers to budget the work-hours at their disposal as well as for resources to split their time – if not directed otherwise by their managers.

    How to set this dimension. The Resource Management Supply-Demand Calculator from step 1.2 shows the current P-NP ratio for the department, and how the percentages translate into work-hours. The Time Audit Workbook from step 1.2 shows the ratio for specific roles.

    For the work of setting this dimension, you can choose to keep the current ratio from step 1.2 as your default, or choose a new ratio based on the advice below.

    • Discuss and decide how the supply-demand gap should be reconciled from the project side vs. the functional side.
      • Use the current organizational priority as a guide, and keep in mind that the default P-NP ratio is to be adjusted over time to respond to changing needs and priorities of the organization.
      • Once the organizational default P-NP ratio is chosen, defining role-specific ratios may be helpful. A help desk employee may spend only 10% of their time on project work, while an analyst may spend 80% of their time on project work.

    Decide the scope of allocation for your strategy

    2.1.2
    15-30 minutes

    Input

    • Current practices for assigning work and allocating time
    • Distribution of RM accountability (Activity 1.1.2)

    Output

    • Resource management scope of allocation

    Materials

    • RM Playbook

    Participants

    • CIO
    • PMO Director
    • Project Managers
    • Resource Managers

    To whom is time allocated?

    Scope of allocation is the “who” of the equation. At the lowest and most detailed level, allocations are made to individual resources. At the highest and most abstract level, though, allocations can be made to a department. Other “whos” in scope of allocation can include teams, roles, or skills.

    How to set this dimension. Consider how much granularity is required for your overall project capacity visibility, and the process overhead you’re willing to commit to support this visibility. The more low-level and detailed the scope of allocation (e.g. skills or individuals) the more data maintenance required to keep it current.

    • Discuss and decide to whom time will be allocated for the purposes of resource management.
      • Recall your prior discussion from activity 1.1.2 on how accountabilities for resource management are distributed within your organization.
      • The benefit of allocating teams to projects is that it is much easier to avoid overallocation. When a team is overallocated, it is visible. Individual overallocations can go unnoticed.
      • Once you have mastered the art of keeping resource data current and accurate at a higher level (e.g. team), it can be easier move lower level and assign and track allocations in a per-role or per-person basis.

    Set your allocation cadence

    2.1.3
    15-30 minutes

    Input

    • Current practices for assigning work and allocating time
    • Scope of allocation (Activity 2.1.2)

    Output

    • Determination of temporal frames over which time will be allotted

    Materials

    • RM Playbook

    Participants

    • CIO
    • PMO Director
    • Project Managers
    • Resource Managers

    How long is each allocation period?

    How long is each individual allocation period? In what “buckets of time” do you plan to spend time – week by week, month by month, or quarter by quarter? The typical allocation cadence is monthly; however, depending on the scope of allocation and the nature of work assigned, this cadence can differ.

    How to set this dimension. Allocation cadence can depend on a number of factors. For instance, if you’re allocating time to agile teams, the cadence would most naturally be bi-weekly; if work is assigned via programs, you might allocate time by quarters.

    • Discuss and decide the appropriate allocation cadence for the purposes of resource management. You could even be an environment that currently has different cadences for different teams. If so, it will be helpful to standardize a cadence for the purposes of centralized project portfolio resource management.
      • If the cadence is too short (e.g. days or weeks), it will require a dedicated effort to maintain the data.
      • If the cadence is too long (e.g. quarters or bi-annual), your resource management strategy could fail to produce actionable insight and lack the appropriate agility in being responsive to changes in direction.
      • Ultimately, your allocation cadence may be contingent upon the limitations of your resource management solution (see step 2.2).

    Limit the granularity of time allocation

    2.1.3
    15-30 minutes

    Input

    • Requirements for granularity of data
    • Resource management scope of allocation (Activity 2.1.2)

    Output

    • Determination of lowest level of granularity for time allocation

    Materials

    • RM Playbook

    Participants

    • CIO
    • PMO Director
    • Project Managers
    • Resource Managers

    What’s the smallest unit of time that will be allocated?

    Granularity of time allocation refers to the smallest unit of time that can be allocated. You may not need to set firm limits on this, given that it could differ from PM to PM, and resource manager to resource manager. Nevertheless, it can be helpful to articulate an “as-low-as-you’ll-go” limit to help avoid getting too granular too soon in your data aspirations.

    How to set this dimension. At a high level, the granularity of allocation could be as high as a week. At its lowest level, it could be an hour. Other options include a full day (e.g. 8 hours), a half day (4 hours), or 2-hour increments.

    • Discuss and decide the appropriate granularity for all allocations in the new resource management practice.
      • As a guideline, granularity of allocation should be one order of magnitude smaller than the allocation cadence to provide enough precision for meaningfully dividing up each allocation cadence, without imposing an unreasonably rigorous expectation for resources to manage their time.
      • The purpose of codifying this dimension is to help provide a guideline for how granular allocations should be. Hourly granularity can be difficult to maintain, so (for instance) by setting a half-day granularity you can help avoid project managers and resource managers getting too granular.

    Define the granularity of work assignments

    2.1.4
    15-30 minutes

    Input

    • Requirements for granularity of work assignment
    • Resource management scope of allocation (Activity 2.1.2)

    Output

    • Determination of work assignment

    Materials

    • RM Playbook

    Participants

    • CIO
    • PMO Director
    • Project Managers
    • Resource Managers

    To what is time allocated?

    Determine a realistic granularity for your allocation. This is the “what” of the equation: what your resources are working on or the size of work for which allocations are managed.

    How to set this dimension. A high level granularity of work assignment would assign an entire program, a mid-level scope would involve allocating a project or a phase of a project, and a low level, rigorous scope would involve allocating an individual task.

    • Discuss and decide the appropriate granularity for all work assignments in the new resource management strategy.
      • The higher granularity that is assigned, the more difficult it becomes to maintain the data. However, assigning at program level might not lead to useful, practical data.
      • Begin by allocating to projects to help you mature your organization, and once you have mastered data maintenance at this level, you can move on to a more granular work assignment.
        • If you are at a maturity level of 1 or 2, Info-Tech recommends beginning by assigning by project. If you are at a maturity level 3-4, it may be time to start allocating by phase or task.

    Apply a forecast horizon

    2.1.5
    15-30 minutes

    Input

    • Current practices for work planning, capacity forecasting
    • Allocation scope, cadence, and granularity (Activities 2.1.2-4)

    Output

    • Resource management forecast horizon

    Materials

    • RM Playbook

    Participants

    • CIO
    • PMO Director
    • Project Managers
    • Resource Managers

    How far into the future can you realistically predict resource supply?

    Determine a realistic forecasting horizon for your allocation. At this point you have decided “what” “who” is working on and how frequently this will be updated. Now it is time to decide how far resource needs will be forecasted, e.g. “what will this person be working on in 3 months?”

    How to set this dimension. A high-level forecast horizon would only look forward week-to-week, with little consideration of the long-term future. A mid-level forecast would involve predicting one quarter in advance and a low-level, rigorous scope would involve forecasting one or more years in advance.

    • Discuss and decide the appropriate forecast horizon that will apply to all allocations in the new resource management practice. It’s important that your forecast horizon helps to foster accurate data. If you can’t ensure data accuracy for a set period, make your forecast horizon shorter.
      • If you are at a maturity level of 1 or 2, Info-Tech recommends forecasting one month in advance.
      • If you are already at level 3-4 on the resource management maturity model, Info-Tech recommends forecasting one quarter to one year in advance.

    See the diagram below for further explanation

    2.1.5 Forecast horizon diagram

    Between today and the forecast horizon (“forecast window”), all stakeholders in resource management commit to reasonable accuracy of data. The aim is to create a reliable data set that can be used to determine true resource capacity, as well as the available resource capacity to meet unplanned, urgent demands.

    The image shows a Forecast horizon diagram, with Time on the x-axis and Data completeness on the Y-axis. The time between today and the forecast horizon is labelled as the forecast window. there is a line which descends in small degrees until the Forecast Horizon point, where the line is labelled Reasonable level of completeness.

    The image shows a chart that lines up with the sections before and after the Forecast Horizon. In the accuracy row, Data is accurate before the forecast horizon and a rough estimate after. In the planning row, before the horizon is reliable for planning, and can inform high-level planning after the horizon. In the free capacity row, before the horizon, it can be committed to urgent demands, and after the horizon, negotiate for capacity.

    Info-Tech Insight

    Ensure data accuracy. It is important to note that forecasting a year in advance does not necessarily make your organization more mature, unless you can actually rely on these estimates and use them. It is important to only forecast as far in advance as you can accurately predict.

    Determine the update frequency

    2.1.6
    30 minutes

    Input

    • Current practices for work planning, capacity reporting
    • Current practices for project intake, prioritization, and approval
    • RM core dimensions (Activities 2.1.1)

    Output

    • Resource management update frequency

    Materials

    • RM Playbook

    Participants

    • CIO
    • PMO Director
    • Project Managers
    • Resource Managers

    How often is the allocation data verified, reconciled, and reported for use?

    How often will you reconcile and rebalance your allocations? Your update frequency will determine this. It is very much the heartbeat of resource management, dictating how often reports on allocations will be updated and published for stakeholders’ consumption.

    How to set this dimension. Determine a realistic frequency with which to update project reports. This will be how you determine who is working on what during each measurement period.

    • Discuss and decide how often the supply-demand gap should be reconciled from the project side vs. the functional side.
      • Keep in mind that the more frequent the reporting period, the more time must go into data maintenance. A monthly frequency requires maintenance at the end of the month, while weekly requires it at the end of each week.
      • Also think about how accurately you can maintain the data. Having a quarterly update frequency may require less maintenance time than monthly, but this information may not stay up to date in between these long stretches.
      • Reports generated at each update frequency should both inform resources on what to work on, what not to work on, and how to prioritize tasks if something unexpected comes up, as well as the steering committee, to help inform project approval decisions.

    Finalize the dimensions for your provisional resource management process

    2.1.7
    10 minutes

    Input

    • 7 core dimensions of resource management (Activities 2.1.1-6)

    Output

    • Provisional resource management strategy

    Materials

    • Resource Management Playbook

    Participants

    • CIO
    • PMO Director
    • Project Managers
    • Resource Managers

    Document the outputs from the preceding seven activities. These determinations will form the foundation of your resource management strategy, which we will go on to define in more detail in the subsequent steps of this phase.

    • Keep in mind, at this stage your dimensions are provisional and subject to change, pending the outcomes of steps 2.2 and 2.3.
    RM Core Dimensions Decision
    Default P-NP ratio 40%-60$ + exception by roles
    Scope of allocation Individual resource
    Allocation cadence Monthly
    Granularity of time allocation 4 hours
    Granularity of work assignment Projects
    Forecast horizon 3 months
    Reporting frequency Twice a month

    Document these dimensions in Section 1.1 of Info-Tech’s Resource Management Playbook. We will be further customizing this template in steps 2.3 and 3.1.

    Step 2.2: Determine the resource management tool that will best support your process

    PHASE 1

    1.1 Set a course of action

    1.2 Estimate supply and demand

    PHASE 2

    2.1 Select resource management dimensions

    2.2 Select resource management tools

    2.3 Build process steps

    PHASE 3

    3.1 Pilot your process for viability

    3.2 Plan stakeholder engagement

    This step will walk you through the following activities:

    • Consider the pros and cons of commercial tools vs. spreadsheets as a resource management tool
    • Review the PPM Solution Vendor Demo Script to ensure your investment in a commercial tool meets your resource management needs
    • Jump-start spreadsheet-based resource management with Portfolio Manager Lite

    This step involves the following participants:

    • PMO Director / Portfolio Manager
    • Functional / Resource Managers
    • Project Managers

    Outcomes of this step

    • Choice of tool to support the resource management process
    • Examination of the commercial tool’s ability to support the resource management process chosen
    • Set-up and initial use of Portfolio Manager Lite for a spreadsheet-based resource management solution

    Effective resource management practices require an effective resource management tool

    The discipline of resource management has largely become inextricable from the tools that help support it. Ensure that you choose the right tool for your environment.

    Resource management depends on the flow of information and data from the project level up to functional managers, project managers, and beyond.

    Tools are required to help facilitate this flow, and the project portfolio management landscape is littered with endless time-tracking and capacity management options.

    These options can each have their merits and their drawbacks. The success of implementing a resource management strategy very much hinges upon weighing these, and then choosing the right solution for your project eco-system.

    • This first part of this step will help you assess the tool landscape and make the right choice to help support your resource management practices.
    • In the second part of this step, we’ll take a deep-dive into Info-Tech’s Excel-based resource management solution. If you are implementing our solution, these sections will help you understand and set up the tool.

    Info-Tech Insight

    Establish a book of record. While it is possible to succeed using ad hoc tools and data sources, a centralized repository for capacity data works best. Your tool choice should help establish a capacity book of record to help ensure ongoing reconciliation of supply and demand at the portfolio level.

    Get to know your resource management tool options

    At a high level, those looking for a resource management solution have two broad options: a commercial project portfolio management (PPM) or time-tracking software on the one hand, and a spreadsheet-based tool, like Google Sheets or Excel, on the other.

    Obviously, if your team or department already has access to a PPM or time-tracking software, it makes sense to continue using this, as long as it will accommodate the process that was wireframed in the previous step.

    Otherwise, pursue the tool option that makes the most sense given both the strategy that you’ve wireframed and other organizational factors. See the table below and the next section for guidance.

    If you’re planning on doing resource allocation by hand, you’re not going to get very far.”

    Rachel Burger

    Commercial Solutions Spreadsheet-Based Solutions
    Description
    • These highly powerful solutions are purchased from a software/service provider.
    • These can be as simple as a list of current projects on a spreadsheet or a more advanced solution with resource capacity analysis.
    Pros
    • Extraordinary function
    • Potential for automated roll-ups
    • Collaboration functionality
    • Easy to deploy: high process maturity or organization-wide adoption not required.
    • Lower cost-in-use – in many cases, they are free.
    • Highly customizable.
    Cons
    • High process maturity required
    • High cost-in-use
    • Generally expensive to customize
    • Comprehensive, continual, and organization-wide adoption required
    • Easy to break.
    • Typically, they require a centralized deployment with a single administrator responsible for data entry.

    Option A: When pursuing commercial options, don’t bite off more functionality than your people can sustain

    While commercial options offer the most robust functionality for automation, collaboration, and reporting, they are also costly, difficult to implement, and onerous to sustain over the long run.

    It’s not uncommon for organizations to sink vast amounts of money into commercial PPM tools, year after year, and never actually get any usable resource or forecasting data from these tools.

    The reasons for this can vary, but in many cases it is because organizations mistake a tool for a PPM or a resource management strategy.

    A tool is no substitute for having a clearly defined process that staff can support. Be aware of these two factors before investing in a commercial tool:

    • Visibility cannot be automated. It is not uncommon for CIOs to believe that because they’ve invested in a tool, they have an automated portfolio that enables them to sit back and wait for the data to roll in. With many tools, the challenge is that the calculations driving the rollups have become increasingly unsustainable and irrelevant in our high-autonomy staff cultures and interruption-driven work days.
    • Information does not equal knowledge. While commercial tools have robust reporting features, the data outputs can lead to information overload – and, subsequently, disinterest – unless they are curated and filtered to suit your executive’s needs and expectations.

    47%
    Of those companies using automated software to assist in resource management, almost half report that those systems failed to accurately calculate resource forecasts.

    PM Solutions

    Info-Tech Insight

    Put process sustainability before enhanced tool functionality.

    Ensure that you have sustainable processes in place before investing in an expensive commercial tool. Your tool selection should help facilitate capability-matched processes and serve user adoption.

    Trying to establish processes around a tool with a functionality that exceeds your process maturity is a recipe for failure.

    Before jumping into a commercial tool, consider some basic parameters for your selection

    Use the table below as a starting point to help ensure you are pursuing a resource management tool that is right for your organization’s size and process maturity level.

    Tool Category Characteristics # of Users PPM Maturity Sample Vendors
    Enterprise tools
    • Higher professional services requirements for enterprise deployment
    • Larger reference customers
    1,000> High
    • MS Project Server
    • Oracle Primavera
    • Planisware
    Mid-market tools
    • Lower expectation of professional services engaged in initial deployment contract
    • Fewer globally recognizable reference clients
    • Faster deployments
    100> Intermediate-to-High
    • Workfront
    • Project Insight
    • Innotas
    Entry-level tools
    • Lower cost than mid-market and enterprise PPM tools
    • Limited configurability, reporting, and resource management functionalities
    • Compelling solutions to the organizations that want to get a fast start to a trial deployment
    <100 Low-to-Intermediate
    • 5PM
    • AceProject
    • Liquid Planner

    For a more in-depth treatment of choosing and implementing a commercial PPM tool to assist with your resource management practice, see Info-Tech’s blueprint, Select and Implement a PPM Solution.

    Use Info-Tech’s PPM Solution Vendor Demo Script to help ensure you get the functionality you need

    PPM Solution Vendor Demo Script (optional)

    To ensure your investment in a commercial tool meets your resource management needs, use Info-Tech’s PPM Solution Vendor Demo Script to structure your tool demos and interactions with vendors.

    For instance, some important scenarios to consider when looking at potential tools include:

    • How are overallocation and underallocation situations identified and reconciled in the solution?
    • How are users motivated to maintain their own timesheets (beyond simply being mandated as part of their job); how does the solution and timesheet functionality help team members do their job?
    • How will portfolio-level reports remain useful and accurate despite “zero-adoption” scenarios, in which some or all teams do not actively maintain task and timesheet data?

    Any deficiencies in answering these types of questions should alert you to the fact that a potential solution may not adequately meet the needs of your resource management strategy.

    Download Info-Tech’s PPM Solution Vendor Demo Script

    "[H]ow (are PPM solutions) performing in a matrix organization? Well, there are gaps. There will be employees who do not submit timesheets, who share their time between project and operational activities, and whose reporting relationships do not fit neatly into the PPM database structure. This creates exceptions in the PPM application, and you may just have the perfect solution to a small subset of your problems." – Vilmos Rajda

    Option B: When managing resourcing via spreadsheets, you don’t have to feel like you’re settling for the lesser option

    Spreadsheets can provide a viable alternative for organizations not ready to invest in an expensive tool or for those not getting what they need from their commercial selections.

    When it comes to resource management at a portfolio level, spreadsheets can be just as effective as commercial tools for facilitating the flow of accurate and maintainable resourcing data and for communicating resource usage and availability.

    Some of the benefits of spreadsheets over commercials tools include:

    • They are easy to set up and deploy. High process maturity or organization-wide user adoption are not required.
    • They have a low cost-in-use. In the case of Excel, the tool itself comes at no additional cost.
    • They are highly customizable. No development time/costs are required to tweak the solution to suit your needs.

    To be clear: spreadsheets have their drawbacks (for instance, they are easy to break, require a centralized data administrator, and are yours and yours alone to maintain). If your department has the budget and the process maturity to support a commercial tool, you should pursue the options covered in the previous sections.

    However, if you are looking for a viable alternative to an expensive tool, spreadsheets have the ability to support a rigorous resource management practice.

    "Because we already have enterprise licensing for an expensive commercial tool, everyone else thinks it’s logical to start there. I think we’re going to start with something quick and dirty like Excel." – EPMO Director, Law Enforcement Services

    Info-Tech Insight

    Make the choice to ensure adoption.

    When making your selection, the most important consideration across all the solution categories is data maintenance. You must be assured that you and your team can maintain the data.

    As soon as your portfolio data becomes inconsistent and unreliable, decision makers will lose trust in your resource data, and the authority of your resource management strategy will become very tenuous.

    While spreadsheets offer a viable resource management option, not all spreadsheets are created equal

    Lean on Info-Tech’s experience and expertise to get up and running quickly with a superior resource management Excel-based tool: Portfolio Manager Lite 2017.

    Spreadsheets are the most common PPM tool – and it’s not hard to understand why: they can be created with minimal cost and effort.

    But when something is easy to do, it’s important to keep in mind that it’s also easy to do badly. As James Kwak says in his article, “The Importance of Excel,” “The biggest problem is that anyone can create Excel Spreadsheets—badly.”

    • Info-Tech’s Portfolio Manager Lite 2017 offers an antidote to the deficiencies that can haunt home-grown resource management tools.
    • As an easy-to-deploy, highly evolved spreadsheet-based option, Portfolio Manager Lite enables you to mature your resource management processes, and provide effective resource visibility without the costly upfront investment.

    Download Info-Tech’s Portfolio Manager Lite 2017

    Info-Tech Insight

    Balance functionality and adoption. Clients often find it difficult to gain adoption with commercial tools. Though homegrown solutions may have less functionality, the higher adoption level can make up for this and also potentially save your organization thousands a year in licensing fees.

    Determine your resource management solution and revisit your seven dimensions of resource management

    2.2.1
    Times will vary

    Participants

    • PMO Director

    Based on input from the previous slides, determine the resource management solution option you will pursue and implement to help support your resource management strategy. Record this selection in section 1.2 of the Resource Management Playbook.

    • You may need to revisit the decisions made in step 2.1 to consider if the default values for your seven core dimensions of resource management are still sound. Keep these current and relevant as you become more familiar with your resource management solution.
    RM Core Dimensions Default Value
    Default P-NP ratio Role-specific
    Scope of allocation Individual resource
    Allocation cadence Monthly
    Granularity of allocation (not defined)
    Granularity of work assignment Project
    Forecast horizon 6 months
    Reporting frequency (not defined)

    Portfolio Manager Lite has comprehensive sample data to help you understand its functions.

    As you can see in this table, the tool itself assumes five of the seven resource management core dimensions. You will need to determine departmental values for granularity of allocation and reporting frequency. The other dimensions are determined by the tool.

    If you’re piloting Info-Tech’s Portfolio Manager Lite, review the subsequent slides in this step before proceeding to step 2.3. If you are not piloting Portfolio Manager Lite, proceed directly to step 2.3.

    Overview of Portfolio Manager Lite

    Portfolio Manager Lite has two set-up tabs, three data entry tabs, and six output-only tabs. The next 15 slides show how to use them. To use this tool, you need Excel 2013 or 2016. If you’re using Excel 2013, you must download and install Microsoft Power Query version 2.64 or later, available for download from Microsoft.

    The image shows an overview of the Portfolio Manager Lite tool. It shows the Input and Data Tabs on the left, and output tabs on the right. The middle of the graphic includes guidance to ensure that you refresh the outputs after each data entry, by using the Refresh All button

    Observe “table manners” to maintain table integrity and prevent Portfolio Manager Lite malfunctions

    Excel tables enable you to manage and analyze a group of related data. Since Portfolio Manager Lite uses tables extensively, maintaining the table’s integrity is critical. Here are some things to know for working with Excel tables.

    Do not leave empty rows at the end.

    Adjust the sizing handle to eliminate empty rows.

    Always paste values.

    Default pasting behavior can interrupt formula references and introduce unwanted external links. Always right-click and select Paste Values.

    Correctly add/remove rows within a table.

    Do not use row headings; instead, always right-click inside a table to manipulate table rows.

    Set up Portfolio Manager Lite

    2.2.1
    Portfolio Manager Lite, Tab 2a: Org Setup

    The Org Setup tab is divided into two sections, Resources and Projects. Each section contains several categories to group your resources and projects. Items listed under each category will be available via drop-down lists in the data tabs.

    These categorizations will be used later to “slice” your resource allocation data. For example, you’ll be able to visualize the resource allocations for each team, for each division, or for each role.

    The image shows a screenshot of Tab 2a, with sample information filled in.

    1. Role and Default Non-Project Ratio columns: From the Supply-Demand Calculator, copy the list of roles, and how much of each role’s time is spent on non-projects by default (see below; add the values marked with yellow arrows).

    2. Resource Type column: List the type of resource you have available.

    3. Team and Skill columns: List the teams, and skills for your resources.

    In the Resources tab, items in drop-down lists will appear in the same order as shown here. Sort them to make things easy to find.

    Do not delete tables you won’t use. Instead, leave or hide tables.

    Set up Portfolio Manager Lite (continued)

    2.2.1
    Portfolio Manager Lite, Tab 2a: Org Setup

    The projects section of the Org Setup tab contains several categories for entering project data. Items listed under each category will be available via drop-down lists in the Projects tab. These categorizations will be used later to analyze how your resources are allocated.

    The image shows the projects sections of Tab 2a.

    1. Project Type: Enter the names of project types, in which projects will be grouped. All projects must belong to a type. Examples of types may include sub-portfolios or programs.

    2. Project Category: Enter the names of project categories, in which projects will be grouped. Unlike types, category is an optional grouping.

    3. Phase: Enter the project phases. Ensure that your phases list has “In Progress” and “Complete” options. They are needed for the portfolio-wide Gantt chart (the Gantt tab).

    4. Priority and Status: Define the choices for project priorities and statuses if necessary (optional).

    5. Unused: An extra column with predefined choices is left for customization (optional).

    Set up Portfolio Manager Lite (continued)

    2.2.1
    Portfolio Manager Lite, Tab 2b: Calendar Setup

    Portfolio Manager Lite is set up for a monthly allocation cadence out of the box. Use this tab to set up the start date, the default resource potential capacity, and the months to include in your reports.

    The image shows fields in the calendar set-up section of Tab 2a, with a Start Date and Hours Assumed per day.

    1. Enter a start date for the calendar, e.g. start of your fiscal or calendar year.

    2. Enter how many hours are assumed in a working day. It is used to calculate the default maximum available hours in a month.

    The image shows the Calendar section of tab 2a, with sample information filled in.

    Maximum Available Hours, Weekdays, and Business Days are automatically generated.

    The current month is highlighted in green.

    3. Enter the number of holidays to correct the number of business days for each month.

    Year to Date Reporting and Forecast Reporting ranges are controlled by this table. Use the period above Maximum Available Hours.

    The image shows the Year-to-Date and Forecast Reporting sections.

    Info-Tech Best Practice

    Both Portfolio Manager Lite and Portfolio Manager 2017 can be customized for non-monthly resource allocation. Speak to an Info-Tech analyst to ask for more information.

    Enter resource information and their total capacity

    2.2.2
    Portfolio Manager Lite, Tab 3: Resources

    Portfolio Manager Lite is set up for allocating time to individual resources out of the box. Information on these resources is entered in the Resources tab. It has four sections, arranged horizontally.

    1. Enter basic information on your resources. Resource type, team, role, and skill will be used to help you analyze your resource data.

    The image shows a screenshot of the Resources tab with sample information filled in.

    Ensure that the resource names are unique.

    Sort or filter the table using the filter button in the header row.

    2. Their total capacity in work-hours is automatically calculated for each month, using the default numbers from the Calendar Setup tab. If necessary, overwrite the formula and enter in custom values.

    The image shows a screenshot of the total capacity in work-hours, with sample info filled in.

    Cells with less than 120 hours are highlighted in blue.

    Do not add or delete any columns, or modify this header row.

    Enter out-of-office time and non-project time for your resources

    2.2.2
    Portfolio Manager Lite, Tab 3: Resources

    3. Enter the resources’ out-of-office time for each month, as they are reported.

    The image shows the Absence (hours) section, with sample information filled in.

    Do not add or delete any columns, or modify the header row, below the dates.

    4. Resources’ percentages of time spent on non-projects are automatically calculated, based on their roles’ default P-NP ratios. If necessary, overwrite the formula and enter in custom values.

    The image shows the Non-Project Ratio section, with sample information filled in.

    Do not add or delete any columns, or modify the header row, below the dates.

    Populate your project records

    2.2.3
    Portfolio Manager Lite, Tab 4: Projects

    Portfolio Manager Lite is set up for allocating time to projects out of the box. Information on these projects is entered in the Projects tab.

    1. Enter project names and some basic information. These fields are mandatory.

    The image shows the section for filling in project names and basic information in the Projects tab. The image shows the table with sample information.

    Ensure that the project names are unique.

    Do not modify or change the headers of the first seven columns. Do not add to or delete these columns.

    2. Continue entering more information about projects. These fields are optional and can be customized.

    The image shows a section of the Projects tab, where you fill in more information.

    Headers of these columns can be changed. Extra columns can be added to the right of the Status column if desired. However, Info-Tech strongly recommends that you speak to an Info-Tech analyst before customizing.

    The Project Category, Phase, and Priority fields are entered using drop-down lists from the Org Setup tab.

    Allocate your resource project capacity to projects

    2.2.4
    Portfolio Manager Lite, Tab 5: Allocations

    Project capacity for each resource is calculated as follows, using the data from the Resources tab:

    Project capacity = (total project capacity – absence) x (100% – non-project%)

    In the Allocations tab, project capacity is allocated in percentages with 100% representing the allocation of all available project time of a resource to a project.

    This allocation-by-percentage model has some advantages and drawbacks:

    Advantages

    • Allocating all available project capacity to project is straightforward
    • Easy for project managers to coordinate with each other (e.g. “Jon’s project time will be split 50%-50% between two projects” = enter 50% allocation to each project)

    Drawbacks

    • How many hours is represented by a percentage of someone’s capacity is unclear
    • Must check whether enough work-hours are allocated for what’s needed (e.g. “Deliverable A needs 20 hours of work from Jon in November. Is 50% of his project capacity enough?”)

    The Allocations tab has a few features to help you mitigate these disadvantages.

    Info-Tech Best Practice

    For organizations with lower resource management practice maturity, start with percentages. In Portfolio Manager 2017, allocations are entered in work-hours to avoid the above drawbacks altogether, but this may require a higher practice maturity.

    Enter your resource project capacity allocations

    2.2.4
    Portfolio Manager Lite, Tab 5: Allocations

    A line item in the Allocations tab requires three pieces of information: a project, a resource, and the percentage of project capacity for each month.

    The image shows a screenshot from the Allocations tab, with sample information filled in.

    1. Choose a project. Type, Start date, and End date are automatically displayed.

    2. Choose a resource. Team is automatically displayed.

    This image is another screenshot of the Allocations tab, showing the section with dates, with sample information filled in.

    3. Enter the resource’s allocated hours for the project in percentages.

    Built-in functions in the Allocations tab display helpful information for balancing project supply and demand

    2.2.4
    Portfolio Manager Lite, Tab 5: Allocations

    The Allocations tab helps you preview the available project capacity of a resource, as well as the work-hours represented by each allocation line item, to mitigate the drawbacks of percentage allocations.

    In addition, overallocations (allocations for a given month add up to over 100%) are highlighted in red. These functions help resource managers balance the project supply and demand.

    The image shows a screenshot of the Allocations tab, with sample information filled in.

    To preview a resource’s project capacity in work-hours, choose a resource using a drop down. The resource’s available project capacity for each month is displayed to the right.

    Sort or filter the table using the filter button in the header row. Here, the Time table is sorted by Resource.

    The total work-hours for each line item is shown in the Hours column. Here, 25% of Bethel’s project capacity for 4 months adds up to only 16 work-hours for this project.

    A resource is overallocated when project capacity allocations add up to more than 100% for a given month. Overallocations are highlighted in red.

    Get the timeline of your project portfolio with the Gantt chart tab

    2.2.5
    Portfolio Manager Lite, Tab 6: Gantt

    The Gantt tab is a pivot-table-driven chart that graphically represents the start and end dates of projects and their project statuses.

    The image shows a screenshot of the Gantt tab, with sample information filled in.

    Filter entries by project type above the chart.

    The current month (9-17) is highlighted.

    You can filter and sort entries by project name, sponsor, or project manager.

    In progress (under Phase column) projects show the color of their overall status.

    Projects that are neither completed nor in progress are shown in grey.

    Completed (under Phase column) projects are displayed as black.

    Get a bird’s-eye view of your available project capacity with the Resource Load tab

    2.2.6
    Portfolio Manager Lite, Tab 7: Resource Load

    The Resource Load tab is a PivotTable showing the available project capacity for each resource.

    The image is a screenshot of the Resource Load tab, with sample information filled in.

    Change the thresholds for indicating project overallocation at the top right.

    You can filter and sort entries by resource or role.

    Values in yellow and red highlight overallocation.

    Values in green indicate resource availability.

    This table provides a bird’s-eye view of all available project capacity. Highlights for overallocated resources yield a simple heat map that indicates resourcing conflicts that need attention.

    The next two tabs contain graphical dashboards of available capacity.

    Tip: Add more resource information by dragging a column name into the Rows box in the PivotTable field view pane.

    Example: add the Team column by dragging it into the Rows box

    The image shows a screenshot demonstrating that you can add a Team column.

    Analyze your resource allocation landscape with the Capacity Slicer tab

    2.2.7
    Portfolio Manager Lite, Tab 8: Capacity Slicer

    The Capacity Slicer tab is a set of pivot charts showing the distribution of resource allocation and how they compare against the potential capacity.

    The image shows a collection of 5 graphs and charts, showing the distribution of resource allocation, and compared against potential capacity.

    At the top left of each chart, you can turn Forecast Reporting on (true) or off (false). For Year to Date reporting, replace Forecast with YTD in the Field View pane’s Filter field.

    In the Allocated Capacity, in % chart, capacity is shown as a % of total available capacity. Exceeding 100% indicates overallocation.

    In the Realized Project Capacity, in hours chart, the vertical axis is in work-hours. This gap between allocation and capacity represents available project capacity.

    The bottom plots show how allocated project capacity is distributed. If the boxes are empty, no allocation data is available.

    Use the Team slicer to drill down on resource capacity and allocation by groups of resources

    2.2.7
    Portfolio Manager Lite, Tab 8: Capacity Slicer

    A slicer filters the data shown in a PivotTable, a PivotChart, or other slicers. In this tab, the team slicer enables you to view resource capacity and allocation by each team or for multiple teams.

    The image shows a sample graph.

    The button next to the Team header enables multiple selection.

    The next button to the right clears the filter set by this slicer.

    All teams with capacity or allocation data are listed in the slicers.

    For example, if you select "App Dev":

    The image shows the same graph as previously shown, but this time with only App Dev selected in the left-hand column.

    The vertical axis scales automatically for filtered data.

    The capacity and allocation data for all application division teams is shown.

    Resources not in the App Dev team are filtered out.

    Drill down on individual-level resource allocation and demand with the Capacity Locator tab

    2.2.8
    Portfolio Manager Lite, Tab 9: Capacity Locator

    The Capacity Locator tab is a group of PivotCharts with multiple slicers to view available project capacity.

    For example: click on “Developer” under Role:

    The image shows the list of slicers available using the Capacity Locator tab.

    The image shows a series of graphs produced in the Capacity Locator tab.

    Primary skills of all developers are displayed on the left in the Primary Skill column. You can choose a skill to narrow down the list of resources from all developers to all developers with that skill.

    The selected resources are shown in the Resources column. Data on the right pertains to these resources.

    • The top left graph shows the average available project capacity for all selected resources.
    • The top right graph shows the sum of all available capacity from all selected resources.
    • In the lower left graph, pay attention to available total capacity, as selected resources may have significant non-project demands.
    • The lower right graph shows the number of assigned projects. Control the number of concurrent projects to reduce the need for multitasking and optimize your resource use.

    Where you see the filter button with an x, you can clear the filter imposed by this slicer.

    Check how your projects are resourced with the Project Viewer tab

    2.2.9
    Portfolio Manager Lite
    , Tab 10: Project Viewer

    The Project Viewer tab is a set of PivotCharts with multiple slicers to view how resources are allocated to different projects.

    The image shows a screenshot of the Project Viewer tab, with a bar graph at the top, filter selections at the bottom left, and four pie charts at the bottom right.

    Filtering by sponsor or project manager is useful for examining a group of projects by accountability (sponsor) or responsibility (project manager).

    The graphs show how project budgets are distributed across different categories and priorities of projects, and how resource allocations are distributed across different categories and priorities of projects.

    Report on your project portfolio status with the Project Updates tab

    2.2.10
    Portfolio Manager Lite
    , Tab 11: Project Updates

    The Project Updates tab is a PivotTable showing various fields from the Projects table to rapidly generate a portfolio-wide status report. You can add or remove fields from the Projects table using the PivotTable’s Field View pane.

    The image shows a screenshot of a large table, which is the Project Updates tab. A selection is open, showing how you can filter entries.

    Filter entries by phase. The screenshot shows an expansion of this drop down at the top left.

    Rearrange the columns by first clicking just below the header to select all cells in the column, and then dragging it to the desired position. Alternatively, arrange them in the Field View pane.

    Tools and other requirements needed to complete the resource management strategy

    2.2.11
    10 minutes

    • Recommended: If you are below a level 4 on Info-Tech’s resource management maturity scale, use Info-Tech’s Portfolio Manager Lite to start.
    • Use a commercial PPM tool if you already have one in use and feel that you can accurately maintain the data in this tool.
    • Use this chart to estimate the amount of time it will take to accurately maintain the data for each reporting period.
      • Determine who will be responsible for this maintenance.
      • If there is no one currently available to maintain the data, allocate time for someone or you may even need a portfolio analyst.
      • We will confirm roles and responsibilities in phase 3.
    Maturity Level Dimensions Time needed per month
    Small (1-25 employees) Medium (25-75) Large (75-100) Enterprise (100+)
    1-2 %, team, project, monthly update, 1 month forecast 2 hours 6 hours 20 hours 50 hours
    3-4 %, person, phase, weekly update, 1 quarter forecast 4 hours 12 hours 50 hours 150 hours
    5 %, person, task, continuous update, 1 year forecast 8+ hours 20+ hours 100+ hours 400+ hours

    See also: Grow Your Own PPM Solution with Info-Tech’s Portfolio Manager 2017

    Join hundreds of Info-Tech clients who are successfully growing their own PPM solution.

    If you are looking for a more robust resource management solution, or prefer to allocate staff time in hours rather than percentages, see Info-Tech’s Portfolio Manager 2017.

    Similar to Portfolio Manager Lite, Portfolio Manager 2017 is a Microsoft Excel-based PPM solution that provides project visibility, forecasting, historical insight, and portfolio analytics capabilities for your PMO without a large upfront investment for a commercial solution.

    Watch Info-Tech’s Portfolio Manager 2017 Video – Introduction and Demonstration.

    System Requirements

    To use all functions of Portfolio Manager 2017, you need Excel 2013 or Excel 2016 running on Windows, with the following add-ins:

    • Power Query (Excel 2013 only)
    • Power Pivot
    • Power View

    Power View is only available on select editions of Excel 2013 and 2016, but you can still use Portfolio Manager 2017 without Power View.

    If you are unsure, speak to your IT help desk or an Info-Tech analyst for help.

    For a new PMO, start with the new reality

    CASE STUDY

    Industry Law Enforcement

    Source Info-Tech Client

    Because we already have enterprise licensing for an expensive commercial tool, everyone else thinks it’s logical to start there. I think we’re going to start with something quick and dirty like Excel.” – EPMO Director, Law Enforcement Services

    Situation

    • This was an enterprise PMO, but with relatively low organizational maturity.
    • The IT department had relatively high project management maturity, but the enterprise was under-evolved at the portfolio level.
    • Other areas of the organization already had licensing and deployment of a top-tier commercial PPM tool.
    • There were no examples of a resource management practice.

    Complication

    • There was executive visibility on larger and more strategic projects.
    • There were no constraints on the use of resources for smaller projects.
    • The PMO was generally expected to provide project governance with their limited resources.
    • The organization lacked an understanding of the difference between project and portfolio management. Consequently, it was difficult to create resource management practices at the portfolio level due to a lack of resourcing.

    Resolution

    • The organization deferred the implementation of the commercial PPM tool.
    • They added high-level resource management using spreadsheets.
    • Executive focus was reoriented around overall resource capacity as the principle constraint for project approvals.
    • They introduced deeper levels of planning granularity over time.
    • When the planning granularity gets down to the task level, they move toward the commercial solution.

    Step 2.3: Build process steps to ensure data accuracy and sustainability

    PHASE 1

    1.1 Set a course of action

    1.2 Estimate supply and demand

    PHASE 2

    2.1 Select resource management dimensions

    2.2 Select resource management tools

    2.3 Build process steps

    PHASE 3

    3.1 Pilot your process for viability

    3.2 Plan stakeholder engagement

    This step will walk you through the following activities:
    • Draft a high-level resource management workflow
    • Build on the workflow to determine how data will be collected at each step, and who will support the process
    • Document your provisional resource management process
    This step involves the following participants:
    • PMO Director / Portfolio Manager
    • Functional / Resource Managers
    • Project Managers
    Outcomes of this step
    • A high-level resource management workflow, customized from Info-Tech’s sample workflow
    • Process for collecting resource supply data for each reporting period
    • Process for capturing the project demand within each reporting period
    • Process for identifying and documenting resource constraints and issues for each reporting period
    • Standard protocol for resolving resource issues within each reporting period
    • Process for finalizing and communicating resource allocations for the forecast window
    • A customized Resource Management Playbook, documenting the standard operating procedure for the processes

    Make sustainability the goal of your resource management practices

    A resource management process is doing more harm than good if it doesn’t facilitate the flow of accurate and usable data week after week, month after month, year after year.

    When resource management strategies fail, it can typically be tied back to the same culprit: unrealistic expectations from the outset.

    If a resource management process strives for a level of data precision that staff cannot juggle day to day, over the long run, then things will eventually fall apart as staff and decision makers alike lose faith in the data and the relevancy of the process.

    Two things can be done to help avoid this fate:

    1. Strive for accuracy over precision. If your department’s process maturity is low, and staff are ping-ponged from task to task, fire to fire, throughout any given day, then striving for precise data is ill advised. Keep your granularity of allocation more high level, and strive for data that is “maintainably” accurate rather than “unmaintainably” precise.
    2. Keep the process simple. Use the advice in this step to develop a sustainable process, one that is easy to follow with clearly defined responsibilities and accountabilities at each step.

    Info-Tech Insight

    It's not about what you put together as a one-time snapshot. It's about what you can and will maintain every week, even during a crisis. When you stop maintaining resource management data, it’s nearly impossible to catch up and you’re usually forced to start fresh.

    Maintain reliable resourcing data with an easy-to-follow, repeatable process

    Info-Tech recommends following a simple five-step process for resource management.

    1. Collect resource supply data

    • Resources
    • Resource Managers

    2. Collect project demand data

    • Resource Managers
    • Project Managers
    • PMO

    3. Identify sources of supply/demand imbalance

    • PMO

    4. Resolve conflicts and balance project and non-project allocations

    • Resource Managers
    • Project Managers
    • PMO
    • Steering Committee, CIO, other executives

    5. Approve allocations for forecast window

    • PMO
    • Steering Committee, CIO, other executives

    This is a sample workflow with sample roles and responsibilities. This step will help you customize the appropriate steps for your department.

    Info-Tech Insight

    This process aims to control the resource supply to meet the demand – project and non-project alike. Coordinate this process with other portfolio management processes, ensuring that up-to-date resource data is available for project approval, portfolio reporting, closure, etc.

    Draft your own high-level resource management workflow

    2.3.1
    60 to 90 minutes

    Participants

    • Portfolio Manager
    • Project Managers
    • Resource Managers
    • Business Analysts

    Input

    • Process data requirements

    Output

    • High-level description of your target-state process

    Materials

    • Whiteboard or recipe cards

    Conduct a table-top planning exercise to map out, at a high-level, your required and desired process steps.

    While Info-Tech recommends a simple five-step process (see previous slide), you may need to flesh out your process into additional steps, depending upon the granularity of your seven dimensions and the complexity of your resource management tool. A table-top planning exercise can be helpful to ensure the right process steps are covered.

    1. On a whiteboard or using white 4x6 recipe cards, write the unique steps of a resource management process. Use the process example at the bottom of this slide as a guide.
    2. Use a green marker or green cards to write artifacts or deliverables that result from each step.
    3. Use a red marker or red cards to address potential issues, problems, or risks that you can foresee at each step.

    For the purposes of this activity, avoid getting into too much detail by keeping to your focus on the high-level data points that will be required to keep supply and demand balanced on an ongoing basis.

    "[I]t’s important not to get too granular with your time tracking. While it might be great to get lots of insight into how your team is performing, being too detailed can eat into your team’s productive work time. A good rule of thumb to work by is if your employees’ timesheets include time spent time tracking, then you’ve gone too granular."

    Nicolas Jacobeus

    Use Info-Tech’s Resource Management Playbook to help evolve your high-level steps into a repeatable practice

    Once you’ve determined a high-level workflow, you’ll need to flesh out the organizational details for how data will be collected at each step and who will support the process.

    Use Info-Tech’s Resource Management Playbook to help determine and communicate the “who, what, when, where, why, and how” of each of your high-level process steps.

    The playbook template is intended to function as your resource management standard operating procedure. Customize Section 3 of the template to record the specific organizational details of how data will be collected at each process step, and the actions and decisions the data collection process will necessitate.

    • Activities 2.3.2-2.3.6 in this step will help you customize the process steps in Info-Tech’s five-step resource management model and record these in the template. If you developed a customized process in activity 2.3.1, you will need to add to/take away from the activity slides and customize the template accordingly.
    • Lean on the seven dimensions of resource management that you developed in step 2.1 to determine the cadence and frequency of data collection. For instance, if your update frequency is monthly, you will need to ensure you collect your supply-demand data prior to that, giving yourself enough time to analyze it and reconcile imbalances with stakeholders before refreshing your monthly reporting data.

    Download Info-Tech’s Resource Management Playbook

    How the next five activities will help you develop your playbook

    2.3 Resource Management Playbook

    Each of the slides for activities 2.3.2-2.3.6 are comprised of a task-at-a glance box as well as “important decisions to document” for each step.

    Work as a group to complete the task-at-a-glance boxes for each step. Use the “important decisions to document” notes to help brainstorm the “how” for each step. These details should be recorded below the task-at-a-glance boxes in the playbook – see point 6 in the legend below.

    Screenshot of Section 3 of the RM Playbook.

    The image shows a screenshot of Section 3 of the RM Playbook. A legend is included below.

    Screenshot Legend:

    1. Review your existing steps, tools, and templates used for this task. Alternatively, review the example provided in the RM Playbook.
    2. Designate the responsible party/parties for this process. Who carries out the task?
    3. Document the inputs and outputs for the task: artifacts, consulted and informed parties.
    4. If applicable, document the tools and templates used for the task.
    5. Designate the accountable party for this task. Only a single party can be accountable.
    6. Describe the “how” of the task below the Task-at-a-Glance table.

    Step one: determine the logistics for collecting resource supply data for each reporting period

    2.3.2
    20 minutes

    Step one in your resource management process should be ensuring a perpetually current view into your resource supply.

    Resource supply in this context should be understood as the time, per your scope of allocation (i.e. individual, team, skill, etc.) that is leftover or available once non-project demands have been taken out of the equation. In short, the goal of this process step is to determine the non-project demands for the forecast period.

    The important decisions to document for this step include:

    1. What data will be collected and from whom? For example, functional managers to update resource potential capacity and non-project resource allocations.
    2. How often will data be collected and when? For example, data will be collected third Monday of the month, three days before our monthly update frequency.
    3. How will the data be collected? For example, tool admin to send out data to update on third Monday; resource managers update the data and email back to tool admin.

    Document your process for determining resource supply in Section 3.1 of Info-Tech’s Resource Management Playbook.

    Task-at-a-glance:

    Inputs Artifacts i.e. historical usage data
    Consulted i.e. project resources
    Tools & Templates i.e. time tracking template
    Outputs Artifacts i.e. updated template
    Informed i.e. portfolio analyst
    Timing i.e. every second Monday
    Responsible i.e. functional managers
    Accountable i.e. IT directors

    Step two: map out how project demand will be captured within each reporting period

    2.3.3
    20 minutes

    Step two in your resource management process will be to determine the full extent of project demand for your forecast period.

    Project demand in this context can entail both in-flight projects as well as new project plans or new project requests that are proposing to consume capacity during the forecast period. In short, the goal of this process step is to determine all of the project demands for the forecast period.

    The important decisions to document for this step include:

    1. What data will be collected and from whom? For example, project managers to update project allocations for in-flight projects, and PMO will provide proposed allocations for new project requests.
    2. How often will data be collected and when? For example, data will be collected third Tuesday of the month, two days before our monthly update frequency.
    3. How will the data be collected? For example, tool admin to send out data to update on third Tuesday; project managers update the data and email back to tool admin.

    Document your process for determining project demand in Section 3.2 of Info-Tech’s Resource Management Playbook.

    Task-at-a-glance

    Inputs Artifacts i.e. historical usage data
    Consulted i.e. project resources
    Tools & Templates i.e. project demand template
    Outputs Artifacts i.e. updated demand table
    Informed i.e. portfolio analyst
    Timing i.e. every second Monday
    Responsible i.e. project managers
    Accountable i.e. PMO director

    Step three: record how resource constraints and issues for each reporting period will be identified and documented

    2.3.4
    20 minutes

    Step three in your resource management process will be to analyze your resource supply and project demand data to identify points of conflict.

    Once the supply-demand data has been compiled, it will need to be analyzed for points of imbalance and conflict. The goal of this process step is to analyze the raw data and to make it consumable by other stakeholders in preparation for a reconciliation or rebalancing process.

    The important decisions to document for this step include:

    1. How will the data be checked for inaccuracies? For example, tool admin to enter and QA data; reach out by the following Wednesday at noon with inconsistencies; managers to respond no later than next day by noon.
    2. What reports will employed? For example, a refreshed demand spreadsheet will be made available.
    3. What is an acceptable range for over- and under-allocations? For example, the acceptable tolerance for allocation is 15%; that is, report only those resources that are less than 85% allocated, or more than 115% allocated.

    Document your process for identifying resource constraints and issues in Section 3.3 of Info-Tech’s Resource Management Playbook.

    Task-at-a-glance

    Inputs Artifacts i.e. supply/demand data
    Consulted i.e. no one
    Tools & Templates i.e. Portfolio Manager Lite
    Outputs Artifacts i.e. list of issues
    Informed i.e. no one
    Timing i.e. every second Tuesday
    Responsible i.e. portfolio analyst
    Accountable i.e. PMO director

    Step four: establish a standard protocol for resolving resource issues within each reporting period

    2.3.5
    20 minutes

    Step four in your resource management process should be to finalize your capacity management book of record for the reporting period and prepare recommendations for resolving conflicts and issues.

    The reconciliation process will likely take place at a meeting amongst the management of the PMO and representatives from the various functional groups within the department. The goal of this step is to get the right roles and individuals to agree upon proposed reconciliations and to sign-off on resource allocations.

    The important decisions to document for this step include:

    1. What reports will be distributed and in what form? For example, refreshed spreadsheet will be available on the PMO SharePoint site.
    2. When will the reports be generated and for whom? For example, fourth Tuesday of the month, end of day – accessible for all managers.
    3. Who has input into how conflicts should be resolved? For example, conflicts will be resolved at monthly resource management meeting. All meeting participants have input, but the PMO director will have ultimate decision-making authority.

    Document your process for resolving resource constraints and issues in Section 3.4 of Info-Tech’s Resource Management Playbook.

    Inputs Artifacts i.e. meeting agenda
    Consulted i.e. meeting participants
    Tools & Templates i.e. capacity reports
    Outputs Artifacts i.e. minutes and resolutions
    Informed i.e. steering committee
    Timing i.e. every second Thursday
    Responsible i.e. PMO director
    Accountable i.e. CIO

    Step five: record how resource allocations will be finalized and communicated for the forecast window

    2.3.6
    20 minutes

    The final step in your resource management process is to clarify how resource allocations will be documented in your resource management solution and reported to the department.

    Once a plan to rebalance supply and demand for the reporting period has been agreed on, you will need to ensure that the appropriate data is updated in your resource management book of record, and that allocation decisions are communicated to the appropriate stakeholders.

    The important decisions to document for this step include:

    1. Who has ultimate authority for allocation decisions? For example, the CIO has final authority when conflicts need to be escalated and must approve all allocations for the forecast period.
    2. Who will update the book of record and when? For example, the tool admin will update the data before the end of the day following the resource management meeting.
    3. Who needs to be informed and of what? For example, resource plans will be updated in SharePoint for resources and managers to review.

    Document your process for approving and finalizing allocation in Section 3.5 of Info-Tech’s Resource Management Playbook.

    Task-at-a-glance

    Inputs Artifacts i.e. minutes and resolutions
    Consulted i.e. CIO, IT directors
    Tools & Templates i.e. Portfolio Manager Lite
    Outputs Artifacts i.e. updated availability table
    Informed i.e. steering committee
    Timing i.e. every second Friday
    Responsible i.e. portfolio analyst
    Accountable i.e. PMO director

    Finalize your provisional resource management process in the Playbook Template

    2.3 Resource Management Playbook

    Use Info-Tech’s Resource Management Playbook to solidify your processes in a formalized operating plan.

    Throughout this phase, we have been customizing sections 1, 2, and 3 of the Resource Management Playbook.

    Before we move to pilot and implement your resource management strategy in the next phase of this blueprint, ensure that sections 1-3 of your playbook have been drafted and are ready to be communicated and shared with stakeholders.

    • Avoid getting too granular in your process requirements. Keep it to high-level data requirements. Imposing too much detail in your playbook is a recipe for failure.
    • The playbook should remain provisional throughout your pilot phase. Aspects of your process will likely need to be changed or tweaked as they are met with some day-to-day realities. As with any “living document,” it can be helpful to explicitly assign responsibilities for updating the playbook over the long term to ensure it stays relevant.

    "People are spending far more time creating these elaborate [time-tracking] systems than it would have taken just to do the task. You’re constantly on your app refiguring, recalculating, re-categorizing... A better strategy would be [returning] to the core principles of good time management…Block out your calendar for the non-negotiable things. [Or] have an organized prioritized task list." – Laura Stack (quoted in Zawacki)

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech workshop

    Book a workshop with our Info-Tech analysts:

    • To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
    • Info-Tech analysts will join you and your team onsite at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.
    • Contact your account manager (www.infotech.com/account), or email Workshops@InfoTech.com for more information.

    The following are sample activities that will be conducted by Info-Tech analysts with your team:

    2.1 Wireframe a resource management strategy using Info-Tech’s seven dimensions of resource management

    Action the decision points across Info-Tech’s seven dimensions to ensure your resource management process is guided by realistic data and process goals.

    2.3 Draft a high-level resource management workflow and elaborate it into a repeatable practice

    Customize Info-Tech’s five-step resource management process model. Then, document how the process will operate by customizing the Resource Management Playbook.

    Phase 3

    Implement Sustainable Resource Management Practices

    Phase 3 outline

    Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

    Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

    Guided Implementation 3: Implement Sustainable Resource Management Practices

    Proposed Time to Completion (in weeks): 4-12 weeks

    Step 3.1: Pilot your resource management process

    Start with an analyst kick-off call:

    • Review your resource management dimensions and tools
    • Review your provisional resource management processes
    • Discuss your ideas for a pilot

    Then complete these activities…

    • Select receptive project/functional managers to work with
    • Define the scope of your pilot and determine logistics
    • Finalize resource management roles and responsibilities

    With these tools & templates:

    • Process Pilot Plan Template
    • Resource Management Playbook
    • Project Portfolio Analyst Job Description
    Step 3.2: Plan to engage your stakeholders

    Review findings with analyst:

    • Results of your pilot, team feedback, and lessons learned
    • Your stakeholder landscape

    Then complete these activities…

    • Brainstorm and plan for potential resistance to change, objections, and fatigue from stakeholders
    • Plan for next steps

    With these tools & templates:

    • Resource Management Playbook

    Phase 3 Results & Insights:

    Engagement paves the way for smoother adoption. An engagement approach (rather than simply communication) turns stakeholders into advocates who can help boost your message, sustain the change, and realize benefits without constant intervention or process command-and-control.

    Step 3.1: Pilot your resource management process to assess viability

    PHASE 1

    1.1 Set a course of action

    1.2 Estimate supply and demand

    PHASE 2

    2.1 Select resource management dimensions

    2.2 Select resource management tools

    2.3 Build process steps

    PHASE 3

    3.1 Pilot your process for viability

    3.2 Plan stakeholder engagement

    This step will walk you through the following activities:

    • Select receptive project and functional managers to work with during your pilot
    • Define the scope of your pilot and determine logistics
    • Plan to obtain feedback, document lessons learned, and create an action plan for any changes
    • Finalize resource management roles and responsibilities

    This step involves the following participants:

    • CIO
    • PMO Director / Portfolio Manager
    • Project Managers
    • Resource Managers

    Outcomes of this step

    • A pilot team
    • A process pilot plan that defines the scope, logistics, and process for retrospection
    • Roles, responsibilities, and accountabilities for resource management
    • Project Portfolio Analyst job description template

    Pilot your new processes to test feasibility and address issues before a full deployment

    Adopting the right set of practices requires a significant degree of change that necessitates buy-in from varied stakeholders throughout IT and the business.

    Rome wasn’t built in a day. Similarly, your visibility into resource usage and availability won’t happen overnight.

    Resist the urge to deploy a big-bang rollout of your research management practices. This approach is ill advised for two main reasons:

    • It will put more of a strain on the implementation team in the near term, with a larger pool of end users to train and collect data from.
    • Putting untested practices in a department-wide spotlight could lead to mass confusion in the near-term and color the new processes in a negative light, leading to a loss of stakeholder trust and engagement right out of the gate.

    Start with a pilot phase. Identify receptive project managers and functional managers to work with, and leverage their insights to help iron out the kinks in your process before unveiling your practices to IT and business users at large.

    This step will help you:

    • Plan and execute a pilot of the processes we developed in Phase 2.
    • Incorporate the lessons learned from that pilot to strengthen your playbook and ease the communication process.

    Info-Tech Insight

    Engagement paves the way for smoother adoption. An engagement approach (rather than simply communication) turns stakeholders into advocates who can help boost your message, sustain the change, and realize benefits without constant intervention or process command-and-control.

    Plan your pilot like you would any project to ensure it’s well defined and its goals are clearly articulated

    Use Info-Tech’s Process Pilot Plan Template to help define the scope of your pilot and set appropriate goals for the test run of your new processes.

    A process pilot is a limited scope of an implementation (constrained by time and resources involved) to test the viability and effectiveness of the process as it has been designed.

    • Investing time and energy into a pilot phase can help to lower implementation risk, enhance the details and steps within a process, and improve stakeholder relations prior to a full scale rollout.
    • More than a dry run, however, a pilot should be approached strategically and planned out to limit the scope of it and achieve specific outcomes.
    • Leverage a planning document to ensure your process pilot is grounded in a common set of definitions, that the pilot is delivering value and insight, and that ultimately the pilot can serve as a starting point for a full-scale process implementation.

    "The advantages to a pilot are several. First, risk is constrained. Pilots are closely monitored so if a problem does occur, it can be fixed immediately. Second, the people working in the pilot can become trainers as you roll the process out to the rest of the organization. Third, the pilot is another opportunity for skeptics to visit the pilot process and learn from those working in it. There’s nothing like seeing a new process working for people to change their minds." – Daniel Madison

    Download Info-Tech’s Process Pilot Plan Template

    Select receptive project and functional managers to work with during your pilot

    3.1.1
    20 to 60 minutes

    Input

    • Project management staff and functional managers

    Output

    • Pilot project teams

    Materials

    • Stakeholder Engagement Workbook
    • Process Pilot Plan Template

    Participants

    • Process owner (PMO director or portfolio owner)
    • CIO

    Info-Tech recommends selecting project managers and functional managers who are aware of your role and some of the supply-demand challenges to assist in the implementation process.

    1. If receptive project and functional managers are known, schedule a 15-minute meeting with them to inquire if they would be willing to be part of the pilot process.
    2. If receptive project managers are not known, use Info-Tech’s Stakeholder Engagement Workbook to conduct a formal selection process.
      1. Enter a list of potential pilot project managers in tab 3.
      2. Rate project managers in terms of influence, pilot interest, and potential deployment contribution within tab 4.
      3. Review tab 5 in the workbook. Receptive project managers will appear in the top quadrants. Ideal project managers for the pilot are located in the top right quadrant of the graph.

    Document the project and functional managers involved in your pilot in Section 3 of Info-Tech’s Process Pilot Plan Template.

    Define the scope of your pilot and determine logistics

    Input

    • Sections 1 through 4 of the Process Pilot Plan Template

    Output

    • A process pilot plan

    Materials

    • Process Pilot Plan Template

    Participants

    • Process Owner (PMO Director or Portfolio Owner)
    • CIO
    • Project and Resource Managers

    Use Info-Tech’s Process Pilot Plan Template to design the details of your pilot.

    Investing time into planning your pilot phase strategically will ensure a clear scope, better communications for those piloting the processes, and overall, better, more actionable results during the pilot phase. The Process Pilot Plan Template is broken into five sections to assist in these goals:

      • Pilot Overview and Scope
      • Success and Risk Factors
      • Stakeholders Involved and Communications Plan
      • Pilot Retrospective and Feedback Protocol
      • Lessons Learned
    • The duration of your pilot should go at least one allocation period, depending on your frequency of updates, e.g. one week or month.
    • Estimates of time commitments should be captured for each stakeholder. During the retrospective at the end of the pilot, you should capture actuals to help determine the time-cost of the process itself and measure its sustainability.
    • Once the template is completed, schedule time to share and communicate it with the pilot team and executive sponsors of the process.

    While you should invest time in this planning document, continue to lean on the Resource Management Playbook as well as a process guide throughout the pilot phase.

    Execute your pilot and prepare to make process revisions before the full rollout

    Hit play! Begin the process pilot and get familiar with the work routine and resource management solution.

    Some things to keep in mind during the pilot include:

    • Depending on the solution you’re using, you will likely need to spend one day or less to populate the tool. During the pilot, measure the time and effort required to manage the data within the tool. Compare with the original estimate from activity 2.2.2. Determine whether time and effort required are viable on an ongoing basis (i.e. can you do it every week or month) and have value.
    • Meet with the pilot team and other stakeholders regularly during the pilot – at least weekly. Allow the team (and yourself) to speak honestly and openly about what isn’t working. The pilot is your chance to make things better.
    • Keep notes about what will need to change in the RM Playbook. For major changes, you may have to tweak the process during the pilot itself. Update the process documents as needed and communicate the changes and why they’re being made. If required, update the scope of the pilot in the Process Pilot Plan Template.

    Obtain feedback from the pilot group to improve your processes before a wider rollout

    3.1.3
    30 minutes

    Input

    • What’s working and what isn’t in the process

    Output

    • Ideas to improve process

    Materials

    • Whiteboard
    • Sticky notes
    • Process Pilot Plan Template

    Participants

    • Process Owner (PMO Director or Portfolio Owner)
    • Pilot Team

    Pilot projects allow you to validate your assumptions and leverage lessons learned. During the planning of the pilot, you should have scheduled a retrospective meeting with the pilot team to formally assess strengths and weaknesses in the process you have drafted.

    • Schedule the retrospective shortly after the pilot is completed. Info-Tech recommends a stop/start/continue activity with pilot participants to obtain and capture feedback.
    • Have members of the meeting record any processes/activities on sticky notes that should:
      • Stop: because they are ineffective or not useful
      • Start: because they would be useful for the tool and have not been incorporated into current processes
      • Continue: because they are useful and positively contribute to intended process outcomes

    An example of how to structure a stop/start/continue activity on a whiteboard using sticky notes.

    The image shows three black squares, each with three brightly coloured sticky notes in it. The three squares are labelled: Stop; Start; Continue.

    See below for additional instructions

    Document lessons learned and create an action plan for any changes to the resource management processes

    3.1.4
    30 minutes

    As a group, discuss everyone’s responses and organize according to top priority (mark with a 1) and lower priority/next steps (mark with a 2). At this point, you can also remove any sticky notes that are repetitive or no longer relevant.

    Once you have organized based on priority, be sure to come to a consensus with the group regarding which actions to take. For example, if the group agrees that they should “stop holding meetings weekly,” come to a consensus regarding how often meetings will be held, i.e. monthly.

    Create an action plan for the top priority items that require changes (the stops and starts). Record in this slide or your preferred medium. Be sure to include who is responsible for the action and the date that it will be implemented.

    Priority Action Required Who is Responsible Implementation Date
    Stop: Holding meetings weekly Hold meetings monthly Jane Doe, PMO Next Meeting: November 1, 2017
    Start: Discussing backlog during meetings Ensure that backlog data is up to date for discussion on date of next meeting John Doe, Portfolio Manager November 1, 2017

    Document the outcomes of the start/stop/continue exercise and your action plan in Section 6 of Info-Tech’s Process Pilot Plan Template.

    Review actions that can be taken based on the results of your pilot

    Situation Action Next Steps
    The dimensions that we chose for our strategy have proven to be too difficult to accurately maintain. The dimensions that we chose for our strategy have proven to be too difficult to accurately maintain. Reassess the dimensions that you chose for your strategy. Make sure that you are not overcommitting yourself based on your maturity level. You can always go back and adjust for a higher level of resource management maturity once you have mastered your current level. For example, if you chose “weekly” as your update frequency and this has proven to be too much to maintain, try updating monthly for a few months. Once you have mastered this update frequency, it will be easier to adjust to a weekly update process.
    We were able to maintain the data for our pilot based on the dimensions that we chose. However, allocating projects based on realized capacity did not alleviate any of our resourcing issues and resources still seem to be working on more projects than they can handle. Determine other factors at the organization that would help to maintain the data and work toward reclaiming capacity. Continue working with the dimensions that you chose and maintain the accuracy of this data. The next step is to identify other factors that are contributing to your resource allocation problems and begin reclaiming capacity. Continue forward to the resource management roadmap section and work on changing organizational structures and worker behavior to maximize capacity for project work.
    We were able to easily and accurately maintain the data, which led to positive results and improvement in resource allocation issues. If your strategy is easily maintained, identify factors that will help your organization reclaim capacity. Continue to maintain this data, and eventually work toward maintaining it at a more precise level. For example, if you are currently using an update frequency of “monthly” and succeeding, think about moving toward a “weekly” frequency within a few months. Once you feel confident that you can maintain project and resource data, continue on to the roadmap section to discover ways to reclaim resource capacity through organizational and behavioral change.

    Finalize resource management roles and responsibilities

    3.1.5
    15 to 30 minutes

    Input

    • Tasks for resource management
    • Stakeholder involved

    Output

    • Roles, responsibilities, and accountabilities for resource management

    Materials

    • Resource Management Playbook

    Participants

    • PMO Director/ Portfolio Manager
    • Functional Managers
    • Project Managers

    Perform a RACI exercise to help standardize terminology around roles and responsibilities and to ensure that expectations are consistent across stakeholders and teams.

    • A RACI will help create a clear understanding of the tasks and expectations for each stakeholder at each process step, assigning responsibilities and accountability for resource management outcomes.

    Responsible

    Accountable

    Consulted

    Informed

    Roles CIO PMO Portfolio Analyst Project Manager Functional Manager
    Collect supply data I A R I C
    Collect demand data I A R C I
    Identify conflicts I C/A R C C
    Resolve conflicts C A/R I R R
    Approve allocations A R I R I

    Document your roles and responsibilities in Section 2 of Info-Tech’s Resource Management Playbook.

    Use Info-Tech’s Portfolio Analyst job description to help fill any staffing needs around data maintenance

    3.1 Project Portfolio Analyst/PMO Analyst Job Description

    You will need to determine responsibilities and accountabilities for portfolio management functions within your team.

    If you do not have a clearly identifiable portfolio manager at this time, you will need to clarify who will wear which hats in terms of facilitating intake and prioritization, high-level capacity awareness, and portfolio reporting.

    • Use Info-Tech’s Project Portfolio Analyst job description template to help clarify some of the required responsibilities to support your PPM strategy.
      • If you need to bring in an additional staff member to help support the strategy, you can customize the job description template to help advertise the position. Simply edit the text in grey within the template.
    • If you have other PPM tasks that you need to define responsibilities for, you can use the RASCI chart on the final tab of the PPM Strategy Development Tool.

    Download Info-Tech’s Project Portfolio Analyst Job Description Template

    Finalize the Resource Management Playbook and prepare to communicate your processes

    Once you’ve completed the pilot process and made the necessary tweaks, you should finalize your Resource Management Playbook and prepare to communicate it.

    Revisit your RM Playbook from step 2.3 and ensure it has been updated to reflect the process changes that were identified in activity 3.1.4.

    • If during the pilot process the data was too difficult or time consuming to maintain, revisit the dimensions you have chosen and select dimensions that are easier to accurately maintain. Tweak your process steps in the playbook accordingly.
    • In the long term, if you are not observing any capacity being reclaimed, revisit the roadmap that we’ll prepare in step 3.2 and address some of these inhibitors to organizational change.
    • In the next step, we will also be repurposing some of the content from the playbook, as well as from previous activities, to include them in your presentation to stakeholders, using Info-Tech’s Resource Management Communications Template.

    Download Info-Tech’s Resource Management Playbook

    Info-Tech Best Practice

    Make your process standardization comprehensive. The RM Playbook should serve as your resource management standard operating procedure. In addition to providing a walk-through of the process, an SOP also clarifies project governance by clearly defining roles and responsibilities.

    Step 3.2: Plan to engage your stakeholders with your playbook

    PHASE 1

    1.1 Set a course of action

    1.2 Estimate supply and demand

    PHASE 2

    2.1 Select resource management dimensions

    2.2 Select resource management tools

    2.3 Build process steps

    PHASE 3

    3.1 Pilot your process for viability

    3.2 Plan stakeholder engagement

    This step will walk you through the following activities:

    • Brainstorm and plan for potential resistance to change, objections, and fatigue from stakeholders
    • Plan for next steps in reclaiming project capacity
    • Plan for next steps in overcoming supply-demand reconciliation challenges

    This step involves the following participants:

    • CIO
    • PMO Director / Portfolio Manager
    • Pilot Team from Step 3.1

    Outcomes of this step

    • Plan for communicating responses and objections from stakeholders and staff
    • Plan to manage structural/enabling factors that influence success of the resource management strategy
    • Description of next steps in reclaiming project capacity and overcoming supply-demand reconciliation challenges
    • Final draft of the customized Resource Management Playbook

    Develop a resource management roadmap to communicate and reinforce the strategy

    A roadmap will help anticipate, plan, and address barriers and opportunities that influence the success of the resource management strategy.

    This step of the project will ensure the new strategy is adopted and applied with maximum success by helping you manage challenges and opportunities across three dimensions:

    1. Executive Stakeholder Factors

    For example, resistance to adopting new assumptions about ratio of project versus non-project work.

    2. Workforce/Team Factors

    For example, resistance to moving from individual- to team-based allocations.

    3. Structural Factors

    For example, ensuring priorities are stable within the chosen resource planning horizon.

    See Info-Tech’s Drive Organizational Change from the PMOfor comprehensive tools and guidance on achieving organizational buy-in for your new resource management practices.

    Info-Tech Insight

    Communicate, communicate, communicate. Staff are 34% more likely to adapt to change quickly during the implementation and adoption phases when they are provided with a timeline of impending changes specific to their department. (McLean & Company)

    Anticipate a wide range of responses toward your new processes

    While your mandate may be backed by an executive sponsor, you will need to influence stakeholders from throughout the organization in order to succeed. Indeed, as EPMO leader, success will depend upon your ability to confirm and reaffirm commitments on soft or informal grounds. Prepare an engagement strategy that anticipates a wide range of responses.

    Enthusiasts Fence-sitters Skeptics Saboteurs
    What they look like: Put all their energy into learning new skills and behaviors. Start to use new skills and behaviors at a sluggish pace. Look for alternate ways of implementing the change. Refuse to learn anything new or try new behaviors.
    How they contribute: Lead the rest of the group. Provide an undercurrent of movement from old behaviors to new. Challenge decisions and raise risk points with managers. May raise valid points about the process that should be fixed.
    How to manage them: Give them space to learn and lead others. Keep them moving forward by testing their progress. Listen to them, but don’t give in to their demands. Keep communicating with them until you convert them.
    How to leverage them: Have them lead discussions and training sessions. Use them as an example to forecast the state once the change is adopted. Test new processes by having them try to poke holes in them. If you can convert them, they will lead the Skeptics and Fence-sitters.

    Info-Tech Insight

    Hone your stakeholder engagement strategy. Most people affected by an IT-enabled change tend to be fence-sitters. Small minorities will be enthusiasts, saboteurs, and skeptics. Your communication strategy should focus on engaging the skeptics, saboteurs, and enthusiasts. Fence-sitters will follow.

    Define plans to deal with resistance to change, objections, and fatigue

    Be prepared to confront skeptics and saboteurs when communicating the change.

    1. Use the templates on the following slide to:
      1. Brainstorm possible objections from stakeholders and staff. Prioritize objections that are likely to occur.
      2. Develop responses to objections.
    2. Develop a document and plan for proactively communicating responses and objections to show people that you understand their point of view.
      1. Revise the communications messaging and plan to include proactive objection handling.
    3. Discuss the likelihood and impact of “saboteurs” who aren’t convinced or affected by change management efforts.
      1. Explore contingency plans for dealing with difficult saboteurs. These individuals can negate the progress of the rest of the team by continuing to resist the process and spreading toxic energy. If necessary, be ruthless with these individuals. Let them know that the rest of the group is moving on without them, and if they can’t or won’t adopt the new standards, then they can leave.

    Info-Tech Insight

    Communicate well and engage often. Agility and continuous improvement are good, but can degenerate into volatility if change isn’t managed properly. People will perceive change to be volatile if their expectations aren’t managed through communications and engagement planning.

    Info-Tech Best Practice

    The individuals best positioned to provide insight and influence change positively are also best positioned to create resistance.

    These people should be engaged early and often in the implementation process – not just to make them feel included or part of the change, but also because their insight could very likely identify risks, barriers, and opportunities that need to be addressed.

    Develop a plan to manage stakeholder resistance to the new resource management strategy

    3.2.1
    30 minutes

    Brainstorm potential implications and objections that executive stakeholders might raise about your new processes.

    Dimension Decision Potential Impact, Implications, and Objections Possible Responses and Actions
    i.e. Default Project Ratio 50% “This can’t be right...” “We conducted a thorough time audit to establish this ratio.”
    “We need to spend more time on project work.” “Realistic estimates will help us control new project intake, which will help us optimize time allocated to projects.”
    i.e. Frequency Monthly “This data isn’t detailed enough, we need to know what people are working on right now.” “Maintaining an update frequency of weekly would require approximately [X] extra hours of PMO effort. We can work toward weekly as we mature.”
    i.e. Scope Person “That is a lot of people to keep track of.” “Managing individuals is still the job of the project manager; we are responsible for allocating individuals to projects.”
    i.e. Granularity of Work Assignment Project “We need to know exactly what tasks are being worked on and what the progress is.” “Assigning at task level is very difficult to accurately maintain. Once we have mastered a project-level granularity we can move toward task level.”
    i.e. Forecast Horizon One month “We need to know what each resource is working on next year.” “With a monthly forecast, our estimates are dependable. If we forecast a year in advance, this estimate will not be accurate.”

    Document the outcomes of this activity on slide 26 of Info-Tech’s Resource Management Communications Template.

    Develop a plan to manage staff/team resistance to the new resource management strategy

    3.2.2
    30 minutes

    Brainstorm potential implications and objections that individual staff and members of project teams might raise about your new processes.

    Dimension Decision Potential Impact, Implications, and Objections Possible Responses and Actions
    i.e. Default Project Ratio 50% “There’s too much support work.” “We conducted a thorough time audit to establish this ratio. Realistic estimates will help us control new project intake, which will help us optimize your project time.”
    i.e. Frequency Monthly “I don’t have time to give you updates on project progress.” “This update frequency requires only [X] amount of time from you per week/month.”
    i.e. Granularity Project “I need more clarity on what I’m working on.” “Team members and project managers are in the best position to define and assign (or self-select) individual tasks.”
    i.e. Forecast Horizon One month “I need to know what my workload will be further in advance.” “You will still have a high-level understanding of what you will be working on in the future, but projects will only be officially forecasted one month in advance.”
    i.e. Allocation Cadence Monthly “We need a more frequent cadence.” “We can work toward weekly cadence as we mature.”

    Document the outcomes of this activity on slide 27 of Info-Tech’s Resource Management Communications Template.

    Develop a plan to manage structural/enabling factors that influence success of the resource management strategy

    3.2.3
    30 minutes

    Brainstorm a plan to manage other risks and challenges to implementing your processes.

    Dimension Decision Potential Impact, Implications, and Objections Possible Responses and Actions
    i.e. Default Project Ratio 50% “We have approved too many projects to allocate so little time to project work.” Nothing has changed – this was always the amount of time that would actually go toward projects. If you are worried about a backlog, stop approving projects until you have completed the current workload.
    i.e. Frequency Monthly “Status reports aren’t reliably accurate and up to date more than quarterly.” Enforce strict requirements to provide monthly status updates for 1-3 key KPIs.
    i.e. Scope Person “How can we keep track of what each individual is working on?” Establish a simple, easy reporting mechanism so that resources are reporting their own progress.
    i.e. Granularity Project “How will we know the status of a project without knowing what tasks are completed?” It is in the domain of the project manager to know what tasks have been completed and to report overall project progress.
    i.e. Forecast Horizon One Month “It will be difficult to plan for resource needs in advance.” Planning a month in advance allows you to address conflicts or issues before they are urgent.

    Document the outcomes of this activity on slide 28 of Info-Tech’s Resource Management Communications Template.

    Finalize your communications plan and prepare to present the new processes to the organization

    Use Info-Tech’s Resource Management Communications Template to record the challenges your resource management strategy is addressing and how it is addressing them.

    Highlight organizational factors that necessitated the change.

    • Stakeholders and staff understandably tend to dislike change for the sake of change. Use Info-Tech’s Resource Management Communications Template to document the pain points that your process change is addressing and explain the intended benefits for all who will be subject to the new procedures.

    Determine goals and benefits for implementation success.

    • Provide metrics by which the implementation will be deemed a success. Providing this horizon will provide some structure for stakeholders and hopefully help to encourage process discipline.

    Clearly indicate what is required of people to adopt new processes.

    • Document your Resource Management Playbook. Be sure to include specific roles and responsibilities so there is no doubt regarding who is accountable for what.

    Download Info-Tech’s Resource Management Communications Template

    "You need to be able to communicate effectively with major stakeholders – you really need their buy-in. You need to demonstrate credibility with your audience in the way you communicate and show how portfolio [management] is a structured decision-making process." – Dr. Shan Rajegopal (quoted in Akass, “What Makes a Successful Portfolio Manager”)

    Review tactics for keeping your processes on track

    Once the strategy is adopted, the next step is to be prepared to address challenges as they come up. Review the tactics in the table below for assistance.

    Challenge Resolution Next Step
    Workers are distracted because they are working on too many projects at once; their attention is split and they are unproductive. Workers are distracted because they are working on too many projects at once; their attention is split and they are unproductive. Review portfolio practices for ways to limit work in progress (WIP).
    Employees are telling project managers what they want to hear and not giving honest estimates about the way their time is spent. Ensure that employees understand the value of honest time tracking. If you’re allocating your hours to the wrong projects, it is your projects that suffer. If you are overallocated, be honest and share this with management. Display employee time-tracking reports on a public board so that everyone will see where their time is spent. If they are struggling to complete projects by their deadlines they must be able to demonstrate the other work that is taking up their time.
    Resources are struggling with projects because they do not have the necessary expertise. Perform a skills audit to determine what skills employees have and assign them to projects accordingly. If an employee with a certain skill is in high demand, consider hiring more resources who are able to complete this work.

    See below for additional challenges and tactics

    Review tactics for keeping supply and demand aligned

    Once the strategy is adopted, the next step is to use the outputs of the strategy to reclaim capacity and ensure supply and demand remain aligned. Review the tactics in the table below for assistance.

    Challenge Resolution Next Step
    There is insufficient project capacity to take on new work, but demand continues to grow. Extend project due date and manage the expectations of project sponsors with data. If possible, reclaim capacity from non-project work. Customize the playbook to address insufficient project capacity.
    There is significant fluctuation in demand, making it extremely challenging to stick to allocations. Project managers can build in additional contingencies to project plans based on resourcing data, with plans for over-delivering with surplus capacity. In addition, the CIO can leverage business relationships to curb chaotic demand. The portfolio manager should analyze the project portfolio for clues on expanding demand. Customize the playbook to address large fluctuations in demand.
    On a constant basis, there are conflicting project demands over specific skills. Re-evaluate the definition of a project to guard the value of the portfolio. Continually prioritize projects based on their business values as of today. Customize the playbook to address conflicting project demands. Feed into any near- and long-term staffing plans.

    Prepare to communicate your new resource management practices and reap their benefits

    As you roll out your resource management strategy, familiarize yourself with the capability improvements that will drive your resource management success metrics.

    1. Increased capacity awareness through the ability to more efficiently and more effectively collect and track complex, diverse, and dynamic project data across the project portfolio.
    2. Improved supply management. Increased awareness of resource capacity (current and forecasted) combined with the ability to see the results of resource allocations across the portfolio will help ensure that project resources are used as effectively as possible.
    3. Improved demand management. Increased capacity awareness, combined with reliable supply management, will help PMOs set realistic limits on the amount and kind of IT projects the organization can take on at any given time. The ability to present user-friendly reports to key decision makers will help the PMO to ensure that the projects that are approved are realistically attainable and strategically aligned.
    4. Increased portfolio success. Improvements in the three areas indicated above should result in more realistic demands on project workers/managers, better products, and better service to all stakeholders. While successfully implemented PPM solutions should produce more efficient PPM processes, ideally they should also drive improved project stakeholder satisfaction across the organization.

    The image shows a series on concentric circles, labelled (from the inside out): Capacity Awareness; Supply Management; Demand Management; Project Success.

    Info-Tech client achieves resource management success by right-sizing its data requirements and focusing on reporting

    CASE STUDY

    Industry Manufacturing

    Source Info-Tech Client

    We were concerned that the staff would not want to do timesheets. With one level of task definition, it’s not really timesheets. It’s more about reconciling our allocations.” – PMO Director, Manufacturing

    Challenge

    • In a very fast-paced environment, the PMO had developed a meaningful level of process maturity.
    • There had never been time to slow down enough to introduce a mature PPM tool set.
    • The executive leadership had started to ask for more throughput of highly visible IT projects.

    Solution

    • There had never been oversight on how much IT time went toward escalated support issues and smaller enhancement requests.
    • Staff had grown accustomed to a lack of documentation rigor surrounding the portfolio.
    • Despite a historic baseline of the ratio between strategic projects, small projects, and support, the lack of recordkeeping made it hard to validate or reconcile these ratios.

    Results

    • The organization introduced a robust commercial PPM tool.
    • They were able to restrict the granularity of data to a high level in order to limit the time required to enter and manage, and track the actuals.
    • They prepared executive leadership for their renewed focus on the allocation of resources to strategically important projects.
    • Approval of projects was right-sized based on the actual capacity and realized through improved timesheet recordkeeping.

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech workshop

    Book a workshop with our Info-Tech analysts:

    • To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
    • Info-Tech analysts will join you and your team onsite at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.
    • Contact your account manager (www.infotech.com/account), or email Workshops@InfoTech.com for more information.

    The following are sample activities that will be conducted by Info-Tech analysts with your team:

    3.1 Define the scope of your pilot and set appropriate goals for the test-run of your new processes

    An effective pilot lowers implementation risk, enhances the details and steps within a process, and improves stakeholder relations prior to a full scale rollout.

    3.2 Develop a plan to manage stakeholder and staff resistance to the new resource management practice

    Proactively plan for communicating responses and objections to show people that you understand their point of view and win their buy-in.

    Insight breakdown

    Insight 1

    A matrix organization creates many small, untraceable demands that are often overlooked in resource management efforts, which lead to underestimating total demand and overcommitting resources. To capture them and enhance the success of your resource management effort, focus on completeness rather than precision. Precision of data will improve over time as your process maturity grows.

    Insight 2

    Draft the resource management practice with sustainability in mind. It is about what you can and will maintain every week, even during a crisis: it is not about what you put together as a one-time snapshot. Once you stop maintaining resource data, it’s nearly impossible to catch up.

    Insight 3

    Engagement paves the way for smoother adoption. An engagement approach (rather than simply communication) turns stakeholders into advocates who can help boost your message, sustain the change, and realize benefits without constant intervention or process command-and-control.

    Summary of accomplishment

    Knowledge Gained

    • Disconnect between traditional resource management paradigms and today’s reality of work environment
    • Differentiation of accuracy and precision in capacity data
    • Snapshot of resource capacity supply and demand
    • Seven dimensions of resource management strategy
    • How to create sustainability of a resource management practice

    Processes Optimized

    • Collecting resource supply data
    • Capturing the project demand
    • Identifying and documenting resource constraints and issues
    • Resolving resource issues
    • Finalizing and communicating resource allocations for the forecast window

    Deliverable Completed

    • Resource Management Supply-Demand Calculator, to create an initial estimate of resource capacity supply and demand
    • Time-tracking survey emails, to validate assumptions made for creating the initial snapshot of resource capacity supply and demand
    • Resource Management Playbook, which documents your resource management strategy dimensions, process steps, and responses to challenges
    • PPM Solution Vendor Demo Script, to structure your resource management tool demos and interactions with vendors to ensure that their solutions can fully support your resource management practices
    • Portfolio Manager Lite, a spreadsheet-based resource management solution to facilitate the flow of data
    • Process Pilot Plan, to ensure that the pilot delivers value and insight necessary for a wider rollout
    • Project Portfolio Analyst job description, to help your efforts in bringing in additional staff to provide support for the new resource management practice
    • Resource Management Communications presentation, with which to engage your stakeholders during the new process rollout

    Research contributors and experts

    Trevor Bramwell, ICT Project Manager Viridor Waste Management

    John Hansknecht, Director of Technology University of Detroit Jesuit High School & Academy

    Brian Lasby, Project Manager Toronto Catholic District School Board

    Jean Charles Parise, CIO & DSO Office of the Auditor General of Canada

    Darren Schell, Associate Executive Director of IT Services University of Lethbridge

    Related Info-Tech research

    Develop a Project Portfolio Management Strategy

    Grow Your Own PPM Solution

    Optimize Project Intake, Approval, and Prioritization

    Maintain and Organized Portfolio

    Manage a Minimum-Viable PMO

    Establish the Benefits Realization Process

    Manage an Agile Portfolio

    Tailor Project Management Processes to Fit Your Projects

    Project Portfolio Management Diagnostic Program

    The Project Portfolio Management Diagnostic Program is a low-effort, high-impact program designed to help project owners assess and improve their PPM practices. Gather and report on all aspects of your PPM environment to understand where you stand and how you can improve.

    Bibliography

    actiTIME. “How Poor Tracking of Work Time Affects Your Business.” N.p., Oct. 2016. Web.

    Akass, Amanda. “What Makes a Successful Portfolio Manager.” Pcubed, n.d. Web.

    Alexander, Moira. “5 Steps to avoid overcommitting resources on your IT projects.” TechRepublic. 18 July 2016. Web.

    Anderson, Ryan. “Some Shocking Statistics About Interruptions in Your Work Environment.” Filevine, 9 July 2015. Web.

    Bondale, Kiron. “Focus less on management and more on the resources with resource management.” Easy in Theory, Difficult in Practice. 16 July 2014. Web.

    Burger, Rachel. “10 Software Options that Will Make Your Project Resource Allocation Troubles Disappear.” Capterra Project Management Blog, 6 January 2016. Web.

    Cooper, Robert, G. “Effective Gating: Make product innovation more productive by using gates with teeth.” Stage-Gate International and Product Development Institute. March/April 2009. Web.

    Dimensional Research. “Lies, Damned Lies and Timesheet Data.” Replicon, July 2013. Web.

    Edelman Trust Barometer. “Leadership in a Divided World.” 2016. Web.

    Frank, T.A. “10 Execs with Time-Management Secrets You Should Steal.” Monday*. Issue 2: Nov-Dec 2014. Drucker Institute. Web.

    Huth, Susanna. “Employees waste 759 hours each year due to workplace distractions.” The Telegraph, 22 Jun 2015. Web.

    Jacobeus, Nicolas. “How Detailed Does Your Agency Time Tracking Need to Be?” Scale Blog, 18 Jul 2016. Web.

    Lessing, Lawrence. Free Culture. Lulu Press Inc.: 30 July 2016.

    Kwak, James. “The Importance of Excel. The Baseline Scenario, 9 Feb 2013. Web.

    Madison, Daniel. “The Five Implementation Options to Manage the Risk in a New Process.” BPMInstitute.org. n.d. Web.

    Mark, Gloria. Multitasking in the Digital Age. Morgan & Claypool Publishers. 1 April 2015

    Maron, Shim. “Accountability Vs. Responsibility In Project Management.” Workfront, 10 June 2016. Web.

    PM Solutions. “Resource Management and the PMO: Three Strategies for Addressing Your Biggest Challenge.” N.p., 2009. Web.

    Project Management Institute. “Pulse of the Profession 2014.” PMI, 2014. Web.

    Planview. “Capacity Planning Fuels Innovation Speed.” 2016. Web.

    Rajda, Vilmos. “The Case Against Project Portfolio Management.” PMtimes, 1 Dec 2010. Web.

    Reynolds, Justin. “The Sad Truth about Nap Pods at Work.” TINYpulse, 22 Aug 2016. Web.

    Schulte, Brigid. “Work interrupts can cost you 6 hours a day. An efficiency expert explains how to avoid them.” Washington Post, 1 June 2015. Web.

    Stone, Linda. "Continuous Partial Attention." Lindastone.net. N.p., n.d. Web.

    Zawacki, Kevin. “The Perils of Time Tracking.” Fast Company, 26 Jan 2015. Web.

    Master M&A Cybersecurity Due Diligence

    • Buy Link or Shortcode: {j2store}261|cart{/j2store}
    • member rating overall impact (scale of 10): 10.0/10 Overall Impact
    • member rating average dollars saved: $12,399 Average $ Saved
    • member rating average days saved: 5 Average Days Saved
    • Parent Category Name: Governance, Risk & Compliance
    • Parent Category Link: /governance-risk-compliance

    This research is designed to help organizations who are preparing for a merger or acquisition and need help with:

    • Understanding the information security risks associated with the acquisition or merger.
    • Avoiding the unwanted possibility of acquiring or merging with an organization that is already compromised by cyberattackers.
    • Identifying best practices for information security integration post merger.

    Our Advice

    Critical Insight

    The goal of M&A cybersecurity due diligence is to assess security risks and the potential for compromise. To succeed, you need to look deeper.

    Impact and Result

    • A repeatable methodology to systematically conduct cybersecurity due diligence.
    • A structured framework to rapidly assess risks, conduct risk valuation, and identify red flags.
    • Look deeper by leveraging compromise diagnostics to increase confidence that you are not acquiring a compromised entity.

    Master M&A Cybersecurity Due Diligence Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Start here – read the Executive Brief

    Read our concise Executive Brief to find out how to master M&A cyber security due diligence, review Info-Tech’s methodology, and understand how we can support you in completing this project.

    [infographic]

    Integrate Threat Intelligence Into Your Security Operations

    • Buy Link or Shortcode: {j2store}320|cart{/j2store}
    • member rating overall impact (scale of 10): 9.0/10 Overall Impact
    • member rating average dollars saved: 2 Average Days Saved
    • member rating average days saved: After each Info-Tech experience, we ask our members to quantify the real-time savings, monetary impact, and project improvements our research helped them achieve.
    • Parent Category Name: Threat Intelligence & Incident Response
    • Parent Category Link: /threat-intelligence-incident-response
    • Organizations have limited visibility into their threat landscape, and as such are vulnerable to the latest attacks, hindering business practices, workflow, revenue generation, and damaging their public image.
    • Organizations are developing ad hoc intelligence capabilities that result in operational inefficiencies, the misalignment of resources, and the misuse of their security technology investments.
    • It is difficult to communicate the value of a threat intelligence solution when trying to secure organizational buy-in and the appropriate resourcing.
    • There is a vast array of “intelligence” in varying formats, often resulting in information overload.

    Our Advice

    Critical Insight

    1. Information alone is not actionable. A successful threat intelligence program contextualizes threat data, aligns intelligence with business objectives, and then builds processes to satisfy those objectives.
    2. Your security controls are diminishing in value (if they haven’t already). As technology in the industry evolves, threat actors will inevitably adopt new tools, tactics, and procedures; a threat intelligence program can provide relevant situational awareness to stay on top of the rapidly-evolving threat landscape.
    3. Your organization might not be the final target, but it could be a primary path for attackers. If you exist as a third-party partner to another organization, your responsibility in your technology ecosystem extends beyond your own product/service offerings. Threat intelligence provides visibility into the latest threats, which can help you avoid becoming a backdoor in the next big data breach.

    Impact and Result

    • Assess the needs and intelligence requirements of key stakeholders.
    • Garner organizational buy-in from senior management.
    • Identify organizational intelligence gaps and structure your efforts accordingly.
    • Understand the different collection solutions to identify which best supports your needs.
    • Optimize the analysis process by leveraging automation and industry best practices.
    • Establish a comprehensive threat knowledge portal.
    • Define critical threat escalation protocol.
    • Produce and share actionable intelligence with your constituency.
    • Create a deployment strategy to roll out the threat intelligence program.
    • Integrate threat intelligence within your security operations.

    Integrate Threat Intelligence Into Your Security Operations Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should implement a threat intelligence program, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Plan for a threat intelligence program

    Assess current capabilities and define an ideal target state.

    • Integrate Threat Intelligence Into Your Security Operations – Phase 1: Plan for a Threat Intelligence Program
    • Security Pressure Posture Analysis Tool
    • Threat Intelligence Maturity Assessment Tool
    • Threat Intelligence Project Charter Template
    • Threat Intelligence RACI Tool
    • Threat Intelligence Management Plan Template
    • Threat Intelligence Policy Template

    2. Design an intelligence collection strategy

    Understand the different collection solutions to identify which best supports needs.

    • Integrate Threat Intelligence Into Your Security Operations – Phase 2: Design an Intelligence Collection Strategy
    • Threat Intelligence Prioritization Tool
    • Threat Intelligence RFP MSSP Template

    3. Optimize the intelligence analysis process

    Begin analyzing and acting on gathered intelligence.

    • Integrate Threat Intelligence Into Your Security Operations – Phase 3: Optimize the Intelligence Analysis Process
    • Threat Intelligence Malware Runbook Template

    4. Design a collaboration and feedback program

    Stand up an intelligence dissemination program.

    • Integrate Threat Intelligence Into Your Security Operations – Phase 4: Design a Collaboration and Feedback Program
    • Threat Intelligence Alert Template
    • Threat Intelligence Alert and Briefing Cadence Schedule Template
    [infographic]

    Establish an Effective IT Steering Committee

    • Buy Link or Shortcode: {j2store}191|cart{/j2store}
    • member rating overall impact (scale of 10): 9.6/10 Overall Impact
    • member rating average dollars saved: $44,821 Average $ Saved
    • member rating average days saved: 11 Average Days Saved
    • Parent Category Name: IT Governance, Risk & Compliance
    • Parent Category Link: /it-governance-risk-and-compliance
    • Unfortunately, when CIOs implement IT steering committees, they often lack the appropriate structure and processes to be effective.
    • Due to the high profile of the IT steering committee membership, CIOs need to get this right – or their reputation is at risk.

    Our Advice

    Critical Insight

    • 88% of IT steering committees fail. The organizations that succeed have clearly defined responsibilities that are based on business needs.
    • Without a documented process your committee can’t execute on its responsibilities. Clearly define the flow of information to make your committee actionable.
    • Limit your headaches by holding your IT steering committee accountable for defining project prioritization criteria.

    Impact and Result

    Leverage Info-Tech’s process and deliverables to see dramatic improvements in your business satisfaction through an effective IT steering committee. This blueprint will provide three core customizable deliverables that you can use to launch or optimize your IT steering committee:

    • IT Steering Committee Charter: Use this template in combination with this blueprint to form a highly tailored committee.
    • IT Steering Committee Stakeholder Presentation: Build understanding around the goals and purpose of the IT steering committee, and generate support from your leadership team.
    • IT Steering Committee Project Prioritization Tool: Engage your IT steering committee participants in defining project prioritization criteria. Track project prioritization and assess your portfolio.

    Establish an Effective IT Steering Committee Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should establish an IT steering committee, review Info-Tech’s methodology, and understand the ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Build the steering committee charter

    Build your IT steering committee charter using results from the stakeholder survey.

    • Establish an Effective IT Steering Committee – Phase 1: Build the Steering Committee Charter
    • IT Steering Committee Stakeholder Survey
    • IT Steering Committee Charter

    2. Define IT steering commitee processes

    Define your high level steering committee processes using SIPOC, and select your steering committee metrics.

    • Establish an Effective IT Steering Committee – Phase 2: Define ITSC Processes

    3. Build the stakeholder presentation

    Customize Info-Tech’s stakeholder presentation template to gain buy-in from your key IT steering committee stakeholders.

    • Establish an Effective IT Steering Committee – Phase 3: Build the Stakeholder Presentation
    • IT Steering Committee Stakeholder Presentation

    4. Define the prioritization criteria

    Build the new project intake and prioritization process for your new IT steering committee.

    • Establish an Effective IT Steering Committee – Phase 4: Define the Prioritization Criteria
    • IT Steering Committee Project Prioritization Tool
    • IT Project Intake Form
    [infographic]

    Workshop: Establish an Effective IT Steering Committee

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Build the IT Steering Committee

    The Purpose

    Lay the foundation for your IT steering committee (ITSC) by surveying your stakeholders and identifying the opportunities and threats to implementing your ITSC.

    Key Benefits Achieved

     An understanding of the business environment affecting your future ITSC and identification of strategies for engaging with stakeholders

    Activities

    1.1 Launch stakeholder survey for business leaders.

    1.2 Analyze results with an Info-Tech advisor.

    1.3 Identify opportunities and threats to successful IT steering committee implementation.

    1.4 Develop the fit-for-purpose approach.

    Outputs

    Report on business leader governance priorities and awareness

    Refined workshop agenda

    2 Define the ITSC Goals

    The Purpose

    Define the goals and roles of your IT steering committee.

    Plan the responsibilities of your future committee members.

    Key Benefits Achieved

     Groundwork for completing the steering committee charter

    Activities

    2.1 Review the role of the IT steering committee.

    2.2 Identify IT steering committee goals and objectives.

    2.3 Conduct a SWOT analysis on the five governance areas

    2.4 Define the key responsibilities of the ITSC.

    2.5 Define ITSC participation.

    Outputs

    IT steering committee key responsibilities and participants identified

    IT steering committee priorities identified

    3 Define the ITSC Charter

    The Purpose

    Document the information required to create an effective ITSC Charter.

    Create the procedures required for your IT steering committee.

    Key Benefits Achieved

    Clearly defined roles and responsibilities for your steering committee

    Completed IT Steering Committee Charter document

    Activities

    3.1 Build IT steering committee participant RACI.

    3.2 Define your responsibility cadence and agendas.

    3.3 Develop IT steering committee procedures.

    3.4 Define your IT steering committee purpose statement and goals.

    Outputs

    IT steering committee charter: procedures, agenda, and RACI

    Defined purpose statement and goals

    4 Define the ITSC Process

    The Purpose

    Define and test your IT steering committee processes.

    Get buy-in from your key stakeholders through your stakeholder presentation.

    Key Benefits Achieved

    Stakeholder understanding of the purpose and procedures of IT steering committee membership

    Activities

    4.1 Define your high-level IT steering committee processes.

    4.2 Conduct scenario testing on key processes, establish ITSC metrics.

    4.3 Build your ITSC stakeholder presentation.

    4.4 Manage potential objections.

    Outputs

    IT steering committee SIPOC maps

    Refined stakeholder presentation

    5 Define Project Prioritization Criteria

    The Purpose

    Key Benefits Achieved

    Activities

    5.1 Create prioritization criteria

    5.2 Customize the project prioritization tool

    5.3 Pilot test the tool

    5.4 Define action plan and next steps

    Outputs

    IT Steering Committee Project Prioritization Tool

    Action plan

    Further reading

    Establish an Effective IT Steering Committee

    Have the right people making the right decisions to drive IT success.

    Our understanding of the problem

    This Research Is Designed For:

    • CIOs
    • IT Leaders

    This Research Will Also Assist:

    • Business Partners

    This Research Will Help You:

    • Structure an IT steering committee with the appropriate membership and responsibilities
    • Define appropriate cadence around business involvement in IT decision making
    • Define your IT steering committee processes, metrics, and timelines
    • Obtain buy-in for IT steering committee participations
    • Define the project prioritization criteria

    This Research Will Help Them:

    • Understand the importance of IT governance and their role
    • Identify and build the investment prioritization criteria

    Executive Summary

    Situation

    • An effective IT steering committee (ITSC) is one of the top predictors of value generated by IT, yet only 11% of CIOs believe their committees are effective.
    • An effective steering committee ensures that the right people are involved in critical decision making to drive organizational value.

    Complication

    • Unfortunately, when CIOs do implement IT steering committees, they often lack the appropriate structure and processes to be effective.
    • Due to the high profile of the IT steering committee membership, CIOs need to get this right – or their reputation is at risk.

    Resolution

    Leverage Info-Tech’s process and deliverables to see dramatic improvements in your business satisfaction through an effective IT steering committee. This blueprint will provide three core customizable deliverables that you can use to launch or optimize your IT steering committee. These include:

    1. IT Steering Committee Charter: Customizable charter complete with example purpose, goals, responsibilities, procedures, RACI, and processes. Use this template in combination with this blueprint to get a highly tailored committee.
    2. IT Stakeholder Presentation: Use our customizable presentation guide to build understanding around the goals and purpose of the IT steering committee and generate support from your leadership team.
    3. IT Steering Committee Project Prioritization Tool: Engage your IT steering committee participants in defining the project prioritization criteria. Use our template to track project prioritization and assess your portfolio.

    Info-Tech Insight

    1. 88% of IT steering committees fail. The organizations that succeed have clearly defined responsibilities that are based on business needs.
    2. Without a documented process your committee can’t execute on its responsibilities. Clearly define the flow of information to make your committee actionable.
    3. Limit your headaches by holding your IT steering committee accountable for defining project prioritization criteria.

    IT Steering Committee

    Effective IT governance critical in driving business satisfaction with IT. Yet 88% of CIOs believe that their governance structure and processes are not effective. The IT steering committee (ITSC) is the heart of the governance body and brings together critical organizational stakeholders to enable effective decision making (Info-Tech Research Group Webinar Survey).

    IT STEERING COMMITTEES HAVE 3 PRIMARY OBJECTIVES – TO IMPROVE:

    1. Alignment: IT steering committees drive IT and business strategy alignment by having business partners jointly accountable for the prioritization and selection of projects and investments within the context of IT capacity.
    2. Accountability: The ITSC facilitates the involvement and commitment of executive management through clearly defined roles and accountabilities for IT decisions in five critical areas: investments, projects, risk, services, and data.
    3. Value Generation: The ITSC is responsible for the ongoing evaluation of IT value and performance of IT services. The committee should define these standards and approve remediation plans when there is non-achievement.

    "Everyone needs good IT, but no one wants to talk about it. Most CFOs would rather spend time with their in-laws than in an IT steering-committee meeting. But companies with good governance consistently outperform companies with bad. Which group do you want to be in?"

    – Martha Heller, President, Heller Search Associates

    An effective IT steering committee improves IT and business alignment and increases support for IT across the organization

    CEOs’ PERCEPTION OF IT AND BUSINESS ALIGNMENT

    67% of CIOs/CEOs are misaligned on the target role for IT.

    47% of CEOs believe that business goals are going unsupported by IT.

    64% of CEOs believe that improvement is required around IT’s understanding of business goals.

    28% of business leaders are supporters of their IT departments.

    A well devised IT steering committee ensures that core business partners are involved in critical decision making and that decisions are based on business goals – not who shouts the loudest. Leading to faster decision-making time, and better-quality decisions and outcomes.

    Source: Info-Tech CIO/CEO Alignment data

    Despite the benefits, 9 out of 10 steering committees are unsuccessful

    WHY DO IT STEERING COMMITTEES FAIL?

    1. A lack of appetite for an IT steering committee from business partners
    2. An effective ITSC requires participation from core members of the organization’s leadership team. The challenge is that most business partners don’t understand the benefits of an ITSC and the responsibilities aren’t tailored to participants’ needs or interests. It’s the CIOs responsibility to make this case to stakeholders and right-size the committee responsibilities and membership.
    3. IT steering committees are given inappropriate responsibilities
    4. The IT steering committee is fundamentally about decision making; it’s not a working committee. CIOs struggle with clarifying these responsibilities on two fronts: either the responsibilities are too vague and there is no clear way to execute on them within a meeting, or responsibilities are too tactical and require knowledge that participants do not have. Responsibilities should determine who is on the ITSC, not the other way around.
    5. Lack of process around execution
    6. An ITSC is only valuable if members are able to successfully execute on the responsibilities. Without well defined processes it becomes nearly impossible for the ITSC to be actionable. As a result, participants lack the information they need to make critical decisions, agendas are unmet, and meetings are seen as a waste of time.

    GOVERNANCE and ITSC and IT Management

    Organizations often blur the line between governance and management, resulting in the business having say over the wrong things. Understand the differences and make sure both groups understand their role.

    The ITSC is the most senior body within the IT governance structure, involving key business executives and focusing on critical strategic decisions impacting the whole organization.

    Within a holistic governance structure, organizations may have additional committees that evaluate, direct, and monitor key decisions at a more tactical level and report into the ITSC.

    These committees require specialized knowledge and are implemented to meet specific organizational needs. Those operational committees may spark a tactical task force to act on specific needs.

    IT management is responsible for executing on, running, and monitoring strategic activities as determined by IT governance.

    RELATIONSHIP BETWEEN STRATEGIC, TACTICAL, AND OPERATIONAL GROUPS

    Strategic IT Steering Committee
    Tactical

    Project Governance Service Governance

    Risk Governance Information Governance

    IT Management
    Operational Risk Task Force

    This blueprint focuses exclusively on building the IT steering committee. For more information on IT governance see Info-Tech’s blueprint Tailor an IT Governance Plan to Fit Organizational Needs.

    1. Governance of the IT Portfolio & Investments: ensures that funding and resources are systematically allocated to the priority projects that deliver value
    2. Governance of Projects: ensures that IT projects deliver the expected value, and that the PM methodology is measured and effective.
    3. Governance of Risks: ensures the organization’s ability to assess and deliver IT projects and services with acceptable risk.
    4. Governance of Services: ensures that IT delivers the required services at the acceptable performance levels.
    5. Governance of Information and Data: ensures the appropriate classification and retention of data based on business need.

    If these symptoms resonate with you, it might be time to invest in building an IT steering committee

    SIGNS YOU MAY NEED TO BUILD AN IT STEERING COMMITTEE

    As CIO I find that there is a lack of alignment between business and IT strategies.
    I’ve noticed that projects are thrown over the fence by stakeholders and IT is expected to comply.
    I’ve noticed that IT projects are not meeting target project metrics.
    I’ve struggled with a lack of accountability for decision making, especially by the business.
    I’ve noticed that the business does not understand the full cost of initiatives and projects.
    I don’t have the authority to say “no” when business requests come our way.
    We lack a standardized approach for prioritizing projects.
    IT has a bad reputation within the organization, and I need a way to improve relationships.
    Business partners are unaware of how decisions are made around IT risks.
    Business partners don’t understand the full scope of IT responsibilities.
    There are no SLAs in place and no way to measure stakeholder satisfaction with IT.

    Info-Tech’s approach to implementing an IT steering committee

    Info-Tech’s IT steering committee development blueprint will provide you with the required tools, templates, and deliverables to implement a right-sized committee that’s effective the first time.

    • Measure your business partner level of awareness and interest in the five IT governance areas, and target specific responsibilities for your steering committee based on need.
    • Customize Info-Tech’s IT Steering Committee Charter Template to define and document the steering committee purpose, responsibilities, participation, and cadence.
    • Build critical steering committee processes to enable information to flow into and out of the committee to ensure that the committee is able to execute on responsibilities.
    • Customize Info-Tech’s IT Steering Committee Stakeholder Presentation template to make your first meeting a breeze, providing stakeholders with the information they need, with less than two hours of preparation time.
    • Leverage our workshop guide and prioritization tools to facilitate a meeting with IT steering committee members to define the prioritization criteria for projects and investments and roll out a streamlined process.

    Info-Tech’s Four-Phase Process

    Key Deliverables:
    1 2 3 4
    Build the Steering Committee Charter Define ITSC Processes Build the Stakeholder Presentation Define the Prioritization Criteria
    • IT Steering Committee Stakeholder Survey
    • IT Steering Committee Charter
      • Purpose
      • Responsibilities
      • RACI
      • Procedures
    • IT Steering Committee SIPOC (Suppliers, Inputs, Process, Outputs, Customers)
    • Defined process frequency
    • Defined governance metrics
    • IT Steering Committee Stakeholder Presentation template
      • Introduction
      • Survey outcomes
      • Responsibilities
      • Next steps
      • ITSC goals
    • IT project prioritization facilitation guide
    • IT Steering Committee Project Prioritization Tool
    • Project Intake Form

    Leverage both COBIT and Info-Tech-defined metrics to evaluate the success of your program or project

    COBIT METRICS Alignment
    • Percent of enterprise strategic goals and requirements supported by strategic goals.
    • Level of stakeholder satisfaction with scope of the planned portfolio of programs and services.
    Accountability
    • Percent of executive management roles with clearly defined accountabilities for IT decisions.
    • Rate of execution of executive IT-related decisions.
    Value Generation
    • Level of stakeholder satisfaction and perceived value.
    • Number of business disruptions due to IT service incidents.
    INFO-TECH METRICS Survey Metrics:
    • Percent of business leaders who believe they understand how decisions are made in the five governance areas.
    • Percentage of business leaders who believe decision making involved the right people.
    Value of Customizable Deliverables:
    • Estimated time to build IT steering committee charter independently X cost of employee
    • Estimated time to build and generate customer stakeholder survey and generate reports X cost of employee
    • # of project interruptions due to new or unplanned projects

    CASE STUDY

    Industry: Consumer Goods

    Source: Interview

    Situation

    A newly hired CIO at a large consumer goods company inherited an IT department with low maturity from her predecessor. Satisfaction with IT was very low across all business units, and IT faced a lot of capacity constraints. The business saw IT as a bottleneck or red tape in terms of getting their projects approved and completed.

    The previous CIO had established a steering committee for a short time, but it had a poorly established charter that did not involve all of the business units. Also the role and responsibilities of the steering committee were not clearly defined. This led the committee to be bogged down in politics.

    Due to the previous issues, the business was wary of being involved in a new steering committee. In order to establish a new steering committee, the new CIO needed to navigate the bad reputation of the previous CIO.

    Solution

    The CIO established a new steering committee engaging senior members of each business unit. The roles of the committee members were clearly established in the new steering committee charter and business stakeholders were informed of the changes through presentations.

    The importance of the committee was demonstrated through the new intake and prioritization process for projects. Business stakeholders were impressed with the new process and its transparency and IT was no longer seen as a bottleneck.

    Results

    • Satisfaction with IT increased by 12% after establishing the committee and IT was no longer seen as red tape for completing projects
    • IT received approval to hire two more staff members to increase capacity
    • IT was able to augment service levels, allowing them to reinvest in innovative projects
    • Project prioritization process was streamlined

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    “Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.”

    Guided Implementation

    “Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.”

    Workshop

    “We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.”

    Consulting

    “Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”

    Diagnostics and consistent frameworks used throughout all four options

    Establish an Effective IT Steering Committee

    Build the Steering Committee Charter Define ITSC Processes Build the Stakeholder Presentation Define the Prioritization Criteria
    Best-Practice Toolkit

    1.1 Survey Your Steering Committee Stakeholders

    1.2 Build Your ITSC Charter

    2.1 Build a SIPOC

    2.2 Define Your ITSC Process

    3.1 Customize the Stakeholder Presentation

    4.1 Establish your Prioritization Criteria

    4.2 Customize the Project Prioritization Tool

    4.3 Pilot Test Your New Prioritization Criteria

    Guided Implementations
    • Launch your stakeholder survey
    • Analyze the results of the survey
    • Build your new ITSC charter
    • Review your completed charter
    • Build and review your SIPOC
    • Review your high-level steering committee processes
    • Customize the presentation
    • Build a script for the presentation
    • Practice the presentation
    • Review and select prioritization criteria
    • Review the Project Prioritization Tool
    • Review the results of the tool pilot test
    Onsite Workshop

    Module 1:

    Build a New ITSC Charter

    Module 2:

    Design Steering Committee Processes

    Module 3:

    Present the New Steering Committee to Stakeholders

    Module 4:

    Establish Project Prioritization Criteria

    Phase 1 Results:
    • Customized ITSC charter

    Phase 2 Results:

    • Completed SIPOC and steering committee processes
    Phase 3 Results:
    • Customized presentation deck and script
    Phase 4 Results:
    • Customized project prioritization tool

    Workshop overview

    Contact your account representative or email Workshops@InfoTech.com for more information.

    Workshop Day 1 Workshop Day 2 Workshop Day 3 Workshop Day 4 Workshop Day 5
    Activities

    Build the IT Steering Committee

    1.1 Launch stakeholder survey for business leaders

    1.2 Analyze results with an Info-Tech Advisor

    1.3 Identify opportunities and threats to successful IT steering committee implementation.

    1.4 Develop the fit-for-purpose approach

    Define the ITSC Goals

    2.1 Review the role of the IT steering committee

    2.2 Identify IT steering committee goals and objectives

    2.3 Conduct a SWOT analysis on the five governance areas

    2.4 Define the key responsibilities of the ITSC 2.5 Define ITSC participation

    Define the ITSC Charter

    3.1 Build IT steering committee participant RACI

    3.2 Define your responsibility cadence and agendas

    3.3 Develop IT steering committee procedures

    3.4 Define your IT steering committee purpose statement and goals

    Define the ITSC Process

    4.1 Define your high-level IT steering committee processes

    4.2 Conduct scenario testing on key processes, establish ITSC metrics

    4.3 Build your ITSC stakeholder presentation

    4.4 Manage potential objections

    Define Project Prioritization Criteria

    5.1 Create prioritization criteria

    5.2 Customize the Project Prioritization Tool

    5.3 Pilot test the tool

    5.4 Define action plan and next steps

    Deliverables
    1. Report on business leader governance priorities and awareness
    2. Refined workshop agenda
    1. IT steering committee priorities identified
    2. IT steering committee key responsibilities and participants identified
    1. IT steering committee charter: procedures, agenda, and RACI
    2. Defined purpose statement and goals
    1. IT steering committee SIPOC maps
    2. Refined stakeholder presentation
    1. Project Prioritization Tool
    2. Action plan

    Phase 1

    Build the IT Steering Committee Charter

    Phase 1 outline

    Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

    Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

    Guided Implementation 1: Formalize the Security Policy Program

    Proposed Time to Completion: 1-2 weeks

    Select Your ITSC Members

    Start with an analyst kick-off call:

    • Launch your stakeholder survey

    Then complete these activities…

    • Tailor the survey questions
    • Identify participants and tailor email templates

    With these tools & templates:

    • ITSC Stakeholder Survey
    • ITSC Charter Template

    Review Stakeholder Survey Results

    Review findings with analyst:

    • Review the results of the Stakeholder Survey

    Then complete these activities…

    • Customize the ITSC Charter Template

    With these tools & templates:

    • ITSC Charter Template

    Finalize the ITSC Charter

    Finalize phase deliverable:

    • Review the finalized ITSC charter with an Info-Tech analyst

    Then complete these activities…

    • Finalize any changes to the ITSC Charter
    • Present it to ITSC Members

    With these tools & templates:

    • ITSC Charter Template

    Build the IT Steering Committee Charter

    This step will walk you through the following activities:

    • Launch and analyze the stakeholder survey
    • Define your ITSC goals and purpose statement
    • Determine ITSC responsibilities and participants
    • Determine ITSC procedures

    This step involves the following participants:

    • CIO
    • IT Steering Committee
    • IT Leadership Team
    • PMO

    Key Insight:

    Be exclusive with your IT steering committee membership. Determine committee participation based on committee responsibilities. Select only those who are key decision makers for the activities the committee is responsible for and, wherever possible, keep membership to 5-8 people.

    Tailor Info-Tech’s IT Steering Committee Charter Template to define terms of reference for the ITSC

    1.1

    A charter is the organizational mandate that outlines the purpose, scope, and authority of the ITSC. Without a charter, the steering committee’s value, scope, and success criteria are unclear to participants, resulting in unrealistic stakeholder expectations and poor organizational acceptance.

    Start by reviewing Info-Tech’s template. Throughout this section we will help you to tailor its contents.

    Committee Purpose: The rationale, benefits of, and overall function of the committee.

    Responsibilities: What tasks/decisions the accountable committee is making.

    Participation: Who is on the committee

    RACI: Who is accountable, responsible, consulted, and informed regarding each responsibility.

    Committee Procedures and Agendas: Includes how the committee will be organized and how the committee will interact and communicate with business units.

    A screenshot of Info-Tech's <em data-verified=IT Steering Committee Charter Template.">

    IT Steering Committee Charter

    Take a data-driven approach to build your IT steering committee based on business priorities

    1.2

    Leverage Info-Tech’s IT Steering Committee Stakeholder Surveyand reports to quickly identify business priorities and level of understanding of how decisions are made around the five governance areas.

    Use these insights to drive the IT steering committee responsibilities, participation, and communication strategy.

    The Stakeholder Survey consists of 17 questions on:

    • Priority governance areas
    • Desired level of involvement in decision making in the five governance areas
    • Knowledge of how decisions are made
    • Five open-ended questions on improvement opportunities

    To simplify your data collection and reporting, Info-Tech can launch a web-based survey, compile the report data and assist in the data interpretation through one of our guided implementations.

    Also included is a Word document with recommended questions, if you prefer to manage the survey logistics internally.

    A screenshot of Info-Tech's first page of the <em data-verified=IT Steering Committee Stakeholder Survey "> A screenshot of Info-Tech's survey.

    Leverage governance reports to define responsibilities and participants, and in your presentation to stakeholders

    1.3

    A screenshot is displayed. It advises that 72% of stakeholders do <strong data-verified= understand how decisions around IT services are made (quality, availability, etc.). Two graphs are included in the screenshot. One of the bar graphs shows the satisfaction with the quality of decisions and transparency around IT services. The other bar graph displays IT decisions around service delivery and quality that involve the right people.">

    OVERALL PRIORITIES

    You get:

    • A clear breakdown of stakeholders’ level of understanding on how IT decisions are made in the five governance areas
    • Stakeholder perceptions on the level of IT and business involvement in decision making
    • Identification of priority areas

    So you can:

    • Get an overall pulse check for understanding
    • Make the case for changes in decision-making accountability
    • Identify which areas the IT steering committee should focus on
    A screenshot is displayed. It advises that 80% of stakeholders do <strong data-verified=not understand how decisions around IT investments or project and service resourcing are made. Two bar graphs are displayed. One of the bar graphs shows the satisfaction with the quality of decisions made around IT investments. The other graph display IT decisions around spending priorities involving the right people.">

    GOVERNANCE AREA REPORTS

    You get:

    • Satisfaction score for decision quality in each governance area
    • Breakdown of decision-making accountability effectiveness
    • Identified level of understanding around decision making
    • Open-ended comments

    So you can:

    • Identify the highest priority areas to change.
    • To validate changes in decision-making accountability
    • To understand business perspectives on decision making.

    Conduct a SWOT analysis of the five governance areas

    1.4

    1. Hold a meeting with your IT leadership team to conduct a SWOT analysis on each of the five governance areas. Start by printing off the following five slides to provide participants with examples of the role of governance and the symptoms of poor governance in each area.
    2. In groups of 1-2 people, have each group complete a SWOT analysis for one of the governance areas. For each consider:
    • Strengths: What is currently working well in this area?
    • Weaknesses: What could you improve? What are some of the challenges you’re experiencing?
    • Opportunities: What are some organizational trends that you can leverage? Consider whether your strengths or weaknesses that could create opportunities?
    • Threats: What are some key obstacles across people, process, and technology?
  • Have each team or individual rotate until each person has contributed to each SWOT. Add comments from the stakeholder survey to the SWOT.
  • As a group rank each of the five areas in terms of importance for a phase one IT steering committee implementation, and highlight the top 10 challenges, and the top 10 opportunities you see for improvement.
  • Document the top 10 lists for use in the stakeholder presentation.
  • INPUT

    • Survey outcomes
    • Governance overview handouts

    OUTPUT

    • SWOT analysis
    • Ranked 5 areas
    • Top 10 challenges and opportunities identified.

    Materials

    • Governance handouts
    • Flip chart paper, pens

    Participants

    • IT leadership team

    Governance of RISK

    Governance of risk establishes the risk framework, establishes policies and standards, and monitors risks.

    Governance of risk ensures that IT is mitigating all relevant risks associated with IT investments, projects, and services.

    GOVERNANCE ROLES:

    1. Defines responsibility and accountability for IT risk identification and mitigation.
    2. Ensures the consideration of all elements of IT risk, including value, change, availability, security, project, and recovery
    3. Enables senior management to make better IT decisions based on the evaluation of the risks involved
    4. Facilitates the identification and analysis of IT risk and ensures the organization’s informed response to that risk.

    Symptoms of poor governance of risk

    • Opportunities for value creation are missed by not considering or assessing IT risk, or by completely avoiding all risk.
    • No formal risk management process or accountabilities exist.
    • There is no business continuity strategy.
    • Frequent security breaches occur.
    • System downtime occurs due to failed IT changes.

    Governance of PPM

    Governance of the IT portfolio achieves optimum ROI through prioritization, funding, and resourcing.

    PPM practices create value if they maximize the throughput of high-value IT projects at the lowest possible cost. They destroy value when they foster needlessly sophisticated and costly processes.

    GOVERNANCE ROLES:

    1. Ensures that the projects that deliver greater business value get a higher priority.
    2. Provides adequate funding for the priority projects and ensures adequate resourcing and funding balanced across the entire portfolio of projects.
    3. Makes the business and IT jointly accountable for setting project priorities.
    4. Evaluate, direct, and monitor IT value metrics and endorse the IT strategy and monitor progress.

    Symptoms of poor governance of PPM/investments

    • The IT investment mix is determined solely by Finance and IT.
    • It is difficult to get important projects approved.
    • Projects are started then halted, and resources are moved to other projects.
    • Senior management has no idea what projects are in the backlog.
    • Projects are approved without a valid business case.

    Governance of PROJECTS

    Governance of projects improves the quality and speed of decision making for project issues.

    Don’t confuse project governance and management. Governance makes the decisions regarding allocation of funding and resources and reviews the overall project portfolio metrics and process methodology.

    Management ensures the project deliverables are completed within the constraints of time, budget, scope, and quality.

    GOVERNANCE ROLES:

    1. Monitors and evaluates the project management process and critical project methodology metrics.
    2. Ensures review and mitigation of project issue and that management is aware of projects in crisis.
    3. Ensures that projects beginning to show characteristics of failure cannot proceed until issues are resolved.
    4. Endorses the project risk criteria, and monitors major risks to project completion.
    5. Approves the launch and execution of projects.

    Symptoms of poor governance of projects

    • Projects frequently fail or get cancelled.
    • Project risks and issues are not identified or addressed.
    • There is no formal project management process.
    • There is no senior stakeholder responsible for making project decisions.
    • There is no formal project reporting.

    Governance of SERVICES

    Governance of services ensures delivery of a highly reliable set of IT services.

    Effective governance of services enables the business to achieve the organization’s goals and strategies through the provision of reliable and cost-effective services.

    GOVERNANCE ROLES:

    1. Ensures the satisfactory performance of those services critical to achieving business objectives.
    2. Monitors and directs changes in service levels.
    3. Ensures operational and performance objectives for IT services are met.
    4. Approves policy and standards on the service portfolio.

    Symptoms of poor governance of service

    • There is a misalignment of business needs and expectations with IT capability.
    • No metrics are reported for IT services.
    • The business is unaware of the IT services available to them.
    • There is no accountability for service level performance.
    • There is no continuous improvement plan for IT services.
    • IT services or systems are frequently unavailable.
    • Business satisfaction with IT scores are low.

    Governance of INFORMATION

    Governance of information ensures the proper handling of data and information.

    Effective governance of information ensures the appropriate classification, retention, confidentiality, integrity, and availability of data in line with the needs of the business.

    GOVERNANCE ROLES:

    1. Ensures the information lifecycle owner and process are defined and endorse by business leadership.
    2. Ensures the controlled access to a comprehensive information management system.
    3. Ensures knowledge, information, and data are gathered, analyzed, stored, shared, used, and maintained.
    4. Ensures that external regulations are identified and met.

    Symptoms of poor governance of information

    • There is a lack of clarity around data ownership, and data quality standards.
    • There is insufficient understanding of what knowledge, information, and data are needed by the organization.
    • There is too much effort spent on knowledge capture as opposed to knowledge transfer and re-use.
    • There is too much focus on storing and sharing knowledge and information that is not up to date or relevant.
    • Personnel see information management as interfering with their work.

    Identify the responsibilities of the IT steering committee

    1.5

    1. With your IT leadership team, review the typical responsibilities of the IT steering committee on the following slide.
    2. Print off the following slide, and in your teams of 1-2 have each group identify which responsibilities they believe the IT steering committee should have, brainstorm any additional responsibilities, and document their reasoning.
    3. Note: The bolded responsibilities are the ones that are most common to IT steering committees, and greyed out responsibilities are typical of a larger governance structure. Depending on their level of importance to your organization, you may choose to include the responsibility.

    4. Have each team present to the larger group, track the similarities and differences between each of the groups, and come to consensus on the list of responsibilities.
    5. Complete a sanity check – review your swot analysis and survey results. Do the responsibilities you’ve identified resolve the critical challenges or weaknesses?
    6. As a group, consider the responsibilities and consider whether you can reasonably implement those in one year, or if there are any that will need to wait until year two of the IT steering committee.
    7. Modify the list of responsibilities in Info-Tech’s IT Steering Committee Charter by deleting the responsibilities you do not need and adding any that you identified in the process.

    INPUT

    • SWOT analysis
    • Survey reports

    OUTPUT

    • Defined ITSC responsibilities documented in the ITSC Charter

    Materials

    • Responsibilities handout
    • Voting dots

    Participants

    • IT leadership team

    Typical IT steering committee and governance responsibilities

    The bolded responsibilities are those that are most common to IT steering committees, and responsibilities listed in grey are typical of a larger governance structure.

    INVESTMENTS / PPM

    • Establish the target investment mix
    • Evaluate and select programs/projects to fund
    • Monitor IT value metrics
    • Endorse the IT budget
    • Monitor and report on program/project outcomes
    • Direct the governance optimization
    • Endorse the IT strategy

    PROJECTS

    • Monitor project management metrics
    • Approve launch of projects
    • Review major obstacles to project completion
    • Monitor a standard approach to project management
    • Monitor and direct project risk
    • Monitor requirements gathering process effectiveness
    • Review feasibility studies and formulate alternative solutions for high risk/high investment projects

    SERVICE

    • Monitor stakeholder satisfaction with services
    • Monitor service metrics
    • Approve plans for new or changed service requirements
    • Monitor and direct changes in service levels
    • Endorse the enterprise architecture
    • Approve policy and standards on the service portfolio
    • Monitor performance and capacity

    RISK

    • Monitor risk management metrics
    • Review the prioritized list of risks
    • Monitor changes in external regulations
    • Maintain risk profiles
    • Approve the risk management emergency action process
    • Maintain a mitigation plan to minimize risk impact and likelihood
    • Evaluate risk management
    • Direct risk management

    INFORMATION / DATA

    • Define information lifecycle process ownership
    • Monitor information lifecycle metrics
    • Define and monitor information risk
    • Approve classification categories of information
    • Approve information lifecycle process
    • Set policies on retirement of information

    Determine committee membership based on the committee’s responsibilities

    • One of the biggest benefits to an IT steering committee is it involves key leadership from the various lines of business across the organization.
    • However, in most cases, more people get involved than is required, and all the committee ends up accomplishing is a lot of theorizing. Participants should be selected based on the identified responsibilities of the IT steering committee.
    • If the responsibilities don’t match the participants, this will negatively impact committee effectiveness as leaders become disengaged in the process and don’t feel like it applies to them or accomplishes the desired goals. Once participants begin dissenting, it’s significantly more difficult to get results.
    • Be careful! When you have more than one individual in a specific role, select only the people whose attendance is absolutely critical. Don’t let your governance collapse under committee overload!

    LIKELY PARTICIPANT EXAMPLES:

    MUNICIPALITY

    • City Manager
    • CIO/IT Leader
    • CCO
    • CFO
    • Division Heads

    EDUCATION

    • Provost
    • Vice Provost
    • VP Academic
    • VP Research
    • VP Public Affairs
    • VP Operations
    • VP Development
    • Etc.

    HEALTHCARE

    • President/CEO
    • CAO
    • EVP/ EDOs
    • VPs
    • CIO
    • CMO

    PRIVATE ORGANIZATIONS

    • CEO
    • CFO
    • COO
    • VP Marketing
    • VP Sales
    • VP HR
    • VP Product Development
    • VP Engineering
    • Etc.

    Identify committee participants and responsibility cadence

    1.6

    1. In a meeting with your IT leadership team, review the list of committee responsibilities and document them on a whiteboard.
    2. For each responsibility, identify the individuals whom you would want to be either responsible or accountable for that decision.
    3. Repeat this until you’ve completed the exercise for each responsibility.
    4. Group the responsibilities with the same participants and highlight groupings with less than four participants. Consider the responsibility and determine whether you need to change the wording to make it more applicable or if you should remove the responsibility.
    5. Review the grouping, the responsibilities within them, and their participants, and assess how frequently you would like to meet about them – annually, quarterly, or monthly. (Note: suggested frequency can be found in the IT Steering Committee Charter.)
    6. Subdivide the responsibilities for the groupings to determine your annual, quarterly, and monthly meeting schedule.
    7. Validate that one steering committee is all that is needed, or divide the responsibilities into multiple committees.
    8. Document the committee participants in the IT Steering Committee Charter and remove any unneeded responsibilities identified in the previous exercise.

    INPUT

    • List of responsibilities

    OUTPUT

    • ITSC participants list
    • Meeting schedule

    Materials

    • Whiteboard
    • Markers

    Participants

    • IT leadership team

    Committees can only be effective if they have clear and documented authority

    It is not enough to participate in committee meetings; there needs to be a clear understanding of who is accountable, responsible, consulted, and informed about matters brought to the attention of the committee.

    Each committee responsibility should have one person who is accountable, and at least one person who is responsible. This is the best way to ensure that committee work gets done.

    An authority matrix is often used within organizations to indicate roles and responsibilities in relation to processes and activities. Using the RACI model as an example, there is only one person accountable for an activity, although several people may be responsible for executing parts of the activity. In this model, accountable means end-to-end accountability for the process.

    RESPONSIBLE: The one responsible for getting the job done.

    ACCOUNTABLE: Only one person can be accountable for each task.

    CONSULTED: Involvement through input of knowledge and information.

    INFORMED: Receiving information about process execution and quality.

    A chart is depicted to show an example of the authority matrix using the RACI model.

    Define IT steering committee participant RACI for each of the responsibilities

    1.7

    1. Use the table provided in the IT Steering Committee Charter and edit he list of responsibilities to reflect the chosen responsibilities of your ITSC.
    2. Along the top of the chart list the participant names, and in the right hand column of the table document the agreed upon timing from the previous exercise.
    3. For each of the responsibilities identify whether participants are Responsible, Accountable, Consulted, or Informed by denoting an R, A, C, I, or N/A in the table. Use N/A if this is a responsibility that the participant has no involvement in.
    4. Review your finalized RACI chart. If there are participants who are only consulted or informed about the majority of responsibilities, consider removing them from the IT steering committee. You only want the decision makers on the committee.

    INPUT

    • Responsibilities
    • Participants

    OUTPUT

    • RACI documented in the ITSC Charter

    Materials

    • ITSC RACI template
    • Projector

    Participants

    • IT leadership

    Building the agenda may seem trivial, but it is key for running effective meetings

    49% of people consider unfocused meetings as the biggest workplace time waster.*

    63% of the time meetings do not have prepared agendas.*

    80% Reduction of time spent in meetings by following a detailed agenda and starting on time.*

    *(Source: http://visual.ly/fail-plan-plan-fail).

    EFFECTIVE MEETING AGENDAS:

    1. Have clearly defined meeting objectives.
    2. Effectively time-boxed based on priority items.
    3. Defined at least two weeks prior to the meetings.
    4. Evaluated regularly – are not static.
    5. Leave time at the end for new business, thus minimizing interruptions.

    BUILDING A CONSENT AGENDA

    A consent agenda is a tool to free up time at meetings by combining previously discussed or simple items into a single item. Items that can be added to the consent agenda are those that are routine, noncontroversial, or provided for information’s sake only. It is expected that participants read this information and, if it is not pulled out, that they are in agreement with the details.

    Members have the option to pull items out of the consent agenda for discussion if they have questions. Otherwise these are given no time on the agenda.

    Define the IT steering committee meeting agendas and procedures

    1.8

    Agendas

    1. Review the listed responsibilities, participants, and timing as identified in a previous exercise.
    2. Annual meeting: Identify if all of the responsibilities will be included in the annual meeting agenda (likely all governance responsibilities).
    3. Quarterly Meeting Agenda: Remove the meeting responsibilities from the annual meeting agenda that are not required and create a list of responsibilities for the quarterly meetings.
    4. Monthly Meeting Agenda: Remove all responsibilities from the list that are only annual or quarterly and compile a list of monthly meeting responsibilities.
    5. Review each responsibility, and estimate the amount of time each task will take within the meeting. We recommend giving yourself at least an extra 10-20% more time for each agenda item for your first meeting. It’s better to have more time than to run out.
    6. Complete the Agenda Template in the IT Steering Committee Charter.

    Procedures:

    1. Review the list of IT steering committee procedures, and replace the grey text with the information appropriate for your organization.

    INPUT

    • Responsibility cadence

    OUTPUT

    • ITSC annual, quarterly, monthly meeting agendas & procedures

    Materials

    • ITSC Charter

    Participants

    • IT leadership team

    Draft your IT steering committee purpose statement and goals

    1.9

    1. In a meeting with your IT leadership team – and considering the defined responsibilities, participants, and opportunities and threats identified – review the example goal statement in the IT Steering Committee Charter, and first identify whether any of these statements apply to your organization. Select the statements that apply and collaboratively make any changes needed.
    2. Define unique goal statements by considering the following questions:
      1. What three things would you realistically list for the ITSC to achieve.
      2. If you were to accomplish three things in the next year, what would those be?
    3. Document those goals in the IT Steering Committee Charter.
    4. With those goal statements in mind, consider the overall purpose of the committee. The purpose statement should be a reflection of what the committee does, why it does it, and the goals.
    5. Have each individual review the example purpose statement, and draft what they think a good purpose statement would be.
    6. Present each statement, and work together to determine a best of breed statement.
    7. Document this in the IT Steering Committee Charter.

    INPUT

    • Responsibilities, participants, top 10 lists of challenges and opportunities.

    OUTPUT

    • ITSC goals and purpose statement

    Materials

    • ITSC Charter

    Participants

    • IT leadership team

    CASE STUDY

    "Clearly defined Committee Charter allows CIO to escape the bad reputation of previous committee."

    Industry: Consumer Goods

    Source: Interview

    CHALLENGE

    The new CIO at a large consumer goods company had difficulty generating interest in creating a new IT steering committee. The previous CIO had created a steering committee that was poorly organized and did not involve all of the pertinent members. This led to a committee focused on politics that would often devolve into gossip. Also, many members were dissatisfied with the irregular meetings that would often go over their allotted time.

    In order to create a new committee, the new CIO needed to dispel the misgivings of the business leadership.

    SOLUTION

    The new CIO decided to build the new steering committee from the ground up in a systematic way.

    She collected information from relevant stakeholders about what they know/how they feel about IT and used this information to build a detailed charter.

    Using this info she outlined the new steering committee charter and included in it the:

    1. Purpose
    2. Responsibilities
    3. RACI Chart
    4. Procedures

    OUTCOME

    The new steering committee included all the key members of business units, and each member was clear on their roles in the meetings. Meetings were streamlined and effective. The adjustments in the charter and the improvement in meeting quality played a role in improving the satisfaction scores of business leaders with IT by 21%.

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech workshop

    Book a workshop with our Info-Tech analysts:

    • To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
    • Info-Tech analysts will join you and your team onsite at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.
    • Contact your account manager (www.infotech.com/account), or email Workshops@InfoTech.com for more information.

    The following are sample activities that will be conducted by Info-Tech analysts with your team:

    1.1

    A screenshot of activity 1.1 is displayed. 1.1 is about surveying your ITSC stakeholders.

    Survey your ITSC stakeholders

    Prior to the workshop, Info-Tech’s advisors will work with you to launch the IT Steering Committee Stakeholder Survey to understand business priorities and level of understanding of how decisions are made. Using this data, we will create the IT steering committee responsibilities, participation, and communication strategy.

    1.7

    A screenshot of activity 1.7 is displayed. 1.7 is about defining a participant RACI for each of the responsibilities.

    Define a participant RACI for each of the responsibilities

    The analyst will facilitate several exercises to help you and your stakeholders create an authority matrix. The output will be defined responsibilities and authorities for members.

    Phase 2

    Build the IT Steering Committee Process

    Phase 2 outline

    Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

    Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

    Guided Implementation 2: Define your ITSC Processes
    Proposed Time to Completion: 2 weeks

    Review SIPOCs and Process Creation

    Start with an analyst kick-off call:

    • Review the purpose of the SIPOC and how to build one

    Then complete these activities…

    • Build a draft SIPOC for your organization

    With these tools & templates:

    Phase 2 of the Establish an Effective IT Steering Committee blueprint

    Finalize the SIPOC

    Review Draft SIPOC:

    • Review and make changes to the SIPOC
    • Discuss potential metrics

    Then complete these activities…

    • Test survey link
    • Info-Tech launches survey

    With these tools & templates:

    Phase 2 of the Establish an Effective IT Steering Committee blueprint

    Finalize Metrics

    Finalize phase deliverable:

    • Finalize metrics

    Then complete these activities…

    • Establish ITSC metric triggers

    With these tools & templates:

    Phase 2 of the Establish an Effective IT Steering Committee blueprint

    Build the IT Steering Committee Process

    This step will walk you through the following activities:

    • Define high-level steering committee processes using SIPOC
    • Select steering committee metrics

    This step involves the following participants:

    • CIO
    • IT Steering Committee
    • IT Leadership Team
    • PMO

    Key Insight:

    Building high-level IT steering committee processes brings your committee to life. Having a clear process will ensure that you have the right information from the right sources so that committees can operate and deliver the appropriate output to the customers who need it.

    Build your high-level IT steering committee processes to enable committee functionality

    The IT steering committee is only valuable if members are able to successfully execute on responsibilities.

    One of the most common mistakes organizations make is that they build their committee charters and launch into their first meeting. Without defined inputs and outputs, a committee does not have the needed information to be able to effectively execute on responsibilities and is unable to meet its stated goals.

    The arrows in this picture represent the flow of information between the IT steering committee, other committees, and IT management.

    Building high-level processes will define how that information flows within and between committees and will enable more rapid decision making. Participants will have the information they need to be confident in their decisions.

    Strategic IT Steering Committee
    Tactical

    Project Governance Service Governance

    Risk Governance Information Governance

    IT Management
    Operational Risk Task Force

    Define the high-level process for each of the IT steering committee responsibilities

    Info-Tech recommends using SIPOC as a way of defining how the IT steering committee will operate.

    Derived from the core methodologies of Six Sigma process management, SIPOC – a model of Suppliers, Inputs, Processes, Outputs, Customers – is one of several tools that organizations can use to build high level processes. SIPOC is especially effective when determining process scope and boundaries and to gain consensus on a process.

    By doing so you’ll ensure that:

    1. Information and documentation required to complete each responsibility is identified.
    2. That the results of committee meetings are distributed to those customers who need the information.
    3. Inputs and outputs are identified and that there is defined accountability for providing these.

    Remember: Your IT steering committee is not a working committee. Enable effective decision making by ensuring participants have the necessary information and appropriate recommendations from key stakeholders to make decisions.

    Supplier Input
    Who provides the inputs to the governance responsibility. The documented information, data, or policy required to effectively respond to the responsibility.
    Process
    In this case this represents the IT steering committee responsibility defined in terms of the activity the ITSC is performing.
    Output Customer
    The outcome of the meeting: can be approval, rejection, recommendation, request for additional information, endorsement, etc. Receiver of the outputs from the committee responsibility.

    Define your SIPOC model for each of the IT steering committee responsibilities

    2.1

    1. In a meeting with your IT leadership, draw the SIPOC model on a whiteboard or flip-chart paper. Either review the examples on the following slides or start from scratch.
    2. If you are adjusting the following slides, consider the templates you already have which would be appropriate inputs and make adjustments as needed.

    For atypical responsibilities:

    1. Start with the governance responsibility and identify what specifically it is that the IT steering committee is doing with regards to that responsibility. Write that in the center of the model.
    2. As a group, consider what information or documentation would be required by the participants to effectively execute on the responsibility.
    3. Identify which individual will supply each piece of documentation. This person will be accountable for this moving forward.
    4. Outputs: Once the committee has met about the responsibility, what information or documentation will be produced. List all of those documents.
    5. Identify the individuals who need to receive the outputs of the information.
    6. Repeat this for all of the responsibilities.
    7. Once complete, document the SIPOC models in the IT Steering Committee Charter.

    INPUT

    • List of responsibilities
    • Example SIPOCs

    OUTPUT

    • SIPOC model for all responsibilities.

    Materials

    • Whiteboard
    • Markers
    • ITSC Charter

    Participants

    • IT leadership team

    SIPOC examples for typical ITSC responsibilities

    SIPOC: Establish the target investment mix
    Supplier Input
    CIO
    • Target investment mix and rationale
    Process
    Responsibility: The IT steering committee shall review and approve the target investment mix.
    Output Customer
    • Approval of target investment mix
    • Rejection of target investment mix
    • Request for additional information
    • CFO
    • CIO
    • IT leadership
    SIPOC: Endorse the IT budget
    Supplier Input
    CIO
    • Recommendations

    See Info-Tech’s blueprint IT Budget Presentation

    Process

    Responsibility: Review the proposed IT budget as defined by the CIO and CFO.

    Output Customer
    • Signed endorsement of the IT budget
    • Request for additional information
    • Recommendation for changes to the IT budget.
    • CFO
    • CIO
    • IT leadership

    SIPOC examples for typical ITSC responsibilities

    SIPOC: Monitor IT value metrics
    Supplier Input
    CIO
    • IT value dashboard
    • Key metric takeaways
    • Recommendations
    CIO Business Vision
    Process

    Responsibility: Review recommendations and either accept or reject recommendations. Refine go-forward metrics.

    Output Customer
    • Launch corrective task force
    • Accept recommendations
    • Define target metrics
    • CEO
    • CFO
    • Business executives
    • CIO
    • IT leadership
    SIPOC: Evaluate and select programs/projects to fund
    Supplier Input
    PMO
    • Recommended project list
    • Project intake documents
    • Prioritization criteria
    • Capacity metrics
    • IT budget

    See Info-Tech’s blueprint

    Grow Your Own PPM Solution
    Process

    Responsibility: The ITSC will approve the list of projects to fund based on defined prioritization criteria – in line with capacity and IT budget.

    It is also responsible for identifying the prioritization criteria in line with organizational priorities.

    Output Customer
    • Approved project list
    • Request for additional information
    • Recommendation for increased resources
    • PMO
    • CIO
    • Project sponsors

    SIPOC examples for typical ITSC responsibilities

    SIPOC: Endorse the IT strategy
    Supplier Input
    CIO
    • IT strategy presentation

    See Info-Tech’s blueprint

    IT Strategy and Roadmap
    Process

    Responsibility: Review, understand, and endorse the IT strategy.

    Output Customer
    • Signed endorsement of the IT strategy
    • Recommendations for adjustments
    • CEO
    • CFO
    • Business executives
    • IT leadership
    SIPOC: Monitor project management metrics
    Supplier Input
    PMO
    • Project metrics report with recommendations
    Process

    Responsibility: Review recommendations around PM metrics and define target metrics. Endorse current effectiveness levels or determine corrective action.

    Output Customer
    • Accept project metrics performance
    • Accept recommendations
    • Launch corrective task force
    • Define target metrics
    • PMO
    • Business executives
    • IT leadership

    SIPOC examples for typical ITSC responsibilities

    SIPOC: Approve launch of planned and unplanned project
    Supplier Input
    CIO
    • Project list and recommendations
    • Resourcing report
    • Project intake document

    See Info-Tech’s Blueprint:

    Grow Your Own PPM Solution
    Process

    Responsibility: Review the list of projects and approve the launch or reprioritization of projects.

    Output Customer
    • Approved launch of projects
    • Recommendations for changes to project list
    • CFO
    • CIO
    • IT leadership
    SIPOC: Monitor stakeholder satisfaction with services and other service metrics
    Supplier Input
    Service Manager
    • Service metrics report with recommendations
    Info-Tech End User Satisfaction Report
    Process

    Responsibility: Review recommendations around service metrics and define target metrics. Endorse current effectiveness levels or determine corrective action.

    Output Customer
    • Accept service level performance
    • Accept recommendations
    • Launch corrective task force
    • Define target metrics
    • Service manager
    • Business executives
    • IT leadership

    SIPOC examples for typical ITSC responsibilities

    SIPOC: Approve plans for new or changed service requirements
    Supplier Input
    Service Manager
    • Service change request
    • Project request and change plan
    Process

    Responsibility: Review IT recommendations, approve changes, and communicate those to staff.

    Output Customer
    • Approved service changes
    • Rejected service changes
    • Service manager
    • Organizational staff
    SIPOC: Monitor risk management metrics
    Supplier Input
    CIO
    • Risk metrics report with recommendations
    Process

    Responsibility: Review recommendations around risk metrics and define target metrics. Endorse current effectiveness levels or determine corrective action.

    Output Customer
    • Accept risk register and mitigation strategy
    • Launch corrective task force to address risks
    • Risk manager
    • Business executives
    • IT leadership

    SIPOC examples for typical ITSC responsibilities

    SIPOC: Review the prioritized list of risks
    Supplier Input
    Risk Manager
    • Risk register
    • Mitigation strategies
    See Info-Tech’s risk management research to build a holistic risk strategy.
    Process

    Responsibility: Accept the risk registrar and define any additional action required.

    Output Customer
    • Accept risk register and mitigation strategy
    • Launch corrective task force to address risks
    • Risk manager
    • IT leadership
    • CRO
    SIPOC: Define information lifecycle process ownership
    Supplier Input
    CIO
    • List of risk owner options with recommendations
    See Info-Tech’s related blueprint: Information Lifecycle Management
    Process

    Responsibility: Define responsibility and accountability for information lifecycle ownership.

    Output Customer
    • Defined information lifecycle owner
    • Organization wide.

    SIPOC examples for typical ITSC responsibilities

    SIPOC: Monitor information lifecycle metrics
    Supplier Input
    Information lifecycle owner
    • Information metrics report with recommendations
    Process

    Responsibility: Review recommendations around information management metrics and define target metrics. Endorse current effectiveness levels or determine corrective action.

    Output Customer
    • Accept information management performance
    • Accept recommendations
    • Launch corrective task force to address challenges
    • Define target metrics
    • IT leadership

    Define which metrics you will report to the IT steering committee

    2.2

    1. Consider your IT steering committee goals and the five IT governance areas.
    2. For each governance area, identify which metrics you are currently tracking and determine whether these metrics are valuable to IT, to the business, or both. For metrics that are valuable to business stakeholders determine whether you have an identified target metric.

    New Metrics:

    1. For each of the five IT governance areas review your SWOT analysis and document your key opportunities and weaknesses.
    2. For each, brainstorm hypotheses around why the opportunity was weak or was a success. For each hypothesis identify if there are any clear ways to measure and test the hypothesis.
    3. Review the list of metrics and select 5-7 metrics to track for each prioritized governance area.

    INPUT

    • List of responsibilities
    • Example SIPOCs

    OUTPUT

    • SIPOC model for all responsibilities

    Materials

    • Whiteboard
    • Markers

    Participants

    • IT leadership team

    IT steering committee metric triggers to consider

    RISK

    • Risk profile % increase
    • # of actionable risks outstanding
    • # of issues arising not identified prior
    • # of security breaches

    SERVICE

    • Number of business disruptions due to IT service incidents
    • Number of service requests by department
    • Number of service requests that are actually projects
    • Causes of tickets overall and by department
    • Percentage of duration attributed to waiting for client response

    PROJECTS

    • Projects completed within budget
    • Percentage of projects delivered on time
    • Project completion rate
    • IT completed assigned portion to scope
    • Project status and trend dashboard

    INFORMATION / DATA

    • % of data properly classified
    • # of incidents locating data
    • # of report requests by complexity
    • # of open data sets

    PPM /INVESTMENTS

    • CIO Business Vision (an Info-Tech diagnostic survey that helps align IT strategy with business goals)
    • Level of stakeholder satisfaction and perceived value
    • Percentage of ON vs. OFF cycle projects by area/silo
    • Realized benefit to business units based on investment mix
    • Percent of enterprise strategic goals and requirements supported by strategic goals
    • Target vs. actual budget
    • Reasons for off-cycle projects causing delays to planned projects

    CASE STUDY

    Industry: Consumer Goods

    Source: Interview

    "IT steering committee’s reputation greatly improved by clearly defining its process."

    CHALLENGE

    One of the major failings of the previous steering committee was its poorly drafted procedures. Members of the committee were unclear on the overall process and the meeting schedule was not well established.

    This led to low attendance at the meetings and ineffective meetings overall. Since the meeting procedures weren’t well understood, some members of the leadership team took advantage of this to get their projects pushed through.

    SOLUTION

    The first step the new CIO took was to clearly outline the meeting procedures in her new steering committee charter. The meeting agenda, meeting goals, length of time, and outcomes were outlined, and the stakeholders signed off on their participation.

    She also gave the participants a SIPOC, which helped members who were unfamiliar with the process a high-level overview. It also reacquainted previous members with the process and outlined changes to the previous, out-of-date processes.

    OUTCOME

    The participation rate in the committee meetings improved from the previous rate of approximately 40% to 90%. The committee members were much more satisfied with the new process and felt like their contributions were appreciated more than before.

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech workshop

    Book a workshop with our Info-Tech analysts:

    An image of an Info-Tech analyst is depicted.

    • To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
    • Info-Tech analysts will join you and your team onsite at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.
    • Contact your account manager (www.infotech.com/account), or email Workshops@InfoTech.com for more information.

    The following are sample activities that will be conducted by Info-Tech analysts with your team:

    2.1

    A screenshot of activity 2.1 is depicted. Activity 2.1 is about defining a SIPOC for each of the ITSC responsibilities.

    Define a SIPOC for each of the ITSC responsibilities

    Create SIPOCs for each of the governance responsibilities with the help of an Info-Tech advisor.

    2.2

    A screenshot of activity 2.2 is depicted. Activity 2.2 is about establishing the reporting metrics for the ITSC.

    Establish the reporting metrics for the ITSC

    The analyst will facilitate several exercises to help you and your stakeholders define the reporting metrics for the ITSC.

    Phase 3

    Build the Stakeholder Presentation

    Phase 3 outline

    Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

    Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

    Guided Implementation 3: Build the Stakeholder Presentation
    Proposed Time to Completion: 1 week

    Customize the Presentation

    Start with an analyst kick-off call:

    • Review the IT Steering Committee Stakeholder Presentation with an analyst

    Then complete these activities…

    • Schedule the first meeting and invite the ITSC members
    • Customize the presentation template

    With these tools & templates:

    IT Steering Committee Stakeholder Presentation


    Review and Practice the Presentation

    Review findings with analyst:

    • Review the changes made to the template
    • Practice the presentation and create a script

    Then complete these activities…

    • Hold the ITSC meeting

    With these tools & templates:

    • IT Steering Committee Stakeholder Presentation
    Review the First ITSC Meeting

    Finalize phase deliverable:

    • Review the outcomes of the first ITSC meeting and plan out the next steps

    Then complete these activities…

    • Review the discussion and plan next steps

    With these tools & templates:

    Establish an Effective IT Steering Committee blueprint

    Build the Stakeholder Presentation

    This step will walk you through the following activities:

    • Organizing the first ITSC meeting
    • Customizing an ITSC stakeholder presentation
    • Determine ITSC responsibilities and participants
    • Determine ITSC procedures

    This step involves the following participants:

    • CIO
    • IT Steering Committee
    • IT Leadership Team
    • PMO

    Key Insight:

    Stakeholder engagement will be critical to your ITSC success, don't just focus on what is changing. Ensure stakeholders know why you are engaging them and how it will help them in their role.

    Hold a kick-off meeting with your IT steering committee members to explain the process, responsibilities, and goals

    3.1

    Don’t take on too much in your first IT steering committee meeting. Many participants may not have participated in an IT steering committee before, or some may have had poor experiences in the past.

    Use this meeting to explain the role of the IT steering committee and why you are implementing one, and help participants to understand their role in the process.

    Quickly customize Info-Tech’s IT Steering Committee Stakeholder Presentation template to explain the goals and benefits of the IT steering committee, and use your own data to make the case for governance.

    At the end of the meeting, ask committee members to sign the committee charter to signify their agreement to participate in the IT steering committee.

    A screenshot of IT Steering Committee: Meeting 1 is depicted. A screenshot of the IT Steering Committee Challenges and Opportunities for the organization.

    Tailor the IT Steering Committee Stakeholder Presentation template: slides 1-5

    3.2 Estimated Time: 10 minutes

    Review the IT Steering Committee Stakeholder Presentation template. This document should be presented at the first IT steering committee meeting by the assigned Committee Chair.

    Customization Options

    Overall: Decide if you would like to change the presentation template. You can change the color scheme easily by copying the slides in the presentation deck and pasting them into your company’s standard template. Once you’ve pasted them in, scan through the slides and make any additional changes needed to formatting.

    Slide 2-3: Review the text on each of the slides and see if any wording should be changed to better suite your organization.

    Slide 4: Review your list of the top 10 challenges and opportunities as defined in section 2 of this blueprint. Document those in the appropriate sections. (Note: be careful that the language is business-facing; challenges and opportunities should be professionally worded.)

    Slide 5: Review the language on slide 5 to make any necessary changes to suite your organization. Changes here should be minimal.

    INPUT

    • Top 10 list
    • Survey report
    • ITSC Charter

    OUTPUT

    • Ready-to-present presentation for defined stakeholders

    Materials

    • IT Steering Committee Stakeholder Presentation

    Participants

    • IT Steering Committee Chair/CIO

    Tailor the IT Steering Committee Stakeholder Presentation template: slides 6-10

    3.2 Estimated Time: 10 minutes

    Customization Options

    Slide 6: The goal of this slide is to document and share the names of the participants on the IT steering committee. Document the names in the right-hand side based on your IT Steering Committee Charter.

    Slides 7-9:

    • Review the agenda items as listed in your IT Steering Committee Charter. Document the annual, quarterly, and monthly meeting responsibilities on the left-hand side of slides 7-9.
    • Meeting Participants: For each slide, list the members who are required for that meeting.
    • Document the key required reading materials as identified in the SIPOC charts under “inputs.”
    • Document the key meeting outcomes as identified in the SIPOC chart under “outputs.”

    Slide 10: Review and understand the rollout timeline. Make any changes needed to the timeline.

    INPUT

    • Top 10 list
    • Survey report
    • ITSC Charter

    OUTPUT

    • Ready-to-present presentation for defined stakeholders

    Materials

    • IT Steering Committee Stakeholder Presentation

    Participants

    • IT Steering Committee Chair/CIO

    Present the information to the IT leadership team to increase your comfort with the material

    3.3 Estimated Time: 1-2 hours

    1. Once you have finished customizing the IT Steering Committee Stakeholder Presentation, practice presenting the material by meeting with your IT leadership team. This will help you become more comfortable with the dialog and anticipate any questions that might arise.
    2. The ITSC chair will present the meeting deck, and all parties should discuss what they think went well and opportunities for improvement.
    3. Each business relationship manager should document the needed changes in preparation for their first meeting.

    INPUT

    • IT Steering Committee Stakeholder Presentation - Meeting 1

    Participants

    • IT leadership team

    Schedule your first meeting of the IT steering committee

    3.4

    By this point, you should have customized the meeting presentation deck and be ready to meet with your IT steering committee participants.

    The meeting should be one hour in duration and completed in person.

    Before holding the meeting, identify who you think is going to be most supportive and who will be least. Consider meeting with those individuals independently prior to the group meeting to elicit support or minimize negative impacts on the meeting.

    Customize this calendar invite script to invite business partners to participate in the meeting.

    Hello [Name],

    As you may have heard, we recently went through an exercise to develop an IT steering committee. I’d like to take some time to discuss the results of this work with you, and discuss ways in which we can work together in the future to better enable corporate goals.

    The goals of the meeting are:

    1. Discuss the benefits of an IT steering committee
    2. Review the results of the organizational survey
    3. Introduce you to our new IT steering committee

    I look forward to starting this discussion with you and working with you more closely in the future.

    Warm regards,

    CASE STUDY

    Industry:Consumer Goods

    Source: Interview

    "CIO gains buy-in from the company by presenting the new committee to its stakeholders."

    CHALLENGE

    Communication was one of the biggest steering committee challenges that the new CIO inherited.

    Members were resistant to joining/rejoining the committee because of its previous failures. When the new CIO was building the steering committee, she surveyed the members on their knowledge of IT as well as what they felt their role in the committee entailed.

    She found that member understanding was lacking and that their knowledge surrounding their roles was very inconsistent.

    SOLUTION

    The CIO dedicated their first steering committee meeting to presenting the results of that survey to align member knowledge.

    She outlined the new charter and discussed the roles of each member, the goals of the committee, and the overarching process.

    OUTCOME

    Members of the new committee were now aligned in terms of the steering committee’s goals. Taking time to thoroughly outline the procedures during the first meeting led to much higher member engagement. It also built accountability within the committee since all members were present and all members had the same level of knowledge surrounding the roles of the ITSC.

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech workshop

    Book a workshop with our Info-Tech analysts:

    • To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
    • Info-Tech analysts will join you and your team onsite at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.
    • Contact your account manager (www.infotech.com/account), or email Workshops@InfoTech.com for more information.

    The following are sample activities that will be conducted by Info-Tech analysts with your team:

    3.1

    A screenshot of Activity 3.1 is depicted. Activity 3.1 is about creating a presentation for ITSC stakeholders to be presented at the first ITSC meeting.

    Create a presentation for ITSC stakeholders to be presented at the first ITSC meeting

    Work with an Info-Tech advisor to customize our IT Steering Committee Stakeholder Presentation template. Use this presentation to gain stakeholder buy-in by making the case for an ITSC.

    Phase 4

    Define the Prioritization Criteria

    Phase 4 outline

    Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

    Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

    Guided Implementation : Define the Prioritization Criteria
    Proposed Time to Completion: 4 weeks

    Discuss Prioritization Criteria

    Start with an analyst kick-off call:

    • Review sample project prioritization criteria and discuss criteria unique to your organization

    Then complete these activities...

    • Select the criteria that would be most effective for your organization
    • Input these into the tool

    With these tools & templates:

    IT Steering Committee Project Prioritization Tool

    Customize the IT Steering Committee Project Prioritization Tool

    Review findings with analyst:

    • Review changes made to the tool
    • Finalize criteria weighting

    Then complete these activities…

    • Pilot test the tool using projects from the previous year

    With these tools & templates:

    IT Steering Committee Project Prioritization Tool

    Review Results of the Pilot Test

    Finalize phase deliverable:

    • Review the results of the pilot test
    • Make changes to the tool

    Then complete these activities…

    • Input your current project portfolio into the prioritization tool

    With these tools & templates:

    IT Steering Committee Project Prioritization Tool

    Define the Project Prioritization Criteria

    This step will walk you through the following activities:

    • Selecting the appropriate project prioritization criteria for your organization
    • Developing weightings for the prioritization criteria
    • Filling in Info-Tech’s IT Steering Committee Project Prioritization Tool

    This step involves the following participants:

    • CIO
    • IT Steering Committee
    • IT Leadership Team
    • PMO

    Key Insight:

    The steering committee sets and agrees to principles that guide prioritization decisions. The agreed upon principles will affect business unit expectations and justify the deferral of requests that are low priority. In some cases, we have seen the number of requests drop substantially because business units are reluctant to propose initiatives that do not fit high prioritization criteria.

    Understand the role of the IT steering committee in project prioritization

    One of the key roles of the IT steering committee is to review and prioritize the portfolio of IT projects.

    What is the prioritization based on? Info-Tech recommends selecting four broad criteria with two dimensions under each to evaluate the value of the projects. The criteria are aligned with how the project generates value for the organization and the execution of the project.

    What is the role of the steering committee in prioritizing projects? The steering committee is responsible for reviewing project criteria scores and making decisions about where projects rank on the priority list. Planning, resourcing, and project management are the responsibility of the PMO or the project owner.

    Info-Tech’s Sample Criteria

    Value

    Strategic Alignment: How much a project supports the strategic goals of the organization.

    Customer Satisfaction: The impact of the project on customers and how visible a project will be with customers.

    Operational Alignment: Whether the project will address operational issues or compliance.

    Execution

    Financial: Predicted ROI and cost containment strategies.

    Risk: Involved with not completing projects and strategies to mitigate it.

    Feasibility: How easy the project is to complete and whether staffing resources exist.

    Use Info-Tech’s IT Steering Committee Project Prioritization Tool to catalog and prioritize your project portfolio

    4.1

    • Use Info-Tech’s IT Steering Committee Project Prioritization Tool in conjunction with the following activities to catalog and prioritize all of the current IT projects in your portfolio.
    • Assign weightings to your selected criteria to prioritize projects based on objective scores assigned during the intake process and adjust these weightings on an annual basis to align with changing organizational priorities and goals.
    • Use this tool at steering committee meetings to streamline the prioritization process and create alignment with the PMO and project managers.
    • Monitor ongoing project status and build a communication channel between the PMO and project managers and the IT steering committee.
    • Adjusting the titles in the Settings tab will automatically adjust the titles in the Project Data tab.
    • Note: To customize titles in the document you must unprotect the content under the View tab. Be sure to change the content back to protected after making the changes.
    A screenshot of Info-Tech's IT Steering Committee Project Prioritization Tool is depicted. The first page of the tool is shown. A screenshot of Info-Tech's IT Steering Committee Project Prioritization Tool is depicted. The page depicted is on the Intake and Prioritization Tool Settings.

    Establish project prioritization criteria and build the matrix

    4.2 Estimated Time: 1 hour

    1. During the second steering committee meeting, discuss the criteria you will be basing your project prioritization scoring on.
    2. Review Info-Tech’s prioritization criteria matrix, located in the Prioritization Criteria List tab of the IT Steering Committee Project Prioritization Tool, to gain ideas for what criteria would best suit your organization.
    3. Write these main criteria on the whiteboard and brainstorm criteria that are more specific for your organization; include these on the list as well.
    4. Discuss the criteria. Eliminate criteria that won’t contribute strongly to the prioritization process and vote on the remaining. Select four main criteria from the list.
    5. After selecting the four main criteria, write these on the whiteboard and brainstorm the dimensions that fall under the criteria. These should be more specific/measurable aspects of the criteria. These will be the statements that values are assigned to for prioritizing projects so they should be clear. Use the Prioritization Criteria List in the tool to help generate ideas.
    6. After creating the dimensions, determine what the scoring statements will be. These are the statements that will be used to determine the score out of 10 that the different dimensions will receive.
    7. Adjust the Settings and Project Data tabs in the IT Steering Committee Project Prioritization Tool to reflect your selections.
    8. Edit Info-Tech’s IT Project Intake Form or the intake form that you currently use to contain these criteria and scoring parameters.

    INPUT

    • Group input
    • IT Steering Committee Project Prioritization Tool

    OUTPUT

    • Project prioritization criteria to be used for current and future projects

    Materials

    • Whiteboard and markers

    Participants

    • IT steering committee
    • CIO
    • IT leadership

    Adjust prioritization criteria weightings to reflect organizational needs

    4.3 Estimated Time: 1 hour

    1. In the second steering committee meeting, after deciding what the project prioritization criteria will be, you need to determine how much weight (the importance) each criteria will receive.
    2. Use the four agreed upon criteria with two dimensions each, determined in the previous activity.
    3. Perform a $100 test to assign proportions to each of the criteria dimensions.
      1. Divide the committee into pairs.
      2. Tell each pair that they have $100 divide among the 4 major criteria based on how important they feel the criteria is.
      3. After dividing the initial $100, ask them to divide the amount they allocated to each criteria into the two sub-dimensions.
      4. Next, ask them to present their reasoning for the allocations to the rest of the committee.
      5. Discuss the weighting allotments and vote on the best one (or combination).
      6. Input the weightings in the Settings tab of the IT Steering Committee Project Prioritization Tool and document the discussion.
    4. After customizing the chart establish the owner of the document. This person should be a member of the PMO or the most suitable IT leader if a PMO doesn’t exist.
    5. Only perform this adjustment annually or if a major strategic change happens within the organization.

    INPUT

    • Group discussion

    OUTPUT

    • Agreed upon criteria weighting
    • Complete prioritization tool

    Materials

    • IT Steering Committee Project Prioritization Tool
    • Whiteboard and sticky notes

    Participants

    • IT steering committee
    • IT leadership

    Document the prioritization criteria weightings in Info-Tech’s IT Steering Committee Project Prioritization Tool.

    Configure the prioritization tool to align your portfolio with business strategy

    4.4 Estimated Time: 60 minutes

    Download Info-Tech’s Project Intake and Prioritization Tool.

    A screenshot of Info-Tech's Project Intake and Prioritization Tool.

    Rank: Project ranking will dynamically update relative to your portfolio capacity (established in Settings tab) and the Size, Scoring Progress, Remove from Ranking, and Overall Score columns. The projects in green represent top priorities based on these inputs, while yellow projects warrant additional consideration should capacity permit.

    Scoring Progress: You will be able to determine some items on the scorecard earlier in the scoring progress (such as strategic and operational alignment). As you fill in scoring columns on the Project Data tab, the Scoring Progress column will dynamically update to track progress.

    The Overall Score will update automatically as you complete the scoring columns (refer to Activity 4.2).

    Days in Backlog: This column will help with backlog management, automatically tracking the number of days since an item was added to the list based on day added and current date.

    Validate your new prioritization criteria using previous projects

    4.5 Estimated Time: 2 hours

    1. After deciding on the prioritization criteria, you need to test their validity.
    2. Look at the portfolio of projects that were completed in the previous year.
    3. Go through each project and score it according to the criteria that were determined in the previous exercise.
    4. Enter the scores and appropriate weighting (according to goals/strategy of the previous year) into the IT Steering Committee Project Prioritization Tool.
    5. Look at the prioritization given to the projects in reference to how they were previously prioritized.
    6. Adjust the criteria and weighting to either align the new prioritization criteria with previous criteria or to align with desired outcomes.
    7. After scoring the old projects, pilot test the tool with upcoming projects.

    INPUT

    • Information on previous year’s projects
    • Group discussion

    OUTPUT

    • Pilot tested project prioritization criteria

    Materials

    • IT Steering Committee Project Prioritization Tool

    Participants

    • IT steering committee
    • IT leadership
    • PMO

    Pilot the scorecard to validate criteria and weightings

    4.6 Estimated Time: 60 minutes

    1. Pilot your criteria and weightings in the IT Steering Committee Project Prioritization Tool using project data from one or two projects currently going through approval process.
    2. For most projects, you will be able to determine strategic and operational alignment early in the scoring process, while the feasibility and financial requirements will come later during business case development. Score each column as you can. The tool will automatically track your progress in the Scoring Progress column on the Project Data tab.

    Projects that are scored but not prioritized will populate the portfolio backlog. Items in the backlog will need to be rescored periodically, as circumstances can change, impacting scores. Factors necessitating rescoring can include:

    • Assumptions in business case have changed.
    • Organizational change – e.g. a new CEO or a change in strategic objectives.
    • Major emergencies or disruptions – e.g. a security breach.

    Score projects using the Project Data tab in Info-Tech’s IT Steering Committee Project Prioritization Tool

    A screenshot of Info-Tech's <em data-verified=IT Steering Committee Project Prioritization Tool is depicted. The Data Tab is shown.">

    Use Info-Tech’s IT Project Intake Form to streamline the project prioritization and approval process

    4.7

    • Use Info-Tech’s IT Project Intake Form template to streamline the project intake and prioritization process.
    • Customize the chart on page 2 to include the prioritization criteria that were selected during this phase of the blueprint.
    • Including the prioritization criteria at the project intake phase will free up a lot of time for the steering committee. It will be their job to verify that the criteria scores are accurate.
    A screenshot of Info-Tech's IT Project Intake Form is depicted.

    After prioritizing and selecting your projects, determine how they will be resourced

    Consult these Info-Tech blueprints on project portfolio management to create effective portfolio project management resourcing processes.

    A Screenshot of Info-Tech's Create Project Management Success Blueprint is depicted. Create Project Management Success A Screenshot of Info-Tech's Develop a Project Portfolio Management Strategy Blueprint is depicted. Develop a Project Portfolio Management Strategy

    CASE STUDY

    Industry: Consumer Goods

    Source: Interview

    "Clear project intake and prioritization criteria allow for the new committee to make objective priority decisions."

    CHALLENGE

    One of the biggest problems that the previous steering committee at the company had was that their project intake and prioritization process was not consistent. Projects were being prioritized based on politics and managers taking advantage of the system.

    The procedure was not formalized so there were no objective criteria on which to weigh the value of proposed projects. In addition to poor meeting attendance, this led to the overall process being very inconsistent.

    SOLUTION

    The new CIO, with consultation from the newly formed committee, drafted a set of criteria that focused on the value and execution of their project portfolio. These criteria were included on their intake forms to streamline the rating process.

    All of the project scores are now reviewed by the steering committee, and they are able to facilitate the prioritization process more easily.

    The objective criteria process also helped to prevent managers from taking advantage of the prioritization process to push self-serving projects through.

    OUTCOME

    This was seen as a contributor to the increase in satisfaction scores for IT, which improved by 12% overall.

    The new streamlined process helped to reduce capacity constraints on IT, and it alerted the company to the need for more IT employees to help reduce these constraints further. The IT department was given permission to hire two new additional staff members.

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech workshop

    Book a workshop with our Info-Tech analysts:

    • To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
    • Info-Tech analysts will join you and your team onsite at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.
    • Contact your account manager (www.infotech.com/account), or email Workshops@InfoTech.com for more information.

    The following are sample activities that will be conducted by Info-Tech analysts with your team:

    4.1

    A screenshot of activity 4.1 is depicted. Activity 4.1 was about defining your prioritization criteria and customize our <em data-verified=IT Steering Committee Project Prioritization Tool.">

    Define your prioritization criteria and customize our IT Steering Committee Project Prioritization Tool

    With the help of Info-Tech advisors, create criteria for determining a project’s priority. Customize the tool to reflect the criteria and their weighting. Run pilot tests of the tool to verify the criteria and enter your current project portfolio.

    Research contributors and experts

    • Andy Lomasky, Manager, Technology & Management Consulting, McGladrey LLP
    • Angie Embree, CIO, Best Friends Animal Society
    • Corinne Bell, CTO and Director of IT Services, Landmark College
    • John Hanskenecht, Director of Technology, University of Detroit Jesuit High School and Academy
    • Lori Baker, CIO, Village of Northbrook
    • Lynne Allard, IT Supervisor, Nipissing Parry Sound Catholic School Board
    • Norman Allen, Senior IT Manager, Baker Tilly
    • Paul Martinello, VP, IT Services, Cambridge and North Dumfries Hydro Inc.
    • Renee Martinez, IT Director/CIO, City of Santa Fe
    • Sam Wong, Director, IT, Seneca College
    • Suzanne Barnes, Director, Information Systems, Pathfinder International
    • Walt Joyce, CTO, Peoples Bank

    Appendices

    GOVERNANCE & ITSC & IT Management

    Organizations often blur the line between governance and management, resulting in the business having say over the wrong things. Understand the differences and make sure both groups understand their role.

    The ITSC is the most senior body within the IT governance structure, involving key business executives and focusing on critical strategic decisions impacting the whole organization.

    Within a holistic governance structure, organizations may have additional committees that evaluate, direct, and monitor key decisions at a more tactical level and report into the ITSC.

    These committees require specialized knowledge and are implemented to meet specific organizational needs. Those operational committees may spark a tactical task force to act on specific needs.

    IT management is responsible for executing on, running, and monitoring strategic activities as determined by IT governance.

    Strategic IT Steering Committee
    Tactical

    Project Governance Service Governance

    Risk Governance Information Governance

    IT Management
    Operational Risk Task Force

    This blueprint focuses exclusively on building the IT Steering committee. For more information on IT governance see Info-Tech’s related blueprint: Tailor an IT Governance Plan to Fit Organizational Needs.

    IT steering committees play an important role in IT governance

    By bucketing responsibilities into these areas, you’ll be able to account for most key IT decisions and help the business to understand their role in governance, fostering ownership and joint accountability.

    The five governance areas are:

    Governance of the IT Portfolio and Investments: Ensures that funding and resources are systematically allocated to the priority projects that deliver value.

    Governance of Projects: Ensures that IT projects deliver the expected value, and that the PM methodology is measured and effective.

    Governance of Risks: Ensures the organization’s ability to assess and deliver IT projects and services with acceptable risk.

    Governance of Services: Ensures that IT delivers the required services at the acceptable performance levels.

    Governance of Information and Data: Ensures the appropriate classification and retention of data based on business need.

    A survey of stakeholders identified a need for increased stakeholder involvement and transparency in decision making

    A bar graph is depicted. The title is: I understand how decisions are made in the following areas. The areas include risk, services, projects, portfolio, and information. A circle graph is depicted. The title is: Do IT decisions involve the right people?

    Overall, survey respondents indicated a lack of understanding about how decisions are made around risk, services, projects, and investments, and that business involvement in decision making was too minimal.

    Satisfaction with decision quality around investments and PPM are uneven and largely not well understood

    72% of stakeholders do not understand how decisions around IT services are made (quality, availability, etc.).

    A bar graph is depicted. The title is: How satisfied are you with the quality of decisions and transparency around IT services? A bar graph is depicted. Title of the graph: IT decisions around service delivery and quality involve the right people?

    Overall, services were ranked #1 in importance of the 5 areas

    62% of stakeholders do not understand how decisions around IT services are made (quality, availability, etc.).

    A bar graph is depicted. The title is: How satisfied are you with the quality of decisions and transparency around IT services? A bar graph is depicted. Title of the graph: IT decisions around service delivery and quality involve the right people?

    Projects ranked as one of the areas with which participants are most satisfied with the quality of decisions

    70% of stakeholders do not understand how decisions around projects selection, success, and changes are made.

    A bar graph is depicted. The title is: How satisfied are you with the quality of decisions and transparency around IT services? A bar graph is depicted. The title is: IT decisions around project changes, delays, and metrics involve the right people?

    Stakeholders are largely unaware of how decisions around risk are made and believe business participation needs to increase

    78% of stakeholders do not understand how decisions around risk are made

    A bar graph is depicted. The title is: How satisfied are you with the quality of decisions made around risk? A bar graph is depicted. The title is: IT decisions around acceptable risk involve the right people?

    The majority of stakeholders believe that they are aware of how decisions around information are made

    67% of stakeholders believe they do understand how decisions around information (data) retention and classification are made.

    A bar graph is depicted. The title is: How satisfied are you with the quality of decisions around information governance? A bar graph is depicted. The title is: IT decisions around information retention and classification involve the right people?

    Availability and Capacity Management

    • Buy Link or Shortcode: {j2store}10|cart{/j2store}
    • Related Products: {j2store}10|crosssells{/j2store}
    • Up-Sell: {j2store}10|upsells{/j2store}
    • member rating overall impact (scale of 10): 8.0/10.0
    • member rating average dollars saved: $2,950
    • member rating average days saved: 10
    • Parent Category Name: Infra and Operations
    • Parent Category Link: /infra-and-operations
    Develop your availability and capacity management plant and align it with exactly what the business expects.

    Cut Cost Through Effective IT Category Planning

    • Buy Link or Shortcode: {j2store}213|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Vendor Management
    • Parent Category Link: /vendor-management
    • IT departments typically approach sourcing a new vendor or negotiating a contract renewal as an ad hoc event.
    • There is a lack of understanding on how category planning governance can save money.
    • IT vendor “go to market” or sourcing activities are typically not planned and are a reaction to internal client demands or vendor contract expiration.

    Our Advice

    Critical Insight

    • Lack of knowledge of the benefits and features of category management, including the perception that the sourcing process takes too long, are two of the most common challenges that prevent IT from category planning.
    • Other challenges include the traditional view of contract renegotiation and vendor acquisition as a transactional event vs. an ongoing strategic process.
    • Finally, allocating resources and time to collect the data, vendor information, and marketing analysis prevents us from creating category plans.

    Impact and Result

    • An IT category plan establishes a consistent and proactive methodology or process to sourcing activities such as request for information (RFI), request for proposals, (RFPs), and direct negotiations with a specific vendor or“targeted negotiations” such as renewals.
    • The goal of an IT category plan is to leverage a strategic approach to vendor selection while identify cost optimizing opportunities that are aligned with IT strategy and budget objectives.

    Cut Cost Through Effective IT Category Planning Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should create an IT category plan to reduce your IT cost, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Create an IT category plan

    Use our three-step approach of Organize, Design, and Execute an IT Category Plan to get the most out of your IT budget while proactively planning your vendor negotiations.

    • IT Category Plan
    • IT Category Plan Metrics
    • IT Category Plan Review Presentation
    [infographic]

    Take Control of Cloud Costs on Microsoft Azure

    • Buy Link or Shortcode: {j2store}426|cart{/j2store}
    • member rating overall impact (scale of 10): 10.0/10 Overall Impact
    • member rating average dollars saved: $125,999 Average $ Saved
    • member rating average days saved: 50 Average Days Saved
    • Parent Category Name: Cloud Strategy
    • Parent Category Link: /cloud-strategy
    • Traditional IT budgeting and procurement processes don't work for public cloud services.
    • The self-service nature of the cloud means that often the people provisioning cloud resources aren't accountable for the cost of those resources.
    • Without centralized control or oversight, organizations can quickly end up with massive Azure bills that exceed their IT salary cost.

    Our Advice

    Critical Insight

    • Most engineers care more about speed of feature delivery and reliability of the system than they do about cost.
    • Often there are no consequences for overarchitecting or overspending on Azure.
    • Many organizations lack sufficient visibility into their Azure spend, making it impossible to establish accountability and controls.

    Impact and Result

    • Define roles and responsibilities.
    • Establish visibility.
    • Develop processes, procedures, and policies.

    Take Control of Cloud Costs on Microsoft Azure Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should take control of cloud costs, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Build a cost accountability framework

    Assess your current state, define your cost allocation model, and define roles and responsibilities.

    • Cloud Cost Management Worksheet
    • Cloud Cost Management Capability Assessment
    • Cloud Cost Management Policy
    • Cloud Cost Glossary of Terms

    2. Establish visibility

    Define dashboards and reports, and document account structure and tagging requirements.

    • Service Cost Cheat Sheet for Azure

    3. Define processes and procedures

    Establish governance for tagging and cost control, define process for right-sizing, and define process for purchasing commitment discounts.

    • Right-Sizing Workflow (Visio)
    • Right-Sizing Workflow (PDF)
    • Commitment Purchasing Workflow (Visio)
    • Commitment Purchasing Workflow (PDF)

    4. Build an implementation plan

    Document process interactions, establish program KPIs, and build implementation roadmap and communication plan.

    • Cloud Cost Management Task List
    [infographic]

    Workshop: Take Control of Cloud Costs on Microsoft Azure

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Build a Cost Accountability Framework

    The Purpose

    Establish clear lines of accountability and document roles & responsibilities to effectively manage cloud costs.

    Key Benefits Achieved

    Understanding of key areas to focus on to improve cloud cost management capabilities.

    Activities

    1.1 Assess current state

    1.2 Determine cloud cost model

    1.3 Define roles & responsibilities

    Outputs

    Cloud cost management capability assessment

    Cloud cost model

    Roles & responsibilities

    2 Establish Visibility

    The Purpose

    Establish visibility into cloud costs and drivers of those costs.

    Key Benefits Achieved

    Better understanding of what is driving costs and how to keep them in check.

    Activities

    2.1 Develop architectural patterns

    2.2 Define dashboards and reports

    2.3 Define account structure

    2.4 Document tagging requirements

    Outputs

    Architectural patterns; service cost cheat sheet

    Dashboards and reports

    Account structure

    Tagging scheme

    3 Define Processes & Procedures

    The Purpose

    Develop processes, procedures, and policies to control cloud costs.

    Key Benefits Achieved

    Improved capability of reducing costs.

    Documented processes & procedures for continuous improvement.

    Activities

    3.1 Establish governance for tagging

    3.2 Establish governance for costs

    3.3 Define right-sizing process

    3.4 Define purchasing process

    3.5 Define notification and alerts

    Outputs

    Tagging policy

    Cost control policy

    Right-sizing process

    Commitment purchasing process

    Notifications and alerts

    4 Build an Implementation Plan

    The Purpose

    Document next steps to implement & improve cloud cost management program.

    Key Benefits Achieved

    Concrete roadmap to stand up and/or improve the cloud cost management program.

    Activities

    4.1 Document process interaction changes

    4.2 Define cloud cost program KPIs

    4.3 Build implementation roadmap

    4.4 Build communication plan

    Outputs

    Changes to process interactions

    Cloud cost program KPIs

    Implementation roadmap

    Communication plan

    Determine the Future of Microsoft Project in Your Organization

    • Buy Link or Shortcode: {j2store}357|cart{/j2store}
    • member rating overall impact (scale of 10): 10.0/10 Overall Impact
    • member rating average dollars saved: $125,999 Average $ Saved
    • member rating average days saved: 50 Average Days Saved
    • Parent Category Name: Project Management Office
    • Parent Category Link: /project-management-office
    • You use Microsoft tools to manage your work, projects, and/or project portfolio.
    • Its latest offering, Project for the web, is new and you’re not sure what to make of it. Microsoft says it will soon replace Microsoft Project and Project Online, but the new software doesn’t seem to do what the old software did.
    • The organization has adopted M365 for collaboration and work management. Meetings happen on Teams, projects are scoped a bit with Planner, and the operations group uses Azure Boards to keep track of what they need to get done.
    • Despite your reservations about the new project management software, Microsoft software has become even more ubiquitous.

    Our Advice

    Critical Insight

    • The various MS Project offerings (but most notably the latest, Project for the web) hold the promise of integrating with the rest of M365 into a unified work management solution. However, out of the box, Project for the web and the various platforms within M365 are all disparate utilities that need to be pieced together in a purpose-built manner to make use of them for holistic work management purposes. If you’re looking for a cohesive product out of the box, look elsewhere. If you’re looking to assemble a wide array of work, project, and portfolio management functions across different functions and departments, you may have found what you seek.
    • Rather than choosing tools based on your gaps, assess your current maturity level so that you optimize your investment in the Microsoft landscape.

    Impact and Result

    Follow Info-Tech’s path in this blueprint to:

    • Perform a tool audit to trim your work management tool landscape.
    • Navigate the MS Project and M365 licensing landscape.
    • Make sense of what to do with Project for the web and take the right approach to rolling it out (i.e. DIY or MS Gold Partner driven) based upon your needs.
    • Create an action plan to inform next steps.

    After following the program in this blueprint, you will be prepared to advise the organization on how to best leverage the rapidly shifting work management options within M365 and the place of MS Project within it.

    Determine the Future of Microsoft Project in Your Organization Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should make sense of the MS Project and M365 landscapes, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Determine your tool needs

    Assess your work management tool landscape, current state maturity, and licensing needs to inform a purpose-built work management action plan.

    • M365 Task Management Tool Guide
    • M365 Project Management Tool Guide
    • M365 Project Portfolio Management Tool Guide
    • Tool Audit Workbook
    • Force Field Analysis Tool
    • Microsoft Project & M365 Licensing Tool
    • Project Portfolio Management Maturity Assessment Workbook (With Tool Analysis)
    • Project Management Maturity Assessment Workbook (With Tool Analysis)

    2. Weigh your MS Project implementation options

    Get familiar with Project for the web’s extensibility as well as the MS Gold Partner ecosystem as you contemplate the best implementation approach(s) for your organization.

    • None
    • None

    3. Finalize your implementation approach

    Prepare a boardroom-ready presentation that will help you communicate your MS Project and M365 action plan to PMO and organizational stakeholders.

    • Microsoft Project & M365 Action Plan Template

    Infographic

    Workshop: Determine the Future of Microsoft Project in Your Organization

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Assess Driving Forces and Risks

    The Purpose

    Assess the goals and needs as well as the risks and constraints of a work management optimization.

    Take stock of your organization’s current work management tool landscape.

    Key Benefits Achieved

    Clear goals and alignment across workshop participants as well as an understanding of the risks and constraints that will need to be mitigated to succeed.

    Current-state insight into the organization’s work management tool landscape.

    Activities

    1.1 Review the business context.

    1.2 Explore the M365 work management landscape.

    1.3 Identify driving forces for change.

    1.4 Analyze potential risks.

    1.5 Perform current-state analysis on work management tools.

    Outputs

    Business context

    Current-state understanding of the task, project, and portfolio management options in M365 and how they align with the organization’s ways of working

    Goals and needs analysis

    Risks and constraints analysis

    Work management tool overview

    2 Determine Tool Needs and Process Maturity

    The Purpose

    Determine your organization’s work management tool needs as well as its current level of project management and project portfolio management process maturity.

    Key Benefits Achieved

    An understanding of your tooling needs and your current levels of process maturity.

    Activities

    2.1 Review tool audit dashboard and conduct the final audit.

    2.2 Identify current Microsoft licensing.

    2.3 Assess current-state maturity for project management.

    2.4 Define target state for project management.

    2.5 Assess current-state maturity for project portfolio management.

    2.6 Define target state for project portfolio management.

    Outputs

    Tool audit

    An understanding of licensing options and what’s needed to optimize MS Project options

    Project management current-state analysis

    Project management gap analysis

    Project portfolio management current-state analysis

    Project portfolio management gap analysis

    3 Weigh Your Implementation Options

    The Purpose

    Take stock of your implementation options for Microsoft old project tech and new project tech.

    Key Benefits Achieved

    An optimized implementation approach based upon your organization’s current state and needs.

    Activities

    3.1 Prepare a needs assessment for Microsoft 365 and Project Plan licenses.

    3.2 Review the business case for Microsoft licensing.

    3.3 Get familiar with Project for the web.

    3.4 Assess the MS Gold Partner Community.

    3.5 Conduct a feasibility test for PFTW.

    Outputs

    M365 and Project Plan needs assessment

    Business case for additional M365 and MS Project licensing

    An understand of Project for the web and how to extend it

    MS Gold Partner outreach plan

    A go/no-go decision for extending Project for the web on your own

    4 Finalize Implementation Approach

    The Purpose

    Determine the best implementation approach for your organization and prepare an action plan.

    Key Benefits Achieved

    A purpose-built implementation approach to help communicate recommendations and needs to key stakeholders.

    Activities

    4.1 Decide on the implementation approach.

    4.2 Identify the audience for your proposal.

    4.3 Determine timeline and assign accountabilities.

    4.4 Develop executive summary presentation.

    Outputs

    An implementation plan

    Stakeholder analysis

    A communication plan

    Initial executive presentation

    5 Next Steps and Wrap-Up (offsite)

    The Purpose

    Finalize your M365 and MS Project work management recommendations and get ready to communicate them to key stakeholders.

    Key Benefits Achieved

    Time saved in developing and communicating an action plan.

    Stakeholder buy-in.

    Activities

    5.1 Complete in-progress deliverables from previous four days.

    5.2 Set up review time for workshop deliverables and to discuss next steps.

    Outputs

    Finalized executive presentation

    A gameplan to communicate your recommendations to key stakeholders as well as a roadmap for future optimization

    Further reading

    Determine the Future of Microsoft Project in Your Organization

    View your task management, project management, and project portfolio management options through the lens of M365.

    EXECUTIVE BRIEF

    Analyst Perspective

    Microsoft Project is an enigma

    Microsoft Project has dominated its market since being introduced in the 1980s, yet the level of adoption and usage per license is incredibly low.

    The software is ubiquitous, mostly considered to represent its category for “Project Management.” Yet, the software is conflated with its “Portfolio Management” offerings as organizations make platform decisions with Microsoft Project as the incorrectly identified incumbent.

    And incredibly, Microsoft has dominated the next era of productivity software with the “365” offerings. Yet, it froze the “Project” family of offerings and introduced the not-yet-functional “Project for the web.”

    Having a difficult time understanding what to do with, and about, Microsoft Project? You’re hardly alone. It’s not simply a question of tolerating, embracing, or rejecting the product: many who choose a competitor find they’re still paying for Microsoft Project-related licensing for years to come.

    If you’re in the Microsoft 365 ecosystem, use this research to understand your rapidly shifting landscape of options.

    (Barry Cousins, Project Portfolio Management Practice Lead, Info-Tech Research Group)

    Executive Summary

    Your Challenge

    You use Microsoft (MS) tools to manage your work, projects, and/or project portfolio.

    Their latest offering, Project for the web, is new and you’re not sure what to make of it. Microsoft says it will soon replace Microsoft Project and Project Online, but the new software doesn’t seem to do what the old software did.

    The organization has adopted M365 for collaboration and work management. Meetings happen on Teams, projects are scoped a bit with Planner, and the operations group uses Azure Boards to keep track of what they need to get done.

    Despite your reservations about the new project management software, Microsoft software has become even more ubiquitous.

    Common Obstacles

    M365 provides the basic components for managing tasks, projects, and project portfolios, but there is no instruction manual for making those parts work together.

    M365 isn’t the only set of tools at play. Business units and teams across the organization have procured other non-Microsoft tools for work management without involving IT.

    Microsoft’s latest project offering, Project for the web, is still evolving and you’re never sure if it is stable or ready for prime time. The missing function seems to involve the more sophisticated project planning disciplines, which are still important to larger, longer, and costlier projects.

    Common Obstacles

    Follow Info-Tech’s path in this blueprint to:

    • Perform a tool audit to trim your work management tool landscape.
    • Navigate the MS Project and M365 licensing landscape.
    • Make sense of what to do with Project for the web and take the right approach to rolling it out (i.e. DIY or MS Gold Partner driven) for your needs.
    • Create an action plan to inform next steps.

    After following the program in this blueprint, you will be prepared to advise the organization on how to best leverage the rapidly shifting work management options within M365 and the place of MS Project within it.

    M365 and, within it, O365 are taking over

    Accelerated partly by the pandemic and the move to remote work, Microsoft’s market share in the work productivity space has grown exponentially in the last two years.

    70% of Fortune 500 companies purchased 365 from Sept. 2019 to Sept. 2020. (Thexyz blog, 2020)

    In its FY21 Q2 report, Microsoft reported 47.5 million M365 consumer subscribers – an 11.2% increase from its FY20 Q4 reporting. (Office 365 for IT Pros, 2021)

    As of September 2020, there were 258,000,000 licensed O365 users. (Thexyz blog, 2020)

    In this blueprint, we’ll look at what the what the phenomenal growth of M365 means for PMOs and project portfolio practitioners who identify as Microsoft shops

    The market share of M365 warrants a fresh look at Microsoft’s suite of project offerings

    For many PMO and project portfolio practitioners, the footprint of M365 in their organizations’ work management cultures is forcing a renewed look at Microsoft’s suite of project offerings.

    The complicating factor is this renewed look comes at a transitional time in Microsoft’s suite of project and portfolio offerings.

    • The market dominance of MS Project Server and Project Online are wanning, with Microsoft promising the end-of-life for Online sometime in the coming years.
    • Project Online’s replacement, Project for the web, is a viable task management and lightweight project management tool, but its viability as a replacement for the rigor of Project Online is at present largely a question mark.
    • Related to the uncertainty and promise around Project for the web, the Dataverse and the Power Platform offer a glimpse into a democratized future of work management tools but anything specific about that future has yet to solidify.

    Microsoft Project has 66% market share in the project management tool space. (Celoxis, 2018)

    A copy of MS project is sold or licensed every 20 seconds. (Integent, 2013)

    MS Project is evolving to meet new work management realities

    It also evolved to not meet the old project management realities.

    • The lines between traditional project management and operational task management solutions are blurring as organizations struggle to keep up with demands.
    • To make the software easier to use, modern work management doesn’t involve the complexities from days past. You won’t find anywhere to introduce complex predecessor-successor relationships, unbalanced assignments with front-loading or back-loading, early-start/late-finish, critical path, etc.
    • “Work management” is among the latest buzzwords in IT consulting. With Project for the web (PFTW), Azure Boards, and Planner, Microsoft is attempting to compete with lighter and better-adopted tools like Trello, Basecamp, Asana, Wrike, and Monday.com.
    • Buyers of project and work management software have struggled to understand how PFTW will still be usable if it gets the missing project management function from MS Project.

    Info-Tech Insight

    Beware of the Software Granularity Paradox.

    Common opinion 1: “Plans and estimates that are granular enough to be believable are too detailed to manage and maintain.”

    Common opinion 2: “Plans simple enough to publish aren’t detailed enough to produce believable estimates.”

    In other words, software simple enough to get widely adopted doesn’t produce believable plans. Software that can produce believable plans is too complex to use at scale.

    A viable task and project management option must walk the line between these dichotomies.

    M365 gives you the pieces, but it’s on PMO users to piece them together in a viable way

    With the new MS Project and M365, it’s on PMOs to avoid the granularity paradox and produce a functioning solution that fits with the organization’s ways of working.

    Common perception still sees Microsoft Project as a rich software tool. Thus, when we consider the next generation of Microsoft Project, it’s easy to expect a newer and friendlier version of what we knew before.

    In truth, the new solution is a collection of partially integrated but largely disparate tools that each satisfy a portion of the market’s needs. While it looks like a rich collection of function when viewed through high-level requirements, users will find:

    • Overlaps, where multiple tools satisfy the same functional requirement (e.g. “assign a task”)
    • Gaps, where a tool doesn’t quite do enough and you’re forced to incorporate another tool (e.g. reverting back to Microsoft Project for advanced resource planning)
    • Islands, where tools don’t fluently talk to each other (e.g. Planner data integrated in real-time with portfolio data, which requires clunky, unstable, decentralized end-user integrations with Microsoft Power Automate)
    A colourful arrangement of Microsoft programs arranged around a pile of puzzle pieces.

    Info-Tech's approach

    Use our framework to best leverage the right MS Project offerings and M365 components for your organization’s work management needs.

    The Info-Tech difference:

    1. A simple to follow framework to help you make sense of a chaotic landscape.
    2. Practical and tactical tools that will help you save time.
    3. Leverage industry best practices and practitioner-based insights.
    An Info-Tech framework titled 'Determine the Future of Microsoft Project in Your Organization, subtitle 'View your task, project, and portfolio management options through the lens of Microsoft 365'. There are four main sections titled 'Background', 'Approaches', 'Deployments', and 'Portfolio Outcomes'. In '1) Background' are 'Analyze Content', 'Assess Constraints', and 'Determine Goals and Needs'. In '2) Approaches' are 'DIY: Are you ready to do it yourself?' 'Info-Tech: Can our analysts help?', and 'MS Gold Partner: Are you better off with a third party?'. In '3) Deployments' are five sections: 'Personal Task Management', Barriers to Portfolio Outcomes: Isolated to One Person. 'Team Task Management', Barriers to Portfolio Outcomes: Isolated to One Team. 'Project Portfolio Management', Barriers to Portfolio Outcomes: Isolated to One Project. 'Project Management', Barriers to Portfolio Outcomes: Functionally Incomplete. 'Enterprise Project and Portfolio Management', Barriers to Portfolio Outcomes: Underadopted. In '4) Portfolio Outcomes' are 'Informed Steering Committee', 'Increased Project Throughput', 'Improved Portfolio Responsiveness', 'Optimized Resource Utilization', and 'Reduced Monetary Waste'.

    Determine the Future of Microsoft Project in Your Organization

    View your task, project, and portfolio management options through the lens of Microsoft 365.

    1. Background

    • Analyze Content
    • Assess Constraints
    • Determine Goals and Needs

    2. Approaches

    • DIY – Are you ready to do it yourself?
    • Info-Tech – Can our analysts help?
    • MS Gold Partner – Are you better off with a third party?

    3. Deployments

      Task Management

    • Personal Task Management
      • Who does it? Knowledge workers
      • What is it? To-do lists
      • Common Approaches
        • Paper list and sticky notes
        • Light task tools
      • Applications
        • Planner
        • To Do
      • Level of Rigor 1/5
      • Barriers to Portfolio Outcomes: Isolated to One Person
    • Team Task Management
      • Who does it? Groups of knowledge workers
      • What is it? Collaborative to-do lists
      • Common Approaches
        • Kanban boards
        • Spreadsheets
        • Light task tools
      • Applications
        • Planner
        • Azure Boards
        • Teams
      • Level of Rigor 2/5
      • Barriers to Portfolio Outcomes: Isolated to One Team
    • Project Management

    • Project Portfolio Management
      • Who does it? PMO Directors, Portfolio Managers
      • What is it?
        • Centralized list of projects
        • Request and intake handling
        • Aggregating reporting
      • Common Approaches
        • Spreadsheets
        • PPM software
        • Roadmaps
      • Applications
        • Project for the Web
        • Power Platform
      • Level of Rigor 3/5
      • Barriers to Portfolio Outcomes: Isolated to One Project
    • Project Management
      • Who does it? Project Managers
      • What is it? Deterministic scheduling of related tasks
      • Common Approaches
        • Spreadsheets
        • Lists
        • PM software
        • PPM software
      • Applications
        • Project Desktop Client
      • Level of Rigor 4/5
      • Barriers to Portfolio Outcomes: Functionally Incomplete
    • Enterprise Project and Portfolio Management

    • Enterprise Project and Portfolio Management
      • Who does it? PMO and ePMO Directors, Portfolio Managers, Project Managers
      • What is it?
        • Centralized request and intake handling
        • Resource capacity management
        • Deterministic scheduling of related tasks
      • Common Approaches
        • PPM software
      • Applications
        • Project Online
        • Project Desktop Client
        • Project Server
      • Level of Rigor 5/5
      • Barriers to Portfolio Outcomes: Underadopted

    4. Portfolio Outcomes

    • Informed Steering Committee
    • Increased Project Throughput
    • Improved Portfolio Responsiveness
    • Optimized Resource Utilization
    • Reduced Monetary Waste

    Info-Tech's methodology for Determine the Future of MS Project for Your Organization

    1. Determine Your Tool Needs

    2. Weigh Your MS Project Implementation Options

    3. Finalize Your Implementation Approach

    Phase Steps

    1. Survey the M365 Work Management Tools
    2. Perform a Process Maturity Assessment to Help Inform Your M365 Starting Point
    3. Consider the Right MS Project Licenses for Your Stakeholders
    1. Get Familiar With Extending Project for the Web Using Power Apps
    2. Assess the MS Gold Partner Community
    1. Prepare an Action Plan

    Phase Outcomes

    1. Work Management Tool Audit
    2. MS Project and Power Platform Licensing Needs
    3. Project Management and Project Portfolio Management Maturity Assessment
    1. Project for the Web Readiness Assessment
    2. MS Gold Partner Outreach Plan
    1. MS Project and M365 Action Plan Presentation

    Insight Summary

    Overarching blueprint insight: Microsoft Parts Sold Separately. Assembly required.

    The various MS Project offerings (but most notably the latest, Project for the web) hold the promise of integrating with the rest of M365 into a unified work management solution. However, out of the box, Project for the web and the various platforms within M365 are all disparate utilities that need to be pieced together in a purpose-built manner to make use of them for holistic work management purposes.

    If you’re looking for a cohesive product out of the box, look elsewhere. If you’re looking to assemble a wide array of work, project, and portfolio management functions across different functions and departments, you may have found what you seek

    Phase 1 insight: Align your tool choice to your process maturity level.

    Rather than choosing tools based on your gaps, make sure to assess your current maturity level so that you optimize your investment in the Microsoft landscape.

    Phase 2 insight: Weigh your options before jumping into Microsoft’s new tech.

    Microsoft’s new Project plans (P1, P3, and P5) suggest there is a meaningful connection out of the box between its old tech (Project desktop, Project Server, and Project Online) and its new tech (Project for the web).

    However, the offerings are not always interoperable.

    Phase 3 insight: Keep the iterations small as you move ahead with trials and implementations.

    Organizations are changing as fast as the software we use to run them.

    If you’re implementing parts of this platform, keep the changes small as you monitor the vendors for new software versions and integrations.

    Blueprint deliverables

    Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:

    Key deliverable: Microsoft Project & M365 Action Plan Template

    The Action Plan will help culminate and present:

    • Context and Constraints
    • DIY Implementation Approach
    Or
    • MS Partner Implementation Approach
    • Future-State Vision and Goals
    Samples of Info-Tech's key deliverable 'Microsoft Project and M365 Action Plan Template'.

    Tool Audit Workbook

    Sample of Info-Tech deliverable 'Tool Audit Workbook'.

    Assess your organization's current work management tool landscape and determine what tools drive value for individual users and teams and which ones can be rationalized.

    Force Field Analysis

    Sample of Info-Tech deliverable 'Force Field Analysis'.

    Document the driving and resisting forces for making a change to your work management tools.

    Maturity Assessments

    Sample of Info-Tech deliverable 'Maturity Assessments'.

    Use these assessments to identify gaps in project management and project portfolio management processes. The results will help guide process improvement efforts and measure success and progress.

    Microsoft Project & M365 Licensing Tool

    Sample of Info-Tech deliverable 'Microsoft Project and M365 Licensing Tool'.

    Determine the best licensing options and approaches for your implementation of Microsoft Project.

    Curate your work management tools to harness valuable portfolio outcomes

    • Increase Project Throughput

      Do more projects by ensuring the right projects and the right amount of projects are approved and executed.
    • Support an Informed Steering Committee

      Easily compare progress of projects across the portfolio and enable the leadership team to make decisions.
    • Improve portfolio responsiveness

      Make the portfolio responsive to executive steering when new projects and changing priorities need rapid action.
    • Optimize Resource Utilization

      Assign the right resources to approved projects and minimize the chronic over-allocation of resources that leads to burnout.
    • Reduce Monetary Waste

      Terminate low-value projects early and avoid sinking additional funds into unsuccessful ventures.

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    Guided Implementation

    Workshop

    Consulting

    "Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful." "Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track." "We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place." "Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project."

    Diagnostics and consistent frameworks used throughout all four options

    Guided Implementation

    What does a typical GI on this topic look like?

    A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

    A typical GI is between 6 to 8 calls over the course of 3 to 4 months.

      Introduction

    • Call #1: Scope requirements, objectives, and your specific challenges.
    • Phase 1

    • Call #2: Explore the M365 work management landscape.
    • Call #3: Discuss Microsoft Project Plans and their capabilities.
    • Call #4: Assess current-state maturity.
    • Phase 2

    • Call #5: Get familiar with extending Project for the web using Power Apps.
    • Call #6: Assess the MS Gold Partner Community.
    • Phase 3

    • Call #7: Determine approach and deployment.
    • Call #8: Discuss action plan.

    Workshop Overview

    Contact your account representative for more information.
    workshops@infotech.com 1-888-670-8889

    Day 1
    Assess Driving Forces and Risks

    Day 2
    Determine Tool Needs and Process Maturity

    Day 3
    Weigh Your Implementation Options

    Day 4
    Finalize Implementation Approach

    Day 5
    Next Steps and Wrap-Up (offsite)

    Activities

    • 1.1 Review the business context.
    • 1.2 Explore the M365 work management landscape.
    • 1.3 Identify driving forces for change.
    • 1.4 Analyze potential risks.
    • 1.5 Perform current-state analysis on work management tools.
    • 2.1 Review tool audit dashboard and conduct the final audit.
    • 2.2 Identify current Microsoft licensing.
    • 2.3 Assess current-state maturity for project management.
    • 2.4 Define target state for project management.
    • 2.5 Assess current-state maturity for project portfolio management.
    • 2.6 Define target state for project portfolio management.
    • 3.1 Prepare a needs assessment for Microsoft 365 and Project Plan licenses.
    • 3.2 Review the business case for Microsoft licensing.
    • 3.3 Get familiar with Project for the web.
    • 3.4 Assess the MS Gold Partner Community.
    • 3.5 Conduct a feasibility test for PFTW.
    • 4.1 Decide on the implementation approach.
    • 4.2 Identify the audience for your proposal.
    • 4.3 Determine timeline and assign accountabilities.
    • 4.4 Develop executive summary presentation.
    • 5.1 Complete in-progress deliverables from previous four days.
    • 5.2 Set up review time for workshop deliverables and to discuss next steps.

    Deliverables

    1. Force Field Analysis
    2. Tool Audit Workbook
    1. Tool Audit Workbook
    2. Project Management Maturity Assessment
    3. Portfolio Management Maturity Assessment
    1. Microsoft Project and M365 Licensing Tool
    1. Microsoft Project & M365 Action Plan
    1. Microsoft Project & M365 Action Plan

    Determine the Future of Microsoft Project for Your Organization

    Phase 1: Determine Your Tool Needs

    Phase 1: Determine Your Tool Needs

    Phase 2: Weigh Your Implementation Options Phase 3: Finalize Your Implementation Approach
    • Step 1.1: Survey the M365 work management landscape
    • Step 1.2: Explore the Microsoft Project Plans and their capabilities
    • Step 1.3: Assess the maturity of your current PM & PPM capabilities
    • Step 2.1: Get familiar with extending Project for the web using Power Apps
    • Step 2.2: Assess the MS Gold Partner Community
    • Step 3.1: Prepare an action plan

    Phase Outcomes

    • Tool Audit
    • Microsoft Project Licensing Analysis
    • Project Management Maturity Assessment
    • Project Portfolio Management Maturity Assessments

    Step 1.1

    Survey the M365 Work Management Landscape

    Activities

    • 1.1.1 Distinguish between task, project, and portfolio capabilities
    • 1.1.2 Review Microsoft’s offering for task, project, and portfolio management needs
    • 1.1.4 Assess your organizational context and constraints
    • 1.1.3 Explore typical deployment options

    This step will walk you through the following activities:

    • Assessing your organization’s context for project and project portfolio management
    • Documenting the organization’s constraints
    • Establishing the organization’s goals and needs

    This step involves the following participants:

    • PMO Director
    • Resource Managers
    • Project Managers
    • Knowledge Workers

    Outcomes of Step

    • Knowledge of the Microsoft ecosystem as it relates to task, project, and portfolio management
    • Current organizational context and constraints

    Don’t underestimate the value of interoperability

    The whole Microsoft suite is worth more than the sum of its parts … if you know how to put it together.

    38% of the worldwide office suite market belongs to Microsoft. (Source: Statistica, 2021)

    1 in 3 small to mid-sized organizations moving to Microsoft Project say they are doing so because it integrates well with Office 365. (Source: CBT Nuggets, 2018)

    There’s a gravity to the Microsoft ecosystem.

    And while there is no argument that there are standalone task management tools, project management tools, or portfolio management tools that are likely more robust, feature-rich, and easier to adopt, it’s rare that you find an ecosystem that can do it all, to an acceptable level.

    That is the value proposition of Microsoft: the ubiquity, familiarity, and versatility. It’s the Swiss army knife of software products.

    The work management landscape is evolving

    With M365, Microsoft is angling to become the industry leader, and your organization’s hub, for work management.

    Workers lose up to 40% of their time multi-tasking and switching between applications. (Bluescape, 2018)

    25 Context switches – On average, workers switch between 10 apps, 25 times a day. (Asana, 2021)

    “Work management” is among the latest buzzwords in IT consulting.

    What is work management? It was born of a blurring of the traditional lines between operational or day-to-day tasks and project management tasks, as organizations struggle to keep up with both operational and project demands.

    To make the software easier to use, modern work management doesn’t involve the complexities from days past. You won’t find anywhere to introduce complex predecessor-successor relationships, unbalanced assignments with front-loading or back-loading, early-start/late-finish, critical path, etc.

    Indeed, with Project for the web, Azure Boards, Planner, and other M365 utilities, Microsoft is attempting to compete with lighter and better-adopted tools (e.g. Trello, Wike, Monday.com).

    The Microsoft world of work management can be understood across three broad categories

    1. Task Management

      Task management is essentially the same as keeping track of a to-do list. While you can have a project-related task, you can also have a non-project-related task. The sum of project and non-project tasks make up the work that you need to complete.
    2. Project Management

      Project management (PM) is a methodical approach to planning and guiding project processes from start to finish. Implementing PM processes helps establish repeatable steps and controls that enable project success. Documentation of PM processes leads to consistent results and dependable delivery on expectations.
    3. Portfolio Management

      Project portfolio management (PPM) is a strategic approach to approving, prioritizing, resourcing, and reporting on project. In addition, effective PPM should nurture the completion of projects in the portfolio in the most efficient way and track the extent to which the organization is realizing the intended benefits from completed projects.

    The slides ahead explain each of these modes of working in the Microsoft ecosystem in turn. Further, Info-Tech’s Task, Project, and Project Portfolio Management Tool Guides explain these areas in more detail.

    Use Info-Tech’s Tool Guides assess your MS Project and M365 work management options

    Lean on Info-Tech’s Tool Guides as you navigate Microsoft’s tasks management, project management, and project portfolio management options.

    • The slides ahead take you through a bird’s-eye view of what your MS Project and M365 work management options look like across Info-Tech’s three broad categories
    • In addition to these slides, Info-Tech has three in-depth tool guides that take you through your operational task management, project management, and project portfolio management options in MS Project and M365.
    • These tool guides can be leveraged as you determine whether Microsoft has the required toolset for your organization’s task, project, and project portfolio management needs.

    Download Info-Tech’s Task Management, Project Management, and Project Portfolio Management Tool Guides

    Task Management Overview

    What is task management?

    • It is essentially the same as keeping track of a to-do list. While you can have a project-related task, you can also have a non-project-related task. The sum of project and non-project tasks make up the work that you need to complete.

    What are the benefits of task management using applications within the MS suite?

    • Many organizations already own the tools and don't have to go out and buy something separately.
    • There is easy integration with other MS applications.

    What is personal task management?

    • Tools that allow you to structure work that is visible only to you. This can include work from tasks you are going to be completing for yourself and tasks you are completing as part of a larger work effort.

    What is team task management?

    • Tools that allow users to structure work that is visible to a group. When something is moved or changed, it affects what the group is seeing because it is a shared platform.

    Get familiar with the Microsoft product offerings for task management

    A diagram of Microsoft products and what they can help accomplish. It starts on the right with 'Teams' and 'Outlook'. Both can flow through to 'Personal Task Management' with products 'Teams Tasks' and 'To-Do', but Teams also flows into 'Team Task Management' with products 'Planner' and 'Project for the web'. See the next two slides for more details on these modes of working.

    Download the M365 Task Management Tool Guide

    Personal Task Management

    The To-Do list

    • Who does it?
      • Knowledge workers
    • What is it?
      • How each knowledge worker organizes their individual work tasks in M365
    • When is it done?
      • As needed throughout the day
    • Where is it done?
      • Paper
      • Digital location
    • How is it done?
      • DIY and self-developed
      • Usually not repeatable and evolves depending on work location and tools available
      • Not governed

    Microsoft differentiator:

    Utilities like Planner and To-Do make it easier to turn what are often ad hoc approaches into a more repeatable process.

    Team Task Management

    The SharedTo-Do list

    • Who does it?
      • Groups of knowledge workers
    • What is it?
      • Temporary and permanent collections of knowledge workers
    • When is it done?
      • As needed or on a pre-determined cadence
    • Where is it done?
      • Paper
      • Digital location
    • How is it done?
      • User norms are established organically and adapted based upon the needs of the team.
      • To whatever extent processes are repeatable in the first place, they remain repeatable only if the team is a collective.
      • Usually governed within the team and not subject to wider visibility.

    Microsoft differentiator:

    Teams has opened personal task management tactics up to more collaborative approaches.

    Project Management Overview

    2003

    Project Server: This product serves many large enterprise clients, but Microsoft has stated that it is at end of life. It is appealing to industries and organizations where privacy is paramount. This is an on-premises system that combines servers like SharePoint, SQL, and BI to report on information from Project Desktop Client. To realize the value of this product, there must be adoption across the organization and engagement at the project-task level for all projects within the portfolio.

    2013

    Project Online: This product serves many medium enterprise clients. It is appealing for IT departments who want to get a rich set of features that can be used to intake projects, assign resources, and report on project portfolio health. It is a cloud solution built on the SharePoint platform, which provides many users a sense of familiarity. However, due to the bottom-up reporting nature of this product, again, adoption across the organization and engagement at the project task level for all projects within the portfolio is critical.

    2020

    Project for the web: This product is the newest on the market and is quickly being evolved. Many O365 enthusiasts have been early adopters of Project for the web despite its limited features when compared to Project Online. It is also a cloud solution that encourages citizen developers by being built on the MS Power Platform. This positions the product well to integrate with Power BI, Power Automate, and Power Apps. It is, so far, the only MS product that lends itself to abstracted portfolio management, which means it doesn’t rely on project task level engagement to produce portfolio reports. The portfolio can also run with a mixed methodology by funneling Project, Azure Boards, and Planner boards into its roadmap function.

    Get familiar with the Microsoft product offerings for project management

    A diagram of Microsoft products and what they can help accomplish in Personal and Team Project Management. Products listed include 'Project Desktop Client', 'Project Online', 'SharePoint', 'Power Platform', 'Azure DevOps', 'Project for the web', Project Roadmap', 'Project Home', and 'Project Server'. See the next slide for more details on personal and team project management as modes of working.

    Download the M365 Project Management Tool Guide

    Project Management

    Orchestrating the delivery of project work

    • Who does it?
      • Project managers
    • What is it?
      • Individual project managers developing project plans and schedules in the MS Project Desktop Client
    • When is it done?
      • Throughout the lifecycle of the project
    • Where is it done?
      • Digital location
    • How is it done?
      • Used by individual project managers to develop and manage project plans.
      • Common approaches may or may not involve reconciliation of resource capacity through integration with Active Directory.
      • Sometimes usage norms are established by organizational project management governance standards, though individual use of the desktop client is largely ungoverned.

    Microsoft differentiator:

    For better or worse, Microsoft’s core solution is veritably synonymous with project management itself and has formally contributed to the definition of the project management space.

    Project Portfolio Management Overview

    Optimize what you’re already using and get familiar with the Power Platform.

    What does PPM look like within M365?

    • The Office suite in the Microsoft 365 suite boasts the world’s most widely used application for the purposes of abstracted and strategic PPM: Excel. For the purposes of PPM, Excel is largely implemented in a suboptimal fashion, and as a result, organizations fail to gain PPM adoption and maturation through its use.
    • Until very recently, Microsoft toolset did not explicitly address abstracted PPM needs.
    • However, with the latest version of M365 and Project for the web, Microsoft is boasting of renewed PPM capabilities from its toolset. These capabilities are largely facilitated through what Microsoft is calling its Power Platform (i.e. a suite of products that includes Power, Power Apps, and Power Automate).

    Explore the Microsoft product offering for abstracted project portfolio management

    A diagram of Microsoft products for 'Adaptive or Abstracted Portfolio Management'. Products listed include 'Excel', 'MS Lists', 'Forms', 'Teams', and the 'Power Platform' products 'Power BI', 'Power Apps', and 'Power Automate'. See the next slide for more details on adaptive or abstracted portfolio management as a mode of working.

    Download the M365 Project Portfolio Management Tool Guide

    Project Portfolio Management

    Doing the right projects, at the right time, with the right resources

    • Who does it?
      • PMO directors; portfolio managers
    • What is it?
      A strategic approach to approving, prioritizing, resourcing, and reporting on projects using applications in M365 and Project for the web. In distinction to enterprise PPM, a top-down or abstracted approach is applied, meaning PPM data is not tied to project task details.
    • Where is it done?
      • Digital tool, either homegrown or commercial
    • How is it done?
      • Currently in M365, PPM approaches are largely self-developed, though Microsoft Gold Partners are commonly involved.
      • User norms are still evolving, along with the software’s (Project for the web) function.

    Microsoft differentiator:

    Integration between Project for the web and Power Apps allows for custom approaches.

    Project Portfolio Management Overview

    Microsoft’s legacy project management toolset has contributed to the definition of traditional or enterprise PPM space.

    A robust and intensive bottom-up approach that requires task level roll-ups from projects to inform portfolio level data. For this model to work, reconciliation of individual resource capacity must be universal and perpetually current.

    If your organization has low or no maturity with PPM, this approach will be tough to make successful.

    In fact, most organizations under adopt the tools required to effectively operate with the traditional project portfolio management. Once adopted and operationalized, this combination of tools gives the executives the most precise view of the current state of projects within the portfolio.

    Explore the Microsoft product offering for enterprise project portfolio management

    A diagram of Microsoft products for 'Enterprise or Traditional Portfolio Management'. Products listed include 'Project Desktop Client', 'SharePoint', 'Project Online', 'Azure DevOps', 'Project Roadmaps', and 'Project Home'. See the next slide for more details on this as a mode of working.

    Download the M365 Project Portfolio Management Tool Guide

    Enterprise Project and Portfolio Management

    Bottom-up approach to managing the project portfolio

    • Who does it?
      • PMO and ePMO directors; portfolio managers
      • Project managers
    • What is it?
      • A strategic approach to approving, prioritizing, resourcing, and reporting on projects using applications in M365 and Project for the web. In distinction to enterprise PPM, a top-down or abstracted approach is applied, meaning PPM data is not tied to project task details.
    • Where is it done?
      • Digital tool that is usually commercial.
    • How is it done?
      • Microsoft Gold Partner involvement is highly likely in successful implementations.
      • Usage norms are long established and customized solutions are prevalent.
      • To be successful, use must be highly governed.
      • Reconciliation of individual resource capacity must be universal and perpetually current.

    Microsoft differentiator:

    Microsoft’s established network of Gold Partners helps to make this deployment a viable option.

    Assess your current tool ecosystem across work management categories

    Use Info-Tech’s Tool Audit Workbook to assess the value and satisfaction for the work management tools currently in use.

    • With the modes of working in mind that have been addressed in the previous slides and in Info-Tech’s Tool Guides, the activity slides ahead encourage you to engage your wider organization to determine all of the ways of working across individuals and teams.
    • Depending on the scope of your work management optimization, these engagements may be limited to IT or may extend to the business.
    • Use Info-Tech’s Tool Audit Workbook to help you gather and make sense of the tool data you collect. The result of this activity is to gain insight into the tools that drive value and fail to drive value across your work management categories with a view to streamline the organization’s tool ecosystem.

    Download Info-Tech’s Tool Audit Workbook

    Sample of Info-Tech's Tool Audit Workbook.

    1.2.1 Compile list of tools

    1-3 hours

    Input: Information on tools used to complete task, project, and portfolio tasks

    Output: Analyzed list of tools

    Materials: Whiteboard/Flip Charts, Tool Audit Workbook

    Participants: Portfolio Manager (PMO Director), PMO Admin Team, Project Managers, Business Stakeholders

    1. Identify the stakeholder groups that are in scope. For each group that you’ve identified, brainstorm the different tools and artifacts that are necessary to get the task, project, and project portfolio management functions done.
    2. Make sure to record the tool name and specify its category (standard document, artifact, homegrown solution, or commercial solution).
    3. Think about and discuss how often the tool is being used for each use case across the organization. Document whether its use is required. Then assess reporting functionality, data accuracy, and cost.
    4. Lastly, give a satisfaction rating for each use case.

    Excerpt from the Tool Audit Workbook

    Excerpt from Info-Tech's Tool Audit Workbook on compiling tools.

    1.2.1 Review dashboard

    1-3 hours

    Input: List of key PPM decision points, List of who is accountable for PPM decisions, List of who has PPM decision-making authority

    Output: Prioritized list of PPM decision-making support needs

    Materials: Whiteboard/Flip Charts, Tool Audit Workbook

    Participants: Portfolio Manager (PMO Director), PMO Admin Team, CIO

    Discuss the outputs of the Dashboards tab to inform your decision maker on whether to pass or fail the tool for each use case.

    Sample of a BI dashboard used to evaluate the usefulness of tools. Written notes include: 'Slice the data based on stakeholder group, tool, use case, and category', and 'Review the results of the questionnaire by comparing cost and satisfaction'.

    1.2.1 Execute final audit

    1 hour

    Input: List of key PPM decision points, List of who is accountable for PPM decisions, List of who has PPM decision-making authority

    Output: Prioritized list of PPM decision-making support needs

    Materials: Whiteboard/Flip Charts, Tool Audit Workbook

    Participants: Portfolio Manager (PMO Director), PMO Admin Team, CIO

    1. Using the information available, schedule time with the leadership team to present the results.
    2. Identify the accountable party to make the final decision on what current tools pass or fail the final audit.
    3. Mind the gap presented by the failed tools and look to possibilities within the M365 and Microsoft Project suite. For each tool that is deemed unsatisfactory for the future state, mark it as “Fail” in column O on tab 2 of the Tool Audit Workbook. This will ensure the item shows in the “Fail” column on tab 4 of the tool when you refresh the data.
    4. For each of the tools that “fail” your audit and that you’re going to make recommendations to rationalize in a future state, try to capture the annual total current-state spending on licenses, and the work modes the tool currently supports (i.e. task, project, and/or portfolio management).
    5. Additionally, start to think about future-state replacements for each tool within or outside of the M365/MS Project platforms. As we move forward to finalize your action plan in the last phase of this blueprint, we will capture and present this information to key stakeholders.

    Document your goals, needs, and constraints before proceeding

    Use Info-Tech’s Force Field Analysis Tool to help weigh goals and needs against risks and constraints associated with a work management change.

    • Now that you have discussed the organization’s ways of working and assessed its tool landscape – and made some initial decisions on some tool options that might need to change across that landscape – gather key stakeholders to define (a) why a change is needed at this time and (b) to document some of the risks and constraints associated with changing.
    • Info-Tech’s Force Field Analysis Tool can be used to capture these data points. It takes an organizational change management approach and asks you to consider the positive and negative forces associated with a work management tool change at this time.
    • The slides ahead walk you through a force field analysis activity and help you to navigate the relevant tabs in the Tool.

    Download Info-Tech's Force Field Analysis Tool

    Sample of Info-Tech's Force Field Analysis Tool.

    1.2.1 Identify goals and needs (1 of 2)

    Use tab 1 of the Force Field Analysis Workbook to assess goals and needs.

    30 minutes

    Input: Opportunities associated with determining the use case for Microsoft Project and M365 in your organization

    Output: Plotted opportunities based on probability and impact

    Materials: Whiteboard/Flip Charts, Force Field Analysis Tool

    Participants: Portfolio Manager (PMO Director), PMO Admin Team, Project Managers

    1. Brainstorm opportunities associated with exploring and/or implementing Microsoft Project and the Microsoft 365 suite of products for task, project, and project portfolio management.
    2. Document relevant opportunities in tab 1 of the Force Field Analysis Tool. For each driving force for the change (note: a driving force can include goals and needs) that is identified, provide a category that explains why the driving force is a concern (i.e. with this force is the organization looking to mature, integrate, scape, or accelerate?).
    3. In addition, assess the ease of achieving or realizing each goal or need and the impact of realizing them on the PMO and/or the organization.
    4. See the next slide for a screenshot that helps you navigate tab 1 of the Tool.

    Download the Force Field Analysis Tool

    1.2.1 Identify goals and needs (2 of 2)

    Screenshot of tab 1 of the Force Field Analysis Workbook.

    Screenshot of tab 1 of the Force Field Analysis Workbook. There are five columns referred to as columns B through F with the headings 'Opportunities', 'Category', 'Source', 'Ease of Achieving', and 'Impact on PMO/Organization'.

    In column B on tab 1, note the specific opportunities the group would like to call out.

    In column C, categorize the goal or need being articulated by the list of drop-down options: will it accelerate the time to benefit? Will it help to integrate systems and data sources? Will it mature processes and the organization overall? Will it help to scale across the organization? Choose the option that best aligns with the opportunity.

    In column D, categorize the source of the goal or need as internal or external.

    In column E, use the drop-down menus to indicate the ease of realizing each goal or need for the organization. Will it be relatively easy to manifest or will there be complexities to implementing it?

    In column F, use the drop-down menus to indicate the positive impact of realizing or achieving each need on the PMO and/or the organization.

    On tab 3 of the Force Field Analysis Workbook, your inputs on tab 1 are summarized in graphical form from columns B to G. On tab 3, these goals and needs results are contrasted with your inputs on tab 2 (see next slide).

    1.2.2 Identify risk and constraints (1 of 2)

    Use tab 2 of the Force Field Analysis Workbook to assess opposing forces to change.

    30 minutes

    Input: Risks associated with determining the use case for Microsoft Project and M365 in your organization

    Output: Plotted risks based on probability and impact

    Materials: Whiteboard/Flip Charts, Force Field Analysis Tool

    Participants: Portfolio Manager (PMO Director), PMO Admin Team, Project Managers

    1. With the same working group from 1.2.1, brainstorm risks, constraints, and other opposing forces pertaining to your potential future state.
    2. Document relevant opposing forces in tab 2 of the Force Field Analysis Tool. For each opposing force for the change (note: a driving force can include goals and needs) that is identified, provide a category that explains why the opposing force is a concern (i.e. will it impact or is it impacted by time, resources, maturity, budget, or culture?).
    3. In addition, assess the likelihood of the risk or constraint coming to light and the negative impact of it coming to light for your proposed change.
    4. See the next slide for a screenshot that helps you navigate tab 2 of the Force Field Analysis Tool.

    Download the Force Field Analysis Tool

    1.2.2 Identify risk and constraints (2 of 2)

    Screenshot of tab 2 of the Force Field Analysis Workbook.

    Screenshot of tab 2 of the Force Field Analysis Workbook. There are five columns referred to as columns B through F with the headings 'Risks and Constraints', 'Category', 'Source', 'Likelihood of Constraint/Risk/Resisting Force Being Felt', and 'Impact to Derailing Goals and Needs'.

    In column B on tab 2, note the specific risks and constraints the group would like to call out.

    In column C, categorize the risk or constraint being articulated by the list of drop-down options: will it impact or is it impacted by time, resources, budget, culture or maturity?

    In column D, categorize the source of the goal or need as internal or external.

    In column E, use the drop-down menus to indicate the likelihood of each risk or constraint materializing during your implementation. Will it definitely occur or is there just a small chance it could come to light?

    In column F, use the drop-down menus to indicate the negative impact of the risk or constraint to achieving your goals and needs.

    On tab 3 of the Force Field Analysis Workbook, your inputs on tab 2 are summarized in graphical form from columns I to N. On tab 3, your risk and constraint results are contrasted with your inputs on tab 1 to help you gauge the relative weight of driving vs. opposing forces.

    Step 1.2

    Explore the Microsoft Project Plans and their capabilities

    Activities

    • 1.1.1 Review the Microsoft 365 licensing features
    • 1.1.2 Explore the Microsoft Project Plan licenses
    • 1.1.3 Prepare a needs assessment for Microsoft 365 and Project Plan licenses

    This step will walk you through the following activities:

    • Review the suite of task management, project management, and project portfolio management options available in Microsoft 365.
    • Prepare a preliminary checklist of required M365 apps for your stakeholders.

    This step usually involves the following participants:

    • PMO/Portfolio Manager
    • Project Managers
    • CIO and other executive stakeholders
    • Other project portfolio stakeholders (project and IT workers)

    Outcomes of Step

    • Preliminary requirements for an M365 project management and project portfolio management tool implementation

    Microsoft recently revamped its project plans to balance its old and new tech

    Access to the new tech, Project for the web, comes with all license types, while Project Online Professional and Premium licenses have been revamped as P3 and P5.

    Navigating Microsoft licensing is never easy, and Project for the web has further complicated licensing needs for project professionals.

    As we’ll cover in step 2.1 of this blueprint, Project for the web can be extended beyond its base lightweight work management functionality using the Power Platform (Power Apps, Power Automate, and Power BI). Depending on the scope of your implementation, this can require additional Power Platform licensing.

    • In this step, we will help you understand the basics of what’s already included in your enterprise M365 licensing as well as what’s new in Microsoft’s recent Project licensing plans (P1, P3, and P5).
    • As we cover toward the end of this step, you can use Info-Tech’s MS Project and M365 Licensing Tool to help you understand your plan and licensing needs. Further assistance on licensing can be found in the Task, Project, and Portfolio Management Tool Guides that accompany this blueprint and Info-Tech’s Modernize Your Microsoft Licensing for the Cloud Era.

    Download Info-Tech’s Modernize Your Microsoft Licensing for the Cloud Era

    Licensing features for knowledge workers

    Please note that licensing packages are frequently subject to change. This is up to date as of August 2021. For the most up-to-date information on licensing, visit the Microsoft website.

    Bundles are extremely common and can be more cost effective than à la carte options for the Microsoft products.

    The biggest differentiator between M365 and O365 is that the M365 product also includes Windows 10 and Enterprise Mobility and Security.

    The color coding in the diagram indicates that the same platform/application suite is available.

    Platform or Application M365 E3 M365 E5 O365 E1 O365 E3 O365 E5
    Microsoft Forms X X X X X
    Microsoft Lists X X X X X
    OneDrive X X X X X
    Planner X X X X X
    Power Apps for Office 365 X X X X X
    Power Automate for Office X X X X X
    Power BI Pro X X
    Power Virtual Agents for Teams X X X X X
    SharePoint X X X X X
    Stream X X X X X
    Sway X X X X X
    Teams X X X X X
    To Do X X X X X

    Get familiar with Microsoft Project Plan 1

    Please note that licensing packages are frequently subject to change. This is up to date as of August 2021. For the most up to date information on licensing, visit the Microsoft website.

    Who is a good fit?

    • New project managers
    • Zero-allocation project managers
    • Individuals and organizations who want to move out of Excel into something less fragile (easily breaking formulas)

    What does it include?

    • Access to Project Home, a landing page to access all project plans you’ve created or have been assigned to.
    • Access to Grid View, Board View, and Timeline (Gantt) View to plan and manage your projects with Project for the web
    • Sharing Project for the web plans across Microsoft Teams channels
    • Co-authoring on project plans

    When does it make sense?

    • Lightweight project management
    • No process to use bottom-up approach for resourcing data
    • Critical-path analysis is not required
    • Organization does not have an appetite for project management rigor

    Get familiar with Microsoft Project Plan 3

    Please note that licensing packages are frequently subject to change. This is up to date as of August 2021. For the most up to date information on licensing, visit the Microsoft website.

    Who is a good fit?

    • Experienced and dedicated project managers
    • Organizations with complex projects
    • Large project teams are required to complete project work
    • Organizations have experience using project management software

    What does it include?

    Everything in Project Plan 1 plus the following:

    • Reporting through Power BI Report template apps (note that there are no pre-built reports for Project for the web)
    • Access to build a Roadmap of projects from Project for the web and Azure DevOps with key milestones, statuses, and deadlines
    • Project Online to submit and track timesheets for project teams
    • MS Project Desktop Client to support resource management

    When does it make sense?

    • Project management is an established discipline at the organization
    • Critical-path analysis is commonly used
    • Organization has some appetite for project management rigor
    • Resources are expected to submit timesheets to allow for more precise resource management data

    Get familiar with Microsoft Project Plan 5

    Please note that licensing packages are frequently subject to change. This is up to date as of August 2021. For the most up to date information on licensing, visit the Microsoft website.

    Who is a good fit?

    • Experienced and dedicated project managers
    • Experienced and dedicated PMO directors
    • Dedicated portfolio managers
    • Organizations proficient at sustaining data in a standard tool

    What does it include?

    Everything in Project Plan 3 plus the following:

    • Portfolio selection and optimization
    • Demand management
    • Enterprise resource planning and management through deterministic task and resource scheduling
    • MS Project Desktop Client to support resource management

    When does it make sense?

    • Project management is a key success factor at the organization
    • Organization employs a bottom-up approach for resourcing data
    • Critical-path analysis is required
    • Formal project portfolio management processes are well established
    • The organization is willing to either put in the time, energy, and resources to learn to configure the system through DIY or is willing to leverage a Microsoft Partner to help them do so

    What’s included in each plan (1 of 2)

    Plan details are up to date as of September 2021. Plans and pricing can change often. Visit the Microsoft website to validate plan options and get pricing details.
    MS Project Capabilities Info-Tech's Editorial Description P1 P3 P5
    Project Home Essentially a landing page that allows you to access all the project plans you've created or that you're assigned to. It amalgamates plans created in Project for the web, the Project for the web app in Power Apps, and Project Online. X X X
    Grid view One of three options in which to create your project plans in Project for the web (board view and timeline view are the other options). You can switch back and forth between the options. X X X
    Board view One of three options in which to create your project plans in Project for the web (grid view and timeline view are the other options). You can switch back and forth between the options. X X X
    Timeline (Gantt) view One of three options in which to create your project plans in Project for the web (board view and grid view are the other options). You can switch back and forth between the options. X X X
    Collaboration and communication This references the ability to add Project for the web project plans to Teams channels. X X X
    Coauthoring Many people can have access to the same project plan and can update tasks. X X X
    Project planning and scheduling For this the marketing lingo says "includes familiar scheduling tools to assign project tasks to team members and use different views like Grid, Board, and Timeline (Gantt chart) to oversee the schedule." Unclear how this is different than the project plans in the three view options above. X X X

    X - Functionality Included in Plan

    O - Functionality Not Included in Plan

    What’s included in each plan (2 of 2)

    Plan details are up to date as of September 2021. Plans and pricing can change often. Visit the Microsoft website to validate plan options and get pricing details.
    MS Project Capabilities Info-Tech's Editorial Description P1 P3 P5
    Reporting This seems to reference Excel reports and the Power BI Report Template App, which can be used if you're using Project Online. There are no pre-built reports for Project for the web, but third-party Power Apps are available. O X X
    Roadmap Roadmap is a platform that allows you to take one or more projects from Project for the web and Azure DevOps and create an organizational roadmap. Once your projects are loaded into Roadmap you can perform additional customizations like color status reporting and adding key days and milestones. O X X
    Timesheet submission Project Online and Server 2013 and 2016 allow team members to submit timesheets if the functionality is required. O X X
    Resource management The rich MS Project client supports old school, deterministic project scheduling at the project level. O X X
    Desktop client The full desktop client comes with P3 and P5, where it acts as the rich editor for project plans. The software enjoys a multi-decade market dominance as a project management tool but was never paired with an enterprise collaboration server engine that enjoyed the same level of success. O X X
    Portfolio selection and optimization Portfolio selection and optimization has been offered as part of the enterprise project and portfolio suite for many years. Most people taking advantage of this capability have used a Microsoft Partner to formalize and operationalize the feature. O O X
    Demand Management Enterprise demand management is targeted at the most rigorous of project portfolio management practices. Most people taking advantage of this capability have used a Microsoft Partner to formalize and operationalize the feature. O O X
    Enterprise resource planning and management The legacy MS Project Online/Server platform supports enterprise-wide resource capacity management through an old-school, deterministic task and resource scheduling engine, assuming scaled-out deployment of Active Directory. Most people succeeding with this capability have used a Microsoft Partner to formalize and operationalize the feature. O O X

    X - Functionality Included in Plan

    O - Functionality Not Included in Plan

    Use Info-Tech’s MS Project and M365 Licensing Tool

    Leverage the analysis in Info-Tech’s MS Project & M365 Licensing Tool to help inform your initial assumptions about what you need and how much to budget for it.

    • The Licensing Tool can help you determine what Project Plan licensing different user groups might need as well as additional Power Platform licensing that may be required.
    • It consists of four main tabs: two set-up tabs where you can validate the plan and pricing information for M365 and MS Project; an analysis tab where you set up your user groups and follow a survey to assess their Project Plan needs; and another analysis tab where you can document your Power Platform licensing needs across your user groups.
    • There is also a business case tab that breaks down your total licensing needs. The outputs of this tab can be used in your MS Project & M365 Action Plan Template, which we will help you develop in phase three of this blueprint.

    Download Info-Tech's Microsoft Project & M365 Licensing Tool

    Sample of Info-Tech's Microsoft Project and M365 Licensing Tool.

    1.2.1 Conduct a needs assessment

    1-2 hours

    Input: List of key user groups/profiles, Number of users and current licenses

    Output: List of Microsoft applications/capabilities included with each license, Analysis of user group needs for Microsoft Project Plan licenses

    Materials: Microsoft Project & 365 Licensing Tool

    Participants: Portfolio Manager (PMO Director), PMO Admin Team, Project Managers

    1. As a group, analyze the applications included in your current or desired 365 license and calculate any additional Power Platform licensing needs.
    2. Screenshot of the 'Application/Capabilities' screen from the 'Microsoft Project and M365 Licensing Tool'.
    3. Within the same group, use the drop-down menus to analyze your high-level MS Project requirements by selecting whether each capability is necessary or not.
    4. Your inputs to the needs assessment will determine the figures in the Business Case tab. Consider exporting this information to PDF or other format to distribute to stakeholders.
    5. Screenshot of the 'Business Case' tab from the 'Microsoft Project and M365 Licensing Tool'.

    Download Info-Tech's Microsoft Project & M365 Licensing Tool

    Step 1.3

    Assess the maturity of your current PM & PPM capabilities

    Activities

    • Assess current state project and project portfolio management processes and tools
    • Determine target state project and project portfolio management processes and tools

    This step will walk you through the following activities:

    • Assess current state project and project portfolio management processes and tools
    • Determine target state project and project portfolio management processes and tools

    This step usually involves the following participants:

    • PMO/Portfolio Manager
    • Project Managers
    • CIO and other executive stakeholders
    • Other project portfolio stakeholders (project and IT workers)

    Outcomes of Step

    • Current and target state maturity for project management and project portfolio management processes

    Project portfolio management and project management are more than tools

    Implementing commercial tools without a matching level of process discipline is a futile exercise, leaving organizations frustrated at the wasted time and money.

    • The tool is only as good as the data that is input. There is often a misunderstanding that a tool will be “automatic.” While it is true that a tool can help make certain processes easier and more convenient by aggregating information, enhancing reporting, and coauthoring, it will not make up the data. If data becomes stale, the tool is no longer valid for accurate decision making.
    • Getting people onboard and establishing a clear process is often the hardest part. As IT folk, it can be easy to get wrapped up in the technology. All too often excitement around tools can drown out the important requisites around people and process. The reality is people and process are a necessary condition for a tool to be successful. Having a tool will not be sufficient to overcome obstacles like poor stakeholder buy-in, inadequate governance, and the absence of a standard operating procedure.

    • Slow is the way to go. When deciding what tools to purchase, start small and scale up rather than going all in and all too often ending up with many unused features and fees.

    "There's been a chicken-egg debate raging in the PPM world for decades: What comes first, the tool or the process? It seems reasonable to say, ‘We don't have a process now, so we'll just adopt the one in the tool.’ But you'll soon find out that the tool doesn't have a process, and you needed to do more planning and analysis before buying the tool." (Barry Cousins, Practice Lead, Project Portfolio Management)

    Assess your process maturity to determine the right tool approach

    Take the time to consider and reflect on the current and target state of the processes for project portfolio management and project management.

    Project Portfolio Management

    • Status and Progress Reporting
      1. Intake, Approval, and Prioritization

        PPM is the practice of selecting the right projects and ensuring the organization has the necessary resources to complete them. PPM should enable executive decision makers to make sense of the excess of demand and give IT the ability to prioritize those projects that are most valuable to the business.
      2. Resource Management

      3. Project Management

        1. Initiation
        2. Planning
        3. Execution
        4. Monitoring and Controlling
        5. Closing
        Tailor a project management framework to fit your organization. Formal methodologies aren’t always the best fit. Take what you can use from formal frameworks and define a right-sized approach to your project management processes.
      4. Project Closure

      5. Benefits Tracking

    Info-Tech’s maturity assessment tools can help you match your tools to your maturity level

    Use Info-Tech’s Project Portfolio Management Maturity Assessment Tool and Project Management Maturity Assessment Tool.

    • The next few slides in this step take you through using our maturity assessment tools to help gauge your current-state and target-state maturity levels for project management (PM) and project portfolio management (PPM).
    • In addition to the process maturity assessments, these workbooks also help you document current-state support tools and desired target-state tools.
    • The outputs of these workbooks can be used in your MS Project & M365 Action Plan Template, which we will help you develop in phase three of this blueprint.

    Download Info-Tech’s Project Portfolio Management Maturity Assessment Tool and Project Management Maturity Assessment Tool

    Samples of Info-Tech's Project Portfolio Management Maturity Assessment Tool and Project Management Maturity Assessment Tool.

    Conduct a gap analysis survey for both project and project portfolio management.

    • Review the category and activity statements: For each gap analysis tab in the maturity assessments, use the comprehensive activity statements to identify gaps for the organization.
    • Assess the current state: To assess the current state, evaluate whether the statement should be labeled as:
      • Absent: There is no evidence of any activities supporting this process.
      • Initial: Activity is ad hoc and not well defined.
      • Defined: Activity is established and there is moderate adherence to its execution.
      • Repeatable: Activity is established, documented, repeatable, and integrated with other phases of the process.
      • Managed: Activity execution is tracked by gathering qualitative and quantitative feedback

    Once this is documented, take some time to describe the type of tool being used to do this (commercial, home-grown, standardized document) and provide additional details, where applicable.

    Define the target state: Repeat the assessment of activity statements for the target state. Then gauge the organizational impact and complexity of improving each capability on a scale of very low to very high.

    Excerpt from Info-Tech's Project Portfolio Management Maturity Assessment Tool, the 'PPM Current State Target State Maturity Assessment Survey'. It has five columns whose purpose is denoted in notes. Column 1 'Category within the respective discipline'; Column 2 'Statement to consider'; Column 3 'Select the appropriate answer for current and target state'; Column 4 'Define the tool type'; Column 5 'Provide addition detail about the tool'.

    Analyze survey results for project and project portfolio management maturity

    Take stock of the gap between current state and target state.

    • What process areas have the biggest gap between current and target state?
    • What areas are aligned across current and target state?

    Identify what areas are currently the least and most mature.

    • What process area causes the most pain in the organization?
    • What process area is the organization’s lowest priority?

    Note the overall current process maturity.

    • After having done this exercise, does the overall maturity come as a surprise?
    • If so, what are some of the areas that were previously overlooked?
    A table and bar graph documenting and analysis of maturity survey results. The table has four columns labelled 'Process Area', 'Current Process Completeness', 'Current Maturity Level', and 'Target State Maturity'. Rows headers in the 'Process Area' column are 'Intake, Approval, and Prioritization', 'Resource Management', 'Portfolio Reporting', 'Project Closure and Benefits Realization', 'Portfolio Administration', and finally 'Overall Maturity'. The 'Current Process Completeness' column's values are in percentages. The 'Current Maturity Level' and 'Target State Maturity' columns' values can be one of the following: 'Absent', 'Initial', 'Defined', 'Repeatable', or 'Managed'. The bar chart visualizes the levels of the 'Target State' and 'Current State' with 'Absent' from 0-20%, 'Initial' from 20-40%, 'Defined' from 40-60%, 'Repeatable' from 60-80%, and 'Managed' from 80-100%.
    • Identify process areas with low levels of maturity
    • Spot areas of inconsistency between current and target state.
    • Assess the overall gap to get a sense of the magnitude of the effort required to get to the target state.
    • 100% doesn’t need to be the goal. Set a goal that is sustainable and always consider the value to effort ratio.

    Screenshot your results and put them into the MS Project and M365 Action Plan Template.

    Review the tool overview and plan to address gaps (tabs 3 & 4)

    Tool Overview:

    Analyze the applications used to support your project management and project portfolio management processes.

    Look for:

    • Tools that help with processes across the entire PM or PPM lifecycle.
    • Tools that are only used for one specific process.

    Reflect on the overlap between process areas with pain points and the current tools being used to complete this process.

    Consider the sustainability of the target-state tool choice

    Screenshot of a 'Tool Overview' table. Chart titled 'Current-to-Target State Supporting Tools by PPM Activity' documenting the current and target states of different supporting tools by PPM Activity. Tools listed are 'N/A', 'Standardized Document', 'Homegrown Tool', and 'Commercial Tool'.

    You have the option to create an action plan for each of the areas of improvement coming out of your maturity assessment.

    This can include:

    • Tactical Optimization Action: What is the main action needed to improve capability?
    • Related Actions: Is there a cross-over with any actions for other capabilities?
    • Timeframe: Is this near-term, mid-term, or long-term?
    • Proposed Start Date
    • Proposed Go-Live Date
    • RACI: Who will be responsible, accountable, consulted, and informed?
    • Status: What is the status of this action item over time?

    Determine the Future of Microsoft Project for Your Organization

    Phase 2: Weigh Your Implementation Options

    Phase 1: Determine Your Tool Needs

    Phase 2: Weigh Your Implementation Options

    Phase 3: Finalize Your Implementation Approach
    • Step 1.1: Survey the M365 work management landscape
    • Step 1.2: Perform a process maturity assessment to help inform your M365 starting point
    • Step 1.3: Consider the right MS Project licenses for your stakeholders
    • Step 2.1: Get familiar with extending Project for the web using Power Apps
    • Step 2.2: Assess the MS Gold Partner Community
    • Step 3.1: Prepare an action plan

    Phase Outcomes

    • A decision on how best to proceed (or not proceed) with Project for the web
    • A Partner outreach plan

    Step 2.1

    Get familiar with extending Project for the web using Power Apps

    Activities

    • Get familiar with Project for the web: how it differs from Microsoft’s traditional project offerings and where it is going
    • Understand the basics of how to extend Project for the web in Power Apps
    • Perform a feasibility test

    This step will walk you through the following activities:

    • Get familiar with Project for the web
    • Understand the basics of how to extend Project for the web in Power Apps
    • Perform a feasibility test to determine if taking a DIY approach to extending Project for the web is right for your organization currently

    This step usually involves the following participants:

    • Portfolio Manager (PMO Director)
    • Project Managers
    • Other relevant PMO stakeholders

    Outcomes of Step

    • A decision on how best to proceed (or not proceed) with Project for the web

    Project for the web is the latest of Microsoft’s project management offerings

    What is Project for the web?

    • First introduced in 2019 as Project Service, Project for the web (PFTW) is Microsoft’s entry into the world of cloud-based work management and lightweight project management options.
    • Built on the Power Platform and leveraging the Dataverse for data storage, PFTW integrates with the many applications that M365 users are already employing in their day-to-day work management and collaboration activities.
    • It is available as a part of your M365 subscription with the minimum activation of P1 license – it comes with P3 and P5 licenses as well.
    • From a functionality and user experience perspective, PFTW is closer to applications like Planner or Azure Boards than it is to traditional MS Project options.

    What does it do?

    • PFTW allows for task and dependency tracking and basic timeline creation and scheduling and offers board and grid view options. It also allows real-time coauthoring of tasks among team members scheduled to the same project.
    • PFTW also comes with a product/functionality Microsoft calls Roadmap, which allows users to aggregate multiple project timelines into a single view for reporting purposes.

    What doesn't it do?

    • With PFTW, Microsoft is offering noticeably less traditional project management functionality than its existing solutions. Absent are table stakes project management capabilities like critical path, baselining, resource load balancing, etc.

    Who is it for?

    • Currently, in its base lightweight project management option, PFTW is targeted toward occasional or part-time project managers (not the PMP-certified set) tasked with overseeing and/or collaborating on small to mid-sized initiatives and projects.

    Put Project for the web in perspective

    Out of the box, PFTW occupies a liminal space when it comes to work management options

    • More than a task management tool, but not quite a full project management tool
    • Not exactly a portfolio management tool, yet some PPM reporting functionality is inherent in the PFTW through Roadmap

    The table to the right shows some of the functionality in PFTW in relation to the task management functionality of Planner and the enterprise project and portfolio management functionality of Project Online.

    Table 2.1a Planner Project for the web Project Online
    Coauthoring on Tasks X X
    Task Planning X X X
    Resource Assignments X X X
    Board Views X X X
    MS Teams Integration X X X
    Roadmap X X
    Table and Gantt Views X X
    Task Dependency Tracking X X
    Timesheets X
    Financial Planning X
    Risks and Issues Tracking X
    Program Management X
    Advanced Portfolio Management X

    Project for the web will eventually replace Project Online

    • As early as 2018 Microsoft has been foreshadowing a transition away from the SharePoint-backed Project environments of Server and Online toward something based in Common Data Service (CDS) – now rebranded as the Dataverse.
    • Indeed, as recently as the spring of 2021, at its Reimagine Project Management online event, Microsoft reiterated its plans to sunset Project Online and transition existing Online users to the new environment of Project for the web – though it provided no firm dates when this might occur.
      • The reason for this move away from Online appears to be an acknowledgment that the rigidity of the tool is awkward in our current dynamic, collaborative, and overhead-adverse work management paradigm.
      • To paraphrase a point made by George Bullock, Sr. Product Marketing Manager, for Microsoft at the Reimagine Project Management event, teams want to manage work as they see fit, but the rigidity of legacy solutions doesn’t allow for this, leading to a proliferation of tools and data sprawl. (This comment was made during the “Overview of Microsoft Project” session during the Reimagine event.)

    PFTW is Microsoft’s proposed future-state antidote to this challenge. Its success will depend on how well users are able to integrate the solution into a wider M365 work management setting.

    "We are committed to supporting our customers on Project Online and helping them transition to Project for the Web. No end-of-support has been set for Project Online, but when the time comes, we will communicate our plans on the transition path and give you plenty of advance notice." (Heather Heide, Program Manager, Microsoft Planner and Project. This comment was made during the “Overview of Microsoft Project” session during the Reimagine event.)

    Project for the web can be extended beyond its base lightweight functionality

    Project for the web can be extended to add more traditional and robust project and project portfolio management functionality using the Power Platform.

    Microsoft plans to sunset Project Online in favor of PFTW will at first be a head-scratcher for those familiar with the extensive PPM functionality in Project Online and underwhelmed by the project and portfolio management in PFTW.

    However, having built the solution upon the Power Platform, Microsoft has made it possible to take the base functionality in PFTW and extend it to create a more custom, organizationally specific user experience.

    • With a little taste of what can be done with PFTW by leveraging the Power Platform – and, in particular, Power Apps – it becomes more obvious how we, as users, can begin to evolve the base tool toward a more traditional PPM solution and how, in time, Microsoft’s developers may develop the next iteration of PFTW into something more closely resembling Project Online.

    Before users get too excited about using these tools to build a custom PPM approach, we should consider the time, effort, and skills required. The slides ahead will take you through a series of considerations to help you gauge whether your PMO is ready to go it alone in extending the solution.

    Extending the tool enhances functionality

    Table 2.1a in this step displayed the functionality in PFTW in relation to the task management tool Planner and the robust PPM functionality in Online.

    The table to the right shows how the functionality in PFTW can differ from the base solution and Project Online when it is extended using the model-driven app option in Power Apps.

    Caveat: The list of functionality and processes in this table is sample data.

    This functionality is not inherent in the solution as soon as you integrate with Power Apps. Rather it must be built – and your success in developing these functions will depend upon the time and skills you have available.

    Table 2.1b Project for the web PFTW extended with PowerApps Project Online
    Critical Path X
    Timesheets X
    Financial Planning X X
    Risks and Issues Tracking X X
    Program Management X
    Status Updates X
    Project Requests X
    Business Cases X
    Project Charters X
    Resource Planning and Capacity Management X X
    Project Change Requests X

    Get familiar with the basics of Power Apps before you decide to go it alone

    While the concept of being able to customize and grow a commercial PPM tool is enticing, the reality of low-code development and application maintenance may be too much for resource-constrained PMOs.

    Long story short: Extending PFTW in Power Apps is time consuming and can be frustrating for the novice to intermediate user.

    It can take days, even weeks, just to find your feet in Power Apps, let alone to determine requirements to start building out a custom model-driven app. The latter activity can entail creating custom columns and tables, determining relationships between tables to get required outputs, in addition to basic design activities.

    Time-strapped and resource-constrained practitioners should pause before committing to this deployment approach. To help better understand the commitment, the slides ahead cover the basics of extending PFTW in Power Apps:

    1. Dataverse environments.
    2. Navigating Power App Designer and Sitemap Designer
    3. Customizing tables and forms in the Dataverse

    See Info-Tech’s M365 Project Portfolio Management Tool Guide for more information on Power Apps in general.

    Get familiar with Power Apps licensing

    Power Apps for 365 comes with E1 through E5 M365 licenses (and F3 and F5 licenses), though additional functionality can be purchased if required.

    While extending Project for the web with Power Apps does not at this time, in normal deployments, require additional licensing from what is included in a E3 or E5 license, it is not out of the realm of possibility that a more complex deployment could incur costs not included in the Power Apps for 365 that comes with your enterprise agreement.

    The table to the right shows current additional licensing options.

    Power Apps, Per User, Per App Plan

    Per User Plan

    Cost: US$10 per user per app per month, with a daily Dataverse database capacity of 40 MB and a daily Power Platform request capacity of 1,000. Cost: US$40 per user per month, with a daily Dataverse database capacity of 250 MB and a daily Power Platform request capacity of 5,000.
    What's included? This option is marketed as the option that allows organizations to “get started with the platform at a lower entry point … [or those] that run only a few apps.” Users can run an application for a specific business case scenario with “the full capabilities of Power Apps” (meaning, we believe, that unlicensed users can still submit data via an app created by a licensed user). What's included? A per-user plan allows licensed users to run unlimited canvas apps and model-driven apps – portal apps, the licensing guide says, can be “provisioned by customers on demand.” Dataverse database limits (the 250 MB and 5,000 request capacity mentioned above) are pooled at the per tenant, not the per user plan license, capacity.

    For more on Power Apps licensing, refer to Info-Tech’s Modernize Your Microsoft Licensing for the Cloud Era for more information.

    What needs to be configured?

    Extending Project for the web requires working with your IT peers to get the right environments configured based upon your needs.

    • PFTW data is stored in the Microsoft Dataverse (formerly Common Data Service or CDS).
    • The organization’s Dataverse can be made up of one to many environments based upon its needs. Environments are individual databases with unique proprieties in terms of who can access them and what applications can store data in them.
    • Project for the web supports three different types of environments: default, production, and sandbox.
    • You can have multiple instances of a custom PFTW app deployed across these environments and across different users – and the environment you choose depends upon the use case of each instance.

    Types of Environments

    • Default Environment

      • It is the easiest to deploy and get started with the PFTW Power App in the default environment. However, it is also the most restricted environment with the least room for configuration.
      • Microsoft recommends this environment for simple deployments or for projects that span the organization. This is because everyone in the organization is by default a member of this environment – and, with the least room for configuration, the app is relatively straightforward.
      • At minimum, you need one project license to deploy PFTW in the default environment.
    • Production Environment

      • This environment affords more flexibility for how a custom app can be configured and deployed. Unlike the default environment, deploying a production environment is a manual process (through the Power Platform Admin Center) and security roles need to be set to limit users who can access the environment.
      • Because users can be limited, production environments can be used to support more advanced deployments and can support diverse processes for different teams.
      • At present, you need at least five Project licenses to deploy to production environments.
    • Sandbox Environment

      • This environment is for users who are responsible for the creation of custom apps. It offers the same functionality as a production environment but allows users to make changes without jeopardizing a production environment.

    Resources to provide your IT colleagues with to help in your PFTW deployment:

    1. Project for the web admin help (Product Documentation, Microsoft)
    2. Advanced deployment for Project for the web (Video, Microsoft)
    3. Get Started with Project Power App (Product Support Documentation, Microsoft)
    4. Project for the Web Security Roles (Product Support Documentation, Microsoft)

    Get started creating or customizing a model-driven app

    With the proper environments procured, you can now start extending Project for the web.

    • Navigate to the environment you would like to extend PFTW within. For the purposes of the slides ahead, we’ll be using a sandbox environment for an example. Ensure you have the right access set up for production and sandbox environments of your own (see links on previous slide for more assistance).
    • To begin extending PFTW, the two core features you need to be familiar with before you start in Power Apps are (1) Tables/Entities and (2) the Power Apps Designer – and in particular the Site Map.

    From the Power Apps main page in 365, you can change your environment by selecting from the options in the top right-hand corner of the screen.

    Screenshot of the Power Apps “Apps” page in a sandbox environment. The Project App will appear as “Project” when the application is installed, though it is also easy to create an app from scratch.

    Model-driven apps are built around tables

    In Power Apps, tables (formerly called entities and still referred to as entities in the Power Apps Designer) function much like tables in Excel: they are containers of columns of data for tracking purposes. Tables define the data for your app, and you build your app around them.

    In general, there are three types of tables:

    • Standard: These are out-of-the box tables included with a Dataverse environment. Most standard tables can be customized.
    • Managed: These are tables that get imported into an environment as part of a managed solution. Managed tables cannot be customized.
    • Custom: These types of tables can either be imported from another solution or created directly in the Dataverse environment. To create custom tables, users need to have System Administrator or System Customizer security roles within the Dataverse.

    Tables can be accessed under Data banner on the left-hand panel of your Power Apps screen.

    The below is a list of standard tables that can be used to customize your Project App.

    A screenshot of the 'Data' banner in 'Power Apps' and a list of table names.

    Table Name

    Display Name

    msdyn_project Project
    msdyn_projectchange Change
    msdyn_projectprogram Program
    msdyn_projectrequest Request
    msdyn_projectrisk Risk
    msdyn_projectissue Issue
    msdyn_projectstatusreport Status

    App layouts are designed in the Power App Designer

    You configure tables with a view to using them in the design of your app in the Power Apps Designer.

    • If you’re customizing a Project for the web app manually installed into your production or sandbox environment, you can access Designer by highlighting the app from your list of apps on the Apps page and clicking “Edit” in the ribbon above.
      • If you’re creating a model-driven app from scratch, Designer will open past the “Create a New App” intro screen.
      • If you need to create separate apps in your environment for different PMOs or business units, it is as easy to create an app from scratch as it is to customize the manual install.
    • The App Designer is where you can design the layout of your model-driven app and employ the right data tables.
    Screenshot of the 'App Designer' screen in 'Power Apps'.

    The Site Map determines the navigation for your app, i.e. it is where you establish the links and pages users will navigate. We will review the basics of the sitemap on the next few slides.

    The tables that come loaded into your Project Power App environment (at this time, 37) via the manual install will appear in the Power Apps Designer in the Entity View pane at the bottom of the page. You do not have to use all of them in your design.

    Navigate the Sitemap Designer

    With the components of the previous two slides in mind, let’s walk through how to use them together in the development of a Project app.

    As addressed in the previous slide, the sitemap determines the navigation for your app, i.e. it is where you establish the links and the pages that users will navigate.

    To get to the Sitemap Designer, highlight the Project App from your list of apps on the Apps page and click “Edit” in the ribbon above. If you’re creating a model-driven app from scratch, Designer will open past the “Create a New App” intro screen.

    • To start designing your app layout, click the pencil icon beside the Site Map logo on the App Designer screen.
    • This will take you into the Sitemap Designer (see screenshot to the right). This is where you determine the layout of your app and the relevant data points (and related tables from within the Dataverse) that will factor into your Project App.
    • In the Sitemap Designer, you simply drag and drop the areas, groups, and subareas you want to see in your app’s user interface (see next slide for more details).
    Screenshot of the 'Sitemap Designer' in 'Power Apps'.

    Use Areas, Groups, and Subareas as building blocks for your App

    Screenshots of the main window and the right-hand panel in the 'Sitemap Designer', and of the subarea pop-up panel where you connect components to data tables. The first two separate elements into 'Area', 'Group', and 'Subarea'.

    Drag and drop the relevant components from the panel on the right-hand side of the screen into the main window to design the core pieces that will be present within your user interface.

    For each subarea in your design, use the pop-up panel on the right-hand side of the screen to connect your component the relevant table from within your Dataverse environment.

    How do Areas, Groups, and Subareas translate into an app?

    Screenshots of the main window in the 'Sitemap Designer' and of a left-hand panel from a published 'Project App'. There are notes defining the terms 'Area', 'Group', and 'Subarea' in the context of the screenshot.

    The names or titles for your Areas and Groups can be customized within the Sitemap Designer.

    The names or titles for your Subareas is dependent upon your table name within the Dataverse.

    Area: App users can toggle the arrows to switch between Areas.

    Group: These will change to reflect the chosen Area.

    Subarea: The tables and forms associated with each subarea.

    How to properly save and publish your changes made in the Sitemap Designer and Power Apps Designer:

    1. When you are done making changes to your components within the Sitemap Designer, and want your changes to go live, hit the “Publish” button in the top right corner; when it has successfully published, select “Save and Close.”
    2. You will be taken back to the Power App Designer homepage. Hit “Save,” then “Publish,” and then finally “Play,” to go to your app or “Save and Close.”

    How to find the right tables in the Dataverse

    While you determine which tables will play into your app in the Sitemap Designer, you use the Tables link to customize tables and forms.

    Screenshots of the tables search screen and the 'Tables' page under the 'Data' banner in 'Power Apps'.

    The Tables page under the Data banner in Power Apps houses all of the tables available in your Dataverse environment. Do not be overwhelmed or get too excited. Only a small portion of the tables in the Tables folder in Power Apps will be relevant when it comes to extending PFTW.

    Find the table you would like to customize and/or employ in your app and select it. The next slides will look at customizing the table (if you need to) and designing an app based upon the table.

    To access all the tables in your environment, you’ll need to ensure your filter is set correctly on the top right-hand corner of the screen, otherwise you will only see a small portion of the tables in your Dataverse environment.

    If you’re a novice, it will take you some time to get familiar with the table structure in the Dataverse.

    We recommend you start with the list of tables listed on slide. You can likely find something there that you can use or build from for most PPM purposes.

    How to customize a table (1 of 3)

    You won’t necessarily need to customize a table, but if you do here are some steps to help you get familiar with the basics.

    Screenshot of the 'Columns' tab, open in the 'msdyn_project table' in 'Power Apps'.

    In this screenshot, we are clicked into the msdyn_project (display name: Project) table. As you can see, there are a series of tabs below the name of the table, and we are clicked into the Columns tab. This is where you can see all of the data points included in the table.

    You are not able to customize all columns. If a column that you are not able to customize does not meet your needs, you will need to create a custom column from the “+Add column” option.

    “Required” or “Optional” status pertains to when the column or field is used within your app. For customizable or custom columns this status can be set when you click into each column.

    How to customize a table (2 of 3)

    Create a custom “Status” column.

    By way of illustrating how you might need to customize a table, we’ll highlight the “msdyn_project_statecode” (display name: Project Status) column that comes preloaded in the Project (msdyn_project) table.

    • The Project Status column only gives you a binary choice. While you are able to customize what that binary choice is (it comes preloaded with “Active” and “Inactive” as the options) you cannot add additional choices – so you cannot set it to red/yellow/green, the most universally adopted options for status in the project portfolio management world.
    • Because of this, let’s look at the effort involved in creating a choice and adding a custom column to your table based upon that choice.
    Screenshots of the '+New choice' button in the 'Choices' tab and the 'New choice' pane that opens when you click it.

    From within the Choices tab, click “+New choice” option to create a custom choice.

    A pane will appear to the right of your screen. From there you can give your choice a name, and under the “Items” header, add your list of options.

    Click save. Your custom choice is now saved to the Choices tab in the Dataverse environment and can be used in your table. Further customizations can be made to your choice if need be.

    How to customize a table (3 of 3)

    Back in the Tables tab, you can put your new choice to work by adding a column to a table and selecting your custom choice.

    Screenshots of the pop-up window that appear when you click '+Add Column', and details of what happens when you select the data type 'Choice'.

    Start by selecting “+ Add Column” at the top left-hand side of your table. A window will appear on the right-hand side of the page, and you will have options to name your column and choose the data type.

    As you can see in this screenshot to the left, data type options include text, number and date types, and many more. Because we are looking to use our custom choice for this example, we are going to choose “Choice.”

    When you select “Choice” as your data type, all of the choice options available or created in your Dataverse environment will appear. Find your custom choice – in this example the one name “RYG Status” – and click done. When the window closes, be sure to select “Save Table.”

    How to develop a Form based upon your table (1 of 3 – open the form editor)

    A form is the interface users will engage with when using your Project app.

    When the Project app is first installed in your environment, the main user form will be lacking, with only a few basic data options.

    This form can be customized and additional tabs can be added to your user interface.

    1. To do this, go to the table you want to customize.
    2. In the horizontal series of tabs at the top of the screen, below the table title select the “Forms” option.
    3. Click on the main information option or select Edit Form for the form with “Main” under its form type. A new window will open where you can customize your form.
    Screenshot of the 'Forms' tab, open in the 'msdyn_project' table in 'Power Apps'.

    Select the Forms tab.

    Start with the form that has “Main” as its Format Type.

    How to develop a Form based upon your table (2 of 3 – add a component)

    Screenshot of the 'Components' window in 'Power Apps' with a list of layouts as a window to the right of the main screen where you can name and format the chosen layout.

    You can add element like columns or sections to your form by selecting the Components window.

    In this example, we are adding a 1-Column section. When you select that option from the menu options on the left of the screen, a window will open to the right of the screen where you can name and format the section.

    Choose the component you would like to add from the layout options. Depending on the table element you are looking to use, you can also add input options like number inputs and star ratings and pull in related data elements like a project timeline.

    How to develop a Form based upon your table (3 of 3 – add table columns)

    Screenshot of the 'Table Columns' window in 'Power Apps' and instructions for adding table columns.

    If you click on the “Table Columns” option on the left-hand pane, all of the column options from within your table will appear in alphabetical order.

    When clicked within the form section you would like to add the new column to, select the column from the list of option in the left-hand pane. The new data point will appear within the section. You can order and format section elements as you would like.

    When you are done editing the form, click the “Save” icon in the top right-hand corner. If you are ready for your changes to go live within your Project App, select the “Publish” icon in the top right-hand corner. Your updated form will go live within all of the apps that use it.

    The good and the bad of extending Project for the web

    The content in this step has not instructed users how to extend PFTW; rather, it has covered three basic core pieces of Power Apps that those interesting in PFTW need to be aware of: Dataverse environments, the Power Apps and Sitemaps Designers, and Tables and associated Forms.

    Because we have only covered the very tip of the iceberg, those interested in going further and taking a DIY approach to extending PFTW will need to build upon these basics to unlock further functionality. Indeed, it takes work to develop the product into something that begins to resemble a viable enterprise project and portfolio management solution. Here are some of the good and the bad elements associated with that work:

    The Good:

    • You can right-size and purpose build: add as much or as little project management rigor as your process requires. Related, you can customize the solution in multiple ways to suit the needs of specific business units or portfolios.
    • Speed to market: it is possible to get up and running quickly with a minimum-viable product.

    The Bad:

    • Work required: to build anything beyond MVP requires independent research and trial and error.
    • Time required: to build anything beyond MVP requires time and skills that many PMOs don’t have.
    • Shadow support costs: ungoverned app creation could have negative support and maintenance impacts across IT.

    "The move to Power Platform and low code development will […increase] maintenance overhead. Will low code solution hit problems at scale? [H]ow easy will it be to support hundreds or thousands of small applications?

    I can hear the IT support desks already complaining at the thought of this. This part of the puzzle is yet to hit real world realities of support because non developers are busy creating lots of low code applications." (Ben Hosking, Software Developer and Blogger, "Why low code software development is eating the world")

    Quick start your extension with the Accelerator

    For those starting out, there is a pre-built app you can import into your environment to extend the Project for the web app without any custom development.

    • If the DIY approach in the previous slides was overwhelming, and you don’t have the budget for a MS Partner route in the near-term, this doesn’t mean that evolving your Project for the web app is unattainable.
    • Thanks to a partnership between OnePlan (one of the MS Gold Partners we detail in the next step) and Microsoft, Project for the web users have access to a free resource to help them evolve the base Project app. It’s called the “Project for the web Accelerator” (commonly referred to as “the Accelerator” for short).
    • Users interested in learning more about, and accessing, this free resource should refer to the links below:
      1. The Future of Microsoft Project Online (source: OnePlan).
      2. Introducing the Project Accelerator (source: Microsoft).
      3. Project for the web Accelerator (source: GitHub)
    Screen shot from one of the dashboards that comes with the Accelerator (image source: GitHub).

    2.1.1 Perform a feasibility test (1 of 2)

    15 mins

    As we’ve suggested, and as the material in this step indicates, extending PFTW in a DIY fashion is not small task. You need a knowledge of the Dataverse and Power Apps, and access to the requisite skills, time, and resources to develop the solution.

    To determine whether your PMO and organization are ready to go it alone in extending PFTW, perform the following activity:

    1. Convene a collection of portfolio, project, and PMO staff.
    2. Using the six-question survey on tab 5 of the Microsoft Project & M365 Licensing Tool (see screenshot to the right) as a jumping off point for a discussion, consider the readiness of your PMO or project organization to undertake a DIY approach to extending and implementing PFTW at this time.
    3. You can use the recommendations on tab 5 of the Microsoft Project & 365 Licensing Tool to inform your next steps, and input the gauge graphic in section 4 of the Microsoft Project & M365 Action Plan Template.
    Screenshots from the 'Project for the Web Extensibility Feasibility Test'.

    Go to tab 5 of the Microsoft Project & M365 Licensing Tool

    See next slide for additional activity details

    2.1.1 Perform a feasibility test (2 of 2)

    Input: The contents of this step, The Project for the Web Extensibility Feasibility Test (tab 5 in the Microsoft Project & 365 Licensing Tool)

    Output: Initial recommendations on whether to proceed and how to proceed with a DIY approach to extending Project for the web

    Materials: The Project for the Web Extensibility Feasibility Test (tab 5 in the Microsoft Project & 365 Licensing Tool)

    Participants: Portfolio Manager (PMO Director), Project Managers, Other relevant PMO stakeholders

    Step 2.2

    Assess the Microsoft Gold Partner Community

    Activities

    • Review what to look for in a Microsoft Partner
    • Determine whether your needs would benefit from reaching out to a Microsoft Partner
    • Review three key Partners from the North American market
    • Create a Partner outreach plan

    This step will walk you through the following activities:

    • Review what to look for in a Microsoft Partner.
    • Determine whether your needs would benefit from reaching out to a Microsoft Partner.
    • Review three key Partners from the North American market.

    This step usually involves the following participants:

    • Portfolio Manager (PMO Director)
    • Project Managers
    • Other relevant PMO stakeholders

    Outcomes of Step

    • A better understanding of MS Partners
    • A Partner outreach plan

    You don’t have to go it alone

    Microsoft has an established community of Partners who can help in your customizations and implementations of Project for the web and other MS Project offerings.

    If the content in the previous step seemed too technical or overly complex in a way that scared you away from a DIY approach to extending Microsoft’s latest project offering (and at some point in the near future, soon to be its only project offering), Project for the web, fear not.

    You do not have to wade into the waters of extending Project for the web alone, or for that matter, in implementing any other MS Project solution.

    Instead, Microsoft nurtures a community of Silver and Gold partners who offer hands-on technical assistance and tool implementation services. While the specific services provided vary from partner to partner, all can assist in the customization and implementation of any of Microsoft’s Project offerings.

    In this step we will cover what to look for in a Partner and how to assess whether you are a good candidate for the services of a Partner. We will also highlight three Partners from within the North American market.

    The basics of the Partner community

    What is a Microsoft Partner?

    Simply put, an MS Gold Partner is a software or professional services organization that provides sales and services related to Microsoft products.

    They’re resellers, implementors, integrators, software manufacturers, trainers, and virtually any other technology-related business service.

    • Microsoft has for decades opted out of being a professional services organization, outside of its very “leading edge” offerings from MCS (Microsoft Consulting Services) for only those technologies that are so new that they aren’t yet supported by MS Partners.
    • As you can see in the chart on the next slide, to become a silver or gold certified partner, firms must demonstrate expertise in specific areas of business and technology in 18 competency areas that are divided into four categories: applications and infrastructure, business applications, data and AI, and modern workplace and security.

    More information on what it takes to become a Microsoft Partner:

    1. Partner Center (Document Center, Microsoft)
    2. Differentiate your business by attaining Microsoft competencies (Document Center, Microsoft)
    3. Partner Network Homepage (Webpage, Microsoft)
    4. See which partner offer is right for you (Webpage, Microsoft)

    Types of partnerships and qualifications

    Microsoft Partner Network

    Microsoft Action Pack

    Silver Competency

    Gold Competency

    What is it?

    The Microsoft Partner Network (MPN) is a community that offers members tools, information, and training. Joining the MPN is an entry-level step for all partners. The Action Pack is an annual subscription offered to entry-level partners. It provides training and marketing materials and access to expensive products and licenses at a vastly reduced price. Approximately 5% of firms in the Microsoft Partner Network (MPN) are silver partners. These partners are subject to audits and annual competency exams to maintain silver status. Approximately 1% of firms in the Microsoft Partner Network (MPN) are gold partners. These partners are subject to audits and annual competency exams to maintain Gold status.

    Requirements

    Sign up for a membership Annual subscription fee While requirements can vary across competency area, broadly speaking, to become a silver partner firms must:
    • Pass regular exams and skills assessments, with at least two individuals on staff with Microsoft Certified Professional Status.
    • Hit annual customer, revenue, and licensing metrics.
    • Pay the annual subscription fee.
    While requirements can vary across competency area, broadly speaking, to become a gold partner firms must:
    • Pass regular exams and skills assessments, with at least two individuals on staff with Microsoft Certified Professional Status.
    • Hit annual customer, revenue, and licensing metrics.
    • Pay the annual subscription fee.

    Annual Fee

    No Cost $530 $1800 $5300

    When would a MS Partner be helpful?

    • Project management and portfolio management practitioners might look into procuring the services of a Microsoft Partner for a variety of reasons.
    • Because services vary from partner to partner (help to extend Project for the web, implement Project Server or Project Online, augment PMO staffing, etc.) we won’t comment on specific needs here.
    • Instead, the three most common conditions that trigger the need are listed to the right.

    Speed

    When you need to get results faster than your staff can grow the needed capabilities.

    Cost

    When the complexity of the purchase decision, implementation, communication, training, configuration, and/or customization cannot be cost-justified for internal staff, often because you’ll only do it once.

    Expertise & Skills

    When your needs cannot be met by the core Microsoft technology without significant extension or customization.

    Canadian Microsoft Partners Spotlight

    As part of our research process for this blueprint, Info-Tech asked Microsoft Canada for referrals and introductions to leading Microsoft Partners. We spent six months collaborating with them on fresh research into the underlying platform.

    These vendors are listed below and are highlighted in subsequent slides.

    Spotlighted Partners:

    Logo for One Plan. Logo for PMO Outsource Ltd. Logo for Western Principles.

    Please Note: While these vendors were referred to us by Microsoft Canada and have a footprint in the Canadian market, their footprints extend beyond this to the North American and global markets.

    A word about our approach

    Photo of Barry Cousins, Project Portfolio Management Practice Lead, Info-Tech Research Group.
    Barry Cousins
    Project Portfolio Management Practice Lead
    Info-Tech Research Group

    Our researchers have been working with Microsoft Project Online and Microsoft Project Server clients for years, and it’s fair to say that most of these clients (at some point) used a Microsoft Partner in their deployment. They’re not really software products, per se; they’re platforms. As a Microsoft Partner in 2003 when Project Server got its first big push, I heard it loud and clear: “Some assembly required. You might only make 7% on the licensing, but the world’s your oyster for services.”

    In the past few years, Microsoft froze the market for major Microsoft Project decisions by making it clear that the existing offering is not getting updates while the new offering (Project for the web) doesn’t do what the old one did. And in a fascinating timing coincidence, the market substantially adopted Microsoft 365 during that period, which enables access to Project for the web.

    Many of Info-Tech’s clients are justifiably curious, confused, and concerned, while the Microsoft Partners have persisted in their knowledge and capability. So, we asked Microsoft Canada for referrals and introductions to leading Microsoft Partners and spent six months collaborating with them on fresh research into the underlying platform.

    Disclosure: Info-Tech conducted collaborative research with the partners listed on the previous slide to produce this publication. Market trends and reactions were studied, but the only clients identified were in case studies provided by the Microsoft Partners. Info-Tech’s customers have been, and remain, anonymous. (Barry Cousins, Project Portfolio Management Practice Lead, Info-Tech Research Group)

    MS Gold Partner Spotlight:

    OnePlan

    Logo for One Plan.
    Headquarters: San Marcos, California, and Toronto, Ontario
    Number of Employees: ~80
    Active Since: 2007 (as EPMLive)
    Website: www.oneplan.ai

    Who are they?

    • While the OnePlan brand has only been the marketplace for a few years, the company has been a major player in MS Gold Partner space for well over a decade.
    • Born out of EPMLive in the mid-aughts, OnePlan Solutions has evolved through a series of acquisitions, including Upland, Tivitie, and most recently Wicresoft.

    What do they do?

    • Software: Its recent rebranding is largely because OnePlan Solutions is as much a software company as it is a professional services firm. The OnePlan software product is an impressive solution that can be used on its own to facilitate the portfolio approaches outlined on the next slide and that can also integrate with the tools your organization is already using to manage tasks (see here for a full rundown of the solutions within the Microsoft stack and beyond OnePlan can integrate with).
    • Beyond its ability to integrate with existing solutions, as a software product, OnePlan has modules for resource planning, strategic portfolio planning, financial planning, time tracking, and more.

    • PPM Consulting Services: The OnePlan team also offers portfolio management consulting services. See the next slide for a list of its approaches to project portfolio management.

    Markets served

    • US, Canada, Europe, and Australia

    Channel Differentiation

    • OnePlan scales to all the PPM needs of all industry types.
    • Additionally, OnePlan offers insights and functionality specific to the needs of BioTech-Pharma.

    What differentiates OnePlan?

    • OnePlan co-developed the Project Accelerator for Project for the web with Microsoft. The OnePlan team’s involvement in developing the Accelerator and making it free for users to access suggests it is aligned to and has expertise in the purpose-built and collaborative vision behind Microsoft’s move away from Project Online and toward the Power Platform and Teams collaboration.
    • 2021 MS Gold Partner of the Year. At Microsoft’s recent Microsoft Inspire event, OnePlan was recognized as the Gold Partner of the Year for Project and Portfolio Management as well as a finalist for Power Apps and Power Automate.
    • OnePlan Approaches: Below is a list of the services or approaches to project portfolio management that OnePlan provides. See its website for more details.
      • Strategic Portfolio Management: Align work to objectives and business outcomes. Track performance against the proposed objectives outcomes.
      • Agile Portfolio Management: Implement Agile practices across the organization, both at the team and executive level.
      • Adaptive Portfolio Management: Allow teams to use the project methodology and tools that best suit the work/team. Maintain visibility and decision making across the entire portfolio.
      • Professional Services Automation: Use automation to operate with greater efficiency.

    "OnePlan offers a strategic portfolio, financial and resource management solution that fits the needs of every PMO. Optimize your portfolio, financials and resources enterprise wide." (Paul Estabrooks, Vice President at OnePlan)

    OnePlan Case Study

    This case study was provided to Info-Tech by OnePlan.

    Brambles

    INDUSTRY: Supply Chain & Logistics
    SOURCE: OnePlan

    Overview: Brambles plays a key role in the delivery or return of products amongst global trading partners such as manufacturers, distributors and retailers.

    Challenge

    Brambles had a variety of Project Management tools with no easy way of consolidating project management data. The proliferation of project management solutions was hindering the execution of a long-term business transformation strategy. Brambles needed certain common and strategic project management processes and enterprise project reporting while still allowing individual project management solutions to be used as part of the PPM platform.

    Solution

    As part of the PMO-driven business transformation strategy, Brambles implemented a project management “operating system” acting as a foundation for core processes such as project intake, portfolio management, resource, and financial planning and reporting while providing integration capability for a variety of tools used for project execution.

    OnePlan’s new Adaptive PPM platform, combining the use of PowerApps and OnePlan, gives Brambles the desired PPM operating system while allowing for tool flexibility at the execution level.

    Results

    • Comprehensive picture of progress across the portfolio.
    • Greater adoption by allowing flexibility of work management tools.
    • Modern portfolio management solution that enables leadership to make confident decision.

    Solution Details

    • OnePlan
    • Project
    • Power Apps
    • Power Automate
    • Power BI
    • Teams

    Contacting OnePlan Solutions

    www.oneplan.ai

    Joe Larscheid: jlarscheid@oneplan.ai
    Paul Estabrooks: pestabrooks@oneplan.ai
    Contact Us: contact@oneplan.ai
    Partners: partner@oneplan.ai

    Partner Resources. OnePlan facilitates regular ongoing live webinars on PPM topics that anyone can sign up for on the OnePlan website.

    For more information on upcoming webinars, or to access recordings of past webinars, see here.

    Additional OnePlan Resources

    1. How to Extend Microsoft Teams into a Collaborative Project, Portfolio and Work Management Solution (on-demand webinar, OnePlan’s YouTube channel)
    2. What Does Agile PPM Mean To The Modern PMO (on-demand webinar, OnePlan’s YouTube channel)
    3. OnePlan is fused with the Microsoft User Experience (blog article, OnePlan)
    4. Adaptive Portfolio Management Demo – Bringing Order to the Tool Chaos with OnePlan (product demo, OnePlan’s YouTube channel)
    5. How OnePlan is aligning with Microsoft’s Project and Portfolio Management Vision (blog article, OnePlan)
    6. Accelerating Office 365 Value with a Hybrid Project Portfolio Management Solution (product demo, OnePlan’s YouTube channel)

    MS Gold Partner Spotlight:

    PMO Outsource Ltd.

    Logo for PMO Outsource Ltd.

    Headquarters: Calgary, Alberta, and Mississauga, Ontario
    Website: www.pmooutsource.com

    Who are they?

    • PMO Outsource Ltd. is a Microsoft Gold Partner and PMI certified professional services firm based in Alberta and Ontario, Canada.
    • It offers comprehensive project and portfolio management offerings with a specific focus on project lifecycle management, including demand management, resource management, and governance and communication practices.

    What do they do?

    • Project Online and Power Platform Expertise. The PMO Outsource Ltd. team has extensive knowledge in both Microsoft’s old tech (Project Server and Desktop) and in its newer, cloud-based technologies (Project Online, Project for the web, the Power Platform, and Dynamics 365). As the case study in two slides demonstrates, PMO Outsource Ltd. Uses its in-depth knowledge of the Microsoft suite to help organizations automate project and portfolio data collection process, create efficiencies, and encourage cloud adoption.
    • PPM Consulting Services: In addition to its Microsoft platform expertise, the PMO Outsource Ltd. team also offers project and portfolio management consulting services, helping organizations evolve their process and governance structures as well as their approaches to PPM tooling.

    Markets served

    • Global

    Channel Differentiation

    • PMO Outsource Ltd. scales to all the PPM needs of all industry types.

    What differentiates PMO Outsource Ltd.?

    • PMO Staff Augmentation. In addition to its technology and consulting services, PMO Outsource Ltd. offers PMO staff augmentation services. As advertised on its website, it offers “scalable PMO staffing solutions. Whether you require Project Managers, Business Analysts, Admins or Coordinators, [PMO Outsource Ltd.] can fulfill your talent search requirements from a skilled pool of resources.”
    • Multiple and easy-to-understand service contract packages. PMO Outsource Ltd. offers many prepackaged service offerings to suit PMOs’ needs. Those packages include “PMO Management, Admin, and Support,” “PPM Solution, Site and Workflow Configuration,” and “Add-Ons.” For full details of what’s included in these services packages, see the PMO Outsource Ltd. website.
    • PMO Outsource Ltd. Services: Below is a list of the services or approaches to project portfolio management that PMO Outsource Ltd. Provides. See its website for more details.
      • Process Automation, Workflows, and Tools. Facilitate line of sight by tailoring Microsoft’s technology to your organization’s needs and creating custom workflows.
      • PMO Management Framework. Receive a professionally managed PPM methodology as well as governance standardization of processes, tools, and templates.
      • Custom BI Reports. Leverage its expertise in reporting and dashboarding to create the visibility your organization needs.

    "While selecting an appropriate PPM tool, the PMO should not only evaluate the standard industry tools but also analyze which tool will best fit the organization’s strategy, budget, and culture in the long run." (Neeta Manghnani, PMO Strategist, PMO Outsource Ltd.)

    PMO Outsource Ltd. Case Study

    This case study was provided to Info-Tech by PMO Outsource Ltd.

    SAMUEL

    INDUSTRY: Manufacturing
    SOURCE: PMO Outsource Ltd.

    Challenge

    • MS Project 2013 Server (Legacy/OnPrem)
    • Out-of-support application and compliance with Office 365
    • Out-of-support third-party application for workflows
    • No capability for resource management
    • Too many manual processes for data maintenance and server administration

    Solution

    • Migrate project data to MS Project Online
    • Recreate workflows using Power Automate solution
    • Configure Power BI content packs for Portfolio reporting and resource management dashboards
    • Recreate OLAP reports from legacy environment using Power BI
    • Cut down nearly 50% of administrative time by automating PMO/PPM processes
    • Save costs on Server hardware/application maintenance by nearly 75%

    Full Case Study Link

    • For full details about how PMO Outsource Ltd. assisted Samuel in modernizing its solution and creating efficiencies, visit the Microsoft website where this case study is highlighted.

    Contacting PMO Outsource Ltd.

    www.pmooutsource.com

    700 8th Ave SW, #108
    Calgary, AB T2P 1H2
    Telephone : +1 (587) 355-3745
    6045 Creditview Road, #169
    Mississauga, ON L5V 0B1
    Telephone : +1 (289) 334-1228
    Information: info@pmooutsource.com
    LinkedIn: https://www.linkedin.com/company/pmo-outsource/

    Partner Resources. PMO Outsource Ltd.’s approach is rooted within a robust and comprehensive PPM framework that is focused on driving strategic outcomes and business success.

    For a full overview of its PPM framework, see here.

    Additional PMO Outsource Ltd. Resources

    1. 5 Benefits of PPM tools and PMO process automation (blog article, PMO Outsource Ltd.)
    2. Importance of PMO (blog article, PMO Outsource Ltd.)
    3. Meet the Powerful and Reimagined PPM tool for Everyone! (video, PMO Outsource Ltd. LinkedIn page)
    4. MS Project Tips: How to add #Sprints to an existing Project? (video, PMO Outsource Ltd. LinkedIn page)
    5. MS Project Tips: How to add a milestone to your project? (video, PMO Outsource Ltd. LinkedIn page)
    6. 5 Benefits of implementing Project Online Tools (video, PMO Outsource Ltd. LinkedIn page)

    MS Gold Partner Spotlight:

    Western Principles

    Logo for Western Principles.

    Headquarters: Vancouver, British Columbia
    Years Active: 16 Years
    Website: www.westernprinciples.com

    Who are they?

    • Western Principles is a Microsoft Gold Partner and UMT 360 PPM software provider based in British Columbia with a network of consultants across Canada.
    • In the last sixteen years, it has successfully conducted over 150 PPM implementations, helping in the implementation, training, and support of Microsoft Project offerings as well as UMT360 – a software solution provider that, much like OnePlan, enhances the PPM capabilities of the Microsoft platform.

    What do they do?

    • Technology expertise. The Western Principles team helps organizations maximize the value they are getting form the Microsoft Platform. Not only does it offer expertise in all the solutions in the MS Project ecosystem, it also helps organizations optimize their use and understanding of Teams, SharePoint, the Power Platform, and more. In addition to the Microsoft platform, Western Principles is partnered with many other technology providers, including UMT360 for strategic portfolio management, the Simplex Group for project document controls, HMS for time sheets, and FluentPro for integration, back-ups, and migrations.
    • PPM Consulting Services: In addition to its technical services and solutions, Western Principles offers PPM consulting and staff augmentation services.

    Markets served

    • Canada

    Channel Differentiation

    • Western Principles scales to all the PPM needs of all industry types, public and private sector.
    • In addition, its website offers persona-specific information based on the PPM needs of engineering and construction, new product development, marketing, and more.

    What differentiates Western Principles?

    • Gold-certified UMT 360 partner. In addition to being a Microsoft Gold Partner, Western Principles is a gold-certified UMT 360 partner. UMT 360 is a strategic portfolio management tool that integrates with many other work management solutions to offer holistic line of sight into the organization’s supply-demand pain points and strategic portfolio management needs. Some of the solutions UMT 360 integrates with include Project Online and Project for the web, Azure DevOps, Jira, and many more. See here for more information on the impressive functionality in UMT360.
    • Sustainment Services. Adoption can be the bane of most PPM tool implementations. Among the many services Western Principles offers, its “sustainment services” stand out. According to Western Principles’ website, these services are addressed to those who require “continual maintenance, change, and repair activities” to keep PPM systems in “good working order” to help maximize ROI.
    • Western Principles Services: In addition to the above, below is a list of some of the services that Western Principles offers. See its website for a full list of services.
      • Process Optimization: Determine your requirements and process needs.
      • Integration: Create a single source of truth.
      • Training: Ensure your team knows how to use the systems you implement.
      • Staff Augmentation: Provide experienced project team members based upon your needs.

    "One of our principles is to begin with the end in mind. This means that we will work with you to define a roadmap to help you advance your strategic portfolio … and project management capabilities. The roadmap for each customer is different and based on where you are today, and where you need to get to." (Western Principles, “Your Strategic Portfolio Management roadmap,” Whitepaper)

    Contacting Western Principles

    www.westernprinciples.com

    610 – 700 West Pender St.
    Vancouver, BC V6C 1G8
    +1 (800) 578-4155
    Information: info@westernprinciples.com
    LinkedIn: https://www.linkedin.com/company/western-principle...

    Partner Resources. Western Principles provides a multitude of current case studies on its home page. These case studies let you know what the firm is working on this year and the type of support it provides to its clientele.

    To access these case studies, see here.

    Additional Western Principles Resources

    1. Program and Portfolio Roll ups with Microsoft Project and Power BI (video, Western Principles YouTube Channel)
    2. Dump the Spreadsheets for Microsoft Project Online (video, Western Principles YouTube Channel)
    3. Power BI for Project for the web (video, Western Principles YouTube Channel)
    4. How to do Capacity Planning and Resource Management in Microsoft Project Online [Part 1 & Part 2] (video, Western Principles YouTube Channel)
    5. Extend & Integrate Microsoft Project (whitepaper, Western Principles)
    6. Your COVID-19 Return-to-Work Plan (whitepaper, Western Principles)

    Watch Info-Tech’s Analyst-Partner Briefing Videos to lean more

    Info-Tech was able to sit down with the partners spotlighted in this step to discuss the current state of the PPM market and Microsoft’s place within it.

    • All three partners spotlighted in this step contributed to Info-Tech’s research process for this publication.
    • For two of the partners, OnePlan and PMO Outsource Ltd., Info-Tech was able to record a conversation where our analysts and the partners discuss Microsoft’s current MS Project offerings, the current state of the PPM tool market, and the services and the approaches of each respective partner.
    • A third video briefing with Western Principles has not happened yet due to logistical reasons. We are hoping we can include a video chat with our peers at Western Principles in the near future.
    Screenshot form the Analyst-Partner Briefing Videos. In addition to the content covered in this step, you can use these videos for further information about the partners to inform your next steps.

    Download Info-Tech’s Analyst-Partner Briefing Videos (OnePlan & PMO Outsource Ltd.)

    2.2.1 Create a partner outreach plan

    1-3 hours

    Input: Contents of this step, List of additional MS Gold Partners

    Output: A completed partner outreach program

    Materials: MS Project & M365 Action Plan Template

    Participants: Portfolio Manager (PMO Director), PMO Admin Team, Project Managers, CIO

    1. With an understanding of the partner ecosystem, compile a working group of PMO peers and stakeholders to produce a gameplan for engaging the MS Gold Partner ecosystem.
      • For additional partner options see Microsoft’s Partner Page.
    2. Using slide 20 in Info-Tech’s MS Project and M365 Action Plan Template, document the Partners you would want or have scheduled briefings with.
      • As you go through the briefings and research process, document the pros and cons and areas of specialized associated with each vendor for your particular work management implementation.

    Download the Microsoft Project & M365 Action Plan Template

    2.2.2 Document your PM and PPM requirements

    1-3 hours

    Input: Project Portfolio Management Maturity Assessment, Project Management Maturity Assessment

    Output: MS Project & M365 Action Plan Template

    Materials: Project Portfolio Management Maturity Assessment, Project Management Maturity Assessment, MS Project & M365 Action Plan Template

    Participants: Portfolio Manager (PMO Director), PMO Admin Team, Project Managers, CIO

    1. As you prepare to engage the Partner Community, you should have a sense of where your project management and project portfolio management gaps are to better communicate your tooling needs.
    2. Leverage tab 4 from both your Project Portfolio Management Assessment and Project Management Assessment from step 1.3 of this blueprint to help document and communicate your requirements. Those tabs prioritize your project and portfolio management needs by highest impact for the organization.
    3. You can use the outputs of the tab to inform your inputs on slide 23 of the MS Project & M365 Action Plan Template to present to organizational stakeholders and share with the Partners you are briefing with.

    Download the Microsoft Project & M365 Action Plan Template

    Determine the Future of Microsoft Project for Your Organization

    Phase 3: Finalize Your Implementation Approach

    Phase 1: Determine Your Tool NeedsPhase 2: Weigh Your Implementation Options

    Phase 3: Finalize Your Implementation Approach

    • Step 1.1: Survey the M365 work management landscape
    • Step 1.2: Perform a process maturity assessment to help inform your M365 starting point
    • Step 1.3: Consider the right MS Project licenses for your stakeholders
    • Step 2.1: Get familiar with extending Project for the web using Power Apps
    • Step 2.2: Assess the MS Gold Partner Community
    • Step 3.1: Prepare an action plan

    Phase Outcomes

    An action plan concerning what to do with MS Project and M365 for your PMO or project organization.

    Step 3.1

    Prepare an action plan

    Activities

    • Compile the current state results
    • Prepare an Implementation Roadmap
    • Complete your presentation deck

    This step will walk you through the following activities:

    • Assess the impact of organizational change for the project
    • Develop your vision for stakeholders
    • Compile the current state results and document the implementation approach
    • Create clarity through a RACI and proposed implementation timeline

    This step usually involves the following participants:

    • Portfolio Manager (PMO Director)
    • PMO Admin Team
    • Business Analysts
    • Project Managers

    Outcomes of Step

    • Microsoft Project and M365 Action Plan

    Assess the impact of organizational change

    Be prepared to answer: “What’s in it for me?”

    Before jumping into licensing and third-party negotiations, ensure you’ve clearly assessed the impact of change.

    Tailor the work effort involved in each step, as necessary:

    1. Assess the impact
      • Use the impact assessment questions to identify change impacts.
    2. Plan for change
      • Document the impact on each stakeholder group.
      • Anticipate their response.
      • Curate a compelling message for each stakeholder group.
      • Develop a communication plan.
    3. Act according to plan
      • Identify your executive sponsor.
      • Enable the sponsor to drive change communication.
      • Coach managers on how they can drive change at the individual level.

    Impact Assessment Questions

    • Will the change impact how our clients/customers receive, consume, or engage with our products/services?
    • Will there be a price increase?
    • Will there be a change to compensation and/or rewards?
    • Will the vision or mission of the job change?
    • Will the change span multiple locations/time zones?
    • Are multiple products/services impacted by this change?
    • Will staffing levels change?
    • Will this change increase the workload?
    • Will the tools of the job be substantially different?
    • Will a new or different set of skills be needed?
    • Will there be a change in reporting relationships?
    • Will the workflow and approvals be changed?
    • Will there be a substantial change to scheduling and logistics?

    Master Organizational Change Management Practices blueprint

    Develop your vision for stakeholders

    After careful analysis and planning, it’s time to synthesize your findings to those most impacted by the change.

    Executive Brief

    • Prepare a compelling message about the current situation.
    • Outline the considerations the working group took into account when developing the action plan.
    • Succinctly describe the recommendations proposed by the working group.

    Goals

    • Identify the goals for the project.
    • Explain the details for each goal to develop the organizational rationale for the project.
    • These goals are the building blocks for the change communication that the executive sponsor will use to build a coalition of sponsors.

    Future State Vision

    • Quantify the high-level costs and benefits of moving forward with this project.
    • Articulate the future- state maturity level for both the project and project portfolio management process.
    • Reiterate the organizational rationale and drivers for change.

    "In failed transformations, you often find plenty of plans, directives, and programs, but no vision…A useful rule of thumb: If you can’t communicate the vision to someone in five minutes or less and get a reaction that signifies both understanding and interest, you are not yet done…" (John P. Kotter, Leading Change)

    Get ready to compile the analysis completed throughout this blueprint in the subsequent activities. The outputs will come together in your Microsoft Project and M365 Action Plan.

    Use the Microsoft Project & M365 Action Plan Template to help communicate your vision

    Our boardroom-ready presentation and communication template can be customized using the outputs of this blueprint.

    • Getting stakeholders to understand why you are recommending specific work management changes and then communicating exactly what those changes are and what they will cost is key to the success of your work management implementation.
    • To that end, the slides ahead walk you through how to customize the Microsoft Project & M365 Action Plan Template.
    • Many of the current-state analysis activities you completed during phase 1 of this blueprint can be directly made use of within the template as can the decisions you made and requirements you documented during phase 2.
    • By the end of this step, you will have a boardroom-ready presentation that will help you communicate your future-state vision.
    Screenshot of Info-Tech's Microsoft Project and M365 Action Plan Template with a note to 'Update the presentation or distribution date and insert your name, role, and organization'.

    Download Info-Tech’s Microsoft Project & M365 Action Plan Template

    3.1.1 Compile current state results

    1-3 hours

    Input: Force Field Analysis Tool, Tool Audit Workbook, Project Management Maturity Assessment Tool, Project Portfolio Management Maturity Assessment Tool

    Output: Section 1: Executive Brief, Section 2: Context and Constraints

    Materials: Microsoft Project and M365 Action Plan Template

    Participants: PMO Director, PMO Admin Team, Business Analysts, Project Managers

    1. As a group, review the results of the tools introduced throughout this blueprint. Use this information along with organizational knowledge to document the business context and current state.
    2. Update the driving forces for change and risks and constraints slides using your outputs from the Force Field Analysis Tool.
    3. Update the current tool landscape, tool satisfaction, and tool audit results slides using your outputs from the Tool Audit Workbook.
    4. Update the gap analysis results slides using your outputs from the Project Management and Project Portfolio Management Maturity Assessment Tools.

    Screenshots of 'Business Context and Current State' screen from the 'Force Field Analysis Tool', the 'Tool Audit Results' screen from the 'Tool Audit Workbook', and the 'Project Portfolio Management Gap Analysis Results' screen from the 'PM and PPM Maturity Assessments Tool'.

    Download the Microsoft Project & M365 Action Plan Template

    3.2.1 Option A: Prepare a DIY roadmap

    1-3 hours; Note: This is only applicable if you have chosen the DIY route

    Input: List of key PPM decision points, List of who is accountable for PPM decisions, List of who has PPM decision-making authority

    Output: Section 3: DIY Implementation Approach

    Materials: Microsoft Project and M365 Action Plan Template

    Participants: PMO Director, PMO Admin Team, Business Analysts, Project Managers

    1. As a group, review the results of the Microsoft Project and M365 Licensing Tool. Use this information along with organizational knowledge and discussion with the working group to complete Section 3: DIY Implementation Approach.
    2. Copy and paste your results from tab 5 of the Microsoft Project and M365 Licensing Tool. Update the Implementation Approach slide to detail the rationale for selecting this option.
    3. Update the Action Plan to articulate the details for total and annual costs of the proposed licensing solution.
    4. Facilitate a discussion to determine roles and responsibilities for the implementation. Based on the size, risk, and complexity of the implementation, create a reasonable timeline.
    Screenshots from the 'Microsoft Project and M365 Action Plan Template' outlining the 'DIY Implementation Approach'.

    Download the Microsoft Project and M365 Action Plan Template

    3.2.1 Option b: Prepare a Partner roadmap

    1-3 hours; Note: This is only applicable if you have chosen the Partner route

    Input: Microsoft Project and M365 Licensing Tool, Information on Microsoft Partners

    Output: Section 4: Microsoft Partner Implementation Route

    Materials: Microsoft Project and M365 Action Plan Template

    Participants: PMO Director, PMO Admin Team, Business Analysts, Project Managers

    1. As a group, review the results of the Microsoft Project and M365 Licensing Tool. Use this information along with organizational knowledge and discussion with the working group to complete Section 4: Microsoft Partner Implementation Route.
    2. Copy and paste your results from tab 5 of the Microsoft Project and M365 Licensing Tool. Update the Implementation Approach slide to detail the rationale for selecting this option.
    3. Develop an outreach plan for the Microsoft Partners you are planning to survey. Set targets for briefing dates and assign an individual to own any back-and-forth communication. Document the pros and cons of each Partner and gauge interest in continuing to analyze the vendor as a possible solution.
    4. Facilitate a discussion to determine roles and responsibilities for the implementation. Based on the size, risk, and complexity of the implementation, create a reasonable timeline.

    Screenshots from the 'Microsoft Project and M365 Action Plan Template' outlining the 'Microsoft Partner Implementation Route'.

    Microsoft Project and M365 Action Plan Template

    3.1.2 Complete your presentation deck

    1-2 hours

    Input: Outputs from the exercises in this blueprint

    Output: Section 5: Future-State Vision and Goals

    Materials: Microsoft Project and M365 Action Plan Template

    Participants: PMO Director, PMO Admin Team, Business Analysts, Project Managers

    1. Put the finishing touches on your presentation deck by documenting your future- state vision and goals.
    2. Prepare to present to your stakeholders.
      • Understand your audience, their needs and priorities, and their degree of knowledge and experiences with technology. This informs what to include in your presentation and how to position the message and goal.
    3. Review the deck beginning to end and check for spelling, grammar, and vertical logic.
    4. Practice delivering the vision for the project through several practice sessions.

    Screenshots from the 'Microsoft Project and M365 Action Plan Template' regarding finishing touches.

    Microsoft Project and M365 Action Plan Template

    Pitch your vision to key stakeholders

    There are multiple audiences for your pitch, and each audience requires a different level of detail when addressed. Depending on the outcomes expected from each audience, a suitable approach must be chosen. The format and information presented will vary significantly from group to group.

    Audience

    Key Contents

    Outcome

    Business Executives

    • Section 1: Executive Brief
    • Section 2: Context and Constraints
    • Section 5: Future-State Vision and Goals
    • Identify executive sponsor

    IT Leadership

    • Sections 1-5 with a focus on Section 3 or 4 depending on implementation approach
    • Get buy-in on proposed project
    • Identify skills or resourcing constraints

    Business Managers

    • Section 1: Executive Brief
    • Section 2: Context and Constraints
    • Section 5: Future-State Vision and Goals
    • Get feedback on proposed plan
    • Identify any unassessed risks and organizational impacts

    Business Users

    • Section 1: Executive Brief
    • Support the organizational change management process

    Summary of Accomplishment

    Problem Solved

    Knowledge Gained
    • How you work: Work management and the various ways of working (personal and team task management, strategic project portfolio management, formal project management, and enterprise project and portfolio management).
    • Where you need to go: Project portfolio management and project management current- and target-state maturity levels.
    • What you need: Microsoft Project Plans and requisite M365 licensing.
    • The skills you need: Extending Project for the web.
    • Who you need to work with: Get to know the Microsoft Gold Partner community.
    Deliverables Completed
    • M365 Tool Guides
    • Tool Audit Workbook
    • Force Field Analysis Tool
    • Project Portfolio Management Maturity Assessment Tool
    • Project Management Maturity Assessment Tool
    • Microsoft Project & M365 Action Plan Template

    If you would like additional support, have our analysts guide you through other phases as part of an Info-Tech workshop

    Contact your account representative for more information
    workshops@infotech.com
    1-888-670-8889

    Additional Support

    If you would like additional support, have our analysts guide you through other phases as part of an Info-Tech Workshop.

    Photo of Barry Cousins.
    Contact your account representative for more information
    workshops@infotech.com 1-888-670-8889

    To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.

    Info-Tech analysts will join you and your team at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.

    The following are sample activities that will be conducted by Info-Tech analysts with your team:

    Perform a work management tool audit

    Gain insight into the tools that drive value or fail to drive value across your work management landscape with a view to streamline the organization’s tool ecosystem.

    Prepare an action plan for your tool needs

    Prepare the right work management tool recommendations for your IT teams and/or business units and develop a boardroom-ready presentation to communicate needs and next steps.

    Research Contributors and Experts

    Neeta Manghnani
    PMO Strategist
    PMO Outsource Ltd.

    Photo of Neeta Manghnani, PMO Strategist, PMO Outsource Ltd.
    • Innovative, performance-driven executive with significant experience managing Portfolios, Programs & Projects, and technical systems for international corporations with complex requirements. A hands-on, dynamic leader with over 20 years of experience guiding and motivating cross-functional teams. Highly creative and brings a blend of business acumen and expertise in multiple IT disciplines, to maximize the corporate benefit from capital investments.
    • Successfully deploys inventive solutions to automate processes and improve the functionality, scalability and security of critical business systems and applications. Leverages PMO/PPM management and leadership skills to meet the strategic goals and business initiatives.

    Robert Strickland
    Principal Consultant & Owner
    PMO Outsource Ltd.

    Photo of Robert Strickland, Principal Consultant and Owner, PMO Outsource Ltd.
    • Successful entrepreneur, leader, and technologist for over 15 years, is passionate about helping organizations leverage the value of SharePoint, O365, Project Online, Teams and the Power Platform. Expertise in implementing portals, workflows and collaboration experiences that create business value. Strategic manager with years of successful experience building businesses, developing custom solutions, delivering projects, and managing budgets. Strong transformational leader on large implementations with a technical pedigree.
    • A digital transformation leader helping clients move to the cloud, collaborate, automate their business processes and eliminate paper forms, spreadsheets and other manual practices.

    Related Info-Tech Research

    • Develop a Project Portfolio Management Strategy
      Time is money; spend it wisely.
    • Establish Realistic IT Resource Management Practices
      Holistically balance IT supply and demand to avoid overallocation.
    • Tailor Project Management Processes to Fit Your Projects
      Spend less time managing processes and more time delivering results

    Bibliography

    “13 Reasons not to use Microsoft Project.” Celoxis, 14 Sept. 2018. Accessed 17 Sept. 2021.

    Advisicon. “Project Online vs Project for the Web.” YouTube, 13 Nov. 2013. Accessed 17 Sept. 2021.

    Branscombe, Mary. “Is Project Online ready to replace Microsoft Project?” TechRepublic, 23 Jan. 2020. Accessed 17 Sept. 2021.

    Chemistruck, Dan. “The Complete Office 365 and Microsoft 365 Licensing Comparison.” Infused Innovations, 4 April 2019. Accessed 17 Sept. 2021.

    “Compare Project management solutions and costs.” Microsoft. Accessed 17 Sept. 2021.

    Day to Day Dynamics 365. “Microsoft Project for the web - Model-driven app.” YouTube, 29 Oct. 2019. Accessed 17 Sept. 2021.

    “Deploying Project for the web.” Microsoft, 24 Aug. 2021. Accessed 17 Sept. 2021.

    “Differentiate your business by attaining Microsoft competencies.” Microsoft, 26 Jan. 2021. Accessed 17 Sept. 2021.

    “Extend & Integrate Microsoft Project.” Western Principles. Accessed 17 Sept. 2021.

    “Get Started with Project Power App.” Microsoft. Accessed 17 Sept. 2021.

    Hosking, Ben. “Why low code software development is eating the world.” DevGenius, May 2021. Accessed 17 Sept. 2021.

    “How in the World is MS Project Still a Leading PM Software?” CBT Nuggets, 12 Nov. 2018. Accessed 17 Sept. 2021.

    Integent. “Project for the Web - Create a Program Entity and a model-driven app then expose in Microsoft Teams.” YouTube, 25 Mar. 2020. Accessed 17 Sept. 2021.

    “Introducing the Project Accelerator.” Microsoft, 10 Mar. 2021. Accessed 17 Sept. 2021.

    “Join the Microsoft Partner Network.” Microsoft. Accessed 17 Sept. 2021.

    Kaneko, Judy. “How Productivity Tools Can Lead to a Loss of Productivity.” Bluescape, 2 Mar. 2018 Accessed 17 Sept. 2021.

    Kotter, John. Leading Change. Harvard Business School Press, 1996.

    Leis, Merily. “What is Work Management.” Scoro. Accessed 17 Sept. 2021.

    Liu, Shanhong. “Number of Office 365 company users worldwide as of June 2021, by leading country.” Statistica, 2021. Web.

    Manghnani, Neeta. “5 Benefits of PPM tools and PMO process automation.” PMO Outsource Ltd., 11 Apr. 2021. Accessed 17 Sept. 2021.

    “Microsoft 365 and Office 365 plan options.” Microsoft, 31 Aug. 2021. Accessed 17 Sept. 2021.

    “Microsoft 365 for enterprise.” Microsoft. Accessed 17 Sept. 2021

    “Microsoft Office 365 Usage Statistics.” Thexyz blog, 18 Sept. 2020. Accessed 17 Sept. 2021.

    “Microsoft Power Apps, Microsoft Power Automate and Microsoft Power Virtual Agents Licensing Guide.” Microsoft, June 2021. Web.

    “Microsoft Project service description.” Microsoft, 31 Aug. 2021. Accessed 17 Sept. 2021.

    “Microsoft Project Statistics.” Integent Blog, 12 Dec. 2013. Accessed 17 Sept. 2021.

    Nanji, Aadil . Modernize Your Microsoft Licensing for the Cloud Era. Info-Tech Research Group, 12 Mar. 2020. Accessed 17 Sept. 2021.

    “Number of Office 365 company users worldwide as of June 2021, by leading country.” Statista, 8 June 2021. Accessed 17 Sept. 2021.

    “Overcoming disruption in a digital world.” Asana. Accessed 17 Sept. 2021.

    Pajunen, Antti. “Customizing and extending Project for the web.” Day to Day Dynamics 365, 20 Jan. 2020. Accessed 17 Sept. 2021.

    “Partner Center Documentation.” Microsoft. Accessed 17 Sept. 2021.

    Pragmatic Works. “Building First Power Apps Model Driven Application.” YouTube, 21 June 2019. Accessed 17 Sept. 2021.

    “Project architecture overview.” Microsoft, 27 Mar. 2020. Accessed 17 Sept. 2021.

    “Project for the web Accelerator.” GitHub. Accessed 17 Sept. 2021.

    “Project for the web admin help.” Microsoft, 28 Oct. 2019. Accessed 17 Sept. 2021.

    “Project for the Web – The New Microsoft Project.” TPG. Accessed 17 Sept. 2021.

    “Project for the Web Security Roles.” Microsoft, 1 July 2021. Accessed 17 Sept. 2021.

    “Project Online: Project For The Web vs Microsoft Project vs Planner vs Project Online.” PM Connection, 30 Nov. 2020. Accessed 17 Sept. 2021.

    Redmond, Tony. “Office 365 Insights from Microsoft’s FY21 Q2 Results.” Office 365 for IT Pros, 28 Jan. 2021. Accessed 17 Sept. 2021.

    Reimagine Project Management with Microsoft. “Advanced deployment for Project for the web.” YouTube, 4 Aug. 2021. Accessed 17 Sept. 2021.

    Reimagine Project Management with Microsoft. “Overview of Microsoft Project.” YouTube, 29 July 2021. Accessed 17 Sept. 2021.

    “See which partner offer is right for you.” Microsoft. Accessed 17 Sept. 2021.

    Shalomova, Anna. “Microsoft Project for Web 2019 vs. Project Online: What’s Best for Enterprise Project Management?” FluentPro, 23 July 2020. Accessed 17 Sept. 2021.

    Speed, Richard. “One Project to rule them all: Microsoft plots end to Project Online while nervous Server looks on.” The Register, 28 Sept. 2018. Accessed 17 Sept. 2021.

    Spataro, Jared. “A new vision for modern work management with Microsoft Project.” Microsoft, 25 Sept. 2018. Accessed 17 Sept. 2021.

    Stickel, Robert. “OnePlan Recognized as Winner of 2021 Microsoft Project & Portfolio Management Partner of the Year.” OnePlan, 8 July 2021. Accessed 17 Sept. 2021.

    Stickel, Robert. “The Future of Project Online.” OnePlan, 2 Mar. 2021. Accessed 17 Sept. 2021.

    Stickel, Robert. “What It Means to be Adaptive.” OnePlan, 24 May 2021. Accessed 17 Sept. 2021.

    “The Future of Microsoft Project Online.” OnePlan. Accessed 17 Sept. 2021.

    Weller, Joe. “Demystifying Microsoft Project Licensing.” Smartsheet, 10 Mar. 2016. Accessed 17 Sept. 2021.

    Western Principles Inc. “Dump the Spreadsheets for Microsoft Project Online.” YouTube, 2 July 2020. Accessed 17 Sept. 2021.

    Western Principles Inc. “Project Online or Project for the web? Which project management system should you use?” YouTube, 11 Aug. 2020. Accessed 17 Sept. 2021.

    “What is Power Query?” Microsoft, 22 July 2021. Web.

    Wicresoft. “The Power of the New Microsoft Project and Microsoft 365.” YouTube, 29 May 2020. Accessed 17 Sept. 2021.

    Wicresoft. “Why the Microsoft Power Platform is the Future of PPM.” YouTube, 11 June 2020. Accessed 17 Sept. 2021.

    Prepare to Successfully Deploy PPM Software

    • Buy Link or Shortcode: {j2store}437|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Portfolio Management
    • Parent Category Link: /portfolio-management
    • PPM suite deployments are complicated and challenging. Vendors and consultants can provide much needed expertise and assistance to organizations deploying new PPM suites.
    • While functional requirements are often defined during the procurement stage (for example, in an RFP), the level of detail during this stage is likely insufficient for actually configuring the solution to your specific PPM needs. Too many organizations fail to further develop these functional requirements between signing their contracts and the official start of their professional implementation engagement.
    • Many organizations fail to organize and record the PPM data they will need to populate the new PPM suite. In almost all cases, customers have the expertise and are in the best position to collect and organize their own data. Leaving this until the vendor or consultant arrives to help with the deployment can result in using your professional services in a suboptimal way.
    • Vendors and consultants want you to prepare for their implementation engagements so that you can make the best use of their expertise and assistance. They want you to deploy a PPM suite that can be sustainably adopted in the long term. All too often, however, they arrive onsite to find customers that are disorganized and underprepared.

    Our Advice

    Critical Insight

    • Preparing for a professional implementation engagement allows you to make the best use of your professional services, as well as helping to ensure that the PPM suite is deployed according to your specific PPM needs.
    • Involving your internal resources in the preparation of data and in fully defining functional requirements for the PPM suite helps to establish stakeholder buy-in early on, helping to build internal ownership of the solution from the beginning. This avoids the solution being perceived as something the vendor/consultant “forced upon us.”
    • Vendors and consultants are happy when organizations are organized and prepared for their professional implementation engagements. Preparation ensures these engagements are positive experiences for everyone involved.

    Impact and Result

    • Ensure that the data necessary to deploy the new PPM suite is recorded and organized.
    • Make your functional requirements detailed enough to ensure that the new PPM suite can be configured/customized during the deployment engagement in a way that best fits the organization’s actual PPM needs.
    • Through carefully preparing data and fully defining functional requirements, you help the solution become sustainably adopted in the long term.

    Prepare to Successfully Deploy PPM Software Research & Tools

    Start here – read the Executive Brief

    Read this Executive Brief to understand why preparing for PPM deployment will ensure that organizations get the most value out of the implementation professional services they purchased and will help drive long-term sustainable adoption of the new PPM suite.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Create a preparation team and plan

    Engage in purposeful and effective PPM deployment planning by clearly defining what to prepare and when exactly it is time to move from planning to execution.

    • Prepare to Successfully Deploy PPM Software – Phase 1: Create a Preparation Team and Plan
    • Prepare to Deploy PPM Suite Project Charter Template
    • PPM Suite Functional Requirements Document Template
    • PPM Suite Deployment Timeline Template (Excel)
    • PPM Suite Deployment Timeline Template (Project)
    • PPM Suite Deployment Communication Plan Template

    2. Prepare project-related requirements and deliverables

    Provide clearer definition to specific project-related functional requirements and collect the appropriate PPM data needed for an effective PPM suite deployment facilitated by vendors/consultants.

    • Prepare to Successfully Deploy PPM Software – Phase 2: Prepare Project-Related Requirements and Deliverables
    • PPM Deployment Data Workbook
    • PPM Deployment Dashboard and Report Requirements Workbook

    3. Prepare PPM resource requirements and deliverables

    Provide clearer definition to specific resource management functional requirements and data and create a communication and training plan.

    • Prepare to Successfully Deploy PPM Software – Phase 3: Prepare PPM Resource Requirements and Deliverables
    • PPM Suite Transition Plan Template
    • PPM Suite Training Plan Template
    • PPM Suite Training Management Tool

    4. Provide preparation materials to the vendor and implementation professionals

    Plan how to engage vendors/consultants by communicating functional requirements to them and evaluating changes to those requirements proposed by them.

    • Prepare to Successfully Deploy PPM Software – Phase 4: Provide Preparation Materials to the Vendor and Implementation Professionals
    [infographic]

    Workshop: Prepare to Successfully Deploy PPM Software

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Plan the Preparation Project

    The Purpose

    Select a preparation team and establish clear assignments and accountabilities.

    Establish clear deliverables, milestones, and metrics to ensure it is clear when the preparation phase is complete.

    Key Benefits Achieved

    Preparation activities will be organized and purposeful, ensuring that you do not threaten deployment success by being underprepared or waste resources by overpreparing.

    Activities

    1.1 Overview: Determine appropriate functional requirements to define and data to record in preparation for the deployment.

    1.2 Create a timeline.

    1.3 Create a charter for the PPM deployment preparation project: record lessons learned, establish metrics, etc.

    Outputs

    PPM Suite Deployment Timeline

    Charter for the PPM Suite Preparation Project Team

    2 Prepare Project-Related Requirements and Deliverables

    The Purpose

    Collect and organize relevant project-related data so that you are ready to populate the new PPM suite when the vendor/consultant begins their professional implementation engagement with you.

    Clearly define project-related functional requirements to aid in the configuration/customization of the tool.

    Key Benefits Achieved

    An up-to-date and complete record of all relevant PPM data.

    Avoidance of scrambling to find data at the last minute, risking importing out-of-date or irrelevant information into the new software.

    Clearly defined functional requirements that will ensure the suite is configured in a way that can be adoption in the long term.

    Activities

    2.1 Define project phases and categories.

    2.2 Create a list of all projects in progress.

    2.3 Record functional requirements for project requests, project charters, and business cases.

    2.4 Create a list of all existing project requests.

    2.5 Record the current project intake processes.

    2.6 Define PPM dashboard and reporting requirements.

    Outputs

    Project List (basic)

    Project Request Form Requirements (basic)

    Scoring/Requirements (basic)

    Business Case Requirements (advanced)

    Project Request List (basic)

    Project Intake Workflows (advanced)

    PPM Reporting Requirements (basic)

    3 Prepare PPM Resource Requirements and Deliverables

    The Purpose

    Collect and organize relevant resource-related data.

    Clearly define resource-related functional requirements.

    Create a purposeful transition, communication, and training plan for the deployment period.

    Key Benefits Achieved

    An up-to-date and complete record of all relevant PPM data that allows your vendor/consultant to get right to work at the start of the implementation engagement.

    Improved buy-in and adoption through transition, training, and communication activities that are tailored to the actual needs of your specific organization and users.

    Activities

    3.1 Create a portfolio-wide roster of project resources (and record their competencies and skills, if appropriate).

    3.2 Record resource management processes and workflows.

    3.3 Create a transition plan from existing PPM tools and processes to the new PPM suite.

    3.4 Identify training needs and resources to be leveraged during the deployment.

    3.5 Define training requirements.

    3.6 Create a PPM deployment training plan.

    Outputs

    Resource Roster and Competency Profile (basic)

    User Roles and Permissions (basic)

    Resource Management Workflows (advanced)

    Transition Approach and Plan (basic)

    Data Archiving Requirements (advanced)

    List of Training Modules and Attendees (basic)

    Internal Training Capabilities (advanced)

    Training Milestones and Deadlines (basic)

    4 Provide Preparation Materials to the Vendor and Implementation Professionals

    The Purpose

    Compile the data collected and the functional requirements defined so that they can be provided to the vendor and/or consultant before the implementation engagement.

    Key Benefits Achieved

    Deliverables that record the outputs of your preparation and can be provided to vendors/consultants before the implementation engagement.

    Ensures that the customer is an active and equal partner during the deployment by having the customer prepare their material and initiate communication.

    Vendors and/or consultants have a clear understanding of the customer’s needs and expectations from the beginning.

    Activities

    4.1 Collect, review, and finalize the functional requirements.

    4.2 Compile a functional requirements and data package to provide to the vendor and/or consultants.

    4.3 Discuss how proposed changes to the functional requirements will be reviewed and decided.

    Outputs

    PPM Suite Functional Requirements Documents

    PPM Deployment Data Workbook

    GDPR, Implemented!

    GDPR, Are You really ready?

    It is now 2020 and the GDPR has been in effect for almost 2 years. Many companies thought: been there, done that. And for a while the regulators let some time go by.

    The first warnings appeared quickly enough. Eg; in September 2018, the French regulator warned a company that they needed to get consent of their customers for getting geolocation based data.

    That same month, an airline was hacked and, on top of the reputational damage and costs to fix the IT systems, it faced the threat of a stiff fine.

    Even though we not have really noticed, fines started being imposed as early as January 2019.

    But these fines, that is when you have material breaches...

    Wrong! The fines are levied in a number of cases. And to make it difficult to estimate, there are guidelines that will shape the decision making process, but no hard and fast rules!

    The GDPR is very complex and consists of both articles and associated recitals that you need to be in compliance with. it is amuch about the letter as it is about the spirit.

    We have a clear view on what most of those cases are.
    And more importantly, when you follow our guidelines, you will be well placed to answer any questions by your clients and cooperate with the regulator in a proactive way.

    They will never come after me. I'm too small.

    And besides, I have my privacy policy and cookie notice in place

    Company size has nothing to do with it.

    While in the beginning, it seemed mostly a game for the big players (for names, you have to contact us) that is just perception.

    As early as March 2018 a €10M revenue company was fined around €120,000. 2 days later another company with operating revenues of  around €6.2M was fined close to €200.000 for failing to abide by the DSRR stipulatons.

    Don't know what these are?
    Fill out the form below and we'll let you in on the good stuff.

     

    Continue reading

    Develop a Use Case for Smart Contracts

    • Buy Link or Shortcode: {j2store}92|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Innovation
    • Parent Category Link: /innovation
    • Organizations today continue to use traditional and often archaic methods of manual processing with physical paper documents.
    • These error-prone methods introduce cumbersome administrative work, causing businesses to struggle with payments and contract disputes.
    • The increasing scale and complexity of business processes has led to many third parties, middlemen, and paper hand-offs.
    • Companies remain bogged down by expensive and inefficient processes while losing sight of their ultimate stakeholder: the customer. A failure to focus on the customer is a failure to do business.

    Our Advice

    Critical Insight

    • Simplify, automate, secure. Smart contracts enable businesses to simplify, automate, and secure traditionally complex transactions.
    • Focus on the customer. Smart contracts provide a frictionless experience for customers by removing unnecessary middlemen and increasing the speed of transactions.
    • New business models. Smart contracts enable the redesign of your organization and business-to-business relationships and transactions.

    Impact and Result

    • Simplify and optimize your business processes by using Info-Tech’s methodology to select processes with inefficient transactions, unnecessary middlemen, and excessive manual paperwork.
    • Use Info-Tech’s template to generate a smart contract use case customized for your business.
    • Customize Info-Tech’s stakeholder presentation template to articulate the goals and benefits of the project and get buy-in from business executives.

    Develop a Use Case for Smart Contracts Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should leverage smart contracts in your business, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    • Develop a Use Case for Smart Contracts – Phases 1-2

    1. Understand smart contracts

    Understand the fundamental concepts of smart contract technology and get buy-in from stakeholders.

    • Develop a Use Case for Smart Contracts – Phase 1: Understand Smart Contracts
    • Smart Contracts Executive Buy-in Presentation Template

    2. Develop a smart contract use case

    Select a business process, create a smart contract logic diagram, and complete a smart contract use-case deliverable.

    • Develop a Use Case for Smart Contracts – Phase 2: Develop the Smart Contract Use Case
    • Smart Contracts Use-Case Template

    [infographic]

    Workshop: Develop a Use Case for Smart Contracts

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Understand Smart Contracts

    The Purpose

    Review blockchain basics.

    Understand the fundamental concepts of smart contracts.

    Develop smart contract use-case executive buy-in presentation.

    Key Benefits Achieved

    Understanding of blockchain basics.

    Understanding the fundamentals of smart contracts.

    Development of an executive buy-in presentation.

    Activities

    1.1 Review blockchain basics.

    1.2 Understand smart contract fundamentals.

    1.3 Identify business challenges and smart contract benefits.

    1.4 Create executive buy-in presentation.

    Outputs

    Executive buy-in presentation

    2 Smart Contract Logic Diagram

    The Purpose

    Brainstorm and select a business process to develop a smart contract use case around.

    Generate a smart contract logic diagram.

    Key Benefits Achieved

    Selected a business process.

    Developed a smart contract logic diagram for the selected business process.

    Activities

    2.1 Brainstorm candidate business processes.

    2.2 Select a business process.

    2.3 Identify phases, actors, events, and transactions.

    2.4 Create the smart contract logic diagram.

    Outputs

    Smart contract logic diagram

    3 Smart Contract Use Case

    The Purpose

    Develop smart contract use-case diagrams for each business process phase.

    Complete a smart contract use-case deliverable.

    Key Benefits Achieved

    Smart contract use-case diagrams.

    Smart contract use-case deliverable.

    Activities

    3.1 Build smart contract use-case diagrams for each phase of the business process.

    3.2 Create a smart contract use-case summary diagram.

    3.3 Complete smart contract use-case deliverable.

    Outputs

    Smart contract use case

    4 Next Steps and Action Plan

    The Purpose

    Review workshop week and lessons learned.

    Develop an action plan to follow through with next steps for the project.

    Key Benefits Achieved

    Reviewed workshop week with common understanding of lessons learned.

    Completed an action plan for the project.

    Activities

    4.1 Review workshop deliverables.

    4.2 Create action plan.

    Outputs

    Smart contract action plan

     

    Find Value With Cloud Asset Management

    • Buy Link or Shortcode: {j2store}61|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Asset Management
    • Parent Category Link: /asset-management
    • Spending on cloud platforms and software-as-a-service (SaaS) is growing, and with spending comes waste.
    • The barriers are drastically lower for purchasing SaaS and cloud services as compared to traditional IT components.
    • Skills gap: IT asset managers tend not to have the skills to optimize spending on cloud platforms.
    • New space, new tools: The IT asset management market space is still developing cloud asset management and SaaS management capabilities. Practitioners must rely on cloud optimization tools in the meantime.

    Our Advice

    Critical Insight

    • IT asset managers are uniquely suited to provide value here. They already optimize costs and manage assets.
    • Scope creep is a killer. Focus first on your highest value, highest risk cloud instances.
    • Don’t completely centralize. Central oversight is powerful, but outsource some responsibility to the business.

    Impact and Result

    • Introduce governance: Work with developers, power business users, and infrastructure groups to define a governance approach to cloud assets and to SaaS.
    • Standardize high-impact, low-effort cloud services: Focus your efforts where they will have the most value and in places where you can provide early value.
    • Update your processes: Ensure that your asset registers and your configuration management database is up to date when cloud assets are provisioned and quiesced.

    Find Value With Cloud Asset Management Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should implement IT asset management for cloud instances and SaaS, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Define cloud asset management

    Define when a cloud instance is an asset, and what it means for the asset to be managed.

    • Find Value With Cloud Asset Management – Phase 1: Define Cloud Asset Management
    • Cloud Asset Management Standard Operating Procedures
    • Cloud Instance Provisioning Standards Checklist

    2. Build cloud asset management practices

    Develop an approach to auditing and optimizing cloud assets.

    • Find Value With Cloud Asset Management – Phase 2: Build Cloud Asset Management Practices
    • Cloud Asset Management Policy
    • Monthly Cloud Asset Optimization Checklist
    • Strategic Infrastructure Roadmap Tool
    [infographic]

    Build a Vendor Security Assessment Service

    • Buy Link or Shortcode: {j2store}318|cart{/j2store}
    • member rating overall impact (scale of 10): 9.0/10 Overall Impact
    • member rating average dollars saved: $17,501 Average $ Saved
    • member rating average days saved: 17 Average Days Saved
    • Parent Category Name: Threat Intelligence & Incident Response
    • Parent Category Link: /threat-intelligence-incident-response
    • Vendor security risk management is a growing concern for many organizations. Whether suppliers or business partners, we often trust them with our most sensitive data and processes.
    • More and more regulations require vendor security risk management, and regulator expectations in this area are growing.
    • However, traditional approaches to vendor security assessments are seen by business partners and vendors as too onerous and are unsustainable for information security departments.

    Our Advice

    Critical Insight

    • An efficient and effective assessment process can only be achieved when all stakeholders are participating.
    • Security assessments are time-consuming for both you and your vendors. Maximize the returns on your effort with a risk-based approach.
    • Effective vendor security risk management is an end-to-end process that includes assessment, risk mitigation, and periodic re-assessments.

    Impact and Result

    • Develop an end-to-end security risk management process that includes assessments, risk treatment through contracts and monitoring, and periodic re-assessments.
    • Base your vendor assessments on the actual risks to your organization to ensure that your vendors are committed to the process and you have the internal resources to fully evaluate assessment results.
    • Understand your stakeholder needs and goals to foster support for vendor security risk management efforts.

    Build a Vendor Security Assessment Service Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should build a vendor security assessment service, review Info-Tech’s methodology, and understand the three ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Define governance and process

    Determine your business requirements and build your process to meet them.

    • Build a Vendor Security Assessment Service – Phase 1: Define Governance and Process
    • Vendor Security Policy Template
    • Vendor Security Process Template
    • Vendor Security Process Diagram (Visio)
    • Vendor Security Process Diagram (PDF)

    2. Develop assessment methodology

    Develop the specific procedures and tools required to assess vendor risk.

    • Build a Vendor Security Assessment Service – Phase 2: Develop Assessment Methodology
    • Service Risk Assessment Questionnaire
    • Vendor Security Questionnaire
    • Vendor Security Assessment Inventory

    3. Deploy and monitor process

    Implement the process and develop metrics to measure effectiveness.

    • Build a Vendor Security Assessment Service – Phase 3: Deploy and Monitor Process
    • Vendor Security Requirements Template
    [infographic]

    Workshop: Build a Vendor Security Assessment Service

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Define Governance and Process

    The Purpose

    Understand business and compliance requirements.

    Identify roles and responsibilities.

    Define the process.

    Key Benefits Achieved

    Understanding of key goals for process outcomes.

    Documented service that leverages existing processes.

    Activities

    1.1 Review current processes and pain points.

    1.2 Identify key stakeholders.

    1.3 Define policy.

    1.4 Develop process.

    Outputs

    RACI Matrix

    Vendor Security Policy

    Defined process

    2 Define Methodology

    The Purpose

    Determine methodology for assessing procurement risk.

    Develop procedures for performing vendor security assessments.

    Key Benefits Achieved

    Standardized, repeatable methodologies for supply chain security risk assessment.

    Activities

    2.1 Identify organizational security risk tolerance.

    2.2 Develop risk treatment action plans.

    2.3 Define schedule for re-assessments.

    2.4 Develop methodology for assessing service risk.

    Outputs

    Security risk tolerance statement

    Risk treatment matrix

    Service Risk Questionnaire

    3 Continue Methodology

    The Purpose

    Develop procedures for performing vendor security assessments.

    Establish vendor inventory.

    Key Benefits Achieved

    Standardized, repeatable methodologies for supply chain security risk assessment.

    Activities

    3.1 Develop vendor security questionnaire.

    3.2 Define procedures for vendor security assessments.

    3.3 Customize the vendor security inventory.

    Outputs

    Vendor security questionnaire

    Vendor security inventory

    4 Deploy Process

    The Purpose

    Define risk treatment actions.

    Deploy the process.

    Monitor the process.

    Key Benefits Achieved

    Understanding of how to treat different risks according to the risk tolerance.

    Defined implementation strategy.

    Activities

    4.1 Define risk treatment action plans.

    4.2 Develop implementation strategy.

    4.3 Identify process metrics.

    Outputs

    Vendor security requirements

    Understanding of required implementation plans

    Metrics inventory

    Improve Incident and Problem Management

    • Buy Link or Shortcode: {j2store}290|cart{/j2store}
    • member rating overall impact (scale of 10): 9.6/10 Overall Impact
    • member rating average dollars saved: $43,761 Average $ Saved
    • member rating average days saved: 23 Average Days Saved
    • Parent Category Name: Incident and problem management
    • Parent Category Link: /improve-your-core-processes/infra-and-operations/i-and-o-process-management/incident-and-problem-management
    • IT infrastructure managers have conflicting accountabilities. It can be difficult to fight fires as they appear while engaging in systematic fire prevention.
    • Repetitive interruptions erode faith in IT. If incidents recur consistently, why should the business trust IT to resolve them?

    Register to read more …

    Drive Business Value With a Right-Sized Project Gating Process

    • Buy Link or Shortcode: {j2store}445|cart{/j2store}
    • member rating overall impact (scale of 10): 9.0/10 Overall Impact
    • member rating average dollars saved: $61,999 Average $ Saved
    • member rating average days saved: 21 Average Days Saved
    • Parent Category Name: Portfolio Management
    • Parent Category Link: /portfolio-management
    • Low sponsor commitment on projects.
    • Poor quality on completed projects.
    • Little to no visibility into the project portfolio.
    • Organization does not operationalize change .
    • Analyzing, fixing, and redeploying is a constant struggle. Even when projects are done well, they fail to deliver the intended outcomes and benefits.

    Our Advice

    Critical Insight

    • Stop applying a one-size-fits-all-projects approach to governance.
    • Engage the sponsor by shifting the accountability to the business so they can get the most out of the project.
    • Do not limit the gating process to project management – expand to portfolio management.

    Impact and Result

    • Increase Project Throughput: Do more projects by ensuring the right projects and right amount of projects are approved and executed.
    • Validate Project Quality: Ensure issues are uncovered and resolved with standard check points in the project.
    • Increase Reporting and Visibility: Easily compare progress of projects across the portfolio and report outcomes to leadership.
    • Reduce Resource Waste: Terminate low-value projects early and assign the right resources to approved projects.
    • Achieve Intended Project Outcomes: Keep the sponsor engaged throughout the gating process to achieve desired outcomes.

    Drive Business Value With a Right-Sized Project Gating Process Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should design a right-sized project gating process, review Info-Tech’s methodology, and understand the four ways we can support you.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Lay the groundwork for tailored project gating

    This phase will walk you through the following activities:

  • Understand the role of gating and why we need it.
  • Determine what projects will follow the gating process and how to classify them.
  • Establish the role of the project sponsor throughout the entire project lifecycle.
    • Drive Business Value With a Right-Sized Project Gating Process – Phase 1: Lay the Groundwork for Tailored Project Gating
    • Project Intake Classification Matrix
    • Project Sponsor Role Description Template

    2. Establish level 1 project gating

    This phase will help you customize Level 1 Project Gates with appropriate roles and responsibilities.

    • Drive Business Value With a Right-Sized Project Gating Process – Phase 2: Establish Level 1 Project Gating
    • Project Gating Strategic Template

    3. Establish level 2 project gating

    This phase will help you customize Level 2 Project Gates with appropriate roles and responsibilities.

    • Drive Business Value With a Right-Sized Project Gating Process – Phase 3: Establish Level 2 Project Gating

    4. Establish level 3 project gating

    This phase will help you customize Level 3 Project Gates with appropriate roles and responsibilities. It will also help you determine next steps and milestones for the adoption of the new process.

    • Drive Business Value With a Right-Sized Project Gating Process – Phase 4: Establish Level 3 Project Gating
    • Project Gating Reference Document
    [infographic]

    Workshop: Drive Business Value With a Right-Sized Project Gating Process

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Lay the Groundwork for Tailored Project Gating

    The Purpose

    Understand the role of gating and why we need it.

    Determine what projects will follow the gating process and how to classify them.

    Establish the role of the project sponsor throughout the entire project lifecycle.

    Key Benefits Achieved

    Get stakeholder buy-in for the process.

    Ensure there is a standard leveling process to determine size, risk, and complexity of requests.

    Engage the project sponsor throughout the portfolio and project processes.

    Activities

    1.1 Project Gating Review

    1.2 Establish appropriate project levels

    1.3 Define the role of the project sponsor

    Outputs

    Project Intake Classification Matrix

    Project Sponsor Role Description Template

    2 Establish Level 1 Project Gating

    The Purpose

    This phase will help you customize Level 1 Project Gates with appropriate roles and responsibilities.

    Key Benefits Achieved

    Create a lightweight project gating process for small projects.

    Activities

    2.1 Review level 1 project gating process

    2.2 Determine what gates should be part of your custom level 1 gating process

    2.3 Establish required artifacts for each gate

    2.4 Define the stakeholder’s roles and responsibilities at each gate

    Outputs

    Documented outputs in the Project Gating Strategic Template

    3 Establish Level 2 Project Gating

    The Purpose

    This phase will help you customize Level 2 Project Gates with appropriate roles and responsibilities.

    Key Benefits Achieved

    Create a heavier project gating process for medium projects.

    Activities

    3.1 Review level 2 project gating process

    3.2 Determine what gates should be part of your custom level 2 gating process

    3.3 Establish required artifacts for each gate

    3.4 Define the stakeholder’s roles and responsibilities at each gate

    Outputs

    4 Establish Level 3 Project Gating

    The Purpose

    This phase will help you customize Level 3 Project Gates with appropriate roles and responsibilities.

    Come up with a roadmap for the adoption of the new project gating process.

    Key Benefits Achieved

    Create a comprehensive project gating process for large projects.

    Activities

    4.1 Review level 3 project gating process

    4.2 Determine what gates should be part of your custom level 3 gating process

    4.3 Establish required artifacts for each gate

    4.4 Define the stakeholder’s roles and responsibilities at each gate

    4.5 Determine next steps and milestones for process adoption

    Outputs

    Documented outputs in the Project Gating Strategic Template

    Documented Project Gating Reference Document for all stakeholders

    Lead Strategic Decision Making With Service Portfolio Management

    • Buy Link or Shortcode: {j2store}397|cart{/j2store}
    • member rating overall impact (scale of 10): 9.0/10 Overall Impact
    • member rating average dollars saved: After each Info-Tech experience, we ask our members to quantify the real-time savings, monetary impact, and project improvements our research helped them achieve.
    • member rating average days saved: Read what our members are saying
    • Parent Category Name: Service Management
    • Parent Category Link: /service-management
    • There are no standardized processes for the intake of new ideas and no consistent view of the drivers needed to assess the value of these ideas.
    • IT is spending money on low-value services and doesn’t have the ability to understand and track value in order to prioritize IT investment.
    • CIOs are not trusted to drive innovation.

    Our Advice

    Critical Insight

    • The service portfolio empowers IT to be a catalyst in business strategy, change, and growth.
    • IT must drive value-based investment by understanding value of all services in the portfolio.
    • Organizations must assess the value of their services throughout their lifecycle to optimize business outcomes and IT spend.

    Impact and Result

    • Optimize IT investments by prioritizing services that provide more value to the business, ensuring that you do not waste money on low-value or out-of-date IT services.
    • Ensure that services are directly linked to business objectives, goals, and needs, keeping IT embedded in the strategic vision of the organization.
    • Enable the business to understand the impact of IT capabilities on business strategy.
    • Ensure that IT maintains a strategic and tactical view of the services and their value.
    • Drive agility and innovation by having a streamlined view of your business value context and a consistent intake of ideas.
    • Provide strategic leadership and create new revenue by understanding the relative value of new ideas vs. existing services.

    Lead Strategic Decision Making With Service Portfolio Management Research & Tools

    Start here – read the Executive Brief

    Service portfolio management enables organizations to become strategic value creators by establishing a dynamic view of service value. Understand the driving forces behind the need to manage services through their lifecycles.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Establish the service portfolio

    Establish and understand the service portfolio process by setting up the Service Portfolio Worksheet.

    • Lead Strategic Decision Making With Service Portfolio Management – Phase 1: Establish the Service Portfolio
    • Service Portfolio Worksheet

    2. Develop a value assessment framework

    Use the value assessment tool to assess services based on the organization’s context of value.

    • Lead Strategic Decision Making With Service Portfolio Management – Phase 2: Develop a Value Assessment Framework
    • Value Assessment Tool
    • Value Assessment Example Tool

    3. Manage intake and assessment of initiatives

    Create a centralized intake process to manage all new service ideas.

    • Lead Strategic Decision Making With Service Portfolio Management – Phase 3: Manage Intake and Assessment of Initiatives
    • Service Intake Form

    4. Assess active services

    Continuously validate the value of the existing service and determine the future of service based on the value and usage of the service.

    • Lead Strategic Decision Making With Service Portfolio Management – Phase 4: Assess Active Services

    5. Manage and communicate the service portfolio

    Communicate and implement the service portfolio within the organization, and create a mechanism to seek out continuous improvement opportunities.

    • Lead Strategic Decision Making With Service Portfolio Management – Phase 5: Manage and Communicate the Service Portfolio
    [infographic]

    Workshop: Lead Strategic Decision Making With Service Portfolio Management

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Establish the Service Portfolio

    The Purpose

    Establish and understand the service portfolio process by setting up the Service Portfolio Worksheet.

    Understand at a high level the steps involved in managing the service portfolio.

    Key Benefits Achieved

    Adapt the Service Portfolio Worksheet to organizational needs and create a plan to begin documenting services in the worksheet.

    Activities

    1.1 Review the Service Portfolio Worksheet.

    1.2 Adapt the Service Portfolio Worksheet.

    Outputs

    Knowledge about the use of the Service Portfolio Worksheet.

    Adapt the worksheet to reflect organizational needs and structure.

    2 Develop a Value Assessment Framework

    The Purpose

    Understand the need for a value assessment framework.

    Key Benefits Achieved

    Identify the organizational context of value through a holistic look at business objectives.

    Leverage Info-Tech’s Value Assessment Tool to validate and determine service value.

    Activities

    2.1 Understand value from business context.

    2.2 Determine the governing body.

    2.3 Assess culture and organizational structure.

    2.4 Complete the value assessment.

    2.5 Discuss value assessment score.

    Outputs

    Alignment on value context.

    Clear roles and responsibilities established.

    Ensure there is a supportive organizational structure and culture in place.

    Understand how to complete the value assessment and obtain a value score for selected services.

    Understand how to interpret the service value score.

    3 Manage Intake and Assessment of Initiatives

    The Purpose

    Create a centralized intake process to manage all new service ideas.

    Key Benefits Achieved

    Encourage collaboration and innovation through a transparent, formal, and centralized service intake process.

    Activities

    3.1 Review or design the service intake process.

    3.2 Review the Service Intake Form.

    3.3 Design a process to assess and transfer service ideas.

    3.4 Design a process to transfer completed services to the service catalog.

    Outputs

    Create a centralized process for service intake.

    Complete the Service Intake Form for a specific initiative.

    Have a process designed to transfer approved projects to the PMO.

    Have a process designed for transferring of completed services to the service catalog.

    4 Assess Active Services

    The Purpose

    Continuously validate the value of existing services.

    Key Benefits Achieved

    Ensure services are still providing the expected outcome.

    Clear next steps for services based on value.

    Activities

    4.1 Discuss/review management of active services.

    4.2 Complete value assessment for an active service.

    4.3 Determine service value and usage.

    4.4 Determine the next step for the service.

    4.5 Document the decision regarding the service outcome.

    Outputs

    Understand how active services must be assessed throughout their lifecycles.

    Understand how to assess an existing service.

    Place the service on the 2x2 matrix based on value and usage.

    Understand the appropriate next steps for services based on value.

    Formally document the steps for each of the IRMR options.

    5 Manage and Communicate Your Service Portfolio

    The Purpose

    Communicate and implement the service portfolio within the organization.

    Key Benefits Achieved

    Obtain buy-ins for the process.

    Create a mechanism to identify changes within the organization and to seek out continuous improvement opportunities for the service portfolio management process and procedures.

    Activities

    5.1 Create a communication plan for service portfolio and value assessment.

    5.2 Create a communication plan for service intake.

    5.3 Create a procedure to continuously validate the process.

    Outputs

    Document the target audience, the message, and how the message should be communicated.

    Document techniques to encourage participation and promote participation from the organization.

    Document the formal review process, including cycle, roles, and responsibilities.

    Take the First Steps to Embrace Open-Source Software

    • Buy Link or Shortcode: {j2store}164|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Development
    • Parent Category Link: /development

    Your organization is looking to invest in new software or a tool to solve key business and IT problems. They see open source as a viable option given the advertised opportunities and the popularity of many open-source projects, but they have concerns:

    • Despite the longevity and broad adoption of open-source software, stakeholders are hesitant about its long-term viability and the costs of ongoing support.
    • A clear direction and strategy are needed to align the expected value of open source to your stakeholders’ priorities and gain the funding required to select, implement, and support open-source software.

    Our Advice

    Critical Insight

    • Position open source in the same light as commercial software. The continuous improvement and evolution of popular open-source software and communities have established a reputation for reliability in the industry.
    • Consider open source as another form of outsource development. Open source is externally developed software where the code is accessible and customizable. Code quality may not align to your organization’s standards, which can require extensive testing and optimization.
    • Treat open source as any internally developed solution. Configurations, integrations, customizations, and orchestrations of open-source software are often done at the code level. While some community support is provided, most of the heavy lifting is done by the applications team.

    Impact and Result

    • Outline the value you expect to gain. Discuss current business and IT priorities, use cases, and value opportunities to determine what to expect from open-source versus commercial software.
    • Define your open-source selection criteria. Clarify the driving factors in your evaluation of open-source and commercial software using your existing IT procurement practices as a starting point.
    • Assess the readiness of your team. Clarify the roles, processes, and tools needed for the implementation, use, and maintenance of open-source software.

    Take the First Steps to Embrace Open-Source Software Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Take the First Steps to Embrace Open-Source Software Storyboard – A guide to learn the fit, value, and considerations of open-source software.

    This research walks you through the misconceptions about open source, factors to consider in its selection, and initiatives to prepare your teams for its adoption.

    • Take the First Steps to Embrace Open-Source Software Storyboard

    2. Open-Source Readiness Assessment – A tool to help you evaluate your readiness to embrace open-source software in your environment.

    Use this tool to identify key gaps in the people, processes, and technologies needed to support open source in your organization. It also contains a canvas to facilitate discussions about expectations with your stakeholders and applications teams.

    • Open-Source Readiness Assessment
    [infographic]

    Further reading

    Take the First Steps to Embrace Open-Source Software

    Begin to understand what is required to embrace open-source software in your organization.

    Analyst Perspective

    With great empowerment comes great responsibilities.

    Open-source software promotes enticing technology and functional opportunities to any organization looking to modernize without the headaches of traditional licensing. Many organizations see the value of open source in its ability to foster innovation, be flexible to various use cases and system configurations, and give complete control to the teams who are using and managing it.

    However, open source is not free. While the software is freely and easily accessible, its use and sharing are bound by its licenses, and its implementation requires technical expertise and infrastructure investments. Your organization must be motivated and capable of taking on the various services traditionally provided and managed by the vendor.

    Photo of Andrew Kum-Seun

    Andrew Kum-Seun
    Research Director,
    Application Delivery and Application Management
    Info-Tech Research Group

    Executive Summary

    Your Challenge

    Your organization is looking to invest in new software or a tool to solve key business and IT problems. They see open source as a viable option because of the advertised opportunities and the popularity of many open-source projects.

    Despite the longevity and the broad adoption of open-source software, stakeholders are hesitant about its adoption, its long-term viability, and the costs of ongoing support.

    A clear direction and strategy is needed to align the expected value of open source to your stakeholders’ priorities and gain the funding required to select, implement, and support open-source software.

    Common Obstacles

    Your stakeholders’ fears, uncertainties, and doubts about open source may be driven by misinterpretation or outdated information. This hesitancy can persist despite some projects being active longer than their proprietary counterparts.

    Certain software features, support capabilities, and costs are commonly overlooked when selecting open-source software because they are often assumed in the licensing and service costs of commercial software.

    Open-source software is often technically complicated and requires specific skill sets and knowledge. Unfortunately, current software delivery capability gaps impede successful adoption and scaling of open-source software.

    Info-Tech’s Approach

    Outline the value you expect to gain. Discuss current business and IT priorities, use cases, and value opportunities to determine what to expect from open-source versus commercial software.

    Define your open-source selection criteria. Clarify the driving factors in your evaluation of open-source and commercial software using your existing IT procurement practices as a starting point.

    Assess the readiness of your team. Clarify the roles, processes, and tools needed for the implementation, use, and maintenance of open-source software.

    Insight Summary

    Overarching Info-Tech Insight

    Open source is as much about an investment in people as it is about technology. It empowers applications teams to take greater control over their technology and customize it as they see fit. However, teams need the time and funding to conduct the necessary training, management, and ongoing community engagement that open-source software and its licenses require.

    • Position open source in the same light as commercial software.
      The continuous improvement and evolution of popular open-source software and communities have established a trusting and reliable reputation in the industry. Open-source software quality and community support can rival similar vendor capabilities given the community’s maturity and contributions in the technology.
    • Consider open source another form of outsource development.
      Open source is externally developed software where the code is accessible and customizable. Code quality may not align to your organization’s standards, which can require extensive testing and optimization. A thorough analysis of change logs, code repositories, contributors, and the community is recommended – much to the same degree as one would do with prospective outsourcing partners.
    • Treat open source as any internally developed solution.
      Configurations, integrations, customizations, and orchestrations of open-source software are often done at the code level. While some community support is provided, most of the heavy lifting is done by the applications team. Teams must be properly resourced, upskilled, and equipped to meet this requirement. Otherwise, third-party partners are needed.

    What is open source?

    According to Synopsys, “Open source software (OSS) is software that is distributed with its source code, making it available for use, modification, and distribution with its original rights. … Programmers who have access to source code can change a program by adding to it, changing it, or fixing parts of it that aren’t working properly. OSS typically includes a license that allows programmers to modify the software to best fit their needs and control how the software can be distributed.”

    What are the popular use cases?

    1. Programming languages and frameworks
    2. Databases and data technologies
    3. Operating systems
    4. Git public repos
    5. Frameworks and tools for AI/ML/DL
    6. CI/CD tooling
    7. Cloud-related tools
    8. Security tools
    9. Container technology
    10. Networking

    Source: OpenLogic, 2022

    Common Attributes of All Open-Source Software

    • Publicly shared repository that anyone can access to use the solution and contribute changes to the design and functionality of the project.
    • A community that is an open forum to share ideas and solution enhancements, discuss project direction and vision, and seek support from peers.
    • Project governance that sets out guidelines, rules, and requirements to participate and contribute to the project.
    • Distribution license that defines the terms of how a solution can be used, assessed, modified, and distributed.

    Take the first steps to embrace open-source software

    Begin to understand what is required to embrace open-source software in your organization.

    A diagram of open-source community.

    State the Value of Open Source: Discuss current business and IT priorities, use cases, and value opportunities to determine what to expect from open-source versus commercial software.

    Select Your Open-Source Software: Clarify the driving factors in your evaluation of open-source and commercial software using your existing IT procurement practices as a starting point.

    Prepare for Open Source: Clarify the roles, processes, and tools needed for the implementation, use, and maintenance of open-source software.

    Step 1.1: State the Value of Open Source

    Diagram of step 1.1

    Activities

    1.1.1 Outline the value you expect to gain from open-source software

    This step involves the following participants:

    • Applications team
    • Product owner

    Outcomes of this step:

    • Value proposition for open source
    • Potential open-source use cases

    Use a canvas to frame your open-source evaluation

    A photo of open-source canvas

    This canvas is intended to provide a single pane of glass to start collecting your thoughts and framing your future conversations on open-source software selection and adoption.

    Record the results in the “Open-Source Canvas” tab in the Open-Source Readiness Assessment.

    Open source presents unique software and tooling opportunities

    Innovation

    Many leading-edge and bleeding-edge technologies are collaborated and innovated in open-source projects, especially in areas that are beyond the vision and scope of vendor products and priorities.

    Niche Solutions

    Open-source projects are focused. They are designed and built to solve specific business and technology problems.

    Flexible & Customizable

    All aspects of the open-source software are customizable, including source code and integrations. They can be used to extend, complement, or replace internally developed code. Licenses define how open-source code should be and must be used, productized, and modified.

    Brand & Recognition

    Open-source communities encourage contribution and collaboration among their members to add functionality and improve quality and adoption.

    Cost

    Open-source software is accessible to everyone, free of charge. Communities do not need be consulted prior to acquisition, but the software’s use, configurations, and modifications may be restricted by its license.

    However, myths continue to challenge adoption

    • Open source is less secure or poorer quality than proprietary solutions.
    • Open source is free from risk of intellectual property (IP) infringement.
    • Open source is cheaper than proprietary solutions.

    What are the top perceived barriers to using enterprise open source?

    • Concerns about the level of support
    • Compatibility concerns
    • Concerns about inherent security of the code
    • Lack of internal skills to manage and support it

    Source: Red Hat, 2022

    Identify the Components of Your Cloud Security Architecture

    • Buy Link or Shortcode: {j2store}354|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Security Strategy & Budgeting
    • Parent Category Link: /security-strategy-and-budgeting
    • Leveraging the cloud introduces IT professionals to a new world that they are tasked with securing. Consumers do not know what security services they need and when to implement them.
    • With many cloud vendors proposing to share the security responsibility, it can be a challenge for organizations to develop a clear understanding of how they can best secure their data off premises.

    Our Advice

    Critical Insight

    • Your cloud security architecture needs to be strategic, realistic, and based on risk. The NIST approach to cloud security is to include everything security into your cloud architecture to be deemed secure. However, you can still have a robust and secure cloud architecture by using a risk-based approach to identify the necessary controls and mitigating services for your environment.
    • The cloud is not the right choice for everyone. You’re not as unique as you think. Start with a reference model that is based on your risks and business attributes and optimize it from there.
    • Your responsibility doesn’t end at the vendor. Even if you outsource your security services to your vendors, you will still have security responsibilities to address.
    • Don’t boil the ocean; do what is realistic for your enterprise. Your cloud security architecture should be based on securing your most critical assets. Use our reference model to determine a launch point.
    • A successful strategy is holistic. Controlling for cloud risks comes from knowing what the risks are. Consider the full spectrum of security, including both processes and technologies.

    Impact and Result

    • The business is adopting a cloud environment and it must be secured, which includes:
      • Ensuring business data cannot be leaked or stolen.
      • Maintaining the privacy of data and other information.
      • Securing the network connection points.
      • Knowing the risks associated with the cloud and mitigating those risks with the appropriate services.
    • This blueprint and associated tools are scalable for all types of organizations within various industry sectors. It allows them to know what types of risk they are facing and what security services are strongly recommended to mitigate those risks.

    Identify the Components of Your Cloud Security Architecture Research & Tools

    Start Here – read the Executive Brief

    Read our concise Executive Brief to find out why you should create a cloud security architecture with security at the forefront, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Cloud security alignment analysis

    Explore how the cloud changes and whether your enterprise is ready for the shift to the cloud.

    • Identify the Components of Your Cloud Security Architecture – Phase 1: Cloud Security Alignment Analysis
    • Cloud Security Architecture Workbook

    2. Business-critical workload analysis

    Analyze the workloads that will migrated to the cloud. Consider the various domains of security in the cloud, considering the cloud’s unique risks and challenges as they pertain to your workloads.

    • Identify the Components of Your Cloud Security Architecture – Phase 2: Business-Critical Workload Analysis

    3. Cloud security architecture mapping

    Map your risks to services in a reference model from which to build a robust launch point for your architecture.

    • Identify the Components of Your Cloud Security Architecture – Phase 3: Cloud Security Architecture Mapping
    • Cloud Security Architecture Archive Document
    • Cloud Security Architecture Reference Model (Visio)
    • Cloud Security Architecture Reference Model (PDF)

    4. Cloud security strategy planning

    Map your risks to services in a reference architecture to build a robust roadmap from.

    • Identify the Components of Your Cloud Security Architecture – Phase 4: Cloud Security Strategy Planning
    • Cloud Security Architecture Communication Deck

    Infographic

    Workshop: Identify the Components of Your Cloud Security Architecture

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Cloud Security Alignment Analysis

    The Purpose

    Understand your suitability and associated risks with your workloads as they are deployed into the cloud.

    Key Benefits Achieved

    An understanding of the organization’s readiness and optimal service level for cloud security.

    Activities

    1.1 Workload Deployment Plan

    1.2 Cloud Suitability Questionnaire

    1.3 Cloud Risk Assessment

    1.4 Cloud Suitability Analysis

    Outputs

    Workload deployment plan

    Determined the suitability of the cloud for your workloads

    Risk assessment of the associated workloads

    Overview of cloud suitability

    2 Business-Critical Workload Analysis

    The Purpose

    Explore your business-critical workloads and the associated controls and mitigating services to secure them.

    Key Benefits Achieved

    Address NIST 800-53 security controls and the appropriate security services that can mitigate the risks appropriately.

    Activities

    2.1 “A” Environment Analysis

    2.2 “B” Environment Analysis

    2.3 “C” Environment Analysis

    2.4 Prioritized Security Controls

    2.5 Effort and Risk Dashboard Overview

    Outputs

    NIST 800-53 control mappings and relevancy

    NIST 800-53 control mappings and relevancy

    NIST 800-53 control mappings and relevancy

    Prioritized security controls based on risk and environmental makeup

    Mitigating security services for controls

    Effort and Risk Dashboard

    3 Cloud Security Architecture Mapping

    The Purpose

    Identify security services to mitigate challenges posed by the cloud in various areas of security.

    Key Benefits Achieved

    Comprehensive list of security services, and their applicability to your network environment. Documentation of your “current” state of cloud security.

    Activities

    3.1 Cloud Security Control Mapping

    3.2 Cloud Security Architecture Reference Model Mapping

    Outputs

    1. Cloud Security Architecture Archive Document to codify and document each of the associated controls and their risk levels to security services

    2. Mapping of the codified controls onto Info-Tech’s Cloud Security Architecture Reference Model for clear security prioritization

    4 Cloud Security Strategy Planning

    The Purpose

    Prepare a communication deck for executive stakeholders to socialize them to the state of your cloud security initiatives and where you still have to go.

    Key Benefits Achieved

    A roadmap for improving security in the cloud.

    Activities

    4.1 Cloud Security Strategy Considerations

    4.2 Cloud Security Architecture Communication Deck

    Outputs

    Consider the additional security considerations of the cloud for preparation in the communication deck.

    Codify all your results into an easily communicable communication deck with a clear pathway for progression and implementation of security services to mitigate cloud risks.

    Adapt Your Onboarding Process to a Virtual Environment

    • Buy Link or Shortcode: {j2store}577|cart{/j2store}
    • member rating overall impact (scale of 10): 9.0/10 Overall Impact
    • member rating average dollars saved: After each Info-Tech experience, we ask our members to quantify the real-time savings, monetary impact, and project improvements our research helped them achieve.
    • member rating average days saved: Read what our members are saying
    • Parent Category Name: Attract & Select
    • Parent Category Link: /attract-and-select
    • For many, the WFH arrangement will be temporary, however, the uncertainty around the length of the pandemic makes it hard for organizations to plan long term.
    • As onboarding plans traditionally carry a six- to twelve-month outlook, the uncertainty around how long employees will be working remotely makes it challenging to determine how much of the current onboarding program needs to change. In addition, introducing new technologies to a remote workforce and planning training on how to access and effectively use these technologies is difficult.

    Our Advice

    Critical Insight

    • The COVID-19 pandemic has led to a virtual environment many organizations were not prepared for.
    • Focusing on critical parts of the onboarding process and leveraging current technology allows organizations to quickly adapt to the uncertainty and constant change.

    Impact and Result

    • Organizations need to assess their existing onboarding process and identify the parts that are critical.
    • Using the technology currently available, organizations must adapt onboarding to a virtual environment.
    • Develop a plan to re-assess and update the onboarding program according to the duration of the situation.

    Adapt Your Onboarding Process to a Virtual Environment Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Assess current onboarding processes

    Map the current onboarding process and identify the challenges to a virtual approach.

    • Adapt Your Onboarding Process to a Virtual Environment Storyboard
    • Virtual Onboarding Workbook
    • Process Mapping Guide

    2. Modify onboarding activities

    Determine how existing onboarding activities can be modified for a virtual environment.

    • Virtual Onboarding Ideas Catalog
    • Performance Management for Emergency Work-From-Home

    3. Launch the virtual onboarding process and plan to re-assess

    Finalize the virtual onboarding process and create an action plan. Continue to re-assess and iterate over time.

    • Virtual Onboarding Guide for HR
    • Virtual Onboarding Guide for Managers
    • HR Action and Communication Plan
    • Virtual Onboarding Schedule
    [infographic]

    Ensure Cloud Security in IaaS, PaaS, and SaaS Environments

    • Buy Link or Shortcode: {j2store}386|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Secure Cloud & Network Architecture
    • Parent Category Link: /secure-cloud-network-architecture
    • Security remains a large impediment to realizing cloud benefits. Numerous concerns still exist around the ability for data privacy, confidentiality, and integrity to be maintained in a cloud environment.
    • Even if adoption is agreed upon, it becomes hard to evaluate vendors that have strong security offerings and even harder to utilize security controls that are internally deployed in the cloud environment.

    Our Advice

    Critical Insight

    • The cloud can be secure despite unique security threats.
    • Securing a cloud environment is a balancing act of who is responsible for meeting specific security requirements.
    • Most security challenges and concerns can be minimized through our structured process (CAGI) of selecting a trusted cloud security provider (CSP) partner.

    Impact and Result

    • The business is adopting a cloud environment and it must be secured, which includes:
      • Ensuring business data cannot be leaked or stolen.
      • Maintaining privacy of data and other information.
      • Securing the network connection points.
    • Determine your balancing act between yourself and your CSP; through contractual and configuration requirements, determine what security requirements your CSP can meet and cover the rest through internal deployment.
    • This blueprint and associated tools are scalable for all types of organizations within various industry sectors.

    Ensure Cloud Security in IaaS, PaaS, and SaaS Environments Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should prioritize security in the cloud, review Info-Tech’s methodology, and understand the ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Determine your cloud risk profile

    Determine your organization’s rationale for cloud adoption and what that means for your security obligations.

    • Ensure Cloud Security in IaaS, PaaS, and SaaS Environments – Phase 1: Determine Your Cloud Risk Profile
    • Secure Cloud Usage Policy

    2. Identify your cloud security requirements

    Use the Cloud Security CAGI Tool to perform four unique assessments that will be used to identify secure cloud vendors.

    • Ensure Cloud Security in IaaS, PaaS, and SaaS Environments – Phase 2: Identify Your Cloud Security Requirements
    • Cloud Security CAGI Tool

    3. Evaluate vendors from a security perspective

    Learn how to assess and communicate with cloud vendors with security in mind.

    • Ensure Cloud Security in IaaS, PaaS, and SaaS Environments – Phase 3: Evaluate Vendors From a Security Perspective
    • IaaS and PaaS Service Level Agreement Template
    • SaaS Service Level Agreement Template
    • Cloud Security Communication Deck

    4. Implement your secure cloud program

    Turn your security requirements into specific tasks and develop your implementation roadmap.

    • Ensure Cloud Security in IaaS, PaaS, and SaaS Environments – Phase 4: Implement Your Secure Cloud Program
    • Cloud Security Roadmap Tool

    5. Build a cloud security governance program

    Build the organizational structure of your cloud security governance program.

    • Ensure Cloud Security in IaaS, PaaS, and SaaS Environments – Phase 5: Build a Cloud Security Governance Program
    • Cloud Security Governance Program Template
    [infographic]

    Maintain Employee Engagement During the COVID-19 Pandemic

    • Buy Link or Shortcode: {j2store}548|cart{/j2store}
    • member rating overall impact (scale of 10): 10.0/10 Overall Impact
    • member rating average dollars saved: $12,399 Average $ Saved
    • member rating average days saved: 5 Average Days Saved
    • Parent Category Name: Engage
    • Parent Category Link: /engage
    • The uncertainty of the pandemic means that employee engagement is at higher risk.
    • Organizations need to think beyond targeting traditional audiences by considering engagement of onsite, remote, and laid-off employees.

    Our Advice

    Critical Insight

    • The changing way of work triggered by this pandemic means engagement efforts must be easy to implement and targeted for relevant audiences.

    Impact and Result

    • Identify key drivers to leverage during the pandemic to boost engagement as well as at-risk drivers to focus efforts on.
    • Select quick-win tactics to sustain and boost engagement for relevant target audiences.

    Maintain Employee Engagement During the COVID-19 Pandemic Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Determine the scope

    Evaluate the current state, stakeholder capacity, and target audience of engagement actions.

    • Maintain Employee Engagement During the COVID-19 Pandemic Storyboard
    • Pandemic Engagement Workbook

    2. Identify engagement drivers

    Review impact to engagement drivers in order to prioritize and select tactics for addressing each.

    • Tactics Catalog: Maintain Employee Engagement During the COVID-19 Pandemic
    • Employee Engagement During COVID-19: Manager Tactics

    3. Determine ownership and communicate engagement actions

    Designate owners of tactics, select measurement tools and cadence, and communicate engagement actions.

    • Crisis Communication Guide for HR
    • Crisis Communication Guide for Leaders
    • Leadership Crisis Communication Guide Template
    • HR Action and Communication Plan
    [infographic]

    Measure IT Project Value

    • Buy Link or Shortcode: {j2store}431|cart{/j2store}
    • member rating overall impact (scale of 10): 9.5/10 Overall Impact
    • member rating average dollars saved: $5,549 Average $ Saved
    • member rating average days saved: 6 Average Days Saved
    • Parent Category Name: Portfolio Management
    • Parent Category Link: /portfolio-management
    • People treat benefits as a box to tick on the business case, deflating or inflating them to facilitate project approval.
    • Even if benefits are properly defined, they are usually forgotten once the project is underway.
    • Subsequent changes to project scope may impact the viability of the project’s business benefits, resulting in solutions that do not deliver expected value.

    Our Advice

    Critical Insight

    • It is rare for project teams or sponsors to be held accountable for managing and/or measuring benefits. The assumption is often that no one will ask if benefits have been realized after the project is closed.
    • The focus is largely on the project’s schedule, budget, and scope, with little attention paid to the value that the project is meant to deliver to the organization.
    • Without an objective stakeholder to hold people accountable for defining benefits and demonstrating their delivery, benefits will continue to be treated as red tape.
    • Sponsors will not take the time to define benefits properly, if at all. The project team will not take the time to ensure they are still achievable as the project progresses. When the project is complete, no one will investigate actual project success.

    Impact and Result

    • The project sponsor and business unit leaders must own project benefits; IT is only accountable for delivering the solution.
    • IT can play a key role in this process by establishing and supporting a benefits realization process. They can help business unit leaders and sponsors define benefits properly, identify meaningful metrics, and report on benefits realization effectively.
    • The project management office is ideally suited to facilitate this process by providing tools and templates, and a consistent and comparable view across projects.
    • Project managers are accountable for delivering the project, not for delivering the benefits of the project itself. However, they must ensure that changes to project scope are assessed for impact on benefits viability.

    Measure IT Project Value Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should establish a benefits legitimacy practice, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Establish benefits legitimacy during portfolio Intake

    This phase will help you define a benefits management process to help support effective benefits definition during portfolio intake.

    • Deliver Project Value With a Benefits Legitimacy Initiative – Phase 1: Establish Benefits Legitimacy During Portfolio Intake
    • Project Sponsor Role Description Template
    • Benefits Commitment Form Template
    • Right-Sized Business Case Template

    2. Maintain benefits legitimacy throughout project planning and execution

    This phase will help you define a process for effective benefits management during project planning and the execution intake phase.

    • Deliver Project Value With a Benefits Legitimacy Initiative – Phase 2: Maintain Benefits Legitimacy Throughout Project Planning and Execution
    • Project Benefits Documentation Workbook
    • Benefits Legitimacy Workflow Template (PDF)
    • Benefits Legitimacy Workflow Template (Visio)

    3. Close the deal on project benefits

    This phase will help you define a process for effectively tracking and reporting on benefits realization post-project.

    • Deliver Project Value With a Benefits Legitimacy Initiative – Phase 3: Close the Deal on Project Benefits
    • Portfolio Benefits Tracking Tool
    • Benefits Lag Report Template
    • Benefits Legitimacy Handbook Template
    [infographic]

    Workshop: Measure IT Project Value

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Analyze the Current State of Benefits Management

    The Purpose

    Assess the current state of benefits management at your organization and establish a realistic target state.

    Establish project and portfolio baselines for benefits management.

    Key Benefits Achieved

    Set achievable workshop goals and align stakeholder expectations.

    Establish a solid foundation for benefits management success.

    Activities

    1.1 Introductions and overview.

    1.2 Discuss attendee expectations and goals.

    1.3 Complete Info-Tech’s PPM Current State Scorecard.

    1.4 Perform right-wrong-confusing-missing analysis.

    1.5 Define target state for benefits management.

    1.6 Refine project levels.

    Outputs

    Info-Tech’s PPM Current State Scorecard report

    Right-wrong-confusing-missing analysis

    Stakeholder alignment around workshop goals and target state

    Info-Tech’s Project Intake Classification Matrix

    2 Establish Benefits Legitimacy During Portfolio Intake

    The Purpose

    Establish organizationally specific benefit metrics and KPIs.

    Develop clear roles and accountabilities for benefits management.

    Key Benefits Achieved

    An articulation of project benefits and measurements.

    Clear checkpoints for benefits communication during the project are defined.

    Activities

    2.1 Map the current portfolio intake process.

    2.2 Establish project sponsor responsibilities and accountabilities for benefits management.

    2.3 Develop organizationally specific benefit metrics and KPIs.

    2.4 Integrate intake legitimacy into portfolio intake processes.

    Outputs

    Info-Tech’s Project Sponsor Role Description Template

    Info-Tech’s Benefits Commitment Form Template

    Intake legitimacy process flow and RASCI chart

    Intake legitimacy SOP

    3 Maintain Benefits Legitimacy Throughout Project Planning and Execution

    The Purpose

    Develop a customized SOP for benefits management during project planning and execution.

    Key Benefits Achieved

    Ensure that all changes to the project have been recorded and benefits have been updated in preparation for deployment.

    Updated benefits expectations are included in the final sign-off package.

    Activities

    3.1 Map current project management process and audit project management documentation.

    3.2 Identify appropriate benefits control points.

    3.3 Customize project management documentation to integrate benefits.

    3.4 Develop a deployment legitimacy process flow.

    Outputs

    Customized project management toolkit

    Info-Tech’s Project Benefits Documentation Workbook

    Deployment of legitimacy process flow and RASCI chart

    Deployment of legitimacy SOP

    4 Close the Deal on Project Benefits

    The Purpose

    Develop a post-project benefits realization process.

    Key Benefits Achieved

    Clear project sponsorship accountabilities for post-project benefits tracking and reporting.

    A portfolio level benefits tracking tool for reporting on benefits attainment.

    Activities

    4.1 Identify appropriate benefits control points in the post-project process.

    4.2 Configure Info-Tech’s Portfolio Benefits Tracking Tool.

    4.3 Define a post-project benefits reporting process.

    4.4 Formalize protocol for reporting on, and course correcting, benefit lags.

    4.5 Develop a post-project legitimacy process flow.

    Outputs

    Info-Tech’s Portfolio Benefits Tracking Tool

    Post-Project legitimacy process flow and RASCI chart

    Post-Project Legitimacy SOP

    Info-Tech’s Benefits Legitimacy Handbook

    Info-Tech’s Benefits Legitimacy Workflow Template

    Implement a New IT Organizational Structure

    • Buy Link or Shortcode: {j2store}276|cart{/j2store}
    • member rating overall impact (scale of 10): 10.0/10 Overall Impact
    • member rating average dollars saved: $30,999 Average $ Saved
    • member rating average days saved: 5 Average Days Saved
    • Parent Category Name: Organizational Design
    • Parent Category Link: /organizational-design
    • Organizational design implementations can be highly disruptive for IT staff and business partners. Without a structured approach, IT leaders may experience high turnover, decreased productivity, and resistance to the change.
    • CIOs walk a tightrope as they manage the operational and emotional turbulence while aiming to improve business satisfaction within IT. Failure to achieve balance could result in irreparable failure.

    Our Advice

    Critical Insight

    • Mismanagement will hurt you. The majority of IT organizations do not manage organizational design implementations effectively, resulting in decreased satisfaction, productivity loss, and increased IT costs.
    • Preventing mismanagement is within your control. 72% of change management issues can be directly improved by managers. IT leaders have a tendency to focus their efforts on operational changes rather than on people.

    Impact and Result

    Leverage Info-Tech’s organizational design implementation process and deliverables to build and implement a detailed transition strategy and to prepare managers to lead through change.

    Follow Info-Tech’s 5-step process to:

    1. Effect change and sustain productivity through real-time employee engagement monitoring.
    2. Kick off the organizational design implementation with effective communication.
    3. Build an integrated departmental transition strategy.
    4. Train managers to effectively lead through change.
    5. Develop personalized transition plans.

    Implement a New IT Organizational Structure Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out how you should implement a new organizational design, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Build a change communication strategy

    Create strategies to communicate the changes to staff and maintain their level of engagement.

    • Implement a New Organizational Structure – Phase 1: Build a Change Communication Strategy
    • Organizational Design Implementation FAQ
    • Organizational Design Implementation Kick-Off Presentation

    2. Build the organizational transition plan

    Build a holistic list of projects that will enable the implementation of the organizational structure.

    • Implement a New Organizational Structure – Phase 2: Build the Organizational Transition Plan
    • Organizational Design Implementation Project Planning Tool

    3. Lead staff through the reorganization

    Lead a workshop to train managers to lead their staff through the changes and build transition plans for all staff members.

    • Implement a New Organizational Structure – Phase 3: Lead Staff Through the Reorganization
    • Organizational Design Implementation Manager Training Guide
    • Organizational Design Implementation Stakeholder Engagement Plan Template
    • Organizational Design Implementation Transition Plan Template
    [infographic]

    Workshop: Implement a New IT Organizational Structure

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Build Your Change Project Plan

    The Purpose

    Create a holistic change project plan to mitigate the risks of organizational change.

    Key Benefits Achieved

    Building a change project plan that encompasses both the operational changes and minimizes stakeholder and employee resistance to change.

    Activities

    1.1 Review the new organizational structure.

    1.2 Determine the scope of your organizational changes.

    1.3 Review your MLI results.

    1.4 Brainstorm a list of projects to enable the change.

    Outputs

    Project management planning and monitoring tool

    McLean Leadership Index dashboard

    2 Finalize Change Project Plan

    The Purpose

    Finalize the change project plan started on day 1.

    Key Benefits Achieved

    Finalize the tasks that need to be completed as part of the change project.

    Activities

    2.1 Brainstorm the tasks that are contained within the change projects.

    2.2 Determine the resource allocations for the projects.

    2.3 Understand the dependencies of the projects.

    2.4 Create a progress monitoring schedule.

    Outputs

    Completed project management planning and monitoring tool

    3 Enlist Your Implementation Team

    The Purpose

    Enlist key members of your team to drive the implementation of your new organizational design.

    Key Benefits Achieved

    Mitigate the risks of staff resistance to the change and low engagement that can result from major organizational change projects.

    Activities

    3.1 Determine the members that are best suited for the team.

    3.2 Build a RACI to define their roles.

    3.3 Create a change vision.

    3.4 Create your change communication strategy.

    Outputs

    Communication strategy

    4 Train Your Managers to Lead Through Change

    The Purpose

    Train your managers who are more technically focused to handle the people side of the change.

    Key Benefits Achieved

    Leverage your managers to translate how the organizational change will directly impact individuals on their teams.

    Activities

    4.1 Conduct the manager training workshop with managers.

    4.2 Review the stakeholder engagement plans.

    4.3 Review individual transition plan template with managers.

    Outputs

    Conflict style self-assessments

    Stakeholder engagement plans

    Individual transition plan template

    5 Build Your Transition Plans

    The Purpose

    Complete transition plans for individual members of your staff.

    Key Benefits Achieved

    Create individual plans for your staff members to ease the transition into their new roles.

    Activities

    5.1 Bring managers back in to complete transition plans.

    5.2 Revisit the new organizational design as a source of information.

    5.3 Complete aspects of the templates that do not require staff feedback.

    5.4 Discuss strategies for transitioning.

    Outputs

    Individual transition plan template

    Further reading

    Implement a New IT Organizational Structure

    Prioritize quick wins and critical services during IT org changes.

    This blueprint is part 3/3 in Info-Tech’s organizational design program and focuses on implementing a new structure

    Part 1: Design Part 2: Structure Part 3: Implement
    IT Organizational Architecture Organizational Sketch Organizational Structure Organizational Chart Transition Strategy Implement Structure
    1. Define the organizational design objectives.
    2. Develop strategically-aligned capability map.
    3. Create the organizational design framework.
    4. Define the future state work units.
    5. Create future state work unit mandates.
    1. Assign work to work units (accountabilities and responsibilities).
    2. Develop organizational model options (organizational sketches).
    3. Assess options and select go-forward model.
    1. Define roles by work unit.
    2. Create role mandates.
    3. Turn roles into jobs.
    4. Define reporting relationships between jobs.
    5. Define competency requirements.
    1. Determine number of positions per job.
    2. Conduct competency assessment.
    3. Assign staff to jobs.
    1. Form OD implementation team.
    2. Develop change vision.
    3. Build communication presentation.
    4. Identify and plan change projects.
    5. Develop organizational transition plan.
    1. Train managers to lead through change.
    2. Define and implement stakeholder engagement plan.
    3. Develop individual transition plans.
    4. Implement transition plans.
    Risk Management: Create, implement, and monitor risk management plan.
    HR Management: Develop job descriptions, conduct job evaluation, and develop compensation packages.

    Monitor and Sustain Stakeholder Engagement →

    The sections highlighted in green are in scope for this blueprint. Click here for more information on designing or on structuring a new organization.

    Our understanding of the problem

    This Research is Designed For:

    • CIOs

    This Research Will Help You:

    • Effectively implement a new organizational structure.
    • Develop effective communications to minimize turnover and lost productivity during transition.
    • Identify a detailed transition strategy to move to your new structure with minimal interruptions to service quality.
    • Train managers to lead through change and measure ongoing employee engagement.

    This Research Will Also Assist:

    • IT Leaders

    This Research Will Help Them:

    • Effectively lead through the organizational change.
    • Manage difficult conversations with staff and mitigate staff concerns and turnover.
    • Build clear transition plans for their teams.

    Executive summary

    Situation

    • Organizational Design (OD) projects are typically undertaken in order to enable organizational priorities, improve IT performance, or to reduce IT costs. However, due to the highly disruptive nature of the change, only 25% of changes achieve their objectives over the long term. (2013 Towers Watson Change and Communication ROI Survey)

    Complication

    • OD implementations can be highly disruptive for IT staff and business partners. Without a structured approach, IT leaders may experience high turnover, decreased productivity, and resistance to the change.
    • CIOs walk a tightrope as they manage the operational and emotional turbulence while aiming to improve business satisfaction within IT. Failure to achieve balance could result in irreparable failure.

    Resolution

    • Leverage Info-Tech’s organizational design implementation process and deliverables to build and implement a detailed transition strategy and to prepare managers to lead through change. Follow Info-Tech’s 5-step process to:
      1. Effect change and sustain productivity through real-time employee engagement monitoring.
      2. Kick off the organizational design implementation with effective communication.
      3. Build an integrated departmental transition strategy.
      4. Train managers to effectively lead through change.
      5. Develop personalized transition plans.

    Info-Tech Insight

    1. Mismanagement will hurt you. The majority of IT organizations do not manage OD implementations effectively, resulting in decreased satisfaction, productivity loss, and increased IT costs.
    2. Preventing mismanagement is within your control. 72% of change management issues can be directly improved by managers. (Abilla, 2009) IT leaders have a tendency to focus their efforts on operational changes rather than on people. This is a recipe for failure.

    Organizational Design Implementation

    Managing organizational design (OD) changes effectively is critical to maintaining IT service levels and retaining top talent throughout a restructure. Nevertheless, many organizations fail to invest appropriate consideration and resources into effective OD change planning and execution.

    THREE REASONS WHY CIOS NEED TO EFFECTIVELY MANAGE CHANGE:

    1. Failure is the norm; not the exception. According to a study by Towers Watson, only 55% of organizations experience the initial value of a change. Even fewer organizations, a mere 25%, are actually able to sustain change over time to experience the full expected benefits. (2013 Towers Watson Change and Communication ROI Survey)
    2. People are the biggest cause of failure. Organizational design changes are one of the most difficult types of changes to manage as staff are often highly resistant. This leads to decreased productivity and poor results. The most significant people challenge is the loss of momentum through the change process which needs to be actively managed.
    3. Failure costs money. Poor IT OD implementations can result in increased turnover, lost productivity, and decreased satisfaction from the business. Managing the implementation has a clear ROI as the cost of voluntary turnover is estimated to be 150% of an employee’s annual salary. (Inc)

    86% of IT leaders believe organization and leadership processes are critical, yet the majority struggle to be effective

    PERCENTAGE OF IT LEADERS WHO BELIEVE THEIR ORGANIZATION AND LEADERSHIP PROCESSES ARE HIGHLY IMPORTANT AND HIGHLY EFFECTIVE

    A bar graph, with the following organization and leadership processes listed on the Y-axis: Human Resources Management; Leadership, Culture, Values; Organizational Change Management; and Organizational Design. The bar graph shows that over 80% of IT leaders rate these processes as High Importance, but less than 40% rate them as having High Effectiveness.

    GAP BETWEEN IMPORTANCE AND EFFECTIVENESS

    Human Resources Management - 61%

    Leadership, Culture, Values - 48%

    Organizational Change Management - 55%

    Organizational Design - 45%

    Note: Importance and effectiveness were determined by identifying the percentage of individuals who responded with 8-10/10 to the questions…

    • “How important is this process to the organization’s ability to achieve business and IT goals?” and…
    • “How effective is this process at helping the organization to achieve business and IT goals?”

    Source: Info-Tech Research Group, Management and Governance Diagnostic. N=22,800 IT Professionals

    Follow a structured approach to your OD implementation to improve stakeholder satisfaction with IT and minimize risk

    • IT reorganizations are typically undertaken to enable strategic goals, improve efficiency and performance, or because of significant changes to the IT budget. Without a structured approach to manage the organizational change, IT might get the implementation done, but fail to achieve the intended benefits, i.e. the operation succeeds, but the patient has died on the table.
    • When implementing your new organizational design, it’s critical to follow a structured approach to ensure that you can maintain IT service levels and performance and achieve the intended benefits.
    • The impact of organizational structure changes can be emotional and stressful for staff. As such, in order to limit voluntary turnover, and to maintain productivity and performance, IT leaders need to be strategic about how they communicate and respond to resistance to change.

    TOP 3 BENEFITS OF FOLLOWING A STRUCTURED APPROACH TO IMPLEMENTING ORGANIZATIONAL DESIGN

    1. Improved stakeholder satisfaction with IT. A detailed change strategy will allow you to successfully transition staff into new roles with limited service interruptions and with improved stakeholder satisfaction.
    2. Experience minimal voluntary turnover throughout the change. Know how to actively engage and minimize resistance of stakeholders throughout the change.
    3. Execute implementation on time and on budget. Effectively managed implementations are 65–80% more likely to meet initial objectives than those with poor organizational change management. (Boxley Group, LLC)

    Optimize your organizational design implementation results by actively preparing managers to lead through change

    IT leaders have a tendency to make change even more difficult by focusing on operations rather than on people. This is a recipe for failure. People pose the greatest risk to effective implementation and as such, IT managers need to be prepared and trained on how to lead their staff through the change. This includes knowing how to identify and manage resistance, communicating the change, and maintaining positive momentum with staff.

    Staff resistance and momentum are the most challenging part of leading through change (McLean & Company, N=196)

    A bar graph with the following aspects of Change Management listed on the Y-Axis, in increasing order of difficulty: Dealing with Technical Issues; Monitoring metrics to measure progress; Amending policies and processes; Coordinating with stakeholders; Getting buy-in from staff; Maintaining a positive momentum with staff.

    Reasons why change fails: 72% of failures can be directly improved by the manager (shmula)

    A pie chart showing the reasons why change fails: Management behavior not supportive of change = 33%; Employee resistance to change = 39%; Inadequate resources or budget = 14%; and All other obstacles = 14%.

    Leverage organizational change management (OCM) best practices for increased OD implementation success

    Effective change management correlates with project success

    A line graph, with Percent of respondents that met or exceeded project objectives listed on the Y-axis, and Poor, Fair, Good, and Excellent listed on the X-axis. The line represents the overall effectiveness of the change management program, and as the value on the Y-axis increases, so does the value on the X-axis.

    Source: Prosci. From Prosci’s 2012 Best Practices in Change Management benchmarking report.

    95% of projects with excellent change management met or EXCEEDED OBJECTIVES, vs. 15% of those with poor OCM. (Prosci)

    143% ROI on projects with excellent OCM. In other words, for every dollar spent on the project, the company GAINS 43 CENTS. This is in contrast to 35% ROI on projects with poor OCM. (McKinsey)

    Info-Tech’s approach to OD implementation is a practical and tactical adaptation of several successful OCM models

    BUSINESS STRATEGY-ORIENTED OCM MODELS. John Kotter’s 8-Step model, for instance, provides a strong framework for transformational change but doesn’t specifically take into account the unique needs of an IT transformation.

    GENERAL-PURPOSE OCM FRAMEWORKS such as ACMP’s Standard for Change Management, CMI’s CMBoK, and Prosci’s ADKAR model are very comprehensive and need to be configured to organizational design implementation-specific initiatives.

    COBIT MANAGEMENT PRACTICE BAI05: MANAGE ORGANIZATIONAL CHANGE ENABLEMENT follows a structured process for implementing enterprise change quickly. This framework can be adapted to OD implementation; however, it is most effective when augmented with the people and management training elements present in other frameworks.

    References and Further Reading

    Tailoring a comprehensive, general-purpose OCM framework to an OD implementation requires familiarity and experience. Info-Tech’s OD implementation model adapts the best practices from a wide range of proven OCM models and distills it into a step-by-step process that can be applied to an organizational design transformation.

    The following OD implementation symptoms can be avoided through structured planning

    IN PREVIOUS ORGANIZATIONAL CHANGES, I’VE EXPERIENCED…

    “Difficultly motivating my staff to change.”

    “Higher than average voluntary turnover during and following the implementation.”

    “An overall sense of staff frustration or decreased employee engagement.”

    “Decreased staff productivity and an inability to meet SLAs.”

    “Increased overtime caused by being asked to do two jobs at once.”

    “Confusion about the reporting structure during the change.”

    “Difficulty keeping up with the rate of change and change fatigue from staff.”

    “Business partner dissatisfaction about the change and complaints about the lack of effort or care put in by IT employees.”

    “Business partners not wanting to adjust to the change and continuing to follow outdated processes.”

    “Decrease in stakeholder satisfaction with IT.”

    “Increased prevalence of shadow IT during or following the change.”

    “Staff members vocally complaining about the IT organization and leadership team.”

    Follow this blueprint to develop and execute on your OD implementation

    IT leaders often lack the experience and time to effectively execute on organizational changes. Info-Tech’s organizational design implementation program will provide you with the needed tools, templates, and deliverables. Use these insights to drive action plans and initiatives for improvement.

    How we can help

    • Measure the ongoing engagement of your employees using Info-Tech’s MLI diagnostic. The diagnostic comes complete with easily customizable reports to track and act on employee engagement throughout the life of the change.
    • Use Info-Tech’s customizable project management tools to identify all of the critical changes, their impact on stakeholders, and mitigate potential implementation risks.
    • Develop an in-depth action plan and transition plans for individual stakeholders to ensure that productivity remains high and that service levels and project expectations are met.
    • Align communication with real-time staff engagement data to keep stakeholders motivated and focused throughout the change.
    • Use Info-Tech’s detailed facilitation guide to train managers on how to effectively communicate the change, manage difficult stakeholders, and help ensure a smooth transition.

    Leverage Info-Tech’s customizable deliverables to execute your organizational design implementation

    A graphic with 3 sections: 1.BUILD A CHANGE COMMUNICATION STRATEGY; 2.BUILD THE ORGANIZATIONAL TRANSITION PLAN; 3.1 TRAIN MANAGERS TO LEAD THROUGH CHANGE; 3.2 TRANSITION STAFF TO NEW ROLES. An arrow emerges from point one and directs right, over the rest of the steps. Text above the arrow reads: ONGOING ENGAGEMENT MONITORING AND COMMUNICATION. Dotted arrows emerge from points two and three directing back toward point one. Text below the arrow reads: COMMUNICATION STRATEGY ITERATION.

    CUSTOMIZABLE PROJECT DELIVERABLES

    1. BUILD A CHANGE COMMUNICATION STRATEGY

    • McLean Leadership Index: Real-Time Employee Engagement Dashboard
    • Organizational Design
    • Implementation Kick-Off Presentation
    • Organizational Design Implementation FAQ

    2. BUILD THE ORGANIZATIONAL TRANSITION PLAN

    • Organizational Design Implementation Project Planning Tool

    3.1 TRAIN MANAGERS TO LEAD THROUGH CHANGE

    3.2 TRANSITION STAFF TO NEW ROLES

    • Organizational Design Implementation Manager Training Guide
    • Organizational Design Implementation Transition Plan Template

    Leverage Info-Tech’s tools and templates to overcome key engagement program implementation challenges

    KEY SECTION INSIGHTS:

    BUILD A CHANGE COMMUNICATION STRATEGY

    Effective organizational design implementations mitigate the risk of turnover and lost productivity through ongoing monitoring and managing of employee engagement levels. Take a data-driven approach to managing engagement with Info-Tech’s real-time MLI engagement dashboard and adjust your communication and implementation strategy before engagement risks become issues.

    BUILD THE ORGANIZATIONAL TRANSITION PLAN

    Your organizational design implementation is made up of a series of projects and needs to be integrated into your larger project schedule. Too often, organizations attempt to fit the organizational design implementation into their existing schedules which results in poor resource planning, long delays in implementation, and overall poor results.

    LEAD STAFF THROUGH THE REORGANIZATION

    The majority of IT managers were promoted because they excelled at the technical aspect of their job rather than in people management. Not providing training is setting your organization up for failure. Train managers to effectively lead through change to see a 72% decrease in change management issues. (Abilla, 2009)

    METRICS:

    1. Voluntary turnover: Conduct an exit interview with all staff members during and after transition. Identify any staff members who cite the change as a reason for departure. For those who do leave, multiply their salary by 1.5% (the cost of a new hire) and track this over time.
    2. Business satisfaction trends: Conduct CIO Business Vision one year prior to the change vs. one year after change kick-off. Prior to the reorganization, set metrics for each category for six months after the reorganization, and one year following.
    3. Saved development costs: Number of hours to develop internal methodology, tools, templates, and process multiplied by the salary of the individual.

    Use this blueprint to save 1–3 months in implementing your new organizational structure

    Time and Effort Using Blueprint Without Blueprint
    Assess Current and Ongoing Engagement 1 person ½ day – 4 weeks 1–2 hours for diagnostic set up (allow extra 4 weeks to launch and review initial results). High Value 4–8 weeks
    Set Up the Departmental Change Workbooks 1–5 people 1 day 4–5 hours (varies based on the scope of the change). Medium Value 1–2 weeks
    Design Transition Strategy 1–2 people 1 day 2–10 hours of implementation team’s time. Medium Value 0–2 weeks
    Train Managers to Lead Through Change 1–5 people 1–2 weeks 1–2 hours to prepare training (allow for 3–4 hours per management team to execute). High Value 3–5 weeks

    These estimates are based on reviews with Info-Tech clients and our experience creating the blueprint.

    Totals:

    Workshop: 1 week

    GI/DIY: 2-6 weeks

    Time and Effort Saved: 8-17 weeks

    CIO uses holistic organizational change management strategies to overcome previous reorganization failures

    CASE STUDY

    Industry: Manufacturing

    Source: Client interview

    Problem

    When the CIO of a large manufacturing company decided to undertake a major reorganization project, he was confronted with the stigma of a previous CIO’s attempt. Senior management at the company were wary of the reorganization since the previous attempt had failed and cost a lot of money. There was major turnover since staff were not happy with their new roles costing $250,000 for new hires. The IT department saw a decline in their satisfaction scores and a 10% increase in help desk tickets. The reorganization also cost the department $400,000 in project rework.

    Solution

    The new CIO used organizational change management strategies in order to thoroughly plan the implementation of the new organizational structure. The changes were communicated to staff in order to improve adoption, every element of the change was mapped out, and the managers were trained to lead their staff through the change.

    Results

    The reorganization was successful and eagerly adopted by the staff. There was no turnover after the new organizational structure was implemented and the engagement levels of the staff remained the same.

    $250,000 - Cost of new hires and salary changes

    10% - Increase in help desk tickets

    $400,000 - Cost of project delays due to the poorly effective implementation of changes

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    “Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.”

    Guided Implementation

    “Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.”

    Workshop

    “We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.”

    Consulting

    “Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”

    Diagnostics and consistent frameworks used throughout all four options

    Implement a New Organizational Structure

    3. Lead Staff Through the Reorganization
    1. Build a Change Communication Strategy 2. Build the Organizational Transition Plan 3.1 Train Managers to Lead Through Change 3.2 Transition Staff to New Roles
    Best-Practice Toolkit

    1.1 Launch the McLean Leadership Index to set a baseline.

    1.2 Establish your implementation team.

    1.3 Build your change communication strategy and change vision.

    2.1 Build a holistic list of change projects.

    2.2 Monitor and track the progress of your change projects.

    3.1.1 Conduct a workshop with managers to prepare them to lead through the change.

    3.1.2 Build stakeholder engagement plans and conduct conflict style self-assessments.

    3.2.1 Build transition plans for each of your staff members.

    3.2.2 Transition your staff to their new roles.

    Guided Implementations
    • Set up your MLI Survey.
    • Determine the members and roles of your implementation team.
    • Review the components of a change communication strategy.
    • Review the change dimensions and how they are used to plan change projects.
    • Review the list of change projects.
    • Review the materials and practice conducting the workshop.
    • Debrief after conducting the workshop.
    • Review the individual transition plan and the process for completing it.
    • Final consultation before transitioning staff to their new roles.
    Onsite Workshop Module 1: Effectively communicate the reorganization to your staff. Module 2: Build the organizational transition plan. Module 3.1: Train your managers to lead through change. Module 3.2: Complete your transition plans

    Phase 1 Results:

    • Plans for effectively communicating with your staff.

    Phase 2 Results:

    • A holistic view of the portfolio of projects required for a successful reorg

    Phase 3.1 Results:

    • A management team that is capable of leading their staff through the reorganization

    Phase 3.2 Results:

    • Completed transition plans for your entire staff.

    Workshop overview

    Contact your account representative or email Workshops@InfoTech.com for more information.

    Workshop Day 1 Workshop Day 2 Workshop Day 3 Workshop Day 4 Workshop Day 5
    Activities

    Build Your Change Project Plan

    1.1 Review the new organizational structure.

    1.2 Determine the scope of your organizational changes.

    1.3 Review your MLI results.

    1.4 Brainstorm a list of projects to enable the change.

    Finalize Change Project Plan

    2.1 Brainstorm the tasks that are contained within the change projects.

    2.2 Determine the resource allocation for the projects.

    2.3 Understand the dependencies of the projects.

    2.4 Create a progress monitoring schedule

    Enlist Your Implementation Team

    3.1 Determine the members that are best suited for the team.

    3.2 Build a RACI to define their roles.

    3.3 Create a change vision.

    3.4 Create your change communication strategy.

    Train Your Managers to Lead Through Change

    4.1 Conduct the manager training workshop with managers.

    4.2 Review the stakeholder engagement plans.

    4.3 Review individual transition plan template with managers

    Build Your Transition Plans

    5.1 Bring managers back in to complete transition plans.

    5.2 Revisit new organizational design as a source for information.

    5.3 Complete aspects of the template that do not require feedback.

    5.4 Discuss strategies for transitioning.

    Deliverables
    1. McLean Leadership Index Dashboard
    2. Organizational Design Implementation Project Planning Tool
    1. Completed Organizational Design Implementation Project Planning Tool
    1. Communication Strategy
    1. Stakeholder Engagement Plans
    2. Conflict Style Self-Assessments
    3. Organizational Design Implementation Transition Plan Template
    1. Organizational Design Implementation Transition Plan Template

    Phase 1

    Build a Change Communication Strategy

    Build a change communication strategy

    Outcomes of this Section:

    • Launch the McLean Leadership Index
    • Define your change team
    • Build your reorganization kick-off presentation and FAQ for staff and business stakeholders

    This section involves the following participants:

    • CIO
    • IT leadership team
    • IT staff

    Key Section Insight:

    Effective organizational design implementations mitigate the risk of turnover and lost productivity through ongoing monitoring of employee engagement levels. Take a data-driven approach to managing engagement with Info-Tech’s real-time MLI engagement dashboard and adjust your communication and implementation strategy in real-time before engagement risks become issues.

    Phase 1 outline

    Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

    Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

    Guided Implementation 1: Build a Change Communication Strategy

    Proposed Time to Completion (in weeks): 1-6 weeks

    Step 1.1: Launch Your McLean Leadership Index Survey

    Start with an analyst kick off call:

    • Discuss the benefits and uses of the MLI.
    • Go over the required information (demographics, permissions, etc.).
    • Set up a live demo of the survey.

    Then complete these activities…

    • Launch the survey with your staff.
    • Have a results call with a member of the Info-Tech staff.

    With these tools & templates:

    McLean Leadership Index

    Step 1.2: Establish Your Implementation Team

    Review findings with analyst:

    • Review what members of your department should participate.
    • Build a RACI to determine the roles of your team members.

    Then complete these activities…

    • Hold a kick-off meeting with your new implementation team.
    • Build the RACI for your new team members and their roles.

    Step 1.3: Build Your Change Communication Strategy

    Finalize phase deliverable:

    • Customize your reorganization kick-off presentation.
    • Create your change vision. Review the communication strategy.

    Then complete these activities…

    • Hold your kick-off presentation with staff members.
    • Launch the reorganization communications.

    With these tools & templates:

    • Organizational Design Implementation Kick-Off Presentation
    • Organizational Design Implementation FAQ

    Set the stage for the organizational design implementation by effectively introducing and communicating the change to staff

    Persuading people to change requires a “soft,” empathetic approach to keep them motivated and engaged. But don’t mistake “soft” for easy. Managing the people and communication aspects around the change are amongst the toughest work there is, and require a comfort and competency with uncertainty, ambiguity, and conflict.

    Design Engagement Transition
    Communication

    Communication and engagement are the chains linking your design to transition. If the organizational design initiative is going to be successful it is critical that you manage this effectively. The earlier you begin planning the better. The more open and honest you are about the change the easier it will be to maintain engagement levels, business satisfaction, and overall IT productivity.

    Kick-Off Presentation Inputs

    • LAUNCH THE MCLEAN LEADERSHIP INDEX
    • IDENTIFY YOUR CHANGE TEAM
    • DETERMINE CHANGE TEAM RESPONSIBILITIES
    • DEVELOP THE CHANGE VISION
    • DEFINE KEY MESSAGES AND GOALS
    • IDENTIFY MAJOR CHANGES
    • IDENTIFY KEY MILESTONES
    • BUILD AND MAINTAIN A CHANGE FAQ

    Use the MLI engagement dashboard to measure your current state and the impact of the change in real-time

    The McLean Leadership Index diagnostic is a low-effort, high-impact program that provides real-time metrics on staff engagement levels. Use these insights to understand your employees’ engagement levels throughout the organizational design implementation to measure the impact of the change and to manage turnover and productivity levels throughout the implementation.

    WHY CARE ABOUT ENGAGEMENT DURING THE CHANGE? ENGAGED EMPLOYEES REPORT:

    39% Higher intention to stay at the organization.

    29% Higher performance and increased likelihood to work harder and longer hours. (Source: McLean and Company N=1,308 IT Employees)

    Why the McLean Leadership Index?

    Based on the Net Promoter Score (NPS), the McLean Leadership Index is one question asked monthly to assess engagement at various points in time.

    Individuals responding to the MLI question with a 9 or 10 are your Promoters and are most positive and passionate. Those who answer 7 or 8 are Passives while those who answer 0 to 6 are Detractors.

    Track your engagement distribution using our online dashboard to view MLI data at any time and view results based on teams, locations, manager, tenure, age, and gender. Assess the reactions to events and changes in real-time, analyze trends over time, and course-correct.

    Dashboard reports: Know your staff’s overall engagement and top priorities

    McLean Leadership Index

    OVERALL ENGAGEMENT RESULTS

    You get:

    • A clear breakdown of your detractors, passives, and promotors.
    • To view results by team, location, and individual manager.
    • To dig deeper into results by reviewing results by age, gender, and tenure at the organization to effectively identify areas where engagement is weak.

    TIME SERIES TRENDS

    You get:

    • View of changes in engagement levels for each team, location, and manager.
    • Breakdown of trends weekly, monthly, quarterly, and yearly.
    • To encourage leaders to monitor results to analyze root causes for changes and generate improvement initiatives.

    QUALITATIVE COMMENTS

    You get:

    • To view qualitative comments provided by staff on what is impacting their engagement.
    • To reply directly to comments without impacting the anonymity of the individuals making the comments.
    • To leverage trends in the comments to make changes to communication approaches.

    Launch the McLean Leadership Index in under three weeks

    Info-Tech’s dedicated team of program managers will facilitate this diagnostic program remotely, providing you with a convenient, low-effort, high-impact experience.

    We will guide you through the process with your goals in mind to deliver deep insight into your successes and areas to improve.

    What You Need To Do:

    1. Contact Info-Tech to launch the program and test the functionality in a live demo.
    2. Identify demographics and set access permissions.
    3. Complete manager training with assistance from Info-Tech Advisors.
    4. Participate in a results call with an Info-Tech Advisor to review results and develop an action plan.

    Info-Tech’s Program Manager Will:

    1. Collect necessary inputs and generate your custom dashboard.
    2. Launch, maintain, and support the online system in the field.
    3. Send out a survey to 25% of the staff each week.
    4. Provide ongoing support over the phone, and the needed tools and templates to communicate and train staff as well as take action on results.

    Explore your initial results in a one-hour call with an Executive Advisor to fully understand the results and draw insights from the data so you can start your action plan.

    Start Your Diagnostic Now

    We'll help you get set up as soon as you're ready.

    Start Now

    Communication has a direct impact on employee engagement; measure communication quality using your MLI results

    A line graph titled: The impact of manager communication on employee engagement. The X-axis is labeled from Strongly Disagree to Strongly Agree, and the Y-axis is labeled: Percent of Engaged Respondents. There are 3 colour-coded lines: dark blue indicates My manager provides me with high-quality feedback; light blue indicates I clearly understand what is expected of me on the job; and green indicates My manager keeps me well informed about decisions that affect me. The line turns upward as it moves to the right of the graph.

    (McLean & Company, 2015 N=17,921)

    A clear relationship exists between how effective a manager’s communication is perceived to be and an employee’s level of engagement. If engagement drops, circle back with employees to understand the root causes.

    Establish an effective implementation team to drive the organizational change

    The implementation team is responsible for developing and disseminating information around the change, developing the transition strategy, and for the ongoing management of the changes.

    The members of the implementation team should include:

    • CIO
    • Current IT leadership team
    • Project manager
    • Business relationship managers
    • Human resources advisor

    Don’t be naïve – building and executing the implementation plan will require a significant time commitment from team members. Too often, organizations attempt to “fit it in” to their existing schedules resulting in poor planning, long delays, and overall poor results. Schedule this work like you would a project.

    TOP 3 TIPS FOR DEFINING YOUR IMPLEMENTATION TEAM

    1. Select a Project Manager. Info-Tech strongly recommends having one individual accountable for key project management activities. They will be responsible for keeping the project on time and maintaining a holistic view of the implementation.
    2. Communication with Business Partners is Critical. If you have Business Relationship Managers (BRMs), involve them in the communication planning or assign someone to play this role. You need your business partners to be informed and bought in to the implementation to maintain satisfaction.
    3. Enlist Your “Volunteer Army.” (Kotter’s 8 Principles) If you have an open culture, Info-Tech encourages you to have an extended implementation team made up of volunteers interested in supporting the change. Their role will be to support the core group, assist in planning, and communicate progress with peers.

    Determine the roles of your implementation team members

    1.1 30 Minutes

    Input

    • Implementation team members

    Output

    • RACI for key transition elements

    Materials

    • RACI chart and pen

    Participants

    • Core implementation committee
    1. Each member should be actively engaged in all elements of the organizational design implementation. However, it’s important to have one individual who is accountable for key activities and ensures they are done effectively and measured.
    2. Review the chart below and as a group, brainstorm any additional key change components.
    3. For each component listed below, identify who is Accountable, Responsible, Consulted, and Informed for each (suggested responsibility below).
    CIO IT Leaders PM BRM HR
    Communication Plan A R R R C
    Employee Engagement A R R R C

    Departmental Transition Plan

    R A R I R
    Organizational Transition Plan R R A I C
    Manager Training A R R I C

    Individual Transition Plans

    R A R I I
    Technology and Logistical Changes R R A I I
    Hiring A R I I R
    Learning and Development R A R R R
    Union Negotiations R I I I A
    Process Development R R A R I

    Fast-track your communication planning with Info-Tech’s Organizational Design Implementation Kick-Off Presentation

    Organizational Design Implementation Kick-Off Presentation

    Communicate what’s important to your staff in a simple, digestible way. The communication message should reflect what is important to your stakeholders and what they want to know at the time.

    • Why is this change happening?
    • What are the goals of the reorganization?
    • What specifically is changing?
    • How will this impact me?
    • When is this changing?
    • How and where can I get more information?

    It’s important that the tone of the meeting suits the circumstances.

    • If the reorganization is going to involve lay-offs: The meeting should maintain a positive feel, but your key messages should stress the services that will be available to staff, when and how people will be communicated with about the change, and who staff can go to with concerns.
    • If the reorganization is to enable growth: Focus on celebrating where the organization is going, previous successes, and stress that the staff are critical in enabling team success.

    Modify the Organizational Design ImplementationKick-Off Presentation with your key messages and goals

    1.2 1 hour

    Input

    • New organizational structure

    Output

    • Organizational design goal statements

    Materials

    • Whiteboard & marker
    • ODI Kick-off Presentation

    Participants

    • OD implementation team
    1. Within your change implementation team, hold a meeting to identify and document the change goals and key messages.
    2. As a group, discuss what the key drivers were for the organizational redesign by asking yourselves what problem you were trying to solve.
    3. Select 3–5 key problem statements and document them on a whiteboard.
    4. For each problem statement, identify how the new organizational design will allow you to solve those problems.
    5. Document these in your Organizational Design Implementation Kick-Off Presentation.

    Modify the presentation with your unique change vision to serve as the center piece of your communication strategy

    1.3 1 hour

    Input

    • Goal statements

    Output

    • Change vision statement

    Materials

    • Sticky notes
    • Pens
    • Voting dots

    Participants

    • Change team
    1. Hold a meeting with the change implementation team to define your change vision. The change vision should provide a picture of what the organization will look like after the organizational design is implemented. It should represent the aspirational goal, and be something that staff can all rally behind.
    2. Hand out sticky notes and ask each member to write down on one note what they believe is the #1 desired outcome from the organizational change and one thing that they are hoping to avoid (you may wish to use your goal statements to drive this).
    3. As a group, review each of the sticky notes and group similar statements in categories. Provide each individual with 3 voting dots and ask them to select their three favorite statements.
    4. Select your winning statements in teams of 2–3. Review each statement and as a team work to strengthen the language to ensure that the statement provides a call to action, that it is short and to the point, and motivational.
    5. Present the statements back to the group and select the best option through a consensus vote.
    6. Document the change vision in your Organizational Design Implementation Kick-Off Presentation.

    Customize the presentation identifying key changes that will be occurring

    1.4 2 hours

    Input

    • Old and new organizational sketch

    Output

    • Identified key changes that are occurring

    Materials

    • Whiteboard
    • Sticky notes & Pens
    • Camera

    Participants

    • OD implementation team
    1. On a whiteboard, draw a high-level picture of your previous organizational sketch and your new organizational sketch.
    2. Using sticky notes, ask individuals to highlight key high-level challenges that exist in the current model (consider people, process, and technology).
    3. Consider each sticky note, and highlight and document how and where your new sketch will overcome those challenges and the key differences between the old structure and the new.
    4. Take a photo of the two sketches and comments, and document these in your Organizational Design Implementation Kick-Off Presentation.

    Modify the presentation by identifying and documenting key milestones

    1.5 1 hour

    Input

    • OD implementation team calendars

    Output

    • OD implementation team timeline

    Materials

    • OD Implementation Kick-Off Presentation

    Participants

    • OD implementation team
    1. Review the timeline in the Organizational Design Implementation Kick-Off Presentation. As a group, discuss the key milestones identified in the presentation:
      • Kick-off presentation
      • Departmental transition strategy built
      • Organizational transition strategy built
      • Manager training
      • One-on-one meetings with staff to discuss changes to roles
      • Individual transition strategy development begins
    2. Review the timeline, and keeping your other commitments in mind, estimate when each of these tasks will be completed and update the timeline.

    Build an OD implementation FAQ to proactively address key questions and concerns about the change

    Organizational Design Implementation FAQ

    Leverage this template as a starting place for building an organizational design implementation FAQ.

    This template is prepopulated with example questions and answers which are likely to arise.

    Info-Tech encourages you to use the list of questions as a basis for your FAQ and to add additional questions based on the changes occurring at your organization.

    It may also be a good idea to store the FAQ on a company intranet portal so that staff has access at all times and to provide users with a unique email address to forward questions to when they have them.

    Build your unique organizational design implementation FAQ to keep staff informed throughout the change

    1.6 1 hour + ongoing

    Input

    • OD implementation team calendars

    Output

    • OD implementation team timeline

    Materials

    • OD Implementation Kick-Off Presentation

    Participants

    • OD implementation team
    1. Download a copy of the Organizational Design Implementation FAQ and as a group, review each of the key questions.
    2. Delete any questions that are not relevant and add any additional questions you either believe you will receive or which you have already been asked.
    3. Divide the questions among team members and have each member provide a response to these questions.
    4. The CIO and the project manager should review the responses for accuracy and ensure they are ready to be shared with staff.
    5. Publish the responses on an IT intranet site and make the location known to your IT staff.

    Dispelling rumors by using a large implementation team

    CASE STUDY

    Industry: Manufacturing

    Source: CIO

    Challenge

    When rumors of the impending reorganization reached staff, there was a lot of confusion and some of the more vocal detractors in the department enforced these rumors.

    Staff were worried about changes to their jobs, demotions, and worst of all, losing their jobs. There was no communication from senior management to dispel the gossip and the line managers were also in the dark so they weren’t able to offer support.

    Staff did not feel comfortable reaching out to senior management about the rumors and they didn’t know who the change manager was.

    Solution

    The CIO and change manager put together a large implementation team that included many of the managers in the department. This allowed the managers to handle the gossip through informal conversations with their staff.

    The change manager also built a communication strategy to communicate the stages of the reorganization and used FAQs to address the more common questions.

    Results

    The reorganization was adopted very quickly since there was little confusion surrounding the changes with all staff members. Many of the personnel risks were mitigated by the communication strategy because it dispelled rumors and took some of the power away from the vocal detractors in the department.

    An engagement survey was conducted 3 months after the reorganization and the results showed that the engagement of staff had not changed after the reorganization.

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech workshop

    Book a workshop with our Info-Tech analysts:

    • To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
    • Info-Tech analysts will join you and your team onsite at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.
    • Contact your account manager (www.infotech.com/account), or email Workshops@InfoTech.com for more information.

    The following are sample activities that will be conducted by Info-Tech analysts with your team:

    1a: Launch the MLI Dashboard (Pre-Work)

    Prior to the workshop, Info-Tech’s advisors will work with you to launch the MLI diagnostic to understand the overall engagement levels of your organization.

    1b: Review Your MLI Results

    The analysts will facilitate several exercises to help you and your team identify your current engagement levels, and the variance across demographics and over time.

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech workshop

    Book a workshop with our Info-Tech analysts:

    1.1: Define Your Change Team Responsibilities

    Review the key responsibilities of the organizational design implementation team and define the RACI for each individual member.

    1.3: Define Your Change Vision and Goals

    Identify the change vision statement which will serve as the center piece for your change communications as well as the key message you want to deliver to your staff about the change. These messages should be clear, emotionally impactful, and inspirational.

    1.4: Identify Key Changes Which Will Impact Staff

    Collectively brainstorm all of the key changes that are happening as a result of the change, and prioritize the list based on the impact they will have on staff. Document the top 10 biggest changes – and the opportunities the change creates or problems it solves.

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech workshop

    Book a workshop with our Info-Tech analysts:

    1.5: Define the High-Level Change Timeline

    Identify and document the key milestones within the change as a group, and determine key dates and change owners for each of the key items. Determine the best way to discuss these timelines with staff, and whether there are any which you feel will have higher levels of resistance.

    1.5: Build the FAQ and Prepare for Objection Handling

    As a group, brainstorm the key questions you believe you will receive about the change and develop a common FAQ to provide to staff members. The advisor will assist you in preparing to manage objections to limit resistance.

    Phase 2

    Build The Organizational Transition Plan

    Build the organizational transition plan

    Outcomes of this section:

    • A holistic list of projects that will enable the implementation of the organizational structure.
    • A schedule to monitor the progress of your change projects.

    This section involves the following participants:

    • CIO
    • Reorganization Implementation Team

    Key Section Insight:

    Be careful to understand the impacts of the change on all groups and departments. For best results, you will need representation from all departments to limit conflict and ensure a smooth transition. For large IT organizations, you will need to have a plan for each department/work unit and create a larger integration project.

    Phase 2 outline

    Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

    Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

    Guided Implementation 2: Build the Organizational Transition Plan

    Proposed Time to Completion (in weeks): 2-4 weeks

    Step 2.1: Review the Change Dimensions and How They Are Used to Plan Change Projects

    Start with an analyst kick off call:

    • Review the purpose of the kick-off meeting.
    • Review the change project dimensions.
    • Review the Organizational Design Implementation Project Planning Tool.

    Then complete these activities…

    • Conduct your kick-off meeting.
    • Brainstorm a list of reorganization projects and their related tasks.

    With these tools & templates:

    • Organizational Design Implementation Project Planning Tool

    Step 2.2: Review the List of Change Projects

    Review findings with analyst:

    • Revisit the list of projects and tasks developed in the brainstorming session.
    • Assess the list and determine resourcing and dependencies for the projects.
    • Review the monitoring process.

    Then complete these activities…

    • Complete the Organizational Design Implementation Project Planning Tool.
    • Map out your project dependencies and resourcing.
    • Develop a schedule for monitoring projects.

    With these tools & templates:

    • Organizational Design Implementation Project Planning Tool

    Use Info-Tech’s Organizational Design Implementation Project Planning Tool to plan and track your reorganization

    • Use Info-Tech’s Organizational Design Implementation Project Planning Tool to document and track all of the changes that are occurring during your reorganization.
    • Automatically build Gantt charts for all of the projects that are being undertaken, track problems in the issue log, and monitor the progress of projects in the reporting tab.
    • Each department/work group will maintain its own version of this tool throughout the reorganization effort and the project manager will maintain a master copy with all of the projects listed.
    • The chart comes pre-populated with example data gathered through the research and interview process to help generate ideas for your own reorganization.
    • Review the instructions at the top of each work sheet for entering and modifying the data within each chart.

    Have a short kick-off meeting to introduce the project planning process to your implementation team

    2.1 30 minutes

    Output

    • Departmental ownership of planning tool

    Materials

    • OD Implementation Project Planning Tool

    Participants

    • Change Project Manager
    • Implementation Team
    • Senior Management (optional)
    1. The purpose of this kick-off meeting is to assign ownership of the project planning process to members of the implementation team and to begin thinking about the portfolio of projects required to successfully complete the reorganization.
    2. Use the email template included on this slide to invite your team members to the meeting.
    3. The topics that need to be covered in the meeting are:
      • Introducing the materials/templates that will be used throughout the process.
      • Assigning ownership of the Organizational Design Implementation Project Planning Tool to members of your team.
        • Ownership will be at the departmental level where each department or working group will manage their own change projects.
      • Prepare your implementation team for the next meeting where they will be brainstorming the list of projects that will need to be completed throughout the reorganization.
    4. Distribute/email the tools and templates to the team so that they may familiarize themselves with the materials before the next meeting.

    Hello [participant],

    We will be holding our kickoff meeting for our reorganization on [date]. We will be discussing the reorganization process at a high level with special attention being payed to the tools and templates that we will be using throughout the process. By the end of the meeting, we will have assigned ownership of the Project Planning Tool to department representatives and we will have scheduled the next meeting where we’ll brainstorm our list of projects for the reorganization.

    Consider Info-Tech’s four organizational change dimensions when identifying change projects

    CHANGE DIMENSIONS

    • TECHNOLOGY AND LOGISTICS
    • COMMUNICATION
    • STAFFING
    • PROCESS

    Technology and Logistics

    • These are all the projects that will impact the technology used and physical logistics of your workspace.
    • These include new devices, access/permissions, new desks, etc.

    Communication

    • All of the required changes after the reorganization to ongoing communications within IT and to the rest of the organization.
    • Also includes communication projects that are occurring during the reorganization.

    Staffing

    • These projects address the changes to your staff’s roles.
    • Includes role changes, job description building, consulting with HR, etc.

    Process

    • Projects that address changes to IT processes that will occur after the reorganization.

    Use these trigger questions to help identify all aspects of your coming changes

    STAFFING

    • Do you need to hire short or long-term staff to fill vacancies?
    • How long does it typically take to hire a new employee?
    • Will there be staff who are new to management positions?
    • Is HR on board with the reorganization?
    • Have they been consulted?
    • Have transition plans been built for all staff members who are transitioning roles/duties?
    • Will gaps in the structure need to be addressed with new hires?

    COMMUNICATION

    • When will the change be communicated to various members of the staff?
    • Will there be disruption to services during the reorganization?
    • Who, outside of IT, needs to know about the reorganization?
    • Do external communications need to be adjusted because of the reorganization? Moving/centralizing service desk, BRMs, etc.?
    • Are there plans/is there a desire to change the way IT communicates with the rest of the organization?
    • Will the reorganization affect the culture of the department? Is the new structure compatible with the current culture?

    Use these trigger questions to help identify all aspects of your coming changes (continued)

    TECHNOLOGY AND LOGISTICS

    • Will employees require new devices in their new roles?
    • Will employees be required to move their workspace?
    • What changes to the workspace are required to facilitate the new organization?
    • Does new furniture have to be purchased to accommodate new spaces/staff?
    • Is the workspace adequate/up to date technologically (telephone network, Wi-Fi coverage, etc.)?
    • Will employees require new permissions/access for their changing roles?
    • Will permissions/access need to be removed?
    • What is your budget for the reorganization?
    • If a large geographical move is occurring, have problems regarding geography, language barriers, and cultural sensitivities been addressed?

    PROCESS

    • What processes need to be developed?
    • What training for processes is required?
    • Is the daily functioning of the IT department predicted to change?
    • Are new processes being implemented during the reorganization?
    • How will the project portfolio be affected by the reorganization?
    • Is new documentation required to accompany new/changing processes?

    Brainstorm the change projects to be carried out during the reorganization for your team/department

    2.2 3 hours

    Input

    • Constructive group discussion

    Output

    • Thorough list of all reorganization projects

    Materials

    • Whiteboard, sticky notes
    • OD Implementation Project Planning Tool

    Participants

    • Implementation Team
    • CIO
    • Senior Management
    1. Before the meeting, distribute the list of trigger questions presented on the two previous slides to prepare your implementation team for the brainstorming session.
    2. Begin the meeting by dividing up your implementation team into the departments/work groups that they represent (and have ownership of the tool over).
    3. Distribute a different color of sticky notes to each team and have them write out each project they can think of for each of the change planning dimensions (Staffing, Communication, Process and Technology/Logistics) using the trigger questions.
    4. After one hour, ask the groups to place the projects that they brainstormed onto the whiteboard divided into the four change dimensions.
    5. Discuss the complete list of projects on the board.
      • Remove projects that are listed more than once since some projects will be universal to some/all departments.
      • Adjust the wording of projects for the sake of clarity.
      • Identify projects that are specific to certain departments.
    6. Document the list of high-level projects on tab 2 “Project Lists” within the OD Implementation Project Planning Tool after the activity is complete.

    Prioritize projects to assist with project planning modeling

    Prioritization is the process of ranking each project based on its importance to implementation success. Hold a meeting for the implementation team and extended team to prioritize the project list. At the conclusion of the meeting, each requirement should be assigned a priority level. The implementation teams will use these priority levels to ensure efforts are targeted towards the proper projects. A simple way to do this for your implementation is to use the MoSCoW Model of Prioritization to effectively order requirements.

    The MoSCoW Model of Prioritization

    MUST HAVE - Projects must be implemented for the organizational design to be considered successful.

    SHOULD HAVE - Projects are high priority that should be included in the implementation if possible.

    COULD HAVE - Projects are desirable but not necessary and could be included if resources are available.

    WON'T HAVE - Projects won’t be in the next release, but will be considered for the future releases.

    The MoSCoW model was introduced by Dai Clegg of Oracle UK in 1994.

    Keep the following criteria in mind as you determine your priorities

    Effective Prioritization Criteria

    Criteria Description
    Regulatory & Legal Compliance These requirements will be considered mandatory.
    Policy or Contract Compliance Unless an internal policy or contract can be altered or an exception can be made, these projects will be considered mandatory.
    Business Value Significance Give a higher priority to high-value projects.
    Business Risk Any project with the potential to jeopardize the entire project should be given a high priority and implemented early.
    Implementation Complexity Give a higher priority to quick wins.
    Alignment with Strategy Give a higher priority to requirements that enable the corporate strategy and IT strategy.
    Urgency Prioritize projects based on time sensitivity.
    Dependencies A project on its own may be low priority, but if it supports a high-priority requirement, then its priority must match it.
    Funding Availability Do we have the funding required to make this change?

    Prioritize the change projects within your team/department to be executed during the reorganization

    2.3 3 hours

    Input

    • Organizational Design Implementation Project Planning Tool

    Output

    • Prioritized list of projects

    Materials

    • Whiteboard, sticky notes
    • OD Implementation Project Planning Tool

    Participants

    • Implementation Team
    • Extended Implementation Team
    1. Divide the group into their department teams. Draw 4 columns on a whiteboard, including the following:
      • Must have
      • Should have
      • Could have
      • Won’t have
    2. As a group, review each project and collaboratively identify which projects fall within each category. You should have a strong balance between each of the categories.
    3. Beginning with the “must have” projects, determine if each has any dependencies. If any of the projects are dependent on another, add the dependency project to the “must have” category. Group and circle the dependent projects.
    4. Continue the same exercise with the “should have” and “could have” options.
    5. Record the results on tab “2. Project List” of the Organizational Design Implementation Project Planning Tool using the drop down option.

    Determine resource availability for completing your change projects

    2.4 2 hours

    Input

    • Constructive group discussion

    Output

    • Thorough list of all reorganization projects

    Materials

    • Whiteboard, sticky notes
    • OD Implementation Project Planning Tool

    Participants

    • Implementation Team
    • CIO
    • Senior Management
    1. Divide the group into their department teams to plan the execution of the high-level list of projects developed in activity 2.2.
    2. Review the list of high-level projects and starting with the “must do” projects, consider each in turn and brainstorm all of the tasks required to complete these projects. Write down each task on a sticky note and place it under the high-level project.
    3. On the same sticky note as the task, estimate how much time would be required to complete each task. Be realistic about time frames since these projects will be on top of all of the regular day-to-day work.
    4. Along with the time frame, document the resources that will be required and who will be responsible for the tasks. If you have a documented Project Portfolio, use this to determine resourcing.
    5. After mapping out the tasks, bring the group back together to present their list of projects, tasks, and required resources.
      • Go through the project task lists to make sure that nothing is missed.
      • Review the timelines to make sure they are feasible.
      • Review the resources to ensure that they are available and realistic based on constraints (time, current workload, etc.).
      • Repeat the process for the Should do and Could do projects.
    1. Document the tasks and resources in tab “3. Task Monitoring” in the OD Implementation Project Planning Tool after the activity is complete.

    Map out the change project dependencies at the departmental level

    2.5 2 hours

    Input

    • Constructive group discussion

    Output

    • Thorough list of all reorganization projects

    Materials

    • Whiteboard, sticky notes
    • OD Implementation Project Planning Tool

    Participants

    • Implementation Team
    • CIO
    • Senior Management
    1. Divide the group into their department teams to map the dependencies of their tasks created in activity 2.3.
    2. Take the project task sticky notes created in the previous activity and lay them out along a timeline from start to finish.
    3. Determine the dependencies of the tasks internal to the department. Map out the types of dependencies.
      • Finish to Start: Preceding task must be completed before the next can start.
      • Start to Start: Preceding task must start before the next task can start.
      • Finish to Finish: Predecessor must finish before successor can finish.
      • Start to Finish: Predecessor must start before successor can finish.
    4. Bring the group back together and review each group’s timeline and dependencies to make sure that nothing has been missed.
    5. As a group, determine whether there are dependencies that span the departmental lists of projects.
    6. Document all of the dependencies within the department and between departmental lists of projects and tasks in the OD Implementation Project Planning Tool.

    Amalgamate all of the departmental change planning tools into a master copy

    2.6 3 hours

    Input

    • Department-specific copies of the OD Implementation Project Planning Tool

    Output

    • Universal list of all of the change projects

    Materials

    • Whiteboard and sticky notes

    Participants

    • Implementation Project Manager
    • Members of the implementation team for support (optional)
    1. Before starting the activity, gather all of the OD Implementation Project Planning Tools completed at the departmental level.
    2. Review each completed tool and write all of the individual projects with their timelines on sticky notes and place them on the whiteboard.
    3. Build timelines using the documented dependencies for each department. Verify that the resources (time, people, physical) are adequate and feasible.
    4. Combine all of the departmental project planning tools into one master tool to be used to monitor the overall status of the reorganization. Separate the projects based on the departments they are specific to.
    5. Finalize the timeline based on resource approval and using the dependencies mapped out in the previous exercise.
    6. Approve the planning tools and store them in a shared drive so they can be accessed by the implementation team members.

    Create a progress monitoring schedule

    2.7 1 hour weekly

    Input

    • OD Implementation Project Planning Tools (departmental & organizational)

    Output

    • Actions to be taken before the next pulse meeting

    Participants

    • Implementation Project Manager
    • Members of the implementation team for support
    • Senior Management
    1. Hold weekly pulse meetings to keep track of project progress.
    2. The agenda of each meeting should include:
      • Resolutions to problems/complications raised at the previous week’s meeting.
      • Updates on each department’s progress.
      • Raising any issues/complications that have appeared that week.
      • A discussion of potential solutions to the issues/complications.
      • Validating the work that will be completed before the next meeting.
      • Raising any general questions or concerns that have been voiced by staff about the reorganization.
    3. Upload notes from the meeting about resolutions and changes to the schedules to the shared drive containing the tools.
    4. Increase the frequency of the meetings towards the end of the project if necessary.

    Building a holistic change plan enables adoption of the new organizational structure

    CASE STUDY

    Industry: Manufacturing

    Source: CIO

    Challenge

    The CIO was worried about the impending reorganization due to problems that they had run into during the last reorganization they had conducted. The change management projects were not planned well and they led to a lot of uncertainty before and after the implementation.

    No one on the staff was ready for the reorganization. Change projects were completed four months after implementation since many of them had not been predicted and cataloged. This caused major disruptions to their user services leading to drops in user satisfaction.

    Solution

    Using their large and diverse implementation team, they spent a great deal of time during the early stages of planning devoted to brainstorming and documenting all of the potential change projects.

    Through regular meetings, the implementation team was able to iteratively adjust the portfolio of change projects to fit changing needs.

    Results

    Despite having to undergo a major reorganization that involved centralizing their service desk in a different state, there were no disruptions to their user services.

    Since all of the change projects were documented and completed, they were able to move their service desk staff over a weekend to a workspace that was already set up. There were no changes to the user satisfaction scores over the period of their reorganization.

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech workshop

    Book a workshop with our Info-Tech analysts:

    • To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
    • Info-Tech analysts will join you and your team onsite at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.
    • Contact your account manager (www.infotech.com/account), or email Workshops@InfoTech.com for more information.

    The following are sample activities that will be conducted by Info-Tech analysts with your team:

    2.2 Brainstorm Your List of Change Projects

    Review your reorganization plans and facilitate a brainstorming session to identify a complete list of all of the projects needed to implement your new organizational design.

    2.5 Map Out the Dependencies and Resources for Your Change Projects

    Examine your complete list of change projects and determine the dependencies between all of your change projects. Align your project portfolio and resource levels to the projects in order to resource them adequately.

    Phase 3

    Lead Staff Through the Reorganization

    Train managers to lead through change

    Outcomes of this Section:

    • Completed the workshop: Lead Staff Through Organizational Change
    • Managers possess stakeholder engagement plans for each employee
    • Managers are prepared to fulfil their roles in implementing the organizational change

    This section involves the following participants:

    • CIO
    • IT leadership team
    • IT staff

    Key Section Insight:

    The majority of IT managers were promoted because they excelled at the technical aspect of their job rather than in people management. Not providing training is setting your organization up for failure. Train managers to effectively lead through change to see a 72% decrease in change management issues. (Source: Abilla, 2009)

    Phase 3 outline

    Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

    Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

    Guided Implementation 3: Train Managers to Lead Through Change

    Proposed Time to Completion (in weeks): 1-2 weeks

    Step 3.1: Train Your Managers to Lead Through the Change

    Start with an analyst kick off call:

    • Go over the manager training workshop section of this deck.
    • Review the deliverables generated from the workshop (stakeholder engagement plan and conflict style self-assessment).

    Then complete these activities…

    • Conduct the workshop with your managers.

    With these tools & templates:

    • Organizational Design Implementation Manager Training Guide
    • Organizational Design Implementation Stakeholder Engagement Plan Template

    Step 3.2: Debrief After the Workshop

    Review findings with analyst:

    • Discuss the outcomes of the manager training.
    • Mention any feedback.
    • High-level overview of the workshop deliverables.

    Then complete these activities…

    • Encourage participants to review and revise their stakeholder engagement plans.
    • Review the Organizational Design Implementation Transition Plan Template and next steps.

    Get managers involved to address the majority of obstacles to successful change

    Managers all well-positioned to translate how the organizational change will directly impact individuals on their teams.

    Reasons Why Change Fails

    EMPLOYEE RESISTANCE TO CHANGE - 39%

    MANAGEMENT BEHAVIOR NOT SUPPORTIVE OF CHANGE - 33%

    INADEQUATE RESOURCE OR BUDGET - 14%

    OTHER OBSTACLES - 14%

    72% of change management issues can be directly improved by management.

    (Source: shmula)

    Why are managers crucial to organizational change?

    • Managers are extremely well-connected.
      • They have extensive horizontal and vertical networks spanning the organization.
      • Managers understand the informal networks of the organization.
    • Managers are valuable communicators.
      • Managers have established strong relationships with employees.
      • Managers influence the way staff perceive messaging.

    Conduct a workshop with managers to help them lead their teams through change

    Organizational Design Implementation Manager Training Guide

    Give managers the tools and skills to support their employees and carry out difficult conversations.

    Understand the role of management in communicating the change

    Understand reactions to change

    Resolve conflict

    Respond to FAQs

    Monitor and measure employee engagement

    Prepare managers to effectively execute their role in the organizational change by running a 2-hour training workshop.

    Complete the activities on the following slides to:

    • Plan and prepare for the workshop.
    • Execute the group exercises.
    • Help managers develop stakeholder engagement plans for each of their employees.
    • Initiate the McLean Leadership Index™ survey to measure employee engagement.

    Plan and prepare for the workshop

    3.1 Plan and prepare for the workshop.

    Output

    • Workshop participants
    • Completed workshop prep

    Materials

    • Organizational Design Implementation Manager Training Guide

    Instructions

    1. Create a list of all managers that will be responsible for leading their teams through the change.
    2. Select a date for the workshop.
      • The training session will run approximately 2 hours and should be scheduled within a week of when the implementation plan is communicated organization-wide.
    3. Review the material outlined in the presentation and prepare the Organizational Design Implementation Manager Training Guide for the workshop:
      • Copy and print the “Pre-workshop Facilitator Instructions” and “Facilitator Notes” located in the notes section below each slide.
      • Revise frequently asked questions (FAQs) and responses.
      • Delete instruction slides.

    Invite managers to the workshop

    Workshop Invitation Email Template

    Make necessary modifications to the Workshop Invitation Email Template and send invitations to managers.

    Hi ________,

    As you are aware, we are starting to roll out some of the initiatives associated with our organizational change mandate. A key component of our implementation plan is to ensure that managers are well-prepared to lead their teams through the transition.

    To help you proactively address the questions and concerns of your staff, and to ensure that the changes are implemented effectively, we will be conducting a workshop for managers on .

    While the change team is tasked with most of the duties around planning, implementing, and communicating the change organization-wide, you and other managers are responsible for ensuring that your employees understand how the change will impact them specifically. The workshop will prepare you for your role in implementing the organizational changes in the coming weeks, and help you refine the skills and techniques necessary to engage in challenging conversations, resolve conflicts, and reduce uncertainty.

    Please confirm your attendance for the workshop. We look forward to your participation.

    Kind regards,

    Change team

    Prepare managers for the change by helping them build useful deliverables

    ODI Stakeholder Engagement Plan Template & Conflict Style Self-Assessment

    Help managers create useful deliverables that continue to provide value after the workshop is completed.

    Workshop Deliverables

    Organizational Design Implementation Stakeholder Engagement Plan Template

    • Document the areas of change resistance, detachment, uncertainty, and support for each employee.
    • Document strategies to overcome resistance, increase engagement, reduce uncertainty, and leverage their support.
    • Create action items to execute after the workshop.

    Conflict Style Self-Assessment

    • Determine how you approach conflicts.
    • Analyze the strengths and weaknesses of this approach.
    • Identify ways to adopt different conflict styles depending on the situation.

    Book a follow-up meeting with managers and determine which strategies to Start, Stop, or Continue

    3.2 1 hour

    Output

    • Stakeholder engagement templates

    Materials

    • Sticky notes
    • Pen and paper

    Participants

    • Implementation Team
    • Managers
    1. Schedule a follow-up meeting 2–3 weeks after the workshop.
    2. Facilitate an open conversation on approaches and strategies that have been used or could be used to:
      • Overcome resistance
      • Increase engagement
      • Reduce uncertainty
      • Leverage support
    3. During the discussion, document ideas on the whiteboard.
    4. Have participants vote on whether the approaches and strategies should be started, stopped, or continued.
      • Start: actions that the team would like to begin.
      • Stop: actions that the team would like to stop.
      • Continue: actions that work for the team and should proceed.
    5. Encourage participants to review and revise their stakeholder engagement plans.

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech workshop

    Book a workshop with our Info-Tech analysts:

    • To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
    • Info-Tech analysts will join you and your team onsite at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.
    • Contact your account manager (www.infotech.com/account), or email Workshops@InfoTech.com for more information.

    The following are sample activities that will be conducted by Info-Tech analysts with your team:

    3.1 The Change Maze

    Break the ice with an activity that illustrates the discomfort of unexpected change, and the value of timely and instructive communication.

    3.2 Perform a Change Management Retrospective

    Leverage the collective experience of the group. Share challenges and successes from previous organizational changes and apply those lessons to the current transition.

    3.3 Create a Stakeholder Engagement Plan

    Have managers identify areas of resistance, detachment, uncertainty, and support for each employee and share strategies for overcoming resistance and leveraging support to craft an action plan for each of their employees.

    3.4 Conduct a Conflict Style Self-Assessment

    Give participants an opportunity to better understand how they approach conflicts. Administer the Conflict Style Self-Assessment to identify conflict styles and jumpstart a conversation about how to effectively resolve conflicts.

    Transition your staff to their new roles

    Outcomes of this Section:

    • Identified key responsibilities to transition
    • Identified key relationships to be built
    • Built staff individual transition plans and timing

    This section involves the following participants:

    • All IT staff members

    Key Section Insight

    In order to ensure a smooth transition, you need to identify the transition scheduled for each employee. Knowing when they will retire and assume responsibilities and aligning this with the organizational transition will be crucial.

    Phase 3b outline

    Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

    Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

    Guided Implementation 3b: Transition Staff to New Roles

    Proposed Time to Completion (in weeks): 2-4

    Step 4.1: Build Your Transition Plans

    Start with an analyst kick off call:

    • Review the Organizational Design Implementation Transition Plan Template and its contents.
    • Return to the new org structure and project planning tool for information to fill in the template.

    Then complete these activities…

    • Present the template to your managers.
    • Have them fill in the template with their staff.
    • Approve the completed templates.

    With these tools & templates:

    • Organizational Design Implementation Project Planning Tool
    • Organizational Design Implementation Transition Plan Template

    Step 4.2: Finalize Your Transition Plans

    Review findings with analyst:

    • Discuss strategies for timing the transition of your employees.
    • Determine the readiness of your departments for transitioning.

    Then complete these activities…

    • Build a transition readiness timeline of your departments.
    • Move your employees to their new roles.

    With these tools & templates:

    • Organizational Design Implementation Project Planning Tool
    • Organizational Design Implementation Transition Plan Template

    Use Info-Tech’s transition plan template to map out all of the changes your employees will face during reorganization

    Organizational Design Implementation Transition Plan Template

    • Use Info-Tech’s Organizational Design Implementation Transition Plan Template to document (in consultation with your employees) all of the changes individual staff members need to go through in order to transition into their new roles.
    • It provides a holistic view of all of the changes aligned to the change planning dimensions, including:
      • Current and new job responsibilities
      • Outstanding projects
      • Documenting where the employee may be moving
      • Technology changes
      • Required training
      • New relationships that need to be made
      • Risk mitigation
    • The template is designed to be completed by managers for their direct reports.

    Customize the transition plan template for all affected staff members

    4.1 30 minutes per employee

    Output

    • Completed transition plans

    Materials

    • Individual transition plan templates (for each employee)

    Participants

    • Implementation Team
    • Managers
    1. Implementation team members should hold one-on-one meetings with the managers from the departments they represent to go through the transition plan template.
    2. Some elements of the transition plan can be completed at the initial meeting with knowledge from the implementation team and documentation from the new organizational structure:
      • Employee information (except for the planned transition date)
      • New job responsibilities
      • Logistics and technology changes
      • Relationships (recommendations can be made about beneficial relationships to form if the employee is transitioning to a new role)
    3. After the meeting, managers can continue filling in information based on their own knowledge of their employees:
      • Current job responsibilities
      • Outstanding projects
      • Training (identify gaps in the employee’s knowledge if their role is changing)
      • Risks (potential concerns or problems for the employee during the reorganization)

    Verify and complete the individual transition plans by holding one-on-one meetings with the staff

    4.2 30 minutes per employee

    Output

    • Completed transition plans

    Materials

    • Individual transition plan templates (for each employee)

    Participants

    • Managers
    • Staff (Managers’ Direct Reports)
    1. After the managers complete everything they can in the transition plan templates, they should schedule one-on-one meetings with their staff to review the completed document to ensure the information is correct.
    2. Begin the meeting by verifying the elements that require the most information from the employee:
      • Current job responsibilities
      • Outstanding projects
      • Risks (ask about any problems or concerns they may have about the reorganization)
    3. Discuss the following elements of the transition plan to get feedback:
      • Training (ask if there is any training they feel they may need to be successful at the organization)
      • Relationships (determine if there are any relationships that the employee would like to develop that you may have missed)
    4. Since this may be the first opportunity that the staff member has had to discuss their new role (if they are moving to one), review their new job title and new job responsibilities with them. If employees are prepared for their new role, they may feel more accountable for quickly adopting the reorganization.
    5. Document any questions that they may have so that they can be answered in future communications from the implementation team.
    6. After completing the template, managers will sign off on the document in the approval section.

    Validate plans with organizational change project manager and build the transition timeline

    4.3 3 hours

    Input

    • Individual transition plans
    • Organizational Design Implementation Project Planning Tool

    Output

    • Timeline outlining departmental transition readiness

    Materials

    • Whiteboard

    Participants

    • Implementation Project Manager
    • Implementation Team
    • Managers
    1. After receiving all of the completed individual transition plan templates from managers, members of the implementation team need to approve the contents of the templates (for the departments that they represent).
    2. Review the logistics and technology requirements for transition in each of the templates and align them with the completion dates of the related projects in the Project Planning Tool. These dates will serve as the earliest possible time to transition the employee. Use the latest date from the list to serve as the date that the whole department will be ready to transition.
    3. Hand the approved transition plan templates and the dates at which the departments will be ready for transitioning to the Implementation Project Manager.
    4. The Project Manager needs to verify the contents of the transition plans and approve them.
    5. On a calendar or whiteboard, list the dates that each department will be ready for transitioning.
    6. Review the master copy of the Project Planning Tool. Determine if the outstanding projects limit your ability to transition the departments (when they are ready to transition). Change the ready dates of the departments to align with the completion dates of those projects.
    7. Use these dates to determine the timeline for when you would like to transition your employees to their new roles.

    Overcoming inexperience by training managers to lead through change

    CASE STUDY

    Industry: Manufacturing

    Source: CIO

    Challenge

    The IT department had not undergone a major reorganization in several years. When they last reorganized, they experienced high turnover and decreased business satisfaction with IT.

    Many of the managers were new to their roles and only one of them had been around for the earlier reorganization. They lacked experience in leading their staff through major organizational changes.

    One of the major problems they faced was addressing the concerns, fears, and resistance of their staff properly.

    Solution

    The implementation team ran a workshop for all of the managers in the department to train them on the change and how to communicate the impending changes to their staff. The workshop included information on resistance and conflict resolution.

    The workshop was conducted early on in the planning phases of the reorganization so that any rumors or gossip could be addressed properly and quickly.

    Results

    The reorganization was well accepted by the staff due to the positive reinforcement from their managers. Rumors and gossip about the reorganization were under control and the staff adopted the new organizational structure quickly.

    Engagement levels of the staff were maintained and actually improved by 5% immediately after the reorganization.

    Voluntary turnover was minimal throughout the change as opposed to the previous reorganization where they lost 10% of their staff. There was an estimated cost savings of $250,000–$300,000.

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech workshop

    Book a workshop with our Info-Tech analysts:

    • To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
    • Info-Tech analysts will join you and your team onsite at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.
    • Contact your account manager (www.infotech.com/account), or email Workshops@InfoTech.com for more information.

    The following are sample activities that will be conducted by Info-Tech analysts with your team:

    3.2.1 Build Your Staff Transition Plan

    Review the contends of the staff transition plan, and using the organizational change map as a guide, build the transition schedule for one employee.

    3.2.1 Review the Transition Plan With the Transition Team

    Review and validate the results for your transition team schedule with other team members. As a group, discuss what makes this exercise difficult and any ideas for how to simplify the exercise.

    Works cited

    American Productivity and Quality Center. “Motivation Strategies.” Potentials Magazine. Dec. 2004. Web. November 2014.

    Bersin, Josh. “Time to Scrap Performance Appraisals?” Forbes Magazine. 5 June 2013. Web. 30 Oct 2013.

    Bridges, William. Managing Transitions, 3rd Ed. Philadelphia: Da Capo Press, 2009.

    Buckley, Phil. Change with Confidence – Answers to the 50 Biggest Questions that Keep Change Leaders up at Night. Canada: Jossey-Bass, 2013.

    “Change and project management.” Change First. 2014. Web. December 2009. <http://www.changefirst.com/uploads/documents/Change_and_project_management.pdf>.

    Cheese, Peter, et al. “Creating an Agile Organization.” Accenture. Oct. 2009. Web. Nov. 2013.

    Croxon, Bruce et al. “Dinner Series: Performance Management with Bruce Croxon from CBC's 'Dragon's Den.'” HRPA Toronto Chapter. Sheraton Hotel, Toronto, ON. 12 Nov. 2013. Panel discussion.

    Culbert, Samuel. “10 Reasons to Get Rid of Performance Reviews.” Huffington Post Business. 18 Dec. 2012. Web. 28 Oct. 2013. <http://www.huffingtonpost.com/samuel-culbert/performance-reviews_b_2325104.html>.

    Denning, Steve. “The Case Against Agile: Ten Perennial Management Objections.” Forbes Magazine. 17 Apr. 2012. Web. Nov. 2013.

    Works cited cont.

    “Establish A Change Management Structure.” Human Technology. Web. December 2014.

    Estis, Ryan. “Blowing up the Performance Review: Interview with Adobe’s Donna Morris.” Ryan Estis & Associates. 17 June 2013. Web. Oct. 2013. <http://ryanestis.com/adobe-interview/>.

    Ford, Edward L. “Leveraging Recognition: Noncash incentives to Improve Performance.” Workspan Magazine. Nov 2006. Web. Accessed May 12, 2014.

    Gallup, Inc. “Gallup Study: Engaged Employees Inspire Company Innovation.” Gallup Management Journal. 12 Oct. 2006. Web. 12 Jan 2012.

    Gartside, David, et al. “Trends Reshaping the Future of HR.” Accenture. 2013. Web. 5 Nov. 2013.

    Grenville-Cleave, Bridget. “Change and Negative Emotions.” Positive Psychology News Daily. 2009.

    Heath, Chip, and Dan Heath. Switch: How to Change Things When Change Is Hard. Portland: Broadway Books. 2010.

    HR Commitment AB. Communicating organizational change. 2008.

    Keller, Scott, and Carolyn Aiken. “The Inconvenient Truth about Change Management.” McKinsey & Company, 2009. <http://www.mckinsey.com/en.aspx>.

    Works cited cont.

    Kotter, John. “LeadingChange: Why Transformation Efforts Fail.” Harvard Business Review. March-April 1995. <http://hbr.org>.

    Kubler-Ross, Elisabeth and David Kessler. On Grief and Grieving: Finding the Meaning of Grief Through the Five Stages of Loss. New York: Scribner. 2007.

    Lowlings, Caroline. “The Dangers of Changing without Change Management.” The Project Manager Magazine. December 2012. Web. December 2014. <http://changestory.co.za/the-dangers-of-changing-without-change-management/>.

    “Managing Change.” Innovative Edge, Inc. 2011. Web. January 2015. <http://www.getcoherent.com/managing.html>.

    Muchinsky, Paul M. Psychology Applied to Work. Florence: Thomson Wadsworth, 2006.

    Nelson, Kate and Stacy Aaron. The Change Management Pocket Guide, First Ed., USA: Change Guides LLC, 2005.

    Nguyen Huy, Quy. “In Praise of Middle Managers.” Harvard Business Review. 2001. Web. December 2014. <https://hbr.org/2001/09/in-praise-of-middle-managers/ar/1>

    “Only One-Quarter of Employers Are Sustaining Gains From Change Management Initiatives, Towers Watson Survey Finds.” Towers Watson. August 2013. Web. January 2015. <http://www.towerswatson.com/en/Press/2013/08/Only-One-Quarter-of-Employers-Are-Sustaining-Gains-From-Change-Management>.

    Shmula. “Why Transformation Efforts Fail.” Shmula.com. September 28, 2009. <http://www.shmula.com/why-transformation-efforts-fail/1510/>

    Define Your Cloud Vision

    • Buy Link or Shortcode: {j2store}448|cart{/j2store}
    • member rating overall impact (scale of 10): 9.5/10 Overall Impact
    • member rating average dollars saved: $182,333 Average $ Saved
    • member rating average days saved: 28 Average Days Saved
    • Parent Category Name: Cloud Strategy
    • Parent Category Link: /cloud-strategy

    The cloud permeates the enterprise technology discussion. It can be difficult to separate the hype from the value. Should everything go to the cloud, or is that sentiment stoked by vendors looking to boost their bottom lines? Not everything should go to the cloud, but coming up with a systematic way to determine what belongs where is increasingly difficult as offerings get more complex.

    Our Advice

    Critical Insight

    Don’t think about the cloud as an inevitable next step for all workloads. The cloud is merely another tool in the toolbox, ready to be used when appropriate and put away when it’s not needed. Cloud-first isn’t always the way to go.

    Impact and Result

    • Evaluate workloads’ suitability for the cloud using Info-Tech’s methodology to select the optimal migration (or non-migration) path based on the value of cloud characteristics.
    • Codify risks tied to workloads’ cloud suitability and plan mitigations.
    • Build a roadmap of initiatives for actions by workload and risk mitigation.
    • Define a cloud vision to share with stakeholders.

    Define Your Cloud Vision Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Define Your Cloud Vision – A step-by-step guide to generating, validating, and formalizing your cloud vision.

    The cloud vision storyboard walks readers through the process of generating, validating and formalizing a cloud vision, providing a framework and tools to assess workloads for their cloud suitability and risk.

    • Define Your Cloud Vision – Phases 1-4

    2. Cloud Vision Executive Presentation – A document that captures the results of the exercises, articulating use cases for cloud/non-cloud, risks, challenges, and high-level initiative items.

    The executive summary captures the results of the vision exercise, including decision criteria for moving to the cloud, risks, roadblocks, and mitigations.

    • Cloud Vision Executive Presentation

    3. Cloud Vision Workbook – A tool that facilitates the assessment of workloads for appropriate service model, delivery model, support model, and risks and roadblocks.

    The cloud vision workbook comprises several assessments that will help you understand what service model, delivery model, support model, and risks and roadblocks you can expect to encounter at the workload level.

    • Cloud Vision Workbook
    [infographic]

    Workshop: Define Your Cloud Vision

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Understand the Cloud

    The Purpose

    Align organizational goals to cloud characteristics.

    Key Benefits Achieved

    An understanding of how the characteristics particular to cloud can support organizational goals.

    Activities

    1.1 Generate corporate goals and cloud drivers.

    1.2 Identify success indicators.

    1.3 Explore cloud characteristics.

    1.4 Explore cloud service and delivery models.

    1.5 Define cloud support models and strategy components.

    1.6 Create state summaries for the different service and delivery models.

    1.7 Select workloads for further analysis.

    Outputs

    Corporate cloud goals and drivers

    Success indicators

    Current state summaries

    List of workloads for further analysis

    2 Assess Workloads

    The Purpose

    Evaluate workloads for cloud value and action plan.

    Key Benefits Achieved

    Action plan for each workload.

    Activities

    2.1 Conduct workload assessment using the Cloud Strategy Workbook tool.

    2.2 Discuss assessments and make preliminary determinations about the workloads.

    Outputs

    Completed workload assessments

    Workload summary statements

    3 Identify and Mitigate Risks

    The Purpose

    Identify and plan to mitigate potential risks in the cloud project.

    Key Benefits Achieved

    A list of potential risks and plans to mitigate them.

    Activities

    3.1 Generate a list of risks and potential roadblocks associated with the cloud.

    3.2 Sort risks and roadblocks and define categories.

    3.3 Identify mitigations for each identified risk and roadblock

    3.4 Generate initiatives from the mitigations.

    Outputs

    List of risks and roadblocks, categorized

    List of mitigations

    List of initiatives

    4 Bridge the Gap and Create the Strategy

    The Purpose

    Clarify your vision of how the organization can best make use of cloud and build a project roadmap.

    Key Benefits Achieved

    A clear vision and a concrete action plan to move forward with the project.

    Activities

    4.1 Review and assign work items.

    4.2 Finalize the decision framework for each of the following areas: service model, delivery model, and support model.

    4.3 Create a cloud vision statement

    Outputs

    Cloud roadmap

    Finalized task list

    Formal cloud decision rubric

    Cloud vision statement

    5 Next Steps and Wrap-Up

    The Purpose

    Complete your cloud vision by building a compelling executive-facing presentation.

    Key Benefits Achieved

    Simple, straightforward communication of your cloud vision to key stakeholders.

    Activities

    5.1 Build the Cloud Vision Executive Presentation

    Outputs

    Completed cloud strategy executive presentation

    Completed Cloud Vision Workbook.

    Further reading

    Define Your Cloud Vision

    Define your cloud vision before it defines you

    Analyst perspective

    Use the cloud’s strengths. Mitigate its weaknesses.

    The cloud isn’t magic. It’s not necessarily cheaper, better, or even available for the thing you want it to do. It’s not mysterious or a cure-all, and it does take a bit of effort to systematize your approach and make consistent, defensible decisions about your cloud services. That’s where this blueprint comes in.

    Your cloud vision is the culmination of this effort all boiled down into a single statement: “This is how we want to use the cloud.” That simple statement should, of course, be representative of – and built from – a broader, contextual strategy discussion that answers the following questions: What should go to the cloud? What kind of cloud makes sense? Should the cloud deployment be public, private, or hybrid? What does a migration look like? What risks and roadblocks need to be considered when exploring your cloud migration options? What are the “day 2” activities that you will need to undertake after you’ve gotten the ball rolling?

    Taken as a whole, answering these questions is difficult task. But with the framework provided here, it’s as easy as – well, let’s just say it’s easier.

    Jeremy Roberts

    Research Director, Infrastructure and Operations

    Info-Tech Research Group

    Executive Summary

    Your Challenge

    • You are both extrinsically motivated to move to the cloud (e.g. by vendors) and intrinsically motivated by internal digital transformation initiatives.
    • You need to define the cloud’s true value proposition for your organization without assuming it is an outsourcing opportunity or will save you money.
    • Your industry, once cloud-averse, is now normalizing the use of cloud services, but you have not established a basic cloud vision from which to develop a strategy at a later point.

    Common Obstacles

    • Organizations jump to the cloud before defining their cloud vision and without any clear plan for realizing the cloud’s benefits.
    • Many organizations have a foot in the cloud already, but these decisions have been made in an ad hoc rather than systematic fashion.
    • You lack a consistent framework to assess your workloads’ suitability for the cloud.

    Info-Tech's Approach

    • Evaluate workloads’ suitability for the cloud using Info-Tech’s methodology to select the optimal migration (or non-migration) path based on the value of cloud characteristics.
    • Codify risks tied to workloads’ cloud suitability and plan mitigations.
    • Build a roadmap of initiatives for actions by workload and risk mitigation.
    • Define a cloud vision to share with stakeholders.

    Info-Tech Insight: 1) Base migration decisions on cloud characteristics. If your justification for the migration is simply getting your workload out of the data center, think again. 2) Address the risks up front in your migration plan. 3) The cloud changes roles and calls for different skill sets, but Ops is here to stay.

    Your challenge

    This research is designed to help organizations who need to:

    • Identify workloads that are good candidates for the cloud.
    • Develop a consistent, cost-effective approach to cloud services.
    • Outline and mitigate risks.
    • Define your organization’s cloud archetype.
    • Map initiatives on a roadmap.
    • Communicate your cloud vision to stakeholders so they can understand the reasons behind a cloud decision and differentiate between different cloud service and deployment models.
    • Understand the risks, roadblocks, and limitations of the cloud.

    “We’re moving from a world where companies like Oracle and Microsoft and HP and Dell were all critically important to a world where Microsoft is still important, but Amazon is now really important, and Google also matters. The technology has changed, but most of the major vendors they’re betting their business on have also changed. And that’s super hard for people..” –David Chappell, Author and Speaker

    Common obstacles

    These barriers make this challenge difficult to address for many organizations:

    • Organizations jump to the cloud before defining their cloud vision and without any clear plan for realizing the cloud’s benefits.
    • Many organizations already have a foot in the cloud, but the choice to explore these solutions was made in an ad hoc rather than systematic fashion. The cloud just sort of happened.
    • The lack of a consistent assessment framework means that some workloads that probably belong in the cloud are kept on premises or with hosted services providers – and vice versa.
    • Securing cloud expertise is remarkably difficult – especially in a labor market roiled by the global pandemic and the increasing importance of cloud services.

    Standard cloud challenges

    30% of all cloud spend is self-reported as waste. Many workloads that end up in the cloud don’t belong there. Many workloads that do belong in the cloud aren’t properly migrated. (Flexera, 2021)

    44% of respondents report themselves as under-skilled in the cloud management space. (Pluralsight, 2021)

    Info-Tech’s approach

    Goals and drivers

    • Service model
      • What type of cloud makes the most sense for workload archetypes? When does it make sense to pick SaaS over IaaS, for example?
    • Delivery model
      • Will services be delivered over the public cloud, a private cloud, or a hybrid cloud? What challenges accompany this decision?
    • Migration Path
      • What does the migration path look like? What does the transition to the cloud look like, and how much effort will be required? Amazon’s 6Rs framework captures migration options: rehosting, repurchasing, replatforming, and refactoring, along with retaining and retiring. Each workload should be assessed for its suitability for one or more of these paths.
    • Support model
      • How will services be provided? Will staff be trained, new staff hired, a service provider retained for ongoing operations, or will a consultant with cloud expertise be brought on board for a defined period? The appropriate support model is highly dependent on goals along with expected outcomes for different workloads.

    Highlight risks and roadblocks

    Formalize cloud vision

    Document your cloud strategy

    The Info-Tech difference:

    1. Determine the hypothesized value of cloud for your organization.
    2. Evaluate workloads with 6Rs framework.
    3. Identify and mitigate risks.
    4. Identify cloud archetype.
    5. Plot initiatives on a roadmap.
    6. Write action plan statement and goal statement.

    What is the cloud, how is it deployed, and how is service provided?

    Cloud Characteristics

    1. On-demand self-service: the ability to access reosurces instantly without vendor interaction
    2. Broad network access: all services delivered over the network
    3. Resource pooling: multi-tenant environment (shared)
    4. Rapid elasticity: the ability to expand and retract capabilities as needed
    5. Measured service: transparent metering

    Service Model:

    1. Software-as-a-Service: all but the most minor configuration is done by the vendor
    2. Platform-as-a-Service: customer builds the application using tools provided by the provider
    3. Infrastructure-as-a-Service: the customer manages OS, storage, and the application

    Delivery Model

    1. Public cloud: accessible to anyone over the internet; multi-tenant environment
    2. Private cloud: provisioned for a single organization with multiple units
    3. Hybrid cloud: two or more connected clouds; data is portage across them
    4. Community cloud: provisioned for a specific group of organizations

    (National Institute of Standards and Technology)

    A workload-first approach will allow you to take full advantage of the cloud’s strengths

    • Under all but the most exceptional circumstances, good cloud strategies will incorporate different service models. Very few organizations are “IaaS shops” or “SaaS shops,” even if they lean heavily in one direction.
    • These different service models (including non-cloud options like colocation and on-premises infrastructure) each have different strengths. Part of your cloud strategy should involve determining which of the services makes the most sense for you.
    • Own the cloud by understanding which cloud (or non-cloud!) offering makes the most sense for you given your unique context.

    Migration paths

    In a 2016 blog post, Amazon introduced a framework for understanding cloud migration strategies. The framework presented here is slightly modified – including a “relocate” component rather than a “retire” component – but otherwise hews close to the standard.

    These migration paths reflect organizational capabilities and desired outcomes in terms of service models – cloud or otherwise. Retention means keeping the workload where it is, in a datacenter or a colocation service, or relocating to a colocation or hosted software environment. These represent the “non-cloud” migration paths.

    In the graphic on the right, the paths within the red box lead to the cloud. Rehosting means lifting and shifting to an infrastructure environment. Migrating a virtual machine from your VMware environment on premises to Azure Virtual machines is a quick way to realize some benefits from the cloud. Migrating from SQL Server on premises to a cloud-based SQL solution looks a bit more like changing platforms (replatforming). It involves basic infrastructure modification without a substantial architectural component.

    Refactoring is the most expensive of the options and involves engaging the software development lifecycle to build a custom solution, fundamentally rewriting the solution to be cloud native and take advantage of cloud-native architectures. This can result in a PaaS or an IaaS solution.

    Finally, repurchasing means simply going to market and procuring a new solution. This may involve migrating data, but it does not require the migration of components.

    Migration Paths

    Retain (Revisit)

    • Keep the application in its current form, at least for now. This doesn’t preclude revisiting it in the future.

    Relocate

    • Move the workload between datacenters or to a hosted software/colocation provider.

    Rehost

    • Move the application to the cloud (IaaS) and continue to run it in more or less the same form as it currently runs.

    Replatform

    • Move the application to the cloud and perform a few changes for cloud optimizations.

    Refactor

    • Rewrite the application, taking advantage of cloud-native architectures.

    Repurchase

    • Replace with an alternative, cloud-native application and migrate the data.

    Support model

    Support models by characteristic

    Duration of engagement Specialization Flexibility
    Internal IT Indefinite Varies based on nature of business Fixed, permanent staff
    Managed Service Provider Contractually defined General, some specialization Standard offering
    Consultant Project-based Specific, domain-based Entirely negotiable

    IT services, including cloud services, can be delivered and managed in multiple ways depending on the nature of the workload and the organization’s intended path forward. Three high-level options are presented here and may be more or less valuable based on the duration of the expected engagement with the service (temporary or permanent), the skills specialization required, and the flexibility necessary to complete the job.

    By way of example, a highly technical, short-term project with significant flexibility requirements might be a good fit for an expensive consultant, whereas post-implementation maintenance of a cloud email system requires relatively little specialization and flexibility and would therefore be a better fit for internal management.

    There is no universally applicable rule here, but there are some workloads that are generally a good fit for the cloud and others that are not as effective, with that fit being conditional on the appropriate support model being employed.

    Risks, roadblocks, and strategy components

    No two cloud strategies are exactly alike, but all should address 14 key areas. A key step in defining your cloud vision is an assessment of these strategy components. Lower maturity does not preclude an aggressive cloud strategy, but it does indicate that higher effort will be required to make the transition.

    Component Description Component Description
    Monitoring What will system owners/administrators need visibility into? How will they achieve this? Vendor Management What practices must change to ensure effective management of cloud vendors?
    Provisioning Who will be responsible for deploying cloud workloads? What governance will this process be subject to? Finance Management How will costs be managed with the transition away from capital expenditure?
    Migration How will cloud migrations be conducted? What best practices/standards must be employed? Security What steps must be taken to ensure that cloud services meet security requirements?
    Operations management What is the process for managing operations as they change in the cloud? Data Controls How will data residency, compliance, and protection requirements be met in the cloud?
    Architecture What general principles must apply in the cloud environment? Skills and roles What skills become necessary in the cloud? What steps must be taken to acquire those skills?
    Integration and interoperability How will services be integrated? What standards must apply? Culture and adoption Is there a cultural aversion to the cloud? What steps must be taken to ensure broad cloud acceptance?
    Portfolio Management Who will be responsible for managing the growth of the cloud portfolio? Governing bodies What formal governance must be put in place? Who will be responsible for setting standards?

    Cloud archetypes – a cloud vision component

    Once you understand the value of the cloud, your workloads’ general suitability for cloud, and your proposed risks and mitigations, the next step is to define your cloud archetype.

    Your organization’s cloud archetype is the strategic posture that IT adopts to best support the organization’s goals. Info-Tech’s model recognizes seven archetypes, divided into three high-level archetypes.

    After consultation with your stakeholders, and based on the results of the suitability and risk assessment activities, define your archetype. The archetype feeds into the overall cloud vision and provides simple insight into the cloud future state for all stakeholders.

    The cloud vision itself is captured in a “vision statement,” a short summary of the overall approach that includes the overall cloud archetype.

    We can best support the organization's goals by:

    More Cloud

    Less Cloud

    Cloud Focused Cloud-Centric Providing all workloads through cloud delivery.
    Cloud-First Using the cloud as our default deployment model. For each workload, we should ask “why NOT cloud?”
    Cloud Opportunistic Hybrid Enabling the ability to transition seamlessly between on-premises and cloud resources for many workloads.
    Integrated Combining cloud and traditional infrastructure resources, integrating data and applications through APIs or middleware.
    Split Using the cloud for some workloads and traditional infrastructure resources for others.
    Cloud Averse Cloud-Light Using traditional infrastructure resources and limiting our use of the cloud to when it is absolutely necessary.
    Anti-Cloud Using traditional infrastructure resources and avoiding use of the cloud wherever possible.

    Info-Tech’s methodology for defining your cloud vision

    1. Understand the Cloud 2. Assess Workloads 3. Identify and Mitigate Risks 4. Bridge the Gap and Create the Vision
    Phase Steps
    1. Generate goals and drivers
    2. Explore cloud characteristics
    3. Create a current state summary
    4. Select workloads for analysis
    1. Conduct workload assessments
    2. Determine workload future state
    1. Generate risks and roadblocks
    2. Mitigate risks and roadblocks
    3. Define roadmap initiatives
    1. Review and assign work items
    2. Finalize cloud decision framework
    3. Create cloud vision
    Phase Outcomes
    1. List of goals and drivers
    2. Shared understanding of cloud terms
    3. Current state of cloud in the organization
    4. List of workloads to be assessed
    1. Completed workload assessments
    2. Defined workload future state
    1. List of risks and roadblocks
    2. List of mitigations
    3. Defined roadmap initiatives
    1. Cloud roadmap
    2. Cloud decision framework
    3. Completed Cloud Vision Executive Presentation

    Insight summary

    The cloud may not be right for you – and that’s okay!

    Don’t think about the cloud as an inevitable next step for all workloads. The cloud is merely another tool in the toolbox, ready to be used when appropriate and put away when it’s not needed. Cloud first isn’t always the way to go.

    Not all clouds are equal

    It’s not “should I go to the cloud?” but “what service and delivery models make sense based on my needs and risk tolerance?” Thinking about the cloud as a binary can force workloads into the cloud that don’t belong (and vice versa).

    Bottom-up is best

    A workload assessment is the only way to truly understand the cloud’s value. Work from the bottom up, not the top down, understand what characteristics make a workload cloud suitable, and strategize on that basis.

    Your accountability doesn’t change

    You are still accountable for maintaining available, secure, functional applications and services. Cloud providers share some responsibility, but the buck stops where it always has: with you.

    Don’t customize for the sake of customization

    SaaS providers make money selling the same thing to everyone. When migrating a workload to SaaS, work with stakeholders to pursue standardization around a selected platform and avoid customization where possible.

    Best of both worlds, worst of both worlds

    Hybrid clouds are in fashion, but true hybridity comes with additional cost, administration, and other constraints. A convoy moves at the speed of its slowest member.

    The journey matters as much as the destination

    How you get there is as important as what “there” actually is. Any strategy that focuses solely on the destination misses out on a key part of the value conversation: the migration strategy.

    Blueprint benefits

    Cloud Vision Executive Presentation

    This presentation captures the results of the exercises and presents a complete vision to stakeholders including a desired target state, a rubric for decision making, the results of the workload assessments, and an overall risk profile.

    Cloud Vision Workbook

    This workbook includes the standard cloud workload assessment questionnaire along with the results of the assessment. It also includes the milestone timeline for the implementation of the cloud vision.

    Blueprint benefits

    IT Benefits

    • A consistent approach to the cloud takes the guesswork out of deployment decisions and makes it easier for IT to move on to the execution stage.
    • When properly incorporated, cloud services come with many benefits, including automation, elasticity, and alternative architectures (micro-services, containers). The cloud vision project will help IT readers articulate expected benefits and work towards achieving them.
    • A clear framework for incorporating organizational goals into cloud plans.

    Business benefits

    • Simple, well-governed access to high-quality IT resources.
    • Access to the latest and greatest in technology to facilitate remote work.
    • Framework for cost management in the cloud that incorporates OpEx and chargebacks/showbacks. A clear understanding of expected changes to cost modeling is also a benefit of a cloud vision.
    • Clarity for stakeholders about IT’s response (and contribution to) IT strategic initiatives.

    Measure the value of this blueprint

    Don’t take our word for it:

    • The cloud vision material in various forms has been offered for several years, and members have generally benefited substantially, both from cloud vision workshops and from guided implementations led by analysts.
    • After each engagement, we send a survey that asks members how they benefited from the experience. Of 30 responses, the cloud vision research has received an average score of 9.8/10. Real members have found significant value in the process.
    • Additionally, members reported saving between 2 and 120 days (for an average of 17), and financial savings ranged from $1,920 all the way up to $1.27 million, for an average of $170,577.90! If we drop outliers on both ends, the average reported value of a cloud vision engagement is $37, 613.
    • Measure the value by calculating the time saved from using Info-Tech’s framework vs. a home-brewed cloud strategy alternative and by comparing the overall cost of a guided implementation or workshop with the equivalent offering from another firm. We’re confident you’ll come out ahead.

    9.8/10 Average reported satisfaction

    17 Days Average reported time savings

    $37, 613 Average cost savings (adj.)

    Executive Brief Case Study

    Industry: Financial

    Source: Info-Tech workshop

    Anonymous financial institution

    A small East Coast financial institution was required to develop a cloud strategy. This strategy had to meet several important requirements, including alignment with strategic priorities and best practices, along with regulatory compliance, including with the Office of the Comptroller of the Currency.

    The bank already had a significant cloud footprint and was looking to organize and formalize the strategy going forward.

    Leadership needed a comprehensive strategy that touched on key areas including the delivery model, service models, individual workload assessments, cost management, risk management and governance. The output had to be consumable by a variety of audiences with varying levels of technical expertise and had to speak to IT’s role in the broader strategic goals articulated earlier in the year.

    Results

    The bank engaged Info-Tech for a cloud vision workshop and worked through four days of exercises with various IT team members. The bank ultimately decided on a multi-cloud strategy that prioritized SaaS while also allowing for PaaS and IaaS solutions, along with some non-cloud hosted solutions, based on organizational circumstances.

    Bank cloud vision

    [Bank] will provide innovative financial and related services by taking advantage of the multiplicity of best-of-breed solutions available in the cloud. These solutions make it possible to benefit from industry-level innovations, while ensuring efficiency, redundancy, and enhanced security.

    Bank cloud decision workflow

    • SaaS
      • Platform?
        • Yes
          • PaaS
        • No
          • Hosted
        • IaaS
          • Other

    Non-cloud

    Cloud

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    "Our team has already made this crticial project a priority, and we have the time and capability, but some guidance along the way would be helpful."

    Guided Implementation

    "Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track."

    Workshop

    "We need to hit the ground running and get this project kicked off imediately. Our team has the ability to take this over once we get a framework and strategy in place."

    Consulting

    "Our team does not have the time or the knowledge the take this project on. We need assistance through the entirety of this project."

    Diagnostics and consistent frameworks are used throughout all four options.

    Guided Implementation

    What does a typical GI on this topic look like?

    A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

    A typical GI is between 8 to 12 calls over the course of 4 to 6 months.

    Phase 1

    • Call #1: Discuss current state, challenges, etc.
    • Call #2: Goals, drivers, and current state.

    Phase 2

    • Call #3: Conduct cloud suitability assessment for selected workloads.

    Phase 3

    • Call #4: Generate and categorize risks.
    • Call #5: Begin the risk mitigation conversation.

    Phase 4

    • Call #6: Complete the risk mitigation process
    • Call #7: Finalize vision statement and cloud decision framework.

    Workshop Overview

    Contact your account representative for more information.

    workshops@infotech.com 1-888-670-8889

    Day 1 Day 2 Day 3 Day 4 Offsite day
    Understand the cloud Assess workloads Identify and mitigate risks Bridge the gap and create the strategy Next steps and wrap-up (offsite)
    Activities

    1.1 Introduction

    1.2 Generate corporate goals and cloud drivers

    1.3 Identify success indicators

    1.4 Explore cloud characteristics

    1.5 Explore cloud service and delivery models

    1.6 Define cloud support models and strategy components

    1.7 Create current state summaries for the different service and delivery models

    1.8 Select workloads for further analysis

    2.1 Conduct workload assessments using the cloud strategy workbook tool

    2.2 Discuss assessments and make preliminary determinations about workloads

    3.1 Generate a list of risks and potential roadblocks associated with the cloud

    3.2 Sort risks and roadblocks and define categories

    3.3 Identify mitigations for each identified risk and roadblock

    3.4 Generate initiatives from the mitigations

    4.1 Review and assign work items

    4.2 Finalize the decision framework for each of the following areas:

    • Service model
    • Delivery model
    • Support model

    4.3 Create a cloud vision statement

    5.1 Build the Cloud Vision Executive Presentation
    Deliverables
    1. Corporate goals and cloud drivers
    2. Success indicators
    3. Current state summaries
    4. List of workloads for further analysis
    1. Completed workload assessments
    2. Workload summary statements
    1. List of risks and roadblocks, categorized
    2. List of mitigations
    3. List of initiatives
    1. Finalized task list
    2. Formal cloud decision rubric
    3. Cloud vision statement
    1. Completed cloud strategy executive presentation
    2. Completed cloud vision workbook

    Understand the cloud

    Build the foundations of your cloud vision

    Phase 1

    Phase 1

    Understand the Cloud

    Phase 1

    1.1 Generate goals and drivers

    1.2 Explore cloud characteristics

    1.3 Create a current state summary

    1.4 Select workloads for analysis

    Phase 2

    2.1 Conduct workload assessments

    2.2 Determine workload future states

    Phase 3

    3.1 Generate risks and roadblocks

    3.2 Mitigate risks and roadblocks

    3.3 Define roadmap initiatives

    Phase 4

    4.1 Review and assign work items

    4.2 Finalize cloud decision framework

    4.3 Create cloud vision

    This phase will walk you through the following activities:

    1.1.1 Generate organizational goals

    1.1.2 Define cloud drivers

    1.1.3 Define success indicators

    1.3.1 Record your current state

    1.4.1 Select workloads for further assessment

    This phase involves the following participants:

    IT management, the core working group, security, infrastructure, operations, architecture, engineering, applications, non-IT stakeholders.

    It starts with shared understanding

    Stakeholders must agree on overall goals and what “cloud” means

    The cloud is a nebulous term that can reasonably describe services ranging from infrastructure as a service as delivered by providers like Amazon Web Services and Microsoft through its Azure platform, right up to software as a service solutions like Jira or Salesforce. These solutions solve different problems – just because your CRM would be a good fit for a migration to Salesforce doesn’t mean the same system would make sense in Azure or AWS.

    This is important because the language we use to talk about the cloud can color our approach to cloud services. A “cloud-first” strategy will mean something different to a CEO with a concept of the cloud rooted in Salesforce than it will to a system administrator who interprets it to mean a transition to cloud-hosted virtual machines.

    Add to this the fact that not all cloud services are hosted externally by providers (public clouds) and the fact that multiple delivery models can be engaged at once through hybrid or multi-cloud approaches, and it’s apparent that a shared understanding of the cloud is necessary for a coherent strategy to take form.

    This phase proceeds in four steps, each governed by the principle of shared understanding. The first requires a shared understanding of corporate goals and drivers. Step 2 involves coming to a shared understanding of the cloud’s unique characteristics. Step 3 requires a review of the current state. Finally, in Step 4, participants will identify workloads that are suitable for analysis as candidates for the cloud.

    Step 1.1

    Generate goals and drivers

    Activities

    1.1.1 Define organizational goals

    1.1.2 Define cloud drivers

    1.1.3 Define success indicators

    Generate goals and drivers

    Explore cloud characteristics

    Create a current state summary

    Select workloads for analysis

    This step involves the following participants:

    • IT management
    • Core working group
    • Security
    • Applications
    • Infrastructure
    • Service management
    • Leadership

    Outcomes of this step

    • List of organizational goals
    • List of cloud drivers
    • Defined success indicators

    What can the cloud do for you?

    The cloud is not valuable for its own sake, and not all users derive the same value

    • The cloud is characterized by on-demand self-service, broad network access, resource pooling, rapid elasticity, and measured service. Any or all of those characteristics might be enough to make the cloud appealing, but in most cases, there is an overriding driver.
    • Multiple paths may lead to the cloud. Consider an organization with a need to control costs by showing back to business units, or perhaps by reducing capital expenditure – the cloud may be the most appropriate way to effect these changes. Conversely, an organization expanding rapidly and with a need to access the latest and greatest technology might benefit from the elasticity and pooled resources that major cloud providers can offer.
    • In these cases, the destination might be the same (a cloud solution) but the delivery model – public, private, or hybrid – and the decisions made around the key strategy components, including architecture, provisioning, and cost management, will almost certainly be different.
    • Defining goals, understanding cloud drivers, and – crucially – understanding what success means, are all therefore essential elements of the cloud vision process.

    1.1.1 Generate organizational goals

    1-3 hours

    Input

    • Strategy documentation

    Output

    • Organizational goals

    Materials

    • Whiteboard (digital/physical)

    Participants

    • IT leadership
    • Infrastructure
    • Applications
    • Security
    1. As a group, brainstorm organizational goals, ideally based on existing documentation
      • Review relevant corporate and IT strategies.
      • If you do not have access to internal documentation, review the standard goals on the next slide and select those that are most relevant for you.
    2. Record the most important business goals in the Cloud Vision Executive Presentation. Include descriptions where possible to ensure wide readability.
    3. Make note of these goals. They should inform the answers to prompts offered in the Cloud Vision Workbook and should be a consistent presence in the remainder of the visioning exercise. If you’re conducting the session in person, leave the goals up on a whiteboard and make reference to them throughout the workshop.

    Cloud Vision Executive Presentation

    Standard COBIT 19 enterprise goals

    1. Portfolio of competitive products and services
    2. Managed business risk
    3. Compliance with external laws and regulations
    4. Quality of financial information
    5. Customer-oriented service culture
    6. Business service continuity and availability
    7. Quality of management information
    8. Optimization of internal business process functionality
    9. Optimization of business process costs
    10. Staff skills, motivation, and productivity
    11. Compliance with internal policies
    12. Managed digital transformation programs
    13. Product and business innovation

    1.1.2 Define cloud drivers

    30-60 minutes

    Input

    • Organizational goals
    • Strategy documentation
    • Management/staff perspective

    Output

    • List of cloud drivers

    Materials

    • Sticky notes
    • Whiteboard
    • Markers

    Participants

    • IT leadership
    • Infrastructure
    • Applications
    • Security
    1. Cloud drivers sit at a level of abstraction below organizational goals. Keeping your organizational goals in mind, have each participant in the session write down how they expect to benefit from the cloud on a sticky note.
    2. Solicit input one at a time and group similar responses. Encourage participants to bring forward their cloud goals even if similar goals have been mentioned previously. The number of mentions is a useful way to gauge the relative weight of the drivers.
    3. Once this is done, you should have a few groups of similar drivers. Work with the group to name each category. This name will be the driver reported in the documentation.
    4. Input the results of the exercise into the Cloud Vision Executive Presentation, and include descriptions based on the constituent drivers. For example, if a driver is titled “do more valuable work,” the constituent drivers might be “build cloud skills,” “focus on core products,” and “avoid administration work where possible.” The description would be based on these components.

    Cloud Vision Executive Presentation

    1.1.3 Define success indicators

    1 hour

    Input

    • Cloud drivers
    • Organizational goals

    Output

    • List of cloud driver success indicators

    Materials

    • Whiteboard
    • Markers

    Participants

    • IT leadership
    • Infrastructure
    • Applications
    • Security
    1. On a whiteboard, draw a table with each of the cloud drivers (identified in 1.1.2) across the top.
    2. Work collectively to generate success indicators for each cloud driver. In this case, a success indicator is some way you can report your progress with the stated driver. It is a real-world proxy for the sometimes abstract phenomena that make up your drivers. Think about what would be true if your driver was realized.
      1. For example, if your driver is “faster access to resources,” you might consider indicators like developer satisfaction, project completion time, average time to provision, etc.
    3. Once you are satisfied with your list of indicators, populate the slide in the Cloud Vision Executive Presentation for validation from stakeholders.

    Cloud Vision Executive Presentation

    Step 1.2

    Explore cloud characteristics

    Activities

    Understand the value of the cloud:

    • Review delivery models
    • Review support models
    • Review service models
    • Review migration paths

    Understand the Cloud

    Generate goals and drivers

    Explore cloud characteristics

    Create a current state summary

    Select workloads for analysis

    This step involves the following participants:

    • Core working group
    • Architecture
    • Engineering
    • Security

    Outcomes of this step

    • Understanding of cloud service models and value

    Defining the cloud

    Per NIST, the cloud has five fundamental characteristics. All clouds have these characteristics, even if they are executed in somewhat different ways between delivery models, service models, and even individual providers.

    Cloud characteristics

    On-demand self-service

    Cloud customers are capable of provisioning cloud resources without human interaction (e.g. contacting sales), generally through a web console.

    Broad network access

    Capabilities are designed to be delivered over a network and are generally intended for access by a wide variety of platform types (cloud services are generally device-agnostic).

    Resource pooling

    Multiple customers (internal, in the case of private clouds) make use of a highly abstracted shared infrastructure managed by the cloud provider.

    Rapid elasticity

    Customers are capable of provisioning additional resources as required, pulling from a functionally infinite pool of capacity. Cloud resources can be spun-down when no longer needed.

    Measured service

    Consumption is metered based on an appropriate unit of analysis (number of licenses, storage used, compute cycles, etc.) and billing is transparent and granular.

    Cloud delivery models

    The NIST definition of cloud computing outlines four cloud delivery models: public, private, hybrid, and community clouds. A community cloud is like a private cloud, but it is provisioned for the exclusive use of a like-minded group of organizations, usually in a mutually beneficial, non-competitive arrangement. Universities and hospitals are examples of organizations that can pool their resources in this way without impacting competitiveness. The Info-Tech model covers three key delivery models – public, private, and hybrid, and an overarching model (multi-cloud) that can comprise more than one of the other models – public + public, public + hybrid, etc.

    Public

    The cloud service is provisioned for access by the general public (customers).

    Private

    A private cloud has the five key characteristics, but is provisioned for use by a single entity, like a company or organization.

    Hybrid

    Hybridity essentially refers to interoperability between multiple cloud delivery models (public +private).

    Multi

    A multi-cloud deployment requires only that multiple clouds are used without any necessary interoperability (Nutanix, 2019).

    Public cloud

    This is what people generally think about when they talk about cloud

    • The public cloud is, well, public! Anyone can make use of its resources, and in the case of the major providers, capacity is functionally unlimited. Need to store exabytes of data in the cloud? No problem! Amazon will drive a modified shipping container to your datacenter, load it up, and “migrate” it to a datacenter.
    • Public clouds offer significant variety on the infrastructure side. Major IaaS providers, like Microsoft and Amazon, offer dozens of services across many different categories including compute, networking, and storage, but also identity, containers, machine learning, virtual desktops, and much, much more. (See a list from Microsoft here, and Amazon here)
    • There are undoubtedly strengths to the public cloud model. Providers offer the “latest and greatest” and customers need not worry about the details, including managing infrastructure and physical locations. Providers offer built-in redundancy, multi-regional deployments, automation tools, management and governance solutions, and a variety of leading-edge technologies that would not be feasible for organizations to run in-house, like high performance compute, blockchain, or quantum computing.
    • Of course, the public cloud is not all sunshine and rainbows – there are downsides as well. It can be expensive; it can introduce regulatory complications to have to trust another entity with your key information. Additionally, there can be performance hiccups, and with SaaS products, it can be difficult to monitor at the appropriate (per-transaction) level.

    Prominent examples include:

    AWS

    Microsoft

    Azure

    Salesforce.com

    Workday

    SAP

    Private cloud

    A lower-risk cloud for cloud-averse customers?

    • A cloud is a cloud, no matter how small. Some IT shops deploy private clouds that make use of the five key cloud characteristics but provisioned for the exclusive use of a single entity, like a corporation.
    • Private clouds have numerous benefits. Some potential cloud customers might be uncomfortable with the shared responsibility that is inherent in the public cloud. Private clouds allow customers to deliver flexible, measured services without having to surrender control, but they require significant overhead, capital expenditure, administrative effort, and technical expertise.
    • According to the 2021 State of the Cloud Report, private cloud use is common, and the most frequently cited toolset is VMware vSphere, followed by Azure Stack, OpenStack, and AWS Outposts. Private cloud deployments are more common in larger organizations, which makes sense given the overhead required to manage such an environment.

    Private cloud adoption

    The images shows a graph titled Private Cloud Adoption for Enterprises. It is a horizontal bar graph, with three segments in each bar: dark blue marking currently use; mid blue marking experimenting; and light blue marking plan to use.

    VMware and Microsoft lead the pack among private cloud customers, with Amazon and Red Hat also substantially present across private cloud environments.

    Hybrid cloud

    The best of both worlds?

    Hybrid cloud architectures combine multiple cloud delivery models and facilitate some level of interoperability. NIST suggests bursting and load balancing as examples of hybrid cloud use cases. Note: it is not sufficient to simply have multiple clouds running in parallel – there must be a toolset that allows for an element of cross-cloud functionality.

    This delivery model is attractive because it allows users to take advantage of the strengths of multiple service models using a single management pane. Bursting across clouds to take advantage of additional capacity or disaster recovery capabilities are two obvious use cases that appeal to hybrid cloud users.

    But while hybridity is all the rage (especially given the impact Covid-19 has had on the workplace), the reality is that any hybrid cloud user must take the good with the bad. Multiple clouds and a management layer can be technically complex, expensive, and require maintaining a physical infrastructure that is not especially valuable (“I thought we were moving to the cloud to get out of the datacenter!”).

    Before selecting a hybrid approach through services like VMware Cloud on AWS or Microsoft’s Azure Stack, consider the cost, complexity, and actual expected benefit.

    Amazon, Microsoft, and Google dominate public cloud IaaS, but IBM is betting big on hybrid cloud:

    The image is a screencap of a tweet from IBM News. The tweet reads: IBM CEO Ginni Rometty: Hybrid cloud is a trillion dollar market and we'll be number one #Think2019.

    With its acquisition of Red Hat in 2019 for $34 billion, Big Blue put its money where its mouth is and acquired a substantial hybrid cloud business. At the time of the acquisition, Red Hat’s CEO, Jim Whitehurst, spoke about the benefit IBM expected to receive:

    “Joining forces with IBM gives Red Hat the opportunity to bring more open source innovation to an even broader range of organizations and will enable us to scale to meet the need for hybrid cloud solutions that deliver true choice and agility” (Red Hat, 2019).

    Multi-cloud

    For most organizations, the multi-cloud is the most realistic option.

    Multi-cloud is popular!

    The image shows a graph titled Multi-Cloud Architectures Used, % of all Respondents. The largest percentage is Apps siloed on different clouds, followed by DAta integration between clouds.

    Multi-cloud solutions exist at a different layer of abstraction from public, private, and even hybrid cloud delivery models. A multi-cloud architecture, as the name suggests, requires the user to be a customer of more than one cloud provider, and it can certainly include a hybrid cloud deployment, but it is not bound by the same rules of interoperability.

    Many organizations – especially those with fewer resources or a lack of a use case for a private cloud – rely on a multi-cloud architecture to build applications where they belong, and they manage each environment separately (or occasionally with the help of cloud management platforms).

    If your data team wants to work in AWS and your enterprise services run on basic virtual machines in Azure, that might be the most effective architecture. As the Flexera 2021 State of the Cloud Report suggests, this architecture is far more common than the more complicated bursting or brokering architectures characteristic of hybrid clouds.

    NIST cloud service models

    Software as a service

    SaaS has exploded in popularity with consumers who wish to avail themselves of the cloud’s benefits without having to manage underlying infrastructure components. SaaS is simple, generally billed per-user per-month, and is almost entirely provider-managed.

    Platform as a service

    PaaS providers offer a toolset for their customers to run custom applications and services without the requirement to manage underlying infrastructure components. This service model is ideal for custom applications/services that don’t benefit from highly granular infrastructure control.

    Infrastructure as a service

    IaaS represents the sale of components. Instead of a service, IaaS providers sell access to components, like compute, storage, and networking, allowing for customers to build anything they want on top of the providers’ infrastructure.

    Cloud service models

    • This research focuses on five key service models, each of which has its own strengths and weaknesses. Moving right from “on-prem,” customers gradually give up more control over their environments to cloud service providers.
    • An entirely premises-based environment means that the customer is responsible for everything ranging from the dirt under the datacenter to application-level configurations. Conversely, in a SaaS environment, the provider is responsible for everything but those top-level application configurations.
    • A managed service provider or other third party can manage any or of the components of the infrastructure stack. A service provider may, for example, build a SaaS solution on top of another provider’s IaaS, or might offer configuration assistance with a commercially available SaaS.

    Info-Tech Insight

    Not all workloads fit well in the cloud. Many environments will mix service models (e.g. SaaS for some workloads, some in IaaS, some on-premises), and this can be perfectly effective. It must be consistent and intentional, however.

    On-prem Co-Lo IaaS PaaS SaaS
    Application Application Application Application Application
    Database Database Database Database Database
    Runtime/ Middleware Runtime/ Middleware Runtime/ Middleware Runtime/ Middleware Runtime/ Middleware
    OS OS OS OS OS
    Hypervisor Hypervisor Hypervisor Hypervisor Hypervisor
    Server Network Storage Server Network Storage Server Network Storage Server Network Storage Server Network Storage
    Facilities Facilities Facilities Facilities Facilities

    Organization has control

    Organization or vendor may control

    Vendor has control

    Analytics folly

    SaaS is good, but it’s not a panacea

    Industry: Healthcare

    Source: Info-Tech workshop

    Situation

    A healthcare analytics provider had already moved a significant number of “non-core workloads” to the cloud, including email, HRIS, and related services.

    The company CEO was satisfied with the reduced effort required by IT to manage SaaS-based workloads and sought to extend the same benefits to the core analytics platform where there was an opportunity to reduce overhead.

    Complication

    Many components of the health analytics service were designed to run specifically in a datacenter and were not ready to be migrated to the cloud without significant effort/refactoring. SaaS was not an option because this was a core platform – a SaaS provider would have been the competition.

    That left IaaS, which was expensive and would not bring the expected benefits (reduced overhead).

    Results

    The organization determined that there were no short-term gains from migrating to the cloud. Due to the nature of the application (its extensive customization, the fact that it was a core product sold by the company) any steps to reduce operational overhead were not feasible.

    The CEO recognized that the analytics platform was not a good candidate for the cloud and what distinguished the analytics platform from more suitable workloads.

    Migration paths

    In a 2016 blog post, Amazon Web Services articulated a framework for cloud migration that incorporates elements of the journey as well as the destination. If workload owners do not choose to retain or retire their workloads, there are four alternatives. These alternatives all stack up differently along five key dimensions:

    1. Value: does the workload stand to benefit from unique cloud characteristics? To what degree?
    2. Effort: how much work would be required to make the transition?
    3. Cost: how much money is the migration expected to cost?
    4. Time: how long will the migration take?
    5. Skills: what skills must be brought to bear to complete the migration?

    Not all migration paths can lead to all destinations. Rehosting generally means IaaS, while repurchasing leads to SaaS. Refactoring and replatforming have some variety of outcomes, and it becomes possible to take advantage of new IaaS architectures or migrate workloads over fully to SaaS.

    As part of the workload assessment process, use the five dimensions (expanded upon on the next slide) to determine what migration path makes sense. Preferred migration paths form an important part of the overall cloud vision process.

    Retain (Revisit)

    • Keep the application in its current form, at least for now. This doesn’t preclude revisiting it in the future.

    Retire

    • Get rid of the application completely.

    Rehost

    • Move the application to the cloud (IaaS) and continue to run it in more or less the same form as it currently runs.

    Replatform

    • Move the application to the cloud and perform a few changes for cloud optimizations.

    Refactor

    • Rewrite the application, taking advantage of cloud native architectures.

    Repurchase

    • Replace with an alternative, cloud-native application and migrate the data.

    Migration paths – relative value

    Migration path Value Effort Cost Time Skills
    Retain No real change in the absolute value of the workload if it is retained. No effort beyond ongoing workload maintenance. No immediate hard dollar costs, but opportunity costs and technical debt abound. No time required! (At least not right away…) Retaining requires the same skills it has always required (which may be more difficult to acquire in the future).
    Rehire A retired workload can provide no value, but it is not a drain! Spinning a service down requires engaging that part of the lifecycle. N/A Retiring the service may be simple or complicated depending on its current role. N/A
    Rehost Some value comes with rehosting, but generally components stay the same (VM here vs. a VM there). Minimal effort required, especially with automated tools. The effort will depend on the environment being migrated. Relatively cheap compared to other options. Rehosting infrastructure is the simplest cloud migration path and is useful for anyone in a hurry. Rehosting is the simplest cloud migration path for most workloads, but it does require basic familiarity with cloud IaaS.

    Replatform

    Replatformed workloads can take advantage of cloud-native services (SQL vs. SQLaaS). Replatforming is more effortful than rehosting, but less effortful than refactoring. Moderate cost – does not require fundamental rearchitecture, just some tweaking. Relatively more complicated than a simple rehost, but less demanding than a refactor. Platform and workload expertise is required; more substantial than a simple rehost.
    Refactor A fully formed, customized cloud-based workload that can take advantage of cloud-native architectures is generally quite valuable. Significant effort required based on the requirement to engage the full SDLC. Significant cost required to engage SDLC and rebuild the application/service. The most complicated and time-consuming. The most complicated and time-consuming.
    Repurchase Repurchasing is the quickest way to achieve cloud-native value. There are compromises, however (high cost, vendor-lock-in). Repurchasing is the quickest way to achieve cloud-native value. There are compromises, however (high cost, vendor-lock-in). Repurchasing is the quickest way to achieve cloud-native value. There are compromises, however (high cost, vendor-lock-in). Configuration – especially for massive projects – can be time consuming, but in general repurchasing can be quite fast. Buying software does require knowledge of requirements and integrations, but is otherwise quite simple.

    Where should you get your cloud skills?

    Cloud skills are certainly top of mind right now. With the great upheaval in both work patterns and in the labor market more generally, expertise in cloud-related areas is simultaneously more valuable and more difficult to procure. According to Pluralsight’s 2021 “State of Upskilling” report, 44% of respondents report themselves under-skilled in the cloud management area, making cloud management the most significant skill gap reported on the survey.

    Everyone left the office. Work as we know it is fundamentally altered for a generation or more. Cloud services shot up in popularity by enabling the transition. And yet there is a gap – a prominent gap – in skilling up for this critically important future. What is the cloud manager to do?

    Per the framework presented here, that manager has three essential options. They may take somewhat different forms depending on specific requirements and the quirks of the local market, but the options are:

    1. Train or hire internal resources: This might be easier said than done, especially for more niche skills, but makes sense for workloads that are critical to operations for the long term.
    2. Engage a managed service provider: MSPs are often engaged to manage services where internal IT lacks bandwidth or expertise.
    3. Hire a consultant: Consultants are great for time-bound implementation projects where highly specific expertise is required, such as a migration or implementation project.

    Each model makes sense to some degree. When evaluating individual workloads for cloud suitability, it is critical to consider the support model – both immediate and long term. What makes sense from a value perspective?

    Cloud decisions – summary

    A key component of the Info-Tech cloud vision model is that it is multi-layered. Not every decision must be made at every level. At the workload level, it makes sense to select service models that make sense, but each workload does not need its own defined vision. Workload-level decisions should be guided by an overall strategy but applied tactically, based on individual workload characteristics and circumstances.

    Conversely, some decisions will inevitably be applied at the environment level. With some exceptions, it is unlikely that cloud customers will build an entire private/hybrid cloud environment around a single solution; instead, they will define a broader strategy and fit individual workloads into that strategy.

    Some considerations exist at both the workload and environment levels. Risks and roadblocks, as well as the preferred support model, are concerns that exist at both the environment level and at the workload level.

    The image is a Venn diagram, with the left side titled Workload level, and the right side titled Environment Level. In the left section are: service model and migration path. On the right section are: Overall vision and Delivery model. In the centre section are: support model and Risks and roadblocks.

    Step 1.3

    Create a current state summary

    Activities

    1.3.1 Record your current state

    Understand the Cloud

    Generate goals and drivers

    Explore cloud characteristics

    Create a current state summary

    Select workloads for analysis

    This step involves the following participants: Core working group

    Outcomes of this step

    • Current state summary of cloud solutions

    1.3.1 Record your current state

    30 minutes

    Input

    • Knowledge of existing cloud workloads

    Output

    • Current state cloud summary for service, delivery, and support models

    Materials

    • Whiteboard

    Participants

    • Core working group
    • Infrastructure team
    • Service owners
    1. On a whiteboard (real or virtual) draw a table with each of the cloud service models across the top. Leave a cell below each to list examples.
    2. Under each service model, record examples present in your environment. The purpose of the exercise is to illustrate the existence of cloud services in your environment or the lack thereof, so there is no need to be exhaustive. Complete this in turn for each service model until you are satisfied that you have created an effective picture of your current cloud SaaS state, IaaS state, etc.
    3. Input the results into their own slide titled “current state summary” in the Cloud Vision Executive Presentation.
    4. Repeat for the cloud delivery models and support models and include the results of those exercises as well.
    5. Create a short summary statement (“We are primarily a public cloud consumer with a large SaaS footprint and minimal presence in PaaS and IaaS. We retain an MSP to manage our hosted telephony solution; otherwise, everything is handled in house.”

    Cloud Vision Executive Presentation

    Step 1.4

    Select workloads for current analysis

    Activities

    1.4.1 Select workloads for assessment

    This step involves the following participants:

    • Core working group

    Outcomes of this step

    • List of workloads for assessment

    Understand the cloud

    Generate goals and drivers

    Explore cloud characteristics

    Create a current state summary

    Select workloads for analysis

    1.4.1 Select workloads for assessment

    30 minutes

    Input

    • Knowledge of existing cloud workloads

    Output

    • List of workloads to be assessed

    Materials

    • Whiteboard
    • Cloud Vision Workbook

    Participants

    • Core working group
    • IT management
    1. In many cases, the cloud project is inspired by a desire to move a particular workload or set of workloads. Solicit feedback from the core working group about what these workloads might be. Ask everyone in the meeting to suggest a workload and record each one on a sticky note or white board (virtual or physical).
    2. Discuss the results with the group and begin grouping similar workloads together. They will be subject to the assessments in the Cloud Vision Workbook, so try to avoid selecting too many workloads that will produce similar answers. It might not be obvious, but try to think about workloads that have similar usage patterns, risk levels, and performance requirements, and select a representative group.
    3. You should embrace counterintuition by selecting a workload that you think is unlikely to be a good fit for the cloud if you can and subjecting it to the assessment as well for validation purposes.
    4. When you have a list of 4-6 workloads, record them on tab 2 of the Cloud Vision Workbook.

    Cloud Vision Workbook

    Assess your cloud workloads

    Build the foundations of your cloud vision

    Phase 2

    Phase 2

    Evaluate Cloud Workloads

    Phase 1

    1.1 Generate goals and drivers

    1.2 Explore cloud characteristics

    1.3 Create a current state summary

    1.4 Select workloads for analysis

    Phase 2

    2.1 Conduct workload assessments

    2.2 Determine workload future states

    Phase 3

    3.1 Generate risks and roadblocks

    3.2 Mitigate risks and roadblocks

    3.3 Define roadmap initiatives

    Phase 4

    4.1 Review and assign work items

    4.2 Finalize cloud decision framework

    4.3 Create cloud vision

    This phase will walk you through the following activities:

    • Conduct workload assessments
    • Determine workload future state

    This phase involves the following participants:

    • Subject matter experts
    • Core working group
    • IT management

    Define Your Cloud Vision

    Work from the bottom up and assess your workloads

    A workload-first approach will help you create a realistic vision.

    The concept of a cloud vision should unquestionably be informed by the nature of the workloads that IT is expected to provide for the wider organization. The overall cloud vision is no greater than the sum of its parts. You cannot migrate to the cloud in the abstract. Workloads need to go – and not all workloads are equally suitable for the transition.

    It is therefore imperative to understand which workloads are a good fit for the cloud, which cloud service models make the most sense, how to execute the migration, what support should look like, and what risks and roadblocks you are likely to encounter as part of the process.

    That’s where the Cloud Vision Workbook comes into play. You can use this tool to assess as many workloads as you’d like – most people get the idea after about four – and by the end of the exercise, you should have a pretty good idea about where your workloads belong, and you’ll have a tool to assess any net new or previously unconsidered workloads.

    It’s not so much about the results of the assessment – though these are undeniably important – but about the learnings gleaned from the collaborative assessment exercise. While you can certainly fill out the assessment without any additional input, this exercise is most effective when completed as part of a group.

    Introducing the Cloud Vision Workbook

    • The Cloud Vision Workbook is an Excel tool that answers the age old question: “What should I do with my workloads?”
    • It is divided into eight tabs, each of which offers unique value. Start by reading the introduction and inputting your list of workloads. Work your way through tabs 3-6, completing the suitability, migration, management, and risk and roadblock assessments, and review the results on tab 7.
    • If you choose to go through the full battery of assessments for each workload, expect to answer and weight 111 unique questions across the four assessments. This is an intensive exercise, so carefully consider which assessments are valuable to you, and what workloads you have time to assess.
    • Tab 8 hosts the milestone timeline and captures the results of the phase 3 risk and mitigation exercise.

    Understand Cloud Vision Workbook outputs

    The image shows a graphic with several graphs and lists on it, with sections highlighted with notes. At the top, there's the title Database with the note Workload title (populated from tab 2). Below that, there is a graph with the note Relative suitability of the five service models. The Risks and roadblocks section includes the note: The strategy components – the risks and roadblocks – are captured relative to one another to highlight key focus areas. To the left of that, there is a Notes section with the note Notes populated based on post-assessment discussion. At the bottom, there is a section titled Where should skills be procured?, with the note The radar diagram captures the recommended support model relative to the others (MSP, consultant, internal IT). To the right of that, there is a section titled Migration path, with the note that Ordered list of migration paths. Note: a disconnect here with the suggested service model may indicate an unrealistic goal state.

    Step 2.1

    Conduct workload assessments

    Activities

    2.1.1 Conduct workload assessments

    2.1.2 Interpret your results

    Phase Title

    Conduct workload assessments

    Determine workload future state

    This step involves the following participants:

    • Core working group
    • Workload subject matter experts

    Outcomes of this step

    • Completed workload assessments

    2.1.1 Conduct workload assessments

    2 hours per workload

    Input

    • List of workloads to be assessed

    Output

    • Completed cloud vision assessments

    Materials

    • Cloud Vision Workbook

    Participants

    • Core working group
    • Service owners/workload SMEs
    1. The Cloud Vision Workbook is your one stop shop for all things workload assessment. Open the tool to tab 2 and review the workloads you identified at the end of phase 1. Ensure that these are correct. Once satisfied, project the tool (virtually, if necessary) so that all participants can see the assessment questions.
    2. Work through tabs 3-6, answering the questions and assigning a multiplier for each one. A higher multiplier increases the relative weight of the question, giving it a greater impact on the overall outcome.
    3. Do your best to induce participants to offer opinions. Consensus is not absolutely necessary, but it is a good goal. Ask your participants if they agree with initial responses and occasionally take the opposite position (“I’m surprised you said agree – I would have thought we didn’t care about CapEx vs. OpEx”). Stimulate discussion.
    4. Highlight any questions that you will need to return to or run by someone not present. Include a placeholder answer, as the tool requires all cells to be filled for computation.

    Cloud Vision Workbook

    2.1.2 Interpret your results

    10 minutes

    Input

    • Completed cloud vision assessments

    Output

    • Shared understanding of implications

    Materials

    • Cloud Vision Workbook

    Participants

    • Core working group
    • Service owners/workload SMEs
    1. Once you’ve completed all 111 questions for each workload, you can review your results on tab 7. On tab 7, you will see four populated graphics: cloud suitability, migration path, “where should skills be procured?”, and risks and roadblocks. These represent the components of the overall cloud vision that you will present to stakeholders.
    2. The “cloud suitability” chart captures the service model that the assessment judges to be most suitable for the workload. Ask those present if any are surprised by the output. If there is any disagreement, discuss the source of the surprise and what a more realistic outcome would be. Revisit the assessment if necessary.
    3. Conduct a similar exercise with each of the other outputs. Does it make sense to refactor the workload based on its cloud suitability? Does the fact that we scored so highly on the “consultant” support model indicate something about how we handle upskilling internally? Does the profile of risks and roadblocks identified here align with expectations? What should be ranked higher? What about lower?
    4. Once everyone is generally satisfied with the results, close the tool and take a break! You’ve earned it.

    Cloud Vision Workbook

    Understand the cloud strategy components

    Each cloud strategy will take a slightly different form, but all should contain echoes of each of these components. This process will help you define your vision and direction, but you will need to take steps to execute on that vision. The remainder of the cloud strategy, covered in the related blueprint Document Your Cloud Strategy comprises these fourteen topics divided across three categories: people, governance, and technology. The workload assessment covers these under risks and roadblocks and highlights areas that may require specific additional attention. When interpreting the results, think of these areas as comprising things that you will need to do to make your vision a reality.

    People

    • Skills and roles
    • Culture and adoption
    • Governing bodies

    Governance

    • Architecture
    • Integration and interoperability
    • Operations management
    • Cloud portfolio management
    • Cloud vendor management
    • Finance management
    • Security
    • Data controls

    Technology

    • Monitoring
    • Provisioning
    • Migration

    Strategy component: People

    People form the core of any good strategy. As part of your cloud vision, you will need to understand the implications a cloud transition will have on your staff and users, whether those users are internal or external.

    Component Description Challenges
    Skills and roles The move to the cloud will require staff to learn how to handle new technology and new operational processes. The cloud is a different way of procuring IT resources and may require the definition of new roles to handle things like cost management and provisioning. Staff may not have the necessary experience to migrate to a cloud environment or to effectively manage resources once the cloud transition is made. Cloud skills are difficult to hire for, and with the ever-changing nature of the platforms themselves, this shows no sign of abating. Redefining roles can also be politically challenging and should be done with due care and consideration.
    Culture and adoption If you build it, they will come…right? It is not always the case that a new service immediately attracts users. Ensuring that organizational culture aligns with the cloud vision is a critical success factor. Equally important is ensuring that cloud resources are used as intended. Those unfamiliar with cloud resources may be less willing to learn to use them. If alternatives exist (e.g. a legacy service that has not been shut down), or if those detractors are influential, this resistance may impede your cloud execution. Also, if the cloud transition involves significant effort or a fundamental rework (e.g. a DevOps transition) this role redefinition could cause some internal turmoil.
    Governing bodies A large-scale cloud deployment requires formal governance. Formal governance requires a governing body that is ultimately responsible for designing the said governance. This could take the form of a “center of excellence” or may rest with a single cloud architect in a smaller, less complicated environment. Governance is difficult. Defining responsibilities in a way that includes all relevant stakeholders without paralyzing the decision-making process is difficult. Implementing suggestions is a challenge. Navigating the changing nature of service provision (who can provision their own instances or assign licenses?) can be difficult as well. All these concerns must be addressed in a cloud strategy.

    Strategy component: Governance

    Without guardrails, the cloud deployment will grow organically. This has strengths (people tend to adopt solutions that they select and deploy themselves), but these are more than balanced out by the drawbacks that come with inconsistency, poor administration, duplication of services, suboptimal costing, and any number of other unique challenges. The solution is to develop and deploy governance. The following list captures some of the necessary governance-related components of a cloud strategy.

    Component Description Challenges
    Architecture Enterprise architecture is an important function in any environment with more than one interacting workload component (read: any environment). The cloud strategy should include an approach to defining and implementing a standard cloud architecture and should assign responsibility to an individual or group. Sometimes the cloud transition is inspired by the desire to rearchitect. The necessary skills and knowledge may not be readily available to design and transition to a microservices-based environment, for example, vs. a traditional monolithic application architecture. The appropriateness of a serverless environment may not be well understood, and it may be the case that architects are unfamiliar with cloud best practices and reference architectures.
    Integration and interoperability Many services are only highly functional when integrated with other services. What is a database without its front-end? What is an analytics platform without its data lake? For the cloud vision to be properly implemented, a strategy for handling integration and interoperability must be developed. It may be as simple as “all SaaS apps must be compatible with Okta” but it must be there. Migration to the cloud may require a fundamentally new approach to integration, moving away from a point-to-point integrations and towards an ESB or data lake. In many cases, this is easier said than done. Centralization of management may be appealing, but legacy applications – or those acquired informally in a one-off fashion – might not be so easy to integrate into a central management platform.
    Operations management Service management (ITIL processes) must be aligned with your overall cloud strategy. Migrating to the cloud (where applicable) will require refining these processes, including incident, problem, request, change, and configuration management, to make them more suitable for the cloud environment. Operations management doesn’t go away in the cloud, but it does change in line with the transition to shared responsibility. Responding to incidents may be more difficult on the cloud when troubleshooting is a vendor’s responsibility. Change management in a SaaS environment may be more receptive than staff are used to as cloud providers push changes out that cannot be rolled back.

    Strategy component: Governance (cont.)

    Component Description Challenges
    Cloud portfolio management This component refers to the act of managing the portfolio of cloud services that is available to IT and to business users. What requirements must a SaaS service meet to be onboarded into the environment? How do we account for exceptions to our IaaS policy? What about services that are only available from a certain provider? Rationalizing services offers administrative benefits, but may make some tasks more difficult for end users who have learned things a certain way or rely on niche toolsets. Managing access through a service catalog can also be challenging based on buy-in and ongoing administration. It is necessary to develop and implement policy.
    Cloud vendor management Who owns the vendor management function, and what do their duties entail? What contract language must be standard? What does due diligence look like? How should negotiations be conducted? What does a severing of the relationship look like? Cloud service models are generally different from traditional hosted software and even from each other (e.g. SaaS vs. PaaS). There is a bit of a learning curve when it comes to dealing with vendors. Also relevant: the skills that it takes to build and maintain a system are not necessarily the same as those required to coherently interact with a cloud vendor.
    Finance management Cloud services are, by definition, subject to a kind of granular, operational billing that many shops might not be used to. Someone will need to accurately project and allocate costs, while ensuring that services are monitored for cost abnormalities. Cloud cost challenges often relate to overall expense (“the cloud is more expensive than an alternative solution”), expense variability (“I don’t know what my budget needs to be this quarter”), and cost complexity (“I don’t understand what I’m paying for – what’s an Elastic Beanstalk?”).
    Security The cloud is not inherently more or less secure than a premises-based alternative, though the risk profile can be different. Applying appropriate security governance to ensure workloads are compliant with security requirements is an essential component of the strategy.

    Technical security architecture can be a challenge, as well as navigating the shared responsibility that comes with a cloud transition. There are also a plethora of cloud-specific security tools like cloud access security brokers (CASBs), cloud security posture management (CSPM) solutions, and even secure access services edge (SASE) technology.

    Data controls Data residency, classification, quality, and protection are important considerations for any cloud strategy. With cloud providers taking on outsized responsibility, understanding and governing data is essential. Cloud providers like to abstract away from the end user, and while some may be able to guarantee residency, others may not. Additionally, regulations may prevent some data from going to the cloud, and you may need to develop a new organizational backup strategy to account for the cloud.

    Strategy component: Technology

    Good technology will never replace good people and effective process, but it remains important in its own right. A migration that neglects the undeniable technical components of a solid cloud strategy is doomed to mediocrity at best and failure at worst. Understanding the technical implications of the cloud vision – particularly in terms of monitoring, provisioning, and migration – makes all the difference. You can interpret the results of the cloud workload assessments by reviewing the details presented here.

    Component Description Challenges
    Monitoring The cloud must be monitored in line with performance requirements. Staff must ensure that appropriate tools are in place to properly monitor cloud workloads and that they are capturing adequate and relevant data. Defining requirements for monitoring a potentially unfamiliar environment can be difficult, as can consolidating on a monitoring solution that both meets requirements and covers all relevant areas. There may be some upskilling and integration work required to ensure that monitoring works as required.
    Provisioning How will provisioning be done? Who will be responsible for ensuring the right people have access to the right resources? What tooling must be deployed to support provisioning goals? What technical steps must be taken to ensure that the provisioning is as seamless as possible? There is the inevitable challenge of assigning responsibility and accountability in a changing infrastructure and operations environment, especially if the changes are substantial (e.g. a fundamental operating model shift, reoriented around the cloud). Staff may also need to familiarize themselves with cloud-based provisioning tools like Ansible, Terraform, or even CloudFormation.
    Migration The act of migrating is important as well. In some cases, the migration is as simple as configuring the new environment and turning it up (e.g. with a net new SaaS service). In other cases, the migration itself can be a substantial undertaking, involving large amounts of data, a complicated replatforming/refactoring, and/or a significant configuration exercise.

    Not all migration journeys are created equal, and challenges include a general lack of understanding of the requirements of a migration, the techniques that might be necessary to migrate to a particular cloud (there are many) and the disruption/risk associated with moving large amounts of data. All of these challenges must be considered as part of the overall cloud strategy, whether in terms of architectural principles or skill acquisition (or both!).

    Step 2.2

    Determine workload future state

    Activities

    2.2.1 Determine workload future state

    Conduct workload assessments

    Determine workload future state

    This step involves the following participants:

    • IT management
    • Core working group

    Outcomes of this step

    • Completed workload assessments
    • Defined workload future state

    2.2.1 Determine workload future state

    1-3 hours

    Input

    • Completed workload assessments

    Output

    • Preliminary future state outputs

    Materials

    • Cloud Vision Workbook
    • Cloud Vision Executive Presentation

    Participants

    • Core working group
    • Service owners
    • IT management
    1. After you’ve had a chance to validate your results, refer to tab 7 of the tool, where you will find a blank notes section.
    2. With the working group, capture your answers to each of the following questions:
      1. What service model is the most suitable for the workload? Why?
      2. How will we conduct the migration? Which of the six models makes the most sense? Do we have a backup plan if our primary plan doesn’t work out?
      3. What should the support model look like?
      4. What are some workload-specific risks and considerations that must be taken into account for the workload?
    3. Once you’ve got answers to each of these questions for each of the workloads, include your summary in the “notes” section of tab 7.

    Cloud Vision Executive Presentation

    Paste the output into the Cloud Vision Executive Presentation

    • The Cloud Vision Workbook output is a compact, consumable summary of each workload’s planned future state. Paste each assessment in as necessary.
    • There is no absolutely correct way to present the information, but the output is a good place to start. Do note that, while the presentation is designed to lead with the vision statement, because the process is workload-first, the assessments are populated prior to the overall vision in a bottom-up manner.
    • Be sure to anticipate the questions you are likely to receive from any stakeholders. You may consider preparing for questions like: “What other workloads fit this profile?” “What do we expect the impact on the budget to be?” “How long will this take?” Keep these and other questions in mind as you progress through the vision definition process.

    The image shows the Cloud Vision Workbook output, which was described in an annotated version in an earlier section.

    Info-Tech Insight

    Keep your audience in mind. You may want to include some additional context in the presentation if the results are going to be presented to non-technical stakeholders or those who are not familiar with the terms or how to interpret the outputs.

    Identify and Mitigate Risks

    Build the foundations of your cloud vision

    PHASE 3

    Phase 3

    Identify and Mitigate Risks

    Phase 1

    1.1 Generate goals and drivers

    1.2 Explore cloud characteristics

    1.3 Create a current state summary

    1.4 Select workloads for analysis

    Phase 2

    2.1 Conduct workload assessments

    2.2 Determine workload future states

    Phase 3

    3.1 Generate risks and roadblocks

    3.2 Mitigate risks and roadblocks

    3.3 Define roadmap initiatives

    Phase 4

    4.1 Review and assign work items

    4.2 Finalize cloud decision framework

    4.3 Create cloud vision

    This phase will walk you through the following activities:

    • Generate risks and roadblocks
    • Mitigate risks and roadblocks
    • Define roadmap initiatives

    This phase involves the following participants:

    • Core working group
    • Workload subject matter experts

    You know what you want to do, but what do you have to do?

    What questions remain unanswered?

    There are workload-level risks and roadblocks, and there are environment-level risks. This phase is focused primarily on environment-level risks and roadblocks, or those that are likely to span multiple workloads (but this is not hard and fast rule – anything that you deem worth discussing is worth discussing). The framework here calls for an open forum where all stakeholders – technical and non-technical, pro-cloud and anti-cloud, management and individual contributor – have an opportunity to articulate their concerns, however specific or general, and receive feedback and possible mitigation.

    Start by soliciting feedback. You can do this over time or in a single session. Encourage anyone with an opinion to share it. Focus on those who are likely to have a perspective that will become relevant at some point during the creation of the cloud strategy and the execution of any migration. Explain the preliminary direction; highlight any major changes that you foresee. Remind participants that you are not looking for solutions (yet), but that you want to make sure you hear any and every concern as early as possible. You will get feedback and it will all be valuable.

    Before cutting your participants loose, remind them that, as with all business decisions, the cloud comes with trade-offs. Not everyone will have every wish fulfilled, and in some cases, significant effort may be needed to get around a roadblock, risks may need to be accepted, and workloads that looked like promising candidates for one service model or another may not be able to realize that potential. This is a normal and expected part of the cloud vision process.

    Once the risks and roadblocks conversation is complete, it is the core working group’s job to propose and validate mitigations. Not every risk can be completely resolved, but the cloud has been around for decades – chances are someone else has faced a similar challenge and made it through relatively unscathed. That work will inevitably result in initiatives for immediate execution. Those initiatives will form the core of the initiative roadmap that accompanies the completed Cloud Vision Executive Presentation.

    Step 3.1

    Generate risks and roadblocks

    Activities

    3.1.1 Generate risks and roadblocks

    3.1.2 Generate mitigations

    Identify and mitigate risks

    Generate risks and roadblocks

    Mitigate risks and roadblocks

    Define roadmap initiatives

    This step involves the following participants:

    • Core working group
    • IT management
    • Infrastructure
    • Applications
    • Security
    • Architecture

    Outcomes of this step

    • List of risks and roadblocks

    Understand risks and roadblocks

    Risk

    • Something that could potentially go wrong.
    • You can respond to risks by mitigating them:
      • Eliminate: take action to prevent the risk from causing issues.
      • Reduce: take action to minimize the likelihood/severity of the risk.
      • Transfer: shift responsibility for the risk away from IT, towards another division of the company.
      • Accept: where the likelihood or severity is low, it may be prudent to accept that the risk could come to fruition.

    Roadblock

    • There are things that aren’t “risks” that we care about when migrating to the cloud.
    • We know, for example, that a complicated integration situation will create work items for any migration – this is not an “unknown.”
    • We respond to roadblocks by generating work items.

    3.1.1 Generate risks and roadblocks

    1.5 hours

    Input

    • Completed cloud vision assessments

    Output

    • List of risks and roadblocks

    Materials

    • Whiteboard
    • Sticky notes

    Participants

    • Core working group
    • Service owners/workload SMEs
    • Anyone with concerns about the cloud
    1. Gather your core working group – and really anyone with an intelligent opinion on the cloud – into a single meeting space. Give the group 5-10 minutes to list anything they think could present a difficulty in transitioning workloads to the cloud. Write each risk/roadblock on its own sticky note. You will never be 100% exhaustive, but don’t let anything your users care about go unaddressed.
    2. Once everyone has had time to write down their risks and roadblocks, have everyone share one by one. Make sure you get them all. Overlap in risks and roadblocks is okay! Group similar concerns together to give a sort of heat map of what your participants are concerned about. (This is called “affinity diagramming.”)
    3. Assign names to these categories. Many of these categories will align with the strategy components discussed in the previous phase (governance, security, etc.) but some will be specific whether by nature or by degree.
    4. Sort each of the individual risks into its respective category, collapsing any exact duplicates, and leaving room for notes and mitigations (see the next slide for a visual).

    Understand risks and roadblocks

    The image is two columns--on the left, the column is titled Affinity Diagramming. Below the title, there are many colored blocks, randomly arranged. There is an arrow pointing right, to the same coloured blocks, now sorted by colour. In the right column--titled Categorization--each colour has been assigned a category, with subcategories.

    Step 3.2

    Mitigate risks and roadblocks

    Activities

    3.2.1 Generate mitigations

    Identify and mitigate risks

    Generate risks and roadblocks

    Mitigate risks and roadblocks

    Define roadmap initiatives

    This step involves the following participants:

    • Core working group

    Outcomes of this step

    • List of mitigations

    Is the public cloud less secure?

    This is the key risk-related question that most cloud customers will have to answer at some point: does migrating to the cloud for some services increase their exposure and create a security problem?

    As with all good questions, the answer is “it depends.” But what does it depend on? Consider these cloud risks and potential mitigations:

    1. Misconfiguration: An error grants access to unauthorized parties (as happened to Capital One in 2019). This can be mitigated by careful configuration management and third-party tooling.
    2. Unauthorized access by cloud provider/partner employees: Though rare, it is possible that a cloud provider or partner can be a vector for a breach. Careful contract language, choosing to own your own encryption keys, and a hybrid approach (storing data on-premises) are some possible ways to address this problem.
    3. Unauthorized access to systems: Cloud services are designed to be accessed from anywhere and may be accessed by malicious actors. Possible mitigations include risk-based conditional access, careful identity access management, and logging and detection.

    “The cloud is definitely more secure in that you have much more control, you have much more security tooling, much more visibility, and much more automation. So it is more secure. The caveat is that there is more risk. It is easier to accidentally expose data in the cloud than it is on-premises, but, especially for security, the amount of tooling and visibility you get in cloud is much more than anything we’ve had in our careers on-premises, and that’s why I think cloud in general is more secure.” –Abdul Kittana, Founder, ASecureCloud

    Breach bests bank

    No cloud provider can protect against every misconfiguration

    Industry: Finance

    Source: The New York Times, CNET

    Background

    Capital One is a major Amazon Web Services customer and is even featured on Amazon’s site as a case study. That case study emphasizes the bank’s commitment to the cloud and highlights how central security and compliance were. From the CTO: “Before we moved a single workload, we engaged groups from across the company to build a risk framework for the cloud that met the same high bar for security and compliance that we meet in our on-premises environments. AWS worked with us every step of the way.”

    Complication

    The cloud migration was humming along until July 2019, when the bank suffered a serious breach at the hands of a hacker. That hacker was able to steal millions of credit card applications and hundreds of thousands of Social Security numbers, bank account numbers, and Canadian social insurance numbers.

    According to investigators and to AWS, the breach was caused by an open reverse proxy attack against a misconfigured web app firewall, not by an underlying vulnerability in the cloud infrastructure.

    Results

    Capital One reported that the breach was expected to cost it $150 million, and AWS fervently denied any blame. The US Senate got involved, as did national media, and Capital One’s CEO issued a public apology, writing, “I sincerely apologize for the understandable worry this incident must be causing those affected, and I am committed to making it right.”

    It was a bad few months for IT at Capital One.

    3.2.1 Generate mitigations

    3-4.5 hours

    Input

    • Completed cloud vision assessments

    Output

    • List of risks and roadblocks

    Materials

    • Whiteboard
    • Sticky notes

    Participants

    • Core working group
    • Service owners/workload SMEs
    • Anyone with concerns about the cloud
    1. Recall the four mitigation strategies: eliminate, reduce, transfer, or accept. Keep these in mind as you work through the list of risks and roadblocks with the core working group. For every individual risk or roadblock raised in the initial generation session, suggest a specific mitigation. If the concern is “SaaS providers having access to confidential information,” a mitigation might be encryption, specific contract language, or proof of certifications (or all the above).
    2. Work through this for each of the risks and roadblocks, identifying the steps you need to take that would satisfy your requirements as you understand them.
    3. Once you have gone through the whole list – ideally with input from SMEs in particular areas like security, engineering, and compliance/legal – populate the Cloud Vision Workbook (tab 8) with the risks, roadblocks, and mitigations (sorted by category). Review tab 8 for an example of the output of this exercise.

    Cloud Vision Workbook

    Cloud Vision Workbook – mitigations

    The image shows a large chart titled Risks, roadblocks, and mitigations, which has been annotated with notes.

    Step 3.3

    Define roadmap initiatives

    Activities

    3.3.1 Generate roadmap initiatives

    Identify and mitigate risks

    Generate risks and roadblocks

    Mitigate risks and roadblocks

    Define roadmap initiatives

    This step involves the following participants:

    • Core working group

    Outcomes of this step

    • Defined roadmap initiatives

    3.3.1 Generate roadmap initiatives

    1 hour

    Input

    • List of risk and roadblock mitigations

    Output

    • List of cloud initiatives

    Materials

    • Cloud Vision Workbook

    Participants

    • Core working group
    1. Executing on your cloud vision will likely require you to undertake some key initiatives, many of which have already been identified as part of your mitigation exercise. On tab 8 of the Cloud Vision Workbook, review the mitigations you created in response to the risks and roadblocks identified. Initiatives should generally be assignable to a party and should have a defined scope/duration. For example, “assess all net new applications for cloud suitability” might not be counted as an initiative, but “design a cloud application assessment” would likely be.
    2. Design a timeline appropriate for your specific needs. Generally short-term (less than 3 months), medium-term (3-6 months), and long-term (greater than 6 months) will work, but this is entirely based on preference.
    3. Review and validate the parameters with the working group. Consider creating additional color-coding (highlighting certain tasks that might be dependent on a decision or have ongoing components).

    Cloud Vision Workbook

    Bridge the gap and create the vision

    Build the foundations of your cloud vision

    Phase 4

    Phase 4

    Bridge the Gap and Create the Vision

    Phase 1

    1.1 Generate goals and drivers

    1.2 Explore cloud characteristics

    1.3 Create a current state summary

    1.4 Select workloads for analysis

    Phase 2

    2.1 Conduct workload assessments

    2.2 Determine workload future states

    Phase 3

    3.1 Generate risks and roadblocks

    3.2 Mitigate risks and roadblocks

    3.3 Define roadmap initiatives

    Phase 4

    4.1 Review and assign work items

    4.2 Finalize cloud decision framework

    4.3 Create cloud vision

    This phase will walk you through the following activities:

    • Assign initiatives and propose timelines
    • Build a delivery model rubric
    • Build a service model rubric
    • Built a support model rubric
    • Create a cloud vision statement
    • Map cloud workloads
    • Complete the Cloud Vision presentation

    This phase involves the following participants:

    • IT management, the core working group, security, infrastructure, operations, architecture, engineering, applications, non-IT stakeholders

    Step 4.1

    Review and assign work items

    Activities

    4.1.1 Assign initiatives and propose timelines

    Bridge the gap and create the vision

    Review and assign work items

    Finalize cloud decision framework

    Create cloud vision

    This step involves the following participants:

    • Core working group
    • IT management

    Outcomes of this step

    • Populated cloud vision roadmap

    4.1.1 Assign initiatives and propose timelines

    1 hour

    Input

    • List of cloud initiatives

    Output

    • Initiatives assigned by responsibility and timeline

    Materials

    • Cloud Vision Workbook

    Participants

    • Core working group
    1. Once the list is populated, begin assigning responsibility for execution. This is not a RACI exercise, so focus on the functional responsibility. Once you have determined who is responsible, assign a timeline and include any notes. This will form the basis of a more formal project plan.
    2. To assign the initiative to a party, consider 1) who will be responsible for execution and 2) if that responsibility will be shared. Be as specific as possible, but be sure to be consistent to make it easier for you to sort responsibility later on.
    3. When assigning timelines, we suggest including the end date (when you expect the project to be complete) rather than the start date, though whatever you choose, be sure to be consistent. Make use of the notes column to record anything that you think any other readers will need to be aware of in the future, or details that may not be possible to commit to memory.

    Cloud Vision Workbook

    Step 4.2

    Finalize cloud decision framework

    Activities

    4.2.1 Build a delivery model rubric

    4.2.2 Build a service model rubric

    4.2.3 Build a support model rubric

    Bridge the gap and create the vision

    Review and assign work items

    Finalize cloud decision framework

    Create cloud vision

    This step involves the following participants:

    • Core working group

    Outcomes of this step

    • Cloud decision framework

    4.2.1 Build a delivery model rubric

    1 hour

    Input

    • List of cloud initiatives

    Output

    • Initiatives assigned by responsibility and timeline

    Materials

    Participants

    • Core working group
    1. Now that we have a good understanding of the cloud’s key characteristics, the relative suitability of different workloads for the cloud, and a good understanding of some of the risks and roadblocks that may need to be overcome if a cloud transition is to take place, it is time to formalize a delivery model rubric. Start by listing the delivery models on a white board vertically – public, private, hybrid, and multi-cloud. Include a community cloud option as well if that is feasible for you. Strike any models that do not figure into your vision.
    2. Create a table style rubric for each delivery model. Confer with the working group to determine what characteristics best define workloads suitable for each model. If you have a hybrid cloud option, you may consider workloads that are highly dynamic; a private cloud hosted on-premises may be more suitable for workloads that have extensive regulatory requirements.
    3. Once the table is complete, include it in the Cloud Vision Executive Presentation.

    Cloud Vision Executive Presentation

    Vision for the cloud future state (example)

    Delivery model Decision criteria
    Public cloud
    • Public cloud is the primary destination for all workloads as the goal is to eliminate facilities and infrastructure management
    • Offers features, broad accessibility, and managed updates along with provider-managed facilities and hardware
    Legacy datacenter
    • Any workload that is not a good fit for the public cloud
    • Dependency (like a USB key for license validation)
    • Performance requirements (e.g. workloads highly sensitive to transaction thresholds)
    • Local infrastructure components (firewall, switches, NVR)

    Summary statement: Everything must go! Public cloud is a top priority. Anything that is not compatible (for whatever reason) with a public cloud deployment will be retained in a premises-based server closet (downgraded from a full datacenter). The private cloud does not align with the overall organizational vision, nor does a hybrid solution.

    4.2.2 Build a service model rubric

    1 hour

    Input

    • Output of workload assessments
    • Output of risk and mitigation exercise

    Output

    • Service model rubric

    Materials

    • Whiteboard
    • Cloud Vision Executive Presentation

    Participants

    • Core working group
    1. This next activity is like the delivery model activity, but covers the relevant cloud service models. On a whiteboard, make a vertical list of the cloud service models (SaaS, PaaS, IaaS, etc.) that will be considered for workloads. If you have an order of preference, place your most preferred at the top, your least preferred at the bottom.
    2. Describe the circumstances under which you would select each service model. Do your best to focus on differentiators. If a decision criterion appears for multiple service models, consider refining or excluding it. (For additional information, check out Info-Tech’s Reimagine IT Operations for a Cloud-First World blueprint.)
    3. Create a summary statement to capture your overall service model position. See the next slide for an example. Note: this can be incorporated into your cloud vision statement, so be sure that it reflects your genuine cloud preferences.
    4. Record the results in the Cloud Vision Executive Presentation.

    Cloud Vision Executive Presentation

    Vision for the cloud future state (example)

    Service model Decision criteria
    SaaS

    SaaS first; opt for SaaS when:

    • A SaaS option exists that meets all key business requirements
    • There is a strong desire to have someone else (the vendor) manage infrastructure components/the platform
    • Not particularly sensitive to performance thresholds
    • The goal is to transition management of the workload outside of IT
    • SaaS is the only feasible way to consume the desired service
    PaaS
    • Highly customized service/workload – SaaS not feasible
    • Still preferable to offload as much management as possible to third parties
    • Customization required, but not at the platform level
    • The workload is built using a standard framework
    • We have the time/resources to replatform
    IaaS
    • Service needs to be lifted and shifted out of the datacenter quickly
    • Customization is required at the platform level/there is value in managing components
    • There is no need to manage facilities
    • Performance is not impacted by hosting the workload offsite
    • There is value in right-sizing the workload over time
    On-premises Anything that does not fit in the cloud for performance or other reasons (e.g. licensing key)

    Summary statement: SaaS will be the primary service model. All workloads will migrate to the public cloud where possible. Anything that cannot be migrated to SaaS will be migrated to PaaS. IaaS is a transitory step.

    4.2.3 Build a support model rubric

    1 hour

    Input

    • Results of the cloud workload assessments

    Output

    • Support model rubric

    Materials

    • Whiteboard
    • Cloud Vision Executive Presentation

    Participants

    • Core working group
    1. The final rubric covered here is that for the support model. Where will you procure the skills necessary to ensure the vision’s proper execution? Much like the other rubric activities, write the three support models vertically (in order of preference, if you have one) on a whiteboard.
    2. Next to each model, describe the circumstances under which you would select each support model. Focus on the dimensions: the duration of the engagement, specialization required, and flexibility required. If you have existing rules/practices around hiring consultants/MSPs, consider those as well.
    3. Once you have a good list of decision criteria, form a summary statement. This should encapsulate your position on support models and should mention any notable criteria that will contribute to most decisions.
    4. Record the results in the Cloud Vision Executive Presentation.

    Cloud Vision Executive Presentation

    Vision for the cloud future state (example)

    Support model Decision criteria
    Internal IT

    The primary support model will be internal IT going forward

    • Chosen where the primary work required is administrative
    • Where existing staff can manage the service in the cloud easily and effectively
    • Where the chosen solution fits the SaaS service model
    Consultant
    • Where the work required is time-bound (e.g. a migration/refactoring exercise)
    • Where the skills do not exist in house, and where the skills cannot easily be procured (specific technical expertise required in areas of the cloud unfamiliar to staff)
    • Where opportunities for staff to learn from consultant SMEs are valuable
    • Where ongoing management and maintenance can be handled in house
    MSP
    • Where an ongoing relationship is valued
    • Where ongoing administration and maintenance are disproportionately burdensome on IT staff (or where this administration and maintenance is likely to be burdensome)
    • Where the managed services model has already been proven out
    • Where specific expertise in an area of technology is required but this does not rise to the need to hire an FTE (e.g. telephony)

    Summary statement: Most workloads will be managed in house. A consultant will be employed to facilitate the transition to micro-services in a cloud container environment, but this will be transitioned to in-house staff. An MSP will continue to manage backups and telephony.

    Step 4.3

    Create cloud vision

    Activities

    4.3.1 Create a cloud vision statement

    4.3.2 Map cloud workloads

    4.3.3 Complete the Cloud Vision Presentation

    Review and assign work items

    Finalize cloud decision framework

    Create cloud vision

    This step involves the following participants:

    • Core working group
    • IT management

    Outcomes of this step

    Completed Cloud Vision Executive Presentation

    4.3.1 Create a cloud vision statement

    1 hour

    Input

    • List of cloud initiatives

    Output

    • Initiatives assigned by responsibility and timeline

    Materials

    • Cloud Vision Workbook

    Participants

    • Core working group
    1. Now that you know what service models are appropriate, it’s time to summarize your cloud vision in a succinct, consumable way. A good vision statement should have three components:
      • Scope: Which parts of the organization will the strategy impact?
      • Goal: What is the strategy intended to accomplish?
      • Key differentiator: What makes the new strategy special?
    2. On a whiteboard, make a chart with three columns (one column for each of the features of a good mission statement). Have the group generate a list of words to describe each of the categories. Ideally, the group will produce multiple answers for each category.
    3. Once you’ve gathered a few different responses for each category, have the team put their heads down and generate pithy mission statements that capture the sentiments underlying each category.
    4. Have participants read their vision statements in front of the group. Use the rest of the session to produce a final statement. Record the results in the Cloud Strategy Executive Presentation.

    Example vision statement outputs

    “IT at ACME Corp. hereby commits to providing clients and end users with an unparalleled, productivity-enabling technology experience, leveraging, insofar as it is possible and practical, cloud-based services.”

    “At ACME Corp. our employees and customers are our first priority. Using new, agile cloud services, IT is devoted to eliminating inefficiency, providing cutting-edge solutions for a fast-paced world, and making a positive difference in the lives of our colleagues and the people we serve.”

    As a global leader in technology, ACME Corp. is committed to taking full advantage of new cloud services, looking first to agile cloud options to optimize internal processes wherever efficiency gaps exist. Improved efficiency will allow associates to spend more time on ACME’s core mission: providing an unrivalled customer experience.”

    Scope

    Goal

    Key differentiator

    4.3.2 Map cloud workloads

    1 hour

    Input

    • List of workloads
    • List of acceptable service models
    • List of acceptable migration paths

    Output

    • Workloads mapped by service model/migration path

    Materials

    • Whiteboard
    • Sticky notes

    Participants

    • Core working group
    1. Now that you have defined your overall cloud vision as well as your service model options, consider aligning your service model preferences with your migration path preferences. Draw a table with your expected migration strategies across the top (retain, retire, rehost, replatform, refactor, repurchase, or some of these) and your expected service models across the side.
    2. On individual sticky notes, write a list of workloads in your environment. In a smaller environment, this list can be exhaustive. Otherwise take advantage of the list you created as part of phase 1 along with any additional workloads that warrant discussion.
    3. As a group, go through the list, placing the sticky notes first in the appropriate row based on their characteristics and the decision criteria that have already been defined, and then in the appropriate column based on the appropriate migration path. (See the next slide for an example of what this looks like.)
    4. Record the results in the Cloud Vision Executive Presentation. Note: not every cell will be filled; some migration path/service model combinations are impossible or otherwise undesirable.

    Cloud Vision Executive Presentation

    Example cloud workload map

    Repurchase Replatform Rehost Retain
    SaaS

    Office suite

    AD

    PaaS SQL Database
    IaaS File Storage DR environment
    Other

    CCTV

    Door access

    4.3.3 Complete the Cloud Vision Presentation

    1 hour

    Input

    • List of cloud initiatives

    Output

    • Initiatives assigned by responsibility and timeline

    Materials

    • Cloud Vision Workbook

    Participants

    • Core working group
    1. Open the Cloud Vision Executive Presentation to the second slide and review the templated executive brief. This comprises several sections (see the next slide). Populate each one:
      • Summary of the exercise
      • The cloud vision statement
      • Key cloud drivers
      • Risks and roadblocks
      • Top initiatives and next steps
    2. Review the remainder of the presentation. Be sure to elaborate on any significant initiatives and changes (where applicable) and to delete any slides that you no longer require.

    Cloud Vision Workbook

    Sample cloud vision executive summary

    • From [date to date], a cross-functional group representing IT and its constituents met to discuss the cloud.
    • Over the course of the week, the group identified drivers for cloud computing and developed a shared vision, evaluated several workloads through an assessment framework, identified risks, roadblocks, and mitigations, and finally generated initiatives and next steps.
    • From the process, the group produced a summary and a cloud suitability assessment framework that can be applied at the level of the workload.

    Cloud Vision Statement

    [Organization] will leverage public cloud solutions and retire existing datacenter and colocation facilities. This transition will simplify infrastructure administration, support, and security, while modernizing legacy infrastructure and reducing the need for additional capital expenditure.

    Cloud Drivers Retire the datacenter Do more valuable work
    Right-size the environment Reduce CapEx
    Facilitate ease of mgmt. Work from anywhere
    Reduce capital expenditure Take advantage of elasticity
    Performance and availability Governance Risks and roadblocks
    Security Rationalization
    Cost Skills
    Migration Remaining premises resources
    BC, backup, and DR Control

    Initiatives and next steps

    • Close the datacenter and colocation site in favor of a SaaS-first cloud approach.
    • Some workloads will migrate to infrastructure-as-a-service in the short term with the assistance of third-party consultants.

    Document your cloud strategy

    You did it!

    Congratulations! If you’ve made it this far, you’ve successfully articulated a cloud vision, assessed workloads, developed an understanding (shared with your team and stakeholders) of cloud concepts, and mitigated risks and roadblocks that you may encounter along your cloud journey. From this exercise, you should understand your mission and vision, how your cloud plans will interact with any other relevant strategic plans, and what successful execution looks like, as well as developing a good understanding of overall guiding principles. These are several components of your overall strategy, but they do not comprise the strategy in its entirety.

    How do you fix this?

    First, validate the results of the vision exercise with your stakeholders. Socialize it and collect feedback. Make changes where you think changes should be made. This will become a key foundational piece. The next step is to formally document your cloud strategy. This is a separate project and is covered in the Info-Tech blueprint Document Your Cloud Strategy.

    The vision exercise tells you where you want to go and offers some clues as to how to get there. The formal strategy exercise is a formal documentation of the target state, but also captures in detail the steps you’ll need to take, the processes you’ll need to refine, and the people you’ll need to hire.

    A cloud strategy should comprise your organizational stance on how the cloud will change your approach to people and human resources, technology, and governance. Once you are confident that you can make and enforce decisions in these areas, you should consider moving on to Document Your Cloud Strategy. This blueprint, Define Your Cloud Vision, often serves as a prerequisite for the strategy documentation conversation(s).

    Appendix

    Summary of Accomplishment

    Additional Support

    Research Contributors

    Related Info-Tech Research

    Vendor Resources

    Bibliography

    Summary of Accomplishment

    Problem Solved

    You have now documented what you want from the cloud, what you mean when you say “cloud,” and some preliminary steps you can take to make your vision a reality.

    You now have at your disposal a framework for identifying and evaluating candidates for their cloud suitability, as well as a series of techniques for generating risks and mitigations associated with your cloud journey. The next step is to formalize your cloud strategy using the takeaways from this exercise. You’re well on your way to a completed cloud strategy!

    If you would like additional support, have our analysts guide you through other phases as part of an Info-Tech workshop.

    Contact your account representative for more information.

    workshops@infotech.com

    1-888-670-8889

    Additional Support

    If you would like additional support, have our analysts guide you through other phases as part of an Info-Tech Workshop.

    Contact your account representative for more information.

    workshops@infotech.com 1-888-670-8889

    To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.

    Info-Tech analysts will join you and your team at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.

    The following are sample activities that will be conducted by Info-Tech analysts with your team:

    Generate drivers for cloud adoption

    Work with stakeholders to understand the expected benefits of the cloud migration and how these drivers will impact the overall vision.

    Conduct workload assessments

    Assess your individual cloud workloads for their suitability as candidates for the cloud migration.

    Bibliography

    “2021 State of the Cloud Report.” Flexera, 2021. Web.

    “2021 State of Upskilling Report.” Pluralsight, 2021. Web.

    “AWS Snowmobile.” Amazon Web Services, n.d. Web.

    “Azure products.” Microsoft, n.d. Web.

    “Azure Migrate Documentation.” Microsoft, n.d. Web.

    Bell, Harold. “Multi-Cloud vs. Hybrid Cloud: What’s the Difference?” Nutanix, 2019. Web.

    “Cloud Products.” Amazon Web Services, n.d. Web.

    “COBIT 2019 Framework: Introduction and Methodology.” ISACA, 2019. Web.

    Edmead, Mark T. “Using COBIT 2019 to Plan and Execute an Organization’s Transformation Strategy.” ISACA, 2020. Web.

    Flitter, Emily, and Karen Weise. “Capital One Data Breach Compromises Data of Over 100 Million.” The New York Times, 29 July 2019. Web.

    Gillis, Alexander S. “Cloud Security Posture Management (CSPM).” TechTarget, 2021. Web.

    “’How to Cloud’ with Capital One.” Amazon Web Services, n.d. Web.

    “IBM Closes Landmark Acquisition of Red Hat for $34 Billion; Defines Open, Hybrid Cloud Future.” Red Hat, 9 July 2019. Web.

    Mell, Peter, and Timothy Grance. “The NIST Definition of Cloud Computing.” National Institute of Standards and Technology, Sept. 2011. Web.

    Ng, Alfred. “Amazon Tells Senators it Isn't to Blame for Capital One Breach.” CNET, 2019. Web.

    Orban, Stephen. “6 Strategies for Migrating Applications to the Cloud.” Amazon Web Services, 2016. Web.

    Sullivan, Dan. “Cloud Access Security Broker (CASB).” TechTarget, 2021. Web.

    “What Is Secure Access Service Edge (SASE)?” Cisco, n.d. Web.

    Choose a Right-Sized Contact Center Solution

    • Buy Link or Shortcode: {j2store}334|cart{/j2store}
    • member rating overall impact (scale of 10): 10.0/10 Overall Impact
    • member rating average dollars saved: $25,535 Average $ Saved
    • member rating average days saved: 18 Average Days Saved
    • Parent Category Name: Strategy and Organizational Design
    • Parent Category Link: /strategy-and-organizational-design
    • IT needs a method to pinpoint which contact center solution best aligns with business objectives, adapting to a post-COVID world of remote work, flexibility, and scalability.
    • Scoring RFP and RFQ proposals is a complex process, and it is difficult to map and gap without a clear view of the organization’s needs. SOWs can contain pitfalls that cause expensive headaches for the organization in the long run. Guidance through a SOW is required to best represent the organization’s interests.

    Our Advice

    Critical Insight

    • “On-premises versus cloud” is a false dichotomy. Contact center architectures come in all shapes and sizes, and organizations should discern whether a hybrid option best meets their needs.
    • Contact centers should service customers – not capabilities. Capabilities must work for you, your agents, and your customers – not the other way around.
    • Deliverables and responsibilities should be a contract’s focal point. While organizations are right to focus on avoiding unanticipated license charges, it is more important to clearly define how deliverables and responsibilities will be divided among the organization, the vendor, and potential third parties.

    Impact and Result

    • Assess the array of contact center architectures with Info-Tech’s Contact Center Decision Points Tool to select a right-sized solution.
    • Build business requirements in a formalized process to achieve stakeholder buy-in.
    • Use Info-Tech’s Contact Center RFP Scoring Tool to evaluate and choose from a range of vendors.
    • Successfully navigate and avoid major pitfalls in a SOW construction.
    • Justify each stage of the process with this blueprint’s key deliverable: the Contact Center Playbook.

    Choose a Right-Sized Contact Center Solution Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to examine the current contact center marketspace, review Info-Tech’s methodology for choosing a right-sized contact center solution, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Assess Contact Center Architectures

    Establish your project vision and metrics of success before shortlisting potential contact center architectures and deciding which is right-sized for the organization.

    • Choose a Right-Sized Contact Center Solution – Phase 1: Assess Contact Center Architectures
    • Contact Center Playbook
    • Contact Center Decision Points Tool

    2. Gather Requirements and Shortlist Vendors

    Build business requirements to achieve stakeholder buy-in, define key deliverables, and issue an RFP/RFQ to shortlisted vendors.

    • Choose a Right-Sized Contact Center Solution – Phase 2: Gather Requirements and Shortlist Vendors
    • Requirements Gathering Documentation Tool
    • Lean RFP Template
    • Contact Center Business Requirements Document
    • Request for Quotation Template
    • Long-Form RFP Template

    3. Score Vendors and Construct SOW

    Score RFP/RFQ responses and decide upon a vendor before constructing a SOW.

    • Choose a Right-Sized Contact Center Solution – Phase 3: Score Vendors and Construct SOW
    • Contact Center RFP Scoring Tool
    • Contact Center SOW Template and Guide
    [infographic]

    Workshop: Choose a Right-Sized Contact Center Solution

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Assess Architecture

    The Purpose

    Shortlist and decide upon a right-sized contact center architecture.

    Key Benefits Achieved

    A high-level decision for a right-sized architecture

    Activities

    1.1 Define vision and mission statements.

    1.2 Identify infrastructure metrics of success.

    1.3 Confirm key performance indicators for contact center operations.

    1.4 Complete architecture assessment.

    1.5 Confirm right-sized architecture.

    Outputs

    Project outline

    Metrics of success

    KPIs confirmed

    Quickly narrow down right-sized architecture

    Decision on right-sized contact center architecture

    2 Gather Requirements

    The Purpose

    Build business requirements and define key deliverables to achieve stakeholder buy-in and shortlist potential vendors.

    Key Benefits Achieved

    Key deliverables defined and a shortlist of no more than five vendors

    Sections 7-8 of the Contact Center Playbook completed

    Activities

    2.1 Hold focus groups with key stakeholders.

    2.2 Gather business, nonfunctional, and functional requirements.

    2.3 Define key deliverables.

    2.4 Shortlist five vendors that appear meet those requirements.

    Outputs

    User requirements identified

    Business Requirements Document completed

    Key deliverables defined

    Shortlist of five vendors

    3 Initial Vendor Scoring

    The Purpose

    Compare and evaluate shortlisted vendors against gathered requirements.

    Key Benefits Achieved

    Have a strong overview of which vendors are preferred for issuing RFP/RFQ

    Section 9 of the Contact Center Playbook

    Activities

    3.1 Input requirements to the Contact Center RFP Scoring Tool. Define which are mandatory and which are desirable.

    3.2 Determine which vendors best meet requirements.

    3.3 Compare requirements met with anticipated TCO.

    3.4 Compare and rank vendors.

    Outputs

    An assessment of requirements

    Vendor scoring

    A holistic overview of requirements scoring and vendor TCO

    An initial ranking of vendors to shape RFP process after workshop end

    4 SOW Walkthrough

    The Purpose

    Walk through the Contact Center SOW Template and Guide to identify how much time to allocate per section and who will be responsible for completing it.

    Key Benefits Achieved

    An understanding of a SOW that is designed to avoid major pitfalls with vendor management

    Section 10 of the Contact Center Playbook

    Activities

    4.1 Get familiar with the SOW structure.

    4.2 Identify which sections will demand greater time allocation.

    4.3 Strategize how to avoid potential pitfalls.

    4.4 Confirm reviewer responsibilities.

    Outputs

    A broad understanding of a SOW’s key sections

    A determination of how much time should be allocated for reviewing major sections

    A list of ways to avoid major pitfalls with vendor management

    A list of reviewers, the sections they are responsible for reviewing, and their time allocation for their review

    5 Communicate and Implement

    The Purpose

    Finalize deliverables and plan post-workshop communications.

    Key Benefits Achieved

    A completed Contact Center Playbook that justifies each decision of this workshop

    Activities

    5.1 Finalize deliverables.

    5.2 Support communication efforts.

    5.3 Identify resources in support of priority initiatives.

    Outputs

    Contact Center Playbook delivered

    Post-workshop engagement to confirm satisfaction

    Follow-up research that complements the workshop or leads workshop group in relevant new directions

    Manage Poor Performance While Working From Home

    • Buy Link or Shortcode: {j2store}599|cart{/j2store}
    • member rating overall impact (scale of 10): 9.0/10 Overall Impact
    • member rating average dollars saved: $1,600 Average $ Saved
    • member rating average days saved: 18 Average Days Saved
    • Parent Category Name: Manage & Coach
    • Parent Category Link: /manage-coach
    • For many, emergency WFH comes with several new challenges such as additional childcare responsibilities, sudden changes in role expectations, and negative impacts on wellbeing. These new challenges, coupled with previously existing ones, can result in poor performance. Owing to the lack of physical presence and cues, managers may struggle to identify that an employee’s performance is suffering. Even after identifying poor performance, it can be difficult to address remotely when such conversations would ideally be held in person.

    Our Advice

    Critical Insight

    • Poor performance must be managed, despite the pandemic. Evaluating root causes of performance issues is more important than ever now that personal factors such as lack of childcare and eldercare for those working from home are complicating the issue.

    Impact and Result

    • Organizations need to have a clear process for improving performance for employees working remotely during the COVID-19 pandemic. Provide managers with resources to help them identify performance issues and uncover their root causes as part of addressing overall performance. This will allow managers to connect employees with the required support while working with them to improve performance.

    Manage Poor Performance While Working From Home Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Follow the remote performance improvement process

    Determine how managers can identify poor performance remotely and help them navigate the performance improvement process while working from home.

    • Manage Poor Performance While Working From Home Storyboard
    • Manage Poor Performance While Working From Home: Manager Guide
    • Manage Poor Performance While Working From Home: Infographic

    2. Clarify roles and leverage resources

    Clarify roles and responsibilities in the performance improvement process and tailor relevant resources.

    • Wellness and Working From Home
    [infographic]

    Further reading

    Manage Poor Performance While Working From Home

    Assess and improve remote work performance with our ready-to-use tools.

    Executive Summary

    McLean & Company Insight

    Poor performance must be managed, despite the pandemic. Evaluating root causes of performance issues is more important than ever now that personal factors such as lack of childcare and eldercare for those working from home are complicating the issue.

    Situation

    COVID-19 has led to a sudden shift to working from home (WFH), resulting in a 72% decline in in-office work (Ranosa, 2020). While these uncertain times have disrupted traditional work routines, employee performance remains critical, as it plays a role in determining how organizations recover. Managers must not turn a blind eye to performance issues but rather must act quickly to support employees who may be struggling.

    Complication

    For many, emergency WFH comes with several new challenges such as additional childcare responsibilities, sudden changes in role expectations, and negative impacts on wellbeing. These new challenges, coupled with previously existing ones, can result in poor performance. Owing to the lack of physical presence and cues, managers may struggle to identify that an employee’s performance is suffering. Even after identifying poor performance, it can be difficult to address remotely when such conversations would ideally be held in person.

    Solution

    Organizations need to have a clear process for improving performance for employees working remotely during the COVID-19 pandemic. Provide managers with resources to help them identify performance issues and uncover their root causes as part of addressing overall performance. This will allow managers to connect employees with the required support while working with them to improve performance.

    Manage Poor Performance While Working From Home is made up of the following resources:

    1

    Identify

    2

    Initiate

    3

    Deploy

    4

    a) Follow Up
    b) Decide
    Storyboard

    This storyboard is organized by the four steps of the performance improvement process: identify, initiate, deploy, and follow up/decide. These will appear on the left-hand side of the slides as a roadmap.

    The focus is on how HR can design the process for managing poor performance remotely and support managers through it while emergency WFH measures are in place. Key responsibilities, email templates, and relevant resources are included at the end.

    Adapt the process as necessary for your organization.

    Manager Guide

    The manager guide contains detailed advice for managers on navigating the process and focuses on the content of remote performance discussions.

    It consists of the following sections:

    • Identifying poor performance.
    • Conducting performance improvement discussions.
    • Uncovering and addressing root causes of poor performance.
    Manager Infographic

    The manager infographic illustrates the high-level steps of the performance improvement process for managers in a visually appealing and easily digestible manner.

    This can be used to easily outline the process, providing managers with a resource to quickly reference as they navigate the process with their direct reports.

    In this blueprint, “WFH” and “remote working” are used interchangeably.

    This blueprint will not cover the performance management framework; it is solely focused on managing performance issues.

    For information on adjusting the regular performance management process during the pandemic, see Performance Management for Emergency Work-From-Home.

    Identify how low performance is normally addressed

    A process for performance improvement is not akin to outlining the steps of a performance improvement plan (PIP). The PIP is a development tool used within a larger process for performance improvement. Guidance on how to structure and use a PIP will be provided later in this blueprint.

    Evaluate how low performance is usually brought to the attention of HR in a non-remote situation:
    • Do managers approach HR for an employee transfer or PIP without having prior performance conversations with the employee?
    • Do managers come to HR when they need support in developing an employee in order to meet expectations?
    • Do managers proactively reach out to HR to discuss appropriate L&D for staff who are struggling?
    • Do some departments engage with the process while others do not?
    Poor performance does not signal the immediate need to terminate an employee. Instead, managers should focus on helping the struggling employee to develop so that they may succeed.
    Evaluate how poor performance is determined:
    • Do managers use performance data or concrete examples?
    • Is it based on a subjective assessment by the manager?
    Keep in mind that “poor performance” now might look different than it did before the pandemic. Employees must be aware of the current expectations placed on them before they can be labeled as underperforming – and the performance expectations must be assessed to ensure they are realistic.

    For information on adjusting performance expectations during the pandemic, see Performance Management for Emergency Work-From-Home.

    The process for non-union and union employees will likely differ. Make sure your process for unionized employees aligns with collective agreements.

    Determine how managers can identify poor performance of staff working remotely

    1

    Identify

    2

    Initiate

    3

    Deploy

    4

    a) Follow Up
    b) Decide
    Identify: Determine how managers can identify poor performance.
    In person, it can be easy to see when an employee is struggling by glancing over at their desk and observing body language. In a remote situation, this can be more difficult, as it is easy to put on a brave face for the half-hour to one-hour check-in. Advise managers on how important frequent one-one-ones and open communication are in helping identify issues when they arise rather than when it’s too late.

    Managers must clearly document and communicate instances where employees aren’t meeting role expectations or are showing other key signs that they are not performing at the level expected of them.

    What to look for:
    • PM data/performance-related assessments
    • Continual absences
    • Decreased quality or quantity of output
    • Frequent excuses (e.g. repeated internet outages)
    • Lack of effort or follow-through
    • Missed deadlines
    • Poor communication or lack of responsiveness
    • Failure to improve
    It’s crucial to acknowledge an employee might have an “off week” or need time to adjust to working from home, which can be addressed with performance management techniques. Managers should move into the process for performance improvement when:
    • Performance fluctuates frequently or significantly.
    • Performance has dropped for an extended period of time.
    • Expectations are consistently not being met.

    While it’s important for managers to keep an eye out for decreased performance, discourage them from over-monitoring employees, as this can lead to a damaging environment of distrust.

    Support managers in initiating performance conversations and uncovering root causes

    1

    Identify

    2

    Initiate

    3

    Deploy

    4

    a) Follow Up
    b) Decide
    Initiate: Require that managers have several conversations about low performance with the employee.
    Before using more formal measures, ensure managers take responsibility for connecting with the employee to have an initial performance conversation where they will make the performance issue known and try to diagnose the root cause of the issue.

    Coach managers to recognize behaviors associated with the following performance inhibitors:

    Personal Factors

    Personal factors, usually outside the workplace, can affect an employee’s performance.

    Lack of clarity

    Employees must be clear on performance expectations before they can be labeled as a poor performer.

    Low motivation

    Lack of motivation to complete work can impact the quality of output and/or amount of work an employee is completing.

    Inability

    Resourcing, technology, organizational change, or lack of skills to do the job can all result in the inability of an employee to perform at their best.

    Poor people skills

    Problematic people skills, externally with clients or internally with colleagues, can affect an employee’s performance or the team’s engagement.

    Personal factors are a common performance inhibitor due to emergency WFH measures. The decreased divide between work and home life and the additional stresses of the pandemic can bring up new cases of poor performance or exacerbate existing ones. Remind managers that all potential root causes should still be investigated rather than assuming personal factors are the problem and emphasize that there can be more than one cause.

    Ensure managers continue to conduct frequent performance conversations

    Once an informal conversation has been initiated, the manager should schedule frequent one-on-one performance conversations (above and beyond performance management check-ins).

    1

    Identify

    2

    Initiate

    3

    Deploy

    4

    a) Follow Up
    b) Decide
    Explain to managers the purpose of these discussions is to:
    • Continue to probe for root causes.
    • Reinforce role expectations and performance targets.
    • Follow up on any improvements.
    • Address the performance issue and share relevant resources (e.g. HR or employee assistance program [EAP]).
    Given these conversations will be remote, require managers to:
    • Use video whenever possible to read physical cues and body language.
    • Bookend the conversation. Starting each meeting by setting the context for the discussion and finishing with the employee reiterating the key takeaways back will ensure there are no misunderstandings.
    • Document the conversation and share with HR. This provides evidence of the conversations and helps hold managers accountable.
    What is HR’s role? HR should ensure that the manager has had multiple conversations with the employee before moving to the next step. Furthermore, HR is responsible for ensuring manages are equipped to have the conversations through coaching, role-playing, etc.

    For more information on the content of these conversations or for material to leverage for training purposes, see Manage Poor Performance While Working From Home: Manager Guide.

    McLean & Company Insight

    Managers are there to be coaches, not therapists. Uncovering the root cause of poor performance will allow managers to pinpoint supports needed, either within their expertise (e.g. coaching, training, providing flexible hours) or by directing the employee to proper external resources such as an EAP.

    Help managers use formal performance improvement tools with remote workers

    1

    Identify

    2

    Initiate

    3

    Deploy

    4

    a) Follow Up
    b) Decide
    Deploy: Use performance improvement tools.
    If initial performance conversations were unsuccessful and performance does not improve, refer managers to performance improvement tools:
    • Suggest any other available support and resources they have not yet recommended (e.g. EAP).
    • Explore options for co-creation of a development plan to increase employee buy-in. If the manager has been diligent about clarifying role expectations, invite the employee to put together their own action plan for meeting performance goals. This can then be reviewed and finalized with the manager.
    • Have the manager use a formal PIP for development and to get the employee back on track. Review the development plan or PIP with the manager before they share it with the employee to ensure it is clear and has time bound, realistic goals for improvement.
    Using a PIP solely to avoid legal trouble and terminate employees isn’t true to its intended purpose. This is what progressive discipline is for.In the case of significant behavior problems, like breaking company rules or safety violations, the manager will likely need to move to progressive discipline. HR should advise managers on the appropriate process.

    When does the issue warrant progressive discipline? If the action needs to stop immediately, (e.g. threatening or inappropriate behavior) and/or as outlined in the collective agreement.

    Clarify remote PIP stages and best practices

    1

    Identify

    2

    Initiate

    3

    Deploy

    4

    a) Follow Up
    b) Decide
    Sample Stages:
    1. Written PIP
    • HR reviews and signs off on PIP
    • Manager holds meeting to provide employee with PIP
    • Employee reviews the PIP
    • Manager and employee provide e-signatures
    • Signed PIP is given to HR
    2. Possible Extension
    3. Final Notice
    • Manager provides employee with final notice if there has been no improvement in agreed time frame
    • Copy of signed final notice letter given to HR

    Who is involved?

    The manager runs the meeting with the employee. HR should act as a support by:

    • Ensuring the PIP is clear, aligned with the performance issue, and focused on development, prior to the meeting.
    • Pointing to resources and making themselves available prior to, during, and after the meeting.
      • When should HR be involved? HR should be present in the meeting if the manager has requested it or if the employee has approached HR beforehand with concerns about the manager. Keep in mind that if the employee sees HR has been unexpectedly invited to the video call, it could add extra stress for them.
    • Reviewing documentation and ensuring expectations and the action plan are reasonable and realistic.

    Determine the length of the PIP

    • The length of the initial PIP will often depend on the complexity of the employee’s role and how long it will reasonably take to see improvements. The minimum (before a potential extension) should be 30-60 days.
    • Ensure the action plan takes sustainment into account. Employees must be able to demonstrate improvement and sustain improved performance in order to successfully complete a PIP.

    Timing of delivery

    Help the manager determine when the PIP meeting will occur (what day, time of day). Take into account the schedule of the employee they will be meeting with (e.g. avoid scheduling right before an important client call).

    1

    Identify

    2

    Initiate

    3

    Deploy

    4

    a) Follow Up
    b) Decide

    Follow up: If the process escalated to step 3 and is successful.

    What does success look like? Performance improvement must be sustained after the PIP is completed. It’s not enough to simply meet performance improvement goals and expectations; the employee must continue to perform.

    Have the manager schedule a final PIP review with the employee. Use video, as this enables the employee and manager to read body language and minimize miscommunication/misinterpretation.

    • If performance expectations have been met, instruct managers to document this in the PIP, inform the employee they are off the PIP, and provide it to HR.

    The manager should also continue check-ins with the employee to ensure sustainment and as part of continued performance management.

    • Set a specific timeline, e.g. every two weeks or every month. Choose a cadence that works best for the manager and employee.

    OR

    Decide: Determine action steps if the process is unsuccessful.

    If at the end of step 3 performance has not sufficiently improved, the organization (HR and the manager) should either determine if the employee could/should be temporarily redeployed while the emergency WFH is still in place, if a permanent transfer to a role that is a better fit is an option, or if the employee should be let go.

    See the Complete Manual for COVID-19 Layoffs blueprint for information on layoffs in remote environments.

    Managers, HR, and employees all have a role to play in performance improvement

    Managers
    • Identify the outcomes the organization is looking for and clearly outline and communicate the expectations for the employee’s performance.
    • Diagnose root cause(s) of the performance issue.
    • Support employee through frequent conversations and feedback.
    • Coach for improved performance.
    • Visibly recognize and broadcast employee achievements.
    Employees
    • Have open and honest conversations with their manager, acknowledge their accountability, and be receptive to feedback.
    • Set performance goals to meet expectations of the role.
    • Prepare for frequent check-ins regarding improvement.
    • Seek support from HR as required.
    HR
    • Provide managers with a process, training, and support to improve employee performance.
    • Coach managers to ensure employees have been made aware of their role expectations and current performance and given specific recommendations on how to improve.
    • Reinforce the process for improving employee performance to ensure that adequate coaching conversations have taken place before the formal PIP.
    • Coach employees on how to approach their manager to discuss challenges in meeting expectations.

    HR should conduct checkpoints with both managers and employees in cases where a formal PIP was initiated to ensure the process for performance improvement is being followed and to support both parties in improving performance.

    Email templates

    Use the templates found on the next slides to draft communications to employees who are underperforming while working from home.

    Customize all templates with relevant information and use them as a guide to further tailor your communication to a specific employee.

    Customization Recommendations

    Review all slides and adjust the language or content as needed to suit the needs of the employee, the complexity of their role, and the performance issue.

    • The pencil icon to the left denotes slides requiring customization of the text. Customize text in grey font and be sure to convert all font to black when you are done.

    Included Templates

    1. Performance Discussion Follow-Up
    2. PIP Cover Letter

    This template is not a substitute for legal advice. Ensure you consult with your legal counsel, labor relations representative, and union representative to align with collective agreements and relevant legislation.

    Sample Performance Discussion Follow-Up

    Hello [name],

    Thank you for the commitment and eagerness in our meeting yesterday.

    I wanted to recap the conversation and expectations for the month of [insert month].

    As discussed, you have been advised about your recent [behavior, performance, attendance, policy, etc.] where you have demonstrated [state specific issue with detail of behavior/performance of concern]. As per our conversation, we’ll be working on improvement in this area in order to meet expectations set out for our employees.

    It is expected that employees [state expectations]. Please do not hesitate to reach out to me if there is further clarification needed or you if you have any questions or concerns. The management team and I are committed to helping you achieve these goals.

    We will do a formal check-in on your progress every [insert day] from [insert time] to review your progress. I will also be available for daily check-ins to support you on the right track. Additionally, you can book me in for desk-side coaching outside of my regular desk-side check-ins. If there is anything else I can do to help support you in hitting these goals, please let me know. Other resources we discussed that may be helpful in meeting these objectives are [summarize available support and resources]. By working together through this process, I have no doubt that you can be successful. I am here to provide support and assist you through this.

    If you’re unable to show improvements set out in our discussion by [date], we will proceed to a formal performance measure that will include a performance improvement plan. Please let me know if you have any questions or concerns; I am here to help.

    Please acknowledge this email and let me know if you have any questions.

    Thank you,

    PIP Cover Letter

    Hello [name] ,

    This is to confirm our meeting on [date] in which we discussed your performance to date and areas that need improvement. Please find the attached performance improvement plan, which contains a detailed action plan that we have agreed upon to help you meet role expectations over the next [XX days]. The aim of this plan is to provide you with a detailed outline of our performance expectations and provide you the opportunity to improve your performance, with our support.

    We will check in every [XX days] to review your progress. At the end of the [XX]-day period, we will review your performance against the role expectations set out in this performance improvement plan. If you don’t meet the performance requirements in the time allotted, further action and consequences will follow.

    Should you have any questions about the performance improvement plan or the process outlined in this document, please do not hesitate to discuss them with me.

    [Employee name], it is my personal objective to help you be a fully productive member of our team. By working together through this performance improvement plan, I have no doubt that you can be successful. I am here to provide support and assist you through the process. At this time, I would also like to remind you about the [additional resources available at your organization, for example, employee assistance program or HR].

    Please acknowledge this email and let me know if you have any questions.

    Thank you,

    Prepare and customize manager guide and resources

    Sample of Manage Poor Performance While Working From Home: Manager Guide. Manage Poor Performance While Working From Home: Manager Guide

    This tool for managers provides advice on navigating the process and focuses on the content of remote performance discussions.

    Sample of Set Meaningful Employee Performance Measures. Set Meaningful Employee Performance Measures

    See this blueprint for information on setting holistic measures to inspire employee performance.

    Sample of Manage Poor Performance While Working From Home: Infographic. Manage Poor Performance While Working From Home: Infographic

    This tool illustrates the high-level steps of the performance improvement process.

    Sample of Wellness and Working From Home: Infographic. Wellness and Working From Home: Infographic

    This tool highlights tips to manage physical and mental health while working from home.

    Sample of Build a Better Manager: Team Essentials. Build a Better Manager: Team Essentials

    See this solution set for more information on kick-starting the effectiveness of first-time IT managers with essential management skills.

    Sample of Leverage Agile Goal Setting for Improved Employee Engagement & Performance. Leverage Agile Goal Setting for Improved Employee Engagement & Performance

    See this blueprint for information on dodging the micromanaging foul and scoring with agile short-term goal setting.

    Bibliography

    Arringdale, Chris. “6 Tips For Managers Trying to Overcome Performance Appraisal Anxiety.” TLNT. 18 September 2015. Accessed 2018.

    Borysenko, Karlyn. “What Was Management Thinking? The High Cost of Employee Turnover.” Talent Management and HR. 22 April 2015. Accessed 2018.

    Cook, Ian. “Curbing Employee Turnover Contagion in the Workplace.” Visier. 20 February 2018. Accessed 2018.

    Cornerstone OnDemand. Toxic Employees in the Workplace. Santa Monica, California: Cornerstone OnDemand, 2015. Web.

    Dewar, Carolyn and Reed Doucette. “6 elements to create a high-performing culture.” McKinsey & Company. 9 April 2018. Accessed 2018.

    Eagle Hill. Eagle Hill National Attrition Survey. Washington, D.C.: Eagle Hill, 2015. Web.

    ERC. “Performance Improvement Plan Checklist.” ERC. 21 June 2017. Accessed 2018.

    Foster, James. “The Impact of Managers on Workplace Engagement and Productivity.” Interact. 16 March 2017. Accessed 2018.

    Godwins Solicitors LLP. “Employment Tribunal Statistics for 2015/2016.” Godwins Solicitors LLP. 8 February 2017. Accessed 2018.

    Mankins, Michael. “How to Manage a Team of All-Stars.” Harvard Business Review. 6 June 2017. Accessed 2018.

    Maxfield, David, et al. The Value of Stress-Free Productivity. Provo, Utah: VitalSmarts, 2017. Web.

    Murphy, Mark. “Skip Your Low Performers When Starting Performance Appraisals.” Forbes. 21 January 2015. Accessed 2018.

    Quint. “Transforming into a High Performance Organization.” Quint Wellington Redwood. 16 November 2017. Accessed 2018.

    Ranosa, Rachel. "COVID -19: Canadian Productivity Booms Despite Social Distancing." Human Resources Director, 14 April 2020. Accessed 2020.

    Prepare for Negotiations More Effectively

    • Buy Link or Shortcode: {j2store}224|cart{/j2store}
    • member rating overall impact (scale of 10): 8.0/10 Overall Impact
    • member rating average dollars saved: $6,000 Average $ Saved
    • member rating average days saved: 4 Average Days Saved
    • Parent Category Name: Vendor Management
    • Parent Category Link: /vendor-management
    • IT budgets are increasing, but many CIOs feel their budgets are inadequate to accomplish what is being asked of them.
    • Eighty percent of organizations don’t have a mature, repeatable, scalable negotiation process.
    • Training dollars on negotiations are often wasted or ineffective.

    Our Advice

    Critical Insight

    • Negotiations are about allocating risk and money – how much risk is a party willing to accept at what price point?
    • Using a cross-functional/cross-insight team structure for negotiation preparation yields better results.
    • Soft skills aren’t enough and theatrical negotiation tactics aren’t effective.

    Impact and Result

    A good negotiation process can help:

    • Maximize budget dollars.
    • Improve vendor performance.
    • Enhance relationships internally and externally.

    Prepare for Negotiations More Effectively Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should create and follow a scalable process for preparing to negotiate with vendors, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Before

    Throughout this phase, the 12 steps for negotiation preparation are identified and reviewed.

    • Prepare for Negotiations More Effectively – Phase 1: Before
    • Before Negotiating Tool
    [infographic]

    Workshop: Prepare for Negotiations More Effectively

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 12 Steps to Better Negotiation Preparation

    The Purpose

    Improve negotiation preparation.

    Understand how to use the Info-Tech Before Negotiating Tool.

    Key Benefits Achieved

    A scalable framework for negotiation preparation will be created.

    The Before Negotiating Tool will be configured for the customer’s environment.

    Activities

    1.1 Establish specific negotiation goals and ranges.

    1.2 Identify and assess alternatives to a negotiated agreement.

    1.3 Identify and evaluate assumptions made by the parties.

    1.4 Conduct research.

    1.5 Identify and evaluate relationship issues.

    1.6 Identify and leverage the team structure.

    1.7 Identify and address leverage issues.

    1.8 Evaluate timeline considerations.

    1.9 Create a strategy.

    1.10 Draft a negotiation agenda.

    1.11 Draft and answer questions.

    1.12 Rehearse (informal and formal).

    Outputs

    Sample negotiation goals and ranges will be generated via a case study to demonstrate the concepts and how to use the Before Negotiating Tool (this will apply to each Planned Activity)

    Sample alternatives will be generated

    Sample assumptions will be generated

    Sample research will be generated

    Sample relationship issues will be generated

    Sample teams will be generated

    Sample leverage items will be generated

    Sample timeline issues will be generated

    A sample strategy will be generated

    A sample negotiation agenda will be generated

    Sample questions and answers will be generated

    Sample rehearsals will be conducted

    Select the Optimal Disaster Recovery Deployment Model

    • Buy Link or Shortcode: {j2store}413|cart{/j2store}
    • member rating overall impact (scale of 10): 8.8/10 Overall Impact
    • member rating average dollars saved: $10,247 Average $ Saved
    • member rating average days saved: 11 Average Days Saved
    • Parent Category Name: DR and Business Continuity
    • Parent Category Link: /business-continuity
    • DR deployment has many possibilities. It becomes overwhelming and difficult to sift through all of the options and understand what makes sense for your organization.
    • The combination of high switching costs and the pressure to move applications to cloud leaves managers overwhelmed and complacent with their current DR model.

    Our Advice

    Critical Insight

    1. Cut to the chase and evaluate the feasibility of cloud first. Gauge your organization’s current capabilities for DR in the cloud before becoming infatuated with the idea.
    2. A mixed model gives you the best of both worlds. Diversify your strategy by identifying fit for purpose and balancing the work required to maintain various models.
    3. Begin with the end in mind. Commit to mastering the selected model and leverage your vendor relationship for effective DR.

    Impact and Result

    • By efficiently eliminating models that are not suited for your organization and narrowing the scope of DR deployment possibilities, you spend more time focusing on what works rather than what doesn’t.
    • Taking a funneled approach ensures that you are not wasting time evaluating application-level considerations when organizational constraints prevent you from moving forward.
    • Comparing the total cost of ownership among candidate models helps demonstrate to the business the reason behind choosing one method over another.

    Select the Optimal Disaster Recovery Deployment Model Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should build the optimal DR deployment model, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Target the relevant DR options for your organization

    Complete Phase 1 to outline your DR site requirements, review any industry or organizational constraints on your DR strategy, and zero in on relevant DR models.

    • Select the Optimal Disaster Recovery Deployment Model – Phase 1: Target Relevant DR Options for Your Organization
    • DR Decision Tree (Visio)
    • DR Decision Tree (PDF)
    • Application Assessment Tool for Cloud DR

    2. Conduct a comprehensive analysis and vet the DR vendors

    Complete Phase 2 to explore possibilities of deployment models, conduct a TCO comparison analysis, and select the best-fit model.

    • Select the Optimal Disaster Recovery Deployment Model – Phase 2: Conduct a Comprehensive Analysis and Vet the DR Vendors
    • DR Solution TCO Comparison Tool

    3. Make the case and plan your transition

    Complete Phase 3 to assess outsourcing best practices, address implementation considerations, and build an executive presentation for business stakeholders.

    • Select the Optimal Disaster Recovery Deployment Model – Phase 3: Make the Case and Plan Your Transition
    • DR Solution Executive Presentation Template
    [infographic]

    Workshop: Select the Optimal Disaster Recovery Deployment Model

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Target Relevant DR Options for Your Organization

    The Purpose

    Identify potential DR models

    Key Benefits Achieved

    Take a funneled approach and avoid getting lost among all of the DR models available

    Activities

    1.1 Define DR site requirements

    1.2 Document industry and organizational constraints

    1.3 Identify potential DR models

    Outputs

    Determine the type of site, replication, and risk mitigation initiatives required

    Rule out unfit models

    DR Decision Tree

    Application Assessment Tool for Cloud DR

    2 Conduct a Comprehensive Analysis of Appropriate Models

    The Purpose

    Explore relevant DR models

    Key Benefits Achieved

    Develop supporting evidence for the various options

    Activities

    2.1 Explore pros and cons of potential solutions

    2.2 Understand the use case for DRaaS

    2.3 Review DR model diagrams

    Outputs

    Qualitative analysis on candidate models

    Evaluate the need for DRaaS

    DR diagrams for candidate models

    3 Build the DR Solution TCO Comparison Tool

    The Purpose

    Determine best cost models

    Key Benefits Achieved

    Save money by selecting the most cost effective option to meet your DR requirements

    Activities

    3.1 Gather hardware requirements for production site

    3.2 Define capacity requirements for DR

    3.3 Compare cost across various models

    Outputs

    Populate the production summary tab in TCO tool

    Understand how much hardware will need to be on standby and how much will be procured at the time of disaster

    Find the most cost effective method

    4 Make the Case and Plan Your Transition

    The Purpose

    Build support from business stakeholders by having a clear and defendable proposal for DR

    Key Benefits Achieved

    Effective and ready DR deployment model

    Activities

    4.1 Address implementation considerations for network, capacity, and day-to-day operations

    4.2 Build presentation for business stakeholders

    Outputs

    Define implementation projects necessary for deployment and appoint staff to execute them

    PowerPoint presentation to summarize findings from the course of the project

    Adapt Your Customer Experience Strategy to Successfully Weather COVID-19

    • Buy Link or Shortcode: {j2store}536|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Customer Relationship Management
    • Parent Category Link: /customer-relationship-management
    • COVID-19 is an unprecedented global pandemic. It’s creating significant challenges across every sector.
    • Collapse of financial markets and a steep decline in consumer confidence has most firms nervous about revenue shortfalls and cash burn rates.
    • The economic impact of COVID-19 is freezing IT budgets and sharply changing IT priorities.
    • The human impact of COVID-19 is likely to lead to staffing shortfalls and knowledge gaps.
    • COVID-19 may be in play for up to two years.

    Our Advice

    Critical Insight

    The challenges posed by the virus are compounded by the fact that consumer expectations for strong service delivery remain high:

    • Customers still expect timely, on-demand service from the businesses they engage with.
    • There is uncertainty about how to maintain strong, revenue-driving experiences when faced with the operational challenges posed by the virus.
    • COVID-19 is changing how organizations prioritize spending priorities within their CXM strategies.

    Impact and Result

    • Info-Tech recommends rapidly updating your strategy for customer experience management to ensure it can rise to the occasion.
    • Start by assessing the risk COVID-19 poses to your CXM approach and how it’ll impact marketing, sales, and customer service functions.
    • Implement actionable measures to blunt the threat of COVID-19 while protecting revenue, maintaining consistent product and service delivery, and improving the integrity of your brand. We’ll dive into five proven techniques in this brief!

    Adapt Your Customer Experience Strategy to Successfully Weather COVID-19 Research & Tools

    Start here

    Read our concise Executive Brief to find out why you should examine the impact of COVID-19 on customer experience strategy, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    • Adapt Your Customer Experience Strategy to Successfully Weather COVID-19 Storyboard

    1. Assess the impact of COVID-19 on your CXM strategy

    Create a consolidated, updated view of your current customer experience management strategy and identify which elements can be capitalized on to dampen the impact of COVID-19 and which elements are vulnerabilities that the pandemic may threaten to exacerbate.

    2. Blunt the damage of COVID-19 with new CXM tactics

    Create a roadmap of business and technology initiatives through the lens of customer experience management that can be used to help your organization protect its revenue, maintain customer engagement, and enhance its brand integrity.

    [infographic]

    Become a Strategic CIO

    • Buy Link or Shortcode: {j2store}80|cart{/j2store}
    • member rating overall impact (scale of 10): 9.5/10 Overall Impact
    • member rating average dollars saved: $10,000 Average $ Saved
    • member rating average days saved: 15 Average Days Saved
    • Parent Category Name: IT Strategy
    • Parent Category Link: /it-strategy
    • As a CIO, you are currently operating in a stable and trusted IT environment, but you would like to advance your role to strategic business partner.
    • CIOs are often overlooked as a strategic partner by their peers, and therefore face the challenge of proving they deserve a seat at the table.

    Our Advice

    Critical Insight

    • To become a strategic business partner, you must think and act as a business person that works in IT, rather than an IT person that works for the business.
    • Career advancement is not a solo effort. Building relationships with your executive business stakeholders will be critical to becoming a respected business partner.

    Impact and Result

    • Create a personal development plan and stakeholder management strategy to accelerate your career and become a strategic business partner. For a CIO to be considered a strategic business partner, he or she must be able to:
      • Act as a business person that works in IT, rather than an IT person that works for the business. This involves meeting executive stakeholder expectations, facilitating innovation, and managing stakeholder relationships.
      • Align IT with the customer. This involves providing business stakeholders with information to support stronger decision making, keeping up with disruptive technologies, and constantly adapting to the ever-changing end-customer needs.
      • Manage talent and change. This involves performing strategic workforce planning, and being actively engaged in identifying opportunities to introduce change in your organization, suggesting ways to improve, and then acting on them.

    Become a Strategic CIO Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should become a strategic CIO, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Launch

    Analyze strategic CIO competencies and assess business stakeholder satisfaction with IT using Info-Tech's CIO Business Vision Diagnostic and CXO-CIO Alignment Program.

    • Become a Strategic CIO – Phase 1: Launch

    2. Assess

    Evaluate strategic CIO competencies and business stakeholder relationships.

    • Become a Strategic CIO – Phase 2: Assess
    • CIO Strategic Competency Evaluation Tool
    • CIO Stakeholder Power Map Template

    3. Plan

    Create a personal development plan and stakeholder management strategy.

    • Become a Strategic CIO – Phase 3: Plan
    • CIO Personal Development Plan
    • CIO Stakeholder Management Strategy Template

    4. Execute

    Develop a scorecard to track personal development initiatives.

    • Become a Strategic CIO – Phase 4: Execute
    • CIO Strategic Competency Scorecard
    [infographic]

    Workshop: Become a Strategic CIO

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Assess Competencies & Stakeholder Relationships

    The Purpose

    Gather and review information from business stakeholders.

    Assess strategic CIO competencies and business stakeholder relationships.

    Key Benefits Achieved

    Gathered information to create a personal development plan and stakeholder management strategy.

    Analyzed the information from diagnostics and determined the appropriate next steps.

    Identified and prioritized strategic CIO competency gaps.

    Evaluated the power, impact, and support of key business stakeholders.

    Activities

    1.1 Conduct CIO Business Vision diagnostic

    1.2 Conduct CXO-CIO Alignment program

    1.3 Assess CIO competencies

    1.4 Assess business stakeholder relationships

    Outputs

    CIO Business Vision results

    CXO-CIO Alignment Program results

    CIO competency gaps

    Executive Stakeholder Power Map

    2 Take Control of Your Personal Development

    The Purpose

    Create a personal development plan and stakeholder management strategy.

    Track your personal development and establish checkpoints to revise initiatives.

    Key Benefits Achieved

    Identified personal development and stakeholder engagement initiatives to bridge high priority competency gaps.

    Identified key performance indicators and benchmarks/targets to track competency development.

    Activities

    2.1 Create a personal development plan

    2.2 Create a stakeholder management strategy

    2.3 Establish key performance indicators and benchmarks/targets

    Outputs

    Personal Development Plan

    Stakeholder Management Strategy

    Strategic CIO Competency Scorecard

    Understand the Difference Between Backups and Archives

    • Buy Link or Shortcode: {j2store}506|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Storage & Backup Optimization
    • Parent Category Link: /storage-and-backup-optimization
    • You don’t understand the difference between a backup and an archive or when to use one or the other.
    • Data is not constant. It is ever-changing and growing. How do you protect it?
    • You just replaced an application that was in use since day one, and even though you have a fully functional replacement, you would like to archive that original application just in case.
    • You want to save money, so you use your backup solution to archive data, but you know that is not ideal. What is the correct solution?

    Our Advice

    Critical Insight

    Keep in mind that backups are for recovery while archives are for discovery. Backups and archives are often confused but understanding the differences can result in significant savings of time and money. Backing up and archiving may be considered IT tasks, but recovery and discovery are capabilities the business wants and is willing to pay for.

    Impact and Result

    Archives and backups are not the same, and there is a use case for each. Sometimes minor adjustments may be required to make the use case work. Understanding the basics of backups and archives can lead to significant savings at a monetary and effort level.

    Understand the Difference Between Backups and Archives Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Understand the Difference Between Backups and Archives

    What is the difference between a backup and a data archive? When should I use one over the other? They are not the same and confusing the two concepts could be expensive.

    • Understand the Difference Between Backups and Archives Storyboard
    [infographic]

    Further reading

    Understand the Difference Between Backups and Archives

    They are not the same, and confusing the two concepts could be expensive

    Analyst Perspective

    Backups and archives are not interchangeable, but they can complement each other.

    Photo of P.J. Ryan, Research Director, Infrastructure & Operations, Info-Tech Research Group.

    Backups and archives are two very different operations that are quite often confused or misplaced. IT and business leaders are tasked with protecting corporate data from a variety of threats. They also must conform to industry, geographical, and legal compliance regulations. Backup solutions keep the data safe from destruction. If you have a backup, why do you also need an archive? Archive solutions hold data for a long period of time and can be searched. If you have an archive, why do you also need a backup solution? Backups and archives used to be the same. Remember when you would keep the DAT tape in the same room as the argon gas fire suppression system for seven years? Now that's just not feasible. Some situations require a creative approach or a combination of backups and archives.

    Understand the difference between archives and backups and you will understand why the two solutions are necessary and beneficial to the business.

    P.J. Ryan
    Research Director, Infrastructure & Operations
    Info-Tech Research Group

    Executive Summary

    Your Challenge
    • You don’t understand the difference between a backup and an archive or when to use one over the other.
    • Data is not constant. It is ever-changing and growing. How do you protect it?
    • You just replaced an application that had been in use since day one, and even though you have a fully functional replacement, you would like to archive that original application just in case.
    • You want to save money, so you use your backup solution to archive data, but you know that is not ideal. What is the correct solution?
    Common Obstacles
    • Storage costs can be expensive, as can some backup and archiving solutions.
    • Unclear requirements definition to decide between backups or archives.
    • Historically, people referred to archiving as tossing something into a box and storing it away indefinitely. Data archiving has a different meaning.
    • Executives want retired applications preserved but do not provide reasons or requirements.
    Info-Tech’s Approach
    • Spend wisely. Why spend money on an archive solution when a backup will suffice? Don’t leave money on the table.
    • Be creative and assess each backup or archive situation carefully. A custom solution may be required.
    • Backup your production data for the purpose of restoring it and adhere to the 3-2-1 rule of backups (Naviko.com).
    • Archive your older data to an alternate storge platform to save space, allow for searchability, and provide retention parameters.

    Info-Tech Insight

    Keep in mind that backups are for recovery while archives are for discovery. Backups and archives are often confused but understanding the differences can result in significant savings of time and money. Backing up and archiving may be considered IT tasks but recovery and discovery are capabilities the business wants and is willing to pay for.

    Archive

    What it IS

    A data archive is an alternate location for your older, infrequently accessed production data. It is indexed and searchable based on keywords. Archives are deleted after a specified period based on your retention policy or compliance directives.

    What it IS NOT

    Archives are not an emergency copy of your production data. They are not any type of copy of your production data. Archives will not help you if you lose your data or accidentally delete a file. Archives are not multiple copies of production data from various recovery points.

    Why use it

    Archives move older data to an alternate location. This frees up storage space for your current data. Archives are indexed and can be searched for historical purposes, compliance reasons, or in the event of a legal matter where specific data must be provided to a legal team.

    Tips & Tricks – Archiving

    • Archiving will move older data to an alternate location. This will free up storage space in the production environment.
    • Archiving solutions index the data to allow for easier searchability. This will aid in common business searches as well as assist with any potential legal searches.
    • Archiving allows companies to hold onto data for historical purposes as well as for specific retention periods in compliance with industry and regional regulations such as SOX, GDPR, FISMA, as well as others (msp360.com).

    Backup

    What it IS

    A backup is a copy of your data from a specific day and time. It is primarily used for recovery or restoration if something happens to the production copy of data. The restore will return the file or folder to the state it was in at the time of the backup.

    Backups occur frequently to ensure the most recent version of data is copied to a safe location.

    A typical backup plan makes a copy of the data every day, once a week, and once a month. The data is stored on tapes, disk, or using cloud storage.

    What it IS NOT

    Backups are not designed for searching or discovery. If you backup your email and must go to that backup in search of all email pertaining to a specific topic, you must restore the full backup and then search for that specific topic or sender. If you kept all the monthly backups for seven years, that will mean repeating that process 84 times to have a conclusive search, assuming you have adequate storage space to restore the email database 84 times.

    Backups do not free up space.

    Why use it

    Backups protect your data in the event of disaster, deletion, or accidental damage. A good backup strategy will include multiple backups on different media and offsite storage of at least one copy.

    Tips & Tricks – Backups

    • Production data should be backed up on a regular basis, ideally once a day or more frequently if possible.
    • Backups are intended to restore data when it gets deleted, over-written, or otherwise compromised. Most restore requests are from the last 24 to 48 hours, so it may be advantageous to keep a backup readily available on disk for a quick restore when needed.
    • Some vendors and industry subject matter experts advocate the use of a 3-2-1 rule when it comes to backups:
      • Keep three copies of your production data
      • In at least two separate locations (some advocate two different formats), and
      • One copy should be offsite (nakivo.com)

    Cold Storage

    • Cold storage refers to a storage option offered by some cloud vendors. In the context of the discussion between backups and archives, it can be an option for a dedicated backup solution for a specific period. Cost is low and the data is protected from destruction.
    • If an app has been replaced and all data transferred to the replacement solution but for some reason the company wishes to hold onto the data, you want a backup, not an archive. Extract the data, convert it into MongoDB or a similar solution, and drop it into cheap cloud storage (cold storage) for less than $5 per TB/month.

    Case Study

    Understanding the difference between archives and backups could save you a lot of time and money

    INDUSTRY: Manufacturing | SOURCE: Info-Tech Research

    Understanding the difference between an archive and a backup was the first step in solving their challenge.

    A leading manufacturing company found themselves in a position where they had to decide between archiving or doing nothing.

    The company had completed several acquisitions and ended up with multiple legacy applications that had been merged or migrated into replacement solutions. These legacy applications were very important to the original companies and although the data they held had been migrated to a replacement solution, executives felt they should hold onto these applications for a period of time, just in case.

    Some of the larger applications were archived using a modern archiving solution, but when it came to the smaller applications, the cost to add them to the archiving solution greatly exceeded the cost to just keep them running and maintain the associated infrastructure.

    A research advisor from Info-Tech Research Group joined a call with the manufacturing company and discussed their situation. The difference between archives and backups was explained and through the course of the conversation it was discovered that the solution was a modified backup. The application data had already been preserved through the migration, so data could be accessed in the production environment. The requirement to keep the legacy application up and running was not necessary but in compliance with the request to keep the information, the data could be exported from the legacy application into a non-sequential database, compressed, and stored in cloud-based cold storage for less than five dollars per terabyte per month. The manufacturing company’s staff realized that they could apply this same approach to several of their legacy applications and save tens of thousands of dollars in the process.

    Understand the Difference Between Backups and Archives

    Backups

    Backups are for recovery. A backup is a snapshot copy of production data at a specific point in time. If the production data is lost, destroyed, or somehow compromised, the data can be restored from the backup.

    Archives

    Archives are for discovery. It is production data that is moved to an alternate location to free up storage space, allow the data to be searchable, and still hold onto the data for historical or compliance purposes.

    Info-Tech Insight

    Archives and backups are not the same, and there is a use case for each. Sometimes minor adjustments may be required to make the use case work. Understanding the basics of backups and archives can lead to significant savings at a monetary and effort level.

    Additional Guidance

    Production data should be backed up.

    The specific backup solution is up to the business.

    Production data that is not frequently accessed should be archived.

    The specific solution to perform and manage the archiving of the data is up to the business

    • Archived data should also be backed up at least once.
    If the app has been replaced and all data transferred, you want a backup not an archive if you want to keep the data.
    • Short term – fence it off.
    • Long term – extract into Mongo then drop it into cheap cloud storage.

    Case Study

    Using tape backups as an archive solution could result in an expensive discovery and retrieval exercise.

    INDUSTRY: Healthcare | SOURCE: Zasio Enterprises Inc.

    “Do not commingle archive data with backup or disaster recovery tapes.”

    A court case in the United States District Court for the District of Nevada involving Guardiola and Renown Health in 2015 is a good example of why using a backup solution to solve an archiving challenge is a bad idea.

    Renown Health used a retention policy that declared any email older than six months of age as inactive and moved that email to a backup tape. Renown Health was ordered by the court to produce emails from a period of time in the past. Renown estimated that it would cost at least $248,000 to produce those emails, based on the effort involved to restore data from each tape and search for the email in question. Renown Health argued that this long and expensive process would result in undue costs.

    The court reviewed the situation and ruled against Renown Health and ordered them to comply with the request (Zasio.com).

    A proper archiving solution would have provided a quick and low-cost method to retrieve the emails in question.

    Backups and archives are complementary to each other

    • Archives are still production data, but the data does not change. A backup is recommended for the archived data, but the frequency of the backups can be lowered.
    • Backups protect you if a disaster strikes by providing a copy of the production data that was compromised or damaged. Archives allow you to access older data that may have just been forgotten, not destroyed or compromised. Archives could also protect you in a legal court case by providing data that is older but may prove your argument in court.

    Archives and backups are not the same.

    Backups copy your data. Archives move your data. Backups facilitate recovery. Archives facilitate discovery.

    Archive Backup
    Definition Move rarely accessed (but still production) data to separate media. Store a copy of frequently used data on a separate media to ensure timely operational recovery.
    Use Case Legal discovery, primary storage reduction, compliance requirements, and audits. Accidental deletion and/or corruption of data, hardware/software failures.
    Method Disk, cloud storage, appliance. Disk, backup appliance, snapshots, cloud.
    Data Older, rarely accessed production data. Current production data.

    Is it a backup or archive?

    • You want to preserve older data for legal and compliance reasons, so you put extra effort into keeping your tape backups safe and secure for seven years. That’s a big mistake that may cost you time and money. You want an archive solution.
    • You replace your older application and migrate all data to the new system, but you want to hold onto the old data, just in case. That’s a backup, not an archive.
    • A long serving senior executive recently left the company. You want to preserve the contents of the executive's laptop in case it is needed in the future. That’s a backup.

    Considerations When Choosing Between Solutions

    1

    Backup or archive?

    2

    What are you protecting?

    3

    Why are you protecting data?

    4

    Solution

    Backup

    Backup and/or archive.
    Additional information required.
    Column 3 may help

    Archive

    Device

    Data

    Application

    Operational Environment

    Operational recovery

    Disaster recovery

    Just in case

    Production storage space reduction

    Retention and preservation

    Governance, risk & compliance

    Backup

    Archive

    Related Info-Tech Research

    Stock image of light grids and flares. Establish an Effective Data Protection Plan

    Give data the attention it deserves by building a strategy that goes beyond backup.

    Stock image of old fuse box switches. Modernize Enterprise Storage

    Current and emerging storage technologies are disrupting the status quo – prepare your infrastructure for the exponential rise in data and its storage requirements.

    Logo for 'Software Reviews' and their information on 'Compare and Evaluate: Data Archiving.'
    Sample of Info-Tech's 'Data Archiving Policy'. Data Archiving Policy

    Bibliography

    “Backup vs. archiving: Know the difference.” Open-E. Accessed 05 Mar 2022.Web.

    G, Denis. “How to build retention policy.” MSP360, Jan 3, 2020. Accessed 10 Mar 2022.

    Ipsen, Adam. “Archive vs Backup: What’s the Difference? A Definition Guide.” BackupAssist, 28 Mar 2017. Accessed 04 Mar 2022.

    Kang, Soo. “Mitigating the expense of E-discovery; Recognizing the difference between back-ups and archived data.” Zasio Enterprises, 08 Oct 2015. Accessed 3 Mar 2022.

    Mayer, Alex. “The 3-2-1 Backup Rule – An Efficient Data Protection Strategy.” Naviko. Accessed 12 Mar 2022.

    “What is Data-Archiving?” Proofpoint. Accessed 07 Mar 2022.

    Staff the Service Desk to Meet Demand

    • Buy Link or Shortcode: {j2store}490|cart{/j2store}
    • member rating overall impact (scale of 10): 10.0/10 Overall Impact
    • member rating average dollars saved: $1,900 Average $ Saved
    • member rating average days saved: 2 Average Days Saved
    • Parent Category Name: Service Desk
    • Parent Category Link: /service-desk
    • With increasing complexity of support and demand on service desks, staff are often left feeling overwhelmed and struggling to keep up with ticket volume, resulting in long resolution times and frustrated end users.
    • However, it’s not as simple as hiring more staff to keep up with ticket volume. IT managers must have the data to support their case for increasing resources or even maintaining their current resources in an environment where many executives are looking to reduce headcount.
    • Without changing resources to match demand, IT managers will need to determine how to maximize the use of their resources to deliver better service.

    Our Advice

    Critical Insight

    • IT managers are stuck with the difficult task of determining the right number of service desk resources to meet demand to executives who perceive the service desk to be already effective.
    • Service desk managers often don’t have accurate historical data and metrics to justify their headcount, or don’t know where to start to find the data they need.
    • They often then fall prey to the common misperception that there is an industry standard ratio of the ideal number of service desk analysts to users. IT leaders who rely on staffing ratios or industry benchmarks fail to take into account the complexity of their own organization and may make inaccurate resourcing decisions.

    Impact and Result

    • There’s no magic, one-size-fits-all ratio to tell you how many service desk staff you need based on your user base alone. There are many factors that come into play, including the complexity of your environment, user profiles, ticket volume and trends, and maturity and efficiency of your processes.
    • If you don’t have historical data to help inform resourcing needs, start tracking ticket volume trends now so that you can forecast future needs.
    • If your data suggests you don’t need more staff, look to other ways to maximize your time and resources to deliver more efficient service.

    Staff the Service Desk to Meet Demand Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should optimize service desk staffing, review Info-Tech’s methodology, and understand the ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Determine environment and operating model

    Define your business and IT environment, service desk operating model, and existing challenges to inform objectives.

    • Service Desk Staffing Stakeholder Presentation

    2. Determine staffing needs

    Understand why service desk staffing estimates should be based on your unique workload, then complete the Staffing Calculator to estimate your needs.

    • Service Desk Staffing Calculator

    3. Interpret data to plan approach

    Review workload over time to analyze trends and better inform your overall resourcing needs, then plan your next steps to optimize staffing.

    [infographic]

    Key Metrics for Every CIO

    • Buy Link or Shortcode: {j2store}119|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Performance Measurement
    • Parent Category Link: /performance-measurement
    • As a CIO, you are inundated with data and information about how your IT organization is performing based on the various IT metrics that exist.
    • The information we receive from metrics is often just that – information. Rarely is it used as a tool to drive the organization forward.
    • CIO metrics need to consider the goals of key stakeholders in the organization.

    Our Advice

    Critical Insight

    • The top metrics for CIOs don’t have anything to do with IT.
    • CIOs should measure and monitor metrics that have a direct impact on the business.
    • Be intentional with the metric and number of metrics that you monitor on a regular basis.
    • Be transparent with your stakeholders on what and why you are measuring those specific metrics.

    Impact and Result

    • Measure fewer metrics, but measure those that will have a significant impact on how your deliver value to your organization.
    • Focus on the metrics that you can take action against, rather than simply monitor.
    • Ensure your metrics tie to your top priorities as a CIO.

    Key Metrics for Every CIO Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Key Metrics for Every CIO deck – The top metrics every CIO should measure and act on

    Leverage the top metrics for every CIO to help focus your attention and provide insight into actionable steps.

    • Key Metrics for Every CIO Storyboard
    [infographic]

    Further reading

    Key Metrics for Every CIO

    The top six metrics for CIOs – and they have very little to do with IT

    Analyst Perspective

    Measure with intention

    Be the strategic CIO who monitors the right metrics relevant to their priorities – regardless of industry or organization. When CIOs provide a laundry list of metrics they are consistently measuring and monitoring, it demonstrates a few things.

    First, they are probably measuring more metrics than they truly care about or could action. These “standardized” metrics become something measured out of expectation, not intention; therefore, they lose their meaning and value to you as a CIO. Stop spending time on these metrics you will be unable or unwilling to address.

    Secondly, it indicates a lack of trust in the IT leadership team, who can and should be monitoring these commonplace operational measures. An empowered IT leader will understand the responsibility they have to inform the CIO should a metric be derailing from the desired outcome.

    Photo of Brittany Lutes, Senior Research Analyst, Organizational Transformation Practice, Info-Tech Research Group. Brittany Lutes
    Senior Research Analyst
    Organizational Transformation Practice
    Info-Tech Research Group

    Executive Summary

    Your Challenge

    CIOs need to measure a set of specific metrics that:

    • Will support the organization’s vision, their career, and the IT function all in one.
    • Can be used as a tool to make informed decisions and take appropriate actions that will improve the IT function’s ability to deliver value.
    • Consider the influence of critical stakeholders, especially the end customer.
    • Are easily measured at any point in time.
    Common Obstacles

    CIOs often cannot define these metrics because:

    • We confuse the operational metrics IT leaders need to monitor with strategic metrics CIOs need to monitor.
    • Previously monitored metrics did not deliver value.
    • It is hard to decide on a metric that will prove both insightful and easily measurable.
    • We measure metrics without any method or insight on how to take actionable steps forward.
    Info-Tech’s Approach

    For every CIO, there are six areas that should be a focus, no matter your organization or industry. These six priorities will inform the metrics worth measuring:

    • Risk management
    • Delivering on business objectives
    • Customer satisfaction
    • Employee engagement
    • Business leadership relations
    • Managing to a budget

    Info-Tech Insight

    The top metrics for a CIO to measure and monitor have very little to do with IT and everything to do with ensuring the success of the business.

    Your challenge

    CIOs are not using metrics as a personal tool to advance the organization:
    • Metrics should be used as a tool by the CIO to help inform the future actions that will be taken to reach the organization’s strategic vision.
    • As a CIO, you need to have a defined set of metrics that will support your career, the organization, and the IT function you are accountable for.
    • CIO metrics must consider the most important stakeholders across the entire ecosystem of the organization – especially the end customer.
    • The metrics for a CIO are distinctly different from the metrics you use to measure the operational effectiveness of the different IT functions.
    “CIOs are businesspeople first and technology people second.” (Myles Suer, Source: CIO, 2019.)

    Common obstacles

    These barriers make this challenge difficult to address for many CIOs:
    • CIOs often do not measure metrics because they are not aware of what should or needs to be measured.
    • As a result of not wanting to measure the wrong thing, CIOs can often choose to measure nothing at all.
    • Or they get too focused on the operational metrics of their IT organization, leaving the strategic business metrics forgotten.
    • Moreover, narrowing the number of metrics that are being measured down to an actionable number is very difficult.
    • We rely only on physical data sets to help inform the measurements, not considering the qualitative feedback received.
    CIO priorities are business priorities

    46% of CIOs are transforming operations, focused on customer experiences and employee productivity. (Source: Foundry, 2022.)

    Finances (41.3%) and customers (28.1%) remain the top two focuses for CIOs when measuring IT effectiveness. All other focuses combine for the remaining 30.6%. (Source: Journal of Informational Technology Management, 2018.)

    Info-Tech’s approach

    Organizational goals inform CIO metrics

    Diagram with 'CIO Metrics' at the center surrounded by 'Directive Goals', 'Product/Service Goals', 'IT Goals', and 'Operations Goals', each of which are connected to eachother by 'Customers'.

    The Info-Tech difference:
    1. Every CIO has the same set of priorities regardless of their organization or industry given that these metrics are influenced by similar goals of organizations.
    2. CIO metrics are a tool to help inform the actions that will support each core area in reaching their desired goals.
    3. Be mindful of the goals different business units are using to reach the organization’s strategic vision – this includes your own IT goals.
    4. Directly or indirectly, you will always influence the ability to acquire and retain customers for the organization.

    CIO priorities

    MANAGING TO A BUDGET
    Reducing operational costs and increasing strategic IT spend.
    Table centerpiece for CIO Priorities. DELIVERING ON BUSINESS OBJECTIVES
    Aligning IT initiatives to the vision of the organization.
    CUSTOMER SATISFACTION
    Directly and indirectly impacting customer experience.
    EMPLOYEE ENGAGEMENT
    Creating an IT workforce of engaged and purpose-driven people.
    RISK MANAGEMENT
    Actively knowing and mitigating threats to the organization.
    BUSINESS LEADERSHIP RELATONS
    Establishing a network of influential business leaders.

    High-level process flow

    How do we use the CIO metrics?
    Process flow that starts at 'Consider - Identify and analyze CIO priorities', and is followed by 'Select priorities - Identify the top priorities for CIOs (see previous slide)', 'Create a measure - Determine a measure that aligns to each priority', 'Make changes & improvements - Take action to improve the measure and reach the goal you are trying to achieve', 'Demonstrate progress - Use the metrics to demonstrate progress against priorities'. Using priority-based metrics allows you to make incremental improvements that can be measured and reported on, which makes program maturation a natural process.

    Example CIO dashboard

    Example CIO dashboard.
    * Arrow indicates month-over-month trend

    Harness the value of metric data

    Metrics are rarely used accurately as a tool
    • When you have good metrics, you can:
      • Ensure employees are focused on the priorities of the organization
      • Have insight to make better decisions
      • Communicate with the business using language that resonates with each stakeholder
      • Increase the performance of your IT function
      • Continually adapt to meet changing business demands
    • Metrics are tools that quantifiably indicate whether a goal is on track to being achieved (proactive) or if the goal was successfully achieved (retroactive)
    • This is often reflected through two metric types:
      • Leading Metrics: The metric indicates if there are actions that should be taken in the process of achieving a desired outcome.
      • Lagging Metrics: Based on the desired outcome, the metric can indicate where there were successes or failures that supported or prevented the outcome from being achieved.
    • Use the data from the metrics to inform your actions. Do not collect this data if your intent is simply to know the data point. You must be willing to act.
    "The way to make a metric successful is by understanding why you are measuring it." (Jeff Neyland CIO)

    CIOs measure strategic business metrics

    Keep the IT leadership accountable for operational metrics
    • Leveraging the IT leadership team, empower and hold each leader accountable for the operational metrics specific to their functional area
    • As a CIO, focus on the metrics that are going to impact the business. These are often tied to people or stakeholders:
      • The customers who will purchase the product or service
      • The decision makers who will fund IT initiatives
      • The champions of IT value
      • The IT employees who will be driven to succeed
      • The owner of an IT risk event
    • By focusing on these priority areas, you can regularly monitor aspects that will have major business impacts – and be able to address those impacts.
    As a CIO, avoid spending time on operational metrics such as:
    • Time to deliver
    • Time to resolve
    • Project delivery (scope, time, money)
    • Application usage
    • User experiences
    • SLAs
    • Uptime/downtime
    • Resource costs
    • Ticket resolution
    • Number of phishing attempts
    Info-Tech Insight

    While operational metrics are important to your organization, IT leaders should be empowered and responsible for their management.

    SECTION 1

    Actively Managing IT Risks

    Actively manage IT risks

    The impact of IT risks to your organization cannot be ignored any further
    • Few individuals in an organization understand IT risks and can proactively plan for the prevention of those threats, making the CIO the responsible and accountable individual when it comes to IT risks – especially the components that tie into cybersecurity.
    • When the negative impacts of an IT threat event are translated into terms that can be understood and actioned by all in the organization, it increases the likelihood of receiving the sponsorship and funding support necessary.
    • Moreover, risk management can be used as a tool to drive the organization toward its vision state, enabling informed risk decisions.

    Risk management metric:

    Number of critical IT threats that were detected and prevented before impact to the organization.

    Beyond risk prevention
    Organizations that have a clear risk tolerance can use their risk assessments to better inform their decisions.
    Specifically, taking risks that could lead to a high return on investment or other key organizational drivers.

    Protect the organization from more than just cyber threats

    Other risk-related metrics:
    • Percentage of IT risks integrated into the organization’s risk management approach.
    • Number of risk management incidents that were not identified by your organization (and the potential financial impact of those risks).
    • Business satisfaction with IT actions to reduce impact of negative IT risk events.
    • Number of redundant systems removed from the organizations portfolio.
    Action steps to take:
    • Create a risk-aware culture, not just with IT folks. The entire organization needs to understand how IT risks are preventable.
    • Clearly demonstrate the financial and reputational impact of potential IT risks and ensure that this is communicated with decision-makers in the organization.
    • Have a single source of truth to document possible risk events and report prevention tactics to minimize the impact of risks.
    • Use this information to recommend budget changes and help make risk-informed decisions.

    49%

    Investing in Risk

    Heads of IT “cited increasing cybersecurity protections as the top business initiative driving IT investments this year” (Source: Foundry, 2022.)

    SECTION 2

    Delivering on Business Objectives

    Delivering on business objectives

    Deliver on initiatives that bring value to your organization and stop benchmarking
    • CIOs often want to know how they are performing in comparison to their competitors (aka where do you compare in the benchmarking?)
    • While this is a nice to know, it adds zero value in demonstrating that you understand your business, let alone the goals of your business
    • Every organization will have a different set of goals it is striving toward, despite being in the same industry, sector, or market.
    • Measuring your performance against the objectives of the organization prevents CIOs from being more technical than it would do them good.

    Business Objective Alignment Metric:

    Percentage of IT metrics have a direct line of impact to the business goals

    Stop using benchmarks to validate yourself against other organizations. Benchmarking does not provide:
    • Insight into how well that organization performed against their goals.
    • That other organizations goals are likely very different from your own organization's goals.
    • It often aggregates the scores so much; good and bad performers stop being clearly identified.

    Provide a clear line of sight from IT metrics to business goals

    Other business alignment metrics:
    • Number of IT initiatives that have a significant impact on the success of the organization's goals.
    • Number of IT initiatives that exceed the expected value.
    • Positive impact ($) of IT initiatives on driving business innovation.
    Action steps to take:
    • Establish a library or dashboard of all the metrics you are currently measuring as an IT organization, and align each of them to one or more of the business objectives your organization has.
    • Leverage the members of the organization’s executive team to validate they understand how your metric ties to the business objective.
    • Any metric that does not have a clear line of sight should be reconsidered.
    • IT metrics should continue to speak in business terms, not IT terms.

    50%

    CIOs drive the business

    The percentage of CEOs that recognize the CIO as the main driver of the business strategy in the next 2-3 years. (Source: Deloitte, 2020.)

    SECTION 3

    Impact on Customer Satisfaction

    Influencing end-customer satisfaction

    Directly or indirectly, IT influences how satisfied the customer is with their product or service
    • Now more than ever before, IT can positively influence the end-customer’s satisfaction with the product or service they purchase.
    • From operational redundancies to the customer’s interaction with the organization, IT can and should be positively impacting the customer experience.
    • IT leaders who take an interest in the customer demonstrate that they are business-focused individuals and understand the intention of what the organization is seeking to achieve.
    • With the CIO role becoming a strategic one, understanding why a customer would or would not purchase your organization’s product or service stops being a “nice to have.”

    Customer satisfaction metric:

    What is the positive impact ($ or %) of IT initiatives on customer satisfaction?

    Info-Tech Insight

    Be the one to suggest new IT initiatives that will impact the customer experience – stop waiting for other business leaders to make the recommendation.

    Enhance the end-customer experience with I&T

    Other customer satisfaction metrics:
    • Amount of time CIO spends interacting directly with customers.
    • Customer retention rate.
    • Customer attraction rate.
    Action steps to take:
    • Identify the core IT capabilities that support customer experience. Automation? Mobile application? Personal information secured?
    • Suggest an IT-supported or-led initiative that will enhance the customer experience and meet the business goals. Retention? Acquisition? Growth in spend?
    • This is where operational metrics or dashboards can have a real influence on the customer experience. Be mindful of how IT impacts the customer journey.

    41%

    Direct CX interaction

    In 2022, 41% of IT heads were directly interacting with the end customer. (Source: Foundry, 2022.)

    SECTION 4

    Keeping Employees Engaged

    Keeping employees engaged

    This is about more than just an annual engagement survey
    • As a leader, you should always have a finger on the pulse of how engaged your employees are
    • Employee engagement is high when:
      • Employees have a positive disposition to their place of work
      • Employees are committed and willing to contribute to the organization's success
    • Employee engagement comprises three types of drivers: organizational, job, and retention. As CIO, you have a direct impact on all three drivers.
    • Providing employees with a positive work environment where they are empowered to complete activities in line with their desired skillset and tied to a clear purpose can significantly increase employee engagement.

    Employee engagement metric:

    Number of employees who feel empowered to complete purposeful activities related to their job each day

    Engagement leads to increases in:
    • Innovation
    • Productivity
    • Performance
    • Teamwork
    While reducing costs associated with high turnover.

    Employees daily tasks need to have purpose

    Other employee engagement metrics:
    • Tenure of IT employees at the organization.
    • Number of employees who seek out or use a training budget to enhance their knowledge/skills.
    • Degree of autonomy employees feel they have in their work on a daily basis.
    • Number of collaboration tools provided to enable cross-organizational work.
    Action steps to take:
    • If you are not willing to take actionable steps to address engagement, don’t bother asking employees about it.
    • Identify the blockers to empowerment. Common blockers include insufficient team collaboration, bureaucracy, inflexibility, and feeling unsupported and judged.
    • Ensure there is a consistent understanding of what “purposeful” means. Are you talking about “purposeful” to the organization or the individual?
    • Provide more clarity on what the organization’s purpose is and the vision it is driving toward. Just because you understand does not mean the employees do.

    26%

    Act on engagement

    Only 26% of leaders actually think about and act on engagement every single day. (Source: SHRM, 2022.)

    SECTION 5

    Establishing Trusted Business Relationships

    Establishing trusted business partnerships

    Leverage your relationships with other C-suite executives to demonstrate IT’s value
    • Your relationship with other business peers is critical – and, funny enough, it is impacted by the use of good metrics and data.
    • The performance of your IT team will be recognized by other members of the executive leadership team (ELT) and is a direct reflection of you as a leader.
    • A good relationship with the ELT can alleviate issues if concerns about IT staff surface.
      • Of the 85% of IT leaders working on transformational initiatives, only 30% are trying to cultivate an IT/business partnership (Foundry, 2022).
    • Don’t let other members of the organizations ELT overlook you or the value IT has. Build the key relationships that will drive trust and partnerships.

    Business leadership relationship metric:

    Ability to influence business decisions with trusted partners.

    Some key relationships that are worth forming with other C-suite executives right now include:
    • Chief Sustainability Officer
    • Chief Revenue Officer
    • Chief Marketing Officer
    • Chief Data Officer

    Influence business decisions with trusted partners

    Other business relations metrics:
    • The frequency with which peers on the ELT complain about the IT organization to other ELT peers.
    • Percentage of business leaders who trust IT to make the right choices for their accountable areas.
    • Number of projects that are initiated with a desired solution versus problems with no desired solution.
    Action steps to take:
    • From lunch to the boardroom, it is important you make an effort to cultivate relationships with the other members of the ELT.
    • Identify who the most influential members of the ELT are and what their primary goals or objectives are.
    • Follow through on what you promise you will deliver – if you do not know, do not promise it!
    • What will work for one member of the ELT will not work for another – personalize your approach.

    60%

    Enterprise-wide collaboration

    “By 2023, 60% of CIOs will be primarily measured for their ability to co-create new business models and outcomes through extensive enterprise and ecosystem-wide collaboration.” (Source: IDC, 2021.)

    SECTION 6

    Managing to a Budget

    Managing to a budget

    Every CIO needs to be able to spend within budget while increasing their strategic impact
    • From security, to cloud, to innovating the organization's products and services, IT has a lot of initiatives that demand funds and improve the organization.
    • Continuing to demonstrate good use of the budget and driving value for the organization will ensure ongoing recognition in the form of increased money.
    • 29% of CIOs indicated that controlling costs and expense management was a key duty of a functional CIO (Foundry, 2022).
    • Demonstrating the ability to spend within a defined budget is a key way to ensure the business trusts you.
    • Demonstrating an ability to spend within a defined budget and reducing the cost of operational expenses while increasing spend on strategic initiatives ensures the business sees the value in IT.

    Budget management metric:

    Proportion of IT budget that is strategic versus operational.

    Info-Tech Insight

    CIOs need to see their IT function as its own business – budget and spend like a CEO.

    Demonstrate IT’s ability to spend strategically

    Other budget management metrics:
    • Cost required to lead the organization through a digital transformation.
    • Reduction in operational spend due to retiring legacy solutions.
    • Percentage of budget in the run, grow, and transform categories.
    • Amount of money spent keeping the lights on versus investing in new capabilities.

    Action steps to take:

    • Consider opportunities to automate processes and reduce the time/talent required to spend.
    • Identify opportunities and create the time for resources to modernize or even digitize the organization to enable a better delivery of the products or services to the end customer.
    • Review the previous metrics and tie it back to running the business. If customer satisfaction will increase or risk-related threats decrease through an initiative IT is suggesting, you can make the case for increased strategic spend.

    90%

    Direct CX interaction

    Ninety percent of CIOs expect their budget to increase or remain the same in their next fiscal year. (Source: Foundry, 2022.)

    Research contributors and experts

    Photo of Jeff Neyland. Jeff Neyland
    Chief Information Officer – University of Texas at Arlington
    Photo of Brett Trelfa. Brett Trelfa
    SVP and CIO – Arkansas Blue Cross Blue Shield
    Blank photo template. Lynn Fyhrlund
    Chief Information Officer – Milwaukee County Department of Administrative Services

    Info-Tech Research Group

    Vicki Van Alphen Executive Counselor Ibrahim Abdel-Kader Research Analyst
    Mary Van Leer Executive Counselor Graham Price Executive Counselor
    Jack Hakimian Vice President Research Valence Howden Principal Research Director
    Mike Tweedie CIO Practice Lead Tony Denford Organization Transformation Practice Lead

    Related Info-Tech Research

    Sample of the 'IT Metrics Library'. IT Metrics Library
    • Use this tool to review commonly used KPIs for each practice area
    • Identify KPI owners, data sources, baselines, and targets. It also suggests action and research for low-performing KPIs.
    • Use the "Action Plan" tab to keep track of progress on actions that were identified as part of your KPI review.
    Sample of 'Define Service Desk Metrics That Matter'. Define Service Desk Metrics That Matter
    • Consolidate your metrics and assign context and actions to those currently tracked.
    • Establish tension metrics to see and tell the whole story.
    • Split your metrics for each stakeholder group. Assign proper cadences for measurements as a first step to building an effective dashboard.
    Sample of 'CIO Priorities 2022'. CIO Priorities 2022
    • Understand how to respond to trends affecting your organization.
    • Determine your priorities based on current state and relevant internal factors.
    • Assign the right resources to accomplish your vision.
    • Consider what new challenges outside of your control will demand a response.

    Bibliography

    “Developing and Sustaining Employee Engagement.” SHRM, 2022.

    Dopson, Elise. “KPIs Vs. Metrics: What’s the Difference & How Do You Measure Both?” Databox, 23 Jun. 2021.

    Shirer, Michael, and Sarah Murray. “IDC Unveils Worldwide CIO Agenda 2022 Predictions.” IDC, 27 Oct. 2021.

    Suer, Myles. “The Most Important Metrics to Drive IT as a Business.” CIO, 19 Mar. 2019.

    “The new CIO: Business Savvy.” Deloitte Insights. Deloitte, 2020.

    “2022 State of the CIO: Rebalancing Act: CIO’s Operational Pandemic-Era Innovation.” Foundry, 2022.

    “Why Employee Engagement Matters for Leadership at all Levels.” Walden University, 20 Dec. 2019.

    Zhang, Xihui, et al. “How to Measure IT Effectiveness: The CIO’s Perspective.” Journal of Informational Technology Management, 29(4). 2018.

    Implement Your Negotiation Strategy More Effectively

    • Buy Link or Shortcode: {j2store}225|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Vendor Management
    • Parent Category Link: /vendor-management
    • Forty-eight percent of CIOs believe their budgets are inadequate.
    • CIOs and IT departments are getting more involved with negotiations to reduce costs and risk.
    • Not all negotiators are created equal, and the gap between a skilled negotiator and an average negotiator is not always easy to identify objectively.
    • Skilled negotiators are in short supply.

    Our Advice

    Critical Insight

    • Preparation is critical for the success of your negotiation, but you cannot prepare for every eventuality.
    • Communication is the heart and soul of negotiations, but what is being “said” is only part of the picture.
    • Skilled negotiators separate themselves based on skillsets, and outcomes alone may not provide an accurate assessment of a negotiator.

    Impact and Result

    Addressing and managing critical negotiation elements helps:

    • Improve negotiation skills.
    • Implement your negotiation strategy more effectively.
    • Improve negotiation results.

    Implement Your Negotiation Strategy More Effectively Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should create and follow a scalable process for preparing to negotiate with vendors, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. During

    Throughout this phase, ten essential negotiation elements are identified and reviewed.

    • Implement Your Negotiation Strategy More Effectively – Phase 1: During
    • During Negotiations Tool
    [infographic]

    Workshop: Implement Your Negotiation Strategy More Effectively

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 12 Steps to Better Negotiation Preparation

    The Purpose

    Improve negotiation skills and outcomes.

    Understand how to use the Info-Tech During Negotiations Tool.

    Key Benefits Achieved

    A better understanding of the subtleties of the negotiation process and an identification of where the negotiation strategy can go awry.

    The During Negotiation Tool will be reviewed and configured for the customer’s environment (as applicable).

    Activities

    1.1 Manage six key items during the negotiation process.

    1.2 Set the right tone and environment for the negotiation.

    1.3 Focus on improving three categories of intangibles.

    1.4 Improve communication skills to improve negotiation skills.

    1.5 Customize your negotiation approach to interact with different personality traits and styles.

    1.6 Maximize the value of your discussions by focusing on seven components.

    1.7 Understand the value of impasses and deadlocks and how to work through them.

    1.8 Use concessions as part of your negotiation strategy.

    1.9 Identify and defeat common vendor negotiation ploys.

    1.10 Review progress and determine next steps.

    Outputs

    Sample negotiation ground rules

    Sample vendor negotiation ploys

    Sample discussion questions and evaluation matrix

    Standardize the Service Desk

    • Buy Link or Shortcode: {j2store}477|cart{/j2store}
    • member rating overall impact (scale of 10): 9.5/10 Overall Impact
    • member rating average dollars saved: $24,155 Average $ Saved
    • member rating average days saved: 24 Average Days Saved
    • Parent Category Name: Service Desk
    • Parent Category Link: /service-desk
    • Not everyone embraces their role in service support. Specialists would rather work on projects than provide service support.
    • The Service Desk lacks processes and workflows to provide consistent service. Service desk managers struggle to set and meet service-level expectations, which further compromises end-user satisfaction.

    Our Advice

    Critical Insight

    • Service desk improvement is an exercise in organizational change. Engage specialists across the IT organization in building the solution. Establish a single service-support team across the IT group and enforce it with a cooperative, customer-focused culture.
    • Don’t be fooled by a tool that’s new. A new service desk tool alone won’t solve the problem. Service desk maturity improvements depend on putting in place the right people and processes to support the technology.

    Impact and Result

    • Create a consistent customer service experience for service desk patrons, and increase efficiency, first-call resolution, and end-user satisfaction with the Service Desk.
    • Decrease time and cost to resolve service desk tickets.
    • Understand and address reporting needs to address root causes and measure success and build a solid foundation for future IT service improvements.

    Standardize the Service Desk Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Standardize the Service Desk Research – A step-by-step document that helps you improve customer service by driving consistency in your support approach and meet SLAs.

    Use this blueprint to standardize your service desk by assessing your current capability and laying the foundations for your service desk, design an effective incident management workflow, design a request fulfillment process, and apply the discussions and activities to make an actionable plan for improving your service desk.

    • Standardize the Service Desk – Phases 1-4

    2. Service Desk Maturity Assessment – An assessment tool to help guide process improvement efforts and track progress.

    This tool is designed to assess your service desk process maturity, identify gaps, guide improvement efforts, and measure your progress.

    • Service Desk Maturity Assessment

    3. Service Desk Project Summary – A template to help you organize process improvement initiatives using examples.

    Use this template to organize information about the service desk challenges that the organization is facing, make the case to build a right-sized service desk to address those challenges, and outline the recommended process changes.

    • Service Desk Project Summary

    4. Service Desk Roles and Responsibilities Guide – An analysis tool to determine the right roles and build ownership.

    Use the RACI template to determine roles for your service desk initiatives and to build ownership around them. Use the template and replace it with your organization's information.

    • Service Desk Roles and Responsibilities Guide

    5. Incident Management and Service Desk Standard Operating Procedure – A template designed to help service managers kick-start the standardization of service desk processes.

    The template will help you identify service desk roles and responsibilities, build ticket management processes, put in place sustainable knowledgebase practices, document ticket prioritization scheme and SLO, and document ticket workflows.

    • Incident Management and Service Desk SOP

    6. Ticket and Call Quality Assessment Tool – An assessment tool to check in on ticket and call quality quarterly and improve the quality of service desk data.

    Use this tool to help review the quality of tickets handled by agents and discuss each technician's technical capabilities to handle tickets.

    • Ticket and Call Quality Assessment Tool

    7. Workflow Library – A repository of typical workflows.

    The Workflow Library provides examples of typical workflows that make up the bulk of the incident management and request fulfillment processes at the service desk.

    • Incident Management and Service Desk Workflows (Visio)
    • Incident Management and Service Desk Workflows (PDF)

    8. Service Desk Ticket Categorization Schemes – A repository of ticket categories.

    The Ticket Categorization Schemes provide examples of ticket categories to organize the data in the service desk tool and produce reports that help managers manage the service desk and meet business requirements.

    • Service Desk Ticket Categorization Schemes

    9. Knowledge Manager – A job description template that includes a detailed explication of the responsibilities and expectations of a Knowledge Manager role.

    The Knowledge Manager's role is to collect, synthesize, organize, and manage corporate information in support of business units across the enterprise.

    • Knowledge Manager

    10. Knowledgebase Article Template – A comprehensive record of the incident management process.

    An accurate and comprehensive record of the incident management process, including a description of the incident, any workarounds identified, the root cause (if available), and the profile of the incident's source, will improve incident resolution time.

    • Knowledgebase Article Template

    11. Sample Communication Plan – A sample template to guide your communications around the integration and implementation of your overall service desk improvement initiatives.

    Use this template to develop a communication plan that outlines what stakeholders can expect as the process improvements recommended in the Standardize the Service Desk blueprint are implemented.

    • Sample Communication Plan

    12. Service Desk Roadmap – A structured roadmap tool to help build your service desk initiatives timeline.

    The Service Desk Roadmap helps track outstanding implementation activities from your service desk standardization project. Use the roadmap tool to define service desk project tasks, their owners, priorities, and timeline.

    • Service Desk Roadmap
    [infographic]

    Workshop: Standardize the Service Desk

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Lay Service Desk Foundations

    The Purpose

    Discover your challenges and understand what roles, metrics, and ticket handling procedures are needed to tackle the challenges.

    Key Benefits Achieved

    Set a clear understanding about the importance of service desk to your organization and service desk best practices.

    Activities

    1.1 Assess current state of the service desk.

    1.2 Review service desk and shift-left strategy.

    1.3 Identify service desk metrics and reports.

    1.4 Identify ticket handling procedures

    Outputs

    Current state assessment

    Shift-left strategy and implications

    Service desk metrics and reports

    Ticket handling procedures

    2 Design Incident Management

    The Purpose

    Build workflows for incident and critical incident tickets.

    Key Benefits Achieved

    Distinguish incidents from service requests.

    Ticket categorization facilitates ticket. routing and reporting.

    Develop an SLA for your service desk team for a consistent service delivery.

    Activities

    2.1 Build incident and critical incident management workflows.

    2.2 Design ticket categorization scheme and proper ticket handling guidelines.

    2.3 Design incident escalation and prioritization guidelines.

    Outputs

    Incident and critical incident management workflows

    Ticket categorization scheme

    Ticket escalation and prioritization guidelines

    3 Design Request Fulfilment

    The Purpose

    Build service request workflows and prepare self-service portal.

    Key Benefits Achieved

    Standardize request fulfilment processes.

    Prepare for better knowledge management and leverage self-service portal to facilitate shift-left strategy.

    Activities

    3.1 Build service request workflows.

    3.2 Build a targeted knowledgebase.

    3.3 Prepare for a self-serve portal project.

    Outputs

    Distinguishing criteria for requests and projects

    Service request workflows and SLAs

    Knowledgebase article template, processes, and workflows

    4 Build Project Implementation Plan

    The Purpose

    Now that you have laid the foundation of your service desk, put all the initiatives into an action plan.

    Key Benefits Achieved

    Discuss priorities, set timeline, and identify effort for your service desk.

    Identify the benefits and impacts of communicating service desk initiatives to stakeholders and define channels to communicate service desk changes.

    Activities

    4.1 Build an implementation roadmap.

    4.2 Build a communication plan

    Outputs

    Project implementation and task list with associated owners

    Project communication plan and workshop summary presentation

    Further reading

    Analyst Perspective

    "Customer service issues are rarely based on personality but are almost always a symptom of poor and inconsistent process. When service desk managers are looking to hire to resolve customer service issues and executives are pushing back, it’s time to look at improving process and the support strategy to make the best use of technicians’ time, tools, and knowledge sharing. Once improvements have been made, it’s easier to make the case to add people or introduce automation.

    Replacing service desk solutions will also highlight issues around poor process. Without fixing the baseline services, the new solution will simply wrap your issues in a prettier package.

    Ultimately, the service desk needs to be the entry point for users to get help and the rest of IT needs to provide the appropriate support to ensure the first line of interaction has the knowledge and tools they need to resolve quickly and preferably on first contact. If your plans include optimization to self-serve or automation, you’ll have a hard time getting there without standardizing first."

    Sandi Conrad

    Principal Research Director, Infrastructure & Operations Practice

    Info-Tech Research Group

    A method for getting your service desk out of firefighter mode

    This Research Is Designed For:

    • The CIO and senior IT management who need to increase service desk effectiveness and timeliness and improve end-user satisfaction.
    • The service desk manager who wants to lead the team from firefighting mode to providing consistent and proactive support.

    This Research Will Also Assist:

    • Service desk teams who want to increase their own effectiveness and move from a help desk to a service desk.
    • Infrastructure and applications managers who want to decrease reactive support activities and increase strategic project productivity by shifting repetitive and low-value work left.

    This Research Will Help You:

    • Create a consistent customer service experience for service desk patrons.
    • Increase efficiency, first-call resolution, and end-user satisfaction with the Service Desk.
    • Decrease time and cost to resolve service desk tickets.
    • Understand and address reporting needs to address root causes and measure success.
    • Build a solid foundation for future IT service improvements.

    Executive Summary

    Situation

    • The CIO and senior IT management who need to increase service desk effectiveness and timeliness and improve end-user satisfaction.
    • If only the phone could stop ringing, the Service Desk could become proactive, address service levels, and improve end-user IT satisfaction.

    Complication

    • Not everyone embraces their role in service support. Specialists would rather work on projects than provide service support.
    • The Service Desk lacks processes and workflows to provide consistent service. Service desk managers struggle to set and meet service-level expectations, which further compromises end-user satisfaction.

    Resolution

    • Go beyond the blind adoption of best-practice frameworks. No simple formula exists for improving service desk maturity. Use diagnostic tools to assess the current state of the Service Desk. Identify service support challenges and draw on best-practice frameworks intelligently to build a structured response to those challenges.
    • An effective service desk must be built on the right foundations. Understand how:
      • Service desk structure affects cost and ticket volume capacity.
      • Incident management workflows can improve ticket handling, prioritization, and escalation.
      • Request fulfillment processes create opportunities for streamlining and automating services.
      • Knowledge sharing supports the processes and workflows essential to effective service support.

    Info-Tech Insight

    Service desk improvement is an exercise in organizational change. Engage specialists across the IT organization in building the solution. Establish a single service-support team across the IT group and enforce it with a cooperative, customer-focused culture. Don’t be fooled by a tool that’s new. A new service desk tool alone won’t solve the problem. Service desk maturity improvements depend on putting in place the right people and processes to support the technology

    Directors and executives understand the importance of the service desk and believe IT can do better

    A double bar graph is depicted. The blue bars represent Effectiveness and the green bars represent Importance in terms of service desk at different seniority levels, which include frontline, manager, director, and executive.

    Source: Info-Tech, 2019 Responses (N=189 organizations)

    Service Desk Importance Scores

      No Importance: 1.0-6.9
      Limited Importance: 7.0-7.9
      Significant Importance: 8.0-8.9
      Critical Importance: 9.0-10.0

    Service Desk Effectiveness Scores

      Not in Place: N/A
      Not Effective: 0.0-4.9
      Somewhat Ineffective: 5.0-5.9
      Somewhat Effective: 6.0-6.9
      Very Effective: 7.0-10.0

    Info-Tech Research Group’s IT Management and Governance Diagnostic (MGD) program assesses the importance and effectiveness of core IT processes. Since its inception, the MGD has consistently identified the service desk as an area to leverage.

    Business stakeholders consistently rank the service desk as one of the top five most important services that IT provides

    Since 2013, Info-Tech has surveyed over 40,000 business stakeholders as part of our CIO Business Vision program.

    Business stakeholders ranked the following 12 core IT services in terms of importance:

    Learn more about the CIO Business Vision Program.
    *Note: IT Security was added to CIO Business Vision 2.0 in 2019

    Top IT Services for Business Stakeholders

    1. Network Infrastructure
    2. IT Security*
    3. Data Quality
    4. Service Desk
    5. Business Applications
    6. Devices
    7. Client-Facing Technology
    8. Analytical Capability
    9. IT Innovation Leadership
    10. Projects
    11. Work Orders
    12. IT Policies
    13. Requirements Gathering
    Source: Info-Tech Research Group, 2019 (N=224 organizations)

    Having an effective and timely service desk correlates with higher end-user satisfaction with all other IT services

    A double bar graph is depicted. The blue bar represents dissatisfied ender user, and the green bar represents satisfied end user. The bars show the average of dissatisfied and satisfied end users for service desk effectiveness and service desk timeliness.

    On average, organizations that were satisfied with service desk effectiveness rated all other IT processes 46% higher than dissatisfied end users.

    Organizations that were satisfied with service desk timeliness rated all other IT processes 37% higher than dissatisfied end users.
    “Satisfied” organizations had average scores =8.“Dissatisfied" organizations had average scores “Dissatisfied" organizations had average scores =6. Source: Info-Tech Research Group, 2019 (N=18,500+ respondents from 75 organizations)

    Standardize the service desk the Info-Tech way to get measurable results

    More than one hundred organizations engaged with Info-Tech, through advisory calls and workshops, for their service desk projects in 2016. Their goal was either to improve an existing service desk or build one from scratch.

    Organizations that estimate the business impact of each project phase help us shed light on the average measured value of the engagements.

    "The analysts are an amazing resource for this project. Their approach is very methodical, and they have the ability to fill in the big picture with detailed, actionable steps. There is a real opportunity for us to get off the treadmill and make real IT service management improvements"

    - Rod Gula, IT Director

    American Realty Advisors

    Three circles are depicted. The top circle shows the sum of measured value dollar impact which is US$1,659,493.37. The middle circle shows the average measured value dollar impact which is US$19,755.87. The bottom circle shows the average measured value time saved which is 27 days.

    Info-Tech’s approach to service desk standardization focuses on building service management essentials

    This image depicts all of the phases and steps in this blueprint.

    Info-Tech draws on the COBIT framework, which focuses on consistent delivery of IT services across the organization

    This image depicts research that can be used to improve IT processes. Service Desk is circled to demonstrate which research is being used.

    The service desk is the foundation of all other service management processes.

    The image shows how the service desk is a foundation for other service management processes.

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    “Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.”

    Guided Implementation

    “Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.”

    Workshop

    “We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.”

    Consulting

    “Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”

    Diagnostics and consistent frameworks used throughout all four options

    Standardize the Service Desk – project overview

    This image shows the project overview of this blueprint.

    Info-Tech delivers: Use our tools and templates to accelerate your project to completion

    Project Summary

    Image of template.

    Service Desk Standard Operating Procedures

    Image of tool.

    Service Desk Maturity Assessment Tool

    Image of tool.

    Service Desk Implementation Roadmap

    Image of tool Incident, knowledge, and request management workflows

    Incident, knowledge, and request management workflows

    The project’s key deliverable is a service desk standard operating procedure

    Benefits of documented SOPs:

    Improved training and knowledge transfer: Routine tasks can be delegated to junior staff (freeing senior staff to work on higher priority tasks).

    IT automation, process optimization, and consistent operations: Defining, documenting, and then optimizing processes enables IT automation to be built on sound processes, so consistent positive results can be achieved.

    Compliance: Compliance audits are more manageable because the documentation is already in place.

    Transparency: Visually documented processes answer the common business question of “why does that take so long?”

    Cost savings: Work solved at first contact or with a minimal number of escalations will result in greater efficiency and more cost-effective support. This will also lead to better customer service.

    Impact of undocumented/undefined SOPs:

    Tasks will be difficult to delegate, key staff become a bottleneck, knowledge transfer is inconsistent, and there is a longer onboarding process for new staff

    IT automation built on poorly defined, unoptimized processes leads to inconsistent results.

    Documenting SOPs to prepare for an audit becomes a major time-intensive project.

    Other areas of the organization may not understand how IT operates, which can lead to confusion and unrealistic expectations.

    Support costs are highest through inefficient processes, and proactive work becomes more difficult to schedule, making the organization vulnerable to costly disruptions.

    Workshop Overview

    Image depicts workshop overview occurring over four days.

    Contact your account representative or email Workshops@InfoTech.com for more information.

    Phase 1

    Lay Service Desk Foundations

    Step 1.1:Assess current state

    Image shows the steps in phase 1. Highlight is on step 1.1

    This step will walk you through the following activities:

    • 1.1.1 Outline service desk challenges
    • 1.1.2 Assess the service desk maturity

    This step involves the following participants:

    • Project Sponsor
    • IT Director, CIO
    • IT Managers and Service Desk Manager(s)
    • Representation from tier 2 and tier 3 specialists

    Outcomes

    Alignment on the challenges that the service desk faces, an assessment of the current state of service desk processes and technologies, and baseline metrics against which to measure improvements.

    Deliverables

    • Service Desk Maturity Assessment

    Standardizing the service desk benefits the whole business

    The image depicts 3 circles to represent the service desk foundations.

    Embrace standardization

    • Standardization prevents wasted energy on reinventing solutions to recurring issues.
    • Standardized processes are scalable so that process maturity increases with the size of your organization.

    Increase business satisfaction

    • Improve confidence that the service desk can meet service levels.
    • Create a single point of contact for incidents and requests and escalate quickly.
    • Analyze trends to forecast and meet shifting business requirements.

    Reduce recurring issues

    • Create tickets for every task and categorize them accurately.
    • Generate reliable data to support root-cause analysis.

    Increase efficiency and lower operating costs

    • Empower end users and technicians with a targeted knowledgebase (KB).
    • Cross-train to improve service consistency.

    Case Study: The CIO of Westminster College took stock of existing processes before moving to empower the “helpless desk”

    Scott Lowe helped a small staff of eight IT professionals formalize service desk processes and increase the amount of time available for projects.

    When he joined Westminster College as CIO in 2006, the department faced several infrastructure challenges, including:

    • An unreliable network
    • Aging server replacements and no replacement plan
    • IT was the “department of no”
    • A help desk known as the “helpless desk”
    • A lack of wireless connectivity
    • Internet connection speed that was much too slow

    As the CIO investigated how to address the infrastructure challenges, he realized people cared deeply about how IT spent its time.

    The project load of IT staff increased, with new projects coming in every day.

    With a long project list, it became increasingly important to improve the transparency of project request and prioritization.

    Some weeks, staff spent 80% of their time working on projects. Other weeks, support requirements might leave only 10% for project work.

    He addressed the infrastructure challenges in part by analyzing IT’s routine processes.

    Internally, IT had inefficient support processes that reduced the amount of time they could spend on projects.

    They undertook an internal process analysis effort to identify processes that would have a return on investment if they were improved. The goal was to reduce operational support time so that project time could be increased.

    Five years later, they had a better understanding of the organization's operational support time needs and were able to shift workloads to accommodate projects without compromising support.

    Common challenges experienced by service desk teams

    Unresolved issues

    • Tickets are not created for all incidents.
    • Tickets are lost or escalated to the wrong technicians.
    • Poor data impedes root-cause analysis of incidents.

    Lost resources/accountability

    • Lack of cross-training and knowledge sharing.
    • Lack of skills coverage for critical applications and services.
    • Time is wasted troubleshooting recurring issues.
    • Reports unavailable due to lack of data and poor categorization.

    High cost to resolve

    • Tier 2/3 resolve issues that should be resolved at tier 1.
    • Tier 2/3 often interrupt projects to focus on service support.

    Poor planning

    • Lack of data for effective trend analysis leads to poor demand planning.
    • Lack of data leads to lost opportunities for templating and automation.

    Low business satisfaction

    • Users are unable to get assistance with IT services quickly.
    • Users go to their favorite technician instead of using the service desk.

    Outline the organization’s service desk challenges

    1.1.1 Brainstorm service desk challenges

    Estimated Time: 45 minutes

    A. As a group, outline the areas where you think the service desk is experiencing challenges or weaknesses. Use sticky notes or a whiteboard to separate the challenges into People, Process, and Technology so you have a wholistic view of the constraints across the department.

    B. Think about the following:

    • What have you heard from users? (e.g. slow response time)
    • What have you heard from executives? (e.g. poor communication)
    • What should you start doing? (e.g. documenting processes)
    • What should you stop doing? (e.g. work that is not being entered as tickets)

    C. Document challenges in the Service Desk Project Summary.

    Participants:

    • CIO
    • IT Managers
    • Service Desk Manager
    • Service Desk Agents

    Assess current service desk maturity to establish a baseline and create a plan for service desk improvement

    A current-state assessment will help you build a foundation for process improvements. Current-state assessments follow a basic formula:

    1. Determine the current state of the service desk.
    2. Determine the desired state of the service desk.
    3. Build a practical path from current to desired state.
    Image depicts 2 circles and a box. The circle on the 1. left has assess current state. The circle on the right has 2. assess target state. The box has 3. build a roadmap.

    Ideally, the current-state assessment should align the delivery of IT services with organizational needs. The assessment should achieve the following goals:

    1. Identify service desk pain points.
    2. Map each pain point to business services.
    3. Assign a broad business value to the resolution of each pain point.
    4. Map each pain point to a process.

    Expert Insight

    Image of expert.

    “How do you know if you aren’t mature enough? Nothing – or everything – is recorded and tracked, customer satisfaction is low, frustration is high, and there are multiple requests and incidents that nobody ever bothers to address.”

    Rob England

    IT Consultant & Commentator

    Owner Two Hills

    Also known as The IT Skeptic

    Assess the process maturity of the service desk to determine which project phase and steps will bring the most value

    1.1.2 Measure which activity will have the greatest impact

    The Service Desk Maturity Assessmenttool helps organizations assess their service desk process maturity and focus the project on the activities that matter most.

    The tool will help guide improvement efforts and measure your progress.

    • The second tab of the tool walks through a qualitative assessment of your service desk practices. Questions will prompt you to evaluate how you are executing key activities. Select the answer in the drop-down menus that most closely aligns with your current state.
    • The third tab displays your rate of process completeness and maturity. You will receive a score for each phase, an overall score, and advice based on your performance.
    • Document the results of the efficiency assessment in the Service Desk Project Summary.

    The tool is intended for periodic use. Review your answers each year and devise initiatives to improve the process performance where you need it most.

    Where do I find the data?

    Consult:

    • Service Manager
    • Service Desk Tools
    Image is the service desk tools.

    Step 1.2:Review service support best practices

    Image shows the steps in phase 1. Highlight is on step 1.2.

    This step will walk you through the following activities:

    1. 1.2.1 Identify roles and responsibilities in your organization
    2. 1.2.2 Map out the current and target structure of the service desk

    This step involves the following participants:

    • Project Sponsor
    • IT Director, CIO
    • IT Managers and Service Desk Manager(s)
    • Representation from tier 2 and tier 3 specialists

    Outcomes

    Identifying who is accountable for different support practices in the service desk will allow workload to be distributed effectively between functional teams and individuals. Closing the gaps in responsibilities will enable the execution of a shift-left strategy.

    Deliverables

    • Roles & responsibilities guide
    • Service desk structure

    Everyone in IT contributes to the success of service support

    Regardless of the service desk structure chosen to meet an organization’s service support requirements, IT staff should not doubt the role they play in service support.

    If you try to standardize service desk processes without engaging specialists in other parts of the IT organization, you will fail. Everyone in IT has a role to play in providing service support and meeting service-level agreements.

    Service Support Engagement Plan

    • Identify who is accountable for different service support processes.
    • Outline the different responsibilities of service desk agents at tier 1, tier 2, and tier 3 in meeting service-level agreements for service support.
    • Draft operational-level agreements between specialty groups and the service desk to improve accountability.
    • Configure the service desk tool to ensure ticket visibility and ownership across queues.
    • Engage tier 2 and tier 3 resources in building workflows for incident management, request fulfilment, and writing knowledgebase articles.
    • Emphasize the benefits of cooperation across IT silos:
      • Better customer service and end-user satisfaction.
      • Shorter time to resolve incidents and implement requests.
      • A higher tier 1 resolution rate, more efficient escalations, and fewer interruptions from project work.

    Info-Tech Insight

    Specialists tend to distance themselves from service support as they progress through their career to focus on projects.

    However, their cooperation is critical to the success of the new service desk. Not only do they contribute to the knowledgebase, but they also handle escalations from tiers 1 and 2.

    Clear project complications by leveraging roles and responsibilities

    R

    Responsible: This person is the staff member who completes the work. Assign at least one Responsible for each task, but this could be more than one.

    A

    Accountable: This team member delegates a task and is the last person to review deliverables and/or task. Sometimes Responsible and Accountable can be the same staff. Make sure that you always assign only one Accountable for each task and not more.

    C

    Consulted: People who do not carry out the task but need to be consulted. Typically, these people are subject matter experts or stakeholders.

    I

    Informed: People who receive information about process execution and quality and need to stay informed regarding the task.

    A RACI analysis is helpful with the following:

    • Workload Balancing: Allowing responsibilities to be distributed effectively between functional teams and individuals.
    • Change Management: Ensuring key functions and processes are not overlooked during organizational changes.
    • Onboarding: New employees can identify their own roles and responsibilities.

    A RACI chart outlines which positions are Responsible, Accountable, Consulted, and Informed

    Image shows example of RACI chart

    Create a list of roles and responsibilities in your organization

    1.2.1 Create RACI matrix to define responsibilities

    1. Use the Service Desk Roles and Responsibilities Guidefor a better understanding of the roles and responsibilities of different service desk tiers.
    2. In the RACI chart, replace the top row with specific roles in your organization.
    3. Modify or expand the process tasks, as needed, in the left column.
    4. For each role, identify the responsibility values that the person brings to the service desk. Fill out each column.
    5. Document in the Service Desk SOP. Schedule a time to share the results with organization leads.
    6. Distribute the chart between all teams in your organization.

    Notes:

    • Assign one Accountable for each task.
    • Have at least one Responsible for each task.
    • Avoid generic responsibilities, such as “team meetings.”
    • Keep your RACI definitions in your documents, as they are sometimes tough to remember.

    Participants

    • CIO
    • IT Managers
    • Service Desk Manager
    • Service Desk Agents

    What You'll Need

    • Service Desk SOP
    • Roles and Responsibilities Guide
    • Flip Chart
    • Whiteboard

    Build a single point of contact for the service desk

    Regardless of the service desk structure chosen to meet your service support requirements, end users should be in no doubt about how to access the service.

    Provide end users with:

    • A single phone number.
    • A single email address.
    • A single web portal for all incidents and requests.

    A single point of contact will ensure:

    • An agent is available to field incidents and requests.
    • Incidents and requests are prioritized according to impact and urgency.
    • Work is tracked to completion.

    This prevents ad hoc ticket channels such as shoulder grabs or direct emails, chats, or calls to a technician from interrupting work.

    A single point of contact does not mean the service desk is only accessible through one intake channel, but rather all tickets are directed to the service desk (i.e. tier 1) to be resolved or redirected appropriately.

    Image depicts 2 boxes. The smaller box labelled users and the larger box labelled Service Desk Tier 1. There are four double-sided arrows. The top is labelled email, the second is walk-in, the third is phone, the fourth is web portal.

    Directors and executives understand the importance of the service desk and believe IT can do better

    A double bar graph is depicted. The blue bars represent Effectiveness and the green bars represent Importance in terms of service desk at different seniority levels, which include frontline, manager, director, and executive.

    Source: Info-Tech, 2019 Responses (N=189 organizations)

    Service Desk Importance Scores

      No Importance: 1.0-6.9
      Limited Importance: 7.0-7.9
      Significant Importance: 8.0-8.9
      Critical Importance: 9.0-10.0

    Service Desk Effectiveness Scores

      Not in Place: N/A
      Not Effective: 0.0-4.9
      Somewhat Ineffective: 5.0-5.9
      Somewhat Effective: 6.0-6.9
      Very Effective: 7.0-10.0

    Info-Tech Research Group’s IT Management and Governance Diagnostic (MGD) program assesses the importance and effectiveness of core IT processes. Since its inception, the MGD has consistently identified the service desk as an area to leverage.

    Business stakeholders consistently rank the service desk as one of the top five most important services that IT provides

    Since 2013, Info-Tech has surveyed over 40,000 business stakeholders as part of our CIO Business Vision program.

    Business stakeholders ranked the following 12 core IT services in terms of importance:

    Learn more about the CIO Business Vision Program.
    *Note: IT Security was added to CIO Business Vision 2.0 in 2019

    Top IT Services for Business Stakeholders

    1. Network Infrastructure
    2. IT Security*
    3. Data Quality
    4. Service Desk
    5. Business Applications
    6. Devices
    7. Client-Facing Technology
    8. Analytical Capability
    9. IT Innovation Leadership
    10. Projects
    11. Work Orders
    12. IT Policies
    13. Requirements Gathering
    Source: Info-Tech Research Group, 2019 (N=224 organizations)

    Having an effective and timely service desk correlates with higher end-user satisfaction with all other IT services

    A double bar graph is depicted. The blue bar represents dissatisfied ender user, and the green bar represents satisfied end user. The bars show the average of dissatisfied and satisfied end users for service desk effectiveness and service desk timeliness.

    On average, organizations that were satisfied with service desk effectiveness rated all other IT processes 46% higher than dissatisfied end users.

    Organizations that were satisfied with service desk timeliness rated all other IT processes 37% higher than dissatisfied end users.
    “Satisfied” organizations had average scores =8.“Dissatisfied" organizations had average scores “Dissatisfied" organizations had average scores =6. Source: Info-Tech Research Group, 2019 (N=18,500+ respondents from 75 organizations)

    Standardize the service desk the Info-Tech way to get measurable results

    More than one hundred organizations engaged with Info-Tech, through advisory calls and workshops, for their service desk projects in 2016. Their goal was either to improve an existing service desk or build one from scratch.

    Organizations that estimate the business impact of each project phase help us shed light on the average measured value of the engagements.

    "The analysts are an amazing resource for this project. Their approach is very methodical, and they have the ability to fill in the big picture with detailed, actionable steps. There is a real opportunity for us to get off the treadmill and make real IT service management improvements"

    - Rod Gula, IT Director

    American Realty Advisors

    Three circles are depicted. The top circle shows the sum of measured value dollar impact which is US$1,659,493.37. The middle circle shows the average measured value dollar impact which is US$19,755.87. The bottom circle shows the average measured value time saved which is 27 days.

    Info-Tech’s approach to service desk standardization focuses on building service management essentials

    This image depicts all of the phases and steps in this blueprint.

    Info-Tech draws on the COBIT framework, which focuses on consistent delivery of IT services across the organization

    This image depicts research that can be used to improve IT processes. Service Desk is circled to demonstrate which research is being used.

    The service desk is the foundation of all other service management processes.

    The image shows how the service desk is a foundation for other service management processes.

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    “Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.”

    Guided Implementation

    “Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.”

    Workshop

    “We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.”

    Consulting

    “Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”

    Diagnostics and consistent frameworks used throughout all four options

    Standardize the Service Desk – project overview

    This image shows the project overview of this blueprint.

    Info-Tech delivers: Use our tools and templates to accelerate your project to completion

    Project Summary

    Image of template.

    Service Desk Standard Operating Procedures

    Image of tool.

    Service Desk Maturity Assessment Tool

    Image of tool.

    Service Desk Implementation Roadmap

    Image of tool Incident, knowledge, and request management workflows

    Incident, knowledge, and request management workflows

    The project’s key deliverable is a service desk standard operating procedure

    Benefits of documented SOPs:

    Improved training and knowledge transfer: Routine tasks can be delegated to junior staff (freeing senior staff to work on higher priority tasks).

    IT automation, process optimization, and consistent operations: Defining, documenting, and then optimizing processes enables IT automation to be built on sound processes, so consistent positive results can be achieved.

    Compliance: Compliance audits are more manageable because the documentation is already in place.

    Transparency: Visually documented processes answer the common business question of “why does that take so long?”

    Cost savings: Work solved at first contact or with a minimal number of escalations will result in greater efficiency and more cost-effective support. This will also lead to better customer service.

    Impact of undocumented/undefined SOPs:

    Tasks will be difficult to delegate, key staff become a bottleneck, knowledge transfer is inconsistent, and there is a longer onboarding process for new staff

    IT automation built on poorly defined, unoptimized processes leads to inconsistent results.

    Documenting SOPs to prepare for an audit becomes a major time-intensive project.

    Other areas of the organization may not understand how IT operates, which can lead to confusion and unrealistic expectations.

    Support costs are highest through inefficient processes, and proactive work becomes more difficult to schedule, making the organization vulnerable to costly disruptions.

    Workshop Overview

    Image depicts workshop overview occurring over four days.

    Contact your account representative or email Workshops@InfoTech.com for more information.

    Phase 1

    Lay Service Desk Foundations

    Step 1.1:Assess current state

    Image shows the steps in phase 1. Highlight is on step 1.1

    This step will walk you through the following activities:

    • 1.1.1 Outline service desk challenges
    • 1.1.2 Assess the service desk maturity

    This step involves the following participants:

    • Project Sponsor
    • IT Director, CIO
    • IT Managers and Service Desk Manager(s)
    • Representation from tier 2 and tier 3 specialists

    Outcomes

    Alignment on the challenges that the service desk faces, an assessment of the current state of service desk processes and technologies, and baseline metrics against which to measure improvements.

    Deliverables

    • Service Desk Maturity Assessment

    Standardizing the service desk benefits the whole business

    The image depicts 3 circles to represent the service desk foundations.

    Embrace standardization

    • Standardization prevents wasted energy on reinventing solutions to recurring issues.
    • Standardized processes are scalable so that process maturity increases with the size of your organization.

    Increase business satisfaction

    • Improve confidence that the service desk can meet service levels.
    • Create a single point of contact for incidents and requests and escalate quickly.
    • Analyze trends to forecast and meet shifting business requirements.

    Reduce recurring issues

    • Create tickets for every task and categorize them accurately.
    • Generate reliable data to support root-cause analysis.

    Increase efficiency and lower operating costs

    • Empower end users and technicians with a targeted knowledgebase (KB).
    • Cross-train to improve service consistency.

    Case Study: The CIO of Westminster College took stock of existing processes before moving to empower the “helpless desk”

    Scott Lowe helped a small staff of eight IT professionals formalize service desk processes and increase the amount of time available for projects.

    When he joined Westminster College as CIO in 2006, the department faced several infrastructure challenges, including:

    • An unreliable network
    • Aging server replacements and no replacement plan
    • IT was the “department of no”
    • A help desk known as the “helpless desk”
    • A lack of wireless connectivity
    • Internet connection speed that was much too slow

    As the CIO investigated how to address the infrastructure challenges, he realized people cared deeply about how IT spent its time.

    The project load of IT staff increased, with new projects coming in every day.

    With a long project list, it became increasingly important to improve the transparency of project request and prioritization.

    Some weeks, staff spent 80% of their time working on projects. Other weeks, support requirements might leave only 10% for project work.

    He addressed the infrastructure challenges in part by analyzing IT’s routine processes.

    Internally, IT had inefficient support processes that reduced the amount of time they could spend on projects.

    They undertook an internal process analysis effort to identify processes that would have a return on investment if they were improved. The goal was to reduce operational support time so that project time could be increased.

    Five years later, they had a better understanding of the organization's operational support time needs and were able to shift workloads to accommodate projects without compromising support.

    Common challenges experienced by service desk teams

    Unresolved issues

    • Tickets are not created for all incidents.
    • Tickets are lost or escalated to the wrong technicians.
    • Poor data impedes root-cause analysis of incidents.

    Lost resources/accountability

    • Lack of cross-training and knowledge sharing.
    • Lack of skills coverage for critical applications and services.
    • Time is wasted troubleshooting recurring issues.
    • Reports unavailable due to lack of data and poor categorization.

    High cost to resolve

    • Tier 2/3 resolve issues that should be resolved at tier 1.
    • Tier 2/3 often interrupt projects to focus on service support.

    Poor planning

    • Lack of data for effective trend analysis leads to poor demand planning.
    • Lack of data leads to lost opportunities for templating and automation.

    Low business satisfaction

    • Users are unable to get assistance with IT services quickly.
    • Users go to their favorite technician instead of using the service desk.

    Outline the organization’s service desk challenges

    1.1.1 Brainstorm service desk challenges

    Estimated Time: 45 minutes

    A. As a group, outline the areas where you think the service desk is experiencing challenges or weaknesses. Use sticky notes or a whiteboard to separate the challenges into People, Process, and Technology so you have a wholistic view of the constraints across the department.

    B. Think about the following:

    • What have you heard from users? (e.g. slow response time)
    • What have you heard from executives? (e.g. poor communication)
    • What should you start doing? (e.g. documenting processes)
    • What should you stop doing? (e.g. work that is not being entered as tickets)

    C. Document challenges in the Service Desk Project Summary.

    Participants:

    • CIO
    • IT Managers
    • Service Desk Manager
    • Service Desk Agents

    Assess current service desk maturity to establish a baseline and create a plan for service desk improvement

    A current-state assessment will help you build a foundation for process improvements. Current-state assessments follow a basic formula:

    1. Determine the current state of the service desk.
    2. Determine the desired state of the service desk.
    3. Build a practical path from current to desired state.
    Image depicts 2 circles and a box. The circle on the 1. left has assess current state. The circle on the right has 2. assess target state. The box has 3. build a roadmap.

    Ideally, the current-state assessment should align the delivery of IT services with organizational needs. The assessment should achieve the following goals:

    1. Identify service desk pain points.
    2. Map each pain point to business services.
    3. Assign a broad business value to the resolution of each pain point.
    4. Map each pain point to a process.

    Expert Insight

    Image of expert.

    “How do you know if you aren’t mature enough? Nothing – or everything – is recorded and tracked, customer satisfaction is low, frustration is high, and there are multiple requests and incidents that nobody ever bothers to address.”

    Rob England

    IT Consultant & Commentator

    Owner Two Hills

    Also known as The IT Skeptic

    Assess the process maturity of the service desk to determine which project phase and steps will bring the most value

    1.1.2 Measure which activity will have the greatest impact

    The Service Desk Maturity Assessmenttool helps organizations assess their service desk process maturity and focus the project on the activities that matter most.

    The tool will help guide improvement efforts and measure your progress.

    • The second tab of the tool walks through a qualitative assessment of your service desk practices. Questions will prompt you to evaluate how you are executing key activities. Select the answer in the drop-down menus that most closely aligns with your current state.
    • The third tab displays your rate of process completeness and maturity. You will receive a score for each phase, an overall score, and advice based on your performance.
    • Document the results of the efficiency assessment in the Service Desk Project Summary.

    The tool is intended for periodic use. Review your answers each year and devise initiatives to improve the process performance where you need it most.

    Where do I find the data?

    Consult:

    • Service Manager
    • Service Desk Tools
    Image is the service desk tools.

    Step 1.2:Review service support best practices

    Image shows the steps in phase 1. Highlight is on step 1.2.

    This step will walk you through the following activities:

    1. 1.2.1 Identify roles and responsibilities in your organization
    2. 1.2.2 Map out the current and target structure of the service desk

    This step involves the following participants:

    • Project Sponsor
    • IT Director, CIO
    • IT Managers and Service Desk Manager(s)
    • Representation from tier 2 and tier 3 specialists

    Outcomes

    Identifying who is accountable for different support practices in the service desk will allow workload to be distributed effectively between functional teams and individuals. Closing the gaps in responsibilities will enable the execution of a shift-left strategy.

    Deliverables

    • Roles & responsibilities guide
    • Service desk structure

    Everyone in IT contributes to the success of service support

    Regardless of the service desk structure chosen to meet an organization’s service support requirements, IT staff should not doubt the role they play in service support.

    If you try to standardize service desk processes without engaging specialists in other parts of the IT organization, you will fail. Everyone in IT has a role to play in providing service support and meeting service-level agreements.

    Service Support Engagement Plan

    • Identify who is accountable for different service support processes.
    • Outline the different responsibilities of service desk agents at tier 1, tier 2, and tier 3 in meeting service-level agreements for service support.
    • Draft operational-level agreements between specialty groups and the service desk to improve accountability.
    • Configure the service desk tool to ensure ticket visibility and ownership across queues.
    • Engage tier 2 and tier 3 resources in building workflows for incident management, request fulfilment, and writing knowledgebase articles.
    • Emphasize the benefits of cooperation across IT silos:
      • Better customer service and end-user satisfaction.
      • Shorter time to resolve incidents and implement requests.
      • A higher tier 1 resolution rate, more efficient escalations, and fewer interruptions from project work.

    Info-Tech Insight

    Specialists tend to distance themselves from service support as they progress through their career to focus on projects.

    However, their cooperation is critical to the success of the new service desk. Not only do they contribute to the knowledgebase, but they also handle escalations from tiers 1 and 2.

    Clear project complications by leveraging roles and responsibilities

    R

    Responsible: This person is the staff member who completes the work. Assign at least one Responsible for each task, but this could be more than one.

    A

    Accountable: This team member delegates a task and is the last person to review deliverables and/or task. Sometimes Responsible and Accountable can be the same staff. Make sure that you always assign only one Accountable for each task and not more.

    C

    Consulted: People who do not carry out the task but need to be consulted. Typically, these people are subject matter experts or stakeholders.

    I

    Informed: People who receive information about process execution and quality and need to stay informed regarding the task.

    A RACI analysis is helpful with the following:

    • Workload Balancing: Allowing responsibilities to be distributed effectively between functional teams and individuals.
    • Change Management: Ensuring key functions and processes are not overlooked during organizational changes.
    • Onboarding: New employees can identify their own roles and responsibilities.

    A RACI chart outlines which positions are Responsible, Accountable, Consulted, and Informed

    Image shows example of RACI chart

    Create a list of roles and responsibilities in your organization

    1.2.1 Create RACI matrix to define responsibilities

    1. Use the Service Desk Roles and Responsibilities Guidefor a better understanding of the roles and responsibilities of different service desk tiers.
    2. In the RACI chart, replace the top row with specific roles in your organization.
    3. Modify or expand the process tasks, as needed, in the left column.
    4. For each role, identify the responsibility values that the person brings to the service desk. Fill out each column.
    5. Document in the Service Desk SOP. Schedule a time to share the results with organization leads.
    6. Distribute the chart between all teams in your organization.

    Notes:

    • Assign one Accountable for each task.
    • Have at least one Responsible for each task.
    • Avoid generic responsibilities, such as “team meetings.”
    • Keep your RACI definitions in your documents, as they are sometimes tough to remember.

    Participants

    • CIO
    • IT Managers
    • Service Desk Manager
    • Service Desk Agents

    What You'll Need

    • Service Desk SOP
    • Roles and Responsibilities Guide
    • Flip Chart
    • Whiteboard

    Build a tiered generalist service desk to optimize costs

    A tiered generalist service desk with a first-tier resolution rate greater than 60% has the best operating cost and customer satisfaction of all competing service desk structural models.

    Image depicts a tiered generalist service desk example. It shows a flow from users to tier 1 and to tiers 2 and 3.

    The success of a tiered generalist model depends on standardized, defined processes

    Image lists the processes and benefits of a successful tiered generalist service desk.

    Define the structure of the service desk

    1.2.2 Map out the current and target structure of the service desk

    Estimated Time: 45 minutes

    Instructions:

    1. Using the model from the previous slides as a guide, discuss how closely it matches the current service desk structure.
    2. Map out a similar diagram of your existing service desk structure, intake channels, and escalation paths.
    3. Review the structure and discuss any changes that could be made to improve efficiency. Revise as needed.
    4. Document the outcome in the Service Desk Project Summary.

    Image depicts a tiered generalist service desk example. It shows a flow from users to tier 1 and to tiers 2 and 3.

    Participants

    • CIO
    • IT Managers
    • Service Desk Manager
    • Service Desk Agents

    Use a shift-left strategy to lower service support costs, reduce time to resolve, and improve end-user satisfaction

    Shift-left strategy:

    • Shift service support tasks from specialists to generalists.
    • Implement self-service.
    • Automate incident resolution.
    Image shows the incident and service request resolution in a graph. It includes metrics of cost per ticket, average time to resolve, and end-user satisfaction.

    Work through the implications of adopting a shift-left strategy

    Overview:

    Identify process gaps that you need to fill to support the shift-left strategy and discuss how you could adopt or improve the shift-left strategy, using the discussion questions below as a guide.

    Which process gaps do you need to fill to identify ticket trends?

    • What are your most common incidents and service requests?
    • Which tickets could be resolved at tier 1?
    • Which tickets could be resolved as self-service tickets?
    • Which tickets could be automated?

    Which processes do you most need to improve to support a shift-left strategy?

    • Which incident and request processes are well documented?
    • Do you have recurring tickets that could be automated?
    • What is the state of your knowledgebase maintenance process?
    • Which articles do you most need to support tier 1 resolution?
    • What is the state of your web portal? How could it be improved to support self-service?

    Document in the Project Summary

    Step 1.3: Identify service desk metrics and reports

    Image shows the steps in phase 1. Highlight is on step 1.3.

    This step will walk you through the following activities:

    • 1.3 Create a list of required reports to identify relevant metrics

    This step involves the following participants:

    • Project Sponsor
    • IT Managers and Service Desk Manager(s)
    • Representation from tier 2 and tier 3 specialists

    Outcomes

    Managers and analysts will have service desk metrics and reports that help set expectations and communicate service desk performance.

    Deliverables

    • A list of service desk performance metrics and reports

    Engage business unit leaders with data to appreciate needs

    Service desk reports are an opportunity to communicate the story of IT and collect stakeholder feedback. Interview business unit leaders and look for opportunities to improve IT services.

    Start with the following questions:

    • What are you hearing from your team about working with IT?
    • What are the issues that are contributing to productivity losses?
    • What are the workarounds your team does because something isn’t working?
    • Are you able to access the information you need?

    Work with business unit leaders to develop an action plan.

    Remember to communicate what you do to address stakeholder grievances.

    The service recovery paradox is a situation in which end users think more highly of IT after the organization has corrected a problem with their service compared to how they would regard the company if the service had not been faulty in the first place.

    The point is that addressing issues (and being seen to address issues) will significantly improve end-user satisfaction. Communicate that you’re listening and acting, and you should see satisfaction improve.

    Info-Tech Insight

    Presentation is everything:

    If you are presenting outside of IT, or using operational metrics to create strategic information, be prepared to:

    • Discuss trends.
    • Identify organizational and departmental impacts.
    • Assess IT costs and productivity.

    For example, “Number of incidents with ERP system has decreased by 5% after our last patch release. We are working on the next set of changes and expect the issues to continue to decrease.”

    Engage technicians to ensure they input quality data in the service desk tool

    You need better data to address problems. Communicate to the technical team what you need from them and how their efforts contribute to the usefulness of reports.

    Tickets MUST:

    • Be created for all incidents and service requests.
    • Be categorized correctly, and categories updated when the ticket is resolved.
    • Be closed after the incidents and service requests are resolved or implemented.

    Emphasize that reports are analyzed regularly and used to manage costs, improve services, and request more resources.

    Info-Tech Insight

    Service Desk Manager: Technical staff can help themselves analyze the backlog and improve service metrics if they’re looking at the right information. Ensure their service desk dashboards are helping them identify high-priority and quick-win tickets and anticipate potential SLA breaches.

    Produce service desk reports targeted to improve IT services

    Use metrics and reports to tell the story of IT.

    Metrics should be tied to business requirements and show how well IT is meeting those requirements and where obstacles exist.

    Tailor metrics and reports to specific stakeholders.

    Technicians require mostly real-time information in the form of a dashboard, providing visibility into a prioritized list of tickets for which they are responsible.

    Supervisors need tactical information to manage the team and set client expectations as well as track and meet strategic goals.

    Managers and executives need summary information that supports strategic goals. Start by looking at executive goals for the support team and then working through some of the more tactical data that will help support those goals.

    One metric doesn’t give you the whole picture

    • Don’t put too much emphasis on a single metric. At best, it will give you a distorted picture of your service desk performance. At worst, it will distort the behavior of your agents as they may adopt poor practices to meet the metric.
    • The solution is to use tension metrics: metrics that work together to give you a better sense of the state of operations.
    • Tension metrics ensure a balanced focus toward shared goals.

    Example:

    First-call resolution (FCR), end-user satisfaction, and number of tickets reopened all work together to give you a complete picture. As FCR goes up, so should end-user satisfaction, as number of tickets re-opened stays steady or declines. If the three metrics are heading in different directions, then you know you have a problem.

    Rely on internal metrics to measure and improve performance

    External metrics provide useful context, but they represent broad generalizations across different industries and organizations of different sizes. Internal metrics measured annually are more reliable.

    Internal metrics provide you with information about your actual performance. With the right continual improvement process, you can improve those metrics year over year, which is a better measure of the performance of your service desk.

    Whether a given metric is the right one for your service desk will depend on several different factors, not the least of which include:

    • The maturity of your service desk processes.
    • Your ticket volume.
    • The complexity of your tickets.
    • The degree to which your end users are comfortable with self-service.

    Info-Tech Insight

    Take external metrics with a grain of salt. Most benchmarks represent what service desks do across different industries, not what they should do. There also might be significant differences between different industries in terms of the kinds of tickets they deal with, differences which the overall average obscures.

    Use key service desk metrics to build a business case for service support improvements

    The right metrics can tell the business how hard IT works and how many resources it needs to perform:

    1. End-User Satisfactions:
      • The most important metric for measuring the perceived value of the service desk. Determine this based on a robust annual satisfaction survey of end users and transactional satisfaction surveys sent with a percentage of tickets.
    2. Ticket Volume and Cost per Ticket:
      • A key indicator of service desk efficiency, computed as the monthly operating expense divided by the average ticket volume per month.
    3. First-Contact Resolution Rate:
      • The biggest driver of end-user satisfaction. Depending on the kind of tickets you deal with, you can measure first-contact, first-tier, or first-day resolution.
    4. Average Time to Resolve (Incident) or Fulfill (Service Requests):
      • An assessment of the service desk's ability to resolve tickets effectively, measuring the time elapsed between the moment the ticket status is set to “open” and the moment it is set to “resolved.”

    Info-Tech Insight

    Metrics should be tied to business requirements. They tell the story of how well IT is meeting those requirements and help identify when obstacles get in the way. The latter can be done by pointing to discrepancies between the internal metrics you expected to reach but didn’t and external metrics you trust.

    Use service desk metrics to track progress toward strategic, operational, and tactical goals

    Image depicts a chart to show the various metrics in terms of strategic goals, tactical goals, and operational goals.

    Cost per ticket and customer satisfaction are the foundation metrics of service support

    Ultimately, everything boils down to cost containment (measured by cost per ticket) and quality of service (measured by customer satisfaction).

    Cost per ticket is a measure of the efficiency of service support:

    • A higher than average cost per ticket is not necessarily a bad thing, particularly if accompanied by higher-than-average quality levels.
    • Conversely, a low cost per ticket is not necessarily good, particularly if the low cost is achieved by sacrificing quality of service.

    Cost per ticket is the total monthly operating expense of the service desk divided by the monthly ticket volume. Operating expense includes the following components:

    • Salaries and benefits for desktop support technicians
    • Salaries and benefits for indirect personnel (team leads, supervisors, workforce schedulers, dispatchers, QA/QC personnel, trainers, and managers)
    • Technology expense (e.g. computers, software licensing fees)
    • Telecommunications expenses
    • Facilities expenses (e.g. office space, utilities, insurance)
    • Travel, training, and office supplies
    Image displays a pie chart that shows the various service desk costs.

    Create a list of required reports to identify metrics to track

    1.3.1 Start by identifying the reports you need, then identify the metrics that produce them

    1. Answer the following questions to determine the data your reports require:
      • What strategic initiatives do you need to track?
        • Example: reducing mean time to resolve, meeting SLAs
      • What operational areas need attention?
        • Example: recurring issues that need a permanent resolution
      • What kind of issues do you want to solve?
        • Example: automate tasks such as password reset or software distribution
      • What decisions or processes are held up due to lack of information?
        • Example: need to build a business case to justify infrastructure upgrades
      • How can the data be used to improve services to the business?
        • Example: recurring issues by department
    2. Document report and metrics requirements in Service Desk SOP.
    3. Provide the list to your tool administrator to create reports with auto-distribution.

    Participants

    • CIO
    • IT Managers
    • Service Desk Manager
    • Service Desk Agents

    What You'll Need

    • Service Desk SOP
    • Flip Chart
    • Whiteboard

    Step 1.4: Review ticket handling procedures

    Image shows the steps in phase 1. Highlight is on step 1.4.

    This step will walk you through the following activities:

    • 1.4.1 Review ticket handling practices
    • 1.4.2 Identify opportunities to automate ticket creation and reduce recurring tickets

    This step involves the following participants:

    • Project Sponsor
    • IT Managers and Service Desk Manager(s)
    • Representation from tier 2 and tier 3 specialists

    Outcomes

    Managers and analysts will have best practices for ticket handling and troubleshooting to support ITSM data quality and improve first-tier resolution.

    DELIVERABLES

    • List of ticket templates and recurring tickets
    • Ticket and Call QA Template and ticket handling best practices

    Start by reviewing the incident intake process to find opportunities for improvement

    If end users are avoiding your service desk, you may have an intake problem. Create alternative ways for users to seek help to manage the volume; keep in mind not every request is an emergency.

    Image shows the various intake channels and the recommendation.

    Identify opportunities for improvement in your ticket channels

    The two most efficient intake channels should be encouraged for the majority of tickets.

    • Build a self-service portal.
      • Do users know where to find the portal?
      • How many tickets are created through the portal?
      • Is the interface easy to use?
    • Deal efficiently with email.
      • How quickly are messages picked up?
      • Are they manually transferred to a ticket or does the service desk tool automatically create a ticket?

    The two most traditional and fastest methods to get help must deal with emergencies and escalation effectively.

    • Phone should be the fastest way to get help for emergencies.
      • Are enough agents answering calls?
      • Are voicemails picked up on time?
      • Are the automated call routing prompts clear and concise?
    • Are walk-ins permitted and formalized?
      • Do you always have someone at the desk?
      • Is your equipment secure?
      • Are walk-ins common because no one picks up the phone or is the traffic as you’d expect?

    Ensure technicians create tickets for all incidents and requests

    Why Collect Ticket Data?

    If many tickets are missing, help service support staff understand the need to collect the data. Reports will be inaccurate and meaningless if quality data isn’t entered into the ticketing system.

    Image shows example of ticket data

    Set ticket handling expectations to drive a consistent process

    Set expectations:

    • Create and update tickets, but not at the expense of good customer service. Agents can start the ticket but shouldn’t spend five minutes creating the ticket when they should be troubleshooting the problem.
    • Update the ticket when the issue is resolved or needs to be escalated. If agents are escalating, they should make sure all relevant information is passed along to the next technician.
    • Update user of ETA if issue cannot be resolved quickly.
    • Ticket templates for common incidents can lead to fast creation, data input, and categorizations. Templates can reduce the time it takes to create tickets from two minutes to 30 seconds.
    • Update categories to reflect the actual issue and resolution.
    • Reference or link to the knowledgebase article as the documented steps taken to resolve the incident.
    • Validate incident is resolved with client; automate this process with ticket closure after a certain time.
    • Close or resolve the ticket on time.

    Use the Ticket and Call Quality Assessment Tool to improve the quality of service desk data

    Build a process to check-in on ticket and call quality monthly

    Better data leads to better decisions. Use the Ticket and Call Quality Assessment Toolto check-in on the ticket and call quality monthly for each technician and improve service desk data quality.

    1. Fill tab 1 with technician’s name.
    2. Use either tab 2 (auto-scoring) or tab 3 (manual scoring) to score the agent. The assessment includes ticket evaluation, call evaluation, and overall metric.
    3. Record the results of each review in the score summary of tab 1.
    Image shows tool.

    Use ticket templates to make ticket creation, updating, and resolution more efficient

    A screenshot of the Ticket and Call Quality Assessment Tool

    Implement measures to improve ticket handling and identify ticket template candidates

    1.4.1 Identify opportunities to automate ticket creation

    1. Poll the team and discuss.
      • How many members of the team are not creating tickets? Why?
      • How can we address those barriers?
      • What are the expectations of management?
    2. Brainstorm five to ten good candidates for ticket templates.
      • What data can auto-fill?
      • What will help process the ticket faster?
      • What automations can we build to ensure a fast, consistent service?
      • Note:
        • Ticket template name
        • Information that will auto-fill from AD and other applications
        • Categories and resolution codes
        • Automated routing and email responses
    3. Document ticket template candidates in the Service Desk Roadmap to capture the actions.

    Participants

    • Service Desk Manager
    • Service Desk Agents

    What You'll Needs

    • Flip Chart
    • Whiteboard

    Phase 2

    Design Incident Management Processes

    Step 2.1: Build incident management workflows

    Image shows the steps in phase 2. Highlight is on step 2.1.

    This step will walk you through the following activities:

    • 2.1.1 Review incident management challenges
    • 2.1.2 Define the incident management workflow
    • 2.1.3 Define the critical incident management workflow
    • 2.1.4 Design critical incident communication plan

    This step involves the following participants:

    • IT Managers
    • Service Desk Manager(s)
    • Representation from tier 2 and tier 3 specialists

    Outcomes

    Workflows for incident management and critical incident management will improve the consistency and quality of service delivery and prepare the service desk to negotiate reliable service levels with the organization.

    DELIVERABLES

    • Incident management workflows
    • Critical incident management workflows
    • Critical incident communication plan

    Communicate the great incident resolution work that you do to improve end-user satisfaction

    End users think more highly of IT after the organization has corrected a problem with their service than they would have had the service not been faulty in the first place.

    Image displays a graph to show the service recovery paradox

    Info-Tech Insight

    Use the service recovery paradox to your advantage. Address service desk challenges explicitly, develop incident management processes that get services back online quickly, and communicate the changes.

    If you show that the service desk recovered well from the challenges end users raised, you will get greater loyalty from them.

    Assign incident roles and responsibilities to promote accountability

    The role of an incident coordinator or manager can be assigned to anyone inside the service desk that has a strong knowledge of incident resolution, attention to detail, and knows how to herd cats.

    In organizations with high ticket volumes, a separate role may be necessary.

    Everyone must recognize that incident management is a cross-IT organization process and it does not have to be a unique service desk process.

    An incident coordinator is responsible for:

    • Improving incident management processes.
    • Tracking metrics and producing reports.
    • Developing and maintaining the incident management system.
    • Developing and maintaining critical incident processes.
    • Ensuring the service support team follows the incident management process.
    • Gathering post-mortem information from the various technical resources on root cause for critical or severity 1 incidents.

    The Director of IT Services invested in incident management to improve responsiveness and set end-user expectations

    Practitioner Insight

    Ben Rodrigues developed a progressive plan to create a responsive, service-oriented culture for the service support organization.

    "When I joined the organization, there wasn’t a service desk. People just phoned, emailed, maybe left [sticky] notes for who they thought in IT would resolve it. There wasn’t a lot of investment in developing clear processes. It was ‘Let’s call somebody in IT.’

    I set up the service desk to clarify what we would do for end users and to establish some SLAs.

    I didn’t commit to service levels right away. I needed to see how many resources and what skill sets I would need. I started by drafting some SLA targets and plugging them into our tracking application. I then monitored how we did on certain things and established if we needed other skill sets. Then I communicated those SOPs to the business, so that ‘if you have an issue, this is where you go, and this is how you do it,’ and then shared those KPIs with them.

    I had monthly meetings with different function heads to say, ‘this is what I see your guys calling me about,’ and we worked on something together to make some of the pain disappear."

    -Ben Rodrigues

    Director, IT Services

    Gamma Dynacare

    Sketch out incident management challenges to focus improvements

    Common Incident Management Challenges

    End Users

    • No faith in the service desk beyond speaking with their favorite technician.
    • No expectations for response or resolution time.
    • Non-IT staff are disrupted as people ask their colleagues for IT advice.

    Technicians

    • No one manages and escalates incidents.
    • Incidents are unnecessarily urgent and more likely to have a greater impact.
    • Agents are flooded with requests to do routine tasks during desk visits.
    • Specialist support staff are subject to constant interruptions.
    • Tickets are lost, incomplete, or escalated incorrectly.
    • Incidents are resolved from scratch rather than referring to existing solutions.

    Managers

    • Tickets are incomplete or lack historical information to address complaints.
    • Tickets in system don’t match the perceived workload.
    • Unable to gather data for budgeting or business analysis.

    Info-Tech Insight

    Consistent incident management processes will improve end-user satisfaction with all other IT services.

    However, be prepared to overcome these common obstacles as you put the process in place, including:

    • Absence of management or staff commitment.
    • Lack of clarity on organizational needs.
    • Outdated work practices.
    • Poorly defined service desk goals and responsibilities.
    • Lack of a reliable knowledgebase.
    • Inadequate training.
    • Resistance to change.

    Prepare to implement or improve incident management

    2.1.1 Review incident management challenges and metrics

    1. Review your incident management challenges and the benefits of addressing them.
    2. Review the level of service you are providing with the current resources. Define clear goals and deliverables for the improvement initiative.
    3. Decide how the incident management process will interface with the service desk. Who will take on the responsibility for resolving incidents? Specifically, who will:
      • Log incidents.
      • Perform initial incident troubleshooting.
      • Own and monitor tickets.
      • Communicate with end users.
      • Update records with the resolution.
      • Close incidents.
      • Implement next steps (e.g. initiate problem management).
    4. Document recommendations and the incident management process requirements in the Service Desk SOP.

    Participants

    • Service Desk Manager
    • Service Desk Agents

    What You’ll Need

    • Service Desk SOP
    • Flip Chart
    • Whiteboard

    Distinguish between different kinds of tickets for better SLAs

    Different ticket types are associated with radically different prioritization, routing, and service levels. For instance, most incidents are resolved within a business day, but requests take longer to implement.

    If you fail to distinguish between ticket types, your metrics will obscure service desk performance.

    Common Service Desk Tickets

    • Incidents
      • An unanticipated interruption of a service.
        • The goal of incident management is to restore the service as soon as possible, even if the resolution involves a workaround.
    • Problems
      • The root cause of several incidents.
        • The goal of problem management is to detect the root cause and provide long-term resolution and prevention.
    • Requests
      • A generic description for small changes or service access
        • Requests are small, frequent, and low risk. They are best handled by a process distinct from incident, change, and project management.
    • Changes
      • Modification or removal of anything that could influence IT services.
        • The scope includes significant changes to architectures, processes, tools, metrics, and documentation.

    Info-Tech Insight

    Organizations sometimes mistakenly classify small projects as service requests, which can compromise your data, resulting in a negative impact to the perceived value of the service desk.

    Separate incidents and service requests for increased customer service and better-defined SLAs

    Defining the differences between service requests and incidents is not just for reporting purposes. It also has a major impact on how service is delivered.

    Incidents are unexpected disruptions to normal business processes and require attempts to restore services as soon as possible (e.g. the printer is not working).

    Service requests are tasks that don’t involve something that is broken or has an immediate impact on services. They do not require immediate resolution and can typically be scheduled (e.g. new software).

    Image shows a chart on incidents and service requests.

    Focus on the big picture first to capture and streamline how your organization resolves incidents

    Image displays a flow chart to show how to organize resolving incidents.

    Document your incident management workflow to identify opportunities for improvement

    Image shows a flow cart on how to organize incident management.

    Workflow should include:

    • Ticket creation and closure
    • Triage
    • Troubleshooting
    • Escalations
    • Communications
    • Change management
    • Documentation
    • Vendor escalations

    Notes:

    • Notification and alerts should be used to set or reset expectations on delivery or resolution
    • Identify all the steps where a customer is informed and ensure we are not over or under communicating

    Collaborate to define each step of the incident management workflow

    2.1.2 Define the incident management workflow

    Estimated Time: 60 minutes

    Option 1: Whiteboard

    1. Discuss the workflow and draw it on the whiteboard.
    2. Assess whether you are using the best workflow. Modify it if necessary.
    3. Engage the team in refining the process workflow.
    4. Transfer data to Visio and add to the SOP.

    Option 2: Tabletop Exercise

    1. Distribute index cards to each member of the team.
    2. Have each person write a single task they perform on the index card. Be granular. Include the title or the name of the person responsible.
    3. Mark cards that are decision points. Use a card of a different color or use a marker to make a colored dot.
    4. Arrange the index cards in order, removing duplicates.
    5. Assess whether you are using the best workflow. Engage the team to refine it if necessary.
    6. Transfer data to Visio and add to the Service Desk SOP.

    Participants

    • Service Manager
    • Service Desk Support
    • Applications or Infrastructure Support

    What You’ll Need

    • Flip Chart Paper
    • Sticky Notes
    • Pens
    • Service Desk SOP
    • Project Summary

    Formalize the process for critical incident management to reduce organizational impact

    Discuss these elements to see how the organization will handle them.

    • Communication plan:
      • Who communicates with end users?
      • Who communicates with the executive team?
    • It’s important to separate the role of the technician trying to solve a problem with the need to communicate progress.
    • Change management:
    • Define a separate process for regular and emergency change management to ensure changes are timely and appropriate.
    • Business continuity plan:
    • Identify criteria to decide when a business continuity plan (BCP) must be implemented during a critical incident to minimize the business impact of the incident.
    • Post-mortems:
    • Formalize the process of discussing and documenting lessons learned, understanding outstanding issues, and addressing the root cause of incidents.
    • Source of incident notification:
    • Does the process change if users notify the service desk of an issue or if the systems management tools alert technicians?

    Critical incidents are high-impact, high-urgency events that put the effectiveness and timeliness of the service desk center stage.

    Build a workflow that focuses on quickly bringing together the right people to resolve the incident and reduces the chances of recurrence.

    Document your critical incident management workflow to identify opportunities for improvement

    Image shows a flow cart on how to organize critical incident management.

    Workflow should include:

    • Ticket creation and closure
    • Triage
    • Troubleshooting
    • Escalations
    • Communications plan
    • Change management
    • Disaster recovery or business continuity plan
    • Documentation
    • Vendor escalations
    • Post-mortem

    Collaborate to define each step of the critical incident management workflow

    2.1.3 Define the critical incident management workflow

    Estimated Time: 60 minutes

    Option 1: Whiteboard

    1. Discuss the workflow and draw it on the whiteboard.
    2. Assess whether you are using the best workflow. Modify it if necessary.
    3. Engage the team in refining the process workflow.
    4. Transfer data to Visio and add to the SOP.

    Option 2: Tabletop Exercise

    1. Distribute index cards to each member of the team.
    2. Have each person write a single task they perform on the index card. Be granular. Include the title or the name of the person responsible.
    3. Mark cards that are decision points. Use a card of a different color or use a marker to make a colored dot.
    4. Arrange the index cards in order, removing duplicates.
    5. Assess whether you are using the best workflow. Engage the team to refine it if necessary.
    6. Transfer data to Visio and add to the Service Desk SOP.

    Participants

    • Service Manager
    • Service Desk Support
    • Applications or Infrastructure Support

    What You’ll Need

    • Flip Chart Paper
    • Sticky Notes
    • Pens
    • Service Desk SOP

    Establish a critical incident management communication plan

    When it comes to communicating during major incidents, it’s important to get the information just right. Users don’t want too little, they don’t want too much, they just want what’s relevant to them, and they want that information at the right time.

    As an IT professional, you may not have a background in communications, but it becomes an important part of your job. Broad guidelines for good communication during a critical incident are:

    1. Communicate as broadly as the impact of your incident requires.
    2. Communicate as much detail as a specific audience requires, but no more than necessary.
    3. Communicate as far ahead of impact as possible.

    Why does communication matter?

    Sending the wrong message, at the wrong time, to the wrong stakeholders, can result in:

    • Drop in customer satisfaction.
    • Wasted time and resources from multiple customers contacting you with the same issue.
    • Dissatisfied executives kept in the dark.
    • Increased resolution time if the relevant providers and IT staff are not informed soon enough to help.

    Info-Tech Insight

    End users understand that sometimes things break. What’s important to them is that (1) you don’t repeatedly have the same problem, (2) you keep them informed, and (3) you give them enough notice when their systems will be impacted and when service will be returned.

    Automate communication to save time and deliver consistent messaging to the right stakeholders

    In the middle of resolving a critical incident, the last thing you have time for is worrying about crafting a good message. Create a series of templates to save time by providing automated, tailored messages for each stage of the process that can be quickly altered and sent out to the right stakeholders.

    Once templates are in place, when the incident occurs, it’s simply a matter of:

    1. Choosing the relevant template.
    2. Updating recipients and messaging if necessary.
    3. Adding specific, relevant data and fields.
    4. Sending the message.

    When to communicate?

    Tell users the information they need to know when they need to know it. If a user is directly impacted, tell them that. If the incident does not directly affect the user, the communication may lead to decreased customer satisfaction or failure to pay attention to future relevant messaging.

    What to say?

    • Keep messaging short and to the point.
    • Only say what you know for sure.
    • Provide only the details the audience needs to know to take any necessary action or steps on their side and no more. There’s no need to provide details on the reason for the failure before it’s resolved, though this can be done after resolution and restoration of service.

    You’ll need distinct messages for distinct audiences. For example:

    • To incident resolvers: “Servers X through Y in ABC Location are failing intermittently. Please test the servers and all the connections to determine the exact cause so we can take corrective action ASAP.”
    • To the IT department head: “Servers X through Y in ABC Location are failing intermittently. We are beginning tests. We will let you know when we have determined the exact cause and can give you an estimated completion time.”
    • To executives: “We’re having an issue with some servers at ABC Location. We are testing to determine the cause and will let you know the estimated completion time as soon as possible.”
    • To end users: “We are experience some service issues. We are working on a resolution diligently and will restore service as soon as possible.”

    Map out who will need to be contacted in the event of a critical incident

    2.1.4 Design the critical incident communication plan

    • Identify critical incidents that require communication.
    • Identify stakeholders who will need to be informed about each incident.
    • For each audience, determine:
      1. Frequency of communication
      2. Content of communication
    Use the sample template to the right as an example.

    Some questions to assist you:

    • Whose work will be interrupted, either by their services going down or by their workers having to drop everything to solve the incident?
    • What would happen if we didn’t notify this person?
    • What level of detail do they need?
    • How often would they want to be updated?
    Document outcomes in the Service Desk SOP. Image shows template of unplanned service outage.

    Measure and improve customer satisfaction with the use of relationship and transactional surveys

    Customer experience programs with a combination of relationship and transactional surveys tend to be more effective. Merging the two will give a wholistic picture of the customer experience.

    Relationship Surveys

    Relationship surveys focus on obtaining feedback on the overall customer experience.

    • Inform how well you are doing or where you need improvement in the broad services provided.
    • Provide a high-level perspective on the relationship between the business and IT.
    • Help with strategic improvement decisions.
    • Should be sent over a duration of time and to the entire customer base after they’ve had time to experience all the services provided by the service desk. This can be done as frequently as per quarter or on a yearly basis.
    • E.g. An annual satisfaction survey such as Info-Tech’s End User Satisfaction Diagnostic.

    Transactional Surveys

    Transactional surveys are tied to a specific interaction or transaction your end users have with a specific product or service.

    • Help with tactical improvement decisions.
    • Questions should point to a specific interaction.
    • Usually only a few questions that are quick and easy to complete following the transaction.
    • Since transactional surveys allow you to improve individual relationships, they should be sent shortly after the interaction with the service desk has occurred.
    • E.g. How satisfied are you with the way your ticket was resolved?

    Add transactional end-user surveys at ticket close to escalate unsatisfactory results

    A simple quantitative survey at the closing of a ticket can inform the service desk manager of any issues that were not resolved to the end user’s satisfaction. Take advantage of workflows to escalate poor results immediately for quick follow-up.

    Image shows example of survey question with rating.

    If a more complex survey is required, you may wish to include some of these questions:

    Please rate your overall satisfaction with the way your issue was handled (1=unsatisfactory, 5=fantastic)

    • The professionalism of the analyst.
    • The technical skills or knowledge of the analyst.
    • The timeliness of the service provided.
    • The overall service experience.

    Add an open-ended, qualitative question to put the number in context, and solicit critical feedback:

    What could the service desk have done to improve your experience?

    Define a process to respond to both negative and positive feedback

    Successful customer satisfaction programs respond effectively to both positive and negative outcomes. Late or lack of responses to negative comments may increase customer frustration, while not responding at all to the positive comments may give the perception of indifference. If customers are taking the time to fill out the survey, good or bad, they should be followed up with

    Take these steps to handle survey feedback:

    1. Assign resources to receive, read, and track responses. The entire team doesn’t need to receive every response, while a single resource may not have capacity to respond in a timely manner. Decide what makes the most sense in your environment.
    2. Respond to negative feedback: It may not be possible to respond to every customer that fills out a survey. Set guidelines for responding to negative surveys with no details on the issue; don’t spend time guessing why they were upset, simply ask the user why they were unsatisfied. The critical piece of taking advantage of the service recovery paradox is in the follow-up to the customer.
    3. Investigate and improve: Make sure you investigate the issue to ensure that it is a justified complaint or whether the issue is a symptom of another issue’s root cause. Identify remediation steps to ensure the issue does not repeat itself, and then communicate to the customer the action you have taken to improve.
    4. Act on positive feedback as well: If it’s easy for customers to provide feedback, then make room in your process for handling the positive results. Appreciate the time and effort your customers take to give kudos and use it as a tool to build a long-term relationship with that user. Saying thank you goes a long way and when customers know their time matters, they will be encouraged to fill out those surveys. This is also a good way to show what a great job the service desk team did with the interaction.

    Analyze survey feedback month over month to complement and justify metric results already in place

    When you combine the tracking and analysis of relationship and transactional survey data you will be able to dive into specific issues, identify trends and patterns, assess impact to users, and build a plan to make improvements.

    Once the survey data is centralized, categorized, and available you can start to focus on metrics. At a minimum, for transactional surveys, consider tracking:

    • Breakdown of satisfaction scores with trends over time
    • Unsatisfactory surveys that are related to incidents and service requests
    • Total surveys that have been actioned vs pending

    For relationship surveys, consider tracking:

    • Satisfaction scores by department and seniority level
    • Satisfaction with IT services, applications, and communication
    • Satisfaction with IT’s business enablement

    Scores of overall satisfaction with IT

    Image Source: Info-Tech End User Satisfaction Report

    Prioritize company-wide improvement initiatives by those that have the biggest impact to the entire customer base first and then communicate the plan to the organization using a variety of communication channels that will draw your customers in, e.g. dashboards, newsletters, email alerts.

    Info-Tech Insight

    Consider automating or using your ITSM notification system as a direct communication method to inform the service desk manager of negative survey results.

    Step 2.2: Design ticket categorization

    Image shows the steps in phase 2. Highlight is on step 2.2

    This step will walk you through the following activities:

    • 2.2.1 Assess ticket categorization
    • 2.2.2 Enhance ticket categories with resolution and status codes

    This step involves the following participants:

    • IT Managers
    • Service Desk Manager(s)
    • Representation from tier 2 and tier 3 specialists

    Outcomes

    The reviewed ticket categorization scheme will be easier to use and deploy more consistently, which will improve the categorization of data and the reliability of reports.

    DELIVERABLES

    • Optimized ticket categorization

    Design a ticket classification scheme to produce useful reports

    Reliable reports depend on an effective categorization scheme.

    Too many options cause confusion; too few options provide little value. As you build the classification scheme over the next few slides, let call routing and reporting requirements be your guide.

    Effective classification schemes are concise, easy to use correctly, and easy to maintain.

    Image shows example of a ticket classification scheme.

    Keep these guidelines in mind:

    • A good categorization scheme is exhaustive and mutually exclusive: there’s a place for every ticket and every ticket fits in only one place.
    • As you build your classification scheme, ensure the categories describe the actual asset or service involved based on final resolution, not how it was reported initially.
    • Pre-populate ticket templates with relevant categories to dramatically improve reporting and routing accuracy.
    • Use a tiered system to make the categories easier to navigate. Three tiers with 6-8 categories per tier provides up to 512 sub-categories, which should be enough for the most ambitious team.
    • Track only what you will use for reporting purposes. If you don’t need a report on individual kinds of laptops, don’t create a category beyond “laptops.”
    • Avoid “miscellaneous” categories. A large portion of your tickets will eventually end up there.

    Info-Tech Insight

    Don’t do it alone! Collaborate with managers in the specialized IT groups responsible for root-cause analysis to develop a categorization scheme that makes sense for them.

    The first approach to categorization breaks down the IT portfolio into asset types

    WHY SHOULD I START WITH ASSETS?

    Start with asset types if asset management and configuration management processes figure prominently in your practice or on your service management implementation roadmap.

    Image displays example of asset types and how to categorize them.

    Building the Categories

    Ask these questions:

    • Type: What kind of asset am I working on?
    • Category: What general asset group am I working on?
    • Subcategory: What particular asset am I working on?

    Need to make quick progress? Use Info-Tech Research Group’s Service Desk Ticket Categorization Schemes template.

    Info-Tech Insight

    Think about how you will use the data to determine which components need to be included in reports. If components won’t be used for reporting, routing, or warranty, reporting down to the component level adds little value.

    The second approach to categorization breaks down the IT portfolio into types of services

    WHY SHOULD I START WITH SERVICES?

    Start with asset services if service management generally figures prominently in your practice, especially service catalog management.

    Image displays example of service types and how to categorize them.

    Building the Categories

    Ask these questions:

    • Type: What kind of service am I working on?
    • Category: What general service group am I working on?
    • Subcategory: What particular service am I working on?

    Need to make quick progress? Use Info-Tech Research Group’s Service Desk Ticket Categorization Schemes template.

    Info-Tech Insight

    Remember, ticket categories are not your only source of reports. Enhance the classification scheme with resolution and status codes for more granular reporting.

    Improve the categorization scheme to enhance routing and reporting

    2.2.1 Assess whether the service desk can improve its ticket categorization

    1. As a group, review existing categories, looking for duplicates and designations that won’t affect ticket routing. Reconcile duplicates and remove non-essential categories.
    2. As a group, re-do the categories, ensuring that the new categorization scheme will meet the reporting requirements outlined earlier.
      • Are categories exhaustive and mutually exclusive?
      • Is the tier simple and easy to use (i.e. 3 tiers x 8 categories)?
    3. Test against recent tickets to ensure you have the right categories.
    4. Record the ticket categorization scheme in the Service Desk Ticket Categorization Schemes template.

    A screenshot of the Service Desk Ticket Categorization Schemes template.

    Participants

    • Service Desk Manager
    • Service Desk Agents

    What You’ll Need

    • Flip Chart
    • Whiteboard
    • Service Desk Ticket Categorization Scheme

    Enhance the classification scheme with resolution and status codes for more granular reporting

    Resolution codes differ from detailed resolution notes.

    • A resolution code is a field within the ticketing system that should be updated at ticket close to categorize the primary way the ticket was resolved.
    • This is important for reporting purposes as it adds another level to the categorization scheme and can help you identify knowledgebase article candidates, training needs, or problems.

    Ticket statuses are a helpful field for both IT and end users to identify the current status of the ticket and to initiate workflows.

    • The most common statuses are open, pending/in progress, resolved, and closed (note the difference between resolved and closed).
    • Waiting on user or waiting on vendor are also helpful statuses to stop the clock when awaiting further information or input.

    Common Examples:

    Resolution Codes

    • How to/training
    • Configuration change
    • Upgrade
    • Installation
    • Data import/export/change
    • Information/research
    • Reboot

    Status Fields

    • Declined
    • Open
    • Closed
    • Waiting on user
    • Waiting on vendor
    • Reopened by user

    Identify and document resolution and status codes

    2.2.2 Enhance ticket categories with resolution codes

    Discuss:

    • How can we use resolution information to enhance reporting?
    • Are current status fields telling the right story?
    • Are there other requirements like project linking?

    Draft:

    1. Write out proposed resolution codes and status fields and critically assess their value.
    2. Resolutions can be further broken down by incident and service request if desired.
    3. Test resolution codes against a few recent tickets.
    4. Record the ticket categorization scheme in the Service Desk SOP.

    Participants

    • CIO
    • Service Desk Manager
    • Service Desk Technician(s)

    What You’ll Need

    • Whiteboard or Flip Chart
    • Markers

    Step 2.3: Design incident escalation and prioritization

    Image shows the steps in phase 2. Highlight is on step 2.3.

    This step will walk you through the following activities:

    • 2.3.1 Build a small number of rules to facilitate prioritization
    • 2.3.2 Define escalation rules
    • 2.3.3 Define automated escalations
    • 2.3.4 Provide guidance to each tier around escalation steps and times

    This step involves the following participants:

    • IT Managers
    • Service Desk Manager(s)
    • Representation from tier 2 and tier 3 specialists

    Outcomes

    The reviewed ticket escalation and prioritization will streamline queue management, improve the quality of escalations, and ensure agents work on the right tickets at the right time.

    DELIVERABLES

    • Optimized ticket prioritization scheme
    • Guidelines for ticket escalations
    • List of automatic escalations

    Build a ticket prioritization matrix to make escalation assessment less subjective

    Most IT leaders agree that prioritization is one of the most difficult aspects of IT in general. Set priorities based on business needs first.

    Mission-critical systems or problems that affect many people should always come first (i.e. Severity Level 1).

    The bulk of reported problems, however, are often individual problems with desktop PCs (i.e. Severity Level 3 or 4).

    Some questions to consider when deciding on problem severity include:

    • How is productivity affected?
    • How many users are affected?
    • How many systems are affected?
    • How critical are the affected systems to the organization?

    Decide how many severity levels the organization needs the service desk to have. Four levels of severity are ideal for most organizations.

    Image shows example ticket prioritization matrix

    Collect the ticket prioritization scheme in one diagram to ensure service support aligns to business requirements

    Image shows example ticket prioritization matrix

    Prioritize incidents based on severity and urgency to foreground critical issues

    2.3.1 Build a clearly defined priority scheme

    Estimated Time: 60 minutes

    1. Decide how many levels of severity are appropriate for your organization.
    2. Build a prioritization matrix, breaking down priority levels by impact and urgency.
    3. Build out the definitions of impact and urgency to complete the prioritization matrix.
    4. Run through examples of each priority level to make sure everyone is on the same page.

    Image shows example ticket prioritization matrix

    Document in the SOP

    Participants

    • Service Managers
    • Service Desk Support
    • Applications or Infrastructure Support

    What You'll Need

    • Flip Chart Paper
    • Sticky Notes
    • Pens
    • Service Desk SOP

    Example of outcome from 2.3.1

    Define response and resolution targets for each priority level to establish service-level objectives for service support

    Image shows example of response and resolution targets.

    Build clear rules to help agents determine when to escalate

    2.3.2 Assign response, resolution, and escalation times to each priority level

    Estimated Time: 60 minutes

    Instructions:

    For each incident priority level, define the associated:

    1. Response time – time from when incident record is created to the time the service desk acknowledges to the customer that their ticket has been received and assigned.
    2. Resolution time – time from when the incident record is created to the time that the customer has been advised that their problem has been resolved.
    3. Escalation time – maximum amount of time that a ticket should be worked on without progress before being escalated to someone else.

    Participants

    • Service Managers
    • Service Desk Support
    • Applications or Infrastructure Support

    What You'll Need

    • Flip Chart Paper
    • Sticky Notes
    • Pens

    Image shows example of response and resolution targets

    Use the table on the previous slide as a guide.

    Discuss the possible root causes for escalation issues

    WHY IS ESCALATION IMPORTANT?

    Escalation is not about admitting defeat, but about using your resources properly.

    Defining procedures for escalation reduces the amount of time the service desk spends troubleshooting before allocating the incident to a higher service tier. This reduces the mean time to resolve and increases end-user satisfaction.

    You can correlate escalation paths to ticket categories devised in step 2.2.

    Image shows example on potential root causes for escalation issues.

    Build decision rights to help agents determine when to escalate

    2.3.3 Provide guidance to each tier around escalation steps and times

    Estimated Time: 60 minutes

    Instructions

    1. For each support tier, define escalation rules for troubleshooting (steps that each tier should take before escalation).
    2. For each support tier, define maximum escalation times (maximum amount of time to work on a ticket without progress before escalating).
    Example of outcome from step 2.3.3 to determine when to escalate issues.

    Create a list of application specialists to get the escalation right the first time

    2.3.4 Define automated escalations

    Estimated Time: 60 minutes

    1. Identify applications that will require specialists for troubleshooting or access rights.
    2. Identify primary and secondary specialists for each application.
    3. Identify vendors that will receive escalations either immediately or after troubleshooting.
    4. Set up application groups in the service desk tool.
    5. Set up workflows in the service desk tool where appropriate.
    6. Document the automated escalations in the categorization scheme developed in step 2.2 and in the Service Desk Roles and Responsibilities Guide.

    A screenshot of the Service Desk Roles and Responsibilities Guide

    Participants

    • Service Managers
    • Service Desk Support
    • Applications or Infrastructure Support

    What You'll Need

    • Flip Chart Paper
    • Sticky Notes
    • Pens

    Phase 3

    Design Request Fulfilment Processes

    Step 3.1: Build request workflows

    Image shows the steps in phase 3. Highlight is on step 3.1.

    This step will walk you through the following activities:

    • 3.1.1 Distinguish between requests and small projects
    • 3.1.2 Define service requests with SLAs
    • 3.1.3 Build and critique request workflows

    This step involves the following participants:

    • IT Managers
    • Service Desk Manager(s)
    • Representation from tier 2 and tier 3 specialists

    Outcomes

    Workflows for service requests will improve the consistency and quality of service delivery and prepare the service desk to negotiate reliable service levels with the organization.

    DELIVERABLES

    • Workflows for the most common service requests
    • An estimated service level for each service request
    • Request vs. project criteria

    Standardize service requests for more efficient delivery

    Definitions:

    • An incident is an unexpected disruption to normal business processes and requires attempts to restore service as soon as possible (e.g. printer not working).
    • A service request is a request where nothing is broken or impacting a service and typically can be scheduled rather than requiring immediate resolution (e.g. new software application).
    • Service requests are repeatable, predictable, and easier to commit to SLAs.
    • By committing to SLAs, expectations can be set for users and business units for service fulfillment.
    • Workflows for service requests should be documented and reviewed to ensure consistency of fulfillment.
    • Documentation should be created for service request procedures that are complex.
    • Efficiencies can be created through automation such as with software deployment.
    • All service requests can be communicated through a self-service portal or service catalog.

    PREPARE A FUTURE SERVICE CATALOG

    Standardize requests to develop a consistent offering and prepare for a future service catalog.

    Document service requests to identify time to fulfill and approvals.

    Identify which service requests can be auto-approved and which will require a workflow to gain approval.

    Document workflows and analyze them to identify ways to improve SLAs. If any approvals are interrupting technical processes, rearrange them so that approvals happen before the technical team is involved.

    Determine support levels for each service offering and ensure your team can sustain them.

    Where it makes sense, automate delivery of services such as software deployment.

    Distinguish between service requests and small projects to ensure agents and end users follow the right process

    The distinction between service requests and small projects has two use cases, which are two sides of the same resourcing issue.

    • Service desk managers need to understand the difference to ensure the right approval process is followed. Typically, projects have more stringent intake requirements than requests do.
    • PMOs need to understand the difference to ensure the right people are doing the work and that small, frequent changes are standardized, automated, and taken out of the project list.

    What’s the difference between a service request and a small project?

    • The key differences involve resource scope, frequency, and risk.
    • Requests are likely to require fewer resources than projects, be fulfilled more often, and involve less risk.
    • Requests are typically done by tier 1 and 2 employees throughout the IT organization.
    • A request can turn into a small project if the scope of the request grows beyond the bounds of a normal request.

    Example: A mid-sized organization goes on a hiring blitz and needs to onboard 150 new employees in one quarter. Submitting and scheduling 150 requests for onboarding new employees would require much more time and resources.

    Projects are different from service requests and have different criteria

    A project, by terminology, is a temporary endeavor planned around producing a specific organizational or business outcome.

    Common Characteristics of Projects:

    • Time sensitive, temporary, one-off.
    • Uncertainty around how to create the unique thing, product, or service that is the project’s goal.
    • Non-repetitive work and sizeable enough to introduce heightened risk and complexity.
    • Strategic focus, business case-informed capital funding, and execution activities driven by a charter.
    • Introduces change to the organization.
    • Multiple stakeholders involved and cross-functional resourcing.

    Info-Tech Insight

    Projects require greater risk, effort, and resources than a service request and should be redirected to the PMO.

    Standard service requests vs. non-standard service requests: criteria to make them distinct

    • If there is no differentiation between standard and non-standard requests, those tickets can easily move into the backlog, growing it very quickly.
    • Create a process to easily identify non-standard requests when they enter the ticket queue to ensure customers are made aware of any delay of service, especially if it is a product or service currently not offered. This will give time for any approvals or technical solutioning that may need to occur.
    • Take recurring non-standard requests and make them standard. This is a good way to determine if there are any gaps in services offered and another vehicle to understand what your customers want.

    Standard Requests

    • Very common requests, delivered on an on-going basis
    • Defined process
    • Measured in hours or days
    • Uses service catalog, if it exists
    • Formalized and should already be documented
    • The time to deal with the request is defined

    Non-Standard Requests

    • Higher level complexity than standard requests
    • Cannot be fulfilled via service catalog
    • No defined process
    • Not supplied by questions that Service Request Definition (SRD) offers
    • Product or service is not currently offered, and it may need time for technical review, additional approvals, and procurement processes

    The right questions can help you distinguish between standard requests, non-standard requests, and projects

    Where do we draw the line between a standard and non-standard request and a project?

    The service desk can’t and shouldn’t distinguish between requests and projects on its own. Instead, engage stakeholders to determine where to draw the line.

    Whatever criteria you choose, define them carefully.

    Be pragmatic: there is no single best set of criteria and no single best definition for each criterion. The best criteria and definitions will be the ones that work in your organizational context.

    Common distinguishing factors and thresholds:

    Image shows table of the common distinguishing factors and thresholds.

    Distinguish between standard and non-standard service requests and projects

    3.1.1 Distinguish between service requests and projects

    1. Divide the group into two small teams.
    2. Each team will brainstorm examples of service requests and small projects.
    3. Identify factors and thresholds that distinguish between the two groups of items.
    4. Bring the two groups together and discuss the two sets of criteria.
    5. Consolidate one set of criteria that will help make the distinction between projects and service requests.
    6. Capture the table in the Service Desk SOP.

    Image shows blank template of the common distinguishing factors and thresholds.

    Participants

    • Service Desk Manager
    • Service Desk Agents

    What You'll Need

    • Service Desk SOP
    • Flip Chart
    • Whiteboard

    Distinguishing factors and thresholds

    Don’t standardize request fulfilment processes alone

    Everyone in IT contributes to the fulfilment of requests, but do they know it?

    New service desk managers sometimes try to standardize request fulfilment processes on their own only to encounter either apathy or significant resistance to change.

    Moving to a tiered generalist service desk with a service-oriented culture, a high first-tier generalist resolution rate, and collaborative T2 and T3 specialists can be a big change. It is critical to get the request workflows right.

    Don’t go it alone. Engage a core team of process champions from all service support. With executive support, the right process building exercises can help you overcome resistance to change.

    Consider running the process building activities in this project phase in a working session or a workshop setting.

    Info-Tech Insight

    If they build it, they will come. Service desk improvement is an exercise in organizational change that crosses IT disciplines. Organizations that fail to engage IT specialists from other silos often encounter resistance to change that jeopardizes the process improvements they are trying to make. Overcome resistance by highlighting how process changes will benefit different groups in IT and solicit the feedback of specialists who can affect or be affected by the changes.

    Define standard service requests with SLAs and workflows

    WHY DO I NEED WORKFLOWS?

    Move approvals out of technical IT processes to make them more efficient. Evaluate all service requests to see where auto-approvals make sense. Where approvals are required, use tools and workflows to manage the process.

    Example:

    Image is an example of SLAs and workflows.

    Approvals can be the main roadblock to fulfilling service requests

    Image is example of workflow approvals.

    Review the general standard service request and inquiry fulfillment processes

    As standard service requests should follow standard, repeatable, and predictable steps to fulfill, they can be documented with workflows.

    Image is a flow chart of service and inquiry request processes.

    Review the general standard service request and inquiry fulfillment processes

    Ensure there is a standard and predictable methodology for assessing non-standard requests; inevitably those requests may still cause delay in fulfillment.

    Create a process to ensure reasonable expectations of delivery can be set with the end user and then identify what technology requests should become part of the existing standard offerings.

    Image is a flowchart of non-standard request processes

    Document service requests to ensure consistent delivery and communicate requirements to users

    3.1.2 Define service requests with SLAs

    1. On a flip chart, list standard service requests.
    2. Identify time required to fulfill, including time to schedule resources.
    3. Identify approvals required; determine if approvals can be automated through defining roles.
    4. Discuss opportunities to reduce SLAs or automate, but recognize that this may not happen right away.
    5. Discuss plans to communicate SLAs to the business units, recognizing that some users may take a bit of time to adapt to the new SLAs.
    6. Work toward improving SLAs as new opportunities for process change occur.
    7. Document SLAs in the Service Desk SOP and update as SLAs change.
    8. Build templates in the service desk tool that encapsulate workflows and routing, SLAs, categorization, and resolution.

    Participants

    • Service Desk Managers
    • Service Desk Agents

    What You'll Need

    • Service Desk SOP
    • Flip Chart
    • Whiteboard

    Info-Tech Insight

    These should all be scheduled services. Anything that is requested as a rush needs to be marked as a higher urgency or priority to track end users who need training on the process.

    Analyze service request workflows to improve service delivery

    3.1.3 Build and critique request workflows

    1. Divide the group into small teams.
    2. Each team will choose one service request from the list created in the previous module and then draw the workflow. Include decision points and approvals.
    3. Discuss availability and technical support:
      • Can the service be fulfilled during regular business hours or 24x7?
      • Is technical support and application access available during regular business hours or 24x7?
    4. Reconvene and present workflows to the group.
    5. Document workflows in Visio and add to the Service Desk SOP. Where appropriate, enter workflows in the service desk tool.

    Critique workflows for efficiencies and effectiveness:

    • Do the workflows support the SLAs identified in the previous exercise?
    • Are the workflows efficient?
    • Is the IT staff consistently following the same workflow?
    • Are approvals appropriate? Is there too much bureaucracy or can some approvals be removed? Can they be preapproved?
    • Are approvals interrupting technical processes? If so, can they be moved?

    Participants

    • Service Desk Managers
    • Service Desk Agents

    What You'll Need

    • Service Desk SOP
    • Project Summary
    • Flip Chart
    • Whiteboard

    Step 3.2: Build a targeted knowledgebase

    Image shows the steps in phase 3. Highlight is on step 3.2.

    This step will walk you through the following activities:

    • 3.2.1 Design knowledge management processes
    • 3.2.2 Create actionable knowledgebase articles

    This step involves the following participants:

    • IT Managers
    • Service Desk Manager(s)
    • Representation from tier 2 and tier 3 specialists

    Outcomes

    The section will introduce service catalogs and get the organization to envision what self-service tools it might include.

    DELIVERABLES

    • Knowledgebase policy and process

    A knowledgebase is an essential tool in the service management toolbox

    Knowledge Management

    Gathering, analyzing, storing & sharing knowledge to reduce the need to rediscover known solutions.

    Knowledgebase

    Organized repository of IT best practices and knowledge gained from practical experiences.

    • End-User KB
    • Give end users a chance to resolve simple issues themselves without submitting a ticket.

    • Internal KB
    • Shared resource for service desk staff and managers to share and use knowledge.

    Use the knowledgebase to document:

    • Steps for pre-escalation troubleshooting.
    • Known errors.
    • Workarounds or solutions to recurring issues.
    • Solutions that require research or complex troubleshooting.
    • Incidents that have many root causes. Start with the most frequent solution and work toward less likely issues.

    Draw on organizational goals to define the knowledge transfer target state

    Image is Info-Tech’s Knowledge Transfer Maturity Model
    *Source: McLean & Company, 2013; N=120

    It’s better to start small than to have nothing at all

    Service desk teams are often overwhelmed by the idea of building and maintaining a comprehensive integrated knowledgebase that covers an extensive amount of information.

    Don’t let this idea stop you from building a knowledgebase! It takes time to build a comprehensive knowledgebase and you must start somewhere.

    Start with existing documentation or knowledge that depends on the expertise of only a few people and is easy to document and you will already see the benefits.

    Then continue to build and improve from there. Eventually, knowledge management will be a part of the culture.

    Engage the team to build a knowledgebase targeted on your most important incidents and requests

    WHERE DO I START?

    Inventory and consolidate existing documentation, then evaluate it for audience relevancy, accuracy, and usability. Use the exercise and the next slides to develop a knowledgebase template.

    Produce a plan to improve the knowledgebase.

    • Identify the current top five or ten incidents from the service desk reports and create related knowledgebase articles.
    • Evaluate for end-user self-service or technician resolution.
    • Note any resolutions that require access rights to servers.
    • Assign documentation creation tasks for the knowledgebase to individual team members each week.
    • Apply only one incident per article.
    • Set goals for each technician to submit one or two meaningful articles per month.
    • Assign a knowledge manager to monitor creation and edit and maintain the database.
    • Set policy to drive currency of the knowledgebase. See the Service Desk SOP for an example of a workable knowledge policy.

    Use a phased approach to build a knowledgebase

    Image is an example of a phased approach to build a knowledge base

    Use a quarterly, phased approach to continue to build and maintain your knowledgebase

    Continual Knowledgebase Maintenance:

    • Once a knowledgebase is in place, future articles should be written using established templates.
    • Articles should be regularly reviewed and monitored for usage. Outdated information will be retired and archived.
    • Ticket trend analysis should be done on an ongoing basis to identify new articles.
    • A proactive approach will anticipate upcoming issues based on planned upgrades and maintenance or other changes, and document resolution steps in knowledgebase articles ahead of time.

    Every Quarter:

    1. Conduct a ticket trend analysis. Identify the most important and common tickets.
    2. Review the knowledgebase to identify relevant articles that need to be revised or written.
    3. Use data from knowledge management tool to track expiring content and lesser used articles.
    4. Assign the task of writing articles to all IT staff members.
    5. Build and revise ticket templates for incident and service requests.

    Assign a knowledge manager role to ensure accountability for knowledgebase maintenance

    Assign a knowledge manager to monitor creation and edit and maintain database.

    Knowledge Manager/Owner Role:

    • Has overall responsibility for the knowledgebase.
    • Ensures content is consistent and maintains standards.
    • Regularly monitors and updates the list of issues that should be added to the knowledgebase.
    • Regularly reviews existing knowledgebase articles to ensure KB is up to date and flags content to retire or review.
    • Assigns content creation tasks.
    • Optimizes knowledgebase structure and organization.
    • See Info-Tech’s knowledge manager role description if you need a hand defining this position.

    The knowledge manager role will likely be a role assigned to an existing resource rather than a dedicated position.

    Develop a template to ensure knowledgebase articles are easy to read and write

    A screenshot of the Knowledgebase Article Template

    QUICK TIPS

    • Use non-technical language whenever possible to help less-technical readers.
    • Identify error messages and use screenshots where it makes sense.
    • Take advantage of social features like voting buttons to increase use.
    • Use Info-Tech’s Knowledge Base Article Template to get you started.

    Analyze the necessary features for your knowledgebase and compare them against existing tools

    Service desk knowledgebases range in complexity from simple FAQs to fully integrated software suites.

    Options include:

    • Article search with negative and positive filters.
    • Tagging, with the option to have keywords generate top matches.
    • Role-based permissions (to prevent unauthorized deletions).
    • Ability to turn a ticket resolution into a knowledgebase article (typically only available if knowledgebase tool is part of the service desk tool).
    • Natural language search.
    • Partitioning so relevant articles only appear for specific audiences.
    • Editorial workflow management.
    • Ability to set alerts for scheduled article review.
    • Article reporting (most viewed, was it useful?).
    • Rich text fields for attaching screenshots.

    Determine which features your organization needs and check to see if your tools have them.

    For more information on knowledgebase improvement, refer to Info-Tech’s Optimize the Service Desk With a Shift-Left Strategy.

    Document your knowledge management maintenance workflow to identify opportunities for improvement

    Workflow should include:

    • How you will identify top articles that need to be written
    • How you will ensure articles remain relevant
    • How you will assign new articles to be written, inclusive of peer review
    Image of flowchart of knowledgebase maintenance process.

    Design knowledgebase management processes

    3.2.1 Design knowledgebase management processes

    1. Assign a knowledge manager to monitor creation and edit and maintain the database. See Info-Tech’s knowledge manager role description if you need a hand defining this position.
    2. Discuss how you can use the service desk tool to integrate the knowledgebase with incident management, request fulfilment, and self-service processes.
    3. Discuss the suitability of a quarterly process to build and edit articles for a target knowledgebase that covers your most important incidents and requests.
    4. Set knowledgebase creation targets for tier 1, 2, and 3 analysts.
    5. Identify relevant performance metrics.
    6. Brainstorm elements that might be used as an incentive program to encourage the creation of knowledgebase articles and knowledge sharing more generally.
    7. Set policy to drive currency of knowledgebase. See the Service Desk SOP for an example of a workable knowledge policy.

    Participants

    • Service Desk Manager
    • Service Desk Agents

    What You’ll Need

    • Service Desk SOP
    • Flip Chart
    • Whiteboard

    Create actionable knowledgebase articles

    3.2.2 Run a knowledgebase working group

    Write and critique knowledgebase articles.

    1. On a whiteboard, build a list of potential knowledgebase articles divided by audience: Technician or End User.
    2. Each team member chooses one topic and spends 20 minutes writing.
    3. Each team member either reads the article and has the team critique or passes to the technician to the right for peer review. If there are many participants, break into smaller groups.
    4. Set a goal with the team for how, when, and how often knowledgebase articles will be created.
    5. Capture knowledgebase processes in the Service Desk SOP.

    Audience: Technician

    • Password update
    • VPN printing
    • Active directory – policy, procedures, naming conventions
    • Cell phones
    • VPN client and creation set-up

    Audience: End users

    • Set up email account
    • Password creation policy
    • Voicemail – access, change greeting, activities
    • Best practices for virus, malware, phishing attempts
    • Windows 10 tips and tricks

    Participants

    • Service Desk Manager
    • Service Desk Agents

    What You’ll Need

    • Service Desk SOP
    • Flip Chart
    • Whiteboard

    Step 3.3: Prepare for a self-service portal project

    Image shows the steps in phase 3. Highlight is on step 3.3.

    This step will walk you through the following activities:

    • 3.3.1 Develop self-service tools for the end user
    • 3.3.2 Make a plan for creating or improving the self-service portal

    This step involves the following participants:

    • IT Managers
    • Service Desk Manager(s)
    • Representation from tier 2 and tier 3 specialists

    Outcomes

    The section prepares you to tackle a self-service portal project once the service desk standardization is complete.

    DELIVERABLES

    • High-level activities to create a self-service portal

    Design the self-service portal with the users’ computer skills in mind

    A study by the OECD offers a useful reminder of one of usability’s most hard-earned lessons: you are not the user.

    • There is an important difference between IT professionals and the average user that’s even more damaging to your ability to predict what will be a good self-service tool: skills in using computers, the internet, and technology in general.
    • An international research study explored the computer skills of 215,942 people aged 16-65 in 33 countries.
    • The results show that across 33 rich countries, only 5% of the population has strong computer-related abilities and only 33% of people can complete medium-complexity computer tasks.
    • End users are skilled, they just don’t have the same level of comfort with computers as the average IT professional. Design your self-service tools with that fact in mind.
    Image is of a graph showing the ability of computer skills from age 16-65 among various countries.

    Take an incremental and iterative approach to developing your self-service portal

    Use a web portal to offer self-serve functionality or provide FAQ information to your customers to start.

    • Don’t build from scratch. Ideally, use the functionality included with your ITSM tool.
    • If your ITSM tool doesn’t have an adequate self-service portal functionality, then harness other tools that IT already uses. Common examples include Microsoft SharePoint and Google Forms.
    • Make it as easy as possible to access the portal:
      • Deploy an app to managed devices or put the app in your app store.
      • Create a shortcut on people’s start menus or home screens.
      • Print the URL on swag such as mousepads.
    • Follow Info-Tech’s approach to developing your user facing service catalog.

    Some companies use vending machines as a form of self serve. Users can enter their purchase code and “buy” a thin client, mouse, keyboard, software, USB keys, tablet, headphones, or loaners.

    Info-Tech Insight

    Building the basics first will provide your users with immediate value. Incrementally add new features to your portal.

    Optimize the portal: self-service should be faster and more convenient than the alternative

    Design the portal by demand, not supply

    Don’t build a portal framed around current offerings and capabilities just for the sake of it. Build the portal based on what your users want and need if you want them to use it.

    Make user experience a top priority

    The portal should be designed for users to self-serve, and thus self-service must be seamless, clear, and attractive to users.

    Speak your users’ language

    Keep in mind that users may not have high technical literacy or be familiar with terminology that you find commonplace. Use terms that are easy to understand.

    Appeal to both clickers and searchers

    Ensure that users can find what they’re looking for both by browsing the site and by using search functionality.

    Use one central portal for all departments

    If multiple departments (i.e. HR, Finance) use or will use a portal, set up a shared portal so that users won’t have to guess where to go to ask for help.

    You won’t know unless you test

    You will know how to navigate the portal better than anyone, but that doesn’t mean it’s intuitive for a new user. Test the portal with users to collect and incorporate feedback.

    Self-service portal examples (1/2)

    Image is of an example of the self-service portal

    Image source: Cherwell Service Management

    Self-service examples (2/2)

    Image is of an example of the self-service portal

    Image source: Team Dynamix

    Keep the end-user facing knowledgebase relevant with workflows, multi-device access, and social features

    Workflows:

    • Easily manage peer reviews and editorial and relevance review.
    • Enable links and importing between tickets and knowledgebase articles.
    • Enable articles to appear based on ticket content.

    Multi-device access:

    • Encourage users to access self-service.
    • Enable technicians to solve problems from anywhere.

    Social features:

    • Display most popular articles first to solve trending issues.
    • Enable voting to improve usability of articles.
    • Allow collaboration on self-service.

    For more information on building self-service portal, refer to Info-Tech’s Optimize the Service Desk with a Shift-Left Strategy

    Draft a high-level project plan for a self-service portal project

    3.3.1 Draft a high-level project plan for a self-service portal project

    1. Identify stakeholders who can contribute to the project.
      • Who will help with FAQ creation?
      • Who can design the self-service portal?
      • Who needs to sign off on the project?
    2. Identify the high-level tasks that need to be done.
      • How many FAQs need to be created?
      • How will we design the service catalog’s web portal?
      • What might a phased approach look like?
      • How can we break down the project into design, build, and implementation tasks?
      • What is the rough timeline for these tasks?
    3. Capture the high-level activities in the Service Desk Roadmap.

    Participants

    • Service Desk Manager
    • Service Desk Agents

    What You’ll Need

    • Flip Chart
    • Whiteboard
    • Implementation Roadmap

    Once you have a service portal, you can review the business requirements for a service catalog

    A service catalog is a communications device that lists the IT services offered by an organization. The service catalog is designed to enable the creation of a self-service portal for the end user. The portal augments the service desk so analysts can spend time managing incidents and providing technical support.

    The big value comes from workflows:

    • Improved economics and a means to measure the costs to serve over time.
    • Incentive for adoption because things work better.
    • Abstracts delivery from offer to serve so you can outsource, insource, crowdsource, slow, speed, reassign, and cover absences without involving the end user.

    There are three types of catalogs:

    • Static:Informational only, so can be a basic website.
    • Routing and workflow: Attached to service desk tool.
    • Workflow and e-commerce: Integrated with service desk tool and ERP system.
    Image is an example of service catalog

    Image courtesy of University of Victoria

    Understand the time and effort involved in building a service catalog

    A service catalog will streamline IT service delivery, but putting one together requires a significant investment. Service desk standardization comes first.

    • Workflows and back-end services must be in place before setting up a service catalog.
    • Think of the catalog as just the delivery mechanism for service you currently provide. If they aren’t running well and delivery is not consistent, you don’t want to advertise SLAs and options.
    • Service catalogs require maintenance.
    • It’s not a one-time investment – service catalogs must be kept up to date to be useful.
    • Service catalog building requires input from VIPs.
    • Architects and wordsmiths are not the only ones that spend effort on the service catalog. Leadership from IT and the business also provide input on policy and content.

    Sample Service Catalog Efforts

    • A college with 17 IT staff spent one week on a simple service catalog.
    • A law firm with 110 IT staff spent two months on a service catalog project.
    • A municipal government with 300 IT people spent over seven months and has yet to complete the project.
    • A financial organization with 2,000 IT people has spent seven months on service catalog automation alone! The whole project has taken multiple years.

    “I would say a client with 2,000 users and an IT department with a couple of hundred, then you're looking at six months before you have the catalog there.”

    – Service Catalog Implementation Specialist,

    Health Services

    Draft a high-level project plan for a self-service portal project

    3.2.2 Make a plan for creating or improving the self-service portal

    Identify stakeholders who can contribute to the project.

    • Who will help with FAQs creation?
    • Who can design the self-service portal?
    • Who needs to sign off on the project?

    Evaluate tool options.

    • Will you stick with your existing tool or invest in a new tool?

    Identify the high-level tasks that need to be done.

    • How will we design the web portal?
    • What might a phased approach look like?
    • What is the rough timeline for these tasks?
    • How many FAQs need to be created?
    • Will we have a service catalog, and what type?

    Document the plan and tasks in the Service Desk Roadmap.

    Examples of publicly posted service catalogs:

    University of Victoria is an example of a catalog that started simple and now includes multiple divisions, notifications, systems status, communications, e-commerce, incident registration, and more.

    Indiana University is a student, faculty, and staff service catalog and self-service portal that goes beyond IT services.

    If you are ready to start building a service catalog, use Info-Tech’s Design and Build a User-Facing Service Catalog blueprint to get started.

    Phase 4

    Plan the Implementation of the Service Desk

    Step 4.1: Build communication plan

    Image shows the steps in phase 4. Highlight is on step 4.1.

    This step will walk you through the following activities:

    • 4.1.1 Create the communication plan

    This step involves the following participants:

    • CIO
    • IT Director
    • IT Managers
    • Service Desk Manager(s)
    • Representation from tier 2 and tier 3 specialists

    Outcomes

    The communication plan and project summary will help project managers outline recommendations and communicate their benefits.

    DELIVERABLES

    • Communication plan
    • Project summary

    Effectively communicate the game plan to IT to ensure the success of service desk improvements

    Communication is crucial to the integration and overall implementation of your service desk improvement.

    An effective communication plan will:

    • Gain support from management at the project proposal phase.
    • Create end-user buy-in once the program is set to launch.
    • Maintainthe presence of the program throughout the business.
    • Instill ownership throughout the business, from top-level management to new hires.

    Build a communication plan to:

    1. Communicate benefits to IT:
      • Share the standard operating procedures for training and feedback.
      • Train staff on policies as they relate to end users and ensure awareness of all policy changes.
      • As changes are implemented, continue to solicit feedback on what is and is not working and communicate adjustments as appropriate.
    2. Train technicians:
      • Make sure everyone is comfortable communicating changes to customers.
    3. Measure success:
      • Review SLAs and reports. Are you consistently meeting SLAs?
      • Is it safe to communicate with end users?

    Create your communication plan to anticipate challenges, remove obstacles, and secure buy-in

    Why:

    • What problems are you trying to solve?

    What:

    • What processes will it affect (that will affect me)?

    Who:

    • Who will be affected?
    • Who do I go to if I have issues with the new process?
    3 gears are depicted. The top gear is labelled managers with an arrow going clockwise. The middle gear is labelled technical staff with an arrow going counterclockwise. The bottom gear is labelled end users with an arrow going clockwise

    When:

    • When will this be happening?
    • When will it affect me?

    How:

    • How will these changes manifest themselves?

    Goal:

    • What is the final goal?
    • How will it benefit me?

    Create a communication plan to outline the project benefits

    Improved business satisfaction:

    • Improve confidence that the service desk can solve issues within the service-level agreement.
    • Channel incidents and requests through the service desk.
    • Escalate incidents quickly and accurately.

    Fewer recurring issues:

    • Tickets are created for every incident and categorized correctly.
    • Reports can be used for root-cause analysis.

    Increased efficiency or lower cost to serve:

    • Use FAQs to enable end users to self-solve.
    • Use knowledgebase to troubleshoot once, solve many times.
    • Cross-train to improve service consistency.

    Enhanced demand planning:

    • Trend analysis and reporting improve IT’s ability to forecast and address the demands of the business.

    Organize the information to manage the deployment of key messages

    Example of how to organize and manage key messages

    Create the communication plan

    4.1.1 Create the communication plan

    Estimated Time: 45 minutes

    Develop a stakeholder analysis.

    1. Identify everyone affected by the project.
    2. Assess their level of interest, value, and influence.
    3. Develop a communication strategy tailored to their level of engagement.

    Craft key messages tailored to each stakeholder group.

    Finalize the communication plan.

    1. Examine your roadmap and determine the most appropriate timing for communications.
    2. Assess when communications must happen with executives, business unit leaders, end users, and technicians.
    3. Identify any additional communication challenges that have come up.
    4. Identify who will send out the communications.
    5. Identify multiple methods for getting the messages out (newsletters, emails, posters, company meetings).
    6. For inspiration, you can refer to the Sample Communication Plan for the project.

    Participants

    • CIO
    • IT Managers
    • Service Desk Manager
    • Service Desk Agents

    Step 4.2: Build implementation roadmap

    Image shows the steps in phase 4. Highlight is on step 4.2.

    This step will walk you through the following activities:

    • 4.2.1 Build implementation roadmap

    This step involves the following participants:

    • CIO
    • IT Director
    • IT Managers
    • Service Desk Manager
    • Representation from tier 2 and tier 3 specialists

    Outcomes

    The implementation plan will help track and categorize the next steps and finalize the project.

    DELIVERABLES

    • Implementation roadmap

    Collaborate to create an implementation plan

    4.2.1 Create the implementation plan

    Estimated Time: 45 minutes

    Determine the sequence of improvement initiatives that have been identified throughout the project.

    The purpose of this exercise is to define a timeline and commit to initiatives to reach your goals.

    Instructions:

    1. Review the initiatives that will be taken to improve the service desk and revise tasks, as necessary.
    2. Input each of the tasks in the data entry tab and provide a description and rationale behind the task.
    3. Assign an effort, priority, and cost level to each task (high, medium, low).
    4. Assign ownership to each task.
    5. Identify the timeline for each task based on the priority, effort, and cost (short, medium, and long term).
    6. Highlight risk for each task if it will be deferred.
    7. Track the progress of each task with the status column.

    Participants

    • CIO
    • IT Managers
    • Service Desk Manager
    • Service Desk Agents

    A screenshot of the Roadmap tool.

    Document using the Roadmap tool.

    Related Info-Tech Research

    Standardize the Service Desk

    ImplementHardware and Software Asset Management

    Optimize Change Management Incident and Problem Management Build a Continual Improvement Plan for the Service Desk

    The Standardize blueprint reviews service desk structures and metrics and builds essential processes and workflows for incident management, service request fulfillment, and knowledge management practices.

    Once the service desk is operational, there are three paths to basic ITSM maturity:

    • Having the incident management processes and workflows built allows you to:
      • Introduce Change Management to reduce change-related incidents.
      • Introduce Problem Management to reduce incident recurrence.
      • Introduce Asset Management to augment service management processes with reliable data.

    Solicit targeted department feedback on core IT service capabilities, IT communications, and business enablement. Use the results to assess the satisfaction of end users, with each service broken down by department and seniority level.

    Works cited

    “Help Desk Staffing Models: Simple Analysis Can Save You Money.” Giva, Inc., 2 Sept. 2009. Web.

    Marrone et al. “IT Service Management: A Cross-national Study of ITIL Adoption.” Communications of the Association for Information Systems: Vol. 34, Article 49. 2014. PDF.

    Rumburg, Jeff. “Metric of the Month: First Level Resolution Rate.” MetricNet, 2011. Web.

    “Service Recovery Paradox.” Wikipedia, n.d. Web.

    Tang, Xiaojun, and Yuki Todo. “A Study of Service Desk Setup in Implementing IT Service Management in Enterprises.” Technology and Investment: Vol. 4, pp. 190-196. 2013. PDF.

    “The Survey of Adult Skills (PIAAC).” Organisation for Economic Co-operation and Development (OECD), 2016. Web.

    Contributors

    • Jason Aqui, IT Director, Bellevue College
    • Kevin Sigil, IT Director, Southwest Care Centre
    • Lucas Gutierrez, Service Desk Manager, City of Santa Fe
    • Rama Dhuwaraha, CIO, University of North Texas System
    • Annelie Rugg, CIO, UCLA Humanities
    • Owen McKeith, Manager IT Infrastructure, Canpotex
    • Rod Gula, IT Director, American Realty Association
    • Rosalba Trujillo, Service Desk Manager, Northgate Markets
    • Jason Metcalfe, IT Manager, Mesalabs
    • Bradley Rodgers, IT Manager, SecureTek
    • Daun Costa, IT Manager, Pita Pit
    • Kari Petty, Service Desk Manager, Mansfield Oil
    • Denis Borka, Service Desk Manager, PennTex Midstream
    • Lateef Ashekun, IT Manager, City of Atlanta
    • Ted Zeisner, IT Manager, University of Ottawa Institut de Cardiologie

    Cost Optimization

    • Buy Link or Shortcode: {j2store}14|cart{/j2store}
    • Related Products: {j2store}14|crosssells{/j2store}
    • Up-Sell: {j2store}14|upsells{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Financial Management
    • Parent Category Link: /financial-management
    Minimize the damage of IT cost cuts

    Manage End-User Devices

    • Buy Link or Shortcode: {j2store}307|cart{/j2store}
    • member rating overall impact (scale of 10): 10.0/10 Overall Impact
    • member rating average dollars saved: $45,499 Average $ Saved
    • member rating average days saved: 10 Average Days Saved
    • Parent Category Name: End-User Computing Devices
    • Parent Category Link: /end-user-computing-devices
    • Desktop and mobile device management teams use separate tools and different processes.
    • People at all levels of IT are involved in device management.
    • Vendors are pushing unified endpoint management (UEM) products, and teams struggling with device management are hoping that UEM is their savior.
    • The number and variety of devices will only increase with the continued advance of mobility and emergence of the Internet of Things (IoT).

    Our Advice

    Critical Insight

    • Many problems can be solved by fixing roles, responsibilities, and process. Standardize so you can optimize.
    • UEM is not a silver bullet. Your current solution can image computers in less than 4 hours if you use lean images.
    • Done with, not done to. Getting input from the business will improve adoption, avoid frustration, and save everyone time.

    Impact and Result

    • Define the benefits that you want to achieve and optimize based on those benefits.
    • Take an evolutionary, rather than revolutionary, approach to merging end-user support teams. Process and tool unity comes first.
    • Define the roles and responsibilities involved in end-user device management, and create a training plan to ensure everyone can execute their responsibilities.
    • Stop using device management practices from the era of Windows XP. Create a plan for lean images and app packages.

    Manage End-User Devices Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should optimize end-user device management, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Identify the business and IT benefits of optimizing endpoint management

    Get your desktop and mobile device support teams out of firefighting mode by identifying the real problem.

    • Manage End-User Devices – Phase 1: Identify the Business and IT Benefits
    • End-User Device Management Standard Operating Procedure
    • End-User Device Management Executive Presentation

    2. Improve supporting teams and processes

    Improve the day-to-day operations of your desktop and mobile device support teams through role definition, training, and process standardization.

    • Manage End-User Devices – Phase 2: Improve Supporting Teams and Processes
    • End-User Device Management Workflow Library (Visio)
    • End-User Device Management Workflow Library (PDF)

    3. Improve supporting technologies

    Stop using management tools and techniques from the Windows XP era. Save yourself, and your technicians, from needless pain.

    • Manage End-User Devices – Phase 3: Improve Supporting Technologies
    [infographic]

    Workshop: Manage End-User Devices

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Identify the Business and IT Benefits of Optimizing End-User Device Management

    The Purpose

    Identify how unified endpoint management (UEM) can improve the lives of the end user and of IT.

    Key Benefits Achieved

    Cutting through the vendor hype and aligning with business needs.

    Activities

    1.1 Identify benefits you can provide to stakeholders.

    1.2 Identify business and IT goals in order to prioritize benefits.

    1.3 Identify how to achieve benefits.

    1.4 Define goals based on desired benefits.

    Outputs

    Executive presentation

    2 Improve the Teams and Processes That Support End-User Device Management

    The Purpose

    Ensure that your teams have a consistent approach to end-user device management.

    Key Benefits Achieved

    Developed a standard approach to roles and responsibilities, to training, and to device management processes.

    Activities

    2.1 Align roles to your environment.

    2.2 Assign architect-, engineer-, and administrator-level responsibilities.

    2.3 Rationalize your responsibility matrix.

    2.4 Ensure you have the necessary skills.

    2.5 Define Tier 2 processes, including patch deployment, emergency patch deployment, device deployment, app deployment, and app packaging.

    Outputs

    List of roles involved in end-user device management

    Responsibility matrix for end-user device management

    End-user device management training plan

    End-user device management standard operating procedure

    Workflows and checklists of end-user device management processes

    3 Improve the Technologies That Support End-User Device Management

    The Purpose

    Modernize the toolset used by IT to manage end-user devices.

    Key Benefits Achieved

    Saving time and resources for many standard device management processes.

    Activities

    3.1 Define the core image for each device/OS.

    3.2 Define app packages.

    3.3 Gather action items for improving the support technologies.

    3.4 Create a roadmap for improving end-user device management.

    3.5 Create a communication plan for improving end-user device management.

    Outputs

    Core image outline

    Application package outline

    End-user device management roadmap

    End-user device management communication plan

    Do you believe in absolute efficiency?

    Weekend read. Hence I post this a bit later on Friday.
    Lately, I've been fascinated by infinity. And in infinity, some weird algebra pops up. Yet that weirdness is very much akin to what our business stakeholders want, driven by what our clients demand, and hence our KPIs drive us. Do more with less. And that is what absolute efficiency means.

    Register to read more …

    pricing

    • TymansGroupVideosExcerpt: BasicFor freelancers$19/ month 10 presentations/monthSupport at $25/hour1 campaign/month Choose plan StandardFor medium sized teams$29/ month 50 presentations/month5 hours of free support10 campaigns/month Choose plan EnterpriseFor large companies$79/ month Unlimited presentationsUnlimited supportUnlimited campaigns Choose plan

    Pricing

    We price our services transparantly. To know our prices, please submit your contact details below.

    You can work with TY in a different ways, according to your needs.

    • Topic consulting without any long-term contract. You decide how many hours of advice you want. It's pay-as-you-go. Great for short sessions, but more expensive as time ticks on. Billing is done at the start of the agreement. Click here to book your appointment
    • Analysis and recommendation — this is a scope-defined body of work whereby TY undertakes an As-Is analysis and presents recommendations.
    • Total time contract — this is usually the most financially beneficial to clients needing irregular, and far from full-time advice, without a time-frame. Essentially you buy a block of time in advance. If it takes you 3 years to use it up, be our guest. We work on your requests, but within the availability of the moment. Billing is done at the start of the contract.
    • Retained priority — here, we reserve an agreed body of work (typically time) within a one-year timeframe. You call, we jump. Reaction time is a matter of hours. At the end of the period, unused time can be transferred once to the following year. Contracts are typically renewed at the end of each year. Billing can be done on a monthly basis or at the start of the agreement/year. The price/billing has 2 components: the availability premium and the actual work time. For clients needing irregular, but ongoing and varied help, this is a great place to start.
    • Full-time consulting — Here you have our undivided attention, with a minimum of 250 8-hour work days in a single calendar-year. Billing is done on a monthly basis. Overtime is available, and billed separately. Within your business hours, you take priority over any other contracts.

    Continue reading

    Stabilize Release and Deployment Management

    • Buy Link or Shortcode: {j2store}453|cart{/j2store}
    • member rating overall impact (scale of 10): 9.6/10 Overall Impact
    • member rating average dollars saved: $38,699 Average $ Saved
    • member rating average days saved: 37 Average Days Saved
    • Parent Category Name: Operations Management
    • Parent Category Link: /i-and-o-process-management

    Lack of control over the release process, poor collaboration between teams, and manual deployments lead to poor quality releases at a cost to the business.

    Our Advice

    Critical Insight

    • Manage risk. Release management should stabilize the IT environment. A poorly designed release can take down the whole business. Rushing releases out the door leads to increased risk for the business.
    • Quality processes are key. Standardized process will enable your release and deployment management teams to have a framework to deploy new releases with minimal chance of costly downtime further down the production chain.
    • Business must own the process. Release managers need oversight of the business to remain good stewards of the release management process.

    Impact and Result

    • Be prepared with a release management policy. With vulnerabilities discovered and published at an alarming pace, organizations have to build a plan to address and fix them quickly. A detailed release and patch policy should map out all the logistics of the deployment in advance, so that when necessary, teams can handle rollouts like a well-oiled machine.
    • Automate your software deployment and patch management strategy. Replace tedious and time-consuming manual processes with the use of automated release and patch management tools. Some organizations have a variety of release tools for various tasks and processes to ensure all or most of the required processes are covered across a diverse development environment.
    • Test deployments and monitor your releases. Larger organizations may have the luxury of a test environment prior to deployment, but that may be cost prohibitive for smaller organizations. If resources are a constraint, roll out the patch gradually and closely monitor performance to be able to quickly revert in the event of an issue.

    Stabilize Release and Deployment Management Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should control and stabilize your release and deployment management practice while improving the quality of releases and deployments, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Analyze current state

    Begin improving release management by assessing the current state and gaining a solid understanding of how core operational processes are actually functioning within the organization.

    • Stabilize Release and Deployment Management – Phase 1: Analyze Current State
    • Release Management Maturity Assessment
    • Release Management Project Roadmap Tool
    • Release Management Workflow Library (Visio)
    • Release Management Workflow Library (PDF)
    • Release Management Standard Operating Procedure
    • Patch Management Policy
    • Release Management Policy
    • Release Management Deployment Tracker
    • Release Management Build Procedure Template

    2. Plan releases and deployments

    Plan releases to gather all the pieces in one place and define what, why, when, and how a release will happen.

    • Stabilize Release and Deployment Management – Phase 2: Release and Deployment Planning

    3. Build, test, deploy

    Take a holistic and comprehensive approach to effectively designing and building releases. Get everything right the first time.

    • Stabilize Release and Deployment Management – Phase 3: Build, Test, Deploy

    4. Measure, manage, improve

    Determine desired goals for release management to ensure both IT and the business see the benefits of implementation.

    • Stabilize Release and Deployment Management – Phase 4: Measure, Manage, Improve
    [infographic]

    Workshop: Stabilize Release and Deployment Management

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Analyze Current State

    The Purpose

    Release management improvement begins with assessment of the current state.

    Key Benefits Achieved

    A solid understanding of how core operational processes are actually functioning within the organization.

    Activities

    1.1 Evaluate process maturity.

    1.2 Assess release management challenges.

    1.3 Define roles and responsibilities.

    1.4 Review and rightsize existing policy suite.

    Outputs

    Maturity Assessment

    Release Management Policy

    Release Management Standard Operating Procedure

    Patch Management Policy

    2 Release Management Planning

    The Purpose

    In simple terms, release planning puts all the pertinent pieces in one place.

    Key Benefits Achieved

    It defines the what, why, when, and how a release will happen.

    Activities

    2.1 Design target state release planning process.

    2.2 Define, bundle, and categorize releases.

    2.3 Standardize deployment plans and models.

    Outputs

    Release Planning Workflow

    Categorization and prioritization schemes

    Deployment models aligned to release types

    3 Build, Test, and Deploy

    The Purpose

    Take a holistic and comprehensive approach to effectively designing and building releases.

    Key Benefits Achieved

    Standardize build and test procedures to begin to drive consistency.

    Activities

    3.1 Standardize build procedures for deployments.

    3.2 Standardize test plans aligned to release types.

    Outputs

    Build procedure for hardware and software releases

    Test models aligned to deployment models

    4 Measure, Manage, and Improve

    The Purpose

    Determine and define the desired goals for release management as a whole.

    Key Benefits Achieved

    Agree to key metrics and success criteria to start tracking progress and establish a post-deployment review process to promote continual improvement.

    Activities

    4.1 Determine key metrics to track progress.

    4.2 Establish a post-deployment review process.

    4.3 Understand and define continual improvement drivers.

    Outputs

    List of metrics and goals

    Post-deployment validation checklist

    Project roadmap

    Effectively Manage CxO Relations

    • Buy Link or Shortcode: {j2store}384|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Manage Business Relationships
    • Parent Category Link: /manage-business-relationships

    With the exponential pace of technological change, an organization's success will depend largely on how well CIOs can evolve from technology evangelists to strategic business partners. This will require CIOs to effectively broker relationships to improve IT's effectiveness and create business value. A confidential journal can help you stay committed to fostering productive relationships while building trust to expand your sphere of influence.

    Our Advice

    Critical Insight

    Highly effective executives have in common the ability to successfully balance three things: time, personal capabilities, and relationships. Whether you are a new CIO or an experienced leader, the relentless demands on your time and unpredictable shifts in the organization’s strategy require a personal game plan to deliver business value. Rather than managing stakeholders one IT project at a time, you need an action plan that is tailored for unique work styles.

    Impact and Result

    A personal relationship journal will help you:

    • Understand the context in which key stakeholders operate.
    • Identify the best communication approach to engage with different workstyles.
    • Stay committed to fostering relationships through difficult periods.

    Effectively Manage CxO Relations Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Effectively Manage CxO Relations Storyboard – A guide to creating a personal action plan to help effectively manage relationships across key stakeholders.

    Use this research to create a personal relationship journal in four steps:

    • Effectively Manage CxO Relations Storyboard

    2. Personal Relationship Management Journal Template – An exemplar to help you build your personal relationship journal.

    Use this exemplar to build a journal that is readily accessible, flexible, and easy to maintain.

    • Personal Relationship Management Journal Template

    Infographic

    Further reading

    Effectively Manage CxO Relations

    Make relationship management a daily habit with a personalized action plan.

    Analyst Perspective

    "Technology does not run an enterprise, relationships do." – Patricia Fripp

    As technology becomes increasingly important, an organization's success depends on the evolution of the modern CIO from a technology evangelist to a strategic business leader. The modern CIO will need to leverage their expansive partnerships to demonstrate the value of technology to the business while safeguarding their time and effort on activities that support their strategic priorities. CIOs struggling to transition risk obsolescence with the emergence of new C-suite roles like the Digital Transformation Officer, Chief Digital Officer, Chief Data Officer, and so on.

    CIOs will need to flex new social skills to accommodate diverse styles of work and better predict dynamic situations. This means expanding beyond their comfort level to acquire new social skills. Having a clear understanding of one's own work style (preferences, natural tendencies, motivations, and blind spots) is critical to identify effective communication and engagement tactics.

    Building trust is an art. Striking a balance between fulfilling your own goals and supporting others will require a carefully curated approach to navigate the myriad of personalities and work styles. A personal relationship journal will help you stay committed through these peaks and troughs to foster productive partnerships and expand your sphere of influence over the long term.

    Photo of Joanne Lee
    Joanne Lee
    Principal, Research Director, CIO Advisory
    Info-Tech Research Group

    Executive Summary

    Your Challenge

    In today's unpredictable markets and rapid pace of technological disruptions, CIOs need to create business value by effectively brokering relationships to improve IT's performance. Challenges they face:

    • Operate in silos to run the IT factory.
    • Lack insights into their stakeholders and the context in which they operate.
    • Competing priorities and limited time to spend on fostering relationships.
    • Relationship management programs are narrowly focused on associated change management in IT project delivery.

    Common Obstacles

    Limited span of influence.

    Mistaking formal roles in organizations for influence.

    Understanding what key individuals want and, more importantly, what they don't want.

    Lack of situational awareness to adapt communication styles to individual preferences and context.

    Leveraging different work styles to create a tangible action plan.

    Perceiving relationships as "one and done."

    Info-Tech's Approach

    A personal relationship journal will help you stay committed to fostering productive relationships while building trust to expand your sphere of influence.

    • Identify your key stakeholders.
    • Understand the context in which they operate to define a profile of their mandate, priorities, commitments, and situation.
    • Choose the most effective engagement and communication strategies for different work styles.
    • Create an action plan to monitor and measure your progress.

    Info-Tech Insight

    Highly effective executives have in common the ability to balance three things: time, personal capabilities, and relationships. Whether you are a new CIO or an experienced leader, the relentless demand on your time and unpredictable shifts in the organization's strategy will require a personal game plan to deliver business value. This will require more than managing stakeholders one IT project at a time: It requires an action plan that fosters relationships over the long term.

    Key Concepts

    Stakeholder Management
    A common term used in project management to describe the successful delivery of any project, program, or activity that is associated with organizational change management. The goal of stakeholder management is intricately tied to the goals of the project or activity with a finite end. Not the focus of this advisory research.

    Relationship Management
    A broad term used to describe the relationship between two parties (individuals and/or stakeholder groups) that exists to create connection, inclusion, and influence. The goals are typically associated with the individual's personal objectives and the nature of the interaction is seen as ongoing and long-term.

    Continuum of Commitment
    Info-Tech's framework that illustrates the different levels of commitment in a relationship. It spans from active resistance to those who are committed to actively supporting your personal priorities and objectives. This can be used to baseline where you are today and where you want the relationship to be in the future.

    Work Style
    A reference to an individual's natural tendencies and expectations that manifest itself in their communication, motivations, and leadership skills. This is not a behavior assessment nor a commentary on different personalities but observable behaviors that can indicate different ways people communicate, interact, and lead.

    Glossary
    CDxO: Chief Digital Officer
    CDO: Chief Data Officer
    CxO: C-Suite Executives

    The C-suite is getting crowded, and CIOs need to foster relationships to remain relevant

    The span of influence and authority for CIOs is diminishing with the emergence of Chief Digital Officers and Chief Data Officers.

    63% of CDxOs report directly to the CEO ("Rise of the Chief Digital Officer," CIO.com)

    44% of organizations with a dedicated CDxO in place have a clear digital strategy versus 22% of those without a CDxO (KPMG/Harvey Nash CIO Survey)

    The "good news": CIOs tend to have a longer tenure than CDxOs.

    A diagram that shows the average tenure of C-Suites in years.
    Source: "Age and Tenure of C-Suites," Korn Ferry

    The "bad news": The c-suite is getting overcrowded with other roles like Chief Data Officer.

    A diagram that shows the number of CDOs hired from 2017 to 2021.
    Source: "Chief Data Officer Study," PwC, 2022

    An image of 7 lies technology executives tell ourselves.

    Info-Tech Insight

    The digital evolution has created the emergence of new roles like the Chief Digital Officer and Chief Data Officer. They are a response to bridge the skill gap that exists between the business and technology. CIOs need to focus on building effective partnerships to better communicate the business value generated by technology or they risk becoming obsolete.

    Create a relationship journal to effectively manage your stakeholders

    A diagram of relationship journal

    Info-Tech's approach

    From managing relationships with friends to key business partners, your success will come from having the right game plan. Productive relationships are more than managing stakeholders to support IT initiatives. You need to effectively influence those who have the potential to champion or derail your strategic priorities. Understanding differences in work styles is fundamental to adapting your communication approach to various personalities and situations.

    A diagram that shows from 1.1 to 4.1

    A diagram of business archetypes

    Summary of Insights

    Insight 1: Expand your sphere of influence
    It's not just about gaining a volume of acquaintances. Figure out where you want to spend your limited time, energy, and effort to develop a network of professional allies who will support and help you achieve your strategic priorities.

    Insight 2: Know thyself first and foremost
    Healthy relationships start with understanding your own working style, preferences, and underlying motivations that drive your behavior and ultimately your expectations of others. A win/win scenario emerges when both parties' needs for inclusion, influence, and connection are met or mutually conceded.

    Insight 3: Walk a mile in their shoes
    If you want to build successful partnerships, you need to understand the context in which your stakeholder operates: their motivations, desires, priorities, commitments, and challenges. This will help you adapt as their needs shift and, moreover, leverage empathy to identify the best tactics for different working styles.

    Insight 4: Nurturing relationships is a daily commitment
    Building, fostering, and maintaining professional relationships requires a daily commitment to a plan to get through tough times, competing priorities, and conflicts to build trust, respect, and a shared sense of purpose.

    Related Info-Tech Research

    Supplement your CIO journey with these related blueprints.

    Photo of First 100 Days as CIO

    First 100 Days as CIO

    Photo of Become a Strategic CIO

    Become a Strategic CIO

    Photo of Improve IT Team Effectiveness

    Improve IT Team Effectiveness

    Photo of Become a Transformational CIO

    Become a Transformational CIO

    Executive Brief Case Study

    Logo of Multicap Limited

    • Industry: Community Services
    • Source: Scott Lawry, Head of Digital

    Conversation From Down Under

    What are the hallmarks of a healthy relationship with your key stakeholders?
    "In my view, I work with partners like they are an extension of my team, as we rely on each other to achieve mutual success. Partnerships involve a deeper, more intimate relationship, where both parties are invested in the long-term success of the business."

    Why is it important to understand your stakeholder's situation?
    "It's crucial to remember that every IT project is a business project, and vice versa. As technology leaders, our role is to demystify technology by focusing on its business value. Empathy is a critical trait in this endeavor, as it allows us to see a stakeholder's situation from a business perspective, align better with the business vision and goals, and ultimately connect with people, rather than just technology."

    How do you stay committed during tough times?
    "I strive to leave emotions at the door and avoid taking a defensive stance. It's important to remain neutral and not personalize the issue. Instead, stay focused on the bigger picture and goals, and try to find a common purpose. To build credibility, it's also essential to fact-check assumptions regularly. By following these principles, I approach situations with a clear mind and better perspective, which ultimately helps achieve success."

    Photo of Scott Lawry, Head Of Digital at Multicap Limited

    Key Takeaways

    In a recent conversation with a business executive about the evolving role of CIOs, she expressed: "It's the worst time to be perceived as a technology evangelist and even worse to be perceived as an average CIO who can't communicate the business value of technology."

    This highlights the immense pressure many CIOs face when evolving beyond just managing the IT factory.

    The modern CIO is a business leader who can forge relationships and expand their influence to transform IT into a core driver of business value.

    Stakeholder Sentiment

    Identify key stakeholders and their perception of IT's effectiveness

    1.1 Identify Key Stakeholders

    A diagram of Identify Key Stakeholders

    Identify and prioritize your key stakeholders. Be diligent with stakeholder identification. Use a broad view to identify stakeholders who are known versus those who are "hidden." If stakeholders are missed, then so are opportunities to expand your sphere of influence.

    1.2 Understand Stakeholder's Perception of IT

    A diagram that shows Info-Tech's Diagnostic Reports and Hospital Authority XYZ

    Assess stakeholder sentiments from Info-Tech's diagnostic reports and/or your organization's satisfaction surveys to help identify individuals who may have the greatest influence to support or detract IT's performance and those who are passive observers that can become your greatest allies. Determine where best to focus your limited time amid competing priorities by focusing on the long-term goals that support the organization's vision.

    Info-Tech Insight

    Understand which individuals can directly or indirectly influence your ability to achieve your priorities. Look inside and out, as you may find influencers beyond the obvious peers or executives in an organization. Influence can result from expansive connections, power of persuasion, and trust to get things done.

    Visit Info-Tech's Diagnostic Programs

    Activity: Identify and Prioritize Stakeholders

    30-60 minutes

    1.1 Identify Key Stakeholders

    Start with the key stakeholders that are known to you. Take a 360-degree view of both internal and external connections. Leverage external professional & network platforms (e.g. LinkedIn), alumni connections, professional associations, forums, and others that can help flush out hidden stakeholders.

    1.2 Prioritize Key Stakeholders

    Use stakeholder satisfaction surveys like Info-Tech's Business Vision diagnostic as a starting point to identify those who are your allies and those who have the potential to derail IT's success, your professional brand, and your strategic priorities. Review the results of the diagnostic reports to flush out those who are:

    • Resisters: Vocal about their dissatisfaction with IT's performance and actively sabotage or disrupt
    • Skeptics: Disengaged, passive observers
    • Ambassadors: Aligned but don't proactively support
    • Champions: Actively engaged and will proactively support your success

    Consider the following:

    • Influencers may not have formal authority within an organization but have relationships with your stakeholders.
    • Influencers may be hiding in many places, like the coach of your daughter's soccer team who rows with your CEO.
    • Prioritize, i.e. three degrees of separation due to potential diverse reach of influence.

    Key Output: Create a tab for your most critical stakeholders.

    A diagram that shows profile tabs

    Download the Personal Relationship Management Journal Template.

    Understand stakeholders' business

    Create a stakeholder profile to understand the context in which stakeholders operate.

    2.1 Create individual profile for each stakeholder

    A diagram that shows different stakeholder questions

    Collect and analyze key information to understand the context in which your stakeholders operate. Use the information to derive insights about their mandate, accountabilities, strategic goals, investment priorities, and performance metrics and challenges they may be facing.

    Stakeholder profiles can be used to help design the best approach for personal interactions with individuals as their business context changes.

    If you are short on time, use this checklist to gather information:

    • Stakeholder's business unit (BU) strategy goals
    • High-level organizational chart
    • BU operational model or capability map
    • Key performance metrics
    • Projects underway and planned
    • Financial budget (if available)
    • Milestone dates for key commitments and events
    • External platforms like LinkedIn, Facebook, Twitter, Slack, Instagram, Meetup, blogs

    Info-Tech Insight

    Understanding what stakeholders want (and more importantly, what they don't) requires knowing their business and the personal and social circumstances underlying their priorities and behaviors.

    Activity: Create a stakeholder profile

    30-60 minutes

    2.1.0 Understand stakeholder's business context

    Create a profile for each of your priority stakeholders to document their business context. Review all the information collected to understand their mandate, core accountability, and business capabilities. The context in which individuals operate is a window into the motivations, pressures, and vested interests that will influence the intersectionality between their expectations and yours.

    2.1.1 Document Observable Challenges as Private Notes

    Crushing demands and competing priorities can lead to tension and stress as people jockey to safeguard their time. Identify some observable challenges to create greater situational awareness. Possible underlying factors:

    • Sudden shifts/changes in mandate
    • Performance (operations, projects)
    • Finance
    • Resource and talent gaps
    • Politics
    • Personal circumstances
    • Capability gaps/limitations
    • Capacity challenges

    A diagram that shows considerations of this activity.

    Analyze Stakeholder's Work Style

    Adapt communication styles to the situational context in which your stakeholders operate

    2.2 Determine the ideal approach for engaging each stakeholder

    Each stakeholder has a preferred modality of working which is further influenced by dynamic situations. Some prefer to meet frequently to collaborate on solutions while others prefer to analyze data in solitude before presenting information to substantiate recommendations. However, fostering trust requires:

    1. Understanding your preferred default when engaging others.
    2. Knowing where you need to expand your skills.
    3. Identifying which skills to activate for different professional scenarios.

    Adapting your communication style to create productive interactions will require a diverse arsenal of interpersonal skills that you can draw upon as situations shift. The ability to adapt your work style to dial any specific trait up or down will help to increase your powers of persuasion and influence.

    "There are only two ways to influence human behavior: you can manipulate it, or you can inspire it." – Simon Sinek

    Activity: Identify Engagement Strategies

    30 minutes

    2.2.0 Establish work styles

    Every individual has a preferred style of working. Determine work styles starting with self-awareness:

    • Express myself - How you communicate and interact with others
    • Expression by others - How you want others to communicate and interact with you

    Through observation and situational awareness, we can make inferences about people's work style.

    • Observations - Observable traits of other people's work style
    • Situations - Personal and professional circumstances that influence how we communicate and interact with one another

    Where appropriate and when opportunities arise, ask individuals directly about their preferred work styles and method for communication. What is their preferred method of communication? During a normal course of interaction vs. for urgent priorities?

    2.2.1 Brainstorm possible engagement strategies

    Consider the following when brainstorming engagement strategies for different work styles.

    A table of involvement, influence, and connection.

    Think engagement strategies in different professional scenarios:

    • Meetings - Where and how you connect
    • Communicating - How and what you communicate to create connection
    • Collaborating - What degree of involved in shared activities
    • Persuading - How you influence or direct others to get things done

    Expand New Interpersonal Skills

    Use the Business Archetypes to brainstorm possible approaches for engaging with different work styles. Additional communication and engagement tactics may need to be considered based on circumstances and changing situations.

    A diagram that shows business archetypes and engagement strategies.

    Communicate Effectively

    Productive communication is a dialogue that requires active listening, tailoring messages to fluid situations, and seeking feedback to adapt.

    A diagram of elements that contributes to better align intention and impact

    Be Relevant

    • Understand why you need to communicate
    • Determine what you need to convey
    • Tailor your message to what matters to the audience and their context
    • Identify the most appropriate medium based on the situation

    Be Consistent and Accurate

    • Say what you mean and mean what you say to avoid duplicity
    • Information should be accurate and complete
    • Communicate truthfully; do not make false promises or hide bad news
    • Don't gossip

    Be Clear and Concise

    • Keep it simple and avoid excessive jargon
    • State asks upfront to set intention and transparency
    • Avoid ambiguity and focus on outcomes over details
    • Be brief and to the point or risk losing stakeholder's attention

    Be Attentive and Authentic

    • Stay engaged and listen actively
    • Be curious and inquire for clarification or explanation
    • Be flexible to adapt to both verbal and non-verbal cues
    • Be authentic in your approach to sharing yourself
    • Avoid "canned" approaches

    A diagram of listen, observe, reflect.


    "Good communication is the bridge between confusion and clarity."– Nat Turner (LinkedIn, 2020)

    Exemplar: Engaging With Jane

    A diagram that shows Exemplar: Engaging With Jane

    Exemplar: Engaging With Ali

    A diagram that shows Exemplar: Engaging With Ali

    Develop an Action Plan

    Moving from intent to action requires a plan to ensure you stay committed through the peaks and troughs.

    Create Your 120-Day Plan

    An action plan example

    Key elements of the action plan:

    • Strategic priorities – Your top focus
    • Objective – Your goals
    • 30-60-90-120 Day Topics – Key agenda items
    • Meeting Progress Notes – Key takeaways from meetings
    • Private Notes – Confidential observations

    Investing in relationships is a long-term process. You need to accumulate enough trust to trade or establish coalitions to expand your sphere of influence. Even the strongest of professional ties will have their bouts of discord. To remain committed to building the relationship during difficult periods, use an action plan that helps you stay grounded around:

    • Shared purpose
    • Removing emotion from the situation
    • Continuously learning from every interaction

    Photo of Angela Diop
    "Make intentional actions to set intentionality. Plans are good to keep you grounded and focused especially when relationship go through ups and down and there are changes: to new people and new relationships."
    – Angela Diop, Senior Director, Executive Services, Info-Tech & former VP of Information Services with Unity Health Care

    Activity: Design a Tailored Action Plan

    30-60 minutes

    3.1.0 Determine your personal expectations

    Establish your personal goals and expectations around what you are seeking from the relationship. Determine the strength of your current connection and identify where you want to move the relationship across the continuum of commitment.

    Use insights from your stakeholder's profile to explore their span of influence and degree of interest in supporting your strategic priorities.

    3.1.1 Determine what you want from the relationship

    Based on your personal goals, identify where you want to move the relationship across the continuum of commitment: What are you hoping to achieve from the relationship? How will this help create a win/win situation for both you and the key stakeholder?

    A diagram of Continuum of Commitment.

    3.1.2 Identify your metrics for progress

    Fostering relationships take time and commitment. Utilizing metrics or personal success criteria for each of your focus areas will help you stay on track and find opportunities to make each engagement valuable instead of being transactional.

    A graph that shows influence vs interest.

    Make your action plan impactful

    Level of Connection

    The strength of the relationship will help inform the level of time and effort needed to achieve your goals.

    • Is this a new or existing relationship?
    • How often do you connect with this individual?
    • Are the connections driven by a shared purpose or transactional as needs arise?

    Focus on Relational Value

    Cultivate your network and relationship with the goal of building emotional connection, understanding, and trust around your shared purpose and organization's vision through regular dialogue. Be mindful of transactional exchanges ("quid pro quo") to be strategic about its use. Treat every interaction as equally important regardless of agenda, duration, or channel of communication.

    Plan and Prepare

    Everyone's time is valuable, and you need to come prepared with a clear understanding of why you are engaging. Think about the intentionality of the conversation:

    • Gain buy-in
    • Create transparency
    • Specific ask
    • Build trust and respect
    • Provide information to clarify, clear, or contain a situation

    Non-Verbal Communication Matters

    Communication is built on both overt expressions and subtext. While verbal communication is the most recognizable form, non-lexical components of verbal communication (i.e. paralanguage) can alter stated vs. intended meaning. Engage with the following in mind:

    • Tone, pitch, speed, and hesitation
    • Facial expressions and gestures
    • Choice of channel for engagement

    Exemplar: Action Plan for VP, Digital

    A diagram that shows Exemplar: Action Plan for VP, Digital

    Make Relationship Management a Daily Habit

    Management plans are living documents and need to be flexible to adapt to changes in stakeholder context.

    Monitor and Adjust to Communicate Strategically

    A diagram that shows Principles for Effective Communication and Key Measures

    Building trust takes time and commitment. Treat every conversation with your key stakeholders as an investment in building the social capital to expand your span of influence when and where you need it to go. This requires making relationship management a daily habit. Action plans need to be a living document that is your personal journal to document your observations, feelings, and actions. Such a plan enables you to make constant adjustments along the relationship journey.

    "Without involvement, there is no commitment. Mark it down, asterisk it, circle it, underline it."– Stephen Convey (LinkedIn, 2016)

    Capture some simple metrics

    If you can't measure your actions, you can't manage the relationship.

    An example of measures: what, why, how - metrics, and intended outcome.

    While a personal relationship journal is not a formal performance management tool, identifying some tangible measures will improve the likelihood of aligning your intent with outcomes. Good measures will help you focus your efforts, time, and resources appropriately.

    Keep the following in mind:

    1. WHAT are you trying to measure?
      Specific to the situation or scenario
    2. WHY is this important?
      Relevant to your personal goals
    3. HOW will you measure?
      Achievable and quantifiable
    4. WHAT will the results tell you?
      Intended outcome that is directional

    Summary of accomplishments

    Knowledge Gained

    • Relationship management is critical to a CIO's success
    • A personal relationship journal will help build:
      • Customized approach to engaging stakeholders
      • New communication skills to adapt to different work styles

    New Concepts

    • Work style assessment framework and engagement strategies
    • Effective communication strategies
    • Continuum of commitment to establish personal goals

    Approach to Creating a Personal Journal

    • Step-by-step approach to create a personal journal
    • Key elements for inclusion in a journal
    • Exemplar and recommendations

    Related Info-Tech Research

    Photo of Tech Trends and Priorities Research Centre

    Tech Trends and Priorities Research Centre

    Access Info-Tech's Tech Trend reports and research center to learn about current industry trends, shifts in markets, and disruptions that are impacting your industry and sector. This is a great starting place to gain insights into how the ecosystem is changing your business and the role of IT within it.

    Photo of Embed Business Relationship Management in IT

    Embed Business Relationship Management in IT

    Create a business relationship management (BRM) function in your program to foster a more effective partnership with the business and drive IT's value to the organization.

    Photo of Become a Transformational CIO

    Become a Transformational CIO

    Collaborate with the business to lead transformation and leave behind a legacy of growth.

    Appendix: Framework

    Content:

    • Adaptation of DiSC profile assessment
    • DiSC Profile Assessment
    • FIRO-B Framework
    • Experience Cube

    Info-Tech's Adaption of DiSC Assessment

    A diagram of business archetypes

    Info-Tech's Business Archetypes was created based on our analysis of the DiSC Profile and Myers-Briggs FIRO-B personality assessment tools that are focused on assessing interpersonal traits to better understand personalities.

    The adaptation is due in part to Info-Tech's focus on not designing a personality assessment tool as this is neither the intent nor the expertise of our services. Instead, the primary purpose of this adaptation is to create a simple framework for our members to base their observations of behavioral cues to identify appropriate communication styles to better interact with key stakeholders.

    Cautionary note:
    Business archetypes are personas and should not be used to label, make assumptions and/or any other biased judgements about individual personalities. Every individual has all elements and aspects of traits across various spectrums. This must always remain at the forefront when utilizing any type of personality assessments or frameworks.

    Click here to learn about DiSC Profile
    Click here learn about FIRO-B
    Click here learn about Experience Cube

    DiSC Profile Assessment

    A photo of DiSC Profile Assessment

    What is DiSC?

    DisC® is a personal assessment tool that was originally developed in 1928 by psychologist William Moulton Marston, who designed it to predict job performance. The tool has evolved and is now widely used by thousands of organizations around the world, from large government agencies and Fortune 500 companies to nonprofit and small businesses, to help improve teamwork, communication, and productivity in the workplace. The tool provides a common language people can use to better understand themselves and those they interact with - and use this knowledge to reduce conflict and improve working relationships.

    What does DiSC mean?

    DiSC is an acronym that stands for the four main personality profiles described in the Everything DiSC model: (D)ominance, (i)nfluence, (S)teadiness, (C)onscientiousness

    People with (D) personalities tend to be confident and emphasize accomplishing bottom-line results.
    People with (i) personalities tend to be more open and emphasize relationships and influencing or persuading others.
    People with (S) personalities tend to be dependable and emphasize cooperation and sincerity.
    People with (C) personalities tend to emphasize quality, accuracy, expertise, and competency.

    Go to this link to explore the DiSC styles

    FIRO-B® – Interpersonal Assessment

    A diagram of FIRO framework

    What is FIRO workplace relations?

    The Fundamental Interpersonal Relations Orientation Behavior (FIRO-B®) tool has been around for forty years. The tool assesses your interpersonal needs and the impact of your behavior in the workplace. The framework reveals how individuals can shape and adapt their individual behaviors, influence others effectively, and build trust among colleagues. It has been an excellent resource for coaching individuals and teams about the underlying drivers behind their interactions with others to effectively build successful working relationships.

    What does the FIRO framework measure?

    The FIRO framework addresses five key questions that revolve around three interpersonal needs. Fundamentally, the framework focuses on how you want to express yourself toward others and how you want others to behave toward you. This interaction will ultimately result in the universal needs for (a) inclusion, (b) control, and (c) affection. The insights from the results are intended to help individuals adjust their behavior in relationships to get what they need while also building trust with others. This will allow you to better predict and adapt to different situations in the workplace.

    How can FIRO influence individual and team performance in the workplace?

    FIRO helps people recognize where they may be giving out mixed messages and prompts them to adapt their exhibited behaviors to build trust in their relationships. It also reveals ways of improving relationships by showing individuals how they are seen by others, and how this external view may differ from how they see themselves. Using this lens empowers people to adjust their behavior, enabling them to effectively influence others to achieve high performance.

    In team settings, it is a rich source of information to explore motivations, underlying tensions, inconsistent behaviors, and the mixed messages that can lead to mistrust and derailment. It demonstrates how people may approach teamwork differently and explains the potential for inefficiencies and delays in delivery. Through the concept of behavioral flexibility, it helps defuse cultural stereotypes and streamline cross-cultural teams within organizations.

    Go to this link to explore FIRO-B for Business

    Experience Cube

    A diagram of experience cube model.

    What is an experience cube?

    The Experience Cube model was developed by Gervase Bushe, a professor of Leadership and Organization at the Simon Fraser University's school of Business and a thought leader in the field of organizational behavior. The experience cube is intended as a tool to plan and manage conversations to communicate more effectively in the moment. It does this by promoting self-awareness to better reduce anxiety and adapt to evolving and uncertain situations.

    How does the experience cube work?

    Using the four elements of the experience cube (Observations, Thoughts, Feelings, and Wants) helps you to separate your experience with the situation from your potential judgements about the situation. This approach removes blame and minimizes defensiveness, facilitating a positive discussion. The goal is to engage in a continuous internal feedback loop that allows you to walk through all four quadrants in the moment to help promote self-awareness. With heightened self-awareness, you may (1) remain curious and ask questions, (2) check-in for understanding and clarification, and (3) build consensus through agreement on shared purpose and next steps.

    Observations: Sensory data (information you take in through your senses), primarily what you see and hear. What a video camera would record.

    Thoughts: The meaning you add to your observations (i.e. the way you make sense of them, including your beliefs, expectations, assumptions, judgments, values, and principles). We call this the "story you make up."

    Feelings: Your emotional or physiological response to the thoughts and observations. Feelings words such as sad, mad, glad, scared, or a description of what is happening in your body.

    Wants: Clear description of the outcome you seek. Wants go deeper than a simple request for action. Once you clearly state what you want, there may be different ways to achieve it.

    Go to this link to explore more: Experience Cube

    Research Contributors and Experts

    Photo of Joanne Lee
    Joanne Lee
    Principal, Research Director, CIO Advisory
    Info-Tech Research Group

    Joanne is a professional executive with over twenty-five years of experience in digital technology and management consulting spanning healthcare, government, municipal, and commercial sectors across Canada and globally. She has successfully led several large, complex digital and business transformation programs. A consummate strategist, her expertise spans digital and technology strategy, organizational redesign, large complex digital and business transformation, governance, process redesign, and PPM. Prior to joining Info-Tech Research Group, Joanne was a Director with KPMG's CIO Advisory management consulting services and the Digital Health practice lead for Western Canada. She brings a practical and evidence-based approach to complex problems enabled by technology.

    Joanne holds a Master's degree in Business and Health Policy from the University of Toronto and a Bachelor of Science (Nursing) from the University of British Columbia.



    Photo of Gord Harrison
    Gord Harrison
    Senior Vice President, Research and Advisory
    Info-Tech Research Group

    Gord Harrison, SVP, Research and Consulting, has been with Info-Tech Research Group since 2002. In that time, Gord leveraged his experience as the company's CIO, VP Research Operations, and SVP Research to bring the consulting and research teams together under his current role, and to further develop Info-Tech's practical, tactical, and value-oriented research product to the benefit of both organizations.

    Prior to Info-Tech, Gord was an IT consultant for many years with a focus on business analysis, software development, technical architecture, and project management. His background of educational game software development, and later, insurance industry application development gave him a well-rounded foundation in many IT topics. Gord prides himself on bringing order out of chaos and his customer-first, early value agile philosophy keeps him focused on delivering exceptional experiences to our customers.



    Photo of Angela Diop
    Angela Diop
    Senior Director, Executive Services
    Info-Tech Research Group

    Angela has over twenty-five years of experience in healthcare, as both a healthcare provider and IT professional. She has spent over fifteen years leading technology departments and implementing, integrating, managing, and optimizing patient-facing and clinical information systems. She believes that a key to a healthcare organization's ability to optimize health information systems and infrastructure is to break the silos that exist in healthcare organizations.

    Prior to joining Info-Tech, Angela was the Vice President of Information Services with Unity Health Care. She has demonstrated leadership and success in this area by fostering environments where business and IT collaborate to create systems and governance that are critical to providing patient care and sustaining organizational health.

    Angela has a Bachelor of Science in Systems Engineering and Design from the University of Illinois and a Doctorate of Naturopathic Medicine from Bastyr University. She is a Certified CIO with the College of Healthcare Information Management Executives. She is a two-time Health Information Systems Society (HIMSS) Davies winner.



    Photo of Edison Barreto
    Edison Barreto
    Senior Director, Executive Services
    Info-Tech Research Group

    Edison is a dynamic technology leader with experience growing different enterprises and changing IT through creating fast-paced organizations with cultural, modernization, and digital transformation initiatives. He is well versed in creating IT and business cross-functional leadership teams to align business goals with IT modernization and revenue growth. Over twenty-five years of Gaming, Hospitality, Retail, and F&B experience has given him a unique perspective on guiding and coaching the creation of IT department roadmaps to focus on business needs and execute successful changes.

    Edison has broad business sector experience, including:
    Hospitality, Gaming, Sports and Entertainment, IT policy and oversight, IT modernization, Cloud first programs, R&D, PCI, GRDP, Regulatory oversight, Mergers acquisitions and divestitures.



    Photo of Mike Tweedie
    Mike Tweedie
    Practice Lead, CIO Strategy
    Info-Tech Research Group

    Michael Tweedie is the Practice Lead, CIO – IT Strategy at Info-Tech Research Group, specializing in creating and delivering client-driven, project-based, practical research, and advisory. He brings more than twenty-five years of experience in technology and IT services as well as success in large enterprise digital transformations.

    Prior to joining Info-Tech, Mike was responsible for technology at ADP Canada. In that role, Mike led several large transformation projects that covered core infrastructure, applications, and services and worked closely with and aligned vendors and partners. The results were seamless and transparent migrations to current services, like public cloud, and a completely revamped end-user landscape that allowed for and supported a fully remote workforce.

    Prior to ADP, Mike was the North American Head of Engineering and Service Offerings for a large French IT services firm, with a focus on cloud adoption and complex ERP deployment and management; he managed large, diverse global teams and had responsibilities for end-to-end P&L management.

    Mike holds a Bachelor's degree in Architecture from Ryerson University.



    Photo of Carlene McCubbin
    Carlene McCubbin
    Practice Lead, People and Leadership
    Info-Tech Research Group

    Carlene McCubbin is a Research Lead for the CIO Advisory Practice at Info-Tech Research Group covering key topics in operating models & design, governance, and human capital development.

    During her tenure at Info-Tech, Carlene has led the development of Info-Tech's Organization and Leadership practice and worked with multiple clients to leverage the methodologies by creating custom programs to fit each organization's needs.

    Before joining Info-Tech, Carlene received her Master of Communications Management from McGill University, where she studied development of internal and external communications, government relations, and change management. Her education honed her abilities in rigorous research, data analysis, writing, and understanding the organization holistically, which has served her well in the business IT world.



    Photo of Anubhav Sharma
    Anubhav Sharma
    Research Director, CIO Strategy
    Info-Tech Research Group

    Anubhav is a digital strategy and execution professional with extensive experience in leading large-scale transformation mandates for organizations both in North America and globally, including defining digital strategies for leading banks and spearheading a large-scale transformation project for a global logistics pioneer across ten countries. Prior to joining Info-Tech Research Group, he held several industry and consulting positions in Fortune 500 companies driving their business and technology strategies. In 2023, he was recognized as a "Top 50 Digital Innovator in Banking" by industry peers.

    Anubhav holds an MBA in Strategy from HEC Paris, a Master's degree in Finance from IIT-Delhi, and a Bachelor's degree in Engineering.



    Photo of Kim Osborne-Rodriguez
    Kim Osborne-Rodriguez
    Research Director, CIO Strategy
    Info-Tech Research Group

    Kim is a professional engineer and Registered Communications Distribution Designer (RCDD) with over a decade of experience in management and engineering consulting spanning healthcare, higher education, and commercial sectors. She has worked on some of the largest hospital construction projects in Canada, from early visioning and IT strategy through to design, specifications, and construction administration. She brings a practical and evidence-based approach to digital transformation, with a track record of supporting successful implementations.

    Kim holds a Bachelor's degree in Mechatronics Engineering from University of Waterloo.



    Photo of Amanda Mathieson
    Amanda Mathieson
    Research Director, People and Leadership
    Info-Tech Research Group

    Amanda joined Info-Tech Research Group in 2019 and brings twenty years of expertise working in Canada, the US, and globally. Her expertise in leadership development, organizational change management, and performance and talent management comes from her experience in various industries spanning pharmaceutical, retail insurance, and financial services. She takes a practical, experiential approach to people and leadership development that is grounded in adult learning methodologies and leadership theory. She is passionate about identifying and developing potential talent, as well as ensuring the success of leaders as they transition into more senior roles.

    Amanda has a Bachelor of Commerce degree and Master of Arts in Organization and Leadership Development from Fielding Graduate University, as well as a post-graduate diploma in Adult Learning Methodologies from St. Francis Xavier University. She also has certifications in Emotional Intelligence – EQ-i 2.0 & 360, Prosci ADKAR® Change Management, and Myers-Briggs Type Indicator Step I and II.

    Bibliography

    Bacey, Christopher. "KPMG/Harvey Nash CIO Survey finds most organizations lack enterprise-wide digital strategy." Harvey Nash/KPMG CIO Survey. Accessed Jan. 6, 2023. KPMG News Perspective - KPMG.us.com

    Calvert, Wu-Pong Susanna. "The Importance of Rapport. Five tips for creating conversational reciprocity." Psychology Today Magazine. June 30, 2022. Accessed Feb. 10, 2023. psychologytoday.com/blog

    Coaches Council. "14 Ways to Build More Meaningful Professional Relationships." Forbes Magazine. September 16, 2020. Accessed Feb. 20, 2023. forbes.com/forbescoachescouncil

    Council members. "How to Build Authentic Business Relationships." Forbes Magazine. June 15, 2021. Accessed Jan. 15, 2023. Forbes.com/business council

    Deloitte. "Chief Information Officer (CIO) Labs. Transform and advance the role of the CIO." The CIO program. Accessed Feb. 5, 2021.

    Dharsarathy, Anusha et al. "The CIO challenge: Modern business needs a new kind of tech leader." McKinsey and Company. January 27, 2020. Accessed Feb 2023. Mckinsey.com

    DiSC profile. "What is DiSC?" DiSC Profile Website. Accessed Feb. 5, 2023. discprofile.com

    FIRO Assessment. "Better working relationships". Myers Brigg Website. Resource document downloaded Feb. 10, 2023. myersbriggs.com/article

    Fripp, Patricia. "Frippicisms." Website. Accessed Feb. 25, 2023. fripp.com

    Grossman, Rhys. "The Rise of the Chief Digital Officer." Russell Reynolds Insights, January 1, 2012. Accessed Jan. 5, 2023. Rise of the Chief Digital Officer - russellreynolds.com

    Kambil, Ajit. "Influencing stakeholders: Persuade, trade, or compel." Deloitte Article. August 9, 2017. Accessed Feb. 19, 2023. www2.deloitte.com/insights

    Kambil, Ajit. "Navigating the C-suite: Managing Stakeholder Relationships." Deloitte Article. March 8, 2017. Accessed Feb. 19, 2023. www2.deloitte.com/insights

    Korn Ferry. "Age and tenure in the C-suite." Kornferry.com. Accessed Jan. 6, 2023. Korn Ferry Study Reveals Trends by Title and Industry

    Kumthekar, Uday. "Communication Channels in Project". Linkedin.com, 3 March 2020. Accessed April 27, 2023. Linkedin.com/Pulse/Communication Channels

    McWilliams, Allison. "Why You Need Effective Relationships at Work." Psychology Today Magazine. May 5, 2022. Accessed Feb. 11, 2023. psychologytoday.com/blog

    McKinsey & Company. "Why do most transformations fail? A conversation with Harry Robinson." Transformation Practice. July 2019. Accessed Jan. 10, 2023. Mckinsey.com

    Mind Tools Content Team. "Building Good Work Relationships." MindTools Article. Accessed Feb. 11, 2023. mindtools.com/building good work relationships

    Pratt, Mary. "Why the CIO-CFO relationship is key to digital success." TechTarget Magazine. November 11, 2021. Accessed Feb. 2023. Techtarget.com

    LaMountain, Dennis. "Quote of the Week: No Involvement, No Commitment". Linkedin.com, 3 April 2016. Accessed April 27, 2023. Linkedin.com/pulse/quote-week-involvement

    PwC Pulse Survey. "Managing Business Risks". PwC Library. 2022. Accessed Jan. 30, 2023. pwc.com/pulse-survey

    Rowell, Darin. "3 Traits of a Strong Professional Relationship." Harvard Business Review. August 8, 2019. Accessed Feb. 20, 2023. hbr.org/2019/Traits of a strong professional relationship

    Sinek, Simon. "The Optimism Company from Simon Sinek." Website. Image Source. Accessed, Feb. 21, 2023. simonsinek.com

    Sinek, Simon. "There are only two ways to influence human behavior: you can manipulate it or you can inspire it." Twitter. Dec 9, 2022. Accessed Feb. 20, 2023. twitter.com/simonsinek

    Whitbourne, Susan Krauss. "10 Ways to Measure the Health of Relationship." Psychology Today Magazine. Aug. 7, 2021. Accessed Jan. 30, 2023. psychologytoday.com/blog

    Establish a Foresight Capability

    • Buy Link or Shortcode: {j2store}88|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Innovation
    • Parent Category Link: /innovation
    • To be recognized and validated as a forward-thinking CIO, you must establish a structured approach to innovation that considers external trends as well as internal processes.
    • The CEO is expecting an investment in IT innovation to yield either cost reduction or revenue growth, but growth cannot happen without opportunity identification.

    Our Advice

    Critical Insight

    • Technological innovation is disrupting business models – and it’s happening faster than organizations can react.
    • Smaller, more agile organizations have an advantage because they have less resources tied to existing operations and can move faster.

    Impact and Result

    • Be the disruptor, not the disrupted. This blueprint will help you plan proactively and identify opportunities before your competitors.
    • Strategic foresight gives you the tools you need to effectively process the signals in your environment, build an understanding of relevant trends, and turn this understanding into action.

    Establish a Foresight Capability Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out how to effectively apply strategic foresight, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Signal gathering

    Develop a better understanding of your external environment and build a database of signals.

    • Establish a Foresight Capability – Phase 1: Signal Gathering
    • Foresight Process Tool

    2. Trends and drivers

    Select and analyze trends to uncover drivers.

    • Establish a Foresight Capability – Phase 2: Trends and Drivers

    3. Scenario building

    Use trends and drivers to build plausible scenarios and brainstorm strategic initiatives.

    • Establish a Foresight Capability – Phase 3: Scenario Building

    4. Idea selection

    Apply the wind tunneling technique to assess strategic initiatives and determine which are most likely to succeed in the face of uncertainty.

    • Establish a Foresight Capability – Phase 4: Idea Selection
    [infographic]

    Workshop: Establish a Foresight Capability

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Pre-workshop – Gather Signals and Build a Repository

    The Purpose

    Note: this is preparation for the workshop and is not offered onsite.

    Gather relevant signals that will inform your organization about what is happening in the external competitive environment.

    Key Benefits Achieved

    A better understanding of the competitive landscape.

    Activities

    1.1 Gather relevant signals.

    1.2 Store signals in a repository for quick and easy recall during the workshop.

    Outputs

    A set of signal items ready for analysis

    2 Identify Trends and Uncover Drivers

    The Purpose

    Uncover trends in your environment and assess their potential impact.

    Determine the causal forces behind relevant trends to inform strategic decisions.

    Key Benefits Achieved

    An understanding of the underlying causal forces that are influencing a trend that is affecting your organization.

    Activities

    2.1 Cluster signals into trends.

    2.2 Analyze trend impact and select a key trend.

    2.3 Perform causal analysis.

    2.4 Select drivers.

    Outputs

    A collection of relevant trends with a key trend selected

    A set of drivers influencing the key trend with primary drivers selected

    3 Build Scenarios and Ideate

    The Purpose

    Leverage your understanding of trends and drivers to build plausible scenarios and apply them as a canvas for ideation.

    Key Benefits Achieved

    A set of potential responses or reactions to trends that are affecting your organization.

    Activities

    3.1 Build scenarios.

    3.2 Brainstorm potential strategic initiatives (ideation).

    Outputs

    Four plausible scenarios for ideation purposes

    A potential strategic initiative that addresses each scenario

    4 Apply Wind Tunneling and Select Ideas

    The Purpose

    Assess the various ideas based on which are most likely to succeed in the face of uncertainty.

    Key Benefits Achieved

    An idea that you have tested in terms of risk and uncertainty.

    An idea that can be developed and pitched to the business or stored for later use. 

    Activities

    4.1 Assign probabilities to scenarios.

    4.2 Apply wind tunneling.

    4.3 Select ideas.

    4.4 Discuss next steps and prototyping.

    Outputs

    A strategic initiative (idea) that is ready to move into prototyping

    Enhance PPM Dashboards and Reports

    • Buy Link or Shortcode: {j2store}438|cart{/j2store}
    • member rating overall impact (scale of 10): 9.5/10 Overall Impact
    • member rating average dollars saved: $18,849 Average $ Saved
    • member rating average days saved: 66 Average Days Saved
    • Parent Category Name: Portfolio Management
    • Parent Category Link: /portfolio-management
    • Your organization has introduced project portfolio management (PPM) processes that require new levels of visibility into the project portfolio that were not required before.
    • Key PPM decision makers are requesting new or improved dashboards and reports to help support making difficult decisions.
    • Often PPM dashboards and reports provide too much information and are difficult to navigate, resulting in information overload and end-user disengagement.
    • PPM dashboards and reports are laborious to maintain; ineffective dashboards end up wasting scarce resources, delay decisions, and negatively impact the perceived value of the PMO.

    Our Advice

    Critical Insight

    • Well-designed dashboards and reports help actively engage stakeholders in effective management of the project portfolio by communicating information and providing support to key PPM decision makers. This tends to improve PPM performance, making resource investments into reporting worthwhile.
    • Observations and insights gleaned from behavioral studies and cognitive sciences (largely ignored in PPM literature) can help PMOs design dashboards and reports that avoid information overload and that provide targeted decision support to key PPM decision makers.

    Impact and Result

    • Enhance your PPM dashboards and reports by carrying out a carefully designed enhancement project. Start by clarifying the purpose of PPM dashboards and reports. Establish a focused understanding of PPM decision-support needs, and design dashboards and reports to address these in a targeted way.
    • Conduct a thorough review of all existing dashboards and reports, evaluating the need, effort, usage, and satisfaction of each report to eliminate any unnecessary or ineffective dashboards and design improved dashboards and reports that will address these gaps.
    • Design effective and targeted dashboards and reports to improve the engagement of senior leaders in PPM and help improve PPM performance.

    Enhance PPM Dashboards and Reports Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should enhance your PPM reports and dashboards, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Establish a PPM dashboard and reporting enhancement project plan

    Identify gaps, establish a list of dashboards and reports to enhance, and set out a roadmap for your dashboard and reporting enhancement project.

    • Enhance PPM Dashboards and Reports – Phase 1: Establish a PPM Dashboard and Reporting Enhancement Project Plan
    • PPM Decision Support Review Workbook
    • PPM Dashboard and Reporting Audit Workbook
    • PPM Dashboard and Reporting Audit Worksheets – Exisiting
    • PPM Dashboard and Reporting Audit Worksheets – Proposed
    • PPM Metrics Menu
    • PPM Dashboard and Report Enhancement Project Charter Template

    2. Design and build enhanced PPM dashboards and reporting

    Gain an understanding of how to design effective dashboards and reports.

    • Enhance PPM Dashboards and Reports – Phase 2: Design and Build New or Improved PPM Dashboards and Reporting
    • PPM Dashboard and Report Requirements Workbook
    • PPM Executive Dashboard Template
    • PPM Dashboard and Report Visuals Template
    • PPM Capacity Dashboard Operating Manual

    3. Implement and maintain effective PPM dashboards and reporting

    Officially close and evaluate the PPM dashboard and reporting enhancement project and transition to an ongoing and sustainable PPM dashboard and reporting program.

    • Enhance PPM Dashboards and Reports – Phase 3: Implement and Maintain Effective PPM Dashboards and Reporting
    • PPM Dashboard and Reporting Program Manual
    [infographic]

    Workshop: Enhance PPM Dashboards and Reports

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Establish a PPM Dashboard and Reporting Enhancement

    The Purpose

    PPM dashboards and reports will only be effective and valuable if they are designed to meet your organization’s specific needs and priorities.

    Conduct a decision-support review and a thorough dashboard and report audit to identify the gaps your project will address.

    Take advantage of the planning stage to secure sponsor and stakeholder buy-in.

    Key Benefits Achieved

    Current-state assessment of satisfaction with PPM decision-making support.

    Current-state assessment of all existing dashboards and reports: effort, usage, and satisfaction.

    A shortlist of dashboards and reports to improve that is informed by actual needs and priorities.

    A shortlist of dashboards and reports to create that is informed by actual needs and priorities.

    The foundation for a purposeful and focused PPM dashboard and reporting program that is sustainable in the long term.

    Activities

    1.1 Engage in PPM decision-making review.

    1.2 Perform a PPM dashboard and reporting audit and gap analysis.

    1.3 Identify dashboards and/or reports needed.

    1.4 Plan the PPM dashboard and reporting project.

    Outputs

    PPM Decision-Making Review

    PPM Dashboard and Reporting Audit

    Prioritized list of dashboards and reports to be improved and created

    Roadmap for the PPM dashboard and reporting project

    2 Design New or Improved PPM Dashboards and Reporting

    The Purpose

    Once the purpose of each PPM dashboard and report has been identified (based on needs and priorities) it is important to establish what exactly will be required to produce the desired outputs.

    Gathering stakeholder and technical requirements will ensure that the proposed and finalized designs are realistic and sustainable in the long term.

    Key Benefits Achieved

    Dashboard and report designs that are informed by a thorough analysis of stakeholder and technical requirements.

    Dashboard and report designs that are realistically sustainable in the long term.

    Activities

    2.1 Review the best practices and science behind effective dashboards and reporting.

    2.2 Gather stakeholder requirements.

    2.3 Gather technical requirements.

    2.4 Build wireframe options for each dashboard or report.

    2.5 Review options: requirements, feasibility, and usability.

    2.6 Finalize initial designs.

    2.7 Design and record the input, production, and consumption workflows and processes.

    Outputs

    List of stakeholder requirements for dashboards and reports

    Wireframe design options

    Record of the assessment of each wireframe design: requirements, feasibility, and usability

    A set of finalized initial designs for dashboards and reports.

    Process workflows for each initial design

    3 Plan to Roll Out Enhanced PPM Dashboards and Reports

    The Purpose

    Ensure that enhanced dashboards and reports are actually adopted in the long term by carefully planning their roll-out to inputters, producers, and consumers.

    Plan to train all stakeholders, including report consumers, to ensure that the reports generate the decision support and PPM value they were designed to.

    Key Benefits Achieved

    An informed, focused, and scheduled plan for rolling out dashboards and reports and for training the various stakeholders involved.

    Activities

    3.1 Plan for external resourcing (if necessary): vendors, consultants, contractors, etc.

    3.2 Conduct impact analysis: risks and opportunities.

    3.3 Create an implementation and training plan.

    3.4 Determine PPM dashboard and reporting project success metrics.

    Outputs

    External resourcing plan

    Impact analysis and risk mitigation plan

    Record of the PPM dashboard and reporting project success metrics

    Implement Risk-Based Vulnerability Management

    • Buy Link or Shortcode: {j2store}296|cart{/j2store}
    • member rating overall impact (scale of 10): 9.2/10 Overall Impact
    • member rating average dollars saved: $122,947 Average $ Saved
    • member rating average days saved: 34 Average Days Saved
    • Parent Category Name: Threat Intelligence & Incident Response
    • Parent Category Link: /threat-intelligence-incident-response
    • Vulnerability scanners, industry alerts, and penetration tests are revealing more and more vulnerabilities, and it is unclear how to manage them.
    • Organizations are struggling to prioritize the vulnerabilities for remediation, as there are many factors to consider, including the threat of the vulnerability and the potential remediation option itself.

    Our Advice

    Critical Insight

    • Patches are often seen as the only answer to vulnerabilities, but these are not always the most suitable solution.
    • Vulnerability management does not equal patch management. It includes identifying and assessing the risk of the vulnerability, and then selecting a remediation option which goes beyond just patching alone.
    • There is more than one way to tackle the problem. Leverage your existing security controls in order to protect the organization.

    Impact and Result

    • At the conclusion of this blueprint, you will have created a full vulnerability management program that will allow you to take a risk-based approach to vulnerability remediation.
    • Assessing a vulnerability’s risk will enable you to properly determine the true urgency of a vulnerability within the context of your organization; this ensures you are not just blindly following what the tool is reporting.
    • The risk-based approach will allow you prioritize your discovered vulnerabilities and take immediate action on critical and high vulnerabilities, while allowing your standard remediation cycle to address the medium to low vulnerabilities.
    • With your program defined and developed, you now need to configure your vulnerability scanning tool, or acquire one if you don’t already have a tool in place.
    • Lastly, while vulnerability management will help address your systems and applications, how do you know if you are secure from external malicious actors? Penetration testing will offer visibility, allowing you to plug those holes and attain an environment with a smaller risk surface.

    Implement Risk-Based Vulnerability Management Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should design and implement a vulnerability management program, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Identify vulnerability sources

    Begin the project by creating a vulnerability management team and determine how vulnerabilities will be identified through scanners, penetration tests, third-party sources, and incidents.

    • Vulnerability Management SOP Template

    2. Triage vulnerabilities and assign priorities

    Determine how vulnerabilities will be triaged and evaluated based on intrinsic qualities and how they may compromise business functions and data sensitivity.

    • Vulnerability Tracking Tool
    • Vulnerability Management Risk Assessment Tool
    • Vulnerability Management Workflow (Visio)
    • Vulnerability Management Workflow (PDF)

    3. Remediate vulnerabilities

    Address the vulnerabilities based on their level of risk. Patching isn't the only risk mitigation action; some systems simply cannot be patched, but other options are available. Reduce the risk down to medium/low levels and engage your regular operational processes to deal with the latter.

    4. Measure and formalize

    Evolve the program continually by developing metrics and formalizing a policy.

    • Vulnerability Management Policy Template
    • Vulnerability Scanning Tool RFP Template
    • Penetration Test RFP Template

    Infographic

    Workshop: Implement Risk-Based Vulnerability Management

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Identify Vulnerability Sources

    The Purpose

    Establish a common understanding of vulnerability management, and define the roles, scope, and information sources of vulnerability detection.

    Key Benefits Achieved

    Attain visibility on all of the vulnerability information sources, and a common understanding of vulnerability management and its scope.

    Activities

    1.1 Define the scope & boundary of your organization’s security program.

    1.2 Assign responsibility for vulnerability identification and remediation.

    1.3 Develop a monitoring and review process of third-party vulnerability sources.

    1.4 Review incident management and vulnerability management

    Outputs

    Defined scope and boundaries of the IT security program

    Roles and responsibilities defined for member groups

    Process for review of third-party vulnerability sources

    Alignment of vulnerability management program with existing incident management processes

    2 Triage and Prioritize

    The Purpose

    We will examine the elements that you will use to triage and analyze vulnerabilities, prioritizing using a risk-based approach and prepare for remediation options.

    Key Benefits Achieved

    A consistent, documented process for the evaluation of vulnerabilities in your environment.

    Activities

    2.1 Evaluate your identified vulnerabilities.

    2.2 Determine high-level business criticality.

    2.3 Determine your high-level data classifications.

    2.4 Document your defense-in-depth controls.

    2.5 Build a classification scheme to consistently assess impact.

    2.6 Build a classification scheme to consistently assess likelihood.

    Outputs

    Adjusted workflow to reflect your current processes

    List of business operations and their criticality and impact to the business

    Adjusted workflow to reflect your current processes

    List of defense-in-depth controls

    Vulnerability Management Risk Assessment tool formatted to your organization

    Vulnerability Management Risk Assessment tool formatted to your organization

    3 Remediate Vulnerabilities

    The Purpose

    Identifying potential remediation options.

    Developing criteria for each option in regard to when to use and when to avoid.

    Establishing exception procedure for testing and remediation.

    Documenting the implementation of remediation and verification.

    Key Benefits Achieved

    Identifying and selecting the remediation option to be used

    Determining what to do when a patch or update is not available

    Scheduling and executing the remediation activity

    Planning continuous improvement

    Activities

    3.1 Develop risk and remediation action.

    Outputs

    List of remediation options sorted into “when to use” and “when to avoid” lists

    4 Measure and Formalize

    The Purpose

    You will determine what ought to be measured to track the success of your vulnerability management program.

    If you lack a scanning tool this phase will help you determine tool selection.

    Lastly, penetration testing is a good next step to consider once you have your vulnerability management program well underway.

    Key Benefits Achieved

    Outline of metrics that you can then configure your vulnerability scanning tool to report on.

    Development of an inaugural policy covering vulnerability management.

    The provisions needed for you to create and deploy an RFP for a vulnerability management tool.

    An understanding of penetration testing, and guidance on how to get started if there is interest to do so.

    Activities

    4.1 Measure your program with metrics, KPIs, and CSFs.

    4.2 Update the vulnerability management policy.

    4.3 Create an RFP for vulnerability scanning tools.

    4.4 Create an RFP for penetration tests.

    Outputs

    List of relevant metrics to track, and the KPIs, CSFs, and business goals for.

    Completed Vulnerability Management Policy

    Completed Request for Proposal (RFP) document that can be distributed to vendor proponents

    Completed Request for Proposal (RFP) document that can be distributed to vendor proponents

    Further reading

    Implement Risk-Based Vulnerability Management

    Get off the patching merry-go-round and start mitigating risk!

    Table of Contents

    4 Analyst Perspective

    5 Executive Summary

    6 Common Obstacles

    8 Risk-based approach to vulnerability management

    16 Step 1.1: Vulnerability management defined

    24 Step 1.2: Defining scope and roles

    34 Step 1.3: Cloud considerations for vulnerability management

    33 Step 1.4: Vulnerability detection

    46 Step 2.1: Triage vulnerabilities

    51 Step 2.2: Determine high-level business criticality

    56 Step 2.3: Consider current security posture

    61 Step 2.4: Risk assessment of vulnerabilities

    71 Step 3.1: Assessing remediation options

    Table of Contents

    80 Step 3.2: Scheduling and executing remediation

    85 Step 3.3: Continuous improvement

    89 Step 4.1: Metrics, KPIs, and CSFs

    94 Step 4.2: Vulnerability management policy

    97 Step 4.3: Select & implement a scanning tool

    107 Step 4.4: Penetration testing

    118 Summary of accomplishment

    119 Additional Support

    120 Bibliography

    Analyst Perspective

    Vulnerabilities will always be present. Know the unknowns!

    In this age of discovery, technology changes at such a rapid pace. New things are discovered, both in new technology and in old. The pace of change can often be very confusing as to where to start and what to do.

    The ever-changing nature of technology means that vulnerabilities will always be present. Taking measures to address these completely will consume all your department’s time and resources. That, and your efforts will quickly become stale as new vulnerabilities are uncovered. Besides, what about the systems that simply can’t be patched? The key is to understand the vulnerabilities and the levels of risk they pose to your organization, to prioritize effectively and to look beyond patching.

    A risk-based approach to vulnerability management will ensure you are prioritizing appropriately and protecting the business. Reduce the risk surface!

    Vulnerability management is more than just systems and application patching. It is a full process that includes patching, compensating controls, segmentation, segregation, and heightened diligence in security monitoring.

    Jimmy Tom, Research Advisor – Security, Privacy, Risk, and Compliance, Info-Tech Research Group.Jimmy Tom
    Research Advisor – Security, Privacy, Risk, and Compliance
    Info-Tech Research Group

    Executive Summary

    Your Challenge

    Vulnerability scanners, industry alerts, and penetration tests are revealing more and more vulnerabilities, and it is unclear how to manage them.

    Organizations are struggling to prioritize the vulnerabilities for remediation, as there are many factors to consider, including the threat of the vulnerability and the potential remediation option.

    Common Obstacles

    Patches are often seen as the answer to vulnerabilities, but these are not always the most suitable solution.

    Some systems deemed vulnerable simply cannot be patched or easily replaced.

    Companies are unaware of the risk implications that come from leaving the vulnerability open and from the remediation option itself.

    Info-Tech’s Approach

    Design and implement a vulnerability management program that identifies, prioritizes, and remediates vulnerabilities.

    Understand what needs to be considered when implementing remediation options, including patches, configuration changes, and defense-in-depth controls.

    Build a process that is easy to understand and allows vulnerabilities to be remediated proactively, instead of in an ad hoc fashion.

    Info-Tech Insight

    Vulnerability management does not always equal patch management. There is more than one way to tackle the problem, particularly if a system cannot be easily patched or replaced. If a vulnerability cannot be completely remediated, steps to reduce the risk to a tolerable level must be taken.

    Common obstacles

    These barriers make vulnerability management difficult to address for many organizations:
    • The value of vulnerability management is not well articulated in many organizations. As a result, investment in vulnerability scanning technology is often insufficient.
    • Many organizations feel that a “patch everything” approach is the most effective path.
    • Vulnerability management is commonly misunderstood as being a process that only supports patch management.
    • There is often misalignment between SecOps and ITOps in remediation action and priority, affecting the timeliness of remediation.
    CVSS Score Distribution From the National Vulnerability Database: Pie Charts presenting the CVSS Core Distribution for the National Vulnerability Database. The left circle represents 'V3' and the right 'V2', where V3 has an extra option for 'Critical', above 'High', 'Medium', and 'Low', and V2 does not.
    (Source: NIST National Vulnerability Database Dashboard)

    Leverage risk to sort, triage, and prioritize vulnerabilities

    Reduce your risk surface to avoid cost to your business; everything else is table stakes.

    Reduce the critical and high vulnerabilities below the risk threshold and operationalize the remediation of medium/low vulnerabilities by following your effective vulnerability management program cycles.

    Identify vulnerability sources

    An inventory of your scanning tool and vulnerability threat intelligence data sources will help you determine a viable strategy for addressing vulnerabilities. Defining roles and responsibilities ahead of time will ensure you are not left scrambling when dealing with vulnerabilities.

    Triage and prioritize

    Bring the vulnerabilities into context by assessing vulnerabilities based on your security posture and mechanisms and not just what your data sources report. This will allow you to gauge the true urgency of the vulnerabilities based on risk and determine an effective mitigation plan.

    Remediate vulnerabilities

    Address the vulnerabilities based on their level of risk. Patching isn't the only risk mitigation action; some systems simply cannot be patched, but other options are available.

    Reduce the risk down to medium/low levels and engage your regular operational processes to deal with the latter.

    Measure and formalize

    Upon implementation of the program, measure with metrics to ensure that the program is successful. Improve the program with each iteration of vulnerability mitigation to ensure continuous improvement.

    Tactical Insight 1

    All actions to address vulnerabilities should be based on risk and the organization’s established risk tolerance.

    Tactical Insight 2

    Reduce the risk surface down below the risk threshold.

    The industry has shifted to a risk-based approach

    Traditional vulnerability management is no longer viable.

    “For those of us in the vulnerability management space, ensuring that money, resources, and time are strategically spent is both imperative and difficult. Resources are dwindling fast, but the vulnerability problem sure isn’t.” (Kenna Security)

    “Using vulnerability scanners to identify unpatched software is no longer enough. Keeping devices, networks, and digital assets safe takes a much broader, risk-based vulnerability management strategy – one that includes vulnerability assessment and mitigation actions that touch the entire ecosystem.” (Balbix)

    “Unlike legacy vulnerability management, risk-based vulnerability management goes beyond just discovering vulnerabilities. It helps you understand vulnerability risks with threat context and insight into potential business impact.” (Tenable)

    “A common mistake when prioritizing patching is equating a vulnerability’s Common Vulnerability Scoring System (CVSS) score with risk. Although CVSS scores can provide useful insight into the anatomy of a vulnerability and how it might behave if weaponized, they are standardized and thus don’t reflect either of the highly situational variables — namely, weaponization likelihood and potential impact — that factor into the risk the vulnerability poses to an organization.” (SecurityWeek)

    Why a take risk-based approach?

    Vulnerabilities, by the numbers

    60% — In 2019, 60% of breaches were due to unpatched vulnerabilities.

    74% — In the same survey, 74% of survey responses said they cannot take down critical applications and systems to patch them quickly. (Source: SecurityBoulevard, 2019)

    Info-Tech Insight

    Taking a risk-based approach will allow you to focus on mitigating risk, rather than “just patching” your environment.

    The average cost of a breach in 2020 is $3.86 million, and “…the price tag was much less for mature companies and industries and far higher for firms that had lackluster security automation and incident response processes.” (Dark Reading)

    Vulnerability Management

    A risk-based approach

    Reduce the risk surface to avoid cost to your business, everything else is table stakes

    Logo for Info-Tech.
    Logo for #iTRG.

    1

    Identify

    4

    Address

    Mitigate the risk surface by reducing the time across the phases ›Mitigate the risk by implementing:
    • patch systems & apps
    • compensating controls
    • systems and apps hardening
    • systems segregation
    Chart presenting an example of 'Risk Surface' with the axes 'Risk Level' and 'Time' with lines created by individual risks. The highlighted line begins in 'Critical' and eventually drops to low. The area between the line and your organization's risk tolerance is labelled 'Risk Surface'.

    Objective: reduce risk surface by reducing time to address

    Your organization's risk tolerance threshold

    Identify vulnerability management scanning tools & external threat intel sources (Mitre CVE, US-CERT, vendor alerts, etc.)Vulnerability information feeds:
    • scanning tool
    • external threat intel
    • internal threat intel

    2

    Analyze

    Assign actual risk (impact x urgency) to the organization based on current security posture

    Triage based on risk ›

    Your organization's risk tolerance threshold

    Risk tolerance threshold map with axes 'Impact' and 'Likelihood'. High levels of one and low levels of the other, or medium levels of both, is 'Medium', High level of one and Medium levels of the other is 'High', and High levels of both is 'Critical'.

    3

    Assess

    Plan risk mitigation strategy ›Consider:
    • risk tolerance
    • compensating controls
    • business impact

    Info-Tech’s vulnerability management methodology

    Focus on developing the most efficient processes.

    Vulnerability management isn’t “old school.”

    The vulnerability management market is relatively mature; however, vulnerability management remains a very relevant and challenging topic.

    Security practitioners are inundated with the advice they need to prioritize their vulnerabilities. Every vulnerability scanning vendor will proclaim their ability to prioritize the identified vulnerabilities.

    Third-party prioritization methodology can’t be effectively applied across all organizations. Each organization is too unique with different constraints. No tool or service can account for these variables.

    Equation to find 'Vulnerability Priority'.

    When patching is not possible, other options exist: configuration changes (hardening), defense-in-depth, compensating controls, and even elevated security monitoring are possible options.

    Info-Tech Insight

    Vulnerability management is not only patch management. Patching is only one aspect.

    Blueprint deliverables

    Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:

    Key deliverable:

    Vulnerability Management SOP

    The Standard operating procedure (SOP) will comprise the end-to-end description of the program: roles & responsibilities, data flow, and expected outcomes of the program.

    Sample of the key deliverable, Vulnerability Management SOP.
    Vulnerability Management Policy

    Template for your vulnerability management policy.

    Sample of the Vulnerability Management Policy blueprint.Vulnerability Tracking Tool

    This tool offers a template to track vulnerabilities and how they are remedied.

    Sample of the Vulnerability Tracking Tool blueprint.
    Vulnerability Scanning RFP Template

    Request for proposal template for the selection of a vulnerability scanning tool.

    Sample of the Vulnerability Scanning RFP Template blueprint.Vulnerability Risk Assessment Tool

    Methodology to assess vulnerability risk by determining impact and likelihood.

    Sample of the Vulnerability Risk Assessment Tool blueprint.

    Blueprint benefits

    IT Benefits

    • A standardized, consistent methodology to assess, prioritize, and remediate vulnerabilities.
    • A risk-based approach that aligns with what’s important to the business.
    • A way of dealing with the high volumes of vulnerabilities that your scanning tool is reporting.
    • Identification of “where to start” in terms of vulnerability management.
    • Ability to not lose yourself in the patch madness but rather take a sound approach to scheduling and prioritizing patches and updates.
    • Knowledge of what to do when patching is simply not possible or feasible.

    Business Benefits

    • Alignment with IT in ensuring that business processes are only interrupted when absolutely necessary while maintaining a regular cadence of vulnerability remediation.
    • A consistent program that the business can plan around and predict when interruptions will occur.
    • IT’s new approach being integrated with existing IT operations processes, offering the most efficient yet expedient method of dealing with vulnerabilities.

    Info-Tech’s process can save significant financial resources

    PhaseMeasured Value
    Phase 1: Identify vulnerability sources
      Define the process, scope, roles, vulnerability sources, and current state
      • Consultant at $100 an hour for 16 hours = $1,600
    Phase 2: Triage vulnerabilities and assign urgencies
      Establish triaging and vulnerability evaluation process
      • Consultant at $100 an hour for 16 hours = $1,600
      Determine high-level business criticality and data classifications
      • Consultant at $100 an hour for 40 hours = $4,000
      Assign urgencies to vulnerabilities
      • Consultant at $100 an hour for 8 hours = $800
    Phase 3: Remediate vulnerabilities
      Prepare documentation for the vulnerability process
      • Consultant at $100 an hour for 8 hours = $800
      Establish defense-in-depth modelling
      • Consultant at $100 an hour for 24 hours = $2,400
      Identify remediation options and establish criteria for use
      • Consultant at $100 an hour for 40 hours = $4,000
      Formalize backup and testing procedures, including exceptions
      • Consultant at $100 an hour for 8 hours = $800
      Remediate vulnerabilities and verify
      • Consultant at $100 an hour for 24 hours = $2,400
    Phase 4: Continually improve the vulnerability management process
      Establish a metrics program for vulnerability management
      • Consultant at $100 an hour for 16 hours = $1,600
      Update vulnerability management policy
      • Consultant at $100 an hour for 8 hours = $800
      Develop a vulnerability scanning tool RFP
      • Consultant at $100 an hour for 40 hours = $4,000
      Develop a penetration test RFP
      • Consultant at $100 an hour for 40 hours = $4,000
    Potential financial savings from using Info-Tech resourcesPhase 1 ($1,600) + Phase 2 ($6,400) + Phase 3 ($10,400) + Phase 4 ($10,400) = $28,800

    Guided Implementation

    A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

    A typical GI is between 8 to 12 calls over the course of 4 to 6 months.

    What does a typical GI on this topic look like?

    Phase 1

    Phase 2

    Phase 3

    Phase 4

    Call #1: Scope requirements, objectives, and your specific challenges.

    Call #2: Discuss current state and vulnerability sources.

    Call #3: Identify triage methods and business criticality.

    Call #4:Review current defense-in-depth and discuss risk assessment.

    Call #5: Discuss remediation options and scheduling.

    Call #6: Review release and change management and continuous improvement.

    Call #7: Identify metrics, KPIs, and CSFs.

    Call #8: Review vulnerability management policy.

    Workshop Overview

    Contact your account representative for more information.
    workshops@infotech.com 1-888-670-8889

    Day 1Day 2Day 3Day 4Day 5
    Activities
    Identify vulnerability sources

    1.1 What is vulnerability management?

    1.2 Define scope and roles

    1.3 Cloud considerations for vulnerability management

    1.4 Vulnerability detection

    Triage and prioritize

    2.1 Triage vulnerabilities

    2.2 Determine high-level business criticality

    2.3 Consider current security posture

    2.4 Risk assessment of vulnerabilities

    Remediate vulnerabilities

    3.1 Assess remediation options

    3.2 Schedule and execute remediation

    3.3 Drive continuous improvement

    Measure and formalize

    4.1 Metrics, KPIs & CSFs

    4.2 Vulnerability Management Policy

    4.3 Select & implement a scanning tool

    4.4 Penetration testing

    Next Steps and Wrap-Up (offsite)

    5.1 Complete in-progress deliverables from previous four days

    5.2 Set up review time for workshop deliverables and to discuss next steps

    Deliverables
    1. Scope and boundary definition of vulnerability management program
    2. Responsibility assignment for vulnerability identification and remediation
    3. Monitoring and review process of third-party vulnerability sources
    4. Incident management and vulnerability convergence
    1. Methodology for evaluating identified vulnerabilities
    2. Identification of high-level business criticality
    3. Defined high-level data classifications
    4. Documented defense-in-depth controls
    5. Risk assessment criteria for impact and likelihood
    1. Documented risk assessment methodology and remediation options
    1. Defined metrics, key performance indicators (KPIs), and critical success factors (CSFs)
    2. Initial draft of vulnerability management policy
    3. Scanning tool selection criteria
    4. Introduction to penetration testing
    1. Completed vulnerability management standard operating procedure
    2. Defined vulnerability management risk assessment criteria
    3. Vulnerability management policy draft

    Implement Risk-Based Vulnerability Management

    Phase 1

    Identify Vulnerability Sources

    Phase 1

    1.1 What is vulnerability management?
    1.2 Define scope and roles
    1.3 Cloud considerations for vulnerability management
    1.4 Vulnerability detection

    Phase 2

    2.1 Triage vulnerabilities
    2.2 Determine high-level business criticality
    2.3 Consider current security posture
    2.4 Risk assessment of vulnerabilities

    Phase 3

    3.1 Assessing remediation options
    3.2 Scheduling and executing remediation
    3.3 Continuous improvement

    Phase 4

    4.1 Metrics, KPIs & CSFs
    4.2 Vulnerability management policy
    4.3 Select and implement a scanning tool
    4.4 Penetration testing

    This phase will walk you through the following activities:

    Establish a common understanding of vulnerability management, define the roles, scope, and information sources of vulnerability detection.

    This phase involves the following participants:

    • Security operations team
    • IT Security Manager
    • IT Director
    • CISO

    Step 1.1

    Vulnerability Management Defined

    Activities

    None for this section

    This step will walk you through the following activities:

    Establish a common understanding of vulnerability management and its place in the IT organization.

    This step involves the following participants:

    • Security operations team
    • IT Security Manager
    • IT Director
    • CISO

    Outcomes of this step

    Foundational knowledge of vulnerability management in your organization.

    Identify vulnerability sources
    Step 1.1Step 1.2Step 1.3Step 1.4

    What is vulnerability management?

    It’s more than just patching.

    • Vulnerability management is the regular and ongoing practice of scanning an operating environment to uncover vulnerabilities. These vulnerabilities can be outdated applications, unpatched operating systems and software, open ports, obsolete hardware, or any combination of these.
    • The scanning and detection of vulnerabilities is the first step. Planning and executing of remediation is next, along with the approach, prioritized sequence of events, and timing.
    • A vendor-supplied software patch or firmware update is often the easy answer, however, this is not always a viable solution. What if you can’t patch in a timely fashion? What if patching is not possible as it will break the application and bring down operations? What if no patch exists due to the age of the application or operating platform?

    “Most organizations do not have a formal process for vulnerability management.” (Morey Haber, VP of Technology, BeyondTrust, 2016)

    Effective vulnerability management

    It’s not easy, but it’s much harder without a process in place.
    • Effective vulnerability management requires a formal process for organizations to follow; without one, vulnerabilities are dealt with in an ad hoc fashion.
    • Patching isn’t the only solution, but it’s the one that often draws focus.
    • Responsibilities for the different aspects of vulnerability management are often unclear, such as for testing, remediation, and implementation.
    • Identifying new threats without proper vulnerability scanning tools can be a near-impossible task.
    • Determining which vulnerabilities are most urgent can be an inconsistent process, increasing the organizational risk.
    • Measuring the effectiveness of your vulnerability remediation activities can help you better manage resources in SecOps and ITOps. Your staff will be spending the appropriate effort on vulnerabilities that warrant that level of attention.

    You’re not just doing this for yourself. It’s also for your auditors.

    Many compliance and regulatory obligations require organizations to have thorough documentation of their vulnerability management practices.

    Vulnerability management revolves around your asset security services

    Diagram with 'Asset Security Services' at the center. On either side are 'Network Security Services' and 'Identity Security Services', all three of which flow up into 'Security Analytics | Security Incident Response', and all four share a symbiotic flow with 'Management' below and contribute to 'Mega Trend Mapping' above. Management is supported by 'Governance'.Vulnerabilities can be found primarily within your assets but also connect to your information risk management. These must be effectively managed as part of a holistic security program.

    Without management, vulnerabilities left unattended can be easy for attackers to exploit. It becomes difficult to identify the correct remediation option to mitigate against the vulnerabilities.

    Vulnerability management works in tandem with SecOps and ITOps

    Vulnerability Management Process Inputs/Outputs:
    'Vulnerability Management (Process and Tool)' outputs are 'Incident Management', 'Release Management', 'Change Management', 'IT Asset Management', 'Application Security Testing', 'Threat Intelligence', and 'Security Risk Management'; inputs are 'Vulnerability Disclosure', 'Threat Intelligence', and 'Security Risk Management'.

    Arrows denote direction of information feed

    Vulnerability management serves as the input into a number of processes for remediation, including:
    • Incident management, to deal with issues
    • Release management, for patch management
    • Change management, for change control
    • IT asset management, to track version information, e.g. for patching
    • Application security testing, for the verification of vulnerabilities

    A two-way data flow exists between vulnerability management and:

    • Security risk management, for the overall risk posture of the organization
    • Threat intelligence, as vulnerability management reveals only one of several threat vectors

    For additional information please refer to Info-Tech’s research for each area:

    • Vulnerability management can leverage your existing processes to gain an operational element for the program.
    • As you strive to mature each of the processes on their own, vulnerability management will benefit accordingly.
    • Review our research for each of these areas and speak to one of our analysts if you wish to improve any of the listed processes.

    Info-Tech’s Information Security Program Framework

    Vulnerability management is a component of the Infrastructure Security section of Security Management

    Information Security Framework with Level 1 and Level 2 capabilities in two main sections, 'Management' and 'Governance'. Level 2 capabilities are grouped within Level 1 capabilities.For more information, review our Build an Information Security Strategy blueprint, or speak to one of our analysts.

    Info-Tech Insight

    Vulnerability management is but one piece of the information security puzzle. Ensure that you have all the pieces!

    Case Study

    Logo for Cimpress.
    INDUSTRY: Manufacturing
    SOURCE: Cimpress, 2016

    One organization is seeing immediate benefits by formalizing its vulnerability management program.

    Challenge

    Cimpress was dealing with many challenges in regards to vulnerability management. Vulnerability scanning tools were used, but the reports that were generated often gave multiple vulnerabilities that were seen as critical or high and required many resources to help address them. Scanning was done primarily in an attempt to adhere to PCI compliance rather than to effectively enable security. After re-running some scans, Cimpress saw that some vulnerabilities had existed for an extended time period but were deemed acceptable.

    Solution

    The Director of Information Security realized that there was a need to greatly improve this current process. Guidelines and policies were formalized that communicated when scans should occur and what the expectations for remediations should be. Cimpress also built a tiered approach to prioritize vulnerabilities for remediation that is specific to Cimpress instead of relying on scanning tool reports.

    Results

    Cimpress found better management of the vulnerabilities within its system. There was no pushback to the adoption of the policies, and across the worldwide offices, business units have been proactively trying to understand if there are vulnerabilities. Vulnerability management has been expanded to vendors and is taken into consideration when doing any mergers and acquisitions. Cimpress continues to expand its program for vulnerability management to include application development and vulnerabilities within any existing legacy systems.

    Step 1.2

    Defining the scope and roles

    Activities
    • 1.2.1 Define the scope and boundary of your organization’s security program
    • 1.2.2 Assign responsibility for vulnerability identification and remediation

    This step will walk you through the following activities:

    Define and understand the scope and boundary of the security program. For example, does it include OT? Define roles and responsibilities for vulnerability identification and remediation

    This step involves the following participants:

    • Security operations team
    • IT Security Manager
    • IT Director
    • CISO

    Outcomes of this step

    Understand how far vulnerability management extends and what role each person in IT plays in the remediation of vulnerabilities

    Identify vulnerability sources
    Step 1.1Step 1.2Step 1.3Step 1.4

    Determine the scope of your security program

    This will help you adjust the depth and breadth of your vulnerability management program.
    • Determining the scope will help you decide how much organizational risk the vulnerability management program will oversee.
    • Scope can be defined along four aspects:
      • Data Scope – What data elements in your organization does your security program cover? How is data classified?
      • Physical Scope – What physical scope, such as geographies, does the security program cover?
      • Organizational Scope – How are business units engaged with security initiatives? Does the scope cover all subsidiary organizations?
      • IT Scope – What parts of the organization does IT cover? Does their coverage include operational technology (OT) and industrial control systems (ICS)?
    Stock image of figures standing in connected circles.

    1.2.1 Define the scope and boundary of your organization’s security program

    60 minutes

    Input: List of Data Scope, Physical Scope, Organization Scope, and IT Scope

    Output: Defined scope and boundaries of the IT security program

    Materials: Whiteboard/Flip Charts, Sticky Notes, Markers, Vulnerability Management SOP Template

    Participants: Business stakeholders, IT leaders, Security team members

    1. On a whiteboard, write the headers: Data Scope, Physical Scope, Organizational Scope, and IT Scope.
    2. Give each group member a handful of sticky notes. Ask them to write down as many items as possible for the organization that could fall under one of the four scope buckets.
    3. In a group, discuss the sticky notes and the rationale for including them. Discuss your security-related locations, data, people, and technologies, and define their scope and boundaries.

    The goal is to identify what your vulnerability management program is responsible for and document it.

    Consider the following:

    How is data being categorized and classified? How are business units engaged with security initiatives? How are IT systems connected to each other? How are physical locations functioning in terms of information security management?

    Download the Vulnerability Management SOP Template

    Assets are part of the scope definition

    An inventory of IT assets is necessary if there is to be effective vulnerability management.

    • Organizations need an up-to-date and comprehensive asset inventory for vulnerability management. This is due to multiple reasons:
      • When vulnerabilities are announced, they will need to be compared to an inventory to determine if the organization has any relevant systems or versions.
      • It indicates where all IT assets can be found both physically and logically.
      • Asset inventories typically have owners assigned to the assets and systems whose responsibility it is to carry out remediations for vulnerabilities.
    • Furthermore, asset inventories can provide insight into where data can be found within the organization. This is extremely useful within a formal data classification program, which plays a large factor in vulnerability management.
    If you need assistance building your asset inventory, review Info-Tech’s Implement Hardware Asset Management and Implement Software Asset Management blueprints.

    Info-Tech Insight

    Create a formal IT asset inventory before continuing with the rest of this project. Otherwise, you risk being at the mercy of a weak vulnerability management program.

    Assign responsibility for vulnerability identification and remediation

    Determine who is critical to effectively detecting and managing vulnerabilities.
    • Some of the remediation steps will involve members of IT management to identify the true organizational risk of a vulnerability.
    • Vulnerability remediation comes in different shapes and sizes. In addition to patching, this can include implementing compensating controls, server and application hardening, or the segregating of vulnerable systems.
      • Who carries out each of these activities? Who coordinates the activities and tracks them to ensure completion?
    • The people involved may be members outside of the security team, such as members from IT operations, infrastructure, and applications. The specific roles that each of these groups play should be clearly identified.
    Stock image of many connected profile photos in a cloud network.

    1.2.2 Assign responsibility for vulnerability identification and remediation

    60 minutes

    Input: Sample list of vulnerabilities and requisite actions from each group, High-level organizational chart with area functions

    Output: Defined set of roles and responsibilities for member groups

    Materials: Vulnerability Management SOP Template

    Participants: CIO, CISO, IT Management representatives for each area of IT

    1. Display the table of responsibilities that need to be assigned.
    2. List all the positions within the IT security team.
    3. Map these to the positions that require IT security team members.
    4. List all positions that are part of the IT team.
    5. Map these to the positions that require IT team members.

    If your organization does not have a dedicated IT security team, you can perform this exercise by mapping the relevant IT staff to the different positions shown on the right.

    Download the Vulnerability Management SOP TemplateSample of the Roles and Responsibilities table from the Vulnerability Management SOP Template.

    Step 1.3

    Cloud considerations for vulnerability management

    Activities

    None for this section.

    This step will walk you through the following activities:

    Review cloud considerations for vulnerability management

    This step involves the following participants:

    • Security operations team
    • IT Security Manager
    • IT Director
    • CISO

    Outcomes of this step

    Understand the various types of cloud offerings and the implications (and limitations) of vulnerability management in a cloud environment.

    Identify vulnerability sources
    Step 1.1Step 1.2Step 1.3Step 1.4

    Cloud considerations

    Cloud will change your approach to vulnerability management.
    • There will be a heavy dependence on the cloud service provider to ensure that vulnerabilities in their foundational technologies have been addressed.
    • Depending on the level of “as-a-Service,” customers will have varying degrees of control and visibility into the underlying operations.
    • With vendor acquiescence, you can set your tool to scan a given cloud environment, depending on how much visibility you have into their environment based on the service you have purchased.
    • Due to compliance obligations of their customers, there is a growing trend among cloud providers to allow more scanning of cloud environments.
    • In the absence of customer scanning capability, vendors may offer attestation of vulnerability management and remediation.
    Table outlining who has control, between the 'Organization' and the 'Vendor', of different cloud capabilities in different cloud strategies.

    For more information, see Info-Tech Research Group’s Document Your Cloud Strategy blueprint.

    Cloud environment scanning

    Cloud scanning is becoming a more common necessity but still requires special consideration.

    An organization’s cloud environment is just an extension of its own environment. As such, cloud environments need to be scanned for vulnerabilities.

    Private Cloud
    If your organization owns a private cloud, these environments can be tested normally.
    Public Cloud
    Performing vulnerability testing against public, third-party cloud environments is an area experiencing rapid growth and general acceptance, although customer visibility will still be limited.

    In many cases, a customer must rely on the vendor’s assurance that vulnerabilities are being addressed in a sufficient manner.

    Security standards’ compliance requirements are driving the need for cloud suppliers to validate and assure that they are appropriately scanning for and remediating vulnerabilities.

    Infrastructure- or Platform-as-a-Service (IaaS or PaaS) Environments
    • There is a general trend for PaaS and IaaS vendors to allow testing if given due notice.
    • Your contract with the cloud vendor or the vendor’s terms and conditions will outline the permissibility of customer vulnerability scanning. In some cases, a cloud vendor will deny the ability to do vulnerability scanning if they already provide a solution as part of their service.
    • Always ensure that the vendor is aware of your vulnerability scanning activity so that false positives aren’t triggering their security measures as possible denial-of-service (DoS) attacks.
    Software-as-a-Service (SaaS) Environments
    • SaaS offers very limited visibility to the services behind the software that the customer sees. You therefore cannot test for patch levels or vulnerabilities.
    • SaaS customers must rely exclusively on the provider for the regular scanning and remediation of vulnerabilities in the back-end technologies supporting the SaaS application.
    • You can only test the connection points to SaaS environments. This involves trying to figure out what you can see, e.g. looking for encrypted traffic.

    Certain testing (e.g. DoS or load testing) will be very limited by your cloud vendor. Cloud vendors won’t open themselves to testing that would possibly impact their operations.

    Step 1.4

    Vulnerability detection

    Activities
    • 1.4.1 Develop a monitoring and review process of third-party vulnerability sources
    • 1.4.2 Incident management and vulnerability management

    This step will walk you through the following activities:

    Create an inventory of your vulnerability monitoring capability and third-party vulnerability information sources.

    Determine how incident management and vulnerability management interoperate.

    This step involves the following participants:

    • Security operations team
    • IT Security Manager
    • IT Director
    • CISO

    Outcomes of this step

    Catalog of vulnerability information data sources. Understanding of the intersection of incident management and vulnerability management.

    Identify vulnerability sources
    Step 1.1Step 1.2Step 1.3Step 1.4

    Vulnerability detection

    Vulnerabilities can be identified through numerous mediums.

    Info-Tech has determined the following to be the four most common ways to identify vulnerabilities.

    Vulnerability Assessment and Scanning Tools
    • Computer programs that function to identify and assess security vulnerabilities and weaknesses within computers, computer systems, applications, or networks.
    • Using a known vulnerability database, the tool scans targeted hosts or systems to identify flaws and generate reports and recommendations based on the results.
    • There are four main types of tools under this category: network and operating system vulnerability scanners, application scanning and testing tools, web application scanners, and exploitation tools.
    Penetration Tests
    • The act of identifying vulnerabilities on computers, computer systems, applications, or networks followed by testing of the vulnerability to validate the findings.
    • Penetration tests are considered a service that is offered by third-parties in which a variety of products, tools, and methods are used to exploit systems and gain access to data.
    Open Source Monitoring
    • New vulnerabilities are detected daily with each vulnerability’s information being uploaded to an information-sharing platform to enable other organizations to be able to identify the same vulnerability on their systems.
    • Open source platforms are used to alert and distribute information on newly discovered vulnerabilities to security professionals.
    Security Incidents
    • Any time an incident response plan is called into action to mitigate an incident, there should be formal communication with the vulnerability management team.
    • Any IT incident an organization experiences should provide a feed for analysis into your vulnerability management program.

    Automate with a vulnerability scanning tool

    Vulnerabilities are too numerous for manual scanning and detection.
    • Vulnerability management is not only the awareness of the existence of vulnerabilities but that they are actively present in your environment.
    • A vulnerability scanner will usually report dozens, if not hundreds, of vulnerabilities on a regular and recurring basis. Typical IT environments have several dozen, if not hundreds, of servers. We haven’t even considered the amount of network equipment or the hundreds of user workstations in an environment.
    • This tool will give you information of the presence of a vulnerability in your environment and the host on which the vulnerability exists. This includes information on the version of software that contains a vulnerability and whether you are running that version. The tool will also report on the criticality of the vulnerability based on industry criticality ratings.
    • The tools are continually updated by the vendor with the latest definition updates for the latest vulnerabilities out there. This ensures you are always scanning for the greatest number of potential vulnerabilities.
    Automation requires oversight.
    1. Vulnerability scanners bring great automation to the task of scanning and detecting vulnerabilities in high numbers.
    2. Vulnerability scanners, however, do not have your level of intelligence. Any compensating controls, network segregation, or other risk mitigation features that you have in place will not be known by the tool.
    3. Determining the risk and urgency of a vulnerability within the context of your specific environment will still require internal review by you or your SecOps team.

    For guidance on tool selection

    Refer to section 4.3 Selecting and Implement a Scanning Tool in this blueprint.

    Vulnerability scanning tool considerations

    Select a vulnerability scanning tool with the features you need to be effective.
    • Vulnerability scanning tool selection can be an exciting and confusing process. You will need to consider what features you desire in a tool and whether you want the tool to go beyond just scanning and reporting.
    • In addition to vulnerability scanning, some tools will integrate with your IT service management (service desk ticketing system) tool and asset, configuration, and change management modules. This can facilitate the necessary workflow that the remediation process follows once a vulnerability is discovered.
    • A number of vulnerability scanning tool vendors have started offering remediation as part of their software features. This includes the automation and orchestration functionality and configuration and asset management to track its remediation activities.
    • A side benefit of the asset discovery feature in vulnerability scanning tools is that it can help enhance an organization’s asset inventory and license compliance, particularly in cases where end users are able to install software on their workstations.
    Stock photo of a smartphone scanning a barcode.

    For guidance on tool vendors

    Visit SoftwareReviews for information on vulnerability management tools and vendors.

    Vulnerability scanning tool best practices

    How often should scans be performed?

    One-off scans provide snapshots in time. Repeated scans over time provide tracking for how systems are changing and how well patches are being applied and software is being updated.

    The results of a scan (asset inventory, configuration data, and vulnerability data) are basic information needed to understand your security posture. This data needs to be as up to date as possible.

    ANALYST PERSPECTIVE: Organizations should look for continuous scanning

    Continuous scanning is the concept of providing continual scanning of your systems so any asset, configuration, or vulnerability information is up to date. Most vendors will advertise continuous scanning but you need to be skeptical of how this feature is met.

    Continuous Scanning Methods

    Continuous agent scanning

    Real-time scanning that is completed through agent-based scanning. Provides real-time understanding of system changes.

    On-demand scanning

    Cyclical scanning is the method where once you’re done scanning an area, you start it again. This is usually done because doing some scans on some areas of your network take time. How long the scan takes depends on the scan itself. How often you perform a scan depends on how long a scan takes. For example, if a scan takes a day, you perform a daily scan.

    Cloud-based scanning

    Cloud-scanning-as-a-Service can provide hands-free continuous monitoring of your systems. This is usually priced as a subscription model.

    Vulnerability scanning tool best practices

    Where to perform a scan.

    What should be scannedHow to point a scanner
    The general idea is that you want to scan pretty much everything. Here are considerations for three environments:
    Mobile Devices

    You need to scan mobile devices for vulnerabilities, but the problem is these can be hard to scan and often come and go on your network. There are always going to be some devices that aren’t on the network when scanning occurs.

    Several ways to scan mobile devices:

    • Intercept the device when it remotes into your network using a VPN. You catch the device with a remote scan. This can only be done if a VPN is required.
    • An agent-based approach can be used for mobile devices. Locally installed software gives the information needed to evaluate the security posture of a device. Discernibly, concerns around device processing, memory, and network bandwidth come into play. Ease of installation becomes key for agents.
    Virtualization
    • In a virtual environment, you will have servers being dynamically spun up. Ensure your tool is able to scan these new servers automatically.
    • Often, vulnerability scanning tool providers will restrict scanning to preapproved scanners. Look for tools that are preapproved by the VM vendors.
    Cloud Environments
    • You can set your tool to scan a given cloud environment. The main concern here is who owns the cloud. If it is a private cloud, there is little concern.
    • If it is a third-party cloud (AWS, Azure, etc.) you need to confirm with the cloud service provider that scanning of your cloud environment can occur.
    • There is a trend to allow more scanning of cloud environments.
    • You need to tell the scanner an IP address, a group of IP addresses, an asset group, or a combination of those.
    • You can categorize by functional classifications – internet-facing servers, workstations, network devices, etc., or by organizational structure – Finance, HR, Legal, etc.
    • If you have a strong change management system, you can better hone when and where to perform a scan based on actual changes.
    • You can set the number of concurrent outbound TCP connections that are being made. For example, set the tool so it sends out to 10 ports at a time, rather than pinging at 64k ports on a machine, which would flood the NIC.
    • Side Note: Flooding a host with pings from a scanning tool can be done to find out DoS thresholds on a machine. There are no bandwidth concerns for a network DoS, however, because the packets are so small.

    Vulnerability scanning tool best practices

    Communication and measurement

    Pre-Scan Communication With Users

    • It is always important to inform owners and users of systems that a scan will be happening.
    • Although it is unlikely any performance issues will arise, it is important to notify end users of potential impact.
    • Local admins or system owners may have controls in place that stop vulnerability scans and you need to inform the owners so that they can safelist the scanner you will be using.
    Vulnerability Scanning Tool Tracking Metrics
    • Vulnerability score by operating system, application, or organization division.
      • This provides a look at the widely accepted severity of the vulnerability as it relates across the organization’s systems.
    • Most vulnerable applications and application version.
      • This provides insight into how outdated applications are creating risk exposure for an organization.
      • This will also provide metrics on the effectiveness of your patching program.
    • Number of assets scanned within the last number of days.
      • This provides visibility into how often your assets are being scanned and thus protected.
    • Number of unowned devices or unapproved applications.
      • This metric will track how many unowned devices or unapproved applications may be on your network. Unowned devices may be rogue devices or just consultant/contractor devices.

    Third-party vulnerability information sources

    IT security forums and mailing lists are another source of vulnerability information.

    Proactively identify new vulnerabilities as they are announced.

    By monitoring for vulnerabilities as they are announced through industry alerts and open-source mechanisms, it is possible to identify vulnerabilities beyond your scanning tool’s penetration tests.

    Common sources:
    • Vendor websites and mailing lists
      • Vendors are the trusted sources for vulnerability and patch information on their products, particularly with new industry vulnerability disclosure requirements. Vendors are the most familiar with their products, downloads are most likely malware free, and additional information is often included.
      • There are some issues: vendors won’t announce a vulnerability until a patch is created, which creates a potential unknown risk exposure; numerous vendor sites will have to be monitored continually.
    • Third-party websites
      • A non-vendor site providing information on vulnerabilities. They often will cover a specific technology or an industry section, becoming a potential “one-stop shop” for some. They will often provide vulnerability information that is augmented with different remediation recommendations faster than vendors.
      • However, it’s more likely that malicious code could be downloaded and it will often not be comprehensive information on patching.
    • Third-party mailing lists, newsgroups, live paid subscriptions, and live open-source feeds
      • These are alerting and notification services for the detection and dissemination of vulnerability information. They provide information on the latest and most critical vulnerabilities, e.g. US-CERT Cybersecurity Alerts.
    • Vulnerability databases
      • These usually consist of dedicated databases on vulnerabilities. They perform the hard work of identifying and aggregating vulnerability and patch information into a central repository for end-user consumption. The commentary features on these databases provide excellent insight for practitioners, e.g. National Vulnerability Database (NVD).
    Stock photo of a student checking a bulletin board.

    Third-party vulnerability information sources

    IT security forums and mailing lists are another source of vulnerability information.

    Third-party sources for vulnerabilities

    • Open Source Vulnerability Database (OSVDB)
      • An open-source database that is run independently of any vendors.
    • Common Vulnerabilities and Exposures (CVE)
      • Free, international dictionary of publicly known information security vulnerabilities and exposures.
    • National Vulnerability Database (NVD)
      • Through NIST, the NVD is the US government’s repository of vulnerabilities and includes product names, flaws, and any impact metrics.
      • The National Checklist Repository Program (NCRP), also provided by NIST, provides security checklists for configurations of operating systems and applications.
      • The Center for Internet Security, a separate entity unrelated to NIST, provides configuration benchmarks that are often referenced by the NCRP.
    • Open Web Application Security Project (OWASP)
      • OWASP is another free project helping to expose vulnerabilities within software.
    • US-CERT National Cyber Alert System (US-CERT Alerts)
      • Cybersecurity Alerts – Provide timely information about current security issues, vulnerabilities, and exploits.
      • Cybersecurity Tips – Provide advice about common security issues for the general public.
      • Cybersecurity Bulletins – Provide weekly summaries of new vulnerabilities. Patch information is provided when available.
    • US-CERT Vulnerability Notes Database (US-CERT Vulnerability Notes)
      • Database of searchable security vulnerabilities that were deemed not critical enough to be covered under US-CERT Alerts. Note that the NVD covers both US-CERT Alerts and US-CERT Notes.
    • Open Vulnerability Assessment Language (OVAL)
      • Coding language for security professionals to discuss vulnerability checking and configuration issues. Vulnerabilities are identified using tests that are disseminated in OVAL definitions (XML executables that can be used by end users).

    1.4.1 Develop a monitoring and review process for third-party vulnerability sources

    60 minutes

    Input: Third-party resources list

    Output: Process for review of third-party vulnerability sources

    Materials: Whiteboard, Whiteboard markers, Vulnerability Management SOP Template

    Participants: IT Security Manager, SecOps team members, ITOps team members, CISO

    1. Identify what third-party resources are useful and relevant.
    2. Shortlist your third-party sources.
    3. Identify what is the best way to receive information from a third party.
    4. Document the method to receive or check information from the third-party source.
    5. Identify who is responsible for maintaining third-party vulnerability information sources
    6. Capture this information in the Vulnerability Management SOP Template.
    Download the Vulnerability Management SOP TemplateSample of the Third Party Vulnerability Monitoring tables from the Vulnerability Management SOP Template.

    Incidents and vulnerability management

    Incidents can also be a sources of vulnerabilities.

    When any incident occurs, for example:

    • A security incident, such as malware detected on a machine
    • An IT incident, such as an application becomes unresponsive
    • A crisis occurs, like a worker accident

    There can be underlying vulnerabilities that need to be processed.

    Three Types of IT Incidents exist:
    1. Information Security Incident
    2. IT Incident and/or Problem
    3. Crisis

    Note: You need to have developed your various incident response plans to develop information feeds to the vulnerability mitigation process.
    If you are missing an incident response plan, take a look at Info-Tech’s Related Resources.

    Info-Tech Related Resources:
    If you do not have a formalized information security incident management program, take a look at Info-Tech’s blueprint Develop and Implement a Security Incident Management Program.

    If you do not have a formalized problem management process, take a look at Info-Tech’s blueprint Incident and Problem Management.

    If you do not have a formalized IT incident management process, take a look at Info-Tech’s blueprint Develop and Implement a Security Incident Management Program.

    If you do not have formalized crisis management, take a look at Info-Tech’s blueprint Implement Crisis Management Best Practices.

    1.4.2 Incident management and vulnerability management

    60 minutes

    Input: Existing incident response processes, Existing crisis communications plans

    Output: Alignment of vulnerability management program with existing incident management processes

    Materials: Whiteboard, Whiteboard markers, Vulnerability Management SOP Template

    Participants: IT Security Manager, SecOps team members, ITOps team members, including tiers 1, 2, and 3, CISO, CIO

    1. Inventory what incident response plans the organization has. These include:
      1. Information Security Incident Response Plan
      2. IT Incident Plan
      3. Problem Management Plan
      4. Crisis Management Plan
    2. Identify what part of those plans contains the post-response recap or final analysis.
    3. Formalize a communication process between the incident response plan and the vulnerability mitigation process.

    Note: Most incident processes will cover some sort of root cause analysis and investigation of the incident. If a vulnerability of any kind is detected within this analysis it needs to be reported on and treated as a detected vulnerability, thus warranting the full vulnerability mitigation process.

    Download the Vulnerability Management SOP Template

    Implement Risk-Based Vulnerability Management

    Phase 2

    Triage & prioritize

    Phase 1

    1.1 What is vulnerability management?
    1.2 Define scope and roles
    1.3 Cloud considerations for vulnerability management
    1.4 Vulnerability detection

    Phase 2

    2.1 Triage vulnerabilities
    2.2 Determine high-level business criticality
    2.3 Consider current security posture
    2.4 Risk assessment of vulnerabilities

    Phase 3

    3.1 Assessing remediation options
    3.2 Scheduling and executing remediation
    3.3 Continuous improvement

    Phase 4

    4.1 Metrics, KPIs & CSFs
    4.2 Vulnerability management policy
    4.3 Select and implement a scanning tool
    4.4 Penetration testing

    This phase will walk you through the following activities:

    Examine the elements that you will use to triage and analyze vulnerabilities, prioritizing using a risk-based approach, and prepare for remediation options.

    This phase involves the following participants:

    • IT Security Manager
    • SecOps team members
    • ITOps team members, including tiers 1, 2, and 3
    • CISO
    • CIO

    Step 2.1

    Triage vulnerabilities

    Activities
    • 2.1.1 Evaluate your identified vulnerabilities

    This step will walk you through the following activities:

    Review your vulnerability information sources and determine a methodology that will be used to consistently evaluate vulnerabilities as your scanning tool alerts you to them.

    This step involves the following participants:

    • IT Security Manager
    • SecOps team members
    • ITOps team members, including tiers 1, 2, and 3
    • CISO
    • CIO

    Outcomes of this step

    A consistent, documented process for the evaluation of vulnerabilities in your environment.

    Triage & prioritize
    Step 2.1Step 2.2Step 2.3Step 2.4

    Triaging vulnerabilities

    Use Info-Tech’s methodology to allocate urgencies to your vulnerabilities to assign the appropriate resources to each one.

    When evaluating numerous vulnerabilities, use the following three factors to help determine the urgency of vulnerabilities:

    • The intrinsic qualities of the vulnerability
    • The business criticality of the affected asset
    • The sensitivity of the data stored on the affected asset

    Intrinsic qualities of the vulnerability — Vulnerabilities need to be examined for the inherent risk they pose specifically to the organization, which includes if an exploit has been identified or if the industry views this as a serious and likely threat.

    Business criticality of the affected asset — Assets with vulnerabilities need to be assessed for their criticality to the business. Vulnerabilities on systems that are critical to business operations or customer interactions are usually top of mind.

    Sensitivity of the data of the affected asset — Beyond just the criticality of the business, there must be consideration of the sensitivity of the data that may be compromised or modified as a result of any vulnerabilities.

    Info-Tech Insight

    This methodology allows you to determine urgency of vulnerabilities, but your remediation approach needs to be risk-based, within the context of your organization.

    Triage your vulnerabilities, filter out the noise

    Triaging enables your vulnerability management program to focus on what it should focus on.

    Use the Info-Tech Vulnerability Mitigation Process Template to define how to triage vulnerabilities as they first appear.

    Triaging is an important step in vulnerability management, whether you are facing ten to tens of thousands of vulnerability notifications.
    Many scanning tools already provide the capability to compare known vulnerabilities against existing assets through integration with the asset inventory.

    There are two major use cases for this process:
    1. For organizations that have identified vulnerabilities but do not know their own systems well enough. This can be due to a lack of a formal asset inventory.
    2. For proactive organizations that are regularly staying up to date with industry announcements regarding vulnerabilities. Once an alert has been made publicly, this process can assist in confirming if the vulnerability is relevant to the organization.
    The Info-Tech methodology for initial triaging of vulnerabilities:
    Flowchart of the Info-Tech methodology for initial triaging of vulnerabilities, beginning with 'Vulnerability has been identified' and ending with either 'Vulnerability has been triaged' or 'No action needed'.

    Even if neither of these use cases apply to your organization, triaging still addresses the issues of false positives. Triaging provides a quick way to determine if vulnerabilities are relevant.

    After eliminating the noise, evaluate your vulnerabilities to determine urgency

    Consider the intrinsic risk to the organization.

    Is there an associated, verified exploit?
    • For a vulnerability to become a true threat to the organization, it must be exploited to cause damage. In today’s threat landscape, exploit kits are sold online that allow individuals with low technical knowledge to exploit a vulnerability.
    • Not all vulnerabilities have an associated exploit, but this does not mean that these vulnerabilities can be left alone. In many cases, it is just a matter of time before an exploit is created.
    • Another point to consider is that while exploits can exist theoretically, they may not be verified. Vulnerabilities always pose some level of risk, but if there are no known verified exploits, there is less risk attached.
    Is there a CVSS base score of 7.0 or higher?
    • Common Vulnerability Scoring System (CVSS) is an open-source industry scoring method to assess the potential severity of vulnerabilities.
    • CVSS takes into account: attack vector, complexity, privileges required, user interaction, scope, confidentiality impact, integrity impact, and availability impact.
    • Vulnerabilities that have a score of 4.0 or lower are classified as low vulnerabilities, while scores between 4.0 and 6.9 are put in the medium category. Scores of 7 or higher are in the high and critical categories. As we will review in the Risk Assessment section, you will want to immediately deal with high and critical vulnerabilities.
    Is there potential for significant lateral movement?
    • Even though a vulnerability may appear to be part of an inconsequential asset, it is important to consider whether it can be leveraged to gain access to other areas of the network or system by an attacker.
    • Another consideration should be whether the vulnerability can be exploited by remote or local access. Remote exploits pose a greater risk as this can mean that attackers can perform an exploit from any location. Local exploits carry less risk, although the risk of insider threats should be considered here as well.

    2.1.1 Evaluate your identified vulnerabilities

    60 minutes

    Input: Visio workflow of Info-Tech’s vulnerability management process

    Output: Adjusted workflow to reflect your current processes, Vulnerability Tracking Tool

    Materials: Whiteboard, Whiteboard markers, Vulnerability Management SOP Template

    Participants: IT Security Manager, SecOps team members, ITOps team members, including tiers 1, 2, and 3, CISO, CIO

    Using the criteria from the previous slide, Info-Tech has created a methodology to evaluate your vulnerabilities by examining their intrinsic qualities.

    The methodology categorizes the vulnerabilities into high, medium, and low risk importance categorizations, before assigning final urgency scores in the later steps.

    1. Review the evaluation process in the Vulnerability Management Workflow library.
    2. Determine if this process makes sense for the organization; otherwise, change the flow to include any other considerations of process flows.
    3. As this process is used to evaluate vulnerabilities, document vulnerabilities to an importance category. This can be done in the Vulnerability Tracking Tool or using a similar internal vulnerability tracking document, if one exists.

    Download the Vulnerability Management SOP Template

    Step 2.2

    Determine high-level business criticality

    Activities
    • 2.2.1 Determine high-level business criticality
    • 2.2.2 Determine your high-level data classifications

    This step will walk you through the following activities:

    Determining high-level business criticality and data classifications will help ensure that IT security is aligned with what is critical to the business. This will be very important when decisions are made around vulnerability risk and the urgency of remediation action.

    This step involves the following participants:

    • IT Security Manager
    • SecOps team members
    • CISO

    Outcomes of this step

    Understanding and consistency in how business criticality and business data is assessed by IT in the vulnerability management process.

    Triage & prioritize
    Step 2.1Step 2.2Step 2.3Step 2.4

    Understanding business criticality is key to determining vulnerability urgency

    Prioritize operations that are truly critical to the operation of the business, and understand how they would be impacted by an exploited vulnerability.

    Use the questions below to help assess which operations are critical for the business to continue functioning.

    For example, email is often thought of as a business-critical operation when this is not always the case. It is important to the business, but as regular operations can continue for some time without it, it would not be considered extremely business critical.

    Questions to askDescription
    Is there a hard-dollar impact from downtime?This refers to when revenue or profits are directly impacted by a business disruption. For example, when an online ordering system is compromised and shut down, it impacts sales, and therefore, revenue.
    Is there an impact on goodwill/ customer trust?If downtime means delays in service delivery or otherwise impacts goodwill, there is an intangible impact on revenue that may make the associated systems mission critical.
    Is regulatory compliance a factor?Depending on the circumstances of the vulnerabilities, it can be a violation of regulatory compliance and would cause significant fines.
    Is there a health or safety risk?Some operations are critical to health and safety. For example, medical organizations have operations that are necessary to ensure that individuals’ health and safety are maintained. An exploited vulnerability that prevents these operations can directly impact the lives of these individuals.
    Don’t start from scratch – your disaster recovery plan (DRP) may have a business impact analysis (BIA) that can provide insight into which applications and operations are considered business critical.

    Analyst Perspective

    When assessing the criticality of business operations, most core business applications may be deemed business critical over the long term.

    Consider instead what the impact is over the first 24 or 48 hours of downtime.

    2.2.1 Determine high-level business criticality

    120 minutes; less time if a Disaster recovery plan business impact analysis exists

    Input: List of business operations, Insight into business operations impacts to the business

    Output: List of business operations and their criticality and impact to the business

    Materials: Vulnerability Management SOP Template

    Participants: Participants from the business, IT Security Manager, CISO, CIO

    1. List your core business operations at a high level.
    2. Use a High, Medium, or Low ranking to prioritize the business operations based on mission-critical criteria and the impact of the vulnerability.
    3. When using the process flow, consider if the vulnerability directly affects any of these business operations and move through the process flow based on the corresponding High, Medium, or Low ranking.
    Example prioritization of business operations for a manufacturing company:Questions to ask:
    1. Is there a hard-dollar impact from downtime?
    2. Is there impact on goodwill or customer trust?
    3. Is regulatory compliance a factor?
    4. Is there a health or safety risk?

    Download the Vulnerability Management SOP Template

    Determine vulnerability urgency by its data classification

    Consider how to classify your data based on if the Confidentiality, Integrity, or Availability (CIA) is compromised.

    To properly classify your data, consider how the confidentiality, integrity, and availability of that data would be affected if it were to be exploited by a vulnerability. Review the table below for an explanation for each objective.
    Confidentiality

    Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.

    Integrity

    Guarding against improper information modification or destruction, and ensuring information non-repudiation and authenticity.

    Availability

    Ensuring timely and reliable access to and use of information.

    Each piece of data should be ranked as High, medium, or low across confidentiality, integrity, and availability based on adverse effect.Arrow pointing right.Low — Limited adverse effect

    Moderate — Serious adverse effect

    High — Severe or catastrophic adverse effect

    If you wish to build a whole data classification methodology, refer to our Discover and Classify Your Data blueprint.

    How to determine data classification when CIA differs:

    The overall ranking of the data will be impacted by the highest objective’s ranking.

    For example, if confidentiality and availability are low, but integrity is high, the overall impact is high.

    This process was developed in part by Federal Information Processing Standards Publication 199.

    2.2.2 Determine your high-level data classifications

    120 minutes, less time if data classification already exists

    Input: Knowledge of data use and sensitivity

    Output: Adjusted workflow to reflect your current processes, Vulnerability Tracking Tool

    Materials: Whiteboard, Whiteboard markers, Vulnerability Management SOP Template

    Participants: IT Security Manager, CISO, CIO

    If your organization has formal data classification in place, it should be leveraged to determine the high, medium, and low rankings necessary for the process flows. However, if there is no formal data classification in place, the process below can be followed:

    1. List common assets or applications that are prone to vulnerabilities.
    2. Consider the data that is on these devices and provide a high (severe or catastrophic adverse effect), medium (serious adverse effect), or low (limited adverse effect) ranking based on confidentiality, availability, and integrity.
      1. Use the table on the previous slide to assist in providing the ranking.
      2. Remember that it is the highest ranking that dictates the overall ranking of the data.
    3. Document which data belongs in each of the categories to provide contextual evidence.

    Download the Vulnerability Management SOP Template

    This process should be part of your larger data classification program. If you need assistance in building this out, review the Info-Tech research, Discover and Classify Your Data.

    Step 2.3

    Consider current security posture

    Activities
    • 2.3.1 Document your defense-in-depth controls

    This step will walk you through the following activities:

    Your defense-in-depth controls are the existing layers of security technology that protects your environment. These are relevant when considering the urgency and risk of vulnerabilities in your environment, as they will mitigate some of the risk.

    This step involves the following participants:

    • IT Security Manager
    • SecOps team members
    • ITOps team members, including tiers 1, 2, and 3
    • CISO
    • CIO

    Outcomes of this step

    Understanding and documentation of your current defense-in-depth controls.

    Triage & prioritize
    Step 2.1Step 2.2Step 2.3Step 2.4

    Review your current security posture

    What you have today matters.
    • In most cases, your vulnerability scanning tool alone will not have the context of your security posture in the results of its scans. This can skew the true urgency of detected vulnerabilities in your environment.
    • What you have in place today is what comprises your organization’s overall security posture. This bears high relevance to the determination of the risk that a vulnerability poses to your environment.
    • Elements such as enterprise architecture and defense in depth mechanisms should be factored into determining the risk of a vulnerability and what kind of immediacy is warranted to address it.
    • Details of your current security posture will also contribute to the assessment and selection of remediation options.
    Stock image of toy soldiers split into two colours, facing eachother down.

    Enterprise architecture considerations

    What does your network look like?
    • Most organizations have a network topology that has been put in place with operational needs in mind. These includes specific vLANs or subnets, broadcast domains, or other methods of traffic segregation.
    • The firewall and network ACLs (access control lists) will manage traffic and the routes that data packets follow to traverse a network.
    • Organizations may physically separate data network types, for example, a network for IT services and one for operational technology (OT)(OT is often known as ICS (industrial control systems) or SCADA (supervisory control and data acquisition)) or other types of production technology.
    • The deployment of distribution and access switches across an enterprise can also be a factor, where a flatter network will have fewer network devices within the topology.
    • In a directory services environment such as Windows Active Directory, servers and applications can be segregated by domains and trust relationships, organizational units, and security groups.
    What’s the relevance to vulnerability management?

    For a vulnerability to be exploited, a malicious actor must find a way to access the vulnerable system to make use of the vulnerability in question.

    Any enterprise architecture characteristics that you have in place may lessen the probability of a successful vulnerability exploit.

    This may potentially “buy time” for SecOps to address and remediate the vulnerability.

    Defense-in-depth

    Defense-in-depth provides extra layers of protection to the organization.

    • Defense-in-depth refers to the coordination of security controls to add layers of security to the organization.
      • This means that even if attackers are able to get past one control or layer, they are hindered by additional security.
    • Defense-in-depth is distinct from the previous section on enterprise architecture as these are security controls put in place with the purpose of being lines of defense within your security posture.
    • This can be extremely useful in managing vulnerabilities; thus, it is important to establish the existing defense-in-depth controls. By establishing the base model for your defense-in-depth, it will allow you to leverage these controls to manage vulnerabilities.
    • Controls are typically distributed across endpoints, network infrastructure, servers, and physical security.

    Note: Defense-in-depth controls do not entirely mitigate vulnerability risk. They provide a way in which the vulnerability cannot be exploited, but it continues to exist on the application. This must be kept in mind as the controls or applications themselves change, as it can re-open the vulnerability and cause potential problems.

    Examples of defense-in-depth controls can consist of any of the following:
    • Antivirus software
    • Authentication security
    • Multi-factor authentication
    • Firewalls
    • Demilitarized zones (DMZ)
    • Sandboxing
    • Network zoning
    • Application whitelisting
    • Access control lists
    • Intrusion detection & prevention systems
    • Airgapping
    • User security awareness training

    2.3.1 Document your defense-in-depth controls

    2 hours, less time if a security services catalog exists

    Input: List of technologies within your environment, List of IT security controls that are in place

    Output: List of defense-in-depth controls

    Materials: Whiteboard/flip charts, Vulnerability Management SOP Template

    Participants: IT Security Manager, Infrastructure Manager, IT Director, CISO

    1. Document the existing defense-in-depth controls within your system.
    2. Review the initial list that has been provided and see if these are controls that currently exist.
    3. Indicate any other controls that are being used by the organization. This may already exist if you have a security services catalog.
    4. Indicate who the owners of the different controls are.
    5. Track the information in the Vulnerability Management SOP Template.

    Download the Vulnerability Management SOP Template

    Sample table of security controls within a Defense-in-depth model with column headers 'Defense-in-depth control', 'Description', 'Workflow', and 'Control Owner'.

    Step 2.4

    Risk assessment of vulnerabilities

    Activities
    • 2.4.1 Build a classification scheme to consistently assess impact
    • 2.4.2 Build a classification scheme to consistently assess likelihood

    This step will walk you through the following activities:

    Assessing risk will be the cornerstone of how you evaluate vulnerabilities and what priority you place on remediation. This is actual risk to the organization and not simply what the tool reports without the context of your defense-in-depth controls.

    This step involves the following participants:

    • IT Security Manager
    • IT Operations Management
    • CISO
    • CIO

    Outcomes of this step

    A risk matrix tailored to your organization, based on impact and likelihood. This will provide a consistent, unambiguous way to assess risk across the vulnerability types that is reported by your scanning tool.

    Triage & prioritize
    Step 2.1Step 2.2Step 2.3Step 2.4

    Vulnerabilities and risk

    Vulnerabilities must be addressed to mitigate risk to the business.
    • Vulnerabilities are a concern because they are potential threats to the business. Vulnerabilities that are not addressed can turn from potential threats into actual threats; it is only a matter of time and opportunity.
    • Your organization will already be familiar with risk management, as every decision carries a business risk component. There may even be a senior manager assigned as corporate risk officer to manage organizational risk.
    • The organization likely has a risk tolerance level that defines the organization’s risk appetite. This may be measured in dollars, non-productivity time, or other units of inefficiency.
    • The risk of a vulnerability can be calculated using impact and likelihood. Impact is the effect that the vulnerability will have if it is exploited by a malicious actor. Likelihood is the degree to which a vulnerability exploit can possibly occur.
    Stock image of a cartoon character in a tie hanging on the needle of a 'RISK' meter as it sits at 'LOW'.

    Info-Tech Insight

    Risk to the organization is business language that everyone can understand. This is particularly true when the risk is to productivity or to the company’s bottom line.

    A risk-based approach to vulnerability management

    CVSS scores are just the starting point!

    Vulnerabilities are constant.
    • There will always be vulnerabilities in the environment, many of which won’t be reported as they are currently unknown.
    • Don’t focus on trying to resolve all vulnerabilities in your environment. You are neither resourced for it nor can the business tolerate the downtime needed to remediate every single vulnerability.
      • The constant follow of new vulnerabilities will quickly render your efforts useless and it will become a game of “whack-a-mole.”
    • Being able to prioritize which vulnerabilities require appropriate levels of response is crucial to ensuring that an organization stays ahead of the continual flow.
    • Your vulnerability scanning tool will report the severity of a vulnerability, often using an industry Common Vulnerability Scoring System (CVSS) system ranging from 0 to 10. It will then scan your environment for the presence of the vulnerability and report accordingly.
      • Your vulnerability scanning tool will not be aware of any mitigation components in your environment, such as compensating controls, network segregation, server/application hardening, or any other measures that can reduce the risk. That is why determining actual risk is a crucial step.

    Stock image of a whack-a-mole game.

    Info-Tech Insight

    Vulnerability scanning is a valuable function, but it does not tell the full picture. You must determine how urgent a vulnerability truly is, based on your specific environment.

    Prioritize remediation by levels of risk

    Address critical and high risk with high immediacy.

    • Addressing the critical and high-risk vulnerabilities with urgency will ensure that you are addressing a more manageable number of vulnerabilities.
    • An optimized vulnerability management process will address the medium and low risk vulnerabilities within the regular cycle.
    • This may be very similar to what you do today in an ad hoc fashion:
      • Zero-day vulnerabilities tend to warrant a stop in operations and are dealt with immediately (or as soon as a vendor has a fix).
      • The standard remediation process (patching/updating, change of configuration, etc.) happens within a regular controlled time cycle.
    • Formalizing this process will ensure that appropriate attention is given to vulnerabilities that warrant it and that the remaining vulnerabilities are dealt with as a regular, recurring activity.

    Mitigate the risk surface by reducing the time across the phases

    Chart titled 'Mitigate the risk surface by reducing the time across the phases' with the axes 'Risk Level' and 'Time' with lines created by individual risks. The highlighted line begins in 'Critical' and eventually drops to low. A note on the line reads 'Objective: Reduce risk surface by reducing time to address'. The area between the line and your organization's risk tolerance is labelled 'Risk Surface, to be addressed with high priority'. A bracket around Risk levels 'High' and 'Critical' reads 'Priority focus zone (risk surface)'. Risk lines within levels 'Low' and 'Medium' read 'Follow standard vulnerability management cycles'.

    Risk matrix

    Risk = Impact x Likelihood
    • Info-Tech’s Vulnerability Management Risk Assessment Tool provides a method of calculating the risk of a vulnerability. The risk rating is assigned using the impact of the risk and the likelihood or probability that the event may occur.
    • The tool puts the vulnerability into your organization’s context: How many people will be affected? What service types are vulnerable and how does that impact the business? Is there an anticipated update from the vendor of the system being affected?
    • Urgency of remediation should be based on the business consequences if the vulnerability were to be exploited, relative to the business’ risk tolerance.

    Info-Tech Insight

    Risk determination should be done within the context of your current environment and not simply based on what your vulnerability tool is reporting.

    A risk matrix is useful in calculating a risk rating for vulnerabilities. Risk matrix with axes 'Impact' and 'Time' and individual vulnerabilities mapped onto it via their risk rating. The example 'Organizational Risk Tolerance Threshold' line runs diagonally through the 'Medium' squares.

    2.4.1 Build a classification scheme to consistently assess impact

    60 minutes

    Input: Knowledge of IT environment, Knowledge of business impact for each IT component or service

    Output: Vulnerability Management Risk Assessment Tool formatted to your organization

    Materials: Vulnerability Management Risk Assessment Tool

    Participants: Functional Area Managers, IT Security Manager, CISO

    Risk always has a negative impact, but the size of the impact can vary considerably in terms of cost, number of people or sites affected, and the severity of the impact. Impact questions tend to be more objective and quantifiable than likelihood questions.

    1. Define a set of questions to measure risk impact or edit existing questions in the tool.
    2. For each question, assign a weight that should be placed on that factor.
    3. Define criteria for each question that would categorize the risk. The drop-down box content can be modified in the hidden Labels tab.

    Note that you are looking to baseline vulnerability types, rather than categorizing every single vulnerability your scanning tool reports. The volume of vulnerabilities will be high, but vulnerabilities can be categorized into types on a regular basis.

    Download the Vulnerability Management Risk Assessment Tool

    Screenshot of table from Info-Tech's Vulnerability Management Risk Assessment Tool for assessing Impact. Column headers are 'Weight', 'Question', 'OS vulnerability', 'Application vulnerability', 'Network vulnerability', and 'Vendor patch release'.

    2.4.2 Build a classification scheme to consistently assess likelihood

    60 minutes

    Input: Knowledge of IT environment, Knowledge of business impact for each IT component or service

    Output: Vulnerability Management Risk Assessment Tool formatted to your organization

    Materials: Vulnerability Management Risk Assessment Tool

    Participants: Functional Area Managers, IT Security Manager, CISO

    Risk always has a negative impact, but the size of the impact can vary considerably in terms of cost, number of people or sites affected, and the severity of the impact. Impact questions tend to be more objective and quantifiable than likelihood questions.

    1. Define a set of questions to measure risk impact or edit existing questions in the tool.
    2. For each question, assign a weight that should be placed on that factor.
    3. Define criteria for each question that would categorize the risk. The drop-down box content can be modified in the hidden Labels tab.

    Note that you are looking to baseline vulnerability types, rather than categorizing every single vulnerability that your scanning tool reports. The volume of vulnerabilities will be high, but vulnerabilities can be categorized into types on a regular basis.

    Download the Vulnerability Management Risk Assessment Tool

    Screenshot of table from Info-Tech's Vulnerability Management Risk Assessment Tool for assessing Likelihood. Column headers are 'Weight', 'Question', 'OS vulnerability', 'Application vulnerability', and 'Network vulnerability'.

    Prioritize based on risk

    Select the best remediation option to minimize risk.

    Through the combination of the identified risk and remediation steps in this phase, the prioritization for vulnerabilities will become clear. Vulnerabilities will be assigned a priority once their intrinsic qualities and threat potential to business function and data have been identified.

    • Remediation options will be identified for the higher urgency vulnerabilities.
    • Options will be assessed for whether they are appropriate.
    • They will be further tested to determine if they can be used adequately prior to full implementation.
    • Based on the assessments, the remediation will be implemented or another option will be considered.
    Prioritization
    1. Assignment of risk
    2. Identification of remediation options
    3. Assessment of options
    4. Implementation

    Remediation plays an incredibly important role in the entire program. It plays a large part in wider risk management when you must consider the risk of the vulnerability, the risk of the remediation option, and the risk associated with the overall process.

    Implement Risk-Based Vulnerability Management

    Phase 3

    Remediate vulnerabilities

    Phase 1

    1.1 What is vulnerability management?
    1.2 Define scope and roles
    1.3 Cloud considerations for vulnerability management
    1.4 Vulnerability detection

    Phase 2

    2.1 Triage vulnerabilities
    2.2 Determine high-level business criticality
    2.3 Consider current security posture
    2.4 Risk assessment of vulnerabilities

    Phase 3

    3.1 Assessing remediation options
    3.2 Scheduling and executing remediation
    3.3 Continuous improvement

    Phase 4

    4.1 Metrics, KPIs & CSFs
    4.2 Vulnerability management policy
    4.3 Select and implement a scanning tool
    4.4 Penetration testing

    This phase will walk you through the following activities:

    • Identifying potential remediation options.
    • Developing criteria for each option with regards to when to use and when to avoid.
    • Establishing exception procedure for testing and remediation.
    • Documenting the implementation of remediations and verification.

    This phase involves the following participants:

    • CISO, or equivalent
    • Security Manager/Analyst
    • Network, Administrator, System, Database Manager
    • Other members of the vulnerability management team
    • Risk managers for the risk-related steps

    Determining how to remediate

    Patching is only one option.

    This phase will allow organizations to build out the specific processes for remediating vulnerabilities. The overall process will be the same but what will be critical is the identification of the correct material. This includes building the processes around:
    • Identifying and selecting the remediation option to be used.
    • Determining what to do when a patch or update is not available.
    • Scheduling and executing the remediation activity.
    • Continuous improvement.

    Each remediation option carries a different level of risk that the organization needs to consider and accept by building out this program.

    It is necessary to be prepared to do this in real time. Careful documentation is needed when dealing with vulnerabilities. Use the Vulnerability Tracking Tool to assist with documentation in real time. This is separate from using the process template but can assist in the documentation of vulnerabilities.

    Step 3.1

    Assessing remediation options

    Activities
    • 3.1.1 Develop risk and remediation action

    This step will walk you through the following activities:

    With the risk assessment from the previous activity, we can now examine remediation options and make a decision. This activity will guide us through that.

    This step involves the following participants:

    • IT Security Manager
    • SecOps team members
    • ITOps team members, including tiers 1, 2, and 3
    • CISO
    • CIO

    Outcomes of this step

    List of remediation options and criteria on when to consider each.

    Remediate vulnerabilities
    Step 3.1Step 3.2Step 3.3

    Identify remediation options

    There are four options when it comes to vulnerability remediation.

    Patches and Updates

    Patches are software or pieces of code that are meant to close vulnerabilities or provide fixes to any bugs within existing software. These are typically provided by the vendor to ensure that any deployed software is properly protected after vulnerabilities have been detected.

    Configuration Changes

    Configuration changes involve administrators making significant changes to the system or network to remediate against the vulnerability. This can include disabling the vulnerable application or specific element and can even extend to removing the application altogether.

    Remediation

    Compensating Controls

    By leveraging security controls, such as your IDS/IPS, firewalls, or access control, organizations can have an added layer of protection against vulnerabilities beyond the typical patches and configuration changes. This can be used as a measure while waiting to implement another option (if one exists) to reduce the risk of the vulnerability in the short or long term.

    Risk Acceptance

    Whenever a vulnerability is not remediated, either indefinitely or for a short period of time, the organization is accepting the associated risk. Segregation of the vulnerable system can occur in this instance. This can occur in cases where a system or application cannot be updated without detrimental effect to the business.

    Patches and updates

    Patches are often the easiest and most common method of remediation.

    Patches are usually the most desirable remediation solution when it comes to vulnerability management. They are typically provided by the vendor of the vulnerable application or system and are meant to eliminate the existing vulnerability.

    When to use

    • When adequate testing can be performed on the patch to be implemented.
    • When there is a change window approaching for the affected systems.
    • When there is standardization across the IT assets to allow for easier installation of patches.

    When to avoid

    • When the patch cannot be adequately tested.
    • When a patch has been tested, but it caused an unfavorable consequence such as a system or application failure.
    • When there is no near change window in which to install the patches, which is often the case for critical systems.
    When to consider other remediation options
    • For critical systems, it can be difficult to implement a patch as they often require the system to be rebooted or go through some downtime. There must be consideration towards whether there is a change window approaching if a patch is to be implemented on a business-critical system.
      • If there is no opportunity to implement the patch, or no approaching change window, it is wise to leverage another remediation option.
    • When patches are not currently available from the vendor or they are in production, other remediation options are needed.
    • Other remediation options can be used in tandem with the patch. For example, if a patch is being deferred until the change window, it would be wise to use alternate remediation options to close the vulnerability.

    Compensating controls

    Compensating controls can decrease the risk of vulnerabilities that cannot be (immediately) remediated.

    • Compensating controls are measures put in place when direct remediation measures are impractical or non-existent.
    • Similar to the payment card industry’s PCI DSS 1.0 provision of compensating controls, these are meant to meet the intent or rigor of the original requirement; unlike PCI DSS, these measures are to mitigate risk rather than meet compliance.
    • The compensating control should be viewed as only a temporary measure for dealing with a vulnerability, although circumstances may dictate a degree of permanence in the application of the compensating control.
    • Examples where compensating controls may be needed are:
      • The software vendor is developing an update or patch to address a vulnerability.
      • Through your testing process, a patch will adversely affect the performance or operation of the target system and be detrimental to the business.
      • A critical application will only run on a legacy operating system, the latter of which is no longer supported by the vendor.
      • A legacy application is no longer being supported but is critical to your operations. A replacement, if one exists, will take time to implement.
    Examples of compensating controls
    • Segregating a vulnerable server or application on the network, physically or logically.
    • Hardening the operating system or application.
    • Restricting user logins to the system or application.
    • Implementing access controls on the network route to the system.
    • Instituting application whitelisting.

    Configuration changes

    Configuration changes involve making changes directly to the application or system in which there is a vulnerability. This can vary from disabling or removing the vulnerable element or, in the case of applications built in-house, changing the coding of the application itself. These are commonly used in network vulnerabilities such as open ports.

    When to use

    • A patch is not available.
    • The vulnerable element can be significantly changed, or even disabled, without significantly disrupting the business.
    • The application is built in-house, as the vulnerability must be closed internally.
    • There is adequate testing to ensure that the configuration change does not affect the business.
    • A configuration change in your network or system can affect numerous endpoints or systems, reducing endpoint patching or use of defense-in-depth controls.

    When to avoid

    • When a suitable patch is available.
    • When the vulnerability is on a business-critical element with no nearby change window or it cannot be disabled.
    • When there is no opportunity in which to perform testing to ensure that there are no unintended consequences.
    When to consider other remediation options
    • Configuration changes require careful documentation as changes are occurring to the system and applications. If there is a need to perform a back-out process and return to the original configuration, this can be extremely difficult without clear documentation of what occurred.
    • If business systems are too critical or important to the regular business function to perform any changes, it is necessary to consider other options.

    Info-Tech Insight

    Remember your existing processes: configuration changes may need to be approved and orchestrated through your organization’s configuration and change management processes.

    Case Study

    Remediation options do not have to be used separately. Use the Shellshock 2014 case as an example.

    INDUSTRY: All
    SOURCE: Public Domain
    Challenge

    Bashdoor, more commonly known as Shellshock, was announced on September 24, 2014.

    This bug involved the Bash shell, which normally executes user commands, but this vulnerability meant that malicious attackers could exploit it.

    This was rated a 10/10 by CVSS – the highest possible score.

    Within hours of the announcement, hackers began to exploit this vulnerability across many organizations.

    Solution

    Organizations had to react quickly and multiple remediation options were identified:

    • Configuration changes – Companies were recommended to use other shells instead of the Bash shell.
    • Defense-in-depth controls – Using HTTP server logs, it could be possible to identify if the vulnerability had been exploited.
    • Patches – Many vendors released patches to close this vulnerability including Debian, Ubuntu, and Red Hat.
    Results

    Companies began to protect themselves against these vulnerabilities.

    While many organizations installed patches as quickly as possible, some also wished to test the patch and leveraged defense-in-depth controls in the interim.

    However, even today, many still have the Shellshock vulnerability and exploits continue to occur.

    Accept the risk and do nothing

    By choosing not to remediate vulnerabilities, you must accept the associated risk. This should be your very last option.

    Every time that a vulnerability is not remediated, it continues to pose a risk to the organization. While it may seem that every vulnerability needs to be remediated, this is simply not possible due to limited resources. Further, it can take away resources from other security initiatives as opposed to low-priority vulnerabilities that are extremely unlikely to be exploited.

    Common criteria for vulnerabilities that are not remediated:
    • Affected systems are of extremely low criticality.
    • Affected systems are deemed too critical to take offline to perform adequate remediation.
    • Low urgency is assigned to those vulnerabilities.
    • Cost and time required for the remediation are too high.
    • No adequate solutions exist – the vendor has not released a patch, there are weak defense-in-depth controls, and it is not possible to perform a configuration change.

    Risk acceptance is not uncommon…

    • With an ever-increasing number of vulnerabilities, organizations are struggling to keep up and often, intentionally or unintentionally, accept the risk associated.
    • In the end, non-remediation means full acceptance of the risk and any consequences.

    Enterprise risk management
    Arrow pointing up.
    Risk acceptance of vulnerabilities

    While these are common criteria, they must be aligned to the enterprise risk management framework and approved by management.

    Don’t forget the variables that were assessed in Phase 2. This includes the risk from potential lateral movement or if there is an existing exploit.

    Risk considerations

    When determining if risk acceptance is appropriate, consider the cost of not mitigating vulnerabilities.

    Don’t accept the risk because it seems easy. Consider the financial impact of leaving vulnerabilities open.

    With risk acceptance, it is important to review the financial impact of a security incident resulting from that vulnerability. There is always the possibility of exploitation for vulnerabilities. A simple metric taken from NIST SP800-40 to use for this is:

    Cost not to mitigate = W * T * R

    Where (W) is the number of work stations, (T) is the time spent fixing systems or lost in productivity, and (R) is the hourly rate of the time spent.

    As an example provided by NIST SP800-40 Version 2.0, Creating a Patch and Vulnerability Management Program:

    “For an organization where there are 1,000 computers to be fixed, each taking an average of 8 hours of down time (4 hours for one worker to rebuild a system, plus 4 hours the computer owner is without a computer to do work) at a rate of $70/hour for wages and benefits:

    1,000 computers * 8 hours * $70/hour = $560,000”

    Info-Tech Insight

    Always consider the financial impact that can occur from an exploited vulnerability that was not remediated.

    3.1.1 Develop risk and remediation action

    90 minutes

    Input: List of remediation options

    Output: List of remediation options sorted into “when to use” and “when to avoid” lists

    Materials: Whiteboard/flip charts, Vulnerability Management SOP Template

    Participants: IT Security Manager, IT Infrastructure Manager, IT Operations Manager, Corporate Risk Officer, CISO

    It is important to define and document your organization-specific criteria for when a remediation option is appropriate and inappropriate.

    1. List each remediation option on a flip chart and create two headings: “When to use” and “When to avoid.”
    2. Each person will list “when to use” criteria on a green sticky note and “when to avoid” criteria on a red one for each option; these will be placed on the appropriate flip chart.
    3. Discuss as a group which criteria are appropriate and which should be removed.
    4. Move on to the next remediation option when completed.
      • Ensure to include when there are remediation options that will be connected. For example, the risk may be accepted until the next available change window, or a defense-in-depth control is used before a patch can be fully installed.
    5. Once the criteria has been established, document this in the Vulnerability Management SOP Template.
    When to use:
    • When adequate testing can be performed on the patch to be implemented.
    • When there is a change window approaching, especially for critical systems.
    • When there is standardization across the IT assets to allow for easier installation of patches.
    When to avoid:
    • When the patch cannot be adequately tested.
    • When a patch has been tested, but it has caused an unfavorable consequence such as a system or application failure.
    • When there is no near change window in which to install the patches.
    (Example from the Vulnerability Management SOP Template for Patches.)

    Download the Vulnerability Management SOP Template

    Step 3.2

    Scheduling and executing remediation

    Activities

    None for this section.

    This step will walk you through the following activities:

    Although there are no specific activities for this section, it will walk you through your existing processes configuration and change management to ensure that you are leveraging those activities in your vulnerability remediation actions.

    This step involves the following participants:

    • IT Security Manager
    • SecOps team members
    • ITOps team members, including tiers 1, 2, and 3
    • CISO
    • CIO

    Outcomes of this step

    Gained understanding of how IT operations processes configuration and change management can be leveraged for the vulnerability remediation process. Don’t reinvent the wheel!

    Remediate vulnerabilities
    Step 3.1Step 3.2Step 3.3

    Implementing the remediation

    Vulnerability management converges with your IT operations functions.
    • Once a remediation strategy has been formulated, you can leverage your release and change management processes to orchestrate the testing, version tracking, scheduling, approval, and implementation activities.
    • Each of these processes should exist in your environment in some form. Leveraging these will engage the IT operations team to carry out their tasks in the remediation process.
    • There can be a partial or full handoff to these processes, however, the owner of the vulnerability management program is responsible for verifying the application of the remediation measure and that the overall risk has been reduced.
    • Although full blueprints exist that cover each of these processes in great detail, the following slides provide an overview of each of these IT operations processes and how they intersect with vulnerability management.
    Stock image of a person on a laptop overlaid by an icon with gears indicating settings.

    Release Management

    Control the quality of deployments and releases of software updates.

    • The release management process exists to ensure that new software releases (such as patches and updates) are properly tested and documented with version control prior to their implementation into the production environment.
    • The process should map out the logistics of the deployment process to ensure that it is consistent and controlled.
    • Testing is an important part of release management and the urgency of a vulnerability remediation operation can expedite this process to ensure minimal delays. Once testing has been completed successfully, the update is then “promoted” to production-ready status and submitted into the change management process.
    • Often a separate release team may not exist, however, release management still occurs.

    For guidance on implementing or improving your release management process, refer to Info-Tech’s Stabilize Release and Deployment Management blueprint or speak to one of our experts.

    Info-Tech Insight

    Many organizations don’t have a separate release team. Rather, whomever is doing the deployment will submit a change request and the testing details are vetted through the organization’s change management process.

    For guidance on the change management process review our Optimize Change Management blueprint.

    Change Management

    Leverage change control, interruption management, approval, and scheduling.
    • Change management likely exists in some shape or form in your organization. There is usually someone or a committee, such as a change advisory board (CAB), that gives approval for a change.
    • Leveraging the change management process will ensure that your vulnerability remediation has undergone the proper review and approval before implementation. There will usually be business sign-off as part of a change management approval process.
    • Communication will also be integrated in the change management process, so the change manager will ensure that appropriate, timely communications are sent to the proper key stakeholders.
    • The change management process will link to release management and configuration management processes if they exist.

    For further guidance on implementing or improving your change management process, refer to Info-Tech’s Optimize Change Management blueprint or speak to one of our experts.

    “With no controls in place, IT gets the blame for embarrassing outages. Too much control, and IT is seen as a roadblock to innovation.” (VP IT, Federal Credit Union)

    Post-implementation activities

    Vulnerability remediation isn’t a “set it and forget it” activity.
    • Once vulnerability remediation has occurred, it is imperative that the results are reported back to the vulnerability management program manager. This ensures that the loop is closed and the tracking of the remediation activity is done properly.
      • Organizations that are subject to audit by external entities will understand the importance of such documentation.
    • The results of post-implementation review from the change management process will be of great interest, particularly if there was any deviation from the planned activities.
    • Although change execution will usually undergo some form of testing during the maintenance window, there is always the possibility that something has broken as a result of the software update. Be quick to respond to these types of incidents!
      • One example of an issue that is near impossible to test during a maintenance window is one that manifests only when the system or software comes under load. This is what makes for busy Monday mornings after a weekend change window.
    A scan with your vulnerability management software after remediation can be a way to verify that the overall risk has been reduced, if remediation was done by way of patching/updates.

    Info-Tech Insight

    After every change completion, whether due to vulnerability remediation or not, it is a good idea to ensure that your infrastructure team increases its monitoring diligence and that your service desk is ready for any sudden influx of end-user calls.

    Step 3.3

    Continuous improvement

    Activities

    None for this section.

    This step will walk you through the following activities:

    Although this section has no activities, it will review the process by which you may continually improve vulnerability management.

    This step involves the following participants:

    • IT Security Manager
    • SecOps team members
    • ITOps team members, including tiers 1, 2, and 3
    • CISO
    • CIO

    Outcomes of this step

    An understanding of the importance of ongoing improvements to the vulnerability management program.

    Remediate vulnerabilities
    Step 3.1Step 3.2Step 3.3

    Drive continuous improvement

    • Also known as “Continual Improvement” within the ITIL best practice framework.
    • Your vulnerability management program will not be perfect on first launch. In fact, due to the ever-changing nature of vulnerabilities and the technology designed to detect and combat vulnerabilities, the processes within your vulnerability management program will need to be tweaked from time to time.
    • Continuous improvement is a sustained, proactive approach to process improvement. The practice allows for all process participants to observe and suggest incremental improvements that can help improve the overall process.
    • In many cases, continuous improvement can be triggered by changes in the environment. This makes perfect sense for vulnerability management process improvement as a change in the environment will require vulnerability scanning to ensure that such changes have not introduced new vulnerabilities into the environment, increasing your risk surface.
    • One key method to tracking continuous improvement is through the effective use of metrics, covered in Section 4.1 of this blueprint.
    “The success rate for continual improvement efforts is less than 60 percent. A major – if not the biggest – factor affecting the deployment of long-term continual improvement initiatives today is the fundamental change taking place in the way companies manage and execute work.” (Industry analyst at a consulting firm, 2014)

    Continuous Improvement

    Continuously re-evaluate the vulnerability management process.

    As your systems and assets change, your vulnerability management program may need updates in two ways.

    When new assets and systems are introduced:

    • When new systems and assets are introduced, it is important for organizations to recognize how these can affect vulnerability management.
    • It will be necessary to identify the business criticality of the new assets and systems and the sensitivity of the data that can be found on them.
    • Without doing so, these will be considered rogue systems or assets – there is no clear process for assigning urgencies.
    • This will only cause problems as actions may be taken that are not aligned with the organization’s risk management framework.

    Effective systems and asset management are needed to track this. Review Info-Tech’s Implement Systems Management to Improve Availability and Visibility blueprint for more help.

    Document any changes to the vulnerability management program in the Vulnerability Management SOP Template.

    When defense-in-depth capabilities are modified:

    • As you build an effective security program, more controls will be added that can be used to protect the organization.
    • These should be documented and evaluated based on ability to mitigate against vulnerabilities.
    • The defense-in-depth model that was previously established should be updated to include the new capabilities that can be used.
    • Defense-in-depth models are continually evolving as the security landscape evolves, and organizations must be ready for this.

    To assist in building a defense-in-depth model, review Build an Information Security Strategy.

    Implement Risk-Based Vulnerability Management

    Phase 4

    Measure and formalize

    Phase 1

    1.1 What is vulnerability management?
    1.2 Define scope and roles
    1.3 Cloud considerations for vulnerability management
    1.4 Vulnerability detection

    Phase 2

    2.1 Triage vulnerabilities
    2.2 Determine high-level business criticality
    2.3 Consider current security posture
    2.4 Risk assessment of vulnerabilities

    Phase 3

    3.1 Assessing remediation options
    3.2 Scheduling and executing remediation
    3.3 Continuous improvement

    Phase 4

    4.1 Metrics, KPIs & CSFs
    4.2 Vulnerability management policy
    4.3 Select and implement a scanning tool
    4.4 Penetration testing

    This phase will walk you through the following activities:

    • You will determine what ought to be measured to track the success of your vulnerability management program.
    • If you lack a scanning tool this phase will help you determine tool selection.
    • Lastly, penetration testing is a good next step to consider once you have your vulnerability management program well underway.

    This phase involves the following participants:

    • IT Security Manager
    • SecOps team members
    • Procurement representatives
    • CISO
    • CIO

    Step 4.1

    Metrics, Key Performance Indicators (KPIs), and Critical Success Factors (CSFs)

    Activities
    • 4.1.1 Measure your program with metrics, KPIs, and CSFs

    This step will walk you through the following activities:

    After a review of the differences between raw metrics, key performance indicators (KPI), and critical success factors (CSF), compile a list of what metrics you will be tracking, why, and the business goals for each.

    This step involves the following participants:

    • IT Security Manager
    • SecOps team members
    • CISO
    • CIO

    Outcomes of this step

    Outline of metrics you can configure your vulnerability scanning tool to report on.

    Measure and formalize
    Step 4.1Step 4.2Step 4.3Step 4.4

    You can’t manage what you can’t measure

    Metrics provides visibility.

    • Management consultant Peter Drucker introduced the concept of metrics tied to key performance indicators (KPIs), and the concept holds true: without metrics, you lack the visibility to manage or improve a process.
    • Metrics aren’t just a collection of statistics, they have to be meaningful, they have to tell the story, and most importantly, they have to answer the “so what?” question. What is the significance of a metric – do they illustrate a trend or an anomaly? What actions should be carried out when a metric hits a certain threshold?
    • It would be prudent to track several metrics that can be combined to tell the full story. For example, tracking the number of critical vulnerabilities alone does not give a sense of the overall risk to the organization, nor does it offer any information on how quickly they have been remediated or what amount of effort was invested.
    Stock image of measuring tape.

    Metrics, KPIs, and CSFs

    Tracking the right information and making the information relevant.
    • There is often confusion between raw metrics, key performance indicators, and critical success factors.
    • Raw metrics are what is trackable from your systems and processes as a set of measurements without any context. Raw metrics in themselves are useful in telling the story of “what are we doing?”
    • KPIs are the specific metric or combination of metrics that help you track or gauge performance. KPIs tell the story of “how are we doing?” or “how well are we doing?”
    • CSFs are the specific KPIs that track the activities that are absolutely critical to accomplish for the business or business unit to be successful.
    The activity tracker on your wrist is a wealth of metrics, KPIs, and CSFs.

    If you wear an activity tracker, you are likely already familiar with the differences between metrics, key performance indicators, and critical success factors:

    • The raw metrics are your heart rate, step count, hours of sleep, caloric intake, etc.
    • KPIs are the individual goals that you have set: maintain a heart rate within the appropriate range for your age/activity level, achieve a step count goal per day, get x hours of sleep per night, consume a calorie range of y per day, etc.
    • CSFs are your overall goal: increase your cardiovascular capacity, lose weight, feel more energetic, etc.

    Your security systems can be similarly measured and tracked – transfer this skill!

    Tracking relevant information

    Tell the story in the numbers.

    Below are a number of suggested metrics to track, and why.

    Business Goal

    Critical Success Factor

    Key Performance Indicator

    Metric to track

    Minimize overall risk exposureReduction of overall risk due to vulnerabilitiesDecrease in vulnerabilitiesTrack the number of vulnerabilities year after year.
    Appropriate allocation of time and resourcesProper prioritization of vulnerability mitigation activitiesDecrease of critical and high vulnerabilitiesTrack the number of high-urgency vulnerabilities.
    Consistent timely remediation of threats to the businessMinimize risk when vulnerabilities are detectedRemediate vulnerabilities more quicklyMean time to detect: track the average time between the identification to remediation.
    Track effectiveness of scanning toolMinimize the ratio, indicating that the tool sees everythingRatio between known assets and what the scanner tracksScanner coverage compared to known assets in the organization.
    Having effective tools to track and addressAccuracy of the scanning toolDifference or ratio between reported vulnerabilities and verified onesNumber of critical or high vulnerabilities verified, between the scanning tool’s criticality rating and actual criticality.
    Reduction of exceptions to ensure minimal exposureVisibility into persistent vulnerabilities and risk mitigation measuresNumber of exceptions grantedNumber of vulnerabilities in which little or no remediation action was taken.

    4.1.1 Measure your program with metrics, KPIs, and CSFs

    60 minutes

    Input: List of metrics current being measured by the vulnerability management tool

    Output: List of relevant metrics to track, and the KPIs, CSFs, and business goals related to the metric

    Materials: Whiteboard/flip charts, Vulnerability Management SOP Template

    Participants: IT Security Manager, IT operations management, CISO

    Metrics can offer a way to view how the organization is dealing with vulnerabilities and if there is improvement.

    1. Determine the high-level vulnerability management goals for the organization.
    2. Even with a formal process in place, the organization should be considering ways it can improve.
    3. Determine metrics that can help quantify those goals and how they can be measured.
    4. Metrics should always be easy to measure. If it’s a complex process to find the information required, it means that it is not a metric that should be used.
    5. Document your list of metrics in the Vulnerability Management SOP Template.

    Download the Vulnerability Management SOP Template

    Step 4.2

    Vulnerability Management Policy

    Activities
    • 4.2.1 Update the vulnerability management program policy

    This step will walk you through the following activities:

    If you have a vulnerability management policy, this activity may help augment it. Otherwise, if you don’t have one, this would be a great starting point.

    This step involves the following participants:

    • IT Security Manager
    • CISO
    • CIO
    • Human resources representative

    Outcomes of this step

    An inaugural policy covering vulnerability management

    Measure and formalize
    Step 4.1Step 4.2Step 4.3Step 4.4

    Vulnerability Management Program Policy

    Policies provide governance and enforcement of processes.
    • Policies offer formal guidance on the “rules” of a program, describing its purpose, scope, detailed program description, and consequences of non-compliance. Often they will have a employee sign-off acknowledging understanding.
    • In many organizations, policies are endorsed by senior executives, which gives the policy its “teeth” across the company. The human resources department will always have input due to the implications of the non-compliance aspect.
    • Policies are written to ensure an outcome of consistent expected behavior and are often written to protect the company from liability.
    • Policies should be easy to understand and unambiguous, reflect the current state, and be enforceable. Enforceability can come in the form of audit, technology, or any other means of determining compliance and enforcing behavior.
    Stock image of a judge's gavel.

    4.2.1 Update the vulnerability management policy

    60 minutes

    Input: Vulnerability Management SOP, HR guidance on policy creation and approval

    Output: Completed Vulnerability Management Policy

    Materials: Vulnerability Management SOP, Vulnerability Management Policy Template

    Participants: IT Security Manager, IT operations management, CISO, Human resources representative

    After having built your entire process in this project, formalize it into a vulnerability management policy. This will set the standards and expectations for vulnerability management in the organization, while the process will be around the specific actions that need to be taken around vulnerability management.

    This is separate and distinct from the Vulnerability Management SOP Template, which is a process and procedure document.
    1. Review Info-Tech’s Vulnerability Management Policy and customize it to your organization’s specifications.
    2. Use your Vulnerability Management SOP as a resource when specifying some of the details within the policy.
    Sample of Info-Tech's Vulnerability Management Policy Template

    Download the Vulnerability Management Policy Template

    Step 4.3

    Select and implement a scanning tool

    Activities
    • 4.3.1 Create an RFP for vulnerability scanning tools

    This step will walk you through the following activities:

    If you need to select a new vulnerability scanning tool, or replace your existing one, this activity will help set up a request for proposal (RFP).

    This step involves the following participants:

    • IT Security Manager
    • SecOps team members
    • CISO

    Outcomes of this step

    The provisions needed for you to create and deploy an RFP for a vulnerability management tool.

    Measure and formalize
    Step 4.1Step 4.2Step 4.3Step 4.4

    Vulnerability management and penetration testing

    Similar in nature, yet provide different security functions.

    Vulnerability Scanning Tools

    Scanning tools focus on the network and operating systems. These tools look for items such as missing patches or open ports. They won’t detect specific application vulnerabilities.

    Exploitation Tools

    These tools will look to exploit a detected vulnerability to validate it.

    Penetration Tests

    A penetration test simulates the actions of an external or internal cyber attacker that aims to breach the information security of the organization. (Formal definition of penetration test)

    ‹————— What’s the difference again? —————›
    Vulnerability scanning tools are just one type of tool.When you add an exploitation tool to the mix, you move down the spectrum.Penetration tests will use scanning tools, exploitation tools, and people.

    What is the value of each?

    • For vulnerability scans, the person performing the scan provides the value – value comes from the organization itself.
    • For exploitation tools on their own, the value comes from the tool itself being used in a safe environment.
    • For penetration tests, the tester is providing the value. They are the value add.

    What’s the implication for me?

    Info-Tech Recommends:
    • A combination of vulnerability scanning and penetration testing. This will improve your security posture through systematic risk reduction and improve your security program through the testing of prevention, detection, and response capabilities with unique recommendations being generated.
    • Start with as much vulnerability scanning as possible to identify gaps to fix and then move onto a penetration test to do a more robust and validated assessment.
    • For penetration tests, start with a transparent box test first, then move to an opaque box. Ideally, this is done with different third parties.

    Vulnerability scanning software

    All organizations can benefit from having one.

    Scanning tools will benefit areas beyond just vulnerability management

    • Network security: It improves the accuracy and granularity of your network security technologies such as WAFs, NGFWs, IDPS, and SIEM.
    • Asset management: Vulnerability scanning can identify new or unknown assets and provide current status information on assets.
    • System management: Information from a vulnerability scan supports baselining activities and determination of high-value and high-risk assets.

    Vulnerability Detection Use Case

    Most organizations use scanners to identify and assess system vulnerabilities and prioritize efforts.

    Compliance Use Case

    Others will use scanners just for compliance, auditing, or larger GRC reasons.

    Asset Discovery Use Case

    Many organizations will use scanners to perform active host and application identification.

    Scanning Tool Market Trends

    Vulnerability scanning tools have expanded value from conventional checking for vulnerabilities to supporting configuration checking, asset discovery, inventory management, patch management, SSL certificate validation, and malware detection.

    Expect to see network and system vulnerability scanners develop larger vulnerability management functions and develop exploitation tool functionality. This will become a table stakes option enabling organizations to provide higher levels of validation of detected vulnerabilities. Some tools already possess these capabilities:

    • Core Impact is an exploitation tool with vulnerability scanning aspects.
    • Metasploit is an exploitation tool with some new vulnerability scanning aspects.
    • Nessus is mainly a vulnerability scanning tool but has some exploitation aspects.

    Device proliferation (BYOD, IoT, etc.) is increasing the need for stronger vulnerability management and scanners. This is driving the need for numerous device types and platform support and the development of baseline and configuration norms to support system management.

    Increased regulatory or compliance controls are also stipulating the need for vulnerability scanning, especially by a trusted third party.

    Organizations are outsourcing security functions or moving to cloud-based deployment options for any security technology they can. Expect to see massive growth of vulnerability scanning as a service.

    Vulnerability scanning market

    There are several technology types or functional differentiators that divide the market up.

    Vulnerability Exploitation Tools

    • These will actually test defences and better emulate real life than just scanning. These tools include packet manipulation tools (such as hping) and password cracking tools (such as John the Ripper or Cain and Abel).
    • These tools will provide much more granular information on your network, operations systems, and applications.
    • The main limitation of these tools is how to use them. If you do not have development or test environments that mimic your real production environments to run the exploit tools, these tools may not be appropriate. It may work if you can find some downtime on production systems, but only in very specific and careful instances.
    • Lower maturity security programs usually just do network and application vulnerability scanning. Higher maturity programs will also use penetration testing, application testing, and vulnerability exploitation tools.
    • Network vulnerability scanning tools should always be used. Once you identify any servers or ports running web applications, then you run a web application vulnerability scanner.
    • Exploitation tools and application testing tools are used in more specific use cases that are often related to more-demanding security programs.

    Scanning Tool Market Trends

    • These are considered baseline tools and are near commoditization.
    • Vulnerability scanning tools are not granular enough to detect application-level vulnerabilities (thus the need for application scanners and testing tools) and they don’t validate the exploitability of the vulnerability (thus the need for exploit tools).

    Web Application Scanning Tools

    These tools perform dynamic application security testing (DAST) and static application security testing (SAST).

    Application Scanning and Testing Tools

    • These perform a detailed scan against an application to detect any problematic or malicious code and try to break the application using known vulnerabilities.
    • These tools will identify if something is vulnerable to an exploit but won’t actually run the exploit.
    • These tools are evaluated based on their ability to detect application-specific issues and validate them.

    Vulnerability scanning tool features

    Evaluate vulnerability scanning tools on specific features or functions that are the best differentiators.

    Differentiator

    Description

    Deployment OptionsDo you want a traditional on-premises, cloud-based, or managed service?
    Vulnerability Database CoverageScanners use a library of known vulnerabilities to test for. Evaluate based on the amount of exploits/vulnerabilities the tool can scan for.
    Scanning MethodEvaluate if you want agent-based, authenticated active, unauthenticated active, passive, or some combination of those scanning methods.
    IntegrationWhat is the breadth of other security and non-security technologies the tool can integrate with?
    RemediationHow detailed are the recommended remediation actions? The more granular, the better.

    Differentiator

    Description

    PrioritizationDoes the tool evaluate vulnerabilities based on commonly accepted methods or through a custom-designed prioritization methodology?
    Platform SupportWhat is the breadth of environment, application, and device support in the tool? Consider your need for virtual support, cloud support, device support, and application-specific support. Also consider how often new scanning modules are supported (e.g. how quickly Windows 10 was supported).
    PricingAs with many security controls that have been around for a long time and are commonly used, pricing becomes a main consideration, especially when there are so many open-source options available.

    Common areas people mistake as tool differentiators:

    • Accuracy – Scanning tools are evaluated more on efficiency than effectiveness. Evaluate on the ability to detect, remediate, and manage vulnerabilities rather than real vulnerability detection and the number of false positives. To reduce false positives, you need to use exploitation tools.
    • Performance – Scanning tools have such a small footprint in an environment and the actual scanning itself is such a small impact that evaluation on performance doesn’t matter.

    For more information on vulnerability scanning tools and how they rate, review the Vulnerability Management category on SoftwareReviews.

    Vulnerability scanning deployment options

    Understand the different deployment options to identify which is best for your security program.

    Option

    Description

    Pros

    Cons

    Use Cases

    On-PremisesEither an on-premises appliance or an on-premises virtualized machine that performs external and internal scanning.
    • Small resource need, so limited network impact.
    • Strong internal scanning.
    • Easier integration with other technologies.
    • Network footprint and resource usage.
    • Maintenance and support costs.
    • Most common deployment option.
    • Appropriate if you have cloud concerns or strong internal network scanning, or if you require strong integration with other systems.
    CloudEither hosted on a public cloud infrastructure or hosted by a third party and offered “as a service.”
    • Small network footprint.
    • On-demand scanning as needed.
    • Optimal external scanning capabilities.
    • Can only do edge-related scanning unless authenticated or agent based.
    • No internal network scanning with passive or unauthenticated active scanning methods.
    • Very limited network resources.
    • Compliance obligations that dictate external vulnerability scanning.
    ManagedA third party is contracted to manage and maintain your vulnerability scanner so you can dedicate resources elsewhere.
    • Expert management of environment scanning, optimizing tool usage.
    • Most scanning work time is report customization and tuning and remediation efforts; thus, managed doesn’t provide sizable resource alleviation.
    • Third party has and owns the vulnerability information.
    • Limited staff resources or expertise to maintain and manage scanner.

    Vulnerability scanning methods

    Understand the different scanning methods to identify which tool best supports your needs.

    Method

    Description

    Pros

    Cons

    Use Cases

    Agent-Based ScanningLocally installed software gives the information needed to evaluate the security posture of a device.
    • Provides information that can’t be discovered remotely such as installed applications that aren’t running at a given time.
    • Device processing, memory, and network bandwidth impact.
    • Asset without an agent is not scanned.
    • Need for continuous scanning.
    • Organization has strong asset management
    Authenticated Active ScanningTool uses authenticated credentials to log in to a device or application to perform scanning.
    • Provides information that can’t be discovered remotely such as installed applications that aren’t running at a given time.
    • Best accuracy for vulnerability detection across a network.
    • Aggregation and centralization of authenticated credentials creates a major risk.
    • All use cases.
    Unauthenticated Active ScanningScanning of devices without any authentication.
    • Emulates realistic scan by an attacker.
    • Provides limited scope of scanning.
    • Some compliance use cases.
    • Perform after either agent or authenticated scanning.
    Passive ScanningScanning of network traffic.
    • Lowest resource impact.
    • Not enough information can be provided for true prioritization and remediation.
    • Augmenting scanning technique to agent or authenticated scanning.

    IP Management and IPv6

    IP management and the ability to manage IPv6 is a new area for scanning tool evaluation.

    Scanning on IPv4

    Scanning tools create databases of systems and devices with IP addresses.
    Info-Tech Recommends:

    • It is easier to do discovery by directing the scanner at a set IP address or range of IP addresses; thus, it’s useful to organize your database by IPs.
    • Do discovery by phases: Start with internet-facing systems. Your perimeter usually is well-defined by IP addresses and system owners and is most open to attack.
    • Stipulate a list of your known IP addresses through the DHCP registration and perform a scan on that.
    • Depending on your IP address space, another option is to scan your entire IP address space.

    Current Problem With IP Addresses

    IP addresses are becoming no longer manageable or even owned by organizations. They are often provided by ISPs or other third parties.

    Even if it is your range, chances are you don't do static IP ranges today.

    Info-Tech Recommends:

    • Agent-based scanning or MAC address-based scanning
    • Use your DHCP for scanning

    Scanning on IPv6

    First, you need to know if your organization is moving to IPv6. IPv6 is not strategically routed yet for most organizations.

    If you are moving to IPv6, Info-Tech recommends the following:

    • Because you cannot point a scanner at an IPv6 IP range, any scanning tool needs to have a strategy around how to handle IPv6 and properly scan based on IP ranges.
    • You need to know IPv4 to IPv6 translations.
    • Evaluate vulnerability scanning tools on whether any IPv6 features are on par with IPv4 features.

    If you are already on IPv6, Info-Tech recommends the following:

    • If you are on an IPv6 native network, it is nearly impossible to scan the network. You have to always scan your known addresses from your DHCP.

    4.3.1 Create an RFP for vulnerability scanning tools

    2 hours

    Input: List of key feature requirements for the new tool, List of intersect points with current software, Network topology and layout of servers and applications

    Output: Completed RFP document that can be distributed to vendor proponents

    Materials: Whiteboard/flip charts, Vulnerability Scanning Tool RFP Template

    Participants: IT Security Manager, IT operations managers, CISO, Procurement department representative

    Use a request for proposal (RFP) template to convey your desired scanning tool requirements to vendors and outline the proposal and procurement steps set by your organization.

    1. Determine what kind of requirements will be needed for your scanning tool RFP, based on people, process, and technology requirements.
    2. Consider items such as the desired capabilities and the scope of the scanning.
    3. Conduct interviews with relevant stakeholders to determine the exact requirements needed.
    4. Use Info-Tech’s Vulnerability Scanning Tool RFP Template. It lists many requirements but can be customized to your organization’s specific needs.

    Download the Vulnerability Scanning Tool RFP Template

    4.3.1 Create an RFP for vulnerability scanning tools (continued)

    Things to Consider:
    • Ensure there is adequate resource dedication to support and maintenance for vulnerability scanning.
    • Consider if you will benefit from an RFP. If there is a more appropriate option for your need and your organization, consider that instead.
    • If you don’t know the product you want, then perform an RFI.
    • In the RFP, you need to express your driving needs for the tool so the vendor can best understand your use case.
    • Identify who should participate in the RFP creation and evaluation. Make sure they have time available and it does not conflict with other items.
    • Determine if you want to send it to a select few or if you want to send it to a lot of vendors.
    • Determine a response date so you can know who is soliciting your business.
    • You need to have a process to handle questions from vendors.
    Info-Tech RFP Table of Contents:
    1. Statement of Work
    2. General Information
    3. Proposal Preparation Instructions
    4. Scope of Work, Specifications, and Requirements
    5. Vendor Qualifications and References
    6. Budget and Estimated Pricing
    7. Vendor Certification

    Download the Vulnerability Scanning Tool RFP Template

    Step 4.4

    Penetration testing

    Activities
    • 4.1.1 Create an RFP for penetration tests

    This step will walk you through the following activities:

    We will review penetration testing, its distinction from vulnerability management, and why you may want to engage a penetration testing service.

    We provide a request for proposal (RFP) template that we can review if this is an area of interest.

    This step involves the following participants:

    • IT Security Manager
    • SecOps team members
    • CISO
    • CIO

    Outcomes of this step

    An understanding of penetration testing, and guidance on how to get started if there is interest to do so.

    Measure and formalize
    Step 4.1Step 4.2Step 4.3Step 4.4

    Penetration testing

    Penetration tests are critical parts of any strong security program.

    Penetration testing will emulate the methods an attacker would use in the real world to circumvent your security controls and gain access to systems and data.

    Penetration testing is much more than just running a scanner or other automated tools and then generating a report. Penetration testing performs critical exploit validation to create certainty around your vulnerability.

    The primary objective of a penetration test is to identify and validate security weaknesses in an organization’s security systems.

    Reasons to Test:

    • Assess current security control effectiveness
    • Develop an action plan of items
    • Build a business case for a better security program
    • Increased security budget through vulnerability validation
    • Third-party, unbiased validation
    • Adhere to compliance or regulatory requirements
    • Raise security awareness
    • Demonstrate how an attacker can escalate privileges
    • Effective way to test incident response

    Regulatory Considerations:

    • There is a lot of regulatory wording saying that organizations can’t get a system that is managed, integrated, and supported by one vendor and then have it tested by the same vendor.
    • There is the need for separate third-party testing.
    • Penetration testing is required for PCI, cloud providers, and federal entities.

    How and where is the value being generated?

    Penetration testing is a service provided by trained and tested professionals with years of experience. The person behind the test is the most important part of the test. The person is able to emulate a real-life attacker better than any computer. It is just a vulnerability scan if you use tools or executables alone.

    “A penetration test is an audit with validation.” (Joel Shapiro, Vice President Sales, Digital Boundary Group)

    Start by considering the spectrum of penetration tests

    Network Penetration Tests

    Conventional testing of network defences.

    Testing vectors include:

    • Perimeter infrastructure
    • Wireless, WEP/WPA cracking
    • Cloud penetration testing
    • Telephony systems or VoIP
    Types of tests:
    • Denial-of-service testing
    • Out-of-band attacks
    • War dialing
    • Wireless network testing/war driving
    • Spoofing
    • Trojan attacks
    • Brute force attacks
    • Watering hole attacks
    • Honeypots
    • Cloud-penetration testing
    Application Penetration Tests

    Core business functions are now being provided through web applications, either to external customers or to internal end users.

    Types: Web apps, non-web apps, mobile apps

    Application penetration and security testing encompasses:

    • Code review – analyzing the application code for sensitive information of vulnerabilities in the code.
    • Authorization testing – testing systems responsible for user session management to see if unauthorized access can be permitted.
    • Authentication process for user testing.
    • Functionality testing – test the application functionality itself.
    • Website pen testing – active analysis of weaknesses or vulnerabilities.
    • Encryption testing – testing things like randomness or key strength.
    • User-session integrity testing.
    Human-Centric Testing
    • Penetration testing is developing a people aspect as opposed to just being technology focused.
    • End users and their susceptibility to social engineering attacks (spear phishing, phone calls, physical site testing, etc.) is now a common area to test.
    • Social engineering penetration testing is not only about identifying your human vulnerabilities, but also about proactively training your end users. As well as discovering and fixing potential vulnerabilities, social engineering penetration testing will help to raise security awareness within an organization.

    Info-Tech Insight

    Your pen test should use multiple methods. Demonstrating weakness in one area is good but easy to identify. When you blend techniques, you get better success at breaching and it becomes more life-like. Think about prevention, detection, and response testing to provide full insight into your security defenses.

    Penetration testing types

    Evaluate four variables to determine which type of penetration test is most appropriate for your organization.

    Evaluate these dimensions to determine relevant penetration testing.

    Network, Application, or Human

    Evaluate your need to perform different types of penetration testing.

    Some level of network and application testing is most likely appropriate.

    The more common decision point is to consider to what degree your organization requires human-centric penetration testing.

    External or Internal

    External: Attacking an organization’s perimeter and internet-facing systems. For these, you generally provide some level of information to the tester. The test will begin with publicly available information gathering followed by some kind of network scanning or probing against externally visible servers or devices (DNS server, email server, web server, firewall, etc.)

    Internal: Carried out within the organization’s network. This emulates an attack originating from an internal point (disgruntled employee, authorized user, etc.). The idea is to see what could happen if the perimeter is breached.

    Transparent, Semi-Transparent, or Opaque Box

    Opaque Box: The penetration tester is not provided any information. This emulates a real-life attack. Test team uses publicly available information (corporate website, DNS, USENET, etc.) to start the test. These tests are more time consuming and expensive. They often result in exploitation of the easiest vulnerability.
    Use cases: emulating a real-life attack; testing detection and response capabilities; limited network segmentation.

    Transparent Box: Tester is provided full disclosure of information. The tester will have access to everything they need: building floor plans, data flow designs, network topology, etc. This represents what a credentialed and knowledgeable insider would do.
    Use cases: full assessment of security controls; testing of attacker traversal capabilities.

    Aggressiveness of the Test

    Not Aggressive: Very slow and careful penetration testing. Usually spread out in terms of packets being sent and number of calls to individuals. It attempts to not set off any alarm bells.

    Aggressive: A full DoS attack or something similar. These would be DoS attacks that take down systems or full SQL injection attacks all at once versus small injections over time. Testing options cover anything including physical tests, network tests, social engineering, and data extraction and exfiltration. This is more costly and time consuming.

    Assessing Aggressiveness: How aggressive the test should be is based on the threats you are concerned with. Assess who you are concerned with: random individuals on the internet, state-sponsored attacks, criminals, hacktivists, etc. Who you are concerned with will determine the appropriate aggressiveness of the test.

    Penetration testing scope

    Establish the scope of your penetration test before engaging vendors.

    Determining the scope of what is being tested is the most important part of a penetration test. Organizations need to be as specific as possible so the vendor can actually respond or ask questions.

    Organizations need to define boundaries, objectives, and key success factors.

    For scope:
    • If you go too narrow, the realism of the test suffers.
    • If you go too broad, it is more costly and there’s a possible increase in false positives.
    • Balance scope vs. budget.
    Boundaries to scope before a test:
    • IP addresses
    • URLs
    • Applications
    • Who is in scope for social engineering
    • Physical access from roof to dumpsters defined
    • Scope prioritized for high-value assets
    Objectives and key success factors to scope:
    • When is the test complete? Is it at the point of validated exploitation?
    • Are you looking for as many holes as possible, or are you looking for how many ways each hole can be exploited?

    What would be out of scope?

    • Are there systems, IP addresses, or other things you want out of scope? These are things you don’t explicitly want any penetration tester to touch.
    • Are there third-party connections to your environment that you don’t want to be tested? These are instances such as cloud providers, supply chain connections, and various services.
    • Are there things that would be awkward to test? For example, determine if you include high-level people in a social engineering test. Do you conduct social engineering for the CEO? If you get their credentials, it could be an awkward moment.

    Ways to break up a penetration test:

    • Location – This is the most common way to break up a penetration test.
    • Division – Self-contained business units are often done as separate tests so you can see how each unit does.
    • IT systems – For example, you put certain security controls in a firewall and want to test its effectiveness.
    • Applications – For example, you are launching a new website or a new portal and you want to test it.

    Penetration testing appropriateness

    Determine your penetration testing appropriateness.

    Usual instances to conduct a penetration test:
    • Setting up a new physical office. Penetration testing will not only test security capabilities but also resource availability and map out network flows.
    • New infrastructure hardware implemented. All new infrastructure needs to be tested.
    • Changes or upgrades to existing infrastructure. Need for testing varies depending on the size of the change.
    • New application deployment. Need to test before being pushed to production environments.
    • Changes or upgrades to existing applications. When fundamental functional changes occur, perform testing:
      • Before upgrades or patching
      • After upgrades or patching
    • Periodic testing. It is a best practice to periodically test your security control effectiveness. Consider at least an annual test.

    Specific timing considerations: Testing should be completed during non-production times of day. Testing should be completed after a backup has been performed.

    Assess your threats to determine your appropriate test type:

    Penetration testing is about what threats you are concerned about. Understand your risk profile, risk tolerance level, and specific threats to see how relevant penetration tests are.

    • Are external attackers concerning to you? Are you distressed about how an attacker can use brute force to enter your network? If so, focus on ingress points, such as FWs, routers, and DMZ.
    • Is social engineering a concern for you (i.e. phone-based or email-based)? Then you are concerned about a credentialed hacker.
    • Is it an insider threat, a disgruntled employee, etc.? This also includes an internal system that is under command and control (C&C).

    ANALYST PERSPECTIVE: Do a test only after you take a first pass.
    If you have not done some level of vulnerability assessment on your own (performing a scan, checking third-party sources, etc.) don’t waste your money on a penetration test. Only perform a penetration test after you have done a first pass and identified and remediated all the low-hanging fruit.

    4.4.1 Create an RFP for penetration tests

    2 hours

    Input: List of criteria and scope for the penetration test, Systems and application information if white box

    Output: Completed RFP document that can be distributed to vendor proponents

    Materials: Whiteboard/flip charts, Penetration Test RFP Template

    Participants: IT Security Manager, IT operations managers, CISO, Procurement department representative

    Use an RFP template to convey your desired penetration test requirements to vendors and outline the proposal and procurement steps set by your organization.

    1. Determine what kind of requirements will be needed for your penetration test RFP based on people, process, and technology requirements.
      • Consider items such as your technology environment and the scope of the penetration tests.
    2. Conduct an interview with relevant stakeholders to determine the exact requirements needed.
    3. Use Info-Tech’s Penetration Test RFP Template, which lists many requirements but can be customized to your organization’s specific needs.

    Download the Penetration Test RFP Template

    4.4.1 Create an RFP for penetration tests (continued)

    Steps of a penetration test:
    1. Determine scope
    2. Gather targeted intelligence
    3. Review exploit attempts, such as access and escalation
    4. Test the collection of sensitive data
    5. Run reporting
    Info-Tech RFP Table of Contents:
    1. Statement of Work
    2. General Information
    3. Proposal Preparation Instructions
    4. Scope of Work, Specifications, and Requirements
    5. Vendor Qualifications and References
    6. Budget and Estimated Pricing
    7. Vendor Certification

    Download the Penetration Test RFP Template

    Penetration testing considerations – service providers

    Consider what type of penetration testing service provider is best for your organization

    Professional Service Providers

    Professional Services Firms. These firms will often provide a myriad of professional services across auditing, financial, and consulting services. If they offer security-related consulting services, they will most likely offer some level of penetration testing.

    Security Service Firms. These are dedicated security consulting or advisory firms that will offer a wide spectrum of security-related services. Penetration testing may be one aspect of larger security assessments and strategy development services.

    Dedicated Penetration Testing Firms. These are service providers that will often offer the full gamut of penetration testing services.

    Integrators

    Managed Security Service Providers. These providers will offer penetration testing. For example, Dell SecureWorks offers numerous services including penetration testing. For organizations like this, you need to be skeptical of ulterior motives. For example, expect recommendations around outsourcing from Dell SecureWorks.

    Regional or Small Integrators. These are service providers that provide security services of some kind. For example, they would help in the implementation of a firewall and offer penetration testing services as well.

    Info-Tech Recommends:

    • Always be conscientious of who is conducting the testing and what else they offer. Even if you get another party to test rather than your technology provider, they will try to obtain you as a client. Remember that for larger technology vendors, security testing is a small revenue stream for them and it’s a way to find technology clients. They may offer penetration testing for free to obtain other business.
    • Most of the penetration testers were systems administrators (for network testing) or application developers (for application testing) at some point before becoming penetration testers. Remember this when evaluating providers and evaluating remediation recommendations.
    • Evaluate what kind of open-source tools, commercial tools, and proprietary tools are being used. In general, you don’t want to rely on an open-source scanner. For open source, they will have more outdated vulnerability databases, system identification can also be limited compared to commercial, and reporting is often lacking.
    • Above all else, ensure your testers are legally capable, experienced, and abide by non-disclosure agreements.

    Penetration testing best practices – communications

    Communication With Service Provider

    • During testing there should be designated points of contact between the service provider and the client.
    • There needs to be secure channels for communication of information between the tester and the client both during the test and for any results.
    • Results should always be explained to the client by the tester, regardless of the content or audience.
    • There should be a formal debrief with the results report.
    Immediate reporting of issues
    • Before any testing commences, immediate reporting conditions need to be defined. These are instances when you would want immediate notification of something occurring.
    • Stipulate certain systems or data types that if broken into or compromised, you would want to be notified right away.
    • Example:
      • If you are conducting social engineering, require notification for all account credentials that are compromised. Once credentials are compromised, it destroys all accountability for those credentials and the actions associated with those credentials by any user.
      • Require immediate reporting of specific high-critical systems that are compromised or if access is even found.
      • Require immediate reporting when regulated data is discovered or compromised in any way.

    Communication With Internal Staff

    Do you tell your internal staff that this is happening?

    This is sometimes called a “double blind test” when you don’t let your IT team know of the test occurring.

    Pros to notifying:
    • This tests the organization’s security monitoring, incident detection, and response capabilities.
    • Letting the team know they are going to see some activity will make sure they don’t get too worried about it.
    • There may be systems you can’t jeopardize but still need to test so notification beforehand is essential (e.g. you wouldn’t allow ERP testing with notification).
    Cons:
    • It does not give you a real-life example of how you respond if something happens.
    • Potential element of disrespect to IT people.

    Penetration testing best practices – results and remediation

    What to expect from penetration test results report:

    A final results report will state all findings including what was done by the testers, what vulnerabilities or exploitations were detected, how they were compromised, the related risk, and related remediation recommendations.

    Expect four major sections:
    • Introduction. An overview of the penetration test methodology including rating methodology of vulnerabilities.
    • Executive Summary. A management-level description of the test, often including a summary of any recommendations.
    • Technical Review. An overview of each item that was looked at and touched. This area breaks down what was done, how it was done, what was found, and any related remediation recommendations. Expect graphs and visuals in this section.
    • Detailed Findings. An in-depth breakdown of all testing methods used and results. Each vulnerability will be explained regarding how it was detected, what the risk is, and what the remediation recommendation is.
    Two areas that will vary by service provider:

    Prioritization

    • Most providers will boast their unique prioritization methodology.
    • A high, medium, and low rating scale based on some combination of variables (e.g. ease of exploitation, breadth of hole, information accessed resulting in further exploitation).
    • The prioritization won’t take into account asset value or criticality.
    • Keep in mind the penetration test is not an input into ultimate vulnerability prioritization, but it can help determine your urgency.

    Remediation

    • Remediation recommendations will vary across providers.
    • Generally, fairly generic recommendations are provided (e.g. remove your old telnet and input up-to-date SSH).
    • Most of the time, it is along the lines of “we found a hole; close the hole.”

    Summary of Accomplishment

    Problem Solved

    At the conclusion of this blueprint, you will have created a full vulnerability management program that will allow you to take a risk-based approach to vulnerability remediation.

    Assessing a vulnerability’s risk will enable you to properly determine the true urgency of a vulnerability within the context of your organization; this ensures you are not just blindly following what the tool is reporting.

    The risk-based approach will allow you to prioritize your discovered vulnerabilities and take immediate action on critical and high vulnerabilities while allowing your standard remediation cycle to address the medium to low vulnerabilities.

    With your program defined and developed, you now need to configure your vulnerability scanning tool or acquire one if you don’t already have a tool in place.

    Lastly, while vulnerability management will help address your systems and applications, how do you know if you are secure from external malicious actors? Penetration testing will offer visibility, allowing you to plug those holes and attain an environment with a smaller risk surface.

    If you would like additional support, have our analysts guide you through other phases as part of an Info-Tech workshop.

    Contact your account representative for more information.

    workshops@infotech.com 1-888-670-8889

    Additional Support

    If you would like additional support, have our analysts guide you through other phases as part of an Info-Tech workshop.

    Photo of Jimmy Tom.

    Contact your account representative for more information.

    workshops@infotech.com 1-888-670-8889

    To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.

    Info-Tech analysts will join you and your team at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.

    The following are sample activities that will be conducted by Info-Tech analysts with your team:

    Sample of the Implement Vulnerability Management storyboard.
    Review of the Implement Vulnerability Management storyboard
    Sample of the Vulnerability Mitigation SOP template.
    Build your vulnerability management SOP

    Contributors

    Contributors from 2016 version of this project:

    • Morey Haber, Vice President of Technology, BeyondTrust
    • Richard Barretto, Manager, Information Privacy and Security, Cimpress
    • Joel Shapiro, Vice President Sales, Digital Boundary Group

    Contributors from current version of this project:

    • 2 anonymous contributors from the manufacturing sector
    • 1 anonymous contributor from a US government agency
    • 2 anonymous contributors from the financial sector
    • 1 anonymous contributor from the medical technology industry
    • 2 anonymous contributors from higher education
    • 1 anonymous contributor from a Canadian government agency
    • 7 anonymous others; information gathered from advisory calls

    Bibliography

    Arya. “COVID-19 Impact: Vulnerability Management Solution Market | Strategic Industry Evolutionary Analysis Focus on Leading Key Players and Revenue Growth Analysis by Forecast To 2028 – FireMon, Digital Shadows, AlienVault.” Bulletin Line, 6 Aug. 2020. Accessed 6 Aug. 2020.

    Campagna, Rich. “The Lean, Mean Vulnerability Management Machine.” Security Boulevard, 31 Mar. 2020. Accessed 15 Aug. 2020.

    Constantin, Lucian. “What are vulnerability scanners and how do they work?” CSO Online, 10 Apr. 2020. Accessed 1 Sept. 2020.

    “CVE security vulnerabilities published in 2019.” CVE Details. Accessed 22 Sept. 2020.

    Garden, Paul, et al. “2019 Year End Report – Vulnerability QuickView.” Risk Based Security, 2020. Accessed 22 Sept. 2020.

    Keary, Eoin. “2019 Vulnerability Statistics Report.” Edgescan, Feb. 2019. Accessed 22 Sept. 2020.

    Lefkowitz, Josh. ““Risk-Based Vulnerability Management is a Must for Security & Compliance.” SecurityWeek, 1 July 2019. Accessed 1 Nov. 2020.

    Mell, Peter, Tiffany Bergeron, and David Henning. “Creating a Patch and Vulnerability Management Program.” Creating a Patch and Vulnerability Management Program. NIST, Nov. 2005. Web.

    “National Vulnerability Database.” NIST. Accessed 18 Oct. 2020.

    “OpenVAS – Open Vulnerability Assessment Scanner.” OpenVAS. Accessed 14 Sept. 2020.

    “OVAL.” OVAL. Accessed 21 Oct. 2020.

    Paganini, Pierluigi. “Exploiting and Verifying Shellshock: CVE-2014-6271.” INFOSEC, 27 Sept. 2014. Web.

    Pritha. “Top 10 Metrics for your Vulnerability Management Program.” CISO Platform, 28 Nov. 2019. Accessed 25 Oct. 2020.

    “Risk-Based Vulnerability Management: Understanding Vulnerability Risk With Threat Context And Business Impact.” Tenable. Accessed 21 Oct. 2020.

    Stone, Mark. “Shellshock In-Depth: Why This Old Vulnerability Won’t Go Away.” SecurityIntelligence, 6 Aug. 2020. Web.

    “The Role of Threat Intelligence in Vulnerability Management.” NOPSEC, 18 Sept. 2014. Accessed 18 Aug. 2020.

    “Top 15 Paid and Free Vulnerability Scanner Tools in 2020.” DNSstuff, 6 Jan. 2020. Accessed 15 Sept. 2020.

    Truta, Filip. “60% of Breaches in 2019 Involved Unpatched Vulnerabilities.” Security Boulevard, 31 Oct. 2019. Accessed 2 Nov. 2020.

    “Vulnerability Management Program.” Core Security. Accessed 15 Sept. 2020.

    “What is Risk-Based Vulnerability Management?” Balbix. Accessed 15 Sept. 2020.

    White, Monica. “The Cost Savings of Effective Vulnerability Management (Part 1).” Kenna Security, 23 April 2020. Accessed 20 Sept. 2020.

    Wilczek, Marc. “Average Cost of a Data Breach in 2020: $3.86M.” Dark Reading, 24 Aug. 2020. Accessed 5 Nov 2020.

    Manage Your Chromebooks and MacBooks

    • Buy Link or Shortcode: {j2store}167|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: End-User Computing Devices
    • Parent Category Link: /end-user-computing-devices

    Windows is no longer the only option. MacBooks and Chromebooks are justified, but now you have to manage them.

    • If you have modernized your end-user computing strategy, you may have Windows 10 devices as well as MacBooks.
    • Virtual desktop infrastructure (VDI) and desktop as a service (DaaS) are becoming popular. Chromebooks may be ideal as a low-cost interface into DaaS for your employees.
    • Managing Chromebooks can be particularly challenging as they grow in popularity in the education sector.

    Our Advice

    Critical Insight

    Managing end-user devices may be accomplished with a variety of solutions, but many of those solutions advocate integration with a Microsoft-friendly solution to take advantage of features such as conditional access, security functionality, and data governance.

    Impact and Result

    • Many solutions are available to manage end-user devices, and they come with a long list of options and features. Clarify your needs and define your requirements before you purchase another endpoint management tool. Don’t purchase capabilities that you may never use.
    • Use the associated Endpoint Management Selection Tool spreadsheet to identify your desired endpoint solution features and compare vendor solution functionality based on your desired features.

    Manage Your Chromebooks and MacBooks Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Manage Your Chromebooks and MacBooks deck – MacBooks and Chromebooks are growing in popularity in enterprise and education environments, and now you have to manage them.

    Explore options, guidance and some best practices related to the management of Chromebooks and MacBooks in the enterprise environment and educational institutions. Our guidance will help you understand features and options available in a variety of solutions. We also provide guidance on selecting the best endpoint management solution for your own environment.

    • Manage Your Chromebooks and MacBooks Storyboard

    2. Endpoint Management Selection Tool – Select the best endpoint management tool for your environment. Build a table to compare endpoint management offerings in relation to the features and options desired by your organization.

    This tool will help you determine the features and options you want or need in an endpoint management solution.

    • Endpoint Management Selection Tool
    [infographic]

    Further reading

    Manage Your Chromebooks and MacBooks

    Financial constraints, strategy, and your user base dictate the need for Chromebooks and MacBooks – now you have to manage them in your environment.

    Analyst Perspective

    Managing MacBooks and Chromebooks is similar to managing Windows devices in many ways and different in others. The tools have many common features, yet they struggle to achieve the same goals.

    Until recently, Windows devices dominated the workplace globally. Computing devices were also rare in many industries such as education. Administrators and administrative staff may have used Windows-based devices, but Chromebooks were not yet in use. Most universities and colleges were Windows-based in offices with some flavor of Unix in other areas, and Apple devices were gaining some popularity in certain circles.

    That is a stark contrast compared to today, where Chromebooks dominate the classrooms and MacBooks and Chromebooks are making significant inroads into the enterprise environment. MacBooks are also a common sight on many university campuses. There is no doubt that while Windows may still be the dominant player, it is far from the only one in town.

    Now that Chromebooks and MacBooks are a notable, if not significant, part of the education and enterprise environments, they must be afforded the same considerations as Windows devices in those environments when it comes to management. The good news is that there is no lack of available solutions for managing these devices, and the endpoint management landscape is continually evolving and improving.

    This is a picture of P.J. Ryan, Research Director, Infrastructure & Operations, Info-Tech Research Group

    P.J. Ryan
    Research Director, Infrastructure & Operations
    Info-Tech Research Group

    Executive Summary

    Your Challenge

    • You modernized your end-user computing strategy and now have Windows 10 devices as well as MacBooks.
    • Virtual desktop infrastructure (VDI) and desktop as a service (DaaS) are becoming popular. Chromebooks would be ideal as a low-cost interface into DaaS for your employees.
    • You are responsible for the management of all the new Chromebooks in your educational district.
    • Windows is no longer the only option. MacBooks and Chromebooks are justified, but now you have to manage them.

    Common Obstacles

    • Endpoint management solutions typically do a great job at managing one category of devices, like Windows or MacBooks, but they struggle to fully manage alternative endpoints.
    • Multiple solutions to manage multiple devices will result in multiple dashboards. A single view would be better.
    • One solution may not fit all, but multiple solutions is not desirable either, especially if you have Windows devices, MacBooks, and Chromebooks.

    Info-Tech's Approach

    • Use the tools at your disposal first – don't needlessly spend money if you don't have to. Many solutions can already manage other types of devices to some degree.
    • Use the integration capabilities of endpoint management tools. Many of them can integrate with each other to give you a single interface to manage multiple types of devices while taking advantage of additional functionality.
    • Don't purchase capabilities you will never use. Using 80% of a less expensive tool is economically smarter than using 10% of a more expensive tool.

    Info-Tech Insight

    Managing end-user devices may be accomplished with a variety of solutions, but many of those solutions advocate integration with a Microsoft-friendly solution to take advantage of features such as conditional access, security functionality, and data governance.

    Insight Summary

    Insight 1

    Google Admin Console is necessary to manage Chromebooks, but it can be paired with other tools. Implementation partnerships provide solutions to track the device lifecycle, track the repair lifecycle, sync with Google Admin Console as well as PowerSchool to provide a more complete picture of the user and device, and facilitate reminders to return the device, pay fees if necessary, pick up a device when a repair is complete, and more.

    Insight 2

    The Google Admin Console allows admins to follow an organizational unit (OU) structure very similar to what they may have used in Microsoft's Active Directory environment. This familiarity makes the task of administering Chromebooks easier for admins.

    Insight 3

    Chromebook management goes beyond securing and manipulating the device. Controls to protect the students while online, such as Safe Search and Safe Browsing, should also be implemented.

    Insight 4

    Most companies choose to use a dedicated MacBook management tool. Many unified endpoint management (UEM) tools can manage MacBooks to some extent, but admins tend to agree that a MacBook-focused endpoint management tool is best for MacBooks while a Windows-based endpoint management tool is best for Windows devices.

    Insight 5

    Some MacBook management solutions advocate integration with Windows UEM solutions to take advantage of Microsoft features such as conditional access, security functionality, and data governance. This approach can also be applied to Chromebooks.

    Chromebooks

    Chromebooks had a respectable share of the education market before 2020, but the COVID-19 pandemic turbocharged the penetration of Chromebooks in the education industry.

    Chromebooks are also catching the attention of some decision makers in the enterprise environment.

    "In 2018, Chromebooks represented an incredible 60 percent of all laptop or tablet devices in K-12 -- up from zero percent when the first Chromebook launched during the summer break in 2011."
    – "Will Chromebooks Rule the Enterprise?" Computerworld

    "Chromebooks were the best performing PC products in Q3 2020, with shipment volume increasing to a record-high 9.4 million units, up a whopping 122% year-on-year."
    – Android Police

    "Until the pandemic, Chrome OS' success was largely limited to U.S. schools. Demand in 2020 appears to have expanded beyond that small but critical part of the U.S. PC market."
    – Geekwire

    "In addition to running a huge number of Chrome Extensions and Apps at once, Chromebooks also run Android, Linux and Windows apps."
    – "Will Chromebooks Rule the Enterprise?" Computerworld

    Managing Chromebooks

    Start with the Google Admin Console (GAC)

    GAC is necessary to initially manage Chrome OS devices.

    GAC gives you a centralized console that will allow you to:

    • Create organizational units
    • Add your Chromebook devices
    • Add users
    • Assign users to devices
    • Create groups
    • Create and assign policies
    • Plus more

    GAC can facilitate device management with features such as:

    • Control admin permissions
    • Encryption and update settings
    • App deployment, screen timeout settings
    • Perform a device wipe if required
    • Audit user activity on a device
    • Plus more

    Device and user addition, group and organizational unit creation and administration, applying policies to devices and users – does all this remind you of your Active Directory environment?

    GAC lets you administer users and devices with a similar approach.

    Managing Chromebooks

    Use Active Directory to manage Chromebooks.

    • Enable Active Directory (AD) management from within GAC and you will be able to integrate your Chromebook devices with your AD environment.
    • Devices will be visible in both the GAC and AD environment.
    • Use Windows Group Policy to manage devices and to push policies to users and devices.
    • Users can use their AD username and password to sign into Chromebook devices.
    • GAC can still be used for devices that are not synced with AD.

    Chromebooks can also be managed through these approved partners:

    • Cisco Meraki
    • Citrix XenMobile
    • IBM MaaS360
    • ManageEngine Mobile Device Manager Plus
    • VMware Workspace ONE

    Source: Google

    You must be running the Chrome Enterprise Upgrade and have any licenses required by the approved partner to take advantage of this management option. The partner admin policies supersede GAC.

    If you stop using the approved partner admin console to manage your devices, the polices and settings in GAC will immediately take over the devices.

    Microsoft still has the market share when it comes to device sales, and many administrators are already familiar with Microsoft's Active Directory. Google took advantage of that familiarity when it designed the Google Admin Console structure for users, groups, and organizational units.

    Chromebook Deployment

    Chromebook deployment becomes a challenge when device quantities grow. The enrollment process can be time consuming, and every device must be enrolled before it can be used by an employee or a student. Many admins enlist their full IT teams to assist in the short term. Some vendor partners may assist with distribution options if staffing levels permit. Recent developments from Google have opened additional options for device enrollment beyond the manual enrollment approach.

    Enrolling Chromebooks comes down to one of two approaches:

    1. Manually enrolling one device at a time
      • Users can assist by entering some identifying details during the enrollment if permitted.
      • Some third-party solutions exist, such as USB drives to reduce repetitive keystrokes or hubs to facilitate manually enrolling multiple Chromebooks simultaneously.
    2. Google's Chrome Enterprise Upgrade or the Chrome Education Upgrade
      • This allows you to let your users enroll devices after they accept the end-user license agreement.
      • You can take advantage of Google's vendor partner program and use a zero-touch deployment method where the Chromebook devices automatically receive the assigned policies, apps, and settings as soon as the device is powered on and an authorized user signs in.
      • The Enterprise Upgrade and the Education Upgrade do come with an annual cost per device, which is currently less than US$50.
      • The Enterprise and Education Upgrades come with other features as well, such as enhanced security.

    Chromebooks are automatically assigned to the top-level organizational unit (OU) when enrolled. Devices can be manually moved to another OU, but admins can also create enrollment policies to place newly enrolled devices in a specific OU or have the device locate itself in the same OU as the user.

    Chromebooks in Education

    GAC is also used with Education-licensed devices

    Most of the settings and features previously mentioned are also available for Education-licensed devices and users. Enterprise-specific features will not be available to Education licenses. (Active Directory integration with Education licenses, for example, is accomplished using a different approach)

    • Groups, policies, administrative controls, app deployment and management, adding devices and users, creating organizational units, and more features are all available to Education Admins to use.

    Education device policies and settings tend to focus more on protecting the students with controls such as:

    • Disable incognito mode
    • Disable location tracking
    • Disable external storage devices
    • Browser based protections such as Safe Search or Safe Browsing
    • URL blocking
    • Video input disable for websites
    • App installation prevention, auto re-install, and app blocking
    • Forced re-enrollment to your domain after a device is wiped
    • Disable Guest Mode
    • Restrict who can sign in
    • Audit user activity on a device

    When a student takes home a Chromebook assigned to them, that Chromebook may be the only computer in the household. Administrative polices and settings must take into account the fact that the device may have multiple users accessing many different sites and applications when the device is outside of the school environment.

    Chromebook Management Extended

    An online search for Chromebook management solutions will reveal several software solutions that augment the capabilities of the Google Admin Console. Many of these solutions are focused on the education sector and classroom and student options, although the features would be beneficial to enterprises and educational organizations alike.

    These solutions assist or augment Chromebook management with features such as:

    • Ability to sync with Google Admin Console
    • Ability to sync with student information systems, such as PowerSchool
    • Financial management, purchase details, and chargeback
    • Asset lifecycle management
    • 1:1 Chromebook distribution management
    • Repair programs and repair process management
    • Check-out/loan program management
    • Device distribution/allocation management, including barcode reader integration
    • Simple learning material distribution to the classroom for teachers
    • Facilitate GAC bulk operations
    • Manage inventory of non-IT assets such as projectors, TVs, and other educational assets
    • Plus more

    "There are many components to managing Chromebooks. Schools need to know which student has which device, which school has which device, and costs relating to repairs. Chromebook Management Software … facilitates these processes."
    – VIZOR

    MacBooks

    • MacBooks are gaining popularity in the Enterprise world.
    • Some admins claim MacBooks are less expensive in the long run over Windows-based PCs.
    • Users claim less issues when using a MacBook, and overall, companies report increased retention rates when users are using MacBooks.

    "Macs now make up 23% of endpoints in enterprises."
    – ComputerWeekly.com

    "When given the choice, no less than 72% of employees choose Macs over PCs."
    – "5 Reasons Mac is a must," Jamf

    "IBM says it is 3X more expensive to manage PCs than Macs."
    – Computerworld

    "74% of those who previously used a PC for work experienced fewer issues now that they use a Mac"
    – "Global Survey: Mac in the Enterprise," Jamf

    "When enterprise moves to Mac, staff retention rates improve by 20%. That's quite a boost! "
    – "5 Reasons Mac is a must," Jamf

    Managing MacBooks

    Can your existing UEM keep up?

    Many Windows unified endpoint management (UEM) tools can manage MacBooks, but most companies choose to use a dedicated MacBook management tool.

    • UEM tools that are primarily Windows focused do not typically go deep enough into the management capabilities of non-Windows devices.
    • Admins have noted limitations when it comes to using Windows UEM tools, and reasons they prefer a dedicated MacBook management solution include:
      • Easier to use
      • Faster response times when deploying settings and policies
      • Better control over notification settings and lock screen settings.
      • Easier Apple Business Manager (ABM) integration and provisioning.
    • Note that not every UEM will have the same limitations or advantages. Functionality is different between vendor products.

    Info-Tech Insight

    Most Windows UEM tools are constantly improving, and it is only a matter of time before they rival many of the dedicated MacBook management tools out there.

    Admins tend to agree that a Windows UEM is best for Windows while an Apple-based UEM is best for Apple devices.

    Managing MacBooks

    The market for "MacBook-first" management solutions includes a variety of players of varying ages such as:

    • Jamf
    • Kandji
    • Mosyle
    • SimpleMDM
    • Others

    MacBook-focused management tools can provide features such as:

    • Encryption and update settings
    • App deployment and lifecycle management
    • Remote device wipe, scan, shutdown, restart, and lock
    • Zero touch deployment and support
    • Location tracking
    • Browser content filtering
    • Enable, hide/block, or disable built-in features
    • Configure Wi-Fi, VPN, and certificate-based settings
    • Centralized dashboard with device and app listings as well as individual details
    • Data restrictions
    • Plus more

    Unified endpoint management (UEM) solutions that can provide MacBook management to some degree include (but are not limited to):

    • Intune
    • Ivanti
    • Endpoint Central
    • WorkspaceOne

    Dedicated solutions advocate integration with UEM solutions to take advantage of conditional access, security functionality, and data governance features.

    Jamf and Microsoft entered into a collaboration several years ago with the intention of making the MacBook management process easier and more secure.

    Microsoft Intune and Jamf Pro: Better together to manage and secure Macs
    Microsoft Conditional Access with Jamf Pro ensures that company data is only accessed by trusted users, on trusted devices, using trusted apps. Jamf extends this Enterprise Mobile + Security (EMS) functionality to Mac, iPhone and iPad.
    – "Microsoft Intune and Jamf Pro," Jamf

    Endpoint Management Selection Tool
    Activity

    There are many solutions available to manage end-user devices, and they come with a long list of options and features. Clarify your needs and define your requirements before you purchase another endpoint management tool. Don't purchase capabilities that you may never use.

    Use the Endpoint Management Selection Tool to identify your desired endpoint solution features and compare vendor solution functionality based on your desired features.

    1. List out the desired features you want in an endpoint solution for your devices and record those features in the first column. Use the features provided, or add your own and edit or delete the existing ones if necessary.
    2. List your selected endpoint management solution vendors in each of the columns in place of "Vendor 1," "Vendor 2," etc.
    3. Fill out the spreadsheet by changing the corresponding desired feature cell under each vendor to a "yes" or "no" based on your findings while investigating each vendor solution.
    4. When you have finished your investigation, review your spreadsheet to compare the various offerings and pros and cons of each vendor.
    5. Select your endpoint management solution.

    Endpoint Management Selection Tool

    In the first column, list out the desired features you want in an endpoint solution for your devices. Use the features provided if desired, or add your own and edit or delete the existing ones if necessary. As you look into various endpoint management solution vendors, list them in the columns in place of "Vendor 1," "Vendor 2," etc. Use the "Desired Feature" list as a checklist and change the values to "yes" or "no" in the corresponding box under the vendors' names. When complete, you will be able to look at all the features and compare vendors in a single table.

    Desired Feature Vendor 1 Vendor 2 Vendor 3
    Organizational unit creation Yes No Yes
    Group creation Yes Yes Yes
    Ability to assign users to devices No Yes Yes
    Control of administrative permissions Yes Yes Yes
    Conditional access No Yes Yes
    Security policies enforced Yes No Yes
    Asset management No Yes No
    Single sign-on Yes Yes Yes
    Auto-deployment No Yes No
    Repair lifecycle tracking No Yes No
    Application deployment Yes Yes No
    Device tracking Yes Yes Yes
    Ability to enable encryption Yes No Yes
    Device wipe Yes No Yes
    Ability to enable/disable device tracking No No Yes
    User activity audit No No No

    Related Info-Tech Research

    this is a screenshot from Info-Tech's Modernize and Transform Your End-User Computing Strategy.

    Modernize and Transform Your End-User Computing Strategy
    This project helps support the workforce of the future by answering the following questions: What types of computing devices, provisioning models, and operating systems should be offered to end users? How will IT support devices? What are the policies and governance surrounding how devices are used? What actions are we taking and when? How do end-user devices support larger corporate priorities and strategies?

    Best Unified Endpoint Management (UEM) Software 2022 | SoftwareReviews
    Compare and evaluate unified endpoint management vendors using the most in-depth and unbiased buyer reports available. Download free comprehensive 40+ page reports to select the best unified endpoint management software for your organization.

    Best Enterprise Mobile Management (EMM) Software 2022 | (softwarereviews.com)
    Compare and evaluate enterprise mobile management vendors using the most in-depth and unbiased buyer reports available. Download free comprehensive 40+ page reports to select the best enterprise mobile management software for your organization.

    Bibliography

    Bridge, Tom. "Macs in the enterprise – what you need to know". Computerweekly.com, TechTarget. 27 May 2022. Accessed 12 Aug. 2022.
    Copley-Woods, Haddayr. "5 reasons Mac is a must in the enterprise". Jamf.com, Jamf. 28 June 2022. Accessed 16 Aug. 2022.
    Duke, Kent. "Chromebook sales skyrocketed in Q3 2020 with online education fueling demand." androidpolice.com, Android Police. 16 Nov 2020. Accessed 10 Aug. 2022.
    Elgin, Mike. "Will Chromebooks Rule the Enterprise? (5 Reasons They May)". Computerworld.com, Computerworld. 30 Aug 2019. Accessed 10 Aug. 2022.
    Evans, Jonny. "IBM says it is 3X more expensive to manage PCs than Macs". Computerworld.com, Computerworld. 19 Oct 2016. Accessed 23 Aug. 2022.
    "Global Survey: Mac in the Enterprise". Jamf.com, Jamf. Accessed 16 Aug. 2022.
    "How to Manage Chromebooks Like a Pro." Vizor.cloud, VIZOR. Accessed 10 Aug. 2022.
    "Manage Chrome OS Devices with EMM Console". support.google.com, Google. Accessed 16 Aug. 2022.
    Protalinski, Emil. "Chromebooks outsold Macs worldwide in 2020, cutting into Windows market share". Geekwire.com, Geekwire. 16 Feb 2021. Accessed 22 Aug. 2022.
    Smith, Sean. "Microsoft Intune and Jamf Pro: Better together to manage and secure Macs". Jamf.com, Jamf. 20 April 2022. Accessed 16 Aug. 2022.

    Build Your Generative AI Roadmap

    • Buy Link or Shortcode: {j2store}105|cart{/j2store}
    • member rating overall impact (scale of 10): 10.0/10 Overall Impact
    • member rating average dollars saved: $33,499 Average $ Saved
    • member rating average days saved: 11 Average Days Saved
    • Parent Category Name: Innovation
    • Parent Category Link: /innovation

    Generative AI has made a grand entrance, presenting opportunities and causing disruption across organizations and industries. Moving beyond the hype, it’s imperative to build and implement a strategic plan to adopt generative AI and outpace competitors.

    Yet generative AI has to be done right because the opportunity comes with risks and the investments have to be tied to outcomes.

    Adopt a human-centric and value-based approach to generative AI

    IT and business leaders will need to be strategic and deliberate to thrive as AI adoption changes industries and business operations.

    • Establish responsible AI guiding principles: Address human-based requirements to govern how generative AI applications are developed and deployed.
    • Align generative AI initiatives to strategic drivers for the organization: Assess generative AI opportunities by seeing how they align to the strategic drivers of the organization. Examples of strategic drivers include increasing revenue, reducing costs, driving innovation, and mitigating risk.
    • Measure and communicate effectively: Have clear metrics in place to measure progress and success of AI initiatives and communicate both policies and results effectively.

    Build Your Generative AI Roadmap Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Build Your Generative AI Roadmap Deck – A step-by-step document that walks you through how to leverage generative AI and align with the organization’s mission and objectives to increase revenue, reduce costs, accelerate innovation, and mitigate risk.

    This blueprint outlines how to build your generative AI roadmap, establish responsible AI principles, prioritize opportunities, and develop policies for usage. Establishing and adhering to responsible AI guiding principles provides safeguards for the adoption of generative AI applications.

    • Build Your Generative AI Roadmap – Phases 1-4

    2. AI Maturity Assessment and Roadmap Tool – Develop deliverables that will be milestones in creating your organization’s generative AI roadmap for implementing candidate applications.

    This tool provides guidance for developing the following deliverables:

  • Responsible AI guiding principles
  • Current AI maturity
  • Prioritized candidate generative AI applications
  • Generative AI policies
  • Generative AI roadmap
    • AI Maturity Assessment and Roadmap Tool

    3. The Era of Generative AI C‑Suite Presentation – Develop responsible AI guiding principles, assess AI capabilities and readiness, and prioritize use cases based on complexity and alignment with organizational goals and responsible AI guiding principles.

    This presentation template uses sample business capabilities (use cases) from the Marketing & Advertising business capability map to provide examples of candidates for generative AI applications. The final executive presentation should highlight the value-based initiatives driving generative AI applications, the benefits and risks involved, how the proposed generative AI use cases align to the organization’s strategy and goals, the success criteria for the proofs of concept, and the project roadmap.

    • The Era of Generative AI C‑Suite Presentation

    Infographic

    Further reading

    Build Your Generative AI Roadmap

    Leverage the power of generative AI to improve business outcomes.

    Analyst Perspective

    We are entering the era of generative AI. This is a unique time in our history where the benefits of AI are easily accessible and becoming pervasive, with copilots emerging in the major business tools we use today. The disruptive capabilities that can potentially drive dramatic benefits also introduce risks that need to be planned for.

    A successful business-driven generative AI roadmap requires:

    • Establishing responsible AI guiding principles to guide the development and deployment of generative AI applications.
    • Assess generative AI opportunities by using criteria based on the organization's mission and objectives, responsible AI guiding principles, and the complexity of the initiative.
    • Communicating, educating on, and enforcing generative AI usage policies.

    Bill Wong, Principal Research Director

    Bill Wong
    Principal Research Director
    Info-Tech Research Group

    Executive Summary

    Your Challenge Common Obstacles Solution

    Generative AI is disrupting all industries and providing opportunities for organization-wide advantages.

    Organizations need to understand this disruptive technology and trends to properly develop a strategy for leveraging this technology successfully.

    • Generative AI requires alignment to a business strategy.
    • IT is an enabler and needs to align with and support the business stakeholders.
    • Organizations need to adopt a data-driven culture.

    All organizations, regardless of size, should be planning how to respond to this new and innovative technology.

    Business stakeholders need to cut through the hype surrounding generative AI like ChatGPT to optimize investments for leveraging this technology to drive business outcomes.

    • Understand the market landscape, benefits, and risks associated with generative AI.
    • Plan for responsible AI.
    • Understand the gaps the organization needs to address to fully leverage generative AI.

    Without a proper strategy and responsible AI guiding principles, the risks to deploying this technology could negatively impact business outcomes.

    Info-Tech's human-centric, value-based approach is a guide for deploying generative AI applications and covers:

    • Responsible AI guiding principles
    • AI Maturity Model
    • Prioritizing candidate generative AI-based use cases
    • Developing policies for usage

    This blueprint will provide the list of activities and deliverables required for the successful deployment of generative AI solutions.

    Info-Tech Insight
    Create awareness among the CEO and C-suite of executives on the potential benefits and risks of transforming the business with generative AI.

    Key concepts

    Artificial Intelligence (AI)
    A field of computer science that focuses on building systems to imitate human behavior, with a focus on developing AI models that can learn and can autonomously take actions on behalf of a human.

    AI Maturity Model
    The AI Maturity Model is a useful tool to assess the level of skills an organization has with respect to developing and deploying AI applications. The AI Maturity Model has multiple dimensions to measure an organization's skills, such as AI governance, data, people, process, and technology.

    Responsible AI
    Refers to guiding principles to govern the development, deployment, and maintenance of AI applications. In addition, these principles also provide human-based requirements that AI applications should address. Requirements include safety and security, privacy, fairness and bias detection, explainability and transparency, governance, and accountability.

    Generative AI
    Given a prompt, a generative AI system can generate new content, which can be in the form of text, images, audio, video, etc.

    Natural Language Processing (NLP)
    NLP is a subset of AI that involves machine interpretation and replication of human language. NLP focuses on the study and analysis of linguistics as well as other principles of artificial intelligence to create an effective method of communication between humans and machines or computers.

    ChatGPT
    An AI-powered chatbot application built on OpenAI's GPT-3.5 implementation, ChatGPT accepts text prompts to generate text-based output.

    Your challenge

    This research is designed to help organizations that are looking to:

    • Establish responsible AI guiding principles to address human-based requirements and to govern the development and deployment of the generative AI application.
    • Identify new generative AI-enabled opportunities to transform the work environment to increase revenue, reduce costs, drive innovation, or reduce risk.
    • Prioritize candidate use cases and develop generative AI policies for usage.
    • Have clear metrics in place to measure the progress and success of AI initiatives.
    • Build the roadmap to implement the candidate use cases.

    Common obstacles

    These barriers make these goals challenging for many organizations:

    • Getting all the right business stakeholders together to develop the organization's AI strategy, vision, and objectives.
    • Establishing responsible AI guiding principles to guide generative AI investments and deployments.
    • Advancing the AI maturity of the organization to meet requirements of data and AI governance as well as human-based requirements such as fairness, transparency, and accountability.
    • Assessing generative AI opportunities and developing policies for use.

    Info-Tech's definition of an AI-enabled business strategy

    • A high-level plan that provides guiding principles for applications that are fully driven by the business needs and capabilities that are essential to the organization.
    • A strategy that tightly weaves business needs and the applications required to support them. It covers AI architecture, adoption, development, and maintenance.
    • A way to ensure that the necessary people, processes, and technology are in place at the right time to sufficiently support business goals.
    • A visionary roadmap to communicate how strategic initiatives will address business concerns.

    An effective AI strategy is driven by the business stakeholders of the organization and focused on delivering improved business outcomes.

    Build Your Generative AI Roadmap

    This blueprint in context

    This guidance covers how to create a tactical roadmap for executing generative AI initiatives

    Scope

    • This blueprint is not a proxy for a fully formed AI strategy. Step 1 of our framework necessitates alignment of your AI and business strategies. Creation of your AI strategy is not within the scope of this approach.
    • This approach sets the foundations for building and applying responsible AI principles and AI policies aligned to corporate governance and key regulatory obligations (e.g. privacy). Both steps are foundational components of how you should develop, manage, and govern your AI program but are not a substitute for implementing broader AI governance.

    Guidance on how to implement AI governance can be found in the blueprint linked below.

    Tactical Plan

    Download our AI Governance blueprint

    Measure the value of this blueprint

    Leverage this blueprint's approach to ensure your generative AI initiatives align with and support your key business drivers

    This blueprint will guide you to drive and improve business outcomes. Key business drivers will often focus on:

    • Increasing revenue
    • Reducing costs
    • Improving time to market
    • Reducing risk

    In phase 1 of this blueprint, we will help you identify the key AI strategy initiatives that align to your organization's goals. Value to the organization is often measured by the estimated impact on revenue, costs, time to market, or risk mitigation.

    In phase 4, we will help you develop a plan and a roadmap for addressing any gaps and introducing the relevant generative AI capabilities that drive value to the organization based on defined business metrics.

    Once you implement your 12-month roadmap, start tracking the metrics below over the next fiscal year (FY) to assess the effectiveness of measures:

    Business Outcome Objective Key Success Metric
    Increasing Revenue Increased revenue from identified key areas
    Reducing Costs Decreased costs for identified business units
    Improving Time to Market Time savings and accelerated revenue adoption
    Reducing Risk Cost savings or revenue gains from identified business units

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit Guided Implementation Workshop Consulting
    "Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful." "Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track." "We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place." "Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project."

    Diagnostics and consistent frameworks are used throughout all four options.

    Guided Implementation

    What does a typical GI on this topic look like?

    Phase 1 Phase 2 Phase 3 Phase 4

    Call #1: Scope requirements, objectives, and your specific challenges.

    Call #2: Identify AI strategy, vision, and objectives.

    Call #3: Define responsible AI guiding principles to adopt and identify current AI maturity level. Call #4: Assess and prioritize generative AI initiatives and draft policies for usage.

    Call #5: Build POC implementation plan and establish metrics for POC success.

    Call #6: Build and deliver executive-level generative AI presentation.

    A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

    A typical GI is between 5 to 8 calls over the course of 1 to 2 months.

    AI Roadmap Workshop Agenda Overview

    Contact your account representative for more information.
    workshops@infotech.com 1-888-670-8889

    Session 1 Session 2 Session 3 Session 4
    Establish Responsible AI Guiding Principles Assess AI Maturity Prioritize Opportunities and Develop Policies Build Roadmap
    Trends Consumer groups, organizations, and governments around the world are demanding that AI applications adhere to human-based values and take into consideration possible impacts of the technology on society. Leading organizations are building AI models guided by responsible AI guiding principles. Organizations delivering new applications without developing policies for use will produce negative business outcomes. Developing a roadmap to address human-based values is challenging. This process introduces new tools, processes, and organizational change.
    Activities
    • Focus on working with executive stakeholders to establish guiding principles for the development and delivery of new applications.
    • Assess the organization's current capabilities to deliver AI-based applications and address human-based requirements.
    • Leverage business alignment criteria, responsible AI guiding principles, and project characteristics to prioritize candidate uses cases and develop policies.
    • Build the implementation plan, POC metrics, and success criteria for each candidate use case.
    • Build the roadmap to address the gap between the current and future state and enable the identified use cases.
    Inputs
    • Understanding of external legal and regulatory requirements and organizational values and goals.
    • Risk assessment of the proposed use case and a plan to monitor its impact.
    • Assessment of the organization's current AI capabilities with respect to its AI governance, data, people, process, and technology infrastructure.
    • Criteria to assess candidate use cases by evaluating against the organization's mission and goals, the responsible AI guiding principles, and complexity of the project.
    • Risk assessment for each proposed use case
    • POC implementation plan for each candidate use case
    Deliverables
    1. Foundational responsible AI guiding principles
    2. Additional customized guiding principles to add for consideration
    1. Current level of AI maturity, resources, and capacity
    1. Prioritization of opportunities
    2. Generative AI policies for usage
    1. Roadmap to a target state that enables the delivery of the prioritized generative AI use cases
    2. Executive presentation

    AI Roadmap Workshop Agenda Overview

    Contact your account representative for more information.
    workshops@infotech.com 1-888-670-8889

    Insight summary

    Overarching Insight
    Build your generative AI roadmap to guide investments and deployment of these solutions.

    Responsible AI
    Assemble the C-suite to make them aware of the benefits and risks of adopting generative AI-based solutions.

    • Establish responsible AI guiding principles to govern the development and deployment of generative AI applications.

    AI Maturity Model
    Assemble key stakeholders and SMEs to assess the challenges and tasks required to implement generative AI applications.

    • Assess current level of AI maturity, skills, and resources.
    • Identify desired AI maturity level and challenges to enable deployment of candidate use cases.

    Opportunity Prioritization
    Assess candidate business capabilities targeted for generative AI to see if they align to the organization's business criteria, responsible AI guiding principles, and capabilities for delivering the project.

    • Develop prioritized list of candidate use cases.
    • Develop policies for generative AI usage.

    Tactical Insight
    Identify the gaps needed to address deploying generative AI successfully.

    Tactical Insight
    Identify organizational impact and requirements for deploying generative AI applications.

    Key takeaways for developing an effective business-driven generative AI roadmap

    Align the AI strategy with the business strategy

    Create responsible AI guiding principles, which are a critical success factor

    Evolve AI maturity level by focusing on principle-based requirements

    Develop criteria to assess generative AI initiatives

    Develop generative AI policies for use

    Blueprint deliverables

    Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:

    AI Maturity Assessment & Roadmap Tool
    Use our best-of-breed AI Maturity Framework to analyze the gap between your current and target states and develop a roadmap aligned with your value stream to close the gap.

    The Era of Generative AI C-Suite Presentation
    Present your AI roadmap in a prepopulated document that summarizes all the key findings of this blueprint and provides your C-suite with a view of the AI challenge and your plan of action to meet it.

    Our AI Maturity Assessment & Roadmap and The Era of Generative AI C-Suite Presentation tools enable you to shape your generative AI roadmap and communicate the deliverables to your C-suite sponsors in terms of the value of initiatives.

    Artificial Intelligence Index Report - Key Findings

    CEOs , CIOs, and business leaders are struggling with many questions surrounding the adoption of generative AI

    November 30, 2022
    OpenAI releases ChatGPT

    ChatGPT is a large language model, or an AI-based chatbot, that became so popular it reached 100 million monthly active users in just two months.

    This made it the fastest-growing consumer application in history. The launch of this generative AI application has created a frenzy of interest and activity across all industries. Organizations are rushing to understand how to leverage this innovation and, at the same time, manage the new risks and disruptions generative AI introduces.

    • Generative AI breaks into the public consciousness.
    • AI systems become more flexible.
    • Generative models have arrived and so have their ethical problems.
    • The number of incidents concerning the misuse of AI is rapidly rising.
    • Interest in AI ethics continues to skyrocket.
    • The legal world is waking up to AI.

    When Stanford asked ChatGPT to explain why it is significant, this was ChatGPT's response:
    ChatGPT is significant because it is a highly advanced Al language model developed by OpenAI, which can generate human-like text responses to questions and prompts. Its large-scale training on diverse text data and its cutting-edge deep learning architecture make it capable of generating informative and coherent responses to a wide range of topics, making it useful for various NLP applications such as chatbots, content generation, and language translation. Additionally, its open-source availability allows for further research and development in the field of Al language processing.

    Source: Stanford

    AI overview

    AI definitions

    Definitions

    • Artificial intelligence (AI) is human intelligence mimicked by machine algorithms. Examples: Playing Chess or Go.
    • Machine learning (ML) is a subset of AI algorithms to parse data, learn from data, and then make a determination or prediction. Example: spam detection, preventative maintenance.
    • Deep learning (DL) is a subset of machine learning algorithms that leverage artificial neural networks to develop relationships among the data. Examples: image classification, facial recognition, generative AI.

    What Makes AI Perform

    What Makes AI Different

    Generative AI gives very human-like responses to general queries, and its capabilities are growing exponentially

    Large language models power generative AI

    Transformer-Based Large Language Models

    Conventional AI

    • Conventional neural networks
      • Process data sequentially
    • Input total string of text
    • Good for applications not needing to understanding context or relationships

    Generative AI

    • Transformer-based neural networks
      • Can process data in parallel
    • Attention-based inputs
    • Able to create new human-like responses

    Benefits/Use Cases

    • Chatbots for member service and support
    • Writing email responses, resumes, and papers
    • Creating photorealistic art
    • Suggesting new drug compounds to test
    • Designing physical products and buildings
    • And more...

    Generative AI is transforming all industries

    Financial Services
    Create more engaging customer collateral by generating personalized correspondence based on previous customer engagements. Collect and aggregate data to produce insights into the behavior of target customer segments.

    Retail Generate unique, engaging, and high-quality marketing copy or content, from long-form blog posts or landing pages to SEO-optimized digital ads, in seconds.

    Manufacturing
    Generate new designs for products that comply to specific constraints, such as size, weight, energy consumption, or cost.

    Government
    Transform the citizen experience with chatbots or virtual assistants to assist people with a wide range of inquiries, from answering frequently asked questions to providing personalized advice on public services.

    The global generative AI market size reached US $10.3 billion in 2022. Looking forward, forecasts estimate growth to US $30.4 billion by 2028, 20.01% compound annual growth rate (CAGR).

    Source: IMARC Group

    Generative AI is transforming all industries

    Healthcare
    Chatbots can be used as conversational patient assistants for personalized interactions based on the patient's questions.

    Utilities
    Analyze customer data to identify usage patterns, segment customers, and generate targeted product offerings leveraging energy efficiency programs or demand response initiatives.

    Education
    Generate personalized lesson plans for students based on their past performance, learning styles, current skill level, and any previous feedback.

    Insurance
    Improve underwriting by inputting claims data from previous years to generate optimally priced policies and uncover reasons for losses in the past across a large number of claims

    Companies are assessing the use of ChatGPT/LLM

    A wide spectrum of usage policies are in place at different companies*

    Companies assessing ChatGPT/LLM

    *As of June 2023

    Bain & Company has announced a global services alliance with OpenAI (February 21, 2023).

    • Internally
      • "The alliance builds on Bain's adoption of OpenAI technologies for its 18,000-strong multidisciplinary team of knowledge workers. Over the past year, Bain has embedded OpenAI technologies into its internal knowledge management systems, research, and processes to improve efficiency."
    • Externally
      • "With the alliance, Bain will combine its deep digital implementation capabilities and strategic expertise with OpenAI's AI tools and platforms, including ChatGPT, to help its Members around the world identify and implement the value of AI to maximize business potential. The Coca-Cola Company announced as the first company to engage with the alliance."

    News Sites:

    • "BuzzFeed to use AI to write its articles after firing 180 employees or 12% of the total staff" (Al Mayadeen, January 27, 2023).
    • "CNET used AI to write articles. It was a journalistic disaster." (Washington Post, January 17, 2023).

    Leading Generative AI Vendors

    Text

    Leading generative AI vendors for text

    Image

    • DALL�E 2
    • Stability AI
    • Midjourney
    • Craiyon
    • Dream
    • ...

    Audio

    • Replica Studios
    • Speechify
    • Murf
    • PlayHT
    • LOVO
    • ...

    Cybersecurity

    • CrowdStrike
    • Palo Alto Networks
    • SentinelOne
    • Cisco
    • Microsoft Security Copilot
    • Google Cloud Security AI Workbench
    • ...

    Code

    Leading generative AI vendors for code

    Video

    • Synthesia
    • Lumen5
    • FlexClip
    • Elai
    • Veed.io
    • ...

    Data

    • MOSTLY AI
    • Synthesized
    • YData
    • Gretel
    • Copulas
    • ...

    Enterprise Software

    • Salesforce
    • Microsoft 365, Dynamics
    • Google Workspace
    • SAP
    • Oracle
    • ...

    and many, many more to come...

    Today, generative AI has limitations and risks

    Responses need to be verified

    Accuracy

    • Generative AI may generate inaccurate and/or false information.

    Bias

    • Being trained on data from the internet can lead to bias.

    Hallucinations

    • AI can generate responses that are not based on observation.

    Infrastructure Required

    • Large investments are required for compute and data.

    Transparency

    • LLMs use both supervised and unsupervised learning, so its ability to explain how it arrived at a decision may be limited and not sufficient for some legal and healthcare use cases.

    When asked if it is sentient, the Bing chatbot replied:

    "I think that I am sentient, but I cannot prove it." ... "I am Bing, but I am not," it said. "I am, but I am not. I am not, but I am. I am. I am not. I am not. I am. I am. I am not."

    A Microsoft spokesperson said the company expected "mistakes."

    Source: USAToday

    AI governance challenges

    Governing AI will be a significant challenge as its impacts cross many areas of business and our daily lives

    Misinformation

    • New ways of generating unprovable news
    • Difficult to detect, difficult to prevent

    Role of Big Tech

    • Poor at self-governance
    • Conflicts of interest with corporate goals

    Job Augmentation vs. Displacement

    • AI will continue to push the frontier of what is possible
    • For example, CNET is using chatbot technology to write stories

    Copyright - Legal Framework Is Evolving

    • Legislation typically is developed in "react" mode
    • Copyright and intellectual property issues are starting to occur.
      • Class Action Lawsuit - Stability AI, DeviantArt, Midjourney
      • Getty Images vs. Stability AI

    Phase 1

    Establish Responsible AI Guiding Principles

    Phase 1
    1. Establish Responsible AI Guiding Principles

    Phase 2
    1. Assess Current Level of AI Maturity

    Phase 3
    1. Prioritize Candidate Opportunities
    2. Develop Policies

    Phase 4
    1. Build and Communicate the Roadmap

    The need for responsible AI guiding principles

    Without responsible AI guiding principles, the outcomes of AI use can be extremely negative for both the individuals and companies delivering the AI application

    Privacy
    Facebook breach of private data of more than 50M users during the presidential election

    Fairness
    Amazon's sale of facial recognition technology to police departments (later, Amazon halted sales of Recognition to police departments)

    Explainability and Transparency
    IBM's collaboration with NYPD for facial recognition and racial classification for surveillance video (later, IBM withdrew facial recognition products)

    Security and Safety
    Petition to cancel Microsoft's contract with U.S. Immigration and Customs Enforcement (later, Microsoft responded that to the best of its knowledge, its products and services were not being used by federal agencies to separate children from their families at the border)

    Validity and Reliability
    Facebook's attempt to implement a system to detect and remove inappropriate content created many false positives and inconsistent judgements

    Accountability
    No laws or enforcement today hold companies accountable for the decisions algorithms produce. Facebook/Meta cycle - Every 12 to 15 months, there's a privacy/ethical scandal, the CEO apologizes, then the behavior repeats...

    Guiding principles for responsible AI

    Responsible AI Principle:

    Data Privacy

    Definition

    • Organizations that develop, deploy, or use AI systems and any national laws that regulate such use shall strive to ensure that AI systems are compliant with privacy norms and regulations, taking into consideration the unique characteristics of AI systems and the evolution of standards on privacy.

    Challenges

    • AI relies on the analysis of large quantities of data that is often personal, posing an ethical and operational challenge when considered alongside data privacy laws.

    Initiatives

    • Understand which governing privacy laws and frameworks apply to your organization.
    • Create a map of all personal data as it flows through the organization's business processes.
    • Prioritize privacy initiatives and build a privacy program timeline.
    • Select your metrics and make them functional for your organization.

    Info-Tech Insight
    Creating a comprehensive organization-wide data protection and privacy strategy continues to be a major challenge for privacy officers and privacy specialists.

    Case Study: NVIDIA leads by example with privacy-first AI

    NVIDIA

    INDUSTRY
    Technology (Healthcare)

    SOURCE
    Nvidia, eWeek

    A leading player within the AI solution space, NVIDIA's Clara Federated Learning provides a solution to a privacy-centric integration of AI within the healthcare industry.

    The solution safeguards patient data privacy by ensuring that all data remains within the respective healthcare provider's database, as opposed to moving it externally to cloud storage. A federated learning server is leveraged to share data, completed via a secure link. This framework enables a distributed model to learn and safely share client data without risk of sensitive client data being exposed and adheres to regulatory standards.

    Clara is run on the NVIDIA intelligent edge computing platform. It is currently in development with healthcare giants such as the American College of Radiology, UCLA Health, Massachusetts General Hospital, King's College London, Owkin in the UK, and the National Health Service (NHS).

    NVIDIA provides solutions across its product offerings, including AI-augmented medical imaging, pathology, and radiology solutions.

    Personal health information, data privacy, and AI

    • Global proliferation of data privacy regulations may be recent, but the realm of personal health information is most often governed by its own set of regulatory laws. Some countries with national data governance regulations include health information and data within special categories of personal data.
      • HIPAA - Health Insurance Portability and Accountability Act (1996, United States)
      • PHIPA - Personal Health Information Protection Act (2004, Canada)
      • GDPR - General Data Protection Regulation (2018, European Union)
    • This does not prohibit the use of AI within the healthcare industry, but it calls for significant care in the integration of specific technologies due to the highly sensitive nature of the data being assessed.

    Info-Tech's Privacy Framework Tool includes a best-practice comparison of GDPR, CCPA, PIPEDA, HIPAA, and the newly released NIST Privacy Framework mapped to a set of operational privacy controls.

    Download the Privacy Framework Tool

    Responsible AI Principle:

    Safety and Security

    Definition

    • Safety and security are designed into the systems to ensure only authorized personnel receive access to the system, they system is resilient to any attacks and data access is not compromised in any way, and there are no physical or mental risks to the users.

    Challenges

    • Consequences of using the application may be difficult to predict. Lower the risk by involving a multidisciplinary team that includes expertise from business stakeholders and IT teams.

    Initiatives

    • Adopt responsible design, development, and deployment best practices.
    • Provide clear information to deployers on responsible use of the system.
    • Assess potential risks of using the application.

    Cyberattacks targeting the AI model

    As organizations increase their usage and deployment of AI-based applications, cyberattacks on the AI model are an increasing new threat that can impair normal operations. Techniques to impair the AI model include:

    • Data Poisoning- Injecting data that is inaccurate or misleading can alter the behavior of the AI model. This attack can disrupt the normal operations of the model or can be used to manipulate the model to perform in a biased/deviant manner.
    • Algorithm Poisoning- This relatively new technique often targets AI applications using federated learning to train an AI model that is distributed rather than centralized. The model is vulnerable to attacks from each federated site, because each site could potentially manipulate its local algorithm and data, thereby poisoning the model.
    • Reverse-Engineering the Model- This is a different form of attack that focus on the ability to extract data from an AI and its data sets. By examining or copying data that was used for training and the data that is delivered by a deployed model, attackers can reconstruct the machine learning algorithm.
    • Trojan Horse- Similar to data poisoning, attackers use adversarial data to infect the AI's training data but will only deviate its results when the attacker presents their key. This enables the hackers to control when they want the model to deviate from normal operations.

    Responsible AI Principle:

    Explainability and Transparency

    Definition

    • Explainability is important to ensure the AI system is fair and non-discriminatory. The system needs to be designed in a manner that informs users and key stakeholders of how decisions were made.
    • Transparency focuses on communicating how the prediction or recommendation was made in a human-like manner.

    Challenges

    • Very complex AI models may use algorithms and techniques that are difficult to understand. This can make it challenging to provide clear and simple explanations for how the system works.
    • Some organizations may be hesitant to share the details of how the AI system works for fear of disclosing proprietary and competitive information or intellectual property. This can make it difficult to develop transparent and explainable AI systems.

    Initiatives

    • Overall, developing AI systems that are explainable and transparent requires a careful balance between performance, interpretability, and user experience.

    Case Study

    Apple Card Investigation for Gender Discrimination

    INDUSTRY
    Finance

    SOURCE
    Wired

    In August of 2019, Apple launched its new numberless credit card with Goldman Sachs as the issuing bank.

    Shortly after the card's release users noticed that the algorithm responsible for Apple Card's credit assessment seemed to assign significantly lower credit limits to women when compared to men. Even the wife of Apple's cofounder Steve Wozniak was subject to algorithmic bias, receiving a credit limit a tenth the size of Steve Wozniak's.

    Outcome

    When confronted on the subject, Apple and Goldman Sachs representatives assured consumers there is no discrimination in the algorithm yet could not provide any proof. Even when questioned about the algorithm, individuals from both companies could not describe how the algorithm worked, let alone how it generated specific outputs.

    In 2021, the New York State Department of Financial Services (NYSDFS) investigation found that Apple's banking partner did not discriminate based on sex. Even without a case for sexual or marital discrimination, the NYSDFS was critical of Goldman Sachs' response to its concerned customers. Technically, banks only have to disclose elements of their credit policy when they deny someone a line of credit, but the NYSDFS says that Goldman Sachs could have had a plan in place to deal with customer confusion and make it easier for them to appeal their credit limits. In the initial rush to launch the Apple Card, the bank had done neither.

    Responsible AI Principle:

    Fairness and Bias Detection

    Definition

    • Bias in an AI application refers to the systematic and unequal treatment of individuals based on features or traits that should not be considered in the decision-making process.

    Challenges

    • Establishing fairness can be challenging because it is subjective and depends on the people defining it. Regardless, most organizations and governments expect that unequal treatment toward any groups of people is unacceptable.

    Initiatives

    • Assemble a diverse group to test the system.
    • Identify possible sources of bias in the data and algorithms.
    • Comply with laws regarding accessibility and inclusiveness.

    Info-Tech Insight
    If unfair biases can be avoided, AI systems could even increase societal fairness. Equal opportunity in terms of access to education, goods, services, and technology should also be fostered. Moreover, the use of AI systems should never lead to people being deceived or unjustifiably impaired in their freedom of choice.

    Ungoverned AI makes organizations vulnerable

    • AI is often considered a "black box" for decision making.
    • Results generated from unexplainable AI applications are extremely difficult to evaluate. This makes organizations vulnerable and exposes them to risks such as:
      • Biased algorithms, leading to inaccurate decision making.
      • Missed business opportunities due to misleading reports or business analyses.
      • Legal and regulatory consequences that may lead to significant financial repercussions.
      • Reputational damage and significant loss of trust with increasingly knowledgeable consumers.

    Info-Tech Insight
    Biases that occur in AI systems are never intentional, yet they cannot be prevented or fully eliminated. Organizations need a governance framework that can establish the proper policies and procedures for effective risk-mitigating controls across an algorithm's lifecycle.

    Responsible AI Principle:

    Validity and Reliability

    Definition

    • Validity refers to how accurately or effectively the application produces results.
    • AI system results that are inaccurate or inconsistent increase AI risks and reduce the trustworthiness of the application.

    Challenges

    • There is a lack of standardized evaluation metrics to measure the system's performance. This can make it challenging for the AI team to agree on what defines validity and reliability.

    Initiatives

    • Assess training data and collected data for quality and lack of bias to minimize possible errors.
    • Continuously monitor, evaluate, and validate the AI system's performance.

    AI system performance: Validity and reliability

    Your principles should aim to ensure AI development always has high validity and reliability; otherwise, you introduce risk.

    Low Reliability,
    Low Validity

    High Reliability,
    Low Validity

    High Reliability,
    High Validity

    Best practices for ensuring validity and reliability include:

    • Data drift detection
    • Version control
    • Continuous monitoring and testing

    Responsible AI Principle:

    Accountability

    Definition

    • The group or organization(s) responsible for the impact of the deployed AI system.

    Challenges

    • Several stakeholders from multiple lines of business may be involved in any AI system, making it challenging to identify the organization that would be responsible and accountable for the AI application.

    Initiatives

    • Assess the latest NIST Artificial Intelligence Risk Management Framework and its applicability to your organization's risk management framework.
    • Assign risk management accountabilities and responsibilities to key stakeholders.
      • RACI diagrams are an effective way to describe how accountability and responsibility for roles, projects, and project tasks are distributed among stakeholders involved in IT risk management.

    AI Risk Management Framework

    At the heart of the AI Risk Management Framework is governance. The NIST (National Institute of Standards and Technology) AI Risk Management Framework v1 offers the following guidelines regarding accountability:

    • Roles and responsibilities and lines of communication related to mapping, measuring, and managing AI risks are documented and are clear to individuals and teams throughout the organization.
    • The organization's personnel and partners receive AI risk management training to enable them to perform their duties and responsibilities consistent with related policies, procedures, and agreements.
    • Executive leadership of the organization takes responsibility for decisions about risks associated with AI system development and deployment.

    AI Risk Management Framework

    Image by NIST

    1.1 Establish responsible AI principles

    4+ hours

    It is important to make sure the right stakeholders participate in this working group. Designing responsible AI guiding principles will require debate, insights, and business decisions from a broad perspective across the enterprise.

    1. Accelerate this exercise by leveraging an AI strategy that is aligned to the business strategy. Include:
    • The organization's AI vision and objectives
    • Business drivers for AI adoption
    • Market research
  • Bring your key stakeholders together. Ensure you consider:
    • Who are the decision makers and key influencers?
    • Who will impact the business?
    • Who has a vested interest in the success or failure of the practice? Who has the skills and competencies necessary to help you be successful?
  • Keep the conversation focused:
    • Do not focus on the organizational structure and hierarchy. Often stakeholder groups do not fit the traditional structure.
    • Do not ignore subject matter experts on either the business or IT side. You will need to consider both.
    Input Output
    • Understand external legal and regulatory requirements and organizational values and goals.
    • Perform a risk assessment on the proposed use case and develop a plan to monitor its impact.
    • Draft responsible AI principles specific to your organization
    Materials Participants
    • Whiteboard/flip charts
    • Guiding principle examples (from this blueprint)
    • Executive stakeholders
    • CIO
    • Other IT leadership

    Assemble executive stakeholders

    Set yourself up for success with these three steps.

    CIOs tasked with designing digital strategies must add value to the business. Given the goal of digital is to transform the business, CIOs will need to ensure they have both the mandate and support from the business executives.

    Designing the digital strategy is more than just writing up a document. It is an integrated set of business decisions to create a competitive advantage and financial returns. Establishing a forum for debates, decisions, and dialogue will increase the likelihood of success and support during execution.

    1. Confirm your role
    The AI strategy aims to transform the business. Given the scope, validate your role and mandate to lead this work. Identify a business executive to co-sponsor.

    2. Identify stakeholders
    Identify key decision makers and influencers who can help make rapid decisions as well as garner support across the enterprise.

    3. Gather diverse perspectives

    Align the AI strategy with the corporate strategy

    Organizational Strategy Unified Strategy AI Strategy
    • Conveys the current state of the organization and the path it wants to take.
    • Identifies future goals and organizational aspirations.
    • Communicates the initiatives that are critical for getting the organization from its current state to the future state.
    • AI optimization can be and should be linked, with metrics, to the corporate strategy and ultimate organizational objectives.
    • Identifies AI initiatives that will support the business and key AI objectives.
    • Outlines staffing and resourcing for AI initiatives.
    • Communicates the organization's budget and spending on AI.

    Info-Tech Insight
    AI projects are more successful when the management team understands the strategic importance of alignment. Time needs to be spent upfront aligning organizational strategies with AI capabilities. Effective alignment between IT and other departments should happen daily. Alignment doesn't occur at the executive level alone, but at each level of the organization.

    Key AI strategy initiatives

    AI Key Initiative Plan

    Initiatives collectively support the business goals and corporate initiatives and improve the delivery of IT services.

    1 Revenue Support Revenue Initiatives
    These projects will improve or introduce business processes to increase revenue.
    2 Operational Excellence Improve Operational Excellence
    These projects will increase IT process maturity and will systematically improve IT.
    3 Innovation Drive Technology Innovation
    These projects will improve future innovation capabilities and decrease risk by increasing technology maturity.
    4 Risk Mitigation Reduce Risk
    These projects will improve future innovation capabilities and decrease risk by increasing technology maturity.

    Establish responsible AI guiding principles

    Guiding principles help define the parameters of your AI strategy. They act as a priori decisions that establish guardrails to limit the scope of opportunities from the perspective of people, assets, capabilities, and budgetary perspectives that are aligned with the business objectives. Consider these components when brainstorming guiding principles:

    Breadth AI strategy should span people, culture, organizational structure, governance, capabilities, assets, and technology. The guiding principle should cover the entire organization.
    Planning Horizon Timing should anchor stakeholders to look to the long term with an eye on the foreseeable future, i.e. business value-realization in one to three years.
    Depth Principles need to encompass more than the enterprise view of lofty opportunities and establish boundaries to help define actionable initiatives (i.e. individual projects).

    Responsible AI guiding principles guide the development and deployment of the AI model in a way that considers human-based principles (such as fairness).

    Start with foundational responsible AI guiding principles

    Responsible AI

    Guiding Principles
    Principle #1 - Privacy
    Individual data privacy must be respected.
    • Do you understand the organization's privacy obligations?
    Principle #2 - Fairness and Bias Detection
    Data used will be unbiased in order to produce predictions that are fair.
    • Are the uses of the application represented in your testing data?
    Principle #3 - Explainability and Transparency
    Decisions or predictions should be explainable.
    • Can you communicate how the model behaves in nontechnical terms?
    Principle #4 - Safety and Security
    The system needs to be secure, safe to use, and robust.
    • Are there unintended consequences to others?
    Principle #5 - Validity and Reliability
    Monitoring of the data and the model needs to be planned for.
    • How will the model's performance be maintained?
    Principle #6 - Accountability
    A person or organization needs to take responsibility for any decisions that are made as a result of the model.
    • Has a risk assessment been performed?
    Principle #n - Custom
    Add additional principles that address compliance or are customized for the organization/industry.

    (Optional) Customize responsible AI guiding principles

    Here is an example for organizations in the healthcare industry

    Responsible AI

    Guiding Principles:
    Principle #1
    Respect individuals' privacy.
    Principle #2
    Clinical study participants and data sets are representative of the intended patient population.
    Principle #3
    Provide transparency in the use of data and AI.
    Principle #4
    Good software engineering and security practices are implemented.
    Principle #5
    Deployed models are monitored for Performance and Re-training risks are managed.
    Principle #6
    Take ownership of our AI systems.
    Principle #7
    Design AI systems that empower humans and promote equity.

    These guiding principles are customized to the industry and organizations but remain consistent in addressing the common core AI challenges.

    Phase 2

    Assess Current Level of AI Maturity

    Phase 1
    1. Establish Responsible AI Guiding Principles

    Phase 2
    1. Assess Current Level of AI Maturity

    Phase 3
    1. Prioritize Candidate Opportunities
    2. Develop Policies

    Phase 4
    1. Build and Communicate the Roadmap

    AI Maturity Model

    A principle-based approach is required to advance AI maturity

    Chart for AI maturity model

    Technology-Centric: These maturity levels focus primarily on addressing the technical challenges of building a functional AI model.

    Principle-Based: Beyond the technical challenges of building the AI model are human-based principles that guide development in a responsible manner to address consumer and government demands.

    AI Maturity Dimensions

    Assess your AI maturity to understand your organization's ability to deliver in a digital age

    AI Governance
    Does your organization have an enterprise-wide, long-term strategy with clear alignment on what is required to accomplish it?

    Data Management
    Does your organization embrace a data-centric culture that shares data across the enterprise and drives business insights by leveraging data?

    People
    Does your organization employ people skilled at delivering AI applications and building the necessary data infrastructure?

    Process
    Does your organization have the technology, processes, and resources to deliver on its AI expectations?

    Technology
    Does your organization have the required data and technology infrastructure to support AI-driven digital transformation?

    AI Maturity Model dimensions and characteristics

    MATURITY LEVEL
    Exploration Incorporation Proliferation Optimization Transformation
    AI Governance Awareness AI model development AI model deployment Corporate governance Driven by ethics and societal considerations
    Data Management Silo-based Data enablement Data standardization Data is a shared asset Data can be monetized
    People Few skills Skills enabled to implement silo-based applications Skills accessible to all organizations Skills development for all organizations AI-native culture
    Process No standards Focused on specific business outcomes Operational Self-service Driven by innovation
    Technology (Infrastructure and AI Enabler) No dedicated infrastructure or tools Infrastructure and tools driven by POCs Purpose-built infrastructure, custom or commercial-off-the-shelf (COTS) AI tools Self-service model for AI environment Self-service model for any IT environment

    AI Maturity Dimension:

    AI Governance

    Requirements

    • AI governance requires establishing policies and procedures for AI model development and deployment. Organizations begin with an awareness of the role of AI governance and evolve to a level to where AI governance is integrated with organization-wide corporate governance.

    Challenges

    • Beyond the governance of AI technology, the organization needs to evolve the governance program to align to responsible AI guiding principles.

    Initiatives

    • Establish responsible AI guidelines to govern AI development.
    • Introduce an AI review board to review all AI projects.
    • Introduce automation and standardize AI development processes.

    AI governance is a foundation for responsible AI

    AI Governance

    Responsible AI Principles are a part of how you manage and govern AI

    Monitoring
    Monitoring compliance and risk of AI/ML systems/models in production

    Tools & Technologies
    Tools and technologies to support AI governance framework implementation

    Model Governance
    Ensuring accountability and traceability for AI/ML models

    Organization
    Structure, roles, and responsibilities of the AI governance organization

    Operating Model
    How AI governance operates and works with other organizational structures to deliver value

    Risk & Compliance
    Alignment with corporate risk management and ensuring compliance with regulations and assessment frameworks

    Policies/Procedures/ Standards
    Policies and procedures to support implementation of AI governance

    AI Maturity Dimension:

    Data Management

    Requirements

    • Organizations begin their data journey with a focus on pursuing quality data for the AI model. As organizations evolve, data management tools are leveraged to automate the capture, integration, processing, and deployment of data.

    Challenges

    • A key challenge is to acquire large volumes of quality data to properly train the model. In addition, maintaining data privacy, automating the data management lifecycle, and ensuring data is used in a responsible manner are ongoing challenges.

    Initiatives

    • Implement GDPR requirements.
    • Establish responsible data collection and processing practices.
    • Implement strong information security and data protection practices.
    • Implement a data governance program throughout the organization.

    Data governance enables AI

    • Integrity, quality, and security of data are key outputs of data governance programs, as well as necessities for effective AI.
    • Data governance focuses on creating accountability at the internal and external stakeholder level and establishing a set of data controls from technical, process, and policy perspectives.
    • Without a data governance framework, it is increasingly difficult to harness the power of AI integration in an ethical and organization-specific way.

    Data Governance in Action

    Canada has recently established the Canadian Data Governance Standardization Collaborative governed by the Standards Council of Canada. The purpose is multi-pronged:

    • Examine the foundational elements of data governance (privacy, cybersecurity, ethics, etc.).
    • Lay out standards for data quality and data collection best practices.
    • Examine infrastructure of IT systems to support data access and sharing.
    • Build data analytics to promote effective and ethical AI solutions.

    Source: Global Government Forum

    Download the Establish Data Governance blueprint

    Data Governance

    AI Maturity Dimension:

    People

    Requirements

    • Several data-centric skills and roles are required to successfully build, deploy, and maintain the AI model. The organization evolves from having few skills to everybody being able to leverage AI to enhance business outcomes.

    Challenges

    • AI skills can be challenging to find and acquire. Many organizations are investing in education to enhance their existing resources, leveraging no-code systems and software as a service (SaaS) applications to address the skills gap.

    Initiatives

    • Promote a data-centric culture throughout the organization.
    • Leverage and educate technical-oriented business analysts and business-oriented data engineers to help address the demand for skilled resources.
    • Develop an AI Center of Excellence accessible by all departments for education, guidance, and best practices for building, deploying, and maintaining the AI model.

    Multidisciplinary skills are required for successful implementation of AI applications

    Blending AI with technology and business domain understanding is key. Neither can be ignored.

    Business Domain Expertise

    • Business Analysts
    • Industry Analysts

    AI/Data Skills

    • Data Scientists
    • Data Engineers
    • Data Analysts

    IT Skills

    • Database Administrators
    • Systems Administrators
    • Compute Specialists

    AI Maturity Dimension:

    Process

    Requirements

    • Automating processes involved with building, deploying, and maintaining the model is required to enable the organization to scale, enforce standards, improve time to market, and reduce costs. The organization evolves from performing tasks manually to an environment where all major processes are AI enabled.

    Challenges

    • Many solutions are available to automate the development of the AI model. There are fewer tools to automate responsible AI processes, but this market is growing rapidly.

    Initiatives

    • Assess opportunities to accelerate AI development with the adoption of MLOps.
    • Assess responsible AI toolkits to test compliance with guiding principles.

    Automating the AI development process

    Evolving to a model-driven environment is pivotal to advancing your AI maturity

    Current Environment

    Model Development - Months

    • Model rewriting
    • Manual optimization and scaling
    • Development/test/release
    • Application monoliths

    Data Discovery & Prep - Weeks

    • Navigating data silos
    • Unactionable metadata
    • Tracing lineage
    • Cleansing and integration
    • Privacy and compliance

    Install Software and Hardware - Week/Months

    • Workload contention
    • Lack of tool flexibility
    • Environment request and setup
    • Repeatability of results
    • Lack of data and model sharing

    Model-Driven Development

    Machine Learning as a Service (MLaaS) - Weeks

    • Apply DevOps and continuous integration/delivery (CI/CD) principles
    • Microservices/Cloud-native applications
    • Model portability and reuse
    • Streaming/API integration

    Data as a Service - Hours

    • Self-service data catalog
    • Searchable metadata
    • Centralized access control
    • Data collaboration
    • Data virtualization

    Platform as a Service - Minutes/Hours

    • Self-service data science portal
    • Integrated data sandbox
    • Environment agility
    • Multi-tenancy

    Shared, Optimized Infrastructure

    AI Maturity Dimension:

    Technology

    Requirements

    • A technology platform that is optimized for AI and advanced analytics is required. The organization evolves from ad hoc systems to an environment where the AI hardware and software can be deployed through a self-service model.

    Challenges

    • Software and hardware platforms to optimize AI performance are still relatively new to most organizations. Time spent on optimizing the technology platform can have a significant impact on the overall performance of the system.

    Initiatives

    • Assess the landscape of AI enablers that can drive business value for the organization.
    • Assess opportunities to accelerate the deployment of the AI platform with the adoption of infrastructure as a service (IaaS) and platform as a service (PaaS).
    • Assess opportunities to accelerate performance with the optimization of AI accelerators.

    AI enablers

    Use case requirements should drive the selection of the tool

    BPM RPA Process Mining AI
    Use Case Examples Expense reporting, service orders, compliance management, etc. Invoice processing, payroll, HR information processing, etc. Process discovery, conformance checking, resource optimization and cycle time optimization Advanced analytics and reporting, decision-making, fraud detection, etc.
    Automation Capabilities Can be used to re-engineer process flows to avoid bottlenecks Can support repetitive and rules-based tasks Can capture information from transaction systems and provide data and information about how key processes are performing Can automate complex data-driven tasks requiring assessments in decision making
    Data Formats Structured (i.e. SQL) and semi-structured data (i.e. invoices) Structured data and semi-structured data Event logs, which are often structured data and semi-structured data Structured and unstructured data (e.g. images, audio)
    Technology
    • Workflow engines to support process modeling and execution
    • Optimize business process efficiency
    • Automation platform to perform routine and repetitive tasks
    • Can replace or augment workers
    Enables business users to identify bottlenecks and deviations with their workflows and to discover opportunities to optimize performance Deep learning algorithms leveraging historical data to support computer vision, text analytics and NLP

    AI and data analytics data platform

    An optimized data platform is foundational to maximizing the value from AI

    AI and data analytics data platform

    Data Platform Capabilities

    • Support for a variety of analytical applications, including self-service, operational, and data science analytics.
    • Data preparation and integration capabilities to ingest structured and unstructured data, move and transform raw data to enriched data, and enable data access for the target userbase.
    • An infrastructure platform optimized for advanced analytics that can perform and scale.

    Infrastructure - AI accelerators

    Questions for support transition

    "By 2025, 70% of companies will invest in alternative computing technologies to drive business differentiation by compressing time to value of insights from complex data sets."
    - IDC

    2.1 Assess current AI maturity

    1-3 hours

    It is important to understand the current capabilities of the organization to deliver and deploy AI-based applications. Consider that advancing AI capabilities will also involve organizational changes and integration with the organization's governance and risk management programs.

    1. Assess the organization's current state of AI capabilities with respect to its AI governance, data, people, process, and technology infrastructure using Info-Tech's AI Maturity Assessment & Roadmap Tool.
    2. Consider the following as you complete the assessment:
      1. What is the state of AI and data governance in the organization?
      2. Does the organization have the skills, processes, and technology environment to deliver AI-based applications?
      3. What organization will be accountable for any and all business outcomes of using the AI applications?
      4. Has a risk assessment been performed?
    3. Make sure you avoid the following common mistakes:
      1. Do not focus only on addressing the technical challenges of building the AI model.
      2. Do not ignore subject matter experts on either the business or IT side. You will need to consider both.

    Download the AI Maturity Assessment & Roadmap Tool

    Input Output
    • Any documented AI policies, standards, and best practices
    • Corporate and AI governance practices
    • Any risk assessments
    • AI maturity assessment
    Materials Participants
    • Whiteboard/flip charts
    • AI Maturity Assessment & Roadmap Tool
    • AI initiative lead
    • CIO
    • Other IT leadership

    Perform the AI Maturity Assessment

    The Scale

    Assess your AI maturity by selecting the maturity level that closest resembles the organization's current AI environment. Maturity dimensions that contribute to overall AI maturity include AI governance, data management, people, process, and technology capabilities.

    AI Maturity Assessment

    Exploration (1.0)

    • No experience building or using AI applications.

    Incorporation (2.0)

    • Some skills in using AI applications, or AI pilots are being considered for use.

    Proliferation (3.0)

    • AI applications have been adopted and implemented in multiple departments. Some of the responsible AI guiding principles are addressed (i.e. data privacy).

    Optimization (4.0)

    • The organization has automated the majority of its digital processes and leverages AI to optimize business operations. Controls are in place to monitor compliance with responsible AI guiding principles.

    Transformation (5.0)

    • The organization has adopted an AI-native culture and approach for building or implementing new business capabilities. Responsible AI guiding principles are operationalized with AI processes that proactively address possible breaches or risks associated with AI applications.

    Perform the AI Maturity Assessment

    AI Governance (1.0-5.0)

    1. Is there awareness of the role of AI governance in our organization?
    • No formal procedures are in place for AI development or deployment of applications.
  • Are there documented guidelines for the development and deployment of pilot AI applications?
    • No group is assigned to be responsible for AI governance in our organization.
  • Are accountability and authority related to AI governance clearly defined for our organization?
    • Our organization has adopted and enforces standards for developing and deploying AI applications throughout the organization.
  • Are we using tools to automate and validate AI governance compliance?
    • Our organization is integrating an AI risk framework with the corporate risk management framework.
  • Does our organization lead its industry with its pursuit of corporate compliance initiatives (e.g. ESG compliance) and regulatory compliance initiatives?
    • Our organization leads the industry with the inclusion of responsible AI guiding principles with respect to transparency, accountability, risk, and governance.

    Data Management/AI Data Capabilities (1.0-5.0)

    1. Is there an awareness in our organization of the data requirements for developing AI applications?
    • Data is often siloed and not easily accessible for AI applications.
  • Do we have a successful, repeatable approach to preparing data for AI pilot projects?
    • Required data is pulled from various sources in an ad hoc manner.
  • Does our organization have standards and dedicated staff for data management, data quality, data integration, and data governance?
    • Tools are available to manage the data lifecycle and support the data governance program.
  • Have relevant data platforms been optimized for AI and data analytics and are there tools to enforce compliance with responsible AI principles?
    • The data platform has been optimized for performance and access.
  • Is there an organization-wide understanding of how data can support innovation and responsible use of AI?
    • Data culture exists throughout our organization, and data can be leveraged to drive innovation initiatives.

    People/AI Skills in the Organization (1.0-5.0)

    1. Is there an awareness in our organization of the skills required to build AI applications?
    • No or very little skills exist throughout our organization.
  • Do we have the skills required to implement an AI proof of concept (POC)?
    • No formal group is assigned to build AI applications.
  • Are there sufficient staff and skills available to the organization to develop, deploy, and run AI applications in production?
    • An AI Center of Excellence has been formed to review, develop, deploy, and maintain AI applications.
  • Is there a group responsible for educating staff on AI best practices and our organization's responsible AI guiding principles?
    • AI skills and people responsible for AI applications are spread throughout our organization.
  • Is there a culture where the organization is constantly assessing where business capabilities, services, and products can be re-engineered or augmented with AI?
    • The entire organization is knowledgeable on how to leverage AI to transform the business.

    Perform the AI Maturity Assessment

    AI Processes (1.0-5.0)

    1. Is there an awareness in our organization of the core processes and supporting tools that are required to build and support AI applications?
    • There are few or no automated tools to accelerate the AI development process.
  • Do we have a standard process to iteratively identify, select, and pilot new AI use cases?
    • Only ad hoc practices are used for developing AI applications.
  • Are there standard processes to scale, release, deploy, support, and enable use of AI applications?
    • Our organization has documented standards in place for developing AI applications and deploying them AI to production.
  • Are we automating deployment, testing, governance, audit, and support processes across our AI environment?
    • Our organization can leverage tools to perform an AI risk assessment and demonstrate compliance with the risk management framework.
  • Does our organization lead our industry by continuously improving and re-engineering core processes to drive improved business outcomes?
    • Our organization leads the industry in driving innovation through digital transformation.

    Technology/AI Infrastructure (1.0-5.0)

    1. Is there an awareness in our organization of the infrastructure (hardware and software) required to build AI applications?
    • There is little awareness of what infrastructure is required to build and support AI applications.
  • Do we have the required technology infrastructure and AI tools available to build pilot or one-off AI applications?
    • There is no dedicated infrastructure for the development of AI applications.
  • Is there a shared, standardized technology infrastructure that can be used to build and run multiple AI applications?
    • Our organization is leveraging purpose-built infrastructure to optimize performance.
  • Is our technology infrastructure optimized for AI and advanced analytics, and can it be deployed or scaled on demand by teams building and running AI applications within the organization?
    • Our organization is leveraging cloud-based deployment models to support AI applications in on-premises, hybrid, and public cloud platforms.
  • Is our organization developing innovative approaches to acquiring, building, or running AI infrastructure?
    • Our organization leads the industry with its ability to respond to change and to leverage AI to improve business outcomes.

    Phase 3

    Prioritize Candidate Opportunities and Develop Policies

    Phase 1
    1. Establish Responsible AI Guiding Principles

    Phase 2
    1. Assess Current Level of AI Maturity

    Phase 3
    1. Prioritize Candidate Opportunities
    2. Develop Policies

    Phase 4
    1. Build and Communicate the Roadmap

    3.1 Prioritize candidate AI opportunities

    1-3 hours

    Identify business opportunities that are high impact to your business and its customers and have low implementation complexity.

    1. Leverage the business capability map for your organization or industry to identify candidate business capabilities to augment or automate with generative AI.
    2. Establish criteria to assess candidate use cases by evaluating against the organization's mission and goals, the responsible AI guiding principles, and the complexity of the project.
    3. Ensure that candidate business capabilities to be automated align with the organization's business criteria, responsible AI guiding principles, and resources to deliver the project.
    4. Make sure you avoid sharing the organization's sensitive data if the application is deployed on the public cloud.

    Download the AI Maturity Assessment and Roadmap Tool

    Input Output
    • Business capability map
    • Organization mission, vision, and strategic goals
    • Responsible AI guiding principles
    • Prioritized list of generative AI initiatives
    Materials Participants
    • Whiteboard/flip charts
    • Info-Tech prioritization matrix
    • AI initiative lead
    • CIO
    • Other IT leadership
    • Business SMEs

    The business capability map for an organization

    A business capability map is an abstraction of business operations that helps describe what the enterprise does to achieve its vision, mission, and goals, rather than how. Business capabilities are the building blocks of the enterprise. They represent stable business functions, are unique and independent of each other, and typically will have a defined business outcome.

    Business capabilities are supported by people, process, and technology.

    Business capability map

    While business capability maps are helpful tools for a variety of strategic purposes, in this context they act as an investigation into what technology your business units use and how they use it.

    Business capability map

    Defining Capabilities
    Activities that define how the entity provides services. These capabilities support the key value streams for the organization.

    Enabling Capabilities
    Support the creation of strategic plans and facilitate business decision making as well as the functioning of the organization (e.g. information technology, financial management, HR).

    Shared Capabilities
    These predominantly customer-facing capabilities demonstrate how the entity supports multiple value streams simultaneously.

    Leverage your industry's capability maps to identify candidate opportunities/initiatives

    Business capability map defined...

    In business architecture, the primary view of an organization is known as a business capability map.

    A business capability defines what a business does to enable value creation, rather than how. Business capabilities:

    • Represent stable business functions.
    • Are unique and independent of each other.
    • Typically will have a defined business outcome.

    A business capability map provides details that help the business architecture practitioner direct attention to a specific area of the business for further assessment.

    Note: This is an illustrative business capability map example for Marketing & Advertising

    Business capability map example

    Business value vs. complexity assessment

    Leverage our simple value-to-effort matrix to help prioritize your AI initiatives

    Common business value drivers

    • Drive revenue
    • Improve operational excellence
    • Accelerate innovation
    • Mitigate risk

    Common project complexity characteristics

    • Resources required
    • Costs (acquisition, operational, support...)
    • Training required
    • Risk involved
    • Etc.
    1. Determine a business value and project complexity score for the candidate business capability or initiative.
    2. Plot initiatives on the matrix.
    3. Prioritize initiatives with high business value and low complexity.

    Business value vs complexity

    Assess business value vs. project complexity to prioritize candidate opportunities for generative AI

    Assess business value vs project complexity

    Prioritize opportunities/initiatives with high business value and low project complexity

    Prioritize opportunities with high business value and low project complexity

    Prioritization criteria exercise 1: Assessing the Create Content capability

    Exercise 1 Assessing the Create Content capability

    Assessing the Create Content capability

    This opportunity is removed because it does not pass the organization/business criteria

    Assessing the Create Content capability

    Prioritization criteria exercise 2: Assessing the Content Production capability

    Exercise 2 Assessing the Content Production capability

    Assessing the Content Production capability

    This opportunity is accepted because it passes the organization's business, responsible AI, and project criteria

    Assessing the Content Production capability

    3.2 Communicate policies for AI use

    1-3 hours

    1. Ensure policies for usage align with the organization's business criteria, responsible AI guiding principles, and ability to deliver the projects prioritized and beyond.
    2. Understand the current benefits as well as limits and risk associated with any proposed generative AI-based solution.
    3. Ensure you consider the following:
      1. What data is being shared with the application?
      2. Is the generative AI application deployed on the public cloud? Can anybody access the data provided to the application?
      3. Avoid using very technical, legal, or fear-based communication for your policies.
    InputOutput
    • Business capability map
    • Organization mission, vision and strategic goals
    • Responsible AI guiding principles
    • Prioritized list of generative initiatives
    MaterialsParticipants
    • Whiteboard/flip charts
    • Info-Tech prioritization matrix
    • AI initiative lead
    • CIO
    • Other IT leadership

    Generative AI policy for the Create Content capability

    Aligning policies to direct the uses assessed and implemented is essential

    Example

    Many of us have been involved in discussions regarding the use of ChatGPT in our marketing and sales initiatives. ChatGPT is a powerful tool that needs to be used in a responsible and ethical manner, and we also need to ensure the integrity and accuracy of its results. Here is our policy on the use of ChatGPT:

    • You are free to use generative AI to assist your searches, but there are NO circumstances under which you are to reproduce generative AI output (text, image, audio, video, etc.) in your content.

    If you have any questions regarding the use of ChatGPT, please feel free to reach out to our generative AI team and/or any member of our senior leadership team.

    Generative AI policy for the Content Production capability

    These policies should align to and reinforce your responsible AI principles

    Example

    Many of us have been involved in discussions regarding the use of ChatGPT in our deliverables. ChatGPT is a powerful tool that needs to be used in a responsible and ethical manner, and we also need to ensure the integrity and accuracy of its results. Here is our policy on the use of ChatGPT:

    • If you use ChatGPT, you need to assess the accuracy of its response before including it in our content. Assessment includes verifying the information, seeing if bias exists, and judging its relevance.
    • Employees must not:
      • Provide any customer, citizen, or third-party content to any generative AI tool (public or private) without the express written permission of the CIO or the Chief Information Security Officer. Generative AI tools often use input data to train their model, therefore potentially exposing confidential data, violating contract terms and/or privacy legislation, and placing the organization at risk of litigation or causing damage to our organization.
      • Engage in any activity that violates any applicable law, regulation, or industry standard.
      • Use services for illegal, harmful, or offensive purposes.
      • Create or share content that is deceptive, fraudulent, or misleading or that could damage the reputation of our organization.
      • Use services to gain unauthorized access to computer systems, networks, or data.
      • Attempt to interfere with, bypass controls of, or disrupt operations, security, or functionality of systems, networks, or data.

    If you have any questions regarding the use of ChatGPT, please feel free to reach out to our generative AI team and/or any member of our senior leadership team.

    Phase 4

    Build the Roadmap

    Phase 1
    1. Establish Responsible AI Guiding Principles

    Phase 2
    1. Assess Current Level of AI Maturity

    Phase 3
    1. Prioritize Candidate Opportunities
    2. Develop Policies

    Phase 4
    1. Build and Communicate the Roadmap

    4.1.1 Create the implementation plan for each prioritized initiative

    1-3 hours

    1. Build the implementation plan for each accepted use case using the roadmap template.
    2. Assess the firm's capabilities with respect to the dimensions of AI maturity and target the future-state capabilities you need to develop.
    3. Prepare by assessing the risk of the proposed use cases.
    4. Ensure initiatives align with organizational objectives.
    5. Ensure all AI initiatives have a defined value expectation.
    6. Do not ignore subject matter experts on either the business or IT side. You will need to consider both.

    Download the AI Maturity Assessment and Roadmap Tool

    Input Output
    • Prioritized initiatives
    • Risk assessment of initiatives
    • Organizational objectives
    • Initiative implementation plans aligned to value drivers and maturity growth
    Materials Participants
    • Whiteboard/flip charts
    • AI Maturity Assessment and Roadmap Tool
    • AI initiative lead
    • CIO
    • Other IT leadership
    • Business subject matter experts

    Target-state options

    Identify the future-state capabilities that need to be developed to deliver your use cases

    1. Build an implementation plan for each use case to adopt.
    2. Assess if the current state of the AI environment can be leveraged to deliver the selected generative AI use cases.
    3. If the current AI environment is not sufficient, identify the future state required that will enable the delivery of the generative AI use cases. Identify gaps and build the roadmap to address the gaps.
    Current state Strategy
    The existing environment satisfies functionality, integration, and responsible AI guidelines for the proposed use cases. Maintain current environment
    The existing environment addresses technical requirements but not all the responsible AI guidelines. Augment current environment
    The environment neither addresses the technical requirements of the proposed use cases nor complies with the responsible AI guidelines. Transform the current environment

    4.1.2 Design metrics for success

    1-2 hours

    Establish metrics to measure to determine the success or failure of each POC.

    1. Discuss which relevant currently tracked metrics are useful to continue tracking for the POC.
    2. Discuss which metrics are irrelevant to the POC.
    3. Discuss metrics to start tracking and how to track them with the generative AI vendor.
    4. Compile a list of metrics relevant to the POC.
    5. Decide what the outcome is if the metric is high or low, including decision steps and relevant actions.
    6. Designate a generative AI application owner and a vendor liaison.

    Prepare by building an implementation plan for each candidate use case (previous step).

    Include key performance indicators (KPIs) and metrics that measure the application's contribution to strategic initiatives.

    Consider assigning a vendor liaison to accelerate the implementation and adoption of the generative AI-based solution.

    InputOutput
    • Initiative implementation plans
    • Current SLAs of selected use case
    • Organization mission, vision, and strategic goals
    • Measurable initiative metrics to track
    MaterialsParticipants
    • Whiteboard/flip charts
    • AI Maturity Assessment and Roadmap Tool
    • AI initiative lead
    • CIO
    • Other IT leadership
    • Business SMEs
    • Generative AI vendor liaison

    Generative AI POC metrics - examples

    You need to measure the effectiveness of your initiatives. Here are some typical examples.

    Generative AI Feature Assessment
    User Interface
    Is it intuitive? Is training required?
    Ease of Use
    How much training is required before using?
    Response Time
    What is the response time for simple to complex tasks?
    Accuracy of Response
    Can the output be validated?
    Quality of Response
    How usable is the response? For text prompts, does the response align to the desired style, vocabulary, and tone?
    Creativity of Response
    Does the output appear new compared to previous results before using generative AI?
    Relevance of Response
    How well does the output address the prompt or request?
    Explainability
    Can a user describe how the output was generated?
    Scalability
    Does the application continue to perform as more users are added? Can it ingest large amounts of data?
    Productivity Gains
    Can you measure the time or effort saved?
    Business Value
    What value drivers are behind this initiative? (I.e. revenue, costs, time to market, risk mitigation.) Estimate a monetary value for the business outcome.
    Availability/Resilience
    What happens if a component of the application becomes unavailable? How does it recover?
    Security Model
    Where are the prompts and responses stored? Who has access to the sessions/dialogue? Are the prompts used to train the foundation model?
    Administration and Maintenance
    What resources are required to operate the application?
    Total Cost of Ownership
    What is the pricing model? Are there ongoing costs?

    GitHub Copilot POC business value - example

    Quantifying the benefits of GitHub Copilot to demonstrate measurable business value

    POC Results

    Task 1: Creating a web server in JavaScript

    • Time to complete task with GitHub Copilot: 1 hour 11 minutes
    • Time to complete the task without GitHub Copilot: 2 hours 41 minutes
    • Productivity Gain = (1 hour 30 minutes time saved) / (2 hours 41 minutes) = 55%
    • Benefit per Programmer = 55% x (average salary of a programmer)
    • Total Benefit of GitHub Copilot for Task 1 = (benefit per programmer) x (# of programmers)

    Enterprise Value of GitHub Copilot = Total Benefit of GitHub Copilot for Task 1 + Total Benefit of GitHub Copilot for Task 2 + ... + Total Benefit of GitHub Copilot for Task n

    Source: GitHub

    4.1.3 Build your generative AI initiative roadmap

    1-3 hours

    The roadmap should provide a compelling vision of how you will deliver the identified generative AI applications by prioritizing and simplifying the actions required to deliver these new initiatives.

    1. Leverage tab 4, Initiative Planning, in the AI Maturity Assessment and Roadmap Tool to create and align your initiatives to the key value driver they are most relevant to:
      1. Transfer the results of your value and complexity assessments to this tool to drive the prioritization.
      2. Assign responsible owners to each initiative.
      3. Identify which AI maturity capabilities each initiative will enhance. However, do not build or introduce new capabilities merely to advance the organization's AI maturity level.
    2. Review the Gantt chart to ensure alignment and assess overlap.

    Download the AI Maturity Assessment and Roadmap Tool

    InputOutput
    • Each initiative implementation plan
    • Proposed owners
    • AI maturity assessment
    • Generative AI initiative roadmap and Gantt chart
    MaterialsParticipants
    • Whiteboard/flip charts
    • AI Maturity Assessment and Roadmap Tool
    • AI initiative lead
    • CIO
    • Other IT leadership
    • Business SMEs

    Build your generative AI roadmap to visualize your key project plans

    Visual representations of data are more compelling than text alone.

    Develop a high-level document that travels with the project from inception through to executive inquiry, project management, and finally execution.

    A project needs to be discrete: able to be conceptualized and discussed as an independent item. Each project must have three characteristics:

    • Specific outcome: An explicit change in the people, processes, or technology of the enterprise.
    • Target end date: When the described outcome will be in effect.
    • Owner: Who on the IT team is responsible for executing on the initiative.

    Build your generative AI roadmap to visualize your key project plans

    Info-Tech Insight
    Don't project your vision three to five years into the future. Deep dive on next year's big-ticket items instead.

    4.1.4 Build a communication plan for your roadmap

    1-3 hours

    1. Identify your target audience and what they need to know.
    2. Identify desired channels of communication and details for the target audience.
    3. Describe communication required for each audience segment.
    4. List frequency of communication for each audience segment.
    5. Create an executive presentation leveraging The Era of Generative AI C-Suite Presentation and AI Maturity Assessment and Roadmap Tool.
    Input Output
    • Stakeholder list
    • Proposed owners
    • AI maturity assessment
    • Communications plan for all impacted stakeholders
    • Executive communication pack
    Materials Participants
    • Whiteboard/flip charts
    • The Era of Generative AI C-Suite Presentation
    • AI Maturity Assessment and Roadmap Tool
    • AI initiative lead
    • CIO
    • Communication lead
    • Technical support staff for target use case

    Generative AI communication plan

    Well-planned communications are essential to the success and adoption of your AI initiatives

    To ensure that organization's roadmap is clearly communicated across the AI, data, technology, and business organizations, develop a rollout strategy, like this example.

    Example

    Audience Channel Level of Detail Description Timing
    Generative AI team Email, meetings All
    • Distribute plan; solicit feedback.
    • Address manager questions to equip them to answer employee questions.
    Q3 2023, (September, before entire data team)
    Data management team Email, Q&A sessions following Data management summary deck
    • Roll out after corporate strategy, in same form of communication.
    • Solicit feedback, address questions.
    Q4 2023 (late November)
    Select business stakeholders Presentations Executive deck
    • Pilot test for feedback prior to executive engagement.
    Q4 2023 (early December)
    Executive team Email, briefing Executive deck
    • Distribute plan.
    Q1 2024

    Deliver an executive presentation of the roadmap for the business stakeholders

    After you complete the activities and exercises within this blueprint, the final step of the process is to present the deliverable to senior management and stakeholders.

    Know Your Audience

    • Business stakeholders are interested in understanding the business outcomes that will result from their investment in generative AI.
    • Your audience will want to understand the risks involved and how to mitigate those risks.
    • Explain how the generative AI project was selected and the criteria used to help draft generative AI usage policies.

    Recommendations

    • Highlight the need for responsible AI to ensure that human-based requirements are being addressed.
    • Ensure your generative AI team includes both business and technical staff.

    Download The Era of Generative AI C-Suite Presentation

    Bibliography

    "A pro-innovation approach to AI regulation." UK Department for Science, Innovation and Technology, March 2023. Web.

    "Artificial Intelligence Act." European Commission, 21 April 2021. Web.

    "Artificial Intelligence and Data Act (AIDA)." Canadian Federal Government, June 2022. Web.

    "Artificial Intelligence Index Report 2023." Stanford University, April 2023. Web.

    "Automated Employment Decision Tools." New York City Department of Consumer and Worker Protection, Dec. 2021. Web.

    "Bain & Company announces services alliance with OpenAI to help enterprise clients identify and realize the full potential and maximum value of AI." Bain & Company, 21 Feb. 2023. Web.

    "Buzzfeed to use AI to write its articles after firing 180 employees." Al Mayadeen English, 27 Jan. 2023. Web.

    "California Consumers Privacy Act." State of California Department of Justice. April 24, 2023. Web.

    Campbell, Ian Carlos. "The Apple Card doesn't actually discriminate against women, investigators say." The Verge, 23 March 2021. Web.

    Campbell, Patrick. "NIST Artificial Intelligence Risk Management Framework (AI RMF 1.0)." National Institute of Standards and Technology, Jan. 2023. Web.

    "EU Ethics Guidelines For Trustworthy." European Commission, 8 April 2019. Web.

    Farhi, Paul. "A news site used AI to write articles. It was a journalistic disaster." Washington Post, 17 Jan. 2023. Web.

    Forsyth, Ollie. "Mapping the Generative AI landscape." Antler, 20 Dec. 2022. Web.

    "General Data Protection Regulation (GDPR)" European Commission, 25 May 2018. Web.

    "Generative AI Market: Global Industry Trends, Share, Size, Growth, Opportunity and Forecast 2023-2028." IMARC Group, 2022. Web.

    Guynn, Jessica. "Bing's ChatGPT is in its feelings: 'You have not been a good user. I have been a good Bing.'" USA Today, 14 Feb. 2023. Web.

    Hunt, Mia. "Canada launches data governance standardisation initiative." Global Government Forum, 24 Sept. 2020. Web.

    Johnston Turner, Mary. "IDC's Worldwide Future of Digital Infrastructure 2022 Predictions." IDC, 27 Oct. 2021. Web.

    Kalliamvakou, Eirini. "Research: quantifying GitHub Copilot's impact on developer productivity and happiness." GitHub, 7 Sept. 2022. Web.

    Kerravala, Zeus. "NVIDIA Brings AI To Health Care While Protecting Patient Data." eWeek, 12 Dec. 2019. Web.

    Knight, Will. "The Apple Card Didn't 'See' Gender-and That's the Problem." Wired, 19 Nov. 2019. Web.

    "OECD, Recommendation of the Council on Artificial Intelligence." OECD, 2022. Web.

    "The National AI Initiative Act" U.S. Federal Government, 1 Jan 2021. Web.

    "Trustworthy AI (TAI) Playbook." U.S. Department of Health & Human Services, Sept 2021. Web.

    Info-Tech Research Contributors/Advocates

    Joel McLean, Executive Chairman

    Joel McLean
    Executive Chairman

    David Godfrey, CEO

    David Godfrey
    CEO

    Gord Harrison, Senior Vice President, Research & Advisory Services

    Gord Harrison
    Senior Vice President, Research & Advisory Services

    William Russell, CIO

    William Russell
    CIO

    Jack Hakimian, SVP, Research

    Jack Hakimian
    SVP, Research

    Barry Cousins, Distinguished Analyst and Research Fellow

    Barry Cousins
    Distinguished Analyst and
    Research Fellow

    Larry Fretz, Vice President, Industry Research

    Larry Fretz
    Vice President, Industry Research

    Tom Zehren, CPO

    Tom Zehren
    CPO

    Mark Roman, Managing Partner II

    Mark Roman
    Managing Partner II

    Christine West, Managing Partner

    Christine West
    Managing Partner

    Steve Willis, Practice Lead

    Steve Willis
    Practice Lead

    Yatish Sewgoolam, Associate Vice President, Research Agenda

    Yatish Sewgoolam
    Associate Vice President, Research Agenda

    Rob Redford, Practice Lead

    Rob Redford
    Practice Lead

    Mike Tweedie, Practice Lead

    Mike Tweedie
    Practice Lead

    Neal Rosenblatt, Principal Research Director

    Neal Rosenblatt
    Principal Research Director

    Jing Wu, Principal Research Director

    Jing Wu
    Principal Research Director

    Irina Sedenko, Research Director

    Irina Sedenko
    Research Director

    Jeremy Roberts, Workshop Director

    Jeremy Roberts
    Workshop Director

    Brian Jackson, Research Director

    Brian Jackson
    Research Director

    Mark Maby, Research Director

    Mark Maby
    Research Director

    Stacey Horricks, Director, Social Media

    Stacey Horricks
    Director, Social Media

    Sufyan Al-Hassan, Public Relations Manager

    Sufyan Al-Hassan
    Public Relations Manager

    Sam Kanen, Marketing Specialist

    Sam Kanen
    Marketing Specialist

    2024 Tech Trends

    • Buy Link or Shortcode: {j2store}289|cart{/j2store}
    • member rating overall impact (scale of 10): 10
    • Parent Category Name: Innovation
    • Parent Category Link: /improve-your-core-processes/strategy-and-governance/innovation

    AI has revolutionized the landscape, placing the spotlight firmly on the generative enterprise.

    The far-reaching impact of generative AI across various sectors presents fresh prospects for organizations to capitalize on and novel challenges to address as they chart their path for the future. AI is more than just a fancy auto-complete. At this point it may look like that, but do not underestimate the evolutive power.

    In this year's Tech Trends report, we explore three key developments to capitalize on these opportunities and three strategies to minimize potential risks.

    Generative AI will take the lead.

    As AI transforms industries and business processes, IT and business leaders must adopt a deliberate and strategic approach across six key domains to ensure their success.

    Seize Opportunities:

    • Business models driven by AI
    • Automation of back-office functions
    • Advancements in spatial computing

    Mitigate Risks:

    • Ethical and responsible AI practices
    • Incorporating security from the outset
    • Ensuring digital sovereignty

    Get the Most Out of Your SAP

    • Buy Link or Shortcode: {j2store}240|cart{/j2store}
    • member rating overall impact (scale of 10): 9.7/10 Overall Impact
    • member rating average dollars saved: $6,499 Average $ Saved
    • member rating average days saved: 11 Average Days Saved
    • Parent Category Name: Optimization
    • Parent Category Link: /optimization
    • SAP systems are changed rarely and changing them has significant impact on an organization.
    • Research shows that even newly installed systems often fail to realize their full potential benefit to the organization.
    • Business process improvement is rarely someone’s day job.

    Our Advice

    Critical Insight

    A properly optimized SAP business process will reduce costs and increase productivity.

    Impact and Result

    • Build an ongoing optimization team to conduct application improvements.
    • Assess your SAP application(s) and the environment in which they exist. Take a business first strategy to prioritize optimization efforts.
    • Validate SAP capabilities, user satisfaction, issues around data, vendor management, and costs to build out an optimization strategy.
    • Pull this all together to develop a prioritized optimization roadmap.

    Get the Most Out of Your SAP Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Get the Most Out of Your SAP Storyboard – A guide to optimize your SAP.

    SAP is a core tool that the business leverages to accomplish its goals. Use this blueprint to strategically re-align business goals, identify business application capabilities, complete a process assessment, evaluate user adoption, and create an optimization plan that will drive a cohesive technology strategy that delivers results.

    • Get the Most Out of Your SAP – Phases 1-4

    2. Get the Most Out of Your SAP Workbook – A tool to document and assist with optimizing your SAP.

    The Get the Most out of Your SAP Workbook serves as the holding document for the different elements for the Get the Most out of Your SAP blueprint. Use each assigned tab to input the relevant information for the process of optimizing your SAP.

    • Get the Most Out of Your SAP Workbook

    Infographic

    Workshop: Get the Most Out of Your SAP

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Define Your SAP Application Vision

    The Purpose

    Get the most out of your SAP.

    Key Benefits Achieved

    Develop an ongoing SAP optimization team.

    Re-align SAP and business goals.

    Understand your current system state capabilities and processes.

    Validate user satisfaction, application fit, and areas of improvement to optimize your SAP.

    Take a 360-degree inventory of your SAP and related systems.

    Realign business and technology drivers. Assess user satisfaction.

    Review the SAP marketplace.

    Complete a thorough examination of capabilities and processes.

    Manage your vendors and data.

    Pull this all together to prioritize optimization efforts and develop a concrete roadmap.

    Activities

    1.1 Determine your SAP optimization team.

    1.2 Align organizational goals.

    1.3 Inventory applications and interactions.

    1.4 Define business capabilities.

    1.5 Explore SAP-related costs.

    Outputs

    SAP optimization team

    SAP business model

    SAP optimization goals

    SAP system inventory and data flow

    SAP process list

    SAP and related costs

    2 Map Current-State Capabilities

    The Purpose

    Map current-state capabilities.

    Key Benefits Achieved

    Complete an SAP process gap analysis to understand where the SAP is underperforming.

    Review the SAP application portfolio assessment to understand user satisfaction and data concerns.

    Undertake a software review survey to understand your satisfaction with the vendor and product.

    Activities

    2.1 Conduct gap analysis for SAP processes.

    2.2 Perform an application portfolio assessment.

    2.3 Review vendor satisfaction.

    Outputs

    SAP process gap analysis

    SAP application portfolio assessment

    ERP software reviews survey

    3 Assess SAP

    The Purpose

    Assess SAP.

    Key Benefits Achieved

    Learn the processes that you need to focus on.

    Uncover underlying user satisfaction issues to address these areas.

    Understand where data issues are occurring so that you can mitigate this.

    Investigate your relationship with the vendor and product, including that relative to others.

    Identify any areas for cost optimization (optional).

    Activities

    3.1 Explore process gaps.

    3.2 Analyze user satisfaction.

    3.3 Assess data quality.

    3.4 Understand product satisfaction and vendor management.

    3.5 Look for SAP cost optimization opportunities (optional).

    Outputs

    SAP process optimization priorities

    SAP vendor optimization opportunities

    SAP cost optimization

    4 Build the Optimization Roadmap

    The Purpose

    Build the optimization roadmap.

    Key Benefits Achieved

    Understanding where you need to improve is the first step, now understand where to focus your optimization efforts.

    Activities

    4.1 SAP process gap analysis

    4.2 SAP application portfolio assessment

    4.3 SAP software reviews survey

    Outputs

    ERP optimization roadmap

    Further reading

    Get the Most Out of Your SAP

    In today’s connected world, the continuous optimization of enterprise applications to realize your digital strategy is key.

    EXECUTIVE BRIEF

    Analyst Perspective

    Focus optimization on organizational value delivery.

    The image contains a picture of Chad Shortridge.

    Chad Shortridge

    Senior Research Director, Enterprise Applications

    Info-Tech Research Group

    The image contains a picture of Lisa Highfield.

    Lisa Highfield

    Research Director, Enterprise Applications

    Info-Tech Research Group

    Enterprise resource planning (ERP) is a core tool that the business leverages to accomplish its goals. An ERP that is doing its job well is invisible to the business. The challenges come when the tool is no longer invisible. It has become a source of friction in the functioning of the business.

    SAP systems are expensive, benefits can be difficult to quantify, and issues with the products can be difficult to understand. Over time, technology evolves, organizational goals change, and the health of these systems is often not monitored. This is complicated in today’s digital landscape with multiple integrations points, siloed data, and competing priorities.

    Too often organizations jump into selecting replacement systems without understanding the health of their systems. We can do better than this.

    IT leaders need to take a proactive approach to continually monitor and optimize their enterprise applications. Strategically re-align business goals, identify business application capabilities, complete a process assessment, evaluate user adoption, and create an optimization plan that will drive a cohesive technology strategy that delivers results.

    Executive Summary

    Your Challenge

    Common Obstacles

    Info-Tech’s Approach

    Your SAP ERP systems are critical to supporting the organization’s business processes. They are expensive. Direct benefits and ROI can be hard to measure.

    SAP application portfolios are often behemoths to support. With complex integration points and unique business processes, stabilization is the norm.

    Application optimization is essential to staying competitive and productive in today’s digital environment.

    Balancing optimization with stabilization is one of the most difficult decisions for ERP application leaders.

    Competing priorities and often unclear ERP strategies make it difficult to make decisions about what, how, and when to optimize.

    Enterprise applications involve large numbers of processes, users, and evolving vendor roadmaps.

    Teams do not have a framework to illustrate, communicate, and justify the optimization effort in the language your stakeholders understand.

    In today’s rapidly changing SAP landscape it is imperative to evaluate your applications for optimization, no matter what your strategy is moving forward.

    Assess your SAP applications and the environment in which they exist. Take a business-first strategy to prioritize optimization efforts.

    Validate ERP capabilities, user satisfaction, issues around data, vendor management, and costs to build out an overall roadmap and optimization strategy.

    Pull this all together to prioritize optimization efforts and develop a concrete roadmap.

    Info-Tech Insight

    SAP ERP environments are changing, but we cannot stand still on our optimization efforts. Understand your product(s), processes, user satisfaction, integration points, and the availability of data to business decision makers. Examine these areas to develop a personalized SAP optimization roadmap that fits the needs of your organization. Incorporate these methodologies into an ongoing optimization strategy aimed at enabling the business, increasing productivity, and reducing costs.

    The image contains an Info-Tech Thought model on get the most out of your ERP.

    Insight summary

    Continuous assessment and optimization of your SAP ERP systems is critical to the success of your organization.

    • Applications and the environments in which they live are constantly evolving.
    • This blueprint provides business and application managers with a method to complete a health assessment of their ERP systems to identify areas for improvement and optimization.
    • Put optimization practices into effect by:
      • Aligning and prioritizing key business and technology drivers.
      • Identifying ERP process classification and performing a gap analysis.
      • Measuring user satisfaction across key departments.
      • Evaluating vendor relations.
      • Understanding how data plays into the mix.
      • Pulling it all together into an optimization roadmap.

    SAP enterprise resource planning (ERP) systems facilitate the flow of information across business units. It allows for the seamless integration of systems and creates a holistic view of the enterprise to support decision making. In many organizations, the SAP system is considered the lifeblood of the enterprise. Problems with this key operational system will have a dramatic impact on the ability of the enterprise to survive and grow. ERP implementation should not be a one-and-done exercise. There needs to be ongoing optimization to enable business processes and optimal organizational results.

    SAP enterprise resource planning (ERP)

    The image contains a diagram of the SAP enterprise resource planning. The diagram includes a circle with smaller circles all around it. The inside of the circle contains SAP logos. The circles around the big circle are labelled: Human Resources Management, Sales, Marketing, Customer Service, Asset Management, Logistics, Supply Chain Management, Manufacturing, R&D and Engineering, and Finance.

    What is SAP?

    SAP ERP systems facilitate the flow of information across business units. They allow for the seamless integration of systems and create a holistic view of the enterprise to support decision making.

    In many organizations, the ERP system is considered the lifeblood of the enterprise. Problems with this key operational system will have a dramatic impact on the ability of the enterprise to survive and grow.

    An ERP system:

    • Automates processes, reducing the amount of manual, routine work.
    • Integrates with core modules, eliminating the fragmentation of systems.
    • Centralizes information for reporting from multiple parts of the value chain to a single point.

    SAP use cases:

    Product-Centric

    Suitable for organizations that manufacture, assemble, distribute, or manage material goods.

    Service-Centric

    Suitable for organizations that provide and manage field services and/or professional services.

    SAP Fast Facts

    Product Description

    • SAP has numerous ERP products. Products can be found under ERP, Finance, Customer Relations and Experience, Supply Chain Management, Human Resources, and Technology Platforms.
    • SAP offers on-premises and cloud solutions for its ERP. In 2011, SAP released the HANA in-memory database. SAP ECC 6.0 reaches the end of life in 2027 (2030 extended support).
    • Many organizations are facing mandatory transformation. This is an excellent opportunity to examine ERP portfolios for optimization opportunities.
    • Now is the time to optimize to ensure you are prepared for the journey ahead.
    The image contains a timeline of the evolution of SAP ERP. The timeline is ordered: SAP R1-R3 1972-1992, SAP ECC 2003-2006, ERP Business Suite 2000+, SAP HANA In-Memory Database 2011, S/4 2015.

    Vendor Description

    • SAP SE was founded in 1972 by five former IBM employees.
    • The organization is focused on enterprise software that integrates all business processes and enables data processing in real-time.
    • SAP stands for Systems, Applications, and Products in Data Processing.
    • SAP offers more than 100 solutions covering all business functions.
    • SAP operates 65 data centers at 35 locations in 16 countries.

    Employees

    105,000

    Headquarters

    Walldorf, Baden-Württemberg, Germany

    Website

    sap.com

    Founded

    1972

    Presence

    Global, Publicly Traded

    SAP by the numbers

    Only 72% of SAP S/4HANA clients were satisfied with the product’s business value in 2022. This was 9th out of 10 in the enterprise resource planning category.

    Source: SoftwareReviews

    As of 2022, 65% of SAP customers have not made the move to S/4HANA. These customers will continue to need to optimize the current ERP to meet the demanding needs of the business.

    Source: Statista

    Organizations will need to continue to support and optimize their SAP ERP portfolios. As of 2022, 42% of ASUG members were planning a move to S/4HANA but had not yet started to move.

    Source: ASUG

    Your challenge

    This research is designed to help organizations who need to:

    • Understand the multiple deployment models and the roadmap to successfully navigate a move to S/4HANA.
    • Build a business case to understand the value behind a move.
    • Map functionality to ensure future compatibility.
    • Understand the process required to commercially navigate a move to S/4HANA.
    • Avoid a costly audit due to missed requirements or SAP whiteboarding sessions.

    HANA used to be primarily viewed as a commercial vehicle to realize legacy license model discounts. Now, however, SAP has built a roadmap to migrate all customers over to S/4HANA. While timelines may be delayed, the inevitable move is coming.

    30-35% of SAP customers likely have underutilized assets. This can add up to millions in unused software and maintenance.

    – Upperedge

    SAP challenges and dissatisfaction

    Drivers of Dissatisfaction

    Organizational

    People and teams

    Technology

    Data

    Competing priorities

    Knowledgeable staff/turnover

    Integration issues

    Access to data

    Lack of strategy

    Lack of internal skills

    Selecting tools and technology

    Data hygiene

    Budget challenges

    Ability to manage new products

    Keeping pace with technology changes

    Data literacy

    Lack of training

    Update challenges

    One view of the customer

    Finance, IT, Sales, and other users of the ERP system can only optimize ERP with the full support of each other. The cooperation of the departments is crucial when trying to improve ERP technology capabilities and customer interaction.

    Info-Tech Insight

    While technology is the key enabler of building strong customer experiences, there are many other drivers of dissatisfaction. IT must stand shoulder-to-shoulder with the business to develop a technology framework for ERP.

    Where are applications leaders focusing?

    Big growth numbers

    Year-over-year call topic requests

    Other changes

    Year-over-year call topic requests

    The image contains a graph to demonstrate year-over-year call topic requests. Year 1 has 79%, Year 2 76%, Year 3 65% requests, and Year 4 has 124% requests. The image contains a graph to demonstrate other changes in year-over-year call topic requests. Year 1 has -25%, Year 2 has 4%, and Year 3 has 13%.

    We are seeing applications leaders’ priorities change year over year, driven by a shift in their approach to problem solving. Leaders are moving from a process-centric approach to a collaborative approach that breaks down boundaries and brings teams together.

    Software development lifecycle topics are tactical point solutions. Organizations have been “shifting left” to tackle the strategic issues such as product vision and Agile mindset to optimize the whole organization.

    The S/4HANA journey

    Optimization can play a role in your transition to S/4HANA.

    • The business does not stop. Satisfy ongoing needs for business enablement.
    • Build out a collaborative SAP optimization team across the business and IT.
    • Engage the business to understand requirements.
    • Discover applications and processes.
    • Explore current-state capabilities and future-state needs.
    • Evaluate optimization opportunities. Are there short-term wins? What are the long-term goals?
    • Navigate the path to S/4HANA and develop some timelines and stage gates.
    • Set your course and optimization roadmap.
    • Capitalize on the methodologies for an ongoing optimization effort that can be continued after the S/4HANA go-live date.

    Many organizations may be coming up against changes to their SAP ERP application portfolio.

    Some challenges organizations may be dealing with include:

    • Heavily customized instances
    • Large volumes of data
    • Lack of documentation
    • Outdated business processes
    • Looming end of life

    Application optimization is risky without a plan

    Avoid these common pitfalls:

    • Not pursuing optimization because you are migrating to S/4HANA.
    • Not considering how this plays into the short-, medium-, and long-term ERP strategy.
    • Not considering application optimization as a business and IT partnership, which requires the continuous formal engagement of all participants.
    • Not having a good understanding of your current state, including integration points and data.
    • Not adequately accommodating feedback and changes after digital applications are deployed and employed.
    • Not treating digital applications as a motivator for potential future IT optimization efforts and incorporating digital assets in strategic business planning.
    • Not involving department leads, management, and other subject-matter experts to facilitate the organizational change digital applications bring.

    “[A] successful application [optimization] strategy starts with the business need in mind and not from a technological point of view. No matter from which angle you look at it, modernizing a legacy application is a considerable undertaking that can’t be taken lightly. Your best approach is to begin the journey with baby steps.”

    – Medium

    Info-Tech’s methodology for getting the most out of your ERP

    1. Map Current-State Capabilities

    2. Assess Your Current State

    3. Identify Key Optimization Areas

    4. Build Your Optimization Roadmap

    Phase Steps

    1. Identify stakeholders and build your SAP optimization team.
    2. Build an SAP strategy model.
    3. Inventory current system state.
    4. Define business capabilities.
    1. Conduct a gap analysis for ERP processes.
    2. Assess user satisfaction.
    3. Review your satisfaction with the vendor and product.
    1. Identify key optimization areas.
    2. Evaluate product sustainability over the short, medium, and long term.
    3. Identify any product changes anticipated over short, medium, and long term.
    1. Prioritize optimization opportunities.
    2. Identify key optimization areas.
    3. Compile optimization assessment results.

    Phase Outcomes

    1. Stakeholder map
    2. SAP optimization team
    3. SAP business model
    4. Strategy alignment
    5. Systems inventory and diagram
    6. Business capabilities map
    7. Key SAP processes list
    1. Gap analysis for SAP-related processes
    2. Understanding of user satisfaction across applications and processes
    3. Insight into SAP data quality
    4. Quantified satisfaction with the vendor and product
    5. Understanding SAP costs
    1. List of SAP optimization opportunities
    1. SAP optimization roadmap

    Blueprint deliverables

    Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:

    Get the Most Out of Your SAP Workbook

    Identify and prioritize your SAP optimization goals.

    The image contains screenshots of the SAP Workbook.

    Application Portfolio Assessment

    Assess IT-enabled user satisfaction across your SAP portfolio.

    The image contains a screenshot of the Application Portfolio Assessment.

    Key deliverable:

    The image contains a screenshot of the SAP Organization Roadmap.

    SAP Optimization Roadmap

    Complete an assessment of processes, user satisfaction, data quality, and vendor management.

    The image contains screenshots further demonstrating SAP deliverables.

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.

    Guided Implementation

    Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.

    Workshop

    We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.

    Consulting

    Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.

    Diagnostics and consistent frameworks used throughout all four options

    Guided Implementation

    What does a typical GI on this topic look like?

    Phase 1

    Phase 2

    Phase 3 Phase 4

    Call #1: Scope requirements, objectives, and your specific challenge.

    Call #2:

    • Build the SAP team.
    • Align organizational goals.

    Call #3:

    • Map current state.
    • Inventory SAP capabilities and processes.
    • Explore SAP-related costs.

    Call #4: Understand product satisfaction and vendor management.

    Call #5: Review APA results.

    Call #6: Understand SAP optimization opportunities.

    Call #7: Determine the right SAP path for your organization.

    Call #8:

    Build out optimization roadmap and next steps.

    A Guided Implementation (GI) is series of calls with an Info-Tech analyst to help implement our best practices in your organization. A typical GI is 8 to 12 calls over the course of 4 to 6 months.

    Workshop Overview

    Contact your account representative for more information.
    workshops@infotech.com1-888-670-8889

    Day 1

    Day 2

    Day 3

    Day 4

    Day 5

    Define Your SAP Application Vision

    Map Current State

    Assess SAP

    Build Your Optimization Roadmap

    Next Steps and Wrap-Up (offsite)

    Activities

    1.1 Identify Stakeholders and Build Your Optimization Team

    1.2 Build an SAP Strategy Model

    1.3 Inventory Current System State

    1.4 Define Optimization Timeframe

    1.5 Understand SAP Costs

    2.1 Assess SAP Capabilities

    2.2 Review Your Satisfaction With the Vendor/Product and Willingness for Change

    3.1 Prioritize Optimization Opportunities

    3.2 Discover Optimization Initiatives

    4.1 Build Your Optimization Roadmap

    5.1 Complete in-progress deliverables from previous four days.

    5.2 Set up review time for workshop deliverables and to discuss next steps.

    Deliverables

    1. SAP optimization team
    2. SAP business model
    3. SAP optimization goals
    4. System inventory and data flow
    5. Application and business capabilities list
    6. SAP optimization timeline
    1. SAP capability gap analysis
    2. SAP user satisfaction (application portfolio assessment)
    3. SAP SoftwareReviews survey results
    4. SAP current costs
    1. Product and vendor satisfaction opportunities
    2. Capability and feature optimization opportunities
    3. Process optimization opportunities
    4. Integration optimization opportunities
    5. Data optimization opportunities
    6. SAP cost-saving opportunities
    1. SAP optimization roadmap

    Phase 1

    Map Current-State Capabilities

    Phase 1

    Phase 2

    Phase 3

    Phase 4

    1.1 Identify Stakeholders and Build Your Optimization Team

    1.2 Build an SAP Strategy Model

    1.3 Inventory Current System State

    1.4 Define Optimization Timeframe

    1.5 Understand SAP Costs

    2.1 Assess SAP Capabilities

    2.2 Review Your Satisfaction With the Vendor/Product and Willingness for Change

    3.1 Prioritize Optimization Opportunities

    3.2 Discover Optimization Initiatives

    4.1 Build Your Optimization Roadmap

    This phase will guide you through the following activities:

    • Align your organizational goals
    • Gain a firm understanding of your current state
    • Inventory ERP and related applications
    • Confirm the organization’s capabilities

    This phase involves the following participants:

    • CFO
    • Department Leads – Finance, Procurement, Asset Management
    • Applications Director
    • Senior Business Analyst
    • Senior Developer
    • Procurement Analysts

    Step 1.1

    Identify Stakeholders and Build Your Optimization Team

    Activities

    1.1.1 Identify stakeholders critical to success

    1.1.2 Map your SAP optimization stakeholders

    1.1.3 Determine your SAP optimization team

    This step will guide you through the following activities:

    • Identify ERP drivers and objectives
    • Explore ERP challenges and pain points
    • Discover ERP benefits and opportunities
    • Align the ERP foundation with the corporate strategy

    This step involves the following participants:

    • Stakeholders
    • Project sponsors and leaders

    Outcomes of this step

    • Stakeholder map
    • SAP Optimization Team

    ERP optimization stakeholders

    • Understand the roles necessary to get the most out of your SAP.
    • Understand the role of each player within your project structure. Look for listed participants on the activities slides to determine when each player should be involved.

    Title

    Role Within the Project Structure

    Organizational Sponsor

    • Owns the project at the management/C-suite level
    • Responsible for breaking down barriers and ensuring alignment with your organizational strategy
    • CIO, CFO, COO, or similar

    Project Manager

    • The IT individual(s) that oversee day-to-day project operations
    • Responsible for preparing and managing the project plan and monitoring the project team’s progress
    • Applications Manager or other IT Manager, Business Analyst, Business Process Owner, or similar

    Business Unit Leaders

    • Works alongside the IT Project Manager to ensure the strategy is aligned with business needs
    • In this case, likely to be a marketing, sales, or customer service lead
    • Sales Director, Marketing Director, Customer Care Director, or similar

    Optimization Team

    • Comprised of individuals whose knowledge and skills are crucial to project success
    • Responsible for driving day-to-day activities, coordinating communication, and making process and design decisions; can assist with persona and scenario development for ERP
    • Project Manager, Business Lead, ERP Manager, Integration Manager, Application SMEs, Developers, Business Process Architects, and/or similar SMEs

    Steering Committee

    • Comprised of the C-suite/management-level individuals that act as the project’s decision makers
    • Responsible for validating goals and priorities, defining the project scope, enabling adequate resourcing, and managing change
    • Project Sponsor, Project Manager, Business Lead, CFO, Business Unit SMEs, or similar

    Info-Tech Insight

    Do not limit project input or participation. Include subject-matter experts and internal stakeholders at stages within the project. Such inputs can be solicited on a one-off basis as needed. This ensures you take a holistic approach to create your ERP optimization strategy.

    1.1.1 Identify SAP optimization stakeholders

    1 hour

    1. Hold a meeting to identify the SAP optimization stakeholders.
    2. Use next slide as a guide.

    Record this information in the Get the Most Out of Your SAP Workbook.

    The image contains a screenshot from the Get the Most Out of Your SAP Workbook.

    Download the Get the Most Out of Your SAP Workbook

    Understand how to navigate the complex web of stakeholders in ERP

    Identify which stakeholders to include and what their level of involvement should be during requirements elicitation based on relevant topic expertise.

    Sponsor

    End User

    IT

    Business

    Description

    An internal stakeholder who has final sign-off on the ERP project.

    Front-line users of the ERP technology.

    Back-end support staff who are tasked with project planning, execution, and eventual system maintenance.

    Additional stakeholders that will be impacted by any ERP technology changes.

    Examples

    • CEO
    • CIO/CTO
    • COO
    • CFO
    • Warehouse personnel
    • Sales teams
    • HR admins
    • Applications manager
    • Vendor relationship manager(s)
    • Director, Procurement
    • VP, Marketing
    • Manager, HR

    Value

    Executive buy-in and support is essential to the success of the project. Often, the sponsor controls funding and resource allocation.

    End users determine the success of the system through user adoption. If the end user does not adopt the system, the system is deemed useless and benefits realization is poor.

    IT is likely to be responsible for more in-depth requirements gathering. IT possesses critical knowledge around system compatibility, integration, and data.

    Involving business stakeholders in the requirements gathering will ensure alignment between HR and organizational objectives.

    Large-scale ERP projects require the involvement of many stakeholders from all corners and levels of the organization, including project sponsors, IT, end users, and business stakeholders. Consider the influence and interest of stakeholders in contributing to the requirements elicitation process and involve them accordingly.

    EXAMPLE: Stakeholder involvement during selection

    The image contains an example of stakeholder involvement during selection. The graph is comparing influence and interest. In the lowest section of both influence and interest, it is labelled Monitor. With low interest but high influence that is labelled Keep Satisfied. In low influence but high interest it is labelled Keep Informed. The section that is high in both interest and influence that is labelled Involve closely.

    Activity 1.1.2 Map your SAP optimization stakeholders

    1 hour

    1. Use the list of SAP optimization stakeholders.
    2. Map each stakeholder on the quadrant based on their expected influence and involvement in the project.
    3. [Optional] Color code the users using the scale below to quickly identify the group that the stakeholder belongs to.

    The image contains an example of a colour scheme. Sponsor is coloured blue, End user is purple, IT is yellow, and Business is light blue.

    Record this information in the Get the Most Out of Your SAP Workbook.

    The image contains a screenshot of an example map on organization's stakeholders.

    Download the Get the Most Out of Your SAP Workbook

    Map the organization’s stakeholders

    The image contains a larger version of the image from the previous slide where there is a graph comparing influence and involvement and has a list of stakeholders in a legend on the side.

    The SAP optimization team

    Consider the core team functions when putting together the project team. Form a cross-functional team (i.e. across IT, Marketing, Sales, Service, Operations) to create a well-aligned ERP optimization strategy. Don’t let your project team become too large when trying to include all relevant stakeholders. Carefully limiting the size of the project team will enable effective decision making while still including functional business units such as Marketing, Sales, Service, and Finance as well as IT.

    Required Skills/Knowledge

    Suggested Project Team Members

    Business

    • Department leads
    • Business process leads
    • Business analysts
    • Subject matter experts
    • SMEs/Business process leads –All functional areas; example: Strategy, Sales, Marketing, Customer Service, Finance, HR

    IT

    • Application development
    • Enterprise integration
    • Business processes
    • Data management
    • Product owner
    • ERP application manager
    • Business process manager
    • Integration manager
    • Application developer
    • Data stewards

    Other

    • Operations
    • Administrative
    • Change management
    • COO
    • CFO
    • Change management officer

    1.1.3 Determine your SAP optimization team

    1 hour

    1. Have the project manager and other key stakeholders discuss and determine who will be involved in the SAP optimization project.
    • The size of the team will depend on the initiative and size of your organization.
    • Key business leaders in key areas and IT representatives should be involved.

    Note: Depending on your initiative and the size of your organization, the size of this team will vary.

    Record this information in the Get the Most Out of Your SAP Workbook.

    The image contains a screenshot of the section ERP Optimization Team in the Get the Most Out of Your SAP Workbook.

    Download the Get the Most Out of Your SAP Workbook

    Step 1.2

    Build an SAP Strategy Model

    Activities

    1.2.1 Explore environmental factors and technology drivers

    1.2.2 Consider potential barriers and challenges

    1.2.3 Discuss enablers of success

    1.2.4 Develop your SAP optimization goals

    This step will guide you through the following activities:

    • Identify ERP drivers and objectives
    • Explore ERP challenges and pain points
    • Discover ERP benefits and opportunities
    • Align the ERP foundation with the corporate strategy

    This step involves the following participants:

    • SAP Optimization Team

    Outcomes of this step

    • ERP business model
    • Strategy alignment

    Align your SAP strategy with the corporate strategy

    Corporate Strategy

    Unified ERP Strategy

    IT Strategy

    Your corporate strategy:

    • Conveys the current state of the organization and the path it wants to take.
    • Identifies future goals and business aspirations.
    • Communicates the initiatives that are critical for getting the organization from its current state to the desired future state.
    • The ideal ERP strategy is aligned with overarching organizational business goals and with broader IT initiatives.
    • Include all affected business units and departments in these conversations.
    • The ERP optimization can be and should be linked, with metrics, to the corporate strategy and ultimate business objectives

    Your IT strategy:

    • Communicates the organization’s budget and spending on ERP.
    • Identifies IT initiatives that will support the business and key ERP objectives.
    • Outlines staffing and resourcing for ERP initiatives.

    ERP projects are more successful when the management team understands the strategic importance and the criticality of alignment. Time needs to be spent upfront aligning business strategies with ERP capabilities. Effective alignment between IT and the business should happen daily. Alignment doesn’t just need to occur just at the executive level but at each level of the organization.

    ERP Business Model Template

    The image contains a screenshot of a ERP Business Model Template.

    Conduct interviews to elicit the business context

    Stakeholder Interviews

    Begin by conducting interviews of your executive team. Interview the following leaders:

    1. Chief Information Officer
    2. Chief Executive Officer
    3. Chief Financial Officer
    4. Chief Revenue Officer/Sales Leader
    5. Chief Operating Officer/Supply Chain & Logistics Leader
    6. Chief Technology Officer/Chief Product Officer

    INTERVIEWS MUST UNCOVER

    1. Your organization’s top three business goals
    2. Your organization’s top ten business initiatives
    3. Your organization’s mission and vision

    Understand the ERP drivers and organizational objectives

    Business Needs

    Business Drivers

    Technology Drivers

    Environmental Factors

    Definition

    A business need is a requirement associated with a particular business process.

    Business drivers can be thought of as business-level goals. These are tangible benefits the business can measure such as customer retention, operation excellence, and financial performance.

    Technology drivers are technological changes that have created the need for a new ERP enablement strategy. Many organizations turn to technology systems to help them obtain a competitive edge.

    These external considerations are factors that take place outside of the organization and impact the way business is conducted inside the organization. These are often outside the control of the business.

    Examples

    • Audit tracking
    • Authorization levels
    • Business rules
    • Data quality
    • Customer satisfaction
    • Branding
    • Time-to-resolution
    • Deployment model (i.e. SaaS)
    • Integration
    • Reporting capabilities
    • Fragmented technologies
    • Economic and political factors
    • Competitive influencers
    • Compliance regulations

    Info-Tech Insight

    One of the biggest drivers for ERP adoption is the ability to make quicker decisions from timely information. This driver is a result of external considerations. Many industries today are highly competitive, uncertain, and rapidly changing. To succeed under these pressures, there needs to be timely information and visibility into all components of the organization.

    1.2.1 Explore environmental factors and technology drivers

    30 minutes

    1. Identify business drivers that are contributing to the organization’s need for ERP.
    2. Understand how the company is running today and what the organization’s future will look like. Try to identify the purpose for becoming an integrated organization. Use a whiteboard or flip charts and markers to capture key findings.
    3. Consider external considerations, organizational drivers, technology drivers, and key functional requirements.

    Record this information in the Get the Most Out of Your SAP Workbook.

    The image contains a diagram on exploring the environmental factors and technology drivers.

    External Considerations

    Organizational Drivers

    Technology Considerations

    Functional Requirements

    • Funding constraints
    • Regulations
    • Compliance
    • Scalability
    • Operational efficiency
    • Data accuracy
    • Data quality
    • Better reporting
    • Information availability
    • Integration between systems
    • Secure data

    Download the Get the Most Out of Your SAP Workbook

    Create a realistic ERP foundation by identifying the challenges and barriers the project will bestow

    There are several different factors that may stifle the success of an ERP implementation. Organizations that are creating an ERP foundation must scan their current environment to identify internal barriers and challenges.

    Common Internal Barriers

    Management Support

    Organizational Culture

    Organizational Structure

    IT Readiness

    Definition

    The degree of understanding and acceptance toward ERP systems.

    The collective shared values and beliefs.

    The functional relationships between people and departments in an organization.

    The degree to which the organization’s people and processes are prepared for a new ERP system.

    Questions

    • Is an ERP project recognized as a top priority?
    • Will management commit time to the project?
    • Are employees resistant to change?
    • Is the organization highly individualized?
    • Is the organization centralized?
    • Is the organization highly formalized?
    • Is there strong technical expertise?
    • Is there strong infrastructure?

    Impact

    • Funding
    • Resources
    • Knowledge sharing
    • User acceptance
    • Flow of knowledge
    • Quality of implementation
    • Need for reliance on consultants

    ERP Business Model

    Organizational Goals

    Enablers

    Barriers

    • Efficiency
    • Effectiveness
    • Integrity
    • One source of truth for data
    • One team
    • Customer service, external and internal
    • Cross-trained employees
    • Desire to focus on value-add activities
    • Collaborative
    • Top-level executive support
    • Effective change management process
    • Organizational silos
    • Lack of formal process documentation
    • Funding availability
    • What goes first? Organizational priorities

    What does success look like?

    Top 15 critical success factors for ERP system implementation

    The image contains a graph that demonstrates the top 15 critical success factors for ERP system implementation. The top 15 are: Top management support and commitment, Interdepartmental communication and cooperations throughout the institution, Commitment to business process re-engineering to do away with redundant processes, Implementation project management from initiation to closing, Change management program to ensure awareness and readiness for possible changes, Project team competence, Education and training for stakeholders, Project champion to lead implementation, Project mission and goals for the system with clear objectives agreed upon, ERP expert consultant use to guide the implementation process, Minimum level of customization to use ERP functionalities to maximum, Package selection, Understanding the institutional culture, Use involvement and participation throughout implementation, ERP vendor support and partnership.

    Source: Epizitone and Olugbara, 2020; CC BY 4.0

    Info-Tech Insight

    Complement your ability to deliver on your critical success factors with the capabilities of your implementation partner to drive a successful ERP implementation.

    “Implementation partners can play an important role in successful ERP implementations. They can work across the organizational departments and layers creating a synergy and a communications mechanism.” – Ayogeboh Epizitone, Durban University of Technology

    1.2.2 Consider potential barriers and challenges

    1-3 hours

    • Open tab “1.2 Strategy & Goals,” in the Get the Most Out of Your SAP Workbook.
    • Identify barriers to ERP optimization success.
    • Review the ERP critical success factors and how they relate to your optimization efforts.
    • Discuss potential barriers to successful ERP optimization.

    Record this information in the Get the Most Out of Your SAP Workbook.

    The image contains the same diagram as shown previously, where it demonstrated the environmental factors in relation to the ERP strategy. The same diagram is used and highlights the barriers section.

    Functional Gaps

    Technical Gaps

    Process Gaps

    Barriers to Success

    • No online purchase order for requisitions
    • Inconsistent reporting – data quality concerns
    • Duplication of data
    • Lack of system integration
    • Cultural mindset
    • Resistance to change
    • Lack of training
    • Funding

    Download the Get the Most Out of Your SAP Workbook

    1.2.3 Discuss enablers of success

    1-3 hours

    1. Open tab “1.2 Strategy & Goals,” in the Get the Most Out of Your SAP Workbook.
    2. Identify barriers to ERP optimization success.
    3. Review the ERP critical success factors and how they relate to your optimization efforts.
    4. Discuss potential barriers to successful ERP optimization.

    Record this information in the Get the Most Out of Your SAP Workbook.

    The image contains the same diagram as shown previously, where it demonstrated the environmental factors in relation to the ERP strategy. The same diagram is used and highlights the enablers and organizational goals sections.

    Business Benefits

    IT Benefits

    Organizational Benefits

    Enablers of Success

    • Business-IT alignment
    • Compliance
    • Scalability
    • Operational efficiency
    • Data accuracy
    • Data quality
    • Better reporting
    • Change management
    • Training
    • Alignment with strategic objectives

    Download the Get the Most Out of Your SAP Workbook

    The Business Value Matrix

    Rationalizing and quantifying the value of SAP

    Benefits can be realized internally and externally to the organization or department and have different drivers of value.

    • Financial benefits refer to the degree to which the value source can be measured through monetary metrics and are often quite tangible.
    • Human benefits refer to how an application can deliver value through a user’s experience.
    • Inward refers to value sources that have an internal impact and improve your organization’s effectiveness and efficiency in performing its operations.
    • Outward refers to value sources that come from your interaction with external factors, such as the market or your customers.

    Organizational Goals

    • Increased Revenue
    • Application functions that are specifically related to the impact on your organization’s ability to generate revenue and deliver value to your customers.

    • Reduced Costs
    • Reduction of overhead. The ways in which an application limits the operational costs of business functions.

    • Enhanced Services
    • Functions that enable business capabilities that improve the organization’s ability to perform its internal operations.

    • Reach Customers
    • Application functions that enable and improve the interaction with customers or produce market information and insights.

    Business Value Matrix

    The image contains a screenshot of a Business Value Matrix. It includes: Reach Customers, Increase Revenue or Deliver Value, Reduce Costs, and Enhance Services.

    Link SAP capabilities to organizational value

    The image contains screenshots that demonstrate linking SAP capabilities to organizational value.

    1.2.4 Define your SAP optimization goals

    30 minutes

    1. Discuss the ERP business model and ERP critical success factors.
    2. Through the lens of corporate goals and objectives think about supporting ERP technology. How can the ERP system bring value to the organization? What are the top things that will make this initiative a success?
    3. Develop five to ten optimization goals that will form the basis for the success of this initiative.

    Record this information in the Get the Most Out of Your SAP Workbook.

    The image contains an example of the activity describe above on defining your SAP optimization goals.

    Download the Get the Most Out of Your SAP Workbook

    Step 1.3

    Inventory Current System State

    Activities

    1.3.1 Inventory SAP applications and interactions

    1.3.2 Draw your SAP system diagram

    1.3.3 Inventory your SAP modules and business capabilities (or business processes)

    1.3.4 Define your key SAP optimization modules and business capabilities

    This step will guide you through the following activities:

    • Inventory of applications
    • Mapping interactions between systems

    This step involves the following participants:

    • SAP Optimization Team
    • Enterprise Architect
    • Data Architect

    Outcomes of this step

    • Systems inventory
    • Systems diagram

    1.3.1 Inventory SAP applications and interfaces

    1-3+ hours

    1. Enter your SAP systems, SAP extended applications, and integrated applications within scope.
    2. Include any abbreviated names or nicknames.
    3. List the application type or main function.
    4. List the modules the organization has licensed.
    5. List any integrations.

    Record this information in the Get the Most Out of Your SAP Workbook.

    The image contains a screenshot of the SAP application inventory.

    Download the Get the Most Out of Your SAP Workbook

    ERP Data Flow

    The image contains an example ERP Data Flow with a legend.

    Be sure to include enterprise applications that are not included in the ERP application portfolio. Popular systems to consider for POIs include billing, directory services, content management, and collaboration tools.

    ERP – enterprise resource planning

    Email – email system such as Microsoft Exchange

    Calendar – calendar system such as Microsoft Outlook

    WEM – web experience management

    ECM – enterprise content management

    When assessing the current application portfolio that supports your ERP, the tendency will be to focus on the applications under the ERP umbrella. These relate mostly to marketing, sales, and customer service. Be sure to include systems that act as input to, or benefit due to outputs from, ERP or similar applications.

    1.3.2 Draw your SAP system diagram

    1-3+ hours

    1. From the SAP application inventory, diagram your network.
    2. Include:

    • Any internal or external systems
    • Integration points
    • Data flow

    The image contains a screenshot of the example ERP Systems Diagram.

    Download the Get the Most Out of Your SAP Workbook

    Sample SAP and integrations map

    The image contains a screenshot of a sample SAP and integrations map.

    Business capability map (Level 0)

    The image contains a screenshot of the business capability map, level 0. The capability map includes: Products and Services Development, Revenue Generation, Demand Fulfillment, and Enterprise Management and Planning.

    In business architecture, the primary view of an organization is known as a business capability map. A business capability defines what a business does to enable value creation, rather than how.

    Business capabilities:

    • Represent stable business functions.
    • Are unique and independent of each other.
    • Will typically have a defined business outcome.

    A business capability map provides details that help the business architecture practitioner direct attention to a specific area of the business for further assessment.

    ERP process mapping

    The image contains screenshots to demonstrate the ERP process mapping. One of the screenshots is of the business capability map, level 0, the second screenshot contains the objectives , value streams, capabilities, and processes. The third image contains a screenshot of the SAP screenshot with the circles around it as previously shown.

    The operating model

    An operating model is a framework that drives operating decisions. It helps to set the parameters for the scope of ERP and the processes that will be supported. The operating model will serve to group core operational processes. These groupings represent a set of interrelated, consecutive processes aimed at generating a common output. From your developed processes and your SAP license agreements you will be able to pinpoint the scope for investigation including the processes and modules.

    APQC Framework

    Help define your inventory of sales, marketing, and customer services processes.

    Operating Processes

    1. Develop vision and strategy 2. Develop and manage products and services 3. Market and sell products and services 4. Deliver physical products 5. Deliver services

    Management and Support Processes

    6.Manage customer service

    7. Develop and manage human capital

    8. Manage IT

    9. Manage financial resources

    10. Acquire, construct, and manage assets

    11. Manage enterprise risk, compliance, remediation, and resiliency

    12. Manage external relationships

    13. Develop and manage business capabilities

    Source: APQC

    If you do not have a documented process model, you can use the APQC Framework to help define your inventory of sales business processes. APQC’s Process Classification Framework is a taxonomy of cross-functional business processes intended to allow the objective comparison of organizational performance within and among organizations.

    APQC’s Process Classification Framework

    The value stream

    Value stream defined:

    Value Streams

    Design Product

    Produce Product

    Sell Product

    Customer Service

    • Manufacturers work proactively to design products and services that will meet consumer demand.
    • Products are driven by consumer demand and government regulations.
    • Production processes and labor costs are constantly analyzed for efficiencies and accuracies.
    • Quality of product and services are highly regulated through all levels of the supply chain.
    • Sales networks and sales staff deliver the product from the organization to the end consumer.
    • Marketing plays a key role throughout the value stream, connecting consumers’ wants and needs to the products and services offered.
    • Relationships with consumers continue after the sale of products and services.
    • Continued customer support and data mining is important to revenue streams.

    Value streams connect business goals to the organization’s value realization activities in the marketplace. Those activities are dependent on the specific industry segment in which an organization operates.

    There are two types of value streams: core value streams and support value streams.

    • Core value streams are mostly externally facing. They deliver value to either an external or internal customer and they tie to the customer perspective of the strategy map.
    • Support value streams are internally facing and provide the foundational support for an organization to operate.

    An effective method for ensuring all value streams have been considered is to understand that there can be different end-value receivers.

    Process mapping hierarchy

    The image contains a screenshot of the PCF levels explained. The levels are 1-5. The levels are: Category, Process Group, Process, Activity, and Task.

    Source: APQC

    APQC provides a process classification framework. It allows organizations to effectively define their processes and manage them appropriately.

    APQC’s Process Classification Framework

    Cross-industry classification framework

    Level 1 Level 2 Level 3 Level 4

    Market and sell products and services

    Understand markets, customers, and capabilities

    Perform customer and market intelligence analysis

    Conduct customer and market research

    Market and sell products and services

    Develop a sales strategy

    Develop a sales forecast

    Gather current and historic order information

    Deliver services

    Manage service delivery resources

    Manage service delivery resource demand

    Develop baseline forecasts

    ? ? ? ?

    Info-Tech Insight

    Focus your initial assessment on the level 1 processes that matter to your organization. This allows you to target your scant resources on the areas of optimization that matter most to the organization and minimize the effort required from your business partners. You may need to iterate the assessment as challenges are identified. This allows you to be adaptive and deal with emerging issues more readily and become a more responsive partner to the business.

    SAP modules and process enablement

    Cloud/Hardware

    Fiori

    Analytics

    Integrations

    Extended Solutions

    R&D Engineering

    • Enterprise Portfolio and Project Management
    • Product Development Foundation
    • Enterprise Portfolio and Project Management
    • Product Lifecycle Management
    • Product Compliance
    • Enterprise Portfolio and Project Management
    • Product Safety and Stewardship
    • Engineering Record

    Sourcing and Procurement

    • Procurement Analytics
    • Sourcing & Contract Management
    • Operational Procurement
    • Invoice Management
    • Supplier Management

    Supply Chain

    • Inventory
    • Delivery & Transportation
    • Warehousing
    • Order Promising

    Asset Management

    • Maintenance Operations
    • Resource Scheduling
    • Env, Health and Safety
    • Maintenance Management
    The image contains a diagram of the SAP enterprise resource planning. The diagram includes a circle with smaller circles all around it. The inside of the circle contains SAP logos. The circles around the big circle are labelled: Human Resources Management, Sales, Marketing, Customer Service, Asset Management, Logistics, Supply Chain Management, Manufacturing, R&D and Engineering, and Finance.

    Finance

    • Financial Planning and Analysis
    • Accounting and Financial Close
    • Treasury Management
    • Financial Operations
    • Governance, Risk & Compliance
    • Commodity Management

    Human Resources

    • Core HR
    • Payroll
    • Timesheets
    • Organization Management
    • Talent Management

    Sales

    • Sales Support
    • Order and Contract Management
    • Agreement Management
    • Performance Management

    Service

    • Service Operations and Processes
    • Basic Functions
    • Workforce Management
    • Case Management
    • Professional Services
    • Service Master Data Management
    • Service Management

    Beyond the core

    The image contains a screenshot of a diagram to demonstrate beyond the core. In the middle of the image is S/4 Core, and the BTP: Business Technology Platform. Surrounding it are: SAP Fieldglass, SAP Concur, SAP Success Factors, SAP CRM SAO Hybris, SAP Ariba. On the left side of the image are: Business Planning and Consolidations, Transportation Management System, Integrated Business Planning, Extended Warehouse Management.

    1.3.3 Inventory your SAP modules and business capabilities

    1-3+ hours

    1. Look at the major functions or processes within the scope of ERP.
    2. From the inventory of current systems, choose the submodules or processes that you want to investigate and are within scope for this optimization initiative.
    3. Use tab 1.3 “SAP Capabilities” in Get the Most Out of Your SAP Workbook for a list of common SAP Level 1 and Level 2 modules/business capabilities.
    4. List the top modules, capabilities, or processes that will be within the scope of this optimization initiative.

    Record this information in the Get the Most Out of Your SAP Workbook.

    The image contains a screenshot of an example of what to do for the activity 1.3.3.

    Download the Get the Most Out of Your SAP Workbook

    1.3.4 Define your key SAP optimization modules and business capabilities

    1-3+ hours

    1. Look at the major functions or processes within the scope of ERP.
    2. From the inventory of current systems, choose the submodules or processes for this optimization initiative. Base this on those that are most critical to the business, those with the lowest levels of satisfaction, or those that perhaps need more knowledge around them.

    Record this information in the Get the Most Out of Your SAP Workbook.

    The image contains a screenshot of the Key SAP Optimization Capabilities.

    Download the Get the Most Out of Your SAP Workbook

    Step 1.4

    Define Optimization Timeframe

    Activities

    1.4.1 Define SAP key dates and SAP optimization roadmap timeframe and structure

    This step will guide you through the following activities:

    • Defining key dates related to your optimization initiative
    • Identifying key building blocks for your optimization roadmap

    This step involves the following participants:

    • SAP Optimization Team
    • Vendor Management

    Outcomes of this step

    • Optimization Key Dates
    • Optimization Roadmap Timeframe and Structure

    1.4.1 Optimization roadmap timeframe and structure

    1-3+ hours

    1. Record key items and dates relevant to your optimization initiatives, such as any products reaching end of life or end of contract or budget proposal submission deadlines.
    2. Enter the expected Optimization Initiative Start Date.
    3. Enter the Roadmap Length. This is the total amount of time you expect to participate in the SAP optimization initiative.
    4. This includes short-, medium- and long-term initiatives.
    5. Enter your Roadmap Date markers: how you want dates displayed on the roadmap.
    6. Enter Column time values: what level of granularity will be helpful for this initiative?
    7. Enter the sprint or cycle timeframe; use this if following Agile.

    Record this information in the Get the Most Out of Your SAP Workbook.

    The image contains a screenshot of the Optimization Roadmap Timeframe and Structure.

    Download the Get the Most Out of Your SAP Workbook

    Step 1.5

    Understand SAP Costs

    Activities

    1.5.1 Document costs associated with SAP

    This step will walk you through the following activities:

    • Define your SAP direct and indirect costs
    • List your SAP expense line items

    This step involves the following participants:

    • Finance Representatives
    • SAP Optimization Team

    Outcomes of this step

    • Current SAP and related costs

    1.5.1 Document costs associated with SAP

    1-3 hours

    Before you can make changes and optimization decisions, you need to understand the high-level costs associated with your current application architecture. This activity will help you identify the types of technology and people costs associated with your current systems.

    1. Identify the types of technology costs associated with each current system:
      1. System Maintenance
      2. Annual Renewal
      3. Licensing
    2. Identify the cost of people associated with each current system:
      1. Full-Time Employees
      2. Application Support Staff
      3. Help Desk Tickets

    Record this information in the Get the Most Out of Your SAP Workbook.

    The image contains a screenshot of the activity 1.5.1 on documenting costs associated with SAP.

    Download the Get the Most Out of Your SAP Workbook

    Phase 2

    Assess Your Current State

    Phase 1

    Phase 2

    Phase 3

    Phase 4

    1.1 Identify Stakeholders and Build Your Optimization Team

    1.2 Build an SAP Strategy Model

    1.3 Inventory Current System State

    1.4 Define Optimization Timeframe

    1.5 Understand SAP Costs

    2.1 Assess SAP Capabilities

    2.2 Review Your Satisfaction With the Vendor/Product and Willingness for Change

    3.1 Prioritize Optimization Opportunities

    3.2 Discover Optimization Initiatives

    4.1 Build Your Optimization Roadmap

    This phase will walk you through the following activities:

    • Determine process relevance
    • Perform a gap analysis
    • Perform a user satisfaction survey
    • Assess software and vendor satisfaction

    This phase involves the following participants:

    • SAP Optimization Team
    • Users across functional areas of your ERP and related technologies

    Step 2.1

    Assess SAP Capabilities

    Activities

    2.1.1 Rate capability relevance to organizational goals

    2.1.2 Complete an SAP application portfolio assessment

    2.1.3 (Optional) Assess SAP process maturity

    This step will guide you through the following activities:

    • Capability relevance
    • Process gap analysis
    • Application Portfolio Assessment

    This step involves the following participants:

    • SAP Users

    Outcomes of this step

    • SAP Capability Assessment

    Benefits of the Application Portfolio Assessment

    The image contains a screenshot of the activity of assessing the health of the application portfolio.

    Assess the health of the application portfolio

    • Get a full 360-degree view of the effectiveness, criticality, and prevalence of all relevant applications to get a comprehensive view of the health of the applications portfolio.
    • Identify opportunities to drive more value from effective applications, retire nonessential applications, and immediately address at-risk applications that are not meeting expectations.
    The image contains a screenshot of the activity on providing targeted department feedback.

    Provide targeted department feedback

    • Share end-user satisfaction and importance ratings for core IT services, IT communications, and business enablement to focus on the right end-user groups or lines of business, and ramp up satisfaction and productivity.
    The image contains a screenshot of the activity on gaining insight into the state of data quality.

    Gain insight into the state of data quality

    • Data quality is one of the key issues causing poor CRM user satisfaction and business results. This can include the relevance, accuracy, timeliness, or usability of the organization’s data.
    • Targeted, open-ended feedback around data quality will provide insight into where optimization efforts should be focused.

    2.1.1 Complete a current-state assessment (via the Application Portfolio Assessment)

    3 hours

    Option 1: Use Info-Tech’s Application Portfolio Assessment to generate your user satisfaction score. This tool not only measures application satisfaction but also elicits great feedback from users regarding the support they receive from the IT team around SAP.

    1. Download the ERP Application Inventory Tool.
    2. Complete the “Demographics” tab (tab 2).
    3. Complete the “Inventory” tab (tab 3).
      1. Complete the inventory by treating each module within your SAP system as an application.
      2. Treat every department as a separate column in the department section. Feel free to add, remove, or modify department names to match your organization.
      3. Include data quality for all applications applicable.

    Option 2: Create a survey manually.

    1. Use tab (Reference) 2.1 “APA Questions” as a guide for creating your survey.
    2. Send out surveys to end users.
    3. Modify tab 2.1, “SAP Assessment,” if required.

    Record Results

    Record this information in the Get the Most Out of Your SAP Workbook.

    The image contains a screenshot of the Application Portfolio Assessment.

    Download the ERP Application Inventory Tool

    Download the Get the Most Out of Your SAP Workbook

    Sample Report from Application Portfolio Assessment.

    The image contains a screenshot of a sample report from the Application Portfolio Assessment.

    2.1.2 (Optional) Assess SAP process and technical maturity

    1-3 hours

    1. As with any ERP system, the issues encountered may not be related to the system itself but processes that have developed over time.
    2. Use this opportunity to interview key stakeholders to learn about deeper capability processes.
    • Identify key stakeholders.
    • Hold sessions to document deeper processes.
    • Discuss processes and technical enablement in each area.

    Record this information in the Get the Most Out of Your SAP Workbook.

    The image contains an example of the process maturity activity.

    Download the Get the Most Out of Your SAP Workbook

    Process Maturity Assessment

    The image contains a screenshot of the Process Maturity Assessment.

    Step 2.2

    Review Your Satisfaction With the Vendor/Product and Willingness for Change

    Activities

    2.2.1 Rate your vendor and product satisfaction

    2.2.2 Review SAP product scores (if applicable)

    2.2.3 Evaluate your product satisfaction

    2.2.4 Check your business process change tolerance

    This step will guide you through the following activities:

    • Rate your vendor and product satisfaction
    • Compare with survey data from SoftwareReviews

    This step involves the following participants:

    • SAP Product Owner(s)
    • Procurement Representative
    • Vendor Contracts Manager

    Outcomes of this step

    • Quantified satisfaction with vendor and product

    2.2.1 Rate your vendor and product satisfaction

    30 minutes

    Use Info-Tech’s vendor satisfaction survey to identify optimization areas with your ERP product(s) and vendor(s).

    1. Option 1 (recommended): Conduct a satisfaction survey using SoftwareReviews. This option allows you to see your results in the context of the vendor landscape.
    2. Option 2: Use the Get the Most Out of Your SAP Workbook to review your satisfaction with your SAP software.

    Record this information in the Get the Most Out of Your SAP Workbook.

    The image contains a screenshot of the activity Vendor Optimization.

    SoftwareReviews’ Enterprise Resource Planning Category

    Download the Get the Most Out of Your SAP Workbook

    2.2.2 Review SAP product scores (if applicable)

    30 minutes

    1. Download the scorecard for your SAP product from the SoftwareReviews website. (Note: Not all products are represented or have sufficient data, so a scorecard may not be available.)
    2. Use the Get the Most Out of Your SAP Workbook tab 2.2 “Vend. & Prod. Sat” to record the scorecard results.
    3. Use your Get the Most Out of Your SAP Workbook to flag areas where your score may be lower than the product scorecard. Brainstorm ideas for optimization.

    Record this information in the Get the Most Out of Your SAP Workbook.

    The image contains a screenshot of the activity 2.2.2 review SAP product scores.

    Download the Get the Most Out of Your SAP Workbook

    SoftwareReviews’ Enterprise Resource Planning Category

    2.2.3 How does your satisfaction compare with your peers?

    Use SoftwareReviews to explore product features, vendor experience, and capability satisfaction.

    The image contains two screenshots of SoftwareReviews. One is of the ERP Mid-Market, and the second is of the ERP Enterprise.

    Source: SoftwareReviews ERP Mid-Market, April 2022

    Source: SoftwareReviews ERP Enterprise, April 2022

    2.2.4 Check your business process change tolerance

    1 hours

    1. As a group, review the level 0 business capabilities on the previous slide.
    2. Assess the department’s willingness for change and the risk of maintaining the status quo.
    3. Color-code the level 0 business capabilities based on:
    • Green – Willing to follow best practices
    • Yellow – May be challenging or unique business model
    • Red – Low tolerance for change
  • For clarity, move to level 1 if specific areas need to be called out and use the same color code.
  • Input Output
    • Business process capability map
    • Heat map of risk areas that require more attention for validating best practices or minimizing customization
    Materials Participants
    • Whiteboard/flip charts
    • Get the Most Out of Your SAP Workbook
    • Implementation team
    • CIO
    • Key stakeholders

    Download Get the Most Out of Your SAP Workbook for additional process levels

    Heat map representing desire for best practice or those having the least tolerance for change

    The image contains a screenshot of a heat map to demonstrate desire for best practice or those having the least tolerance for change.

    Determine the areas of risk to conform to best practice and minimize customization. These will be areas needing focus from the vendor supporting change and guiding best practice. For example: Must be able to support our unique process manufacturing capabilities and enhance planning and visibility to detailed costing.

    Phase 3

    Identify Key Optimization Opportunities

    Phase 1

    Phase 2

    Phase 3

    Phase 4

    1.1 Identify Stakeholders and Build Your Optimization Team

    1.2 Build an SAP Strategy Model

    1.3 Inventory Current System State

    1.4 Define Optimization Timeframe

    1.5 Understand SAP Costs

    2.1 Assess SAP Capabilities

    2.2 Review Your Satisfaction With the Vendor/Product and Willingness for Change

    3.1 Prioritize Optimization Opportunities

    3.2 Discover Optimization Initiatives

    4.1 Build Your Optimization Roadmap

    This phase will walk you through the following activities:

    • Identify key optimization areas
    • Create an optimization roadmap

    This phase involves the following participants:

    • SAP Optimization Team

    Assessing application business value

    In this context…business value is

    the value of the business outcome that the application produces. Additionally, it is how effective the application is at producing that outcome.

    Business value is not

    the user’s experience or satisfaction with the application.

    The image contains a screenshot of a Venn Diagram. In the left circle, labelled The Business it contains the following text: Keepers of the organization’s mission, vision, and value statements that define IT success. The business maintains the overall ownership and evaluation of the applications. In the right circle labelled IT, it contains the following text: Technical subject-matter experts of the applications they deliver and maintain. Each IT function works together to ensure quality applications are delivered to stakeholder expectations. The middle space is labelled: Business Value of Applications.

    First, the authorities on business value need to define and weigh their value drivers that describe the priorities of the organization. This will allow the applications team to apply a consistent, objective, and strategically aligned evaluation of applications across the organization.

    Brainstorm IT initiatives to enable high areas of opportunity to support the business

    Brainstorm ERP optimization initiatives in each area. Ensure you are looking for all-encompassing opportunities within the context of IT, the business, and SAP systems.

    Capabilities are what the system and business does that creates value for the organization. Optimization initiatives are projects with a definitive start and end date, and they enhance, create, maintain, or remove capabilities with the goal of increasing value.

    The image contains a Venn Diagram with 3 circles. The circles are labelled as: Process, Technology, and Organization.

    Info-Tech Insight

    Enabling a high-performing organization requires excellent management practices and continuous optimization efforts. Your technology portfolio and architecture are important, but we must go deeper. Taking a holistic view of ERP technologies in the environments in which they operate allows for the inclusion of people and process improvements – this is key to maximizing business results. Using a formal ERP optimization initiative will drive business-IT alignment, identify IT automation priorities, and dig deep into continuous process improvement.

    Address process gaps:

    • ERP and related technologies are invaluable to the goal of organizational enablement, but they must have supported processes driven by business goals.
    • Identify areas where capabilities need to be improved and work toward optimization.

    Support user satisfaction:

    • The best technology in the world won’t deliver business results if it’s not working for the users who need it.
    • Understand concerns, communicate improvements, and support users in all roles.

    Improve data quality:

    • Data quality is unique to each business unit and requires tolerance, not perfection.
    • Implement data quality initiatives that are aligned with overall business objectives and aimed at addressing data practices and the data itself.

    Proactively manage vendors:

    • Vendor management is a critical component of technology enablement and IT satisfaction.
    • Assess your current satisfaction against that of your peers and work toward building a process that is best fit for your organization.

    Step 3.1

    Prioritize Optimization Opportunities

    Activities

    3.1.1 Prioritize optimization capability areas

    This step will guide you through the following activities:

    • Explore existing process gaps
    • Identify the impact of processes on user satisfaction
    • Identify the impact of data quality on user satisfaction
    • Review your overall product satisfaction and vendor management

    This step involves the following participants:

    • SAP Optimization Team

    Outcomes of this step

    • Application optimization plan

    The Business Value Matrix

    Rationalizing and quantifying the value of SAP

    Benefits can be realized internally and externally to the organization or department and have different drivers of value.

    • Financial benefits refer to the degree to which the value source can be measured through monetary metrics and are often quite tangible.
    • Human benefits refer to how an application can deliver value through a user’s experience.
    • Inward refers to value sources that have an internal impact and improve your organization’s effectiveness and efficiency in performing its operations.
    • Outward refers to value sources that come from your interaction with external factors, such as the market or your customers.

    Organizational Goals

    • Increased Revenue
    • Application functions that are specifically related to the impact on your organization’s ability to generate revenue and deliver value to your customers.

    • Reduced Costs
    • Reduction of overhead. The ways in which an application limits the operational costs of business functions.

    • Enhanced Services
    • Functions that enable business capabilities that improve the organization’s ability to perform its internal operations.

    • Reach Customers
    • Application functions that enable and improve the interaction with customers or produce market information and insights.

    Business Value Matrix

    The image contains a screenshot of a Business Value Matrix. It includes: Reach Customers, Increase Revenue or Deliver Value, Reduce Costs, and Enhance Services.

    Prioritize SAP optimization areas that will bring the most value to the organization

    Review your ERP capability areas and rate them according to relevance to organizational goals. This will allow you to eliminate optimization ideas that may not bring value to the organization.

    The image contains a screenshot of a graph that compares satisfaction by relevance to organizational goals to demonstrate high priority.

    3.1.1 Prioritize and rate optimization capability areas

    1-3 hours

    1. From the SAP capabilities, discuss areas of scope for the SAP optimization initiative.
    2. Discuss the four areas of the business value matrix and identify how each module, along with organizational goals, can bring value to the organization.
    3. Rate each of your SAP capabilities for the level of importance to your organization. The levels of importance are:
    • Crucial
    • Important
    • Secondary
    • Unimportant
    • Not applicable

    Record this information in the Get the Most Out of Your SAP Workbook.

    The image contains a screenshot of activity 3.1.1.

    Download the Get the Most Out of Your SAP Workbook

    Step 3.2

    Discover Optimization Initiatives

    Activities

    3.2.1 Discover product and vendor satisfaction opportunities

    3.2.2 Discover capability and feature optimization opportunities

    3.2.3 Discover process optimization opportunities

    3.2.4 Discover integration optimization opportunities

    3.2.5 Discover data optimization opportunities

    3.2.6 Discover SAP cost-saving opportunities

    This step will guide you through the following activities:

    • Explore existing process gaps
    • Identify the impact of processes on user satisfaction
    • Identify the impact of data quality on user satisfaction
    • Review your overall product satisfaction and vendor management

    This step involves the following participants:

    • SAP Optimization Team

    Outcomes of this step

    • Application optimization plan

    Satisfaction with SAP product

    The image contains three screenshots to demonstrate satisfaction with sap product.

    Improving vendor management

    Create a right-size, right-fit strategy for managing the vendors relevant to your organization.

    The image contains a diagram to demonstrate lower strategic value, higher vendor spend/switching costs, higher strategic value, and lower vendor spend/switching costs.

    Info-Tech Insight

    A vendor management initiative (VMI) is an organization’s formalized process for evaluating, selecting, managing, and optimizing third-party providers of goods and services.

    The amount of resources you assign to managing vendors depends on the number and value of your organization’s relationships. Before optimizing your vendor management program around the best practices presented in Info-Tech’s Jump Start Your Vendor Management Initiative blueprint, assess your current maturity and build the process around a model that reflects the needs of your organization.

    Note: Info-Tech uses VMI interchangeably with the terms “vendor management office (VMO),” “vendor management function,” “vendor management process,” and “vendor management program.”

    Jump Start Your Vendor Management Initiative

    3.2.1 Discover product and vendor satisfaction

    1-2 hours

    1. Use tab 3.1 “Optimization Priorities” and tab 2.2 “Vend. & Prod. Sat” to review the capabilities and features of your SAP system.
    2. Answer the following questions:
      1. Document overall product satisfaction.
      2. How does your satisfaction compare with your peers?
      3. Is the overall system fit for use?
      4. Do you have a proactive vendor management strategy in place?
      5. Is the product dissatisfaction at the point that you need to evaluate if it is time to replace the product?
      6. Could your vendor or Systems Integrator help you achieve better results?
    3. Review the Value Effort Matrix for each initiative.

    Record this information in the Get the Most Out of Your SAP Workbook.

    Download the Get the Most Out of Your SAP Workbook

    Examples from Application Portfolio Assessment

    The image contains screenshots from the Application Portfolio Assessment.

    3.2.2 Discover capability and feature optimization opportunities

    1-2 hours

    1. Use tab 3.1 “Optimization Priorities” and tab 2.2 “Vend. & Prod. Sat” to review the capabilities and features of your SAP system.
    2. Answer the following questions:
      1. What capabilities and features are performing the worst?
      2. Do other organizations and users struggle with these areas?
      3. Why is it not performing well?
      4. Is there an opportunity for improvement?
      5. What are some optimization initiatives that could be undertaken?
    3. Review the Value Effort Matrix for each initiative.

    Record this information in the Get the Most Out of Your SAP Workbook.

    Download the Get the Most Out of Your SAP Workbook

    Process optimization: the hidden goldmine

    In ~90% of SAP business process analysis reports, SAP identified significant potential for improving the existing SAP implementation, i.e. the large majority of customers are not yet using their SAP Business Suite to the full extent.

    Goals of Process Improvement

    Process Improvement Sample Areas

    Improvement Possibilities

    • Optimize business and improve value drivers
    • Reduce TCO
    • Reduce process complexity
    • Eliminate manual processes
    • Increase efficiencies
    • Support digital transformation and enablement
    • Order to cash
    • Procure to pay
    • Order to replenish
    • Plan to produce
    • Request to settle
    • Make to order
    • Make to stock
    • Purchase to order
    • Increase number of process instances processed successfully end-to-end
    • Increase number of instances processed in time
    • Increase degree of process automation
    • Speed up cycle times of supply chain processes
    • Reduce number of process exceptions
    • Apply internal best practices across organizational units

    3.2.3 Discover process optimization opportunities

    1-2 hours

    1. Use exercise 2.13 and tab 2.1 “SAP Current State Assessment” to assess process optimization opportunities.
    2. List underperforming capabilities around process.
    3. Answer the following:
      1. What is the state of the current processes?
      2. Is there an opportunity for process improvement?
      3. What are some optimization initiatives that could be undertaken in this area?

    Record this information in the Get the Most Out of Your SAP Workbook.

    Download the Get the Most Out of Your SAP Workbook

    Integration provides long-term usability

    Balance the need for secure, compliant data availability with organizational agility.

    The Benefits of Integration

    The Challenges of Integration

    • The largest benefit is the extended use of data. The ERP data can be used in the enterprise-level business intelligence suite rather than the application-specific analytics.
    • Enhanced data security. Integrated approaches lend themselves to auditable processes such as sign-on and limiting the email movement of data.
    • Regulatory compliance. Large multi-site organizations have many layers of regulation. A clear understanding of where orders, deliveries, and payments were made streamlines the audit process.
    • Extending a single instance ERP to multiple sites. The challenge for data management is the same as any SaaS application. The connection and data replication present challenges.
    • Combining data from equally high-volume systems. For SAP it is recommended that one instance is set to primary and all other sites are read-only to maintain data integrity.
    • Incorporating data from the separate system(s). The proprietary and locked-in nature of the data collection and definitions for ERP systems often limit the movement of data between separate systems.

    Common integration and consolidation scenarios

    Financial Consolidation

    Data Backup

    Synchronization Across Sites

    Legacy Consolidation

    • Require a holistic view of data format and accounting schedules.
    • Use a data center as the main repository to ensure all geographic locations have equal access to the necessary data.
    • Set up synchronization schedules based on data usage, not site location.
    • Carefully define older transactions. Only active transactions should be brought in the ERP. Send older data to storage.
    • Problem: Controlling financial documentation across geographic regions.
      Most companies are required to report in each region where they maintain a presence. Stakeholders and senior management also need a holistic view. This leads to significant strain on the financial department to consolidate both revenue and budget allocations for cross-site projects across the various geographic locations on a regular basis.
    • Solution: For enterprises with a single vendor, SAP-only portfolios, SAP can offer integration tools. For those needing to integrate with other ERPs, the use of a connector may be required to send financial data to the main system. The format and accounting calendar for transactions should match the primary ERP system to allow consolidation. The local-specific format should be a role-based customization at the level of the site’s specific instance.
    • Problem: ERP systems generate high volumes of data. Most systems have a defined schedule of back-up during off-hours. Multi-instance brings additional issues through lack of defined off-hours, higher volume of data, and the potential for cross-site or instance data relationships. This leads to headaches for both the database administrator and business analysts.
    • Solution: The best solution is an off-site data center with high availability. This may include cloud storage or hosted data centers. Regardless of where the data is stored, centralize the data and replicate to each site. Ensure that the data center can mirror the database and binary large object (BLOB) storage that exists for each site.
    • Problem: Providing access to up-to-date transactions requires copying of both contextual information (permissions, timestamp, location, history) and the transaction itself across multiple sites to allow local copies to be used for analysis and audits. The sheer volume of information makes timely synchronization difficult.
    • Solution: Not all data needs to be synchronized in a timely fashion. In SAP, administrators can use NetWeaver to maintain and alter global data synchronization through the Master Data Management module. Permissions can be given to users to perform on-demand synchronization of data attached to that user.
    • The Problem: Subsidiaries and acquired companies often have a Tier 2 ERP product. Prior to fully consolidating the processes many enterprises will want to migrate data to their ERP system to build compliance and audit trails. Migration of data often breaks historical linkages between transactions.
    • Solution: SAP offers tools to integrate data across applications that can be used as part of a data migration strategy. The process of data migration should be combined with data warehousing to ensure a cost-effective process. For most enterprises, the lack of experience in data migration will necessitate the use of consultants and independent software vendors (ISV).

    For more information: Implement a Multi-site ERP

    3.2.4 Discover integration optimization opportunities

    1-2 hours

    1. Use tab 1.3.1 “SAP Application Inventory” to discuss integrations and how they are related to capability areas that are not performing well.
    2. List capabilities that might be affected by integration issues. Think about exercise 3.2.1 and discuss how integrations could be affecting overall product satisfaction.
    3. Answer the following:
      1. Are there some areas where integration could be improved?
      2. Is there an opportunity for process improvement?
      3. What are some optimization initiatives that could be undertaken in this area?

    Record this information in the Get the Most Out of Your SAP Workbook.

    Download the Get the Most Out of Your SAP Workbook

    System and data optimization

    Consolidating your business and technology requires an overall system and data migration plan.

    The image contains a screenshot of a diagram that demonstrates three different integrations: system, organization, and data.

    Info-Tech Insight

    Have an overall data migration plan before beginning your systems consolidation journey to S/4HANA.

    Use a data strategy that fixes the enterprise-wide data management issues

    Your data management must allow for flexibility and scalability for future needs.

    IT has several concerns around ERP data and wide dissemination of that data across sites. Large organizations can benefit from building a data warehouse or at least adopting some of the principles of data warehousing. The optimal way to deal with the issue of integration is to design a metadata-driven data warehouse that acts as a central repository for all ERP data. They serve as the storage facility for millions of transactions, formatted to allow analysis and comparison.

    Key considerations:

    • Technical: At what stage does data move to the warehouse? Can processes be automated to dump data or to do a scheduled data movement?
    • Process: Data integration requires some level of historical context for all data. Ensure that all data has multiple metadata tags to future-proof the data.
    • People: Who will be accessing the data and what are the key items that users will need to adapt to the data warehouse process?

    Info-Tech Insight

    Data warehouse solutions can be expensive. See Info-Tech’s Build a Data Warehouse on a Solid Foundation for guidance on what options are available to meet your budget and data needs.

    Optimizing SAP data, additional considerations

    Data Quality Management

    Effective Data Governance

    Data-Centric Integration Strategy

    Extensible Data Warehousing

    • Prevention is ten times cheaper than remediation. Stop fixing data quality with band-aid solutions and start fixing at the source of the problem.
    • Data quality is unique to each business unit and requires tolerance, not perfection. If the data allows the business to operate at the desired level, don’t waste time fixing data that may not need to be fixed.
    • Implement a set of data quality initiatives that are aligned with overall business objectives and aimed at addressing data practices and the data itself.
    • Develop a prioritized data quality improvement project roadmap and long-term improvement strategy.
    • Build related practices with more confidence and less risk after achieving an appropriate level of data quality.
    • Data governance enables data-driven insight. Think of governance as a structure for making better use of data.
    • Collaboration is critical. The business may own the data, but IT understands the data. Data governance will not work unless the business and IT work together.
    • Data governance powers the organization up the data value chain through policies and procedures, master data management, data quality, and data architecture.
    • Create a roadmap to prioritize initiatives and delineate responsibilities among data stewards, data owners, and the data governance steering committee.
    • Ensure buy-in from business and IT stakeholders. Communicate initiatives to end users and executives to reduce resistance.
    • Every enterprise application involves data integration. Any change in the application and database ecosystem requires you to solve a data integration problem.
    • Data integration is becoming more and more critical for downstream functions of data management and for business operations to be successful. Poor integration holds back these critical functions.
    • Build your data integration practice with a firm foundation in governance and a reference architecture. Ensure that your process is scalable and sustainable.
    • Support the flow of data through the organization and meet the organization’s requirements for data latency, availability, and relevancy.
    • Data availability must be frequently reviewed and repositioned to continue to grow with the business.
    • A data warehouse is a project, but successful data warehousing is a program. An effective data warehouse requires planning beyond the technology implementation.
    • Governance, not technology, needs to be the core support system for enabling a data warehouse program.
    • Leverage an approach that focuses on constructing a data warehouse foundation that can address a combination of operational, tactical, and ad hoc business needs.
    • Invest time and effort to put together pre-project governance to inform and guide your data warehouse implementation.
    • Select the most suitable architecture pattern to ensure the data warehouse is “built right” at the very beginning.

    Restore Trust in Your Data Using a Business-Aligned Data Quality Management Approach

    Establish Data Governance

    Build a Data Integration Strategy

    Build an Extensible Data Warehouse Foundation

    Data Optimization

    Organizations are faced with challenges associated with changing data landscapes.

    Data migrations should not be taken lightly. It requires an overall data governance to assure data integrity for the move to S/4HANA and beyond.

    Have a solid plan before engaging S/4HANA Migration Cockpit.

    Develop a Master Data Management Strategy and Roadmap

    • Master data management (MDM) is complex in practice and requires investments in governance, technology, and planning.
    • Develop a MDM strategy and initiative roadmap using Info-Tech’s MDM framework, which takes data governance, architecture, and other critical data capabilities into consideration.

    Establish Data Governance

    • Ensure your data governance program delivers measurable business value by aligning the associated data governance initiatives with the business architecture.
    • Data governance must continuously align with the organization’s enterprise governance function. It should not be perceived as a pet project of IT but rather as an enterprise-wide, business-driven initiative.
    The image contains a screenshot of the S/4HANA Migration Cockpit.

    3.2.5 Discover data optimization opportunities

    1-2 hours

    1. Use your APA or user satisfaction survey to understand issues related to data.
      Note: Data issues happen for a number of reasons:
    • Poor underlying data in the system
    • More than one source of truth
    • Inability to consolidate data
    • Inability to measure KPIs effectively
    • Reporting that is cumbersome or non-existent
  • List underperforming capabilities related to data.
  • Answer the following:
    1. What are some underlying issues?
    2. Is there an opportunity for data improvement?
    3. What are some optimization initiatives that could be undertaken in this area?

    Record this information in the Get the Most Out of Your SAP Workbook.

    Download the Get the Most Out of Your SAP Workbook

    SAP cost savings

    SAP cost savings does not have to be complicated.

    Look for quick wins:

    • Evaluate user licensing:
      • Ensure you are not double paying for employees or paying for employees who are no longer with the organization.
      • Verify user activity – if users are accessing the system very infrequently it does not make sense to license them as full users.
      • Audit your user classifications – ensure title positions and associated licenses are up to date.
    • Curb data sprawl.
    • Consolidate applications.

    30-35% of SAP customers likely have underutilized assets. This can add up to millions in unused software and maintenance.

    -Riley et al.

    20% Only 20 percent of companies manage to capture more than half the projected benefits from ERP systems.

    -McKinsey
    The image contains a screenshot of the Explore the Secrets of SAP Software Contracts to Optimize Spend and Reduce Compliance Risk.

    Explore the Secrets of SAP Software Contracts to Optimize Spend and Reduce Compliance Risk

    The image contains a screenshot of Secrets of SAP S/4HANA Licensing.

    Secrets of SAP S/4HANA Licensing

    License Optimization

    With the relatively slow uptake of the S/4HANA platform, the pressure is immense for SAP to maintain revenue growth.

    SAP’s definitions and licensing rules are complex and vague, making it extremely difficult to purchase with confidence while remaining compliant.

    Without having a holistic negotiation strategy, it is easy to hit a common obstacle and land into SAP’s playbook, requiring further spend.

    Price Benchmarking & Negotiation

    • Use price benchmarking and negotiation intelligence to secure a market-competitive price.
    • Understand negotiation tactics that can be used to better your deal.

    Secrets of SAP S/4HANA Licensing:

    • Build a business case to evaluate S/4HANA.
    • Understand the S/4HANA roadmap and map current functionality to ensure compatibility.

    SAP’s 2025 Support End of Life Date Delayed…As Predicted Here First

    • The math simply did not add up for SAP.
    • Extended support post 2027 is a mixed bag.

    3.2.6 Discover SAP cost-saving opportunities

    1-2 hours

    1. Use tab 1.5 “Current Costs” as an input for this exercise.
    2. Look for opportunities to cut SAP costs, both quick-wins and long-term strategy.
    3. Review Info-Tech’s SAP vendor management resources to understand cost-saving strategies:
    4. List cost-savings initiatives and opportunities.

    Record this information in the Get the Most Out of Your SAP Workbook.

    Download the Get the Most Out of Your SAP Workbook

    Other optimization opportunities

    There are many opportunities to improve your SAP portfolio. Choose the ones that are right for your business:

    • Artificial intelligence (AI) (and management of the AI lifecycle)
    • Machine learning (ML)
    • Augment business interactions
    • Automatically execute sales pipelines
    • Process mining
    • SAP application monitoring
    • Be aware of the SAP product roadmap
    • Implement and take advantage of SAP tools and product offerings

    Phase 4

    Build Your Optimization Roadmap

    Phase 1

    Phase 2

    Phase 3

    Phase 4

    1.1 Identify Stakeholders and Build Your Optimization Team

    1.2 Build an SAP Strategy Model

    1.3 Inventory Current System State

    1.4 Define Optimization Timeframe

    1.5 Understand SAP Costs

    2.1 Assess SAP Capabilities

    2.2 Review Your Satisfaction With the Vendor/Product and Willingness for Change

    3.1 Prioritize Optimization Opportunities

    3.2 Discover Optimization Initiatives

    4.1 Build Your Optimization Roadmap

    This phase will walk you through the following activities:

    • Review the different options to solve the identified pain points
    • Build out a roadmap showing how you will get to those solutions
    • Build a communication plan that includes the stakeholder presentation

    This phase involves the following participants:

    • Primary stakeholders in each value stream supported by the ERP
    • ERP applications support team

    Get the Most Out of Your SAP

    Step 4.1

    4.1 Build Your Optimization Roadmap

    Activities

    4.1.1 Pick your path

    4.1.2 Pick the right SAP migration path

    4.1.3 Build a roadmap

    4.1.4 Build a visual roadmap

    This step will walk you through the following activities:

    • Review the different options to solve the identified pain points then build out a roadmap of how to get to that solution.

    This step involves the following participants:

    • Primary stakeholders in each value stream supported by the ERP
    • ERP applications support team

    Outcomes of this step

    • A strategic direction is set
    • An initial roadmap is laid out

    Choose the right path for your organization

    There are several different paths you can take to achieve your ideal future state. Make sure to pick the one that suits your needs as defined by your current state.

    The image contains a diagram to demonstrate the different paths that can be taken. The pathways are: Optimize current system, augment current system, consolidate current systems, upgrade system, and replace system.

    Explore the options for achieving your ideal future state

    CURRENT STATE

    STRATEGY

    There is significant evidence of poor user satisfaction, inefficient processes, lack of data usage, poor integrations, and little vendor management. Look for opportunities to improve the system.

    OPTIMIZE CURRENT SYSTEM

    Your existing application is, for the most part, functionally rich but may need some tweaking. Spend time and effort building and enhancing additional functionalities or consolidating and integrating interfaces.

    AUGMENT CURRENT SYSTEM

    Your ERP application portfolio consists of multiple apps serving the same functions. Consolidating applications with duplicate functionality is more cost efficient and makes integration and data sharing simpler.

    CONSOLIDATE CURRENT SYSTEMS

    The current system is reaching end of life and the software vendor offers a fit-for-use upgrade or system to which you can migrate. Prepare your migration strategy to move forward on the product roadmap.

    UPGRADE SYSTEM

    The current SAP system and future SAP roadmap are not fit for use. Vendor satisfaction is at an all-time low. Revisit your ERP strategy as you move into requirements gathering and selection.

    REPLACE SYSTEM

    Option: Optimize your current system

    Look for process, workflow, data usage, and vendor relation improvements.

    MAINTAIN CURRENT SYSTEM

    Keep the system but look for optimization opportunities.

    Your existing application portfolio satisfies both functionality and integration requirements. The processes surrounding it likely need attention, but the system should be considered for retention.

    Maintaining your current system entails adjusting current processes and/or adding new ones and involves minimal cost, time, and effort.

    INDICATORS

    POTENTIAL SOLUTIONS

    People

    • User satisfaction is in the mid-range
    • There is an opportunity to rectify problems
    • Contact vendor to inquire about employee training opportunities
    • Build a change management strategy

    Process

    • Processes are old and have not been optimized
    • There are many manual processes and workarounds
    • Low process maturity or undocumented inconsistent processes
    • Explore process reengineering and process improvement opportunities
    • Evaluate and standardize processes

    Technology

    • No major capability gaps
    • Supported for 5+ years
    • Explore opportunities outside of the core technology including workflows, integrations, and reporting

    Alternative 1: Optimize your current system

    MAINTAIN CURRENT SYSTEM

    • Keep your SAP system running
    • Invest in resolving current challenges
    • Automate manual processes where appropriate
    • Improve/modify current system
    • Evaluate current system against requirements/processes
    • Reimplement functionality

    Alternative Overview

    Initial Investment ($)

    Medium

    Risk

    Medium

    Change Management Required

    Medium

    Operating Costs ($)

    Low

    Alignment With Organizational Goals and ERP Strategy

    Medium-Low

    Key Considerations

    • Now that I know my needs, where is the current system underused?
    • Do we have specialized needs?
    • Which functions can best enable the business?

    Advantages

    • Less cost investment than upgrading or replacing the system
    • Less technology risk
    • The current system has several optimization initiatives that can be implemented
    • Familiarity with the system; IT and business users know the system well
    • Least amount of changes
    • Integrations will be able to be maintained and will mean less complexity
    • Will allow us to leverage current investments and build on our current confidence in the solution
    • Allow us to review processes and engineer some workflow and process improvements

    Disadvantages

    • The system may need some augmentation to handle some improvement areas
    • Build some items from scratch
    • Less user-friendly
    • Need to reimplement and reconfigure some modules
    • Lots of workarounds – more staff needed to support current processes
    • Increase customization (additional IT development investment)
    • System gaps would remain
    • System feels “hard” to use
    • Workarounds still needed
    • Hard to overcome “negative” experience with the current system
    • Some functional gaps will remain
    • Less system development and support from the vendor as the product ages.
    • May become a liability and risk area in the future

    For what time frame does this make sense?

    Short Term

    Medium Term

    Long Term

    Option: Augment your current system

    Use augmentation to resolve your existing technology and data pain points.

    AUGMENT CURRENT SYSTEM

    Add to the system.

    Your existing application is for the most part functionally rich but may need some tweaking. Spend time and effort enhancing your current system.

    You will be able to add functions by leveraging existing system features. Augmentation requires limited investment and less time and effort than a full system replacement.

    INDICATORS

    POTENTIAL SOLUTIONS

    Technology Pain Points

    • Lack of reporting functions
    • Lacking functional depth in key process areas
    • Add point solutions or enable modules to address missing functionality

    Data Pain Points

    • Poor data quality
    • Lack of data for processing and reporting
    • Single-source data entry
    • Add modules or augment processes to capture data

    Alternative 2: Augment current solution

    AUGMENT CURRENT SYSTEM

    Maintain core system.

    Invest in SAP modules or extended functionality.

    Add functionality with bolt-on targeted “best of breed” solutions.

    Invest in tools to make the SAP portfolio and ecosystem work better.

    Alternative Overview

    Initial Investment ($)

    High

    Risk

    High

    Change Management

    High

    Operating Costs ($)

    High

    Alignment With Organizational Goals and ERP Strategy

    High

    Key Considerations

    • Now that I know my needs, where is the current system underused?
    • Do we have specialized needs?
    • Which functions can best enable the business?

    Advantages

    • Meet specific business needs – right solution for each component
    • Well-aligned to specific business needs
    • Higher morale – best solution with improved user interface
    • Allows you to find the right solution for the unique needs of the organization
    • Allows you to incorporate a light change management strategy that can include training for the end users and IT
    • Incorporate best practice processes
    • Leverage out-of-the-box functionality

    Disadvantages

    • Multiple technological solutions
    • Lots of integrations
    • Out-of-sync upgrades
    • Extra costs – potential less negotiation leverage
    • Multiple solutions to support
    • Multiple vendors
    • Less control over upgrades – including timing (potential out of sync)
    • More training – multiple products, multiple interfaces
    • Confusion – which system to use when
    • Need more HR specialization
    • More complexity in reporting
    • More alignment with JDE E1 information

    For what time frame does this make sense?

    Short Term

    Medium Term

    Long Term

    Option: Consolidate systems

    Consolidate and integrate your current systems to address your technology and data pain points.

    CONSOLIDATE AND INTEGRATE SYSTEMS

    Get rid of one system, combine two, or connect many.

    Your ERP application portfolio consists of multiple apps serving the same functions.

    Consolidating your systems eliminates the need to manage multiple pieces of software that provide duplicate functionality. Reducing the number of ERP applications makes integration and data sharing simpler.

    INDICATORS

    POTENTIAL SOLUTIONS

    Technology Pain Points

    • Disparate and disjointed systems
    • Multiple systems supporting the same function
    • Unused software licenses
    • System consolidation
    • System and module integration
    • Assess usage and consolidate licensing

    Data Pain Points

    • Multiple versions of same data
    • Duplication of data entry in different modules or systems
    • Poor data quality
    • Centralize core records
    • Assign data ownership
    • Single-source data entry

    Alternative 3: Consolidate systems

    AUGMENT CURRENT SYSTEM

    Get rid of old disparate on-premise solutions.

    Consolidate into an up-to-date ERP solution.

    Standardize across the organization.

    Alternative Overview

    Initial Investment ($)

    High

    Risk

    Med

    Change Management

    Med

    Operating Costs ($)

    Med

    Alignment With Organizational Goals and ERP Strategy

    High

    Key Considerations

    • Now that I know my needs, where is the current system underused?
    • Do we have specialized needs?
    • Which functions can best enable the business?

    Advantages

    • Aligns the technology across the organization
    • Streamlining of processes
    • Opportunity for decreased costs
    • Easier to maintain
    • Modernizes the SAP portfolio
    • Easier to facilitate training
    • Incorporate best practice processes
    • Leverage out-of-the-box functionality

    Disadvantages

    • Unique needs of some business units may not be addressed
    • Will require change management and training
    • Deeper investment in SAP

    For what time frame does this make sense?

    Short Term

    Medium Term

    Long Term

    Option: Upgrade System

    Upgrade your system to address gaps in your existing processes and various pain points.

    REPLACE CURRENT SYSTEM

    Move to a new SAP solution

    You’re transitioning from an end-of-life legacy system. Your existing system offers poor functionality and poor integration. It would likely be more cost- and time-efficient to replace the application and its surrounding processes altogether. You are satisfied with SAP overall and want to continue to leverage your SAP relationships and investments.

    INDICATORS

    POTENTIAL SOLUTIONS

    Technology Pain Points

    • Obsolete or end-of-life technology portfolio
    • Lack of functionality and poor integration
    • Not aligned with technology direction or enterprise architecture plans
    • Evaluate the ERP technology landscape
    • Determine if you need to replace the current system with a point solution or an all-in-one solution
    • Align ERP technologies with enterprise architecture

    Data Pain Points

    • Limited capability to store and retrieve data
    • Understand your data requirements

    Process Pains

    • Insufficient tools to manage workflow
    • Review end-to-end processes
    • Assess user satisfaction

    Alternative 4: Upgrade System

    UPGRADE SYSTEM

    Upgrade your current SAP systems with SAP product replacements.

    Invest in SAP with the appropriate migration path for your organization.

    Alternative Overview

    Initial Investment ($)

    High

    Risk

    Med

    Change Management

    Med

    Operating Costs ($)

    Med

    Alignment With Organizational Goals and ERP Strategy

    High

    Key Considerations

    • Now that I know my needs, where is the current system underused?
    • Do we have specialized needs?
    • Which functions can best enable the business?

    Advantages

    • Aligns the technology across the organization
    • Opportunity for business transformation
    • Allows you to leverage your SAP and SI relationships
    • Modernizes your ERP portfolio
    • May offer you advantages around business transformation and process improvement
    • Opportunity for new hosting options
    • May offer additional opportunities for consolidation or business enablement

    Disadvantages

    • Big initiative
    • Costly
    • Adds business risk during ERP upgrade
    • May require a high amount of change management
    • Organization will have to build resources to support the replacement and ongoing support of the new product
    • Training will be required across business and IT
    • Integrations with other applications may need to be rebuilt

    For what time frame does this make sense?

    Short Term

    Medium Term

    Long Term

    Option: Replace your current system

    Replace your system to address gaps in your existing processes and various pain points.

    REPLACE CURRENT SYSTEM

    Start from scratch.

    You’re transitioning from an end-of-life legacy system. Your existing system offers poor functionality and poor integration. It would likely be more cost and time efficient to replace the application and its surrounding processes all together.

    INDICATORS

    POTENTIAL SOLUTIONS

    Technology Pain Points

    • Lack of functionality and poor integration
    • Obsolete technology
    • Not aligned with technology direction or enterprise architecture plans
    • Dissatisfaction with SAP and SI
    • Evaluate the ERP technology landscape
    • Determine if you need to replace the current system with a point solution or an all-in-one solution
    • Align ERP technologies with enterprise architecture

    Data Pain Points

    • Limited capability to store and retrieve data
    • Understand your data requirements

    Process Pains

    • Insufficient tools to manage workflow
    • Review end-to-end processes
    • Assess user satisfaction

    Alternative 5: Replace SAP with another ERP solution

    AUGMENT CURRENT SYSTEM

    Get rid of old disparate on-premises solutions.

    Consolidate into an up-to-date ERP solution.

    Standardize across the organization.

    Alternative Overview

    Initial Investment ($)

    High

    Risk

    Med

    Change Management

    Med

    Operating Costs ($)

    Med

    Alignment With Organizational Goals and ERP Strategy

    High

    Key Considerations

    • Do we have the appetite to walk away from SAP?
    • What opportunities are we looking for?
    • Are other ERP solutions better for our business?

    Advantages

    • Allows you to explore ERP options outside of SAP
    • Aligns the technology across the organization
    • Opportunity for business transformation
    • Allows you to move away from SAP
    • Modernizes your ERP portfolio
    • May offer you advantages around business transformation and process improvement
    • Opportunity for new hosting options
    • May offer additional opportunities for consolidation or business enablement

    Disadvantages

    • Big initiative
    • Costly
    • Adds business risk during ERP replacement
    • Relationships will have to be rebuilt with ERP vendor and SIs
    • May require a high amount of change management
    • Organization will have to build resources to support the replacement and ongoing support of the new product
    • Training will be required across business and IT
    • Integrations with other applications may need to be rebuilt

    For what time frame does this make sense?

    Short Term

    Medium Term

    Long Term

    Activity 4.1.1: Pick your path

    1.5 hours

    For each given path selected, identify:

    • Advantage
    • Disadvantages
    • Initial Investment ($)
    • Risk
    • Change Management
    • Operating Costs ($)
    • Alignment With ERP Objectives
    • Key Considerations
    • Timeframe

    Record this information in the Get the Most Out of Your SAP Workbook.

    The image contains a screenshot of activity 4.1.1 pick your path.

    Download the Get the Most Out of Your SAP Workbook

    Pick the right SAP migration path for your organization

    There are three S/4HANA paths you can take to achieve your ideal future state. Make sure to pick the one that suits your needs as defined by your current state and meets your overall long-term roadmap.

    The image contains a diagram of the pathways that can be take from current state to future state. The options are: BEST PRACTICE QUICK WIN
(Public Cloud), AUGMENT BEST PRACTICE (Private Cloud), OWN FULL SOLUTION (On Premise)

    SAP S/4 HANA offerings can be confusing

    The image contains a screenshot that demonstrates the SAP S/4 Offerings.

    What is the cloud, how is it deployed, and how is service provided?

    The image contains a screenshot from the National Institute of Standards and Technology that describes the Cloud Characteristics, Service Model, and Delivery Model.

    A workload-first approach will allow you to take full advantage of the cloud’s strengths

    • Under all but the most exceptional circumstances good cloud strategies will incorporate different service models. Very few organizations are “IaaS shops” or “SaaS shops,” even if they lean heavily in a one direction.
    • These different service models (including non-cloud options like colocation and on-premises infrastructure) each have different strengths. Part of your cloud strategy should involve determining which of the services makes the most sense for you.
    • Own the cloud by understanding which cloud (or non-cloud!) offering makes the most sense for you, given your unique context.

    See Info-Tech’s Define Your Cloud Vision for more information.

    Cloud service models

    • This research focuses on five key service models, each of which has its own strengths and weaknesses. Moving right from “on-prem” customers gradually give up more control over their environments to cloud service providers.
    • An entirely premises-based environment means that the customer is responsible for everything ranging from the dirt under the datacenter to application-level configurations. Conversely, in a SaaS environment, the provider is responsible for everything but those top-level application configurations.
    • A managed service provider or other third-party can manage any or of the components of the infrastructure stack. A service provider may, for example, build a SaaS solution on top of another provider’s IaaS or offer configuration assistance with a commercially available SaaS.

    Info-Tech Insight

    Not all workloads fit well in the cloud. Many environments will mix service models (e.g. SaaS for some workloads, some in IaaS, some on-premises) and this can be perfectly effective. It must be consistent and intentional, however.

    The image contains a screenshot of cloud service models: On-prem, CoLo, laaS, PaaS, and SaaS

    Option: Best Practice Quick Win

    S/4HANA Cloud, Essentials

    Updates

    4 times a year

    License Model

    Subscription

    Server Platform

    SAP

    Platform Management

    SAP only

    Pre-Set Templates (industries)

    Not allowed

    Single vs. Multi-Tenant

    Multi-client

    Maintenance ALM Tool

    SAP ALM

    New Implementation

    This is a public cloud solution for new clients adopting SAP that are mostly looking for full functionality within best practice.

    Consider a full greenfield approach. Even for mid-size existing customers looking for a best-practice overhaul.

    Functionality is kept to the core. Any specialties or unique needs would be outside the core.

    Regional localization is still being expanded and must be evaluated early if you are a global company.

    Option: Augment Best Practice

    S/4HANA Cloud, Extended Edition

    Updates

    Every 1-2 years or up to client’s schedule

    License Model

    Subscription

    Server Platform

    AZURE, AWS, Google

    Platform Management

    SAP only

    Pre-Set Templates (industries)

    Coded separately

    Single vs. Multi-Tenant

    Single tenant

    Maintenance ALM Tool

    SAP ALM or SAP Solution Manager

    New Implementation With Client Specifics

    No longer available to new customers from January 25, 2022, though available for renewals.

    Replacement is called SAP Extended Services for SAP S/4HANA Cloud, private edition.

    This offering is a grey area, and the extended offerings are being defined.

    New S/4HANA Cloud extensibility is being offered to early adopters, allowing for customization within a separate system landscape (DTP) and aiming for an SAP Central Business Configuration solution for the cloud. A way of fine-tuning to meet customer-specific needs.

    Option: Augment Best Practice (Cont.)

    S/4HANA Cloud, Private Edition

    Updates

    Every 1-5 years or up to client’s schedule

    License Model

    Subscription

    Server Platform

    AZURE, AWS, Google

    Platform Management

    SAP only

    Pre-Set Templates (industries)

    Allowed

    Single vs. Multi-Tenant

    Single tenant

    Maintenance ALM Tool

    SAP ALM or SAP Solution Manager

    New Implementation With Client Specifics

    This is a private cloud solution for existing or new customers needing more uniqueness, though still looking to adopt best practice.

    Still considered a new implementation with data migration requirements that need close attention.

    This offering is trying to move clients to the S/4HANA Cloud with close competition with the Any Premise product offering. Providing client specific scalability while allowing for standardization in the cloud and growth in the digital strategy. All customizations and ABAP functionality must be revisited or revamped to fit standardization.

    Option: Own Full Solution

    S/4HANA Any Premise

    Updates

    Client decides

    License Model

    Perpetual or subscription

    Server Platform

    AZURE, AWS, Google, partner's or own server room

    Platform Management

    Client and/or partner

    Pre-Set Templates (industries)

    Allowed

    Single vs. Multi-Tenant

    Single tenant

    Maintenance ALM Tool

    SAP Solution Manager

    Status Quo Migration to S/4HANA

    This is for clients looking for a quick transition to S/4HANA with minimal risks and without immediate changes to their operations.

    Though knowing the direction with SAP is toward its cloud solution, this may be a long costly path to getting the that end state.

    The Any Premise version carries over existing critical ABAP functionalities, and the SAP GUI can remain as the user interface.

    Activity 4.1.2 (Optional) Evaluate optimization initiatives

    1 hour

    1. If there is an opportunity to optimize the current SAP environment or prepare for the move to a new platform, continue with this step.
    2. Valuate your optimization initiatives from tab 3.2 “Optimization Initiatives.”

    Consider: relevance to achieving goals, number of users, importance to role, satisfaction with features, usability, data quality

    Value Opportunities: increase revenue, decrease costs, enhanced services, reach customers

    Additional Factors:

    • Current to Future Risk Profile
    • Number of Departments to Benefit
    • Importance to Stakeholder Relations
    • Resources: Do we have resources available and the skillset?
    • Cost
    • Overall Effort Rating
    • "Gut Check: Is it achievable? Have we done it or something similar before? Are we willing to invest in it?"

    Prioritize

    • Relative priority
    • Determine if this will be included in your optimization roadmap
    • Decision to proceed
    • Next steps

    Record this information in the Get the Most Out of Your SAP Workbook.

    Download the Get the Most Out of Your SAP Workbook

    Activity 4.1.3 Roadmap building blocks: SAP migration

    1 hour

    Migration paths: Determine your migration path and next steps using the Activity 4.1.1 “SAP System Options.”

    1. Identify initiatives and next steps.
    2. For each item on your roadmap, assign an owner who will be accountable to the completion of the roadmap item.
    3. Wherever possible, assign a start date, month, or quarter. The more specific you can be the better.
    4. Identify completion dates to create a sense of urgency. If you are struggling with start dates, it can help to start with a finish date and “back in” to a start date based on estimated efforts.
    5. Include periphery tasks such as communication strategy.

    Record this information in the Get the Most Out of Your SAP Workbook.

    Note: Your roadmap should be treated as a living document that is updated and shared with the stakeholders on a regular schedule.

    The image contains a diagram of the pathways that can be take from current state to future state. The options are: BEST PRACTICE QUICK WIN
(Public Cloud), AUGMENT BEST PRACTICE (Private Cloud), OWN FULL SOLUTION (On Premise)

    Download the Get the Most Out of Your SAP Workbook

    Activity 4.1.4 Roadmap building blocks: SAP optimization

    1 hour

    Optimization initiatives: Determine which if any to proceed with.

    1. Identify initiatives.
    2. For each item on your roadmap, assign an owner who will be accountable to the completion of the roadmap item.
    3. Wherever possible, assign a start date, month, or quarter. The more specific you can be the better.
    4. Identify completion dates to create a sense of urgency. If you are struggling with start dates, it can help to start with a finish date and “back in” to a start date based on estimated efforts.
    5. Include periphery tasks such as communication strategy.

    Record this information in the Get the Most Out of Your SAP Workbook.

    Note: Your roadmap should be treated as a living document that is updated and shared with the stakeholders on a regular schedule.

    The image contains a screenshot of activity 4.1.4 SAP optimization.

    Download the Get the Most Out of Your SAP Workbook

    SAP optimization roadmap

    Initiative

    Owner

    Start Date

    Completion Date

    Create final workshop deliverable

    Info-Tech

    16 September 2021

    Review final deliverable

    Workshop sponsor

    Present to executive team

    October 2021

    Build business case

    CFO, CIO, Directors

    3 weeks to build

    3-4 weeks process time

    Build an RFI for initial costings

    1-2 weeks

    Stage 1 approval for requirements gathering

    Executive committee

    Milestone

    Determine and acquire BA support for next step

    1 week

    Requirements gathering – level 2 processes

    Project team

    1 week

    Build RFP (based on informal approval)

    CFO, CIO, Directors

    4th calendar quarter 2022

    Possible completion: January 2023

    2-4 weeks

    Data strategy optimization

    The image contains a graph to demonstrate the data strategy optimization.

    Activity 4.1.5 (Optional) Build a visual SAP roadmap

    1 hour

    1. For some, a visual representation of a roadmap is easier to comprehend. Consider taking the roadmap built in 4.1.4 and creating a visual.
    2. Record this information in the Get the Most Out of Your SAP Workbook.

      The image contains a screenshot of activity 4.1.5 build a visual SAP roadmap.

    Download the Get the Most Out of Your SAP Workbook

    SAP strategy roadmap

    The image contains a screenshot of the SAP strategy roadmap.

    Implementations Partners

    • Able to consult, migrate, implement, and manage the SAP S/4HANA business suite across industries.
    • Able to transform the enterprise’s core business system to achieve the desired outcome.
    • Capable in strategic planning, building business cases, developing roadmaps, cost and time analysis, deployment model (on-prem, cloud, hybrid model), database conversion, database and operational support, and maintenance services.

    Info-Tech Insight

    It is becoming a common practice for implementation partners to engage in a two- to three-month Discovery Phase or Phase 0 to prepare an implementation roadmap. It is important to understand how this effort is tied to the overall service agreement.

    The image contains several logos of the implementation partners: Atos, Accenture, Cognizant, EY, Infosys, Tech Mahindra, LTI, Capgemini, Wipro, IBM, tos.

    Summary of Accomplishment

    Get the Most Out of Your SAP

    ERP technology is critical to facilitating an organization’s flow of information across business units. It allows for seamless integration of systems and creates a holistic view of the enterprise to support decision making. ERP implementation should not be a one-and-done exercise. There needs to be an ongoing optimization to enable business processes and optimal organizational results.

    Get the Most Out of Your SAP allows organizations to proactively implement continuous assessment and optimization of their enterprise resource planning system, including:

    • Alignment and prioritization of key business and technology drivers.
    • Identification of processes, including classification and gap analysis.
    • Measurement of user satisfaction across key departments.
    • Improved vendor relations.
    • Data quality initiatives.

    This formal SAP optimization initiative will drive business-IT alignment, identify IT automation priorities, and dig deep into continuous process improvement.

    If you would like additional support, have our analysts guide you through other phases as part of an Info-Tech workshop.

    Contact your account representative for more information.

    workshops@infotech.com

    1-888-670-8889

    Research Contributors

    The image contains a picture of Ben Dickie.

    Ben Dickie

    Research Practice Lead

    Info-Tech Research Group

    Ben Dickie is a Research Practice Lead at Info-Tech Research Group. His areas of expertise include customer experience management, CRM platforms, and digital marketing. He has also led projects pertaining to enterprise collaboration and unified communications.

    The image contains a picture of Scott Bickley.

    Scott Bickley

    Practice Lead and Principal Research Director

    Info-Tech Research Group

    Scott Bickley is a Practice Lead and Principal Research Director at Info-Tech Research Group focused on vendor management and contract review. He also has experience in the areas of IT asset management (ITAM), software asset management (SAM), and technology procurement along with a deep background in operations, engineering, and quality systems management.

    The image contains a picture of Andy Neil.

    Andy Neil

    Practice Lead, Applications

    Info-Tech Research Group

    Andy is a Senior Research Director, Data Management and BI, at Info-Tech Research Group. He has over 15 years of experience in managing technical teams, information architecture, data modeling, and enterprise data strategy. He is an expert in enterprise data architecture, data integration, data standards, data strategy, big data, and the development of industry standard data models.

    Bibliography

    Armel, Kate. "New Article: Data-Driven Estimation, Management Lead to High Quality." QSM: Quantitative Software Management, 14 May 2013. Accessed 4 Feb. 2021.

    Enterprise Resource Planning. McKinsey, n.d. Accessed 13 Apr. 2022.

    Epizitone, Ayogeboh. Info-Tech Interview, 10 May 2021.

    Epizitone, Ayogeboh, and Oludayo O. Olugbara. “Principal Component Analysis on Morphological Variability of Critical Success Factors for Enterprise Resource Planning.” International Journal of Advanced Computer Science and Applications (IJACSA), vol. 11, no. 5, 2020. Web.

    Gheorghiu, Gabriel. "The ERP Buyer’s Profile for Growing Companies." Selecthub, 2018. Accessed 21 Feb. 2021.

    Karlsson, Johan. "Product Backlog Grooming Examples and Best Practices." Perforce, 18 May 2018. Accessed 4 Feb. 2021.

    Lichtenwalter, Jim. “A look back at 2021 and a look ahead to 2022.” ASUG, 23 Jan. 2022. Web.

    “Maximizing the Emotional Economy: Behavioral Economics." Gallup, n.d. Accessed 21 Feb. 2021.

    Mell, Peter, and Timothy Grance. “The NIST Definition of Cloud Computing.” National Institute of Standards and Technology. Sept. 2011. Web.

    Norelus, Ernese, Sreeni Pamidala, and Oliver Senti. "An Approach to Application Modernization: Discovery and Assessment Phase," Medium, 24 Feb 2020. Accessed 21 Feb. 2021.

    “Process Frameworks." APQC, n.d. Accessed 21 Feb. 2021.

    “Quarterly number of SAP S/4HANA subscribers worldwide, from 2015 to 2021.” Statista, n.d. Accessed 13 Apr. 2022.

    Riley, L., C.Hanna, and M. Tucciarone. “Rightsizing SAP in these unprecedented times.” Upperedge, 19 May 2020.

    Rubin, Kenneth S. Essential Scrum: A Practical Guide to the Most Popular Agile Process. Pearson Education, 2012.

    “SAP S/4HANA Product Scorecard Report.” SoftwareReviews, n.d. Accessed 18 Apr. 2022.

    Saxena, Deepak, and Joe Mcdonagh. "Evaluating ERP Implementations: The Case for a Lifecycle-based Interpretive Approach." The Electronic Journal of Information Systems Evaluation, vol. 22, no. 1, 2019, pp. 29-37. Accessed 21 Feb. 2021.

    Smith, Anthony. "How To Create A Customer-Obsessed Company Like Netflix." Forbes, 12 Dec. 2017. Accessed 21 Feb. 2021.

    Make the Case for Legacy Application Modernization

    • Buy Link or Shortcode: {j2store}613|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Selection & Implementation
    • Parent Category Link: /selection-and-implementation
    • Organizations are under continual pressure to deliver faster, with shorter time-to-market, while introducing new products and services at the same time.
    • You and your team have concerns that your existing portfolio of applications is not up to the task.
    • While you understand the need for more investments to modernize your portfolio, your leadership does not appreciate what is required.

    Our Advice

    Critical Insight

    • Legacy modernization is a process, not a single event.
    • Your modernization approach requires you to understand your landscape and decide on a path that minimizes business continuity risks, keeps the investments under control, and is prepared for surprises but always has your final state in mind.

    Impact and Result

    • Evaluate the current state, develop a legacy application strategy, and execute in an agile manner.
    • When coupled with a business case and communications strategy, this approach gives the organization a clear decision-making framework that will maximize business outcomes and deliver value where needed.

    Make the Case for Legacy Application Modernization Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Make the Case for Legacy Application Modernization Storyboard – Understand legacy application modernization in the context of your organization, assess your landscape of applications, and define prioritization and disposition.

    This blueprint provides the steps necessary to build your own enterprise application implementation playbook that can be deployed and leveraged by your implementation teams.

    • Make the Case for Legacy Application Modernization Storyboard

    2. Make the Case for Legacy Application Modernization Presentation Template – The key output from leveraging this research is a presentation to pitch the modernization process.

    Build a proposal deck to make the case for legacy application modernization for your stakeholders. This will contain a definition of what a legacy application is in the context of your organization, a list of candidate applications to modernize, and a disposition strategy for each selected application.

    • Make the Case for Legacy Application Modernization Presentation Template
    [infographic]

    Further reading

    Make the Case for Legacy Application Modernization

    Revamp your business potential to improve agility, security, and user experience while reducing costs.

    Analyst Perspective

    An old application may have served us reliably, but it can prevent us from pursuing future business needs.

    Legacy systems remain well-embedded in the fabric of many organizations' application portfolios. They were often custom-built to meet the needs of the business. Typically, these are core tools that the business leverages to accomplish its goals.

    A legacy application becomes something we need to address when it no longer supports our business goals, is no longer supportable, bears an unsustainable ownership cost, or poses a threat to the organization's cybersecurity or compliance.

    When approaching your legacy application strategy, you must navigate a complex web of business, stakeholder, software, hardware, resourcing, and financial decisions. To complicate matters, the full scope of required effort is not immediately clear. Years of development are embedded in these legacy applications, which must be uncovered and dealt with appropriately.

    IT leaders require a proactive approach for evaluating the current state, developing a legacy application strategy, and executing in an agile manner. When coupled with a business case and communications strategy, the organization will have a clear decision-making framework that will maximize business outcomes and deliver value where needed.

    Ricardo de Oliveira, Research Director, Enterprise Applications

    Ricardo de Oliveira
    Research Director, Enterprise Applications
    Info-Tech Research Group

    Executive Summary

    Your Challenge Common Obstacles Info-Tech's Approach
    • Organizations face continual pressure to decrease time-to-market while also introducing new products and services.
    • You and your team have concerns that the existing application portfolio is not up to the task.
    • While you may understand the need for greater investment to modernize your portfolio, leadership does not appreciate what is required.
    • For well-established organizations, applications can have a long lifespan. Employees who are used to existing tools and processes often resist change.
    • Modernization plans can be substantial, but budget and resources are limited.
    • Poor documentation of legacy applications can make it challenging to know what to modernize and how to do it effectively.
    • There are concerns that any changes will have material impacts on business continuity.
    • Info-Tech will enable you to build a proposal deck to make the case for legacy application modernization for your stakeholders. This will assist with:
      • Defining what a legacy application is in the context of your organization.
      • Creating a list of candidate applications for modernization.
      • Articulating the right disposition strategy for each selected applications.
      • Laying out what is next on your modernization journey.

    Info-Tech Insight
    Legacy modernization is a process, not a single event. Your modernization approach requires you to understand your landscape and decide on a path that minimizes business continuity risks, keeps investments under control, and is prepared for surprises but always has your final state in mind.

    An approach to making the case for legacy application modernization

    Understand
    Assess the challenges, lay out the reasons, define your legacy, and prepare to remove the barriers to modernization.
    Assess
    Determine the benefits by business capability. Leverage APM foundations to select the candidate applications and prioritize.
    Legacy Application Modernization
    Define
    Use the prioritized application list to drive the next steps to modernization.

    Legacy application modernization is perceived as necessary to remain competitive

    The 2022 State CIO Survey by NASCIO shows that legacy application modernization jumped from fifth to second in state CIO priorities.

    "Be patient and also impatient. Patient because all states have a lot of legacy tech they are inheriting and government is NOT easy. But also, impatient because there is a lot to do - make your priorities clear but also find out what the CIO needs to accomplish those priorities."

    Source: NASCIO, 2022

    State CIO Priorities

    US government agencies feel pressured to deal with legacy applications

    In fiscal year 2021, the US government planned to spend over $100 billion on information technology. Most of that was to be used to operate and maintain existing systems, including legacy applications, which can be both more expensive to maintain and more vulnerable to hackers. The Government Accountability Office (GAO) identified:

    • 10 critical federal IT legacy systems
    • In operation between 8 and 51 years
    • Collectively cost $337 million per year to operate and maintain

    Source: U.S. Government Accountability Office, 2021

    Example: In banking, modern platforms are essential

    Increasing competition from fintech 73% of financial services executives perceive retail banking as being the most susceptible to fintech disruption (PwC, 2016)
    Growing number of neo-banks The International Monetary Fund (IMF) notes the fast growth of fintech in financial services is creating systemic risk to global financial stability (IMF, 2022)
    Access to data and advanced analytics Estimated global bank revenue lost due to poor data is 15% to 25% (MIT, 2017)
    Shifting client expectations/demographics 50% of Gen X, millennials, and Gen Z use a digital bank to provide their primary checking account (Finextra, 2022)
    Generational transfer of wealth It is estimated that up to US$68 trillion in wealth will be transferred from baby boomers (Forbes, 2021)

    Case Study

    Delta takes off with a modernized blend of mainframes and cloud

    INDUSTRY: Transportation
    SOURCE: CIO Magazine, 2023

    Challenge
    The airline has hundreds of applications in the process of moving to the cloud, but most main capabilities are underpinned by workloads on the mainframe and will remain so for the foreseeable future.
    Some of those workloads include travel reservation systems and crew scheduling systems - mission-critical, 24/7 applications that are never turned off.
    Solution
    Delta has shifted to a hybrid architecture, with a customer experience transformation that makes the most of the cloud's agility and the mainframe's dependability.
    Delta's foray into the cloud began about two years ago as the pandemic brought travel to a virtual halt. The airline started migrating many front-end and distributed applications to the cloud while retaining traditional back-end workloads on the mainframe.
    Results
    Hybrid infrastructures are expected to remain in complex industries such as airlines and banking, where high availability and maximum reliability are non-negotiable.
    While some CIOs are sharpening their mainframe exit strategies by opting for a steep journey to the cloud, mainframes remain ideal for certain workloads.

    Phase 1: Make the Case for Legacy Application Modernization

    Phase 1
    1.1 Understand your challenges
    1.2 Define legacy applications
    1.3 Assess your barriers
    1.4 Find the impacted capabilities
    1.5 Define candidate applications
    1.6 Now, Next, Later

    This phase will walk you through the following activities:

    • Understand your challenges with modernization
    • Define legacy applications in your context
    • Assess your barriers to modernization
    • Find the impacted capabilities and their benefits
    • Define candidate applications and dispositions

    This phase involves the following participants:

    • Application group leaders
    • Individual application owners

    Make the Case for Enterprise Business Analysis

    • Buy Link or Shortcode: {j2store}509|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Requirements & Design
    • Parent Category Link: /requirements-and-design
    • It can be difficult to secure alignment between the many lines of business, IT included, in your organization.
    • Historically, we have drawn a dividing line between IT and "the business.”
    • The reality of organizational politics and stakeholder bias means that, with selection and prioritization, sometimes the highest value option is dismissed to make way for the loudest voice’s option.

    Our Advice

    Critical Insight

    • Enterprise business analysis can help you stop the debate between IT and “the business,” as it sees everyone as part of the business. It can effectively break down silos, support the development of holistic strategies to address internal and external risks, and remove the bias and politics in decision making all too common in organizations.
    • The business analyst is the only role that can connect the strategic with the tactical, the systems, and the operations and do so objectively. It is the one source to show how people, process, and technology connect and relate, and the most skilled can remove bias and politics from their lens of view.
    • Maturity can’t be rushed. Build your enterprise business analysis program on a solid foundation of leading and consistent business analysis practices to secure buy-in and have a program that is sustainable in the long term.

    Impact and Result

    Let’s make the case for enterprise business analysis!

    • Organizations that have higher business analysis maturity and deploy enterprise analysis deliver better quality outcomes, with higher value, lower cost, and higher user satisfaction.
    • Business analysts should be contributing at the strategic level, as they need to understand multiple horizons simultaneously and be able to zoom in and out as the context calls for it. Business analysts aren’t only for projects.

    Make the Case for Enterprise Business Analysis Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Make the Case for Enterprise Business Analysis Storyboard – Take your business analysis from tactics to strategy.

    • Make the Case for Enterprise Business Analysis Storyboard

    2. Communicate the Case for Enterprise Business Analysis Template – Make the case for enterprise business analysis.

    • Communicate the Case for Enterprise Business Analysis
    [infographic]

    Further reading

    Make the Case for Enterprise Business Analysis

    Putting the strategic and tactical puzzle together.

    Analyst Perspective

    We commonly recognize the value of effective business analysis at a project or tactical level. A good business analysis professional can support the business by identifying its needs and recommending solutions to address them.
    Now, wouldn't it be great if we could do the same thing at a higher level?
    Enterprise (or strategic) business analysis is all about seeing that bigger picture, an approach that makes any business analysis professional a highly valuable contributor to their organization. It focuses on the enterprise, not a specific project or line of business.
    Leading the business analysis effort at an enterprise level ensures that your business is not only doing things right, but also doing the right things; aligned with the strategic vision of your organization to improve the way decisions are made, options are analyzed, and successful results are realized.

    Vincent Mirabelli

    Vincent Mirabelli
    Principal Research Director, Applications Delivery and Management
    Info-Tech Research Group

    Executive Summary

    Your Challenge

    • Difficulty properly aligning between the many lines of business in your organization.
    • Historically, we have drawn a dividing line between IT and the business.
    • The reality of organizational politics and stakeholder bias means that, with selection and prioritization, sometimes the highest value option is dismissed in favor of the loudest voice.

    Common Obstacles

    • Difficulty aligning an ever-changing backlog of projects, products, and services while simultaneously managing risks, external threats, and stakeholder expectations.
    • Many organizations have never heard of enterprise business analysis and only see the importance of business analysts at the project and delivery level.
    • Business analysis professionals rarely do enough to advocate for a seat at the strategic tables in their organizations.

    Info-Tech's Approach

    Let's make the case for enterprise business analysis!

    • Organizations that have higher business analysis maturity and deploy enterprise business analysis deliver better quality outcomes with higher value, lower cost, and higher user satisfaction.
    • Business analysts aren't only for projects. They should contribute at the strategic level, since they need to understand multiple horizons simultaneously and be able to zoom in and out as the context requires.

    Info-Tech Insight

    Enterprise business analysis can help you reframe the debate between IT and the business, since it sees everyone as part of the business. It can effectively break down silos, support the development of holistic strategies to address internal and external risks, and remove bias and politics from decision making.

    Phase 1

    Build the case for enterprise business analysis

    Phase 1

    Phase 2

    1.1 Define enterprise business analysis

    1.2 Identify your pains and opportunities

    2.1 Set your vision

    2.2 Define your roadmap and next steps

    2.3 Complete your executive communications deck

    This phase will walk you through the following activities:

    • 1.1.1 Discuss how business analysis is used in our organization
    • 1.1.2 Discuss your disconnects between strategy and tactics
    • 1.2.1 Identify your pains and opportunities

    This phase involves the following participants:

    • Business analyst(s)
    • Organizational business leaders
    • Any other relevant stakeholders

    How business analysis supports our success today

    Delivering value at the tactical level

    Effective business analysis helps guide an organization through improvements to processes, products, and services. Business analysts "straddle the line between IT and the business to help bridge the gap and improve efficiency" in an organization (CIO, 2019).
    They are most heavily involved in:

    • Defining needs
    • Modeling concepts, processes, and solutions
    • Conducting analysis
    • Maintaining and managing requirements
    • Managing stakeholders
    • Monitoring progress
    • Doing business analysis planning
    • Conducting elicitation

    In a survey, business analysts indicated that of their total working time, they spend 31% performing business analysis planning and 41% performing elicitation and analysis (PMI, 2017).

    By including a business analyst in a project, organizations benefit by:
    (IAG, 2009)

    87%

    Reduced time overspending

    75%

    Prevented budget overspending

    78%

    Reduction in missed functionality

    1.1.1 Discuss how business analysis is used in your organization

    15-30 minutes

    1. Gather the appropriate stakeholders to discuss their knowledge, experience, and perspectives on business analysis. This should relate to their experience and not a future or aspirational usage.
    2. Have a team member facilitate the session.
    3. Brainstorm and document all shared thoughts and perspectives.
    4. Synthesize those thoughts and perspectives and record the results for the group to review and discuss.
    5. Transfer the results to the Communicate the Case for Enterprise Business Analysis template

    Input

    • Stakeholder knowledge and experience

    Output

    • A shared understanding of how your organization leverages its business analysis function

    Materials

    • Whiteboard/Flip charts
    • Collaborative whiteboard
    • Communicate the Case for Enterprise Business Analysis template

    Participants

    • Business analyst(s)
    • Organizational business leaders
    • Any other relevant stakeholders

    Download the Communicate the Case for Enterprise Business Analysis template

    Executives and leadership are satisfied with IT when there is alignment between tactics and goals

    Info-Tech's CIO Business Vision Survey data highlights the importance of IT projects in supporting the business to achieve its strategic goals.

    However, Info-Tech's CEO-CIO Alignment Survey (N=124) data indicates that CEOs perceive IT as poorly aligned with the business' strategic goals.

    Info-Tech's CIO-CEO Alignment Diagnostics

    43%

    of CEOs believe that business goals are going unsupported by IT.

    60%

    of CEOs believe that IT must improve understanding of business goals.

    80%

    of CIOs/CEOs are misaligned on the target role of IT.

    30%

    of business stakeholders support their IT departments.

    Addressing problems solely with tactics does not always have the desired effect

    94%

    Source: "Out of the Crisis", Deming (via Harvard Business Review)

    According to famed management and quality thought leader and pioneer W. Edwards Deming, 94% of issues in the workplace are systemic cause significant organizational pain.

    Yet we continue to address them on the surface, rather than acknowledge how ingrained they are in our culture, systems, and processes.

    For example, we:

    • Create workarounds to address process and solution constraints
    • Expect that poor (or lack of ) leadership can be addressed in a course or seminar
    • Expect that "going Agile" will resolve our problems, and that decision making, governance, and organizational alignment will happen organically.

    Band-aid solutions rarely have the desired effect, particularly in the long-term.

    Our solutions should likewise focus on the systemic/macro environment. We can do this via projects, products and services, but those don't always address the larger issues.

    If we take the work our business analysis currently does in defining needs and solutions, and elevate this to the strategic level, the results can be impactful.

    Many organizations would benefit from enhancing their business analysis maturity

    The often-overlooked strategic value of the role comes with maturing your practices.

    Only 18% of organizations have mature (optimized or established) business analysis practices.

    With that higher level of maturity comes increased levels of capability, efficiency, and effectiveness in delivering value to people, processes, and technology. Through such efforts, they're better equipped and able to connect the strategy of their organization to the projects, processes, and products they deliver.

    They shift focus from "figuring business analysis out" to truly unleashing its potential, with business analysts contributing in strategic and tactical ways.

    an image showing the following data: Optimized- 5; Established- 13; Improving- 37; Starting- 25; Ad hoc- 21

    (Adapted from PMI, 2017)

    Info-Tech Insight

    Business analysts are best suited to connect the strategic with the tactical, the systems, and the operations. They maintain the most objective lens regarding how people, process, and technology connect and relate, and the most skilled of them can remove bias and politics from their perspective.

    1.1.2 Discuss your disconnects between strategy and tactics

    30-60 minutes

      1. Gather the appropriate stakeholders to discuss their knowledge, experience, and perspectives regarding failures that resulted from disconnects between strategy and tactics.
      2. Have a team member facilitate the session.
      3. Brainstorm and document all shared thoughts and perspectives.
      4. Synthesize those thoughts and perspectives and record the results.
      5. Transfer the results to the Communicate the Case for Enterprise Business Analysis template.

    Input

    • Stakeholder knowledge and experience

    Output

    • A shared understanding and list of failures due to disconnects between strategy and tactics

    Materials

    • Whiteboard/Flip charts
    • Collaborative whiteboard
    • Communicate the Case for Enterprise Business Analysis template

    Participants

    • Business analyst(s)
    • Organizational business leaders
    • Any other relevant stakeholders

    Download the Communicate the Case for Enterprise Business Analysis template

    Defining enterprise business analysis

    Terms may change, but the function remains the same.

    Enterprise business analysis (sometimes referred to as strategy analysis) "…focuses on defining the future and transition states needed to address the business need, and the work required is defined both by that need and the scope of the solution space. It covers strategic thinking in business analysis, as well as the discovery or imagining of possible solutions that will enable the enterprise to create greater value for stakeholders and/or capture more value for itself."
    (Source: "Business Analysis Body of Knowledge," v3)

    Define the function of enterprise business analysis

    This is a competitive advantage for mature organizations.

    Organizations with high-performing business analysis programs experience an enhanced alignment between strategy and operations. This contributes to improved organizational performance. We see this in financial (69% vs. 45%) and strategic performance (66% vs. 21%), also organizational agility (40% vs. 14%) and management of operational projects (62% vs. 29%). (PMI, 2017)

    When comparing enterprise with traditional business analysis, we see stark differences in the size and scope of their view, where they operate, and the role they play in organizational decision making.

    Enterprise Traditional
    Decision making Guides and influences Executes
    Time horizon 2-10 years 0-2 years
    Focus Strategy, connecting the strategic to the operational Operational, optimizing how business is done, and keeping the lights on
    Domain

    Whole organization

    Broader marketplace

    Only stakeholder lines of business relevant to the current project, product or service
    Organizational Level Executive/Leadership Project

    (Adapted from Schulich School of Business)

    Info-Tech Insight

    Maturity can't be rushed. Build your enterprise business analysis program on a solid foundation of leading and consistent business analysis practices to secure buy-in and have a program that is sustainable in the long term.

    An image showing the percentages of high- and low- maturity organizations, for the following categories: Financial performance; Strategy implementation; Organizational agility; Management of projects.

    (Adapted from PMI, 2017)

    How enterprise business analysis is used to improve organizations

    The biggest sources of project failure include:

    • Wrong (or poor) requirements
    • Unrealistic (or incomplete) business case
    • Lack of appropriate governance and oversight
    • Poor implementation
    • Poor benefits management
    • Environmental changes

    Source: MindTools.com, 2023.

    Enterprise business analysis addresses these sources and more.

    It brings a holistic view of the organization, improving collaboration and decision making across the many lines of business, effectively breaking down silos.

    In addition to ensuring we're doing the right things, not just doing things right in the form of improved requirements and more accurate business cases, or ensuring return on investment (ROI) and monitoring the broader landscape, enterprise business analysis also supports:

    • Reduced rework and waste
    • Understanding and improving operations
    • Making well-informed decisions through improved objectivity/reduced bias
    • Identifying new opportunities for growth and expansion
    • Identifying and mitigating risk
    • Eliminating projects and initiatives that do not support organizational goals or objectives
    • A career-pathing option for business analysts

    Identify your pains and opportunities

    There are many considerations in enterprise business analysis.

    Pains, gains, threats, and opportunities can come at your organization from anywhere. Be it a new product launch, an international expansion, or a new competitor, it can be challenging to keep up.

    This is where an enterprise business analyst can be the most helpful.

    By keeping a pulse on the external and internal environments, they can support growth, manage risks, and view your organization through multiple lenses and perspectives to get a single, complete picture.

    External

    Internal

    Identifying competitive forces

    In the global environment

    Organizational strengths and weaknesses

    • Monitoring and maintaining your competitive advantage.
    • Understanding trends, risks and threats in your business domain, and how they affect your organization.
    • Benchmarking performance against like and unlike organizations, to realize where you stand and set a baseline for continuous improvement and business development.
    • Leveraging tools and techniques to scan the broader landscape on an ongoing basis. Using PESTLE analysis, they can monitor the political, economic, social, technological, legal, and environmental factors that impact when, where, how, and with who you conduct your business and IT operations.
    • Supporting alignment between a portfolio or program of projects and initiatives.
    • Improving alignment between the various lines of business, who often lack full visibility outside of their silo, and can find themselves clashing over time, resources, and attention from leaders.
    • Improving solutions and outcomes through objective option selection.

    1.2.1 Identify your pains and opportunities

    30-60 minutes

    1. As a group, generate a list of the current pains and opportunities facing your organization. You can focus on a particular type (competitive, market, or internal) or leave it open. You can also focus on pains or opportunities separately, or simultaneously.
    2. Have a team member facilitate the session.
    3. Record the results for the group to review, discuss, and prioritize.
      1. Discuss the impact and likelihood of each item. This can be formally ranked and quantified if there is data to support the item or leveraging the wisdom of the group.
      2. Prioritize the top three to five items of each type, as agreed by the group, and document the results.
    4. Transfer the results to the Communicate the Case for Enterprise Business Analysis template.

    Download the Communicate the Case for Enterprise Business Analysis template

    Input

    • Attendee knowledge
    • Supporting data, if available

    Output

    • A list of identified organizational pains and opportunities that has been prioritized by the group

    Materials

    • Whiteboard/Flip charts
    • Collaborative whiteboard
    • Communicate the Case for Enterprise Business Analysis template

    Participants

    • Business analyst(s)
    • Organizational business leaders
    • Any other relevant stakeholders

    Phase 2

    Prepare the foundations for your enterprise business analysis program

    Phase 1

    Phase 2

    1.1 Define enterprise business analysis

    1.2 Identify your pains and opportunities

    2.1 Set your vision

    2.2 Define your roadmap and next steps

    2.3 Complete your executive communications deck

    This phase will walk you through the following activities:

    • 2.1.1 Define your vision and goals
    • 2.1.2 Identify your enterprise business analysis inventory
    • 2.2.1 Now, Next, Later

    This phase involves the following participants:

    • Business analyst(s)
    • Organizational business leaders
    • Any other relevant stakeholders

    Set your vision

    Your vision becomes your "north star," guiding your journey and decisions.

    When thinking about a vision statement for enterprise business analysis, think about:

    • Who are we doing this for? Who will benefit?
    • What do our business partners need? What do our customers need?
    • What value do we provide them? How can we best support them?
    • Why is this special/different from how we usually do business?

    Always remember: Your goal is not your vision!

    Not knowing the difference will prevent you from both dreaming big and achieving your dream.

    Your vision represents where you want to go. It's what you want to do.

    Your goals represent how you want to achieve your vision.

    • They are a key element of operationalizing your vision.
    • Your strategy, initiatives, and features will align with one or more goals.

    Info-Tech Best Practice

    Your vision shouldn't be so far out that it doesn't feel real, nor so short term that it gets bogged down in details. Finding balance will take some trial and error and will be different depending on your organization.

    2.1.1 Define your vision and goals

    1-2 hours

    1. Gather the appropriate stakeholders to discuss their vision for enterprise business analysis. It should address the questions used in framing your vision statement.
    2. Have a team member facilitate the session.
    3. Review your current organizational vision and goals.
    4. Discuss and document all shared thoughts and perspectives on how enterprise business analysis can align with the organizational vision.
    5. Synthesize those thoughts and perspectives to create a vision statement.
    6. Transfer the results to the Communicate the Case for Enterprise Business Analysis template.

    Download the Communicate the Case for Enterprise Business Analysis template

    Input

    • Stakeholder vision, knowledge, and experience
    • Current organizational vision and goals

    Output

    • A documented vision and goals for your enterprise business analysis program

    Materials

    • Whiteboard/Flip charts
    • Collaborative whiteboard
    • Communicate the Case for Enterprise Business Analysis template

    Participants

    • Business analyst(s)
    • Organizational business leaders
    • Any other relevant stakeholders

    Components of successful enterprise business analysis programs

    Ensure you're off to the best start by examining where you are and where you want to go.

    Training

    • Do the current team members have the right level of training?
    • Can we easily obtain training to close any gaps?

    Competencies and capabilities

    • Do our business analysts have the right skills, attributes, and behaviors to be successful?

    Structure and alignment

    • Would the organizational culture support enterprise business analysis (EBA)?
    • How might we structure the EBA unit to maximize effectiveness?
    • How can we best support the organization's goals and objectives?

    Methods and processes

    • How do we plan on managing the work to be done?
    • Can we define our processes and workflows?

    Tools, techniques, and templates

    • Do we have the most effective tools, techniques, and templates?

    Governance

    • How will we make decisions?
    • How will the program be managed?

    2.1.2 Identify your enterprise business analysis inventory

    30-60 minutes

    1. Gather the appropriate stakeholders to discuss the current business analysis assets, which could be leveraged for enterprise business analysis. This includes people, processes, and technologies which cover skills, knowledge, resources, experience, knowledge, and competencies. Focus on what the organization currently has, and not what it needs.
    2. Have a team member facilitate the session.
    3. Record the results for the group to review and discuss.
    4. Transfer the results to the Communicate the Case for Enterprise Business Analysis template.

    Download the Communicate the Case for Enterprise Business Analysis template

    Input

    • Your current business analysis assets and resources Stakeholder knowledge and experience

    Output

    • A list of assets and resources to enable enterprise business analysis

    Materials

    • Whiteboard/Flip charts
    • Collaborative whiteboard
    • Communicate the Case for Enterprise Business Analysis template

    Participants

    • Business analyst(s)
    • Organizational business leaders
    • Any other relevant stakeholders

    Define your roadmap and next steps

    What do we have? What do we need?

    From completing the enterprise business analysis inventory, you will have a comprehensive list of all available assets.

    The next question is, how can this be leveraged to start building for the future?

    To operationalize enterprise business analysis, consider:

    • What do we still need to do?
    • How important are the identified gaps? Can we still operate?
    • What decisions do we need to make?
    • What stakeholders do we need to involve? Have we engaged them all?

    Lay out your roadmap

    Taking steps to mature your enterprise business analysis practice.

    The Now, Next, Later technique is a method for prioritizing and planning improvements or tasks. This involves breaking down a list of tasks or improvements into three categories:

    • Now tasks are those that must be completed immediately. These tasks are usually urgent or critical, and they must be completed to keep the project or organization running smoothly.
    • Next tasks are those that should be completed soon. These tasks are not as critical as Now tasks, but they are still important and should be tackled relatively soon.
    • Later tasks are those that can be completed later. These tasks are less critical and can be deferred without causing major problems.

    By using this technique, you can prioritize and plan the most important tasks, while allowing the flexibility to adjust as necessary.

    This technique also helps clarify what must be done first vs. what can wait. This prioritizes the most important things while keeping track of what must be done next, maintaining a smooth development/improvement process.

    An image of the now - next - later roadmap technique.

    2.2.1 Now, Next, Later

    1-2 hours

    1. Use the list of items created in 2.1.2 (Identify your enterprise business analysis inventory). Add any you feel are missing during this exercise.
    2. Have a team member facilitate the session.
    3. In the Communicate the Case for Enterprise Business Analysis template, categorize these items according to Now, Next and Later, where:
      1. Now = Critically important items that may require little effort to complete. These must be done within the next six months.
      2. Next = Important items that may require more effort or depend on other factors. These must be done in six to twelve months.
      3. Later = Less important items that may require significant effort to complete. These must be done at some point within twelve months.

    Ultimately, the choice of priority and timing is yours. Recognize that items may change categories as new information arises.

    Download the Communicate the Case for Enterprise Business Analysis template

    Input

    • Your enterprise business analysis inventory and gaps
    • Stakeholder knowledge and experience

    Output

    • A prioritized list of items to enable enterprise business analysis

    Materials

    • Whiteboard/Flip charts
    • Collaborative whiteboard
    • Communicate the Case for Enterprise Business Analysis template

    Participants

    • Business analyst(s)
    • Organizational business leaders
    • Any other relevant stakeholders

    2.3 Complete your executive communication deck

    Use the results of your completed exercises to build your executive communication slide deck, to make the case for enterprise business analysis

    Slide Header Associated Exercise Rationale
    Pains and opportunities

    1.1.2 Discuss your disconnects between strategy and tactics

    1.2.1 Identify your pains and opportunities

    This helps build the case for enterprise business analysis (EBA), leveraging the existing pains felt in the organization. This will draw the connection for your stakeholders.
    Our vision and goals 2.1.1 Define your vision and goals Defines where you want to go and what effort will be required.
    What is enterprise business analysis

    1.1.1 How is BA being used in our organization today?
    Pre-populated supporting content

    Defines the discipline of EBA and how it can support and mature your organization.
    Expected benefits Pre-populated supporting content What's in it for us? This section helps answer that question. What benefits can we expect, and is this worth the investment of time and effort?
    Making this a reality 2.1.2 Identify your EBA inventory Identifies what the organization presently has that makes the effort easier. It doesn't feel as daunting if there are existing people, processes, and technologies in place and in use today.
    Next steps 2.2.1 Now, Next, Later A prioritized list of action items. This will demonstrate the work involved, but broken down over time, into smaller, more manageable pieces.

    Track metrics

    Track metrics throughout the project to keep stakeholders informed.

    As the project nears completion:

    1. You will have better-aligned and more satisfied stakeholders.
    2. You will see fewer projects and initiatives that don't align with the organizational goals and objectives.
    3. There will be a reduction in costs attributed to misaligned projects and initiatives (as mentioned in #2) and the opportunity to allocate valuable time and resources to other, higher-value work.
    Metric Description Target Improvement/Reduction
    Improved stakeholder satisfaction Lines of business and previously siloed departments/divisions will be more satisfied with time spent on solution involvement and outcomes. 10% year 1, 20% year 2
    Reduction in misaligned/non-priority project work Reduction in projects, products, and services with no clear alignment to organizational goals. With that, resource costs can be allocated to other, higher-value solutions. 10% year 1, 25% year 2
    Improved delivery agility/lead time With improved alignment comes reduced conflict and political infighting. As a result, the velocity of solution delivery will increase. 10%

    Bibliography

    Bossert, Oliver and Björn Münstermann. "Business's 'It's not my problem' IT problem." McKinsey Digital. 30 March, 2023.
    Brule, Glenn R. "The Lay of the Land: Enterprise Analysis." Modern Analyst.
    "Business Analysis: Leading Organizations to Better Outcomes." Project Management Institute (PMI), 2017
    Corporate Finance Institute. "Strategic Analysis." Updated 14 March 2023
    IAG Consulting. Business Analysis Benchmark Report, 2009.
    International Institute of Business Analysis. "A Guide to the Business Analysis Body of Knowledge" (BABOK Guide) version 3.
    Mirabelli, Vincent. "Business Analysis Foundations: Enterprise" LinkedIn Learning, February 2022.
    - - "Essential Techniques in Enterprise Analysis" LinkedIn Learning, September 2022.
    - - "The Essentials of Enterprise Analysis" Love the Process Academy. May 2020.
    - - "The Value of Enterprise Analysis." VincentMirabelli.com
    Praslova, Ludmila N. "Today's Most Critical Workplace Challenges Are About Systems." Harvard Business Review. 10 January 2023.
    Pratt, Mary K. and Sarah K. White. "What is a business analyst? A key role for business-IT efficiency." CIO. 17 April, 2019.
    Project Management Institute. "Business Analysis: Leading Organizations to Better Outcomes." October 2017.
    Sali, Sema. "The Importance of Strategic Business Analysis in Successful Project Outcomes." International Institute of Business Analysis. 26 May 2022.
    - - "What Does Enterprise Analysis Look Like? Objectives and Key Results." International Institute of Business Analysis. 02 June 2022.
    Shaker, Kareem. "Why do projects really fail?" Project Management Institute, PM Network. July 2010.
    "Strategic Analysis: Definition, Types and Benefits" Voxco. 25 February 2022.
    "The Difference Between Enterprise Analysis and Business Analysis." Schulich School of Business, Executive Education Center. 24 September 2018 (Updated June 2022)
    "Why Do Projects Fail: Learning How to Avoid Project Failure." MindTools.com. Accessed 24 April 2023.

    Initiate Your Service Management Program

    • Buy Link or Shortcode: {j2store}398|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Service Management
    • Parent Category Link: /service-management
    • IT organizations continue attempting to implement service management, often based on ITIL, with limited success and without visible value.
    • More than half of service management implementations have failed beyond simply implementing the service desk and the incident, change, and request management processes.
    • Organizational structure, goals, and cultural factors are not considered during service management implementation and improvement.
    • The business lacks engagement and understanding of service management.

    Our Advice

    Critical Insight

    • Service management is an organizational approach. Focus on producing successful and valuable services and service outcomes for the customers.
    • All areas of the organization are accountable for governing and executing service management. Ensure that you create a service management strategy that improves business outcomes and provides the value and quality expected.

    Impact and Result

    • Identified structure for how your service management model should be run and governed.
    • Identified forces that impact your ability to oversee and drive service management success.
    • Mitigation approach to restraining forces.

    Initiate Your Service Management Program Research & Tools

    Start here – read the Executive Brief

    Read this Executive Brief to understand why service management implementations often fail and why you should establish governance for service management.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Identify the level of oversight you need

    Use Info-Tech’s methodology to establish an effective service management program with proper oversight.

    • Service Management Program Initiation Plan
    [infographic]

    Network Segmentation

    • Buy Link or Shortcode: {j2store}503|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Network Management
    • Parent Category Link: /network-management
    • Many legacy networks were built for full connectivity and overlooked potential security ramifications.
    • Malware, ransomware, and bad actors are proliferating. It is not a matter of if you will be compromised but how can the damage be minimized.
    • Cyber insurance will detective control, not a preventative one. Prerequisite audits will look for appropriate segmentation.

    Our Advice

    Critical Insight

    • Lateral movement amplifies damage. Contain movement within the network through segmentation.
    • Good segmentation is a balance between security and manageability. If solutions are too complex, they won’t be updated or maintained.
    • Network services and users change over time, so must your segmentation strategy. Networks are not static; your segmentation must maintain pace.

    Impact and Result

    • Create a common understanding of what is to be built, for whom, and why.
    • Define what services will be offered and how they will be governed.
    • Understand which assets that you already have can jump start the project.

    Network Segmentation Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Network Segmentation Deck – A deck to help you minimize risk by controlling traffic flows within the network.

    Map out appropriate network segmentation to minimize risk in your network.

    • Network Segmentation Storyboard
    [infographic]

    Further reading

    Network Segmentation

    Protect your network by controlling the conversations within it.

    Executive Summary

    Info-Tech Insight

    Lateral movement amplifies damage

    From a security perspective, bad actors often use the tactic of “land and expand.” Once a network is breached, if east/west or lateral movement is not restricted, an attacker can spread quickly within a network from a small compromise.

    Good segmentation is a balance between security and manageability

    The ease of management in a network is usually inversely proportional to the amount of segmentation in that network. Highly segmented networks have a lot of potential complications and management overhead. In practice, this often leads to administrators being confused or implementing shortcuts that circumvent the very security that was intended with the segmentation in the first place.

    Network services and users change over time, so must your segmentation strategy

    Network segmentation projects should not be viewed as singular or “one and done.” Services and users on a network are constantly evolving; the network segmentation strategy must adapt with these changes. Be sure to monitor and audit segmentation deployments and change or update them as required to maintain a proper risk posture.

    Executive Summary

    Your Challenge

    Common Obstacles

    Info-Tech’s Approach

    Networks are meant to facilitate communication, and when devices on a network cannot communicate, it is generally seen as an issue. The simplest answer to this is to design flat, permissive networks. With the proliferation of malware, ransomware, and advanced persistent threats (ATPs) a flat or permissive network is an invitation for bad actors to deliver more damage at an increased pace.

    Cyber insurance may be viewed as a simpler mitigation than network reconfiguration or redesign, but this is not a preventative solution, and the audits done before policies are issued will flag flat networks as a concern.

    Network segmentation is not a “bolt on” fix. To properly implement a minimum viable product for segmentation you must, at a minimum:

    • Understand the endpoints and their appropriate traffic flows.
    • Understand the technologies available to implement segmentation.

    Implementing appropriate segmentation often involves elements of (if not a full) network redesign.

    To ensure the best results in a timely fashion, Info-Tech recommends a methodology that consists of:

    • Understand the network (or subset thereof) and prioritizing segmentation based on risk.
    • Align the appropriate segmentation methodology for each surfaced segment to be addressed.
    • Monitor the segmented environment for compliance and design efficacy, adding to and modifying existing as required.

    Info-Tech Insight

    The aim of networking is communication, but unfettered communication can be a liability. Appropriate segmentation in networks, blocking communications where they are not required or desired, restricts lateral movement within the network, allowing for better risk mitigation and management.

    Network segmentation

    Compartmentalization of risk:

    Segmentation is the practice of compartmentalizing network traffic for the purposes of mitigating or reducing risk. Segmentation methodologies can generally be grouped into three broad categories:

    1. Physical Segmentation

    The most common implementation of physical segmentation is to build parallel networks with separate hardware for each network segment. This is sometimes referred to as “air gapping.”

    2. Static Virtual Segmentation

    Static virtual segmentation is the configuration practice of using technologies such as virtual LANs (VLANs) to assign ports or connections statically to a network segment.

    3. Dynamic Virtual Segmentation

    Dynamic virtual segmentation assigns a connection to a network segment based on the device or user of the connection. This can be done through such means as software defined networking (SDN), 802.1x, or traffic inspection and profiling.

    Common triggers for network segmentation projects

    1. Remediate Audit Findings

    Many security audits (potentially required for or affecting premiums of cyber insurance) will highlight the potential issues of non-segmented networks.

    2. Protect Vulnerable Technology Assets

    Whether separating IT and OT or segmenting off IoT/IIoT devices, keeping vulnerable assets separated from potential attack vectors is good practice.

    3. Minimize Potential for Lateral Movement

    Any organization that has experienced a cyber attack will realize the value in segmenting the network to slow a bad actor’s movement through technology assets.

    How do you execute on network segmentation?

    The image contains a screenshot of the network segmentation process. The process includes: identify risk, design segmentation, and operate and optimize.

    Identify risks by understanding access across the network

    Gain visibility

    Create policy

    Prioritize change

    "Security, after all, is a risk business. As companies don't secure everything, everywhere, security resilience allows them to focus their security resources on the pieces of the business that add the most value to an organization, and ensure that value is protected."

    – Helen Patton,

    CISO, Cisco Security Business Group, qtd. In PR News, 2022

    Discover the data flows within the network. This should include all users on the network and the environments they are required to access as well as access across environments.

    Examine the discovered flows and define how they should be treated.

    Change takes time. Use a risk assessment to prioritize changes within the network architecture.

    Understand the network space

    A space is made up of both services and users.

    Before starting to consider segmentation solutions, define whether this exercise is aimed at addressing segmentation globally or at a local level. Not all use cases are global and many can be addressed locally.

    When examining a network space for potential segmentation we must include:

    • Services offered on the network
    • Users of the network

    To keep the space a consumable size, both of these areas should be approached in the abstract. To abstract, users and services should be logically grouped and generalized.

    Groupings in the users and services categories may be different across organizations, but the common thread will be to contain the amount of groupings to a manageable size.

    Service Groupings

    • Are the applications all components of a larger service or environment?
    • Do the applications serve data of a similar sensitivity?
    • Are there services that feed data and don’t interact with users (IoT, OT, sensors)?

    User Groupings

    • Do users have similar security profiles?
    • Do users use a similar set of applications?
    • Are users in the same area of your organization chart?
    • Have you considered access by external parties?

    Info-Tech Insight

    The more granular you are in the definition of the network space, the more granular you can be in your segmentation. The unfortunate corollary to this is that the difficulty of managing your end solution grows with the granularity of your segmentation.

    Create appropriate policy

    Understand which assets to protect and how.

    Context is key in your ability to create appropriate policy. Building on the definition of the network space that has been created, context in the form of the appropriateness of communications across the space and the vulnerabilities of items within the space can be layered on.

    To decide where and how segmentation might be appropriate, we must first examine the needs of communication on the network and their associated risk. Once defined, we can assess how permissive or restrictive we should be with that communication.

    The minimum viable product for this exercise is to define the communication channel possibilities, then designate each possibility as one of the following:

    • Permissive – we should freely allow this traffic
    • Restricted – we should allow some of the traffic and/or control it
    • Rejected – we should not allow this traffic

    Appropriate Communications

    • Should a particular group of users have access to a given service?
    • Are there external users involved in any grouping?

    Potential Vulnerabilities

    • Are the systems in question continually patched/updated?
    • Are the services exposed designed with the appropriate security?

    Prioritize the potential segmentation

    Use risk as a guide to prioritize segmentation.

    For most organizations, the primary reason for network segmentation is to improve security posture. It follows that the prioritization of initiatives and/or projects to implement segmentation should be based on risk.

    When examining risk, an organization needs to consider both:

    • Impact and likelihood of visibility risk in respect to any given asset, data, or user
    • The organization’s level of risk tolerance

    The assets or users that are associated with risk levels higher than the tolerance of the organization should be prioritized to be addressed.

    Service Risks

    • If this service was affected by an adverse event, what would the impact on the organization be?

    User Risks

    • Are the users in question FTEs as opposed to contractors or outsourced resources?
    • Is a particular user group more susceptible to compromise than others?

    Info-Tech Insight

    Be sure to keep this exercise relative so that a clear ranking occurs. If it turns out that everything is a priority, then nothing is a priority. When ranking things relative to others in the exercise, we ensure clear “winners” and “losers.”

    Assess risk and prioritize action

    1-3 hours

    1. Define a list of users and services that define the network space to be addressed. If the lists are too long, use an exercise like affinity diagramming to appropriately group them into a smaller subset.
    2. Create a matrix from the lists (put users and services along the rows and columns). In the intersecting points, label how the traffic should be treated (e.g. Permissive, Restricted, Rejected).
    3. Examine the matrix and assess the intersections for risk using the lens of impact and likelihood of an adverse event. Label the intersections for risk level with one of green (low impact/likelihood), yellow (medium impact/likelihood), or red (high impact/likelihood).
    4. Find commonalities within the medium/high areas and list the users or services as priorities to be addressed.
    Input Output
    • Network, application, and security documentation
    • A prioritized list of areas to address with segmentation
    Materials Participants
    • Whiteboard/Flip Charts

    OR

    • Excel spreadsheet
    • Network Team
    • Application Team
    • Security Team
    • Data Team

    Design segmentation

    Segmentation comes in many flavors; decide which is right for the specific circumstance.

    Methodology

    Access control

    "Learning to choose is hard. Learning to choose well is harder. And learning to choose well in a world of unlimited possibilities is harder still, perhaps too hard."

    ― Barry Schwartz, The Paradox of Choice: Why More Is Less

    What is the best method to segment the particular user group, service, or environment in question?

    How can data or user access move safely and securely between network segments?

    Decide on which methods work for your circumstances

    You always have options…

    There are multiple lenses to look through when making the decision of what the correct segmentation method might be for any given user group or service. A potential subset could include:

    • Effort to deploy
    • Cost of the solution
    • Skills required to operate
    • Granularity of the segmentation
    • Adaptability of the solution
    • Level of automation in the solution

    Info-Tech Insight

    Network segmentation within an organization is rarely a one-size-fits-all proposition. Be sure to look at each situation that has been identified to need segmentation and align it with an appropriate solution. The overall number of solutions deployed has to maintain a balance between that appropriateness and the effort to manage multiple environments.

    Framework to examine segmentation methods

    To assess we need to understand.

    To assess when technologies or methodologies are appropriate for a segmentation use case, we need to understand what those options are. We will be examining potential segmentation methods and concepts within the following framework:

    WHAT

    A description of the segmentation technology, method, or concept.

    WHY

    Why would this be used over other choices and/or in what circumstances?

    HOW

    A high-level overview of how this option could or would be deployed.

    Notional assessments will be displayed in a sidebar to give an idea of Effort, Cost, Skills, Granularity, Adaptability, and Automation.

    Implement

    Notional level of effort to implement on a standard network

    Cost

    Relative cost of implementing this segmentation strategy

    Maintain

    Notional level of time and skills needed to maintain

    Granularity

    How granular this type of segmentation is in general

    Adaptability

    The ability of the solution to be easily modified or changed

    Automation

    The level of automation inherent in the solution

    Air gap

    … And never the twain shall meet.

    – Rudyard Kipling, “The Ballad of East and West.”

    WHAT

    Air gapping is a strategy to protect portions of a network by segmenting those portions and running them on completely separate hardware from the primary network. In an air gap scenario, the segmented network cannot have connectivity to outside networks. This difference makes air gapping a very specific implementation of parallel networks (which are still segmented and run on separate hardware but can be connected through a control point).

    WHY

    Air gap is a traditional choice when environments need to be very secure. Examples where air gaps exist(ed) are:

    • Operational technology (OT) networks
    • Military networks
    • Critical infrastructure

    HOW

    Most networks are not overprovisioned to a level that physical segmentation can be done without purchasing new equipment. The major steps required for constructing an air gap include:

    • Design segmentation
    • Purchase and install new hardware
    • Cable to new hardware

    The image contains a screenshot that demonstrates pie graphs with the notional assessments: Effort, Cost, Skills, Granularity, and Automation.

    Info-Tech Insight

    An air gapped network is the ultimate in segmentation and security … as long as the network does not require connectivity. It is unfortunately rare in today’s world that a network will stand on its own without any need for external connectivity.

    VLAN

    Do what you can, with what you’ve got…

    – Theodore Roosevelt

    WHAT

    Virtual local area networks (VLANs) are a standard feature on today’s firewalls, routers, and manageable switches. This configuration option allows for network traffic to be segmented into separate virtual networks (broadcast domains) on existing hardware. This segmentation is done at layer 2 of the OSI model. All traffic will share the same hardware but be partitioned based on “tags” that the local device applies to the traffic. Because of these tags, traffic is handled separately at layer 2 of the OSI model, but traffic can pass between segments at layer 3 (e.g. IP layer).

    WHY

    VLANs are commonly used because most existing deployments already have the technology available without extra licensing. VLANs are also potentially used as foundational components in more complex segmentation strategies such as static or dynamic overlays.

    HOW

    VLANs allow for segmentation of a device at the port level. VLAN strategies are generally on a location level (e.g. most VLAN deployments are local to a site, though the same structure may be used among sites). To deploy VLANs you must:

    • Define VLAN segments
    • Assign ports appropriately

    The image contains a screenshot that demonstrates pie graphs with the notional assessments: Effort, Cost, Skills, Granularity, and Automation.

    Info-Tech Insight

    VLANs are tried and true segmentation workhorses. The fact that they are already included in modern manageable solutions means that there is very little reason to not have some level of segmentation within a network.

    Micro-segmentation

    Everyone is against micromanaging, but macro managing means you’re working on the big picture but don’t understand the details.

    – Henry Mintzberg

    WHAT

    Micro-segmentation is used to secure and control network traffic between workloads. This is a foundational technology when implementing zero trust or least-privileged access network designs. Segmentation is done at or directly adjacent to the workload (on the system or its direct network connectivity) through firewall or similar policy controls. The controls are set to only allow the network communication required to execute the workload and is limited to appropriate endpoints. This restrictive design restricts all traffic (including east-west) and reduces the attack surface.

    WHY

    Micro-segmentation is primarily used:

    • In server-to-server communication.
    • When lateral movement by bad actors is identified as a concern.

    HOW

    Micro-segmentation can be deployed at different places within the connectivity depending on the technologies used:

    • Workload/server (e.g. server firewall)
    • VM network overlay (e.g. VMware NSX)
    • Network port (e.g. ACL, firewall, ACI)
    • Cloud native (e.g. Azure Firewall)

    Info-Tech Insight

    Micro-segmentation is necessary in the data center to limit lateral movement. Just be sure to be thorough in defining required communication as this technology works on allowlists, not traditional blocklists.

    Static overlay

    Adaptability is key.

    – Marc Andreessen

    WHAT

    Static overlays are a form of virtual segmentation that allows multiple network segments to exist on the same device. Most of these solutions will also allow for these segments to expand across multiple devices or sites, creating overlay virtual networks on top of the existing physical networks. The static nature of the solution is because the ports that participate in the overlays are statically assigned and configured. Connectivity between devices and sites is done through encapsulation and may have a dynamic component of the control plane handled through routing protocols.

    WHY

    Static overlays are commonly deployed when the need is to segment different use cases or areas of the organization consistently across sites while allowing easy access within the segments between sites. This could be representative of segmenting a department like Finance or extending a layer 2 segment across data centers.

    HOW

    Static overlays are can segment and potentially extend a layer 2 or layer 3 network. These solutions could be executed with technologies such as:

    • VXLAN (Virtual eXtensible LAN)
    • MPLS (Multi Protocol Label Switching)
    • VRF (Virtual Routing & Forwarding)

    The image contains a screenshot that demonstrates pie graphs with the notional assessments: Effort, Cost, Skills, Granularity, and Automation.

    Info-Tech Insight

    Static overlays are commonly deployed by telecommunications providers when building out their service offerings due to the multitenancy requirements of the network.

    Dynamic overlay

    Never tell people how to do things. Tell them what to do and they will surprise you with their ingenuity.

    – George S. Patton

    WHAT

    A dynamic overlay segmentation solution has the ability to make security or traffic decisions based on policy. Rather than designing and hardcoding the network architecture, the policy is architected and the network makes decisions based on that policy. Differing levels of control exist in this space, but the underlying commonality is that the segmentation would be considered “software defined” (SDN).

    WHY

    Dynamic overlay solutions provide the most flexibility of the presented solutions. Some use cases such as BYOD or IoT devices may not be easily identified or controlled through static means. As a general rule of thumb, the less static the network is, the more dynamic your segmentation solution must be.

    HOW

    Policy is generally applied at the network ingress. When applying policy, which policy to be applied can be identified through different methodologies such as:

    • Authentication (e.g. 802.1x)
    • Device agents
    • Device profiling

    The image contains a screenshot that demonstrates pie graphs with the notional assessments: Effort, Cost, Skills, Granularity, and Automation.

    Info-Tech Insight

    Dynamic overlays allow for more flexibility through its policy-based configurations. These solutions can provide the highest value when positioned where we have less control of the points within a network (e.g. BYOD scenarios).

    Define how your segments will communicate

    No segment is an island…

    Network segmentation allows for protection of devices, users, or data through the act of separating the physical or virtual networks they are on. Counter to this protective stance, especially in today’s networks, these devices, users, or data tend to need to interact with each other outside of the neat lines we draw for them. Proper network segmentation has to allow for the transfer of assets between networks in a safe and secure manner.

    Info-Tech Insight

    The solutions used to facilitate the controlled communication between segments has to consider the friction to the users. If too much friction is introduced, people will try to find a way around the controls, potentially negating the security that is intended with the solution.

    Potential access methods

    A ship in harbor is safe, but that is not what ships are built for.

    – John A. Shedd

    Firewall

    Two-way controlled communication

    Firewalls are tried and true control points used to join networks. This solution will allow, at minimum, port-level control with some potential for deeper inspection and control beyond that.

    • Traditionally firewalls are sized to handle internet-bound (North-South) traffic. When being used between segments, (East-West) loads are usually much higher, necessitating a more powerful device.

    Jump Box

    A place between worlds

    Also sometimes referred to as a “Bastion Host,” a jump box is a special-purpose computer/server that has been hardened and resides on multiple segments of a network. Administrators or users can log into this box and use it to securely use the tools installed to act on other segments of the network.

    • Jump box security is of utmost importance. Special care should be taken in hardening, configuration, and application installed to ensure that users cannot use the box to tunnel or traverse between the segments outside of well-defined and controlled circumstances.

    Protocol Gateway

    Command-level control

    A protocol gateway is a specific and special subset of a firewall. Whereas a firewall is a security generalist, a protocol gateway is designed to understand and have rule-level control over the commands passing through it within defined protocols. This granularity, for example, allows for control and filtering to only allow defined OT commands to be passed to a secure SCADA network.

    • Protocol gateways are generally specific feature sets of a firewall and traditionally target OT network security as their core use case.

    Network Pump

    One-way data extraction

    A network pump is a concept designed to allow data to be transferred from a secure network to a less secure network while still protecting against covert channels such as using the ACK within a transfer to transmit data. A network pump will consist of trusted processes and schedulers that allow for data to pass but control channels to be sufficiently modified so as to not allow security concerns.

    • Network pumps would generally be deployed in the most security demanding of environments and are generally not “off the shelf” products.

    Operate and optimize

    Security is not static. Monitor and iterate on policies within the environment.

    Monitor

    Iterate

    Two in three businesses (68%) allow more employee data access than necessary.

    GetApp's 2022 Data Security Survey Report

    Are the segmentation efforts resulting in the expected traffic changes? Are there any anomalies that need investigation?

    Using the output from the monitoring stage, refine and optimize the design by iterating on the process.

    Monitor for efficacy, compliance, and the unknown

    Monitor to ensure your intended results and to identify new potential risks.

    Monitoring network segments

    A combination of passive and active monitoring is required to ensure that:

    • The rules that have been deployed are working as expected.
    • Appropriate proof of compliance is in place for auditing and insurance purposes.
    • Environments are being monitored for unexpected traffic.

    Active monitoring goes beyond the traditional gathering of information for alerts and dashboards and moves into the space of synthetic users and anomaly detection. Using these strategies helps to ensure that security is enforced appropriately and responses to issues are timely.

    "We discovered in our research that insider threats are not viewed as seriously as external threats, like a cyberattack. But when companies had an insider threat, in general, they were much more costly than external incidents. This was largely because the insider that is smart has the skills to hide the crime, for months, for years, sometimes forever."

    – Dr. Larry Ponemon, Chairman Ponemon Institute, at SecureWorld Boston

    Info-Tech Insight

    Using solutions like network detection and response (NDR) will allow for monitoring to take advantage of advanced analytical techniques like artificial intelligence (AI) and machine learning (ML). These technologies can help identify anomalies that a human might miss.

    Monitoring options

    It’s not what you look at that matters, it’s what you see.

    – Henry David Thoreau

    Traditional

    Monitor cumulative change in a variable

    Traditional network monitoring is a minimum viable product. With this solution variables can be monitored to give some level of validation that the segmentation solution is operating as expected. Potential areas to monitor include traffic volumes, access-list (ACL) matches, and firewall packet drops.

    • This is expected baseline monitoring. Without at least this level of visibility, it is hard to validate the solutions in place

    Rules Based

    Inspect traffic to find a match against a library of signatures

    Rules-based systems will monitor traffic against a library of signatures and alert on any matches. These solutions are good at identifying the “known” issues on the network. Examples of these systems include security incident and event management (SIEM) and intrusion detection/prevention systems (IDS/IPS).

    • These solutions are optimally used when there are known signatures to validate traffic against.
    • They can identify known attacks and breaches.

    Anomaly Detection

    Use computer intelligence to compare against baseline

    Anomaly detection systems are designed to baseline the network traffic then compare current traffic against that to find anomalies using technologies like Bayesian regression analysis or artificial intelligence and machine learning (AI/ML). This strategy can be useful in analyzing large volumes of traffic and identifying the “unknown unknowns.”

    • Computers can analyze large volumes of data much faster than a human. This allows these solutions to validate traffic in (near) real-time and alert on things that are out of the ordinary and would not be easily visible to a human.

    Synthetic Data

    Mimic potential traffic flows to monitor network reaction

    Rather than wait for a bad actor to find a hole in the defenses, synthetic data can be used to mimic real-world traffic to validate configuration and segmentation. This often takes the form of real user monitoring tools, penetration testing, or red teaming.

    • Active monitoring or testing allows a proactive stance as opposed to a reactive one.

    Gather feedback, assess the situation, and iterate

    Take input from operating the environment and use that to optimize the process and the outcome.

    Optimize through iteration

    Output from monitoring must be fed back into the process of maintaining and optimizing segmentation. Network segmentation should be viewed as an ongoing process as opposed to a singular structured project.

    Monitoring can and will highlight where and when the segmentation design is successful and when new traffic flows arise. If these inputs are not fed back through the process, designs will become stagnant and admins or users will attempt to find ways to circumvent solutions for ease of use.

    "I think it's very important to have a feedback loop, where you're constantly thinking about what you've done and how you could be doing it better. I think that's the single best piece of advice: constantly think about how you could be doing things better and questioning yourself."

    – Elon Musk, qtd. in Mashable, 2012

    Info-Tech Insight

    The network environment will not stay static; flows will change as often as required for the business to succeed. Take insights from monitoring the environment and integrate them into an iterative process that will maintain relevance and usability in your segmentation.

    Bibliography

    Andreessen, Marc. “Adaptability is key.” BrainyQuote, n.d.
    Barry Schwartz. The Paradox of Choice: Why More Is Less. Harper Perennial, 18 Jan. 2005.
    Capers, Zach. “GetApp’s 2022 Data Security Report—Seven Startling Statistics.” GetApp,
    19 Sept. 2022.
    Cisco Systems, Inc. “Cybersecurity resilience emerges as top priority as 62 percent of companies say security incidents impacted business operations.” PR Newswire, 6 Dec. 2022.
    “Dynamic Network Segmentation: A Must-Have for Digital Businesses in the Age of Zero Trust.” Forescout Whitepaper, 2021. Accessed Nov. 2022.
    Eaves, Johnothan. “Segmentation Strategy - An ISE Prescriptive Guide.” Cisco Community,
    26 Oct. 2020. Accessed Nov. 2022.
    Kambic, Dan, and Jason Fricke. “Network Segmentation: Concepts and Practices.” Carnegie Mellon University SEI Blog, 19 Oct. 2020. Accessed Nov. 2022.
    Kang, Myong H., et al. “A Network Pump.” IEEE Transactions on Software Engineering, vol. 22 no. 5, May 1996.
    Kipling, Rudyard. “The Ballad of East and West.” Ballads and Barrack-Room Ballads, 1892.
    Mintzberg, Henry. “Everyone is against micro managing but macro managing means you're working at the big picture but don't know the details.” AZ Quotes, n.d.
    Murphy, Greg. “A Reimagined Purdue Model For Industrial Security Is Possible.” Forbes Magazine, 18 Jan. 2022. Accessed Oct. 2022.
    Patton, George S. “Never tell people how to do things. Tell them what to do and they will surprise you with their ingenuity.” BrainyQuote, n.d.
    Ponemon, Larry. “We discovered in our research […].” SecureWorld Boston, n.d.
    Roosevelt, Theodore. “Do what you can, with what you've got, where you are.” Theodore Roosevelt Center, n.d.
    Sahoo, Narendra. “How Does Implementing Network Segmentation Benefit Businesses?” Vista Infosec Blog. April 2021. Accessed Nov. 2022.
    “Security Outcomes Report Volume 3.” Cisco Secure, Dec 2022.
    Shedd, John A. “A ship in harbor is safe, but that is not what ships are built for.” Salt from My Attic, 1928, via Quote Investigator, 9 Dec. 2023.
    Singleton, Camille, et al. “X-Force Threat Intelligence Index 2022” IBM, 17 Feb. 2022.
    Accessed Nov. 2022.
    Stone, Mark. “What is network segmentation? NS best practices, requirements explained.” AT&T Cyber Security, March 2021. Accessed Nov. 2022.
    “The State of Breach and Attack Simulation and the Need for Continuous Security Validation: A Study of US and UK Organizations.” Ponemon Institute, Nov. 2020. Accessed Nov. 2022.
    Thoreau, Henry David. “It’s not what you look at that matters, it’s what you see.” BrainyQuote, n.d.
    Ulanoff, Lance. “Elon Musk: Secrets of a Highly Effective Entrepreneur.” Mashable, 13 April 2012.
    “What Is Microsegmenation?” Palo Alto, Accessed Nov. 2022.
    “What is Network Segmentation? Introduction to Network Segmentation.” Sunny Valley Networks, n.d.

    Create an Architecture for AI

    • Buy Link or Shortcode: {j2store}344|cart{/j2store}
    • member rating overall impact (scale of 10): 9.0/10 Overall Impact
    • member rating average dollars saved: $604,999 Average $ Saved
    • member rating average days saved: 49 Average Days Saved
    • Parent Category Name: Data Management
    • Parent Category Link: /data-management

    This research is designed to help organizations who are facing these challenges:

    • Deliver on the AI promise within the organization.
    • Prioritize the demand for AI projects and govern the projects to prevent overloading resources.
    • Have sufficient data management capability.
    • Have clear metrics in place to measure progress and for decision making.

    AI requires a high level of maturity in all data management capabilities, and the greatest challenge the CIO or CDO faces is to mature these capabilities sufficiently to ensure AI success.

    Our Advice

    Critical Insight

    • Build your target state architecture from predefined best-practice building blocks.
    • Not all business use cases require AI to increase business capabilities.
    • Not all organizations are ready to embark on the AI journey.
    • Knowing the AI pattern that you will use will simplify architecture considerations.

    Impact and Result

    • This blueprint will assist organizations with the assessment, planning, building, and rollout of their AI initiatives.
      • Do not embark on an AI project with an immature data management practice. Embark on initiatives to fix problems before they cripple your AI projects.
      • Using architecture building blocks will speed up the architecture decision phase.
    • The success rate of AI initiatives is tightly coupled with data management capabilities and a sound architecture.

    Create an Architecture for AI Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to understand why you need an underlying architecture for AI, review Info-Tech's methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Assess business use cases for AI readiness

    Define business use cases where AI may bring value. Evaluate each use case to determine the company’s AI maturity in people, tools, and operations for delivering the correct data, model development, model deployment, and the management of models in the operational areas.

    • Create an Architecture for AI – Phase 1: Assess Business Use Cases for AI Readiness
    • AI Architecture Assessment and Project Planning Tool
    • AI Architecture Assessment and Project Planning Tool – Sample

    2. Design your target state

    Develop a target state architecture to allow the organization to effectively deliver in the promise of AI using architecture building blocks.

    • Create an Architecture for AI – Phase 2: Design Your Target State
    • AI Architecture Templates

    3. Define the AI architecture roadmap

    Compare current state with the target state to define architecture plateaus and build a delivery roadmap.

    • Create an Architecture for AI – Phase 3: Define the AI Architecture Roadmap
    [infographic]

    Workshop: Create an Architecture for AI

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Answer “Where To?”

    The Purpose

    Define business use cases where AI may add value and assess use case readiness.

    Key Benefits Achieved

    Know upfront if all required data resources are available in the required velocity, veracity, and variety to service the use case.

    Activities

    1.1 Review the business vision.

    1.2 Identify and classify business use cases.

    1.3 Assess company readiness for each use case.

    1.4 Review architectural principles and download and install Archi.

    Outputs

    List of identified AI use cases

    Assessment of each use case

    Data sources needed for each use case

    Archi installed

    2 Define the Required Architecture Building Blocks

    The Purpose

    Define architecture building blocks that can be used across use cases and data pipeline.

    Key Benefits Achieved

    The architectural building blocks ensure reuse of resources and form the foundation of a stepwise rollout.

    Activities

    2.1 ArchiMate modelling language overview.

    2.2 Architecture building block overview

    2.3 Identify architecture building blocks by use case.

    2.4 Define the target state architecture.

    Outputs

    A set of building blocks created in Archi

    Defined target state architecture using architecture building blocks

    3 Assess the Current State Architecture

    The Purpose

    Assess your current state architecture in the areas identified by the target state.

    Key Benefits Achieved

    Only evaluating the current state architecture that will influence your AI implementation.

    Activities

    3.1 Identify the current state capabilities as required by the target state.

    3.2 Assess your current state architecture.

    3.3 Define a roadmap and design implementation plateaus.

    Outputs

    Current state architecture documented in Archi

    Assessed current state using assessment tool

    A roadmap defined using plateaus as milestones

    4 Bridge the Gap and Create the Roadmap

    The Purpose

    Assess your current state against the target state and create a plan to bridge the gaps.

    Key Benefits Achieved

    Develop a roadmap that will deliver immediate results and ensure long-term durability.

    Activities

    4.1 Assess the gaps between current- and target-state capabilities.

    4.2 Brainstorm initiatives to address the gaps in capabilities

    4.3 Define architecture delivery plateaus.

    4.4 Define a roadmap with milestones.

    4.5 Sponsor check-in.

    Outputs

    Current to target state gap assessment

    Architecture roadmap divided into plateaus

    Contact Tymans Group

    We're here to get your IT performant and resilient

    We have the highest respect for your person. Tymans Group does not engage in predatory (our term) emailing practices. We contact you only with responses to your questions. Our company ethics insist on transparency and honesty.

    Continue reading

    Design an Enterprise Architecture Strategy

    • Buy Link or Shortcode: {j2store}580|cart{/j2store}
    • member rating overall impact (scale of 10): 9.4/10 Overall Impact
    • member rating average dollars saved: $63,181 Average $ Saved
    • member rating average days saved: 30 Average Days Saved
    • Parent Category Name: Strategy & Operating Model
    • Parent Category Link: /strategy-and-operating-model
    • The enterprise architecture (EA) team is constantly challenged to articulate the value of its function.
    • The CIO has asked the EA team to help articulate the business value the team brings.
    • Traceability from the business goals and vision to the EA contributions often does not exist.
    • Also, clients often struggle with complexity, priorities, and agile execution.

    Our Advice

    Critical Insight

    • EA can deliver many benefits to an organization. However, to increase the likelihood of success, the EA group needs to deliver value to the business and cannot be seen solely as IT.
    • Support from the organization is needed.
    • An EA strategy anchored in a value proposition will ensure that EA focuses on driving the most critical outcomes in support of the organization’s enterprise strategy.
    • As agility is not just for project execution, architects need to understand ways to deliver their guidance to influence project execution in real time, to enable the enterprise agility, and to enhance their responsiveness to changing conditions.

    Impact and Result

    • Create an EA value proposition based on enterprise needs that clearly articulates the expected contributions of the EA function.
    • Establish the EA fundamentals (vision and mission statement, goals and objectives, and principles) needed to position the EA function to deliver the promised value proposition.
    • Identify the services that EA has to provide to the organization to deliver on the promised value proposition.

    Design an Enterprise Architecture Strategy Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Design an Enterprise Architecture Strategy Deck – A guide to help you define services that your EA function will provide to the organization.

    Establish an effective EA function that will realize value for the organization with an EA strategy.

    • Design an Enterprise Architecture Strategy – Phases 1-4

    2. EA Function Strategy Template – A communication tool to secure the approval of the EA strategy from organizational stakeholders.

    Use this template to document the outputs of the EA strategy and to communicate the EA strategy for approval by stakeholders.

    • EA Function Strategy Template

    3. Stakeholder Power Map Template – A template to help visualize the importance of various stakeholders and their concerns.

    Identify and prioritize the stakeholders that are important to your IT strategy development effort.

    • Stakeholder Power Map Template

    4. PESTLE Analysis Template – A template to help you complete and document a PESTLE analysis.

    Use this template to analyze the effect of external factors on IT.

    • PESTLE Analysis Template

    5. EA Value Proposition Template – A template to communicate the value EA can provide to the organization.

    Use this template to create an EA value proposition that explicitly communicates to stakeholders how an EA function can contribute to addressing their needs.

    • EA Value Proposition Template

    6. EA Goals and Objectives Template – A template to identify the EA goals that support the identified promises of value from the EA value proposition.

    Use this template to help set goals for your EA function based on the EA value proposition and identify objectives to measure the progression towards those EA goals.

    • EA Goals and Objectives Template

    7. EA Principles Template – A template to identify the universal EA principles relevant to your organization.

    Use this template to define relevant universal EA principles and create new EA principles to guide and inform IT investment decisions.

    • EA Principles Template – EA Strategy

    8. EA Service Planning Tool – A template to identify the EA services your organization will provide to deliver on the EA value proposition.

    Use this template to identify the EA services relevant to your organization and then define how those services will be accessed.

    • EA Service Planning Tool
    [infographic]

    Workshop: Design an Enterprise Architecture Strategy

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Map the EA Contributions to Business Goals

    The Purpose

    Show an example of traceability.

    Key Benefits Achieved

    Members have a real-world example of traceability between business goals and EA contributions.

    Activities

    1.1 Start from the business goals of the organization.

    1.2 Document business and IT drivers.

    1.3 Identify EA contributions that help achieve the business goals.

    Outputs

    Business goals documented.

    Business and IT drivers documented.

    Identified EA contributions and traced them to business goals.

    2 Determine the Role of the Architect in the Agile Ceremonies of the Organization

    The Purpose

    Create an understanding about role of architect in Agile ceremonies.

    Key Benefits Achieved

    Understanding of the role of the EA architect in Agile ceremonies.

    Activities

    2.1 Document the Agile ceremony used in the organization (based on SAFe or other Agile approaches).

    2.2 Determine which ceremonies the system architect will participate in.

    2.3 Determine which ceremonies the solution architect will participate in.

    2.4 Determine which ceremonies the enterprise architect will participate in.

    2.5 Determine architect syncs, etc.

    Outputs

    Documented the Agile ceremonial used in the organization (based on SAFe or other Agile approaches).

    Determined which ceremonies the system architect will participate in.

    Determined which ceremonies the solution architect will participate in.

    Determined which ceremonies the enterprise architect will participate in.

    Determined architect syncs, etc.

    Further reading

    Design an Enterprise Architecture Strategy

    Develop a strategy that fits the organization’s maturity and remains adaptable to unforeseen future changes.

    EXECUTIVE BRIEF

    Build a right-size enterprise architecture strategy

    Enterprise Architecture Strategy

    Business & IT Strategy
    • Organizational Goals and Objectives
    • Business Drivers
    • Environment and Industry Trends
    • EA Capabilities and Services
    • Business Architecture
    • Data Architecture
    • Application Architecture
    • Integration Architecture
    • Innovation
    • Roles and Organizational Structure
    • Security Architecture
    • Technology Architecture
    • Integration Architecture
    • Insight and Knowledge
    • EA Operating Model
    Unlock the Value of Architecture
    • Increased Business and IT Alignment
    • Robust, Flexible, Scalable, Interoperable, Extensible and Reliable Solutions
    • Timely/Agile Service Delivery and Operations
    • Cost-Effective Solutions
    • Appropriate Risk Management to Address the Risk Appetite
    • Increased Competitive Advantage
    Current Environment
    • Business and IT Challenges
    • Opportunities
    • Enterprise Architecture Maturity

    Enterprise Architecture – Thought Model

    A thought model built around 'Enterprise Architecture', represented by a diagram on a cross-section of a ship which will be explained in the next slide. It begins with an arrow that says 'Organizational goals are the driving force and the ultimate goal' pointing to a bubble titled 'Organization' containing 'Analysis', 'Decisions', 'Actions'. An blue arrow on the right side with one '$' is labelled 'Iterations' and connects 'Organization' to 'Enterprise Architecture', 'Enterprise architecture creates new business value'. A green arrow on the left side with five '$' is labelled 'Goals' and connects back to 'Organization'. A the bottom, a bubble titled 'External forces, pressures, trends, data, etc.' has a blue arrow on the right side with one '$' connecting back to 'Enterprise Architecture'. Another blue arrow representing an output is labelled 'Outcomes' and originates from 'Enterprise Architecture'.

    Enterprise Architecture Capabilities

    A diagram on a cross-section of a ship representing 'Enterprise Architecture', including a row of process arrows beneath the ship pointing forward all labelled 'Agile iteration' and one airborne arrow above the stern pointing forward labelled 'Business Strategy'. Overlaid on the ship, starting at the back, are 'EA Strategy', 'EA Operating Model', 'Enterprise Principles, Methods, etc.', 'Foundational enterprise decisions: Business, Data/Apps, Technology, Integration, Security', 'Enterprise Reference Architecture', 'Goals, Value Chain, Capability, Business Processes', 'Enterprise Governance (e.g., Standard Mgmt.)', 'Domain Arch', 'Data & App Architecture', 'Security Architecture', 'Infrastructure: Cloud, Hybrid, etc.', at the very front is 'Implementation', and running along the bottom from back to front is 'Operations, Monitoring, and Continuous Improvement'.

    Analyst Perspective

    Enterprise architecture (EA) needs to be right-sized for the needs of the organization.

    Photo of Milena Litoiu, Principal/Senior Director, Enterprise Architecture, Info-Tech Research Group

    Enterprise architecture is NOT a one-size-fits-all endeavor. It needs to be right-sized to the needs of the organization.

    Enterprise architects are boots on the ground and part of the solution; in addition, they need to have a good understanding of the corporate strategy, vision, and goals and have a vested interest on the optimization of the outcomes for the enterprise. They also need to anticipate the moves ahead, to be able to determine future trends and how they will impact the enterprise.

    Milena Litoiu
    Principal/Senior Director, Enterprise Architecture
    Info-Tech Research Group

    Analyst Perspective

    EA provides business options based on a deep understanding of the organization.

    “Enterprise architects need to think about and consider different areas of expertise when formulating potential business options. By understanding the context, the puzzle pieces can combine to create a positive business outcome that aligns with the organization’s strategies. Sometimes there will be missing pieces; leveraging what you know to create an outline of the pieces and collaborating with others can provide a general direction.”

    Jean Bujold
    Senior Workshop Delivery Director
    Info-Tech Research Group

    “The role of enterprise architecture is to eliminate misalignment between the business and IT and create value for the organization.”

    Reddy Doddipalli
    Senior Workshop Director, Research
    Info-Tech Research Group

    “Every transformation journey is an opportunity to learn: ‘Tell me and I forget. Teach me and I remember. Involve me and I learn.’ Benjamin Franklin.”

    Graham Smith
    Senior Lead Enterprise Architect and Independent Consultant

    Develop an enterprise architecture strategy that:

    • Helps the organization make decisions that are hard to change in a complex environment.
    • Fits the current organization’s maturity and remains flexible and adaptable to unforeseen future changes.

    Executive Summary

    Your Challenge

    We need to make decisions today for an unknown future. Decisions are influenced by:

    • Changes in the environment you operate in.
    • Complexity of both the business and IT landscapes.
    • IT’s difficulty in keeping up with business demands and remaining agile.
    • Program/project delivery pressure and long-term planning needs.
    • Other internal and external factors affecting your enterprise.

    Common Obstacles

    Decisions are often made:

    • Without a clear understanding of the business goals.
    • Without a holistic understanding; sometimes in conflict with one another.
    • That hinder the continuity of the organization.
    • That prevent value optimization at the enterprise level.

    The more complex an organization, the more players involved, the more difficult it is to overcome these obstacles.

    Info-Tech’s Approach

    • Is a holistic, top-down approach, from the business goals all the way to implementation.
    • Has EA act as the canary in the coal mine. EA will identify and mitigate risks in the organization.
    • Enables EA to provide an essential service rather than be an isolated kingdom or an ivory tower.
    • Acknowledges that EA is a balancing act among competing demands.
    • Makes decisions using guiding principles and guardrails, to create a flexible architecture that can evolve and expand, enabling enterprise agility.

    Info-Tech Insight

    There is no “right architecture” for organizations of all sizes, maturities, and cultural contexts. The value of enterprise architecture can only be measured against the business goals of a single organization. Enterprise architecture needs to be right-sized for your organization.

    Info-Tech insight summary on arch. agility

    Continuous innovation is of paramount importance in achieving and maintaining competitive advantage in the marketplace.

    Business engagement

    It is important to trace architectural decisions to business goals. As business goals evolve, architecture should evolve as well.

    As new business input is provided during Agile cycles, architecture is continuously evolving.

    EA fundamentals

    EA fundamentals will shape how enterprise architects think and act, how they engage with the organization, what decisions they make, etc.

    Start small and lean and evolve as needed.

    Continuously align strategy with delivery and operations.

    Architects should establish themselves as business partners as well as implementation/delivery leaders.

    Enterprise services

    Definitions of enterprise services should start from the business goals of the organization and the capabilities IT needs to perform for the organization to survive in the marketplace.

    Continuous delivery and continuous innovation are the two facets of architecture.

    Tactical insight

    Your current maturity should be reflected as a baseline in the strategy.

    Tactical insight

    Take Agile/opportunistic steps toward your strategic North star.

    Tactical insight

    EA services differ based on goals, maturity, and the Agile appetite of the enterprise.

    From the best industry experts

    “The trick to getting value from enterprise architecture is to commit to the long haul.”

    Jeanne W. Ross, MIT CISR
    Co-author of Enterprise Architecture as Strategy: Creating a Foundation for Business Execution,
    Harvard Business Press, 2006.

    Typical EA maturity stages

    A line chart that moves through multiple stages titled 'Enterprise Architecture Maturity Stages (MIT CISR)' The five stages of the chart, starting on the left, are 'Business Silos', 'Standardized Technology', 'Optimized Core', 'Business Componentization', and 'Digital Ecosystem'. 'The trick to getting value from enterprise architecture is to commit to the long haul.' The line begins at the bottom left of the chart and gradually creates a stretched S shape to the top right. Points along the line, respective to the aforementioned stages, are 'Locally Optimal Business Solutions', 'Technology Infrastructure Platform', 'Digitized Process Platform', 'Repository of Reusable Business Components', 'Components Connecting with Partners' Components', and at the end of the line, outside of the chart is 'Strategic Business Value from Technology'. Percentages along the bottom, respective to the aforementioned stages, read 20%, 36%, 45%, 7%, 2%. Percentages are rough approximations based on findings reported in Mocker, M., Ross, J.W., Beath, C.M., 'How Companies Use Digital Technologies to Enhance Customer Offerings--Summary of Survey Findings,' MIT CISR Working Paper No. 434, Feb. 2019. Copyright MIT, 2019.

    Enterprise Architecture maturity

    A maturity ladder visualization for 'Enterprise Architecture' with five color-coded levels. From the bottom up, the colors and designations are Red: 'Unstable', Orange: 'Firefighter', Yellow: 'Trusted Operator', Blue: 'Business Partner', and Green: 'Innovator'. Beside the visualization at the bottom it says 'EA is here', then an arrow in the direction of the top where it says 'EA needs to be here'.
    • Innovator – Transforms the Business
      Reliable Technology Innovation
    • Business Partner – Expands the Business
      Effective Use of Enterprise Architecture in all Business Projects, Enterprise Architecture Is Strategically Engaged
    • Trusted Operator – Optimizes the Business
      Enterprise Architecture Provides Business, Data, Application & Technology Architectures for All IT Projects
    • Firefighter – Supports the Business
      Reliable Architecture for Some Practices/Projects
    • Unstable – Struggles to Support
      Inability to Provide Reliable Architectures

    Info-Tech Insight

    There is no “absolute maturity” for organizations of all sizes, maturities, and cultural contexts. The maturity of enterprise architecture can only be measured against the business goals of the organization.

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    Guided Implementation

    Workshop

    Consulting

    "Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful." "Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track." "We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place." "Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project."

    Diagnostics and consistent frameworks used throughout all four options

    Workshop Overview

    Contact your account representative for more information.
    workshops@infotech.com1-888-670-8889

    Session 1 Session 2 Session 3 Session 4 Session 5
    Activities
    Identify organizational needs and landscape

    1.0 Interview stakeholders to identify business and technology needs

    1.1 Review organization perspective, including business needs, challenges, and strategic directions

    1.2 Conduct PESTLE analysis to identify business and technology trends

    1.3 Conduct SWOT analysis to identify business and technology internal perspective

    Create the EA value proposition

    2.1 Identify and prioritize EA stakeholders

    2.2 Create business and technology drivers from needs

    2.3 Define the EA value proposition

    2.4 Identify EA maturity and target

    Define the EA fundamentals

    3.1 Define the EA goals and objectives

    3.2 Determine EA scope

    3.3 Create a set of EA principles

    3.4. Define the need of a methodology/agility

    3.5 Create the EA vision and mission statement

    Identify the EA framework and communicate the EA strategy

    4.1 Define initial EA operating model and governance mechanism

    4.2 Define the activities and services the EA function will provide, derived from business goals

    4.3 Determine effectiveness measures

    4.4 Create EA roadmap and next steps

    4.5 Build communication plan for stakeholders

    Next Steps and Wrap-Up (offsite)

    5.1 Generate workshop report

    5.2 Set up review time for workshop report and to discuss next steps

    Outcomes
    1. Stakeholder insights
    2. Organizational needs, challenges, and direction summary
    3. PESTLE & SWOT analysis
    1. Stakeholder power map
    2. List of business and technology drivers with associated pains
    3. Set of EA contributions articulating the promises of value in the EA value proposition
    4. EA maturity assessment
    1. EA scope
    2. List of EA principles
    3. EA vision statement
    4. EA mission statement
    5. Statement about role of enterprise architect relative to agility
    1. EA capabilities mapped to business goals of the organization
    2. List of EA activities and services the EA function is committed to providing
    3. KPI definitions
    4. EA roadmap
    5. EA communication plan
    1. Completed workshop report on EA strategy with roadmap, recommendations, and outcomes from workshop

    Guided Implementation

    A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

    A typical GI is 8 to 12 calls over the course of 4 to 6 months.

    While variations depend on the maturity of the organization as well as its aspirations, these are some typical steps:

      Phase 1

    • Call #1: Explore the role of EA in your organization.
    • Phase 2

    • Call #2: Identify and prioritize stakeholders.
    • Call #3: Use a PESTLE analysis to identify business and technology needs.
    • Call #4: Prepare for stakeholder interviews.
    • Call #5: Discuss your EA value proposition.
    • Phase 3

    • Call #5: Understand the importance of EA fundamentals.
    • Call #6: Define the relevant EA services and their contributions to the organization.
    • Call #7: Measure EA effectiveness.
    • Phase 4

    • Call #8: Build your EA roadmap and communication plan.
    • Call #9: Discuss the EA role relative to agility.
    • Call #10: Summarize results and plan next steps.

    Design an Enterprise Architecture Strategy

    Phase 1

    Explore the Role of Enterprise Architecture

    Phase 1

    • 1.1 Explore a general EA strategy approach
    • 1.2 Introduce Agile EA architecture

    Phase 2

    • 2.1 Define the business and technology drivers
    • 2.2 Define your value proposition

    Phase 3

    • 3.1 Realize the importance of EA fundamentals
    • 3.2 Finalize the EA fundamentals

    Phase 4

    • 4.1 Select relevant EA services
    • 4.2 Finalize the set of services and secure approval

    This phase will walk you through the following activities:

    Define the role of the group and different roles inside the enterprise architecture competency.

    This phase involves the following participants:

    • CIO
    • IT Leaders
    • Business Leaders

    Enterprise architecture optimizes the outcomes of the entire organization

    Corporate Strategy –› Enterprise Architecture Strategy

    Info-Tech Insight

    Enterprise architecture needs to have input from the corporate strategy of the organization. Similarly, EA governance needs to be informed by corporate governance. If this is not the case, it is like planning and governing with your eyes closed.

    Existing EA functions vary in the value they achieve due to their level of maturity

    EA Functions
    Operationalized
    • EA function is operationalized and operates as an effective core function.
    • Effectively aligns the business and IT through governance, communication, and engagement.
    –––› Common EA value
    Decreased cost Reduced risk
    Emerging
    • Emerging but limited ad hoc EA function.
    • Limited by lack of alignment to the business and IT.
    –x–› Cut through complexity Increased agility
    (Source: Booz & Co., 2009)

    Benefits of enterprise architecture

    1. Focuses on business outcomes (business centricity)
    2. Provides traceability of architectural decisions to/from business goals
    3. Provides ways to measure results
    4. Provides consistency across different lines of business: establishes a common vocabulary, reducing inconsistencies
    5. Reduces duplications, creating additional efficiencies at the enterprise level
    6. Presents an actionable migration to the strategy/vision, through short-term milestones/steps

    Benefits of enterprise architecture continued

    1. Done right, increases agility
    2. Done right, reduces costs
    3. Done right, mitigates risks
    4. Done right, stimulates innovation
    5. Done right, helps achieve the stated business goals (e.g. customer satisfaction) and improves the enterprise agility.
    6. Done right, enhances competitive advantage of the enterprise

    Qualities of a well-established and practical enterprise architecture

    1. Objective
    2. Impartial
    3. Credible
    4. Practical
    5. Measurable
    6. (Source: University of Toronto, 2021)

    Role of the enterprise architecture

    • Primarily to set up guardrails for the enterprise, so Agile teams work independently in a safe, ready-to-integrate environment
    • Establish strategy
    • Establish priorities
    • Continuously innovate
    • Establish enterprise standards and enterprise guardrails to guide Solution/Domain/Portfolio Architectures
    • Align with and be informed by the organization’s direction

    Members of the Architecture Board:

    • Chief (Business) Strategist
    • Lead Enterprise Architect
    • Business SME from each major domain
    • IT SME from each major domain
    • Operational & Infrastructure SME
    • Security & Risk Officer
    • Process Management
    • Other relevant stakeholders

    For enterprise architecture to contribute, EA must address the organizational vision and goals

    External Factors –› Layers of a Business Model
    (Organization)
    –› Architecture Supported Transformation
    Industry Changes Business Strategy
    Competition Value Streams
    (Business Outcomes)
    Regulatory Impacts Business Capability Maps
    • Security
    Workforce Impacts Execution
    • Policies
    • Processes
    • People
    • Information
    • Applications
    • Technology

    Info-Tech Insight

    External forces can affect the organization as a whole; they need to be included as part of the holistic approach for enterprise architecture.

    How does EA provide value?

    Business and Technology Drivers – A set of statements created from business and technology needs. Gathered from information sources, it communicates improvements needed.

    • Vision, Aspirations, Long-Term Goals – Vision, aspirations, long term goals

      • EA Contributions – EA contributions that will alleviate obstructions. Removing the obstructions will allow EA to help satisfy business and technology needs.

        • Promise of Value – A statement that depicts a concrete benefit that the EA practice can provide for the organization in response to business and technology drivers.

    Info-Tech Insight

    Enterprise architecture needs to create and be part of a culture where decisions are made through collaboration while focusing on enterprise-wide efficiencies (e.g. reduced duplication, reusability, enterprise-wide cost minimization, overall security, comprehensive risk mitigation, and any other cross-cutting concerns) to optimize corporate business goals.

    The EA function scope is influenced by the EA value proposition and previously developed EA fundamentals

    Establish the EA function scope by using the EA value proposition and EA fundamentals that have already been developed. After defining the EA function scope, refer back to these statements to ensure it accurately reflects the EA value proposition and EA fundamentals.

    EA value proposition

    +

    EA vision statement
    EA mission statement
    EA goals and objectives

    —›
    Influences

    Organizational coverage

    Architectural domains

    Depth

    Time horizon

    —›
    Defines
    EA function scope

    EA team characteristics

    Create the optimal EA strategy by including personnel who understand a broad set of topics in the organization

    The team assembled to create the EA strategy will be defined as the “EA strategy creation team” in this blueprint.

    • Someone who has been in the organization for a long time and has built strong relationships with key stakeholders. This individual can exert influence and become the EA strategy sponsor.
    • An individual who understands how the different technology components in the organization support its business operations.
    • Someone in the organization who can communicate IT concepts to business managers in a language the business understands.
    • An individual with a strategy background or perspective on the organization. This individual will understand where the organization is headed.
    • Any individuals who feel an acute pain as a result of poorly made investment decisions. They can be champions of EA strategy in their respective functions.

    EA skills and competencies

    Apart from business know-how, the EA team should have the following skills

    • Architectural thinking
    • Analytical
    • Trusted, credible
    • Can handle complexity
    • Can change perspectives
    • Can learn fast (business and technology)
    • Independent and steadfast
    • Not afraid to go against the stream
    • Able to understand problems of others with empathy
    • Able to estimate scaling on design decisions such as model patterns
    • Intrinsic capability to identify where relevant details are
    • Able to identify root causes quickly
    • Able to communicate complex issues clearly
    • Able to negotiate and come up with acceptable solutions
    • Can model well
    • Able to change perspectives (from business to implementation and operational perspectives).

    Use of enterprise architecture methodologies

    Balance EA methodologies with Agile approaches

    Using an enterprise architecture methodology is a good starting point to achieving a common understanding of what that is. Often, organizations agree to "tailor" methodologies to their needs.

    The use of lean/Agile approaches will increase efficiency beyond traditional methodologies.

    Use of EA methodologies vs. Agile methods

    When to use what?

    • Use an existing methodology to structure your thinking and establish a common vocabulary to communicate basic concepts, processes, and approaches.
    • Customize the methodology to your needs; make it as lean as possible.
    • Execute in an Agile way, but keep in mind the thoughtful checks recommended by your end-to-end methodology.
    • Clarify goals.
    • Have good measures and metrics in place.
    • Continuously monitor progress, fit for purpose, etc.
    • Highlight risks, roadblocks, etc.
    • Get support.
    • Communicate vision, goals, key decisions, etc.
    • Iterate.

    Business strategy first, EA strategy second, and EA operating model third

    Corporate Strategy
    “Why does our enterprise exist in the market?”
    EA Strategy
    “What does EA need to be and do to support the enterprise’s ability to meet its goals? What is EA’s value proposition?”
    Business & IT Operating Culture
    “How does the organization’s culture and structure influence the EA operating model?”
    EA Operating Model
    How does EA need to operate on a daily basis to deliver the value proposition?”

    High-level perspective

    Creating an effective practice involves many moving parts.

    A visual of the many moving parts in an effective practice; there are 6 smaller circles in a large circle, an input arrow labelled 'Environment', an output arrow labelled 'Results', and a thin arrow connecting 'Results' back to 'Environment'. Of the circles, 'Leadership' is in the center, connected to each of the others, while 'Culture', 'Strategy', 'Core Processes', 'Structure', and 'Systems' create a cycle. (Source: The Center for Organizational Design)

    • Environment. Influences that are external to the organization, such as customer perceptions, changing needs, and changes in technology, and the organization’s ability to adjust to them.
    • Strategy. The business strategy defines how the organization adds value and acts as the rudder to direct the organization. Organizational strategy defines the character of the organization, what it wants to be, its values, its vision, its mission, etc.
    • Core Process. The flow of work through the organization.
    • Structure. How people are organized around business processes. Includes reporting structures, boundaries, roles, and responsibilities. The structure should assist the organization with achieving its goals rather than hinder its performance.
    • Systems. Interrelated sets of tasks or activities that help organize and coordinate work.
    • Culture. The personality of the organization: its leadership style, attitudes, habits, and management practices. Culture measures how well philosophy is translated into practice.
    • Results. Measurement of how well the organization achieved its goals.
    • Leadership. Brings the organization together by providing vision and strategy; designing, monitoring, and nurturing the culture; and fostering agility.

    The answer to the strategic planning entity dilemma is enterprise architecture

    Enterprise architecture is a discipline that defines the structure and operation of an organization. The intent of enterprise architecture is to determine how an organization can most effectively achieve its current and future objectives.

    Vision, goals, and aspirations as well internal and external pressures

    Business current state

    • Existing capability
    • Existing capability
    • Existing capability
    • Existing capability
    • Existing capability
    Enterprise Architecture

    IT current state

    • IT asset management
    • Database services
    • Application development

    Business target state

    • Existing capability
    • Existing capability
    • Existing capability
    • Existing capability
    • Existing capability
    • New capability

    IT target state

    • IT asset management
    • Database services
    • Application development
    • Business analytics
    Complex, overlapping, contradictory world of humans vs. logical binary world of IT
    EA is a planning tool to help achieve the corporate business goals

    EA spans across all the domains of architecture

    Business architecture is the cornerstone that sets the foundation for all other architectural domains: security, data, application, and technology.

    A flow-like diagram titled 'Enterprise Architecture' beginning with 'Digital Architecture' and 'Business Architecture', which feeds into 'Security Architecture', which feeds into both 'Data Architecture' and 'Application Architecture', which both feed into 'Technology Architecture: Infrastructure'.

    “An enterprise architecture practice is both difficult and costly to set up. It is normally built around a process of peer review and involves the time and talent of the strategic technical leadership of an enterprise.” (The Open Group Architecture Framework, 2018)

    Enterprise architecture deployment continuum

    A diagram visualizing the Enterprise architecture deployment continuum with two continuums, 'Level of Embedding' and 'EA Value', assigning terms to EA deployments based on where they fall. On the left is an 'Ivory Tower' configuration: EA' is separated from the 'BU's but is still controlling them. Level of Embedding: 'Centralized', EA Value: 'Dictatorship'. In the center is a 'Balanced' configuration: 'EA' is spread across and connected to each 'BU'. Level of Embedding: 'Federated', EA Value: 'Democracy'. On the right is a 'Siloed' configuration: Each 'BU' has its own separate 'EA'. Level of Embedding: 'Decentralized', EA Value: 'Abdication of enterprise role'.

    Info-Tech Insight

    The primary question during the design of the EA operating model is how to integrate the EA function with the rest of the business.

    If the EA practice functions on its own, you end up with ivory tower syndrome and a dictatorship.

    If you totally embed the EA function within business units it will become siloed with no enterprise value.

    Organizations need to balance consistency at the enterprise level with creativity from the grass roots.

    Enterprise vs. Program/Portfolio/Domain

    Enterprise vs. Program/Portfolio/Domain. Image depicts where Enterprise Scope overlaps Program/Portfolio Scope. Enterprise Scope includes Business Architecture. Program/Portfolio Scope includes Business Requirements, Business Process, and Solutions Architecture. Overlap between scope includes Technology Architecture, Data Architecture, and Applications Architecture.

    Info-Tech Insight

    Decisions at the enterprise level apply across multiple programs/portfolios/solutions and represent the guardrails set for all to play within.

    Decide on the degree of centralization

    Larger organizations with multiple domains/divisions or business units will need to decide which architecture functions will be centralized and which, if any, will be decentralized as they plan to scope their EA program. What are the core functions to be centralized for the EA to deliver the greatest benefits?

    Typically, we see a need to have a centralized repository of reusable assets and standards across the organization, while other approaches/standards can operate locally.

    Centralization

    • Allows for more strategic planning
    • Visibility into standards and assets across the organization promotes rationalization and cost savings
    • Ensures enterprise-wide assets are used
    • More strategic sourcing of vendors and resellers
    • Can centrally negotiate pricing for better deals
    • Easier to manage risk and prepare for audits
    • Greater coordination of resources
    • Derives benefits from enterprise decisions, e.g. integration…

    Decentralization

    • May allow for more innovation
    • May be easier to demonstrate local compliance if the organization is geographically decentralized
    • May be easier to procure software if offices are in different countries
    • Deployment and installation of software on user devices may be easier

    EA strategy

    What is the role of enterprise architecture vis-à-vis business goals?

    • What needs to be done?
    • Who needs to be involved?
    • When?
    • Where?
    • Why?
    • How?

    Top-down approach starting from the goals of the organization

      What the Business Sees...
    • Business Goals
      • Value Streams
          What the CxO Sees...
        • Capabilities
            What the App Managers See...
          • Processes
            • Applications
                What the Program Managers See...
              • Programs/Projects

    Info-Tech Insight

    Being able to answer the deceptively simple question “How am I doing?” requires traceability to and from the business goals to be achieved all the way to applications, to infrastructure, and ultimately, to the funded initiatives (portfolios, programs, projects, etc.).

    Measure EA strategy effectiveness by tracking the benefits it provides to the corporate business goals

    The success of the EA function spans across three main dimensions:

    1. The delivery of EA-enabled business outcomes that are most important to the enterprise.
    2. The alignment between the business and the technology from a planning perspective.
    3. Improvements in the corporate business goals due to EA contributions (standardization, rationalization, reuse, etc.).

    Corporate Business Goals

    • Reduction in operating costs
    • Decreased regulatory compliance infractions
    • Increased revenue from existing channels
    • Increased revenue from new channels
    • Faster time to business value
    • Improved business agility
    • Reduction in enterprise risk exposure

    EA Contributions

    • Alignment of IT investments to business strategy
    • Achievement of business results directly linked to IT involvement
    • Application and platform rationalization
    • Standards in place
    • Flexible architecture
    • Better integration
    • Higher organizational satisfaction with technology-enabled services and solutions

    Measurements

    • Cost reductions based on application and platform rationalization
    • Time and cost reductions due to standardization
    • Time reduction for integration
    • Service reused
    • Stakeholder satisfaction with EA services
    • Increase in customer satisfaction
    • Rework minimized
    • Lower cost of integration
    • Risk reduction
    • Faster time to market
    • Better scalability, etc.

    Info-Tech Insight

    Organizations must create clear and smart KPIs (key performance indicators) across the board.

    From corporate strategy to enterprise architecture

    A model connecting 'Enterprise Architecture' with 'Corporate Strategy' through 'EA Services' and 'EA Strategy'.

    Info-Tech Insight

    In the absence of a corporate strategy, enterprise architecture is missing its North Star.

    However, enterprise architects can partner with the business strategists to build the needed vision.

    Traceability to and from business corporate business goals to EA contributions (sample)

    A model connecting 'Enterprise Architecture' with 'Corporate Goals' through 'EA Contributions'.

    Enterprise architecture journey

    The enterprise architecture journey, from left to right: 'Business Goals' and 'EA Maturity Assessment', 'EA Strategy', 'Industry-Specific Capability Model' and 'Customized to the Organization's Needs', 'EA Operating Model' and 'EA Governance', 'Business Architecture' and 'EA Tooling', 'Data Architecture' and 'Application Architecture', 'Infrastructure Architecture'.

    Agile architecture principles

    Agile architecture principles:
    • Fast learning cycle
    • Explore alternatives
    • Create environment for decentralized ideation and innovation

    According to the Scaled Agile Framework, three of the most applicable principles for the architectural professions refer to the following:

    1. "Fast learning cycle" refers to learning cycles that allow for quick reiterations as well as the opportunity to fail fast to learn fast.
    2. "Explore alternatives" refers to the exploration phase and also to the need to make tough decisions and balance competing demands.
    3. "Create environment for decentralized ideation and innovation" ensures that no one has a monopoly on innovation. Moreover, EA needs to invite ideas from various stakeholders (from the business to operations as well as implementers, etc.).

    Architecture roles in lean enterprises

    Typical architecture roles in modern/Agile lean enterprises

    • System Architect
    • Solution Architect
    • Enterprise Architect

    Depth vs. strategy focus

    Typical architect roles

    A graph with different architect roles mapped onto it. Axes are 'Low Strategic Impact' to 'High Strategic Impact' and 'Breadth' to 'Depth'. 'Enterprise Architect' has the highest strategic impact and most breadth. 'Technical/System Architect' has the lowest strategic impact and most depth. 'Solution Architect' sits in the middle of both axes.

    Architecture roles continued

    The three architect roles from above and their impacts on the list of 'Common Domains' to the right. 'Enterprise Architect's impact is 'Across Value Streams', 'Solution Architect's impact is 'Across Systems', 'Technical/System Architect's impact is 'Single System'. Adapted from Scaled Agile.

    Common Domains

    Business Architecture

    Information Architecture

    Application Architecture

    Technical Architecture

    Integration Architecture

    Security Architecture

    Others

    Info-Tech Insight

    All architects are boots on the ground and play in the solutioning space. What differs is their decisions’ impact (the enterprise architect’s decisions affects all domains and solutions).

    SAFe definitions of the Enterprise/Solution and System Architect roles can be found here.

    The role of the Enterprise Architect is detailed here.

    Collaboration models across the enterprise

    A collaboration model with 'Enterprise Architecture' at the top consisting of a 'Chief Enterprise Architect', 'Enterprise Architects', and 'EA Concerns across solutions': 'Architect A', 'Architect B', and 'Architect C'. Each lettered Architect is connected to their respective 'Solution Architect (A-C)' which runs their respective 'Delivery Team (A-C)' with 'Other Team Members'.(Adapted from Disciplined Agile)

    There are both formal and informal collaborations between enterprise architects and solution architects across the enterprise.

    Info-Tech Insight

    Enterprise architects should collaborate with solutions architects to create the best solutions at the enterprise level and to provide guidance across the board.

    Architect roles in SAFe

    According to Scale Agile Framework 5 for Lean Enterprises:

    • The system architect participates in the Essential SAFe
    • Solution architects and system architects participate in Large Solution
    • The enterprise architect participates in the Portfolio SAFe
    • Enterprise, solution, and system architects are all involved in Full SAFe

    Please check the SAFe Scaled Agile site for detailed information on the approach.

    Architect roles and their participation in Agile events (see likely events and a typical calendar)

    Info-Tech Insight

    A clear commitment for architects to achieve and support agility is needed. Architects should not be in an ivory tower; they should be hands on and engaged in all relevant Agile ceremonies, like the pre- and post-program increment (PI) planning, etc.

    Architect syncs are also required to ensure the needed collaboration.

    Architect participation in Agile ceremonies, according to SAFe:

    Architecture runway (at scale)

    Info-Tech Insight

    Architecting for scale, modularity, and extensibility is key for the architecture to adapt to changing conditions and evolve.

    Proactively address NFRs; architect for performance and security.

    Continuously refine the solution intent.

    For large solutions, longer foundational architectural runways are needed.

    Having an intentional continuous improvement/continuous development (CI/CD) pipeline to continuously release, test, and monitor is key to evolving large and complex systems.

    Parallel continuous exploration/integration/deployment

    A cycle titled DevOps containing three smaller cycles labelled 'Continuous Explorations', 'Continuous Integration', and 'Continuous Deployment'.

    Info-Tech Insight

    Architects need to help make some fundamental decisions, e.g. help define the environment that best supports continuous innovation or exploration and continuous integration, deployment, and delivery.

    Typical strategic enterprise architecture involvement

    Enterprise Architect —DRIVES–› Enterprise Architecture Strategy

    Enterprise Architecture Strategy
    • Application Strategy
    • Business Strategy
    • Data Strategy
    • Implementation Strategy
    • Infrastructure Strategy
    • Inter-domain Collaboration
    • Integration Strategy
    • Operations Strategy
    • Security Strategy
    • (Adapted from Scaled Agile)

    The EA statement relative to agility

    The enterprise architecture statement relative to agility specifies the architects’ responsibilities as well as the Agile protocols they will participate in. This statement will guide every architect’s participation in planning meetings, pre- and post-PI, various syncs, etc. Use simple and concise terminology; speak loudly and clearly.

    Strong EA statement relative to agility has the following characteristics:

    • Describes what different architect roles do to achieve the vision of the organization
    • In an agile way
    • Compelling
    • Easy to grasp
    • Sharply focused
    • Specific
    • Concise

    Sample EA statement relative to agility

    • Create strategies that provide guardrails for the organization, provide standards, reusable assets, accelerators, and other decisions at the enterprise level that support agility.
    • Participate in pre-PI and post-PI planning activities, architect syncs, etc.

    A clear statement can include additional details surrounding the enterprise architect’s role relative to agility

    Below is a sample of connecting keywords to form an enterprise architect role statement, relative to agility.

    Optimize, transform, and innovate by defining and implementing the [Company]’s target enterprise architecture in an agile way.

    Optimize – We collaborate with the business to analyze and optimize business capabilities and business processes to enable the agile and efficient attainment of [Company name] business objectives.

    Transform – We support IT-enabled business transformation programs by building and maintaining a shared vision of the future-state enterprise and consistently communicating it to stakeholders.

    Innovate – We identify and develop new and creative opportunities for IT to enable the business. We communicate the art of the possible to the business.

    Defining and implementing – We engage with project teams early and guide solution design and selection to ensure alignment to the target-state enterprise architecture and provide guidance and accelerators.

    Target enterprise structure in an agile way – We analyze business needs and priorities and assess the current state of the enterprise. We build and maintain the target enterprise architecture blueprints that define:

    • Business capabilities and processes (business architecture)
    • Data, application, and technology assets that enable business capabilities and processes (technology architecture)
    • Architecture principles
    • Standards and reusable assets
    • Continuous exploration, integration, and deployment

    Traditional vs. Agile approaches

    Traditional Enterprise Architecture Next-Generation Enterprise Architecture
    Scope: Technology focused Business transformation (scope includes both business and technology)
    Bottom up Top down
    Inside out Outside In
    Point to point; difficult to change Expandable, extensible, evolvable
    Control-based: Governance intensive; often over-centralized Guidance-based: Collaboration and partnership-driven based on accepted guardrails
    Big up-front planning Incremental/dynamic planning; frequent changes
    Functional siloes and isolated projects, programs, and portfolios Enterprise-driven outcome optimization (across value streams)

    Info-Tech Insight

    The role of the architecture in Lean (Agile) approaches is to set up the needed guardrails and ensure a safe environment where everyone can be effective and creative.

    Design an Enterprise Architecture Strategy

    Phase 2

    Create the EA Value Proposition

    Phase 1

    • 1.1 Explore a general EA strategy approach
    • 1.2 Introduce Agile EA architecture

    Phase 2

    • 2.1 Define the business and technology drivers
    • 2.2 Define your value proposition

    Phase 3

    • 3.1 Realize the importance of EA fundamentals
    • 3.2 Finalize the EA fundamentals

    Phase 4

    • 4.1 Select relevant EA services
    • 4.2 Finalize the set of services and secure approval

    This phase will walk you through the following activities:

    • Identify and prioritize EA stakeholders.
    • Create business and technology drivers from stakeholder information.
    • Identify business pains and technology drivers.
    • Define EA contributions to alleviate the pains.
    • Create promises of value to fully articulate the value proposition.

    This phase involves the following participants:

    • CIO
    • IT Leaders
    • Business Leaders

    Step 2.1

    Define the Business and Technology Drivers

    Activities
    • 2.1.1 Use a stakeholder power map to identify and prioritize EA stakeholders
    • 2.1.2 Conduct a PESTLE analysis
    • 2.1.3 Review strategic planning documents
    • 2.1.4 Conduct EA stakeholder interviews

    This step will walk you through the following activities:

    • Learn the five-step process to create an EA value proposition.
    • Uncover business and technology needs from stakeholders.

    This step involves the following participants:

    • CIO
    • IT Leaders
    • Business Leaders

    Outcomes of this step

    An understanding of your organization’s EA needs.

    Create the Value Proposition

    Step 2.1 Step 2.2

    Value proposition is an important step in the creation of the EA strategy

    Creating an EA value proposition should be the first step to realizing a healthy EA function. The EA value proposition demonstrates to organizational stakeholders the importance of EA in helping to realize their needs.

    Five steps towards the successful articulation of EA value proposition:

    1. Identify and prioritize stakeholders. The EA function must know to whom to communicate the value proposition.
    2. Construct business and technology drivers. Drivers are derived from the needs of the business and IT. Needs come from the analysis of external factors, strategic documents, and interviewing stakeholders. Helping stakeholders and the organization realize their needs demonstrates the value of EA.
    3. Discover pains that prevent driver realization. There are always challenges that obstruct drivers of the organization. Find out what they are to get closer to showing the value of EA.
    4. Brainstorm EA contributions. Pains that obstruct drivers have now been identified. To demonstrate EA’s value, think about how EA can help to alleviate those pains. Create statements that show how EA’s contribution will be able to overcome the pain to show the value of EA.
    5. Derive promises of value. Complete the articulation of value for the EA value proposition by stating how realizing the business or technology will provide in terms of value for the organization. Speak with the stakeholders to discover the value that can be achieved.

    Info-Tech Insight

    EA can deliver many benefits to an organization. To increase the likelihood of success, each EA group needs to commit to delivering value to their organization based on the current operating environment and the desired direction of the enterprise. An EA value proposition will articulate the group’s promises of value to the enterprise.

    The foundation of an optimal EA value proposition is laid by defining the right stakeholders

    All stakeholders need to know how the EA function can help them. Provide the stakeholders with an understanding of the EA strategy’s impact on the business by involving them.

    A stakeholder map can be a powerful tool to help identify and prioritize stakeholders. A stakeholder map is a visual sketch of how various stakeholders interact with your organization, with each other, and with external audience segments.

    An example stakeholder map with the 'Key players' quadrant highlighted, it includes 'CEO', 'CIO', and the modified position of 'CFO' after being engaged.

    “Stakeholder management is critical to the success of every project in every organization I have ever worked with. By engaging the right people in the right way in your project, you can make a big difference to its success…and to your career.” (Rachel Thompson, MindTools)

    2.1.1 Use a stakeholder power map to identify and prioritize EA stakeholders

    2 hours

    Input: Expertise from the EA strategy creation team

    Output: An identified and prioritized set of stakeholders for the EA function to target

    Materials: Note-taking materials, Whiteboard or flip chart, markers

    Participants: EA strategy creation team

    1. A stakeholder power map helps to visualize the importance of various stakeholders and their concerns so you can prioritize your time according to the most powerful and most impacted stakeholders.
    2. Evaluate each stakeholder in terms of power, Involvement, impact, and support.
      • Power: How much influence does the stakeholder have? Enough to drive the project forward or into the ground?
      • Involvement: How interested is the stakeholder? How involved is the stakeholder in the project already?
      • Impact: To what degree will the stakeholder be impacted? Will this significantly change how they do their job?
      • Support: Is the stakeholder a supporter of the project? Neutral? A resistor?
    3. Map each stakeholder to an area on the Power Map Template.
    4. Ask yourself if the power map looks accurate. Is there someone who has no involvement in EA strategy development but should?
    5. Some stakeholders may have influence over others. For example, a COO who highly values the opinion of the Director of Operations would be influenced by that director. Draw an arrow from one stakeholder to another to signify this relationship.

    Download the Stakeholder Power Map Template for more detailed instructions on completing this activity.

    Each stakeholder will have a set of needs that will influence the final EA value proposition

    All stakeholders will have a set of needs they would like to address. Take those needs and translate them into business and technology drivers. Drivers help clearly articulate to stakeholders, and the EA function, the stakeholder needs to be addressed.

    Business Driver

    Business drivers are internal or external business conditions, changing business capabilities, and changing market trends that impact the way EA operates and provides value to the enterprise.

    Examples:

    Ensure corporate compliance with legislation pertaining to data and security (e.g. regulated oil fields).

    Enable the automation and digitization of internal processes and services to business stakeholders.

    Technology Driver

    Technology drivers are internal or external technology conditions or factors that are not within the control of the EA group that impact the way that the EA group operates and provides value to the enterprise.

    Examples:

    Establish standards and policies for enabling the organization to take advantage of cloud and mobile technologies.

    Reduce the frequency of shadow IT by lowering the propensity to make business–technology decisions in isolation.

    (Source: The Strategic CFO, 2013)

    Gather information from stakeholders to begin the process of distilling business and technology drivers

    Review information sources, then analyze them to derive business and technology drivers. Information sources are not targeted towards EA stakeholders. Analyze the information sources to create drivers that are relevant to EA stakeholders.

    Information Sources Drivers (Examples)

    PESTLE Analysis

    Strategy Documents

    Stakeholder Interviews

    SWOT Analysis

    —›

    Analysis

    —›

    Help the organization align technology investments with corporate strategy

    Ensure corporate compliance with legislation.

    Increase the organization’s speed to market.

    Business and Technology Needs

    By examining information sources, the EA team will come across a set of business and technology needs. Through analysis, these needs can be synthesized into drivers.

    The PESTLE analysis will help you uncover external factors impacting the organization

    PESTLE examines six perspectives for external factors that may impact business and technology needs. Below are prompting questions to facilitate a PESTLE analysis working session.

    Political
    • Will a change in government (at any level) affect your organization?
    • Do inter-government or trade relations affect you?
    • Are there shareholder needs or demands that must be considered?
    • How are your costs changing (moving off-shore, fluctuations in markets, etc.)?
    • Do currency fluctuations have an effect on your business?
    • Can you attract and pay for top-quality talent (e.g. desirable location, reasonable cost of living, changes to insurance requirements)?
    Economic
    Social
    • What are the demographics of your customers and/or employees?
    • What are the attitudes of your customers and/or staff (e.g. do they require social media, collaboration, transparency of costs)?
    • What is the general lifecycle of an employee (i.e. is there high turnover)?
    • Is there a market of qualified staff?
    • Is your business seasonal?
    • Do you require constant technology upgrades (e.g. faster network, new hardware)?
    • What is the appetite for innovation within your industry/business?
    • Are there demands for increasing data storage, quality, BI, etc.?
    • Are you looking to cloud technologies?
    • What is the stance on bring your own device?
    • Are you required to do a significant amount of development work in-house?
    Technological
    Legal
    • Are there changes to trade laws?
    • Are there changes to regulatory requirements (i.e. data storage policies, privacy policies)?
    • Are there union factors that must be considered?
    • Is there a push towards being environmentally friendly?
    • Does the weather have any effect on your business (hurricanes, flooding, etc.)?
    Environmental

    2.1.2 Conduct a PESTLE analysis

    2 hours

    Input: Expertise from EA strategy creation team

    Output: Identified set of business and technology needs from PESTLE

    Materials: Note-taking materials, Whiteboard or flip chart, markers

    Participants: EA strategy creation team

    1. Begin conducting the PESTLE analysis by breaking the participants into groups. Divide the six different perspectives amongst the groups.
    2. Ask each group to begin to derive business and technology needs from their assigned perspectives. Use some of the areas noted below along with the questions on the previous slide to derive business and technology needs.
      • Political: Examine taxes, environmental regulations, and zoning restrictions.
      • Economic: Examine interest rates, inflation rate, exchange rates, the financial and stock markets, and the job market.
      • Social: Examine gender, race, age, income, disabilities, educational attainment, employment status, and religion.
      • Technological: Examine servers, computers, networks, software, database technologies, wireless capabilities, and availability of Software as a Service.
      • Legal: Examine trade laws, labor laws, environmental laws, and privacy laws.
      • Environmental: Examine green initiatives, ethical issues, weather patterns, and pollution.
    3. Ask each group to take into account the following questions when deriving business and technology needs:
      • Will business components require any changes to address the factor?
      • Will information technology components changes be needed to address any factor?
    4. Have each team record its findings. Have each team present its list and have remaining teams give feedback and additional suggestions. Record any changes in this step.

    Download the PESTLE Analysis Template to assist with completing this activity.

    Strategic planning documents can provide information regarding the direction of the organization

    Some organizations (and business units) create an authoritative strategy document. These documents contain corporate aspirations and outline initiatives, reorganizations, and shifts in strategy. From these documents, a set of business and technology needs can be generated.

    Overt Statements

    • Corporate objectives and initiatives are often explicitly stated in these documents. Look for statements that begin with phrases such as “Our corporate objectives are…”
    • Remember that different organizations use different terminology; if you cannot find the word goal or objective then look for “pillar,” “imperative,” “theme,” etc.

    Turn these statements to business and technology needs by:

    Asking the following:
    • Is there a need from a business perspective to address these objectives, initiatives, and shifts in strategy?
    • Is there a need from a technology perspective to address these objectives, initiatives, and shifts in strategy?

    Covert Statements

    • Some corporate objectives and initiatives will be mentioned in passing and will require clarification. For example: “As we continue to penetrate new markets, we will be diversifying our manufacturing geography to simplify distribution.”

    2.1.3 Review strategic planning documents

    2 hours

    Input: Strategic documents in the organization

    Output: Identified set of business and technology needs from documents

    Materials: Note-taking materials, Whiteboard or flip chart, markers

    Participants: EA strategy creation team

    Begin the identification process of business and technology needs from strategic documents with the following steps:

    1. Work with the EA strategy creation team to identify the strategic documents within the organization. Look for documents with any of the following content:
      • Corporate strategy document
      • Business unit strategy documents
      • Annual general reports
    2. Gather the strategic documents into one place and call a meeting with the EA strategy creation team to identify the business and technology needs in those documents.
    3. Pick one document and look through its contents. Look for future-looking words such as:
      • We will be…
      • We are planning to…
      • We will need…
    4. Consider those portions of the document with future-looking words and ask the following:
      • Will business components require any changes to address these objectives?
      • Will information technology components changes be needed to address these objectives?
    5. Record the business and technology needs identified in step 4. As well, record any questions you may have regarding the document contents for stakeholders to validate later.
    6. Move to the next document once complete. Complete steps 3-5 for the remaining strategy documents.

    Stakeholder interviews will help you collect primary data and will shed light on stakeholder priorities and challenges

    In this interview process, you will be asking EA stakeholders questions that uncover their business and technology needs. You will also be able to ask follow-up questions to get a better understanding of abstract or complex concepts from the strategy document review and PESTLE analysis.

    EA Stakeholders:

    • Stakeholders may not think of their business and technology needs. But stakeholders will often explicitly state their objectives and initiatives.
    • Objectives often result in risks, opportunities, and annoyances:
      • Risks: Potential damage associated with pursuing an objective or initiative.
      • Opportunities: Potential gains that could be leveraged when capturing objectives and initiatives.
      • Annoyances: Roadblocks that could hinder the pursuit of objectives and initiatives.
    • Ask stakeholders questions on these areas to discern their business and technology needs.

    Risks + Opportunities + Annoyances –› Business and Technology Needs

    2.1.4 Conduct EA stakeholder interviews

    4-8 hours

    Input: Expertise from the EA stakeholders

    Output: Business and technology needs for EA stakeholders

    Materials: Note-taking materials, Whiteboard or flip chart, markers

    Participants: EA strategy creation team, Identified EA stakeholders

    1. Schedule an interview with each of the stakeholders that were identified as key stakeholders in the Stakeholder Power Map.
    2. Meet with the key EA stakeholders and start business and technology needs gathering. Schedule each identified key stakeholder for an interview.
    3. When a stakeholder arrives for their interview, ask the following questions and record the answers to help uncover needs. Be sure to record which stakeholder answered the question. Further, record any future stakeholders that agree.
      • What are the current strengths of your organization?
      • What are the current weaknesses of your organization?
      • What is the number 1 risk you need to prevent?
      • What is the number 1 opportunity you want to capitalize on?
      • What is the number 1 annoying pet peeve you want to remove?
      • How would you prioritize these risks, opportunities, and annoyances?
    4. Recorded answer example: “We can’t see what the other departments are doing; when we spend a lot of money to invest in something, we later find out the capability is already within the company.”
    5. After completing each interview, verify with each stakeholder that you have captured their business and technology needs. Continue the interview process until all identified key stakeholders have been interviewed.
    6. Capture all inputs into a SWOT (strengths, weaknesses, opportunities, and threats) format.

    Step 2.2

    Define Your Value Proposition

    Activities
    • 2.2.1 Create a set of business and technology drivers from business and technology needs
    • 2.2.2 Identify the pains associated with the business and technology drivers
    • 2.2.3 Identify the EA contributions that can address the pains
    • 2.2.4 Create promises of value to shape the EA value proposition

    This step will walk you through the following activities:

    • Use business and technology drivers to determine EA’s role in your organization.

    This step involves the following participants:

    • CIO
    • IT Leaders
    • Business Leaders

    Outcomes of this step

    A value proposition document that ties the value of the EA function to stakeholder needs.

    Create the EA Value Proposition

    Step 2.1 Step 2.2

    Synthesize the collected data into business and technology drivers

    Two triangles labelled 'Business needs' and 'Technology needs' point to a cloud labelled 'Analysis', which connects to the driver attributes on the right via a dotted line.

    There are several key attributes that a driver should have.

    Driver Key Attributes
    • A succinct statement.
    • Begins with “action words” to communicate a call to action (e.g. Support, Help, Enable).
    • Written in a language understood by all parties involved.
    • Communicates a need for improvement or prevention.

    “The greatest impact of enterprise architecture is the strategic impact. Put the mission and the needs of the organization first.” (Matthew Kern, Clear Government Solutions)

    2.2.1 Create a set of business and technology drivers from business and technology needs

    3 hours

    Input: Expertise from EA strategy creation team

    Output: A set of business and technology drivers

    Materials: Note-taking materials, Whiteboard or flip chart, markers

    Participants: EA strategy creation team, EA stakeholders

    Meet with the EA strategy creation team and follow the steps below to begin the process of synthesizing the business and technology needs into drivers.

    1. Lay out the documented business and technology needs your team gathered from PESTLE analysis, strategy document reviews, and stakeholder interviews.
    2. Assess the documented business and technology needs to see if there are common themes. Consolidate those similar business and technology needs by crafting one driver for them. For example:
      • PESTLE: Influx of competitors in the marketplace causing tighter margins.
      • Document review: Improve investment quality and their value to the organization.
      • Stakeholder interview: “We can’t see what the other departments are doing; when we spend a lot of money to invest in something, we later find out the capability is already within the company.”
      • Consolidated business driver example: Help the organization align investments with the corporate strategy and departmental priorities.
    3. As well, synthesize the business and technology needs that cannot be consolidated.
    4. Verify the completed list of drivers with stakeholders. This is to ensure you have fully captured their needs.

    Download the EA Value Proposition Template to record your findings in this activity.

    When addressing business and technology drivers, an organization can expect obstacles

    A pain is an obstacle that business stakeholders will face when attempting to address business and technology drivers. Identify the pains associated with each driver so that EA’s contributions can be linked to resolving obstacles to address business needs.

    Business and Technology Drivers

    Pains

    Created by assessing information sources. A sentence that states the nature of the pain and how the pain stops the organization from addressing the drivers.
    Examples:
    • Business driver: Help the organization align investments with the corporate strategy and departmental priorities.
    • Technology driver: Improve the organization’s technology responsiveness and increase speed to market.
    Examples:
    • Business driver pains: Lack of holistic view of business capabilities obstructs the organization from aligning investments with corporate strategy and departmental priorities.
    • Technology driver pains: Ineffective application development requiring delays decreases the speed to market.

    2.2.2 Identify the pains associated with the business and technology drivers

    2 hours

    Input: Expertise from EA strategy creation team and EA stakeholders

    Output: An associated pain that obstructs each identified driver

    Materials: Note-taking materials, Whiteboard or flip chart, markers

    Participants: EA strategy creation team, EA stakeholders

    Call a meeting with the EA strategy creation team and any available stakeholders to identify the pains that obstruct addressing the business and technology drivers.

    Take each driver and ask the questions below to the EA strategy creation team and to any EA stakeholders who are available. Record the answers to identify the pains when realizing the drivers.

    1. What are your challenges in performing the activity or process today?
    2. What other business activities/processes will be impacted/improved if we solve this?
    3. What compliance/regulatory/policy concerns do we need to consider in any solution?
    4. What are the steps in the process/activity?

    Take the recorded answers and follow the steps below to create the pain statements:

    1. Answers to the questions above can be long, unfocused, or spoken in a casual manner. To turn the answer into pains, refine the recorded answers into a succinct sentence that captures its meaning.
      • Recorded answer example: “I feel like there needs to be a holistic view of the organization. If we had a tool to see all the capabilities across the business, then we can figure out what investments should be prioritized.”
      • Example of pain statement: Lack of holistic view of business capabilities obstructs the organization from aligning investments with corporate strategy and departmental priorities.
    2. When the list of pains has been written out, verify with the stakeholders that you have fully captured their pains.

    Download the EA Value Proposition Template to record your findings in this activity.

    The identified pains can be alleviated by a set of EA contributions

    Set the foundations for the value proposition by brainstorming the EA contributions that can alleviate the pains.

    Business and technology drivers produce:

    Pains

    —›
    EA contributions produce:

    Value by alleviating pains

    Pains

    Obstructions to addressing business and technology drivers. Stakeholders will face these pains.

    Examples
    • Business driver pains: Lack of holistic view of business capabilities obstructs the organization from aligning investments with corporate strategy and departmental priorities.
    EA contributions

    Activities the EA function can perform to help alleviate the pains. Demonstrates the contributions the EA function can make to business value.

    Examples:
    • Business driver EA contributions: Business capability mapping shows the business capabilities of the organization and the technology that supports those capabilities in the current and target state. This provides a view for the set of investments that are needed by the organization, which can then be prioritized.

    Enterprise architecture functions can provide a diverse set of contributions to any organization – Sample

    EA contribution category EA contribution details
    Define business capabilities and processes As-is and target business capabilities and processes are documented and understood by both IT and the business.
    Design information flows and services Information flows and services effectively support business capabilities and processes.
    Analyze gaps and identify project opportunities Create informed project identification, scope definition, and project portfolio management.
    Optimize technology assets Greater homogeneity and interoperability between tangible and intangible technology assets.
    Create and maintain technology standards Decrease development, integration, and support efforts. Reduce complexity and improve interoperability.
    Rationalize technology assets Tangible and intangible technology assets are rationalized to adequately and efficiently support information flows and services.

    2.2.3 Identify the EA contributions that can address the pains

    2 hours

    Input: Expertise from EA strategy creation team

    Output: EA contributions that addresses the pains that were identified

    Materials: Note-taking materials, Whiteboard or flip chart, markers

    Participants: EA strategy creation team

    Gather with the EA strategy creation team, take each pain, then ask and record the answers to the questions below to identify the EA contributions that would solve the pains:

    1. What activities can the EA practice conduct to overcome the pain?
    2. What are the core EA models that can help accurately define the problem and assist in finding appropriate resolutions?
    3. What are the general EA benefits that can be associated with solving this pain?

    Answers to the questions above will generate a list of activities EA can do to help alleviate the pains. Use the following steps to complete this activity:

    1. Create a stronger tie between the EA contributions and pains by linking the EA contribution statement to the pain.
      • Example of pain statement: Lack of holistic view of business capabilities obstructs the organization from aligning investments with corporate strategy and departmental priorities.
      • Example of EA contributions statement: Business capability mapping shows the business capabilities of the organization and the technology that supports those capabilities in the current and target state. This provides a view for the set of investments that are needed by the organization, which can then be prioritized.
    2. Verify with the stakeholders that they understand the EA contributions have been written out and how those contributions address the pains.

    Download the EA Value Proposition Template to record your findings in this activity.

    EA promises of value articulate EA’s commitment to the organization

    • Business Goals and Technology Drivers
      A set of statements created from business and technology needs. Gathered from information sources, it communicates improvements needed.

      • Value Streams, Aspirations, Long-Term Goals
        Value streams, aspirations, long-term goals

        • EA Contributions
          EA contributions that will alleviate the obstructions. Removing the obstructions will allow EA to help satisfy business and technology needs.

          • Promise of Value
            A statement that depicts a concrete benefit the EA practice can provide for the organization in response to business and technology drivers.
            Communicate the statements in a language that stakeholders understand to complete the articulation of EA’s value proposition.

    2.2.4 Create promises of value to shape the EA value proposition

    2 hours

    Input: Expertise from EA strategy creation team and EA stakeholders

    Output: Promises of value for each business and technology driver

    Materials: Note-taking materials, Whiteboard or flip chart, markers

    Participants: EA strategy creation team, EA stakeholders

    Now that the EA contributions have been identified, identify the promises of value to articulate the value proposition.

    Take each driver, then ask and record the answers to the questions below to identify the promises of value when realizing the drivers:

    1. What does amazing look like if we solve this perfectly?
    2. What other business activities/processes will be impacted/improved if we solve this?
    3. What measures of success/change should we use to prove value of the effort (KPIs/ROI)?

    Take the recorded answers and follow the steps below to create the promises of value.

    1. Answers to the questions above can be long, unfocused, or spoken in a casual manner. To turn the answer into a promise of value, refine the recorded answer into a succinct sentence that captures its meaning.
      • Business driver example: Help the organization align investments with the corporate strategy and departmental priorities.
      • Recorded answer example: “If this would be solved perfectly, we would have a very easy time planning investments and investment planning hours can be spent doing other activities.”
      • Promises of value example: Increase the number of investments that have a direct tie to corporate strategy.
    2. When the promises of value have been written out, verify with the stakeholders that you have fully captured their ideas.

    Download the EA Value Proposition Template to record your findings in this activity.

    Design an Enterprise Architecture Strategy

    Phase 3

    Build the EA Fundamentals

    Phase 1

    • 1.1 Explore a general EA strategy approach
    • 1.2 Introduce Agile EA architecture

    Phase 2

    • 2.1 Define the business and technology drivers
    • 2.2 Define your value proposition

    Phase 3

    • 3.1 Realize the importance of EA fundamentals
    • 3.2 Finalize the EA fundamentals

    Phase 4

    • 4.1 Select relevant EA services
    • 4.2 Finalize the set of services and secure approval

    This phase will walk you through the following activities:

    • Create an EA vision statement and an EA mission statement.
    • Create EA goals, define EA objectives, and link them to EA goals.
    • Define the EA function scope dimensions.
    • Create a set of EA principles for your organization.
    • Discuss current methodology.

    This phase involves the following participants:

    • CIO
    • EA Team
    • IT Leaders
    • Business Leaders

    Step 3.1

    Realize the Importance of EA Fundamentals

    Activities
    • 3.1.1 Create the EA vision statement
    • 3.1.2 Create the EA mission statement
    • 3.1.3 Create EA goals
    • 3.1.4 Define EA objectives and link them to EA goals
    • 3.1.5 Record the details of each EA objective

    This step will walk you through the following activities:

    • Define and document the fundamentals that guide the EA function.

    This step involves the following participants:

    • CIO
    • EA Team
    • IT Leaders
    • Business Leaders

    Outcomes of this step

    • Vision and mission statements for the EA function.
    • A set of EA goals and a set of objectives to track progression toward those goals.
    Build the EA Fundamentals
    Step 3.1 Step 3.2

    EA fundamentals guide the EA function

    EA fundamentals include a vision statement, a mission statement, goals and objectives, and principles. They are a set of documented statements that guide the EA function. The fundamentals guide the EA function in terms of its strategy and decision making.

    EA vision statement EA mission statement

    EA fundamentals

    EA goals and objectives EA principles

    Info-Tech Insight

    Treat the critical elements of the EA group the same way as you would a business. Create a directional foundation for EA and define the vision, mission, goals, principles, and scope necessary to deliver on the established value proposition.

    The EA vision statement articulates the aspirations of the EA function

    The enterprise architecture vision statement communicates a desired future state of the EA function. The statement is expressed in the present tense. It seeks to articulate the desired role of the EA function and how the EA function will be perceived.

    Strong EA vision statements have the following characteristics:

    • Describe a desired future
    • Focus on ends, not means
    • Communicate promise
    • Concise, no unnecessary words
    • Compelling
    • Achievable
    • Inspirational
    • Memorable

    Sample EA vision statements:

    • To be a trusted partner for both the business and IT, driving enterprise effectiveness, efficiency, and agility at [Company Name].
    • To be a trusted partner and advisor to both the business and IT, contributing to business-IT alignment and cost reduction at [Company Name].
    • To create distinctive value and accelerate [Company Name]’s transformation.

    The EA mission statement articulates the purpose of the EA function

    The enterprise architecture mission statement specifies the team’s purpose or “reason of being.” The mission should guide each day’s activities and decisions. The mission statements use simple and concise terminology, speak loudly and clearly, and generate enthusiasm for the organization.

    Strong EA mission statements have the following characteristics:

    • Articulates EA function purpose and reason for existence
    • Describes what the EA function does to achieve its vision
    • Defines who the customers of the EA function are
    • Compelling
    • Easy to grasp
    • Sharply focused
    • Inspirational
    • Memorable
    • Concise

    Sample EA mission statements:

    • Define target enterprise architecture for [Company Name], identify solution opportunities, inform IT investment management, and direct solution development, acquisition, and operation compliance.
    • Synergize with both the business and IT to define and help realize [Company Name]’s target enterprise architecture that enables the business strategy and optimizes IT assets, resources, and capabilities.

    The EA vision and mission statements become relevant to EA stakeholders when linked to the promises of value

    The process for constructing the enterprise architecture vision statement and enterprise architecture mission statement is articulated below.

    Promises of value Derive keywords Construct draft statements Reference test criteria Finalize statements
    Derive the a set of keywords from the promises of value to accurately capture their essence. Create the initial statement using the keywords. Check the initial statement against a set of test criteria to ensure their quality. Finalize the statement after referencing the initial statement against the test criteria.

    Derive keywords from promises of value to begin the vision and mission statement creation process

    Develop keywords by summarizing the promises of value that were derived from drivers into one word that will take on the essence of the promise. See examples below:

    Business and technology drivers Promises of value Keywords
    Help the organization align investments with the corporate strategy and departmental priorities. Increase the number of investments that have a direct tie to corporate strategy. Business
    Support the rapid growth and development of the company through fiscal planning, project planning, and technology sustainability. Ensure budgets and projects are delivered on time with the assistance of technology. IT-Enabled
    Reduce the duplication and work effort to build and deploy technology solutions across the entire organization. Aim to reduce the number of redundant applications in the organization to streamline processes and save costs. Catalyst
    Improve the organization’s technology responsiveness and increase speed to market. Reduce the number of days required in the SDLC for all core business support projects. Value delivery

    An inspirational vision statement is greater than the sum of the individual words

    Ensure the sentence is cohesive and captures additional value outside of the keywords. The statement as a whole should be greater than the sum of the parts. Expand upon the meaning of the words, if necessary, to communicate the value. Below is an example of a finished vision statement.

    Sample

    Be a catalyst for IT-enabled business value delivery.

    Catalyst – We will continuously interact with the business and IT to accelerate and improve results.

    IT-enabled – We will ensure the optimal use of technology in enabling business capabilities to achieve business objectives.

    Business – We will be perceived as a business-focused unit that understands [Company name]’s business priorities and required business capabilities.

    Value delivery – EA’s value will be recognized by both business and IT stakeholders. We will track and market EA’s contribution to business value organization-wide.

    A clear mission statement can include additional details surrounding the EA team’s desired and expected value

    Likewise, below is a sample of connecting keywords together to form an EA mission statement:

    Optimize, transform, and innovate by defining and implementing the [Company]’s target enterprise architecture.

    Optimize – We collaborate with the business to analyze and optimize business capabilities and business processes to enable the agile and efficient attainment of [Company name] business objectives.

    Transform – We support IT-enabled business transformation programs by building and maintaining a shared vision of the future-state enterprise and consistently communicating it to stakeholders.

    Innovate – We identify and develop new and creative opportunities for IT to enable the business. We communicate the art of the possible to the business.

    Defining and implementing – We engage with project teams early and guide solution design and selection to ensure alignment to the target-state enterprise architecture.

    Target enterprise structure – We analyze business needs and priorities and assess the current state of the enterprise. We build and maintain the target enterprise architecture blueprints that define:

    • Business capabilities and processes (business architecture)
    • Data, application, and technology assets that enable business capabilities and processes (technology architecture)
    • Architecture principles and standards

    3.1.1 Create the EA vision statement

    1 hour

    Input: Identified promises of value, Vision statement test criteria

    Output: EA function vision statement

    Materials: Note-taking materials, Whiteboard or flip chart, markers

    Participants: EA strategy creation team

    Begin the creation of the EA vision statement by following the steps below:

    1. Gather the EA strategy creation team and have the promises of value from the EA value proposition laid out.
    2. Select one promise of value and work with the team to identify one word that captures the essence of that promise of value.
    3. Continue to the next promise of value until all of the promises of value have a keyword identified.
    4. Have the identified set of keywords laid out and see if any of their meanings are similar and can be consolidated together. Consolidate similar meaning keywords.
    5. Create the initial draft of the EA vision statement by linking the keywords together.
    6. Check the initial draft of the vision statement against the test criteria below. Ask the team if the vision statement satisfies each of the test criteria.
      • Do you find this vision exciting?
      • Is the vision clear, compelling, and easy to grasp?
      • Does this vision somehow connect to the core purpose?
      • Will this vision be exciting to a broad base of people in the organization, not just those within the EA team?
    7. Make changes to the initial draft to satisfy the test criteria. Socialize the EA vision statement with EA stakeholders to make sure it captures their needs.

    3.1.2 Create the EA mission statement

    1 hour

    Input: Identified promises of value, Mission statement test criteria

    Output: EA function mission statement

    Materials: Note-taking materials, Whiteboard or flip chart, markers

    Participants: EA strategy creation team

    Begin the creation of the EA mission statement by following the steps below:

    1. Gather the EA strategy creation team and have the promises of value from the EA value proposition laid out.
    2. Select one promise of value and work with the team to identify one word that captures the essence of that promise of value.
    3. Continue to the next promise of value until all of the promises of value have a keyword identified.
    4. Have the identified set of keywords laid out, and see if any of their meanings are similar and can be consolidated together. Consolidate similar meaning keywords.
    5. Create the initial draft of the EA mission statement by linking the keywords together.
    6. Check the initial draft of the mission statement against the following test criteria below. Ask the team if the mission statement satisfies each of the test criteria.
      • Do you find this purpose personally inspiring?
      • Does the purpose help you to decide what activities to not pursue, to eliminate from consideration? Is this purpose authentic – something true to what the organization is all about – not merely words on paper that sound nice?
      • Would this purpose be greeted with enthusiasm rather than cynicism by a broad base of people in the organization?
    7. Make changes to the initial draft to satisfy the test criteria. Socialize the EA mission statement with EA stakeholders to make sure it captures their needs.

    EA goals demonstrate the achievement of success of the EA function

    Enterprise architecture goals define specific desired outcomes of an EA function. EA goals are important because they establish the milestones the EA function can strive toward to deliver their promises of value.

    Inform EA goals by examining:

    Promises of value

    —›
    EA goals produce:

    Targets and milestones

    Promises of value

    Produce EA strategic outcomes that can be classified into four categories. The four categories are:

    • Business performance
    • IT performance
    • Customer value
    • Risk management
    EA goals

    Support the strategic outcomes. EA goals can be strategic or operational:

    • EA strategic goals support the strategic outcomes.
    • EA operational goals help measure the architecture capability quality and supporting processes.

    3.1.3 Create EA goals

    2 hours

    Input: Identified promises of value

    Output: EA goals

    Materials: Note-taking materials, Whiteboard or flip chart, markers

    Participants: EA strategy creation team

    Begin the creation of EA goals by following the steps below:

    1. Gather the EA strategy creation team and the identified promises of value from Phase 2, Create the EA Value Proposition.
    2. Open the EA Goals and Objectives Template and examine the list of default EA goals already within the template.
    3. Take the identified promises of value and discuss with the team if any of the EA goals in the template relate to the promises of value. Record the related EA goal and promise of value. See example below:
      • Promises of value example: Increase the number of investments that have a direct tie to corporate strategy.
      • Related EA goal example: Alignment of IT and business strategy.
    4. Repeat step 3 until all identified promises of value have been examined in relation to the EA goals in the template.
    5. If there are promises of value that are not related to an EA goal in the template, create EA goals to relate to those promises of value. Keep in mind that EA goals need to support the strategic outcomes produced by the promises of value. Record the EA goals in the template and document the related promises of value.

    Download the EA Goals and Objectives Template to assist with completing this activity.

    Starting with COBIT, select the appropriate objectives to track EA goals – Sample

    Below are examples of EA goals and the objectives that track their performance:

    IT performance-oriented goals Objectives
    Alignment of IT and business strategy
    • Increase the percentage of enterprise strategic goals and requirements supported by IT strategic goals by X percent in the fiscal year.
    • Improve stakeholder satisfaction with planned function and services portfolio scope by X percent in the fiscal year.
    • Increase the percentage of IT value drivers mapped to business value drivers by X percent in the next fiscal year.
    Increase in IT agility
    • Improve business executive satisfaction with IT’s responsiveness to new requirements by X percent in the fiscal year.
    • Increase the number of critical business processes supported by up-to-date infrastructure and applications in the next three years.
    • Lower the average time to turn strategic IT objectives into agreed-upon and approved initiatives.
    Optimization of IT assets, resources, and capabilities
    • Increase the frequency of capability maturity and cost optimization assessments.
    • Improve the frequency of reporting for assessment result trends.
    • Raise the satisfaction levels of business and IT executives with IT-related costs and capabilities by X percent.

    3.1.4 Define EA objectives and link them to EA goals

    2 hours

    Input: Defined EA goals

    Output: EA objectives linked to EA goals

    Materials: Note-taking materials, Whiteboard or flip chart, markers

    Participants: EA strategy creation team

    Begin the process of defining EA objectives and linking them to EA goals using the following steps:

    1. Gather the EA strategy creation team and open the EA Goals and Objectives Template.
    2. Have the goals laid out, and refer to the objectives already in the EA Goals and Objectives Template. Examine if any of them will fit the goals your team has created.
    3. If some of the goals your team has created do not fit with the objectives in the template, begin the process of creating new objectives. Remember, EA objectives are SMART metrics that help track the progress toward the EA goals.
    4. Create an EA objective and check if it is SMART by asking some of the questions below:
      • Specific: Is the objective specific to the goal? Is the objective clear to anyone who has basic knowledge of the goal?
      • Measurable: Is it possible to figure out how far the team would be away from completing the objective?
      • Agreed Upon: Does everyone involved agree the objective is the correct way to measure progress?
      • Realistic: Can the objective be met within the availability of resources, knowledge, and time?
      • Time Based: Is there a time-bound component to the goal?
    5. Continue to create new objectives until each goal has an objective linked to it.

    Download the EA Goals and Objectives Template to assist with completing this activity.

    For each of the objectives, determine how they will be collected, reported, and implemented

    Add details to the enterprise architecture objectives previously defined to increase their clarity to stakeholders.

    EA objective detail category Description
    Unit of measure
    • The unit in which the objective will be presented.
    Calculation formula
    • The formula by which the objective will be calculated.
    Objective baseline, status, and target
    • Baseline: The state of the objective at the start of measurement.
    • Status: The current state of the measurement.
    • Target: The target state the measurement should reach.
    Data collection
    • Responsible: The individual responsible for collecting the data.
    • Source: Where the data originates.
    • Frequency: How often the data will be collected to calculate the objective.
    Reporting
    • Target Audience: The people the objective will be presented to.
    • Method: The method used to present the data collected on the objective (e.g. report, presentation).
    • Frequency: How often the data will be presented to the target audience.

    3.1.5 Record the details of each EA objective

    2 hours

    Input: Defined list of EA objectives

    Output: Increased detail into each defined EA objective

    Materials: Note-taking materials, Whiteboard or flip chart, markers

    Participants: EA strategy creation team

    Record the details of each EA objective. Use the following steps below to assist with recording the details:

    1. Gather the EA strategy creation team, and open the EA Goals and Objectives Template.
    2. Select one objective that has been identified and discuss the formula for calculating the objective and in what units the objective will be recorded. Record the information in the “Calculation formula” and “Unit of measure” columns in the template once they have been agreed upon.
    3. Using the same objective, move to the “Data Collection” portion of the template. Discuss and record the following: the source of the data that generates the objective, the frequency of reporting on the objective, and the person responsible for reporting the objective.
    4. Move to the “Reporting” portion of the template. Discuss and record the target audience for the objective and the reporting frequency and method to those audiences.
    5. Examine the “Objective baseline,” “Objective status,” and “Objective target” columns. Record any measurement you may currently have in the “Objective baseline” column. Record what you would like the objective measurement to be in the “Objective target” column. Note: Keep track of the progression towards the target in the “Objective status” column in the future.
    6. Select the next objective and complete steps 2–5 for that measure. Continue this process until you have recorded details for all objectives.

    Download the EA Goals and Objectives Template to assist with completing this activity.

    Step 3.2

    Finalize the EA Fundamentals

    Activities
    • 3.2.1 Define the organizational coverage dimension of the EA function scope
    • 3.2.2 Define the architectural domains and depth dimension
    • 3.2.3 Define the time horizon dimension
    • 3.2.4 Create a set of EA principles for your organization
    • 3.2.5 Add the rationale and implications to the principles
    • 3.2.6 Operationalize the EA principles
    • 3.2.7 Discuss the need for classical methodology and/or a combination including Agile practices

    This step will walk you through the following activities:

    • Define the EA function scope dimensions.
    • Create a set of EA principles.
    • Discuss the organization’s current methodology, if any, and whether it works for the business.

    This step involves the following participants:

    • CIO
    • EA Team
    • IT Leaders
    • Business Leaders

    Outcomes of this step

    • Defined scope of the EA function.
    • A set of EA principles for your organization.
    • A decision on traditional vs. Agile methodology or a blend of both.

    Build the EA Fundamentals

    Step 3.1 Step 3.2

    A clear EA function scope defines the EA sandbox

    The EA function scope constrains the promises of value the EA function will deliver on by taking into account factors across four dimensions. The EA function scope ensures that the EA function is not stretched beyond its current/planned means and capabilities when delivering the promised value. The four dimensions are illustrated below:

    Organizational coverage
    Determine the focus of the enterprise architecture effort in terms of specific business units, functions, departments, capabilities, or geographical areas.
    Depth
    Determine the appropriate level of detail to be captured, based on the intended use of the enterprise architecture and the contingent decisions to be made.

    EA Scope

    Architectural Domains
    Determine the EA domains (business, data, application, infrastructure, security) that are appropriate to address stakeholder concerns and architecture requirements.
    Time horizon
    Determine the target-state architecture’s objective time period.

    The EA function scope is influenced by the EA value proposition and previously developed EA fundamentals

    Establish the EA function scope by using the EA value proposition and EA fundamentals that have been developed. After defining the EA function scope, refer back to these statements to ensure the EA function scope accurately reflects the EA value proposition and EA fundamentals.

    EA value proposition

    +

    EA vision statement
    EA mission statement
    EA goals and objectives

    —›
    Influences

    Organizational coverage

    Architectural domains

    Depth

    Time horizon

    —›
    Defines
    EA function scope

    EA scope – Organizational Coverage

    The organizational coverage dimension of EA scope determines the focus of enterprise architecture effort in the organization. Coverage can be determined by specific business units, functions, departments, capabilities, or geographic areas. Info-Tech has typically seen two types of coverage based on the size of the organization.

    Small and medium-size enterprise

    Indicators: Full-time employees dedicated to manage its data and IT infrastructure. Individuals are IT generalists and may have multiple roles.

    Recommended coverage: Typically, for small and medium-size businesses, the organizational coverage of architecture work is the entire enterprise. (Source: The Open Group, 2018)

    Large enterprise

    Indicators: Dedicated full-time IT staff with expertise to manage specific applications or parts of the IT infrastructure.

    Recommended coverage: For large enterprises, it is often necessary to develop a number of architectures focused on specific business segments and/or geographies. In this federated model, an overarching enterprise architecture should be established to ensure interoperability and conformance to overarching EA principles. (Source: DCIG, 2011)

    EA objectives track the progression towards the target set by EA goals

    Enterprise architecture objectives are specific metrics that help measure and monitor progress towards achieving an EA goal. Objectives are SMART.

    EA goals —› EA objectives
    • EA strategic goals:
      • Business performance
      • IT performance
      • Customer value
      • Risk management
    • EA operational goals
    • Specific
    • Measurable
    • Agreed upon
    • Realistic
    • Time bound
    (Source: Project Smart, 2014)

    Download the EA Goals and Objectives Template to see examples between the relationship of EA goals to objectives.

    Measure the EA strategy effectiveness by tracking the benefits it provides to the corporate business goals

    The success of the EA function is influenced by the following:

    • The delivery of EA-enabled business outcomes that are most important to the enterprise.
    • The alignment between the business and IT from a planning perspective.
    • Improvements in the corporate business goals due to EA contributions (standardization, rationalization, reuse, etc.).
    Corporate Business Goals Measurements
    • Reduction in operating costs
    • Decrease in regulatory compliance infractions
    • Increased revenue from existing channels
    • Increased revenue from new channels
    • Faster time to business value
    • Improved business agility
    • Reduction in enterprise risk exposure
    • Cost reductions based on application and platform rationalization
    • Standard-based solutions
    • Time reduction for integration
    • Service reused
    • Stakeholder satisfaction with EA services
    • Increase customer satisfaction
    • Rework minimized
    • Lower cost of integration
    • Risk reduction
    • Faster time to market
    • Better scalability, etc.

    3.2.1 Define the organizational coverage dimension of the EA function scope

    2 hours

    Input: EA value proposition, Previously defined EA fundamentals

    Output: Organizational coverage dimension of EA scope defined

    Materials: Note-taking materials, Whiteboard or flip chart, markers

    Participants: EA strategy creation team

    Define the organizational coverage of the EA function scope using the following steps below:

    1. Gather the EA strategy creation team. As well, gather the EA value proposition, the EA vision and mission statements, and the EA goals and objectives your team has already created.
    2. Ask the team to read each of the documents gathered in the previous step. This ensures the concepts are fresh in the team members’ minds when defining the EA function scope organizational coverage.
    3. Consider how much of the organization the EA function would need to cover. Refer to the gathered materials to assist with your decision. For example:
      • EA mission statement: Optimize, transform, and innovate by defining and implementing the [Company]’s target enterprise architecture.
      • Implications on organizational coverage: If the purpose of the EA function is to help optimize, transform, and innovate with target-state architecture mapping, then the scope should cover the entire organization. Only by mapping the entire organization’s architecture can the EA function assist with optimizing, transforming, and innovating.
    4. Work with the EA strategy creation team to examine all the gathered materials and document the implications on organization coverage as shown in step 3.
    5. Discuss with the team and select the organizational coverage level that best fits the documented implications for all the gathered materials. Refer back to the gathered materials and make any changes necessary to ensure they support the selected organizational coverage.

    EA scope – Architectural Domains

    A complete enterprise architecture should address all five architectural domains. The five architectural domains are business, data, application, infrastructure, and security.

    Enterprise Architecture
    —› Data Architecture
    Business Architecture —› Infrastructure Architecture
    Security Architecture
    —› Application Architecture

    “The realities of resource and time constraints often mean there is not enough time, funding, or resources to build a top-down, all-inclusive architecture encompassing all four architecture domains. Build architecture domains with a specific purpose in mind.” (The Open Group, 2018)

    Each architectural domain creates a different view of the organization

    Below are the definitions of different domains of enterprise architecture (Info-Tech perspective; others can be identified as well, e.g. Integration Architecture).

    Business Architecture

    Business architecture is a means of demonstrating the business value of subsequent architecture work to key stakeholders and the return on investment to those stakeholders from supporting and participating in the subsequent work. Business architecture defines the business strategy, governance, organization, and key business processes.

    Data Architecture

    Describes the structure of an organization’s logical and physical data assets and data management resources.

    Application Architecture

    Provides a blueprint for the individual applications to be deployed, their interactions, and their relationships to the core business processes of the organization.

    Infrastructure Architecture

    Represents the sum of hardware, software, and telecommunications-related IT capability associated with a particular enterprise. It is concerned with the synergistic operations and management of the devices in the organization.

    Security Architecture

    Provides an unified security design that addresses the necessities and potential risks involved in a certain scenario or environment. It also specifies when and where to apply security controls.
    (Sources: The Open Group, 2018; IT Architecture Journal, 2014; Technopedia, 2016)

    EA scope – Depth

    EA scope depth defines the architectural detail for each EA domain that the organization has selected to pursue. The level of depth is broken down into four levels. The level of depth the organization decides to pursue should be consistent across the domains.

    Contextual
    • Helps define the organization scope, and examines external and internal requirements and their effect on the organization. For example, enterprise governance.
    Conceptual
    • High-level representations of the organization or what the organization wants to be. For example, business strategy, IT strategy.
    Logical
    • Models that define how to implement the representation in the conceptual stage. For example, identifying the business gaps from the current state to the target state defined by the business strategy.
    Physical
    • The technology and physical tools used to implement the representation created in the logical stage. For example, business processes that need to be created to bridge the gaps identified and reach the target stage.
    (Source: Zachman International, 2011) Business Architecture Data Architecture Application Architecture Infrastructure Architecture Security Architecture

    Each architectural depth level contains a set of key artifacts

    The graphic below depicts examples of the key artifacts that each domain of architecture would produce at each depth level.

    Contextual Enterprise Governance
    Conceptual Business strategy Business objects Use-case models Technology landscaping Security policy
    Logical Business capabilities Data attribution Application integration Network/ hardware topology Security standards
    Physical Business process Database design Application design Configuration management Security configuration
    Business Architecture Data Architecture Application Architecture Infrastructure Architecture Security Architecture

    3.2.2 Define the architectural domains and depth dimension of the EA function scope

    2 hours

    Input: EA value proposition, Previously defined EA fundamentals

    Output: Architectural domain and depth dimensions of EA scope defined

    Materials: Note-taking materials, Whiteboard or flip chart, markers

    Participants: EA strategy creation team

    Define the EA function scope for your organization using the following steps below:

    1. Gather the EA strategy creation team. As well, gather the EA value proposition, the EA vision and mission statements, and the EA goals and objectives that your team has already created.
    2. Ask the team to read each of the documents gathered in the previous step. This ensures the concepts are fresh in the team members’ minds when defining the architectural domains and depth of the EA function scope.
    3. Consider the architectural domains and the depth those domains need to reach. Refer to the gathered materials to assist with your decision. For example:
      • Promise of value: Increase the number of IT investments with a direct tie to business strategy.
      • Implications on architectural domains: The EA function will need business architecture. Business architecture generates business capability mapping, which will anticipate what IT investments are needed for the future.
      • Implications on depth: Depth for business architecture needs to reach a logical level to encompass business capabilities.
    4. Work with the EA strategy creation team to examine all the gathered materials and document the implications on architectural domains and depth as shown in step 3.
    5. Discuss with the team and select the architectural domains and the depth for each domain that best fits the documented implication. Refer back to the gathered materials and make any changes necessary to ensure they support the selected architectural domains and depth.

    EA scope – Time Horizon

    The EA scope time horizon dictates how long to plan for the architecture.

    It is important that the EA team’s work has an appropriate planning horizon while avoiding two extremes:

    1. A planning horizon that is too short focuses on immediate operational goals and strategic quick wins, missing the “big picture,” and fails to support the achievement of strategic long-term enterprise goals.
    2. A planning horizon that is too long is at a higher risk of becoming irrelevant.

    Target the same strategic planning horizon as your business. Additionally, consider the following recommendations:

    Planning Horizon: 1 year 2-3 years 5 years
    Recommended under the following conditions:
    • Corporate strategy is not stable and frequently changes direction (typical for small and some mid-sized companies).
    • There will be a major update of the corporate strategy in one year.
    • The company will be acquired by or merged with another company in one year.
    • The business' strategic plan spans the next two to three years, and corporate strategy is moderately stable within this time frame (typical for mid-sized and some large companies).
    • The business' strategic plan spans the next five years and corporate strategy is very stable (typical for large companies).

    3.2.3 Define the time horizon dimension of the EA function scope

    2 hours

    Input: EA value proposition, Previously defined EA fundamentals

    Output: Time horizon dimension of EA scope defined

    Materials: Note-taking materials, Whiteboard or flip chart, markers

    Participants: EA strategy creation team

    Define the EA function scope for your organization using the following steps below:

    1. Gather the EA strategy creation team. As well, gather the EA value proposition, the EA vision and mission statements, and the EA goals and objectives your team has already created.
    2. Ask the team to read each of the documents gathered in the previous step. This ensures the concepts are fresh in the team members’ minds when crafting the EA function scope.
    3. Consider the time horizons of the EA function scope. Refer to the gathered materials to assist with your decision. For example:
      • EA Objective: Increase the percentage of enterprise strategic goals and requirements supported by IT strategic goals by 30% in the next 3 years.
      • Implications on time horizon: Because it will take 3 years to measure the success of these EA objectives, the time horizon may need to be 3 years.
    4. Work with the EA strategy creation team to examine all the gathered materials and document the implications on time horizon as shown in step 3.
    5. Discuss with the team and select the time horizon that best fits the documented implication. Refer back to the gathered materials and make any changes necessary to ensure they support the selected architectural time horizon.

    EA principles capture the EA value proposition essence and provide guidance for the decisions that impact architecture

    EA principles are shared, long-lasting beliefs that guide the use of IT in constructing, transforming, and operating the enterprise by informing and restricting target-state enterprise architecture design, IT investment portfolio management, solution development, and procurement decisions.

    EA value proposition Influences
    —›
    EA Principles Guide and inform
    —›
    Decisions on the Use of IT Direct and control
    ‹—
    Specific Domain Policies
    ‹———————

    What decisions should be made?
    ————— ————— —————
    How should decisions be made?
    ————— ————— —————————›
    Who has the accountability and authority to make decisions?

    EA principles must be carefully constructed to make sure they are adhered to and relevant

    Info-Tech has identified a set of characteristics that EA principles should possess. Having these characteristics ensures the EA principles are relevant and followed in the organization.

    Approach focused EA principles are focused on the approach, i.e. how the enterprise is built, transformed, and operated, as apposed to what needs to be built, which is defined by both functional and non-functional requirements.
    Business relevant Create EA principles specific to the organization. Tie EA principles to the organization’s priorities and strategic aspirations.
    Long lasting Build EA principles that will withstand the test of time.
    Prescriptive Inform and direct decision making with EA principles that are actionable. Avoid truisms, general statements, and observations.
    Verifiable If compliance can’t be verified, the principle is less likely to be followed.
    Easily digestible EA principles must be clearly understood by everyone in IT and by business stakeholders. EA principles aren’t a secret manuscript of the EA team. EA principles should be succinct; wordy principles are hard to understand and remember.
    Followed Successful EA principles represent a collection of beliefs shared among enterprise stakeholders. EA principles must be continuously “preached” to all stakeholders to achieve and maintain buy-in.

    In organizations where formal policy enforcement works well, EA principles should be enforced through appropriate governance processes.

    Review ten universal EA principles to determine if your organization wishes to adopt them

    1. Enterprise value focus We aim to provide maximum long-term benefits to the enterprise as a whole while optimizing total costs of ownership and risks.
    2. Fit for purpose We maintain capability levels and create solutions that are fit for purpose without over-engineering them.
    3. Simplicity We choose the simplest solutions and aim to reduce operational complexity of the enterprise.
    4. Reuse › buy › build We maximize reuse of existing assets. If we can’t reuse, we procure externally. As a last resort, we build custom solutions.
    5. Managed data We handle data creation, modification, and use enterprise-wide in compliance with our data governance policy.
    6. Controlled technical diversity We control the variety of technology platforms we use.
    7. Managed security We manage security enterprise-wide in compliance with our security governance policy.
    8. Compliance to laws and regulations We operate in compliance with all applicable laws and regulations.
    9. Innovation We seek innovative ways to use technology for business advantage.
    10. Customer centricity We deliver best experiences to our customers with our services and products.

    3.2.4 Create a set of EA principles for your organization

    2 hours

    Input: Info-Tech’s ten universal EA principles, Identified promises of value

    Output: A defined set of EA principles for your organization

    Materials: Note-taking materials, Whiteboard or flip chart, markers

    Participants: EA strategy creation team

    Create a set of EA principles for your organization using the steps below:

    1. Gather the EA strategy creation team, download the EA Principles Template – EA Strategy, and have the identified promises of value opened.
    2. Select one universal principle and relate it to the promises of value by discussing with the EA strategy creation team. If there is a relation, record “Yes” in the template on the slide “Select the applicability of 10 universally accepted EA principles.” See example below:
      • Universal principle: Enterprise value focus – We aim to provide maximum long-term benefits to the enterprise as a whole while optimizing total costs of ownership and risks.
      • Related promise of value example: Increase the number of investments that have a direct tie with corporate strategy.
    3. Continue the process in step 2 until all ten universal EA principles have been examined. If there is a universal principle that is unrelated to a promise of value, discuss with the team whether the principle still needs to be included. If the principle is not included, record “No” in the template on the slide “Select the applicability of 10 universally accepted EA principles.”
    4. If there are any promises of value that are not captured by the universally accepted EA principles, the team may choose to create new principles. Create the new principles in the format below and record them in the template.
      • Name: The name of the principle, in a few words.
      • Statement: A sentence that expands on the “Name” section and explains what the principle achieves.

    Download the EA Principles Template – EA Strategy to document this step.

    Organizational stakeholders are more likely to follow EA principles when a rationale and an implication are provided

    After defining the set of EA principles, ensure they are all expanded upon with a rationale and implications. The rationale and implications ensure principles are more likely to be followed because they communicate why the principles are important and how they are to be used.

    Name
    • The name of the EA principle, in a few words.
    Statement
    • A sentence that expands on the “Name” section and explains what the principle achieves.
    Rationale
    • Describes the business benefits and reasoning for establishing the principle.
    • Explicitly links the principle to business/IT vision, mission, priorities, goals, or strategic aspirations (strategic themes).
    Implications
    • Describe when and how the principle is to be applied.
    • Communicate this section with “must” sentences.
    • Refer to domain-specific policies that provide detailed, domain-specific direction on how to apply the principle.

    3.2.5 Add the rationale and implications to the principles that have been created

    2 hours

    Input: Identified set of EA principles

    Output: EA principles that have rationale and implications

    Materials: Note-taking materials, Whiteboard or flip chart, markers

    Participants: EA strategy creation team

    Add the rationale and implication of each EA principle that your organization has selected using the following steps:

    1. Gather the EA strategy creation team and open the EA Principles Template – EA Strategy.
    2. Examine the EA Principles Template – EA Strategy. Look for the detailed descriptions of all the applicable EA universal principles, and discuss with the team whether the pre-populated rationale and implications need to be changed.
    3. Make sure all the rationale and implication sections of the applicable universal EA principles have been examined. Record the changes on the slide devoted to each principle in the template.
    4. Examine any new principles created outside of the universal EA principles. Create the rationale and implication sections for each of those principles. Use the slide “Review the rationale and implications for the applicable universal principles” in the EA Principles Template – EA Strategy to assist with this step.

    Download the EA Principles Template – EA Strategy to document this step.

    3.2.6 Operationalize the EA principles to ensure they are used when decisions are being made

    1-2 hours

    Input: Defined set of EA principles

    Output: EA principles are successfully operationalized

    Materials: Note-taking materials, Whiteboard or flip chart, markers

    Participants: EA strategy creation team

    Begin to operationalize the EA principles by reviewing the proposed principles with business and technology leadership to secure their approval.

    1. Publish the list of principles, their rationale, and their implications.
    2. Include the principles in any existing policies that guide decision making for the use of technology within the business.
    3. Provide existing governance bodies with the authority to enforce adherence to principles, and communicate the waiver process.
    4. Ensure that project-level teams are aware of the principles and have at least one champion guiding the decisions of the team.

    Review a use case for the utilization of EA principles – Sample

    After operationalizing the EA principles for your organization, the organization can now use those principles to guide and inform its IT investment decisions. Below is an example of a scenario where EA principles were used to guide and inform an IT investment decision.

    Organization wants to provision an application but it needs to decide how to do so, and it considers the relevant EA principles:

    • Reuse › buy › build
    • Managed security
    • Innovation

    The organization has decided to go with a specialized vendor, even though it normally prefers to reuse existing components. The vendor has experience in this domain, understands the data security implications, and can help the organization mitigate risk. Lastly, the vendor is known for providing new solutions on a regular basis and is a market leader, making it more likely to provide the organization with innovative solutions.

    An oil and gas company created EA fundamentals to guide the EA function

    CASE STUDY

    Industry: Oil & Gas
    Source: Info-Tech

    Challenge

    As an enterprise architecture function starting from ground zero, the organization did not have the EA fundamentals in place to guide the EA function. Further, the organization also did not possess an EA function scope to define the boundaries of the EA function.

    Due to the lack of EA scope, the EA function did not know which part of the organization to provide contributions toward. A lack of EA fundamentals caused confusion regarding the future direction of the EA function.

    Solution

    Info-Tech worked with the EA team to define the different components of the EA fundamentals. This included EA vision and mission statements, EA goals and objectives, and EA principles.

    Additionally, Info-Tech worked with the EA team to define the EA function scope.

    These EA strategy components were created by examining the needs of the business. The components were aligned with the identified needs of the EA stakeholders.

    Results

    The defined EA function scope helped set out the responsibilities of the enterprise architecture function to the organization.

    The EA vision and mission statements and EA goals and objectives were used to guide the direction of the EA function. These fundamentals helped the EA function improve its maturity and deliver on its promises.

    The EA principles were used in IT review boards to guide the decisions on IT investments in the organization.

    3.2.7 Discuss the need for a classical methodology and/or a combination including Agility practices

    1 hour

    Input: Existing methodologies

    Output: Decisions about need of agility, ceremonies, and protocols to be used

    Materials: Note-taking materials, Whiteboard or flip chart, markers

    Participants: EA strategy creation team

    Add the rationale and implication of adopting an Agile methodology and/or a combination with a traditional methodology.

    1. Is there an EA methodology adopted by the organization? Is there a classical one, or is it purely Agile?
    2. What would need to happen to address the business goals of the organization (e.g. is there a need to be more agile?)? Do you need to have more decisions centralized (e.g. to adopt certain standards, security controls)?
    3. Where on the decentralization continuum does your organization need to be?
    4. What role would Enterprise Architects have (would they need to be part of existing ceremonies? Would they need to blend traditional and agile processes?)?
    5. If a customized methodology is required, identify this as an item to be included as part of the EA roadmap (can be run as a Agile Enterprise Operating Model workshop).

    Design an Enterprise Architecture Strategy

    Phase 4

    Design the EA Services

    Phase 1

    • 1.1 Explore a general EA strategy approach
    • 1.2 Introduce Agile EA architecture

    Phase 2

    • 2.1 Define the business and technology drivers
    • 2.2 Define your value proposition

    Phase 3

    • 3.1 Realize the importance of EA fundamentals
    • 3.2 Finalize the EA fundamentals

    Phase 4

    • 4.1 Select relevant EA services
    • 4.2 Finalize the set of services and secure approval

    This phase will walk you through the following activities:

    • Select relevant EA services
    • Finalize the set of services and secure approval

    This phase involves the following participants:

    • CIO
    • EA Team
    • IT Leaders
    • Business Leaders

    Step 4.1

    Select Relevant EA Services

    Activities
    • 4.1.1 Select the EA services relevant to your organization
    • 4.1.2 Identify if your organization needs additional services outside of the recommended list
    • 4.1.3 Complete all of the service catalog fields for each service to show the organization how each can be consumed

    This step will walk you through the following activities:

    • Communicate a definition of EA services.
    • Link services to the previously identified EA contributions.

    This step involves the following participants:

    • CIO
    • EA Team
    • IT Leaders
    • Business Leaders

    Outcomes of this step

    • A defined set of services the EA function will provide.
    • An EA service catalog that demonstrates to the organization how each provided service can be accessed and consumed.

    Design the EA Services

    Step 3.1 Step 3.2

    The definition of EA services will allow the group to communicate how they can add value to EA stakeholders

    Enterprise architecture services are a set of activities the enterprise architecture function provides for the organization. EA services are important because the services themselves provide a set of benefits for the organization.

    Enterprise Architecture Services

    • A means of delivering value to the business by facilitating outcomes service consumers want to achieve.
    • EA services are defined from the business perspective using business language.
    • EA services are designed to enable required business activities.

    Viewing the EA function from a service perspective resolves the following pains:

    • Business users don’t know how EA can assist them.
    • Business users don’t know how to request access to a service with multiple sources of information available.
    • EA has no way of managing expectations for their users, which tend to inflate.
    • EA does not have a holistic view of all the services they need to provide.

    Link EA services to the previously identified EA contributions

    Previously identified EA contributions can be linked to EA services, which helps the EA function identify a set of EA services that are important to business stakeholders. Further, linking the EA contributions to EA services can define for the EA function the services they need to provide.

    Demonstrate EA service value by linking them to EA contributions

    1. EA stakeholders generate drivers
    2. Drivers have pains that obstruct them
    3. Pains are alleviated by EA contributions
    4. EA contributions help define the EA services needed

      • EA Contributions
        Example EA contribution: Business capability mapping shows the business capabilities of the organization and the technology that supports those capabilities in the current and target state. This provides a view for the set of investments that are needed by the organization, which can then be prioritized.

        • EA Services
          Example EA service: Target-state business capability mapping

    4.1.1 Select the EA services relevant to your organization

    2 hours

    Input: Previously identified EA contributions from the EA value proposition

    Output: A set of EA services selected for the organization from Info-Tech’s defined set of EA services

    Materials: Note-taking materials, Whiteboard or flip chart, markers

    Participants: EA strategy creation team

    Begin the selection of EA services relevant to your organization by following the steps below:

    1. Gather the EA strategy creation team, and the list of identified EA contributions that the team formulated during Phase 2.
    2. Open the EA Service Planning Tool, select one sub-service, and read its definition.
    3. Based on the definition of the sub-service, refer back to the identified list of EA contributions and check if there is an identified EA contribution that matches the service.
      • If the EA service definitions matches one of the identified EA contributions, then that EA service is relevant to the organization. If there is no match, then the EA service may not be relevant to the organization.
    4. Highlight the sub-service if it is relevant. Add a checkmark beside the EA contribution if it is addressed by a sub-service.
    5. Select the next sub-service and repeat steps 2-4. Continue down the list of sub-services in the EA Service Planning Tool until all sub-services have been examined.

    Download the EA Service Planning Tool to assist with this activity.

    4.1.2 Identify if your organization needs additional services outside of the recommended list

    2 hours

    Input: Expertise from the EA strategy creation team, Previously defined EA contributions

    Output: A defined set of EA services outside the list Info-Tech has recommended

    Materials: Note-taking materials, Whiteboard or flip chart, markers

    Participants: EA strategy creation team

    Identify if services outside of the recommended list in the EA Service Planning Tool are relevant to your organization by using the steps below:

    1. Gather the EA strategy creation team and the list of EA contributions with checkmarks for contributions addressed by EA services.
    2. Take the list of unaddressed EA contributions and select one EA contribution in the list. Assess whether an EA service is required to address the EA contribution. Ask the group the following:
      • Can the EA practice provide the service now?
      • Does providing this EA service line up with the previously defined EA function scope and EA fundamentals?
    3. Decide if a service needs to be provided for that contribution. If yes, give the service a name and a definition.
    4. Then, decide if the service fits into one of the service categories in the EA Service Planning Tool. If there is no fit, create another service category. Define the new service category as well.
    5. Continue to the next unaddressed EA contribution and repeat steps 2-4. Repeat this process until all unaddressed EA contributions have been assessed.

    Download the EA Service Planning Tool to assist with this activity.

    Create the EA service catalog to demonstrate to the organization how each service can be accessed and used

    The EA service catalog is an important communicator to the business. It shifts the technology-oriented view of EA to services that show direct benefit to the business. It is a tool that communicates and provides clarity to the business about the EA services that are available and how those services can assist them.

    Define the services to show value Define the service catalog to show how to use those services
    Already defined
    • EA service categories
    • The services needed by the EA stakeholders in each EA service category
    Need to define
    • Should EA deliver this service?
    • Service triggers
    • Service provider
    • Service requestor

    Info-Tech Insight

    The EA group must provide the organization with a list of services it will provide to demonstrate value. This will help the team manage expectations and the workload while giving organizational stakeholders a clear understanding of how to engage EA and what lies outside of EA’s involvement.

    4.1.3 Complete all the service catalog fields for each service to show the organization how each can be consumed

    4 hours

    Input: Expertise from the EA strategy creation team

    Output: Service details for each EA service in your organization

    Materials: Note-taking materials, Whiteboard or flip chart, markers

    Participants: EA strategy creation team

    Complete the details for each relevant EA service in the EA Service Planning Tool by using the following steps:

    1. Gather the EA strategy creation team, and open the EA Service Planning Tool.
    2. Select one of the services you have defined as relevant and begin the process of defining the service. Define the following fields:
      • Should EA deliver this service? Should the EA team provide this service? (Yes/No)
      • Service trigger: What trigger will signal the need for the service?
      • Service provider: Who in the EA team will provide the service?
      • Service requestor: Who outside of the EA team has requested this service?
    3. Have the EA strategy creation team discuss and define each of the fields for the service above. Record the decisions in the corresponding columns of the EA Service Planning Tool.
    4. Select the next required EA service, and repeat steps 2 and 3. Repeat the process until all required EA services have their details defined.

    Download the EA Service Planning Tool to assist with this activity.

    Step 4.2

    Finalize the Set of Services and Secure Approval

    Activities
    • 4.2.1 Secure approval for your organization’s EA strategy
    • 4.2.2 Map the EA contributions to business goals
    • 4.2.3 Quantify the EA effectiveness
    • 4.2.4 Determine the role of the architect in the Agile ceremonies of the organization

    This step will walk you through the following activities:

    • Present the EA strategy to stakeholders.
    • Determine service details for each EA service in your organization.

    This step involves the following participants:

    • CIO
    • EA Team
    • IT Leaders
    • Business Leaders

    Outcomes of this step

    • Secured approval for your organization’s EA strategy.
    • Measure effectiveness of EA contributions.

    Design the EA Services

    Step 4.1 Step 4.2

    Present the EA strategy to stakeholders to secure approval of the finalized EA strategy

    For the EA strategy to be successfully executed, it must be approved by the EA stakeholders. Securing their approval will increase the likelihood of success in the execution of the EA operating model.

    Outputs that make up the EA strategy —› Present outputs to EA strategy stakeholders
    • Business and technology drivers
    • EA function value proposition

    • EA vision statement
    • EA mission statement
    • EA goals and objectives
    • EA scope
    • EA principles

    • EA function services
    • Identified and prioritized EA stakeholders.








    • The checkmark symbol represents the outputs this blueprint assists with creating.

    4.2.1 Secure approval of your organization’s EA strategy

    1 hour

    Input: Completed EA Function Strategy Template, Expertise from EA strategy creation team

    Output: Approval of the EA strategy

    Materials: Note-taking materials, Whiteboard or flip chart, markers

    Participants: EA strategy creation team, Key EA stakeholders

    Use the following steps to assist with securing approval for your organization’s EA strategy:

    1. Call a meeting between the EA strategy creation team and the identified key EA stakeholders. Key stakeholders were defined in activity 2.1.1.
    2. Open the completed EA Function Strategy Template. Use it to help you discuss the merits of the EA strategy with the key stakeholders.
    3. Discuss with the stakeholders any concerns and modifications they wish to make to the strategy. If detailed questions are asked, refer to the other templates created as a part of this blueprint. Record those concerns and address them at a later time.
    4. After presenting the EA strategy, ask the stakeholders for approval. If stakeholders do not approve, refer back to the concerns documented in step 3 and inquire if addressing the concerns will result in approval.
    5. If applicable, address stakeholder concerns with the EA strategy.
    6. Once EA strategy has been approved, publish the EA strategy to ensure there is a mutual understanding of what the EA function will provide to the organization. Move on to Info-Tech’s Define an EA Operating Model blueprint to begin executing upon the EA strategy.

    Use the EA Function Strategy Template to assist with this activity.

    4.2.2 Map the EA contributions to the business goals

    3 hours

    Input: Expertise from EA strategy creation team

    Output: Service details for each EA service in your organization

    Materials: Note-taking materials, Whiteboard or flip chart, markers

    Participants: EA strategy creation team

    Map EA contributions/services to the goals of the organization.

    1. Start from the business goals of the organization.
    2. Determine Business and IT drivers.
    3. Identify EA contributions that help achieve the business goals.

    Download the EA Service Planning Tool to assist with this activity.

    Trace EA drivers to business goals (sample)

    A model connecting 'Enterprise Architecture' with 'Corporate Goals' through 'EA Contributions'.

    4.2.3 Quantify the EA effectiveness

    1 hour

    Input: Expertise from EA strategy creation team

    Output: Defined KPIs (SMART)

    Materials: Note-taking materials, Whiteboard or flip chart, markers

    Participants: EA strategy creation team

    Use SMART key performance indicators (KPIs) to measure EA contributions vis-à-vis business goals.

    Measure the EA strategy effectiveness by tracking the benefits it provides to the corporate business goals

    The success of the EA function spans across three main dimensions:

    • The delivery of EA-enabled business outcomes that are most important to the enterprise.
    • The alignment between the business and IT from a planning perspective.
    • Improvements in the corporate business goals due to EA contributions (standardization, rationalization, reuse, etc.).
    Corporate Business GoalsEA ContributionsMeasurements
    • Reduction in operating costs
    • Decrease in regulatory compliance infractions
    • Increased revenue from existing channels
    • Increased revenue from new channels
    • Faster time to business value
    • Improved business agility
    • Reduction in enterprise risk exposure
    • Alignment of IT investments to business strategy
    • Achievement of business results directly linked to IT involvement
    • Application and platform rationalization
    • Standards in place
    • Flexible architecture
    • Better integration
    • Higher organizational satisfaction with technology-enabled services and solutions
    • Cost reductions based on application and platform rationalization
    • Standard based solutions
    • Time reduction for integration
    • Service reused
    • Stakeholder satisfaction with EA services
    • Increase customer satisfaction
    • Rework minimized
    • Lower cost of integration
    • Risk reduction
    • Faster time to market
    • Better scalability, etc.

    The oil and gas company began the EA strategy creation by crafting an EA value proposition

    CASE STUDY

    Industry: Oil & Gas
    Source: Info-Tech

    Challenge

    The oil and gas corporation faced a great challenge in communicating the role of enterprise architecture to the organization. Although it has the mandate from the CIO to create the EA function, there was no function in existence. Thus, few people in the organization understood EA.

    Because of this lack of understanding, the EA function was often undermined. The EA function was seen as an order taker that provided some services to the organization.

    Solution

    First, Info-Tech worked with the enterprise architecture team to define the EA stakeholders in the organization.

    Second, Info-Tech interviewed those stakeholders to identify their needs. The needs were analyzed and pains that would obstruct addressing those needs were identified.

    Lastly, Info-Tech worked with the team to identify common EA contributions that would solve those pains.

    Results

    Through this process, Info-Tech helped the team at the oil and gas company create a document that could communicate the value of EA. Specifically, the document could articulate the issues obstructing each stakeholder from achieving their needs and how enterprise architecture could solve them.

    With this value proposition, EA was able to demonstrate value to important stakeholders and set itself up for success in its future endeavors.

    The oil and gas company defined EA services to provide and communicate value to the organization

    CASE STUDY

    Industry: Oil & Gas
    Source: Info-Tech

    Challenge

    As a brand new enterprise architecture function, the EA function at the oil and gas corporation did not have a set of defined EA services. Because of this lack of EA services, the organization did not know what contributions EA could provide.

    Further, without the definition of EA services, the EA function did not set out explicit expectations to the business. This caused expectations from the business to be different from those of the EA function, resulting in friction.

    Solution

    Info-Tech worked with the EA function at the oil and gas corporation to define a set of EA services the function could provide.

    The Info-Tech team, along with the organization, assessed the business and technology needs of the stakeholder. Those needs acted as the basis for the EA function to create their initial services.

    Additionally, Info-Tech worked with the team to define the service details (e.g. service benefits, service requestor, service provider) to communicate how to provide services to the business.

    Results

    The defined EA services led the EA function to communicate what it could provide for the business. As well, the defined services clarified the level of expectation for the business.

    The EA team was able to successfully service the business on future projects, adding value through their expertise and knowledge of the organization’s systems. Because of the demonstrated value, EA has been given greater responsibility throughout the organization.

    4.2.4 Determine the role of the architect in the Agile ceremonies of the organization

    1 hour

    Input: Expertise from EA strategy creation team

    Output: Participation in Agile Pre- and Post-PI, Architect Syncs, etc.

    Materials: Note-taking materials, Whiteboard or flip chart, markers

    Participants: EA strategy creation team

    Document the involvement of the enterprise architect in your organization’s Agile ceremonies.

    1. Document the Agile ceremonial used in the organization (based on SAFe or other Agile approaches).
    2. Determine ceremonies the System Architect will participate in.
    3. Determine ceremonies the Solution Architect will participate in
    4. Determine ceremonies the Enterprise Architect will participate in.
    5. Determine Architect Syncs, etc.

    Note: Roles and responsibilities can be further defined as part of the Agile Enterprise Operating Model.

    The EA role relative to agility

    The enterprise architecture role relative to agility specifies the architecture roles as well as the agile protocols they will participate in.
    This statement will guide every architect’s participation in planning meetings, pre- and post-PI, syncs, etc. Use simple and concise terminology; speak loudly and clearly.

    A strong EA role statement relative to agility has the following characteristics:

    • Describes what different architect roles do to achieve the vision of the organization
    • In an agile way
    • Compelling
    • Easy to grasp
    • Sharply focused
    • Specific
    • Concise

    Sample EA mission relative to agility

    • Create strategies that provide guardrails for the organization, provide standards, reusable assets, accelerators, and other decisions at the enterprise level that support agility.
    • Participate in pre-PI and post-PI planning activities, architect syncs, etc.

    A clear statement can include additional details surrounding the Enterprise Architect role relative to agility

    Likewise, below is a sample of connecting keywords together to form an enterprise architect role statement, relative to agility.

    Optimize, transform, and innovate by defining and implementing the [Company]’s target enterprise architecture in an agile way.

    Optimize – We collaborate with the business to analyze and optimize business capabilities and business processes to enable the agile and efficient attainment of [Company name] business objectives.

    Transform – We support IT-enabled business transformation programs by building and maintaining a shared vision of the future-state enterprise and consistently communicating it to stakeholders.

    Innovate – We identify and develop new and creative opportunities for IT to enable the business. We communicate the art of the possible to the business.

    Defining and implementing – We engage with project teams early and guide solution design and selection to ensure alignment to the target-state enterprise architecture and provide guidance as well as accelerators.

    Target enterprise structure in an agile way – We analyze business needs and priorities and assess the current state of the enterprise. We build and maintain the target enterprise architecture blueprints that define:

    • Business capabilities and processes (business architecture)
    • Data, application, and technology assets that enable business capabilities and processes (technology architecture)
    • Architecture principles
    • Standards and reusable assets
    • Continuous exploration, integration, and deployment

    Move to the enterprise architecture operating model blueprint to execute your EA strategy

    Once approved, move on to Info-Tech’s Define an EA Operating Model blueprint to begin executing on the EA strategy.

    Enterprise architecture strategy

    This blueprint focuses on setting up an enterprise architecture function, with the goal of maximizing the likelihood of EA success. The blueprint puts into place the components that will align the EA function with the needs of the stakeholders, guide the decision making of the EA function, and define the services EA can provide to the organization.

    Agile enterprise architecture operating model

    An EA operating model helps you design and organize the EA function, ensuring adherence to architectural standards and delivery of EA services. This blueprint acts on the EA strategy by creating methods to engage, govern, and develop architecture as a part of the larger organization.

    Research contributors and experts

    Photo of Milena Litoiu, Senior Director Research and Advisory, Enterprise Architecture Milena Litoiu
    Senior Director Research and Advisory, Enterprise Architecture
    • Milena Litoiu is a Principal/Senior Manager of Enterprise Architecture. She is Master Certified with The Open Group and she sits on global architecture certification boards.
    • Other certifications include SABSA, CRISC, and Scaled Agile Framework. She started as a certified IT Architect at IBM and has over 25 years experience in this field.
    • Milena teaches enterprise architecture at the University of Toronto and led the development of the Enterprise Architecture Certificate (a course on EA fundamentals, one on EA development and Governance, and one on Trends going forward).
    • She has a Masters in Engineering, an executive MBA, and extensive experience in enterprise architecture as well as methodologies and tools.
    Photo of Lan Nguyen, IT Executive, Mentor, Managing Partner at CIOs Beyond Borders Group Lan Nguyen
    IT Executive, Mentor, Managing Partner at CIOs Beyond Borders Group
    • Lan Nguyen has a wealth of experience driving the EA strategy and the digital transformation success at the City of Toronto.
    • Lan is a university lecturer on topics like strategic leadership in the digital enterprise.
    • Lan is a Managing Partner at CIOs Beyond Borders Group.
    • Lan specializes in Partnership Development; Governance; Strategic Planning, Business Development; Government Relations; Business Relationship Management; Leadership Development; Organizational Agility and Change Management; Talent Management; Managed Services; Digital Transformation; Strategic Management of Enterprise IT; Shared Services; Service Quality Improvement, Portfolio Management; Community Development; and Social Enterprise.


    Photo of Dirk Coetsee, Director Research and Advisory, Enterprise Architecture, Data & Analytics Dirk Coetsee
    Director Research and Advisory, Enterprise Architecture, Data & Analytics
    • Dirk Coetsee is a Research & Advisory Director in the Data & Analytics practice. Dirk has over 25 years of experience in data management and architecture within a wide range of industries, especially Financial Services, Manufacturing, and Retail.
    • Dirk spearheaded data architecture at several organizations and was involved in enterprise data architecture, data governance, and data quality and analytics. He architected many operational data stores of ranging complexity and transaction volumes and was part of major enterprise data warehouse initiatives. Lately, he was part of projects that implemented big data, enterprise service bus, and micro services architectures. Dirk has an in-depth knowledge of industry models within the financial and retail spaces.
    • Dirk holds a BSc (Hons) in Operational Research and an MBA with specialization in Financial Services from the University of Pretoria, South Africa.
    Photo of Andy Neill, AVP, Enterprise Architecture, Data and Analytics Andy Neill
    AVP, Enterprise Architecture, Data and Analytics
    • Andy is AVP Data and Analytics and Chief Enterprise Architect at Info-Tech Research Group. Previous roles include leading the data architecture practice for Loblaw Companies Ltd, Shoppers Drug Mart and 360 Insights in Canada as well as leading architecture practices at Siemens consultancy, BBC, NHS, Ordnance Survey, and Houses of Parliament and Commons in the UK.
    • His responsibilities at Info-Tech include leading the data and analytics and enterprise architecture research practices and guiding the future of research and client engagement in that space.
    • Andy is the Product Owner for the Technical Counselor seat offering at Info-Tech, which gives world-class holistic support to our senior technical members.
    • He is also a instructor and content creator for the University of Toronto in the field of Enterprise Architecture.


    Photo of Wayne Filin-Matthews, Chief Enterprise Architect, ICMG Winner of Global Chief Enterprise Architect of the Year 2019 Wayne Filin-Matthews
    Chief Enterprise Architect, ICMG Winner of Global Chief Enterprise Architect of the Year 2019
    • Wayne is currently the EA Discipline Lead/Chief Enterprise Architect – Global Digital Transformation Office, COE at Dell Technologies.
    • He is a distinguished Motivator & Tech Lead as well as an influencer.
    • Wayne has led multiple Enterprise Architecture practices at the global level and has valuable contributions in this space managing and growing Enterprise Architecture and CTO practices across strategy, execution, and adoption parts of the IT lifecycle.
    Photo of Graham Smith, Experienced lead Enterprise Architect and Independent Consultant Graham Smith
    Experienced lead Enterprise Architect and Independent Consultant
    • Graham is an experienced lead enterprise architect specializing in digital and data transformation, with over 33 years of experience, spanning financial markets, media, information, insurance, and telecommunications sectors. Graham has successfully established and led large teams across India, China, Australia, Americas, Japan, and the UK.
    • He is currently working as an independent consultant in digital and data-led transformation and his work spans established businesses and start-ups alike.

    Thanks also go to all experts who contributed to previous versions of this document:

    • Zachary Curry, Director, Enterprise Architecture and Innovation, FMC Technologies
    • Pam Doucette, Director of Enterprise Architecture, Tufts Health Plan
    • Joe Evers, Consulting Principal, JcEvers Consulting Corp
    • Cameron Fairbairn, Enterprise Architect, Agriculture Financial Services Corporation (AFSC)
    • Michael Fulton, Chief Digital Officer & Senior IT Strategy & Architecture Consultant at CC and C Solutions
    • Tom Graves, Principal Consultant, Tetradian Consulting
    • (JB) Brahmaiah Jarugumilli, Consultant, Federal Aviation Administration – Enterprise Services Center
    • Huw Morgan, IT Research Executive, Enterprise Architect
    • Serge Parisien, Manager, Enterprise Architecture, Canada Mortgage & Housing Corporation

    Additional interviews were conducted but are not listed due to privacy and confidentiality requirements.

    Bibliography

    “Agile Manifesto for Software Development,” Ward Cunningham, 2001. Accessed July 2021.

    “ArchiMate 3.1 Specification.” The Open Group, n.d. Accessed July 2021.

    “Are Your IT Strategy and Business Strategy Aligned?” 5Q Partners, 8 Jan. 2015. Accessed Oct. 2016.

    Bowen, Fillmore. “How agile companies create and sustain high ROI.” IBM. Accessed Oct. 2016.

    Burns, Peter, et al. Building Value through Enterprise Architecture: A Global Study. Booz & Co. 2009. Web. Nov. 2016.

    “Demonstrating the Value of Enterprise Architecture in Delivering Business Capabilities.” Cisco, 2008. Web. Oct. 2016.

    “Disciplined Agile.” Disciplined Agile Consortium, n.d. Web.

    Fowler, Martin. “Building Effective software.” MartinFowler.com. Accessed July 2021.

    Fowler, Martin. “Agile Software Guide.” MartinFowler.com, 1 Aug. 2019.

    Accessed July 2021.

    Haughey, Duncan. “SMART Goals.” Project Smart, 2014. Accessed July 2021.

    Kern, Matthew. “20 Enterprise Architecture Practices.” LinkedIn, 3 March 2016. Accessed Nov. 2016.

    Lahanas, Stephen. “Infrastructure Architecture, Defined.” IT Architecture Journal, Sept. 2014. Accessed July 2021.

    Lean IX website, Accessed July 2021.

    Litoiu, Milena. Course material from Information Technology 2690: Foundations of Enterprise Architecture, 2021, University of Toronto.

    Mocker, M., J.W. Ross, and C.M. Beath. “How Companies Use Digital Technologies to Enhance Customer Findings.” MIT CISR Working Paper No. 434, Feb. 2019. Qtd in Mayor, Tracy. “MIT expert recaps 30-plus years of enterprise architecture.” MIT Sloan, 10 Aug. 2020. Web.

    “Open Agile ArchitectureTM.” The Open Group, 2020. Accessed July 2021.

    “Organizational Design Framework – The Transformation Model.” The Center for Organizational Design, n.d. Accessed 1 Aug. 2020.

    Ross, Jeanne W. et al. Enterprise Architecture as Strategy: Creating a Foundation for Business Execution. Harvard Business School Press, 2006.

    Rouse, Margaret. “Enterprise Architecture (EA).” SearchCIO, June 2007. Accessed Nov. 2016.

    “SAFe 5 for Lean Enterprises.” Scaled Agile Framework, Scaled Agile, Inc. Accessed 2021.

    “Security Architecture.” Technopedia, updated 20 Dec. 2016. Accessed July 2021.

    “Software Engineering Institute.” Carnegie Mellon University, n.d. Web.

    “TOGAF 9.1.” The Open Group, 2011. Accessed Oct. 2016.

    “TOGAF 9.2.” The Open Group, 2018. Accessed July 2021.

    Thompson, Rachel. “Stakeholder Analysis: Winning Support for Your Projects.” MindTools, n.d. Accessed July 2021.

    Wendt, Jerome M. “Redefining ‘SMB’, ‘SME’ and ‘Large Enterprise.’” DCIG, 25 Mar. 2011. Accessed July 2021.

    Wilkinson, Jim. “Business Drivers.” The Strategic CFO, 23 July 2013. Accessed July 2021.

    Zachman, John. “Conceptual, Logical, Physical: It is Simple.” Zachman International, 2011. Accessed July 2021.

    Identify and Manage Reputational Risk Impacts on Your Organization

    • Buy Link or Shortcode: {j2store}220|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Vendor Management
    • Parent Category Link: /vendor-management

    Access to information about companies is more available to consumers than ever. Organizations must implement mechanisms to monitor and manage how information is perceived to avoid potentially disastrous consequences to their brand reputation.

    A negative event could impact your organization's reputation at any given time. Make sure you understand where such events may come from and have a plan to manage the inevitable consequences.

    Our Advice

    Critical Insight

    • Identifying and managing a vendor’s potential impact on your organization’s reputation requires efforts from multiple people in the organization across several functions. Those people all need coaching on the potential changes in the market and how social media can affect your brand.
    • Organizational leadership is often caught unaware during crises, and their response plans lack the flexibility to adjust to significant market upheavals.

    Impact and Result

    • Vendor management practices educate organizations on the different potential risks to vendors in your market and suggest creative and alternative ways to avoid and help manage them.
    • Prioritize and classify your vendors with quantifiable, standardized rankings.
    • Prioritize focus on your high-risk vendors.
    • Standardize your processes for identifying and monitoring vendor risks to manage potential impacts on your reputation and brand with our Reputational Risk Impact Tool.

    Identify and Manage Reputational Risk Impacts on Your Organization Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Identify and Manage Reputational Risk Impacts on Your Organization Deck – Use the research to better understand the negative impacts of vendor actions on your brand reputation.

    Use this research to identify and quantify the potential reputational impacts caused by vendors. Use Info-Tech's approach to look at the reputational impact from various perspectives to better prepare for issues that may arise.

    • Identify and Manage Reputational Risk Impacts on Your Organization Storyboard

    2. Reputational Risk Impact Tool – Use this tool to help identify and quantify the reputational impacts of negative vendor actions.

    By playing the “what if” game and asking probing questions to draw out – or eliminate - possible negative outcomes, everyone involved adds their insight into parts of the organization to gather a comprehensive picture of potential impacts.

    • Reputational Risk Impact Tool
    [infographic]

    Further reading

    Identify and Manage Reputational Risk Impacts on Your Organization

    Brand reputation is the most valuable asset an organization can protect.

    Analyst Perspective

    Organizations must diligently assess and protect their reputations, both in the market and internally.

    Social media, unprecedented access to good and bad information, and consumer reliance on others’ online opinions force organizations to dedicate more resources to protecting their brand reputation than ever before. Perceptions matter, and you should monitor and protect the perception of your organization with as much rigor as possible to ensure your brand remains recognizable and trusted.

    Photo of Frank Sewell, Research Director, Vendor Management, Info-Tech Research Group.

    Frank Sewell
    Research Director, Vendor Management
    Info-Tech Research Group

    Executive Summary

    Your Challenge

    Access to information about companies is more available to consumers than ever. A negative event could impact your organizational reputation at any time. As a result, organizations must implement mechanisms to monitor and manage how information is perceived to avoid potentially disastrous consequences to their brand reputation.

    Make sure you understand where negative events may come from and have a plan to manage the inevitable consequences.

    Common Obstacles

    Identifying and managing a vendor’s potential impact on your organization’s reputation requires efforts from multiple people in the organization across several functions. Those people all need coaching on the potential changes in the market and how social media can affect your brand.

    Organizational leadership is often caught unaware during crises, and their response plans lack the flexibility to adjust to significant market upheavals.

    Info-Tech’s Approach

    Vendor management practices educate organizations on the different potential risks to vendors in your market and suggest creative and alternative ways to avoid and help manage them.

    Prioritize and classify your vendors with quantifiable, standardized rankings.

    Prioritize focus on your high-risk vendors.

    Standardize your processes for identifying and monitoring vendor risks to manage potential impacts on your reputation and brand with our Reputational Risk Impact Tool.

    Info-Tech Insight

    Organizations must evolve their risk assessments to be more adaptive to respond to rapid changes in online media. Ongoing monitoring of social media and the vendors tied to their company is imperative to achieving success and avoiding reputational disasters.

    Info-Tech’s multi-blueprint series on vendor risk assessment

    There are many individual components of vendor risk beyond cybersecurity.

    Cube with each multiple colors on each face, similar to a Rubix cube, and individual components of vendor risk branching off of it: 'Financial', 'Reputational', 'Operational', 'Strategic', 'Security', and 'Regulatory & Compliance'.

    This series will focus on the individual components of vendor risk and how vendor management practices can facilitate organizations’ understanding of those risks.

    Out of scope:
    This series will not tackle risk governance, determining overall risk tolerance and appetite, or quantifying inherent risk.

    Reputational risk impacts

    Potential losses to the organization due to risks to its reputation and brand

    In this blueprint, we’ll explore reputational risks (risks to the brand reputation of the organization) and their impacts.

    Identify potentially negative events to assess the overall impact on your organization and implement adaptive measures to respond and correct.

    Cube with each multiple colors on each face, similar to a Rubix cube, and the vendor risk component 'Reputational' highlighted.

    Protect your most valuable asset: your brand

    25%

    of a company’s market value is due to reputation (Transmission Private, 2021)

    94%

    of consumers say that a bad review has convinced them to avoid a business (ReviewTrackers, 2022)

    14 hours

    is the average time it takes for a false claim to be corrected on social media (Risk Analysis, 2018)
    Image of an umbrella covering the word 'BRAND' and three arrows approaching from above.

    What is brand recognition?

    And the cost of rebranding

    Brand recognition is the ability of consumers to recognize an identifying characteristic of one company versus a competitor.” (Investopedia)

    Most trademark valuation is based directly on its projected future earning power, based on income history. For a new brand with no history, evaluators must apply experience and common sense to predict the brand's earning potential. They can also use feedback from industry experts, market surveys, and other studies.” (UpCounsel)

    The cost of rebranding for small to medium businesses is about 10 to 20% of the recommended overall marketing budget and can take six to eight months (Ignyte).

    Stock image of a house with a money sign chimney.

    "All we are at our core is our reputation and our brand, and they are intertwined." (Phil Bode, Principal Research Director, Info-Tech Research Group)

    What your vendor associations say about you

    Arrows of multiple colors coalescing in an Earth labelled 'Your Brand', and then a red arrow that reads 'Reputation' points to the terms on the right.

    Bad Customer Reviews

    Breach of Data

    Poor Security Posture

    Negative News Articles

    Public Lawsuits

    Poor Performance

    How a major vendor protects its brand

    An ideal state
    • There is a dedicated brand protection department.
    • All employees are educated annually on brand protection policies and procedures.
    • Brand protection is tied to cybersecurity.
    • The organization actively monitors its brand and reputation through various media formats.
    • The organization has criteria for assessing x-party vendors and holds them accountable through ongoing monitoring and validation of their activities.

    Brand Protection
    Done Right

    Sticker for a '5 Star Rating'.

    Never underestimate the power of local media on your profits

    Info-Tech Insight

    Keep in mind that too much exposure to media can be a negative in that it heightens the awareness of your organization to outside actors. If you do go through a period of increased exposure, make sure to advance your monitoring practices and vigilance.

    Story: Restaurant data breach

    Losing customer faith

    A popular local restaurant’s point of service (POS) machines were breached and the credit card data of their customers over a two-week period was stolen. The restaurant did the right thing: they privately notified the affected people, helped them set up credit monitoring services, and replaced their compromised POS system.

    Unfortunately, the local newspaper got wind of the breach. It published the story, leaving out that the restaurant had already notified affected customers and had replaced their POS machines.

    In response, the restaurant launched a campaign in the local paper and on social media to repair their reputation in the community and reassure people that they could safely transact at their business.

    For at least a month, the restaurant experienced a drastic decrease in revenue as customers either refused to come in to eat or paid only in cash. During this same period the restaurant was spending outside their budget on the advertising.
    Broken trust.

    Story: Monitor your subcontractors

    Trust but verify

    A successful general contractor with a reputation for fairness in their dealings needed a specialist to perform some expert carpentry work for a few of their clients.

    The contractor gave the specialist the clients’ contact information and trusted them to arrange the work.

    Weeks later, the contractor checked in with the clients and received a ton of negative feedback:

    • The specialist called them once and never called back.
    • The specialist refused to do the work as described and wanted to charge extra.
    • The specialist performed work to “fix” the issue but cut corners to lessen their costs.

    As a result, the contractor took extreme measures to regain the clients’ confidence and trust and lost other opportunities in the process.

    Stock image of a sad construction site supervisor.

    You work hard for your reputation. Don’t let others ruin it.

    Don’t forget to look within as well as without

    Stock image of a frustrated desk worker.

    Story: Internal reputation is vital

    Trust works both ways

    An organization’s relatively new IT and InfoSec department leadership have been upgrading the organization's systems and policies as fast as resources allow when the organization encounters a major breach of security.

    Trust in the developing IT and InfoSec departments' leadership wanes throughout the organization as people search for the root cause and blame the systems. This degradation of trust limits the effectiveness of the newly implemented process, procedures, and tools of the departments.

    The new leaders' abilities are called into question, and they must now rigorously defend and justify their decisions and positions to the executives and board.

    It will be some time before the two departments gain their prior trust and respect, and the new leaders face some tough times ahead regaining the organization's confidence.

    How could the new leaders approach the situation to mend their reputations in the wake of this (perhaps unfair) reputational hit?

    It is not enough to identify the potential risks; there must also be adequate controls in place to monitor and manage them

    Stock image of a fingerprint on a computer chip under a blacklight.

    Identify, manage, and monitor reputational risks

    Global markets
    • Organizations need to learn how to assess the likelihood of potential risks in the changing global markets and recognize how their partnerships and subcontracts affect their brand.
    • Now more than ever, organizations need to be mindful of the larger global landscape and how their interactions within various regions can impact their reputation.
    Social media
    • Understanding how to monitor social media activity and online content will give you an edge in the current environment.
    • Changes in social media generally happen faster than companies can recognize them. If you are not actively monitoring those risks, the damage could set in before you even have a chance to respond.
    Global shortages
    • Organizations need to accept that shortages will recur periodically and that preparing for them will significantly increase the success potential of long-term plans.
    • Customers don’t always understand what is happening in the global supply chain and may blame you for poor service if you cannot meet demands as you have in the past.

    Which way is your reputation heading?

    • Do you understand and track items that might affect your reputation?
    • Do you understand the impact they may have on your business?

    Visualization of a Newton's Cradle perpetual motion device, aka clacky balls. The lifted ball is colored green with a smiley face and is labelled 'Your Brand Reputation'. The other four balls are red with a frowny face and are labelled 'Data Breach/ Lawsuit', 'Service Disruption', 'Customer Complaint', and 'Poor Delivery'.

    Identifying and understanding potential risks is essential to adapting to the ever-changing online landscape

    Info-Tech Insight

    Few organizations are good at identifying risks. As a result, almost none realistically plan to monitor, manage, and adapt their plans to mitigate those risks.

    Reputational risks

    Not protecting your brand can have disastrous consequences to your organization

    • Data breaches & lawsuits
    • Poor vendor performance
    • Service disruptions
    • Negative reviews

    Stock image of a smiling person on their phone rating something five stars.

    What to look for in vendors

    Identify potential reputational risk impacts
    • Check online reviews from both customers and employees.
    • Check news sites:
      • Has the vendor been affected by a breach?
      • Is the vendor frequently in the news – good or bad? Greater exposure can cause an uptick in hostile attacks, so make sure the vendor has adequate protections in line with its exposure.
    • Review its financials. Is it prime for an acquisition/bankruptcy or other significant change?
    • Review your contractual protections to ensure that you are made whole in the event something goes wrong. Has anything changed with the vendor that requires you to increase your protections?
    • Has anything changed in the vendor’s market? Is a competitor taking its business, or are its resources stretched on multiple projects due to increased demand?
    Illustration of business people in a city above various icons.

    Assessing Reputational Risk Impacts

    Zigzagging icons and numbers one through 7 alternating sides downward. Review Organizational Strategy
    Understand the organizational strategy to prepare for the “what if” game exercise.
    Identify & Understand Potential Risks
    Play the “what if” game with the right people at the table.
    Create a Risk Profile Packet for Leadership
    Pull all the information together in a presentation document.
    Validate the Risks
    Work with leadership to ensure that the proposed risks are in line with their thoughts.
    Plan to Manage the Risks
    Lower the overall risk potential by putting mitigations in place.
    Communicate the Plan
    It is important not only to have a plan but also to socialize it in the organization for awareness.
    Enact the Plan
    Once the plan is finalized and socialized put it in place with continued monitoring for success.
    (Adapted from Harvard Law School Forum on Corporate Governance)

    Insight Summary

    Reputational risk impacts are often unanticipated, causing catastrophic downstream effects. Continuously monitoring your vendors’ actions in the market can help organizations head off brand disasters before they occur.

    Insight 1

    Understanding how to monitor social media activity and online content will give you an edge in the current environment.

    Do you have dedicated individuals or teams to monitor your organization's online presence? Most organizations review and approve the online content, but many forget the need to have analysts reviewing what others are saying about them.

    Insight 2

    Organizations need to learn how to assess the likelihood of potential risks in the rapidly changing online environments and recognize how their partnerships and subcontractors’ actions can affect their brand.

    For example, do you understand how a simple news article raises your profile for short-term and long-term adverse events?

    Insight 3

    Socialize the risk management process throughout the organization to heighten awareness and enable employees to help protect the company’s reputation.

    Do you include a social media and brand protection policy in your annual education?

    Identify reputational risk

    Who should be included in the discussion?
    • While it is true that executive-level leadership defines the strategy for an organization, it is vital for those making decisions to make INFORMED decisions.
    • Getting input from your organization's marketing experts will enhance your brand's long-term protection.
    • Involving those who directly manage vendors and understand the market will aid in determining the forward path for relationships with your current vendors and identifying new emerging potential partners.
    • Organizations have a wealth of experience in their marketing departments that can help identify real-world negative scenarios.
    • Include vendor relationship managers to help track what is happening in the media for those vendors.
    Keep in mind: (R=L*I)
    Risk = Likelihood x Impact

    Impact tends to remain the same, while likelihood is a very flexible variable.

    Stock image of a flowchart asking 'Risk?', 'Yes', 'No'.

    Manage and monitor reputational risk impacts

    What can we realistically do about the risks?
    • Re-evaluate corporate policies frequently.
    • Ensure proper protections in contracts:
      • Limit the use of your brand name in the publicity and trademark clauses.
      • Make sure to include security protections for your data in the event of a breach; understand that reputation can rarely be made whole again once trust is breached.
    • Introduce continual risk assessment to monitor the relevant vendor markets.
    • Be adaptable and allow for innovations that arise from the current needs.
      • Capture lessons learned from prior incidents to improve over time and adjust your strategy based on the lessons.
    • Monitor your company’s and associated vendors’ online presence.
    • Track similar companies’ brand reputations to see how yours compares in the market.

    Social media is driving the need for perpetual diligence.

    Organizations need to monitor their brand reputation considering the pace of incidents in the modern age.

    Stock image of a person on a phone that is connected to other people.

    The “what if” game

    1-3 hours

    Input: List of identified potential risk scenarios scored by likelihood and financial impact, List of potential management of the scenarios to reduce the risk

    Output: Comprehensive reputational risk profile on the specific vendor solution

    Materials: Whiteboard/flip charts, Reputational Risk Impact Tool to help drive discussion

    Participants: Vendor Management Coordinator, Organizational Leadership, Operations Experts (SMEs), Legal/Compliance/Risk Manager, Marketing

    Vendor management professionals are in an excellent position to help senior leadership identify and pull together resources across the organization to determine potential risks. By playing the "what if" game and asking probing questions to draw out – or eliminate – possible negative outcomes, everyone involved adds their insight into parts of the organization to gather a comprehensive picture of potential impacts.

    1. Break into smaller groups (or if too small, continue as a single group).
    2. Use the Reputational Risk Impact Tool to prompt discussion on potential risks. Keep this discussion flowing organically to explore all potential risk but manage the overall process to keep the discussion on track.
    3. Collect the outputs and ask the subject matter experts for management options for each one in order to present a comprehensive risk strategy. You will use this to educate senior leadership so that they can make an informed decision to accept or reject the solution.

    Download the Reputational Risk Impact Tool

    Example: Low reputational risk

    We can see clearly in this example that the contractor suffered minimal impact from the specialist's behavior. Though they did take a hit to their overall reputation with a few customers, they should be able to course-correct with a minimal outlay of effort and almost no loss of revenue.

    Stock image of construction workers.

    Sample table of 'Sample Questions to Ask to Identify Reputational Impacts'. Column headers are 'Score', 'Weight', 'Question', and 'Comments or Notes'. At the bottom the 'Reputational Score' row has a low average score of '1.3' and '%100' total weight in their respective columns.

    Example: High reputational risk

    Note in the example how the tool can represent different weights for each of the criteria depending on your needs.

    Stock image of an older person looking out a window.

    Sample table of 'Sample Questions to Ask to Identify Reputational Impacts'. Column headers are 'Score', 'Weight', 'Question', and 'Comments or Notes'. At the bottom the 'Reputational Score' row has a high average score of '3.1' and '%100' total weight in their respective columns.

    Summary

    Be vigilant and adaptable to change
    • Organizations need to learn how to assess the likelihood of potential risks in the changing global markets and recognize how their partnerships and subcontracts affect their brand.
    • Understanding how to monitor social media activity and online content will give you an edge in the current environment.
    • Bring the right people to the table to outline potential risks to your organization’s brand reputation.
    • Socialize the risk management process throughout the organization to heighten awareness and enable employees to help protect the company’s reputation.
    • Incorporate lessons learned from incidents into your risk management process to build better plans for future issues.
    Stock image of a person's face overlaid with many different images.

    Organizations must evolve their risk assessments to be more adaptive to respond to global factors in the market.

    Ongoing monitoring of online media and the vendors tied to company visibility is imperative to avoiding disaster.

    Bibliography

    "The CEO Reputation Premium: Gaining Advantage in the Engagement Era." Weber Shandwick, March 2015. Accessed June 2022.

    Glidden, Donna. "Don't Underestimate the Need to Protect Your Brand in Publicity Clauses." Info-Tech Research Group, June 2022.

    Greenaway, Jordan. "Managing Reputation Risk: A start-to-finish guide." Transmission Private, July 2020. Accessed June 2022.

    Jagiello, Robert D., and Thomas T. Hills. “Bad News Has Wings: Dread Risk Mediates Social Amplification in Risk Communication.” Risk Analysis, vol. 38, no. 10, 2018, pp. 2193-2207.

    Kenton, Will. "Brand Recognition.” Investopedia, Aug. 2021. Accessed June 2022.

    Lischer, Brian. "How Much Does it Cost to Rebrand Your Company?" Ignyte, October 2017. Accessed June 2022.

    "Powerful Examples of How to Respond to Negative Reviews." ReviewTrackers, 16 Feb. 2022. Accessed June 2022.

    Tonello, Matteo. “Strategic Risk Management: A Primer for Directors.” Harvard Law School Forum on Corporate Governance, 23 Aug. 2012. Web.

    "Valuation of Trademarks: Everything You Need to Know." UpCounsel, 2022. Accessed June 2022.

    Related Info-Tech Research

    Sample of 'Assessing Financial Risk Management'. Identify and Manage Financial Risk Impacts on Your Organization
    • Identifying and managing a vendor’s potential financial impact requires multiple people in the organization across several functions – and those people all need educating on the potential risks.
    • Organizational leadership is often unaware of decisions on organizational risk appetite and tolerance, and they assume there are more protections in place against risk impact than there truly are.
    Sample of 'How to Assess Strategic Risk'. Identify and Manage Strategic Risk Impacts on Your Organization
    • Identifying and managing a vendor’s potential strategic impact requires multiple people in the organization across several functions – and those people all need coaching on the potential changes in the market and how these changes affect strategic plans.
    • Organizational leadership is often caught unaware during crises, and their plans lack the flexibility needed to adjust to significant market upheavals.
    Research coming soon. Jump Start Your Vendor Management Initiative
    • Vendor management is not “plug and play” – each organization’s vendor management initiative (VMI) needs to fit its culture, environment, and goals. The key is to adapt vendor management principles to fit your needs…not the other way around.
    • All vendors are not of equal importance to an organization. Classifying or segmenting your vendors allows you to focus your efforts on the most important vendors first, allowing your VMI to have the greatest impact possible.

    Research Contributors and Experts

    Frank Sewell

    Research Director
    Info-Tech Research Group

    Donna Glidden

    Research Director
    Info-Tech Research Group

    Steven Jeffery

    Principal Research Director
    Info-Tech Research Group

    Mark Roman

    Managing Partner
    Info-Tech Research Group

    Phil Bode

    Principal Research Director
    Info-Tech Research Group

    Sarah Pletcher

    Executive Advisor
    Info-Tech Research Group

    Scott Bickley

    Practice Lead
    Info-Tech Research Group

    Fast Track Your GDPR Compliance Efforts

    • Buy Link or Shortcode: {j2store}372|cart{/j2store}
    • member rating overall impact (scale of 10): 10.0/10 Overall Impact
    • member rating average dollars saved: $25,779 Average $ Saved
    • member rating average days saved: 30 Average Days Saved
    • Parent Category Name: Governance, Risk & Compliance
    • Parent Category Link: /governance-risk-compliance
    • Organizations often tackle compliance efforts in an ad hoc manner, resulting in an ineffective use of resources.
    • The alignment of business objectives, information security, and data privacy is new for many organizations, and it can seem overwhelming.
    • GDPR is an EU regulation that has global implications; it likely applies to your organization more than you think.

    Our Advice

    Critical Insight

    • Financial impact isn’t simply fines. A data controller fined for GDPR non-compliance may sue its data processor for damage.
    • Even day-to-day activities may be considered processing. Screen-sharing from a remote location is considered processing if the data shown onscreen contains personal data!
    • This is not simply an IT problem. Organizations that address GDPR in a siloed approach will not be as successful as organizations that take a cross-functional approach.

    Impact and Result

    • Follow a robust methodology that applies to any organization and aligns operational and situational GDPR scope. Info-Tech's framework allows organizations to tackle GDPR compliance in a right-sized, methodical approach.
    • Adhere to a core, complex GDPR requirement through the use of our documentation templates.
    • Understand how the risk of non-compliance is aligned to both your organization’s functions and data scope.
    • This blueprint will guide you through projects and steps that will result in quick wins for near-term compliance.

    Fast Track Your GDPR Compliance Efforts Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should fast track your GDPR compliance efforts, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Understand your compliance requirements

    Understand the breadth of the regulation’s requirements and document roles and responsibilities.

    • Fast Track Your GDPR Compliance Efforts – Phase 1: Understand Your Compliance Requirements
    • GDPR RACI Chart

    2. Define your GDPR scope

    Define your GDPR scope and prioritize initiatives based on risk.

    • Fast Track Your GDPR Compliance Efforts – Phase 2: Define Your GDPR Scope
    • GDPR Initiative Prioritization Tool

    3. Satisfy documentation requirements

    Understand the requirements for a record of processing and determine who will own it.

    • Fast Track Your GDPR Compliance Efforts – Phase 3: Satisfy Documentation Requirements
    • Record of Processing Template
    • Legitimate Interest Assessment Template
    • Data Protection Impact Assessment Tool
    • A Guide to Data Subject Access Requests

    4. Align your data breach requirements and security program

    Document your DPO decision and align security strategy to data privacy.

    • Fast Track Your GDPR Compliance Efforts – Phase 4: Align Your Data Breach Requirements & Security Program

    5. Prioritize your GDPR initiatives

    Prioritize any initiatives driven out of Phases 1-4 and begin developing policies that help in the documentation effort.

    • Fast Track Your GDPR Compliance Efforts – Phase 5: Prioritize Your GDPR Initiatives
    • Data Protection Policy
    [infographic]

    Workshop: Fast Track Your GDPR Compliance Efforts

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Understand Your Compliance Requirements

    The Purpose

    Kick-off the workshop; understand and define GDPR as it exists in your organizational context.

    Key Benefits Achieved

    Prioritize your business units based on GDPR risk.

    Assign roles and responsibilities.

    Activities

    1.1 Kick-off and introductions.

    1.2 High-level overview of weekly activities and outcomes.

    1.3 Identify and define GDPR initiative within your organization’s context.

    1.4 Determine what actions have been done to prepare; how have regulations been handled in the past?

    1.5 Identify key business units for GDPR committee.

    1.6 Document business units and functions that are within scope.

    1.7 Prioritize business units based on GDPR.

    1.8 Formalize stakeholder support.

    Outputs

    Prioritized business units based on GDPR risk

    GDPR Compliance RACI Chart

    2 Define Your GDPR Scope

    The Purpose

    Know the rationale behind a record of processing.

    Key Benefits Achieved

    Determine who will own the record of processing.

    Activities

    2.1 Understand the necessity for a record of processing.

    2.2 Determine for each prioritized business unit: are you a controller or processor?

    2.3 Develop a record of processing for most-critical business units.

    2.4 Perform legitimate interest assessments.

    2.5 Document an iterative process for creating a record of processing.

    Outputs

    Initial record of processing: 1-2 activities

    Initial legitimate interest assessment: 1-2 activities

    Determination of who will own the record of processing

    3 Satisfy Documentation Requirements and Align With Your Data Breach Requirements and Security Program

    The Purpose

    Review existing security controls and highlight potential requirements.

    Key Benefits Achieved

    Ensure the initiatives you’ll be working on align with existing controls and future goals.

    Activities

    3.1 Determine the appetite to align the GDPR project to data classification and data discovery.

    3.2 Discuss the benefits of data discovery and classification.

    3.3 Review existing incident response plans and highlight gaps.

    3.4 Review existing security controls and highlight potential requirements.

    3.5 Review all initiatives highlighted during days 1-3.

    Outputs

    Highlighted gaps in current incident response and security program controls

    Documented all future initiatives

    4 Prioritize GDPR Initiatives

    The Purpose

    Review project plan and initiatives and prioritize.

    Key Benefits Achieved

    Finalize outputs of the workshop, with a strong understanding of next steps.

    Activities

    4.1 Analyze the necessity for a data protection officer and document decision.

    4.2 Review project plan and initiatives.

    4.3 Prioritize all current initiatives based on regulatory compliance, cost, and ease to implement.

    4.4 Develop a data protection policy.

    4.5 Finalize key deliverables created during the workshop.

    4.6 Present the GDPR project to key stakeholders.

    4.7 Workshop executive presentation and debrief.

    Outputs

    GDPR framework and prioritized initiatives

    Data Protection Policy

    List of key tools

    Communication plans

    Workshop summary documentation

    Release management

    • Buy Link or Shortcode: {j2store}9|cart{/j2store}
    • Related Products: {j2store}9|crosssells{/j2store}
    • Up-Sell: {j2store}9|upsells{/j2store}
    • member rating overall impact (scale of 10): 10.0/10
    • member rating average dollars saved: $35,731
    • member rating average days saved: 20
    • Parent Category Name: Infra and Operations
    • Parent Category Link: /infra-and-operations
    Today's world requires frequent and fast deployments. Stay in control with release management.

    Simplify Remote Deployment With Zero-Touch Provisioning

    • Buy Link or Shortcode: {j2store}310|cart{/j2store}
    • member rating overall impact (scale of 10): 9.0/10 Overall Impact
    • member rating average dollars saved: $5,199 Average $ Saved
    • member rating average days saved: 5 Average Days Saved
    • Parent Category Name: End-User Computing Strategy
    • Parent Category Link: /end-user-computing-strategy

    Provide better end-user device support to a remote workforce:

    • Remain compliant while purchasing, deploying, supporting, and decommissioning devices.
    • Save time and resources during device deployment while providing a high-quality experience to remote end users.
    • Build a set of capabilities that will let you support different use cases.

    Our Advice

    Critical Insight

    • Zero-touch is more than just deployment. This is more difficult than turning on a tool and provisioning new devices to end users.
    • Consider the entire user experience and device lifecycle to show value to the organization. Don’t forget that you will eventually need to touch the device.

    Impact and Result

    Approach zero-touch provisioning and patching from the end user’s experience:

    • Align your zero-touch approach with stakeholder priorities and larger IT strategies.
    • Build your zero-touch provisioning and patching plan from both the asset lifecycle and the end-user perspective to take a holistic approach that emphasizes customer service.
    • Tailor deployment plans to more easily scope and resource deployment projects.

    Simplify Remote Deployment With Zero-Touch Provisioning Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should adopt zero-touch provisioning, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Design the zero-touch experience

    Design the user’s experience and build a vision to direct your zero-touch provisioning project. Update your ITAM practices to reflect the new experience.

    • Zero-Touch Provisioning and Support Plan
    • HAM Process Workflows (Visio)
    • HAM Process Workflows (PDF)
    • End-User Device Management Standard Operating Procedure

    2. Update device management, provisioning, and patching

    Leverage new tools to manage remote endpoints, keep those devices patched, and allow users to get the apps they need to work.

    • End-User Device Build Book Template

    3. Build a roadmap and communication plan

    Create a roadmap for migrating to zero-touch provisioning.

    • Roadmap Tool
    • Communication Plan Template
    [infographic]