Time Study

  • Buy Link or Shortcode: {j2store}260|cart{/j2store}
  • member rating overall impact: N/A
  • member rating average dollars saved: N/A
  • member rating average days saved: N/A
  • Parent Category Name: Governance, Risk & Compliance
  • Parent Category Link: /governance-risk-compliance
  • In ESG’s 2018 report “The Life of Cybersecurity Professionals,” 36% of participants expressed the overwhelming workload was a stressful aspect of their job.
  • Organizations expect a lot from their security specialists. From monitoring the threat environment, protecting business assets, and learning new tools, to keeping up with IT initiatives, cybersecurity teams struggle to balance their responsibilities with the constant emergencies and disruptions that take them away from their primary tasks.
  • Businesses fail to recognize the challenges associated with task prioritization and the time management practices of a security professional.

Our Advice

Critical Insight

  • The majority of scheduled calendar meetings include employees and peers.
    • Our research indicates cybersecurity professionals spent the majority of their meetings with employees (28%) and peers (24%). Other stakeholders involved in meetings included by myself (15%), boss (13%), customers (10%), vendors (8%), and board of directors (2%).
  • Calendar meetings are focused on project work, management, and operations.
    • When asked to categorize calendar meetings, the focus was on project work (26%), management (23%), and operations (22%). Other scheduled meetings included ones focused on strategy (15%), innovation (9%), and personal time (5%).
  • Time management scores were influenced by the percentage of time spent with employees and peers.
    • When participants were divided into good and poor time managers, we found good time managers spent less time with their peers and more time with their employees. This may be due to the nature of employee meetings being more directly tied to the project outputs of the manager than their peer meetings. Managers who spend more time in meetings with their employees feel a sense of accomplishment, and hence rate themselves higher in time management.

Impact and Result

  • Understand how cybersecurity professionals allocate their time.
  • Gain insight on whether perceived time management skills are associated with calendar maintenance factors.
  • Identify common time management pain points among cybersecurity professionals.
  • Identify current strategies cybersecurity professionals use to manage their time.

Time Study Research & Tools

Besides the small introduction, subscribers and consulting clients within this management domain have access to:

1. Read our Time Study

Read our Time Study to understand how cybersecurity professionals allocate their time, what pain points they endure, and tactics that can be leveraged to better manage time.

  • Time Study Storyboard
[infographic]

Rationalize Your Collaboration Tools

  • Buy Link or Shortcode: {j2store}51|cart{/j2store}
  • member rating overall impact: 7.3/10 Overall Impact
  • member rating average dollars saved: 10 Average Days Saved
  • member rating average days saved: After each Info-Tech experience, we ask our members to quantify the real-time savings, monetary impact, and project improvements our research helped them achieve.
  • Parent Category Name: End-User Computing Applications
  • Parent Category Link: /end-user-computing-applications
  • Organizations collaboration toolsets are increasingly disordered and overburdened. Not only do organizations waste money by purchasing tools that overlap with their current toolset, but also employees’ productivity is destroyed by having to spend time switching between multiple tools.
  • Shadow IT is easier than ever. Without suitable onboarding and agreed-upon practices, employees will seek out their own solutions for collaboration. No transparency of what tools are being used means that information shared through shadow IT cannot be coordinated, monitored, or regulated effectively.

Our Advice

Critical Insight

  • Best-of-breed approaches create more confusion than productivity. Collaboration toolsets should be as streamlined as possible.
  • Employee-led initiatives to implement new toolsets are more successful. Focus on what is a suitable fit for employees’ needs.
  • Strategizing toolsets enhances security. File transfers and communication through unmonitored, unapproved tools increases phishing and hacking risks.

Impact and Result

  • Categorize your current collaboration toolset, identifying genuine overlaps and gaps in your collaboration capabilities.
  • Work through our best-practice recommendations to decide which redundant overlapping tools should be phased out.
  • Build business requirements to fill toolset gaps and create an adoption plan for onboarding new tools.
  • Create a collaboration strategy that documents collaboration capabilities, rationalizes them, and states which capability to use when.

Rationalize Your Collaboration Tools Research & Tools

Start here – read the Executive Brief

Read our concise Executive Brief to find out how to create a collaboration strategy that will improve employee efficiency and save the organization time and money.

Besides the small introduction, subscribers and consulting clients within this management domain have access to:

1. Evaluate current toolset

Identify and categorize current collaboration toolset usage to recognize unnecessary overlaps and legitimate gaps.

  • Rationalize Your Collaboration Tools – Phase 1: Evaluate Current Toolset
  • Identifying and Categorizing Shadow Collaboration Tools Survey
  • Overlaps and Gaps in Current Collaboration Toolset Template

2. Strategize toolset overlaps

Evaluate overlaps to determine which redundant tools should be phased out and explore best practices for how to do so.

  • Rationalize Your Collaboration Tools – Phase 2: Strategize Toolset Overlaps
  • Phase-Out Plan Gantt Chart Template
  • Phase-Out Plan Marketing Materials

3. Fill toolset gaps

Fill your collaboration toolset gaps with best-fit tools, build business requirements for those tools, and create an adoption plan for onboarding.

  • Rationalize Your Collaboration Tools – Phase 3: Fill Toolset Gaps
  • Adoption Plan Gantt Chart Template
  • Adoption Plan Marketing Materials
  • Collaboration Tools Business Requirements Document Template
  • Collaboration Platform Evaluation Tool
[infographic]

Workshop: Rationalize Your Collaboration Tools

Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

1 Categorize the Toolset

The Purpose

Create a collaboration vision.

Acknowledge the current state of the collaboration toolset.

Key Benefits Achieved

A clear framework to structure the collaboration strategy

Activities

1.1 Set the vision for the Collaboration Strategy.

1.2 Identify your collaboration tools with use cases.

1.3 Learn what collaboration tools are used and why, including shadow IT.

1.4 Begin categorizing the toolset.

Outputs

Beginnings of the Collaboration Strategy

At least five archetypical use cases, detailing the collaboration capabilities required for these cases

Use cases updated with shadow IT currently used within the organization

Overlaps and Gaps in Current Capabilities Toolset Template

2 Strategize Overlaps

The Purpose

Identify redundant overlapping tools and develop a phase-out plan.

Key Benefits Achieved

Communication and phase-out plans for redundant tools, streamlining the collaboration toolset.

Activities

2.1 Identify legitimate overlaps and gaps.

2.2 Explore business and user strategies for identifying redundant tools.

2.3 Create a Gantt chart and communication plan and outline post-phase-out strategies.

Outputs

Overlaps and Gaps in Current Capabilities Toolset Template

A shortlist of redundant overlapping tools to be phased out

Phase-out plan

3 Build Business Requirements

The Purpose

Gather business requirements for finding best-fit tools to fill toolset gaps.

Key Benefits Achieved

A business requirements document

Activities

3.1 Use SoftwareReviews and the Collaboration Platform Evaluation Tool to shortlist best-fit collaboration tool.

3.2 Build SMART objectives and goals cascade.

3.3 Walk through the Collaboration Tools Business Requirements Document Template.

Outputs

A shortlist of collaboration tools

A list of SMART goals and a goals cascade

Completed Business Requirements Document

4 Create an Adoption Plan

The Purpose

Create an adoption plan for successfully onboarding new collaboration tools.

Key Benefits Achieved

An adoption plan

Activities

4.1 Fill out the Adoption Plan Gantt Chart Template.

4.2 Create the communication plan.

4.3 Explore best practices to socialize the new tools.

Outputs

Completed Gantt chart

Adoption plan marketing materials

Long-term strategy for engaging employees with onboarded tools

Decide What's Important and What Is Less So

  • Large vertical image:
  • member rating overall impact: Highly Rated
  • member rating average dollars saved: N/A
  • member rating average days saved: N/A
  • byline: Your BIA is your reality. Treat it as such.

Redefining the business impact analysis through the lens of value

The Business Impact Analysis (BIA) is easily one of the most misunderstood processes in the modern enterprise. For many, the term conjures images of dusty binders filled with disaster recovery plans. A compliance checkbox exercise focused solely on what to do when the servers are smoking or the building is flooded. This view, while not entirely incorrect, is dangerously incomplete. It relegates the BIA to a reactive, insurance-policy mindset when it should be a proactive, strategic intelligence tool.

Yes, I got that text from AI. So recognizable. But you know what? There is a kernel of truth in this.

A modern BIA is about understanding and protecting value more than just about planning for disaster. That is the one thing we must keep in mind at all times. The BIA really is a deep dive into the DNA of the organization. It maps the connections between information assets, operational processes, and business outcomes. It answers the critical question, “What matters? And why ? And what is the escalating cost of its absence?”

The Strategic Starting Point: A Top-Down Business Analysis

To answer “what matters,” the process must begin at the highest level: with senior management and, ideally, the board. Defining the organization's core mission and priorities is a foundational governance task, a principle now embedded in European regulations like DORA.

Rank the Business Units

The process begins at the highest level with senior management. I would say, the board. They need to decide what the business is all about. (This is in line with the DORA rules in Europe.) The core business units or departments of the organization are ranked based on their contribution to the company's mission. This ranking is frequently based on revenue generation, but it can also factor in strategic importance, market position, or essential support functions. For example, the “Production” and “Sales” units might be ranked higher than “Internal HR Administration.” This initial ranking provides the foundational context for all subsequent decisions.

I want to make something crystal clear: this ranking is merely a practical assessment. Obviously the HR and well being departments play a pivotal role in the value delivery of the company. Happy employees make for happy customers.  

But, being a bit Wall-Streety about it, the sales department generating the biggest returns is probably only surpassed by the business unit producing the product for those sales. And with that I just said that the person holding the wrench, who knows your critical production machine, is your most valuable HR asset. Just saying.

Identify Critical Functions Within Each Unit

With the business units prioritized, the next step is to drill down into each one and identify its critical operational functions. The focus here is on processes, not technology. For the top-ranked “Sales” unit, critical functions might include:

  • SF-01: Processing New Customer Orders

  • SF-02: Managing the Customer Relationship Management (CRM) System

  • SF-03: Generating Sales Quotes

  • SF-04: Closing the Sale

These functions are then rated against each other within the business unit to create a prioritized list of what truly matters for that unit to achieve its goals.

And here I'm going to give you some food for thought. There will be a superficial geographical difference in importance. If you value continuity then new business may not be the top critical department. I can imagine this is completely counter intuitive. But remember that it is cheaper to keep and upsell an existing client than it is to acquire a new one.

Information asset classification is a key component of resilience.

With a clear map of what the business does, the next logical step is to identify what it uses to get it done. This brings us to the non-negotiable foundation of resilience: comprehensive information asset classification.

Without knowing what you have, where it is, and what it's worth, any attempt at risk management is simply guesswork. You risk spending millions protecting low/mid-value data while leaving the crown jewels exposed (I guess your Ciso will have said something 😊). In this article, we will explore how foundational asset classification can evolve into a mature, value-driven impact analysis, offering a blueprint for transforming the BIA from a tactical chore into a strategic imperative.

Before you can determine the effect of losing an asset, you must first understand the asset itself. Information asset classification is the systematic process of inventorying, categorizing, and assigning business value to your organization's data. Now that we have terabyte-scale data on servers, cloud environments, and countless SaaS applications, you have your work cut out for you. It is, however, a most critical investment in the risk management lifecycle.

Classification forces an organization to look beyond the raw data and evaluate it through two primary lenses: criticality and sensitivity.

  • Criticality is a measure of importance. It answers the question: “How much damage would the business suffer if this asset were unavailable or corrupted?” This is directly tied to the operational functions that depend on the asset. The criticality of a customer database, for instance, is determined by the impact on the sales, marketing, and support functions that would grind to a halt without it. This translates to the availability rating. 

  • Sensitivity is a measure of secrecy. It answers the question: “What is the potential harm if this asset were disclosed to unauthorized parties?” This considers reputational damage, competitive disadvantage, legal penalties, and customer privacy violations. This translates to the confidentiality rating.

Without this dual understanding, it's impossible to implement a proportional and cost-effective security program. The alternative is a one-size-fits-all approach, which invariably leads to one of two expensive failures:

  1. Overprotection: Applying the highest level of security controls to all information is prohibitively expensive and creates unnecessary operational friction. It's like putting a bank vault door on a broom closet.

  2. Underprotection: Applying a baseline level of security to all assets leaves your most critical and sensitive information dangerously vulnerable. It exposes your organization to unacceptable risk. Remember assigning an A2 rating to all your infra because it cannot be related to specific business processes? The “we'll take care of it at the higher levels” approach leads to exactly this issue.

By understanding the criticality and sensitivity of assets, organizations can ensure that security efforts are directly tied to business objectives, making the investment in protection proportional to the asset's value. Proportionality is also embedded in new European legislation.

A practical framework for executing classification exercises

While the concept is straightforward, the execution can be complex. A successful classification program requires a methodical framework that moves from high-level policy to granular implementation. in this first stage, we're going to talk about data.

Step 1: Define the Classification Levels

The first step is to establish a simple, intuitive classification scheme. When you complicate it, you lose your people. Most organizations find success with a three- or four-tiered model, which is easy for employees to understand and apply. For example:

  • Public: Information intended for public consumption with no negative impact from disclosure (e.g., marketing materials, press releases).

  • Internal: Information for use within the organization but not overly sensitive. Its disclosure would be inconvenient but not damaging (e.g., internal memos on non-sensitive topics, general project plans).

  • Confidential: Sensitive business information that, if disclosed, could cause measurable damage to the organization's finances, operations, or reputation (e.g., business plans, financial forecasts, customer lists).

  • Restricted or secret: The most sensitive data that could cause severe financial or legal damage if compromised. Access is strictly limited on a need-to-know basis (e.g., trade secrets, source code, PII, M&A details).

Step 2: Tackle the Data Inventory Problem

This is often the most challenging phase: identifying and locating all information assets. You must create a comprehensive inventory and detail not just the data itself but its entire context:

  • Data Owners: The business leader accountable for the data and for determining its classification.

  • Data Custodians: The IT or operational teams responsible for implementing and managing the security controls on the data.

  • Location: Where does the data live? Is it in a specific database, a cloud storage bucket, a third-party application, or a physical filing cabinet?

  • External Dependencies: Crucially, this inventory must extend beyond the company's walls. Which third-party vendors (payroll processors, cloud hosting providers, marketing agencies) handle, store, or transport your data? Their security posture is now part of your risk surface. In Europe, this is now a foundation of your data management through GDPR, DORA, the AI Act and other legislation. 

Step 3: Establish a Lifecycle Approach

Information isn't static. Its value and handling requirements can change over its lifecycle. Your classification process must define clear rules for each stage:

  • Creation: How is data classified when it's first created? How is it marked (e.g., digital watermarks, document headers)?

  • Storage & Use: What security controls apply to each classification level at rest and in transit (e.g., encryption standards, access control rules)? What about legislative initiatives?

  • Archiving & Retention: How long must the data be kept to meet business needs and legal requirements? What about external storage?

  • Destruction: What are the approved methods for securely destroying the data (e.g., cryptographic erasure, physical shredding) once it's no longer required?

Without clear, consistent handling standards for each level, the classification labels themselves are meaningless. The classification directly dictates the required security measures.

The hierarchy of importance.

This dual (business processes and asset classification) top-down approach to determining criticality is often referred to as the 'hierarchy of importance,' which helps in systematically prioritizing assets based on their business value.

Once assets are inventoried, the next step is to systematically determine their criticality. Randomly assigning importance to thousands of assets is futile. A far more effective method is a top-down, hierarchical approach that mirrors the structure of the business itself. This method creates a clear “chain of criticality,” where the importance of a technical asset is directly derived from the value of the business function it supports.

Map the Supporting Assets and Resources

Only now, once you have clearly defined the critical business functions and prioritized them, can you finally map the specific assets and resources they depend on. These are the people, technology, and facilities that enable the function. For the critical function “Processing New Customer Orders,” the supporting assets might include:

  • Application: SAP ERP System (Module SD)

  • Database: Oracle Customer Order Database

  • Hardware: Primary ERP Server Cluster

  • Personnel: Sales team and Order Entry team

The criticality of the “Oracle Customer Order Database” is now clear. It is clearly integrated into the business; it is critically important because it is an essential asset for a top-priority function (SF-01) within a top-ranked business unit (“Sales”). This top-down structure provides a clear, business-justified view of risk that management can easily understand. It allows you to see precisely how a technical risk (e.g., a vulnerability in the Oracle database) can bubble up to impact a core business operation.

From Criticality to Consequence: Master Impact Analysis

With a clear understanding of what's indispensable, the BIA can now finally move to its core purpose: analyzing the tangible and intangible impacts of a disruption over time. A robust impact analysis prevents “impact inflation,” which is the common tendency to focus solely on unrealistic scenarios or self-importance assurances, as this just causes management to discount your findings. That just causes management to discount your findings. A more credible approach uses a range of outcomes that paint a realistic picture of escalating damage over time.

Your analysis should assess the loss of the four core pillars of information security:

  • Loss of Confidentiality: The unauthorized disclosure of sensitive information. The impact can range from legal fines for a data breach to the loss of competitive advantage from a leaked product design.

  • Loss of Integrity: The unauthorized or improper modification of data. This can lead to flawed decision-making based on corrupted reports, financial fraud, or a complete loss of trust in the system.

  • Loss of Availability: The inability to access a system or process. This is the most common focus of traditional BIA, leading to lost productivity, missed sales, and an inability to deliver services.

  • Insecurity around Authenticity: Your ability to ensure you receive data from the expected party. 

This brings us to the CIAA rating, which encompasses Confidentiality, Integrity, Availability, and Authenticity, providing a comprehensive framework for assessing information security impacts.

Qualitative vs. Quantitative Analysis

Impacts can be measured in two ways, and the most effective BIAs use a combination of both:

  • Qualitative Analysis: This uses descriptive scales (e.g., High, Medium, Low) to assess impacts that are difficult to assign a specific monetary value to. This is ideal for measuring things like reputational damage, loss of customer confidence, or employee morale. Its main advantage is prioritizing risks quickly, but it lacks the financial precision needed for a cost-benefit analysis.

  • Quantitative Analysis: This assigns a specific monetary value ($) to the impact. This is used for measurable losses like lost revenue per hour, regulatory fines, or the cost of manual workarounds. The major advantage is that it provides clear financial data to justify security investments. For example, “This outage will cost us $100,000 per hour in lost sales” is a powerful statement when requesting funding for a high-availability solution.

A mature analysis might involve scenario modeling—where we walk through a small set of plausible disruption scenarios with business stakeholders to define a range of outcomes (minimum, maximum, and most likely). This provides a far more nuanced and credible dataset that aligns with how management views other business risks.

The additional lens: The Customer Value Chain Contribution (CVCC)©

To elevate the BIA from an internal exercise to a truly strategic tool, we can apply one more lens: the Customer Value Chain Contribution (CVCC)©. This approach reframes the impact analysis to focus explicitly on the customer. Instead of just asking, “What is the impact on our business?” we ask, “What is the impact on our customer's experience and our ability to deliver value to them?”

The CVCC method involves mapping your critical processes and assets to specific stages of the customer journey. For example:

  • Awareness/Acquisition: A disruption to the company website or marketing automation platform directly impacts your ability to attract new customers.

  • Conversion/Sale: An outage of the e-commerce platform or CRM system prevents customers from making purchases, directly impacting revenue and frustrating users at a key moment.

  • Service Delivery/Fulfillment: A failure in the warehouse management or logistics system means orders can't be fulfilled, breaking promises made to the customer.

  • Support/Retention: If the customer support ticketing system is down, customers with problems can't get help, leading to immense frustration and potential churn.

By analyzing impact through the CVCC lens, the consequences become far more vivid and compelling. “Loss of the CRM system” becomes “a complete inability to process new sales leads or support existing customers, causing direct revenue loss and significant reputational damage.” This framing aligns the BIA directly with the goal of any business: creating and retaining satisfied customers. It transforms the discussion from technical risk to the preservation of the customer relationship and the value chain that supports it.

From document to real value

When you build your BIA on this framework, meaning that it is rooted in sound asset classification, structured by the correct top-down criticality analysis, and enriched by the customer-centric view of impact, then it is no longer a static document. It becomes the dynamic, strategic blueprint for organizational resilience.

These insights generate business decisions:

  • Prioritized risk mitigation: they show exactly where to focus security efforts and resources for the greatest return on investment.

  • Justified security spending: they provide the quantitative and qualitative data needed to make a compelling business case for new security controls, technologies, and processes.

  • Informed recovery planning: they establish clear, business-justified Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs) that form the foundation of any effective business continuity and disaster recovery plan.

I'm convinced that this expanded vision of the business impact analysis embeds the right analytical understanding of value and risk into the fabric of the organization. I want you to move beyond the fear of disaster and toward a confident, proactive posture of resilience. Like that, you ensure that in a world of constant change and disruption, the things that truly matter are always understood, always protected, and always available.

Always happy to chat.

Stakeholder Relations

  • Buy Link or Shortcode: {j2store}25|cart{/j2store}
  • Related Products: {j2store}25|crosssells{/j2store}
  • member rating overall impact: N/A
  • member rating average dollars saved: N/A
  • member rating average days saved: N/A
  • Parent Category Name: Strategy and Governance
  • Parent Category Link: /strategy-and-governance
  • byline: Make proper stakeholder management a habit.

The challenge

  • Stakeholders come in a wide variety, often with competing and conflicting demands.
  • Some stakeholders are hard to identify. Those hidden agendas may derail your efforts.
  • Understanding your stakeholders' relative importance allows you to prioritize your IT agenda according to the business needs.

Our advice

Insight

  • Stakeholder management is an essential factor in how successful you will be.
  • Stakeholder management is a continuous process. The landscape constantly shifts.
  • You must also update your stakeholder management plan and approach on an ongoing basis.

Impact and results 

  • Use your stakeholder management process to identify, prioritize, and manage key stakeholders effectively.
  • Continue to build on strengthening your relationships with stakeholders. It will help to gain easier buy-in and support for your future initiatives. 

The roadmap

Besides the small introduction, subscribers and consulting clients within this management domain have access to:

Make the case

Identify stakeholders

  • Stakeholder Management Analysis Tool (xls)

Analyze your stakeholders

Assess the stakeholder's influence, interest, standing, and support to determine priority for future actions 

Manage your stakeholders

Develop your stakeholder management and communication plans

  • Stakeholder Management Plan Template (doc)
  • Communication Plan Template (doc)

Monitor your stakeholder management plan performance

Measure and monitor the success of your stakeholder management process.

 

 

Modernize Data Architecture for Measurable Business Results

  • Buy Link or Shortcode: {j2store}387|cart{/j2store}
  • member rating overall impact: 9.5/10 Overall Impact
  • member rating average dollars saved: After each Info-Tech experience, we ask our members to quantify the real-time savings, monetary impact, and project improvements our research helped them achieve.
  • member rating average days saved: Read what our members are saying
  • Parent Category Name: Data Management
  • Parent Category Link: /data-management
  • Data architecture projects have often failed in the past, causing businesses today to view the launch of a new project as a costly initiative with unclear business value.
  • New technologies in big data and analytics are requiring organizations to modernize their data architecture, but most organizations have failed to spend the time and effort refining the appropriate data models and blueprints that enable them to do so.
  • As the benefits for data architecture are often diffused across an organization’s information management practice, it can be difficult for the business to understand the value and necessity of data architecture.

Our Advice

Critical Insight

  • At the heart of tomorrow’s insights-driven enterprises is a modern data environment anchored in fit-for-purpose data architectures.
  • The role of traditional data architecture is transcending beyond organizational boundaries and its focus is shifting from “keeping the lights on” (i.e. operational data and BI) to providing game-changing insights gleaned from untapped big data.

Impact and Result

  • Perform a diagnostic assessment of your present day architecture and identify the capabilities of your future “to be” environment to position your organization to capitalize on new opportunities in the data space.
  • Use Info-Tech’s program diagnostic assessment and guidance for developing a strategic roadmap to support your team in building a fit-for purpose data architecture practice.
  • Create a data delivery architecture that harmonizes traditional and modern architectural opportunities.

Modernize Data Architecture for Measurable Business Results Research & Tools

Start here – read the Executive Brief

Read our concise Executive Brief to find out why you should modernize your data architecture, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

Besides the small introduction, subscribers and consulting clients within this management domain have access to:

1. Develop a data architecture vision

Plan your data architecture project and align it with the business and its strategic vision.

  • Modernize Data Architecture for Measurable Business Results – Phase 1: Develop a Data Architecture Vision
  • Modernize Data Architecture Project Charter
  • Data Architecture Strategic Planning Workbook

2. Assess data architecture capabilities

Evaluate the current and target capabilities of your data architecture, using the accompanying diagnostic assessment to identify performance gaps and build a fit-for-purpose practice.

  • Modernize Data Architecture for Measurable Business Results – Phase 2: Assess Data Architecture Capabilities
  • Data Architecture Assessment and Roadmap Tool
  • Initiative Definition Tool

3. Develop a data architecture roadmap

Translate your planned initiatives into a sequenced roadmap.

  • Modernize Data Architecture for Measurable Business Results – Phase 3: Develop a Data Architecture Roadmap
  • Modernize Data Architecture Roadmap Presentation Template
[infographic]

Workshop: Modernize Data Architecture for Measurable Business Results

Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

1 Develop a Data Architecture (DA) Vision

The Purpose

Discuss key business drivers and strategies.

Identify data strategies.

Develop a data architecture vision.

Assess data architecture practice capabilities. 

Key Benefits Achieved

A data architecture vision aligned with the business.

A completed assessment of the organization’s current data architecture practice capabilities.

Identification of "to be" data architecture practice capabilities.

Identification of key gaps. 

Activities

1.1 Explain approach and value proposition

1.2 Discuss business vision and key drivers

1.3 Discover business pain points and needs

1.4 Determine data strategies

1.5 Assess DA practice capabilities

Outputs

Data strategies

Data architecture vision

Current and target capabilities for the modernized DA practice

2 Assess DA Core Capabilities (Part 1)

The Purpose

Assess the enterprise data model (EDM).

Assess current and target data warehouse, BI/analytics, and big data architectures.

Key Benefits Achieved

A completed assessment of the organization’s current EDM, data warehouse, BI and analytics, and big data architectures.

Identification of "to be" capabilities for the organization’s EDM, data warehouse, BI and analytics, and big data architectures.

Identification of key gaps.

Activities

2.1 Present an overarching DA capability model

2.2 Assess current and target EDM capabilities

2.3 Assess current/target data warehouse, BI/analytics, and big data architectures

2.4 Identify gaps and high level strategies

Outputs

Target capabilities for EDM

Target capabilities for data warehouse architecture, BI architecture, and big data architecture

3 Assess DA Core Capabilities (Part 2)

The Purpose

Assess EDM.

Assess current/target MDM, metadata, data integration, and content architectures.

Assess dynamic data models.

Key Benefits Achieved

A completed assessment of the organization’s current MDM, metadata, data integration, and content architectures.

Identification of “to be” capabilities for the organization’s MDM, metadata, data integration, and content architectures.

Identification of key gaps.

Activities

3.1 Present an overarching DA capability model

3.2 Assess current and target MDM, metadata, data integration, and content architectures

3.3 Assess data lineage and data delivery model

3.4 Identify gaps and high level strategies

Outputs

Target capabilities for MDM architecture, metadata architecture, data integration architecture, and document & content architecture

Target capabilities for data lineage/delivery

4 Analyze Gaps and Formulate Strategies

The Purpose

Map performance gaps and document key initiatives from the diagnostic assessment.

Identify additional gaps and action items.

Formulate strategies and initiatives to address priority gaps. 

Key Benefits Achieved

Prioritized gap analysis.

Improvement initiatives and related strategies.

Activities

4.1 Map performance gaps to business vision, pain points, and needs

4.2 Identify additional gaps

4.3 Consolidate/rationalize/prioritize gaps

4.4 Formulate strategies and actions to address gaps

Outputs

Prioritized gaps

Data architecture modernization strategies

5 Develop a Data Architecture Roadmap

The Purpose

Plot initiatives and strategies on a strategic roadmap.

Key Benefits Achieved

A roadmap with prioritized and sequenced initiatives.

Milestone plan.

Executive report. 

Activities

5.1 Transform strategies into a plan of action

5.2 Plot actions on a prioritized roadmap

5.3 Identify and discuss next milestone plan

5.4 Compile an executive report

Outputs

Data architecture modernization roadmap

Data architecture assessment and roadmap report (from analyst team)

Data Protection Notice

Tymans Group BV processes personal information in compliance with this privacy statement. For further information, questions or comments on our privacy policy, please contact Gert Taeymans at https://tymansgroup.com/gdpr-contact.

Purposes of the processing

Tymans Group BV collects and processes customers’ personal data for customer and order management (customer administration, order / delivery follow-up, invoicing, solvency follow-up, profiling and the sending of marketing and personalised advertising).

Legal foundation for the processing

Personal data is processed based on several provisions of Article 6.1.

(a)  consent, which you can revoke at any time,

(b) required for the implementation of an agreement between you and Tymans Group BV, eg. when you enter into a contract with us,

(c)  required to satisfy a legal obligation

(f)  (required for the protection of our legitimate interest in entrepreneurship)] of the General Data Protection Regulation. An actual data item may be subject to multiple provisions.

Insofar as the processing of personal data takes place based on Article 6.1. a) (consent), customers always have the right to withdraw the given consent.

Transfer to third parties

If required to achieve the set purposes, your personal data will be shared with other companies within the European Economic Area, which are linked directly or indirectly with Gert Taeymans BV or with any other partner of Tymans Group BV

Tymans Group BV guarantees that these recipients will take the necessary technical and organisational measures for the protection of personal data.

Third party categories that are subject to this provision are:

    Accounting
    Hosting
    Software Engineering (when you order websites or custom development with us)
    Social Media (only as part of Social Media Marketing contracted services by you)

Due to the ECJ striking down the  EU-US Privacy Shield agreement, this leaves us with a open gap. The resulting implications and actions to take are not yet clear. You must be aware that one can argue that any data transfer from the EU towards the US is now in breach of the law. Other argue that necessary transfers are still allowed, whithout however defining, as far as we know, what "necessary" actually means. This website runs on servers within the EU. We also closely follow the opinions by the scholars and our regulator.

Retention period

Personal data processed for customer management will be stored for the time necessary to satisfy legal requirements (in terms of bookkeeping, among others).

Right to inspection, improvement, deletion, limitation, objection and transferability of personal data

You have at all times the right to inspect your personal data and can have it improved should it be incorrect or incomplete, have it removed, limit its processing an object to the processing of their personal data based on Article 6.1 (f), including profiling based on said provisions. Any personal data however that is needed for the legal processing of your order cannot be removed after you placed an order, as we need to keep it for legal purposes.

Furthermore, you are entitled to obtain a copy of your personal data and to have said personal data forwarded to another company.

In order to exercise the aforementioned rights, you are requested to send an e-mail the following address: dataprivacy@tymansgroup.com.

Direct marketing

You are entitled to object free of charge to the processing of any processing of their personal data aimed at direct marketing.

Complaint

You have the right to file a complaint with the Belgian Privacy Protection Commission (35 Rue de la Presse, 1000 Brussels - contact@adp-gba.be - 02/ 274 48 00 or 02/ 274 48 35).

Take Action on Service Desk Customer Feedback

  • Buy Link or Shortcode: {j2store}494|cart{/j2store}
  • member rating overall impact: 10.0/10 Overall Impact
  • member rating average dollars saved: $27,500 Average $ Saved
  • member rating average days saved: 110 Average Days Saved
  • Parent Category Name: Service Desk
  • Parent Category Link: /service-desk
  • IT leaders lack information to help inform and prioritize where improvements are most needed.
  • The service desk relies only on traditional metrics such as time to respond or percentage of SLAs met, but no measures of customer satisfaction with the service they receive.
  • There are signs of dissatisfied users, but no mechanism in place to formally capture those perceptions in order to address them.
  • Even if transactional (ticket) surveys are in use, often nothing is done with the data collected or there is a low response rate, and no broader satisfaction survey is in place.

Our Advice

Critical Insight

  • If customer satisfaction is not being measured, it’s often because service desk leaders don’t know how to design customer satisfaction surveys, don’t have a mechanism in place to collect feedback, or lack the resources to take accountability for a customer feedback program.
  • If customer satisfaction surveys are in place, it can be difficult to get full value out of them if there is a low response rate due to poor survey design or administration, or if leadership doesn’t understand the value of / know how to analyze the data.
  • It can actually be worse to ask your customers for feedback and do nothing with it than not asking for feedback at all. Customers may end up more dissatisfied if they take the time to provide value then see nothing done with it.

Impact and Result

  • Understand how to ask the right questions to avoid survey fatigue.
  • Design and implement two complementary satisfaction surveys: a transactional survey to capture satisfaction with individual ticket experiences and inform immediate improvements, and a relationship survey to capture broader satisfaction among the entire user base and inform longer-term improvements.
  • Build a plan and assign accountability for customer feedback management, including analyzing feedback, prioritizing customer satisfaction insights and using them to improve performance, and communicating the results back to your users and stakeholders.

Take Action on Service Desk Customer Feedback Research & Tools

Besides the small introduction, subscribers and consulting clients within this management domain have access to:

1. Take Action on Service Desk Customer Feedback Deck – A step-by-step document that walks you through how to measure customer satisfaction, design and implement transactional and relationship surveys, and analyze and act on user feedback.

Whether you have no Service Desk customer feedback program in place or you need to improve your existing process for gathering and responding to feedback, this deck will help you design your surveys and act on their results to improve CSAT scores.

  • Take Action on Service Desk Customer Feedback Storyboard

2. Transactional Service Desk Survey Template – A template to design a ticket satisfaction survey.

This template provides a sample transactional (ticket) satisfaction survey. If your ITSM tool or other survey mechanism allows you to design or write your own survey, use this template as a starting point.

  • Transactional Service Desk Survey Template

3. Sample Size Calculator – A tool to calculate the sample size needed for your survey.

Use the Sample Size Calculator to calculate your ideal sample size for your relationship surveys.

  • Desired confidence level
  • Acceptable margin of error
  • Company population size
  • Ideal sample size

    • Sample Size Calculator

    4. End-User Satisfaction Survey Review Workflows – Visio templates to map your review process for both transactional and relationship surveys

    This template will help you map out the step-by-step process to review collected feedback from your end-user satisfaction surveys, analyze the data, and act on it.

    • End-User Satisfaction Survey Review Workflows

    Infographic

    Further reading

    Take Action on Service Desk Customer Feedback

    Drive up CSAT scores by asking the right questions and effectively responding to user feedback.

    EXECUTIVE BRIEF

    Analyst Perspective

    Collecting feedback is only half the equation.

    The image contains a picture of Natalie Sansone.

    Natalie Sansone, PhD


    Research Director, Infrastructure & Operations

    Info-Tech Research Group

    Often when we ask service desk leaders where they need to improve and if they’re measuring customer satisfaction, they either aren’t measuring it at all, or their ticket surveys are turned on but they get very few responses (or only positive responses). They fail to see the value of collecting feedback when this is their experience with it.

    Feedback is important because traditional service desk metrics can only tell us so much. We often see what’s called the “watermelon effect”: metrics appear “green”, but under the surface they’re “red” because customers are in fact dissatisfied for reasons unmeasured by standard internal IT metrics. Customer satisfaction should always be the goal of service delivery, and directly measuring satisfaction in addition to traditional metrics will help you get a clearer picture of your strengths and weaknesses, and where to prioritize improvements.

    It’s not as simple as asking customers if they were satisfied with their ticket, however. There are two steps necessary for success. The first is collecting feedback, which should be done purposefully, with clear goals in mind in order to maximize the response rate and value of responses received. The second – and most critical – is acting on that feedback. Use it to inform improvements and communicate those improvements. Doing so will not only make your service desk better, increasing satisfaction through better service delivery, but also will make your customers feel heard and valued, which alone increases satisfaction.

    The image contains a picture of Emily Sugerman.

    Emily Sugerman, PhD


    Research Analyst, Infrastructure & Operations

    Info-Tech Research Group

    Executive Summary

    Your Challenge

    Common Obstacles

    Info-Tech’s Approach
    • The service desk relies only on traditional metrics such as time to respond, or percentage of SLAs met, but not on measures of customer satisfaction with the service they receive.
    • There are signs of dissatisfied users (e.g. shadow IT, users avoid the service desk, go only to their favorite technician) but no mechanism in place to formally capture those perceptions.
    • Transactional ticket surveys were turned on when the ITSM tool was implemented, but either nobody responds to them, or nobody does anything with the data received.
    • IT leaders lack information to help inform and prioritize where improvements are most needed.
    • Service desk leaders don’t know how to design survey questions to ask their users for feedback and/or they don’t have a mechanism in place to survey users.
    • If customer satisfaction surveys are in place, nothing is done with the results because service desk leaders either don’t understand the value of analyzing the data or don’t know how to analyze the data.
    • Executives only want a single satisfaction number to track and don’t understand the value of collecting more detailed feedback.
    • IT lacks the resources to take accountability for the feedback program, or existing resources don’t have time to do anything with the feedback they receive.
    • Understand how to ask the right questions to avoid survey fatigue (where users get overwhelmed and stop responding).
    • Design and implement a transactional survey to capture satisfaction with individual ticket experiences and use the results to inform immediate improvements.
    • Design and implement a relationship survey to capture broader satisfaction among the entire user base and use the results to inform longer-term improvements.
    • Build a plan and assign accountability for analyzing feedback, using it to prioritize and make actionable improvements to address feedback, and communicating the results back to your users and stakeholders.

    Info-Tech Insight

    Asking your customers for feedback then doing nothing with it is worse than not asking for feedback at all. Your customers may end up more dissatisfied than they were before, if their opinion is sought out and then ignored. It’s valuable to collect feedback, but the true value for both IT and its customers comes from acting on that feedback and communicating those actions back to your users.

    Traditional service desk metrics can be misleading

    The watermelon effect

    When a service desk appears to hit all its targets according to the metrics it tracks, but service delivery is poor and customer satisfaction is low, this is known as the “watermelon effect”. Service metrics appear green on the outside, but under the surface (unmeasured), they’re red because customers are dissatisfied.

    Traditional SLAs and service desk metrics (such as time to respond, average resolution time, percentage of SLAs met) can help you understand service desk performance internally to prioritize your work and identify process improvements. However, they don’t tell you how customers perceive the service or how satisfied they are.

    Providing good service to your customers should be your end goal. Failing to measure, monitor, and act on customer feedback means you don’t have the whole picture of how your service desk is performing and whether or where improvements are needed to maximize satisfaction.

    There is a shift in ITSM to focus more on customer experience metrics over traditional ones

    The Service Desk Institute (SDI) suggests that customer satisfaction is the most important indicator of service desk success, and that traditional metrics around SLA targets – currently the most common way to measure service desk performance – may become less valuable or even obsolete in the future as customer experience-focused targets become more popular. (Service Desk Institute, 2021)

    SDI conducted a Customer Experience survey of service desk professionals from a range of organizations, both public and private, from January to March 2018. The majority of respondents said that customer experience is more important than other metrics such as speed of service or adherence to SLAs, and that customer satisfaction is more valuable than traditional metrics. (SDI, 2018).

    The image contains a screenshot of two pie graphs. The graph on the left is labelled: which of these is most important to your service desk? Customer experience is first with 54%. The graph on the right is labelled: Which measures do you find more value in? Customer satisfaction is first with 65%.

    However, many service desk leaders aren’t effectively measuring customer feedback

    Not only is it important to measure customer experience and satisfaction levels, but it’s equally important to act on that data and feed it into a service improvement program. However, many IT leaders are neglecting either one or both of those components.

    Obstacles to collecting feedback

    Obstacles to acting on collected feedback
    • Don’t understand the value of measuring customer feedback.
    • Don’t have a good mechanism in place to collect feedback.
    • Don’t think that users would respond to a survey (either generally unresponsive or already inundated with surveys).
    • Worried that results would be negative or misleading.
    • Don’t know what questions to ask or how to design a survey.
    • Don’t understand the importance of analyzing and acting on feedback collected.
    • Don’t know how to analyze survey data.
    • Lack of resources to take accountability over customer feedback (including analyzing data, monitoring trends, communicating results).
    • Executives or stakeholders only want a satisfaction score.

    A strong customer feedback program brings many benefits to IT and the business

    Insight into customer experience

    Gather insight into both the overall customer relationship with the service desk and individual transactions to get a holistic picture of the customer experience.

    Data to inform decisions

    Collect data to inform decisions about where to spend limited resources or time on improvement, rather than guessing or wasting effort on the wrong thing.

    Identification of areas for improvement

    Better understand your strengths and weaknesses from the customer’s point of view to help you identify gaps and priorities for improvement.

    Customers feel valued

    Make customers feel heard and valued; this will improve your relationship and their satisfaction.

    Ability to monitor trends over time

    Use the same annual relationship survey to be able to monitor trends and progress in making improvements by comparing data year over year.

    Foresight to prevent problems from occurring

    Understand where potential problems may occur so you can address and prevent them, or who is at risk of becoming a detractor so you can repair the relationship.

    IT staff coaching and engagement opportunities

    Turn negative survey feedback into coaching and improvement opportunities and use positive feedback to boost morale and engagement.

    Take Action on Service Desk Customer Feedback

    The image contains a screenshot of a Thought Model titled: Take Action on Service Desk Customer Feedback.

    Info-Tech’s methodology for measuring and acting on service desk customer feedback

    Phase

    1. Understand how to measure customer satisfaction

    2. Design and implement transactional surveys

    3. Design and implement relationship surveys

    4. Analyze and act on feedback

    Phase outcomes

    Understand the main types of customer satisfaction surveys, principles for survey design, and best practices for surveying your users.

    Learn why and how to design a simple survey to assess satisfaction with individual service desk transactions (tickets) and a methodology for survey delivery that will improve response rates.

    Understand why and how to design a survey to assess overall satisfaction with the service desk across your organization, or use Info-Tech’s diagnostic.

    Measure and analyze the results of both surveys and build a plan to act on both positive and negative feedback and communicate the results with the organization.

    Insight Summary

    Key Insight:

    Asking your customers for feedback then doing nothing with it is worse than not asking for feedback at all. Your customers may end up more dissatisfied than they were before if they’re asked for their opinion then see nothing done with it. It’s valuable to collect feedback, but the true value for both IT and its customers comes from acting on that feedback and communicating those actions back to your users.

    Additional insights:

    Insight 1

    Take the time to define the goals of your transactional survey program before launching it – it’s not as simple as just deploying the default survey of your ITSM tool out of the box. The objectives of the survey – including whether you want to keep a pulse on average satisfaction or immediately act on any negative experiences – will influence a range of key decisions about the survey configuration.

    Insight 2

    While transactional surveys provide useful indicators of customer satisfaction with specific tickets and interactions, they tend to have low response rates and can leave out many users who may rarely or never contact the service desk, but still have helpful feedback. Include a relationship survey in your customer feedback program to capture a more holistic picture of what your overall user base thinks about the service desk and where you most need to improve.

    Insight 3

    Satisfaction scores provide valuable data about how your customers feel, but don’t tell you why they feel that way. Don’t neglect the qualitative data you can gather from open-ended comments and questions in both types of satisfaction surveys. Take the time to read through these responses and categorize them in at least a basic way to gain deeper insight and determine where to prioritize your efforts.

    Understand how to measure customer satisfaction

    Phase 1

    Understand the main types of customer satisfaction surveys, principles for survey design, and best practices for surveying your users.

    Phase 1:

    Phase 2:

    Phase 3:

    Phase 4:

    Understand how to measure customer satisfaction

    Design and implement transactional surveys

    Design and implement relationship surveys

    Analyze and act on feedback

    Three methods of surveying your customers

    Transactional

    Relationship

    One-off

    Also known as

    Ticket surveys, incident follow-up surveys, on-going surveys

    Annual, semi-annual, periodic, comprehensive, relational

    One-time, single, targeted

    Definition
    • Survey that is tied to a specific customer interaction with the service desk (i.e. a ticket).
    • Assesses how satisfied customers are with how the ticket was handled and resolved.
    • Sent immediately after ticket is closed.
    • Short – usually 1 to 3 questions.
    • Survey that is sent periodically (i.e. semi-annually or annually) to the entire customer base to measure overall relationship with the service desk.
    • Assesses customer satisfaction with their overall service experience over a longer time period.
    • Longer – around 15-20 questions.
    • One-time survey sent at a specific, targeted point in time to either all customers or a subset.
    • Often event-driven or project-related.
    • Assesses satisfaction at one time point, or about a specific change that was implemented, or to inform a specific initiative that will be implemented.

    Pros and cons of the three methods

    Transactional

    Relationship

    One-off

    Pros

    • Immediate feedback
    • Actionable insights to immediately improve service or experience
    • Feeds into team coaching
    • Multiple touchpoints allow for trending and monitoring
    • Comprehensive insight from broad user base to improve overall satisfaction
    • Reach users who don’t contact the service desk often or respond to ticket surveys
    • Identify unhappy customers and reasons for dissatisfaction
    • Monitor broader trends over time
    • Targeted insights to measure the impact of a specific change or perception at a specific point of time

    Cons

    • Customer may become frustrated being asked to fill out too many surveys
    • Can lead to survey fatigue and low response rates
    • Tend to only see responses for very positive or negative experiences
    • High volume of data to analyze
    • Feedback is at a high-level
    • Covers the entire customer journey, not a specific interaction
    • Users may not remember past interactions accurately
    • A lot of detailed data to analyze and more difficult to turn into immediate action
    • Not as valuable without multiple surveys to see trends or change

    Which survey method should you choose?

    Only relying on one type of survey will leave gaps in your understanding of customer satisfaction. Include both transactional and relationship surveys to provide a holistic picture of customer satisfaction with the service desk.

    If you can only start with one type, choose the type that best aligns with your goals and priorities:

    If your priority is to identify larger improvement initiatives the service desk can take to improve overall customer satisfaction and trust in the service desk:

    If your priority is to provide customers with the opportunity to let you know when transactions do not go well so you can take immediate action to make improvements:

    Start with a relationship survey

    Start with a transactional survey

    The image contains a screenshot of a bar graph on SDI's 2018 Customer Experience in ITSM report.

    Info-Tech Insight

    One-off surveys can be useful to assess whether a specific change has impacted satisfaction, or to inform a planned change/initiative. However, as they aren’t typically part of an on-going customer feedback program, the focus of this research will be on transactional and relationship surveys.

    3 common customer satisfaction measures

    The three most utilized measures of customer satisfaction include CSAT, CES, and NPS.

    CSAT CES NPS
    Name Customer Satisfaction Customer Effort Score Net Promoter score
    What it measures Customer happiness Customer effort Customer loyalty
    Description Measures satisfaction with a company overall, or a specific offering or interaction Measures how much effort a customer feels they need to put forth in order to accomplish what they wanted Single question that asks consumers how likely they are to recommend your product, service, or company to other people
    Survey question How satisfied are/were you with [company/service/interaction/product]? How easy was it to [solve your problem/interact with company/handle my issue]? Or: The [company] made it easy for me to handle my issue How likely are you to recommend [company/service/product] to a friend?
    Scale 5, 7, or 10 pt scale, or using images/emojis 5, 7, or 10 pt scale 10-pt scale from highly unlikely to highly likely
    Scoring Result is usually expressed as a percentage of satisfaction Result usually expressed as an average Responses are divided into 3 groups where 0-6 are detractors, 7-8 are passives, 9-10 are promoters
    Pros
    • Well-suited for specific transactions
    • Simple and able to compare scores
    • Simple number, easy to analyze
    • Effort tends to predict future behavior
    • Actionable data
    • Simple to run and analyze
    • Widely used and can compare to other organizations
    • Allows for targeting customer segments
    Cons
    • Need high response rate to have representative numberEasy to ask the wrong questions
    • Not as useful without qualitative questions
    • Only measures a small aspect of the interaction
    • Only useful for transactions
    • Not useful for improvement without qualitative follow-up questions
    • Not as applicable to a service desk as it measures brand loyalty

    When to use each satisfaction measure

    The image contains a screenshot of a diagram that demonstrates which measure to use based off of what you would like to access, and which surveys it aligns with.

    How to choose which measure(s) to incorporate in your surveys

    The best measures are the ones that align with your specific goals for collecting feedback.

    • Most companies will use multiple satisfaction measures. For example, NPS can be tracked to monitor the overall customer sentiment, and CSAT used for more targeted feedback.
    • For internal-facing IT departments, CSAT is the most popular of the three methods, and NPS may not be as useful.
    • Choose your measure and survey types based on what you are trying to achieve and what kind of information you need to make improvements.
    • Remember that one measure alone isn’t going to give you actionable feedback; you’ll need to follow up with additional measures (especially for NPS and CES).
    • For CSAT surveys, customize the satisfaction measures in as many ways as you need to target the questions toward the areas you’re most interested in.
    • Don’t stick to just these three measures or types of surveys – there are other ways to collect feedback. Experiment to find what works for you.
    • If you’re designing your own survey, keep in mind the principles on the next slide.

    Info-Tech Insight

    While we focus mainly on traditional survey-based approaches to measuring customer satisfaction in this blueprint, there’s no need to limit yourselves to surveys as your only method. Consider multiple techniques to capture a wider audience, including:

    • Customer journey mapping
    • Focus groups with stakeholders
    • Lunch and learns or workshop sessions
    • Interviews – phone, chat, in-person
    • Kiosks

    Principles for survey design

    As you design your satisfaction survey – whether transactional or relational – follow these guidelines to ensure the survey delivers value and gets responses.

    1. Focus on your goal

      2. Don’t include unnecessary questions that won’t give you actionable information; it will only waste respondents’ time.

    2. Be brief

      3. Keep each question as short as possible and limit the total number of survey questions to avoid survey fatigue.

    3. Include open-ended questions

      4. Most of your measures will be close-ended, but include at least one comment box to allow for qualitative feedback.

    4. Keep questions clear and concise

      5. Ensure that question wording is clear and specific so that all respondents interpret it the same way.

    5. Avoid biased or leading questions

      6. You won’t get accurate results if your question leads respondents into thinking or answering a certain way.

    6. Avoid double-barreled questions

      7. Don’t ask about two different things in the same question – it will confuse respondents and make your data hard to interpret.

    7. Don’t restrict responses

      8. Response options should include all possible opinions (including “don’t know”) to avoid frustrating respondents.

    8. Make the survey easy to complete

      9. Pre-populate information where possible (e.g. name, department) and ensure the survey is responsive on mobile devices.

    9. Keep questions optional

      10. If every question is mandatory, respondents may leave the survey altogether if they can’t or don’t want to answer one question.

    10. Test your survey

      11. Test your survey with your target audience before launching, and incorporate feedback - they may catch issues you didn’t notice.

    Prevent survey fatigue to increase response rates

    If it takes too much time or effort to complete your survey – whether transactional or relational – your respondents won’t bother. Balance your need to collect relevant data with users’ needs for a simple and worthwhile task in order to get the most value out of your surveys.

    There are two types of survey fatigue:

    1. Survey response fatigue

      2. Occurs when users are overwhelmed by too many requests for feedback and stop responding.

    2. Survey taking fatigue

      3. Occurs when the survey is too long or irrelevant to users, so they grow tired and abandon the survey.

    Fight survey fatigue:

    • Make it as easy as possible to answer your survey:
      • Keep the survey as short as possible.
      • For transactional surveys, allow respondents to answer directly from email without having to click a separate link if possible.
      • Don’t make all questions mandatory or users may abandon it if they get to a difficult or unapplicable question.
      • Test the survey experience across devices for mobile users.
    • Communicate the survey’s value so users will be more likely to donate their time.
    • Act on feedback: follow up on both positive and negative responses so users see the value in responding.
    • Consider attaching an incentive to responding (e.g. name entered in a monthly draw).

    Design and implement transactional surveys

    Phase 2

    Learn why and how to design a simple survey to assess satisfaction with individual service desk transactions (tickets) and a methodology for survey delivery that will improve response rates.

    Phase 1:

    Phase 2:

    Phase 3:

    Phase 4:

    Understand how to measure customer satisfaction

    Design and implement transactional surveys

    Design and implement relationship surveys

    Analyze and act on feedback

    Use transactional surveys to collect immediate and actionable feedback

    Recall the definition of a transactional survey:

    • Survey that is tied to a specific customer interaction with the service desk (i.e. a ticket).
    • Assesses how satisfied customers are with how the ticket was handled and resolved.
    • Sent immediately after ticket is closed.
    • Short – usually 1 to 3 questions.

    Info-Tech Insight

    While feedback on transactional surveys is specific to a single transaction, even one negative experience can impact the overall perception of the service desk. Pair your transactional surveys with an annual relationship survey to capture broader sentiment toward the service desk.

    Transactional surveys serve several purposes:

    • Gives end users a mechanism to provide feedback when they want to.
    • Provides continual insight into customer satisfaction throughout the year to monitor for trends or issues in between broader surveys.
    • Provides IT leaders with actionable insights into areas for improvement in their processes, knowledge and skills, or customer service.
    • Gives the service desk the opportunity to address any negative experiences or perceptions with customers, to repair the relationship.
    • Feeds into individual or team coaching for service desk staff.

    Make key decisions ahead of launching your transactional surveys

    If you want to get the most of your surveys, you need to do more than just click a button to enable out-of-the-box surveys through your ITSM tool. Make these decisions ahead of time:

    Decision Considerations For more guidance, see
    What are the goals of your survey? Are you hoping to get an accurate pulse of customer sentiment (if so, you may want to randomly send surveys) or give customers the ability to provide feedback any time they have some (if so, send a survey after every ticket)? Slide 25
    How many questions will you ask? Keep the survey as short as possible – ideally only one mandatory question. Slide 26
    What questions will you ask? Do you want a measure of NPS, CES, or CSAT? Do you want to measure overall satisfaction with the interaction or something more specific about the interaction? Slide 27
    What will be the response options/scale? Keep it simple and think about how you will use the data after. Slide 28
    How often will you send the survey? Will it be sent after every ticket, every third ticket, or randomly to a select percentage of tickets, etc.? Slide 29
    What conditions would apply? For example, is there a subset of users who you never want to receive a survey or who you always want to receive a survey? Slide 30
    What mechanism/tool will you use to send the survey? Will your ITSM tool allow you to make all the configurations you need, or will you need to use a separate survey tool? If so, can it integrate to your ITSM solution? Slide 30

    Key decisions, continued

    Decision Considerations For more guidance, see
    What will trigger the survey? Typically, marking the ticket as either ‘resolved’ or ‘closed’ will trigger the survey. Slide 31
    How long after the ticket is closed will you send the survey? You’ll want to leave enough time for the user to respond if the ticket wasn’t resolved properly before completing a survey, but not so much time that they don’t remember the ticket. Slide 31
    Will the survey be sent in a separate email or as part of the ticket resolution email? A separate email might feel like too many emails for the user, but a link within the ticket closure email may be less noticeable. Slide 32
    Will the survey be embedded in email or accessed through a link? If the survey can be embedded into the email, users will be more likely to respond. Slide 32
    How long will the survey link remain active, and will you send any reminders? Leave enough time for the user to respond if they are busy or away, but not so much time that the data would be irrelevant. Balance the need to remind busy end users with the possibility of overwhelming them with survey fatigue. Slide 32
    What other text will be in the main body of the survey email and/or thank you page? Keep messaging short and straightforward and remind users of the benefit to them. Slide 33
    Where will completed surveys be sent/who will have access? Will the technician assigned to the ticket have access or only the manager? What email address/DL will surveys be sent to? Slide 33

    Define the goals of your transactional survey program

    Every survey should have a goal in mind to ensure only relevant and useful data is collected.

    • Your survey program must be backed by clear and actionable goals that will inform all decisions about the survey.
    • Survey questions should be structured around that goal, with every question serving a distinct purpose.
    • If you don’t have a clear plan for how you will action the data from a particular question, exclude it.
    • Don’t run a survey just for the sake of it; wait until you have a clear plan. If customers respond and then see nothing is done with the data, they will learn to avoid your surveys.

    Your survey objectives will also determine how often to send the survey:

    If your objective is:

    Keep a continual pulse on average customer satisfaction

    Gain the opportunity to act on negative feedback for any poor experience

    Then:

    Send survey randomly

    Send survey after every ticket

    Rationale:

    Sending a survey less often will help avoid survey fatigue and increase the chances of users responding whether they have good, bad, or neutral feedback

    Always having a survey available means users can provide feedback every time they want to, including for any poor experience – giving you the chance to act on it.

    Info-Tech Insight

    Service Managers often get caught up in running a transactional survey program because they think it’s standard practice, or they need to report a satisfaction metric. If that’s your only objective, you will fail to derive value from the data and will only turn customers away from responding.

    Design survey content and length

    As you design your survey, keep in mind the following principles:

    1. Keep it short. Your customers won’t bother responding if they see a survey with multiple questions or long questions that require a lot of reading, effort, or time.
    2. Make it simple. This not only makes it easier for your customers to complete, but easier for you to track and monitor.
    3. Tie your survey to your goals. Remember that every question should have a clear and actionable purpose.
    4. Don’t measure anything you can’t control. If you won’t be able to make changes based on the feedback, there’s no value asking about it.
    5. Include an (optional) open-ended question. This will allow customers to provide more detailed feedback or suggestions.

    Q: How many questions should the survey contain?

    A: Ideally, your survey will have only one mandatory question that captures overall satisfaction with the interaction.

    This question can be followed up with an optional open-ended question prompting the respondent for more details. This will provide a lot more context to the overall rating.

    If there are additional questions you need to ask based on your goals, clearly make these questions optional so they don’t deter respondents from completing the survey. For example, they can appear only after the respondent has submitted their overall satisfaction response (i.e. on a separate, thank you page).

    Additional (optional) measures may include:

    • Customer effort score (how easy or difficult was it to get your issue resolved?)
    • Customer service skills of the service desk
    • Technical skills/knowledge of the agents
    • Speed or response or resolution

    Design question wording

    Tips for writing survey questions:

    • Be clear and concise
    • Keep questions as short as possible
    • Cut out any unnecessary words or phrasing
    • Avoid biasing, or leading respondents to select a certain answer
    • Don’t attempt to measure multiple constructs in a single question.

    Sample question wording:

    How satisfied are you with this support experience?

    How would you rate your support experience?

    Please rate your overall satisfaction with the way your issue was handled.

    Instead of this….

    Ask this….

    “We strive to provide excellent service with every interaction. Please rate how satisfied you are with this interaction.”

    “How satisfied were you with this interaction?”

    “How satisfied were you with the customer service skills, knowledge, and responsiveness of the technicians?”

    Choose only one to ask about.

    “How much do you agree that the service you received was excellent?”

    “Please rate the service you received.”

    “On a scale of 1-10, thinking about your most recent experience, how satisfied would you say that you were overall with the way that your ticket was resolved?”

    “How satisfied were you with your ticket resolution?”

    Choose response options

    Once you’ve written your survey question, you need to design the response options for the question. Put careful thought into balancing ease of responding for the user with what will give you the actionable data you need to meet your goals. Keep the following in mind:

    When planning your response options, remember to keep the survey as easy to respond to as possible – this means allowing a one-click response and a scale that’s intuitive and simple to interpret.

    Think about how you will use the responses and interpret the data. If you choose a 10-point scale, for example, what would you classify as a negative vs positive response? Would a 5-point scale suffice to get the same data?

    Again, use your goals to inform your response options. If you need a satisfaction metric, you may need a numerical scale. If your goal is just to capture negative responses, you may only need two response options: good vs bad.

    Common response options:

    • Numerical scale (e.g. very dissatisfied to very satisfied on a 5-point scale)
    • Star rating (E.g. rate the experience out of 5 stars)
    • Smiley face scale
    • 2 response options: Good vs Bad (or Satisfied vs Dissatisfied)

    Investigate the capabilities of your ITSM tool. It may only allow one built-in response option style. But if you have the choice, choose the simplest option that aligns with your goals.

    Decide how often to send surveys

    There are two common choices for when to send ticket satisfaction surveys:

    After random tickets

    After every ticket

    Pros
    • May increase response rate by avoiding survey fatigue.
    • May be more likely to capture a range of responses that more accurately reflect sentiment (versus only negative).
    • Gives you the opportunity to receive feedback whenever users have it.
    • If your goal is to act on negative feedback whenever it arises, that’s only possible if you send a survey after every ticket.

    Cons
    • Overrepresents frequent service desk users and underrepresents infrequent users.
    • Users who have feedback to give may not get the chance to give it/service desk can’t act on it.
    • Customers who frequently contact the service desk will be overwhelmed by surveys and may stop responding.
    • Customers may only reply if they have very negative or positive feedback.

    SDI’s 2018 Customer Experience in ITSM survey of service desk professionals found:

    Almost two-thirds (65%) send surveys after every ticket.

    One-third (33%) send surveys after randomly selected tickets are closed.

    Info-Tech Recommendation:

    Send a survey after every ticket so that anyone who has feedback gets the opportunity to provide it – and you always get the chance to act on negative feedback. But, limit how often any one customer receives a ticket to avoid over-surveying them – restrict to anywhere between one survey a week to one per month per customer.

    Plan detailed survey logistics

    Decision #1

    Decision #2

    What tool will you use to deliver the survey?

    What (if any) conditions apply to your survey?

    Considerations

    • How much configuration does your ITSM tool allow? Will it allow you to configure the survey according to your decisions? Many ITSM tools, especially mid-market, do not allow you to change the response options or how often the survey is sent.
    • How does the survey look and act on mobile devices? If a customer receives the survey on their phone, they need to be able to easily respond from there or they won’t bother at all.
    • If you wish to use a different survey tool, does it integrate with your ITSM solution? Would agents have to manually send the survey? If so, how would they choose who to send the survey to, and when?

    Considerations

    Is there a subset of users who you never want to receive a survey (e.g. a specific department, location, role, or title)?

    Is there a subset of users who you always want to receive a survey, no matter how often they contact the service desk (e.g. VIP users, a department that scored low on the annual satisfaction survey, etc.)?

    Are there certain times of the year that you don’t want surveys to go out (e.g. fiscal year end, holidays)?

    Are there times of the day that you don’t want surveys to be sent (e.g. only during business hours; not at the end of the day)?

    Recommendations

    The built-in functionality of your ITSM tool’s surveys will be easiest to send and track; use it if possible. However, if your tool’s survey module is limited and won’t give you the value you need, consider a third-party solution or survey tool that integrates with your ITSM solution and won’t require significant manual effort to send or review the surveys.

    Recommendations

    If your survey module allows you to apply conditions, think about whether any are necessary to apply to either maximize your response rate (e.g. don’t send a survey on a holiday), avoid annoying certain users, or seek extra feedback from dissatisfied users.

    Plan detailed survey logistics

    Decision #2

    Decision #1

    What will trigger the survey?

    When will the survey be sent?

    Considerations

    • Usually a change of ticket status triggers the survey, but you may have the option to send it after the ticket is marked ‘resolved’ or ‘closed’. The risk of sending the survey after the ticket is ‘resolved’ is the issue may not actually be resolved yet, but waiting until it’s ‘closed’ means the user may be less likely to respond as more time has passed.
    • Some tools allow for a survey to be sent after every agent reply.
    • Some have the option to manually generate a survey, which may be useful in some cases; those cases would need to be well defined.

    Considerations

    • Once you’ve decided the trigger for the survey, decide how much time should pass after that trigger before the survey is sent.
    • The amount of time you choose will be highly dependent on the trigger you choose. For example, if you want the ‘resolved’ status to send a survey, you may want to wait 24h to send the survey in case the user responds that their issue hasn’t been properly resolved.
    • If you choose ‘closed’ as your trigger, you may want the survey to be sent immediately, as waiting any longer could further reduce the response rate.
    • Your average resolution time may also impact the survey wait time.

    Recommendations

    Only send the survey once you’re sure the issue has actually been resolved; you could further upset the customer if you ask them how happy they are with the resolution if resolution wasn’t achieved. This means sending the survey once the user confirms resolution (which closes ticket) or the agent closes the ticket.

    Recommendations

    If you are sending the survey upon ticket status moving to ‘resolved’, wait at least 24 hours before sending the survey in case the user responds that their issue wasn’t actually resolved. However, if you are sending the survey after the ticket has been verified resolved and closed, you can send the survey immediately while the experience is still fresh in their memory.

    Plan detailed survey logistics

    Decision #1

    Decision #2

    How will the survey appear in email?

    How long will the survey remain active?

    Considerations

    • If the survey link is included within the ticket resolution email, it’s one less email to fatigue users, but users may not notice there is a survey in the email.
    • If the survey link is included in its own separate email, it will be more noticeable to users, but could risk overwhelming users with too many emails.
    • Can users view the entire survey in the email and respond directly within the email, or do they need to click on a link and respond to the survey elsewhere?

    Considerations

    • Leaving the survey open at least a week will give users who are out of office or busy more time to respond.
    • However, if users respond to the survey too long after their ticket was resolved, they may not remember the interaction well enough to give any meaningful response.
    • Will you send any reminders to users to complete the survey? It may improve response rate, or may lead to survey fatigue from reaching out too often.

    Recommendations

    Send the survey separately from the ticket resolution email or users will never notice it. However, if possible, have the entire survey embedded within the email so users can click to respond directly from their email without having to open a separate link. Reduce effort, to make users more likely to respond.

    Recommendations

    Leave enough time for the user to respond if they are busy or away, but not so much time that the data will be irrelevant. Balance the need to remind busy end users, with the possibility of overwhelming them with survey fatigue. About a week is typical.

    Plan detailed survey logistics

    Decision #1

    Decision #2

    What will the body of the email/messaging say?

    Where will completed surveys be sent?

    Considerations

    • Communicate the value of responding to the survey.
    • Remember, the survey should be as short and concise as possible. A lengthy body of text before the actual survey can deter respondents.
    • Depending on your survey configuration, you may have a ‘thank you’ page that appears after respondents complete the survey. Think about what messaging you can save for that page and what needs to be up front.
    • Ensure there is a clear reference to which ticket the survey is referencing (with the subject of the ticket, not just ticket number).

    Considerations

    • Depending on the complexity of your ITSM tool, you may designate email addresses to receive completed surveys, or configure entire dashboards to display results.
    • Decide who needs to receive all completed surveys in order to take action.
    • Decide whether the agent who resolved the ticket will have access to the full survey response. Note that if they see negative feedback, it may affect morale.
    • Are there any other stakeholders who should receive the immediate completed surveys, or can they view summary reports and dashboards of the results?

    Recommendations

    Most users won’t read a long message, especially if they see it multiple times, so keep the email short and simple. Tell users you value their feedback, indicate which interaction you’re asking about, and say how long the survey should take. Thank them after they submit and tell them you will act on their feedback.

    Recommendations

    Survey results should be sent to the Service Manager, Customer Experience Lead, or whoever is the person responsible for managing the survey feedback. They can choose how to share feedback with specific agents and the service desk team.

    Response rates for transactional surveys are typically low…

    Most IT organizations see transactional survey response rates of less than 20%.

    The image contains a screenshot of a SDI survey taken to demonstrate customer satisfaction respond rate.

    Source: SDI, 2018

    SDI’s 2018 Customer Experience in ITSM survey of service desk professionals found that 69% of respondents had survey response rates of 20% or less. However, they did not distinguish between transactional and relationship surveys.

    Reasons for low response rates:

    • Users tend to only respond if they had a very positive or very negative experience worth writing about, but don’t typically respond for interactions that go as expected or were average.
    • Survey is too long or complicated.
    • Users receive too many requests for feedback.
    • Too much time has passed since the ticket was submitted/resolved and the user doesn’t remember the interaction.
    • Users think their responses disappear into a black hole or aren’t acted upon so they don’t see the value in taking the time to respond. Or, they don’t trust the confidentiality of their responses.

    “In my experience, single digits are a sign of a problem. And a downward trend in response rate is also a sign of a problem. World-class survey response rates for brands with highly engaged customers can be as high as 60%. But I’ve never seen it that high for internal support teams. In my experience, if you get a response rate of 15-20% from your internal customers then you’re doing okay. That’s not to say you should be content with the status quo, you should always be looking for ways to increase it.”

    – David O’Reardon, Founder & CEO of Silversix

    … but there are steps you can take to maximize your response rate

    It is still difficult to achieve high response rates to transactional surveys, but you can at least increase your response rate with these strategies:

    1. Reduce frequency

      2. Don’t over-survey any one user or they will start to ignore the surveys.

    2. Send immediately

      3. Ask for feedback soon after the ticket was resolved so it’s fresh in the user’s memory.

    3. Make it short and simple

      4. Keep the survey short, concise, and simple to respond to.

    4. Make it easy to complete

      5. Minimize effort involved as much as possible. Allow users to respond directly from email and from any device.

    5. Change email messaging

      6. Experiment with your subject line or email messaging to draw more attention.

    6. Respond to feedback

      7. Respond to customers who provide feedback – especially negative – so they know you’re listening.

    7. Act on feedback

      8. Demonstrate that you are acting on feedback so users see the value in responding.

    Use Info-Tech’s survey template as a starting point

    Once you’ve worked through all the decisions in this step, you’re ready to configure your transactional survey in your ITSM solution or survey tool.

    As a starting point, you can leverage Info-Tech’s Transactional Service Desk Survey Templatee to design your templates and wording.

    Make adjustments to match your decisions or your configuration limitations as needed.

    Refer to the key decisions tables on slides 24 and 25 to ensure you’ve made all the configurations necessary as you set up your survey.

    The image contains a screenshot of Info-Tech's survey templates.

    Design and implement relationship surveys

    Phase 3

    Understand why and how to design a survey to assess overall satisfaction with the service desk across your organization, or use Info-Tech’s diagnostic.

    Phase 1:

    Phase 2:

    Phase 3:

    Phase 4:

    Understand how to measure customer satisfaction

    Design and implement transactional surveys

    Design and implement relationship surveys

    Analyze and act on feedback

    How can we evaluate overall Service Desk service quality?

    Evaluating service quality in any industry is challenging for both those seeking feedback and those consuming the service: “service quality is more difficult for the consumer to evaluate than goods quality.”

    You are in the position of trying to measure something intangible: customer perception, which “result[s] from a comparison of consumer expectations with actual service performance,” which includes both the service outcome and also “the process of service delivery”

    (Source: Parasuraman et al, 1985, 42).

    Your mission is to design a relationship survey that is:

    • Comprehensive but not too long.
    • Easy to understand but complex enough to capture enough detail.
    • Able to capture satisfaction with both the outcome and the experience of receiving the service.

    Use relationship surveys to measure overall service desk service quality

    Recall the definition of a relationship survey:

    • Survey that is sent periodically (i.e. semi-annually or annually) to the entire customer base to measure the overall relationship with the service desk.
    • Shows you where your customer experience is doing well and where it needs improving.
    • Asks customers to rate you based on their overall experience rather than on a specific product or interaction.
    • Longer and more comprehensive than transactional surveys, covering multiple dimensions/ topics.

    Relationship surveys serve several purposes:

    • Gives end users an opportunity to provide overall feedback on a wider range of experiences with IT.
    • Gives IT the opportunity to respond to feedback and show users their voices are heard.
    • Provides insight into year-over-year trends and customer satisfaction.
    • Provides IT leaders the opportunity to segment the results by demographic (e.g. by department, location, or seniority) and target improvements where needed most.
    • Feeds into strategic planning and annual reports on user experience and satisfaction

    Info-Tech Insight

    Annual relationship surveys provide great value in the form of year-over-year internal benchmarking data, which you can use to track improvements and validate the impact of your service improvement efforts.

    Understand the gaps that decrease service quality

    The Service Quality Model (Parasuraman, Zeithaml and Berry, 1985) shows how perceived service quality is negatively impacted by the gap between expectations for quality service and the perceptions of actual service delivery:

    Gap 1: Consumer expectation – Management perception gap:

    Are there differences between your assumptions about what users want from a service and what those users expect?

    Gap 2: Management perception – Service quality specification gap:

    Do you have challenges translating user expectations for service into standardized processes and guidelines that can meet those expectations?

    Gap 3: Service quality specifications – Service delivery gap:

    Do staff members struggle to carry out the service quality processes when delivering service?

    Gap 4: Service delivery – External communications gap:

    Have users been led to expect more than you can deliver? Alternatively, are users unaware of how the organization ensures quality service, and therefore unable to appreciate the quality of service they receive?

    Gap 5: Expected service – Perceived service gap:

    Is there a discrepancy between users’ expectations and their perception of the service they received (regardless of any user misunderstanding)?

    		The image contains a screenshot of the Service Quality Model to demonstrate the consumer and consumers.

    Your survey questions about service and support should provide insight into where these gaps exist in your organization

    Make key decisions ahead of launch

    Decision/step Considerations
    Align the relationship survey with your goals Align what is motivating you to launch the survey at this time and the outcomes it is intended to feed into.
    Identify what you’re measuring Clarify the purpose of the questions. Are you measuring feedback on your service desk, specifically? On all of IT? Are you trying to capture user effort? User satisfaction? These decisions will affect how you word your questions.
    Determine a framework for your survey Reporting on results and tracking year-over-year changes will be easier if you design a basic framework that your survey questions fall into. Consider drawing on an existing service quality framework to match best practices in other industries.
    Cover logistical details Designing a relationship survey requires attention to many details that may initially be overlooked: the survey’s length and timing, who it should be sent to and how, what demographic info you need to collect to slice and dice the results, and if it will be possible to conduct the survey anonymously.
    Design question wording It is important to keep questions clear and concise and to avoid overly lengthy surveys.
    Select answer scales The answer scales you select will depend on how you have worded the questions. There is a wide range of answer scales available to you; decide which ones will produce the most meaningful data.
    Test the survey Testing the survey before widely distributing it is key. When collecting feedback, conduct at least a few in person observations of someone taking the survey to get their unvarnished first impressions.
    Monitor and maximize your response rate Ensure success by staying on top of the survey during the period it is open.

    Align the relationship survey with your goals

    What is motivating you to launch the survey at this time?

    Is there a renewed focus on customer service satisfaction? If so, this survey will track the initiative’s success, so its questions must align with the sponsors’ expectations.

    Are you surveying customer satisfaction in order to comply with legislation, or directives to measure customer service quality?

    What objectives/outcomes will this survey feed into?

    What do you need to report on to your stakeholders? Have they communicated any expectations regarding the data they expect to see?

    Does the CIO want the annual survey to measure end-user satisfaction with all of IT?

    • Or do you only want to measure satisfaction with one set of processes (e.g. Service Desk)?
    • Are you seeking feedback on a project (e.g. implementation of new ERP)?
    • Are you seeking feedback on the application portfolio?

    In 1993 the U.S. president issued an Executive Order requiring executive agencies to “survey customers to determine the kind and quality of services they want and their level of satisfaction with existing services” and “post service standards and measure results against them.” (Clinton, 1993)

    Identify what you’re measuring

    Examples of Measures

    Clarify the purpose of the questions

    Each question should measure something specific you want to track and be phrased accordingly.

    		Are you measuring feedback on the service desk?

    Service desk professionalism

    Are you measuring user satisfaction?

    Service desk timeliness

    Your customers’ happiness with aspects of IT’s service offerings and customer service

    Trust in agents’ knowledge

    Users’ preferred ticket intake channel (e.g. portal vs phone)

    Satisfaction with self-serve features

    Are you measuring user effort?

    Are you measuring feedback on IT overall?

    Satisfaction with IT’s ability to enable the business

    How much effort your customer needs to put forth to accomplish what they wanted/how much friction your service causes or alleviates

    Satisfaction with company-issued devices
    Satisfaction with network/Wi-Fi

    Satisfaction with applications

    Info-Tech Insight

    As you compose survey questions, decide whether they are intended to capture user satisfaction or effort: this will influence how the question is worded. Include a mix of both.

    Determine a framework for your survey

    If your relationship survey covers satisfaction with service support, ensure the questions cover the major aspects of service quality. You may wish to align your questions on support with existing frameworks: for example, the SERVQUAL service quality measurement instrument identifies 5 dimensions of service quality: Reliability, Assurance, Tangibles, Empathy, and Responsiveness (see below). As you design the survey, consider if the questions relate to these five dimensions. If you have overlooked any of the dimensions, consider if you need to revise or add questions.

    Service dimension

    Definition

    Sample questions

    Reliability

    “Ability to perform the promised service dependably and accurately”1
    • How satisfied are you with the effectiveness of Service Desk’s ability to resolve reported issues?

    Assurance

    “Knowledge and courtesy of employees and their ability to convey trust and confidence”2
    • How satisfied are you with the technical knowledge of the Service Desk staff?
    • When you have an IT issue, how likely are you to contact Service Desk by phone?

    Tangibles

    “Appearance of physical facilities, equipment, personnel, and communication materials”3
    • How satisfied are you that employees in your department have all the necessary technology to ensure optimal job performance?
    • How satisfied are you with IT’s ability to communicate to you regarding the information you need to perform your job effectively?

    Empathy

    “Caring, individualized attention the firm provides its customers”4
    • How satisfied are you that IT staff interact with end users in a respectful and professional manner?

    Responsiveness

    “Willingness to help customers and provide prompt service”5
    • How satisfied are you with the timeliness of Service Desk’s resolution to reported issues?
    1-5. Arlen, Chris,2022. Paraphrasing Zeithaml, Parasuraman, and Berry, 1990.

    Cover logistical details of the survey

    Identify who you will send it to

    Will you survey your entire user base or a specific subsection? For example, a higher education institution may choose to survey students separately from staff and faculty. If you are gathering data on customer satisfaction with a specific implementation, only survey the affected stakeholders.

    Determine timing

    Avoid sending out the survey during known periods of time pressure or absence (e.g. financial year-end, summer vacation).

    Decide upon its length

    Consider what survey length your users can tolerate. Configure the survey to show the respondents’ progression or their percentage complete.

    Clearly introduce the survey

    The survey should begin with an introduction that thanks users for completing the survey, indicates its length and anonymity status, and conveys how the data will be used, along with who the participants should contact with any questions about the survey.

    Decide upon incentives

    Will you incentivize participation (e.g. by entering the participants in a draw or rewarding highest-participating department)?

    Collect demographic information

    Ensure your data can be “sliced and diced” to give you more granular insights into the results. Ask respondents for information such as department, location, seniority, and tenure to help with your trend analysis later.

    Clarify if anonymous

    Users may be more comfortable participating if they can do so anonymously (Quantisoft, n.d.). If you promise anonymity, ensure your survey software/ partner can support this claim. Note the difference between anonymity (identity of participant is not collected) and confidentiality (identifying data is collected but removed from the reported results).

    Decide how to deliver the survey

    Will you be distributing the survey yourself through your own licensed software (e.g. through Microsoft Forms if you are an MS shop)? Or, will you be partnering with a third-party provider? Is the survey optimized for mobile? Some find up to 1/3 of participants use mobile devices for their surveys (O’Reardon, 2018).

    Use the Sample Size Calculator to determine your ideal sample size

    Use Info-Tech’s Sample Size Calculator to calculate the number of people you need to complete your survey to have statistically representative results.

    The image contains a screenshot of the Sample Size Calculator.

    In the example above, the service desk supports 1000 total users (and sent the survey to each one). To be 95% confident that the survey results fall within 5% of the true value (if every user responded), they would need 278 respondents to complete their survey. In other words, to have a sample that is representative of the whole population, they would need 278 completed surveys.

    Explanation of terms:

    Confidence Level: A measure of how reliable your survey is. It represents the probability that your sample accurately reflects the true population (e.g. your entire user base). The industry standard is typically 95%. This means that 95 times out of 100, the true data value that you would get if you surveyed the entire population would fall within the margin of error.

    Margin of Error: A measure of how accurate the data is, also known as the confidence interval. It represents the degree of error around the data point, or the range of values above and below the actual results from a survey. A typical margin of error is 5%. This means that if your survey sample had a score of 70%, the true value if you sampled the entire population would be between 65% and 75%. To narrow the margin of error, you would need a bigger sample size.

    Population Size: The total set of people you want to study with your survey. For example, the total number of users you support.

    Sample Size: The number of people who participate in your survey (i.e. complete the survey) out of the total population.

    Info-Tech’s End-User Satisfaction Diagnostics

    If you choose to leverage a third-party partner, an Info-Tech satisfaction survey may already be part of your membership. There are two options, depending on your needs:

    I need to measure and report customer satisfaction with all of IT:

    • IT’s ability to enable the organization to meet its existing goals, innovate, adapt to business needs, and provide the necessary technology.
    • IT’s ability to provide training, respond to feedback, and behave professionally.
    • Satisfaction with IT services and applications.

    Both products measure end-user satisfaction

    One is more general to IT

    One is more specific to service desk

    I need to measure and report more granularly on Service Desk customer satisfaction:

    • Efficacy and timeliness of resolutions
    • Technical and communication skills
    • Ease of contacting the service desk
    • Effectiveness of portal/ website
    • Ability to collect and apply user feedback

    Choose Info-Tech's End User Satisfaction Survey

    Choose Info-Tech’s Service Desk Satisfaction Survey

    Design question wording

    Write accessible questions:

    Instead of this….

    Ask this….

    48% of US adults meet or exceed PIACC literacy level 3 and thus able to deal with texts that are “often dense or lengthy.”

    52% of US adults meet level 2 or lower.

    Keep questions clear and concise. Avoid overly lengthy surveys.

    Source: Highlights of the 2017 U.S. PIAAC Results Web Report
    1. How satisfied are you with the response times of the service desk?
    2. How satisfied are you with the timeliness of the service desk?

    Users will have difficulty perceiving the difference between these two questions.

    1. How satisfied are you with the time we take to acknowledge receipt of your ticket?
    2. How satisfied are you with the time we take to completely resolve your ticket?

    Tips for writing survey questions:

    “How satisfied are you with the customer service skills, knowledge, and responsiveness of the technicians?”

    This question measures too many things and the data will not be useful.

    Choose only one to ask about.

    • Cut out any unnecessary words or phrasing. Highlight/bold key words or phrases.
    • Avoid biasing or leading respondents to select a certain answer.
    • Don’t attempt to measure multiple constructs in a single question.

    “On a scale of 1-10, thinking about the past year, how satisfied would you say that you were overall with the way that your tickets were resolved?”

    This question is too wordy.

    “How satisfied were you with your ticket resolution?”

    Choose answer scales that best fit your questions and reporting needs

    Likert scale

    Respondents select from a range of statements the position with which they most agree:

    E.g. How satisfied are you with how long it generally takes to resolve your issue completely?

    E.g. Very dissatisfied/Somewhat dissatisfied/ Neutral/ Somewhat satisfied/ Very satisfied/ NA

    Frequency scale

    How often does the respondent have to do something, or how often do they encounter something?

    E.g. How frequently do you need to re-open tickets that have been closed without being satisfactorily resolved?

    E.g. Never/ Rarely/ Sometimes/ Often/ Always/ NA

    Numeric scale

    By asking users to rate their satisfaction on a numeric scale (e.g., 1-5, 1-10), you can facilitate reporting on averages:

    E.g. How satisfied are you with IS’s ability to provide services to allow the organization to meet its goals?

    E.g. 1 – Not at all Satisfied to 10 – Fully Satisfied / NA

    Forced ranking

    Learn more about your users’ priorities by asking them to rank answers from most to least important, or selecting their top choices (Sauro, 2018):

    E.g. From the following list, drag and drop the 3 aspects of our service that are most important to you into the box on the right.

    Info-Tech Insight

    Always include an optional open-ended question, which allows customers to provide more feedback or suggestions.

    Test the survey before launching

    Review your questions for repetition and ask for feedback on your survey draft to discover if readers interpret the questions differently than you intended.

    Test the survey with different stakeholder groups:

    • IT staff: To discover overlooked topics.
    • Representatives of your end-user population: To discover whether they understand the intention of the questions.
    • Executives: To validate whether you are capturing the data they are interested in reporting on.

    Testing methodology:

    • Ask your test subjects to take the survey in your presence so you can monitor their experience as they take it.
    • Ask them to narrate their experience as they take the survey.
    • Watch for:
      • The time it takes to complete the survey.
      • Moments when they struggle or are uncertain with the survey’s wording.
      • Questions they find repetitive or pointless.

    Info-Tech Insight

    In the survey testing phase, try to capture at least a few real-time responses to the survey. If you collect survey feedback only once the test is over, you may miss some key insights into the user experience of navigating the survey.

    “Follow the golden rule: think of your audience and what they may or may not know. Think about what kinds of outside pressures they may bring to the work you’re giving them. What time constraints do they have?”

    – Sally Colwell, Project Officer, Government of Canada Pension Centre

    Monitor and maximize your response rate

    Ensure success by staying on top of the survey during the period it is open.

    • When will your users complete the survey? You know your own organization’s culture best, but SurveyMonkey found that weekday survey responses peaked at mid-morning and mid-afternoon (Wronski). Ensure you send the communication at a time it will not be overlooked. For example, some studies found Mondays to have higher response rates; however, the data is not consistent (Amaresan, 2021). Send the survey at a time you believe your users are least likely to be inundated with other notifications.
    • Have a trusted leader send out the first communication informing the end-user base of the survey. Ensure the recipient understands your motivation and how their responses will be used to benefit them (O’Reardon, 2016). Remind them that participating in the survey benefits them: since IT is taking actions based on their feedback, it’s their chance to improve their employee experience of the IT services and tools they use to do their job.
    • In the introductory communication, test different email subject lines and email body content to learn which versions increase respondents’ rates of opening the survey link, and “keep it short and clear” (O’Reardon, 2016).
    • If your users tend to mistrust emailed links due to security training, tell them how to confirm the legitimacy of the survey.

    “[Send] one reminder to those who haven’t completed the survey after a few days. Don’t use the word ‘reminder’ because that’ll go straight in the bin, better to say something like, ‘Another chance to provide your feedback’”

    – David O’Reardon, Founder & CEO of Silversix

    Analyze and act on feedback

    Phase 4

    Measure and analyze the results of both surveys and build a plan to act on both positive and negative feedback and communicate the results with the organization.

    Phase 1:

    Phase 2:

    Phase 3:

    Phase 4:

    Understand how to measure customer satisfaction

    Design and implement transactional surveys

    Design and implement relationship surveys

    Analyze and act on feedback

    Leverage the service recovery paradox to improve customer satisfaction

    The image contains a screenshot of a graph to demonstrate the service recovery paradox.

    A service failure or a poor experience isn’t what determines customer satisfaction – it’s how you respond to the issue and take steps to fix it that really matters.

    This means one poor experience with the service desk doesn’t necessarily lead to an unhappy user; if you quickly and effectively respond to negative feedback to repair the relationship, the customer may be even happier afterwards because you demonstrated that you value them.

    “Every complaint becomes an opportunity to turn a bad IT customer experience into a great one.”

    – David O’Reardon, Founder & CEO of Silversix

    Collecting feedback is only the first step in the customer feedback loop

    Closing the feedback loop is one of the most important yet forgotten steps in the process.

    1. Collect Feedback
    • Send transactional surveys after every ticket is resolved.
    • Send a broader annual relationship survey to all users.
  • Analyze Feedback
    • Calculate satisfaction scores.
    • Read open-ended comments.
    • Analyze for trends, categories, common issues and priorities.
  • Act on Feedback
    • Respond to users who provided feedback.
    • Make improvements based on feedback.
  • Communicate Results
    • Communicate feedback results and improvements made to respondents and to service desk staff.
    • Summarize results and actions to key stakeholders and business leaders.

    Act on feedback to get the true value of your satisfaction program

    • SDI (2018) survey data shows that the majority of service desk professionals are using their customer satisfaction data to feed into service improvements. However, 30% still aren’t doing anything with the feedback they collect.
    • Collecting feedback is only one half of a good customer feedback program. Acting on that feedback is critical to the success of the program.
    • Using feedback to make improvements not only benefits the service desk but shows users the value of responding and will increase future response rates.
    		The image contains a screenshot of a bar graph that demonstrates SDI: What do service desk professionals do with customer satisfaction data?

    “Your IT service desk’s CSAT survey should be the means of improving your service (and the employee experience), and something that encourages people to provide even more feedback, not just the means for understanding how well it’s doing”

    – Joe the IT Guy, SysAid

    Assign responsibility for acting on feedback

    If collecting and analyzing customer feedback is something that happens off the side of your desk, it either won’t get done or won’t get done well.

    • Formalize the customer satisfaction program. It’s not a one-time task, but an ongoing initiative that requires significant time and dedication.
    • Be clear on who is accountable for the program and who is responsible for all the tasks involved for both transactional and relationship survey data collection, analysis, and communication.

    Assign accountability for the customer feedback program to one person (i.e. Service Desk Manager, Service Manager, Infrastructure & Operations Lead, IT Director), who may take on or assign responsibilities such as:

    • Designing surveys, including survey questions and response options.
    • Configuring survey(s) in ITSM or survey tool.
    • Sending relationship surveys and subsequent reminders to the organization.
    • Communicating results of both surveys to internal staff, business leaders, and end users.
    • Analyzing results.
    • Feeding results into improvement plans, coaching, and training.
    • Creating reports and dashboards to monitor scores and trends.

    Info-Tech Insight

    While feedback can feed into internal coaching and training, the goal should never be to place blame or use metrics to punish agents with poor results. The focus should always be on improving the experience for end users.

    Determine how and how often to analyze feedback data

    • Analyze and report scores from both transactional and relationship surveys to get a more holistic picture of satisfaction across the organization.
    • Determine how you will calculate and present satisfaction ratings/scores, both overall and for individual questions. See tips on the right for calculating and presenting NPS and CSAT scores.
    • A single satisfaction score doesn’t tell the full story; calculate satisfaction scores at multiple levels to determine where improvements are most needed.
      • For example, satisfaction by service desk tier, team or location, by business department or location, by customer group, etc.
    • Analyze survey data regularly to ensure you communicate and act on feedback promptly and avoid further alienating dissatisfied users. Transactional survey feedback should be reviewed at least weekly, but ideally in real time, as resources allow.

    Calculating NPS Scores

    Categorize respondents into 3 groups:

    • 9-10 = Promoters, 7-8 = Neutral, 1-6 = Detractors

    Calculate overall NPS score:

    • % Promoters - % Detractors

    Calculating CSAT Scores

    • CSAT is usually presented as a percentage representing the average score.
    • To calculate, take the total of all scores, divide by the maximum possible score, then multiply by 100. For example, a satisfaction rating of 80% means on average, users gave a rating of 4/5 or 8/10.
    • Note that some organizations present CSAT as the percentage of “satisfied” users, with satisfied being defined as either “yes” on a two-point scale or a score of 4 or 5 on a 5-point scale. Be clear how you are defining your satisfaction rating.

    Don’t neglect qualitative feedback

    While it may be more difficult and time-consuming to analyze, the reward is also greater in terms of value derived from the data.

    Why analyze qualitative data

    How to analyze qualitative data
    • Quantitative data (i.e. numerical satisfaction scores) tells you how many people are satisfied vs dissatisfied, but it doesn’t tell you why they feel that way.
    • If you limit your data analysis to only reporting numerical scores, you will miss out on key insights that can be derived from open-ended feedback.
    • Qualitative data from open-ended survey questions provides:
      • Explanations for the numbers
      • More detailed insight into why respondents feel a certain way
      • More honest and open feedback
      • Insight into areas you may not have thought to ask about
      • New ideas and recommendations

    Methods range in sophistication; choose a technique depending on your tools available and goals of your program.

    1. Manual 2. Semi-automated 3. AI & Analysis Tools
    • Read all comments.
    • Sort into positive vs negative groups.
    • Add tags to categorize comments (e.g. by theme, keyword, service).
    • Look for trends and priorities, differences across groups.
    • Run a script to search for specific keywords.
    • Use a word cloud generator to visualize the most commonly mentioned words (e.g. laptop, email).
    • Due to limitations, manual analysis will still be necessary.
    • Use a feedback analysis/text analysis tool to mine feedback.
    • Software will present reports and data visualizations of common themes.
    • AI-powered tools can automatically detect sentiment or emotion in comments or run a topic analysis.

    Define a process to respond to both negative and positive feedback

    Successful customer satisfaction programs respond effectively to both positive and negative outcomes. Late or lack of responses to negative comments may increase customer frustration, while not responding at all to the positive comments may give the perception of indifference.

    1. Define what qualifies as a positive vs negative score

      2. E.g. Scores of 1 to 2 out of 5 are negative, scores of 4 to 5 out of 5 are positive.

    2. Define process to respond to negative feedback
    • Negative responses should go directly to the Service Desk Manager or whoever is accountable for feedback.
    • Set an SLO for when the user will be contacted. It should be within 24h but ideally much sooner.
    • Investigate the issue to understand exactly what happened and get to the root cause.
    • Identify remediation steps to ensure the issue does not occur again.
    • Communicate to the customer the action you have taken to improve.
  • Define process to respond to positive feedback
    • Positive responses should also be reviewed by the person accountable for feedback, but the timeline to respond may be longer.
    • Show respondents that you value their time by thanking them for responding. Showing appreciate helps to build a long-term relationship with the user.
    • Share positive results with the team to improve morale, and as a coaching/training mechanism.
    • Consider how to use positive feedback as an incentive or reward.

    Build a plan to communicate results to various stakeholders

    Regular communication about your feedback results and action plan tied to those results is critical to the success of your feedback program. Build your communication plan around these questions:

    1. Who should receive communication?

    Each audience will require different messaging, so start by identifying who those audiences are. At a minimum, you should communicate to your end users who provided feedback, your service desk/IT team, and business leaders or stakeholders.

    2. What information do they need?

    End users: Thank them for providing feedback. Demonstrate what you will do with that feedback.

    IT team: Share results and what you need them to do differently as a result.

    Business leaders: Share results, highlight successes, share action plan for improvement.

    3. Who is responsible for communication?

    Typically, this will be the person who is accountable for the customer feedback program, but you may have different people responsible for communicating to different audiences.

    4. When will you communicate?

    Frequency of communication will depend on the survey type – relationship or transactional – as well as the audience, with internal communication being much more frequent than end-user communication.

    5. How will you communicate?

    Again, cater your approach to the audience and choose a method that will resonate with them. End users may view an email, an update on the portal, a video, or update in a company meeting; your internal IT team can view results on a dashboard and have regular meetings.

    Communication to your users impacts both response rates and satisfaction

    Based on the Customer Communication Cycle by David O’Reardon, 2018
    1. Ask users to provide feedback through transactional and relationship surveys.
    2. Thank them for completing the survey – show that you value their time, regardless of the type of feedback they submitted.
    3. Be transparent and summarize the results of the survey(s). Make it easy to digest with simple satisfaction scores and a summary of the main insights or priorities revealed.
    4. Before asking for feedback, explain how you will use feedback to improve the service. After collecting feedback, share your plan for making improvements based on what the data told you.
    5. After you’ve made changes, communicate again to share the results with respondents. Make it clear that their feedback had a direct result on the service they receive. Communicating this before running another survey will also increase the likelihood of respondents providing feedback again.

    Info-Tech Insight

    Focus your communications to users around them, not you. Demonstrate that you need feedback to improve their experience, not just for you to collect data.

    Translate feedback into actionable improvements

    Taking action on feedback is arguably the most important step of the whole customer feedback program.

    Prioritize improvements

    Prioritize improvements based on low scores and most commonly received feedback, then build into an action plan.

    Take immediate action on negative feedback

    Investigate the issue, diagnose the root cause, and repair both the relationship and issue – just like you would an incident.

    Apply lessons learned from positive feedback

    Don’t neglect actions you can take from positive feedback – identify how you can expand upon or leverage the things you’re doing well.

    Use feedback in coaching and training

    Share positive experiences with the team as lessons learned, and use negative feedback as an input to coaching and training.

    Make the change stick

    After making a change, train and communicate it to your team to ensure the change sticks and any negative experiences don’t happen again.

    “Without converting feedback into actions, surveys can become just a pointless exercise in number watching.”

    – David O’Reardon, Founder & CEO of Silversix

    Info-Tech Insight

    Outline exactly what you plan to do to address customer feedback in an action plan, and regularly review that action plan to select and prioritize initiatives and monitor progress.

    For more guidance on tracking and prioritizing ongoing improvement initiatives, see the blueprints Optimize the Service Desk with a Shift Left Strategy and Build a Continual Improvement Plan for the Service Desk.

    Leverage Info-Tech resources to guide your improvement efforts

    Map your identified improvements to the relevant resource that can help:

    Improve service desk processes:

    Improve end-user self-service options:

    Assess and optimize service desk staffing:

    Improve ease of contacting the service desk:
    Standardize the Service Desk Optimize the Service Desk With a Shift-Left Strategy Staff the Service Desk to Meet Demand Improve Service Desk Ticket Intake

    Improve service desk processes:

    Improve end-user self-service options:

    Assess and optimize service desk staffing:

    Improve ease of contacting the service desk::
    Improve Incident and Problem Management Improve Incident and Problem Management Deliver a Customer Service Training Program to Your IT Department Modernize and Transform Your End-User Computing Strategy

    Map process for acting on relationship survey feedback

    Use Info-Tech’s Relationship Satisfaction Survey Review Process workflow as a template to define your own process.

    The image contains a screenshot of the Relationship Satisfaction Survey Review Process.

    Map process for acting on transactional survey feedback

    Use Info-Tech’s Transactional Satisfaction Survey Review Process workflow as a template to define your own process.

    The image contains a screenshot of the Transactional Satisfaction Survey Review Process.

    Related Info-Tech Research

    Standardize the Service Desk

    This project will help you build and improve essential service desk processes, including incident management, request fulfillment, and knowledge management to create a sustainable service desk.

    Optimize the Service Desk With a Shift-Left Strategy

    This project will help you build a strategy to shift service support left to optimize your service desk operations and increase end-user satisfaction.

    Build a Continual Improvement Plan

    This project will help you build a continual improvement plan for the service desk to review key processes and services and manage the progress of improvement initiatives.

    Deliver a Customer Service Training Program to Your IT Department

    This project will help you deliver a targeted customer service training program to your IT team to enhance their customer service skills when dealing with end users, improve overall service delivery and increase customer satisfaction.

    Sources Cited

    Amaresan, Swetha. “The best time to send a survey, according to 5 studies.” Hubspot. 15 Jun 2021. Accessed October 2022.
    Arlen, Chris. “The 5 Service Dimensions All Customers Care About.” Service Performance Inc. n.d. Accessed October 2022.
    Clinton, William Jefferson. “Setting Customer Service Standards.” (1993). Federal Register, 58(176).
    “Understanding Confidentiality and Anonymity.” The Evergreen State College. 2022. Accessed October 2022.
    "Highlights of the 2017 U.S. PIAAC Results Web Report" (NCES 2020-777). U.S. Department of Education. Institute of Education Sciences, National Center for Education Statistics.
    Joe the IT Guy. “Are IT Support’s Customer Satisfaction Surveys Their Own Worst Enemy?” Joe the IT Guy. 29 August 2018. Accessed October 2022.
    O’Reardon, David. “10 Ways to Get the Most out of your ITSM Ticket Surveys.” LinkedIn. 2 July 2019. Accessed October 2022.
    O'Reardon, David. "13 Ways to increase the response rate of your Service Desk surveys".LinkedIn. 8 June 2016. Accessed October 2022.
    O’Reardon, David. “IT Customer Feedback Management – A Why & How Q&A with an Expert.” LinkedIn. 13 March 2018. Accessed October 2022.
    Parasuraman, A., Zeithaml, V. A., & Berry, L. L. (1985). "A Conceptual Model of Service Quality and Its Implications for Future Research." Journal of Marketing, 49(4), 41–50.
    Quantisoft. "How to Increase IT Help Desk Customer Satisfaction and IT Help Desk Performance.“ Quantisoft. n.d. Accessed November 2022.
    Rumberg, Jeff. “Metric of the Month: Customer Effort.” HDI. 26 Mar 2020. Accessed September 2022.
    Sauro, Jeff. “15 Common Rating Scales Explained.” MeasuringU. 15 August 2018. Accessed October 2022.
    SDI. “Customer Experience in ITSM.” SDI. 2018. Accessed October 2022.
    SDI. “CX: Delivering Happiness – The Series, Part 1.” SDI. 12 January 2021. Accessed October 2022.
    Wronski, Laura. “Who responds to online surveys at each hour of the day?” SurveyMonkey. n.d. Accessed October 2022.

    Research contributors

    Sally Colwell

    Project Officer

    Government of Canada Pension Centre

    Adopt Generative AI in Solution Delivery

    • Buy Link or Shortcode: {j2store}146|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Development
    • Parent Category Link: /development
    • Delivery teams are under continuous pressure to deliver high value and quality solutions with limited capacity in complex business and technical environments. Common challenges experienced by these teams include:
      • Attracting and retaining talent
      • Maximizing the return on technology
      • Confidently shifting to digital
      • Addressing competing priorities
      • Fostering a collaborative culture
      • Creating high-throughput teams
    • Gen AI offers a unique opportunity to address many of these challenges.

    Our Advice

    Critical Insight

    • Your stakeholders' understanding of Gen AI, its value, and its application can be driven by hype and misinterpretation. This confusion can lead to unrealistic expectations and set the wrong precedent for the role Gen AI is intended to play.
    • Your SDLC is not well documented and is often executed inconsistently. An immature practice will not yield the benefits stakeholders expect.
    • The Gen AI marketplace is broad and diverse. Selecting the appropriate tools and partners is confusing and overwhelming.
    • There is a skills gap for what is needed to configure, adopt, and operate Gen AI.

    Impact and Result

    • Ground your Gen AI expectations. Set realistic and achievable goals centered on driving business value and efficiency across the entire SDLC by enabling Gen AI in key tasks and activities. Propose the SDLC as the ideal pilot for Gen AI.
    • Select the right Gen AI opportunities. Discuss how proven Gen AI capabilities can be applied to your solution delivery practice to achieve the outcomes and priorities stakeholders expect. Lessons learned sow the foundation for future Gen AI scaling.
    • Assess your Gen AI readiness in your solution delivery teams. Clarify the roles, processes, and tools needed for the implementation, use, and maintenance of Gen AI.

    Adopt Generative AI in Solution Delivery Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Adopt Generative AI in Solution Delivery Storyboard – A step-by-step guide that helps you assess whether Gen AI is right for your solution delivery practices.

    Gain an understanding of the potential opportunities that Gen AI can provide your solution delivery practices and answer the question "What should I do next?"

    • Adopt Generative AI in Solution Delivery Storyboard

    2. Gen AI Solution Delivery Readiness Assessment Tool – A tool to help you understand if your solution delivery practice is ready for Gen AI.

    Assess the readiness of your solution delivery team for Gen AI. This tool will ask several questions relating to your people, process, and technology, and recommend whether or not the team is ready to adopt Gen AI practices.

    • Gen AI Solution Delivery Readiness Assessment Tool
    [infographic]

    Further reading

    Adopt Generative AI in Solution Delivery

    Drive solution quality and team productivity with the right generative AI capabilities.

    Analyst Perspective

    Build the case for Gen AI with the right opportunities.

    Generative AI (Gen AI) presents unique opportunities to address many solution delivery challenges. Code generation can increase productivity, synthetic data generation can produce usable test data, and scanning tools can identify issues before they occur. To be successful, teams must be prepared to embrace the changes that Gen AI brings. Stakeholders must also give teams the opportunity to optimize their own processes and gauge the fit of Gen AI.

    Start small with the intent to learn. The right pilot initiative helps you learn the new technology and how it benefits your team without the headache of complex setups and lengthy training and onboarding. Look at your existing solution delivery tools to see what Gen AI capabilities are available and prioritize the use cases where Gen AI can be used out of the box.

    This is a picture of Andrew Kum-Seun

    Andrew Kum-Seun
    Research Director,
    Application Delivery and Management
    Info-Tech Research Group

    Executive Summary

    Your Challenge

    Delivery teams are under continuous pressure to deliver high-value, high-quality solutions with limited capacity in complex business and technical environments. Common challenges experienced by these teams include:

    • Attracting and retaining talent
    • Maximizing the return on technology
    • Confidently shifting to digital
    • Addressing competing priorities
    • Fostering a collaborative culture
    • Creating high-throughput teams

    Generative AI (Gen AI) offers a unique opportunity to address many of these challenges.

    Common Obstacles

    • Your stakeholders' understanding of what is Gen AI, its value and its application, can be driven by hype and misinterpretation. This confusion can lead to unrealistic expectations and set the wrong precedent for the role Gen AI is intended to play.
    • Your solution delivery process is not well documented and is often executed inconsistently. An immature practice will not yield the benefits stakeholders expect.
    • The Gen AI marketplace is very broad and diverse. Selecting the appropriate tools and partners is confusing and overwhelming.
    • There is a skills gap for what is needed to configure, adopt, and operate Gen AI.

    Info-Tech's Approach

    • Ground your Gen AI expectations. Set realistic and achievable goals centered on driving business value and efficiency across the entire solution delivery process by enabling Gen AI in key tasks and activities. Propose this process as the ideal pilot for Gen AI.
    • Select the right Gen AI opportunities. Discuss how proven Gen AI capabilities can be applied to your solution delivery practice and achieve the outcomes and priorities stakeholders expect. Lessons learned sow the foundation for future Gen AI scaling.
    • Assess your Gen AI readiness in your solution delivery teams. Clarify the roles, processes, and tools needed for the implementation, use, and maintenance of Gen AI.

    Info-Tech Insight

    Position Gen AI as a tooling opportunity to enhance the productivity and depth of your solution delivery practice. Current Gen AI tools are unable to address the various technical and human complexities that commonly occur in solution delivery. Assess the fit of Gen AI by augmenting low-risk, out-of-the-box tools in key areas of your solution delivery process and teams.

    Insight Summary

    Overarching Info-Tech Insight

    Position Gen AI is a tooling opportunity to enhance the productivity and depth of your solution delivery practice. However, current Gen AI tools are unable to address the various technical and human complexities that commonly occur in solution delivery. Assess the fit of Gen AI by augmenting low-risk, out-of-the-box tools in key areas of your solution delivery process and teams.

    Understand and optimize first, automate with Gen AI later.
    Gen AI magnifies solution delivery inefficiencies and constraints. Adopt a user-centric perspective to understand your solution delivery teams' interactions with solution delivery tools and technologies to better replicate how they complete their tasks and overcome challenges.

    Enable before buy. Buy before build.
    Your solution delivery vendors see AI as a strategic priority in their product and service offering. Look into your existing toolset and see if you already have the capabilities. Otherwise, prioritize using off-the-shelf solutions with pre-trained Gen AI capabilities and templates.

    Innovate but don't experiment.
    Do not reinvent the wheel and lower your risk of success. Stick to the proven use cases to understand the value and fit of Gen AI tools and how your teams can transform the way they work. Use your lessons learned to discover scaling opportunities.

    Blueprint benefits

    IT benefits

    Business benefits
    • Select the Gen AI tools and capabilities that meet both the solution delivery practice and team goals, such as:
    • Improved team productivity and throughput.
    • Increased solution quality and value.
    • Greater team satisfaction.
    • Motivate stakeholder buy-in for the investment in solution delivery practice improvements.
    • Validate the fit and opportunities with Gen AI for future adoption in other IT departments.
    • Increase IT satisfaction by improving the throughput and speed of solution delivery.
    • Reduce the delivery and operational costs of enterprise products and services.
    • Use a pilot to demonstrate the fit and value of Gen AI capabilities and supporting practices across business and IT units.

    What is Gen AI?

    An image showing where Gen AI sits within the artificial intelligence. It consists of four concentric circles. They are labeled from outer-to-inner circle in the following order: Artificial Intelligence; Machine Learning; Deep Learning; Gen AI

    Generative AI (Gen AI)
    A form of ML whereby, in response to prompts, a Gen AI platform can generate new output based on the data it has been trained on. Depending on its foundational model, a Gen AI platform will provide different modalities and use case applications.

    Machine Learning (ML)
    The AI system is instructed to search for patterns in a data set and then make predictions based on that set. In this way, the system learns to provide accurate content over time. This requires a supervised intervention if the data is inaccurate. Deep learning is self-supervised and does not require intervention.

    Artificial Intelligence (AI)
    A field of computer science that focuses on building systems to imitate human behavior. Not all AI systems have learning behavior; many systems (such as customer service chatbots) operate on preset rules.

    Info-Tech Insight

    Many vendors have jumped on Gen AI as the latest marketing buzzword. When vendors claim to offer Gen AI functionality, pin down what exactly is generative about it. The solution must be able to induce new outputs from inputted data via self-supervision – not trained to produce certain outputs based on certain inputs.

    Augment your solution delivery teams with Gen AI

    Position Gen AI as a tooling opportunity to enhance the productivity and depth of your solution delivery practice. Current Gen AI tools are unable to address the various technical and human complexities that commonly occur in solution delivery; assess the fit of Gen AI by augmenting low-risk, out-of-the-box tools in key areas of your solution delivery process and teams.

    Solution Delivery Team

    Humans

    Gen AI Bots

    Product owner and decision maker
    Is accountable for the promised delivery of value to the organization.

    Business analyst and architect
    Articulates the requirements and aligns the team to the business and technical needs.

    Integrator and builder
    Implements the required solution.

    Collaborator
    Consults and supports the delivery.

    Administrator
    Performs common administrative tasks to ensure smooth running of the delivery toolchain and end-solutions.

    Designer and content creator
    Provides design and content support for common scenarios and approaches.

    Paired developer and tester
    Acts as a foil for existing developer or tester to ensure high quality output.

    System monitor and support
    Monitors and recommends remediation steps for operational issues that occur.

    Research deliverable

    This research is accompanied by a supporting deliverable to help you accomplish your goals.

    Gen AI Solution Delivery Readiness Assessment Tool

    Assess the readiness of your solution delivery team for Gen AI. This tool will ask several questions relating to your people, process, and technology, and recommend whether the team is ready to adopt Gen AI practices.

    This is a series of three screenshots from the Gen AI Solution Delivery Readiness Assessment Tool

    Step 1.1

    Set the context

    Activities

    1.1.1 Understand the challenges of your solution delivery teams.

    1.1.2 Outline the value you expect to gain from Gen AI.

    This step involves the following participants:

    • Applications VP
    • Applications Director
    • Solution Delivery Manager
    • Solution Delivery Team

    Outcomes of this step

    • SWOT Analysis to help articulate the challenges facing your teams.
    • A Gen AI Canvas that will articulate the value you expect to gain.

    IT struggles to deliver solutions effectively

    • Lack of skills and resources
      Forty-six percent of respondents stated that it was very or somewhat difficult to attract, hire, and retain developers (GitLab, 2023; N=5,010).
    • Delayed software delivery
      Code development (37%), monitoring/observability (30%), deploying to non-production environments (30%), and testing (28%) were the top areas where software delivery teams or organizations encountered the most delays (GitLab, 2023, N=5,010).
    • Low solution quality and satisfaction
      Only 64% of applications were identified as effective by end users. Effective applications are identified as at least highly important and have high feature and usability satisfaction (Application Portfolio Assessment, August 2021 to July 2022; N=315).
    • Burnt out teams
      While workplace flexibility comes with many benefits, longer work hours jeopardize wellbeing. Sixty-two percent of organizations reported increased working hours, while 80% reported an increase in flexibility ("2022 HR Trends Report," McLean & Company, 2022; N=394) .

    Creating high-throughput teams is an organizational priority.

    CXOs ranked "optimize IT service delivery" as the second highest priority. "Achieve IT business" was ranked first.

    (CEO-CIO Alignment Diagnostics, August 2021 to July 2022; n=568)

    1.1.1 Understand the challenges of your solution delivery teams

    1-3 hours

    1. Complete a SWOT analysis of your solution delivery team to discover areas where Gen AI can be applied.
    2. Record this information in the Gen AI Solution Delivery Readiness Assessment Tool.

    Strengths

    Internal characteristics that are favorable as they relate to solution delivery

    Weaknesses

    Internal characteristics that are unfavorable or need improvement

    Opportunities

    External characteristics that you may use to your advantage

    Threats

    External characteristics that may be potential sources of failure or risk

    Record the results in the Gen AI Solution Delivery Readiness Assessment Tool

    Output

    • SWOT analysis of current state of solution delivery practice

    Participants

    • Applications VP
    • Applications Director
    • Solution Delivery Manager
    • Solution Delivery Team

    Gen AI can help solve your solution delivery challenges

    Why is software delivery an ideal pilot candidate for Gen AI?

    • Many software delivery practices are repeatable and standardized.
    • Software delivery roles that are using and implementing Gen AI are technically savvy.
    • Automation is a staple in many commonly used tools.
    • Change will likely not impact business operations.

    Improved productivity

    Gen AI jumpstarts the most laborious and mundane parts of software delivery. Delivery teams saved 22 hours (avg) per software use case when using AI in 2022, compared to last year when AI was not used ("Generative AI Speeds Up Software Development," PRNewswire, 2023).

    Fungible resources

    Teams are transferrable across different frameworks, platforms, and products. Gen AI provides the structure and guidance needed to work across a wider range of projects ("Game changer: The startling power generative AI is bringing to software development," KPMG, 2023).

    Improved solution quality

    Solution delivery artifacts (e.g. code) are automatically scanned to quickly identify bugs and defects based on recent activities and trends and validate against current system performance and capacity.

    Business empowerment

    AI enhances the application functionalities workers can build with low- and no-code platforms. In fact, "AI high performers are 1.6 times more likely than other organizations to engage non-technical employees in creating AI applications" ("The state of AI in 2022 — and a half decade in review." McKinsey, 2022, N=1,492).

    However, various fears, uncertainties, and doubts challenge Gen AI adoption

    Black Box

    Little transparency is provided on the tool's rationale behind content creation, decision making, and the use and storage of training data, creating risks for legal, security, intellectual property, and other areas.

    Role Replacement

    Some workers have job security concerns despite Gen AI being bound to their rule-based logic framework, the quality of their training data, and patterns of consistent behavior.

    Skills Gaps

    Teams need to gain expertise in AI/ML techniques, training data preparation, and continuous tooling improvements to support effective Gen AI adoption across the delivery practice and ensure reliable operations.

    Data Inaccuracy

    Significant good quality data is needed to build trust in the applicability and reliability of Gen AI recommendations and outputs. Teams must be able to combine Gen AI insights with human judgment to generate the right outcome.

    Slow Delivery of AI Solution

    Timelines are sensitive to organizational maturity, experience with Gen AI, and investments in good data management practices. 65% of organizations said it took more than three months to deploy an enterprise-ready AIOps solution (OpsRamp, 2022).

    Define the value you want Gen AI to deliver

    Well-optimized Gen AI instills stakeholder confidence in ongoing business value delivery and ensures stakeholder buy-in, provided proper expectations are set and met. However, business value is not interpreted or prioritized the same across the organization. Come to a common business value definition to drive change in the right direction by balancing the needs of the individual, team, and organization.

    Business value cannot always be represented by revenue or reduced expenses. Dissecting value by the benefit type and the value source's orientation allows you to see the many ways in which Gen AI brings value to the organization.

    Financial benefits vs. intrinsic needs

    • Financial benefits refers to the degree to which the value source can be measured through monetary metrics, such as revenue generation and cost saving.
    • Intrinsic needs refers to how a product, service, or business capability enhanced with Gen AI meets functional, user experience, and existential needs.

    Inward vs. outward orientation

    • Inward refers to value sources that are internally impacted by Gen AI and improve your employees' and teams' effectiveness in performing their responsibilities.
    • Outward refers to value sources that come from your interaction with external stakeholders and customers and were improved from using Gen AI.

    See our Build a Value Measurement Framework blueprint for more information about business value definition.

    An image of the Business Value Matrix for Gen AI

    Measure success with the right metrics

    Establishing and monitoring metrics are powerful ways to drive behavior and strategic changes in your organization. Determine the right measures that demonstrate the value of your Gen AI implementation by aligning them with your Gen AI objectives, business value drivers, and non-functional requirements.

    Select metrics with different views

    1. Solution delivery practice effectiveness
      The ability of your practice to deliver, support, and operate solutions with Gen AI
      Examples: Solution quality and throughput, delivery and operational costs, number of defects and issues, and system quality
    2. Solution quality and value
      The outcome of your solutions delivered with Gen AI tools
      Examples: Time and money saved, utilization of products and services, speed of process execution, number of errors, and compliance with standards
    3. Gen AI journey goals and milestones
      Your organization's position in your Gen AI journey
      Examples: Maturity score, scope of Gen AI adoption, comfort and
      confidence with Gen AI capabilities, and complexity of Gen AI use cases

    Leverage Info-Tech's Diagnostics

    IT Management & Governance

    • Improvement to application development quality and throughput effectiveness
    • Increased importance of application delivery and maintenance capabilities across the IT organization
    • Delegation of delivery accountability across more IT roles

    CIO Business Vision

    • Improvements to IT satisfaction and value from delivered solutions
    • Changes to the value and importance of IT core services enabled with Gen AI
    • The state of business and IT relationships
    • Capability to deliver and support Gen AI effectively

    1.1.2 Outline the value you expect to gain from Gen AI

    1-3 hours

    1. Complete the following fields to build your Gen AI canvas:
      1. Problem that Gen AI is intending to solve
      2. List of stakeholders
      3. Desired business and IT outcomes
      4. In-scope solution delivery teams, systems, and capabilities.
    2. Record this information in the Gen AI Solution Delivery Readiness Assessment Tool.

    Output

    • Gen AI Canvas

    Participants

    • Applications VP
    • Applications Director
    • Solution Delivery Manager
    • Solution Delivery Team

    Record the results in the Gen AI Solution Delivery Readiness Assessment Tool

    1.1.2 Example

    Example of an outline of the value you expect to gain from Gen AI

    Problem statements

    • Manual testing procedures hinder pace and quality of delivery.
    • Inaccurate requirement documentation leads to constant redesigning.

    Business and IT outcomes

    • Improve code quality and performance.
    • Expedite solution delivery cycle.
    • Improve collaboration between teams and reduce friction.

    List of stakeholders

    • Testing team
    • Application director
    • CIO
    • Design team
    • Project manager
    • Business analysts

    In-scope solution delivery teams, system, and capabilities

    • Web
    • Development
    • App development
    • Testing
    • Quality assurance
    • Business analysts
    • UI/UX design

    Align your objectives to the broader AI strategy

    Why is an organizational AI strategy important for Gen AI?

    • All Gen AI tactics and capabilities are designed, delivered, and managed to support a consistent interpretation of the broader AI vision and goals.
    • An organizational strategy gives clear understanding of the sprawl, criticality, and risks of Gen AI solutions and applications to other IT capabilities dependent on AI.
    • Gen AI initiatives are planned, prioritized, and coordinated alongside other software delivery practice optimizations and technology modernization initiatives.
    • Resources, skills, and capacities are strategically allocated to meet the needs of Gen AI considering other commitments in the software delivery optimization backlog and roadmap.
    • Gen AI expectations and practices uphold the persona, values, and principles of the software delivery team.

    What is an AI strategy?

    An AI strategy details the direction, activities, and tactics to deliver on the promise of your AI portfolio. It often includes:

    • AI vision and goals
    • Application, automation, and process portfolio involved or impacted by AI
    • Values and principles
    • Health of your AI portfolio
    • Risks and constraints
    • Strategic roadmap

    Step 1.2

    Evaluate opportunities for Gen AI

    Activities

    1.2.1 Align Gen AI opportunities with teams and capabilities.

    This step involves the following participants:

    • Applications VP
    • Applications Director
    • Solution Delivery Manager
    • Solution Delivery Team

    Outcomes of this step

    • Understand the Gen AI opportunities for your solution delivery practice.

    Learn how Gen AI is employed in solution delivery

    Gen AI opportunity Common Gen AI tools and vendors Teams than can benefit How can teams leverage this? Case study
    Synthetic data generation
    • Testing
    • Data Analysts
    • Privacy and Security
    • Create test datasets
    • Replace sensitive personal data

    How Unity Leverages Synthetic Data
    Code generation
    • Development
    • Testing
    • Code Templates & Boilerplate
    • Code Refactoring

    How CI&T accelerated development by 11%
    Defect forecasting and debugging
    • Project Manager & Quality Assurance
    • Development
    • Testing
    • Identify root cause
    • Static and dynamic code analysis
    • Debugging assistance

    Altran Uses Microsoft Code Defect AI Solution
    Requirements documentation and elicitation
    • Business Analysts
    • Development
    • Document functional requirements
    • Writing test cases

    Google collaborates with Replit to reduce time to bring new products to market by 30%
    UI design and prototyping
    • UI/UX Design
    • Development
    • Deployment
    • Rapid prototyping
    • Design assistance

    How Spotify is Upleveling Their Entire Design Team

    Other common AI opportunities solutions include test case generation, code translation, use case creation, document generation, and automated testing.

    Opportunity 1: Synthetic data generation

    Create artificial data that mimics the structure of real-life data.

    What are the expected benefits?

    • Availability of test data: Creation of large volumes of data compatible for testing multiple systems within the organization.
    • Improved privacy: Substituting real data with artificial leads to reduced data leaks.
    • Quicker data provisioning: Automated generation of workable datasets aligned to company policies.

    What are the notable risks and challenges?

    • Generalization and misrepresentations: Data models used in synthetic data generation may not be an accurate representation of production data because of potentially conflicting definitions, omission of dependencies, and multiple sources of truth.
    • Lack of accurate representation: It is difficult for synthetic data to fully capture real-world data nuances.
    • Legal complexities: Data to build and train the Gen AI tool does not comply with data residency and management standards and regulations.

    How should teams prepare for synthetic data generation?

    It can be used:

    • To train machine learning models when there is not enough real data, or the existing data does not meet specific needs.
    • To improve quality of test by using data that closely resembles production without the risk of leveraging sensitive and private information.

    "We can simply say that the total addressable market of synthetic data and the total addressable market of data will converge,"
    Ofir Zuk, CEO, Datagen (Forbes, 2022)

    Opportunity 2: Code generation

    Learn patterns and automatically generate code.

    What are the expected benefits?

    • Increased productivity: It allows developers to generate more code quickly.
    • Improved code consistency: Code is generated using a standardized model and lessons learnt from successful projects.
    • Rapid prototyping: Expedite development of a working prototype to be verified and validated.

    What are the notable risks and challenges?

    • Limited contextual understanding: AI may lack domain-specific knowledge or understanding of requirements.
    • Dependency: Overreliance on AI generated codes can affect developers' creativity.
    • Quality concerns: Generated code is untested and its alignment to coding and quality standards is unclear.

    How should teams prepare for code generation?

    It can be used to:

    • Build solutions without the technical expertise of traditional development.
    • Discover different solutions to address coding challenges.
    • Kickstart new development projects with prebuilt code.

    According to a survey conducted by Microsoft's GitHub, a staggering 92% of programmers were reported as using AI tools in their workflow (GitHub, 2023).

    Opportunity 3: Defect forecasting & debugging

    Predict and proactively address defects before they occur.

    What are the expected benefits?

    • Reduced maintenance cost: Find defects earlier in the delivery process, when it's cheaper to fix them.
    • Increased efficiency: Testing efforts can remain focused on critical and complex areas of solution.
    • Reduced risk: Find critical defects before the product is deployed to production.

    What are the notable risks and challenges?

    • False positives and negatives: Incorrect interpretation and scope of defect due to inadequate training of the Gen AI model.
    • Inadequate training: Training data does not reflect the complexity of the solutions code.
    • Not incorporating feedback: Gen AI models are not retrained in concert with solution changes.

    How should teams prepare for defect forecasting and debugging?

    It can be used to:

    • Perform static and dynamic code analysis to find vulnerabilities in the solution source code.
    • Forecast potential issues of a solution based on previous projects and industry trends.
    • Find root cause and suggest solutions to address found defects.

    Using AI technologies, developers can reduce the time taken to debug and test code by up to 70%, allowing them to finish projects faster and with greater accuracy (Aloa, 2023).

    Opportunity 4: Requirements documentation & elicitation

    Capturing, documenting, and analyzing function and nonfunctional requirements.

    What are the expected benefits?

    • Improve quality of requirements: Obtain different perspectives and contexts for the problem at hand and help identify ambiguities and misinterpretation of risks and stakeholder expectation.
    • Increased savings: Fewer resources are consumed in requirements elicitation activities.
    • Increased delivery confidence: Provide sufficient information for the solution delivery team to confidently estimate and commit to the delivery of the requirement.

    What are the notable risks and challenges?

    • Conflicting bias: Gen AI models may interpret the problem differently than how the stakeholders perceive it.
    • Organization-specific interpretation: Inability of the Gen AI models to accommodate unique interpretation of terminologies, standards, trends and scenarios.
    • Validation and review: Interpreting extracted insights requires human validation.

    How should teams prepare for requirements documentation & elicitation?

    It can be used to:

    • Document requirements in a clear and concise manner that is usable to the solution delivery team.
    • Analyze and test requirements against various user, business, and technical scenarios.

    91% of top businesses surveyed report having an ongoing investment in AI (NewVantage Partners, 2021).

    Opportunity 5: UI design and prototyping

    Analyze existing patterns and principles to generate design, layouts, and working solutions.

    What are the expected benefits?

    • Increased experimentation: Explore different approaches and tactics to solve a solution delivery problem.
    • Improved collaboration: Provide quick design layouts that can be reshaped based on stakeholder feedback.
    • Ensure design consistency: Enforce a UI/UX design standard for all solutions.

    What are the notable risks and challenges?

    • Misinterpretation of UX Requirements: Gen AI model incorrectly assumes a specific interpretation of user needs, behaviors, and problem.
    • Incorrect or missing requirements: Lead to extensive redesigns and iterations, adding to costs while hampering user experience.
    • Design creativity: May lack originality and specific brand aesthetics if not augmented well with human customizability and creativity.

    How should teams prepare for UI design and prototyping?

    It can be used to:

    • Visualize the solution through different views and perspectives such as process flows and use-case diagrams.
    • Create working prototypes that can be verified and validated by stakeholders and end users.

    A study by McKinsey & Company found that companies that invest in AI-driven design outperform their peers in revenue growth and customer experience metrics. They were found to achieve up to two times higher revenue growth than industry peers and up to 10% higher net promoter score (McKinsey & Company, 2018).

    Determine the importance of your opportunities by answering these questions

    Realizing the complete potential of Gen AI relies on effectively fostering its adoption and resulting changes throughout the entire solution delivery process.

    What are the challenges faced by your delivery teams that could be addressed by Gen AI?

    • Recognize the precise pain points, bottlenecks, or inefficiencies faced by delivery teams.
    • Include all stakeholders' perspectives during problem discovery and root cause analysis.

    What's holding back Gen AI adoption in the organization?

    • Apart from technical barriers, address cultural and organizational challenges and discuss how organizational change management strategies can mitigate Gen AI adoption risk.

    Are your objectives aligned with Gen AI capabilities?

    • Identify areas where processes can be modernized and streamlined with automation.
    • Evaluate the current capabilities and resources available within the organization to leverage Gen AI technologies effectively.

    How can Gen AI improve the entire solution delivery process?

    • Investigate and evaluate the improvements Gen AI can reasonably deliver, such as increased accuracy, quickened delivery cycles, improved code quality, or enhanced cross-functional collaboration.

    1.2.1 Align Gen AI opportunities to teams and capabilities

    1-3 hours

    1. Associate the Gen AI opportunities that can be linked to your system capabilities. These opportunities refer to the potential applications of generative AI techniques, such as code generation or synthetic data, to address specific challenges.
      1. Start by analyzing your system's requirements, constraints, and areas where Gen AI techniques can bring value. Identify the potential benefits of integrating Gen AI, such as increased productivity, or enhanced creativity.
      2. Next, discern potential risks or challenges, such as dependency or quality concerns, associated with the opportunity implementation.
    2. Record this information in the Gen AI Solution Delivery Readiness Assessment Tool.

    Output

    • Gen AI opportunity selection

    Participants

    • Applications VP
    • Applications Director
    • Solution Delivery Manager
    • Solution Delivery Team

    Record the results in the Gen AI Solution Delivery Readiness Assessment Tool

    Keep an eye out for red flags

    Not all Gen AI opportunities are delivered and adopted the same. Some present a bigger risk than others.

    • Establishing vague targets and success criteria
    • Defining Gen AI as substitution of human capital
    • Open-source software not widely adopted or validated
    • High level of dependency on automation
    • Unadaptable cross-functional training across organization
    • Overlooking privacy, security, legal, and ethical implications
    • Lack of Gen AI expertise and understanding of good practices

    Step 1.3

    Assess your readiness for Gen AI

    Activities

    1.3.1 Assess your readiness for Gen AI.

    This step involves the following participants:

    • Applications VP
    • Applications Director
    • Solution Delivery Manager
    • Solution Delivery Team

    Outcomes of this step

    • A completed Gen AI Readiness Assessment to confirm how prepared you are to embrace Gen AI in your solution delivery team.

    Prepare your SDLC* to leverage Gen AI

    As organizations evolve and adopt more tools and technology, their solution delivery processes become more complex. Process improvement is needed to simplify complex and undocumented software delivery activities and artifacts and prepare it for Gen AI. Gen AI scales process throughput and output quantity, but it multiplies the negative impact of problems the process already has.

    When is your process ready for Gen AI?

    • Solution value Ensures the accuracy and alignment of the committed feature and change requests to what the stakeholder truly expects and receives.
    • ThroughputDelivers new products, enhancements, and changes at a pace and frequency satisfactory to stakeholder expectations and meets delivery commitments.
    • Process governance Has clear ownership and appropriate standardization. The roles, activities, tasks, and technologies are documented and defined. At each stage of the process someone is responsible and accountable.
    • Process management Follows a set of development frameworks, good practices, and standards to ensure the solution and relevant artifacts are built, tested, and delivered consistently and repeatably.
    • Technical quality assurance – Accommodates committed non-functional requirements within the stage's outputs to ensure products meet technical excellence expectations.

    *software development lifecycle

    To learn more, visit Info-Tech's Modernize Your SDLC blueprint.

    To learn more, visit Info-Tech's Build a Winning Business Process Automation Playbook

    Assess the impacts from Gen AI changes

    Ensure that no stone is left unturned as you evaluate the fit of Gen AI and prepare your adoption and support plans.

    By shining a light on considerations that might have otherwise escaped planners and decision makers, an impact analysis is an essential component to Gen AI success. This analysis should answer the following questions on the impact to your solution delivery teams.

    1. Will the change impact how our clients/customers receive, consume, or engage with our products/services?
    2. Will there be an increase in operational costs, and a change to compensation and/or rewards?
    3. Will this change increase the workload and alter staffing levels?
    4. Will the vision or mission of the team change?
    5. Will a new or different set of skills be needed?
    6. Will the change span multiple locations/time zones?
    7. Are multiple products/services impacted by this change?
    8. Will the workflow and approvals be changed, and will there be a substantial change to scheduling and logistics?
    9. Will the tools of the team be substantially different?
    10. Will there be a change in reporting relationships?

    See our Master Organizational Change Management Practices blueprint for more information.

    Brace for impact

    A thorough analysis of change impacts will help your software delivery teams and change leaders:

    • Bypass avoidable problems.
    • Remove non-fixed barriers to success.
    • Acknowledge and minimize the impact of unavoidable barriers.
    • Identify and leverage potential benefits.
    • Measure the success of the change.

    Many key IT capabilities are required to successfully leverage Gen AI

    Portfolio Management

    An accurate and rationalized inventory of all Gen AI tools verifies they support the goals and abide to the usage policies of the broader delivery practice. This becomes critical when tooling is updated frequently and licenses and open- source community principles drastically change (e.g. after an acquisition).

    Quality Assurance

    Gen AI tools are routinely verified and validated to ensure outcomes are accurate, complete, and aligned to solution delivery quality standards. Models are retrained using lessons learned, new use cases, and updated training data.

    Security & Access Management

    Externally developed and trained Gen AI models may not include the measures, controls, and tactics you need to prevent vulnerabilities and protect against threats that are critical in your security frameworks, policies, and standards.

    Data Management & Governance

    All solution delivery data and artifacts can be transformed and consumed in various ways as they transit through solution delivery and Gen AI tools. Data integrations, structures, and definitions must be well-defined, governed, and monitored.

    OPERATIONAL SUPPORT

    Resources are available to support the ongoing operations of the Gen AI tool, including infrastructure, preparing training data, and managing integration with other tools. They are also prepared to recover backups, roll back, and execute recovery plans at a moment's notice.

    Apply Gen AI good practices in your solution delivery practice

    1. Keep the human in the loop.
      Gen AI models cannot produce high-quality content with 100% confidence. Keeping the human in the loop allows people to directly give feedback to the model to improve output quality.
    2. Strengthen prompt and query engineering.
      The value of the outcome is dependent on what is being asked. Good prompts and queries focus on creating the optimal input by selecting and phrasing the appropriate words, sentence structures, and punctuation to illustrate the focus, scope, problem, and boundaries.
    3. Thoughtfully prepare your training data.
      Externally hosted Gen AI tools may store your training data in their systems or use it to train their other models. Intellectual property and sensitive data can leak into third-party systems and AI models if it is not properly masked and sanitized.
    4. Build guardrails into your Gen AI models.
      Guardrails can limit the variability of any misleading Gen AI responses by defining the scope and bounds of the response, enforcing the policies of its use, and clarifying the context of its response.
    5. Monitor your operational costs.
      The cost breakdown will vary among the types of Gen AI solution and the vendor offerings. Cost per query, consultant fees, infrastructure hosting, and licensing costs are just a few cost factors. Open source can be an attractive cost-saving option, but you must be willing to invest in the roles to assume traditional vendor accountabilities.
    6. Check the licenses of your Gen AI tool.
      Each platform has licenses and agreements on how their solution can or cannot be used. They limit your ability to use the tool for commercial purposes or reproductions or may require you to purchase and maintain a specific license to use their solution and materials.

    See Build Your Generative AI Roadmap for more information.

    Assess your Gen AI readiness

    • Solution delivery team
      The team is educated on Gen AI, its use cases, and the tools that enable it. They have the skills and capacity to implement, create, and manage Gen AI.
    • Solution delivery process and tools
      The solution delivery process is documented, repeatable, and optimized to use Gen AI effectively. Delivery tools are configured to enable, leverage and manage Gen AI assets to improve their performance and efficiency.
    • Solution delivery artifacts
      Delivery artifacts (e.g. code, scripts, documents) that will be used to train and be leveraged by Gen AI tools are discoverable, accurate, complete, standardized, of sufficient quantity, optimized for Gen AI use, and stored in an accessible shared central repository.
    • Governance
      Defined policies, role definitions, guidelines, and processes that guide the implementation, development, operations, and management of Gen AI.
    • Vision and executive support
      Clear alignment of Gen AI direction, ambition, and objectives with broader business and IT priorities. Stakeholders support the Gen AI initiative and allocate human and financial resources for its implementation within the solution delivery team.
    • Operational support
      The capabilities to manage the Gen AI tools and ensure they support the growing needs of the solution delivery practice, such as security management, hosting infrastructure, risk and change management, and data and application integration.

    1.3.1 Assess your readiness for Gen AI

    1-3 hours

    1. Review the current state of your solution delivery teams including their capacity, skills and knowledge, delivery practices, and tools and technologies.
    2. Determine the readiness of your team to adopt Gen AI.
    3. Discuss the gaps that need to be filled to be successful with Gen AI.
    4. Record this information in the Gen AI Solution Delivery Readiness Assessment Tool.

    Record the results in the Gen AI Solution Delivery Readiness Assessment Tool

    Output

    • Gen AI Solution Delivery Readiness Assessment

    Participants

    • Applications VP
    • Applications Director
    • Solution Delivery Manager
    • Solution Delivery Team

    Recognize that Gen AI does not require a fully optimized solution delivery process

    1. Consideration; 2. Exploration; 3. Incorporation; 4. Proliferation; 5. Optimization. Steps 3-5 are Recommended maturity levels to properly embrace Gen AI.

    To learn more, visit Info-Tech's Develop Your Value-First Business Process Automation (BPA) Strategy.

    Be prepared to take the next steps

    Deliver Gen AI to your solution delivery teams

    Modernize Your SDLC
    Efficient and effective SDLC practices are vital, as products need to readily adjust to evolving and changing business needs and technologies.

    Adopt Generative AI in Solution Delivery
    Generative AI can drive productivity and solution quality gains to your solution delivery teams. Level set expectations with the right use case to demonstrate its value potential.

    Select Your AI Vendor & Implementation Partner
    The right vendor and partner are critical for success. Build the selection criteria to shortlist the products and services that best meets the current and future needs of your teams.

    Drive Business Value With Off-the-Shelf AI
    Build a framework that will guide your teams through the selection of an off-the-shelf AI tool with a clear definition of the business case and preparations for successful adoption.

    Build Your Enterprise Application Implementation Playbook
    Your Gen AI implementation doesn't start with technology, but with an effective plan that your team supports and is aligned to broader stakeholder and sponsor priorities and goals.

    Build your Gen AI practice

    • Get Started With AI
    • AI Strategy & Generative AI Roadmap
    • AI Governance

    Related Info-Tech Research

    Build a Winning Business Process Automation Playbook
    Optimize and automate your business processes with a user-centric approach.

    Embrace Business Managed Applications
    Empower the business to implement their own applications with a trusted business-IT relationship.

    Application Portfolio Management Foundations
    Ensure your application portfolio delivers the best possible return on investment.

    Maximize the Benefits from Enterprise Applications with a Center of Excellence
    Optimize your organization's enterprise application capabilities with a refined and scalable methodology.

    Create an Architecture for AI
    Build your target state architecture from predefined best-practice building blocks.

    Deliver on Your Digital Product Vision
    Build a product vision your organization can take from strategy through execution.

    Enhance Your Solution Architecture Practices
    Ensure your software systems solution is architected to reflect stakeholders' short- and long-term needs.

    Apply Design Thinking to Build Empathy With the Business
    Use design thinking and journey mapping to make IT the business' go-to problem solver.

    Modernize Your SDLC
    Deliver quality software faster with new tools and practices.

    Drive Business Value With Off-the-Shelf AI
    A practical guide to ensure return on your off-the-shelf AI investment.

    Bibliography

    "Altran Helps Developers Write Better Code Faster with Azure AI." Microsoft, 2020.
    "Apply Design Thinking to Complex Teams, Problems, and Organizations." IBM, 2021.
    Bianca. "Unleashing the Power of AI in Code Generation: 10 Applications You Need to Know — AITechTrend." AITechTrend, 16 May 2023.
    Biggs, John. "Deep Code Cleans Your Code with the Power of AI." TechCrunch, 26 Apr 2018.
    "Chat GPT as a Tool for Business Analysis — the Brazilian BA." The Brazilian BA, 24 Jan 2023.
    Davenport, Thomas, and Randy Bean. "Big Data and AI Executive Survey 2019." New Vantage Partners, 2019.
    Davenport, Thomas, and Randy Bean. "Big Data and AI Executive Survey 2021." New Vantage Partners, 2021.
    Das, Tamal. "9 Best AI-Powered Code Completion for Productive Development." Geek flare, 5 Apr 2023.
    Gondrezick, Ilya. "Council Post: How AI Can Transform the Software Engineering Process." Forbes, 24 Apr 2020.
    "Generative AI Speeds up Software Development: Compass UOL Study." PR Newswire, 29 Mar 2023.
    "GitLab 2023 Global Develops Report Series." Gitlab, 2023.
    "Game Changer: The Startling Power Generative AI Is Bringing to Software Development." KPMG, 30 Jan 2023.
    "How AI Can Help with Requirements Analysis Tools." TechTarget, 28 July 2020.
    Indra lingam, Ashanta. "How Spotify Is Upleveling Their Entire Design Team." Framer, 2019.
    Ingle, Prathamesh. "Top Artificial Intelligence (AI) Tools That Can Generate Code to Help Programmers." Matchcoat, 1 Jan 2023.
    Kaur, Jagreet . "AI in Requirements Management | Benefits and Its Processes." Xenon Stack, 13 June 2023.
    Lange, Danny. "Game On: How Unity Is Extending the Power of Synthetic Data beyond the Gaming Industry." CIO, 17 Dec 2020.
    Lin, Ying. "10 Artificial Intelligence Statistics You Need to Know in 2020." OBERLO, 17 Mar. 2023.
    Mauran, Cecily. "Whoops, Samsung Workers Accidentally Leaked Trade Secrets via ChatGPT." Mashable, 6 Apr 2023.

    Become a Strategic CIO

    • Buy Link or Shortcode: {j2store}80|cart{/j2store}
    • member rating overall impact: 9.5/10 Overall Impact
    • member rating average dollars saved: $10,000 Average $ Saved
    • member rating average days saved: 15 Average Days Saved
    • Parent Category Name: IT Strategy
    • Parent Category Link: /it-strategy
    • As a CIO, you are currently operating in a stable and trusted IT environment, but you would like to advance your role to strategic business partner.
    • CIOs are often overlooked as a strategic partner by their peers, and therefore face the challenge of proving they deserve a seat at the table.

    Our Advice

    Critical Insight

    • To become a strategic business partner, you must think and act as a business person that works in IT, rather than an IT person that works for the business.
    • Career advancement is not a solo effort. Building relationships with your executive business stakeholders will be critical to becoming a respected business partner.

    Impact and Result

    • Create a personal development plan and stakeholder management strategy to accelerate your career and become a strategic business partner. For a CIO to be considered a strategic business partner, he or she must be able to:
      • Act as a business person that works in IT, rather than an IT person that works for the business. This involves meeting executive stakeholder expectations, facilitating innovation, and managing stakeholder relationships.
      • Align IT with the customer. This involves providing business stakeholders with information to support stronger decision making, keeping up with disruptive technologies, and constantly adapting to the ever-changing end-customer needs.
      • Manage talent and change. This involves performing strategic workforce planning, and being actively engaged in identifying opportunities to introduce change in your organization, suggesting ways to improve, and then acting on them.

    Become a Strategic CIO Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should become a strategic CIO, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Launch

    Analyze strategic CIO competencies and assess business stakeholder satisfaction with IT using Info-Tech's CIO Business Vision Diagnostic and CXO-CIO Alignment Program.

    • Become a Strategic CIO – Phase 1: Launch

    2. Assess

    Evaluate strategic CIO competencies and business stakeholder relationships.

    • Become a Strategic CIO – Phase 2: Assess
    • CIO Strategic Competency Evaluation Tool
    • CIO Stakeholder Power Map Template

    3. Plan

    Create a personal development plan and stakeholder management strategy.

    • Become a Strategic CIO – Phase 3: Plan
    • CIO Personal Development Plan
    • CIO Stakeholder Management Strategy Template

    4. Execute

    Develop a scorecard to track personal development initiatives.

    • Become a Strategic CIO – Phase 4: Execute
    • CIO Strategic Competency Scorecard
    [infographic]

    Workshop: Become a Strategic CIO

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Assess Competencies & Stakeholder Relationships

    The Purpose

    Gather and review information from business stakeholders.

    Assess strategic CIO competencies and business stakeholder relationships.

    Key Benefits Achieved

    Gathered information to create a personal development plan and stakeholder management strategy.

    Analyzed the information from diagnostics and determined the appropriate next steps.

    Identified and prioritized strategic CIO competency gaps.

    Evaluated the power, impact, and support of key business stakeholders.

    Activities

    1.1 Conduct CIO Business Vision diagnostic

    1.2 Conduct CXO-CIO Alignment program

    1.3 Assess CIO competencies

    1.4 Assess business stakeholder relationships

    Outputs

    CIO Business Vision results

    CXO-CIO Alignment Program results

    CIO competency gaps

    Executive Stakeholder Power Map

    2 Take Control of Your Personal Development

    The Purpose

    Create a personal development plan and stakeholder management strategy.

    Track your personal development and establish checkpoints to revise initiatives.

    Key Benefits Achieved

    Identified personal development and stakeholder engagement initiatives to bridge high priority competency gaps.

    Identified key performance indicators and benchmarks/targets to track competency development.

    Activities

    2.1 Create a personal development plan

    2.2 Create a stakeholder management strategy

    2.3 Establish key performance indicators and benchmarks/targets

    Outputs

    Personal Development Plan

    Stakeholder Management Strategy

    Strategic CIO Competency Scorecard

    Automate Work Faster and More Easily With Robotic Process Automation

    • Buy Link or Shortcode: {j2store}237|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Optimization
    • Parent Category Link: /optimization
    • Your organization has many business processes that rely on repetitive, routine manual data collection and processing work, and there is high stakeholder interest in automating them.
    • You’re investigating whether robotic process automation (RPA) is a suitable technological enabler for automating such processes.
    • Being a trending technology, especially with its association with artificial intelligence (AI), there is much marketing fluff, hype, and misunderstanding about RPA.
    • Estimating the potential impact of RPA on business is difficult, as the relevant industry statistics often conflict each other and you aren’t sure how applicable it is to your business.

    Our Advice

    Critical Insight

    • There are no physical robots in RPA. RPA is about software “bots” that interact with applications as if they were human users to perform routine, repetitive work in your place. It’s for any business in any industry, not just for manufacturing.
    • RPA is lightweight IT; it reduces the cost of entry, maintenance, and teardown of automation as well as the technological requirement of resources that maintain it, as it complements existing automation solutions in your toolkit.
    • RPA is rules-based. While AI promises to relax the rigidity of rules, it adds business risks that are poorly understood by both businesses and subject-matter experts. Rules-based “RPA 1.0” is mature and may pose a stronger business case than AI-enabled RPA.
    • RPA’s sweet spot is “swivel chair automation”: processes that require human workers to act as a conduit between several systems, moving between applications, manually keying, re-keying, copying, and pasting information. A bot can take their place.

    Impact and Result

    • Discover RPA and how it differentiates from other automation solutions.
    • Understand the benefits and risks of complementing RPA with AI.
    • Identify existing business processes best suited for automation with RPA.
    • Communicate RPA’s potential business benefits to stakeholders.

    Automate Work Faster and More Easily With Robotic Process Automation Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should use RPA to automate routine, repetitive data collection and processing work, review Info-Tech’s methodology, and understand the ways we can support you.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Discover robotic process automation

    Learn about RPA, including how it compares to IT-led automation rooted in business process management practices and the role of AI.

    • Automate Work Faster and More Easily With Robotic Process Automation – Phase 1: Discover Robotic Process Automation
    • Robotic Process Automation Communication Template

    2. Identify processes best suited for robotic process automation

    Identify and prioritize candidate processes for RPA.

    • Automate Work Faster and More Easily With Robotic Process Automation – Phase 2: Identify Processes Best Suited for Robotic Process Automation
    • Process Evaluation Tool for Robotic Process Automation
    • Minimum Viable Business Case Document
    [infographic]

    Avoid Project Management Pitfalls

    • Buy Link or Shortcode: {j2store}374|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Program & Project Management
    • Parent Category Link: /program-and-project-management
    • IT organizations seem to do everything in projects, yet fewer than 15% successfully complete all deliverables on time and on budget.
    • Project managers seem to succumb to the relentless pressure from stakeholders to deliver more, more quickly, with fewer resources, and with less support than is ideal.
    • To achieve greater likelihood that your project will stay on track, watch out for the four big pitfalls: scope creep, failure to obtain stakeholder commitment, inability to assemble a team, and failure to plan.

    Our Advice

    Critical Insight

    • While many project managers worry about proper planning as the key to project success, skilled management of the political factors around a project has a much greater impact on success.
    • Alone, combating scope creep can improve your likelihood of success by a factor of 2x.
    • A strong project sponsor will be key to fighting the inevitable battles to control scope and obtain resources.

    Impact and Result

    • Take steps to avoid falling into common project pitfalls.
    • Assess which pitfalls threaten your project in its current state and take appropriate steps to avoid falling into them.
    • Avoiding pitfalls will allow you to deliver value on time and on budget, creating the perception of success in users’ and managers’ eyes.

    Avoid Project Management Pitfalls Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Learn about common PM pitfalls and the strategies to avoid them

    Consistently meet project goals through enhanced PM knowledge and awareness.

    • Storyboard: Avoid Project Management Pitfalls
    • None

    2. Detect project pitfalls

    Take action and mitigate a pitfall before it becomes a problem.

    • Project Pitfall Detection & Mitigation Tool

    3. Document and report PM issues

    Learn from issues encountered to help map PM strategies for future projects.

    • Project Management Pitfalls Issue Log
    [infographic]

    Agile Enterprise Architecture Operating Model

    • Buy Link or Shortcode: {j2store}581|cart{/j2store}
    • member rating overall impact: 9.6/10 Overall Impact
    • member rating average dollars saved: $31,106 Average $ Saved
    • member rating average days saved: 33 Average Days Saved
    • Parent Category Name: Strategy & Operating Model
    • Parent Category Link: /strategy-and-operating-model

    Establish an enterprise architecture practice that:

    • Leverages an operating model that promotes/supports agility within the organization.
    • Embraces business, data, application, and technology architectures in an optimal mix.
    • Is Agile in itself and will be sustainable and reactive to business needs, staying relevant and “profitable” – continuously delivering business value.

    Our Advice

    Critical Insight

    • Use your business and EA strategy and design principles to right-size standardized operating models to fit your EA organization’s needs.
    • You need to define a sound set of design principles before commencing with the design of your EA organization.
    • The EA operating model structure should be rigid but pliable enough to fit the needs of the stakeholders it provides services to.
    • A phased approach and a good communication strategy is key to the success of the new EA organization.
    • Start with one group and work out the hurdles before rolling it out organization-wide.
    • Make sure that you communicate regularly on wins but also on hurdles and how to overcome them.

    Impact and Result

    • The organization design approach proposed will aim to provide twofold agility: the ability to stretch and shrink depending on business requirements and the promotion of agility in architecture delivery.
    • By recognizing that agility comes in different flavors, organizations using more traditional design patterns will also benefit from the approach advocated by this blueprint.

    Agile Enterprise Architecture Operating Model Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out create an Agile EA operating model to execute the EA function, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Design your EA operating model

    You need to define a sound set of design principles before commencing with the design of your EA organization.

    • Agile EA Operating Model Communication Deck
    • Agile EA Operating Model Workbook
    • Business Architect
    • Application Architect
    • Data Architect
    • Enterprise Architect

    2. Define your EA organizational structure

    The EA operating model structure should be rigid but pliable enough to fit the needs of the stakeholders it provide services to.

    • EA Views Taxonomy
    • EA Operating Model Template
    • Architecture Board Charter Template
    • EA Policy Template
    • EA Compliance Waiver Form Template

    3. Implement the EA operating model

    A phased approach and a good communications strategy are key to the success of the new EA organization.

    • EA Roadmap
    • EA Communication Plan Template
    [infographic]

    Workshop: Agile Enterprise Architecture Operating Model

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 EA Function Design

    The Purpose

    Identify how EA looks within the organization and ensure all the necessary skills are accounted for within the function.

    Key Benefits Achieved

    EA is designed to be the most appropriately placed and structured for the organization.

    Activities

    1.1 Place the EA department.

    1.2 Define roles for each team member.

    1.3 Find internal and external talent.

    1.4 Create job descriptions with required proficiencies.

    Outputs

    EA organization design

    Role-based skills and competencies

    Talent acquisition strategy

    Job descriptions

    2 EA Engagement Model

    The Purpose

    Create a thorough engagement model to interact with stakeholders.

    Key Benefits Achieved

    An understanding of each process within the engagement model.

    Create stakeholder interaction cards to plan your conversations.

    Activities

    2.1 Define each engagement process for your organization.

    2.2 Document stakeholder interactions.

    Outputs

    EA Operating Model Template

    EA Stakeholder Engagement Model Template

    3 EA Governance

    The Purpose

    Develop EA boards, alongside a charter and policies to effectively govern the function.

    Key Benefits Achieved

    Governance that aids the EA function instead of being a bureaucratic obstacle.

    Adherence to governace.

    Activities

    3.1 Outline the architecture review process.

    3.2 Position the architecture review board.

    3.3 Create a committee charter.

    3.4 Make effective governance policy.

    Outputs

    Architecture Board Charter Template

    EA Policy Template

    4 Architecture Development Framework

    The Purpose

    Create an operating model that is influenced by universal standards including TOGAF, Zachmans, and DoDAF.

    Key Benefits Achieved

    A thoroughly articulated development framework.

    Understanding of the views that influence each domain.

    Activities

    4.1 Tailor an architecture development framework to your organizational context.

    Outputs

    EA Operating Model Template

    Enterprise Architecture Views Taxonomy

    5 Operational Plan

    The Purpose

    Create a change management and communication plan or roadmap to execute the operating model.

    Key Benefits Achieved

    Build a plan that takes change management and communication into consideration to achieve the wanted benefits of an EA program.

    Effectively execute the roadmap.

    Activities

    5.1 Create a sponsorship action plan.

    5.2 Outline a communication plan.

    5.3 Execute a communication roadmap.

    Outputs

    Sponsorship Action Plan

    EA Communication Plan Template

    EA Roadmap

    Manage End-User Devices

    • Buy Link or Shortcode: {j2store}307|cart{/j2store}
    • member rating overall impact: 10.0/10 Overall Impact
    • member rating average dollars saved: $45,499 Average $ Saved
    • member rating average days saved: 10 Average Days Saved
    • Parent Category Name: End-User Computing Devices
    • Parent Category Link: /end-user-computing-devices
    • Desktop and mobile device management teams use separate tools and different processes.
    • People at all levels of IT are involved in device management.
    • Vendors are pushing unified endpoint management (UEM) products, and teams struggling with device management are hoping that UEM is their savior.
    • The number and variety of devices will only increase with the continued advance of mobility and emergence of the Internet of Things (IoT).

    Our Advice

    Critical Insight

    • Many problems can be solved by fixing roles, responsibilities, and process. Standardize so you can optimize.
    • UEM is not a silver bullet. Your current solution can image computers in less than 4 hours if you use lean images.
    • Done with, not done to. Getting input from the business will improve adoption, avoid frustration, and save everyone time.

    Impact and Result

    • Define the benefits that you want to achieve and optimize based on those benefits.
    • Take an evolutionary, rather than revolutionary, approach to merging end-user support teams. Process and tool unity comes first.
    • Define the roles and responsibilities involved in end-user device management, and create a training plan to ensure everyone can execute their responsibilities.
    • Stop using device management practices from the era of Windows XP. Create a plan for lean images and app packages.

    Manage End-User Devices Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should optimize end-user device management, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Identify the business and IT benefits of optimizing endpoint management

    Get your desktop and mobile device support teams out of firefighting mode by identifying the real problem.

    • Manage End-User Devices – Phase 1: Identify the Business and IT Benefits
    • End-User Device Management Standard Operating Procedure
    • End-User Device Management Executive Presentation

    2. Improve supporting teams and processes

    Improve the day-to-day operations of your desktop and mobile device support teams through role definition, training, and process standardization.

    • Manage End-User Devices – Phase 2: Improve Supporting Teams and Processes
    • End-User Device Management Workflow Library (Visio)
    • End-User Device Management Workflow Library (PDF)

    3. Improve supporting technologies

    Stop using management tools and techniques from the Windows XP era. Save yourself, and your technicians, from needless pain.

    • Manage End-User Devices – Phase 3: Improve Supporting Technologies
    [infographic]

    Workshop: Manage End-User Devices

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Identify the Business and IT Benefits of Optimizing End-User Device Management

    The Purpose

    Identify how unified endpoint management (UEM) can improve the lives of the end user and of IT.

    Key Benefits Achieved

    Cutting through the vendor hype and aligning with business needs.

    Activities

    1.1 Identify benefits you can provide to stakeholders.

    1.2 Identify business and IT goals in order to prioritize benefits.

    1.3 Identify how to achieve benefits.

    1.4 Define goals based on desired benefits.

    Outputs

    Executive presentation

    2 Improve the Teams and Processes That Support End-User Device Management

    The Purpose

    Ensure that your teams have a consistent approach to end-user device management.

    Key Benefits Achieved

    Developed a standard approach to roles and responsibilities, to training, and to device management processes.

    Activities

    2.1 Align roles to your environment.

    2.2 Assign architect-, engineer-, and administrator-level responsibilities.

    2.3 Rationalize your responsibility matrix.

    2.4 Ensure you have the necessary skills.

    2.5 Define Tier 2 processes, including patch deployment, emergency patch deployment, device deployment, app deployment, and app packaging.

    Outputs

    List of roles involved in end-user device management

    Responsibility matrix for end-user device management

    End-user device management training plan

    End-user device management standard operating procedure

    Workflows and checklists of end-user device management processes

    3 Improve the Technologies That Support End-User Device Management

    The Purpose

    Modernize the toolset used by IT to manage end-user devices.

    Key Benefits Achieved

    Saving time and resources for many standard device management processes.

    Activities

    3.1 Define the core image for each device/OS.

    3.2 Define app packages.

    3.3 Gather action items for improving the support technologies.

    3.4 Create a roadmap for improving end-user device management.

    3.5 Create a communication plan for improving end-user device management.

    Outputs

    Core image outline

    Application package outline

    End-user device management roadmap

    End-user device management communication plan

    Define Your Virtual and Hybrid Event Requirements

    • Buy Link or Shortcode: {j2store}64|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: End-User Computing Applications
    • Parent Category Link: /end-user-computing-applications

    Your organization is considering holding an event online, or has been, but:

    • The organization (both on the business and IT sides) may not have extensive experience hosting events online.
    • It is not immediately clear how your formerly in-person event’s activities translate to a virtual environment.
    • Like the work-from-home transformation, bringing events online instantly expands IT’s role and responsibilities.

    Our Advice

    Critical Insight

    If you don't begin with strategy, you will fit your event to technology, instead of the other way around.

    Impact and Result

    To determine your requirements:

    • Determine the scope of the event.
    • Narrow down your list of technical requirements.
    • Use Info-Tech’s Rapid Application Selection Framework to select the right software solution.

    Define Your Virtual and Hybrid Event Requirements Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Define Your Virtual and Hybrid Event Requirements Storyboard – Use this storyboard to work through key decision points involved in creating digital events.

    This deck walks you through key decision points in creating virtual or hybrid events. Then, begin the process of selecting the right software by putting together the first draft of your requirements for a virtual event software solution.

    • Define Your Virtual and Hybrid Event Requirements Storyboard

    2. Virtual Events Requirements Tool – Use this tool to begin selecting your requirements for a digital event solution.

    The business should review the list of features and select which ones are mandatory and which are nice to have or optional. Add any features not included.

    • Virtual/Hybrid Event Software Feature Analysis Tool
    [infographic]

    Further reading

    Define Your Virtual and Hybrid Event Requirements

    Accelerate your event scoping and software selection process.

    Analyst Perspective

    When events go virtual, IT needs to cover its bases.

    The COVID-19 pandemic imposed a dramatic digital transformation on the events industry. Though event ticket and registration software, mobile event apps, and onsite audio/visual technology were already important pieces of live events, the total transformation of events into online experiences presented major challenges to organizations whose regular business operations involve at least one annual mid-sized to large event (association meetings, conferences, trade shows, and more).

    Many organizations worked to shift to online, or virtual events, in order to maintain business continuity. As time went on, and public gatherings began to restart, a shift to “hybrid” events began to emerge—events that accommodate both in-person and virtual attendance. Regardless of event type, this pivot to using virtual event software, or digital event technology, brings events more closely into IT’s areas of responsibility. If you don't begin with strategy, you risk fitting your event to technology, instead of the other way around.

    If virtual and hybrid events are becoming standard forms of delivering content in your organization, use Info-Tech’s material to help define the scope of the event and your requirements, and to support your software selection process.

    Photo of Emily Sugerman
    Emily Sugerman
    Research Analyst, Infrastructure & Operations
    Info-Tech Research Group

    Executive Summary

    Your Challenge

    The organization (both on the business and IT sides) may not have extensive experience hosting events online.

    It is not immediately clear how a formerly in-person event’s activities translate to a virtual environment.

    Like the work-from-home transformation, bringing events online expands IT’s role and responsibilities.

    Common Obstacles

    It is not clear what technological capabilities are needed for the event, which capabilities you already own, and what you may need to purchase.

    Though virtual events remove some barriers to attendance (distance, travel), it introduces new complications and considerations for planners.

    Hybrid events introduce another level of complexity.

    Info-Tech’s Approach

    In order to determine your requirements:

    Determine the scope of the event.

    Narrow down your list of technical requirements.

    Use Info-Tech’s Rapid Application Selection Framework to select the right software solution.

    Info-Tech Insight

    If you don't begin with strategy, you will fit your event to technology, instead of the other way around.

    Your challenge

    The solution you have been using for online events does not meet your needs.

    Though you do have some tools that support large meetings, it is not clear if you require a larger and more comprehensive virtual event solution. There is a need to determine what type of technology you might need to purchase versus leveraging what you already have.

    It is difficult to quickly and practically identify core event requirements and how they translate into technical capabilities.

    Maintaining or improving audience engagement is a perpetual challenge for virtual events.

    38%
    of event professionals consider virtual event technology “a tool for reaching a wider audience as part of a hybrid strategy.”

    21%
    consider it “a necessary platform for virtual events, which remain my go-to event strategy.”

    40%
    prioritize “mid-budget all-in-one event tech solution that will prevent remote attendees from feeling like second-class participants.”

    Source: Virtual Event Tech Guide, 2022

    Common obstacles

    These barriers make this challenge difficult to address for many organizations.

    Events with networking objectives are not always well served by webinars, which are traditionally more limited in their interactive elements.

    Events that include the conducting of organizational/association business (like voting) may have bylaws that make selecting a virtual solution more challenging.

    Maintaining attendee engagement is more challenging in a virtual environment.

    Prior to the pandemic, your organization may not have been as experienced in putting on fully virtual events, putting more responsibility in your corner as IT. Navigating virtual events can also require technological competencies that your attendee userbase may not universally possess.

    Technological limitations and barriers to access can exclude potential attendees just as much as bringing events online can open up attendance to new audiences.

    Opportunity: Virtual events can significantly increase an event’s reach

    Events held virtually during the pandemic noted significant increases in attendees.

    “We had 19,000 registrations from all over the world, almost 50 times the number of people we had expected to host in Amsterdam. . . . Most of this year’s [2020] attendees would not have been able to participate in a physical GrafanaCon in Amsterdam. That was a huge win.” – Raj Dutt, Grafana Labs CEO[5]

    Event In-person Online 2022
    Microsoft Build 2019: 6,000 attendees 2020: 230,000+ registrants[1] The 2022 conference was also held virtually[3]
    Stanford Institute for Human-Centered Artificial Intelligence A few hundred attendees expected for the original (cancelled) 2020 in-person conference 2020: 30,000 attendees attended the “COVID-19 and AI” virtual conference[2] The 2022 Spring Conference was a hybrid event[4]

    [1] Kelly, 2020; [2] Price, 2020; [3] Stanford Digital Economy Lab, 2022; [4] Warren, 2022; [5] Fast Company, 2020

    Info-Tech’s methodology for defining virtual/hybrid event requirements

    A diagram that shows defining event scope, creating list of requirements, and selecting software.

    Event planning phases

    Apply project management principles to your virtual/hybrid event planning process.

    Online event planning should follow the same established principles as in-person event planning.
    Align the event’s concept and objectives with organizational goals.

    A diagram of event planning phases
    Source: Adapted from Event Management Body of Knowledge, CC BY 4.0

    Gather inputs to the planning processes

    Acquire as much of this information as possible before you being the planning process.

    Budget: Determine your organization’s budget for this event to help decide the scope of the event and the purchasing decisions you make as you plan.

    Internal human resources: Identify who in your organization is usually involved in the organization of this event and if they are available to organize this one.

    List of communication and collaboration tools: Acquire the list of the existing communication and collaboration tools you are currently licensed for. Ensure you know the following information about each tool:

    • Type of license
    • License limitations (maximum number of users)
    • Internal or external-facing tool (or capable of both)
    • Level of internal training and competency on the tool

    Decision point: Relate event goals to organizational goals

    What is driving the event?

    Your organization may hold a variety of in-person events that you now wish, for various reasons, to hold fully or partially online. Each event likely has a slightly different set of goals.

    Before getting into the details of how to transition your event online, return to the business/organizational goals the event is serving.

    Ensure each event (and each component of each event) maps back to an organizational goal.

    If a component of the event does not align to an organizational goal, assess whether it should remain as part of the event.

    Common organizational goals

    • Increase revenue
    • Increase productivity
    • Attract and retain talent
    • Improve change management
    • Carry out organizational mission
    • Identify new markets
    • Increase market share
    • Improve customer service
    • Launch new product/service

    Common event goals

    • Education/training
    • Knowledge transfer
    • Decision making
    • Professional development
    • Sales/lead generation
    • Fundraising
    • Entertainment
    • Morale boosting
    • Recognition of achievement

    Decision point: Identify your organization’s digital event vision

    What do you want the outcome of this event to be?

    Attendee goals: Who are your attendees? Why do they attend this event? What attendee needs does your event serve? What is your event’s value proposition? Are they intrinsically or extrinsically motivated to attend?

    Event goals: From the organizer perspective, why do you usually hold this event? Who are your stakeholders?

    Organizational goals: How do the event goals map to your organizational goals? Is there a clear understanding of what the event’s larger strategic purpose is.

    Common attendee goals

    Education: our attendees need to learn something new that they cannot learn on their own.
    Networking: our attendees need to meet people and make new professional connections.
    Professional development: our attendees have certain obligations to keep credentials updated or to present their work publicly to advance their careers.
    Entertainment: our attendees need to have fun.
    Commerce: our attendees need to buy and sell things.

    Decision point: Level of external event production

    Will you be completely self-managed, reliant on external event production services, or somewhere in the middle?

    You can review this after working through the other decision points and the scope becomes clearer.

    A diagram that shows Level of external event production, comparing Completely self-managed vs Fully externally-managed.

    Decision point: Assign event planning roles

    Who will be involved in planning the event? Fill/combine these roles as needed.

    Planning roles Description
    Project manager Shepherd event planning until completion while ensuring project remains on schedule and on budget.
    Event manager Correspond with presenters during leadup to event, communicate how to use online event tools/platform, perform tests with presenters/exhibitors, coordinate digital event staff/volunteers.
    Program planner Select the topics, speakers, activity types, content, streams.
    Designer and copywriter Design the event graphics; compose copy for event website.
    Digital event technologist Determine event technology requirements; determine how event technology fits together; prepare RFP, if necessary, for new hardware/software.
    Platform administrator Set up registration system/integrate registrations into platform(s) of choice; upload video files and collateral; add livestream links; add/delete staff roles and set controls and permissions; collect statistics and recordings after event.
    Commercial partner liaison Recruit sponsors and exhibitors (offer sponsorship packages); facilitate agreement/contract between commercial partners and organization; train commercial partners on how to use event technology; retrieve lead data.
    Marketing/social media Plan and execute promotional campaigns (email, social media) in the lead up to, and during, the event. Post-event, send follow-up communications, recording files, and surveys.

    Decision point: Assign event production roles

    Who will be involved in running the event?

    Event production roles Description
    Hosts/MCs Address attendees at beginning and end of event, and in-between sessions
    Provide continuity throughout event
    Introduce sessions
    Producers Prepare presenters for performance
    Begin and end sessions
    Use controls to share screens, switch between feeds
    Send backchannel messages to presenters (e.g., "Up next," "Look into webcam")
    Moderators Admit attendees from waiting room
    Moderate incoming questions from attendees
    Manage slides
    Pass questions to host/panelists to answer
    Moderate chat
    IT support Manage event technology stack
    Respond to attendee technical issues
    Troubleshoot network connectivity problems
    Ensure audio and video operational
    Start and stop session recording
    Save session recordings and files (chat, Q&As)

    Decision point: Map attendee goals to event goals to organizational goals

    Input: List of attendee benefits, List of event goals, List of organizational goals
    Output: Ranked list of event goals as they relate to attendee needs and organizational goals
    Materials: Whiteboard/flip charts
    Participants: Planning team

    1. Define attendee benefits:
      1. List the attendee benefits derived from your event (as many as possible).
      2. Rank attendee benefits from most to least important.
    2. Define event goals:
      1. List your event goals (as many as possible).
      2. Draw a connecting line to your ranked list of attendee benefits.
      3. Identify if any event goals exist with no clear relationship to attendee benefits. Discuss whether this event goal needs to be re-envisioned. If it connects to no discernible attendee benefits, consider removing it. Otherwise, figure out what attendee benefits the event goal provides.
    3. Define organizational goals:
      1. Acquire a list of your organization’s main strategic goals.
      2. Draw a connecting line from each event goal to the organizational goal it supports.
      3. If most of your event goals do not immediately seem to support an organizational goal, discuss why this is. Try to find the connection. If you cannot, discuss whether the event should proceed or be rethought.

    Decision point: Break down your event into its constituent components

    Identify your event archetype

    Decompose the event into its component parts

    Identify technical requirements that help meet event goals

    Benefits:

    • Clarify how formerly in-person events map to virtual archetypes.
    • Ensure your virtual event planning is anchored to organizational goals from the outset.
    • Streamline your virtual event tech stack planning later.

    Decision point: Determine your event archetype

    Analyze your event’s:

    • Main goals.
    • The components and activities that support those goals.
    • How these components and activities fall into people- vs. content-centric activities, and real-time vs. asynchronous activities.
    1. Conference
    2. Trade show
    3. Annual general meeting
    4. Department meeting
    5. Town hall
    6. Workshop

    A diagram that shows people- vs. content-centric activities, and real-time vs. asynchronous activities

    Info-Tech Insight

    Begin the digital event planning process by understanding how your event’s content is typically consumed. This will help you make decisions later about how best to deliver the content virtually.

    Conference

    Goals: Education/knowledge transfer; professional advancement; networking.

    Major content

    • Call for proposals/circulation of abstracts
    • Keynotes or plenary address: key talk addressed to large audience
    • Panel sessions: multiple panelists deliver address on common theme
    • Poster sessions: staffed/unstaffed booths demonstrate visualization of major research on a poster
    • Association meetings (see also AGM archetype): professional associations hold AGM as one part of a larger conference agenda

    Community

    • Formal networking (happy hours, social outings)
    • Informal networking (hallway track, peer introductions)
    • Business card exchange
    • Pre- and post-event correspondence

    Commercial Partners

    • Booth reps: Publishing or industry representatives exhibit products/discuss collaboration

    A quadrants matrix of conference

    Trade show

    Objectives: Information transfer; sales; lead generation.

    Major content

    • Live booth reps answer questions
    • Product information displayed
    • Promotional/information material distributed
    • Product demonstrations at booths or onstage
    • Product samples distributed to attendees

    Community interactions

    • Statements of intent to buy
    • Lead generation (badge scanning) of booth visitors
    • Business card exchange
    • Pre- and post-event correspondence

    A quadrants matrix of Trade show

    Annual general meeting

    Objectives: Transparently update members; establish governance and alignment.

    Meeting events

    • Updates provided to members on organization’s activities/finances
    • Decisions made regarding organization’s direction
    • Governance over organization established (elections)
    • Speakers addressing large audience from stage
    • In-camera sessions
    • Translation of proceedings
    • Real-time weighted voting
    • Minutes taken during meeting

    Administration

    • Notice given of meeting within mandated time period
    • Agenda circulated prior to meeting
    • Distribution of proxy material
    • Minutes distributed

    A quadrants matrix of Annual general meeting

    Department meeting

    Objectives: Information transfer of company agenda/initiatives; group decision making.

    Major content

    • Agenda circulated prior to meeting
    • Updates provided from senior management/leadership to employees on organization’s initiatives and direction
    • Employee questions and feedback addressed
    • Group decision making
    • Minutes taken during meeting
    • Minutes or follow-up circulated

    A quadrants matrix of department meeting

    Town hall meeting

    Objectives: Update public; answer questions; solicit feedback.

    Major content

    • Public notice of meeting announced
    • Agenda circulated prior to meeting
    • Speakers addressing large audience from stage
    • Presentation of information pertinent to public interest
    • Audience members line up to ask questions/provide feedback
    • Translation of proceedings
    • Recording of meeting archived

    A quadrants matrix of Town hall meeting

    Workshop

    Objectives: Make progress on objective; achieve consensus; knowledge transfer.

    Major content

    • Scheduling of workshop
    • Agenda circulated prior to meeting
    • Facilitator leads group activities
    • Participants develop alignment on project
    • Progress achieved on workshop project
    • Feedback on workshop shared with facilitator

    A quadrants matrix of Workshop

    Decision point: Analyze your event’s purpose and value

    Use the event archetypes to help you identify your event’s core components and value proposition.

    1. Attendee types: Who typically attends your event? Exclusively internal participants? External participants? A mix of the two?
    2. Communication: How do participants usually communicate with each other during this event? How do they communicate with the event organizers? Include both formal types of communication (listening to panel sessions) and informal (serendipitous conversations in the hallway).
    3. Connection: What types of connections do your attendees need to experience? (networking with peers; interactions with booth reps; consensus building with colleagues).
    4. Exchange of material: What kind of material is usually exchanged at this event and between whom? (Pamphlets, brochures, business cards, booth swag).
    5. Engagement: How do you usually retain attendees' attention and make sure they remain engaged throughout the event?
    6. Length: How long does the event typically last?
    7. Location and setup: Where does the event usually take place and who is involved in its setup?
    8. Success metrics: How do you usually measure your event's success?

    Info-Tech Insight

    Avoid trying to exactly reproduce the formerly in-person event online. Instead, identify the value proposition of each event component, then determine what its virtual expression could be.

    Example: Trade show

    Goals: Information transfer; sales; lead generation.

    1. Identify event component(s)
    2. Document its face-to-face expression(s)
    3. Identify the expression’s value proposition
    4. Translate the value proposition to a virtual component that facilitates overall event goal

    Event component

    Face-to-face expression

    Value proposition of component

    Virtual expression
    Attendee types Paying attendees Revenue for event organizer; sales and lead generation for booth rep Access to virtual event space
    Attendee types Booth rep Revenue for event organizer; information source for paying attendees Access to virtual event space
    Communication/connection Conversation between booth rep and attendee Lead generation for booth rep; information to inform decision making for attendee Ability to enter open video breakout session staffed by booth reps OR

    Ability to schedule meeting times with booth rep

    Multiple booth reps on hand to monitor different elements of the booth (one person to facilitate the discussion over video, another to monitor chat and Q&A)
    Communication/connection Serendipitous conversation between attendees Increased attendee contacts; fun Multiple attendees can attend the booth’s breakout session simultaneously and participate in web conferencing, meeting chat, or submit questions to Q&A
    Communication/connection Badges scanned at booth/email sign-up sheets filled out at table Lead generation for exhibitors List of visitors to booth shared with exhibitor (if consent given by attendees)

    Ability for attendees to request to be contacted for more information
    Exchange of material Catering (complimentary coffee, pastries) Obviate the need for attendees to leave the event for refreshments N/A: not included in virtual event
    Exchange of material Pamphlets, product literature, swag Portable information for attendee decision making Downloadable files (pdf)
    Location Responsibility of both the organizers (tables, chairs, venue) and booth reps (posters, handouts) Booth reps need a dedicated space where they can be easily found by attendees and advertise themselves Booth reps need access to virtual platform to upload files, images, provide booth description
    Engagement Attendees able to visit all booths by strolling through space Event organizers have a captive audience who is present in the immediacy of the event site Attendees motivated to stay in the event space and attend booths through gamification strategies (points awarded for number of booths visited or appointments booked)
    Length of event 2 full days Attendees travel to event site and spend the entire 2 days at the event, allowing them to be immersed in the event and absorb as much information in as little time as possible Exhibitors’ visiting hours will be scheduled so they work for both attendees attending in Eastern Standard Time and Pacific Time
    Metrics for success -Positive word of mouth
    -Number of registrations     		These metrics can be used to advertise to future exhibitors and attendees Number of virtual booths visited

    Number of file downloads

    Survey sent to attendees after event (favorite booths, preferred way to interact with exhibitors, suggestions for improvement, most valuable part of experience)

    Plan your metrics

    Use the analytics and reporting features available in your event technology toolset to capture the data you want to measure. Decide how each metric will impact your planning process for the next event.

    Examples of metrics:

    • Number of overall participants/registrants: Did you have more or fewer registrants/attendees than previous iterations of the event? What is the difference between number of registrants and number of real attendees?
    • Locations of participants: Where are people participating from? How many are attending for the first time? Are there new audiences you can pursue next time?
    • Most/least popular sessions: How long did people stay in the sessions and the event overall?
    • Most/least popular breakout rooms and discussion boards: Which topics should be repeated/skipped next time?
    • Social media mentions: Which topics received the most engagement on social media?
    • Surveys: What do participants report enjoying most? Least?
    • Technical failures: Can your software report on failures? Identify what technical problems arose and prepare a plan to mitigate them next time.

    Ensure the data you capture feeds into better planning for the next event

    Determine compliance requirements

    A greater event reach also means new data privacy considerations, depending on the location of your guests.

    General Data Protection Regulation (GDPR)

    Concerns over the collection of personal electronic data may not have previously been a part of your event planning considerations. However, now that your event is online, it’s wise to explore which data protection regulations apply to you. Remember, even if your organization is not located in the EU, if any of your attendees are European data subjects you may still be required to comply with GDPR, which involves the notification of data collected, allowing for opt-out options and the right to have data purged. The data must be collected for a specific purpose; if that purpose is expired, it can no longer be retained. You also have an obligation to report any breaches.

    Accessibility requirements

    What kind of accessibility laws are you subject to (AODA, WCAG2)? Regardless of compliance requirements, it is a good idea to ensure the online event follows accessibility best practices.

    Decision point: Set event policies

    What event policies need to be documented?
    How will you communicate them to attendees?

    Code of conduct

    One trend in the large event and conference space in recent years has been the development of codes of conduct that attendees are required to abide by to continue participating in the event.
    Now that your event is online, consider whether your code of conduct requires updating. Are there new types of appropriate/inappropriate online behavior that you need to define for your attendees?

    Harassment reporting

    If your organization has an event harassment reporting process, determine how this process will transfer over to the digital event.
    Ensure the reporting process has an owner and a clear methodology to follow to deal with complaints, as well as a digital reporting channel (a dedicated email or form) that is only accessed by approved staff to protect sensitive information.

    Develop a risk management plan

    Plan for how you will mitigate technical risks during your virtual event
    Provide presenters with a process to follow if technical problems arise.

    • Presenter’s internet connection cuts out
    • Attendees cannot log in to event platform
    • Attendees cannot hear/see video feed
    • What process will be followed when technical problems occur: ticketing system; chatbot; generic email accessible by all IT support assigned

    Testing/Rehearsal

    Test audio hardware: Ensure speakers use headphones/earbuds and mics (they do not have to be fancy/expensive). Relying on the computer/laptop mic can lead to more ambient noise and potential feedback problems.

    Check lighting: Avoid backlighting. Reposition speakers so they are not behind windows. Ask them to open/close shades. Add lamps as needed.

    Prevent interruptions: Before the event, ask panelists to turn phone and computer notifications to silent. Put a sign on the door saying Do not Disturb.

    Control audience view of screenshare: If your presenters will be sharing their screens, teach them how this works on the platform they are using. Advise them to exit out of any other application that is not part of their presentation, so they do not share the wrong screen unintentionally. Advise them to remove anything from the desktop that they do not want the audience to see, in case their desktop becomes visible at any point.

    Control audience view of physical environment: Before the event, advise participants to turn their cameras on and examine their backgrounds. Remove anything the audience should not be able to see.

    Test network connectivity: Send the presenters a link to a speed test and check their internet speed.

    Emergency contact: Exchange cell phone numbers for emergency backchannel conversations if problems arise on the day of the event.

    Set expectations: Presenting to an online audience feels very different to a live crowd. Prepare presenters for a lack of applause and lack of ability to see their audience, and that this does not mean the presentation was unsuccessful.

    Identify requirements

    To determine what kind of technical requirements you need to build the virtual expression of your event, consult the Virtual Event Platform Requirements Tool.

    1. If you have determined that the requirements you wish to use for the event exceed the capabilities of your existing communication and collaboration toolset, identify whether these gaps tip the scale toward purchasing a new tool. Use the requirement gaps to make the business case for purchasing a new tool.
    2. Use the Virtual Event Platform Requirements Tool to create a list of requirements.
    3. Consult the Software Reviews category for Virtual Event Platform Data Quadrant and Emotional Footprint reports.
    4. Assemble your documentation for approvals and the Rapid Application Selection Process.

    A photo of Detailed Feature Analysis Worksheet.

    Download the Virtual/Hybrid Event Software Feature Analysis Tool

    Rapid Application Selection Framework and Contract Review

    A photo of Rapid Application Selection Framework
    Launch Info-Tech’s Rapid Application Selection Framework.

    Using the requirements you’ve just gathered as a base, use Info-Tech’s complete framework to improve the efficiency and effectiveness of software selection.

    Once you’ve selected a vendor(s), review the contract. Does it define an exit strategy? Does it define when your data will be deleted? Does it set service-level agreements that you find acceptable? Leverage Info-Tech’s contract review service once you have selected the virtual event solution and have received a contract from the vendor.

    Further research

    Photo of Run Better Meetings
    Run Better Meetings

    Bibliography

    Dutt, Raj. “7 Lessons from This Company’s First-Ever Virtual Conference.” Fast Company, 29 Jul 2020. Web.

    Kelly, Samantha Murphy. “Microsoft Build Proves Splashy Tech Events Can Thrive Online.” CNN, 21 May 2020. Web.

    “Phases.” Event Management Body of Knowledge (EMBOK), n.d. Web.

    Price, Michael. “As COVID-19 Forces Conferences Online, Scientists Discover Upsides of Virtual Format.” Science, 28 Apr 2020. Web.

    “Stanford HAI Spring Conference - Key Advances in Artificial Intelligence.” Stanford Digital Economy Lab, 2022. Web.

    “Virtual Event Tech Guide 2022.” Skift Meetings, April 2022. Web.

    Warren, Tom. “Microsoft Build 2022 Will Take Place May 24th–26th.” The Verge, 30 March 2022. Web.

    Contributors

    6 anonymous contributors

    Tame the Project Backlog

    • Buy Link or Shortcode: {j2store}439|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Portfolio Management
    • Parent Category Link: /portfolio-management
    • Unmanaged project backlogs can become the bane of IT departments, tying IT leaders and PMO staff down to an ever-growing receptacle of project ideas that provides little by way of strategic value and that typically represents a lack of project intake and approval discipline.
    • Decision makers frequently use the backlog to keep the peace. Lacking the time to assess the bulk of requests, or simply wanting to avoid difficult conversations with stakeholders, they “approve” everything and leave it to IT to figure it out.
    • As IT has increasing difficulty assessing – let alone starting – any of the projects in the backlog, stakeholder relations suffer. Requestors view inclusion in the backlog as a euphemism for “declined,” and often characterize the backlog as the place where good project ideas go to die.
    • Faced with these challenges, you need to make your project backlog more useful and reliable. The backlog may contain projects worth doing, but in its current untamed state, you have difficulty discerning, let alone capitalizing upon, those instances of value.

    Our Advice

    Critical Insight

    • Project backlogs are an investment and need to be treated as such. Incurring a cost impact that can be measured in terms of time and money, the backlog needs to be actively managed to ensure that you’re investing wisely and getting a good return in terms of strategic value and project throughput.
    • Unmanageable project backlogs are rooted in bad habits and poorly-defined processes. Identifying the sources that fuel backlog growth is key to long-term success. Unless the problem is addressed at the root, any gains made in the near-term will simply fade away as old, unhealthy habits re-emerge and take hold.
    • Backlog management should facilitate executive awareness about the status of backlog items as new work is being approved. In the long run, this ongoing executive engagement will not only help to keep the backlog manageable, but it will also help to bring more even workloads to IT project staff.

    Impact and Result

    • Keep the best, forget the rest. Develop a near-term approach to limit the role of the backlog to include only those items that add value to the business.
    • Shine a light. Improve executive visibility into the health and status of the backlog so that the backlog is taken into account when decision makers approve new work.
    • Evolve the organizational culture. Effectively employ organizational change management practices to evolve the culture that currently exists around the project backlog in order to ensure customer-service needs are more effectively addressed.
    • Ensure long-term sustainability. Institute processes to make sure that your list of pending projects – should you still require one after implementing this blueprint – remains minimal, maintainable, and of high value.

    Tame the Project Backlog Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out how a more disciplined approach to managing your project backlog can help you realize increased value and project throughput.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Create a project backlog battle plan

    Calculate the cost of the project backlog and assess the root causes of its unmanageability.

    • Tame the Project Backlog – Phase 1: Create a Backlog Battle Plan
    • Project Backlog ROI Calculator

    2. Execute a near-term backlog cleanse

    Increase the manageability of the backlog by updating stale requests and removing dead weight.

    • Tame the Project Backlog – Phase 2: Execute a Near-Term Backlog Cleanse
    • Project Backlog Management Tool
    • Project Backlog Stakeholder Communications Template

    3. Ensure long-term backlog manageability

    Develop and maintain a manageable backlog growth rate by establishing disciplined backlog management processes.

    • Tame the Project Backlog – Phase 3: Ensure Long-Term Backlog Manageability
    • Project Backlog Operating Plan Template
    • Project Backlog Manager
    [infographic]

    Workshop: Tame the Project Backlog

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Create a Project Backlog Battle Plan

    The Purpose

    Gauge the manageability of your project backlog in its current state.

    Calculate the total cost of your project backlog investments.

    Determine the root causes that contribute to the unmanageability of your project backlog.

    Key Benefits Achieved

    An understanding of the organizational need for more disciplined backlog management.

    Visibility into the costs incurred by the project backlog.

    An awareness of the sources that feed the growth of the project backlog and make it a challenge to maintain.

    Activities

    1.1 Calculate the sunk and marginal costs that have gone into your project backlog.

    1.2 Estimate the throughput of backlog items.

    1.3 Survey the root causes of your project backlog.

    Outputs

    The total estimated cost of the project backlog.

    A project backlog return-on-investment score.

    A project backlog root cause analysis.

    2 Execute a Near-Term Project Backlog Cleanse

    The Purpose

    Identify the most organizationally appropriate goals for your backlog cleanse.

    Pinpoint those items that warrant immediate removal from the backlog and establish a game plan for putting a bullet in them.

    Communicate backlog decisions with stakeholders in a way that minimizes friction and resistance. 

    Key Benefits Achieved

    An effective, achievable, and organizationally right-sized approach to cleansing the backlog.

    Criteria for cleanse outcomes and a protocol for carrying out the near-term cleanse.

    A project sponsor outreach plan to help ensure that decisions made during your near-term cleanse stick. 

    Activities

    2.1 Establish roles and responsibilities for the near-term cleanse.

    2.2 Determine cleanse scope.

    2.3 Develop backlog prioritization criteria.

    2.4 Prepare a communication strategy.

    Outputs

    Clear accountabilities to ensure the backlog is effectively minimized and outcomes are communicated effectively.

    Clearly defined and achievable goals.

    Effective criteria for cleansing the backlog of zombie projects and maintaining projects that are of strategic and operational value.

    A communication strategy to minimize stakeholder friction and resistance.

    3 Ensure Long-Term Project Backlog Manageability

    The Purpose

    Ensure ongoing backlog manageability.

    Make sure the executive layer is aware of the ongoing status of the backlog when making project decisions.

    Customize a best-practice toolkit to help keep the project backlog useful. 

    Key Benefits Achieved

    A list of pending projects that is minimal, maintainable, and of high value.

    Executive engagement with the backlog to ensure intake and approval decisions are made with a view of the backlog in mind.

    A backlog management tool and processes for ongoing manageability. 

    Activities

    3.1 Develop a project backlog management operating model.

    3.2 Configure a project backlog management solution.

    3.3 Assign roles and responsibilities for your long-term project backlog management processes.

    3.4 Customize a project backlog management operating plan.

    Outputs

    An operating model to structure your long-term strategy around.

    A right-sized management tool to help enable your processes and executive visibility into the backlog.

    Defined accountabilities for executing project backlog management responsibilities.

    Clearly established processes for how items get in and out of the backlog, as well as for ongoing backlog review.

    Govern Office 365

    • Buy Link or Shortcode: {j2store}52|cart{/j2store}
    • member rating overall impact: 9.5/10 Overall Impact
    • member rating average dollars saved: $21,473 Average $ Saved
    • member rating average days saved: 21 Average Days Saved
    • Parent Category Name: End-User Computing Applications
    • Parent Category Link: /end-user-computing-applications

    Exploring the enterprise collaboration marketspace is difficult. The difficulty in finding a suitable collaboration tool is that there are many ways to collaborate, with just as many tools to match.

    Our Advice

    Critical Insight

    Map your organizational goals to the administration features available in the Office 365 console. Your governance should reflect your requirements.

    Impact and Result

    The result is a defined plan for controlling Office 365 by leveraging hard controls to align Microsoft’s toolset with your needs and creating acceptable use policies and communication plans to highlight the impact of the transition to Office 365 on the end-user population.

    Govern Office 365 Research & Tools

    Start here – read the Executive Brief

    Understand the challenges posed by governing Office 365 and the necessity of deploying proper governance.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Define your organizational goals

    Develop a list of organizational goals that will enable you to leverage the Office 365 toolset to its fullest extent while also implementing sensible governance.

    • Govern Office 365 – Phase 1: Define Your Organizational Goals

    2. Control your Office 365 environment

    Use Info-Tech's toolset to build out controls for OneDrive, SharePoint, and Teams that align with your organizational goals as they relate to governance.

    • Govern Office 365 – Phase 2: Control Your Office 365 Environment
    • Office 365 Control Map
    • Microsoft Teams Acceptable Use Policy
    • Microsoft SharePoint Online Acceptable Use Policy
    • Microsoft OneDrive Acceptable Use Policy

    3. Communicate your results

    Communicate the results of your Office 365 governance program using Info-Tech's toolset.

    • Govern Office 365 – Phase 3: Communicate Your Results
    • Office 365 Communication Plan Template

    Infographic

    Workshop: Govern Office 365

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Define Goals

    The Purpose

    Develop a plan to assess the capabilities of the Office 365 solution and select licensing for the product.

    Key Benefits Achieved

    Office 365 capability assessment (right-size licensing)

    Acceptable Use Policies

    Mapped Office 365 controls

    Activities

    1.1 Review organizational goals.

    1.2 Evaluate Office 365 capabilities.

    1.3 Conduct the Office 365 capability assessment.

    1.4 Define user groups.

    1.5 Finalize licensing.

    Outputs

    List of organizational goals

    Targeted licensing decision

    2 Build Refined Governance Priorities

    The Purpose

    Leverage the Office 365 governance framework to develop and refined governance priorities.

    Build a SharePoint acceptable use policy and define SharePoint controls.

    Key Benefits Achieved

    Refined governance priorities

    List of SharePoint controls

    SharePoint acceptable use policy

    Activities

    2.1 Explore the Office 365 Framework.

    2.2 Conduct governance priorities refinement exercise.

    2.3 Populate the Office 365 control map (SharePoint).

    2.4 Build acceptable use policy (SharePoint).

    Outputs

    Refined governance priorities

    SharePoint control map

    Sharepoint acceptable use policy

    3 Control Office 365

    The Purpose

    Implement governance priorities for OneDrive and Teams.

    Key Benefits Achieved

    Clearly defined acceptable use policies for OneDrive and Teams

    List of OneDrive and Teams controls

    Activities

    3.1 Populate the Office 365 Control Map (OneDrive).

    3.2 Build acceptable use policy (OneDrive).

    3.3 Populate the Office 365 Control Map (Teams).

    3.4 Build acceptable use policy (Teams).

    Outputs

    OneDrive controls

    OneDrive acceptable use policy

    Teams controls

    Teams acceptable use policy

    4 SOW Walkthrough

    The Purpose

    Build a plan to communicate coming changes to the productivity environment.

    Key Benefits Achieved

    Communication plan covering SharePoint, Teams, and OneDrive

    Activities

    4.1 Build SharePoint one pager.

    4.2 Build OneDrive one pager.

    4.3 Build Teams one pager.

    4.4 Finalize communication plan.

    Outputs

    SharePoint one pager

    OneDrive one pager

    Teams one pager

    Overall finalized communication plan

    5 Communicate and Implement

    The Purpose

    Finalize deliverables and plan post-workshop communications.

    Key Benefits Achieved

    Completed Office 365 governance plan

    Finalized deliverables

    Activities

    5.1 Completed in-progress deliverables from previous four days.

    5.2 Set up review time for workshop deliverables and to discuss next steps.

    5.3 Validate governance with stakeholders.

    Outputs

    Completed acceptable use policies

    Completed control map

    Completed communication plan

    Completed licensing decision

    Maximize Business Value From IT Through Benefits Realization

    • Buy Link or Shortcode: {j2store}337|cart{/j2store}
    • member rating overall impact: 6.0/10 Overall Impact
    • member rating average dollars saved: 4 Average Days Saved
    • member rating average days saved: After each Info-Tech experience, we ask our members to quantify the real-time savings, monetary impact, and project improvements our research helped them achieve.
    • Parent Category Name: IT Governance, Risk & Compliance
    • Parent Category Link: /it-governance-risk-and-compliance
    • IT and the business are often misaligned because business value is not well defined or communicated.
    • Decisions are made without a shared perspective of value. This results in cost misallocation and unexploited opportunities to improve efficiency and drive innovation.

    Our Advice

    Critical Insight

    • IT exists to provide business value and is part of the business value chain. Most IT organizations lack a way to define value, which complicates the process of making value-based strategic business decisions.
    • IT must link its spend to business value to justify its investments. IT doesn’t have an established process to govern benefits realization and struggles to demonstrate how it provides value from its investments.
    • Pursue value, not technology. The inability to articulate value leads to IT being perceived as a cost center.

    Impact and Result

    • Ensure there is a common understanding within the organization of what is valuable to drive growth and consistent strategic decision making.
    • Equip IT to evaluate, direct, and monitor investments to support the achievement of organizational values and business benefits.
    • Align IT spend with business value through an enhanced governance structure to achieve cost optimization. Ensure IT visibly contributes to the creation and maintenance of value.

    Maximize Business Value From IT Through Benefits Realization Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should establish a benefits realization process, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Understand business value

    Ensure that all key strategic stakeholders hold a current understanding of what is valuable to the organization and a sense of what will be valuable based on future needs.

    • Maximize Business Value from IT Through Benefits Realization – Phase 1: Understand Business Value
    • Business Value Statement Template
    • Business Value Statement Example
    • Value Statement Email Communication Template
    • Feedback Consolidation Tool

    2. Incorporate benefits realization into governance

    Establish the process to evaluate spend on IT initiatives based on expected benefits, and implement the methods to monitor how well the initiatives achieve these benefits.

    • Maximize Business Value from IT Through Benefits Realization – Phase 2: Incorporate Benefits Realization into Governance
    • Business Value Executive Presentation Template

    3. Ensure an accurate reference of value

    Re-evaluate, on a consistent basis, the accuracy of the value drivers stated in the value statement with respect to the organization’s current internal and external environments.

    • Maximize Business Value from IT Through Benefits Realization – Phase 3: Ensure an Accurate Reference of Value
    [infographic]

    Workshop: Maximize Business Value From IT Through Benefits Realization

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Understand Business Value

    The Purpose

    Establish the business value statement.

    Understand the importance of implementing a benefits realization process.

    Key Benefits Achieved

    Unified stakeholder perspectives of business value drivers

    Establish supporters of the initiative

    Activities

    1.1 Understand what governance is and how a benefits realization process in governance will benefit the company.

    1.2 Discuss the mission and vision of the company, and why it is important to establish the target state prior to defining value.

    1.3 Brainstorm and narrow down organization value drivers.

    Outputs

    Stakeholder buy-in on benefits realization process

    Understanding of interrelations of mission, vision, and business value drivers

    Final three prioritized value drivers

    Completed business value statement

    2 Incorporate Benefits Realization Into Governance

    The Purpose

    Establish the intake, assessment and prioritization, and output and monitoring processes that are involved with implementing benefits realization.

    Assign cut-over dates and accountabilities.

    Establish monitoring and tracking processes.

    Key Benefits Achieved

    A thorough implementation plan that can be incorporated into existing governance documents

    Stakeholder understanding of implemented process, process ownership

    Activities

    2.1 Devise the benefits realization process.

    2.2 Establish launch dates, accountabilities, and exception handling on processes.

    2.3 Devise compliance monitoring and exception tracking methods on the benefits realization process.

    Outputs

    Benefits realization process incorporated into governance documentation

    Actionable plan to implement benefits realization process

    Reporting processes to ensure the successful delivery of the improved governance process

    3 Ensure an Accurate Reference of Value

    The Purpose

    Implement a process to ensure that business value drivers remain current to the organization.

    Key Benefits Achieved

    Align IT with the business and business to its environment

    Activities

    3.1 Determine regular review cycle to reassess business value drivers.

    3.2 Determine the trigger events that may cause off-cycle revisits to value.

    3.3 Devise compliance monitoring on value definition.

    Outputs

    Agenda and tools to assess the business context to verify the accuracy of value

    List of possible trigger events specific to your organization

    Reporting processes to ensure the continuous adherence to the business value definition

    Integrate Portfolios to Create Exceptional Customer Value

    • Buy Link or Shortcode: {j2store}176|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Architecture & Strategy
    • Parent Category Link: /architecture-and-strategy
    • Through growth, both organic and acquisition, you have a significant footprint of projects and applications.
    • Projects and applications have little in common with one another, all with their own history and pedigree.
    • You need to look across your portfolio of applications and projects to see if they will collectively help the organization achieve its goals.

    Our Advice

    Critical Insight

    • Stakeholders don’t care about the minutia and activities involved in project and application portfolio management.
    • Timely delivery of effective and important applications that deliver value throughout their life are the most important factors driving business satisfaction with IT.

    Impact and Result

    • Define an organizing principle that will structure your projects and applications in a way that matters to your stakeholders.
    • Bridge application and project portfolio data using the organizing principle that matters to communicate with stakeholders across the organization.
    • Create a dashboard that brings together the benefits of both project and application portfolio management to improve visibility and decision making.

    Integrate Portfolios to Create Exceptional Customer Value Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should integrate your application and project portfolios, review Info-Tech’s methodology, and understand the three ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Define the principle that organizes your portfolios, objectives, and stakeholders

    To bring your portfolios together, you need to start with learning about your objectives, principles, and stakeholders.

    • Integrate Portfolios to Create Exceptional Customer Value – Phase 1: Define the Principle That Organizes Your Portfolios, Objectives, and Stakeholders
    • Integrated Portfolio Dashboard Tool
    • Integrated Portfolio Dashboard Tool – Example

    2. Take stock of what brings you closer to your goals

    Get a deeper understanding of what makes up your organizing principle before learning about your applications and projects that are aligned with your principles.

    • Integrate Portfolios to Create Exceptional Customer Value – Phase 2: Take Stock of What Brings You Closer to Your Goals

    3. Bring it all together

    Bound by your organizing principles, bring your projects and applications together under a single dashboard. Once defined, determine the rollout and communication plan that suits your organization.

    • Integrate Portfolios to Create Exceptional Customer Value – Phase 3: Bring It All Together
    • Integrated Portfolio Communication and Roadmap Plan
    • Integrated Portfolio Communication and Roadmap Plan Example
    [infographic]

    Workshop: Integrate Portfolios to Create Exceptional Customer Value

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Looking at Your Principles

    The Purpose

    Determine your organizational objectives and organizing principle.

    Key Benefits Achieved

    A clear understanding of where you need to go as an organization.

    A clear way to enable all parts of your portfolio to come together.

    Activities

    1.1 Determine your organization’s objectives.

    1.2 Determine your key stakeholders.

    1.3 Define your organizing principle.

    1.4 Decompose your organizing principle into its core components.

    Outputs

    Determined organizing principle for your applications and projects

    2 Understanding Your Applications

    The Purpose

    Get a clear view of the applications that contribute to your organization’s objectives.

    Key Benefits Achieved

    A key element of IT value delivery is its applications. Gaining awareness allows you to evaluate if the right value is being provided.

    Activities

    2.1 Determine your complete list of applications.

    2.2 Determine the health of your applications.

    2.3 Link your applications to the organization’s core components.

    Outputs

    List of applications

    Application list with health statistics filled in

    List of applications with health metrics bound to the organization’s core components

    3 Understanding Your Projects

    The Purpose

    Get a clear view of your project portfolio and how it relates to your applications and their organizing principle.

    Key Benefits Achieved

    An understanding of your project portfolio.

    Activities

    3.1 List all in-flight projects and vital health statistics.

    3.2 Map out the key programs and projects in your portfolio to the application’s core components.

    Outputs

    List of projects

    List of projects mapped to applications they impact

    4 Rolling Out the New Dashboard

    The Purpose

    Bring together your application and project portfolios in a new, easy-to-use dashboard with a full rollout plan.

    Key Benefits Achieved

    Dashboard available for use

    Roadmap and communication plan to make dashboard implementable and tangible

    Activities

    4.1 Test the dashboard.

    4.2 Define your refresh cadence.

    4.3 Plan your implementation.

    4.4 Develop your communication plan.

    Outputs

    Validated dashboards

    Increase Grant Application Success

    • Buy Link or Shortcode: {j2store}314|cart{/j2store}
    • member rating overall impact: 9.5/10 Overall Impact
    • member rating average dollars saved: $7,799 Average $ Saved
    • member rating average days saved: 10 Average Days Saved
    • Parent Category Name: Cost & Budget Management
    • Parent Category Link: /cost-and-budget-management
    • Writing grants has not been prioritized by the organization.
    • Your organization is unable to start, finish, and/or continue priority projects or initiatives as it does not have sufficient funds.
    • Grants are applied to in an ad hoc manner by employees who do not have sufficient time and resources to dedicate to the process.

    Our Advice

    Critical Insight

    There are three critical components to the grant application process:

    • Being strategic about the grant opportunities your organization chooses to pursue.
    • Dedicating sufficient time and resources to writing a competitive grant application.
    • Ensuring your organization will be able to adhere to the grant parameters if awarded the funding.

    Impact and Result

    • By leveraging Info-Tech’s methodology, your organization will strategically select, write, and submit competitive grant applications, securing additional funding sources to support the organization and the communities you serve.
    • This research can enhance the grant writing capabilities of the organization and ensure that every grant chosen aligns with your organizational priorities.
    • This blueprint will drive consensus on which grant applications should be prioritized by the organization, ensuring resourcing, feasibility, and significance are considered.

    Increase Grant Application Success Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should enhance your organization's grant application lifecycle and how you can increase the number of grants your organization is awarded. Review Info-Tech’s methodology and understand the four ways Info-Tech can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Identify Opportunities

    Identify grant funding opportunities that align with your organization's priorities. Ensure the programs, services, projects, and initiatives that align with these priorities can be financially supported by grant funding.

    • Increase Grant Application Success – Phase 1: Identify Opportunities
    • Grant Identification and Prioritization Tool for Organizations

    2. Grant Prioritization

    Prioritize applying for the grant opportunities that your organization identified. Be sure to consider the feasibility of implementing the project or initiative if your organization is awarded the grant.

    • Increase Grant Application Success – Phase 2: Grant Prioritization

    3. Write the Grant Application

    Write a competitive grant application that has been strategically developed and actively critiqued by various internal and external reviewers.

    • Increase Grant Application Success – Phase 3: Write the Grant Application
    • Grant Writing Checklist

    4. Submit the Grant Application

    Submit an exemplary grant application that meets the guidelines and expectations of the granting agency prior to the due date.

    • Increase Grant Application Success – Phase 4: Submit the Grant Application
    • Grant Follow-up Email Template

    Infographic

    Workshop: Increase Grant Application Success

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Determine Your Organization's Priorities

    The Purpose

    Determine the key priorities of your organization and identify grant funding opportunities that align with those priorities.

    Key Benefits Achieved

    Prevents duplicate grant applications from being submitted

    Ensures the grant and the organization's priorities are aligned

    Increases the success rate of grant applications

    Activities

    1.1 Discuss grant funding opportunities and their importance to the organization.

    1.2 Identify organizational priorities.

    Outputs

    An understanding of why grants are important to your organization

    A list of priorities being pursued by your organization

    2 Prioritize Grant Funding Opportunities

    The Purpose

    Identify potential grant funding opportunities that align with the projects/initiatives the organization would like to pursue. Prioritize these funding opportunities and identify which should take precedent based on resourcing, importance, likelihood of success, and feasibility.

    Key Benefits Achieved

    Generate a list of potential funding opportunities that can be revisited when resources allow

    Obtain consensus from your working group on which grants should be pursued based on how they have been prioritized

    Activities

    2.1 Develop a list of potential grant funding opportunities.

    2.2 Define the resource capacity your organization has to support the granting writing process.

    2.3 Discuss and prioritize grant opportunities

    Outputs

    A list of potential grant funding opportunities

    Realistic expectations of your organization's capacity to undertake the grant writing lifecycle

    Notes and priorities from your discussion on grant opportunities

    3 Sketch a Grant Application

    The Purpose

    Take the grant that was given top priority in the last section and sketch out a draft of what that application will look like. Think critically about the sketch and determine if there are opportunities to further clarify and demonstrate the goals of the grant application.

    Key Benefits Achieved

    A sketch ready to be developed into a grant application

    A critique of the sketch to ensure that the application will be well understood by the reviewers of your submission

    Activities

    3.1 Sketch the grant application.

    3.2 Perform a SWOT analysis of the grant sketch.

    Outputs

    A sketched version of the grant application ready to be drafted

    A SWOT analysis that critically examines the sketch and offers opportunities to enhance the application

    4 Prepare to Submit the Grant Application

    The Purpose

    Have the grant application actively critiqued by various internal and external individuals. This will increase the grant application's quality and generate understanding of the application submission and post-submission process.

    Key Benefits Achieved

    A list of individuals (internal and external) that can potentially review the application prior to submission

    Preparation for the submission process

    An understanding of why the opportunity to learn how to improve future grant applications is so important

    Activities

    4.1 Identify potential individuals who will review the draft of your grant application.

    4.2 Discuss next steps around the grant submission.

    4.3 Review grant writing best practices.

    Outputs

    A list of potential individuals who can be asked to review and critique the grant application

    An understanding of what the next steps in the process will be

    Knowledge of grant writing best practices

    Effectively Manage CxO Relations

    • Buy Link or Shortcode: {j2store}384|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Manage Business Relationships
    • Parent Category Link: /manage-business-relationships

    With the exponential pace of technological change, an organization's success will depend largely on how well CIOs can evolve from technology evangelists to strategic business partners. This will require CIOs to effectively broker relationships to improve IT's effectiveness and create business value. A confidential journal can help you stay committed to fostering productive relationships while building trust to expand your sphere of influence.

    Our Advice

    Critical Insight

    Highly effective executives have in common the ability to successfully balance three things: time, personal capabilities, and relationships. Whether you are a new CIO or an experienced leader, the relentless demands on your time and unpredictable shifts in the organization’s strategy require a personal game plan to deliver business value. Rather than managing stakeholders one IT project at a time, you need an action plan that is tailored for unique work styles.

    Impact and Result

    A personal relationship journal will help you:

    • Understand the context in which key stakeholders operate.
    • Identify the best communication approach to engage with different workstyles.
    • Stay committed to fostering relationships through difficult periods.

    Effectively Manage CxO Relations Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Effectively Manage CxO Relations Storyboard – A guide to creating a personal action plan to help effectively manage relationships across key stakeholders.

    Use this research to create a personal relationship journal in four steps:

    • Effectively Manage CxO Relations Storyboard

    2. Personal Relationship Management Journal Template – An exemplar to help you build your personal relationship journal.

    Use this exemplar to build a journal that is readily accessible, flexible, and easy to maintain.

    • Personal Relationship Management Journal Template

    Infographic

    Further reading

    Effectively Manage CxO Relations

    Make relationship management a daily habit with a personalized action plan.

    Analyst Perspective

    "Technology does not run an enterprise, relationships do." – Patricia Fripp

    As technology becomes increasingly important, an organization's success depends on the evolution of the modern CIO from a technology evangelist to a strategic business leader. The modern CIO will need to leverage their expansive partnerships to demonstrate the value of technology to the business while safeguarding their time and effort on activities that support their strategic priorities. CIOs struggling to transition risk obsolescence with the emergence of new C-suite roles like the Digital Transformation Officer, Chief Digital Officer, Chief Data Officer, and so on.

    CIOs will need to flex new social skills to accommodate diverse styles of work and better predict dynamic situations. This means expanding beyond their comfort level to acquire new social skills. Having a clear understanding of one's own work style (preferences, natural tendencies, motivations, and blind spots) is critical to identify effective communication and engagement tactics.

    Building trust is an art. Striking a balance between fulfilling your own goals and supporting others will require a carefully curated approach to navigate the myriad of personalities and work styles. A personal relationship journal will help you stay committed through these peaks and troughs to foster productive partnerships and expand your sphere of influence over the long term.

    Photo of Joanne Lee
    Joanne Lee
    Principal, Research Director, CIO Advisory
    Info-Tech Research Group

    Executive Summary

    Your Challenge

    In today's unpredictable markets and rapid pace of technological disruptions, CIOs need to create business value by effectively brokering relationships to improve IT's performance. Challenges they face:

    • Operate in silos to run the IT factory.
    • Lack insights into their stakeholders and the context in which they operate.
    • Competing priorities and limited time to spend on fostering relationships.
    • Relationship management programs are narrowly focused on associated change management in IT project delivery.

    Common Obstacles

    Limited span of influence.

    Mistaking formal roles in organizations for influence.

    Understanding what key individuals want and, more importantly, what they don't want.

    Lack of situational awareness to adapt communication styles to individual preferences and context.

    Leveraging different work styles to create a tangible action plan.

    Perceiving relationships as "one and done."

    Info-Tech's Approach

    A personal relationship journal will help you stay committed to fostering productive relationships while building trust to expand your sphere of influence.

    • Identify your key stakeholders.
    • Understand the context in which they operate to define a profile of their mandate, priorities, commitments, and situation.
    • Choose the most effective engagement and communication strategies for different work styles.
    • Create an action plan to monitor and measure your progress.

    Info-Tech Insight

    Highly effective executives have in common the ability to balance three things: time, personal capabilities, and relationships. Whether you are a new CIO or an experienced leader, the relentless demand on your time and unpredictable shifts in the organization's strategy will require a personal game plan to deliver business value. This will require more than managing stakeholders one IT project at a time: It requires an action plan that fosters relationships over the long term.

    Key Concepts

    Stakeholder Management
    A common term used in project management to describe the successful delivery of any project, program, or activity that is associated with organizational change management. The goal of stakeholder management is intricately tied to the goals of the project or activity with a finite end. Not the focus of this advisory research.

    Relationship Management
    A broad term used to describe the relationship between two parties (individuals and/or stakeholder groups) that exists to create connection, inclusion, and influence. The goals are typically associated with the individual's personal objectives and the nature of the interaction is seen as ongoing and long-term.

    Continuum of Commitment
    Info-Tech's framework that illustrates the different levels of commitment in a relationship. It spans from active resistance to those who are committed to actively supporting your personal priorities and objectives. This can be used to baseline where you are today and where you want the relationship to be in the future.

    Work Style
    A reference to an individual's natural tendencies and expectations that manifest itself in their communication, motivations, and leadership skills. This is not a behavior assessment nor a commentary on different personalities but observable behaviors that can indicate different ways people communicate, interact, and lead.

    Glossary
    CDxO: Chief Digital Officer
    CDO: Chief Data Officer
    CxO: C-Suite Executives

    The C-suite is getting crowded, and CIOs need to foster relationships to remain relevant

    The span of influence and authority for CIOs is diminishing with the emergence of Chief Digital Officers and Chief Data Officers.

    63% of CDxOs report directly to the CEO ("Rise of the Chief Digital Officer," CIO.com)

    44% of organizations with a dedicated CDxO in place have a clear digital strategy versus 22% of those without a CDxO (KPMG/Harvey Nash CIO Survey)

    The "good news": CIOs tend to have a longer tenure than CDxOs.

    A diagram that shows the average tenure of C-Suites in years.
    Source: "Age and Tenure of C-Suites," Korn Ferry

    The "bad news": The c-suite is getting overcrowded with other roles like Chief Data Officer.

    A diagram that shows the number of CDOs hired from 2017 to 2021.
    Source: "Chief Data Officer Study," PwC, 2022

    An image of 7 lies technology executives tell ourselves.

    Info-Tech Insight

    The digital evolution has created the emergence of new roles like the Chief Digital Officer and Chief Data Officer. They are a response to bridge the skill gap that exists between the business and technology. CIOs need to focus on building effective partnerships to better communicate the business value generated by technology or they risk becoming obsolete.

    Create a relationship journal to effectively manage your stakeholders

    A diagram of relationship journal

    Info-Tech's approach

    From managing relationships with friends to key business partners, your success will come from having the right game plan. Productive relationships are more than managing stakeholders to support IT initiatives. You need to effectively influence those who have the potential to champion or derail your strategic priorities. Understanding differences in work styles is fundamental to adapting your communication approach to various personalities and situations.

    A diagram that shows from 1.1 to 4.1

    A diagram of business archetypes

    Summary of Insights

    Insight 1: Expand your sphere of influence
    It's not just about gaining a volume of acquaintances. Figure out where you want to spend your limited time, energy, and effort to develop a network of professional allies who will support and help you achieve your strategic priorities.

    Insight 2: Know thyself first and foremost
    Healthy relationships start with understanding your own working style, preferences, and underlying motivations that drive your behavior and ultimately your expectations of others. A win/win scenario emerges when both parties' needs for inclusion, influence, and connection are met or mutually conceded.

    Insight 3: Walk a mile in their shoes
    If you want to build successful partnerships, you need to understand the context in which your stakeholder operates: their motivations, desires, priorities, commitments, and challenges. This will help you adapt as their needs shift and, moreover, leverage empathy to identify the best tactics for different working styles.

    Insight 4: Nurturing relationships is a daily commitment
    Building, fostering, and maintaining professional relationships requires a daily commitment to a plan to get through tough times, competing priorities, and conflicts to build trust, respect, and a shared sense of purpose.

    Related Info-Tech Research

    Supplement your CIO journey with these related blueprints.

    Photo of First 100 Days as CIO

    First 100 Days as CIO

    Photo of Become a Strategic CIO

    Become a Strategic CIO

    Photo of Improve IT Team Effectiveness

    Improve IT Team Effectiveness

    Photo of Become a Transformational CIO

    Become a Transformational CIO

    Executive Brief Case Study

    Logo of Multicap Limited

    • Industry: Community Services
    • Source: Scott Lawry, Head of Digital

    Conversation From Down Under

    What are the hallmarks of a healthy relationship with your key stakeholders?
    "In my view, I work with partners like they are an extension of my team, as we rely on each other to achieve mutual success. Partnerships involve a deeper, more intimate relationship, where both parties are invested in the long-term success of the business."

    Why is it important to understand your stakeholder's situation?
    "It's crucial to remember that every IT project is a business project, and vice versa. As technology leaders, our role is to demystify technology by focusing on its business value. Empathy is a critical trait in this endeavor, as it allows us to see a stakeholder's situation from a business perspective, align better with the business vision and goals, and ultimately connect with people, rather than just technology."

    How do you stay committed during tough times?
    "I strive to leave emotions at the door and avoid taking a defensive stance. It's important to remain neutral and not personalize the issue. Instead, stay focused on the bigger picture and goals, and try to find a common purpose. To build credibility, it's also essential to fact-check assumptions regularly. By following these principles, I approach situations with a clear mind and better perspective, which ultimately helps achieve success."

    Photo of Scott Lawry, Head Of Digital at Multicap Limited

    Key Takeaways

    In a recent conversation with a business executive about the evolving role of CIOs, she expressed: "It's the worst time to be perceived as a technology evangelist and even worse to be perceived as an average CIO who can't communicate the business value of technology."

    This highlights the immense pressure many CIOs face when evolving beyond just managing the IT factory.

    The modern CIO is a business leader who can forge relationships and expand their influence to transform IT into a core driver of business value.

    Stakeholder Sentiment

    Identify key stakeholders and their perception of IT's effectiveness

    1.1 Identify Key Stakeholders

    A diagram of Identify Key Stakeholders

    Identify and prioritize your key stakeholders. Be diligent with stakeholder identification. Use a broad view to identify stakeholders who are known versus those who are "hidden." If stakeholders are missed, then so are opportunities to expand your sphere of influence.

    1.2 Understand Stakeholder's Perception of IT

    A diagram that shows Info-Tech's Diagnostic Reports and Hospital Authority XYZ

    Assess stakeholder sentiments from Info-Tech's diagnostic reports and/or your organization's satisfaction surveys to help identify individuals who may have the greatest influence to support or detract IT's performance and those who are passive observers that can become your greatest allies. Determine where best to focus your limited time amid competing priorities by focusing on the long-term goals that support the organization's vision.

    Info-Tech Insight

    Understand which individuals can directly or indirectly influence your ability to achieve your priorities. Look inside and out, as you may find influencers beyond the obvious peers or executives in an organization. Influence can result from expansive connections, power of persuasion, and trust to get things done.

    Visit Info-Tech's Diagnostic Programs

    Activity: Identify and Prioritize Stakeholders

    30-60 minutes

    1.1 Identify Key Stakeholders

    Start with the key stakeholders that are known to you. Take a 360-degree view of both internal and external connections. Leverage external professional & network platforms (e.g. LinkedIn), alumni connections, professional associations, forums, and others that can help flush out hidden stakeholders.

    1.2 Prioritize Key Stakeholders

    Use stakeholder satisfaction surveys like Info-Tech's Business Vision diagnostic as a starting point to identify those who are your allies and those who have the potential to derail IT's success, your professional brand, and your strategic priorities. Review the results of the diagnostic reports to flush out those who are:

    • Resisters: Vocal about their dissatisfaction with IT's performance and actively sabotage or disrupt
    • Skeptics: Disengaged, passive observers
    • Ambassadors: Aligned but don't proactively support
    • Champions: Actively engaged and will proactively support your success

    Consider the following:

    • Influencers may not have formal authority within an organization but have relationships with your stakeholders.
    • Influencers may be hiding in many places, like the coach of your daughter's soccer team who rows with your CEO.
    • Prioritize, i.e. three degrees of separation due to potential diverse reach of influence.

    Key Output: Create a tab for your most critical stakeholders.

    A diagram that shows profile tabs

    Download the Personal Relationship Management Journal Template.

    Understand stakeholders' business

    Create a stakeholder profile to understand the context in which stakeholders operate.

    2.1 Create individual profile for each stakeholder

    A diagram that shows different stakeholder questions

    Collect and analyze key information to understand the context in which your stakeholders operate. Use the information to derive insights about their mandate, accountabilities, strategic goals, investment priorities, and performance metrics and challenges they may be facing.

    Stakeholder profiles can be used to help design the best approach for personal interactions with individuals as their business context changes.

    If you are short on time, use this checklist to gather information:

    • Stakeholder's business unit (BU) strategy goals
    • High-level organizational chart
    • BU operational model or capability map
    • Key performance metrics
    • Projects underway and planned
    • Financial budget (if available)
    • Milestone dates for key commitments and events
    • External platforms like LinkedIn, Facebook, Twitter, Slack, Instagram, Meetup, blogs

    Info-Tech Insight

    Understanding what stakeholders want (and more importantly, what they don't) requires knowing their business and the personal and social circumstances underlying their priorities and behaviors.

    Activity: Create a stakeholder profile

    30-60 minutes

    2.1.0 Understand stakeholder's business context

    Create a profile for each of your priority stakeholders to document their business context. Review all the information collected to understand their mandate, core accountability, and business capabilities. The context in which individuals operate is a window into the motivations, pressures, and vested interests that will influence the intersectionality between their expectations and yours.

    2.1.1 Document Observable Challenges as Private Notes

    Crushing demands and competing priorities can lead to tension and stress as people jockey to safeguard their time. Identify some observable challenges to create greater situational awareness. Possible underlying factors:

    • Sudden shifts/changes in mandate
    • Performance (operations, projects)
    • Finance
    • Resource and talent gaps
    • Politics
    • Personal circumstances
    • Capability gaps/limitations
    • Capacity challenges

    A diagram that shows considerations of this activity.

    Analyze Stakeholder's Work Style

    Adapt communication styles to the situational context in which your stakeholders operate

    2.2 Determine the ideal approach for engaging each stakeholder

    Each stakeholder has a preferred modality of working which is further influenced by dynamic situations. Some prefer to meet frequently to collaborate on solutions while others prefer to analyze data in solitude before presenting information to substantiate recommendations. However, fostering trust requires:

    1. Understanding your preferred default when engaging others.
    2. Knowing where you need to expand your skills.
    3. Identifying which skills to activate for different professional scenarios.

    Adapting your communication style to create productive interactions will require a diverse arsenal of interpersonal skills that you can draw upon as situations shift. The ability to adapt your work style to dial any specific trait up or down will help to increase your powers of persuasion and influence.

    "There are only two ways to influence human behavior: you can manipulate it, or you can inspire it." – Simon Sinek

    Activity: Identify Engagement Strategies

    30 minutes

    2.2.0 Establish work styles

    Every individual has a preferred style of working. Determine work styles starting with self-awareness:

    • Express myself - How you communicate and interact with others
    • Expression by others - How you want others to communicate and interact with you

    Through observation and situational awareness, we can make inferences about people's work style.

    • Observations - Observable traits of other people's work style
    • Situations - Personal and professional circumstances that influence how we communicate and interact with one another

    Where appropriate and when opportunities arise, ask individuals directly about their preferred work styles and method for communication. What is their preferred method of communication? During a normal course of interaction vs. for urgent priorities?

    2.2.1 Brainstorm possible engagement strategies

    Consider the following when brainstorming engagement strategies for different work styles.

    A table of involvement, influence, and connection.

    Think engagement strategies in different professional scenarios:

    • Meetings - Where and how you connect
    • Communicating - How and what you communicate to create connection
    • Collaborating - What degree of involved in shared activities
    • Persuading - How you influence or direct others to get things done

    Expand New Interpersonal Skills

    Use the Business Archetypes to brainstorm possible approaches for engaging with different work styles. Additional communication and engagement tactics may need to be considered based on circumstances and changing situations.

    A diagram that shows business archetypes and engagement strategies.

    Communicate Effectively

    Productive communication is a dialogue that requires active listening, tailoring messages to fluid situations, and seeking feedback to adapt.

    A diagram of elements that contributes to better align intention and impact

    Be Relevant

    • Understand why you need to communicate
    • Determine what you need to convey
    • Tailor your message to what matters to the audience and their context
    • Identify the most appropriate medium based on the situation

    Be Consistent and Accurate

    • Say what you mean and mean what you say to avoid duplicity
    • Information should be accurate and complete
    • Communicate truthfully; do not make false promises or hide bad news
    • Don't gossip

    Be Clear and Concise

    • Keep it simple and avoid excessive jargon
    • State asks upfront to set intention and transparency
    • Avoid ambiguity and focus on outcomes over details
    • Be brief and to the point or risk losing stakeholder's attention

    Be Attentive and Authentic

    • Stay engaged and listen actively
    • Be curious and inquire for clarification or explanation
    • Be flexible to adapt to both verbal and non-verbal cues
    • Be authentic in your approach to sharing yourself
    • Avoid "canned" approaches

    A diagram of listen, observe, reflect.


    "Good communication is the bridge between confusion and clarity."– Nat Turner (LinkedIn, 2020)

    Exemplar: Engaging With Jane

    A diagram that shows Exemplar: Engaging With Jane

    Exemplar: Engaging With Ali

    A diagram that shows Exemplar: Engaging With Ali

    Develop an Action Plan

    Moving from intent to action requires a plan to ensure you stay committed through the peaks and troughs.

    Create Your 120-Day Plan

    An action plan example

    Key elements of the action plan:

    • Strategic priorities – Your top focus
    • Objective – Your goals
    • 30-60-90-120 Day Topics – Key agenda items
    • Meeting Progress Notes – Key takeaways from meetings
    • Private Notes – Confidential observations

    Investing in relationships is a long-term process. You need to accumulate enough trust to trade or establish coalitions to expand your sphere of influence. Even the strongest of professional ties will have their bouts of discord. To remain committed to building the relationship during difficult periods, use an action plan that helps you stay grounded around:

    • Shared purpose
    • Removing emotion from the situation
    • Continuously learning from every interaction

    Photo of Angela Diop
    "Make intentional actions to set intentionality. Plans are good to keep you grounded and focused especially when relationship go through ups and down and there are changes: to new people and new relationships."
    – Angela Diop, Senior Director, Executive Services, Info-Tech & former VP of Information Services with Unity Health Care

    Activity: Design a Tailored Action Plan

    30-60 minutes

    3.1.0 Determine your personal expectations

    Establish your personal goals and expectations around what you are seeking from the relationship. Determine the strength of your current connection and identify where you want to move the relationship across the continuum of commitment.

    Use insights from your stakeholder's profile to explore their span of influence and degree of interest in supporting your strategic priorities.

    3.1.1 Determine what you want from the relationship

    Based on your personal goals, identify where you want to move the relationship across the continuum of commitment: What are you hoping to achieve from the relationship? How will this help create a win/win situation for both you and the key stakeholder?

    A diagram of Continuum of Commitment.

    3.1.2 Identify your metrics for progress

    Fostering relationships take time and commitment. Utilizing metrics or personal success criteria for each of your focus areas will help you stay on track and find opportunities to make each engagement valuable instead of being transactional.

    A graph that shows influence vs interest.

    Make your action plan impactful

    Level of Connection

    The strength of the relationship will help inform the level of time and effort needed to achieve your goals.

    • Is this a new or existing relationship?
    • How often do you connect with this individual?
    • Are the connections driven by a shared purpose or transactional as needs arise?

    Focus on Relational Value

    Cultivate your network and relationship with the goal of building emotional connection, understanding, and trust around your shared purpose and organization's vision through regular dialogue. Be mindful of transactional exchanges ("quid pro quo") to be strategic about its use. Treat every interaction as equally important regardless of agenda, duration, or channel of communication.

    Plan and Prepare

    Everyone's time is valuable, and you need to come prepared with a clear understanding of why you are engaging. Think about the intentionality of the conversation:

    • Gain buy-in
    • Create transparency
    • Specific ask
    • Build trust and respect
    • Provide information to clarify, clear, or contain a situation

    Non-Verbal Communication Matters

    Communication is built on both overt expressions and subtext. While verbal communication is the most recognizable form, non-lexical components of verbal communication (i.e. paralanguage) can alter stated vs. intended meaning. Engage with the following in mind:

    • Tone, pitch, speed, and hesitation
    • Facial expressions and gestures
    • Choice of channel for engagement

    Exemplar: Action Plan for VP, Digital

    A diagram that shows Exemplar: Action Plan for VP, Digital

    Make Relationship Management a Daily Habit

    Management plans are living documents and need to be flexible to adapt to changes in stakeholder context.

    Monitor and Adjust to Communicate Strategically

    A diagram that shows Principles for Effective Communication and Key Measures

    Building trust takes time and commitment. Treat every conversation with your key stakeholders as an investment in building the social capital to expand your span of influence when and where you need it to go. This requires making relationship management a daily habit. Action plans need to be a living document that is your personal journal to document your observations, feelings, and actions. Such a plan enables you to make constant adjustments along the relationship journey.

    "Without involvement, there is no commitment. Mark it down, asterisk it, circle it, underline it."– Stephen Convey (LinkedIn, 2016)

    Capture some simple metrics

    If you can't measure your actions, you can't manage the relationship.

    An example of measures: what, why, how - metrics, and intended outcome.

    While a personal relationship journal is not a formal performance management tool, identifying some tangible measures will improve the likelihood of aligning your intent with outcomes. Good measures will help you focus your efforts, time, and resources appropriately.

    Keep the following in mind:

    1. WHAT are you trying to measure?
      Specific to the situation or scenario
    2. WHY is this important?
      Relevant to your personal goals
    3. HOW will you measure?
      Achievable and quantifiable
    4. WHAT will the results tell you?
      Intended outcome that is directional

    Summary of accomplishments

    Knowledge Gained

    • Relationship management is critical to a CIO's success
    • A personal relationship journal will help build:
      • Customized approach to engaging stakeholders
      • New communication skills to adapt to different work styles

    New Concepts

    • Work style assessment framework and engagement strategies
    • Effective communication strategies
    • Continuum of commitment to establish personal goals

    Approach to Creating a Personal Journal

    • Step-by-step approach to create a personal journal
    • Key elements for inclusion in a journal
    • Exemplar and recommendations

    Related Info-Tech Research

    Photo of Tech Trends and Priorities Research Centre

    Tech Trends and Priorities Research Centre

    Access Info-Tech's Tech Trend reports and research center to learn about current industry trends, shifts in markets, and disruptions that are impacting your industry and sector. This is a great starting place to gain insights into how the ecosystem is changing your business and the role of IT within it.

    Photo of Embed Business Relationship Management in IT

    Embed Business Relationship Management in IT

    Create a business relationship management (BRM) function in your program to foster a more effective partnership with the business and drive IT's value to the organization.

    Photo of Become a Transformational CIO

    Become a Transformational CIO

    Collaborate with the business to lead transformation and leave behind a legacy of growth.

    Appendix: Framework

    Content:

    • Adaptation of DiSC profile assessment
    • DiSC Profile Assessment
    • FIRO-B Framework
    • Experience Cube

    Info-Tech's Adaption of DiSC Assessment

    A diagram of business archetypes

    Info-Tech's Business Archetypes was created based on our analysis of the DiSC Profile and Myers-Briggs FIRO-B personality assessment tools that are focused on assessing interpersonal traits to better understand personalities.

    The adaptation is due in part to Info-Tech's focus on not designing a personality assessment tool as this is neither the intent nor the expertise of our services. Instead, the primary purpose of this adaptation is to create a simple framework for our members to base their observations of behavioral cues to identify appropriate communication styles to better interact with key stakeholders.

    Cautionary note:
    Business archetypes are personas and should not be used to label, make assumptions and/or any other biased judgements about individual personalities. Every individual has all elements and aspects of traits across various spectrums. This must always remain at the forefront when utilizing any type of personality assessments or frameworks.

    Click here to learn about DiSC Profile
    Click here learn about FIRO-B
    Click here learn about Experience Cube

    DiSC Profile Assessment

    A photo of DiSC Profile Assessment

    What is DiSC?

    DisC® is a personal assessment tool that was originally developed in 1928 by psychologist William Moulton Marston, who designed it to predict job performance. The tool has evolved and is now widely used by thousands of organizations around the world, from large government agencies and Fortune 500 companies to nonprofit and small businesses, to help improve teamwork, communication, and productivity in the workplace. The tool provides a common language people can use to better understand themselves and those they interact with - and use this knowledge to reduce conflict and improve working relationships.

    What does DiSC mean?

    DiSC is an acronym that stands for the four main personality profiles described in the Everything DiSC model: (D)ominance, (i)nfluence, (S)teadiness, (C)onscientiousness

    People with (D) personalities tend to be confident and emphasize accomplishing bottom-line results.
    People with (i) personalities tend to be more open and emphasize relationships and influencing or persuading others.
    People with (S) personalities tend to be dependable and emphasize cooperation and sincerity.
    People with (C) personalities tend to emphasize quality, accuracy, expertise, and competency.

    Go to this link to explore the DiSC styles

    FIRO-B® – Interpersonal Assessment

    A diagram of FIRO framework

    What is FIRO workplace relations?

    The Fundamental Interpersonal Relations Orientation Behavior (FIRO-B®) tool has been around for forty years. The tool assesses your interpersonal needs and the impact of your behavior in the workplace. The framework reveals how individuals can shape and adapt their individual behaviors, influence others effectively, and build trust among colleagues. It has been an excellent resource for coaching individuals and teams about the underlying drivers behind their interactions with others to effectively build successful working relationships.

    What does the FIRO framework measure?

    The FIRO framework addresses five key questions that revolve around three interpersonal needs. Fundamentally, the framework focuses on how you want to express yourself toward others and how you want others to behave toward you. This interaction will ultimately result in the universal needs for (a) inclusion, (b) control, and (c) affection. The insights from the results are intended to help individuals adjust their behavior in relationships to get what they need while also building trust with others. This will allow you to better predict and adapt to different situations in the workplace.

    How can FIRO influence individual and team performance in the workplace?

    FIRO helps people recognize where they may be giving out mixed messages and prompts them to adapt their exhibited behaviors to build trust in their relationships. It also reveals ways of improving relationships by showing individuals how they are seen by others, and how this external view may differ from how they see themselves. Using this lens empowers people to adjust their behavior, enabling them to effectively influence others to achieve high performance.

    In team settings, it is a rich source of information to explore motivations, underlying tensions, inconsistent behaviors, and the mixed messages that can lead to mistrust and derailment. It demonstrates how people may approach teamwork differently and explains the potential for inefficiencies and delays in delivery. Through the concept of behavioral flexibility, it helps defuse cultural stereotypes and streamline cross-cultural teams within organizations.

    Go to this link to explore FIRO-B for Business

    Experience Cube

    A diagram of experience cube model.

    What is an experience cube?

    The Experience Cube model was developed by Gervase Bushe, a professor of Leadership and Organization at the Simon Fraser University's school of Business and a thought leader in the field of organizational behavior. The experience cube is intended as a tool to plan and manage conversations to communicate more effectively in the moment. It does this by promoting self-awareness to better reduce anxiety and adapt to evolving and uncertain situations.

    How does the experience cube work?

    Using the four elements of the experience cube (Observations, Thoughts, Feelings, and Wants) helps you to separate your experience with the situation from your potential judgements about the situation. This approach removes blame and minimizes defensiveness, facilitating a positive discussion. The goal is to engage in a continuous internal feedback loop that allows you to walk through all four quadrants in the moment to help promote self-awareness. With heightened self-awareness, you may (1) remain curious and ask questions, (2) check-in for understanding and clarification, and (3) build consensus through agreement on shared purpose and next steps.

    Observations: Sensory data (information you take in through your senses), primarily what you see and hear. What a video camera would record.

    Thoughts: The meaning you add to your observations (i.e. the way you make sense of them, including your beliefs, expectations, assumptions, judgments, values, and principles). We call this the "story you make up."

    Feelings: Your emotional or physiological response to the thoughts and observations. Feelings words such as sad, mad, glad, scared, or a description of what is happening in your body.

    Wants: Clear description of the outcome you seek. Wants go deeper than a simple request for action. Once you clearly state what you want, there may be different ways to achieve it.

    Go to this link to explore more: Experience Cube

    Research Contributors and Experts

    Photo of Joanne Lee
    Joanne Lee
    Principal, Research Director, CIO Advisory
    Info-Tech Research Group

    Joanne is a professional executive with over twenty-five years of experience in digital technology and management consulting spanning healthcare, government, municipal, and commercial sectors across Canada and globally. She has successfully led several large, complex digital and business transformation programs. A consummate strategist, her expertise spans digital and technology strategy, organizational redesign, large complex digital and business transformation, governance, process redesign, and PPM. Prior to joining Info-Tech Research Group, Joanne was a Director with KPMG's CIO Advisory management consulting services and the Digital Health practice lead for Western Canada. She brings a practical and evidence-based approach to complex problems enabled by technology.

    Joanne holds a Master's degree in Business and Health Policy from the University of Toronto and a Bachelor of Science (Nursing) from the University of British Columbia.



    Photo of Gord Harrison
    Gord Harrison
    Senior Vice President, Research and Advisory
    Info-Tech Research Group

    Gord Harrison, SVP, Research and Consulting, has been with Info-Tech Research Group since 2002. In that time, Gord leveraged his experience as the company's CIO, VP Research Operations, and SVP Research to bring the consulting and research teams together under his current role, and to further develop Info-Tech's practical, tactical, and value-oriented research product to the benefit of both organizations.

    Prior to Info-Tech, Gord was an IT consultant for many years with a focus on business analysis, software development, technical architecture, and project management. His background of educational game software development, and later, insurance industry application development gave him a well-rounded foundation in many IT topics. Gord prides himself on bringing order out of chaos and his customer-first, early value agile philosophy keeps him focused on delivering exceptional experiences to our customers.



    Photo of Angela Diop
    Angela Diop
    Senior Director, Executive Services
    Info-Tech Research Group

    Angela has over twenty-five years of experience in healthcare, as both a healthcare provider and IT professional. She has spent over fifteen years leading technology departments and implementing, integrating, managing, and optimizing patient-facing and clinical information systems. She believes that a key to a healthcare organization's ability to optimize health information systems and infrastructure is to break the silos that exist in healthcare organizations.

    Prior to joining Info-Tech, Angela was the Vice President of Information Services with Unity Health Care. She has demonstrated leadership and success in this area by fostering environments where business and IT collaborate to create systems and governance that are critical to providing patient care and sustaining organizational health.

    Angela has a Bachelor of Science in Systems Engineering and Design from the University of Illinois and a Doctorate of Naturopathic Medicine from Bastyr University. She is a Certified CIO with the College of Healthcare Information Management Executives. She is a two-time Health Information Systems Society (HIMSS) Davies winner.



    Photo of Edison Barreto
    Edison Barreto
    Senior Director, Executive Services
    Info-Tech Research Group

    Edison is a dynamic technology leader with experience growing different enterprises and changing IT through creating fast-paced organizations with cultural, modernization, and digital transformation initiatives. He is well versed in creating IT and business cross-functional leadership teams to align business goals with IT modernization and revenue growth. Over twenty-five years of Gaming, Hospitality, Retail, and F&B experience has given him a unique perspective on guiding and coaching the creation of IT department roadmaps to focus on business needs and execute successful changes.

    Edison has broad business sector experience, including:
    Hospitality, Gaming, Sports and Entertainment, IT policy and oversight, IT modernization, Cloud first programs, R&D, PCI, GRDP, Regulatory oversight, Mergers acquisitions and divestitures.



    Photo of Mike Tweedie
    Mike Tweedie
    Practice Lead, CIO Strategy
    Info-Tech Research Group

    Michael Tweedie is the Practice Lead, CIO – IT Strategy at Info-Tech Research Group, specializing in creating and delivering client-driven, project-based, practical research, and advisory. He brings more than twenty-five years of experience in technology and IT services as well as success in large enterprise digital transformations.

    Prior to joining Info-Tech, Mike was responsible for technology at ADP Canada. In that role, Mike led several large transformation projects that covered core infrastructure, applications, and services and worked closely with and aligned vendors and partners. The results were seamless and transparent migrations to current services, like public cloud, and a completely revamped end-user landscape that allowed for and supported a fully remote workforce.

    Prior to ADP, Mike was the North American Head of Engineering and Service Offerings for a large French IT services firm, with a focus on cloud adoption and complex ERP deployment and management; he managed large, diverse global teams and had responsibilities for end-to-end P&L management.

    Mike holds a Bachelor's degree in Architecture from Ryerson University.



    Photo of Carlene McCubbin
    Carlene McCubbin
    Practice Lead, People and Leadership
    Info-Tech Research Group

    Carlene McCubbin is a Research Lead for the CIO Advisory Practice at Info-Tech Research Group covering key topics in operating models & design, governance, and human capital development.

    During her tenure at Info-Tech, Carlene has led the development of Info-Tech's Organization and Leadership practice and worked with multiple clients to leverage the methodologies by creating custom programs to fit each organization's needs.

    Before joining Info-Tech, Carlene received her Master of Communications Management from McGill University, where she studied development of internal and external communications, government relations, and change management. Her education honed her abilities in rigorous research, data analysis, writing, and understanding the organization holistically, which has served her well in the business IT world.



    Photo of Anubhav Sharma
    Anubhav Sharma
    Research Director, CIO Strategy
    Info-Tech Research Group

    Anubhav is a digital strategy and execution professional with extensive experience in leading large-scale transformation mandates for organizations both in North America and globally, including defining digital strategies for leading banks and spearheading a large-scale transformation project for a global logistics pioneer across ten countries. Prior to joining Info-Tech Research Group, he held several industry and consulting positions in Fortune 500 companies driving their business and technology strategies. In 2023, he was recognized as a "Top 50 Digital Innovator in Banking" by industry peers.

    Anubhav holds an MBA in Strategy from HEC Paris, a Master's degree in Finance from IIT-Delhi, and a Bachelor's degree in Engineering.



    Photo of Kim Osborne-Rodriguez
    Kim Osborne-Rodriguez
    Research Director, CIO Strategy
    Info-Tech Research Group

    Kim is a professional engineer and Registered Communications Distribution Designer (RCDD) with over a decade of experience in management and engineering consulting spanning healthcare, higher education, and commercial sectors. She has worked on some of the largest hospital construction projects in Canada, from early visioning and IT strategy through to design, specifications, and construction administration. She brings a practical and evidence-based approach to digital transformation, with a track record of supporting successful implementations.

    Kim holds a Bachelor's degree in Mechatronics Engineering from University of Waterloo.



    Photo of Amanda Mathieson
    Amanda Mathieson
    Research Director, People and Leadership
    Info-Tech Research Group

    Amanda joined Info-Tech Research Group in 2019 and brings twenty years of expertise working in Canada, the US, and globally. Her expertise in leadership development, organizational change management, and performance and talent management comes from her experience in various industries spanning pharmaceutical, retail insurance, and financial services. She takes a practical, experiential approach to people and leadership development that is grounded in adult learning methodologies and leadership theory. She is passionate about identifying and developing potential talent, as well as ensuring the success of leaders as they transition into more senior roles.

    Amanda has a Bachelor of Commerce degree and Master of Arts in Organization and Leadership Development from Fielding Graduate University, as well as a post-graduate diploma in Adult Learning Methodologies from St. Francis Xavier University. She also has certifications in Emotional Intelligence – EQ-i 2.0 & 360, Prosci ADKAR® Change Management, and Myers-Briggs Type Indicator Step I and II.

    Bibliography

    Bacey, Christopher. "KPMG/Harvey Nash CIO Survey finds most organizations lack enterprise-wide digital strategy." Harvey Nash/KPMG CIO Survey. Accessed Jan. 6, 2023. KPMG News Perspective - KPMG.us.com

    Calvert, Wu-Pong Susanna. "The Importance of Rapport. Five tips for creating conversational reciprocity." Psychology Today Magazine. June 30, 2022. Accessed Feb. 10, 2023. psychologytoday.com/blog

    Coaches Council. "14 Ways to Build More Meaningful Professional Relationships." Forbes Magazine. September 16, 2020. Accessed Feb. 20, 2023. forbes.com/forbescoachescouncil

    Council members. "How to Build Authentic Business Relationships." Forbes Magazine. June 15, 2021. Accessed Jan. 15, 2023. Forbes.com/business council

    Deloitte. "Chief Information Officer (CIO) Labs. Transform and advance the role of the CIO." The CIO program. Accessed Feb. 5, 2021.

    Dharsarathy, Anusha et al. "The CIO challenge: Modern business needs a new kind of tech leader." McKinsey and Company. January 27, 2020. Accessed Feb 2023. Mckinsey.com

    DiSC profile. "What is DiSC?" DiSC Profile Website. Accessed Feb. 5, 2023. discprofile.com

    FIRO Assessment. "Better working relationships". Myers Brigg Website. Resource document downloaded Feb. 10, 2023. myersbriggs.com/article

    Fripp, Patricia. "Frippicisms." Website. Accessed Feb. 25, 2023. fripp.com

    Grossman, Rhys. "The Rise of the Chief Digital Officer." Russell Reynolds Insights, January 1, 2012. Accessed Jan. 5, 2023. Rise of the Chief Digital Officer - russellreynolds.com

    Kambil, Ajit. "Influencing stakeholders: Persuade, trade, or compel." Deloitte Article. August 9, 2017. Accessed Feb. 19, 2023. www2.deloitte.com/insights

    Kambil, Ajit. "Navigating the C-suite: Managing Stakeholder Relationships." Deloitte Article. March 8, 2017. Accessed Feb. 19, 2023. www2.deloitte.com/insights

    Korn Ferry. "Age and tenure in the C-suite." Kornferry.com. Accessed Jan. 6, 2023. Korn Ferry Study Reveals Trends by Title and Industry

    Kumthekar, Uday. "Communication Channels in Project". Linkedin.com, 3 March 2020. Accessed April 27, 2023. Linkedin.com/Pulse/Communication Channels

    McWilliams, Allison. "Why You Need Effective Relationships at Work." Psychology Today Magazine. May 5, 2022. Accessed Feb. 11, 2023. psychologytoday.com/blog

    McKinsey & Company. "Why do most transformations fail? A conversation with Harry Robinson." Transformation Practice. July 2019. Accessed Jan. 10, 2023. Mckinsey.com

    Mind Tools Content Team. "Building Good Work Relationships." MindTools Article. Accessed Feb. 11, 2023. mindtools.com/building good work relationships

    Pratt, Mary. "Why the CIO-CFO relationship is key to digital success." TechTarget Magazine. November 11, 2021. Accessed Feb. 2023. Techtarget.com

    LaMountain, Dennis. "Quote of the Week: No Involvement, No Commitment". Linkedin.com, 3 April 2016. Accessed April 27, 2023. Linkedin.com/pulse/quote-week-involvement

    PwC Pulse Survey. "Managing Business Risks". PwC Library. 2022. Accessed Jan. 30, 2023. pwc.com/pulse-survey

    Rowell, Darin. "3 Traits of a Strong Professional Relationship." Harvard Business Review. August 8, 2019. Accessed Feb. 20, 2023. hbr.org/2019/Traits of a strong professional relationship

    Sinek, Simon. "The Optimism Company from Simon Sinek." Website. Image Source. Accessed, Feb. 21, 2023. simonsinek.com

    Sinek, Simon. "There are only two ways to influence human behavior: you can manipulate it or you can inspire it." Twitter. Dec 9, 2022. Accessed Feb. 20, 2023. twitter.com/simonsinek

    Whitbourne, Susan Krauss. "10 Ways to Measure the Health of Relationship." Psychology Today Magazine. Aug. 7, 2021. Accessed Jan. 30, 2023. psychologytoday.com/blog

    Considerations to Optimize Container Management

    • Buy Link or Shortcode: {j2store}499|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Data Center & Facilities Strategy
    • Parent Category Link: /data-center-and-facilities-strategy

    Do you experience challenges with the following:

    • Equipping IT operations processes to manage containers.
    • Choosing the right container technology.
    • Optimizing your infrastructure strategy for containers.

    Our Advice

    Critical Insight

    • Plan ahead to ensure your container strategy aligns with your infrastructure roadmap. Before deciding between bare metal and cloud, understand the different components of a container management solution and plan for current and future infrastructure services.
    • When selecting tools from multiple sources, it is important to understand what each tool should and should not meet. This holistic approach is necessary to avoid gaps and duplication of effort.

    Impact and Result

    Use the reference architecture to plan for the solution you need and want to deploy. Infrastructure planning and strategy optimizes the container image supply chain, uses your current infrastructure, and reduces costs for compute and image scan time.

    Considerations to Optimize Container Management Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Considerations to Optimize Container Management Deck – A document to guide you design your container strategy.

    A document that walks you through the components of a container management solution and helps align your business objectives with your current infrastructure services and plan for your future assets.

    • Considerations to Optimize Container Management Storyboard

    2. Container Reference Architecture – A best-of-breed template to help you build a clear, concise, and compelling strategy document for container management.

    Complete the reference architecture tool to strategize your container management.

    • Container Reference Architecture
    [infographic]

    Further reading

    Considerations to Optimize Container Management

    Design a custom reference architecture that meets your requirements.

    Analyst Perspective

    Containers have become popular as enterprises use DevOps to develop and deploy applications faster. Containers require managed services because the sheer number of containers can become too complex for IT teams to handle. Orchestration platforms like Kubernetes can be complex, requiring management to automatically deploy container-based applications to operating systems and public clouds. IT operations staff need container management skills and training.

    Installing and setting up container orchestration tools can be laborious and error-prone. IT organizations must first implement the right infrastructure setup for containers by having a solid understanding of the scope and scale of containerization projects and developer requirements. IT administrators also need to know how parts of the existing infrastructure connect and communicate to maintain these relationships in a containerized environment. Containers can run on bare metal servers, virtual machines in the cloud, or hybrid configurations, depending on your IT needs

    Nitin Mukesh, Senior Research Analyst, Infrastructure and Operations

    Nitin Mukesh
    Senior Research Analyst, Infrastructure and Operations
    Info-Tech Research Group

    Executive Summary

    Your Challenge Common Obstacles Info-Tech’s Approach

    The container software market is constantly evolving. Organizations must consider many factors to choose the right container management software for their specific needs and fit their future plans.

    It's important to consider your organization's current and future infrastructure strategy and how it fits with your container management strategy. The container management platform you choose should be compatible with the existing network infrastructure and storage capabilities available to your organization.

    		 IT operations staff have not been thinking the same way as developers who have now been using an agile approach for some time. Container image builds are highly automated and have several dependencies including scheduling, testing, and deployment that the IT staff is not trained for or lack the ability to create anything more than a simple image.

    Use the reference architecture to plan for the solution you need and want to deploy. Infrastructure planning and strategy optimizes the container image supply chain and reduces costs for compute and image scan time.

    Plan ahead to ensure your container strategy aligns with your infrastructure roadmap. Before deciding between bare metal and cloud, understand the different components of a container management solution and plan for current and future infrastructure services.

    Your challenge

    Choosing the right container technology: IT is a rapidly changing and evolving market, with startups and seasoned technology vendors maintaining momentum in everything from container platforms to repositories to orchestration tools. The rapid evolution of container platform components such as orchestration, storage, networking, and system services such as load balancing has made the entire stack a moving target.

    However, waiting for the industry to be standardized can be a recipe for paralysis, and waiting too long to decide on solutions and approaches can put a company's IT operations in catch-up mode.

    Keeping containers secure: Security breaches in containers are almost identical to operating system level breaches in virtual machines in terms of potential application and system vulnerabilities. It is important for any DevOps team working on container and orchestration architecture and management to fully understand the potential vulnerabilities of the platforms they are using.

    Optimize your infrastructure strategy for containers: One of the challenges enterprise IT operations management teams face when it comes to containers is the need to rethink the underlying infrastructure to accommodate the technology. While you may not want to embrace the public cloud for your critical applications just yet, IT operations managers will need an on-premises infrastructure so that applications can scale up and down the same way as they are containerized.

    Common ways organizations use containers

    A Separation of responsibilities
    Containerization provides a clear separation of responsibilities as developers can focus on application logic and dependencies, while IT operations teams can focus on deployment and management instead of application details such as specific software versions and configurations.

    B Workload portability
    Containers can run almost anywhere: physical servers or on-premise data centers on virtual machines or developer machines, as well as public clouds on Linux, Windows, or Mac operating systems, greatly easing development and deployment.

    “Lift and shift” existing applications into a modern cloud architecture. Some organizations even use containers to migrate existing applications to more modern environments. While this approach provides some of the basic benefits of operating system virtualization, it does not provide all the benefits of a modular, container-based application architecture.

    C Application isolation
    Containers virtualize CPU, memory, storage, and network resources at the operating system level, providing developers with a logically isolated view of the operating system from other applications.

    Source: TechTarget, 2021

    What are containers and why should I containerize?

    A container is a partially isolated environment in which an application or parts of an application can run. You can use a single container to run anything from small microservices or software processes to larger applications. Inside the container are all the necessary executable, library, and configuration files. Containers do not contain operating system images. This makes them lighter and more portable with much less overhead. Large application deployments can deploy multiple containers into one or more container clusters (CapitalOne, 2020).

    Containers have the following advantages:

    • Reduce overhead costs: Because containers do not contain operating system images, they require fewer system resources than traditional or hardware virtual machine environments.
    • Enhanced portability: Applications running in containers can be easily deployed on a variety of operating systems and hardware platforms.
    • More consistent operations: DevOps teams know that applications in containers run the same no matter where they are deployed.
    • Efficiency improvement: Containers allow you to deploy, patch, or scale applications faster.
    • Develop better applications: Containers support Agile and DevOps efforts to accelerate development and production cycles.

    Source: CapitalOne, 2020

    Container on the cloud or on-premise?

    On-premises containers Public cloud-based containers

    Advantages:

    • Full control over your container environment.
    • Increased flexibility in networking and storage configurations.
    • Use any version of your chosen tool or container platform.
    • No need to worry about potential compliance issues with data stored in containers.
    • Full control over the host operating system and environment.

    Disadvantages:

    • Lack of easy scalability. This can be especially problematic if you're using containers because you want to be more agile from a DevOps perspective.
    • No turnkey container deployment solution. You must set up and maintain every component of the container stack yourself.

    Advantages:

    • Easy setup and management through platforms such as Amazon Elastic Container Service or Azure Container Service. These products require significant Docker expertise to use but require less installation and configuration than on-premise installations.
    • Integrates with other cloud-based tools for tasks such as monitoring.
    • Running containers in the cloud improves scalability by allowing you to add compute and storage resources as needed.

    Disadvantages:

    • You should almost certainly run containers on virtual machines. That can be a good thing for many people; however, you miss out on some of the potential benefits of running containers on bare metal servers, which can be easily done.
    • You lose control. To build a container stack, you must use the orchestrator provided by your cloud host or underlying operating system.

    Info-Tech Insight
    Start-ups and small businesses that don't typically need to be closely connected to hardware can easily move (or start) to the cloud. Large (e.g. enterprise-class) companies and companies that need to manage and control local hardware resources are more likely to prefer an on-premises infrastructure. For enterprises, on-premises container deployments can serve as a bridge to full public cloud deployments or hybrid private/public deployments. The answer to the question of public cloud versus on premises depends on the specific needs of your business.

    Container management

    From container labeling that identifies workloads and ownership to effective reporting that meets the needs of different stakeholders across the organization, it is important that organizations establish an effective framework for container management.

    Four key considerations for your container management strategy:

    01 Container Image Supply Chain
    How containers are built

    02 Container Infrastructure and Orchestration
    Where and how containers run together

    03 Container Runtime Security and Policy Enforcement
    How to make sure your containers only do what you want them to do

    04 Container Observability
    Runtime metrics and debugging

    To effectively understand container management solutions, it is useful to define the various components that make up a container management strategy.

    1: Container image supply chain

    To run a workload as a container, it must first be packaged into a container image. The image supply chain includes all libraries or components that make up a containerized application. This includes CI/CD tools to test and package code into container images, application security testing tools to check for vulnerabilities and logic errors, registries and mirroring tools for hosting container images, and attribution mechanisms such as image signatures for validating images in registries.

    Important functions of the supply chain include the ability to:

    • Scan container images in registries for security issues and policy compliance.
    • Verify in-use image hashes have been scanned and authorized.
    • Mirror images from public registries to isolate yourself from outages in these services.
    • Attributing images to the team that created them.

    Source: Rancher, 2022

    Info-Tech Insight
    It is important to consider disaster recovery for your image registry. As mentioned above, it is wise to isolate yourself from registry disruptions. However, external registry mirroring is only one part of the equation. You also want to make sure you have a high availability plan for your internal registry as well as proper backup and recovery processes. A highly available, fault-tolerant container management platform is not just a runtime environment.

    2: Container infrastructure and orchestration

    Orchestration tools

    Once you have a container image to run, you need a location to run it. That means both the computer the container runs on and the software that schedules it to run. If you're working with a few containers, you can make manual decisions about where to run container images, what to run with container images, and how best to manage storage and network connectivity. However, at scale, these kinds of decisions should be left to orchestration tools like Kubernetes, Swarm, or Mesos. These platforms can receive workload execution requests, determine where to run based on resource requirements and constraints, and then actually launch that workload on its target. And if a workload fails or resources are low, it can be restarted or moved as needed.

    Source: DevOpsCube, 2022

    Storage

    Storage is another important consideration. This includes both the storage used by the operating system and the storage used by the container itself. First, you need to consider the type of storage you actually need. Can I outsource my storage concerns to a cloud provider using something like Amazon Relational Database Service instead? If not, do you really need block storage (e.g. disk) or can an external object store like AWS S3 meet your needs? If your external object storage service can meet your performance and durability requirements as well as your governance and compliance needs, you're in luck. You may not have to worry about managing the container's persistent storage. Many external storage services can be provisioned on demand, support discrete snapshots, and some even allow dynamic scaling on demand.

    Networking

    Network connectivity inside and outside the containerized environment is also very important. For example, Kubernetes supports a variety of container networking interfaces (CNIs), each providing different functionality. Questions to consider here are whether you can set traffic control policies (and the OSI layer), how to handle encryption between workloads and between workloads and external entities, and how to manage traffic import for containerized workloads. The impact of these decisions also plays a role on performance.

    Backups

    Backups are still an important task in containerized environments, but the backup target is changing slightly. An immutable, read-only container file system can be recreated very easily from the original container image and does not need to be backed up. Backups or snapshots on permanent storage should still be considered. If you are using a cloud provider, you should also consider fault domain and geo-recovery scenarios depending on the provider's capabilities. For example, if you're using AWS, you can use S3 replication to ensure that EBS snapshots can be restored in another region in case of a full region outage.

    3: Container runtime security and policy enforcement

    Ensuring that containers run in a place that meets the resource requirements and constraints set for them is necessary, but not sufficient. It is equally important that your container management solution performs continuous validation and ensures that your workloads comply with all security and other policy requirements of your organization. Runtime security and policy enforcement tools include a function for detecting vulnerabilities in running containers, handling detected vulnerabilities, ensuring that workloads are not running with unnecessary or unintended privileges, and ensuring that only other workloads that need to be allowed can connect.

    One of the great benefits of (well implemented) containerized software is reducing the attackable surface of the application. But it doesn't completely remove it. This means you need to think about how to observe running applications to minimize security risks. Scanning as part of the build pipeline is not enough. This is because an image without vulnerabilities at build time can become a vulnerable container because new flaws are discovered in its code or support libraries. Instead, some modern tools focus on detecting unusual behavior at the system call level. As these types of tools mature, they can make a real difference to your workload’s security because they rely on actual observed behavior rather than up-to-date signature files.

    4: Container observability

    What’s going on in there?

    Finally, if your container images are being run somewhere by orchestration tools and well managed by security and policy enforcement tools, you need to know what your containers are doing and how well they are doing it. Orchestration tools will likely have their own logs and metrics, as will networking layers, and security and compliance checking tools; there is a lot to understand in a containerized environment. Container observability covers logging and metrics collection for both your workloads and the tools that run them.

    One very important element of observability is the importance of externalizing logs and metrics in a containerized environment. Containers come and go, and in many cases the nodes running on them also come and go, so relying on local storage is not recommended.

    The importance of a container management strategy

    A container management platform typically consists of a variety of tools from multiple sources. Some container management software vendors or container management services attempt to address all four key components of effective container management. However, many organizations already have tools that provide at least some of the features they need and don't want to waste existing licenses or make significant changes to their entire infrastructure just to run containers.

    When choosing tools from multiple sources, it's important to understand what needs each tool meets and what it doesn't. This holistic approach is necessary to avoid gaps and duplication of effort.

    For example, scanning an image as part of the build pipeline and then rescanning the image while the container is running is a waste of CPU cycles in the runtime environment. Similarly, using orchestration tools and separate host-based agents to aggregate logs or metrics can waste CPU cycles as well as storage and network resources.

    Planning a container management strategy

    1 DIY, Managed Services, or Packaged Products
    Developer satisfaction is important, but it's also wise to consider the team running the container management software. Migrating from bare metal or virtual machine-based deployment methodologies to containers can involve a significant learning curve, so it's a good idea to choose a tool that will help smooth this curve.
    2 Kubernetes
    In the world of container management, Kubernetes is fast becoming the de facto standard for container orchestration and scheduling. Most of the products that address the other aspects of container management discussed in this post (image supply chain, runtime security and policy enforcement, observability) integrate easily with Kubernetes. Kubernetes is open-source software and using it is possible if your team has the technical skills and the desire to implement it themselves. However, that doesn't mean you should automatically opt to build yourself.
    3 Managed Kubernetes
    Kubernetes is difficult to implement well. As a result, many solution providers offer packaged products or managed services to facilitate Kubernetes adoption. All major cloud providers now offer Kubernetes services that reduce the operational burden on your teams. Organizations that have invested heavily in the ecosystem of a particular cloud provider may find this route suitable. Other organizations may be able to find a fully managed service that provides container images and lets the service provider worry about running the images which, depending on the cost and capacity of the organization, may be the best option.
    4 Third-Party Orchestration Products
    A third approach is packaged products from providers that can be installed on the infrastructure (cloud or otherwise). These products can offer several potential advantages over DIY or cloud provider offerings, such as access to additional configuration options or cluster components, enhanced functionality, implementation assistance and training, post-installation product support, and reduced risk of cloud provider lock-in.

    Source: Kubernetes, 2022; Rancher, 2022

    Infrastructure considerations

    It's important to describe your organization’s current and future infrastructure strategy and how it fits into your container management strategy. It’s all basic for now, but if you plan to move to a virtual machine or cloud provider next year, your container management solution should be able to adapt to your environment now and in the future. Similarly, if you’ve already chosen a public cloud, you may want to make sure that the tool you choose supports some of the cloud options, but full compatibility may not be an important feature.

    Infrastructure considerations extend beyond computing. Choosing a container management platform should be compatible with the existing network infrastructure and storage capacity available to your organization. If you have existing policy enforcement, monitoring, and alerting tools, the ideal solution should be able to take advantage of them. Moving to containers can be a game changer for developers and operations teams, so continuing to use existing tools to reduce complexity where possible can save time and money.

    Leverage the reference architecture to guide your container management strategy

    Questions for support transition

    Using the examples as a guide, complete the tool to strategize your container management

    Download the Reference Architecture

    Bibliography

    Mell, Emily. “What is container management and why is it important?” TechTarget, April 2021.
    https://www.techtarget.com/searchitoperations/definition/container-management-software#:~:text=A%20container%20management%20ecosystem%20automates,operator%20to%20keep%20up%20with

    Conrad, John. “What is Container Orchestration?” CapitalOne, 24 August 2020.
    https://www.capitalone.com/tech/cloud/what-is-container-orchestration/?v=1673357442624

    Kubernetes. “Cluster Networking.” Kubernetes, 2022.
    https://kubernetes.io/docs/concepts/cluster-administration/networking/

    Rancher. “Comparing Kubernetes CNI Providers: Flannel, Calico, Canal, and Weave.” Rancher, 2022.
    https://www.suse.com/c/rancher_blog/comparing-kubernetes-cni-providers-flannel-calico-canal-and-weave/

    Wilson, Bob. “16 Best Container Orchestration Tools and Services.” DevopsCube, 5 January 2022.
    https://devopscube.com/docker-container-clustering-tools/

    Develop a Targeted Flexible Work Program for IT

    • Buy Link or Shortcode: {j2store}542|cart{/j2store}
    • member rating overall impact: 9.0/10 Overall Impact
    • member rating average dollars saved: $18,909 Average $ Saved
    • member rating average days saved: 13 Average Days Saved
    • Parent Category Name: Attract & Select
    • Parent Category Link: /attract-and-select
    • Workplace flexibility continues to be top priority for IT employees. Organizations who fail to offer flexibility will have a difficult time attracting, recruiting, and retaining talent.
    • When the benefits of remote work are not available to everyone, this raises fairness and equity concerns.

    Our Advice

    Critical Insight

    IT excels at hybrid location work and is more effective as a business function when location flexibility is an option for its employees. But hybrid work is just a start. A comprehensive flex work program extends beyond flexible location, so organizations must understand the needs of unique employee groups to uncover the options that will attract and retain talent.

    Impact and Result

    • Uncover the needs of unique employee segments to shortlist flexible work options that employees want and will use.
    • Assess the feasibility of various flexible work options and select ones that meet employee needs and are feasible for the organization.
    • Equip leaders with the information and tools needed to implement and sustain a flexible work program.

    Develop a Targeted Flexible Work Program for IT Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Assess employee and organizational flexibility needs

    Identify prioritized employee segments, flexibility challenges, and the desired state to inform program goals.

    • Develop a Targeted Flexible Work Program for IT – Phases 1-3
    • Talent Metrics Library
    • Targeted Flexible Work Program Workbook
    • Fast-Track Hybrid Work Program Workbook

    2. Identify potential flex options and assess feasibility

    Review, shortlist, and assess the feasibility of common types of flexible work. Identify implementation issues and cultural barriers.

    • Flexible Work Focus Group Guide
    • Flexible Work Options Catalog

    3. Implement selected option(s)

    Equip managers and employees to adopt flexible work options while addressing implementation issues and cultural barriers and aligning HR programs.

    • Guide to Flexible Work for Managers and Employees
    • Flexible Work Time Policy
    • Flexible Work Time Off Policy
    • Flexible Work Location Policy

    Infographic

    Workshop: Develop a Targeted Flexible Work Program for IT

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Prepare to Assess Flex Work Feasibility

    The Purpose

    Gather information on organizational and employee flexibility needs.

    Key Benefits Achieved

    Understand the flexibility needs of the organization and its employees to inform a targeted flex work program.

    Activities

    1.1 Identify employee and organizational needs.

    1.2 Identify employee segments.

    1.3 Establish program goals and metrics.

    1.4 Shortlist flexible work options.

    Outputs

    Organizational context summary

    List of shortlisted flex work options

    2 Assess Flex Work Feasibility

    The Purpose

    Perform a data-driven feasibility analysis on shortlisted work options.

    Key Benefits Achieved

    A data-driven feasibility analysis ensures your flex work program meets its goals.

    Activities

    2.1 Conduct employee/manager focus groups to assess feasibility of flex work options.

    Outputs

    Summary of flex work options feasibility per employee segment

    3 Finalize Flex Work Options

    The Purpose

    Select the most impactful flex work options and create a plan for addressing implementation challenge

    Key Benefits Achieved

    A data-driven selection process ensures decisions and exceptions can be communicated with full transparency.

    Activities

    3.1 Finalize list of approved flex work options.

    3.2 Brainstorm solutions to implementation issues.

    3.3 Identify how to overcome cultural barriers.

    Outputs

    Final list of flex work options

    Implementation barriers and solutions summary

    4 Prepare for Implementation

    The Purpose

    Create supporting materials to ensure program implementation proceeds smoothly.

    Key Benefits Achieved

    Employee- and manager-facing guides and policies ensure the program is clearly documented and communicated.

    Activities

    4.1 Design employee and manager guide prototype.

    4.2 Align HR programs and policies to support flexible work.

    4.3 Create a communication plan.

    Outputs

    Employee and manager guide to flexible work

    Flex work roadmap and communication plan

    5 Next Steps and Wrap-Up

    The Purpose

    Put everything together and prepare to implement.

    Key Benefits Achieved

    Our analysts will support you in synthesizing the workshop’s efforts into a cohesive implementation strategy.

    Activities

    5.1 Complete in-progress deliverables from previous four days.

    5.2 Set up review time for workshop deliverables and to discuss next steps.

    Outputs

    Completed flexible work feasibility workbook

    Flexible work communication plan

    Further reading

    Develop a Targeted Flexible Work Program for IT

    Select flexible work options that balance organizational and employee needs to drive engagement and improve attraction and retention.

    Executive Summary

    Your Challenge

    • IT leaders continue to struggle with workplace flexibility, and it is a top priority for IT employees; as a result, organizations who fail to offer flexibility will have a difficult time attracting, recruiting, and retaining talent.
    • The benefits of remote work are not available to everyone, raising fairness and equity concerns for employees.

    Common Obstacles

    • A one-size-fits-all approach to selecting and implementing flexible work options fails to consider unique employee needs and will not reap the benefits of offering a flexible work program (e.g. higher engagement or enhanced employer brand).
    • Improper structure and implementation of flexible work programs exacerbates existing challenges (e.g. high turnover) or creates new ones.

    Info-Tech's Approach

    • Uncover the needs of unique employee segments to shortlist flexible work options that employees want and will use.
    • Assess the feasibility of various flexible work options and select ones that meet employee needs and are feasible for the organization.
    • Equip leaders with the information and tools needed to implement and sustain a flexible work program.

    Info-Tech Insight

    IT excels at hybrid location work and is more effective as a business function when location flexibility is an option for its employees. But hybrid work is just a start. A comprehensive flex work program extends beyond flexible location, so organizations must understand the needs of unique employee groups to uncover the options that will attract and retain talent.

    Flexible work arrangements are a requirement in today's world of work

    Flexible work continues to gain momentum…

    A 2022 LinkedIn report found that the following occurred between 2019 and 2021:

    +362%

    Increase in LinkedIn members sharing content with the term "flexible work."

    +83%

    Increase in job postings that mention "flexibility."
    (LinkedIn, 2022)

    In 2022, Into-Tech found that hybrid was the most commonly used location work model for IT across all industries.

    ("State of Hybrid Work in IT," Info-Tech Research Group, 2022)

    …and employees are demanding more flexibility

    90%

    of employees said they want schedule and location flexibility ("Global Employee Survey," EY, 2021).

    17%

    of resigning IT employees cited lack of flexible work options as a reason ("IT Talent Trends 2022," Info-Tech Research Group, 2022).

    71%

    of executives said they felt "pressure to change working models and adapt workplace policies to allow for greater flexibility" (LinkedIn, 2021).

    Therefore, organizations who fail to offer flexibility will be left behind

    Difficulty attracting and retaining talent

    98% of IT employees say flexible work options are important in choosing an employer ("IT Talent Trends 2022," Info-Tech Research Group, 2022).

    Worsening employee wellbeing and burnout

    Knowledge workers with minimal to no schedule flexibility are 2.2x more likely to experience work-related stress and are 1.4x more likely to suffer from burnout (Slack, 2022; N=10,818).

    Offering workplace flexibility benefits organizations and employees

    Higher performance

    IT departments that offer some degree of location flexibility are more effective at supporting the organization than those who do not.

    35% of service desk functions report improved service since implementing location flexibility.
    ("State of Hybrid Work in IT," Info-Tech Research Group, 2023).

    Enhanced employer brand

    Employees are 2.1x more likely to recommend their employer to others when they are satisfied with their organization's flexible work arrangements (LinkedIn, 2021).

    Improved attraction

    41% of IT departments cite an expanded hiring pool as a key benefit of hybrid work.

    Organizations that mention "flexibility" in their job postings have 35% more engagement with their posts (LinkedIn, 2022).

    Increased job satisfaction

    IT employees who have more control over their working arrangement experience a greater sense of contribution and trust in leadership ("State of Hybrid Work in IT," Info-Tech Research Group, 2023).

    Better work-life balance

    81% of employees say flexible work will positively impact their work-life balance (FlexJobs, 2021).

    Boosted inclusivity

    • Caregivers regardless of gender, supporting them in balancing responsibilities
    • Individuals with disabilities, enabling them to work from the comfort of their homes
    • Women who may have increased responsibilities
    • Women of color to mitigate the emotional tax experienced at work

    Info-Tech Insight

    Flexible work options are not a concession to lower productivity. Properly implemented, flex work enables employees to be more productive at reaching business goals.

    Despite the popularity of flexible work options, not all employees can participate

    IT organizations differ on how much flexibility different roles can have.

    IT employees were asked what percentage of IT roles were currently in a hybrid or remote work arrangement ("State of Hybrid Work in IT," Info-Tech Research Group, 2023).

    However, the benefits of remote work are not available to all, which raises fairness and equity concerns between remote and onsite employees.

    45%

    of employers said, "one of the biggest risks will be their ability to establish fairness and equity among employees when some jobs require a fixed schedule or location, creating a 'have and have not' dynamic based on roles" ("Businesses Suffering," EY, 2021).

    Offering schedule flexibility to employees who need to be fully onsite can be used to close the fairness and equity gap.

    When offered the choice, 54% of employees said they would choose schedule flexibility over location flexibility ("Global Employee Survey," EY, 2021).

    When employees were asked "What choice would you want your employer to provide related to when you have to work?" The top three choices were:

    68%

    Flexibility on when to start and finish work

    38%

    Compressed or four-day work weeks

    33%

    Fixed hours (e.g. 9am to 5pm)

    Disclaimer: "Percentages do not sum to 100%, as each respondent could choose up to three of the [five options provided]" ("Global Employee Survey," EY, 2021).

    Beware of the "all or nothing" approach

    There is no one-size-fits-all approach to workplace flexibility.

    Understanding the needs of various employee segments in the organization is critical to the success of a flexible work program.

    Working parents want more flexibility

    82%

    of working mothers desire flexibility in where they work.

    48%

    of working fathers "want to work remotely 3 to 5 days a week."

    Historically underrepresented groups value more flexibility

    38%

    "Thirty-eight percent of Black male employees and 33% of Black female employees would prefer a fully flexible schedule, compared to 25% of white female employees and 26% of white male employees."
    (Slack, 2022; N=10,818)

    33%

    Workplace flexibility must be customized to the organization to avoid longer working hours and heavy workloads that impact employee wellbeing

    84%

    of remote workers and 61% of onsite workers reported working longer hours post pandemic. Longer working hours were attributed to reasons such as pressure from management and checking emails after working hours (Indeed, 2021).

    2.6x

    Respondents who either agreed or strongly agreed with the statement "Generally, I find my workload reasonable" were 2.6x more likely to be engaged compared to those who stated they disagreed or strongly disagreed (McLean & Company Engagement Survey Database;2022; N=5,615 responses).

    Longer hours and unsustainable workloads can contribute to stress and burnout, which is a threat to employee engagement and retention. With careful management (e.g. setting clear expectations and establishing manageable workloads), flexible work arrangement benefits can be preserved.

    Info-Tech Insight

    Employees' lived experiences and needs determine if people use flexible work programs – a flex program that has limited use or excludes people will not benefit the organization.

    Develop a flexible work program that meets employee and organizational needs

    This is an image of a sample flexible work program which meets employee and organizational needs.

    Insight summary

    Overarching insight: IT excels at hybrid location work and is more effective as a business function when location, time, and time-off flexibility are an option for its employees.

    Introduction

    Step 1 insight

    Step 2 insight

    Step 3 insight

    • Flexible work options are not a concession to lower productivity. Properly implemented, flex work enables employees to be more productive at reaching business goals.
    • Employees' lived experiences and needs determine if people use flexible work programs – a flex program that has limited use or excludes people will not benefit the organization.
    • Flexible work benefits everyone. IT employees experience greater engagement, motivation, and company loyalty. IT organizations realize benefits such as better service coverage, reduced facilities costs, and increased productivity.
    • Hybrid work is a start. A comprehensive flex work program extends beyond flexible location to flexible time and time off. Organizations must understand the needs of unique employee groups to uncover the options that will attract and retain talent. Provide greater inclusivity to employees by broadening the scope to include flex location, flex time, and flex time off.
    • No two employee segments are the same. To be effective, flexible work options must align with the expectations and working processes of each segment.
    • Every role is eligible for hybrid location work. If onsite work duties prevent an employee group from participating, see if processes can be digitized or automated. Flexible work is an opportunity to go beyond current needs to future proofing your organization.
    • Flexible work options must balance organizational and employee needs. If an option is beneficial to employees but there is little or no benefit to the organization, or if the cost of the option is too high, it will not support the long-term success of the organization.
    • Prioritize flexible work options that employees want. Providing too many options often leads to information overload and results in employees not understanding what is available, lowering adoption of the flexible work program.
    • Leaders' collective support of the flexible program determines the program's successful adoption. Don't sweep cultural barriers under the rug; acknowledge and address them to overcome them.
    • Negative performance of a flexible work option does not necessarily mean failure. Take the time to evaluate whether the option simply needs to be tweaked or whether it truly isn't working for the organization.
    • A set of formal guidelines for IT ensures flexible work is:
      1. Administered fairly across all IT employees.
      2. Defensible and clear.
      3. Scalable to the rest of the organization.

    Case Study

    Expanding hybrid work at Info-Tech

    Challenge

    In 2020, Info-Tech implemented emergency work-from-home for its IT department, along with the rest of the organization. Now in 2023, hybrid work is firmly embedded in Info-Tech's culture, with plans to continue location flexibility for the foreseeable future.

    Adjusting to the change came with lessons learned and future-looking questions.

    Lessons Learned

    Moving into remote work was made easier by certain enablers that had already been put in place. These included issuing laptops instead of desktops to the user base and using an existing cloud-based infrastructure. Much support was already being done remotely, making the transition for the support teams virtually seamless.

    Continuing hybrid work has brought benefits such as reduced commuting costs for employees, higher engagement, and satisfaction among staff that their preferences were heard.

    Looking Forward

    Every flexible work implementation is a work in progress and must be continually revisited to ensure it continues to meet organizational and employee needs. Current questions being explored at Info-Tech are:

    • The concept of the "office as a tool" – how does use of the office change when it is used for specific collaboration-related tasks, rather than everything? How should the physical space change to support this?
    • What does a viable replacement for quick hallway meetings look like in a remote world where communication is much more deliberate? How can managers adjust their practices to ensure the benefits of informal encounters aren't lost?

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    “Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.”

    Guided Implementation

    “Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.”

    Workshop

    “We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.”

    Consulting

    “Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”

    Diagnostics and consistent frameworks used throughout all four options

    Guided Implementation

    What does a typical GI on this topic look like?

    Preparation

    Step 1

    Step 2

    Step 3

    Follow-up

    Call #1: Scope requirements, objectives, and your specific challenges.

    Call #2: Assess employee and organizational needs.

    Call #3: Shortlist flex work options and assess feasibility.

    Call #4: Finalize flex work options and create rollout plan.

    Call #5: (Optional) Review rollout progress or evaluate pilot success.

    A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

    A typical GI is 3 to 5 calls over the course of 4 to 6 months.

    Workshop Overview

    Contact your account representative for more information.
    workshops@infotech.com 1-888-670-8889

    Day 1

    Day 2

    Day 3

    Day 4

    Day 5

    Activities

    Prepare to assess flex work feasibility

    Assess flex work feasibility

    Finalize flex work options

    Prepare for implementation

    Next Steps and Wrap-Up (offsite)

    1.1 Identify employee and organizational needs.

    1.2 Identify employee segments.

    1.3 Establish program goals and metrics.

    1.4 Shortlist flex work options.

    2.1 Conduct employee/manager focus groups to assess feasibility of flex work options.

    3.1 Finalize list of approved flex work options.

    3.2 Brainstorm solutions to implementation issues.

    3.2 Identify how to overcome cultural barriers.

    4.1 Design employee and manager guide prototype.

    4.2 Align HR programs and policies to support flexible work.

    4.3 Create a communication plan.

    5.1 Complete in-progress deliverables from previous four days.

    5.2 Set up review time for workshop deliverables and to discuss next steps.

    Deliverables
    1. Organizational context summary
    2. List of shortlisted flex work options
    1. Summary of flex work options' feasibility per employee segment
    1. 1.Final list of flex work options
    2. 2.Implementation barriers and solutions summary
    1. Employee and manager guide to flexible work
    2. Flex work roadmap and communication plan
    1. Completed flexible work feasibility workbook
    2. Flexible work communication plan

    Step 1

    Assess employee and organizational needs

    1. Assess employee and organizational flexibility needs
    2. Identify potential flex options and assess feasibility
    3. Implement selected option(s)

    After completing this step you will have:

    • Identified key stakeholders and their responsibilities
    • Uncovered the current and desired state of the organization
    • Analyzed feedback to identify flexibility challenges
    • Identified and prioritized employee segments
    • Determined the program goals
    • Identified the degree of flexibility for work location, timing, and deliverables

    Identify key stakeholders

    Organizational flexibility requires collaborative and cross-functional involvement to determine which flexible options will meet the needs of a diverse workforce. HR leads the project to explore flexible work options, while other stakeholders provide feedback during the identification and implementation processes.

    HR
    • Assist with the design, implementation, and maintenance of the program.
    • Provide managers and employees with guidance to establish successful flexible work arrangements.
    • Help develop communications to launch and maintain the program.

    Senior Leaders
    • Champion the project by modeling and promoting flexible work options
    • Help develop and deliver communications; set the tone for flexible work at the organization.
    • Provide input into determining program goals.

    Managers
    • Model flexible work options and encourage direct reports to request and discuss options.
    • Use flexible work program guidelines to work with direct reports to select suitable flexible work options.
    • Develop performance metrics and encourage communication between flexible and non-flexible workers.

    Flexible Workers
    • Indicate preferences of flexible work options to the manager.
    • Identify ways to maintain operational continuity and communication while working flexibly.
    • Flag issues and suggest improvements to the manager.
    • Develop creative ways to work with colleagues who don't work flexibly.

    Non-Flexible Workers
    • Share feedback on issues with flexible arrangements and their impact on operational continuity.

    Info-Tech Insight

    Flexible work is a holistic team effort. Leaders, flexible workers, teammates, and HR must clearly understand their roles to ensure that teams are set up for success.

    Uncover the current and desired state of flexibility in the organization

    Current State

    Target State

    Review:

    • Existing policies related to flexibility (e.g. vacation, work from anywhere)
    • Existing flexibility programs (e.g. seasonal hours) and their uptake
    • Productivity of employees
    • Current culture at the organization. Look for:
      • Employee autonomy
      • Reporting structure and performance management processes
      • Trust and psychological safety of employees
      • Leadership behavior (e.g. do leaders model work-life balance, or does the organization have a work 24/7 mentality?)

    Identify what is driving the need for flexible work options. Ask:

    • Why does the organization need flexible options?
      • For example, the introduction of flexibility for some employees has created a "have and have not" dynamic between roles that must be addressed.
    • What does the organization hope to gain from implementing flexible options? For example:
      • Improved retention
      • Increased attraction, remaining competitive for talent
      • Increased work-life balance for employees
      • Reduced burnout
    • What does the organization aspire to be?
      • For example, an organization that creates an environment that values output, not face time.

    These drivers identify goals for the organization to achieve through targeted flexible work options.

    Info-Tech Insight

    Hybrid work is a start. A comprehensive flex work program extends beyond flexible location, so organizations must understand the needs of unique employee groups to uncover the options that will attract and retain talent. Provide greater inclusivity to employees by broadening the scope to include flex location, flex time, and flex time off.

    Identify employee segments

    Using the data, feedback, and challenges analyzed and uncovered so far, assess the organization and identify employee segments.

    Identify employee segments with common characteristics to assess if they require unique flexible work options. Assess the feasibility options for the segments separately in Step 2.

    • Segments' unique characteristics include:
      • Role responsibilities (e.g. interacting with users, creating reports, development and testing)
      • Work location/schedule (e.g. geographic, remote vs. onsite, 9 to 5)
      • Work processes (e.g. server maintenance, phone support)
      • Group characteristics (e.g. specific teams, new hires)

    Identify employee segments and sort them into groups based on the characteristics above.

    Examples of segments:

    • Functional area (e.g. Service Desk, Security)
    • Job roles (e.g. desktop support, server maintenance)
    • Onsite, remote, or hybrid
    • Full-time or part-time
    • Job level (e.g. managers vs. independent contributors)
    • Employees with dependents

    Prioritize employee segments

    Determine whether the organization needs flexible work options for the entire organization or specific employee segments.
    For specific employee segments:

    • Answer the questions on the right to identify whether an employee segment is high, medium, or low priority. Complete slides 23 to 25 for each high-priority segment, repeating the process for medium-priority segments when resources allow.

    For the entire organization:

    • When identifying an option for the entire organization, consider all segments. The approach must create consistency and inclusion; keep this top of mind when identifying flexibility on slides 23 to 25. For example, the work location flexibility would be low in an organization where some segments can work remotely and others must be onsite due to machinery requirements.

    High priority: The employee segment has the lowest engagement scores or highest turnover within the organization. Segment sentiment is that current flexibility is nonexistent or not sufficiently meeting needs.
    Medium priority: The employee segment has low engagement or high turnover. Segment sentiment is that currently available flexibility is minimal or not sufficiently meeting needs.
    Low priority: The segment does not have the lowest engagement or the highest turnover rate. Segment sentiment is that currently available flexibility is sufficiently meeting needs.

    1. What is the impact on the organization if this segment's challenges aren't addressed (e.g. if low engagement and high turnover are not addressed)?
    2. How critical is flexibility to the segment's needs/engagement?
    3. How time sensitive is it to introduce flexibility to this segment (e.g. is the organization losing employees in this segment at a high rate)?
    4. Will providing flexibility to this segment increase organizational productivity or output

    Identify challenges to address with flexibility

    Uncover the lived experiences and expectations of employees to inform selection of segments and flexible options.

    1. Collect data from existing sources, such as:
      • Engagement surveys
      • New hire/exit surveys
      • Employee experience monitor surveys
      • Employee retention pulse surveys
      • Burnout surveys
      • DEI pulse surveys
    2. Analyze employee feedback on experiences with:
      • Work duties
      • Workload
      • Work-life balance
      • Operating processes and procedures
      • Achieving operational outcomes
      • Collaboration and communication
      • Individual experience and engagement
    3. Evaluate the data and identify challenges

    Example challenges:

    • Engagement: Low average score on work-life balance question; flexible work suggested in open-ended responses.
    • Retention: Exit survey indicating that lack of work-life balance is consistently a reason employees leave. Include the cost of turnover (e.g. recruitment, training, severance).
    • Burnout: Feedback from employees through surveys or HR business partner anecdotes indicating high burnout; high usage of wellness services or employee assistance programs.
    • Absenteeism: High average number of days employees were absent in the past year. Include the cost of lost productivity.
    • Operational continuity: Provide examples of when flexible work would have enabled operational continuity in the case of disaster or extended customer service coverage.
    • Program uptake: If the organization already has a flexible work program, provide data on the low proportion of eligible employees using available options.

    1.1 Prepare to evaluate flexible work options

    1-3 hours

    Follow the guidance on preceding slides to complete the following activities.
    Note: If you are only considering remote or hybrid work, use the Fast-Track Hybrid Work Program Workbook. Otherwise, proceed with the Targeted Flexible Work Program Workbook.

    1. Identify key stakeholders. Be sure to record the level of involvement and responsibility expected from each stakeholder. Use the "Stakeholders" tab of the workbook.
    2. Uncover current and desired state. Review and record your current state with respect to culture, productivity, and current flexible work options, if any. Next, record your desired future state, including reasons for implementing flexible work, and goals for the program. Record this in the "Current and Desired State" tab of the workbook.
    3. Identify and prioritize employee segments. Identify and record employee segments. Depending on the size of your department, you may identify a few or many. Be as granular as necessary to fully separate employee groups with different needs. If your resources or needs prevent you from rolling out flexible work to the entire department, record the priority level of each segment so you can focus on the highest priority first.
    4. Identify challenges with flexibility. With each employee segment in mind, analyze your available data to identify and record each segment's main challenges regarding flexible work. These will inform your program goals and metrics.

    Download the Targeted Flexible Work Program Workbook

    Download the Fast-Track Hybrid Work Program Workbook

    Input

    • List of departmental roles
    • Data on employee engagement, productivity, sentiment regarding flexible work, etc.

    Output

    • List of stakeholders and responsibilities
    • Flexible work challenges and aims
    • Prioritized list of employee segments

    Materials

    • Targeted Flexible Work Program Workbook
      Or
    • Fast-Track Hybrid Work Program Workbook

    Participants

    • IT department head
    • HR business partner
    • Flexible work program committee

    Determine goals and metrics for the flexible work program

    Sample program goals

    Sample metrics

    Increase productivity
    • Employee, team, and department key performance indicators (KPIs) before and after flexible work implementation
    • Absenteeism rate (% of lost working days due to all types of absence)

    Improve business satisfaction and perception of IT value

    Increase retention
    • % of exiting employees who cite lack of flexible work options or poor work-life balance as a reason they left
    • Turnover and retention rates

    Improve the employee value proposition (EVP) and talent attraction
    • # of responses on the new hire survey where flexible work options or work-life balance are cited as a reason for accepting an employment offer
    • # of views of career webpage that mentions flexible work program
    • Time-to-fill rates

    Improve engagement and work-life balance

    • Overall engagement score – deploy Info-Tech's Employee Engagement Diagnostics
    • Score for questions about work-life balance on employee engagement or pulse survey, including:
      • "I am able to maintain a balance between my work and personal life."
      • "I find my stress levels at work manageable."

    Info-Tech Insight

    Implementing flex work without solid performance metrics means you won't have a way of determining whether the program is enabling or hampering your business practices.

    1.2 Determine goals and metrics

    30 minutes

    Use the examples on the preceding slide to identify program goals and metrics:

    1. Brainstorm program goals. Be sure to consider both the business benefits (e.g. productivity, retention) and the employee benefits (work-life balance, engagement). A successful flexible work program benefits both the organization and its employees.
    2. Brainstorm metrics for each goal. Identify metrics that are easy to track accurately. Use Info-Tech's IT and HR metrics libraries for reference. Ideally, the metrics you choose should already exist in your organization so no extra effort will be necessary to implement them. It is also important to have a baseline measure of each one before flexible work is rolled out.
    3. Record your outputs on the "Goals and Metrics" tab of the workbook.

    Download the Targeted Flexible Work Program Workbook

    Download the IT Metrics Library

    Download the HR Metrics Library

    Input

    • Organizational and departmental strategy

    Output

    • List of program goals and metrics

    Materials

    • Targeted Flexible Work Program Workbook
      Or
    • Fast-Track Hybrid Work Program Workbook

    Participants

    • Flexible work program committee

    Determine work location flexibility for priority segments

    Work location looks at where a segment can complete all or some of their tasks (e.g. onsite vs. remote). For each prioritized employee segment, evaluate the amount of location flexibility available.

    Work Duties

    Processes

    Operational Outcomes

    High degree of flexibility
    • Low dependence on onsite equipment
    • Work easily shifts to online platforms
    • Low dependence on onsite external interactions (e.g. clients, customers, vendors)
    • Low interdependence of work duties internally (most work is independent)
    • Work processes and expectations are or can be formally documented
    • Remote work processes are sustainable long term

    Most or all operational outcomes can be achieved offsite (e.g. products/service delivery not impacted by WFH)
    • Some dependence on onsite equipment
    • Some work can shift to online platforms
    • Some dependence on onsite external interactions
    • Some interdependence of work duties internally (collaboration is critical)
    • Most work processes and expectations have been or can be formally documented
    • Remote work processes are sustainable (e.g. workarounds can be supported and didn't add work)

    Some operational outcomes can be achieved offsite (e.g. some impact of WFH on product/service delivery)

    Low degree of flexibility
    • High dependence on onsite equipment
    • Work cannot shift to online platforms
    • High dependence on onsite external interactions
    • High interdependence of work duties internally (e.g. line work)
    • Few work processes and expectations can be formally documented
    • Work processes cannot be done remotely, and workarounds for remote work are not sustainable long term

    Operational outcomes cannot be achieved offsite (e.g. significant impairment to product/service delivery)

    Note

    If roles within the segment have differing levels of location flexibility, use the lowest results (e.g. if role A in the segment has a high degree of flexibility for work duties and role B has a low degree of flexibility, use the results for role B).

    Identify work timing for priority segments

    Work timing looks at when work can or needs to be completed (e.g. Monday to Friday, 9am to 5pm).

    Work Duties

    Processes

    Operational Outcomes

    High degree of flexibility

    • No need to be available to internal and/or external customers during standard work hours
    • Equipment is available at any time
    • Does not rely on synchronous (occurring at the same time) work duties internally
    • Work processes and expectations are or can be formally documented
    • Low reliance on collaboration
    • Work is largely asynchronous (does not occur at the same time)

    Most or all operational outcomes are not time sensitive

    • Must be available to internal and/or external customers during some standard work hours
    • Some reliance on synchronous work duties internally (collaboration is critical)
    • Most work processes and expectations have been or can be formally documented
    • Moderate reliance on collaboration
    • Some work is synchronous

    Some operational outcomes are time sensitive and must be conducted within set date or time windows

    Low degree of flexibility

    • Must be available to internal and/or external customers during all standard work hours (e.g. Monday to Friday 9 to 5)
    • High reliance on synchronous work duties internally (e.g. line work)
    • Few work processes and expectations can be formally documented
    • High reliance on collaboration
    • Most work is synchronous

    Most or all operational outcomes are time sensitive and must be conducted within set date or time windows

    Note

    With additional coordination, flex time or flex time off options are still possible for employee segments with a low degree of flexibility. For example, with a four-day work week, the segment can be split into two teams – one that works Monday to Thursday and one that works Tuesday to Friday – so that employees are still available for clients five days a week.

    Examine work deliverables for priority segments

    Work deliverables look at the employee's ability to deliver on their role expectations (e.g. quota or targets) and whether reducing the time spent working would, in all situations, impact the work deliverables (e.g. constrained vs. unconstrained).

    Work Duties

    Operational Outcomes

    High degree of flexibility

    • Few or no work duties rely on equipment or processes that put constraints on output (unconstrained output)
    • Employees have autonomy over which work duties they focus on each day
    • Most or all operational outcomes are unconstrained (e.g. a marketing analyst who builds reports and strategies for clients can produce more reports, produce better reports, or identify new strategies)
    • Work quota or targets are achievable even if working fewer hours
    • Some work duties rely on equipment or processes that put constraints on output
    • Employees have some ability to decide which work duties they focus on each day
    • Some operational outcomes are constrained or moderately unconstrained (e.g. an analyst build reports based on client data; while it's possible to find efficiencies and build reports faster, it's not possible to attain the client data any faster)
    • Work quota or targets may be achievable if working fewer hours

    Low degree of flexibility

    • Most or all work duties rely on equipment or processes that put constraints on output (constrained output)
    • Daily work duties are prescribed (e.g. a telemarketer is expected to call a set number of people per day using a set list of contacts and a defined script)
    • Most or all operational outcomes are constrained (e.g. a machine operator works on a machine that produces 100 parts an hour; neither the machine nor the worker can produce more parts)
    • Work quota or targets cannot be achieved if fewer hours are worked

    Note

    For segments with a low degree of work deliverable flexibility (e.g. very constrained output), flexibility is still an option, but maintaining output would require additional headcount.

    1.3 Determine flexibility needs and constraints

    1-2 hours

    Use the guidelines on the preceding slides to document the parameters of each work segment.

    1. Determine work location flexibility. Work location looks at where a segment can complete all or some of their tasks (e.g. onsite vs. remote). For each prioritized employee segment, evaluate the amount of location flexibility available.
    2. Identify work timing. Work timing looks at when work can or needs to be completed (e.g. Monday to Friday, 9am to 5pm).
    3. Examine work deliverables. Work deliverables look at the employee's ability to deliver on their role expectations (e.g. quota or targets) and whether reducing the time spent working would, in all situations, impact the work deliverables (e.g. constrained vs. unconstrained).
    4. Record your outputs on the "Current and Desired State" tab of the workbook.

    Download the Targeted Flexible Work Program Workbook

    Input

    • List of employee segments

    Output

    • Summary of flexibility needs and constraints for each employee segment

    Materials

    • Targeted Flexible Work Program Workbook
      Or
    • Fast-Track Hybrid Work Program Workbook

    Participants

    • Flexible work program committee
    • Employee segment managers

    Step 2

    Identify potential flex options and assess feasibility

    1. Assess employee and organizational flexibility needs
    2. Identify potential flex options and assess feasibility
    3. Implement selected option(s)

    After completing this step you will have:

    • Created a shortlist of potential options for each prioritized employee segment
    • Evaluated the feasibility of each potential option
    • Determined the cost and benefit of each potential option
    • Gathered employee sentiment on potential options
    • Finalized options with senior leadership

    Prepare to identify and assess the feasibility of potential flexible work options

    First, review the Flexible Work Solutions Catalog

    Before proceeding to the next slide, review the Flexible Work Options Catalog to identify and shortlist five to seven flexible work options that are best suited to address the challenges faced for each of the priority employee segments identified in Step 1.

    Then, assess the feasibility of implementing selected options using slides 29 to 32

    Assess the feasibility of implementing the shortlisted solutions for the prioritized employee segments against the feasibility factors in this step. Repeat for each employee segment. Use the following slides to consult with and include leaders when appropriate.

    • Document your analysis in tabs 6 to 8 of the Targeted Flexible Work Program Workbook.
    • Note implementation issues throughout the assessment and record them in the tool. They will be addressed in Step 3: Implement Selected Program(s). Don't rule out an option simply because it presents some challenges; careful implementation can overcome many challenges.
    • At the end of this step, determine the final list of flexible work options and gain approval from senior leaders for implementation.

    Evaluate feasibility by reviewing the option's impact on continued operations and job performance

    Operational coverage

    Synchronous communication

    Time zones

    Face-to-face

    communication

    To what extent are employees needed to deliver products or services?

    • If constant customer service is required, stagger employees' schedules (e.g. one team works Monday-Thursday while another works Tuesday-Friday).

    To what extent do employees need to communicate with each other synchronously?

    • Break the workflow down and identify times when employees do and do not have to work at the same time to communicate with each other.

    To what extent do employees need to coordinate work across time zones?

    • If the organization already operates in different time zones, ensure that the option does not impact operations requiring continuous coverage.
    • When employees are located in different time zones, coordinate schedules based on the other operational factors.

    When do employees need to interact with each other or clients in person?

    • Examine the workflow closely to identify times when face-to-face communication is not required. Schedule "office days" for employees to work together when in-person interaction is needed.
    • When the interaction is only required with clients, determine whether employees are able to meet clients offsite.

    Info-Tech Insight

    Every role is eligible for hybrid location work. If onsite work duties prevent an employee group from participating, see if processes can be digitized or automated. Flexible work is an opportunity to go beyond current needs to future-proof your organization.

    Assess the option's alignment with organizational culture

    Symbols

    Values

    		 Behaviors

    How supportive of flexible work are the visible aspects of the organization's culture?

    • For example, the mission statement, newsletters, or office layout.
    • Note: Visible elements will need to be adapted to ensure they reinforce the value of the flexible work option.

    How supportive are both the stated and lived values of the organization?

    • When the flexible work option includes less direct supervision, assess how empowered employees feel to make decisions.
    • Assess whether all types of employees (e.g. virtual) are included, valued, and supported.

    How supportive are the attitudes and behaviors, especially of leaders?

    • Leaders set the expectations for acceptable behaviors in the organization. Determine how supportive leaders are toward flexible workers by examining their attitudes and perceptions.
    • Identify if employees are open to different ways of doing work.

    Determine the resources required for the option

    People

    Process

    		 Technology

    Do employees have the knowledge, skills, and abilities to adopt this option?

    • Identify any areas (e.g. process, technology) employees will need to be trained on and assess the associated costs.
    • Determine whether the option will require additional headcount to ensure operational continuity (e.g. two part-time employees in a job-sharing arrangement) and calculate associated costs (e.g. recruitment, training, benefits).

    How much will work processes need to change?

    • Interview organizational leaders with knowledge of the employee segment's core work processes. Determine whether a significant change will be required.
    • If a significant change is required, evaluate whether the benefits of the option outweigh the costs of the process and behavioral change (see the "net benefit" factor on slide 33).

    What new technologies will be required?

    • Identify the technology (e.g. that supports communication, work processes) required to enable the flexible work option.
    • Note whether existing technology can be used or additional technology will be required, and further investigate the viability and costs of these options.

    Examine the option's risks

    Data

    Health & Safety

    Legal

    How will data be kept secure?

    • Determine whether the organization's data policy and technology covers employees working remotely or other flexible work options.
    • If the employee segment handles sensitive data (e.g. personal employee information), consult relevant stakeholders to determine how data can be kept secure and assess any associated costs.

    How will employees' health and safety be impacted?

    • Consult your organization's legal counsel to determine whether the organization will be liable for the employees' health and safety while working from home or other locations.
    • Determine whether the organization's policies and processes will need to be modified.

    What legal risks might be involved?

    • Identify any policies in place or jurisdictional requirements to avoid any legal risks. Consult your organization's legal counsel about the situations below.
      • If the option causes significant changes to the nature of jobs, creating the risk of constructive dismissal.
      • If there are any risks to providing less supervision (e.g. higher chance of harassment).
      • When only some employee segments are eligible for the option, determine whether there is a risk of inequitable access.
      • If the option impacts any unionized employees or collective agreements.

    Determine whether the benefits of the option outweigh the costs

    Include senior leadership in the net benefit process to ensure any unfeasible options are removed from consideration before presenting to employees.

    1. Document the employee and employer benefits of the option from the previous feasibility factors on slides 29 to 32.
    • Include the benefits of reaching program goals identified in Step 1.
    • Quantify the benefits in dollar value where possible.
  • Document the costs and risks of the option, referring to the costs noted from previous feasibility factors.
    • Quantify the costs in dollar value where possible.
  • Compare the benefits and costs.
    • Add an option to your final list if the benefits are greater than the costs.

    • This is an image of a table with the main heading being Net Benefit, with the following subheadings: Benefits to organization; Benefits to employees; Costs.

    Info-Tech Insight

    Flexible work options must balance organizational and employee needs. If an option is beneficial to employees but there is little or no benefit to the organization as a whole, or if the cost of the option is too high, it will not support the long-term success of the organization.

    2.1a Identify and evaluate flexible work options

    30 minutes per employee segment per work option

    If you are only considering hybrid or remote work, skip to activity 2.1b. Use the guidelines on the preceding slides to conduct feasibility assessments.

    1. Shortlist flexible work options. Review the Flexible Work Options Catalog to identify and shortlist five to seven flexible work options that are best suited to address the challenges faced for each of the priority employee segments. Record these on the "Options Shortlist" tab of the workbook. Even if the decision is simple, ensure you record the rationale to help communicate your decision to employees. Transparent communication is the best way to avoid feelings of unfairness if desired work options are not implemented.
    2. Evaluate option feasibility. For each of the shortlisted options, complete one "Feasibility - Option" tab in the workbook. Make as many copies of this tab as needed.
      • When evaluating each option, consider each employee segment individually as you work through the prompts in the workbook. You may find that segments differ greatly in the feasibility of various types of flexible work. You will use this information to inform your overall policy and any exceptions to it.
      • You may need to involve each segment's management team to get an accurate picture of day-to-day responsibilities and flexible work feasibility.
    3. Weigh benefits and costs. At the end of each flexible work option evaluation, record the anticipated costs and benefits. Discuss whether this balance renders the option viable or rules it out.

    Download the Targeted Flexible Work Program Workbook

    Download the Flexible Work Options Catalog

    Input

    • List of employee segments

    Output

    • Shortlist of flexible work options
    • Feasibility analysis for each work option

    Materials

    • Targeted Flexible Work Program Workbook
    • Flexible Work Options Catalog

    Participants

    • Flexible work program committee
    • Employee segment managers

    2.1b Assess hybrid work feasibility

    30 minutes per employee segment

    Use the guidelines on the preceding slides to conduct a feasibility assessment. This exercise relies on having trialed hybrid or remote work before. If you have never implemented any degree of remote work, consider completing the full feasibility assessment in activity 2.1a.

    1. Evaluate hybrid work feasibility. Review the feasibility prompts on the "Work Unit Remote Work Assessment" tab and record your insight for each employee segment.
      • When evaluating each option, consider each employee segment individually as you work through the prompts in the workbook. You may find that segments differ greatly in their ability to accommodate hybrid work. You will use this information to inform your overall policy and any exceptions to it.
      • You may need to involve each segment's management team to get an accurate picture of day-to-day responsibilities and hybrid work feasibility.

    Download the Fast-Track Hybrid Work Program Workbook

    Input

    • List of employee segments

    Output

    • Feasibility analysis for each work option

    Materials

    • Fast-Track Hybrid Work Program Workbook

    Participants

    • Flexible work program committee
    • Employee segment managers

    Ask employees which options they prefer and gather feedback for implementation

    Deliver a survey and/or conduct focus groups with a selection of employees from all prioritized employee segments.

    Share

    • Present your draft list of options to select employees.
    • Communicate that the organization is in the process of assessing the feasibility of flexible work options and would like employee input to ensure flex work meets needs.
    • Be clear that the list is not final or guaranteed.

    Ask

    • Ask which options are preferred more than others.
    • Ask for feedback on each option – how could it be modified to meet employee needs better? Use this information to inform implementation in Step 3.

    Decide

    • Prioritize an option if many employees indicated an interest in it.
    • If employees indicate no interest in an option, consider eliminating it from the list, unless it will be required. There is no value in providing an option if employees won't use it.

    Survey

    • List the options and ask respondents to rate each on a Likert scale from 1 to 5.
    • Ask some open-ended questions with comment boxes for employee suggestions.

    Focus Group

    • Conduct focus groups to gather deeper feedback.
    • See Appendix I for sample focus group questions.

    Info-Tech Insight

    Prioritize flexible work options that employees want. Providing too many options often leads to information overload and results in employees not understanding what is available, lowering adoption of the flexible work program.

    Finalize options list with senior leadership

    1. Select one to three final options and outline the details of each. Include:
      • Scope: To what extent will the option be applied? E.g. work-from-home one or two days a week.
      • Eligibility: Which employee segments are eligible?
      • Cost: What investment will be required?
      • Critical implementation issues: Will any of the implementation issues identified for each feasibility factor impact whether the option will be approved?
      • Resources: What additional resources will be required (e.g. technology)?
    2. Present the options to stakeholders for approval. Include:
      • An outline of the finalized options, including what the option is and the scope, eligibility, and critical implementation issues.
      • The feasibility assessment results, including benefits, costs, and employee preferences. Have more detail from the other factors ready if leaders ask about them.
      • The investment (cost) required to implement the option.
    3. Proceed to Step 3 to implement approved options.

    Running an IT pilot of flex work

    • As a technology department, IT typically doesn't own flexible work implementation for the entire organization. However, it is common to trial flexible work options for IT first, before rolling out to the entire organization.
    • During a flex work pilot, ensure you are working closely with HR partners, especially regarding regulatory and compliance issues.
    • Keep the rest of the organizational stakeholders in the loop, especially regarding their agreement on the metrics by which the pilot's success will be evaluated.

    2.2a Finalize flexible work options

    2-3 hours + time to gather employee feedback

    If you are only considering hybrid or remote work, skip to activity 2.2b. Use the guidelines on the preceding slides to gather final feedback and finalize work option selections.

    1. Gather employee feedback. If employee preferences are already known, skip this step. If they are not, gather feedback to ascertain whether any of the shortlisted options are preferred. Remember that a successful flexible work program balances the needs of employees and the business, so employee preference is a key determinant in flexible work program success. Document this on the "Employee Preferences" tab of the workbook.
    2. Finalize flexible work options. Use your notes on the cost-benefit balance for each option, along with employee preferences, to decide whether the move forward with it. Record this decision on the "Options Final List" tab. Include information about eligible employee segments and any implementation challenges that came up during the feasibility assessments. This is the final decision summary that will inform your flexible program parameters and policies.

    Download the Targeted Flexible Work Program Workbook

    Input

    • Flexible work options shortlist

    Output

    • Final flexible work options list

    Materials

    • Targeted Flexible Work Program Workbook

    Participants

    • Flexible work program committee

    2.2b Finalize hybrid work parameters

    2-3 hours + time to gather employee feedback

    Use the guidelines on the preceding slides to gather final feedback and finalize work option selections.

    1. Summarize feasibility analysis. On the "Program Parameters" tab, record the main insights from your feasibility analysis. Finalize important elements, including eligibility for hybrid/remote work by employee segment. Additionally, record the standard parameters for the program (i.e. those that apply to all employee segments) and variable parameters (i.e. ones that differ by employee segment).

    Download the Fast-Track Hybrid Work Program Workbook

    Input

    • Hybrid work feasibility analysis

    Output

    • Final hybrid work program parameters

    Materials

    • Fast-Track Hybrid Work Program Workbook

    Participants

    • Flexible work program committee

    Step 3

    Implement selected option(s)

    1. Assess employee and organizational flexibility needs
    2. Identify potential flex options and assess feasibility
    3. Implement selected option(s)

    After completing this step, you will have:

    • Addressed implementation issues and cultural barriers
    • Equipped the organization to adopt flexible work options successfully
    • Piloted the program and assessed its success
    • Developed a plan for program rollout and communication
    • Established a program evaluation plan
    • Aligned HR programs to support the program

    Solve the implementation issues identified in your feasibility assessment

    1. Identify a solution for each implementation issue documented in the Targeted Flexible Work Program Workbook. Consider the following when identifying solutions:
      • Scope: Determine whether the solution will be applied to one or all employee segments.
      • Stakeholders: Identify stakeholders to consult and develop a solution. If the scope is one employee segment, work with organizational leaders of that segment. When the scope is the entire organization, consult with senior leaders.
      • Implementation: Collaborate with stakeholders to solve implementation issues. Balance the organizational and employee needs, referring to data gathered in Steps 1 and 2.

    Example:

    Issue

    Solution

    Option 1: Hybrid work

    Brainstorming at the beginning of product development benefits from face-to-face collaboration.

    Block off a "brainstorming day" when all team members are required in the office.

    Employee segment: Product innovation team

    One team member needs to meet weekly with the implementation team to conduct product testing.

    Establish a schedule with rotating responsibility for a team member to be at the office for product testing; allow team members to swap days if needed.

    Address cultural barriers by involving leaders

    To shift a culture that is not supportive of flexible work, involve leaders in setting an example for employees to follow.

    Misconceptions

    Tactics to overcome them
    • Flexible workers are less productive.
    • Flexible work disrupts operations.
    • Flexible workers are less committed to the organization.
    • Flexible work only benefits employees, not the organization.
    • Employees are not working if they aren't physically in the office.

    Make the case by highlighting challenges and expected benefits for both the organization and employees (e.g. same or increased productivity). Use data in the introductory section of this blueprint.

    Demonstrate operational feasibility by providing an overview of the feasibility assessment conducted to ensure operational continuity.

    Involve most senior leadership in communication.

    Encourage discovery and exploration by having managers try flexible work options themselves, which will help model it for employees.

    Highlight success stories within the organization or from competitors or similar industries.

    Invite input from managers on how to improve implementation and ownership, which helps to discover hidden options.

    Shift symbols, values, and behaviors

    • Work with senior leaders to identify symbols, values, and behaviors to modify to align with the selected flexible work options.
    • Validate that the final list aligns with your organization's mission, vision, and values.

    Info-Tech Insight

    Leaders' collective support of the flexible program determines the program's successful adoption. Don't sweep cultural barriers under the rug; acknowledge and address them to overcome them.

    Equip the organization for successful implementation

    Info-Tech recommends providing managers and employees with a guide to flexible work, introducing policies, and providing training for managers.

    Provide managers and employees with a guide to flexible work

    Introduce appropriate organization policies

    Equip managers with the necessary tools and training

    Use the guide to:

    • Familiarize employees and managers with the flexible work program.
    • Gain employee and manager buy-in and support for the program.
    • Explain the process and give guidance on selecting flexible work options and working with their colleagues to make it a success.

    Use Info-Tech's customizable policy templates to set guidelines, outline arrangements, and scope the organization's flexible work policies. This is typically done by, or in collaboration with, the HR department.

    Download the Guide to Flexible Work for Managers and Employees

    Download the Flex Location Policy

    Download the Flex Time-Off Policy

    Download the Flex Time Policy

    3.1 Prepare for implementation

    2-3 hours

    Use the guidelines on the preceding slides to brainstorm solutions to implementation issues and prepare to communicate program rollout to stakeholders.

    1. Solve implementation issues.
      • If you are working with the Targeted Flexible Work Program Workbook: For each implementation challenge identified on the "Final Options List" tab, brainstorm solutions. If you are working with the Fast-Track Hybrid Work Program Workbook: Work through the program enablement prompts on the "Program Enablement" tab.
      • You may need to involve relevant stakeholders to help you come up with appropriate solutions for each employee segment.
      • Ensure that any anticipated cultural barriers have been documented and are addressed during this step. Don't underestimate the importance of a supportive organizational culture to the successful rollout of flexible work.
    2. Prepare the employee guide. Modify the Guide to Flexible Work for Managers and Employees template to reflect your final work options list and the processes and expectations employees will need to follow.
    3. Create a communication plan. Use Info-Tech's Communicate Any IT Initiative blueprint and Appendix II to craft your messaging.

    Download the Guide to Flexible Work for Managers and Employees

    Download the Targeted Flexible Work Program Workbook

    Input

    • Flexible work options final list

    Output

    • Employee guide to flexible work
    • Flexible work rollout communication plan

    Materials

    • Guide to Flexible Work for Managers and Employees
    • Targeted Flexible Work Program Workbook
      Or
    • Fast-Track Hybrid Work Program Workbook

    Participants

    • Flexible work program committee
    • Employee segment managers

    Run an IT pilot for flexible work

    Prepare for pilot

    Launch Pilot

    Identify the flexible work options that will be piloted.

    • Refer to the final list of selected options for each priority segment to determine which options should be piloted.

    Select pilot participants.

    • If not rolling out to the entire IT department, look for the departments and/or team(s) where there is the greatest need and the biggest interest (e.g. team with lowest engagement scores).
    • Include all employees within the department, or team if the department is too large, in the pilot.
    • Start with a group whose managers are best equipped for the new flexibility options.

    Create an approach to collect feedback and measure the success of the pilot.

    • Feedback can be collected using surveys, focus groups, and/or targeted in-person interviews.

    The length of the pilot will greatly vary based on which flexible work options were selected (e.g. seasonal hours will require a shorter pilot period compared to implementing a compressed work week). Use discretion when deciding on pilot length and be open to extending or shortening the pilot length as needed.

    Launch pilot.

    • Launch the program through a town hall meeting or departmental announcement to build excitement and buy-in.
    • Develop separate communications for employee segments where appropriate. See Appendix II for key messaging to include.

    Gather feedback.

    • The feedback will be used to assess the pilot's success and to determine what modifications will be needed later for a full-scale rollout.
    • When gathering feedback, tailor questions based on the employee segment but keep themes similar. For example:
      • Employees: "How did this help your day-to-day work?"
      • Managers: "How did this improve productivity on your team?"

    Track metrics.

    • The success of the pilot is best communicated using your department's unique KPIs.
    • Metrics are critical for:
      • Accurately determining pilot success.
      • Getting buy-in to expand the pilot beyond IT.
      • Justifying to employees any changes made to the flexible work options.

    Assess the pilot's success and determine next steps

    Review the feedback collected on the previous slide and use this decision tree to decide whether to relaunch a pilot or proceed to a full-scale rollout of the program.

    This is an image of the flow chart used to assess the pilot's success and determine the next steps. It will help you to determine whether you will Proceed to full-scale rollout on next slide, Major modifications to the option/launch (e.g. change operating time) – adjust and relaunch pilot or select a new employee segment and relaunch pilot, Minor modifications to the option/launch (e.g. introduce additional communications) – adjust and proceed to full scale rollout, or Return to shortlist (Step 2) and select a different option or launch pilot with a different employee segment.

    Prepare for full-scale rollout

    If you have run a team pilot prior to rolling out to all of IT, or run an IT pilot before an organizational rollout, use the following steps to transition from pilot to full rollout.

    1. Determine modifications
      • Review the feedback gathered during the pilot and determine what needs to change for a full-scale implementation.
      • Update HR policies and programs to support flexible work. Work closely with your HR business partner and other organizational leaders to ensure every department's needs are understood and compliance issues are addressed.
    2. Roll out and evaluate
      • Roll out the remainder of the program (e.g. to other employee segments or additional flexible work options) once there is significant uptake of the pilot by the target employee group and issues have been addressed.
      • Determine how feedback will be gathered after implementation, such as during engagement surveys, new hire and exit surveys, stay interviews, etc., and assess whether the program continues to meet employee and organizational needs.

    Rolling out beyond IT

    For a rollout beyond IT, HR will likely take over.

    However, this is your chance to remain at the forefront of your organization's flexible work efforts by continuing to track success and gather feedback within IT.

    Align HR programs and organizational policies to support flexible work

    Talent Management

    Learning & Development

    Talent Acquisition

    Reinforce managers' accountability for the success of flexible work in their teams:

    • Include "managing virtual teams" in the people management leadership competency.
    • Recognize managers who are modeling flexible work.

    Support flexible workers' career progression:

    • Monitor the promotion rates of flexible workers vs. non-flexible workers.
    • Make sure flexible workers are discussed during talent calibration meetings and have access to career development opportunities.

    Equip managers and employees with the knowledge and skills to make flexible work successful.

    • Provide guidance on selecting the right options and maintaining workflow.
    • If moving to a virtual environment, train managers on how to make it a success.

    Incorporate the flexible work program into the organization's employee value proposition to attract top talent who value flexible work options.

    • Highlight the program on the organization's career site and in job postings.

    Organizational policies

    Determine which organizational policies will be impacted as a result of the new flexible work options. For example, the introduction of flex time off can result in existing vacation policies needing to be updated.

    Plan to re-evaluate the program and make improvements

    Collect data

    Collect data

    Act on data

    Uptake

    Gather data on the proportion of employees eligible for each option who are using the option.

    If an option is tracking positively:

    • Maintain or expand the program to more of the organization.
    • Conduct a feasibility assessment (Step 2) for new employee segments.

    Satisfaction

    Survey managers and employees about their satisfaction with the options they are eligible for and provide an open box for suggestions on improvements.

    If an option is tracking negatively:

    • Investigate why. Gather additional data, interview organizational leaders, and/or conduct focus groups to gain deeper insight.
    • Re-assess the feasibility of the option (Step 2). If the costs outweigh the benefits based on new data, determine whether to cancel the option.
    • Take appropriate action based on the outcome of the evaluation, such as modifying or cancelling the option or providing employees with more support.
      • Note: Cancelling an option can impact the engagement of employees using the option. Ensure that the data, reasons for cancelling the option, and potential substitute options are communicated to employees in advance.

    Program goal progress

    Monitor progress against the program goals and metrics identified in Step 1 to evaluate the impact on issues that matter to the organization (e.g. retention, productivity, diversity).

    Career progression

    Evaluate flexible workers' promotion rates and development opportunities to determine if they are developing.

    Info-Tech Insight

    Negative performance of a flexible work option does not necessarily mean failure. Take the time to evaluate whether the option simply needs to be tweaked or whether it truly isn't working for the organization.

    Insight summary

    Overarching insight: IT excels at hybrid location work and is more effective as a business function when location, time, and time-off flexibility are an option for its employees.

    Introduction

    • Flexible work options are not a concession to lower productivity. Properly implemented, flex work enables employees to be more productive at reaching business goals.
    • Employees' lived experiences and needs determine if people use flexible work programs – a flex program that has limited use or excludes people will not benefit the organization.
    • Flexible work benefits everyone. IT employees experience greater engagement, motivation, and company loyalty. IT organizations realize benefits such as better service coverage, reduced facilities costs, and increased productivity.

    Step 1 insight

    • Hybrid work is a start. A comprehensive flex work program extends beyond flexible location to flexible time and time off. Organizations must understand the needs of unique employee groups to uncover the options that will attract and retain talent. Provide greater inclusivity to employees by broadening the scope to include flex location, flex time, and flex time off.
    • No two employee segments are the same. To be effective, flexible work options must align with the expectations and working processes of each segment.

    Step 2 insight

    • Every role is eligible for hybrid location work. If onsite work duties prevent an employee group from participating, see if processes can be digitized or automated. Flexible work is an opportunity to go beyond current needs to future proofing your organization.
    • Flexible work options must balance organizational and employee needs. If an option is beneficial to employees but there is little or no benefit to the organization, or if the cost of the option is too high, it will not support the long-term success of the organization.
    • Prioritize flexible work options that employees want. Providing too many options often leads to information overload and results in employees not understanding what is available, lowering adoption of the flexible work program.

    Step 3 insight

    • Leaders' collective support of the flexible program determines the program's successful adoption. Don't sweep cultural barriers under the rug; acknowledge and address them to overcome them.
    • Negative performance of a flexible work option does not necessarily mean failure. Take the time to evaluate whether the option simply needs to be tweaked or whether it truly isn't working for the organization.
    • A set of formal guidelines for IT ensures flexible work is:
      1. Administered fairly across all IT employees.
      2. Defensible and clear.
      3. Scalable to the rest of the organization.

    Research Contributors and Experts

    Quinn Ross
    CEO
    The Ross Firm Professional Corporation

    Margaret Yap
    HR Professor
    Ryerson University

    Heather Payne
    CEO
    Juno College

    Lee Nguyen
    HR Specialist
    City of Austin

    Stacey Spruell
    Division HR Director
    Travis County

    Don MacLeod
    Chief Administrative Officer
    Zorra Township

    Stephen Childs
    CHRO
    Panasonic North America

    Shawn Gibson
    Sr. Director
    Info Tech Research Group

    Mari Ryan
    CEO/Founder
    Advancing Wellness

    Sophie Wade
    Founder
    Flexcel Networks

    Kim Velluso
    VP Human Resources
    Siemens Canada

    Lilian De Menezes
    Professor of Decision Sciences
    Cass Business School, University of London

    Judi Casey
    WorkLife Consultant and former Director, Work and Family Researchers Network
    Boston College

    Chris Frame
    Partner – Operations
    LiveCA

    Rose M. Stanley, CCP, CBP, WLCP, CEBS
    People Services Manager
    Sunstate Equipment Co., LLC

    Shari Lava
    Director, Vendor Research
    Info-Tech Research Group

    Carol Cochran
    Director of People & Culture
    FlexJobs

    Kidde Kelly
    OD Practitioner

    Dr. David Chalmers
    Adjunct Professor
    Ted Rogers School of Management, Ryerson University

    Kashmira Nagarwala
    Change Manager
    Siemens Canada

    Dr. Isik U. Zeytinoglu
    Professor of Management and Industrial Relations McMaster University, DeGroote School of Business

    Claire McCartney
    Diversity & Inclusion Advisor
    CIPD

    Teresa Hopke
    SVP of Client Relations
    Life Meets Work – www.lifemeetswork.com

    Mark Tippey
    IT Leader and Experienced Teleworker

    Dr. Kenneth Matos
    Senior Director of Research
    Families and Work Institute

    1 anonymous contributor

    Appendix I: Sample focus group questions

    See Info-Tech's Focus Group Guidefor guidance on setting up and delivering focus groups. Customize the guide with questions specific to flexible work (see sample questions below) to gain deeper insight into employee preferences for the feasibility assessment in Step 2 of this blueprint.

    Document themes in the Targeted Flexible Work Program Workbook.

    • What do you need to balance/integrate your work with your personal life?
    • What challenges do you face in achieving work-life balance/integration?
    • What about your job is preventing you from achieving work-life balance/integration?
    • How would [flexible work option] help you achieve work-life balance/integration?
    • How well would this option work with the workflow of your team or department? What would need to change?
    • What challenges do you see in adopting [flexible work option]?
    • What else would be helpful for you to achieve work-life balance/integration?
    • How could we customize [flexible work option] to ensure it meets your needs?
    • If this program were to fail, what do you think would be the top reasons and why?

    Appendix II: Communication key messaging

    1. Program purpose

    Start with the name and high-level purpose of the program.

    2. Business reasons for the program

    Share data you gathered in Step 1, illustrating challenges causing the need for the program and the benefits.

    3. Options selection process

    Outline the process followed to select options. Remember to share the involvement of stakeholders and the planning around employees' feedback, needs, and lived experiences.

    4. Options and eligibility

    Provide a brief overview of the options and eligibility. Specify that the organization is piloting these options and will modify them based on feedback.

    5. Approval not guaranteed

    Qualify that employees need to be "flexible about flexible work" – the options are not guaranteed and may sometimes be unavailable for business reasons.

    6. Shared responsibility

    Highlight the importance of everyone (managers, flexible workers, the team) working together to make flexible work achievable.

    7. Next steps

    Share any next steps, such as where employees can find the organization's Guide to Flexible Work for Managers and Employees, how to make flexible work a success, or if managers will be providing further detail in a team meeting.

    8. Ongoing communications

    Normalize the program and embed it in organizational culture by continuing communications through various media, such as the organization's newsletter or announcements in town halls.

    Works Cited

    Baziuk, Jennifer, and Duncan Meadows. "Global Employee Survey - Key findings and implications for ICMIF." EY, June 2021. Accessed May 2022.
    "Businesses suffering 'commitment issues' on flexible working," EY, 21 Sep. 2021. Accessed May 2022.
    "IT Talent Trends 2022". Info-Tech Research Group, 2022.
    "Jabra Hybrid Ways of Working: 2021 Global Report." Jabra, Aug. 2021. Accessed May 2022.
    LinkedIn Talent Solutions. "2022 Global Talent Trends." LinkedIn, 2022. Accessed May 2022.
    Lobosco, Mark. "The Future of Work is Flexible: 71% of Leaders Feel Pressure to Change Working Models." LinkedIn, 9 Sep. 2021. Accessed May 2022.
    Ohm, Joy, et al. "Covid-19: Women, Equity, and Inclusion in the Future of Work." Catalyst, 28 May 2020. Accessed May 2022.
    Pelta, Rachel. "Many Workers Have Quit or Plan to After Employers Revoke Remote Work." FlexJobs, 2021. Accessed May 2022.
    Slack Future Forum. "Inflexible return-to-office policies are hammering employee experience scores." Slack, 19 April 2022. Accessed May 2022.
    "State of Hybrid Work in IT: A Trend Report". Info-Tech Research Group, 2023.
    Threlkeld, Kristy. "Employee Burnout Report: COVID-19's Impact and 3 Strategies to Curb It." Indeed, 11 March 2021. Accessed March 2022.

    Mergers & Acquisitions: The Buy Blueprint

    • Buy Link or Shortcode: {j2store}325|cart{/j2store}
    • member rating overall impact: 9.0/10 Overall Impact
    • member rating average dollars saved: 5 Average Days Saved
    • member rating average days saved: After each Info-Tech experience, we ask our members to quantify the real-time savings, monetary impact, and project improvements our research helped them achieve.
    • Parent Category Name: IT Strategy
    • Parent Category Link: /it-strategy

    There are four key scenarios or entry points for IT as the acquiring organization in M&As:

    • IT can suggest an acquisition to meet the business objectives of the organization.
    • IT is brought in to strategy plan the acquisition from both the business’ and IT’s perspectives.
    • IT participates in due diligence activities and valuates the organization potentially being acquired.
    • IT needs to reactively prepare its environment to enable the integration.

    Consider the ideal scenario for your IT organization.

    Our Advice

    Critical Insight

    Acquisitions are inevitable in modern business, and IT’s involvement in the process should be too. This progression is inspired by:

    • The growing trend for organizations to increase, decrease, or evolve through these types of transactions.
    • A maturing business perspective of IT, preventing the difficulty that IT is faced with when invited into the transaction process late.
    • Transactions that are driven by digital motivations, requiring IT’s expertise.
    • There never being such a thing as a true merger, making the majority of M&A activity either acquisitions or divestitures.

    Impact and Result

    Prepare for a growth/integration transaction by:

    • Recognizing the trend for organizations to engage in M&A activity and the increased likelihood that, as an IT leader, you will be involved in a transaction in your career.
    • Creating a standard strategy that will enable strong program management.
    • Properly considering all the critical components of the transaction and integration by prioritizing tasks that will reduce risk, deliver value, and meet stakeholder expectations.

    Mergers & Acquisitions: The Buy Blueprint Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out how your organization can excel its growth strategy by engaging in M&A transactions. Review Info-Tech’s methodology and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Proactive Phase

    Be an innovative IT leader by suggesting how and why the business should engage in an acquisition or divestiture.

    • One-Pager: M&A Proactive
    • Case Study: M&A Proactive
    • Information Asset Audit Tool
    • Data Valuation Tool
    • Enterprise Integration Process Mapping Tool
    • Risk Register Tool
    • Security M&A Due Diligence Tool

    2. Discovery & Strategy

    Create a standardized approach for how your IT organization should address acquisitions.

    • One-Pager: M&A Discovery & Strategy – Buy
    • Case Study: M&A Discovery & Strategy – Buy

    3. Due Diligence & Preparation

    Evaluate the target organizations to minimize risk and have an established integration project plan.

    • One-Pager: M&A Due Diligence & Preparation – Buy
    • Case Study: M&A Due Diligence & Preparation – Buy
    • IT Due Diligence Charter
    • Technical Debt Business Impact Analysis Tool
    • IT Culture Diagnostic
    • M&A Integration Project Management Tool (SharePoint)
    • SharePoint Template: Step-by-Step Deployment Guide
    • M&A Integration Project Management Tool (Excel)
    • Resource Management Supply-Demand Calculator

    4. Execution & Value Realization

    Deliver on the integration project plan successfully and communicate IT’s transaction value to the business.

    • One-Pager: M&A Execution & Value Realization – Buy
    • Case Study: M&A Execution & Value Realization – Buy

    Infographic

    Workshop: Mergers & Acquisitions: The Buy Blueprint

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Pre-Transaction Discovery & Strategy

    The Purpose

    Establish the transaction foundation.

    Discover the motivation for acquiring.

    Formalize the program plan.

    Create the valuation framework.

    Strategize the transaction and finalize the M&A strategy and approach.

    Key Benefits Achieved

    All major stakeholders are on the same page.

    Set up crucial elements to facilitate the success of the transaction.

    Have a repeatable transaction strategy that can be reused for multiple organizations.

    Activities

    1.1 Conduct the CIO Business Vision and CEO-CIO Alignment Diagnostics.

    1.2 Identify key stakeholders and outline their relationship to the M&A process.

    1.3 Identify the rationale for the company's decision to pursue an acquisition.

    1.4 Assess the IT/digital strategy.

    1.5 Identify pain points and opportunities tied to the acquisition.

    1.6 Create the IT vision and mission statements and identify IT guiding principles and the transition team.

    1.7 Document the M&A governance.

    1.8 Establish program metrics.

    1.9 Create the valuation framework.

    1.10 Establish the integration strategy.

    1.11 Conduct a RACI.

    1.12 Create the communication plan.

    1.13 Prepare to assess target organization(s).

    Outputs

    Business perspectives of IT

    Stakeholder network map for M&A transactions

    Business context implications for IT

    IT’s acquiring strategic direction

    Governance structure

    M&A program metrics

    IT valuation framework

    Integration strategy

    RACI

    Communication plan

    Prepared to assess target organization(s)

    2 Mid-Transaction Due Diligence & Preparation

    The Purpose

    Establish the transaction foundation.

    Discover the motivation for integration.

    Assess the target organization(s).

    Create the valuation framework.

    Plan the integration roadmap.

    Key Benefits Achieved

    All major stakeholders are on the same page.

    Methodology identified to assess organizations during due diligence.

    Methodology can be reused for multiple organizations.

    Integration activities are planned and assigned.

    Activities

    2.1 Gather and evaluate the stakeholders involved, M&A strategy, future-state operating model, and governance.

    2.2 Review the business rationale for the acquisition.

    2.3 Establish the integration strategy.

    2.4 Create the due diligence charter.

    2.5 Create a list of IT artifacts to be reviewed in the data room.

    2.6 Conduct a technical debt assessment.

    2.7 Assess the current culture and identify the goal culture.

    2.8 Identify the needed workforce supply.

    2.9 Create the valuation framework.

    2.10 Establish the integration roadmap.

    2.11 Establish and align project metrics with identified tasks.

    2.12 Estimate integration costs.

    Outputs

    Stakeholder map

    IT strategy assessment

    IT operating model and IT governance structure defined

    Business context implications for IT

    Integration strategy

    Due diligence charter

    Data room artifacts

    Technical debt assessment

    Culture assessment

    Workforce supply identified

    IT valuation framework

    Integration roadmap and associated resourcing

    3 Post-Transaction Execution & Value Realization

    The Purpose

    Establish the transaction foundation.

    Discover the motivation for integration.

    Plan the integration roadmap.

    Prepare employees for the transition.

    Engage in integration.

    Assess the transaction outcomes.

    Key Benefits Achieved

    All major stakeholders are on the same page.

    Integration activities are planned and assigned.

    Employees are set up for a smooth and successful transition.

    Integration strategy and roadmap executed to benefit the organization.

    Review what went well and identify improvements to be made in future transactions.

    Activities

    3.1 Identify key stakeholders and determine IT transaction team.

    3.2 Gather and evaluate the M&A strategy, future-state operating model, and governance.

    3.3 Review the business rationale for the acquisition.

    3.4 Establish the integration strategy.

    3.5 Prioritize integration tasks.

    3.6 Establish the integration roadmap.

    3.7 Establish and align project metrics with identified tasks.

    3.8 Estimate integration costs.

    3.9 Assess the current culture and identify the goal culture.

    3.10 Identify the needed workforce supply.

    3.11 Create an employee transition plan.

    3.12 Create functional workplans for employees.

    3.13 Complete the integration by regularly updating the project plan.

    3.14 Begin to rationalize the IT environment where possible and necessary.

    3.15 Confirm integration costs.

    3.16 Review IT’s transaction value.

    3.17 Conduct a transaction and integration SWOT.

    3.18 Review the playbook and prepare for future transactions.

    Outputs

    M&A transaction team

    Stakeholder map

    IT strategy assessed

    IT operating model and IT governance structure defined

    Business context implications for IT

    Integration strategy

    Integration roadmap and associated resourcing

    Culture assessment

    Workforce supply identified

    Employee transition plan

    Employee functional workplans

    Updated integration project plan

    Rationalized IT environment

    SWOT of transaction

    M&A Buy Playbook refined for future transactions

    Further reading

    Mergers & Acquisitions: The Buy Blueprint

    For IT leaders who want to have a role in the transaction process when their business is engaging in an M&A purchase.

    EXECUTIVE BRIEF

    Analyst Perspective

    Don’t wait to be invited to the M&A table, make it.

    Photo of Brittany Lutes, Research Analyst, CIO Practice, Info-Tech Research Group.
    Brittany Lutes
    Research Analyst,
    CIO Practice
    Info-Tech Research Group
    Photo of Ibrahim Abdel-Kader, Research Analyst, CIO Practice, Info-Tech Research Group.
    Ibrahim Abdel-Kader
    Research Analyst,
    CIO Practice
    Info-Tech Research Group

    IT has always been an afterthought in the M&A process, often brought in last minute once the deal is nearly, if not completely, solidified. This is a mistake. When IT is brought into the process late, the business misses opportunities to generate value related to the transaction and has less awareness of critical risks or inaccuracies.

    To prevent this mistake, IT leadership needs to develop strong business relationships and gain respect for their innovative suggestions. In fact, when it comes to modern M&A activity, IT should be the ones suggesting potential transactions to meet business needs, specifically when it comes to modernizing the business or adopting digital capabilities.

    IT needs to stop waiting to be invited to the acquisition or divestiture table. IT needs to suggest that the table be constructed and actively work toward achieving the strategic objectives of the business.

    Executive Summary

    Your Challenge

    There are four key scenarios or entry points for IT as the acquiring organization in M&As:

    • IT can suggest an acquisition to meet the business objectives of the organization.
    • IT is brought in to strategy plan the acquisition from both the business’ and IT’s perspectives.
    • IT participates in due diligence activities and valuates the organization potentially being acquired.
    • IT needs to reactively prepare its environment to enable the integration.

    Consider the ideal scenario for your IT organization.

    Common Obstacles

    Some of the obstacles IT faces include:

    • IT is often told about the transaction once the deal has already been solidified and is now forced to meet unrealistic business demands.
    • The business does not trust IT and therefore does not approach IT to define value or reduce risks to the transaction process.
    • The people and culture element are forgotten or not given adequate priority.

    These obstacles often arise when IT waits to be invited into the transaction process and misses critical opportunities.

    Info-Tech's Approach

    Prepare for a growth/integration transaction by:

    • Recognizing the trend for organizations to engage in M&A activity and the increased likelihood that, as an IT leader, you will be involved in a transaction in your career.
    • Creating a standard strategy that will enable strong program management.
    • Properly considering all the critical components of the transaction and integration by prioritizing tasks that will reduce risk, deliver value, and meet stakeholder expectations.

    Info-Tech Insight

    As the number of merger, acquisition, and divestiture transactions continues to increase, so too does IT’s opportunity to leverage the growing digital nature of these transactions and get involved at the onset.

    The changing M&A landscape

    Businesses will embrace more digital M&A transactions in the post-pandemic world

    • When the pandemic occurred, businesses reacted by either pausing (61%) or completely cancelling (46%) deals that were in the mid-transaction state (Deloitte, 2020). The uncertainty made many organizations consider whether the risks would be worth the potential benefits.
    • However, many organizations quickly realized the pandemic is not a hindrance to M&A transactions but an opportunity. Over 16,000 American companies were involved in M&A transactions in the first six months of 2021 (The Economist). For reference, this had been averaging around 10,000 per six months from 2016 to 2020.
    • In addition to this transaction growth, organizations have increasingly been embracing digital. These trends increase the likelihood that, as an IT leader, you will engage in an M&A transaction. However, it is up to you when you get involved in the transactions.

    The total value of transactions in the year after the pandemic started was $1.3 billion – a 93% increase in value compared to before the pandemic. (Nasdaq)

    Virtual deal-making will be the preferred method of 55% of organizations in the post-pandemic world. (Wall Street Journal, 2020)

    Your challenge

    IT is often not involved in the M&A transaction process. When it is, it’s often too late.

    • The most important driver of an acquisition is the ability to access new technology (DLA Piper), and yet 50% of the time, IT isn’t involved in the M&A transaction at all (IMAA Institute, 2017).
    • Additionally, IT’s lack of involvement in the process negatively impacts the business:
      • Most organizations (60%) do not have a standardized approach to integration (Steeves and Associates).
      • Weak integration teams contribute to the failure of 70% of M&A integrations (The Wall Street Journal, 2019).
      • Less than half (47%) of organizations actually experience the positive results sought by the M&A transaction (Steeves and Associates).
    • Organizations pursuing M&A and not involving IT are setting themselves up for failure.

    Only half of M&A deals involve IT (Source: IMAA Institute, 2017)

    Common Obstacles

    These barriers make this challenge difficult to address for many organizations:

    • IT is rarely afforded the opportunity to participate in the transaction deal. When IT is invited, this often happens later in the process where integration will be critical to business continuity.
    • IT has not had the opportunity to demonstrate that it is a valuable business partner in other business initiatives.
    • One of the most critical elements that IT often doesn’t take the time or doesn’t have the time to focus on is the people and leadership component.
    • IT waits to be invited to the process rather then actively involving themselves and suggesting how value can be added to the process.

    In hindsight, it’s clear to see: Involving IT is just good business.

    47% of senior leaders wish they would have spent more time on IT due diligence to prevent value erosion. (Source: IMAA Institute, 2017)

    40% of acquiring businesses discovered a cybersecurity problem at an acquisition.” (Source: Okta)

    Info-Tech's approach

    Acquisitions & Divestitures Framework

    Acquisitions and divestitures are inevitable in modern business, and IT’s involvement in the process should be too. This progression is inspired by:

    1. The growing trend for organizations to increase, decrease, or evolve through these types of transactions.
    2. Transactions that are driven by digital motivations, requiring IT’s expertise.
    3. A maturing business perspective of IT, preventing the difficulty that IT is faced with when invited into the transaction process late.
    4. There never being such a thing as a true merger, making the majority of M&A activity either acquisitions or divestitures.
    A diagram highlighting the 'IT Executives' Role in Acquisitions and Divestitures' when they are integrated at different points in the 'Core Business Timeline'. There are four main entry points 'Proactive', 'Discovery and Strategy', 'Due Diligence and Preparation', and 'Execution and Value Realized'. It is highlighted that IT can and should start at 'Proactive', but most organizations start at 'Execution and Value Realized'. 'Proactive': suggest opportunities to evolve the organization; prove IT's value and engage in growth opportunities early. Innovators start here. Steps of the business timeline in 'Proactive' are 'Organization strategies are defined' and 'M and A is considered to enable strategy'. After a buy or sell transaction is initiated is 'Discovery and Strategy': pre-transaction state. If it is a Buy transaction, 'Establish IT's involvement and approach'. If it is a Sell transaction, 'Prepare to engage in negotiations'. Business Partners start here. Steps of the business timeline in 'Discovery and Strategy' are 'Searching criteria is set', 'Potential candidates are considered', and 'LOI is sent/received'. 'Due Diligence and Preparation': mid-transaction state. If it is a Buy transaction, 'Identify potential transaction benefits and risks'. If it is a Sell transaction, 'Comply, communicate, and collaborate in transaction'. Trusted Operators start here. Steps of the business timeline in 'Due Diligence and Preparation' are 'Due diligence engagement occurs', 'Final agreement is reached', and 'Preparation for transaction execution occurs'. 'Execution and Value Realization': post-transaction state. If it is a Buy transaction, 'Integrate the IT environments and achieve business value'. If it is a Sell transaction, 'Separate the IT environment and deliver on transaction terms'. Firefighters start here. Steps of the business timeline in 'Execution and Value Realization' are 'Staff and operations are addressed appropriately', 'Day 1 of implementation and integration activities occurs', '1st 100 days of new entity state occur' and 'Ongoing risk mitigating and value creating activities occur'.

    The business’ view of IT will impact how soon IT can get involved

    There are four key entry points for IT

    A colorful visualization of the four key entry points for IT and a fifth not-so-key entry point. Starting from the top: 'Innovator', Information and Technology as a Competitive Advantage, 90% Satisfaction; 'Business Partner', Effective Delivery of Strategic Business Projects, 80% Satisfaction; 'Trusted Operator', Enablement of Business Through Application and Work Orders, 70% Satisfaction; 'Firefighter', Reliable Infrastructure and IT Service Desk, 60% Satisfaction; and then 'Unstable', Inability to Consistently Deliver Basic Services, <60% Satisfaction.
    1. Innovator: IT suggests an acquisition to meet the business objectives of the organization.
    2. Business Partner: IT is brought in to strategy plan the acquisition from both the business’ and IT’s perspective.
    3. Trusted Operator: IT participates in due diligence activities and valuates the organization potentially being acquired.
    4. Firefighter: IT reactively engages in the integration with little time to prepare.

    Merger, acquisition, and divestiture defined

    Merger

    A merger looks at the equal combination of two entities or organizations. Mergers are rare in the M&A space, as the organizations will combine assets and services in a completely equal 50/50 split. Two organizations may also choose to divest business entities and merge as a new company.

    Acquisition

    The most common transaction in the M&A space, where an organization will acquire or purchase another organization or entities of another organization. This type of transaction has a clear owner who will be able to make legal decisions regarding the acquired organization.

    Divestiture

    An organization may decide to sell partial elements of a business to an acquiring organization. They will separate this business entity from the rest of the organization and continue to operate the other components of the business.

    Info-Tech Insight

    A true merger does not exist, as there is always someone initiating the discussion. As a result, most M&A activity falls into acquisition or divestiture categories.

    Buying vs. selling

    The M&A process approach differs depending on whether you are the executive IT leader on the buy side or sell side

    This blueprint is only focused on the buy side:

    • More than two organizations could be involved in a transaction.
    • Examples of buy-related scenarios include:
      • Your organization is buying another organization with the intent of having the purchased organization keep its regular staff, operations, and location. This could mean minimal integration is required.
      • Your organization is buying another organization in its entirety with the intent of integrating it into your original company.
      • Your organization is buying components of another organization with the intent of integrating them into your original company.
    • As the purchasing organization, you will probably be initiating the purchase and thus will be valuating the selling organization during due diligence and leading the execution plan.

    The sell side is focused on:

    • Examples of sell-related scenarios include:
      • Your organization is selling to another organization with the intent of keeping its regular staff, operations, and location. This could mean minimal separation is required.
      • Your organization is selling to another organization with the intent of separating to be a part of the purchasing organization.
      • Your organization is engaging in a divestiture with the intent of:
        • Separating components to be part of the purchasing organization permanently.
        • Separating components to be part of a spinoff and establish a unit as a standalone new company.
    • As the selling organization, you could proactively seek out suitors to purchase all or components of your organization, or you could be approached by an organization.

    For more information on divestitures or selling your entire organization, check out Info-Tech’s Mergers & Acquisitions: The Sell Blueprint.

    Core business timeline

    For IT to be valuable in M&As, you need to align your deliverables and your support to the key activities the business and investors are working on.

    Info-Tech’s methodology for Buying Organizations in Mergers, Acquisitions, or Divestitures

    1. Proactive

    2. Discovery & Strategy

    3. Due Diligence & Preparation

    4. Execution & Value Realization

    Phase Steps
    1. Identify Stakeholders and Their Perspective of IT
    2. Assess IT’s Current Value and Future State
    3. Drive Innovation and Suggest Growth Opportunities
    1. Establish the M&A Program Plan
    2. Prepare IT to Engage in the Acquisition
    1. Assess the Target Organization
    2. Prepare to Integrate
    1. Execute the Transaction
    2. Reflection and Value Realization

    Phase Outcomes

    Be an innovative IT leader by suggesting how and why the business should engage in an acquisition or divestiture.

    Create a standardized approach for how your IT organization should address acquisitions.

    Evaluate the target organizations successfully and establish an integration project plan.

    Deliver on the integration project plan successfully and communicate IT’s transaction value to the business.

    Potential metrics for each phase

    1. Proactive

    2. Discovery & Strategy

    3. Due Diligence & Preparation

    4. Execution & Value Realization

    • % Share of business innovation spend from overall IT budget
    • % Critical processes with approved performance goals and metrics
    • % IT initiatives that meet or exceed value expectation defined in business case
    • % IT initiatives aligned with organizational strategic direction
    • % Satisfaction with IT's strategic decision-making abilities
    • $ Estimated business value added through IT-enabled innovation
    • % Overall stakeholder satisfaction with IT
    • % Percent of business leaders that view IT as an Innovator
    • % IT budget as a percent of revenue
    • % Assets that are not allocated
    • % Unallocated software licenses
    • # Obsolete assets
    • % IT spend that can be attributed to the business (chargeback or showback)
    • % Share of CapEx of overall IT budget
    • % Prospective organizations that meet the search criteria
    • $ Total IT cost of ownership (before and after M&A, before and after rationalization)
    • % Business leaders that view IT as a Business Partner
    • % Defects discovered in production
    • $ Cost per user for enterprise applications
    • % In-house-built applications vs. enterprise applications
    • % Owners identified for all data domains
    • # IT staff asked to participate in due diligence
    • Change to due diligence
    • IT budget variance
    • Synergy target
    • % Satisfaction with the effectiveness of IT capabilities
    • % Overall end-customer satisfaction
    • $ Impact of vendor SLA breaches
    • $ Savings through cost-optimization efforts
    • $ Savings through application rationalization and technology standardization
    • # Key positions empty
    • % Frequency of staff turnover
    • % Emergency changes
    • # Hours of unplanned downtime
    • % Releases that cause downtime
    • % Incidents with identified problem record
    • % Problems with identified root cause
    • # Days from problem identification to root cause fix
    • % Projects that consider IT risk
    • % Incidents due to issues not addressed in the security plan
    • # Average vulnerability remediation time
    • % Application budget spent on new build/buy vs. maintenance (deferred feature implementation, enhancements, bug fixes)
    • # Time (days) to value realization
    • % Projects that realized planned benefits
    • $ IT operational savings and cost reductions that are related to synergies/divestitures
    • % IT staff–related expenses/redundancies
    • # Days spent on IT integration
    • $ Accurate IT budget estimates
    • % Revenue growth directly tied to IT delivery
    • % Profit margin growth

    The IT executive’s role in the buying transaction is critical

    And IT leaders have a greater likelihood than ever of needing to support a merger, acquisition, or divestiture.

    1. Reduced Risk

      IT can identify risks that may go unnoticed when IT is not involved.

    2. Increased Accuracy

      The business can make accurate predictions around the costs, timelines, and needs of IT.

    3. Faster Integration

      Faster integration means faster value realization for the business.

    4. Informed Decision Making

      IT leaders hold critical information that can support the business in moving the transaction forward.

    5. Innovation

      IT can suggest new opportunities to generate revenue, optimize processes, or reduce inefficiencies.

    The IT executive’s critical role is demonstrated by:

    • Reduced Risk

      47% of senior leaders wish they would have spent more time on IT due diligence to prevent value erosion (IMAA Institute, 2017).

    • Increased Accuracy

      87% of respondents to a Deloitte survey effectively conducted a virtual deal, with a focus on cybersecurity and integration (Deloitte, 2020).

    • Faster Integration

      Integration costs range from as low as $4 million to as high as $3.8 billion, making the process an investment for the organization (CIO Dive).

    • Informed Decision Making

      Only 38% of corporate and 22% of private equity firms include IT as a significant aspect in their transaction approach (IMAA Institute, 2017).

    • Innovation

      Successful CIOs involved in M&As can spend 70% of their time on aspects outside of IT and 30% of their time on technology and delivery (CIO).

    Playbook benefits

    IT Benefits

    • IT will be seen as an innovative partner to the business, and its suggestions and involvement in the organization will lead to benefits, not hindrances.
    • Develop a streamlined method to valuate the potential organization being purchased and ensure risk management concerns are brought to the business’ attention immediately.
    • Create a comprehensive list of items that IT needs to do during the integration that can be prioritized and actioned.

    Business Benefits

    • The business will get accurate and relevant information about the organization being acquired, ensuring that the anticipated value of the transaction is correctly planned for.
    • Fewer business interruptions will happen, because IT can accurately plan for and execute the high-priority integration tasks.
    • The business can make a fair offer to the purchased organization, having properly valuated all aspects being bought, including the IT environment.

    Insight summary

    Overarching Insight

    As an IT executive, take control of when you get involved in a growth transaction. Do this by proactively identifying acquisition targets, demonstrating the value of IT, and ensuring that integration of IT environments does not lead to unnecessary and costly decisions.

    Proactive Insight

    CIOs on the forefront of digital transformation need to actively look for and suggest opportunities to acquire or partner on new digital capabilities to respond to rapidly changing business needs.

    Discovery & Strategy Insight

    IT organizations that have an effective M&A program plan are more prepared for the buying transaction, enabling a successful outcome. A structured strategy is particularly necessary for organizations expected to deliver M&As rapidly and frequently.

    Due Diligence & Preparation Insight

    Most IT synergies can be realized in due diligence. It is more impactful to consider IT processes and practices (e.g. contracts and culture) in due diligence rather than later in the integration.

    Execution & Value Realization Insight

    IT needs to realize synergies within the first 100 days of integration. The most successful transactions are when IT continuously realizes synergies a year after the transaction and beyond.

    Blueprint deliverables

    Key Deliverable: M&A Buy Playbook

    The M&A Buy Playbook should be a reusable document that enables your IT organization to successfully deliver on any acquisition transaction.

    Screenshots of the 'M and A Buy Playbook' deliverable.

    M&A Buy One-Pager

    See a one-page overview of each phase of the transaction.

    Screenshots of the 'M and A Buy One-Pagers' deliverable.

    M&A Buy Case Studies

    Read a one-page case study for each phase of the transaction.

    Screenshots of the 'M and A Buy Case Studies' deliverable.

    M&A Integration Project Management Tool (SharePoint)

    Manage the integration process of the acquisition using this SharePoint template.

    Screenshots of the 'M and A Integration Project Management Tool (SharePoint)' deliverable.

    M&A Integration Project Management Tool (Excel)

    Manage the integration process of the acquisition using this Excel tool if you can’t or don’t want to use SharePoint.

    Screenshots of the 'M and A Integration Project Management Tool (Excel)' deliverable.

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    Guided Implementation

    Workshop

    Consulting
    "Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful." "Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track." "We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place." "Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project."

    Diagnostics and consistent frameworks used throughout all four options

    Guided Implementation

    What does a typical GI on this topic look like?

    A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

    A typical GI is between 6 to 10 calls over the course of 2 to 4 months.

      Proactive Phase

    • Call #1: Scope requirements, objectives, and your specific challenges.

      • Discovery & Strategy Phase

    • Call #2: Determine stakeholders and their perspectives of IT.
    • Call #3: Identify how M&A could support business strategy and how to communicate.

      • Due Diligence & Preparation Phase

    • Call #4: Establish a transaction team and acquisition strategic direction.
    • Call #5: Create program metrics and identify a standard integration strategy.
    • Call #6: Assess the potential organization(s).
    • Call #7: Identify the integration program plan.

      • Execution & Value Realization Phase

    • Call #8: Establish employee transitions to retain key staff.
    • Call #9: Assess IT’s ability to deliver on the acquisition transaction.

    The Buy Blueprint

    Phase 1

    Proactive

    Phase 1

    		 Phase 2 Phase 3 Phase 4
    • 1.1 Identify Stakeholders and Their Perspective of IT
    • 1.2 Assess IT’s Current Value and Future State
    • 1.3 Drive Innovation and Suggest Growth Opportunities
    • 2.1 Establish the M&A Program Plan
    • 2.2 Prepare IT to Engage in the Acquisition
    • 3.1 Assess the Target Organization
    • 3.2 Prepare to Integrate
    • 4.1 Execute the Transaction
    • 4.2 Reflection and Value Realization

    This phase will walk you through the following activities:

    • Conduct the CEO-CIO Alignment diagnostic
    • Conduct the CIO Business Vision diagnostic
    • Visualize relationships among stakeholders to identify key influencers
    • Group stakeholders into categories
    • Prioritize your stakeholders
    • Plan to communicate
    • Valuate IT
    • Assess the IT/digital strategy
    • Determine pain points and opportunities
    • Align goals to opportunities
    • Recommend growth opportunities

    This phase involves the following participants:

    • IT and business leadership

    What is the Proactive phase?

    Embracing the digital drivers

    As the number of merger, acquisition, or divestiture transactions driven by digital means continues to increase, IT has an opportunity to not just be involved in a transaction but actively seek out potential deals.

    In the Proactive phase, the business is not currently considering a transaction. However, the business could consider one to reach its strategic goals. IT organizations that have developed respected relationships with the business leaders can suggest these potential transactions.

    Understand the business’ perspective of IT, determine who the critical M&A stakeholders are, valuate the IT environment, and examine how it supports the business goals in order to suggest an M&A transaction.

    In doing so, IT isn’t waiting to be invited to the transaction table – it’s creating it.

    Goal: To support the organization in reaching its strategic goals by suggesting M&A activities that will enable the organization to reach its objectives faster and with greater-value outcomes.

    Proactive Prerequisite Checklist

    Before coming into the Proactive phase, you should have addressed the following:

    • Understand what mergers, acquisitions, and divestitures are.
    • Understand what mergers, acquisitions, and divestitures mean for the business.
    • Understand what mergers, acquisitions, and divestitures mean for IT.

    Review the Executive Brief for more information on mergers, acquisitions, and divestitures for purchasing organizations.

    Proactive

    Step 1.1

    Identify M&A Stakeholders and Their Perspective of IT

    Activities

    • 1.1.1 Conduct the CEO-CIO Alignment diagnostic
    • 1.1.2 Conduct the CIO Business Vision diagnostic
    • 1.1.3 Visualize relationships among stakeholders to identify key influencers
    • 1.1.4 Group stakeholders into categories
    • 1.1.5 Prioritize your stakeholders
    • 1.16 Plan to communicate

    This step involves the following participants:

    • IT executive leader
    • IT leadership
    • Critical M&A stakeholders

    Outcomes of Step

    Understand how the business perceives IT and establish strong relationships with critical M&A stakeholders.

    Business executives' perspectives of IT

    Leverage diagnostics and gain alignment on IT’s role in the organization

    • To suggest or get involved with a merger, acquisition, or divestiture, the IT executive leader needs to be well respected by other members of the executive leadership team and the business.
    • Specifically, the Proactive phase relies on the IT organization being viewed as an Innovator within the business.
    • Identify how the CEO/business executive currently views IT and where they would like IT to move within the Maturity Ladder.
    • Additionally, understand how other critical department leaders view IT and how they view the partnership with IT.
    A colorful visualization titled 'Maturity Ladder' detailing levels of IT function that a business may choose from based on the business executives' perspectives of IT. Starting from the bottom: 'Struggle', Does not embarrass, Does not crash; 'Support', Keeps business happy, Keeps costs low; 'Optimize', Increases efficiency, Decreases costs; 'Expand', Extends into new business, Generates revenue; 'Transform', Creates new industry.

    Misalignment in target state requires further communication between the CIO and CEO to ensure IT is striving toward an agreed-upon direction.

    Info-Tech’s CIO Business Vision (CIO BV) diagnostic measures a variety of high-value metrics to provide a well-rounded understanding of stakeholder satisfaction with IT.

    Sample of Info-Tech's CIO Business Vision diagnostic measuring percentages of high-value metrics like 'IT Satisfaction' and 'IT Value' regarding business leader satisfaction. A note for these two reads 'Evaluate business leader satisfaction with IT this year and last year'. A section titled 'Relationship' has metrics such as 'Understands Needs' and 'Trains Effectively'. A note for this section reads 'Examine indicators of the relationship between IT and the business'. A section titled 'Security Friction' has metrics such as 'Regulatory Compliance-Driven' and 'Office/Desktop Security'.

    Business Satisfaction and Importance for Core Services

    The core services of IT are important when determining what IT should focus on. The most important services with the lowest satisfaction offer the largest area of improvement for IT to drive business value.

    Sample of Info-Tech's CIO Business Vision diagnostic specifically comparing the business satisfaction of 12 core services with their importance. Services listed include 'Service Desk', 'IT Security', 'Requirements Gathering', 'Business Apps', 'Data Quality', and more. There is a short description of the services, a percentage for the business satisfaction with the service, a percentage comparing it to last year, and a numbered ranking of importance for each service. A note reads 'Assess satisfaction and importance across 12 core IT capabilities'.

    1.1.1 Conduct the CEO-CIO Alignment diagnostic

    2 weeks

    Input: IT organization expertise and the CEO-CIO Alignment diagnostic

    Output: An understanding of an executive business stakeholder’s perception of IT

    Materials: CEO-CIO Alignment diagnostic, M&A Buy Playbook

    Participants: IT executive/CIO, Business executive/CEO

    1. The CEO-CIO Alignment diagnostic can be a powerful input. Speak with your Info-Tech account representative to conduct the diagnostic. Use the results to inform current IT capabilities.
    2. You may choose to debrief the results of your diagnostic with an Info-Tech analyst. We recommend this to help your team understand how to interpret and draw conclusions from the results.
    3. Examine the results of the survey and note where there might be specific capabilities that could be improved.
    4. Determine whether there are any areas of significant disagreement between the you and the CEO. Mark down those areas for further conversations. Additionally, take note of areas that could be leveraged to support growth transactions or support your rationale in recommending growth transactions.

    Download the sample report.

    Record the results in the M&A Buy Playbook.

    1.1.2 Conduct the CIO Business Vision diagnostic

    2 weeks

    Input: IT organization expertise, CIO BV diagnostic

    Output: An understanding of business stakeholder perception of certain IT capabilities and services

    Materials: CIO Business Vision diagnostic, Computer, Whiteboard and markers, M&A Buy Playbook

    Participants: IT executive/CIO, Senior business leaders

    1. The CIO Business Vision (CIO BV) diagnostic can be a powerful tool for identifying IT capability focus areas. Speak with your account representative to conduct the CIO BV diagnostic. Use the results to inform current IT capabilities.
    2. You may choose to debrief the results of your diagnostic with an Info-Tech analyst. We recommend this to help your team understand how to interpret the results and draw conclusions from the diagnostic.
    3. Examine the results of the survey and take note of any IT services that have low scores.
    4. Read through the diagnostic comments and note any common themes. Especially note which stakeholders identified they have a favorable relationship with IT and which stakeholders identified they have an unfavorable relationship. For those who have an unfavorable relationship, identify if they will have a critical role in a growth transaction.

    Download the sample report.

    Record the results in the M&A Buy Playbook.

    Create a stakeholder network map for M&A transactions

    Follow the trail of breadcrumbs from your direct stakeholders to their influencers to uncover hidden stakeholders.

    Example:

    Diagram of stakeholders and their relationships with other stakeholders, such as 'Board Members', 'CFO/Finance', 'Compliance', etc. with 'CIO/IT Leader' highlighted in the middle. There are unidirectional black arrows and bi-directional green arrows indicating each connection.

      Legend
    • Black arrows indicate the direction of professional influence
    • Dashed green arrows indicate bidirectional, informal influence relationships

    Info-Tech Insight

    Your stakeholder map defines the influence landscape that the M&A transaction will occur within. This will identify who holds various levels of accountability and decision-making authority when a transaction does take place.

    Use connectors to determine who may be influencing your direct stakeholders. They may not have any formal authority within the organization, but they may have informal yet substantial relationships with your stakeholders.

    1.1.3 Visualize relationships among stakeholders to identify key influencers

    1-3 hours

    Input: List of M&A stakeholders

    Output: Relationships among M&A stakeholders and influencers

    Materials: M&A Buy Playbook

    Participants: IT executive leadership

    1. The purpose of this activity is to list all the stakeholders within your organization that will have a direct or indirect impact on the M&A transaction.
    2. Determine the critical stakeholders, and then determine the stakeholders of your stakeholders and consider adding each of them to the stakeholder list.
    3. Assess who has either formal or informal influence over your stakeholders; add these influencers to your stakeholder list.
    4. Construct a diagram linking stakeholders and their influencers together.
      • Use black arrows to indicate the direction of professional influence.
      • Use dashed green arrows to indicate bidirectional, informal influence relationships.

    Record the results in the M&A Buy Playbook.

    Categorize your stakeholders with a prioritization map

    A stakeholder prioritization map helps IT leaders categorize their stakeholders by their level of influence and ownership in the merger, acquisition, or divestiture process.

    A prioritization map of stakeholder categories split into four quadrants. The vertical axis is 'Influence', from low on the bottom to high on top. The horizontal axis is 'Ownership/Interest', from low on the left to high on the right. 'Spectators' are low influence, low ownership/interest. 'Mediators' are high influence, low ownership/interest. 'Noisemakers' are low influence, high ownership/interest. 'Players' are high influence, high ownership/interest.

    There are four areas in the map, and the stakeholders within each area should be treated differently.

    Players – players have a high interest in the initiative and the influence to effect change over the initiative. Their support is critical, and a lack of support can cause significant impediment to the objectives.

    Mediators – mediators have a low interest but significant influence over the initiative. They can help to provide balance and objective opinions to issues that arise.

    Noisemakers – noisemakers have low influence but high interest. They tend to be very vocal and engaged, either positively or negatively, but have little ability to enact their wishes.

    Spectators – generally, spectators are apathetic and have little influence over or interest in the initiative.

    1.1.4 Group stakeholders into categories

    30 minutes

    Input: Stakeholder map, Stakeholder list

    Output: Categorization of stakeholders and influencers

    Materials: Flip charts, Markers, Sticky notes, M&A Buy Playbook

    Participants: IT executive leadership, Stakeholders

    1. Identify your stakeholders’ interest in and influence on the M&A process as high, medium, or low by rating the attributes below.
    2. Map your results to the model to the right to determine each stakeholder’s category.

    Same prioritization map of stakeholder categories as before. This one has specific stakeholders mapped onto it. 'CFO' is mapped as low interest and middling influence, between 'Mediator' and 'Spectator'. 'CIO' is mapped as higher than average interest and high influence, a 'Player'. 'Board Member' is mapped as high interest and high influence, a 'Player'.

    Level of Influence
    • Power: Ability of a stakeholder to effect change.
    • Urgency: Degree of immediacy demanded.
    • Legitimacy: Perceived validity of stakeholder’s claim.
    • Volume: How loud their “voice” is or could become.
    • Contribution: What they have that is of value to you.
    Level of Interest

    How much are the stakeholder’s individual performance and goals directly tied to the success or failure of the product?

    Record the results in the M&A Buy Playbook.

    Prioritize your stakeholders

    There may be too many stakeholders to be able to manage them all. Focus your attention on the stakeholders that matter most.

    Level of Support

    Supporter

    Evangelist

    Neutral

    Blocker
    Stakeholder Category Player Critical High High Critical
    Mediator Medium Low Low Medium
    Noisemaker High Medium Medium High
    Spectator Low Irrelevant Irrelevant Low

    Consider the three dimensions for stakeholder prioritization: influence, interest, and support. Support can be determined by answering the following question: How significant is that stakeholder to the M&A or divestiture process?

    These parameters are used to prioritize which stakeholders are most important and should receive your focused attention.

    1.1.5 Prioritize your stakeholders

    30 minutes

    Input: Stakeholder matrix

    Output: Stakeholder and influencer prioritization

    Materials: Flip charts, Markers, Sticky notes, M&A Buy Playbook

    Participants: IT executive leadership, M&A/divestiture stakeholders

    1. Identify the level of support of each stakeholder by answering the following question: How significant is that stakeholder to the M&A transaction process?
    2. Prioritize your stakeholders using the prioritization scheme on the previous slide.

    Stakeholder

    Category

    Level of Support

    Prioritization
    CMO Spectator Neutral Irrelevant
    CIO Player Supporter Critical

    Record the results in the M&A Buy Playbook.

    Define strategies for engaging stakeholders by type

    A revisit to the map of stakeholder categories, but with strategies listed for each one, and arrows on the side instead of an axis. The vertical arrow is 'Authority', which increases upward, and the horizontal axis is Ownership/Interest which increases as it moves to the right. The strategy for 'Players' is 'Engage', for 'Mediators' is 'Satisfy', for 'Noisemakers' is 'Inform', and for 'Spectators' is 'Monitor'.

    Type

    Quadrant

    Actions
    Players High influence, high interest – actively engage Keep them updated on the progress of the project. Continuously involve Players in the process and maintain their engagement and interest by demonstrating their value to its success.
    Mediators High influence, low interest – keep satisfied They can be the game changers in groups of stakeholders. Turn them into supporters by gaining their confidence and trust and including them in important decision-making steps. In turn, they can help you influence other stakeholders.
    Noisemakers Low influence, high interest – keep informed Try to increase their influence (or decrease it if they are detractors) by providing them with key information, supporting them in meetings, and using Mediators to help them.
    Spectators Low influence, low interest – monitor They are followers. Keep them in the loop by providing clarity on objectives and status updates.

    Info-Tech Insight

    Each group of stakeholders draws attention and resources away from critical tasks. By properly identifying stakeholder groups, the IT executive leader can develop corresponding actions to manage stakeholders in each group. This can dramatically reduce wasted effort trying to satisfy Spectators and Noisemakers while ensuring the needs of Mediators and Players are met.

    1.1.6 Plan to communicate

    30 minutes

    Input: Stakeholder priority, Stakeholder categorization, Stakeholder influence

    Output: Stakeholder communication plan

    Materials: Flip charts, Markers, Sticky notes, M&A Buy Playbook

    Participants: IT executive leadership, M&A/divestiture stakeholders

    The purpose of this activity is to make a communication plan for each of the stakeholders identified in the previous activities, especially those who will have a critical role in the M&A transaction process.

    1. In the M&A Buy Playbook, input the type of influence each stakeholder has on IT, how they would be categorized in the M&A process, and their level of priority. Use this information to create a communication plan.
    2. Determine the methods and frequency of communication to keep the necessary stakeholder satisfied and maintain or enhance IT’s profile within the organization.

    Record the results in the M&A Buy Playbook.

    Proactive

    Step 1.2

    Assess IT’s Current Value and Method to Achieve a Future State

    Activities

    • 1.2.1 Valuate IT
    • 1.2.2 Assess the IT/digital strategy

    This step involves the following participants:

    • IT executive leader
    • IT leadership
    • Critical stakeholders to M&A

    Outcomes of Step

    Identify critical opportunities to optimize IT and meet strategic business goals through a merger, acquisition, or divestiture.

    How to valuate your IT environment

    And why it matters so much

    • Valuating your current organization’s IT environment is a critical step that all IT organizations should take, whether involved in an M&A or not, to fully understand what it might be worth.
    • The business investments in IT can be directly translated into a value amount. For every $1 invested in IT, the business might be gaining $100 in value back or possibly even loosing $100.
    • Determining, documenting, and communicating this information ensures that the business takes IT’s suggestions seriously and recognizes why investing in IT is so critical.
    • There are three ways a business or asset can be valuated:
      • Cost Approach: Look at the costs associated with building, purchasing, replacing, and maintaining a given aspect of the business.
      • Market Approach: Look at the relative value of a particular aspect of the business. Relative value can fluctuate and depends on what the markets and consequently society believe that particular element is worth.
      • Discounted Cash Flow Approach: Focus on what the potential value of the business could be or the intrinsic value anticipated due to future profitability.
      • (Source: “Valuation Methods,” Corporate Finance Institute)

    Four ways to create value through digital

    1. Reduced costs
    2. Improved customer experience
    3. New revenue sources
    4. Better decision making
      5. (Source: McKinsey & Company)

    1.2.1 Valuate IT

    1 day

    Input: Valuation of data, Valuation of applications, Valuation of infrastructure and operations, Valuation of security and risk

    Output: Valuation of IT

    Materials: Relevant templates/tools listed on the following slides, Capital budget, Operating budget, M&A Buy Playbook

    Participants: IT executive/CIO, IT senior leadership

    The purpose of this activity is to demonstrate that IT is not simply an operational functional area that diminishes business resources. Rather, IT contributes significant value to the business.

    1. Review each of the following slides to valuate IT’s data, applications, infrastructure and operations, and security and risk. These valuations consider several tangible and intangible factors and result in a final dollar amount.
    2. Input the financial amounts identified for each critical area into a summary slide. Use this information to determine where IT is delivering value to the organization.

    Info-Tech Insight

    Consistency is key when valuating your IT organization as well as other IT organizations throughout the transaction process.

    Record the results in the M&A Buy Playbook.

    Data valuation

    Data valuation identifies how you monetize the information that your organization owns.

    Create a data value chain for your organization

    When valuating the information and data that exists in an organization, there are many things to consider.

    Info-Tech has two tools that can support this process:

    1. Information Asset Audit Tool: Use this tool first to take inventory of the different information assets that exist in your organization.
    2. Data Valuation Tool: Once information assets have been accounted for, valuate the data that exists within those information assets.

    Data Collection

    Insight Creation

    Value Creation

    Data Valuation
    01 Data Source
    02 Data Collection Method
    03 Data     		04 Data Analysis
    05 Insight
    06 Insight Delivery     		07 Consumer
    08 Value in Data     		09 Value Dimension
    10 Value Metrics Group
    11 Value Metrics
    Screenshots of Tab 2 of Info-Tech's Data Valuation Tool.

    Instructions

    1. Using the Data Valuation Tool, start gathering information based on the eight steps above to understand your organization’s journey from data to value.
    2. Identify the data value spectrum. (For example: customer sales service, citizen licensing service, etc.)
    3. Fill out the columns for data sources, data collection, and data first.
    4. Capture data analysis and related information.
    5. Then capture the value in data.
    6. Add value dimensions such as usage, quality, and economic dimensions.
      • Remember that economic value is not the only dimension, and usage/quality has a significant impact on economic value.
    7. Collect evidence to justify your data valuation calculator (market research, internal metrics, etc.).
    8. Finally, calculate the value that has a direct correlation with underlying value metrics.

    Application valuation

    Calculate the value of your IT applications

    When valuating the applications and their users in an organization, consider using a business process map. This shows how business is transacted in the company by identifying which IT applications support these processes and which business groups have access to them. Info-Tech has a business process mapping tool that can support this process:

    • Enterprise Integration Process Mapping Tool: Complete this tool first to map the different business processes to the supporting applications in your organization.

    Instructions

    1. Start by calculating user costs. This is the product of the (# of users) × (% of time spent using IT) × (fully burdened salary).
    2. Identify the revenue per employee and divide that by the average cost per employee to calculate the derived productivity ratio (DPR).
    3. Once you have calculated the user costs and DPR, multiply those total values together to get the application value.

      4. User Costs

      Total User Costs

      Derived Productivity Ratio (DPR)

      Total DPR

      Application Value
      # of users % time spent using IT Fully burdened salary Multiply values from the 3 user costs columns Revenue per employee Average cost per employee (Revenue P.E) ÷ (Average cost P.E) (User costs) X (DPR)

    4. Once the total application value is established, calculate the combined IT and business costs of delivering that value. IT and business costs include inflexibility (application maintenance), unavailability (downtime costs, including disaster exposure), IT costs (common costs statistically allocated to applications), and fully loaded cost of active (full-time equivalent [FTE]) users.
    5. Calculate the net value of applications by subtracting the total IT and business costs from the total application value calculated in step 3.

      6. IT and Business Costs

      Total IT and Business Costs

      Net Value of Applications
      Application maintenance Downtime costs (include disaster exposure) Common costs allocated to applications Fully loaded costs of active (FTE) users Sum of values from the four IT and business costs columns (Application value) – (IT and business costs)

    (Source: CSO)

    Infrastructure valuation

    Assess the foundational elements of the business’ information technology

    The purpose of this exercise is to provide a high-level infrastructure valuation that will contribute to valuating your IT environment.

    Calculating the value of the infrastructure will require different methods depending on the environment. For example, a fully cloud-hosted organization will have different costs than a fully on-premises IT environment.

    Instructions:

    1. Start by listing all of the infrastructure-related items that are relevant to your organization.
    2. Once you have finalized your items column, identify the total costs/value of each item.
      • For example, total software costs would include servers and storage.
    3. Calculate the total cost/value of your IT infrastructure by adding all of values in the right column.

    Item

    Costs/Value
    Hardware Assets Total Value +$3.2 million
    Hardware Leased/Service Agreement -$
    Software Purchased +$
    Software Leased/Service Agreement -$
    Operational Tools
    Network
    Disaster Recovery
    Antivirus
    Data Centers
    Service Desk
    Other Licenses
    Total:

    For additional support, download the M&A Runbook for Infrastructure and Operations.

    Risk and security

    Assess risk responses and calculate residual risk

    The purpose of this exercise is to provide a high-level risk assessment that will contribute to valuating your IT environment. For a more in-depth risk assessment, please refer to the Info-Tech tools below:

    1. Risk Register Tool
    2. Security M&A Due Diligence Tool
      3.

    Instructions

    1. Review the probability and impact scales below and ensure you have the appropriate criteria that align to your organization before you conduct a risk assessment.
    2. Identify the probability of occurrence and estimated financial impact for each risk category detail and fill out the table on the right. Customize the table as needed so it aligns to your organization.

      3. Probability of Risk Occurrence

      Occurrence Criteria
      (Classification; Probability of Risk Event Within One Year)

      Negligible Very Unlikely; ‹20%
      Very Low Unlikely; 20 to 40%
      Low Possible; 40 to 60%
      Moderately Low Likely; 60 to 80%
      Moderate Almost Certain; ›80%

    Note: If needed, you can customize this scale with the severity designations that you prefer. However, make sure you are always consistent with it when conducting a risk assessment.

    Financial & Reputational Impact

    Budgetary and Reputational Implications
    (Financial Impact; Reputational Impact)
    Negligible (‹$10,000; Internal IT stakeholders aware of risk event occurrence)
    Very Low ($10,000 to $25,000; Business customers aware of risk event occurrence)
    Low ($25,000 to $50,000; Board of directors aware of risk event occurrence)
    Moderately Low ($50,000 to $100,000; External customers aware of risk event occurrence)
    Moderate (›$100,000; Media coverage or regulatory body aware of risk event occurrence)

    Risk Category Details

    Probability of Occurrence

    Estimated Financial Impact

    Estimated Severity (Probability X Impact)
    Capacity Planning
    Enterprise Architecture
    Externally Originated Attack
    Hardware Configuration Errors
    Hardware Performance
    Internally Originated Attack
    IT Staffing
    Project Scoping
    Software Implementation Errors
    Technology Evaluation and Selection
    Physical Threats
    Resource Threats
    Personnel Threats
    Technical Threats
    Total:

    1.2.2 Assess the IT/digital strategy

    4 hours

    Input: IT strategy, Digital strategy, Business strategy

    Output: An understanding of an executive business stakeholder’s perception of IT, Alignment of IT/digital strategy and overall organization strategy

    Materials: Computer, Whiteboard and markers, M&A Buy Playbook

    Participants: IT executive/CIO, Business executive/CEO

    The purpose of this activity is to review the business and IT strategies that exist to determine if there are critical capabilities that are not being supported.

    Ideally, the IT and digital strategies would have been created following development of the business strategy. However, sometimes the business strategy does not directly call out the capabilities it requires IT to support.

    1. On the left half of the corresponding slide in the M&A Buy Playbook, document the business goals, initiatives, and capabilities. Input this information from the business or digital strategies. (If more space for goals, initiatives, or capabilities is needed, duplicate the slide).
    2. On the other half of the slide, document the IT goals, initiatives, and capabilities. Input this information from the IT strategy and digital strategy.

    For additional support, see Build a Business-Aligned IT Strategy.

    Record the results in the M&A Buy Playbook.

    Proactive

    Step 1.3

    Drive Innovation and Suggest Growth Opportunities

    Activities

    • 1.3.1 Determine pain points and opportunities
    • 1.3.2 Align goals with opportunities
    • 1.3.3 Recommend growth opportunities

    This step involves the following participants:

    • IT executive leader
    • IT leadership
    • Critical M&A stakeholders

    Outcomes of Step

    Establish strong relationships with critical M&A stakeholders and position IT as an innovative business partner that can suggest growth opportunities.

    1.3.1 Determine pain points and opportunities

    1-2 hours

    Input: CEO-CIO Alignment diagnostic, CIO Business Vision diagnostic, Valuation of IT environment, IT-business goals cascade

    Output: List of pain points or opportunities that IT can address

    Materials: Computer, Whiteboard and markers, M&A Buy Playbook

    Participants: IT executive/CIO, IT senior leadership, Business stakeholders

    The purpose of this activity is to determine the pain points and opportunities that exist for the organization. These can be external or internal to the organization.

    1. Identify what opportunities exist for your organization. Opportunities are the potential positives that the organization would want to leverage.
    2. Next, identify pain points, which are the potential negatives that the organization would want to alleviate.
    3. Spend time considering all the options that might exist, and keep in mind what has been identified previously.

    Opportunities and pain points can be trends, other departments’ initiatives, business perspectives of IT, etc.

    Record the results in the M&A Buy Playbook.

    1.3.2 Align goals with opportunities

    1-2 hours

    Input: CEO-CIO Alignment diagnostic, CIO Business Vision diagnostic, Valuation of IT environment, IT-business goals cascade, List of pain points and opportunities

    Output: An understanding of an executive business stakeholder’s perception of IT, Foundations for growth strategy

    Materials: Computer, Whiteboard and markers, M&A Buy Playbook

    Participants: IT executive/CIO, IT senior leadership, Business stakeholders

    The purpose of this activity is to determine whether a growth or separation strategy might be a good suggestion to the business in order to meet its business objectives.

    1. For the top three to five business goals, consider:
      1. Underlying drivers
      2. Digital opportunities
      3. Whether a growth or reduction strategy is the solution
    2. Just because a growth or reduction strategy is a solution for a business goal does not necessarily indicate M&A is the way to go. However, it is important to consider before you pursue suggesting M&A.

    Record the results in the M&A Buy Playbook.

    1.3.3 Recommend growth opportunities

    1-2 hours

    Input: Growth or separation strategy opportunities to support business goals, Stakeholder communication plan, Rationale for the suggestion

    Output: M&A transaction opportunities suggested

    Materials: M&A Buy Playbook

    Participants: IT executive/CIO, Business executive/CEO

    The purpose of this activity is to recommend a merger, acquisition, or divestiture to the business.

    1. Identify which of the business goals the transaction would help solve and why IT is the one to suggest such a goal.
    2. Leverage the stakeholder communication plan identified previously to give insight into stakeholders who would have a significant level of interest, influence, or support in the process.

    Info-Tech Insight

    With technology and digital driving many transactions, leverage this opening and begin the discussions with your business on how and why an acquisition would be a great opportunity.

    Record the results in the M&A Buy Playbook.

    By the end of this Proactive phase, you should:

    Be prepared to suggest M&A opportunities to support your company’s goals through growth or acquisition transactions

    Key outcome from the Proactive phase

    Develop progressive relationships and strong communication with key stakeholders to suggest or be aware of transformational opportunities that can be achieved through growth or reduction strategies such as mergers, acquisitions, or divestitures.

    Key deliverables from the Proactive phase
    • Business perspective of IT examined
    • Key stakeholders identified and relationship to the M&A process outlined
    • Ability to valuate the IT environment and communicate IT’s value to the business
    • Assessment of the business, digital, and IT strategies and how M&As could support those strategies
    • Pain points and opportunities that could be alleviated or supported through an M&A transaction
    • Acquisition or buying recommendations

    The Buy Blueprint

    Phase 2

    Discovery & Strategy

    Phase 1

    Phase 2

    		Phase 3Phase 4
    • 1.1 Identify Stakeholders and Their Perspective of IT
    • 1.2 Assess IT’s Current Value and Future State
    • 1.3 Drive Innovation and Suggest Growth Opportunities
    • 2.1 Establish the M&A Program Plan
    • 2.2 Prepare IT to Engage in the Acquisition
    • 3.1 Assess the Target Organization
    • 3.2 Prepare to Integrate
    • 4.1 Execute the Transaction
    • 4.2 Reflection and Value Realization

    This phase will walk you through the following activities:

    • Create the mission and vision
    • Identify the guiding principles
    • Create the future-state operating model
    • Determine the transition team
    • Document the M&A governance
    • Create program metrics
    • Establish the integration strategy
    • Conduct a RACI
    • Create the communication plan
    • Assess the potential organization(s)

    This phase involves the following participants:

    • IT executive/CIO
    • IT senior leadership
    • Company M&A team

    Workshop Overview

    Contact your account representative for more information.
    workshops@infotech.com 1-888-670-8889

    Pre-Work

    Day 1

    Day 2

    Day 3

    Day 4

    Day 5

    Establish the Transaction FoundationDiscover the Motivation for AcquiringFormalize the Program PlanCreate the Valuation FrameworkStrategize the TransactionNext Steps and Wrap-Up (offsite)

    Activities

    • 0.1 Conduct the CIO Business Vision and CEO-CIO Alignment diagnostics
    • 0.2 Identify key stakeholders and outline their relationship to the M&A process
    • 0.3 Identify the rationale for the company's decisions to pursue an acquisition
    • 1.1 Review the business rationale for the acquisition
    • 1.2 Assess the IT/digital strategy
    • 1.3 Identify pain points and opportunities tied to the acquisition
    • 1.4 Create the IT vision statement, create the IT mission statement, and identify IT guiding principles
    • 2.1 Create the future-state operating model
    • 2.2 Determine the transition team
    • 2.3 Document the M&A governance
    • 2.4 Establish program metrics
    • 3.1 Valuate your data
    • 3.2 Valuate your applications
    • 3.3 Valuate your infrastructure
    • 3.4 Valuate your risk and security
    • 3.5 Combine individual valuations to make a single framework
    • 4.1 Establish the integration strategy
    • 4.2 Conduct a RACI
    • 4.3 Review best practices for assessing target organizations
    • 4.4 Create the communication plan
    • 5.1 Complete in-progress deliverables from previous four days
    • 5.2 Set up review time for workshop deliverables and to discuss next steps

    Deliverables

    1. Business perspectives of IT
    2. Stakeholder network map for M&A transactions
    1. Business context implications for IT
    2. IT’s acquisition strategic direction
    1. Operating model for future state
    2. Transition team
    3. Governance structure
    4. M&A program metrics
    1. IT valuation framework
    1. Integration strategy
    2. RACI
    3. Communication plan
    1. Completed M&A program plan and strategy
    2. Prepared to assess target organization(s)

    What is the Discovery & Strategy phase?

    Pre-transaction state

    The Discovery & Strategy phase during an acquisition is a unique opportunity for many IT organizations. IT organizations that can participate in the acquisition transaction at this stage are likely considered a strategic partner of the business.

    For one-off acquisitions, IT being invited during this stage of the process is rare. However, for organizations that are preparing to engage in many acquisitions over the coming years, this type of strategy will greatly benefit from IT involvement. Again, the likelihood of participating in an M&A transaction is increasing, making it a smart IT leadership decision to, at the very least, loosely prepare a program plan that can act as a strategic pillar throughout the transaction.

    During this phase of the pre-transaction state, IT will also be asked to participate in ensuring that the potential organization being sought will be able to meet any IT-specific search criteria that was set when the transaction was put into motion.

    Goal: To identify a repeatable program plan that IT can leverage when acquiring all or parts of another organization’s IT environment, ensuring customer satisfaction and business continuity

    Discovery & Strategy Prerequisite Checklist

    Before coming into the Discovery & Strategy phase, you should have addressed the following:

    • Understand the business perspective of IT.
    • Know the key stakeholders and have outlined their relationships to the M&A process.
    • Be able to valuate the IT environment and communicate IT's value to the business.
    • Understand the rationale for the company's decisions to pursue an acquisition and the opportunities or pain points the acquisition should address.

    Discovery & Strategy

    Step 2.1

    Establish the M&A Program Plan

    Activities

    • 2.1.1 Create the mission and vision
    • 2.1.2 Identify the guiding principles
    • 2.1.3 Create the future-state operating model
    • 2.1.4 Determine the transition team
    • 2.1.5 Document the M&A governance
    • 2.1.6 Create program metrics

    This step involves the following participants:

    • IT executive/CIO
    • IT senior leadership
    • Company M&A team

    Outcomes of Step

    Establish an M&A program plan that can be repeated across acquisitions.

    The vision and mission statements clearly articulate IT’s aspirations and purpose

    The IT vision statement communicates a desired future state of the IT organization, whereas the IT mission statement portrays the organization’s reason for being. While each serves its own purpose, they should both be derived from the business context implications for IT.

    Vision Statements

    Mission Statements

    Characteristics
    • Describe a desired future
    • Focus on ends, not means
    • Concise
    • Aspirational
    • Memorable
    • Articulate a reason for existence
    • Focus on how to achieve the vision
    • Concise
    • Easy to grasp
    • Sharply focused
    • Inspirational

    Samples

    		 To be a trusted advisor and partner in enabling business innovation and growth through an engaged IT workforce. (Source: Business News Daily) IT is a cohesive, proactive, and disciplined team that delivers innovative technology solutions while demonstrating a strong customer-oriented mindset. (Source: Forbes, 2013)

    2.1.1 Create the mission and vision statements

    2 hours

    Input: Business objectives, IT capabilities, Rationale for the transaction

    Output: IT’s mission and vision statements for growth strategies tied to mergers, acquisitions, and divestitures

    Materials: Flip charts/whiteboard, Markers, M&A Buy Playbook

    Participants: IT executive/CIO, IT senior leadership, Company M&A team

    The purpose of this activity is to create mission and vision statements that reflect IT’s intent and method to support the organization as it pursues a growth strategy.

    1. Review the definitions and characteristics of mission and vision statements.
    2. Brainstorm different versions of the mission and vision statements.
    3. Edit the statements until you get to a single version of each that accurately reflects IT’s role in the growth process.

    Record the results in the M&A Buy Playbook.

    Guiding principles provide a sense of direction

    IT guiding principles are shared, long-lasting beliefs that guide the use of IT in constructing, transforming, and operating the enterprise by informing and restricting IT investment portfolio management, solution development, and procurement decisions.

    A diagram illustrating the place of 'IT guiding principles' in the process of making 'Decisions on the use of IT'. There are four main items, connecting lines naming the type of process in getting from one step to the next, and a line underneath clarifying the questions asked at each step. On the far left, over the question 'What decisions should be made?', is 'Business context and IT implications'. This flows forward to 'IT guiding principles', and they are connected by 'Influence'. Next, over the question 'How should decisions be made?', is the main highlighted section. 'IT guiding principles' flows forward to 'Decisions on the use of IT', and they are connected by 'Guide and inform'. On the far right, over the question 'Who has the accountability and authority to make decisions?', is 'IT policies'. This flows back to 'Decisions on the use of IT', and they are connected by 'Direct and control'.

    IT principles must be carefully constructed to make sure they are adhered to and relevant

    Info-Tech has identified a set of characteristics that IT principles should possess. These characteristics ensure the IT principles are relevant and followed in the organization.

    Approach focused. IT principles should be focused on the approach – how the organization is built, transformed, and operated – as opposed to what needs to be built, which is defined by both functional and non-functional requirements.

    Business relevant. Create IT principles that are specific to the organization. Tie IT principles to the organization’s priorities and strategic aspirations.

    Long lasting. Build IT principles that will withstand the test of time.

    Prescriptive. Inform and direct decision making with actionable IT principles. Avoid truisms, general statements, and observations.

    Verifiable. If compliance can’t be verified, people are less likely to follow the principle.

    Easily Digestible. IT principles must be clearly understood by everyone in IT and by business stakeholders. IT principles aren’t a secret manuscript of the IT team. IT principles should be succinct; wordy principles are hard to understand and remember.

    Followed. Successful IT principles represent a collection of beliefs shared among enterprise stakeholders. IT principles must be continuously communicated to all stakeholders to achieve and maintain buy-in.

    In organizations where formal policy enforcement works well, IT principles should be enforced through appropriate governance processes.

    Consider the example principles below

    IT Principle Name

    IT Principle Statement
    1. Risk Management We will ensure that the organization’s IT Risk Management Register is properly updated to reflect all potential risks and that a plan of action against those risks has been identified.
    2. Transparent Communication We will ensure employees are spoken to with respect and transparency throughout the transaction process.
    3. Integration for Success We will create an integration strategy that enables the organization and clearly communicates the resources required to succeed.
    4. Managed Data We will handle data creation, modification, integration, and use across the enterprise in compliance with our data governance policy.
    5. Establish a single IT Environment We will identify, prioritize, and manage the applications and services that IT provides in order to eliminate redundant technology and maximize the value that users and customers experience.
    6. Compliance With Laws and Regulations We will operate in compliance with all applicable laws and regulations for both our organization and the potentially purchased organization.
    7. Defined Value We will create a plan of action that aligns with the organization’s defined value expectations.
    8. Network Readiness We will ensure that employees and customers have immediate access to the network with minimal or no outages.
    9. Operating to Succeed We will bring all of IT into a central operating model within two years of the transaction.

    2.1.2 Identify the guiding principles

    2 hours

    Input: Business objectives, IT capabilities, Rationale for the transaction, Mission and vision statements

    Output: IT’s guiding principles for growth strategies tied to mergers, acquisitions, and divestitures

    Materials: Flip charts/whiteboard, Markers, M&A Buy Playbook

    Participants: IT executive/CIO, IT senior leadership, Company M&A team

    The purpose of this activity is to create the guiding principles that will direct the IT organization throughout the growth strategy process.

    1. Review the role of guiding principles and the examples of guiding principles that organizations have used.
    2. Brainstorm different versions of the guiding principles. Each guiding principle should start with the phrase “We will…”
    3. Edit and consolidate the statements until you have a list of approximately eight to ten statements that accurately reflect IT’s role in the growth process.
    4. Review the guiding principles every six months to ensure they continue to support the delivery of the business’ growth strategy goals.

    Record the results in the M&A Buy Playbook.

    Create two IT teams to support the transaction

    IT M&A Transaction Team

    • The IT M&A Transaction Team should consist of the strongest members of the IT team who can be expected to deliver on unusual or additional tasks not asked of them in normal day-to-day operations.
    • The roles selected for this team will have very specific skills sets or deliver on critical integration capabilities, making their involvement in the combination of two or more IT environments paramount.
    • These individuals need to have a history of proving themselves very trustworthy, as they will likely be required to sign an NDA as well.
    • Expect to have to certain duplicate capabilities or roles across the M&A transaction team and operational team.

    IT Operational Team

    • This group is responsible for ensuring the business operations continue.
    • These employees might be those who are newer to the organization but can be counted on to deliver consistent IT services and products.
    • The roles of this team should ensure that end users or external customers remain satisfied.

    Key capabilities to support M&A

    Consider the following capabilities when looking at who should be a part of the M&A transaction team.

    Employees who have a significant role in ensuring that these capabilities are being delivered will be a top priority.

    Infrastructure

    • Systems Integration
    • Data Management

    Business Focus

    • Service-Level Management
    • Enterprise Architecture
    • Stakeholder Management
    • Project Management

    Risk & Security

    • Privacy Management
    • Security Management
    • Risk & Compliance Management

    Build a lasting and scalable operating model

    An operating model is an abstract visualization, used like an architect’s blueprint, that depicts how structures and resources are aligned and integrated to deliver on the organization’s strategy.

    It ensures consistency of all elements in the organizational structure through a clear and coherent blueprint before embarking on detailed organizational design.

    The visual should highlight which capabilities are critical to attaining strategic goals and clearly show the flow of work so that key stakeholders can understand where inputs flow in and outputs flow out of the IT organization.

    As you assess the current operating model, consider the following:

    • Does the operating model contain all the necessary capabilities your IT organization requires to be successful?
    • What capabilities should be duplicated?
    • Are there individuals with the skill set to support those roles? If not, is there a plan to acquire or develop those skills?
    • A dedicated project team strictly focused on M&A is great. However, is it feasible for your organization? If not, what blockers exist?
    A diagram with 'Initiatives' and 'Solutions' on the left and right of an area chart, 'Customer' at the top, the area between them labelled 'Functional Area n', and six horizontal bars labelled 'IT Capability' stacked on top of each other. The 'IT Capability' bars are slightly skewed to the 'Solutions' side of the chart.

    Info-Tech Insight

    Investing time up-front getting the operating model right is critical. This will give you a framework to rationalize future organizational changes, allowing you to be more iterative and allowing your model to change as the business changes.

    2.1.3 Create the future-state operating model

    4 hours

    Input: Current operating model, IT strategy, IT capabilities, M&A-specific IT capabilities, Business objectives, Rationale for the transaction, Mission and vision statements

    Output: Future-state operating model

    Materials: Operating model, Capability overlay, Flip charts/whiteboard, Markers, M&A Buy Playbook

    Participants: IT executive/CIO, IT senior leadership, Company M&A team

    The purpose of this activity is to establish what the future-state operating model will be if your organization needs to adjust to support a growth transaction.

    1. Ensuring that all the IT capabilities are identified by the business and IT strategy, document your organization’s current operating model.
    2. Identify what core capabilities would be critical to the buying transaction process and integration. Highlight and make copies of those capabilities in the M&A Buy Playbook.
    3. Arrange the capabilities to clearly show the flow of inputs and outputs. Identify critical stakeholders of the process (such as customers or end users) if that will help the flow.
    4. Ensure the capabilities that will be decentralized are clearly identified. Decentralized capabilities do not exist within the central IT organization but rather in specific lines of businesses or products to better understand needs and deliver on the capability.

    An example operating model is included in the M&A Buy Playbook. This process benefits from strong reference architecture and capability mapping ahead of time.

    Record the results in the M&A Buy Playbook.

    2.1.4 Determine the transition team

    3 hours

    Input: IT capabilities, Future-state operating model, M&A-specific IT capabilities, Business objectives, Rationale for the transaction, Mission and vision statements

    Output: Transition team

    Materials: Reference architecture, Organizational structure, Flip charts/whiteboard, Markers

    Participants: IT executive/CIO, IT senior leadership, Company M&A team

    The purpose of this activity is to create a team that will support your IT organization throughout the transaction. Determining which capabilities and therefore which roles will be required ensures that the business will continue to get the operational support it needs.

    1. Based on the outcome of activity 2.1.3, review the capabilities that your organization will require on the transition team. Group capabilities into functional groups containing capabilities that are aligned well with one another because they have similar responsibilities and functionalities.
    2. Replace the capabilities with roles. For example, stakeholder management, requirements gathering, and project management might be one functional group. Project management and stakeholder management might combine to create a project manager role.
    3. Review the examples in the M&A Buy Playbook and identify which roles will be a part of the transition team.

    For more information, see Redesign Your Organizational Structure

    What is governance?

    And why does it matter so much to IT and the M&A process?

    • Governance is the method in which decisions get made, specifically as they impact various resources (time, money, and people).
    • Because M&A is such a highly governed transaction, it is important to document the governance bodies that exist in your organization.
    • This will give insight into what types of governing bodies there are, what decisions they make, and how that will impact IT.
    • For example, funds to support integration need to be discussed, approved, and supplied to IT from a governing body overseeing the acquisition.
    • A highly mature IT organization will have automated governance, while a seemingly non-existent governance process will be considered ad hoc.
    A pyramid with four levels representing the types of governing bodies that are available with differing levels of IT maturity. An arrow beside the pyramid points upward. The bottom of the arrow is labelled 'Traditional (People and document centric)' and the top is labelled 'Adaptive (Data centric)'. Starting at the bottom of the pyramid is level 1 'Ad Hoc Governance', 'Governance that is not well defined or understood within the organization. It occurs out of necessity but often not by the right people'. Level 2 is 'Controlled Governance', 'Governance focused on compliance and decisions driven by hierarchical authority. Levels of authority are defined and often driven by regulatory'. Level 3 is 'Agile Governance', 'Governance that is flexible to support different needs and quick response in the organization. Driven by principles and delegated throughout the company'. At the top of the pyramid is level 4 'Automated Governance', 'Governance that is entrenched and automated into organizational processes and product/service design. Empowered and fully delegated governance to maintain fit and drive organizational success and survival'.

    2.1.5 Document M&A governance

    1-2 hours

    Input: List of governing bodies, Governing body committee profiles, Governance structure

    Output: Documented method on how decisions are made as it relates to the M&A transaction

    Materials: Flip charts/whiteboard, Markers, M&A Buy Playbook

    Participants: IT executive/CIO, IT senior leadership, Company M&A team

    The purpose of this activity is to determine the method in which decisions are made throughout the M&A transaction as it relates to IT. This will require understanding both governing bodies internal to IT and those external to IT.

    1. First, determine the other governance structures within the organization that will impact the decisions made about M&A. List out these bodies or committees.
    2. Create a profile for each committee that looks at the membership, purpose of the committee, decision areas (authority), and the process of inputs and outputs. Ensure IT committees that will have a role in this process are also documented. Consider the benefits realized, risks, and resources required for each.
    3. Organize the committees into a structure, identifying the committees that have a role in defining the strategy, designing and building, and running.

    Record the results in the M&A Buy Playbook.

    Current-state structure map – definitions of tiers

    Strategy: These groups will focus on decisions that directly connect to the strategic direction of the organization.

    Design & Build: The second tier of groups will oversee prioritization of a certain area of governance as well as design and build decisions that feed into strategic decisions.

    Run: The lowest level of governance will be oversight of more-specific initiatives and capabilities within IT.

    Expect tier overlap. Some committees will operate in areas that cover two or three of these governance tiers.

    Measure the IT program’s success in terms of its ability to support the business’ M&A goals

    Upper management will measure IT’s success based on your ability to support the underlying reasons for the M&A. Using business metrics will help assure business stakeholders that IT understands their needs and is working with the business to achieve them.

    Business-Specific Metrics

    • Revenue Growth: Increase in the top line as seen by market expansion, product expansion, etc. by percentage/time.
    • Synergy Extraction: Reduction in costs as determined by the ability to identify and eliminate redundancies over time.
    • Profit Margin Growth: Increase in the bottom line as a result of increased revenue growth and/or decreased costs over time.

    IT-Specific Metrics

    • IT operational savings and cost reductions due to synergies: Operating expenses, capital expenditures, licenses, contracts, applications, infrastructure over time.
    • Reduction in IT staff expense and headcount: Decreased budget allocated to IT staff, and ability to identify and remove redundancies in staff.
    • Meeting or improving on IT budget estimates: Delivering successful IT integration on a budget that is the same or lower than the budget estimated during due diligence.
    • Meeting or improving on IT time-to-integration estimates: Delivering successful IT integration on a timeline that is the same or shorter than the timeline estimated during due diligence.
    • Business capability support: Delivering the end state of IT that supports the expected business capabilities and growth.

    Establish your own metrics to gauge the success of IT

    Establish SMART M&A Success Metrics

    S pecific Make sure the objective is clear and detailed.
    M easurable Objectives are measurable if there are specific metrics assigned to measure success. Metrics should be objective.
    A ctionable Objectives become actionable when specific initiatives designed to achieve the objective are identified.
    R ealistic Objectives must be achievable given your current resources or known available resources.
    T ime-Bound An objective without a timeline can be put off indefinitely. Furthermore, measuring success is challenging without a timeline.
    • What should IT consider when looking to identify potential additions, deletions, or modifications that will either add value to the organization or reduce costs/risks?
    • Provide a definition of synergies.
    • IT operational savings and cost reductions due to synergies: Operating expenses, capital expenditures, licenses, contracts, applications, infrastructure.
    • Reduction in IT staff expense and headcount: Decreased budget allocated to IT staff, and ability to identify and remove redundancies in staff.
    • Meeting or improving on IT budget estimates: Delivering successful IT integration on a budget that is the same or lower than the budget estimated during due diligence.
    • Meeting or improving on IT time-to-integration estimates: Delivering successful IT integration on a timeline that is the same or shorter than the timeline estimated during due diligence.
    • Revenue growth: Increase in the top line as a result, as seen by market expansion, product expansion, etc.
    • Synergy extraction: Reduction in costs, as determined by the ability to identify and eliminate redundancies.
    • Profit margin growth: Increase in the bottom line as a result of increased revenue growth and/or decreased costs.

    Metrics for each phase

    1. Proactive

    2. Discovery & Strategy

    3. Valuation & Due Diligence

    4. Execution & Value Realization

    • % Share of business innovation spend from overall IT budget
    • % Critical processes with approved performance goals and metrics
    • % IT initiatives that meet or exceed value expectation defined in business case
    • % IT initiatives aligned with organizational strategic direction
    • % Satisfaction with IT's strategic decision-making abilities
    • $ Estimated business value added through IT-enabled innovation
    • % Overall stakeholder satisfaction with IT
    • % Percent of business leaders that view IT as an Innovator
    • % IT budget as a percent of revenue
    • % Assets that are not allocated
    • % Unallocated software licenses
    • # Obsolete assets
    • % IT spend that can be attributed to the business (chargeback or showback)
    • % Share of CapEx of overall IT budget
    • % Prospective organizations that meet the search criteria
    • $ Total IT cost of ownership (before and after M&A, before and after rationalization)
    • % Business leaders that view IT as a Business Partner
    • % Defects discovered in production
    • $ Cost per user for enterprise applications
    • % In-house-built applications vs. enterprise applications
    • % Owners identified for all data domains
    • # IT staff asked to participate in due diligence
    • Change to due diligence
    • IT budget variance
    • Synergy target
    • % Satisfaction with the effectiveness of IT capabilities
    • % Overall end-customer satisfaction
    • $ Impact of vendor SLA breaches
    • $ Savings through cost-optimization efforts
    • $ Savings through application rationalization and technology standardization
    • # Key positions empty
    • % Frequency of staff turnover
    • % Emergency changes
    • # Hours of unplanned downtime
    • % Releases that cause downtime
    • % Incidents with identified problem record
    • % Problems with identified root cause
    • # Days from problem identification to root cause fix
    • % Projects that consider IT risk
    • % Incidents due to issues not addressed in the security plan
    • # Average vulnerability remediation time
    • % Application budget spent on new build/buy vs. maintenance (deferred feature implementation, enhancements, bug fixes)
    • # Time (days) to value realization
    • % Projects that realized planned benefits
    • $ IT operational savings and cost reductions that are related to synergies/divestitures
    • % IT staff–related expenses/redundancies
    • # Days spent on IT integration
    • $ Accurate IT budget estimates
    • % Revenue growth directly tied to IT delivery
    • % Profit margin growth

    2.1.6 Create program metrics

    1-2 hours

    Input: IT capabilities, Mission, vision, and guiding principles, Rationale for the acquisition

    Output: Program metrics to support IT throughout the M&A process

    Materials: Flip charts/whiteboard, Markers, M&A Buy Playbook

    Participants: IT executive/CIO, IT senior leadership, Company M&A team

    The purpose of this activity is to determine how IT’s success throughout a growth transaction will be measured and determined.

    1. Document a list of appropriate metrics on the whiteboard. Remember to include metrics that demonstrate the business impact. You can use the sample metrics listed on the previous slide as a starting point.
    2. Set a target and deadline for each metric. This will help the group determine when it is time to evaluate progression.
    3. Establish a baseline for each metric based on information collected within your organization.
    4. Assign an owner for tracking each metric as well as someone to be accountable for performance.

    Record the results in the M&A Buy Playbook.

    Discovery & Strategy

    Step 2.2

    Prepare IT to Engage in the Acquisition

    Activities

    • 2.2.1 Establish the integration strategy
    • 2.2.2 Conduct a RACI
    • 2.2.3 Create the communication plan
    • 2.2.4 Assess the potential organization(s)

    This step involves the following participants:

    • IT executive/CIO
    • IT senior leadership
    • Company M&A team

    Outcomes of Step

    Identify IT’s plan of action when it comes to the acquisition and align IT’s integration strategy with the business’ M&A strategy.

    Integration strategies

    There are several IT integration strategies that will help you achieve your target technology environment.

    IT Integration Strategies
    • Absorption. Convert the target organization’s strategy, structure, processes, and/or systems to that of the acquiring organization.
    • Best-of-Breed. Pick and choose the most effective people, processes, and technologies to form an efficient operating model.
    • Transformation Retire systems from both organizations and use collective capabilities, data, and processes to create something entirely new.
    • Preservation Retain individual business units that will operate within their own capability. People, processes, and technologies are unchanged.

    The approach IT takes will depend on the business objectives for the M&A.

    • Generally speaking, the integration strategy is well understood and influenced by the frequency of and rationale for acquiring.
    • Based on the initiatives generated by each business process owner, you need to determine the IT integration strategy that will best support the desired target technology environment.

    Key considerations when choosing an IT integration strategy include:

    • What are the main business objectives of the M&A?
    • What are the key synergies expected from the transaction?
    • What IT integration best helps obtain these benefits?
    • What opportunities exist to position the business for sustainable growth?

    Absorption and best-of-breed

    Review highlights and drawbacks of absorption and best-of-breed integration strategies

    Absorption
      Highlights
    • Recommended for businesses striving to reduce costs and drive efficiency gains.
    • Economies of scale realized through consolidation and elimination of redundant applications.
    • Quickest path to a single company operation and systems as well as lower overall IT cost.
      Drawbacks
    • Potential for disruption of the target company’s business operations.
    • Requires significant business process changes.
    • Disregarding the target offerings altogether may lead to inferior system decisions that do not yield sustainable results.
    Best-of-Breed
      Highlights
    • Recommended for businesses looking to expand their market presence or acquire new products. Essentially aligning the two organizations in the same market.
    • Each side has a unique offering but complementing capabilities.
    • Potential for better buy-in from the target because some of their systems are kept, resulting in willingness to
      Drawbacks
    • May take longer to integrate because it tends to present increased complexity that results in higher costs and risks.
    • Requires major integration efforts from both sides of the company. If the target organization is uncooperative, creating the desired technology environment will be difficult.

    Transformation and preservation

    Review highlights and drawbacks of transformation and preservation integration strategies

    Transformation
      Highlights
    • This is the most customized approach, although it is rarely used.
    • It is essential to have an established long-term vision of business capabilities when choosing this path.
    • When executed correctly, this approach presents potential for significant upside and creation of sustainable competitive advantages.
      Drawbacks
    • This approach requires extensive time to implement, and the cost of integration work may be significant.
    • If a new system is created without strategic capabilities, the organizations will not realize long-term benefits.
    • The cost of correcting complexities at later stages in the integration effort may be drastic.
    Preservation
      Highlights
    • This approach is appropriate if the merging organizations will remain fairly independent, if there will be limited or no communication between companies, and if the companies’ market strategies, products, and channels are entirely distinct.
    • Environment can be accomplished quickly and at a low cost.
      Drawbacks
    • Impact to each business is minimal, but there is potential for lost synergies and higher operational costs. This may be uncontrollable if the natures of the two businesses are too different to integrate.
    • Reduced benefits and limited opportunities for IT integration.

    2.2.1 Establish the integration strategy

    1-2 hours

    Input: Business integration strategy, Guiding principles, M&A governance

    Output: IT’s integration strategy

    Materials: Flip charts/whiteboard, Markers, M&A Buy Playbook

    Participants: IT executive/CIO, IT senior leadership, Company M&A team

    The purpose of this activity is to determine IT’s approach to integration. The approach might differ slightly from transaction to transaction. However, the business’ approach to transactions should give insight into the general integration strategy IT should adopt.

    1. Make sure you have clearly articulated the business objectives for the M&A, the technology end state for IT, and the magnitude of the overall integration.
    2. Review and discuss the highlights and drawbacks of each type of integration.
    3. Use Info-Tech’s Integration Posture Selection Framework on the next slide to select the integration posture that will appropriately enable the business. Consider these questions during your discussion:
      1. What are the main business objectives of the M&A? What key IT capabilities will need to support business objectives?
      2. What key synergies are expected from the transaction? What opportunities exist to position the business for sustainable growth?
      3. What IT integration best helps obtain these benefits?

    Record the results in the M&A Buy Playbook.

    Integration Posture Selection Framework

    Business M&A Strategy

    Resultant Technology Strategy

    M&A Magnitude (% of Acquirer Assets, Income, or Market Value)

    IT Integration Posture
    A. Horizontal Adopt One Model ‹10% Absorption
    10 to 75% Absorption or Best-of-Breed
    ›75% Best-of-Breed
    B. Vertical Create Links Between Critical Systems Any
    • Preservation (Differentiated Functions)
    • Absorption or Best-of-Breed (Non-Differentiated Functions)
    C. Conglomerate Independent Model Any Preservation
    D. Hybrid: Horizontal & Conglomerate Independent Model Any Preservation

    2.2.2 Conduct a RACI

    1-2 hours

    Input: IT capabilities, Transition team, Integration strategy

    Output: Completed RACI for transition team

    Materials: Reference architecture, Organizational structure, Flip charts/whiteboard, Markers, M&A Buy Playbook

    Participants: IT executive/CIO, IT senior leadership, Company M&A team

    The purpose of this activity is to identify the core accountabilities and responsibilities for the roles identified as critical to your transition team. While there might be slight variation from transaction to transaction, ideally each role should be performing certain tasks.

    1. First, identify a list of critical tasks that need to be completed to support the purchase or acquisition. For example:
      • Communicate with the company M&A team.
      • Identify critical IT risks that could impact the organization after the transaction.
      • Identify key artifacts to collect and review during due diligence.
    2. Next, identify at the activity level which role is accountable or responsible for each activity. Enter an A for accountable, R for responsible, or A/R for both.

    Record the results in the M&A Buy Playbook.

    Communication and change

    Prepare key stakeholders for the potential changes

    • Anytime you are starting a project or program that will depend on users and stakeholders to give up their old way of doing things, change will force people to become novices again, leading to lost productivity and added stress.
    • Change management can improve outcomes for any project where you need people to adopt new tools and procedures, comply with new policies, learn new skills and behaviors, or understand and support new processes.
    • M&As move very quickly, and it can be very difficult to keep track of which stakeholders you need to be communicating with and what you should be communicating.
    • Not all organizations embrace or resist change in the same ways. Base your change communications on your organization’s cultural appetite for change in general.
      • Organizations with a low appetite for change will require more direct, assertive communications.
      • Organizations with a high appetite for change are more suited to more open, participatory approaches.

    Three key dimensions determine the appetite for cultural change:

    • Power Distance. Refers to the acceptance that power is distributed unequally throughout the organization.
      In organizations with a high power distance, the unequal power distribution is accepted by the less powerful employees.
    • Individualism. Organizations that score high in individualism have employees who are more independent. Those who score low in individualism fall into the collectivism side, where employees are strongly tied to one another or their groups.
    • Uncertainty Avoidance. Describes the level of acceptance that an organization has toward uncertainty. Those who score high in this area find that their employees do not favor uncertain situations, while those that score low in this area find that their employees are comfortable with change and uncertainty.

    2.2.3 Create the communication plan

    1-2 hours

    Input: IT’s M&A mission, vision, and guiding principles, M&A transition team, IT integration strategy, RACI

    Output: IT’s M&A communication plan

    Materials: Flip charts/whiteboard, Markers, RACI, M&A Buy Playbook

    Participants: IT executive/CIO, IT senior leadership, Company M&A team

    The purpose of this activity is to create a communication plan that IT can leverage throughout the initiative.

    1. Create a structured communication plan that allows for continuous communication with the integration management office, senior management, and the business functional heads.
    2. Outline key topics of communication, with stakeholders, inputs, and outputs for each topic.
    3. Review Info-Tech’s example communication plan in the M&A Buy Playbook and update it with relevant information.
    4. Does this communication plan make sense for your organization? What doesn’t make sense? Adjust the communication guide to suit your organization.

    Record the results in the M&A Buy Playbook.

    Assessing potential organizations

    As soon as you have identified organizations to consider, it’s imperative to assess critical risks. Most IT leaders can attest that they will receive little to no notice when they have to assess the IT organization of a potential purchase. As a result, having a standardized template to quickly gauge the value of the business can be critical.

    Ways to Assess

    1. News: Assess what sort of news has been announced in relation to the organization. Have they had any risk incidents? Has a critical vendor announced working with them?
    2. LinkedIn: Scan through the LinkedIn profiles of employees. This will give you a sense of what platforms they have based on their employees.
    3. Trends: Some industries will have specific solutions that are relevant and popular. Assess what the key players are (if you don’t already know) to determine the solution.
    4. Business Architecture: While this assessment won’t perfect, try to understand the business’ value streams and the critical business and IT capabilities that would be needed to support them.

    2.2.4 Assess the potential organization(s)

    1-2 hours

    Input: Publicized historical risk events, Solutions and vendor contracts likely in the works, Trends

    Output: IT’s valuation of the potential organization(s) for acquisition

    Materials: M&A Buy Playbook

    Participants: IT executive/CIO

    The purpose of this activity is to assess the organization(s) that your organization is considering purchasing.

    1. Complete the Historical Valuation Worksheet in the M&A Buy Playbook to understand the type of IT organization that your company may inherit and need to integrate with.
      • The business likely isn’t looking for in-depth details at this time. However, as the IT leader, it is your responsibility to ensure critical risks are identified and communicated to the business.
    2. Use the information identified to help the business narrow down which organizations should be targeted for the acquisition.

    Record the results in the M&A Buy Playbook.

    By the end of this pre-transaction phase you should:

    Have a program plan for M&As and a repeatable M&A strategy for IT when engaging in growth transactions

    Key outcomes from the Discovery & Strategy phase
    • Be prepared to analyze and recommend potential organizations that the business can acquire or merge with, using a strong program plan that can be repeated across transactions.
    • Create a M&A strategy that accounts for all the necessary elements of a transaction and ensures sufficient governance, capabilities, and metrics exist.
    Key deliverables from the Discovery & Strategy phase
    • Create vision and mission statements
    • Establish guiding principles
    • Create a future-state operating model
    • Identify the key roles for the transaction team
    • Identify and communicate the M&A governance
    • Determine target metrics
    • Identify the M&A operating model
    • Select the integration strategy framework
    • Conduct a RACI for key transaction tasks for the transaction team
    • Document the communication plan

    M&A Buy Blueprint

    Phase 3

    Due Diligence & Preparation

    Phase 1Phase 2

    Phase 3

    		Phase 4
    • 1.1 Identify Stakeholders and Their Perspective of IT
    • 1.2 Assess IT’s Current Value and Future State
    • 1.3 Drive Innovation and Suggest Growth Opportunities
    • 2.1 Establish the M&A Program Plan
    • 2.2 Prepare IT to Engage in the Acquisition
    • 3.1 Assess the Target Organization
    • 3.2 Prepare to Integrate
    • 4.1 Execute the Transaction
    • 4.2 Reflection and Value Realization

    This phase will walk you through the following activities:

    • Drive value with a due diligence charter
    • Identify data room artifacts
    • Assess technical debt
    • Valuate the target IT organization
    • Assess culture
    • Prioritize integration tasks
    • Establish the integration roadmap
    • Identify the needed workforce supply
    • Estimate integration costs
    • Create an employee transition plan
    • Create functional workplans for employees
    • Align project metrics with identified tasks

    This phase involves the following participants:

    • IT executive/CIO
    • IT senior leadership
    • Company M&A team
    • Business leaders
    • Prospective IT organization
    • Transition team

    Workshop Overview

    Contact your account representative for more information.
    workshops@infotech.com 1-888-670-8889

    Pre-Work

    Day 1

    Day 2

    Day 3

    Day 4

    Day 5

    Establish the Transaction FoundationDiscover the Motivation for IntegrationAssess the Target Organization(s)Create the Valuation FrameworkPlan the Integration RoadmapNext Steps and Wrap-Up (offsite)

    Activities

    • 0.1 Identify the rationale for the company's decisions to pursue an acquisition.
    • 0.2 Identify key stakeholders and determine the IT transaction team.
    • 0.3 Gather and evaluate the M&A strategy, future-state operating model, and governance.
    • 1.1 Review the business rationale for the acquisition.
    • 1.2 Identify pain points and opportunities tied to the acquisition.
    • 1.3 Establish the integration strategy.
    • 1.4 Create the due diligence charter.
    • 2.1 Create a list of IT artifacts to be reviewed in the data room.
    • 2.2 Conduct a technical debt assessment.
    • 2.3 Assess the current culture and identify the goal culture.
    • 2.4 Identify the needed workforce supply.
    • 3.1 Valuate the target organization’s data.
    • 3.2 Valuate the target organization’s applications.
    • 3.3 Valuate the target organization’s infrastructure.
    • 3.4 Valuate the target organization’s risk and security.
    • 3.5 Combine individual valuations to make a single framework.
    • 4.1 Prioritize integration tasks.
    • 4.2 Establish the integration roadmap.
    • 4.3 Establish and align project metrics with identified tasks.
    • 4.4 Estimate integration costs.
    • 5.1 Complete in-progress deliverables from previous four days.
    • 5.2 Set up review time for workshop deliverables and to discuss next steps.

    Deliverables

    1. IT strategy
    2. IT operating model
    3. IT governance structure
    4. M&A transaction team
    1. Business context implications for IT
    2. Integration strategy
    3. Due diligence charter
    1. Data room artifacts
    2. Technical debt assessment
    3. Culture assessment
    4. Workforce supply identified
    1. IT valuation framework to assess target organization(s)
    1. Integration roadmap and associated resourcing
    1. Acquisition integration strategy for IT

    What is the Due Diligence & Preparation phase?

    Mid-transaction state

    The Due Diligence & Preparation phase during an acquisition is a critical time for IT. If IT fails to proactively participate in this phase, IT will have to merely react to integration expectations set by the business.

    While not all IT organizations are able to participate in this phase, the evolving nature of M&As to be driven by digital and technological capabilities increases the rationale for IT being at the table. Identifying critical IT risks, which will inevitably be business risks, begins during the due diligence phase.

    This is also the opportunity for IT to plan how it will execute the planned integration strategy. Having access to critical information only available in data rooms will further enable IT to successfully plan and execute the acquisition to deliver the value the business is seeking through a growth transaction.

    Goal: To thoroughly evaluate all potential risks associated with the organization(s) being pursued and create a detailed plan for integrating the IT environments

    Due Diligence Prerequisite Checklist

    Before coming into the Due Diligence & Preparation phase, you must have addressed the following:

    • Understand the rationale for the company's decisions to pursue an acquisition and what opportunities or pain points the acquisition should alleviate.
    • Identify the key roles for the transaction team.
    • Identify the M&A governance.
    • Determine target metrics.
    • Select an integration strategy framework.
    • Conduct a RACI for key transaction tasks for the transaction team.

    Before coming into the Due Diligence & Preparation phase, we recommend addressing the following:

    • Create vision and mission statements.
    • Establish guiding principles.
    • Create a future-state operating model.
    • Identify the M&A operating model.
    • Document the communication plan.
    • Examine the business perspective of IT.
    • Identify key stakeholders and outline their relationship to the M&A process.
    • Be able to valuate the IT environment and communicate IT’s value to the business.

    The Technology Value Trinity

    Delivery of Business Value & Strategic Needs

    • Digital & Technology Strategy
      The identification of objectives and initiatives necessary to achieve business goals.
    • IT Operating Model
      The model for how IT is organized to deliver on business needs and strategies.
    • Information & Technology Governance
      The governance to ensure the organization and its customers get maximum value from the use of information and technology.

    All three elements of the Technology Value Trinity work in harmony to deliver business value and achieve strategic needs. As one changes, the others need to change as well.

    • Digital and IT Strategy tells you what you need to achieve to be successful.
    • IT Operating Model and Organizational Design is the alignment of resources to deliver on your strategy and priorities.
    • Information & Technology Governance is the confirmation of IT’s goals and strategy, which ensures the alignment of IT and business strategy. It’s the mechanism by which you continuously prioritize work to ensure that what is delivered is in line with the strategy. This oversight evaluates, directs, and monitors the delivery of outcomes to ensure that the use of resources results in the achieving the organization’s goals.

    Too often strategy, operating model and organizational design, and governance are considered separate practices. As a result, “strategic documents” end up being wish lists, and projects continue to be prioritized based on who shouts the loudest – not based on what is in the best interest of the organization.

    Due Diligence & Preparation

    Step 3.1

    Assess the Target Organization

    Activities

    • 3.1.1 Drive value with a due diligence charter
    • 3.1.2 Identify data room artifacts
    • 3.1.3 Assess technical debt
    • 3.1.4 Valuate the target IT organization
    • 3.1.5 Assess culture

    This step involves the following participants:

    • IT executive/CIO
    • IT senior leadership
    • Company M&A team
    • Business leaders
    • Prospective IT organization
    • Transition team

    Outcomes of Step

    This step of the process is when IT should actively evaluate the target organization being pursued for acquisition.

    3.1.1 Drive value with a due diligence charter

    1-2 hours

    Input: Key roles for the transaction team, M&A governance, Target metrics, Selected integration strategy framework, RACI of key transaction tasks for the transaction team

    Output: IT Due Diligence Charter

    Materials: M&A Buy Playbook

    Participants: IT executive/CIO, IT senior leadership, Company M&A team

    The purpose of this activity is to create a charter leveraging the items completed in the previous phase, as listed on the Due Diligence Prerequisite Checklist slide, to gain executive sign-off.

    1. In the IT Due Diligence Charter in the M&A Buy Playbook, complete the aspects of the charter that are relevant for you and your organization.
    2. We recommend including these items in the charter:
      • Communication plan
      • Transition team roles
      • Goals and metrics for the transaction
      • Integration strategy
      • Acquisition RACI
    3. Once the charter has been completed, ensure that business executives agree to the charter and sign off on the plan of action.

    Record the results in the M&A Buy Playbook.

    3.1.2 Identify data room artifacts

    4 hours

    Input: Future-state operating model, M&A governance, Target metrics, Selected integration strategy framework, RACI of key transaction tasks for the transaction team

    Output: List of items to acquire and review in the data room

    Materials: Critical domain lists on following slides, M&A Buy Playbook

    Participants: IT executive/CIO, IT senior leadership, Company M&A team, Transition team

    The purpose of this activity is to create a list of the key artifacts that should be asked for and reviewed during the due diligence process.

    1. Review the lists on the following pages as a starting point. Identify which domains, stakeholders, artifacts, and information should be requested for the data room. This information should be directed to the target organization.
    2. IT leadership may or may not be asked to enter the data room directly. Therefore, it’s important that you clearly identify these artifacts.
    3. List each question or concern, select the associated workstream in the M&A Buy Playbook, and update the status of the information retrieval.
    4. Use the comments section to document your discoveries or concerns.

    Record the results in the M&A Buy Playbook.

    Critical domains

    Understand the key stakeholders and outputs for each domain

    Each critical domain will likely have different stakeholders who know that domain best. Communicate with these stakeholders throughout the M&A process to make sure you are getting accurate information and interpreting it correctly.

    Domain

    Stakeholders

    Key Artifacts

    Key Information to request
    Business
    • Enterprise Architecture
    • Business Relationship Manager
    • Business Process Owners
    • Business capability map
    • Capability map (the M&A team should be taking care of this, but make sure it exists)
    • Business satisfaction with various IT systems and services
    Leadership/IT Executive
    • CIO
    • CTO
    • CISO
    • IT budgets
    • IT capital and operating budgets (from current year and previous year)
    Data & Analytics
    • Chief Data Officer
    • Data Architect
    • Enterprise Architect
    • Master data domains, system of record for each
    • Unstructured data retention requirements
    • Data architecture
    • Master data domains, sources, and storage
    • Data retention requirements
    Applications
    • Applications Manager
    • Application Portfolio Manager
    • Application Architect
    • Applications map
    • Applications inventory
    • Applications architecture
    • Copy of all software license agreements
    • Copy of all software maintenance agreements
    Infrastructure
    • Head of Infrastructure
    • Enterprise Architect
    • Infrastructure Architect
    • Infrastructure Manager
    • Infrastructure map
    • Infrastructure inventory
    • Network architecture (including which data centers host which infrastructure and applications)
    • Inventory (including integration capabilities of vendors, versions, switches, and routers)
    • Copy of all hardware lease or purchase agreements
    • Copy of all hardware maintenance agreements
    • Copy of all outsourcing/external service provider agreements
    • Copy of all service-level agreements for centrally provided, shared services and systems
    Products and Services
    • Product Manager
    • Head of Customer Interactions
    • Product lifecycle
    • Product inventory
    • Customer market strategy

    Critical domains (continued)

    Understand the key stakeholders and outputs for each domain

    Domain

    Stakeholders

    Key Artifacts

    Key Information to request

    Operations
    • Head of Operations
    • Service catalog
    • Service overview
    • Service owners
    • Access policies and procedures
    • Availability and service levels
    • Support policies and procedures
    • Costs and approvals (internal and customer costs)
    IT Processes
    • CIO
    • IT Management
    • VP of IT Governance
    • VP of IT Strategy
    • IT process flow diagram
    • Processes in place and productivity levels (capacity)
    • Critical processes/processes the organization feels they do particularly well
    IT People
    • CIO
    • VP of Human Resources
    • IT organizational chart
    • Competency & capacity assessment
    • IT organizational structure (including resources from external service providers such as contractors) with appropriate job descriptions or roles and responsibilities
    • IT headcount and location
    Security
    • CISO
    • Security Architect
    • Security posture
    • Information security staff
    • Information security service providers
    • Information security tools
    • In-flight information security projects
    Projects
    • Head of Projects
    • Project portfolio
    • List of all future, ongoing, and recently completed projects
    Vendors
    • Head of Vendor Management
    • License inventory
    • Inventory (including what will and will not be transitioning, vendors, versions, number of licenses)

    Assess the target organization’s technical debt

    The other organization could be costly to purchase if not yet modernizing.

    • Consider the potential costs that your business will have to spend to get the other IT organization modernized or even digital.
    • This will be highly affected by your planned integration strategy.
    • A best-of-breed strategy might simply mean there's little to bring over from the other organization’s environment.
    • It’s often challenging to identify a direct financial cost for technical debt. Consider direct costs but also assess categories of impact that can have a long-term effect on your business: lost customer, staff, or business partner goodwill; limited flexibility and resilience; and health, safety, and compliance impacts.
    • Use more objective measures to track subjective impact. For example, consider the number of customers who could be significantly affected by each tech debt in the next quarter.

    Focus on solving the problems you need to address.

    Analyzing technical debt has value in that the analysis can help your organization make better risk management and resource allocation decisions.

    Review these examples of technical debt

    Do you have any of these challenges?

    Applications
    • Inefficient or incomplete code
    • Fragile or obsolete systems of record that limit the implementation of new functionality
    • Out-of-date IDEs or compilers
    • Unsupported applications
    Data & Analytics
    • Data presented via API that does not conform to chosen standards (EDI, NRF-ARTS, etc.)
    • Poor data governance
    • No transformation between OLTP and the data warehouse
    • Heavy use of OLTP for reporting
    • Lack of AI model and decision governance, maintenance
    End-User Computing
    • Aging and slow equipment
    • No configuration management
    • No MDM/UEM
    Security
    • Unpatched/unpatchable systems
    • Legacy firewalls
    • No data classification system
    • “Perimeter” security architecture
    • No documented security incident response
    • No policies, or unenforced policies
    Operations
    • Incomplete, ineffective, or undocumented business continuity and disaster recovery plans
    • Insufficient backups or archiving
    • Inefficient MACD processes
    • Application sprawl with no record of installed applications or licenses
    • No ticketing or ITSM system
    • No change management process
    • No problem management process
    • No event/alert management
    Infrastructure
    • End-of-life/unsupported equipment
    • Aging power or cooling systems
    • Water- or halon-based data center fire suppression systems
    • Out-of-date firmware
    • No DR site
    • Damaged or messy cabling
    • Lack of system redundancy
    • Integrated computers on business equipment (e.g. shop floor equipment, medical equipment) running out-of-date OS/software
    Project & Portfolio Management
    • No project closure process
    • Ineffective project intake process
    • No resource management practices

    “This isn’t a philosophical exercise. Knowing what you want to get out of this analysis informs the type of technical debt you will calculate and the approach you will take.” (Scott Buchholz, CTO, Deloitte Government & Public Services Practice, The Wall Street Journal, 2015)

    3.1.3 Assess technical debt

    1-2 hours

    Input: Participant views on organizational tech debt, Five to ten key technical debts, Business impact scoring scales, Reasonable next-quarter scenarios for each technical debt, Technical debt business impact analysis

    Output: Initial list of tech debt for the target organization

    Materials: Whiteboard, Sticky notes, Technical Debt Business Impact Analysis Tool, M&A Buy Playbook

    Participants: IT executive/CIO, IT senior leadership, Business leaders, Transition team

    The purpose of this activity is to assess the technical debt of the other IT organization. Taking on unnecessary technical debt is one of the biggest risks to the IT environment

    1. This activity can be completed by leveraging the blueprint Manage Your Technical Debt, specifically the Technical Debt Business Impact Analysis Tool. Complete the following activities in the blueprint:
      • 1.2.1 Identify your technical debt
      • 1.2.2 Select tech debt for your impact analysis
      • 2.2.2 Estimate tech debt impact
      • 2.2.3 Identify the most-critical technical debts
    2. Review examples of technical debt in the previous slide to assist you with this activity.
    3. Document the results from tab 3, Impact Analysis, in the M&A Buy Playbook if you are trying to record all artifacts related to the transaction in one place.

    Record the results in the M&A Buy Playbook.

    How to valuate an IT environment

    And why it matters so much

    • Valuating the target organization’s IT environment is a critical step to fully understand what it might be worth. Business partners are often not in the position to valuate the IT aspects to the degree that you would be.
    • The business investments in IT can be directly translated to a value amount. Meaning for every $1 invested in IT, the business might be gaining $100 in value back or possibly even loosing $100.
    • Determining, documenting, and communicating this information ensures that the business takes IT’s suggestions seriously and recognizes why investing in IT can be so critical.
    • There are three ways a business or asset can be valuated:
      • Cost Approach: Look at the costs associated with building, purchasing, replacing, and maintaining a given aspect of the business.
      • Market Approach: Look at the relative value of a particular aspect of the business. Relative value can fluctuate and depends on what the markets and consequently society believe that particular element is worth.
      • Discounted Cash Flow Approach: Focus on what the potential value of the business could be or the intrinsic value anticipated due to future profitability.

    The IT valuation conducted during due diligence can have a significant impact on the final financials of the transaction for the business.

    3.1.4 Valuate the target IT organization

    1 day

    Input: Valuation of data, Valuation of applications, Valuation of infrastructure and operations, Valuation of security and risk

    Output: Valuation of target organization’s IT

    Materials: Relevant templates/tools, Capital budget, Operating budget, M&A Buy Playbook

    Participants: IT executive/CIO, IT senior leadership, Prospective IT organization

    The purpose of this activity is to valuate the other IT organization.

    1. Review each of slides 42 to 45 to generate a valuation of IT’s data, applications, infrastructure, and security and risk. These valuations consider several tangible and intangible factors and result in a final dollar amount. For more information on this activity, review Activity 1.2.1 from the Proactive phase.
    2. Identify financial amounts for each critical area and add the financial output to the summary slide in the M&A Buy Playbook.
    3. Compare this information against your own IT organization’s valuation.
      1. Does it add value to your IT organization?
      2. Is there too much risk to accept if this transaction goes through?

    Info-Tech Insight

    Consistency is key when valuating your IT organization as well as other IT organizations throughout the transaction process.

    Record the results in the M&A Buy Playbook.

    Culture should not be overlooked, especially as it relates to the integration of IT environments

    • There are three types of culture that need to be considered.
    • Most importantly, this transition is an opportunity to change the culture that might exist in your organization’s IT environment.
    • Make a decision on which type of culture you’d like IT to have post-transition.

    Target Organization’s Culture

    The culture that the target organization is currently embracing. Their established and undefined governance practices will lend insight into this.

    Your Organization’s Culture

    The culture that your organization is currently embracing. Examine people’s attitudes and behaviors within IT toward their jobs and the organization.

    Ideal Culture

    What will the future culture of the IT organization be once integration is complete? Are there aspects that your current organization and the target organization embrace that are worth considering?

    Culture categories

    Map the results of the IT Culture Diagnostic to an existing framework

    Competitive
    • Autonomy
    • Confront conflict directly
    • Decisive
    • Competitive
    • Achievement oriented
    • Results oriented
    • High performance expectations
    • Aggressive
    • High pay for good performance
    • Working long hours
    • Having a good reputation
    • Being distinctive/different
    Innovative
    • Adaptable
    • Innovative
    • Quick to take advantage of opportunities
    • Risk taking
    • Opportunities for professional growth
    • Not constrained by rules
    • Tolerant
    • Informal
    • Enthusiastic
    Traditional
    • Stability
    • Reflective
    • Rule oriented
    • Analytical
    • High attention to detail
    • Organized
    • Clear guiding philosophy
    • Security of employment
    • Emphasis on quality
    • Focus on safety
    Cooperative
    • Team oriented
    • Fair
    • Praise for good performance
    • Supportive
    • Calm
    • Developing friends at work
    • Socially responsible

    Culture Considerations

    • What culture category was dominant for each IT organization?
    • Do you share the same dominant category?
    • Is your current dominant culture category the most ideal to have post-integration?

    3.1.5 Assess Culture

    3-4 hours

    Input: Cultural assessments for current IT organization, Cultural assessment for target IT organization

    Output: Goal for IT culture

    Materials: IT Culture Diagnostic, M&A Buy Playbook

    Participants: IT executive/CIO, IT senior leadership, IT employees of current organization, IT employees of target organization, Company M&A team

    The purpose of this activity is to assess the different cultures that might exist within the IT environments of both organizations. More importantly, your IT organization can select its desired IT culture for the long term if it does not already exist.

    1. Complete this activity by leveraging the blueprint Fix Your IT Culture, specifically the IT Culture Diagnostic. Fill out the diagnostic for the IT department in your organization:
      1. Answer the 16 questions in tab 2, Diagnostic.
      2. Find out your dominant culture and review recommendations in tab 3, Results.
    2. Document the results from tab 3, Results, in the M&A Buy Playbook if you are trying to record all artifacts related to the transaction in one place.
    3. Repeat the activity for the target organization.
    4. Leverage the information to determine what the goal for the culture of IT will be post-integration if it will differ from the current culture.

    Record the results in the M&A Buy Playbook.

    Due Diligence & Preparation

    Step 3.2

    Prepare to Integrate

    Activities

    • 3.2.1 Prioritize integration tasks
    • 3.2.2 Establish the integration roadmap
    • 3.2.3 Identify the needed workforce supply
    • 3.2.4 Estimate integration costs
    • 3.2.5 Create an employee transition plan
    • 3.2.6 Create functional workplans for employees
    • 3.2.7 Align project metrics with identified tasks

    This step involves the following participants:

    • IT executive/CIO
    • IT senior leadership
    • Transition team
    • Company M&A team

    Outcomes of Step

    Have an established plan of action toward integration across all domains and a strategy toward resources.

    Don’t underestimate the importance of integration preparation

    Integration is the process of combining the various components of one or more organizations into a single organization.

    80% of integration should happen within the first two years. (Source: CIO Dive)

    70% of M&A IT integrations fail due to components that could and should be addressed at the beginning. (Source: The Wall Street Journal, 2019)

    Info-Tech Insight

    Integration is not rationalization. Once the organization has integrated, it can prepare to rationalize the IT environment.

    Integration needs

    Identify your domain needs to support the target technology environment

    Set up a meeting with your IT due diligence team to:

    • Address data, applications, infrastructure, and other domain gaps.
    • Discuss the people and processes necessary to achieve the target technology environment and support M&A business objectives.

    Use this opportunity to:

    • Identify data and application complexities between your organization and the target organization.
    • Identify the IT people and process gaps, redundancies, and initiatives.
    • Determine your infrastructure needs and identify redundancies.
      • Does IT have the infrastructure to support the applications and business capabilities of the resultant enterprise?
      • Identify any gaps between the current infrastructure in both organizations and the infrastructure required in the resultant enterprise.
      • Identify any redundancies.
      • Determine the appropriate IT integration strategies.
    • Document your gaps, redundancies, initiatives, and assumptions to help you track and justify the initiatives that must be undertaken and help estimate the cost of integration.

    Integration implications

    Understand the implications for integration with respect to each target technology environment

    Domain

    Independent Models

    Create Links Between Critical Systems

    Move Key Capabilities to Common Systems

    Adopt One Model

    Data & Analytics

    • Consider data sources that might need to be combined (e.g. financials, email lists, internet).
    • Understand where each organization will warehouse its data and how it will be managed in a cost-effective manner.
    • Consider your reporting and transactional needs. Initially systems may remain separate, but eventually they will need to be merged.
    • Analyze whether or not the data types are compatible between companies.
    • Understand the critical data needs and the complexity of integration activities.
    • Consider your reporting and transactional needs. Initially systems may remain separate, but eventually they will need to be merged.
    • Focus on the master data domains that represent the core of your business.
    • Assess the value, size, location, and cleanliness of the target organization’s data sets.
    • Determine the data sets that will be migrated to capture expected synergies and drive core capabilities while addressing how other data sets will be maintained and managed.
    • Decide which applications to keep and which to terminate. This includes setting timelines for application retirement.
    • Establish interim linkages and common interfaces for applications while major migrations occur.

    Applications

    • Establish whether or not there are certain critical applications that still need to be linked (e.g. email, financials).
    • Leverage the unique strengths and functionalities provided by the applications used by each organization.
    • Confirm that adequate documentation and licensing exists.
    • Decide which critical applications need to be linked versus which need to be kept separate to drive synergies. For example, financial, email, and CRM may need to be linked, while certain applications may remain distinct.
    • Pay particular attention to the extent to which systems relating to customers, products, orders, and shipments need to be integrated.
    • Determine the key capabilities that require support from the applications identified by business process owners.
    • Assess which major applications need to be adopted by both organizations, based on the M&A goals.
    • Establish interim linkages and common interfaces for applications while major migrations occur.
    • Decide which applications to keep and which to terminate. This includes setting timelines for application retirement.
    • Establish interim linkages and common interfaces for applications while major migrations occur.

    Integration implications (continued)

    Understand the implications for integration with respect to each target technology environment

    Domain

    Independent Models

    Create Links Between Critical Systems

    Move Key Capabilities to Common Systems

    Adopt One Model

    Infrastructure

    • Assess the infrastructure demands created by retaining separate models (e.g. separate domains, voice, network integration).
    • Evaluate whether or not there are redundant data centers that could be consolidated to reduce costs.
    • Assess the infrastructure demands created by retaining separate models (e.g. separate domains, voice, network integration).
    • Evaluate whether or not there are redundant data centers that could be consolidated to reduce costs.
    • Evaluate whether certain infrastructure components, such as data centers, can be consolidated to support the new model while also eliminating redundancies. This will help reduce costs.
    • Assess which infrastructure components need to be kept versus which need to be terminated to support the new application portfolio. Keep in mind that increasing the transaction volume on a particular application increases the infrastructure capacity that is required for that application.
    • Extend the network to integrate additional locations.

    IT People & Processes

    • Retain workers from each IT department who possess knowledge of key products, services, and legacy systems.
    • Consider whether there are redundancies in staffing that could be eliminated.
    • The IT processes of each organization will most likely remain separate.
    • Consider the impact of the target organization on your IT processes.
    • Retain workers from each IT department who possess knowledge of key products, services, and legacy systems.
    • Consider whether there are redundancies in staffing that could be eliminated.
    • Consider how critical IT processes of the target organization fit with your current IT processes.
    • Identify which redundant staff members should be terminated by focusing on the key skills that will be necessary to support the common systems.
    • If there is overlap with the IT processes in both organizations, you may wish to map out both processes to get a sense for how they might work together.
    • Assess what processes will be prioritized to support IT strategies.
    • Identify which redundant staff members should be terminated by focusing on the key skills that will be necessary to support the prioritized IT processes.

    Integration implications (continued)

    Understand the implications for integration with respect to each target technology environment

    Domain

    Independent Models

    Create Links Between Critical Systems

    Move Key Capabilities to Common Systems

    Adopt One Model

    Leadership/IT Executive

    • Have insight into the goals and direction of the organization’s leadership. Make sure that a communication path has been established to receive information and provide feedback.
    • The decentralized model will require some form of centralization and strong governance processes to enable informed decisions.
    • Ensure that each area can deliver on its needs while not overstepping the goals and direction of the organization.
    • This will help with integration in the sense that front-line employees can see a single organization beginning to form.
    • In this model, there is the opportunity to select elements of each leadership style and strategy that will work for the larger organization.
    • Leadership can provide a single and unified approach to how the strategic goals will be executed.
    • More often than not, this would be the acquiring organization’s strategic direction.

    Vendors

    • Determine which contracts the target organization currently has in place.
    • Having different vendors in place will not be a bad model if it makes sense.
    • Spend time reviewing the contracts and ensuring that each organization has the right contracts to succeed.
    • Identify what redundancies might exist (ERPs, for example) and determine if the vendor would be willing to terminate one contract or another.
    • Through integration, it might be possible to engage in one set of contract negotiations for a single application or technology.
    • Identify whether there are opportunities to combine contracts or if they must remain completely separated until the end of the term.
    • In an effort to capitalize on the contracts working well, reduce the contracts that might be hindering the organization.
    • Speak to the vendor offering the contract.
    • Going forward, ensure the contracts are negotiated to include clauses to allow for easier and more cost-effective integration.

    Integration implications (continued)

    Understand the implications for integration with respect to each target technology environment

    Domain

    Independent Models

    Create Links Between Critical Systems

    Move Key Capabilities to Common Systems

    Adopt One Model

    Security

    • Both organizations would need to have a process for securing their organization.
    • Sharing and accessing information might be more difficult, as each organization would need to keep the other organization separate to ensure the organization remains secure.
    • Creating standard policies and procedures that each organization must adhere to would be critical here (for example, multifactor authentication).
    • Establish a single path of communication between the two organizations, ensuring reliable and secure data and information sharing.
    • Leverage the same solutions to protect the business as a whole from internal and external threats.
    • Identify opportunities where there might be user points of failure that could be addressed early in the process.
    • Determine what method of threat detection and response will best support the business and select that method to apply to the entire organization, both original and newly acquired.

    Projects

    • Projects remain ongoing as they were prior to the integration.
    • Some projects might be made redundant after the initial integration is over.
    • Re-evaluate the projects after integration to ensure they continue to deliver on the business’ strategic direction.
    • Determine which projects are similar to one another and identify opportunities to leverage business needs and solutions for each organization where possible.
    • Review project histories to determine the rationale for and success of projects that could be reused in either organization going forward.
    • Determine which projects should remain ongoing and which projects could wait to be implemented or could be completely stopped.
    • There might be certain modernization projects ongoing that cannot be stopped.
    • However, for all other projects, embrace a single portfolio.
    • Completely reduce or remove all ongoing projects from the one organization and continue with only the projects of the other organization.
    • Add in new projects when they arise as needed.

    3.2.1 Prioritize integration tasks

    2 hours

    Input: Integration tasks, Transition team, M&A RACI

    Output: Prioritized integration list

    Materials: Integration task checklist, Integration roadmap

    Participants: IT executive/CIO, IT senior leadership, Company M&A team

    The purpose of this activity is to prioritize the different integration tasks that your organization has identified as necessary to this transaction. Some tasks might not be relevant for this particular transaction, and others might be critical.

    1. Download the SharePoint or Excel version of the M&A Integration Project Management Tool. Identify which integration tasks you want as part of your project plan. Alter or remove any tasks that are irrelevant to your organization. Add in tasks you think are missing.
    2. When deciding criticality of the task, consider the effect on stakeholders, those who are impacted or influenced in the process of the task, and dependencies (e.g. data strategy needs to be addressed first before you can tackle its dependencies, like data quality).
    3. Feel free to edit the way you measure criticality. The standard tool leverages a three-point scale. At the end, you should have a list of tasks in priority order based on criticality.

    Record the updates in the M&A Integration Project Management Tool (SharePoint).

    Record the updates in the M&A Integration Project Management Tool (Excel).

    Integration checklists

    Prerequisite Checklist
    • Build the project plan for integration and prioritize activities
      • Plan first day
      • Plan first 30/100 days
      • Plan first year
    • Create an organization-aligned IT strategy
    • Identify critical stakeholders
    • Create a communication strategy
    • Understand the rationale for the acquisition or purchase
    • Develop IT's purchasing strategy
    • Determine goal opportunities
    • Create the mission and vision statements
    • Create the guiding principles
    • Create program metrics
    • Consolidate reports from due diligence/data room
    • Conduct culture assessment
    • Create a transaction team
    • Assess workforce demand and supply
    • Plan and communicate potential layoffs
    • Create an employee transition plan
    • Identify the IT investment
    Business
    • Design an enterprise architecture
    • Document your business architecture
    • Identify and assess all of IT's risks
    Leadership/IT Executive
    • Build an IT budget
    • Structure operating budget
    • Structure capital budget
    • Identify the needed workforce demand vs. capacity
    • Establish and monitor key metrics
    • Communicate value realized/cost savings
    Data
    • Confirm data strategy
    • Confirm data governance
    • Data architecture
    • Data sources
    • Data storage (on-premises vs. cloud)
    • Enterprise content management
    • Compatibility of data types between organizations
    • Cleanliness/usability of target organization data sets
    • Identify data sets that need to be combined to capture synergies/drive core capabilities
    • Reporting and analytics capabilities
    Applications
    • Prioritize and address critical applications
      • ERP
      • CRM
      • Email
      • HRIS
      • Financial
      • Sales
      • Risk
      • Security
    • Leverage application rationalization framework to determine applications to keep, terminate, or create
    • Develop method of integrating applications
    • Model critical applications that have dependencies on one another
    • Identify the infrastructure capacity required to support critical applications
    Operations
    • Communicate helpdesk/service desk information
    • Manage sales access to customer data
    • Determine locations and hours of operation
    • Consolidate phone lists and extensions
    • Synchronize email address books

    Integration checklists (continued)

    Infrastructure
    • Determine single network access
    • Manage organization domains
    • Consolidate data centers
    • Compile inventory of vendors, versions, switches, and routers
    • Review hardware lease or purchase agreements
    • Review outsourcing/service provider agreements
    • Review service-level agreements
    • Assess connectivity linkages between locations
    • Plan to migrate to a single email system if necessary
    Vendors
    • Establish a sustainable vendor management office
    • Review vendor landscape
    • Identify warranty options
    • Rationalize vendor services and solutions
    • Identify opportunities to mature the security architecture
    People
    • Design an IT operating model
    • Redesign your IT organizational structure
    • Conduct a RACI
    • Conduct a culture assessment and identify goal IT culture
    • Build an IT employee engagement program
    • Determine critical roles and systems/process/products they support
    • Create a list of employees to be terminated
    • Create employee transition plans
    • Create functional workplans
    Projects
    • Stop duplicate or unnecessary target organization projects
    • Communicate project intake process
    • Prioritize projects
    Products & Services
    • Ensure customer services requirements are met
    • Ensure customer interaction requirements are met
    • Select a solution for product lifecycle management
    Security
    • Conduct a security assessment of target organization
    • Develop accessibility prioritization and schedule
    • Establish an information security strategy
    • Develop a security awareness and training program
    • Develop and manage security governance, risk, and compliance
    • Identify security budget
    • Build a data privacy and classification program
    IT Processes
    • Evaluate current process models
    • Determine productivity/capacity levels of processes
    • Identify processes to be terminated
    • Identify process expectations from target organization
    • Establish a communication plan
    • Develop a change management process
    • Establish/review IT policies

    3.2.2 Establish the integration roadmap

    2 hours

    Input: Prioritized integration tasks, Employee transition plan, Integration RACI, Costs for activities, Activity owners

    Output: Integration roadmap

    Materials: M&A Integration Project Plan Tool (SharePoint), M&A Integration Project Plan Tool (Excel)

    Participants: IT executive/CIO, IT senior leadership, Transition team, Company M&A team

    The purpose of this activity is to create a roadmap to support IT throughout the integration process. Using the information gathered in previous activities, you can create a roadmap that will ensure a smooth integration.

    1. Leverage our M&A Integration Project Management Tool to track critical elements of the integration project. There are a few options available:
      1. Follow the instructions on the next slide if you are looking to upload our SharePoint project template.
      2. If you cannot or do not want to use SharePoint as your project management solution, download our Excel version of the tool.
        **Remember that this your tool, so customize to your liking.
    2. Identify who will own or be accountable for each of the integration tasks and establish the time frame for when each project should begin and end. This will confirm which tasks should be prioritized.

    Record the updates in the M&A Integration Project Management Tool (SharePoint).

    Record the updates in the M&A Integration Project Management Tool (Excel).

    Integration Project Management Tool (SharePoint Template)

    Follow these instructions to upload our template to your SharePoint environment

    1. Create or use an existing SP site.
    2. Download the M&A Integration Project Plan Tool (SharePoint) .wsp file from the Mergers & Acquisitions: The Buy Blueprint landing page.
    3. To import a template into your SharePoint environment, do the following:
      1. Open PowerShell.
      2. Connect-SPO Service (need to install PowerShell module).
      3. Enter in your tenant admin URL.
      4. Enter in your admin credentials.
      5. Set-SPO Site https://YourDomain.sharepoint.com/sites/YourSiteHe... -DenyAddAndCustomizePages 0
      OR
      1. Turn on both custom script features to allow users to run custom
      4. Screenshot of the 'Custom Script' option for importing a template into your SharePoint environment. Feature description reads 'Control whether users can run custom script on personal sites and self-service created sites. Note: changes to this setting might take up to 24 hours to take effect. For more information, see http://go.microsoft.com/fwlink/?LinkIn=397546'. There are options to prevent or allow users from running custom script on personal/self-service created sites.
    4. Enable the SharePoint Server Standard Site Collection features.
    5. Upload the .wsp file in Solutions Gallery.
    6. Deploy by creating a subsite and select from custom options.
      • Allow or prevent custom script
      • Security considerations of allowing custom script
      • Save, download, and upload a SharePoint site as a template
      7. Refer to Microsoft documentation to understand security considerations and what is and isn’t supported:

    For more information, check out the SharePoint Template: Step-by-Step Deployment Guide.

    Participate in active workforce planning to transition employees

    The chosen IT operating model, primary M&A goals, and any planned changes to business strategy will dramatically impact IT staffing and workforce planning efforts.

    Visualization of the three aspects of 'IT workforce planning', as listed below.

    IT workforce planning

    • Primary M&A goals
      If the goal of the M&A is cost cutting, then workforce planning will be necessary to identify labor redundancies.
    • Changes to business strategy
      If business strategy will change after the merger, then workforce planning will typically be more involved than if business strategy will not change.
    • Integration strategy
      For independent models, workforce planning will typically be unnecessary.
      For connection of essential systems or absorption, workforce planning will likely be an involved, time-consuming process.
    1. Estimate the headcount you will need through the end of the M&A transition period.
    2. Outline the process you will use to assess staff for roles that have more than one candidate.
    3. Review employees in each department to determine the best fit for each role.
    4. Determine whether terminations will happen all together or in waves.

    Info-Tech Insight

    Don’t be a short-term thinker when it comes to workforce planning! IT teams that only consider the headcount needed on day one of the new entity will end up scrambling to find skilled resources to fill workforce gaps later in the transition period.

    3.2.3 Identify the needed workforce supply

    3-4 hours

    Input: IT strategy, Prioritized integration tasks

    Output: A clear indication of how many resources are required for each role and the number of resources that the organization actually has

    Materials: Resource Management Supply-Demand Calculator

    Participants: IT executive/CIO, IT senior leadership, Target organization employees, Company M&A team, Transition team

    The purpose of this activity is to determine the anticipated amount of work that will be required to support projects (like integration), administrative, and keep-the-lights-on activities.

    1. Download the Resource Management Supply-Demand Calculator.
    2. The calculator requires minimal up-front staff participation: You can obtain meaningful results with participation from as few as one person with insight on the distribution of your resources and their average work week or month.
    3. The calculator will yield a report that shows a breakdown of your annual resource supply and demand, as well as the gap between the supply and demand. Further insight on project and non-project supply and demand are provided.
    4. Repeat the tool several times to identify the needs of your IT environment for day one, day 30/100, and year one. Anticipate that these will change over time. Also, do not forget to obtain this information from the target organization. Given that you will be integrating, it’s important to know how many staff they have in which roles.
      5. **For additional information, please review slides starting from slide 44 in Establish Realistic IT Resource Management Practices to see how to use the tool.

    Record the results in the Resource Management Supply-Demand Calculator.

    Resource Supply-Demand Calculator Output Example

    Example of a 'Resource Management Supply-Demand Analysis Report' with charts and tables measuring Annualized Resource Supply and Demand, Resource Capacity Confidence, Project Capacity, and combinations of those metrics.

    Resource Capacity Confidence. This figure is based on your confidence in supply confidence, demand stability, and the supply-demand ratio.

    Importance of estimating integration costs

    Change is the key driver of integration costs

    Integration costs are dependent on the following:
    • Meeting synergy targets – whether that be cost saving or growth related.
      • Employee-related costs, licensing, and reconfiguration fees play a huge part in meeting synergy targets.
    • Adjustments related to compliance or regulations – especially if there are changes to legal entities, reporting requirements, or risk-mitigation standards.
    • Governance or third party–related support required to ensure timelines are met and the integration is a success.
    Integration costs vary by industry type.
    • Certain industries may have integration costs made up of mostly one type, differing from other industries, due to the complexity and different demands of the transaction. For example:
      • Healthcare integration costs are mostly driven by regulatory, safety, and quality standards, as well as consolidation of the research and development function.
      • Energy and Utilities tend to have the lowest integration costs due to most transactions occurring within the same sector rather than as a cross-sector investment. For example, oil and gas acquisitions tend to be for oil fields and rigs (strategic fixed assets), which can easily be added to the buyer’s portfolio.

    Integration costs are more related to the degree of change required than the size of the transaction.

    3.2.4 Estimate integration costs

    3-4 hours

    Input: Integration tasks, Transition team, Valuation of current IT environment, Valuation of target IT environment, Outputs from data room, Technical debt, Employees

    Output: List of anticipated costs required to support IT integration

    Materials: Integration task checklist, Integration roadmap, M&A Buy Playbook

    Participants: IT executive/CIO, IT senior leadership, Company M&A team, Transition team

    The purpose of this activity is to estimate the costs that will be associated with the integration. It’s important to ensure a realistic figure is identified and communicated to the larger M&A team within your company as early in the process as possible. This ensures that the funding required for the transaction is secured and budgeted for in the overarching transaction.

    1. On the associated slide in the M&A Buy Playbook, input:
      • Task
      • Domain
      • Cost type
      • Total cost amount
      • Level of certainty around the cost
    2. Provide a copy of the estimated costs to the company’s M&A team. Also provide any additional information identified earlier to help them understand the importance of those costs.

    Record the results in the M&A Buy Playbook.

    Employee transition planning

    Considering employee impact will be a huge component to ensure successful integration

    • Meet With Leadership
    • Plan Individual and Department Redeployment
    • Plan Individual and Department Layoffs
    • Monitor and Manage Departmental Effectiveness
    • For employees, the transition could mean:
      • Changing from their current role to a new role to meet requirements and expectations throughout the transition.
      • Being laid off because the role they are currently occupying has been made redundant.
    • It is important to plan for what the M&A integration needs will be and what the IT operational needs will be.
    • A lack of foresight into this long-term plan could lead to undue costs and headaches trying to retain critical staff, rehiring positions that were already let go, and keeping redundant employees longer then necessary.

    Info-Tech Insight

    Being transparent throughout the process is critical. Do not hesitate to tell employees the likelihood that their job may be made redundant. This will ensure a high level of trust and credibility for those who remain with the organization after the transaction.

    3.2.5 Create an employee transition plan

    3-4 hours

    Input: IT strategy, IT organizational design, Resource Supply-Demand Calculator output

    Output: Employee transition plans

    Materials: M&A Buy Playbook, Whiteboard, Sticky notes, Markers

    Participants: IT executive/CIO, IT senior leadership, Company M&A team, Transition team

    The purpose of this activity is to create a transition plan for employees.

    1. Transition planning can be done at specific individual levels or more broadly to reflect a single role. Consider these four items in the transition plan:
      • Understand the direction of the employee transitions.
      • Identify employees that will be involved in the transition (moved or laid off).
      • Prepare to meet with employees.
      • Meet with employees.
    2. For each employee that will be facing some sort of change in their regular role, permanent or temporary, create a transition plan.
    3. For additional information on transitioning employees, review the blueprint Streamline Your Workforce During a Pandemic.

    **Note that if someone’s future role is a layoff, then there is no need to record anything for skills needed or method for skill development.

    Record the results in the M&A Buy Playbook.

    3.2.6 Create functional workplans for employees

    3-4 hours

    Input: Prioritized integration tasks, Employee transition plan, Integration RACI, Costs for activities, Activity owners

    Output: Employee functional workplans

    Materials: M&A Buy Playbook, Learning and development tools

    Participants: IT executive/CIO, IT senior leadership, IT management team, Company M&A team, Transition team

    The purpose of this activity is to create a functional workplan for the different employees so that they know what their key role and responsibilities are once the transaction occurs.

    1. First complete the transition plan from the previous activity (3.2.5) and the separation roadmap. Have these documents ready to review throughout this process.
    2. Identify the employees who will be transitioning to a new role permanently or temporarily. Creating a functional workplan is especially important for these employees.
    3. Identify the skills these employees need to have to support the separation. Record this in the corresponding slide in the M&A Buy Playbook.
    4. For each employee, identify someone who will be a point of contact for them throughout the transition.

    It is recommended that each employee have a functional workplan. Leverage the IT managers to support this task.

    Record the results in the M&A Buy Playbook.

    Metrics for integration

    Valuation & Due Diligence

    • % Defects discovered in production
    • $ Cost per user for enterprise applications
    • % In-house-built applications vs. enterprise applications
    • % Owners identified for all data domains
    • # IT staff asked to participate in due diligence
    • Change to due diligence
    • IT budget variance
    • Synergy target

    Execution & Value Realization

    • % Satisfaction with the effectiveness of IT capabilities
    • % Overall end-customer satisfaction
    • $ Impact of vendor SLA breaches
    • $ Savings through cost-optimization efforts
    • $ Savings through application rationalization and technology standardization
    • # Key positions empty
    • % Frequency of staff turnover
    • % Emergency changes
    • # Hours of unplanned downtime
    • % Releases that cause downtime
    • % Incidents with identified problem record
    • % Problems with identified root cause
    • # Days from problem identification to root cause fix
    • % Projects that consider IT risk
    • % Incidents due to issues not addressed in the security plan
    • # Average vulnerability remediation time
    • % Application budget spent on new build/buy vs. maintenance (deferred feature implementation, enhancements, bug fixes)
    • # Time (days) to value realization
    • % Projects that realized planned benefits
    • $ IT operational savings and cost reductions that are related to synergies/divestitures
    • % IT staff–related expenses/redundancies
    • # Days spent on IT integration
    • $ Accurate IT budget estimates
    • % Revenue growth directly tied to IT delivery
    • % Profit margin growth

    3.2.7 Align project metrics with identified tasks

    3-4 hours

    Input: Prioritized integration tasks, Employee transition plan, Integration RACI, Costs for activities, Activity owners, M&A goals

    Output: Integration-specific metrics to measure success

    Materials: Roadmap template, M&A Buy Playbook

    Participants: IT executive/CIO, IT senior leadership, Transition team

    The purpose of this activity is to understand how to measure the success of the integration project by aligning metrics to each identified task.

    1. Review the M&A goals identified by the business. Your metrics will need to tie back to those business goals.
    2. Identify metrics that align to identified tasks and measure achievement of those goals. For each metric you consider, ask the following questions:
      • What is the main goal or objective that this metric is trying to solve?
      • What does success look like?
      • Does the metric promote the right behavior?
      • Is the metric actionable? What is the story you are trying to tell with this metric?
      • How often will this get measured?
      • Are there any metrics it supports or is supported by?

    Record the results in the M&A Buy Playbook.

    By the end of this mid-transaction phase you should:

    Have successfully evaluated the target organization’s IT environment, escalated the acquisition risks and benefits, and prepared IT for integration.

    Key outcomes from the Due Diligence & Preparation phase
    • Participate in due diligence activities to accurately valuate the target organization(s) and determine if there are critical risks or benefits the current organization should be aware of.
    • Create an integration roadmap that considers the tasks that will need to be completed and the resources required to support integration.
    Key deliverables from the Due Diligence & Preparation phase
    • Establish a due diligence charter
    • Create a list of data room artifacts and engage in due diligence
    • Assess the target organization’s technical debt
    • Valuate the target IT organization
    • Assess and plan for culture
    • Prioritize integration tasks
    • Establish the integration roadmap
    • Identify the needed workforce supply
    • Estimate integration costs
    • Create employee transition plans
    • Create functional workplans for employees
    • Align project metrics with identified tasks

    M&A Buy Blueprint

    Phase 4

    Execution & Value Realization

    Phase 1Phase 2Phase 3

    Phase 4

    • 1.1 Identify Stakeholders and Their Perspective of IT
    • 1.2 Assess IT’s Current Value and Future State
    • 1.3 Drive Innovation and Suggest Growth Opportunities
    • 2.1 Establish the M&A Program Plan
    • 2.2 Prepare IT to Engage in the Acquisition
    • 3.1 Assess the Target Organization
    • 3.2 Prepare to Integrate
    • 4.1 Execute the Transaction
    • 4.2 Reflection and Value Realization

    This phase will walk you through the following activities:

    • Rationalize the IT environment
    • Continually update the project plan
    • Confirm integration costs
    • Review IT’s transaction value
    • Conduct a transaction and integration SWOT
    • Review the playbook and prepare for future transactions

    This phase involves the following participants:

    • IT executive/CIO
    • IT senior leadership
    • Vendor management team
    • IT transaction team
    • Company M&A team

    Workshop Overview

    Contact your account representative for more information.
    workshops@infotech.com 1-888-670-8889

    Pre-Work

    Day 1

    Day 2

    Day 3

    Engage in Integration

    Day 4

    Establish the Transaction FoundationDiscover the Motivation for IntegrationPlan the Integration RoadmapPrepare Employees for the TransitionEngage in IntegrationAssess the Transaction Outcomes (Must be within 30 days of transaction date)

    Activities

    • 0.1 Understand the rationale for the company's decisions to pursue an acquisition.
    • 0.2 Identify key stakeholders and determine the IT transaction team.
    • 0.3 Gather and evaluate the M&A strategy, future-state operating model, and governance.
    • 1.1 Review the business rationale for the acquisition.
    • 1.2 Identify pain points and opportunities tied to the acquisition.
    • 1.3 Establish the integration strategy.
    • 1.4 Prioritize Integration tasks.
    • 2.1 Establish the integration roadmap.
    • 2.2 Establish and align project metrics with identified tasks.
    • 2.3 Estimate integration costs.
    • 3.1 Assess the current culture and identify the goal culture.
    • 3.2 Identify the needed workforce supply.
    • 3.3 Create an employee transition plan.
    • 3.4 Create functional workplans for employees.
    • I.1 Complete the integration by regularly updating the project plan.
    • I.2 Begin to rationalize the IT environment where possible and necessary.
    • 4.1 Confirm integration costs.
    • 4.2 Review IT’s transaction value.
    • 4.3 Conduct a transaction and integration SWOT.
    • 4.4 Review the playbook and prepare for future transactions.

    Deliverables

    1. IT strategy
    2. IT operating model
    3. IT governance structure
    4. M&A transaction team
    1. Business context implications for IT
    2. Integration strategy
    1. Integration roadmap and associated resourcing
    1. Culture assessment
    2. Workforce supply identified
    3. Employee transition plan
    1. Rationalized IT environment
    2. Updated integration project plan
    1. SWOT of transaction
    2. M&A Buy Playbook refined for future transactions

    What is the Execution & Value Realization phase?

    Post-transaction state

    Once the transaction comes to a close, it’s time for IT to deliver on the critical integration tasks. Set the organization up for success by having an integration roadmap. Retaining critical IT staff throughout this process will also be imperative to the overall transaction success.

    Throughout the integration process, roadblocks will arise and need to be addressed. However, by ensuring that employees, technology, and processes are planned for ahead of the transaction, you as IT will be able to weather those unexpected concerns with greater ease.

    Now that you as an IT leader have engaged in an acquisition, demonstrating the value IT was able to provide to the process is critical to establishing a positive and respected relationship with other senior leaders in the business. Be prepared to identify the positives and communicate this value to advance the business’ perception of IT.

    Goal: To carry out the planned integration activities and deliver the intended value to the business

    Execution Prerequisite Checklist

    Before coming into the Execution & Value Realization phase, you must have addressed the following:

    • Understand the rationale for the company's decisions to pursue an acquisition and what opportunities or pain points the acquisition should alleviate.
    • Identify the key roles for the transaction team.
    • Identify the M&A governance.
    • Determine target metrics and align to project tasks.
    • Select an integration strategy framework.
    • Conduct a RACI for key transaction tasks for the transaction team.
    • Create a list of data room artifacts and engage in due diligence (directly or indirectly).
    • Prioritize integration tasks.
    • Establish the integration roadmap.
    • Identify the needed workforce supply.
    • Create employee transition plans.

    Before coming into the Execution & Value Realization phase, we recommend addressing the following:

    • Create vision and mission statements.
    • Establish guiding principles.
    • Create a future-state operating model.
    • Identify the M&A operating model.
    • Document the communication plan.
    • Examine the business perspective of IT.
    • Identify key stakeholders and outline their relationship to the M&A process.
    • Be able to valuate the IT environment and communicate IT's value to the business.
    • Establish a due diligence charter.
    • Assess the target organization’s technical debt.
    • Valuate the target IT organization.
    • Assess and plan for culture.
    • Estimate integration costs.
    • Create functional workplans for employees.

    Integration checklists

    Prerequisite Checklist
    • Build the project plan for integration and prioritize activities
      • Plan first day
      • Plan first 30/100 days
      • Plan first year
    • Create an organization-aligned IT strategy
    • Identify critical stakeholders
    • Create a communication strategy
    • Understand the rationale for the acquisition or purchase
    • Develop IT's purchasing strategy
    • Determine goal opportunities
    • Create the mission and vision statements
    • Create the guiding principles
    • Create program metrics
    • Consolidate reports from due diligence/data room
    • Conduct culture assessment
    • Create a transaction team
    • Assess workforce demand and supply
    • Plan and communicate potential layoffs
    • Create an employee transition plan
    • Identify the IT investment
    Business
    • Design an enterprise architecture
    • Document your business architecture
    • Identify and assess all of IT's risks
    Leadership/IT Executive
    • Build an IT budget
    • Structure operating budget
    • Structure capital budget
    • Identify the needed workforce demand vs. capacity
    • Establish and monitor key metrics
    • Communicate value realized/cost savings
    Data
    • Confirm data strategy
    • Confirm data governance
    • Data architecture
    • Data sources
    • Data storage (on-premises vs. cloud)
    • Enterprise content management
    • Compatibility of data types between organizations
    • Cleanliness/usability of target organization data sets
    • Identify data sets that need to be combined to capture synergies/drive core capabilities
    • Reporting and analytics capabilities
    Applications
    • Prioritize and address critical applications
      • ERP
      • CRM
      • Email
      • HRIS
      • Financial
      • Sales
      • Risk
      • Security
    • Leverage application rationalization framework to determine applications to keep, terminate, or create
    • Develop method of integrating applications
    • Model critical applications that have dependencies on one another
    • Identify the infrastructure capacity required to support critical applications
    Operations
    • Communicate helpdesk/service desk information
    • Manage sales access to customer data
    • Determine locations and hours of operation
    • Consolidate phone lists and extensions
    • Synchronize email address books

    Integration checklists (continued)

    Infrastructure
    • Determine single network access
    • Manage organization domains
    • Consolidate data centers
    • Compile inventory of vendors, versions, switches, and routers
    • Review hardware lease or purchase agreements
    • Review outsourcing/service provider agreements
    • Review service-level agreements
    • Assess connectivity linkages between locations
    • Plan to migrate to a single email system if necessary
    Vendors
    • Establish a sustainable vendor management office
    • Review vendor landscape
    • Identify warranty options
    • Rationalize vendor services and solutions
    • Identify opportunities to mature the security architecture
    People
    • Design an IT operating model
    • Redesign your IT organizational structure
    • Conduct a RACI
    • Conduct a culture assessment and identify goal IT culture
    • Build an IT employee engagement program
    • Determine critical roles and systems/process/products they support
    • Create a list of employees to be terminated
    • Create employee transition plans
    • Create functional workplans
    Projects
    • Stop duplicate or unnecessary target organization projects
    • Communicate project intake process
    • Prioritize projects
    Products & Services
    • Ensure customer services requirements are met
    • Ensure customer interaction requirements are met
    • Select a solution for product lifecycle management
    Security
    • Conduct a security assessment of target organization
    • Develop accessibility prioritization and schedule
    • Establish an information security strategy
    • Develop a security awareness and training program
    • Develop and manage security governance, risk, and compliance
    • Identify security budget
    • Build a data privacy and classification program
    IT Processes
    • Evaluate current process models
    • Determine productivity/capacity levels of processes
    • Identify processes to be terminated
    • Identify process expectations from target organization
    • Establish a communication plan
    • Develop a change management process
    • Establish/review IT policies

    Execution & Value Realization

    Step 4.1

    Execute the Transaction

    Activities

    • 4.1.1 Rationalize the IT environment
    • 4.1.2 Continually update the project plan

    This step involves the following participants:

    • IT executive/CIO
    • IT senior leadership
    • Vendor management team
    • IT transaction team
    • Company M&A team

    Outcomes of Step

    Successfully execute on the integration and strategize how to rationalize the two (or more) IT environments and update the project plan, strategizing against any roadblocks as they might come.

    Compile –› Assess –› Rationalize

    Access to critical information often does not happen until day one

    • As the transaction comes to a close and the target organization becomes the acquired organization, it’s important to start working on the rationalization of your organization.
    • One of the most important elements will be to have a complete understanding of the acquired organization’s IT environment. Specifically, assess the technology, people, and processes that might exist.
    • This rationalization will be heavily dependent on your planned integration strategy determined in the Discovery & Strategy phase of the process.
    • If your IT organization was not involved until after that phase, then determine whether your organization plans on remaining in its original state, taking on the acquired organization’s state, or forming a best-of-breed state by combining elements.
    • To execute on this, however, a holistic understanding of the new IT environment is required.

    Some Info-Tech resources to support this initiative:

    • Reduce and Manage Your Organization’s Insider Threat Risk
    • Build an Application Rationalization Framework
    • Rationalize Your Collaboration Tools
    • Consolidate IT Asset Management
    • Build Effective Enterprise Integration on the Back of Business Process
    • Consolidate Your Data Centers

    4.1.1 Rationalize the IT environment

    6-12 months

    Input: RACI chart, List of critical applications, List of vendor contracts, List of infrastructure assets, List of data assets

    Output: Rationalized IT environment

    Materials: Software Terms & Conditions Evaluation Tool

    Participants: IT executive/CIO, IT senior leadership, Vendor management

    The purpose of this activity is to rationalize the IT environment to reduce and eliminate redundant technology.

    1. Compile a list of the various applications and vendor contracts from the acquired organization and the original organization.
    2. Determine where there is repetition. Have a member of the vendor management team review those contracts and identify cost-saving opportunities.

    This will not be a quick and easy activity to complete. It will require strong negotiation on the behalf of the vendor management team.

    For additional information and support for this activity, see the blueprint Master Contract Review and Negotiations for Software Agreements.

    4.1.2 Continually update the project plan

    Reoccurring basis following transition

    Input: Prioritized integration tasks, Integration RACI, Activity owners

    Output: Updated integration project plan

    Materials: M&A Integration Project Management Tool

    Participants: IT executive/CIO, IT senior leadership, IT transaction team, Company M&A team

    The purpose of this activity is to ensure that the project plan is continuously updated as your transaction team continues to execute on the various components outlined in the project plan.

    1. Set a regular cadence for the transaction team to meet, update and review the status of the various integration task items, and strategize how to overcome any roadblocks.
    2. Employ governance best practices in these meetings to ensure decisions can be made effectively and resources allocated strategically.

    Record the updates in the M&A Integration Project Management Tool (SharePoint).

    Record the updates in the M&A Integration Project Management Tool (Excel).

    Execution & Value Realization

    Step 4.2

    Reflection and Value Realization

    Activities

    • 4.2.1 Confirm integration costs
    • 4.2.2 Review IT’s transaction value
    • 4.2.3 Conduct a transaction and integration SWOT
    • 4.2.4 Review the playbook and prepare for future transactions

    This step involves the following participants:

    • IT executive/CIO
    • IT senior leadership
    • Transition team
    • Company M&A team

    Outcomes of Step

    Review the value that IT was able to generate around the transaction and strategize on how to improve future acquisition transactions.

    4.2.1 Confirm integration costs

    3-4 hours

    Input: Integration tasks, Transition team, Previous RACI, Estimated costs

    Output: Actual integration costs

    Materials: M&A Buy Playbook

    Participants: IT executive/CIO, IT senior leadership, IT transaction team, Company M&A team

    The purpose of this activity is to confirm the associated costs around integration. While the integration costs would have been estimated previously, it’s important to confirm the costs that were associated with the integration in order to provide an accurate and up-to-date report to the company’s M&A team.

    1. Taking all the original items identified previously in activity 3.2.4, identify if there were changes in the estimated costs. This can be an increase or a decrease.
    2. Ensure that each cost has a justification for why the cost changed from the original estimation.

    Record the results in the M&A Buy Playbook.

    Track synergy capture through the IT integration

    The ultimate goal of the M&A is to achieve and deliver deal objectives. Early in the M&A, IT must identify, prioritize, and execute upon synergies that deliver value to the business and its shareholders. Continue to measure IT’s contribution toward achieving the organization’s M&A goals throughout the integration by keeping track of cost savings and synergies that have been achieved. When these achievements happen, communicate them and celebrate success.

    1. Define Synergy Metrics: Select metrics to track synergies through the integration.
      1. You can track value by looking at percentages of improvement in process-level metrics depending on the synergies being pursued.
      2. For example, if the synergy being pursued is increasing asset utilization, metrics could range from capacity to revenue generated through increased capacity.
    2. Prioritize Synergistic Initiatives: Estimate the cost and benefit of each initiative's implementation to compare the amount of business value to the cost. The benefits and costs should be illustrated at a high level. Estimating the exact dollar value of fulfilling a synergy can be difficult and misleading.
        Steps
      • Determine the benefits that each initiative is expected to deliver.
      • Determine the high-level costs of implementation (capacity, time, resources, effort).
    3. Track Synergy Captures: Develop a detailed workplan to resource the roadmap and track synergy captures as the initiatives are undertaken.

    Once 80% of the necessary synergies are realized, executive pressure will diminish. However, IT must continue to work toward the technology end state to avoid delayed progression.

    4.2.2 Review IT’s transaction value

    3-4 hours

    Input: Prioritized integration tasks, Integration RACI, Activity owners, M&A company goals

    Output: Transaction value

    Materials: M&A Buy Playbook

    Participants: IT executive/CIO, IT senior leadership, Company's M&A team

    The purpose of this activity is to track how your IT organization performed against the originally identified metrics.

    1. If your organization did not have the opportunity to identify metrics earlier, determine from the company M&A team what those metrics might be. Review activity 3.2.7 for more information on metrics.
    2. Identify whether the metric (which should be used to support a goal) was at, below, or above the original target metric. This is a very critical task for IT to complete because it allows IT to confirm that they were successful engaging in the transaction and that the business can count on them in future transactions.
    3. Be sure to record accurate and relevant information on why the outcomes (good or bad) are supporting the M&A goals that were set out by the business.

    Record the results in the M&A Buy Playbook.

    4.2.3 Conduct a transaction and integration SWOT

    2 hours

    Input: Integration costs, Retention rates, Value IT contributed to the transaction

    Output: Strengths, weaknesses, opportunities, and threats

    Materials: Flip charts, Markers, Sticky notes

    Participants: IT executive/CIO, IT senior leadership, Business transaction team

    The purpose of this activity is to assess the positive and negative elements of the transaction.

    1. Consider the various internal and external elements that could have impacted the outcome of the transaction.
      • Strengths. Internal characteristics that are favorable as they relate to your development environment.
      • Weaknesses Internal characteristics that are unfavorable or need improvement.
      • Opportunities External characteristics that you may use to your advantage.
      • Threats External characteristics that may be potential sources of failure or risk.

    Record the results in the M&A Buy Playbook.

    M&A Buy Playbook review

    With an acquisition complete, your IT organization is now more prepared then ever to support the business through future M&As

    • Now that the transaction is more than 80% complete, take the opportunity to review the key elements that worked well and the opportunities for improvement in future transactions.
    • Critically examine the M&A Buy Playbook your IT organization created and identify what worked well to help the transaction and where your organization could adjust to do better in future transactions.
    • If your organization were to engage in another acquisition under your IT leadership, how would you go about the transaction to make sure the company meets its goals?

    4.2.4 Review the playbook and prepare for future transactions

    4 hours

    Input: Transaction and integration SWOT

    Output: Refined M&A playbook

    Materials: M&A Buy Playbook

    Participants: IT executive/CIO

    The purpose of this activity is to revise the playbook and ensure it is ready to go for future transactions.

    1. Using the outputs from the previous activity, 4.2.3, determine what strengths and opportunities there were that should be leveraged in the next transaction.
    2. Likewise, determine which threats and weaknesses could be avoided in the future transactions.
      Remember, this is your M&A Buy Playbook, and it should reflect the most successful outcome for you in your organization.

    Record the results in the M&A Buy Playbook.

    By the end of this post-transaction phase you should:

    Have completed the integration post-transaction and be fluidly delivering the critical value that the business expected of IT.

    Key outcomes from the Execution & Value Realization phase
    • Ensure the integration tasks are being completed and that any blockers related to the transaction are being removed.
    • Determine where IT was able to realize value for the business and demonstrate IT’s involvement in meeting target goals.
    Key deliverables from the Execution & Value Realization phase
    • Rationalize the IT environment
    • Continually update the project plan for completion
    • Confirm integration costs
    • Review IT’s transaction value
    • Conduct a transaction and integration SWOT
    • Review the playbook and prepare for future transactions

    Summary of Accomplishment

    Problem Solved

    Congratulations, you have completed the M&A Buy Blueprint!

    Rather than reacting to a transaction, you have been proactive in tackling this initiative. You now have a process to fall back on in which you can be an innovative IT leader by suggesting how and why the business should engage in an acquisition. You now have:

    • Created a standardized approach for how your IT organization should address acquisitions.
    • Evaluated the target organizations successfully and established an integration project plan.
    • Delivered on the integration project plan successfully and communicated IT’s transaction value to the business.

    Now that you have done all of this, reflect on what went well and what can be improved in case if you have to do this all again in a future transaction.

    If you would like additional support, have our analysts guide you through other phases as part of an Info-Tech workshop.

    Contact your account representative for more information
    workshops@infotech.com 1-888-670-8899

    Research Contributors and Experts

    Ibrahim Abdel-Kader
    Research Analyst | CIO
    Info-Tech Research Group     		Brittany Lutes
    Senior Research Analyst | CIO
    Info-Tech Research Group
    John Annand
    Principal Research Director | Infrastructure
    Info-Tech Research Group     		Scott Bickley
    Principal Research Director | Vendor Management
    Info-Tech Research Group
    Cole Cioran
    Practice Lead | Applications
    Info-Tech Research Group     		Dana Daher
    Research Analyst | Strategy & Innovation
    Info-Tech Research Group
    Eric Dolinar
    Manager | M&A Consulting
    Deloitte Canada     		Christoph Egel
    Director, Solution Design & Deliver
    Cooper Tire & Rubber Company
    Nora Fisher
    Vice President | Executive Services Advisory
    Info-Tech Research Group     		Larry Fretz
    Vice President | Industry
    Info-Tech Research Group

    Research Contributors and Experts

    David Glazer
    Vice President of Analytics
    Kroll     		Jack Hakimian
    Senior Vice President | Workshops and Delivery
    Info-Tech Research Group
    Gord Harrison
    Senior Vice President | Research & Advisory
    Info-Tech Research Group     		Valence Howden
    Principal Research Director | CIO
    Info-Tech Research Group
    Jennifer Jones
    Research Director | Industry
    Info-Tech Research Group     		Nancy McCuaig
    Senior Vice President | Chief Technology and Data Office
    IGM Financial Inc.
    Carlene McCubbin
    Practice Lead | CIO
    Info-Tech Research Group     		Kenneth McGee
    Research Fellow | Strategy & Innovation
    Info-Tech Research Group
    Nayma Naser
    Associate
    Deloitte     		Andy Neill
    Practice Lead | Data & Analytics, Enterprise Architecture
    Info-Tech Research Group

    Research Contributors and Experts

    Rick Pittman
    Vice President | Research
    Info-Tech Research Group     		Rocco Rao
    Research Director | Industry
    Info-Tech Research Group
    Mark Rosa
    Senior Vice President & Chief Information Officer
    Mohegan Gaming and Entertainment     		Tracy-Lynn Reid
    Research Lead | People & Leadership
    Info-Tech Research Group
    Jim Robson
    Senior Vice President | Shared Enterprise Services (retired)
    Great-West Life     		Steven Schmidt
    Senior Managing Partner Advisory | Executive Services
    Info-Tech Research Group
    Nikki Seventikidis
    Senior Manager | Finance Initiative & Continuous Improvement
    CST Consultants Inc.     		Allison Straker
    Research Director | CIO
    Info-Tech Research Group
    Justin Waelz
    Senior Network & Systems Administrator
    Info-Tech Research Group     		Sallie Wright
    Executive Counselor
    Info-Tech Research Group

    Bibliography

    “5 Ways for CIOs to Accelerate Value During Mergers and Acquisitions.” Okta, n.d. Web.

    Altintepe, Hakan. “Mergers and acquisitions speed up digital transformation.” CIO.com, 27 July 2018. Web.

    “America’s elite law firms are booming.” The Economist, 15 July 2021. Web.

    Barbaglia, Pamela, and Joshua Franklin. “Global M&A sets Q1 record as dealmakers shape post-COVID world.” Nasdaq, 1 April 2021. Web.

    Boyce, Paul. “Mergers and Acquisitions Definition: Types, Advantages, and Disadvantages.” BoyceWire, 8 Oct. 2020. Web.

    Bradt, George. “83% Of Mergers Fail -- Leverage A 100-Day Action Plan For Success Instead.” Forbes, 27 Jan. 2015. Web.

    Capgemini. “Mergers and Acquisitions: Get CIOs, IT Leaders Involved Early.” Channel e2e, 19 June 2020. Web.

    Chandra, Sumit, et al. “Make Or Break: The Critical Role Of IT In Post-Merger Integration.” IMAA Institute, 2016. Web.

    Deloitte. “How to Calculate Technical Debt.” The Wall Street Journal, 21 Jan. 2015. Web.

    Ernst & Young. “IT As A Driver Of M&A Success.” IMAA Institute, 2017. Web.

    Fernandes, Nuno. “M&As In 2021: How To Improve The Odds Of A Successful Deal.” Forbes, 23 March 2021. Web.

    “Five steps to a better 'technology fit' in mergers and acquisitions.” BCS, 7 Nov. 2019. Web.

    Fricke, Pierre. “The Biggest Opportunity You’re Missing During an M&Aamp; IT Integration.” Rackspace, 4 Nov. 2020. Web.

    Garrison, David W. “Most Mergers Fail Because People Aren't Boxes.” Forbes, 24 June 2019. Web.

    Harroch, Richard. “What You Need To Know About Mergers & Acquisitions: 12 Key Considerations When Selling Your Company.” Forbes, 27 Aug. 2018. Web.

    Hope, Michele. “M&A Integration: New Ways To Contain The IT Cost Of Mergers, Acquisitions And Migrations.” Iron Mountain, n.d. Web.

    “How Agile Project Management Principles Can Modernize M&A.” Business.com, 13 April 2020. Web.

    Hull, Patrick. “Answer 4 Questions to Get a Great Mission Statement.” Forbes, 10 Jan. 2013. Web.

    Kanter, Rosabeth Moss. “What We Can Learn About Unity from Hostile Takeovers.” Harvard Business Review, 12 Nov. 2020. Web.

    Koller, Tim, et al. “Valuation: Measuring and Managing the Value of Companies, 7th edition.” McKinsey & Company, 2020. Web.

    Labate, John. “M&A Alternatives Take Center Stage: Survey.” The Wall Street Journal, 30 Oct. 2020. Web.

    Lerner, Maya Ber. “How to Calculate ROI on Infrastructure Automation.” DevOps.com, 1 July 2020. Web.

    Loten, Angus. “Companies Without a Tech Plan in M&A Deals Face Higher IT Costs.” The Wall Street Journal, 18 June 2019. Web.

    Low, Jia Jen. “Tackling the tech integration challenge of mergers today” Tech HQ, 6 Jan. 2020. Web.

    Lucas, Suzanne. “5 Reasons Turnover Should Scare You.” Inc. 22 March 2013. Web.

    “M&A Trends Survey: The future of M&A. Deal trends in a changing world.” Deloitte, Oct. 2020. Web.

    Maheshwari, Adi, and Manish Dabas. “Six strategies tech companies are using for successful divesting.” EY, 1 Aug. 2020. Web.

    Majaski, Christina. “Mergers and Acquisitions: What's the Difference?” Investopedia, 30 Apr. 2021.

    “Mergers & Acquisitions: Top 5 Technology Considerations.” Teksetra, 21 Jul. 2020. Web.

    “Mergers Acquisitions M&A Process.” Corporate Finance Institute, n.d. Web.

    “Mergers and acquisitions: A means to gain technology and expertise.” DLA Piper, 2020. Web.

    Nash, Kim S. “CIOs Take Larger Role in Pre-IPO Prep Work.” The Wall Street Journal, 5 March 2015. Web.

    Paszti, Laila. “Canada: Emerging Trends In Information Technology (IT) Mergers And Acquisitions.” Mondaq, 24 Oct. 2019. Web.

    Patel, Kiison. “The 8 Biggest M&A Failures of All Time” Deal Room, 9 Sept. 2021. Web.

    Peek, Sean, and Paula Fernandes. “What Is a Vision Statement?” Business News Daily, 7 May 2020. Web.

    Ravid, Barak. “Tech execs focus on growth amid increasingly competitive M&A market.” EY, 28 April 2021. Web.

    Resch, Scott. “5 Questions with a Mergers & Acquisitions Expert.” CIO, 25 June 2019. Web.

    Salsberg, Brian. “Four tips for estimating one-time M&A integration costs.” EY, 17 Oct. 2019. Web.

    Samuels, Mark. “Mergers and acquisitions: Five ways tech can smooth the way.” ZDNet, 15 Aug. 2018. Web.

    “SAP Divestiture Projects: Options, Approach and Challenges.” Cognizant, May, 2014. Web.

    Steeves, Dave. “7 Rules for Surviving a Merger & Acquisition Technology Integration.” Steeves and Associates, 5 Feb. 2020. Web.

    Tanaszi, Margaret. “Calculating IT Value in Business Terms.” CSO, 27 May 2004. Web.

    “The CIO Playbook. Nine Steps CIOs Must Take For Successful Divestitures.” SNP, 2016. Web.

    “The Role of IT in Supporting Mergers and Acquisitions.” Cognizant, Feb. 2015. Web.

    Torres, Roberto. “M&A playbook: How to prepare for the cost, staff and tech hurdles.” CIO Dive, 14 Nov. 2019. Web.

    “Valuation Methods.” Corporate Finance Institute, n.d. Web.

    Weller, Joe. “The Ultimate Guide to the M&A Process for Buyers and Sellers.” Smartsheet, 16 May 2019. Web.

    Modernize Your Applications

    • Buy Link or Shortcode: {j2store}178|cart{/j2store}
    • member rating overall impact: 10.0/10 Overall Impact
    • member rating average dollars saved: After each Info-Tech experience, we ask our members to quantify the real-time savings, monetary impact, and project improvements our research helped them achieve.
    • member rating average days saved: Read what our members are saying
    • Parent Category Name: Architecture & Strategy
    • Parent Category Link: /architecture-and-strategy
    • Application modernization is essential to stay competitive and productive in today’s digital environment. Your stakeholders have outlined their digital business goals that IT is expected to meet.
    • Your application portfolio cannot sufficiently support the flexibility and efficiency the business needs because of legacy challenges.
    • Your teams do not have a framework to illustrate, communicate, and justify the modernization effort and organizational changes in the language your stakeholders understand.

    Our Advice

    Critical Insight

    • Build your digital applications around continuous modernization. End-user needs, technology, business direction, and regulations rapidly change in today’s competitive and fast-paced industry. This reality will quickly turn your modern applications into shelfware. Build continuous modernization at the center of your digital application vision to keep up with evolving business, end-user, and IT needs.
    • Application modernization is organizational change management. If you build and modernize it, they may not come. The crux of successful application modernization is centered on the strategic, well-informed, and onboarded adoption of changes in key business areas, capabilities, and processes. Organizational change management must be front and center so that applications are fit for purpose and are something that end users want and need to use.
    • Business-IT collaboration is not optional. Application modernization will not be successful if your lines of business (LOBs) and IT are not working together. IT must empathize how LOBs operate and proactively support the underlying operational systems. LOBs must be accountable for all products leveraging modern technologies and be able to rationalize the technical feasibility of their digital application vision.

    Impact and Result

    • Establish the digital application vision. Gain a grounded understanding of the digital application construct and prioritize these attributes against your digital business goals.
    • Define your modernization approach. Obtain a thorough view of your business and technical complexities, risks, and impacts. Employ the right modernization techniques based on your organization’s change tolerance.
    • Build your roadmap. Clarify the organizational changes needed to support modernization and adoption of your digital applications.

    Modernize Your Applications Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should strategically modernize your applications, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Set your vision

    Describe your application vision and set the right modernization expectations with your stakeholders.

    • Modernize Your Applications – Phase 1: Set Your Vision

    2. Identify your modernization opportunities

    Focus your modernization efforts on the business opportunities that your stakeholders care about.

    • Modernize Your Applications – Phase 2: Identify Your Modernization Opportunities

    3. Plan your modernization

    Describe your modernization initiatives and build your modernization tactical roadmap.

    • Modernize Your Applications – Phase 3: Plan Your Modernization
    [infographic]

    Workshop: Modernize Your Applications

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Set Your Vision

    The Purpose

    Discuss the goals of your application modernization initiatives

    Define your digital application vision and priorities

    List your modernization principles

    Key Benefits Achieved

    Clear application modernization objectives and high priority value items

    Your digital application vision and attributes

    Key principles that will guide your application modernization initiatives

    Activities

    1.1 State Your Objectives

    1.2 Characterize Your Digital Application

    1.3 Define Your Modernization Principles

    Outputs

    Application modernization objectives

    Digital application vision and attributes definitions

    List of application modernization principles and guidelines

    2 Identify Your Modernization Opportunities

    The Purpose

    Identify the value streams and business capabilities that will benefit the most from application modernization

    Conduct a change tolerance assessment

    Build your modernization strategic roadmap

    Key Benefits Achieved

    Understanding of the value delivery improvements modernization can bring

    Recognizing the flexibility and tolerance of your organization to adopt changes

    Select an approach that best fits your organization’s goals and capacity

    Activities

    2.1 Identify the Opportunities

    2.2 Define Your Modernization Approach

    Outputs

    Value streams and business capabilities that are ideal modernization opportunities

    Your modernization strategic roadmap based on your change tolerance and modernization approach

    3 Plan Your Modernization

    The Purpose

    Identify the most appropriate modernization technique and the scope of changes to implement your techniques

    Develop an actionable tactical roadmap to complete your modernization initiatives

    Key Benefits Achieved

    Clear understanding of what must be changed to the organization and application considering your change tolerance

    An achievable modernization plan

    Activities

    3.1 Shortlist Your Modernization Techniques

    3.2 Roadmap Your Modernization Initiatives

    Outputs

    Scope of your application modernization initiatives

    Your modernization tactical roadmap

    Create a Holistic IT Dashboard

    • Buy Link or Shortcode: {j2store}117|cart{/j2store}
    • member rating overall impact: 9.5/10 Overall Impact
    • member rating average dollars saved: $8,049 Average $ Saved
    • member rating average days saved: 8 Average Days Saved
    • Parent Category Name: Performance Measurement
    • Parent Category Link: /performance-measurement
    • IT leaders do not have a single holistic view of how their 45 IT processes are operating.
    • Expecting any single individual to understand the details of all 45 IT processes is unrealistic.
    • Problems in performance only become evident when the process has already failed.

    Our Advice

    Critical Insight

    • Mature your IT department by measuring what matters.
    • Don’t measure things just because you can; change what you measure as your organization matures.

    Impact and Result

    • Use Info-Tech’s IT Metrics Library to review typical KPIs for each of the 45 process areas and select those that apply to your organization.
    • Configure your IT Management Dashboard to record your selected KPIs and start to measure performance.
    • Set up the cadence for review of the KPIs and develop action plans to improve low-performing indicators.

    Create a Holistic IT Dashboard Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out how to develop your KPI program that leads to improved performance.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Choose the KPIs

    Identify the KPIs that matter to your organization’s goals.

    • Create a Holistic IT Dashboard – Phase 1: Choose the KPIs
    • IT Metrics Library

    2. Build the Dashboard

    Use the IT Management Dashboard on the Info-Tech website to display your chosen KPIs.

    • Create a Holistic IT Dashboard – Phase 2: Build the Dashboard

    3. Create the Action Plan

    Use the review of your KPIs to build an action plan to drive performance.

    • Create a Holistic IT Dashboard – Phase 3: Build the Action Plan
    [infographic]

    Workshop: Create a Holistic IT Dashboard

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Identify What to Measure (Offsite)

    The Purpose

    Determine the KPIs that matter to your organization.

    Key Benefits Achieved

    Identify organizational goals

    Identify IT goals and their organizational goal alignment

    Identify business pain points

    Activities

    1.1 Identify organizational goals.

    1.2 Identify IT goals and organizational alignment.

    1.3 Identify business pain points.

    Outputs

    List of goals and pain points to create KPIs for

    2 Configure the Dashboard Tool (Onsite)

    The Purpose

    Learn how to configure and use the IT Management Dashboard.

    Key Benefits Achieved

    Configured IT dashboard

    Initial IT scorecard report

    Activities

    2.1 Review metrics and KPI best practices.

    2.2 Use the IT Metrics Library.

    2.3 Select the KPIs for your organization.

    2.4 Use the IT Management Dashboard.

    Outputs

    Definition of KPIs to be used, data sources, and ownership

    Configured IT dashboard

    3 Review and Develop the Action Plan

    The Purpose

    Learn how to review and plan actions based on the KPIs.

    Key Benefits Achieved

    Lead KPI review to actions to improve performance

    Activities

    3.1 Create the scorecard report.

    3.2 Interpret the results of the dashboard.

    3.3 Use the IT Metrics Library to review suggested actions.

    Outputs

    Initial IT scorecard report

    Action plan with initial actions

    4 Improve Your KPIs (Onsite)

    The Purpose

    Use your KPIs to drive performance.

    Key Benefits Achieved

    Improve your metrics program to drive effectiveness

    Activities

    4.1 Develop your action plan.

    4.2 Execute the plan and tracking progress.

    4.3 Develop new KPIs as your practice matures.

    Outputs

    Understanding of how to develop new KPIs using the IT Metrics Library

    5 Next Steps and Wrap-Up (Offsite)

    The Purpose

    Ensure all documentation and plans are complete.

    Key Benefits Achieved

    Documented next steps

    Activities

    5.1 Complete IT Metrics Library documentation.

    5.2 Document decisions and next steps.

    Outputs

    IT Metrics Library

    Action plan

    Further reading

    Create a Holistic IT Dashboard

    Mature your IT department by measuring what matters.

    Executive Brief

    Analyst Perspective

    Measurement alone provides only minimal improvements

    It’s difficult for CIOs and other top-level leaders of IT to know if everything within their mandate is being managed effectively. Gaining visibility into what’s happening on the front lines without micromanaging is a challenge most top leaders face.

    Understanding Info-Tech’s Management and Governance Framework of processes that need to be managed and being able to measure what’s important to their organization's success can give leaders the ability to focus on their key responsibilities of ensuring service effectiveness, enabling increased productivity, and creating the ability for their teams to innovate.

    Even if you know what to measure, the measurement alone will lead to minimal improvements. Having the right methods in place to systematically collect, review, and act on those measurements is the differentiator to driving up the maturity of your IT organization.

    The tools in this blueprint can help you identify what to measure, how to review it, and how to create effective plans to improve performance.

    Tony Denford

    Research Director, Info-Tech Research Group

    Executive Summary

    Your Challenge

    • IT leaders do not have a single holistic view of how their IT processes are operating.
    • Expecting any single individual to understand the details of all IT processes is unrealistic.
    • Problems in performance only become evident when the process has already failed.

    Common Obstacles

    • Business changes quickly, and what should be measured changes as a result.
    • Most measures are trailing indicators showing past performance.
    • Measuring alone does not result in improved performance.
    • There are thousands of operational metrics that could be measured, but what are the right ones for an overall dashboard?

    Info-Tech's Approach

    • Use Info-Tech’s IT Metrics Library to review typical KPIs for each of the process areas and select those that apply to your organization.
    • Configure your IT Management Dashboard to record your selected KPIs and start to measure performance.
    • Set up the cadence for review of the KPIs and develop action plans to improve low-performing indicators.

    Info-Tech Insight

    Mature your IT department by aligning your measures with your organizational goals. Acting early when your KPIs deviate from the goals leads to improved performance.

    Your challenge

    This research is designed to help organizations quickly choose holistic measures, review the results, and devise action plans.

    • The sheer number of possible metrics can be overwhelming. Choose metrics from our IT Metrics Library or choose your own, but always ensure they are in alignment with your organizational goals.
    • Ensure your dashboard is balanced across all 45 process areas that a modern CIO is responsible for.
    • Finding leading indicators to allow your team to be proactive can be difficult if your team is focused on the day-to-day operational tasks.
    • It can be time consuming to figure out what to do if an indicator is underperforming.

    Build your dashboard quickly using the toolset in this research and move to improvement actions as soon as possible.

    The image is a bar graph, titled KPI-based improvements. On the X-axis are four categories, each with one bar for Before KPIs and another for After KPIs. The categories are: Productivity; Fire Incidents; Request Response Time; and Savings.

    Productivity increased by 30%

    Fire/smoke incidents decreased by 25% (high priority)

    Average work request response time reduced by 64%

    Savings of $1.6 million in the first year

    (CFI, 2013)

    Common obstacles

    These barriers make this challenge difficult to address for many organizations:

    • What should be measured can change over time as your organization matures and the business environment changes. Understanding what creates business value for your organization is critical.
    • Organizations almost always focus on past result metrics. While this is important, it will not indicate when you need to adjust something until it has already failed.
    • It’s not just about measuring. You also need to review the measures often and act on the biggest risks to your organization to drive performance.

    Don’t get overwhelmed by the number of things you can measure. It can take some trial and error to find the measures that best indicate the health of the process.

    The importance of frequent review

    35% - Only 35% of governing bodies review data at each meeting. (Committee of University Chairs, 2008)

    Common obstacles

    Analysis paralysis

    Poor data can lead to incorrect conclusions, limit analysis, and undermine confidence in the value of your dashboard.

    Achieving perfect data is extremely time consuming and may not add much value. It can also be an excuse to avoid getting started with metrics and analytics.

    Data quality is a struggle for many organizations. Consider how much uncertainty you can tolerate in your analysis and what would be required to improve your data quality to an acceptable level. Consider cost, technological resources, people resources, and time required.

    Info-Tech Insight

    Analytics are only as good as the data that informs it. Aim for just enough data quality to make informed decisions without getting into analysis paralysis.

    Common obstacles

    The problem of surrogation

    Tying KPIs and metrics to performance often leads to undesired behavior. An example of this is the now infamous Wells Fargo cross-selling scandal, in which 3.5 million credit card and savings accounts were opened without customers’ consent when the company incented sales staff to meet cross-selling targets.

    Although this is an extreme example, it’s an all-too-common phenomenon.

    A focus on the speed of closure of tickets often leads to shortcuts and lower-quality solutions.

    Tying customer value to the measures can align the team on understanding the objective rather than focusing on the measure itself, and the team will no longer be able to ignore the impact of their actions.

    Surrogation is a phenomenon in which a measure of a behavior replaces the intent of the measure itself. People focus on achieving the measure instead of the behavior the measure was intended to drive.

    Info-Tech’s thought model

    The Threefold Role of the IT Executive Core CIO Objectives
    IT Organization - Manager A - Optimize the Effectiveness of the IT Organization
    Enterprise - Partner B - Boost the Productivity of the Enterprise
    Market - Innovator C - Enable Business Growth Through Technology

    Low-Maturity Metrics Program

    Trailing indicators measure the outcomes of the activities of your organization. Hopefully, the initiatives and activities are aligned with the organizational goals.

    High-Maturity Metrics Program

    The core CIO objectives align with the organizational goals, and teams define leading indicators that show progress toward those goals. KPIs are reviewed often and adjustments are made to improve performance based on the leading indicators. The results are improved outcomes, greater transparency, and increased predictability.

    The image is a horizontal graphic with multiple text boxes. The first (on the left) is a box that reads Organizational Goals, second a second box nested within it that reads Core CIO Objectives. There is an arrow pointing from this box to the right. The arrow connects to a text box that reads Define leading indicators that show progress toward objectives. To the right of that, there is a title Initiatives & activities, with two boxes beneath it: Processes and Projects. Below this middle section, there is an arrow pointing left, with the text: Adjust behaviours. After this, there is an arrow pointing right, to a box with the title Outcomes, and the image of an unlabelled bar graph.

    Info-Tech’s approach

    Adopt an iterative approach to develop the right KPIs for your dashboard

    Periodically: As appropriate, review the effectiveness of the KPIs and adjust as needed.

    Frequently: At least once per month, but the more frequent, the more agility your organization will have.

    The image shows a series of steps in a process, each connected by an arrow. The process is iterative, so the steps circle back on themselves, and repeat. The process begins with IT Metrics Library, then Choose or build KPIs, then Build Dashboard, then Review KPIs and Create action plan. Review KPIs and Create action plan are steps that the graphic indicates should be repeated, so the arrows are arranged in a circle around these two items. Following that, there is an additional step: Are KPIs and action plans leading to improved results? After this step, we return to the Choose or build KPIs step.

    The Info-Tech difference:

    1. Quickly identify the KPIs that matter to your organization using the IT Metrics Library.
    2. Build a presentable dashboard using the IT Management Dashboard available on the Info-Tech website.
    3. When indicators show underperformance, quickly get them back on track using the suggested research in the IT Metrics Library.
    4. If your organization’s needs are different, define your own custom metrics using the same format as the IT Metrics Library.
    5. Use the action plan tool to keep track of progress

    Info-Tech’s methodology for creating a holistic IT dashboard

    1. Choose the KPIs 2. Build the Dashboard 3. Create the Action Plan
    Phase Steps
    1. Review available KPIs
    2. Select KPIs for your organization
    3. Identify data sources and owners
    1. Understand how to use the IT Management Dashboard
    2. Build and review the KPIs
    1. Prioritize low-performing indicators
    2. Review suggested actions
    3. Develop your action plan
    Phase Outcomes A defined and documented list of the KPIs that will be used to monitor each of the practice areas in your IT mandate A configured dashboard covering all the practice areas and the ability to report performance in a consistent and visible way An action plan for addressing low-performing indicators

    Insight summary

    Mature your IT department by aligning your measures with your organizational goals. Acting early when your KPIs deviate from the goals leads to improved performance.

    Don’t just measure things because you can. Change what you measure as your organization becomes more mature.

    Select what matters to your organization

    Measure things that will resolve pain points or drive you toward your goals.

    Look for indicators that show the health of the practice, not just the results.

    Review KPIs often

    Ease of use will determine the success of your metrics program, so keep it simple to create and review the indicators.

    Take action to improve performance

    If indicators are showing suboptimal performance, develop an action plan to drive the indicator in the right direction.

    Act early and often.

    Measure what your customers value

    Ensure you understand what’s valued and measure whether the value is being produced. Let front-line managers focus on tactical measures and understand how they are linked to value.

    Look for predictive measures

    Determine what action will lead to the desired result and measure if the action is being performed. It’s better to predict outcomes than react to them.

    Blueprint deliverables

    Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:

    IT Metrics Library

    Customize the KPIs for your organization using the IT Metrics Library

    IT Metrics Library Action Plan

    Keep track of the actions that are generated from your KPI review

    Key deliverable:

    IT Management Dashboard and Scorecard

    The IT Overall Scorecard gives a holistic view of the performance of each IT function

    Blueprint benefits

    IT Benefits

    • An IT dashboard can help IT departments understand how well they are performing against key indicators.
    • It can allow IT teams to demonstrate to their business partners the areas they are focusing on.
    • Regular review and action planning based on the results will lead to improved performance, efficiency, and effectiveness.
    • Create alignment of IT teams by focusing on common areas of performance.

    Business Benefits

    • Ensure alignment and transparency between the business and IT.
    • Understand the value that IT brings to the operation and strategic initiatives of your organization.
    • Understand the contribution of the IT team to achieving business outcomes.
    • Focus IT on the areas that are important to you by requesting new measures as business needs change.

    Measure the value of this blueprint

    Utilize the existing IT Metrics Library and IT Dashboard tools to quickly kick off your KPI program

    • Developing the metrics your organization should track can be very time consuming. Save approximately 120 hours of effort by choosing from the IT Metrics Library.
    • The need for a simple method to display your KPIs means either developing your own tool or buying one off the shelf. Use the IT Management Dashboard to quickly get your KPI program up and running. Using these tools will save approximately 480 hours.
    • The true value of this initiative comes from using the KPIs to drive performance.

    Keeping track of the number of actions identified and completed is a low overhead measure. Tracking time or money saved is higher overhead but also higher value.

    The image is a screen capture of the document titled Establish Baseline Metrics. It shows a table with the headings: Metric, Current, Goal.

    The image is a chart titled KPI benefits. It includes a legend indicating that blue bars are for Actions identified, purple bars are for Actions completed, and the yellow line is for Time/money saved. The graph shows Q1-Q4, indicating an increase in all areas across the quarters.

    Executive Brief Case Study

    Using data-driven decision making to drive stability and increase value

    Industry: Government Services

    Source: Info-Tech analyst experience

    Challenge

    A newly formed application support team with service desk responsibilities was becoming burned out due to the sheer volume of work landing on their desks. The team was very reactive and was providing poor service due to multiple conflicting priorities.

    To make matters worse, there was a plan to add a major new application to the team’s portfolio.

    Solution

    The team began to measure the types of work they were busy doing and then assessed the value of each type of work.

    The team then problem solved how they could reduce or eliminate their low-value workload.

    This led to tracking how many problems were being resolved and improved capabilities to problem solve effectively.

    Results

    Upon initial data collection, the team was performing 100% reactive workload. Eighteen months later slightly more than 80% of workload was proactive high-value activities.

    The team not only was able to absorb the additional workload of the new application but also identified efficiencies in their interactions with other teams that led to a 100% success rate in the change process and a 92% decrease in resource needs for major incidents.

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    "Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful."

    Guided Implementation

    "Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track."

    Workshop

    "We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place."

    Consulting

    "Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project."

    Diagnostic and consistent frameworks are used throughout all four options.

    Guided Implementation

    What does a typical GI on this topic look like?

    Phase 1 - Choose the KPIs

    Call #1: Scope dashboard and reporting needs.

    Call #2: Learn how to use the IT Metrics Library to select your metrics.

    Phase 2 – Build the Dashboard

    Call #3: Set up the dashboard.

    Call #4: Capture data and produce the report.

    Phase 3 – Create the Action Plan

    Call #5: Review the data and use the metrics library to determine actions.

    Call #6: Improve the KPIs you measure.

    A Guided Implementation (GI) is series of calls with an Info-Tech analyst to help implement our best practices in your organization.

    A typical GI is between 5 and 8 calls over the course of 2 to 3 months.

    Workshop Overview

    Contact your account representative for more information.

    workshops@infotech.com 1-888-670-8889

    Day 1 Day 2 Day 3 Day 4 Day 5
    Identify What to Measure Configure the Dashboard Tool Review and Develop the Action Plan Improve Your KPIs Compile Workshop Output
    Activities

    1.1 Identify organizational goals.

    1.2 Identify IT goals and organizational alignment.

    1.3 Identify business pain points.

    2.1 Determine metrics and KPI best practices.

    2.2 Learn how to use the IT Metrics Library.

    2.3 Select the KPIs for your organization.

    2.4 Configure the IT Management Dashboard.

    3.1 Create the scorecard report.

    3.2 Interpret the results of the dashboard.

    3.3 Use the IT Metrics Library to review suggested actions.

    4.1 Develop your action plan.

    4.2 Execute the plan and track progress.

    4.3 Develop new KPIs as your practice matures.

    5.1 Complete the IT Metrics Library documentation.

    5.2 Document decisions and next steps.

    Outcomes 1. List of goals and pain points that KPIs will measure

    1. Definition of KPIs to be used, data sources, and ownership

    2. Configured IT dashboard

    1. Initial IT scorecard report

    2. Action plan with initial actions

    		1. Understanding of how to develop new KPIs using the IT Metrics Library

    1. IT Metrics Library documentation

    2. Action plan

    Phase 1

    Choose the KPIs

    Phase 1

    1.1 Review Available KPIs

    1.2 Select KPIs for Your Org.

    1.3 Identify Data Sources and Owners

    Phase 2

    2.1 Understand the IT Management Dashboard

    2.2 Build and Review the KPIs

    Phase 3

    3.1 Prioritize Low-Performing Indicators

    3.2 Review Suggested Actions

    3.3 Develop the Action Plan

    This phase will walk you through the following activities:

    Reviewing and selecting the KPIs suggested in the IT Metrics Library.

    Identifying the data source for the selected KPI and the owner responsible for data collection.

    This phase involves the following participants:

    • Senior IT leadership
    • Process area owners
    • Metrics program owners and administrators

    Step 1.1

    Review Available KPIs

    Activities

    1.1.1 Download the IT Metrics Library and review the KPIs for each practice area.

    Choose the KPIs

    Step 1.1 – Review Available KPIs

    Step 1.2 – Select KPIs for Your Org.

    Step 1.3 – Identify Data Sources and owners

    This step will walk you through the following activities:

    Downloading the IT Metrics Library

    Understanding the content of the tool

    Reviewing the intended goals for each practice area

    This step involves the following participants:

    • Senior IT leadership
    • Process area owners
    • Metrics program owners and administrators

    Outcomes of this step

    Downloaded tool ready to select the KPIs for your organization

    Using the IT Metrics Library

    Match the suggested KPIs to the Management and Governance Framework

    The “Practice” and “Process” columns relate to each of the boxes on the Info-Tech Management and Governance Framework. This ensures you are measuring each area that needs to be managed by a typical IT department.

    The image shows a table on the left, and on the right, the Info-Tech Management and Governance Structure. Sections from the Practice and Process columns of the table have arrows emerging from them, pointing to matching sections in the framework.

    Using the IT Metrics Library

    Content for each entry

    KPI - The key performance indicator to review

    CSF - What needs to happen to achieve success for each goal

    Goal - The goal your organization is trying to achieve

    Owner - Who will be accountable to collect and report the data

    Data Source (typical) - Where you plan to get the data that will be used to calculate the KPI

    Baseline/Target - The baseline and target for the KPI

    Rank - Criticality of this goal to the organization's success

    Action - Suggested action if KPI is underperforming

    Blueprint - Available research to address typical underperformance of the KPI

    Practice/Process - Which practice and process the KPI represents

    1.1.1 Download the IT Metrics Library

    Input

    • IT Metrics Library

    Output

    • Ideas for which KPIs would be useful to track for each of the practice areas

    Materials

    • Whiteboard/flip charts

    Participants

    • IT senior leadership
    • Process area owners
    • Metrics program owners and administrators

    4 hours

    1. Click the link below to download the IT Metrics Library spreadsheet.
    2. Open the file and select the “Data Entry” tab.
    3. The sheet has suggested KPIs for each of the 9 practice areas and 45 processes listed in the Info-Tech Management and Governance Framework. You can identify this grouping in the “Practice” and “Process” columns.
    4. For each practice area, review the suggested KPIs and their associated goals and discuss as a team which of the KPIs would be useful to track in your organization.

    Download the IT Metrics Library

    Step 1.2

    Select KPIs for Your Organization

    Activities

    1.2.1 Select the KPIs that will drive your organization forward

    1.2.2 Remove unwanted KPIs from the IT Metrics Library

    Choose the KPIs

    Step 1.1 – Review Available KPIs

    Step 1.2 – Select KPIs for Your Org.

    Step 1.3 – Identify Data Sources and Owners

    This step will walk you through the following activities:

    • Selecting the KPIs for your organization and removing unwanted KPIs from IT Metrics Library

    This step involves the following participants:

    • Senior IT leadership
    • Process area owners
    • Metrics program owners and administrators

    Outcomes of this step

    A shortlist of selected KPIs

    1.2.1 Select the KPIs that will drive your organization forward

    Input

    • IT Metrics Library

    Output

    • KPIs would be useful to track for each of the practice areas

    Materials

    • IT Metrics Library

    Participants

    • Senior IT leadership
    • Process area owners
    • Metrics program owners and administrators

    4 hours

    1. Review the suggested KPIs for each practice area and review the goal.
    2. Some suggested KPIs are similar, so make sure the goal is appropriate for your organization.
    3. Pick up to three KPIs per practice.

    1.2.2 Remove unwanted KPIs

    Input

    • IT Metrics Library

    Output

    • KPIs would be useful to track for each of the practice areas

    Materials

    • IT Metrics Library

    Participants

    • Senior IT leadership
    • Process area owners
    • Metrics program owners and administrators

    0.5 hours

    1. To remove unwanted KPIs from the IT Metric Library Tool, select the unwanted row, right-click on the row, and delete it.
    2. The result should be up to three KPIs per practice area left on the spreadsheet.

    Step 1.3

    Identify data sources and owners

    Activities

    1.3.1 Document the data source

    1.3.2 Document the owner

    1.3.3 Document baseline and target

    Choose the KPIs

    Step 1.1 – Review Available KPIs

    Step 1.2 – Select KPIs for Your Org.

    Step 1.3 – Identify Data Sources and Owners

    This step will walk you through the following activities:

    Documenting for each KPI where you plan to get the data, who is accountable to collect and report the data, what the current baseline is (if available), and what the target is

    This step involves the following participants:

    • Senior IT leadership
    • Process area owners
    • Metrics program owners and administrators

    Outcomes of this step

    A list of KPIs for your organization with appropriate attributes documented

    1.3 Identify data sources, owners, baseline, and target

    Input

    • IT Metrics Library

    Output

    • Completed IT Metrics Library

    Materials

    • IT Metrics Library

    Participants

    • Process area owners
    • Metrics program owners and administrators

    2 hours

    1. For each selected KPI, complete the owner, data source, baseline, and target if the information is available.
    2. If the information is not available, document the owner and assign them to complete the other columns.

    Phase 2

    Build the Dashboard

    Phase 1

    1.1 Review Available KPIs

    1.2 Select KPIs for Your Org.

    1.3 Identify Data Sources and Owners

    Phase 2

    2.1 Understand the IT Management Dashboard

    2.2 Build and Review the KPIs

    Phase 3

    3.1 Prioritize Low-Performing Indicators

    3.2 Review Suggested Actions

    3.3 Develop the Action Plan

    This phase will walk you through the following activities:

    Understanding the IT Management Dashboard

    Configuring the IT Management Dashboard and entering initial measures

    Produce thing IT Scorecard from the IT Management Dashboard

    Interpreting the results

    This phase involves the following participants:

    • Senior IT leadership
    • Process area owners
    • Metrics program owners and administrators

    Step 2.1

    Understand the IT Management Dashboard

    Activities

    2.1.1 Logging into the IT Management Dashboard

    2.1.2 Understanding the “Overall Scorecard” tab

    2.1.3 Understanding the “My Metrics” tab

    Build the Dashboard

    Step 2.1 – Understand the IT Management Dashboard

    Step 2.2 – Build and review the KPIs

    This step will walk you through the following activities:

    Accessing the IT Management Dashboard

    Basic functionality of the tool

    This step involves the following participants:

    • Senior IT leadership
    • Process area owners
    • Metrics program owners and administrators

    Outcomes of this step

    Understanding of how to administer the IT Management Dashboard

    2.1.1 Logging into the IT Management Dashboard

    Input

    • Info-Tech membership

    Output

    • Access to the IT Management Dashboard

    Materials

    • Web browser

    Participants

    • Metrics program owners and administrators

    0.5 hours

    1. Using your web browser, access your membership at infotech.com.
    2. Log into your Info-Tech membership account.
    3. Select the “My IT Dashboard” option from the menu (circled in red).
    4. If you cannot gain access to the tool, contact your membership rep.

    The image is a screen capture of the Info-Tech website, with the Login button at the top right of the window circled in red.

    2.1.2 Understanding the “Overall Scorecard” tab

    0.5 hours

    1. Once you select “My IT Dashboard,” you will be in the “Overall Scorecard” tab view.
    2. Scrolling down reveals the data entry form for each of the nine practice areas in the Info-Tech Management and Governance Framework, with each section color-coded for easy identification.
    3. Each of the section headers, KPI names, data sources, and data values can be updated to fit the needs of your organization.
    4. This view is designed to show a holistic view of all areas in IT that are being managed.

    2.1.3 Understanding the “My Metrics” tab

    0.5 hours

    1. On the “My Metrics” tab you can access individual scorecards for each of the nine practice areas.
    2. Below the “My Metrics” tab is each of the nine practice areas for you to select from. Each shows a different subset of KPIs specific to the practice.
    3. The functionality of this view is the same as the overall scorecard. Each title, KPI, description, and actuals are editable to fit your organization’s needs.
    4. This blueprint does not go into detail on this tab, but it is available to be used by practice area leaders in the same way as the overall scorecard.

    Step 2.2

    Build and review the KPIs

    Activities

    2.2.1 Entering the KPI descriptions

    2.2.2 Entering the KPI actuals

    2.2.3 Producing the IT Overall Scorecard

    Build the Dashboard

    Step 2.1 – Understand the IT Management Dashboard

    Step 2.2 – Build and review the KPIs

    This step will walk you through the following activities:

    Entering the KPI descriptions

    Entering the actuals for each KPI

    Producing the IT Overall Scorecard

    This step involves the following participants:

    • Senior IT leadership
    • Process area owners
    • Metrics program owners and administrators

    Outcomes of this step

    An overall scorecard indicating the selected KPI performance

    2.2.1 Entering the KPI descriptions

    Input

    • Access to the IT Management Dashboard
    • IT Metrics Library with your organization’s KPIs selected

    Output

    • KPI descriptions entered into tool

    Materials

    • Web browser

    Participants

    • Metrics program owners and administrators

    1 hour

    1. Navigate to the IT Management Dashboard as described in section 2.1.1 and scroll down to the practice area you wish to complete.
    2. If needed, modify the section name to match your organization’s needs.
    3. Select “Add another score.”

    2.2.1 Entering the KPI descriptions

    1 hour

    1. Select if your metric is a custom metric or a standard metric available from one of the Info-Tech diagnostic tools.
    2. Enter the metric name you selected from the IT Metrics Library.
    3. Select the value type.
    4. Select the “Add Metric” button.
    5. The descriptions only need to be entered when they change.

    Example of a custom metric

    The image is a screen capture of the Add New Metric function. The metric type selected is Custom metric, and the metric name is Employee Engagement. There is a green Add Metric button, which is circled in red.

    Example of a standard metric

    The image is a screen capture of the Add New Metric function. The metric type selected is Standard Metric. The green Add Metric button at the bottom is circled in red.

    2.2.2 Entering the KPI actuals

    Input

    • Actual data from each data source identified

    Output

    • Actuals recorded in tool

    Materials

    • Web browser

    Participants

    • Metrics program owners and administrators

    1 hour

    1. Select the period you wish to create a scorecard for by selecting “Add New Period” or choosing one from the drop-down list.
    2. For each KPI on your dashboard, collect the data from the data source and enter the actuals.
    3. Select the check mark (circled) to save the data for the period.

    The image is a screen capture of the My Overall Scorecard Metrics section, with a button at the bottom that reads Add New Period circled in red

    The image has the text People and Resources at the top. It shows data for the KPI, and there is a check mark circled in red.

    2.2.3 Producing the IT Overall Scorecard

    Input

    • Completed IT Overall Scorecard data collection

    Output

    • IT Overall Scorecard

    Materials

    • Web browser

    Participants

    • Metrics program owners and administrators

    0.5 hours

    1. Select the period you wish to create a scorecard for by selecting from the drop-down list.
    2. Click the “Download as PDF” button to produce the scorecard.
    3. Once the PDF is produced it is ready for review or distribution.

    Phase 3

    Create the Action Plan

    Phase 1

    1.1 Review Available KPIs

    1.2 Select KPIs for Your Org.

    1.3 Identify Data Sources and Owners

    Phase 2

    2.1 Understand the IT Management Dashboard

    2.2 Build and Review the KPIs

    Phase 3

    3.1 Prioritize Low-Performing Indicators

    3.2 Review Suggested Actions

    3.3 Develop the Action Plan

    This phase will walk you through the following activities:

    Prioritizing low-performing indicators

    Using the IT Metrics Library to review suggested actions

    Developing your team’s action plan to improve performance

    This phase involves the following participants:

    • Senior IT leadership
    • Process area owners
    • Metrics program owners and administrators

    Step 3.1

    Prioritize low-performing indicators

    Activities

    3.1.1 Determine criteria for prioritization

    3.1.2 Identify low-performing indicators

    3.1.3 Prioritize low-performing indicators

    Create the action plan

    Step 3.1 – Prioritize low-performing indicators

    Step 3.2 – Review suggested actions

    Step 3.3 – Develop the action plan

    This step will walk you through the following activities:

    Determining the criteria for prioritization of low-performing indicators

    Identifying low-performing indicators

    Prioritizing the low-performing indicators

    This step involves the following participants:

    • Senior IT leadership
    • Process area owners
    • Metrics program owners and administrators

    Outcomes of this step

    A prioritized list of low-performing indicators that need remediation

    3.1.1 Determine criteria for prioritization

    Often when metrics programs are established, there are multiple KPIs that are not performing at the desired level. It’s easy to expect the team to fix all the low-performing indicators, but often teams are stretched and have conflicting priorities.

    Therefore it’s important to spend some time to prioritize which of your indicators are most critical to the success of your business.

    Also consider, if one area is performing well and others have multiple poor indicators, how do you give the right support to optimize the results?

    Lastly, is it better to score slightly lower on multiple measures or perfect on most but failing badly on one or two?

    3.1.1 Determine criteria for prioritization

    Input

    • Business goals and objectives
    • IT goals and objectives
    • IT organizational structure

    Output

    • Documented scorecard remediation prioritization criteria

    Materials

    • Whiteboard or flip charts

    Participants

    • Senior IT leadership
    • Process area owners
    • Metrics program owners and administrators

    1 hour

    1. Identify any KPIs that are critical and cannot fail without high impact to your organization.
    2. Identify any KPIs that cannot fail for an extended period and document the time period.
    3. Rank the KPIs from most critical to least critical in the IT Metrics Library.
    4. Look at the owner accountable for the performance of each KPI. If there are any large groups, reassess the ownership or rank.
    5. Periodically review the criteria to see if they’re aligned with meeting current business goals.

    3.1.2 Identify low-performing indicators

    Input

    • Overall scorecard
    • Overall scorecard (previous period)
    • IT Metrics Library

    Output

    • List of low-performing indicators that need remediation
    • Planned actions to improve performance

    Materials

    • Whiteboard or flip charts

    Participants

    • Senior IT leadership
    • Process area owners
    • Metrics program owners and administrators

    1 hour

    1. Review the overall scorecard for the current period. List any KPIs that are not meeting the target for the current month in the “Action Plan” tab of the IT Metrics Library.
    2. Compare current month to previous month. List any KPIs that are moving away from the long-term target documented in the tool IT Metrics Library.
    3. Revise the target in the IT Metrics Library as business needs change.

    3.1.3 Prioritize low-performing indicators

    Input

    • IT Metrics Library

    Output

    • Prioritized list of planned actions for low-performing indicators

    Materials

    • IT Metrics Library

    Participants

    • Senior IT leadership
    • Process area owners
    • Metrics program owners and administrators
    • Task owners

    1 hour

    1. Look through the list of new and outstanding planned actions in the “Action Plan” tab of the IT Metrics Library, review progress, and prioritize outstanding items.
    2. Compare the list that needs remediation with the rank in the data entry tab.
    3. Adjust the priority of the outstanding and new actions to reflect the business needs.

    Step 3.2

    Review suggested actions

    Activities

    3.2.1 Review suggested actions in the IT Metrics Library

    Create the Action Plan

    Step 3.1 – Prioritize low-performing indicators

    Step 3.2 – Review suggested actions

    Step 3.3 – Develop the action plan

    This step will walk you through the following activities:

    Reviewing the suggested actions in the IT Metrics Library

    This step involves the following participants:

    • Senior IT leadership
    • Process area owners
    • Metrics program owners and administrators

    Outcomes of this step

    An idea of possible suggested actions

    Take Action

    Knowing where you are underperforming is only half the battle. You need to act!

    • So far you have identified which indicators will tell you whether or not your team is performing and which indicators are most critical to your business success.
    • Knowing is the first step, but things will not improve without some kind of action.
    • Sometimes the action needed to course-correct is small and simple, but sometimes it is complicated and may take a long time.
    • Utilize the diverse ideas of your team to find solutions to underperforming indicators.
    • If you don’t have a viable simple solution, leverage the IT Metrics Library, which suggests high-level action needed to improve each indicator. If you need additional information, use your Info-Tech membership to review the recommended research.

    3.2.1 Review suggested actions in the IT Metrics Library

    Input

    • IT Metrics Library

    Output

    • Suggested actions

    Materials

    • IT Metrics Library

    Participants

    • Process area owners
    • Metrics program owners and administrators
    • Task owners

    0.5 hours

    1. For each of your low-performing indicators, review the suggested action and related research in the IT Metrics Library.

    Step 3.3

    Develop the action plan

    Activities

    3.3.1 Document planned actions

    3.3.2 Assign ownership of actions

    3.3.3 Determine timeline of actions

    3.3.4 Review past action status

    Create the action plan

    Step 3.1 – Prioritize low- performing indicators

    Step 3.2 – Review suggested actions

    Step 3.3 – Develop the action plan

    This step will walk you through the following activities:

    Using the action plan tool to document the expected actions for low-performing indicators

    Assigning an owner and expected due date for the action

    Reviewing past action status for accountability

    This step involves the following participants:

    • Senior IT leadership
    • Process area owners
    • Metrics program owners and administrators

    Outcomes of this step

    An action plan to invoke improved performance

    3.3.1 Document planned actions

    Input

    • IT Metrics Library

    Output

    • Planned actions

    Materials

    • IT Metrics Library

    Participants

    • Process area owners
    • Metrics program owners and administrators
    • Task owners

    1 hour

    1. Decide on the action you plan to take to bring the indicator in line with expected performance and document the planned action in the “Action Plan” tab of the IT Metrics Library.

    Info-Tech Insight

    For larger initiatives try to break the task down to what is likely manageable before the next review. Seeing progress can motivate continued action.

    3.3.2 Assign ownership of actions

    Input

    • IT Metrics Library

    Output

    • Identified owners for each action

    Materials

    • IT Metrics Library

    Participants

    • Process area owners
    • Metrics program owners and administrators
    • Task owners

    0.5 hours

    1. For each unassigned task, assign clear ownership for completion of the task.
    2. The task owner should be the person accountable for the task.

    Info-Tech Insight

    Assigning clear ownership can promote accountability for progress.

    3.3.3 Determine timeline of actions

    Input

    • IT Metrics Library

    Output

    • Expected timeline for each action

    Materials

    • IT Metrics Library

    Participants

    • Process area owners
    • Metrics program owners and administrators
    • Task owners

    0.5 hours

    1. For each task, agree on an estimated target date for completion.

    Info-Tech Insight

    If the target completion date is too far in the future, break the task into manageable chunks.

    3.3.4 Review past action status

    Input

    • IT Metrics Library

    Output

    • Complete action plan for increased performance

    Materials

    • IT Metrics Library

    Participants

    • Process area owners
    • Metrics program owners and administrators
    • Task owners

    0.5 hours

    1. For each task, review the progress since last review.
    2. If desired progress is not being made, adjust your plan based on your organizational constraints.

    Info-Tech Insight

    Seek to understand the reasons that tasks are not being completed and problem solve for creative solutions to improve performance.

    Measure the value of your KPI program

    KPIs only produce value if they lead to action

    • Tracking the performance of key indicators is the first step, but value only comes from taking action based on this information.
    • Keep track of the number of action items that come out of your KPI review and how many are completed.
    • If possible, keep track of the time or money saved through completing the action items.

    Keeping track of the number of actions identified and completed is a low overhead measure.

    Tracking time or money saved is higher overhead but also higher value.

    The image is a chart titled KPI benefits. It includes a legend indicating that blue bars are for Actions identified, purple bars are for Actions completed, and the yellow line is for Time/money saved. The graph shows Q1-Q4, indicating an increase in all areas across the quarters.

    Establish Baseline Metrics

    Baseline metrics will be improved through:

    1. Identifying actions needed to remediate poor-performing KPIs
    2. Associating time and/or money savings as a result of actions taken
    Metric Current Goal
    Number of actions identified per month as a result of KPI review 0 TBD
    $ saved through actions taken due to KPI review 0 TBD
    Time saved through actions taken due to KPI review 0 TBD

    Summary of Accomplishment

    Problem Solved

    Through this project we have identified typical key performance indicators that are important to your organization’s effective management of IT.

    You’ve populated the IT Management Dashboard as a simple method to display the results of your selected KPIs.

    You’ve also established a regular review process for your KPIs and have a method to track the actions that are needed to improve performance as a result of the KPI review. This should allow you to hold individuals accountable for improvement efforts.

    You can also measure the effectiveness of your KPI program by tracking how many actions are identified as a result of the review. Ideally you can also track the money and time savings.

    If you would like additional support, have our analysts guide you through other phases as part of an Info-Tech workshop.

    Contact your account representative for more information.

    workshops@infotech.com

    1-888-670-8889

    Additional Support

    If you would like additional support, have our analysts guide you through other phases as part of an Info-Tech Workshop.

    Contact your account representative for more information.

    workshops@infotech.com 1-888-670-8889

    To accelerate this project, engage your IT team in an Info-Tech Workshop with an Info-Tech analyst team.

    Info-Tech analysts will join you and your team at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.

    The following are sample activities that will be conducted by Info-Tech analysts with your team:

    Select the KPIs for your organization

    Examine the benefits of the KPIs suggested in the IT Metrics Library and help selecting those that will drive performance for your maturity level.

    Build an action plan

    Discuss options for identifying and executing actions that result from your KPI review. Determine how to set up the discipline needed to make the most of your KPI review program.

    Research Contributors and Experts

    Valence Howden

    Principal Research Director, CIO – Service Management Info-Tech Research Group

    • Valence has extensive experience in helping organizations be successful through optimizing how they govern themselves, how they design and execute strategies, and how they drive service excellence in all work.

    Tracy-Lynn Reid

    Practice Lead, CIO – People & Leadership Info-Tech Research Group

    • Tracy-Lynn covers key topics related to People & Leadership within an information technology context.

    Fred Chagnon

    Practice Lead, Infrastructure & Operations Info-Tech Research Group

    • Fred brings extensive practical experience in all aspects of enterprise IT Infrastructure, including IP networks, server hardware, operating systems, storage, databases, middleware, virtualization and security.

    Aaron Shum

    Practice Lead, Security, Risk & Compliance Info-Tech Research Group

    • With 20+ years of experience across IT, InfoSec, and Data Privacy, Aaron currently specializes in helping organizations implement comprehensive information security and cybersecurity programs as well as comply with data privacy regulations.

    Cole Cioran

    Practice Lead, Applications and Agile Development Info-Tech Research Group

    • Over the past twenty-five years, Cole has developed software; designed data, infrastructure, and software solutions; defined systems and enterprise architectures; delivered enterprise-wide programs; and managed software development, infrastructure, and business systems analysis practices.

    Barry Cousins

    Practice Lead, Applications – Project and Portfolio Mgmt. Info-Tech Research Group

    • Barry specializes in Project Portfolio Management, Help/Service Desk, and Telephony/Unified Communications. He brings an extensive background in technology, IT management, and business leadership.

    Jack Hakimian

    Vice President, Applications Info-Tech Research Group

    • Jack has close to 25 years of Technology and Management Consulting experience. He has served multi-billion-dollar organizations in multiple industries, including Financial Services and Telecommunications. Jack also served several large public sector institutions.

    Vivek Mehta

    Research Director, CIO Info-Tech Research Group

    • Vivek publishes on topics related to digital transformation and innovation. He is the author of research on Design a Customer-Centric Digital Operating Model and Create Your Digital Strategy as well as numerous keynotes and articles on digital transformation.

    Carlos Sanchez

    Practice Lead, Enterprise Applications Info-Tech Research Group

    • Carlos has a breadth of knowledge in enterprise applications strategy, planning, and execution.

    Andy Neill

    Practice Lead, Enterprise Architecture, Data & BI Info-Tech Research Group

    • Andy has extensive experience in managing technical teams, information architecture, data modeling, and enterprise data strategy.

    Michael Fahey

    Executive Counselor Info-Tech Research Group

    • As an Executive Counselor, Mike applies his decades of business experience and leadership, along with Info-Tech Research Group’s resources, to assist CIOs in delivering outstanding business results.

    Related Info-Tech Research

    Develop Meaningful Service Metrics to Ensure Business and User Satisfaction

    • Reinforce service orientation in your IT organization by ensuring your IT metrics generate value-driven resource behavior.

    Use Applications Metrics That Matter

    • It all starts with quality and customer satisfaction.

    Take Control of Infrastructure Metrics

    • Master the metrics maze to help make decisions, manage costs, and plan for change.

    Bibliography

    Bach, Nancy. “How Often Should You Measure Your Organization's KPIs?” EON, 26 June 2018. Accessed Jan. 2020.

    “The Benefits of Tracking KPIs – Both Individually and for a Team.” Hoopla, 30 Jan. 2017. Accessed Jan. 2020.

    Chepul, Tiffany. “Top 22 KPI Examples for Technology Companies.” Rhythm Systems, Jan. 2020. Accessed Jan. 2020.

    Cooper, Larry. “CSF's, KPI's, Metrics, Outcomes and Benefits” itSM Solutions. 5 Feb. 2010. Accessed Jan 2020.

    “CUC Report on the implementation of Key Performance Indicators: case study experience.” Committee of University Chairs, June 2008. Accessed Jan 2020.

    Harris, Michael, and Bill Tayler. “Don’t Let Metrics Undermine Your Business.” HBR, Sep.–Oct 2019. Accessed Jan. 2020.

    Hatari, Tim. “The Importance of a Strong KPI Dashboard.” TMD Coaching. 27 Dec. 2018. Accessed Jan. 2020.

    Roy, Mayu, and Marian Carter. “The Right KPIs, Metrics for High-performing, Cost-saving Space Management.” CFI, 2013. Accessed Jan 2020.

    Schrage, Michael, and David Kiron. “Leading With Next-Generation Key Performance Indicators.” MIT Sloan Management Review, 26 June 2018. Accessed Jan. 2020.

    Setijono, Djoko, and Jens J. Dahlgaard. “Customer value as a key performance indicator (KPI) and a key improvement indicator (KII)” Emerald Insight, 5 June 2007. Accessed Jan 2020.

    Skinner, Ted. “Balanced Scorecard KPI Examples: Comprehensive List of 183 KPI Examples for a Balanced Scorecard KPI Dashboard (Updated for 2020).” Rhythm Systems, Jan. 2020. Accessed Jan 2020.

    Wishart, Jessica. “5 Reasons Why You Need The Right KPIs in 2020” Rhythm Systems, 1 Feb. 2020. Accessed Jan. 2020.

    Develop a Business Continuity Plan

    • Buy Link or Shortcode: {j2store}411|cart{/j2store}
    • member rating overall impact: 9.1/10 Overall Impact
    • member rating average dollars saved: $37,093 Average $ Saved
    • member rating average days saved: 30 Average Days Saved
    • Parent Category Name: DR and Business Continuity
    • Parent Category Link: /business-continuity
    • Recent crises have increased executive awareness and internal pressure to create a business continuity plan (BCP).
    • Industry and government-driven regulations require evidence of sound business continuity practices.
    • Customers demand their vendors provide evidence of a workable BCP prior to signing a contract.
    • IT leaders, because of their cross-functional view and experience with incident management and DR, are often asked to lead BCP efforts.

    Our Advice

    Critical Insight

    • BCP requires input from multiple departments with different and sometimes conflicting objectives. There are typically few, if any, dedicated resources for BCP, so it can't be a full-time, resource-intensive project.
    • As an IT leader you have the skill set and organizational knowledge to lead a BCP project, but ultimately business leaders need to own the BCP – they know their processes, and therefore, their requirements to resume business operations better than anyone else.
    • The traditional approach to BCP is a massive project that most organizations can’t execute without hiring a consultant. To execute BCP in-house, carve up the task into manageable pieces as outlined in this blueprint.

    Impact and Result

    • Implement a structured and repeatable process that you apply to one business unit at a time to keep BCP planning efforts manageable.
    • Use the results of the pilot to identify gaps in your recovery plans and reduce overall continuity risk while continuing to assess specific risks as you repeat the process with additional business units.
    • Enable business leaders to own the BCP going forward. Develop a template that the rest of the organization can use.
    • Leverage BCP outcomes to refine IT DRP recovery objectives and achieve DRP-BCP alignment.

    Develop a Business Continuity Plan Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should develop a business continuity plan, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Identify BCP maturity and document process dependencies

    Assess current maturity, establish a team, and choose a pilot business unit. Identify business processes, dependencies, and alternatives.

    • BCP Maturity Scorecard
    • BCP Pilot Project Charter Template
    • BCP Business Process Workflows Example (Visio)
    • BCP Business Process Workflows Example (PDF)

    2. Conduct a BIA to determine acceptable RTOs and RPOs

    Define an objective impact scoring scale, estimate the impact of downtime, and set recovery targets.

    • BCP Business Impact Analysis Tool

    3. Document the recovery workflow and projects to close gaps

    Build a workflow of the current steps for business recovery. Identify gaps and risks to recovery. Brainstorm and prioritize solutions to address gaps and mitigate risks.

    • BCP Tabletop Planning Template (Visio)
    • BCP Tabletop Planning Template (PDF)
    • BCP Project Roadmap Tool
    • BCP Relocation Checklists

    4. Extend the results of the pilot BCP and implement governance

    Present pilot project results and next steps. Create BCMS teams. Update and maintain BCMS documentation.

    • BCP Pilot Results Presentation
    • BCP Summary
    • Business Continuity Teams and Roles Tool

    5. Appendix: Additional BCP tools and templates

    Use these tools and templates to assist in the creation of your BCP.

    • BCP Recovery Workflow Example (Visio)
    • BCP Recovery Workflow Example (PDF)
    • BCP Notification, Assessment, and Disaster Declaration Plan
    • BCP Business Process Workarounds and Recovery Checklists
    • Business Continuity Management Policy
    • Business Unit BCP Prioritization Tool
    • Industry-Specific BIA Guidelines
    • BCP-DRP Maintenance Checklist
    • Develop a COVID-19 Pandemic Response Plan Storyboard
    [infographic]

    Workshop: Develop a Business Continuity Plan

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Define BCP Scope, Objectives, and Stakeholders

    The Purpose

    Define BCP scope, objectives, and stakeholders.

    Key Benefits Achieved

    Prioritize BCP efforts and level-set scope with key stakeholders.

    Activities

    1.1 Assess current BCP maturity.

    1.2 Identify key business processes to include in scope.

    1.3 Flowchart key business processes to identify business processes, dependencies, and alternatives.

    Outputs

    BCP Maturity Scorecard: measure progress and identify gaps.

    Business process flowcharts: review, optimize, and allow for knowledge transfer of processes.

    Identify workarounds for common disruptions to day-to-day continuity.

    2 Define RTOs and RPOs Based on Your BIA

    The Purpose

    Define RTOs and RPOs based on your BIA.

    Key Benefits Achieved

    Set recovery targets based business impact, and illustrate the importance of BCP efforts via the impact of downtime.

    Activities

    2.1 Define an objective scoring scale to indicate different levels of impact.

    2.2 Estimate the impact of downtime.

    2.3 Determine acceptable RTO/RPO targets for business processes based on business impact.

    Outputs

    BCP Business Impact Analysis: objective scoring scale to assess cost, goodwill, compliance, and safety impacts.

    Apply the scoring scale to estimate the impact of downtime on business processes.

    Acceptable RTOs/RPOs to dictate recovery strategy.

    3 Create a Recovery Workflow

    The Purpose

    Create a recovery workflow.

    Key Benefits Achieved

    Build an actionable, high-level, recovery workflow that can be adapted to a variety of different scenarios.

    Activities

    3.1 Conduct a tabletop exercise to determine current recovery procedures.

    3.2 Identify and prioritize projects to close gaps and mitigate recovery risks.

    3.3 Evaluate options for command centers and alternate business locations (i.e. BC site).

    Outputs

    Recovery flow diagram – current and future state

    Identify gaps and recovery risks.

    Create a project roadmap to close gaps.

    Evaluate requirements for alternate business sites.

    4 Extend the Results of the Pilot BCP and Implement Governance

    The Purpose

    Extend the results of the pilot BCP and implement governance.

    Key Benefits Achieved

    Outline the actions required for the rest of your BCMS, and the required effort to complete those actions, based on the results of the pilot.

    Activities

    4.1 Summarize the accomplishments and required next steps to create an overall BCP.

    4.2 Identify required BCM roles.

    4.3 Create a plan to update and maintain your overall BCP.

    Outputs

    Pilot BCP Executive Presentation

    Business Continuity Team Roles & Responsibilities

    3. Maintenance plan and BCP templates to complete the relevant documentation (BC Policy, BCP Action Items, Recovery Workflow, etc.)

    Further reading

    Develop a Business Continuity Plan

    Streamline the traditional approach to make BCP development manageable and repeatable.

    Analyst Perspective

    A BCP touches every aspect of your organization, making it potentially the most complex project you’ll take on. Streamline this effort or you won’t get far.

    None of us needs to look very far to find a reason to have an effective business continuity plan.

    From pandemics to natural disasters to supply chain disruptions to IT outages, there’s no shortage of events that can disrupt your complex and interconnected business processes. How in the world can anyone build a plan to address all these threats?

    Don’t try to boil the ocean. Use these tactics to streamline your BCP project and stay on track:

    • Focus on one business unit at a time. Keep the effort manageable, establish a repeatable process, and produce deliverables that provide a starting point for the rest of the organization.
    • Don’t start with an extensive risk analysis. It takes too long and at the end you’ll still need a plan to resume business operations following a disruption. Rather than trying to predict what could cause a disruption, focus on how to recover.
    • Keep your BCP documentation concise. Use flowcharts, checklists, and diagrams instead of traditional manuals.

    No one can predict every possible disruption, but by following the guidance in this blueprint, you can build a flexible continuity plan that allows you to withstand the threats your organization may face.

    Frank Trovato

    Research Director,
    IT Infrastructure & Operations Practice
    Info-Tech Research Group

    Andrew Sharp

    Senior Research Analyst,
    IT Infrastructure & Operations Practice
    Info-Tech Research Group

    Executive Summary

    Your Challenge

    • Recent crises have increased executive awareness and internal pressure to create a BCP.
    • Industry- and government-driven regulations require evidence of sound business continuity practices.
    • Customers demand their vendors provide evidence of a workable BCP prior to signing a contract.

    IT leaders, because of their cross-functional view and experience with incident management and DR, are often asked to lead BCP efforts.

    Common Obstacles

    • IT managers asked to lead BCP efforts are dealing with processes and requirements beyond IT and outside of their control.
    • BCP requires input from multiple departments with different and sometimes conflicting objectives.
    • Typically there are few, if any, dedicated resources for BCP, so it can't be a full-time, resource-intensive project.

    Info-Tech’s Approach

    • Focus on implementing a structured and repeatable process that can be applied to one business unit at a time to avoid BCP from becoming an overwhelming project.
    • Enable business leaders to own the BCP going forward by establishing a template that the rest of the organization can follow.
    • Leverage BCP outcomes to refine IT DRP recovery objectives and achieve DRP-BCP alignment.

    Info-Tech Insight

    As an IT leader you have the skill set and organizational knowledge to lead a BCP project, but you must enable business leaders to own their department’s BCP practices and outputs. They know their processes and, therefore, their requirements to resume business operations better than anyone else.

    Use this research to create business unit BCPs and structure your overall BCP

    A business continuity plan (BCP) consists of separate but related sub-plans, as illustrated below. This blueprint enables you to:

    • Develop a BCP for a selected business unit (as a pilot project), and thereby establish a methodology that can be repeated for remaining business units.
    • Through the BCP process, clarify requirements for an IT disaster recovery plan (DRP). Refer to Info-Tech’s Disaster Recovery Planning workshop for instructions on how to create an IT DRP.
    • Implement ongoing business continuity management to govern BCP, DRP, and crisis management.

    Overall Business Continuity Plan

    IT Disaster Recovery Plan

    A plan to restore IT application and infrastructure services following a disruption.

    Info-Tech’s disaster recovery planning blueprint provides a methodology for creating the IT DRP. Leverage this blueprint to validate and provide inputs for your IT DRP.

    BCP for Each Business Unit

    A set of plans to resume business processes for each business unit. This includes:

    • Identifying business processes and dependencies.
    • Defining an acceptable recovery timeline based on a business impact analysis.
    • Creating a step-by-step recovery workflow.

    Crisis Management Plan

    A plan to manage a wide range of crises, from health and safety incidents to business disruptions to reputational damage.

    Info-Tech’s Implement Crisis Management Best Practices blueprint provides a framework for planning a response to any crisis, from health and safety incidents to reputational damage.

    IT leaders asked to develop a BCP should start with an IT Disaster Recovery Plan

    It’s a business continuity plan. Why should you start continuity planning with IT?

    1. IT services are a critical dependency for most business processes. Creating an IT DRP helps you mitigate a key risk to continuity quicker than it takes to complete your overall BCP, and you can then focus on other dependencies such as people, facilities, and suppliers.
    2. A BCP requires workarounds for IT failures. But it’s difficult to plan workarounds without a clear understanding of the potential IT downtime and data loss. Your DRP will answer those questions, and without a DRP, BCP discussions can get bogged down in IT discussions. Think of payroll as an example: if downtime might be 24 hours, the business might simply wait for recovery; if downtime might be a week, waiting it out is not an option.
    3. As an IT manager, you can develop an IT DRP primarily with resources within your control. That makes it an easier starting point and puts IT in a better position to shift responsibility for BCP to business leaders (where it should reside) since essentially the IT portion is done.

    Create a Right-Sized Disaster Recovery Plan today.

    Modernize the BCP

    If your BCP relies heavily on paper-based processes as workarounds, it’s time to update your plan.

    Back when transactions were recorded on paper and then keyed into the mainframe system later, it was easier to revert to deskside processes. There is very little in the way of paper-based processes anymore, and as a result, it is increasingly difficult to resume business processes without IT.

    Think about your own organization. What IT system(s) are absolutely critical to business operations? While you might be able to continue doing business without IT, this requires regular preparation and training. It’s likely a completely offline process and won’t be a viable workaround for long even if staff know how to do the work. If your data center and core systems are down, technology-enabled workarounds (such as collaboration via mobile technologies or cloud-based solutions) could help you weather the outage, and may be more flexible and adaptable for day-to-day work.

    The bottom line:

    Technology is a critical dependency for business processes. Consider the role IT systems play as process dependencies and as workarounds as part of continuity planning.

    Info-Tech’s approach

    The traditional approach to BCP takes too long and produces a plan that is difficult to use and maintain.

    The Problem: You need to create a BCP, but don’t know where to start.

    • BCP is being demanded more and more to comply with regulations, mitigate business risk, meet customer demands, and obtain insurance.
    • IT leaders are often asked to lead BCP.

    The Complication: A traditional BCP process takes longer to show value.

    • Traditional consultants don’t usually have an incentive to accelerate the process.
    • At the same time, self-directed projects with no defined process go months without producing useful deliverables.
    • The result is a dense manual that checks boxes but isn’t maintainable or usable in a crisis.

    A pie chart is separated into three segments, Internal Mandates 43%, Customer Demands 23%, and Regulatory Requirements 34%. The bottom of the image reads Source: Info-Tech Research Group.

    The Info-Tech difference:

    Use Info-Tech’s methodology to right-size and streamline the process.

    • Reduce required effort. Keep the work manageable and maintain momentum by focusing on one business unit at a time; allow that unit to own their BCP.
    • Prioritize your effort. Evaluate the current state of your BCP to identify the steps that are most in need of attention.
    • Get valuable results faster. Functional deliverables and insights from the first business unit’s BCP can be leveraged by the entire organization (e.g. communication, assessment, and BC site strategies).

    Expedite BCP development

    Info-Tech’s Approach to BCP:

    • Start with one critical business unit to manage scope, establish a repeatable process, and generate deliverables that become a template for remaining business units.
    • Resolve critical gaps as you identify them, generating early value and risk mitigation.
    • Create concise, practical documentation to support recovery.

    Embed training and awareness throughout the planning process.

    BCP for Business Unit A:

    Scope → Pilot BIA → Response Plan → Gap Analysis

    → Lessons Learned:

    • Leverage early results to establish a BCM framework.
    • Take action to resolve critical gaps as they are identified.
    • BCP for Business Units B through N.
    • Scope→BIA→Response Plan→Gap Analysis

    = Ongoing governance, testing, maintenance, improvement, awareness, and training.

    By comparison, a traditional BCP approach takes much longer to mitigate risk:

    • An extensive, upfront commitment of time and resources before defining incident response plans and mitigating risk.
    • A “big bang” approach that makes it difficult to predict the required resourcing and timelines for the project.

    Organizational Risk Assessment and Business Impact Analysis → Solution Design to Achieve Recovery Objectives → Create and Validate Response Plans

    Case Study

    Continuity Planning Supports COVID-19 Response

    Industry: Non-Profit
    Source: Info-Tech Advisory Services

    A charitable foundation for a major state university engaged Info-Tech to support the creation of their business continuity plan.

    With support from Info-Tech analysts and the tools in this blueprint, they worked with their business unit stakeholders to identify recovery objectives, confirm recovery capabilities and business process workarounds, and address gaps in their continuity plans.

    Results

    The outcome wasn’t a pandemic plan – it was a continuity plan that was applicable to pandemics. And it worked. Business processes were prioritized, gaps in work-from-home and business process workarounds had been identified and addressed, business leaders owned their plan and understood their role in it, and IT had clear requirements that they were able and ready to support.

    “The work you did here with us was beyond valuable! I wish I could actually explain how ready we really were for this…while not necessarily for a pandemic, we were ready to spring into action, set things up, the priorities were established, and most importantly some of the changes we’ve made over the past few years helped beyond words! The fact that the groups had talked about this previously almost made what we had to do easy.“ -- VP IT Infrastructure

    Download the BCP Case Study

    Project Overview: BCP

    Phases Phase 1: Identify BCP Maturity and Document Process Dependencies Phase 2: Conduct a BIA to Determine Acceptable RTOs and RPOs Phase 3: Document the Recovery Workflow and Projects to Close Gaps Phase 4: Extend the Results of the Pilot BCP and Implement Governance
    Steps 1.1 Assess current BCP maturity 2.1 Define an objective impact scoring scale 3.1 Determine current recovery procedures 4.1 Consolidate BCP pilot insights to support an overall BCP project plan
    1.2 Establish the pilot BCP team 2.2 Estimate the impact of downtime 3.2 Identify and prioritize projects to close gaps 4.2 Outline a business continuity management (BCM) program
    1.3 Identify business processes, dependencies, and alternatives 2.3 Determine acceptable RTO/RPO targets 3.3 Evaluate BC site and command center options 4.3 Test and maintain your BCP
    Tools and Templates

    BCP Business Impact Analysis Tool

    Results Presentation

    BCP Maturity Scorecard

    Tabletop Planning Template

    BCP Summary

    Pilot Project Charter

    Recovery Workflow Examples

    Business Continuity Teams and Roles

    Business Process Workflows Examples

    BCP Project Roadmap

    Blueprint deliverables

    Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:

    BCP Business Impact Analysis Tool: Conduct and document a business impact analysis using this document.

    BCP Recovery Workflows Example: Model your own recovery workflows on this example.

    BCP Project Roadmap: Use this tool to prioritize projects that can improve BCP capabilities and mitigate gaps and risks.

    BCP Relocation Checklists: Plan for and manage a site relocation – whether to an alternate site or work from home.

    Key deliverable:

    BCP Summary Document

    Summarize your organization's continuity capabilities and objectives in a 15-page, easy-to-consume template.

    This document consolidates data from the supporting documentation and tools to the right.

    Download Info-Tech’s BCP Summary Document

    Insight summary

    Focus less on risk, and more on recovery

    Avoid focusing on risk and probability analysis to drive your continuity strategy. You never know what might disrupt your business, so develop a flexible plan to enable business resumption regardless of the event.

    Small teams = good pilots

    Choose a small team for your BCP pilot. Small teams are better at trialing new techniques and finding new ways to think about problems.

    Calculate downtime impact

    Develop and apply a scoring scale to develop a more-objective assessment of downtime impact for the organization. This will help you prioritize recovery.

    It’s not no, but rather not now…

    You can’t address all the organization’s continuity challenges at once. Prioritize high value, low effort initiatives and create a long-term roadmap for the rest.

    Show Value Now

    Get to value quickly. Start with one business unit with continuity challenges, and a small, focused project team who can rapidly learn the methodology, identify continuity gaps, and define solutions that can also be leveraged by other departments right away.

    Lightweight Testing Exercises

    Outline recovery capabilities using lightweight, low risk tabletop planning exercises. Our research shows tabletop exercises increase confidence in recovery capabilities almost as much as live exercises, which carry much higher costs and risks.

    Blueprint benefits

    Demonstrate compliance with demands from regulators and customers

    • Develop a plan that satisfies auditors, customers, and insurance providers who demand proof of a continuity plan.
    • Demonstrate commitment to resilience by identifying gaps in current capabilities and projects to overcome those gaps.
    • Empower business users to develop their plans and perform regular maintenance to ensure plans don’t go stale.
    • Establish a culture of business readiness and resilience.

    Leverage your BCP to drive value (Business Benefits)

    • Enable flexible, mobile, and adaptable business operations that can overcome disruptions large and small. This includes making it easier to work remotely in response to pandemics or facility disruptions.
    • Clarify the risk of the status quo to business leaders so they can make informed decisions on where to invest in business continuity.
    • Demonstrate to customers your ability to overcome disruptions and continue to deliver your services.

    Info-Tech Advisory Services lead to Measurable Value

    Info-Tech members told us they save an average of $44,522 and 23 days by working with an Info-Tech analyst on BCP (source: client response data from Info-Tech's Measured Value Survey).

    Why do members report value from analyst engagement?

    1. Expert advice on your specific situation to overcome obstacles and speed bumps.
    2. Structure the project and stay on track.
    3. Review project deliverables and ensure the process is applied properly.

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    "Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful."

    Guided Implementation

    “Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.”

    Workshop

    “We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.”

    Consulting

    “Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”

    Diagnostic and consistent frameworks are used throughout all four options.

    Guided Implementation

    Your Trusted Advisor is a call away.

    A Guided Implementation (GI) is series of calls with an Info-Tech analyst to help implement our best practices in your organization.

    A typical GI is between eight to twelve calls over the course of four to six months.

    Scoping

    Call 1: Scope requirements, objectives, and stakeholders. Identify a pilot BCP project.

    Business Processes and Dependencies

    Calls 2 - 4: Assess current BCP maturity. Create business process workflows, dependencies, alternates, and workarounds.

    Conduct a BIA

    Calls 5 – 7: Create an impact scoring scale and conduct a BIA. Identify acceptable RTO and RPO.

    Recovery Workflow

    Calls 8 – 9: Create a recovery workflow based on tabletop planning.

    Documentation & BCP Framework

    Call 10: Summarize the pilot results and plan next steps. Define roles and responsibilities. Make the case for a wider BCP program.

    Workshop Overview

    Contact your account representative for more information.

    workshops@infotech.com | 1-888-670-8889

    Day 1 Day 2 Day 3 Day 4 Day 5
    Identify BCP Maturity, Key Processes, and Dependencies Conduct a BIA to Determine Acceptable RTOs and RPOs Document the Current Recovery Workflow and Projects to Close Gaps Identify Remaining BCP Documentation and Next Steps Next Steps and Wrap-Up (offsite)
    Activities

    1.1 Assess current BCP maturity.

    1.2 Identify key business processes to include in scope.

    1.3 Create a flowchart for key business processes to identify business processes, dependencies, and alternatives.

    2.1 Define an objective scoring scale to indicate different levels of impact.

    2.2 Estimate the impact of a business disruption on cost, goodwill, compliance, and health & safety.

    2.3 Determine acceptable RTOs/RPOs for selected business processes based on business impact.

    3.1 Review tabletop planning – what is it, how is it done?

    3.2 Walk through a business disruption scenario to determine your current recovery timeline, RTO/RPO gaps, and risks to your ability to resume business operations.

    3.3 Identify and prioritize projects to close RTO/RPO gaps and mitigate recovery risks.

    4.1 Assign business continuity management (BCM) roles to govern BCP development and maintenance, as well as roles required to execute recovery.

    4.2 Identify remaining documentation required for the pilot business unit and how to leverage the results to repeat the methodology for remaining business units.

    4.3 Workshop review and wrap-up.

    5.1 Finalize deliverables for the workshop.

    5.2 Set up review time for workshop outputs and to discuss next steps.

    Deliverables
    1. Baseline BCP maturity status
    2. Business process flowcharts
    3. Business process dependencies and alternatives recorded in the BIA tool
    1. Potential impact of a business disruption quantified for selected business processes.
    2. Business processes criticality and recovery priority defined
    3. Acceptable RTOs/RPOs defined based on business impact
    1. Current-state recovery workflow and timeline.
    2. RTO/RPO gaps identified.
    3. BCP project roadmap to close gaps
    1. BCM roles and responsibilities defined
    2. Workshop results deck; use this to communicate pilot results and next steps
    1. Finalized deliverables

    Phase 1

    Identify BCP Maturity and Document Process Dependencies

    Phase 1

    1.1 Assess Current BCP Maturity

    1.2 Establish the pilot BCP team

    1.3 Identify business processes, dependencies, and alternatives

    Insights & Outcomes

    Define the scope for the BCP project: assess the current state of the plan, create a pilot project team and pilot project charter, and map the business processes that will be the focus of the pilot.

    Participants

    • BCP Coordinator
    • BCP Executive Sponsor
    • Pilot Business Unit Manager & Process SMEs

    Step 1.1

    Assess current BCP Maturity

    This step will walk you through the following activities:

    • Complete Info-Tech’s BCP Maturity Scorecard

    This step involves the following participants:

    • Executive Sponsor
    • BCP Coordinator

    You'll use the following tools & templates:

    Outcomes & Insights

    Establish current BCP maturity using Info-Tech’s ISO 22301-aligned BCP Maturity Scorecard.

    Evaluate the current state of your continuity plan

    Use Info-Tech’s Maturity Scorecard to structure and accelerate a BCP maturity assessment.

    Conduct a maturity assessment to:

    • Create a baseline metric so you can measure progress over time. This metric can also drive buy-in from senior management to invest time and effort into your BCP.
    • Understand the scope of work to create a complete business continuity plan.
    • Measure your progress and remaining gaps by updating your assessment once you’ve completed the activities in this blueprint.

    This blueprint primarily addresses the first four sections in the scorecard, which align with the creation of the core components of your business continuity plan.

    Info-Tech’s BCP Maturity Scorecard

    Info-Tech’s maturity scorecard is aligned with ISO 22301, the international standard that describes the key elements of a functioning business continuity management system or program – the overarching set of documents, practices, and controls that support the ongoing creation and maintenance of your BCP. A fully functional BCMS goes beyond business continuity planning to include crisis management, BCP testing, and documentation management.

    Audit tools tend to treat every bullet point in ISO 22301 as a separate requirement – which means there’s almost 400 lines to assess. Info-Tech’s BCP Maturity Scorecard has synthesized key requirements, minimizing repetition to create a high-level self-assessment aligned with the standard.

    A high score is a good indicator of likely success with an audit.

    Download Info-Tech's BCP Maturity Scorecard

    Tool: BCP Maturity Scorecard

    Assess your organization’s BCP capabilities.

    Use Info-Tech’s BCP Maturity Scorecard to:

    • Assess the overall completeness of your existing BCP.
    • Track and demonstrate progress towards completion as you work through successive planning iterations with additional business units.
    1. Download a copy of the BCP Maturity Scorecard. On tab 1, indicate the percent completeness for each item using a 0-10 scale (0 = 0% complete, 10 = 100% complete).
    2. If you anticipate improvements in a certain area, make note of it in the “Comments” column.
    3. Review a visual representation of your overall scores on tab 2.

    Download Info-Tech's BCP Maturity Scorecard

    "The fact that this aligns with ISO is huge." - Dr. Bernard Jones MBCI, CBCP

    Step 1.2

    Establish the pilot BCP team

    This step will walk you through the following activities:

    • Assign accountability, responsibility, and roles.
    • Develop a project charter.
    • Identify dependencies and alternates for those dependencies.

    This step involves the following participants:

    • Executive Sponsor
    • BCP Coordinator

    In this step, you’ll use these tools and templates:

    Outcomes & Insights

    Assign roles and responsibilities for the BCP pilot project. Set milestones and timelines for the pilot.

    Take a pilot approach for BCP

    Limit the scope of an initial BCP project to get to value faster.

    Pilot Project Goals

    • Establish a repeatable methodology that fits your organization and will accelerate BCP development, with tangible deliverables that provide a template for the rest of the business.
    • Identify high-priority business continuity gaps for the pilot business unit, many of which will also apply to the overall organization.
    • Identify initiatives to start addressing gaps now.
    • Enable business users to learn the BCP methodology and toolset so they can own and maintain their business unit BCPs.

    Accomplishments expected:

    • Define key business processes and process dependencies, and alternatives if dependencies are not available.
    • Classify key business processes by criticality for one business unit, using an objective impact scoring scale.
    • Set recovery objectives for these key processes.
    • Document workarounds and recovery plans.
    • Identify gaps in recovery plans and list action items to mitigate risks.
    • Develop a project plan to structure a larger continuity project.

    What not to expect from a pilot project:

    • A complete organizational BCP (the pilot is a strong starting point).
    • Implemented solutions to all BCP gaps (proposed solutions will need to be evaluated first).

    Structure IT’s role in continuity planning

    Clearly define IT’s role in the pilot BCP project to deliver a successful result that enables business units to own BCP in the future.

    Though IT is a critical dependency for most processes, IT shouldn’t own the business continuity plan. IT should be an internal BCP process consultant, and each business unit must own their plan.

    IT should be an internal BCP consultant.

    • IT departments interact with all business units, which gives IT leaders at least a high-level understanding of business operations across the organization.
    • IT leaders typically also have at least some knowledge of disaster recovery, which provides a foundation for tackling BCP.
    • By contrast, business leaders often have little or no experience with disaster recovery, and don’t have the same level of experience as IT when it comes to working with other business units.

    Why shouldn’t IT own the plan?

    • Business unit managers have the authority to direct resources in their department to participate in the BCP process.
    • Business users are the experts in their processes, and are in the best position to identify dependencies, downtime impacts, recovery objectives, and viable solutions (e.g., acceptable alternate sites or process workarounds).
    • Ultimately, business unit managers and executives must decide whether to mitigate, accept, or transfer risks.

    Info-Tech Insight

    A goal of the pilot is to seed success for further planning exercises. This is as much about demonstrating the value of continuity planning to the business unit, and enabling them to own it, as it is about implementing the methodology successfully.

    Create a RACI matrix for the pilot

    Assemble a small, focused team for the pilot project empowered to discover, report, and present possible solutions to continuity planning challenges in your organization.

    Outline roles and responsibilities on the pilot team using a “RACI” exercise. Remember, only one party can be ultimately accountable for the work being completed.

    Example Pilot BCP Project RACI

    Board Executive Team BCP Executive Sponsor BCP Team Leader BCP Coordinator Pilot Bus. Unit Manager Expert Bus. Unit Staff IT Manager
    Communicate BCP project status I I I A R C C I
    Assign resources to pilot BCP project A R C R C R
    Conduct continuity planning activities I A/R R R R R
    Create pilot BCP deliverables I A R R C C C
    Manage BCP documentation I A C R I C C
    Integrate results into BCMS I I A R R I C C
    Create overall BCP project plan I I A R C C

    R: Responsible for doing the work.

    A: Accountable to ensure the activity/work happens.

    C: Consulted prior to decision or action.

    I: Informed of the decision/action once it’s made.

    "Large teams excel at solving problems, but it is small teams that are more likely to come up with new problems for their more sizable counterparts to solve." – Wang & Evans, 2019

    Info-Tech Insight

    Small teams tend to be better at trialing new techniques and finding new ways to think about problems, both of which are needed for a BCP pilot project.

    Choose one business unit for the pilot

    Many organizations begin their BCP project with a target business unit in mind. It’s still worth establishing whether this business unit meets the criteria below.

    Good candidates for a pilot project:

    • Business processes are standardized and documented.
    • Management and staff are motivated to improve business continuity.
    • The business unit is sufficiently well resourced to spare time (e.g. a few hours a week) to dedicate to the BCP process.
    • If the business unit doesn’t meet these criteria, consider addressing shortfalls before the pilot (e.g. via stakeholder management or business process analysis) or selecting another unit.
    • Many of the decisions will ultimately require input and support from the business unit’s manager(s). It is critical that they are bought into and engaged with the project.
    • The leader of the first business unit will be a champion for BCP within the executive team.
    • Sometimes, there’s no clear place to start. If this is the case for you, consider using Info-Tech’s Business Unit BCP Prioritization Tool to determine the order in which business units should undergo BCP development.

    Create role descriptions for the pilot project

    Use these role descriptions and your RACI chart to define roles for the pilot.

    These short descriptions establish the functions, expectations, and responsibilities of each role at a more granular level.

    The Board and executives have an outsized influence on the speed at which the project can be completed. Ensure that communication with these stakeholders is clear and concise. Avoid involving them directly in activities and deliverable creation, unless it’s required by their role (e.g. as a business unit manager).

    Project Role Description
    Board & Executive Team
    • Will receive project status updates but are not directly involved in deliverable creation.
    Executive Sponsor
    • Liaison with the executive team.
    • Accountable to ensure the pilot BCP is completed.
    • Set project goals and approve resource allocation and funding.
    Pilot Business Unit Manager
    • Drive the project and assign required resources.
    • Delegate day-to-day project management tasks to the BCP Coordinator.
    BCP Coordinator
    • Function as the project manager. This includes scheduling activities, coordinating resources, reporting progress, and managing deliverables.
    • Learn and apply the BCP methodology to achieve project goals.
    Expert Business Unit Staff
    • Pilot business unit process experts to assist with BCP development for that business unit.
    IT Manager
    • Provide guidance on IT capabilities and recovery options.
    Other Business Unit Managers
    • Consulted to validate or provide input to the business impact analysis and RTOs/RPOs.

    Identify a suitable BCP Coordinator

    A skilled and committed coordinator is critical to building an effective and durable BCP.

    • Coordinating the BC planning effort requires a perspective that’s informed by IT, but goes beyond IT.
    • For example, many IT professionals only see business processes where they intersect with IT. The BCP Coordinator needs to be able to ask the right questions to help the business units think through dependencies for critical processes.
    • Business analysts can thrive in this role, which requires someone effective at dissecting business processes, working with business users, identifying requirements, and managing large projects.

    Structure the role of the BCP Coordinator

    The BCP Coordinator works with the pilot business unit as well as remaining business units to provide continuity and resolve discrepancies as they come up between business units.

    Specifically, this role includes:

    • Project management tasks (e.g. scheduling, assigning tasks, coordinating resources, and reporting progress).
    • Learning the BCP methodology (through the pilot) so that this person can lead remaining business units through their BCP process. This enables the IT leader who had been assigned to guide BCP development to step back into a more appropriate consulting role.
    • Managing the BCP workflow.

    "We found it necessary to have the same person work with each business unit to pass along lessons learned and resolve contingency planning conflicts for common dependencies." – Michelle Swessel, PM and IT Bus. Analyst, Wisconsin Compensation Rating Bureau (WCRB)

    Template: Pilot Project Charter

    Formalize participants, roles, milestones, risks for the pilot project.

    Your charter should:

    1. Define project parameters, including drivers, objectives, deliverables, and scope.
    2. Identify the pilot business unit.
    3. Assign a BCP pilot team, including a BCP Coordinator, to execute the methodology.
    4. Define before-and-after metrics to enable the team to measure pilot success.
    5. Set achievable, realistic target dates for specific project milestones.
    6. Document risks, assumptions, and constraints.

    Download Info-Tech’s BCP Pilot Project Charter Template

    Step 1.3

    Identify business processes, dependencies, and alternatives

    This step will walk you through the following activities:

    • Identify key business processes.
    • Document the process workflow.
    • Identify dependencies and alternates for those dependencies.

    This step involves the following participants:

    • BCP Coordinator
    • Pilot Business Unit Manager
    • Expert Business Unit Staff

    You'll use the following tools & templates:

    Outcomes & Insights

    Documented workflows, process dependencies, and workarounds when dependencies are unavailable.

    Flowchart business processes

    Workflows help you visually identify process dependencies and optimization opportunities.

    • Business continuity planning is business process focused. You need to document business processes, dependencies, and downtime workarounds.
    • Process documentation is a basic BCP audit requirement, but it will also:
      • Keep discussions about business processes well-scoped and focused – by documenting the process, you also clarify for everyone what you’re actually talking about.
      • Remind participants of process dependencies and workarounds.
      • Make it easier to spot possible process breakdowns or improvements.
      • Capture your work, which can be used to create or update SOP documentation.
    • Use flowcharts to capture process workflows. Flowcharts are often quicker to create, take less time to update, and are ultimately more usable than a dense manual.

    Info-Tech Insight

    Process review often results in discovering informal processes, previously unknown workarounds or breakdowns, shadow IT, or process improvement opportunities.

    1.3.1 Prioritize pilot business unit processes

    Input

    • List of key business unit processes.

    Output

    • List of key business unit processes, now prioritized (at a high-level)

    Materials

    • Whiteboard/flip charts
    • BCP Business Impact Analysis Tool

    Participants

    • BCP Coordinator (leads the discussion)
    • Pilot Business Unit Manager

    30 minutes

    1. Create a list of all formal and informal business processes executed by the pilot business unit.
    2. Discuss the impact of process downtime, and do a quick assessment whether impact of downtime for each process would be high, medium, or low across each of these criteria:
      • Revenue or costs (e.g. supports sales, billing, or productivity)
      • Goodwill (e.g. affects internal or external reputation)
      • Compliance (e.g. affects legal or industry requirements)
      • Health or safety (e.g. affects employee/public health & safety)

    Note: A more in-depth analysis will be conducted later to refine priorities. The goal here is a high-level order of priority for the next steps in the planning methodology (identify business processes and dependencies).

    1. In the BCP Business Impact Analysis Tool, Processes and Dependencies tab, record the following:
      • The business processes in rough order of criticality.
      • For each process, provide a brief description that focuses on purpose and impact.
      • For each process, name a process owner (i.e. accountable for process completion – could be a manager or senior staff, not necessarily those executing the process).

    1.3.2 Review process flows & identify dependencies

    Input

    • List of key business unit processes (prioritized at a high level in Activity 1.3.1).
    • Business process flowcharts.

    Output

    • Business process flowcharts

    Materials

    • Whiteboard/flip charts
    • Microsoft Visio, or other flowcharting software
    • BCP Business Impact Analysis Tool

    Download Info-Tech’s Business Process Workflows Example

    1.5 hours

    1. Use a whiteboard to flowchart process steps. Collaborate to clarify process steps and dependencies. If processes are not documented, use this as an opportunity to create standard operating procedures (SOPs) to drive consistency and process optimization, as described in the Info-Tech blueprint, Create Visual SOP Documents that Drive Process Optimization, Not Just Peace of Mind.
    2. Record the dependencies in tab 1 of the BCP Business Impact Analysis Tool in the appropriate columns:
      • People – Anyone involved in the process, from providing guidance to executing the steps.
      • IT Applications – Core IT services (e.g. ERP, CRM) required for this process.
      • End-user devices & equipment – End-user devices, locally-installed apps, IoT, etc.
      • Facility – Any special requirements beyond general office space.
      • Suppliers & Service Providers – Third-parties who support this process.

    Info-Tech Insight

    Policies and procedures manuals, if they exist, are often out of date or incomplete. Use these as a starting point, but don’t stop there. Identify the go-to staff members who are well versed in how a process works.

    1.3.3 Document workarounds

    Input

    • Business process flowcharts.
    • List of process dependencies.

    Output

    • Workarounds and alternatives in the event dependencies aren’t available.

    Materials

    • BCP Business Impact Analysis Tool

    Participants

    • BCP Coordinator (facilitates the activity)
    • Pilot Business Unit Manager
    • Business Process Subject Matter Experts (SMEs)

    1.5 hours

    Identify alternatives to critical dependencies to help you create contingency plans.

    1. For each business process, identify known alternatives for each primary dependency. Ignore for the moment how long the workaround or alternate would be feasible.
    2. Record alternatives in the Business Continuity Business Impact Analysis Tool, Processes and Dependencies tab, Alternatives columns (a separate column for each category of dependency):
      • People – Can other staff execute the process steps? (Example: managers can step in if needed.)
      • IT Applications – Is there a manual workaround or other alternative while enterprise technology services are unavailable? (Example: database is down, but data is stored on physical forms.)
      • End-User Devices and Equipment – What alternatives exist to the usual end-user technologies, such as workstations and desk phones? (Example: some staff have cell phones.)
      • Facility Location and Requirements – Is there an alternate location where this work can be conducted? (Example: work from home, or from another building on the campus.)
      • Suppliers and External Services – Is there an alternative source for key suppliers or other external inputs? (Example: find alternate suppliers for key inputs.)
      • Additional Inputs or Requirements – What workarounds exist for additional artifacts that enable process steps (e.g. physical inventory records, control lists)? (Example: if hourly pay information is missing, run the same payroll as the previous run and reconcile once that information is available.)

    Phase 2

    Conduct a BIA to Determine Acceptable RTOs and RPOs

    Phase 2

    2.1 Define an objective impact scoring scale

    2.2 Estimate the impact of downtime

    2.3 Determine acceptable RTO/RPO targets

    Insights & Outcomes

    Assess the impact of business process downtime using objective, customized impact scoring scales. Sort business processes by criticality and by assigning criticality tiers, recovery time, and recovery point objectives.

    Participants

    • BCP Coordinator
    • Pilot Business Unit Manager
    • Business Process SMEs

    Step 2.1

    Define an objective scoring scale

    This step will walk you through the following activities:

    • Identify impact criteria that are relevant to your business.
    • Create a scale that defines a range of impact for relevant criteria.

    This step involves the following participants:

    • BCP Coordinator
    • Pilot Business Unit Manager
    • Expert Business Unit Staff

    In this step, you’ll use these tools and templates:

    Outcomes & Insights

    Define an impact scoring scale relevant to your business, which allows you to more-objectively assess the impact of business process downtime.

    Set appropriate recovery objectives

    Recovery time and recovery point objectives should align with business impact.

    The activities in Phase 2 will help you set appropriate, acceptable recovery objectives based on the business impact of process downtime.

    • The recovery time objective (RTO) and recovery point objective (RPO) are the recovery goals set for individual processes and dependencies to ensure your business unit meets its overall acceptable recovery timeline.

    For example:

    • An RTO of four hours means staff and other required resources must be available to support the business processes within four hours of an incident (e.g. relocate to an alternate worksite if necessary, access needed equipment, log-in to needed systems, get support for completing the process from alternate staff, etc.)
    • An RPO of four hours for a customer database means the most recent secondary copy of the data must never be more than four hours old – e.g. running a backup every four hours or less.

    Conduct a Business Impact Analysis (BIA)

    Create Impact Scoring Scales→Assess the impact of process downtime→Review overall impact of process downtime→Set Criticality Tiers→Set Recovery Time and Recovery Point Objectives

    Create financial impact scales

    Identify maximum cost and revenue impacts to build financial impact scales to measure the financial impact of process downtime.

    Work with the Business Unit Manager and Executive Sponsor to identify the maximum impact in each category to the entire business. Use a worst-case scenario to estimate the maximum for each scale. In the future, you can use this scoring scale to estimate the impact of downtime for other business units.

    • Loss of Revenue: Estimate the upper bound for this figure from the previous year, and divide that by the number of business days in the year. Note: Some organizations may choose to exclude revenue as a category where it won’t be lost (e.g. public-sector organizations).
    • Loss of Productivity: Proxy for lost workforce productivity using payroll numbers. Use the fully loaded payroll for the company, divided by the number of working days in the year as the maximum.
    • Increased Operating Costs: Isolate this to known additional costs resulting from a disruption. Does the interruption itself increase operating costs (e.g. if using timesheets for hourly/contract employees and that information is lost or unavailable, do you assume a full work week)?
    • Financial Penalties: If there are known financial penalties (e.g. due to failure to meet SLAs or other contractual obligations), include those values in your cost estimates.

    Info-Tech Insight

    Cost estimates are like hand grenades and horseshoes: you don’t need to be exact. It’s much easier to get input and validation from other stakeholders when you have estimates. Even weak estimates are far better than a blank sheet.

    Create goodwill, compliance, and safety impact scales

    Create a quantitative, more-objective scoring scale for goodwill, compliance and safety by following the guidance below.

    • Impact on Customers: By default, the customer impact scale is based on the percent of your total customer base impacted. You can also modify this scale to include severity of impact or alter it to identify the maximum number of customers that would be impacted.
    • Impact on Staff: Consider staff that are directly employed by the organization or its subsidiaries.
    • Impact on Business Partners: Which business partners would be affected by a business disruption?
    • Impact on Health & Safety: Consider the extent to which process downtime could increase the risk of the health & safety of staff, customers, and the general public. In addition, degradation of health & safety services should be noted.
    • Impact on Compliance: Set up the scale so that you can capture the impact of any critical regulatory requirements that might not be met if a particular process was down for 24 hours. Consider whether you expect to receive leeway or a grace period from the governance body that requires evidence of compliance.

    Info-Tech Best Practice

    Use just the impact scales that are relevant to your organization.

    Tool: Impact Scoring Scales

    • Define 4-point scoring scales in the BCP business impact analysis tool for a more objective assessment than gut-feel rankings.
    • You don’t need to include every category, if they aren’t relevant to your organization.
    • Refine the scoring scale as needed through the pilot project.
    • Use the same scoring scale for impact analyses with additional business units in the future.

    An image depicting the Business Impact Analysis Tool. A note pointing to the Level of Impact and Direct Cost Impact Scales columns states: Add the maximum cost impacts across each of the four impact scales to the tool. The rest of the scale will auto-populate based on the criteria outlined in the “Level of Impact” column. A note pointing to the column headers states: Change the names of the column headers in this tab. The changes to column headers will populate across the rest of the tool. Indicate exclusions from the scale here. A note pointing to the Goodwill Impact Scales columns reads: Update the Goodwill impact scales. For example, perhaps a critical impact on customers could be defined as “a significant impact on all customers using the organization’s services in a 24-hour period.” A note pointing to the Compliance, Heath and Safety Impact Scales columns reads: Review the compliance and safety impact scales, and update as required.

    Step 2.2

    Estimate the impact of downtime

    This step will walk you through the following activities:

    • Apply the scoring scale developed in step 2.1 to assess the impact of downtime for specific business processes.

    This step involves the following participants:

    • BCP Coordinator
    • Pilot Business Unit Manager
    • Expert Business Unit Staff

    In this step, you’ll use these tools and templates:

    Outcomes & Insights

    Develop an objective view of the impact of downtime for key business processes.

    2.2.1 Estimate the impact of downtime

    1.5 hours

    Input

    • List of business processes, dependencies, and workarounds, all documented in the BIA tool.

    Output

    • Impact of downtime scores for key business unit processes.

    Materials

    • BCP Business Impact Analysis Tool

    Participants

    • BCP Coordinator (facilitates the discussion)
    • Business Process Subject Matter Experts (SMEs)
    • Pilot Business Unit Manager
    1. Print a copy of the Scoring Criteria tab to use as a reference, or have it open on another screen. In tab 3 of the BCP Business Impact Analysis Tool use the drop-down menu to assign a score of 0 to 4 based on levels of impact defined in the Scoring Criteria tab.
    2. Work horizontally across all categories for a single process. This will set a benchmark, familiarize you with the scoring system, and allow you to modify any scoring scales if needed. In general, begin with the process that you know to be most critical.
      • For example, if call center sales operations are down:
        • Loss of Revenue would be the portion of sales revenue generated through the call center. This might score a 2 or 3 depending on the proportion of sales generated through the call center.
        • The Impact on Customers might be a 1 or 2 depending on the extent that existing customers might be using the call center to purchase new products or services.
        • The Legal/Regulatory Compliance and Health or Safety Risk might be a 0.
    3. Next, work vertically across all processes within a single category. This will allow you to compare scores within the category as you create them.

    Tool: Impact Analysis

    • The goal of the exercise is to arrive at a defensible ranking of process criticality, based on the impact of downtime.
    • Make sure participants can see the scores you’re assigning during the exercise (e.g. by writing out the scores on a whiteboard, or displaying the tool on a projector or screen) and can reference the scoring scales tab to understand what the scores mean.
    • Take notes to record the rationale behind the impact scores. Consider assigning note-taking duties to one of the participants.

    An image of the Impact Analysis Tool. A note pointing to the column headings states: Any customized column headings from tab 2, Scoring Criteria are automatically ported to this tab. A note pointing to the Impact on Goodwill columns reads: Score each application across each scoring scale from 0 to 4. Be sure to refer back to the scoring scale defined in tab 2. Have the scoring scale printed out, written on a whiteboard, or displayed on a separate screen. A note pointing to the tool's dropdown boxes states: Score categories using the drop-down boxes. A note pointing to the centre columns reads: Ignore scoring for categories you choose to exclude. You can hide these columns to clean up the tool if needed.

    2.2.2 Sort processes into Criticality Tiers

    30 minutes

    Input

    • Processes, with assigned impact scores (financial impact, goodwill impact, compliance and safety impact).

    Output

    • Business processes sorted into criticality tiers, based on the impact of downtime.

    Materials

    • BCP Business Impact Analysis Tool

    Participants

    • BCP Coordinator (facilitates the discussion)
    • Business Process Subject Matter Experts (SMEs)
    • Pilot Business Unit Manager
    1. In general, consider the Total Impact on Goodwill, Compliance, and Safety first.
      • An effective tactic to start the process is to assign a tier 1 rating to all processes with a Goodwill, Compliance, and Safety score that’s 50% or more of the highest total score, tier 2 where scores are between 25% and 50%, and tier 3 where scores are below 25% (see table below for an example).
      • In step 2.3, you’ll align recovery time objectives with the criticality tiers. So, Tier 1 processes will target recovery before Tier 2 processes, and Tier 2 processes will target recovery before Tier 3 processes.
    2. Next, consider the Total Cost of Downtime.
    • The Total Cost is calculated by the tool based on the Scoring Criteria in tab 2 and the estimates in the BIA.
    • Consider whether the total cost impact justifies changing the criticality rating. “Smoke test” categorization with participants. Are there any surprises (processes more or less critical than expected)?
  • If the categorization doesn’t seem right, check that the scoring scale was applied consistently.

    • Example: Highest total Goodwill, Compliance, and Safety impact score is 18.

    Tier Score Range % of high score
    Tier 1 - Gold 9-18 50-100%
    Tier 2 - Silver 5 to 9 25-50%
    Tier 3 - Bronze 0 to 5 0-25%

    Step 2.3

    Determine acceptable RTO and RPO targets

    This step will walk you through the following activities:

    • Identify acceptable Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs) for business processes.

    This step involves the following participants:

    • BCP Coordinator
    • Pilot Business Unit Manager
    • Expert Business Unit Staff

    In this step, you’ll use these tools and templates:

    Outcomes and Insights

    Right-size recovery objectives based on business impact.

    Right-size recovery objectives

    Acceptable RTOs and RPOs must be right-sized to the impact of downtime.

    Rapid recovery typically requires more investment.

    The impact of downtime for most business processes tends to look something like the increasing impact curve in the image to the right.

    In the moments after a disruption, impact tends to be minimal. Imagine, for example, that your organization was suddenly unable to pay its suppliers (don’t worry about the reason for the disruption, for the moment). Chances are, this disruption wouldn’t affect many payees if it lasted just a few minutes, or even a few hours. But if the disruption were to continue for days, or weeks, the impact of downtime would start to spiral out of control.

    In general, we want to target recovery somewhere between the point where impact begins, and the point where impact is intolerable. We want to balance the impact of downtime with the investment required to make processes more resilient.

    Info-Tech Insight

    Account for hard copy files as well as electronic data. If that information is lost, is there a backup? BCP can be the driver to remove the last resistance to paperless processes, allowing IT to apply appropriate data protection.

    Set recovery time objectives and recovery point objectives in the “Debate Space”

    A graph with the X axis labelled as: Increasing downtime/data loss and the Y-axis labelled Increasing Impact. The graph shows a line rising as impact and downtime/data loss increase, with the lowest end of the line (on the left) labelled as minimal impact, and the highest point of the line (on the right) labelled maximum tolerance. The middle section of the line is labelled as the Debate Space, and a note reads: Acceptable RTO/RPO must be between Low Impact and Maximum Tolerance

    2.3.1 Define process-level recovery objectives

    1 hour

    Input

    • Processes, ranked by criticality.

    Output

    • Initial business-defined recovery objectives for each process.

    Materials

    • BCP Business Impact Analysis Tool

    Participants

    • BCP Coordinator (facilitates the discussion)
    • Business Process Subject Matter Experts (SMEs)
    • Pilot Business Unit Manager
    1. Review the “Debate Space” diagram (shown in previous section) with all participants.
    2. Ask business participants for each process: how much downtime is tolerable, acceptable, or appropriate? How much data loss is tolerable?
      • If participants aren’t yet comfortable setting recovery objectives, identify the point at which downtime and data loss first becomes noticeable and the point at which downtime and data loss becomes intolerable.
      • Choose an RTO and RPO for each process that falls within the range set by these two extremes.

    RTOs and RPOs are business-defined, impact-aligned objectives that you may not be able to achieve today. It may require significant investments of time and capital to enable the organization to meet RTO and RPO.

    2.3.2 Align RTOs within and across criticality tiers

    1 hour

    Input

    • Results from pilot BCP impact analysis.

    Output

    • Initial business-defined recovery objectives for each process.

    Materials

    • BCP Business Impact Analysis Tool
    • Whiteboard/ flipchart

    Participants

    • BCP Coordinator
    • BCP Project Sponsor
    • Business Process Subject Matter Experts (SMEs)
    • Pilot Business Unit Manager (optional)

    Set a range for RTO for each Tier.

    1. Start with your least critical/Tier 3 processes. Use the filter in the “Criticality Rating” column in the Impact Analysis tab of the BIA tool to show only Tier 3 processes.
      • What range of RTOs did the group assign for processes in this Tier? Does the group agree that these targets are appropriate for these processes?
      • Record the range of RTOs on the whiteboard or flipchart.
    2. Next, look at Tier 2 processes. Use the same filter to show just Tier 2 processes.
      • Record the range of RTOs, confirm the range with the group, and ensure there’s no overlap with the Tier 3 range.
      • If the RTOs in one Tier overlap with RTOs in another, you’ll need to adjust RTOs or move processes between Tiers (if the impact analysis justifies it).
    Tier RTO
    Tier 1 4 hrs- 24 hrs
    Tier 2 24 hrs - 72 hrs
    Tier 3 72 hrs - 120 hrs

    Phase 3

    Document the Recovery Workflow and Projects to Close Gaps

    3.1 Determine current recovery procedures

    3.2 Identify and prioritize projects to close gaps

    3.3 Evaluate business continuity site and command center options

    Insights & Outcomes

    Outline business recovery processes. Highlight gaps and risks that could hinder business recovery. Brainstorm ideas to address gaps and risks. Review alternate site and business relocation options.

    Participants

    • BCP Coordinator
    • Pilot Business Unit Manager
    • Business Process SMEs

    Step 3.1

    Determine current recovery procedures

    This step will walk you through the following activities:

    • Create a step-by-step, high-level recovery workflow.
    • Highlight gaps and risks in the recovery workflow.
    • Test the workflow against multiple scenarios.

    This step involves the following participants:

    • BCP Coordinator
    • Crisis Management Team
    • Pilot Business Unit Manager
    • Expert Business Unit Staff

    In this step, you’ll use these tools and templates:

    Outcomes & Insights

    Establish steps required for business recovery and current recovery timelines.

    Identify risks & gaps that could delay or obstruct an effective recovery.

    Conduct a tabletop planning exercise to draft business recovery plans

    Tabletop exercises are the most effective way to test and increase business confidence in business recovery capabilities.

    Why is tabletop planning so effective?

    • It enables you play out a wider range of scenarios than technology-based testing (e.g. full-scale, parallel) due to cost and complexity factors.
    • It is non-intrusive, so it can be executed more frequently than other testing methodologies.
    • It provides a thorough test of your recovery workflow since the exercise is, essentially, paper-based.
    • After you have a BCP in place, this exercise can continue to be a valuable testing exercise for BCP to capture changes in your recovery process.

    A graph titled: Tabletop planning had the greatest impact on respondent confidence in meeting recovery objectives. The graph shows that the relative importance of Tabletop Planning is 57%, compared to 33% for Unit Testing, 3% for Simulation Testing, 6% for Parallel Testing, and 2% for Full-Scale Testing. The source for the graph is Info-Tech Research Group.

    Step 2 - 2 hours
    Establish command center.

    Step 2: Risks

    • Command center is just 15 miles away from primary site.

    Step 2: Gaps

    • Confirm what’s required to set up the command center.
    • Who has access to the EOC?
    • Does the center have sufficient bandwidth, workstations, phones, telephone lines?

    3.1.1 Choose a scenario for your first tabletop exercise

    30 minutes

    Input

    • List of past incidents.
    • Risks to business continuity that are of high concern.

    Output

    • Scenario for the tabletop exercise.

    Materials

    • N/A

    Participant

    • BCP Coordinator (facilitates the exercise)
    • Business Process Subject Matter Experts (SMEs)
    • Pilot business unit manager

    At the business unit level, the goal is to define a plan to resume business processes after an incident.

    A good scenario is one that helps the group focus on the goal of tabletop planning – to discuss and document the steps required to recover business processes. We suggest choosing a scenario for your first exercise that:

    • Disrupts many process dependencies (i.e. facilities, staff, IT services, suppliers).
    • Does not result in major property damage, harm, or loss of life. Business resumption is the focus of this exercise, not emergency response.
    • Has happened in the past, or is of concern to the business.

    An example: a gas leak at company HQ that requires the area to be cordoned off and power to be shut down. The business must resume processes from another location without access to materials, equipment, or IT services at the primary location.

    A plan that satisfies the gas leak scenario should meet the needs of other scenarios that affect your normal workspace. Then use BCP testing to validate that the plan meets a wider range of incidents.

    3.1.2 Define the BCP activation process

    1 hour

    Input

    • Any existing crisis management, incident response or emergency response plans.
    • BC Scenario.

    Output

    • High level incident notification, assessment, and declaration workflow.

    Materials

    • Cue cards, sticky notes, whiteboard and markers, or Visio template.

    Participants

    • BCP Coordinator
    • Crisis Management Team (if one exists)
    • Business Process SMEs
    • Pilot Business Unit Manager

    Answer the questions below to structure your notification, assessment, and BCP activation procedures.

    Notification

    How will you be notified of a disaster event? How will this be escalated to leadership? How will the team responsible for making decisions coordinate (if they can’t meet on-site)? What emergency response plans are in place to protect health and safety? What additional steps are involved if there’s a risk to health and safety?

    Assessment

    Who’s in charge of the initial assessment? Who may need to be involved in the assessment? Who will coordinate if multiple teams are required to investigate and assess the situation? Who needs to review the results of the assessment, and how will the results of the assessment be communicated (e.g. phone bridge, written memo)? What happens if your primary mode of communication is unavailable (e.g. phone service is down)?

    Declaration

    Who is responsible today for declaring a disaster and activating business continuity plans? What are the organization’s criteria for activating continuity plans, and how will BCP activation be communicated? Establish a crisis management team to guide the organization through a wide range of crises by Implementing Crisis Management Best Practices.

    3.1.3 Document the business recovery workflow

    1 hour

    Input

    • Pilot BIA.
    • Any existing crisis management, incident response, or emergency response plans.
    • BC Scenario

    Output

    • Outline of your BCP declaration and business recovery plan.

    Materials

    • Cue cards, sticky notes, whiteboard and markers, or Visio template.

    Participants

    • BCP Coordinator (facilitates the exercise)
    • Business Process Subject Matter Experts (SMEs)
    • Pilot Business Unit Manager

    Do the following:

    1. Create separate flows for facility, IT, and staff disruptions. Include additional workflows as needed.
      • We suggest you outline the recovery process at least to the point where business processes are restored to a minimum viable functional level.
    2. On white cue cards:
      1. Record the step.
      2. Indicate the task owner.
      3. Estimate how long the step will take.
    3. On yellow cue cards, document gaps in people, process, and technology requirements to complete the step.
    4. On red cue cards, indicate risks (e.g. no backup person for a key staff member).

    Info-Tech Best Practice

    Tabletop planning is most effective when you keep it simple.

    • Be focused; stay on task and on time.
    • Revisit each step and record risks and mitigation strategies.
    • Discuss each step from start to finish.
    • Revise the plan with key task owners.
    • Don’t get weighed down by tools.
    • Simple tools, like cue cards or whiteboards, can be very effective.

    Tool: BCP Recovery Workflow

    Document the steps you identified in the tabletop to create your draft recovery workflow.

    Why use a flowchart?

    • Flowcharts provide an at-a-glance view, are ideal for crisis scenarios where pressure is high and effective, and where timely communication is necessary.
    • For experienced managers and staff, a high-level reminder of process flows or key steps is sufficient.
    • Where more detail is required, include links to supporting documentation (which could include checklists, vendor documentation/contracts, other flowcharts, etc.)

    Create one recovery workflow for all scenarios.

    Traditional planning calls for separate plans for different “what-if” scenarios. This is challenging not just because it’s a lot more documentation – and maintenance – but because it’s impossible to predict every possible incident. Use the template, aligned to recovery of process dependencies, to create one recovery workflow for each business unit that can be used in and tested against different scenarios.

    Download Info-Tech’s BCP Recovery Workflow Example

    "We use flowcharts for our declaration procedures. Flowcharts are more effective when you have to explain status and next steps to upper management." – Assistant Director-IT Operations, Healthcare Industry

    "Very few business interruptions are actually major disasters. It’s usually a power outage or hardware failure, so I ensure my plans address ‘minor’ incidents as well as major disasters."- BCP Consultant

    3.1.4 Document achievable recovery metrics (RTA/RPA)

    30 minutes

    Input

    • Pilot BCP BIA.
    • Draft recovery workflow.

    Output

    • RTA and RPA for each business process.

    Materials

    • Pilot BCP BIA.

    Participants

    • BCP Coordinator (facilitates the exercise)
    • Business Process Subject Matter Experts (SMEs)
    • Pilot Business Unit Manager

    Add the following data to your copy of the BCP Business Impact Analysis Tool.

    1. Estimate the recovery time achievable (RTA) for each process based on the required time for the process to be restored to a minimum acceptable functional level. Review your recovery workflow to identify this timeline. For example, if the full process from notification, assessment, and declaration to recovery and relocation would take a full day, set the RTA to 24 hours.
    2. Estimate the recovery point achievable (RPA) for each process based on the maximum amount of data that could be lost. For example, if data on a particular system is backed up offsite once per day, and the onsite system was destroyed just before that backup began, the entire day’s data could be lost and the achievable RPO is 24 hours. Note: Enter a value of 9999 to indicate that data is unrecoverable.

    Info-Tech Insight

    Operating at a minimum acceptable functional level may not be feasible for more than a few days or weeks. Develop plans for immediate continuity first, then develop further plans for long-term continuity processes as required. Recognize that for longer term outages, you will evolve your plans in the crisis to meet the needs of the situation.

    3.1.5 Test the workflow of other scenarios

    1 hour

    Input

    • Draft recovery workflow.

    Output

    • Updated draft recovery workflow.

    Materials

    • Draft recovery workflow.
    • Projector or screen.

    Participants

    • BCP Coordinator (facilitates the exercise)
    • Business Process Subject Matter Experts (SMEs)
    • Pilot Business Unit Manager

    Work from and update the soft copy of your recovery workflow.

    1. Would any steps change if the scenario changes? If yes, capture the different flow with a decision diamond. See the example Recovery Workflow for a workflow that uses decision diamonds. Identify any new gaps or risks you encounter with red and yellow cards.
    2. Make sure the decision diamonds are as generalized as possible. For example, instead of creating a separate response plan for each scenario that would require you to relocate from your existing building, create one response plan for relocation and one response plan for remaining in place.
    3. See the next section for some examples of different types of scenarios that you may include in your recovery workflow.

    Info-Tech Insight

    Remember that health and safety risks must be dealt with first in a crisis. The business unit recovery workflow will focus on restoring business operations after employees are no longer at risk (e.g. the risk has been resolved or employees have been safely relocated). See Implement Crisis Management Best Practices for ideas on how to respond to and assess a wide range of crises.

    Not all scenarios will have full continuity plans

    Risk management is a business decision. Business continuity planning can help decision makers understand and decide on whether to accept or mitigate high impact, low probability risks.

    For some organizations, it’s not practical or possible to invest in the redundancy that would be necessary to recover in a timely manner from certain major events.

    Leverage existing risk management practices to identify key high impact events that could present major business continuity challenges that could cause catastrophic disruptions to facility, IT, staffing, suppliers, or equipment. If you don’t have a risk register, review the scenarios on the next slide and brainstorm risks with the working group.

    Work through tabletop planning to identify how you might work through an event like this, at a high level. In step 3.2, you can estimate the effort, cost, and benefit for different ideas that can help mitigate the damage to the business to help decision makers choose between investment in mitigation or accepting the risk.

    Document any scenarios that you identify as outside the scope of your continuity plans in the “Scope” section of your BCP Summary document.

    For example:

    A single location manufacturing company is creating a BCP.

    The factory is large and contains expensive equipment; it’s not possible to build a second factory for redundancy. If the factory is destroyed, operations can’t be resumed until the factory is rebuilt. In this case, the BCP outlines how to conduct an orderly business shutdown while the factory is rebuilt.

    Contingency planning to resume factory operations after less destructive events, as well as a BCP for corporate services, is still practical and necessary.

    Considerations for other BCP scenarios

    Scenario Type Considerations
    Local hazard (gas leak, chemical leak, criminal incident, etc.)
    • Systems might be accessible remotely, but hands-on maintenance will be required eventually. “Work from home” won’t be a long-term solution.
    • An alternate site is required for service continuity. Can be within normal commuting distance.
    Equipment/building damage (fire, roof collapse, etc.)
    • Equipment will need repair or replacement (vendor involvement).
    • An alternate site is required for service continuity. Can be nearby.
    Regional natural disasters
    • Utilities may be affected (power, running water, etc.).
    • Expect staff to take care of their families first before work.
    • A geographically distant alternate site is required for service continuity.
    Supplier failure (IT provider outage, disaster at supplier, etc.)
    • Service-level agreements are important to establish recovery timelines. Review contracts and master services agreements.
    Staff (lottery win, work stoppage, pandemic/quarantine)
    • Staff are suddenly unavailable. Expect that no warm handoff to alternates is possible and that time to ramp up on the process is accounted for.
    • In a pandemic scenario, work from home, remote toolsets, and digital/contactless workflows become critical.

    Step 3.2

    Identify and prioritize projects to close gaps

    This step will walk you through the following activities:

    • Brainstorm solutions to identified gaps and risks.
    • Prioritize projects and action items to close gaps and risks.
    • Assess the impact of proposed projects on the recovery workflow.

    This step involves the following participants:

    • BCP Coordinator
    • Pilot Business Unit Manager
    • Expert Business Unit Staff

    In this step, you’ll use these tools and templates:

    Outcomes & Insights

    Identify and prioritize projects and action items that can improve business continuity capabilities.

    3.2.1 Brainstorm solutions to address risks and gaps

    1 hour

    Input

    • Draft recovery workflow.
    • Known continuity risks and gaps.

    Output

    • Ideas for action items and projects to improve business continuity.

    Materials

    • Flipchart

    Participants

    • BCP Coordinator (facilitates the exercise)
    • Business Process Subject Matter Experts (SMEs)
    • Pilot Business Unit Manager
    1. Review each of the risk and gap cards from the tabletop exercise.
    2. As a group, brainstorm ideas to address gaps, mitigate risks, and improve resiliency. Write the list of ideas on a whiteboard or flip chart paper. The solutions can range from quick-wins and action items to major capital investments. The following slides can help you seed ideas to support brainstorming and idea generation.

    Info-Tech Best Practice

    Try to avoid debates about feasibility at this point. The goal is to get ideas on the board.

    When you’re brainstorming solutions to problems, don’t stop with the first idea, even if the solution seems obvious. The first idea isn’t always the best or only solution – other ideas can expand on it and improve it.

    Step 4: No formal process to declare a disaster and invoke business continuity.

    Step 7: Alternate site could be affected by the same regional event as the main office.

    Step 12: Need to confirm supplier service-level agreements (SLAs).

    1. Continue to create BCP documentation.
    2. Identify a third location for regional disasters.
    3. Contact suppliers to confirm SLAs and validate alignment with RTOs/RPOs.
    4. Add BCP requirements collection to service procurement process?

    Discuss your remote work capabilities

    With COVID-19, most organizations have experience with mass work-from-home.

    Review the following case studies. Do they reflect your experience during the COVID-19 pandemic?

    Unacceptable risk

    • A small insurance company provided laptops to staff so they could work remotely.
    • Complication: Cheque and print stock is a dependency and no plan was made to store check stock offsite in a secure fashion.

    Key dependencies missing

    • A local government provided laptops to key staff so they could work remotely.
    • Complication: The organization didn’t currently own enough Citrix licenses for every user to be online concurrently.

    Unable to serve customers

    • The attestation and land services department of a local government agency provided staff with remote access to key apps.
    • Complication: Their most critical business processes were designed to be in-person – they had no plan to execute these processes from home.

    Consider where your own work-from-home plans fell short.

    • Were your collaboration and communication solutions too difficult for users to use effectively?
    • Did legacy infrastructure affect performance or limit capabilities? Were security concerns appropriately addressed?
    • What challenges did IT face supporting business users on break-fix and new requests?
    • Were there logistical needs (shipping/receiving, etc.) that weren’t met?
    • Develop an updated plan to support work-from-home using Info-Tech’s BCP Relocation Checklists and Home Office Survey template, and integrate these into your overall BCP documentation. Stakeholders can easily appreciate the value of this plan since it’s relevant to recent experience.

    Identify opportunities to improve continuity plans

    What gaps in your continuity response could be addressed with better planning?

    People

    • Alternates are not identified
    • Roles in a disaster are not formalized
    • No internal/external crisis comm. strategy

    Site & Facilities

    • No alternate place of business or command center identified
    • No formal planning or exercises to test alternate site viability

    • Identify a viable secondary site and/or work-from-home plan, and develop a schedule for testing activities. Review in Step 3.3 of the Develop a Business Continuity Plan blueprint.

    External Services & Suppliers

    • Contingency plans for a disruption not planned or formalized
    • No formal review of service-level agreements (SLAs)

    • Contact key suppliers and vendors to establish SLAs, and ensure they meet requirements.
    • Review supplier continuity plans.

    Technology & Physical Assets

    • No secondary site or redundancy for critical IT systems
    • No documented end-to-end IT DR plan

    Tool: BCP Project Roadmap

    Prioritize and visualize BCP projects to present options to decision makers.

    Not all BCP projects can be tackled at once. Enable decision makers to defer, rather than outright reject, projects that aren’t feasible at this time.

    1. Configure the tool in Tab 1. Setup. Adjust criteria and definitions for criteria. Note that shaded columns are required for reporting purposes and can’t be modified.
    2. Add projects and action items in Tab 2. Data Entry. Fields highlighted in red are all required for the dashboard to populate. All other fields are optional but will provide opportunities to track more detailed data on project ideas.
    3. To generate the dashboard in Tab 3. Roadmap, open the Data ribbon and under Queries and Connections click Refresh All. You can now use the slicers on the right of the sheet.

    Download Info-Tech’s BCP Project Roadmap Tool

    Demonstrate BCP project impacts

    Illustrate the benefits of proposed projects.

    1. Review your recovery workflow.
    2. Make updates to a second copy of the high-level outline to illustrate how the business response to a disaster scenario will change once proposed projects are complete.
    • Remove steps that have been made unnecessary.
    • Remove any risks or gaps that have been mitigated or addressed.
    • Verify that proposed projects close gaps between acceptable and achievable recovery capabilities in the BIA tool.
  • The visual impact of a shorter, less-risky recovery workflow can help communicate the benefits of proposed projects to decision makers.

    • Step 3.3

    Evaluate business continuity site and command center options

    This step will walk you through the following activities:

    • Take a deep dive on the requirements for working from an alternate location.
    • Assess different options for an alternate location.

    This step involves the following participants:

    • BCP Coordinator
    • Pilot Business Unit Manager
    • Expert Business Unit Staff

    In this step, you’ll use these tools and templates:

    Outcomes & Insights

    Identify requirements for an alternate business site.

    Tool: Relocation Checklists

    An alternate site could be another company building, a dedicated emergency operations center, or work-from-home. Use this tool to guide and prepare for any relocation exercise.

    • Coordinate your response with the pre-populated checklists in Tabs 1 & 2, identify who’s responsible for items on the checklists, and update your recovery workflows to reflect new steps. When reviewing the checklist, consider what can be done to prepare ahead of a crisis.
      • For example, you may wish to create crisis communication templates to streamline crisis communications during a disaster.
    • Calculate the effort required to provision equipment for relocated users in Tabs 3 & 4.
    • Evaluate your options for alternate sites with the requirements matrix in Tab 5. Use your evaluation to identify how the organization could address shortcomings of viable options either ahead of time or at the time of an incident.

    Download Info-Tech’s BCP Relocation Checklists

    Create a checklist of requirements for an alternate site

    Leverage the roll-up view, in tab 3, of dependencies required to create a list of requirements for an alternate site in tab 4.

    1. The table on Tab 5 of the relocation checklists is pre-populated with some common requirements. Modify or replace requirements to suit your needs for an alternate business/office site. Be sure to consider distance, transportation, needed services, accessibility, IT infrastructure, security, and seating capacity at a minimum.
    2. Don’t assume. Verify. Confirm anything that requires permissions from the site owner. What network providers have a presence in the building? Can you access the site 24/7 and conduct training exercises? What facilities and services are available? Are you guaranteed the space if needed?

    "There are horror stories about organizations that assumed things about their alternate site that they later found out they weren’t true in practice." – Dr. Bernard Jones, MBCI CBCP

    Info-Tech Insight

    If you choose a shared location as a BCP site, a regional disaster may put you in competition with other tenants for space.

    Identify a command center

    For command center and alternate worksite selection, remember that most incidents are local and short term. Identify an onsite and an offsite command center.

    1. For events where the building is not compromised, identify an onsite location, ideally with remote conferencing capabilities and planning and collaboration tools (projectors, whiteboards, flipcharts). The onsite location can also be used for BCM and crisis management meetings. Remember, most business continuity events are not regional or massively destructive.
    2. For the offsite command center, select a location that is sufficiently far away from your normal business location to maintain separation from local incidents while minimizing commute time. However, consider a geographically distant option (e.g. more than 50 miles away) identified for those scenarios where it is a regional disaster, or plan to leverage online tools to create a virtual command center (see the Insight box below).
    3. The first members of the Emergency Response Team to be notified of the incident will determine which location to use or whether a third alternative is required.

    Info-Tech Insight

    For many organizations, a dedicated command center (TVs on the wall, maps and charts in filing cabinets) isn’t necessary. A conference bridge and collaboration tools allowing everyone to work remotely can be an acceptable offsite command center as long as digital options can meet your command center requirements.

    Create a plan for a return to normal

    Operating in continuity mode for an extended period of time tends to result in higher costs and reduced business capabilities. It’s important to restore normal operations as soon as possible.

    Advance planning can minimize risks and delays in returning to normal operations.

    Leverage the methodology and tools in this blueprint to define your return to normal (repatriation) procedures:

    1. Repeat the tabletop planning exercise to determine the repatriation steps and potential gaps. How will you return to the primary site from your alternate site? Does data need to be re-entered into core systems if IT services are down? Do you need to transfer job duties back to primary staff?
    2. What needs to be done to address the gaps in the return to normal workflow? Are there projects or action items that could make return to normal easier?

    For more on supporting a business move back to the office from the IT perspective, see Responsibly Resume IT Operations in the Office

    Potential business impacts of ongoing operations at a failover site

    • The cost of leasing alternate business worksites.
    • Inability to deliver on strategic initiatives while in emergency/interim operations mode, resulting in lost business opportunities.
    • A growing backlog of work that falls outside of emergency operations mode.
    • Travel and accommodation costs if the alternate site is geographically remote.
    • Additional vendor licensing and contract costs.

    Phase 4

    Extend the Results of the Pilot BCP and Implement Governance

    Phase 4

    4.1 Consolidate BCP pilot insights to support an overall BCP project plan

    4.2 Outline a business continuity management (BCM) program

    4.3 Test and maintain your BCP

    Insights & Outcomes

    Summarize and consolidate your initial insights and documentation. Create a project plan for overall BCP. Identify teams, responsibilities, and accountabilities, and assign documentation ownership. Integrate BCP findings in DR and crisis management practices. Set guidelines for testing, plan maintenance, training, and awareness.

    Participants

    • BCP Coordinator
    • Pilot Business Unit Manager
    • BCP Executive Sponsor

    Step 4.1

    Consolidate BCP pilot insights to support an overall BCP project plan

    This step will walk you through the following activities:

    • Summarize and consolidate outputs and key insights from the BCP pilot.
    • Identify outputs from the pilot that can be re-used for the overall BCP.
    • Create a project charter for an overall BCP.

    This step involves the following participants:

    • BCP Coordinator
    • Pilot Business Unit Manager
    • BCP Executive Sponsor

    In this step, you’ll use these tools and templates:

    Outcomes & Insights

    Present results from the pilot BCP, and outline how you’ll use the pilot process with other business units to create an overall continuity program.

    Structure the overall BCP program.

    Template: BCP Pilot Results Presentation

    Highlight key findings from the BCP pilot to make the case for next steps.

    • Highlight critical gaps or risks identified, any potential process improvements, and progress made toward improving overall BCP maturity through the pilot project. Summarize the benefits of the pilot project for an executive audience.
    • Review process recovery objectives (RTO/RPO). Provide an overview of recovery capabilities (RTA/RPA). Highlight any significant gaps between objectives and capabilities.
    • Propose next steps, including an overall BCP project and program, and projects and action items to remediate gaps and risks.
    • Develop a project plan to estimate resource requirements for an overall BCP project prior to delivering this presentation. Quantifying required time and resources is a key outcome as it enables the remaining business units to properly scope and resource their BCP development activities and can help managers overcome the fear of the unknown.

    Download Info-Tech’s BCP Pilot Results Presentation

    Tool: BCP Summary

    Sum up information from completed BCP documents to create a high-level BCP overview for auditors and executives.

    The BCP Summary document is the capstone to business unit continuity planning exercises. It consolidates your findings in a short overview of your business continuity requirements, capabilities, and maintenance procedures.

    Info-Tech recommends embedding hyperlinks within the Summary to the rest of your BCP documentation to allow the reader to drill down further as needed. Leverage the following documents:

    • Business Impact Analysis
    • BCP Recovery Workflows
    • Business Process Workflows
    • BCP Project Roadmap
    • BCP Relocation Checklists
    • Business Continuity Policy

    Download Info-Tech’s BCP Summary Document

    Reuse templates for additional exercises

    The same methodology described in this blueprint can be repeated for each business unit. Also, many of the artifacts from the BCP pilot can be reused or built upon to give the remaining business units a head start. For example:

    • BCP Pilot Project Charter Template. Make a copy to use as a base for the next business unit’s BCP project charter, and update the stakeholders/roles and milestone dates. The rest of the content can remain the same in most cases.
    • BCP Reference Workbook. This tool contains information common to all business units and can be updated as needed.
    • BCP Business Impact Analysis Tool. You may need to start a separate copy for each business unit to allow enough space to capture all business processes. However, use the same scoring scale to drive consistent assessments. In addition, the scoring completed by the pilot business unit provides an example and benchmark for assessing other business processes.
    • BCP Recovery Workflow. The notification, assessment, and declaration steps can be standardized so remaining business units can focus primarily on recovery after a disaster is declared. Similarly, many of the steps related to alternate sites and IT workarounds will also apply to other business units.
    • BCP Project Roadmap Tool. Many of the projects identified by the pilot business unit will also apply to other business units – update the list as needed.
    • The Business Unit BCP Prioritization Tool, BCP Executive Presentation, and Business Continuity Policy Template do not need to be updated for each business unit.

    Info-Tech Best Practice

    You may need to create some artifacts that are site specific. For example, relocation plans or emergency plans may not be reusable from one site to another. Use your judgement to reuse as much of the templates as you can – similar templates simplify audit, oversight, and plan management.

    Create an Overall BCP Project Charter

    Modify the pilot project charter to encompass the larger BCP project.

    Adjust the pilot charter to answer the following questions:

    • How much time and effort should the rest of the project take, based on findings from the pilot? When do you expect to meet certain milestones? What outputs and outcomes are expected?
    • In what order should additional business units complete their BCP? Who needs to be involved?
    • What projects to address continuity gaps were identified during the pilot? What investments will likely be required?
    • What additional documentation is required? This section and the appendix include templates to document your BCM Policy, Teams & Contacts, your notification procedures, and more.
    • How does this integrate with the other areas of business resilience and continuity (IT disaster recovery planning and crisis management planning)?
    • What additional activities, such as testing, are required?

    Prioritize business units for further BCP activities.

    As with the pilot, choose a business unit, or business units, where BCP will have the greatest impact and where further BCP activities will have the greatest likelihood of success. Prioritize business units that are critical to many areas of the business to get key results sooner.

    Work with one business unit at a time if:

    • Required resources from the business unit are available to focus on BCP full-time over a short period (one to two weeks).
    • More hands-on guidance (less delegation) is needed.
    • The business unit is large or has complex processes.

    Work with several business units at the same time if:

    • Required resources are only available sporadically over a longer period of time.
    • Less guidance (more delegation) is possible.
    • All business units are small and have well-documented processes.

    Download Info-Tech’s Business Unit BCP Prioritization Tool

    Step 4.2

    Outline a Business Continuity Management (BCM) Program

    This step will walk you through the following activities:

    • Identify teams and roles for BCP and business continuity management.
    • Identify individuals to fill key roles.

    This step involves the following participants:

    • BCP Coordinator
    • Executive Sponsor

    In this step, you’ll use these tools and templates:

    Outcomes & Insights

    Document BCP teams, roles, and responsibilities.

    Document contact information, alternates, and succession rules.

    Outline a Business Continuity Management Program

    A BCM program, also known as a BCM system, helps structure business continuity activities and practices to deliver long-term benefits to your business.

    A BCM program should:

    • Establish who is responsible and accountable for BCP practices, activities, and documentation, and set documentation management practices.
    • Define a process to improve plans. Review and update continuity requirements, suggest enhancements to recovery capabilities, and measure progress and improvements to the plan over time.
    • Coordinate disaster recovery, business continuity, and crisis management planning outputs and practices.
    • Communicate the value of the continuity program to the organization.

    Develop a Business Continuity Management Program

    Phase 4 of this blueprint will focus on the following elements of a business continuity management program:

    • BCM Roles, Responsibilities, and Accountabilities
    • BCM Document Management Practices
    • Integrate BC, IT DR, Crisis Management, and Emergency Management
    • Business Continuity Plan maintenance and testing
    • Training and awareness

    Schedule a call with an Info-Tech Analyst for help building out these core elements, and for advice on developing the rest of your BCM program.

    Create BCM teams

    Include a mix of strong leaders and strong planners on your BC management teams.

    BC management teams (including the secondary teams such as the emergency response team) have two primary roles:

    1. Preparation, Planning, and Governance: Conduct and consolidate business impact analyses. Review, and support the development of recovery workflows, including emergency response plans and business unit recovery workflows. Organize testing and training. Report on the state of the continuity plan.
    2. Leadership During a Crisis: Coordinate and support the execution of business recovery processes. To meet these goals, each team needs a mix of skill sets.

    Crisis leaders require strong crisis management skills:

    • Ability to make quick decisions under pressure with incomplete information.
    • Excellent verbal communication skills.
    • Strong leadership skills. Calm in stressful situations.
    • Team leaders are ideally, but not necessarily, those with the most senior title on each team. It’s more important that the team leader has the appropriate skill set.

    Collectively, the team must include a broad range of expertise as well as strong planning skills:

    • Diverse expertise to be able to plan for and respond to a wide range of potential incidents, from health and safety to reputational damage.
    • Excellent organizational skills and attention to detail.
    • Excellent written communication skills.

    Note: For specific BC team roles and responsibilities, including key resources such as Legal, HR, and IT SMEs required to prepare for and execute crisis management plans, see Implement Crisis Management Best Practices.

    Structure the BCM Team

    Create a hierarchy of teams to govern and coordinate business continuity planning and crisis management.

    BCM Team: Govern business continuity, DR, and crisis management planning. Support the organization’s response to a crisis, including the decision to declare a disaster or emergency.

    Emergency Response Teams: Assist staff and BC teams during a crisis, with a focus first on health and safety. There’s usually one team per location. Develop and maintain emergency response plans.

    Emergency Response Teams: Assist staff and BC teams during a crisis, with a focus first on health and safety. There’s usually one team per location. Develop and maintain emergency response plans.

    IT Disaster Recovery Team: Manage the recovery of IT services and data following an incident. Develop and maintain the IT DRP.

    Business Unit BCP Teams: Coordinate business process recovery at the business unit level. Develop and maintain business unit BCPs.

    “Planning Mode”

    Executive Team → BC Management Team ↓

    • Emergency Response Teams (ERT)
    • Crisis Management Team
    • IT DR Management Team
    • Business Unit BCP Teams

    “Crisis Mode”

    Executive Team ↔Crisis Management Team↓ ↔ Emergency Response Teams (ERT)

    • BC Management Team
    • IT DR Management Team
    • Business Unit BCP Teams

    For more details on specific roles to include on these teams, as well as more information on crisis management, review Info-Tech’s blueprint, Implement Crisis Management Best Practices.

    Tool: BCM Teams, Roles, Contacts, and Vendors

    Track teams, roles, and contacts in this template. It is pre-populated with roles and responsibilities for business continuity, crisis management, IT disaster recovery, emergency response, and vendors and suppliers critical to business operations.

    • Expect overlap across teams. For example, the BC Management Team will include representation from each secondary team to ensure plans are in sync. Similarly, both the Crisis Communication Team and BC Management Team should include a representative from your legal team to ensure legal issues are considered in communications as well as overall crisis management.
    • Clarify spending and decision authority for key members of each team during a crisis.

    Track contact information in this template only if you don’t have a more streamlined way of tracking it elsewhere.

    Download Info-Tech’s Business Continuity Teams and Roles Tool

    Manage key vendors

    Review supplier capabilities and contracts to ensure they meet your requirements.

    Suppliers and vendors might include:

    • Material shipments
    • IT/telecoms service providers
    • Integrators and business process outsourcing providers
    • Independent contractors
    • Utilities (power, water, etc.)

    Supplier RTOs and RPOs should align with the acceptable RTOs and RPOs defined in the BIA. Where they do not, explore options for improvement.

    Confirm the following:

    1. The supplier’s own BC/DR capabilities – how they would recover their own operations in a disaster scenario.
    2. Any continuity services the supplier provides – how they can help you recover your operations in a disaster scenario.
    3. Their existing contractual obligations for service availability (e.g. SLAs).

    Download Info-Tech’s BCP Supplier Evaluation Questionnaire

    Organize your BCMS documentation

    Your BCP isn’t any one document. It’s multiple documents that work together.

    Continue to work through any additional required documentation. Build a repository where master copies of each document will reside and can be updated as required. Assign ownership of document management to someone with an understanding of the process (e.g. the BCP Coordinator).

    Governance Recovery
    BCMS Policy BCP Summary Core BCP Recovery Workflows
    Business Process Workflows Action Items & Project Roadmap BCP Recovery Checklists
    BIA Teams, Roles, Contact Information BCP Business Process Workarounds and Recovery Checklists
    BCP Maturity Scorecard BCP Project Charter Additional Recovery Workflows
    Business Unit Prioritization Tool BCP Presentation

    Info-Tech Best Practice

    Recovery documentation has a different audience, purpose, and lifecycle than governance documentation, and keeping the documents separate can help with content management. Disciplined document management keeps the plan current and accessible.

    Align your IT DRP with your BCP

    Use the following BCP outputs to inform your DRP:

    • Business process technology dependencies. This includes technology not controlled by IT (e.g. cloud-based services).
    • RTOs and RPOs for business processes.
    • Technology projects identified by the business to improve resilience (e.g. improved mobility support).
    PCP Outputs DRP Activities
    Business processes defined Identify critical applications

    Dependencies identified:

    • People
    • Enterprise tech
    • Personal devices
    • Workspace and facilities
    • Services and other inputs

    Identify IT dependencies:

    • Infrastructure
    • Secondary applications

    Recovery objectives defined:

    • BIA and RTOs/RPOs
    • Recovery workflows

    Identify recovery objectives:

    • BIA and RTOs/RPOs
    • IT Recovery workflows

    Projects identified to close gaps:

    • Resourcing changes (e.g. training secondary staff)
    • Process changes (e.g. optimize processes and define interim processes)
    • Technology changes (e.g. improving mobility)

    Identify projects to close gaps:

    • Projects to improve DR capability (e.g. data replication, standby systems).
    • Projects to improve resiliency (e.g. redundant components)

    Info-Tech Insight

    Don’t think of inconsistencies between your DRP and BCP as a problem. Discrepancies between the plans are part of the discovery process, and they’re an opportunity to have a conversation that can improve alignment between IT service capabilities and business needs. You should expect that there will be discrepancies – managing discrepancies is part of the ongoing process to refine and improve both plans.

    Schedule activities to keep BC and DR in sync

    BC/DR Planning Workflow

    1. Collect BCP outputs that impact IT DRP (e.g. technology RTOs/RPOs).

    2. As BCPs are done, BCP Coordinator reviews outputs with IT DRP Management Team.

    3. Use the RTOs/RPOs from the BCPs as a starting point to determine IT recovery plans.

    4. Identify investments required to meet business-defined RTOs/RPOs, and validate with the business.

    5. Create a DR technology roadmap to meet validated RTOs/RPOs.

    6. Review and update business unit BCPs to reflect updated RTOs/RPOs.

    Find and address shadow IT

    Reviewing business processes and dependencies can identify workarounds or shadow IT solutions that weren’t visible to IT and haven’t been included in IT’s DR plan.

    • If you identify technology process dependencies that IT didn’t know about, it can be an opportunity to start a conversation about service support. This can be a “teachable moment” to highlight the risks of adopting and implementing technology solutions without consulting IT.
    • Highlight the possible impact of using technology services that aren’t supported by IT. For example:
      • RTOs and RPOs may not be in line with business requirements.
      • Costs could be higher than supported solutions.
      • Security controls may not be in line with compliance requirements.
      • IT may not be able to offer support when the service breaks or build new features or functionality that might be required in the future.
    • Make sure that if IT is expected to support shadow IT solutions, these systems are included in the IT DRP and that the risks and costs of supporting the non-core solution are clear to all parties and are compared to an alternative, IT-recommended solutions.

    Shadow IT can be a symptom of larger service support issues. There should be a process for requesting and tracking non-standard services from IT with appropriate technical, security, and management oversight.

    Review and reprioritize BC projects to create an overall BC project roadmap

    Assign the BCP Coordinator the task of creating a master list of BC projects, and then work with the BC management team to review and reprioritize this list, as described below:

    1. Build a list of BC projects as you work with each business unit.
      1. Add proposed projects to a master copy of the BCP Project Roadmap Tool
      2. For each subsequent business unit, copy project names, scoring, and timelines into the master roadmap tool.
    2. Work with the Executive Sponsor, the IT BCM representative, and the BCM team to review and reprioritize projects.
      1. In the master BCP Project Roadmap Tool, review and update project scoring, taking into account the relative importance of each project within the overall list. Rationalize the list (e.g. eliminate duplicate projects).
    3. The project roadmap is a suggested list of projects at this stage. Assign a project sponsor and project manager (from the BC management team or appropriate delegates) to each project to take it through your organization’s normal project scoping and approval process.

    Improving business continuity capabilities is a marathon, not a sprint. Change for the better is still change and introduces risk – massive changes introduce massive risk. Incremental changes help minimize disruption. Use Info-Tech research to deliver organizational change.

    "Developing a BCP can be like solving a Rubik’s Cube. It’s a complex, interdepartmental concern with multiple and sometimes conflicting objectives. When you have one side in place, another gets pushed out of alignment." – Ray Mach, BCP Expert

    Step 4.3

    Test and maintain your BCP

    This step will walk you through the following activities:

    • Create additional documentation to support your business continuity plan.
    • Create a repository for documentation, and assign ownership for BCP documentation.

    This step involves the following participants:

    • BCP Coordinator

    In this step, you’ll use these tools and templates:

    Outcomes & Insights

    Create a plan to maintain the BCP.

    Iterate on your plan

    Tend your garden, and pull the weeds.

    Mastery comes through practice and iteration. Iterating on and testing your plan will help you keep up to date with business changes, identify plan improvements, and help your organization’s employees develop a mindset of continuity readiness. Maintenance drives continued success; don’t let your plan become stagnant, messy, and unusable.

    Your BCM program should structure BCP reviews and updates by answering the following:

    1. When do we review the plan?
    2. What are the goals of a review?
    3. Who must lead reviews and update BCP documents?
    4. How do we track reviews, tests, and updates?

    Structure plan reviews

    There are more opportunities for improvements than just planned reviews.

    At a minimum, review goals should include:

    1. Identify and document changes to BCP requirements.
    2. Identify and document changes to BCP capabilities.
    3. Identify gaps and risks and ways to remediate risks and close gaps.

    Who leads reviews and updates documents?

    The BCP Coordinator is likely heavily involved in facilitating reviews and updating documentation, at least at first. Look for opportunities to hand off document ownership to the business units over time.

    How do we track reviews, tests, and updates?

    Keep track of your good work by keeping a log of document changes. If you don’t have one, you can use the last tab on the BCP-DRP Maintenance Checklist.

    When do we review the plan?

    1. Scheduled reviews: At a minimum, plan reviews once a year. Plan owners should review the documents, identify needed updates, and notify the coordinator of any changes to their plan.
    2. As-needed reviews: Project launches, major IT upgrades, office openings or moves, organizational restructuring – all of these should trigger a BCP review.
    3. Testing exercises: Schedule controlled exercises to test and improve different aspects of your continuity plan, and ensure that lessons learned become part of plan documentation.
    4. Retrospectives: Take the opportunity to learn from actual continuity events and crises by conducting retrospectives to evaluate your response and brainstorm improvements.

    Conduct a retrospective after major incidents

    Use a retrospective on your COVID-19 response as a starting point. Build on the questions below to guide the conversation.

    • If needed, how did we set up remote work for our users? What worked, and what didn’t?
    • Did we discover any long-term opportunities to improve business processes?
    • Did we use any continuity plans we have documented?
    • Did we effectively prioritize business processes for recovery?
    • Were expectations from our business users in line with our plans?
    • What parts of our plan worked, and where can we improve the plan?
    1. Gather stakeholders and team members
    2. Ask:
      1. What happened?
      2. What did we learn?
      3. What did we do well?
      4. What should we have done differently?
      5. What gaps should we take action to address?
    3. Prepare a plan to take action

    Outcomes and benefits

    • Confirm business priorities.
    • Validate that business recovery solutions and procedures are effective in meeting business requirements (i.e. RTOs and RPOs).
    • Identify gaps in continuity resources, procedures, or documentation, and options to close gaps.
    • Build confidence in the response team and recovery capabilities.

    Tool: Testing and Maintenance Schedule

    Build a light-weight maintenance schedule for your BCP and DRP plans.

    This tool helps you set a schedule for plan update activities, identify document and exercise owners, and log updates for audit and governance purposes.

    • Add the names of your documents and brainstorm update activities.
    • Activities (document updates, testing, etc.) might be scheduled regularly, as-needed, or both. If they happen “as needed,” identify the trigger for the activity.
    • Start tracking past activities and resulting changes in Tab 3. You can also track crises that tested your continuity capabilities on this tab.

    Info-Tech Insight

    Everyone gets busy. If there’s a meeting you can schedule months in advance, schedule it months in advance! Then send reminders closer to the date. As soon as you’re done the pilot BCP, set aside time in everyone’s calendar for your first review session, whether that’s three months, six months, or a year from now.

    Appendix

    Additional BCP Tools and Templates

    Template Library: Business Continuity Policy

    Create a high-level policy to govern BCP and clarify BCP requirements.

    Use this template to:

    • Outline the organizational commitment to BCM.
    • Clarify the mandate to prepare, validate, and maintain continuity plans that align with business requirements.
    • Define specific policy statements that signatories to the policy are expected to uphold.
    • Require key stakeholders to review and sign off on the template.

    Download Info-Tech’s Business Continuity Policy template

    Template Library: Workarounds & Recovery Checklists

    Capture the step-by-step details to execute workarounds and steps in the business recovery process.

    If you require more detail to support your recovery procedures, you can use this template to:

    • Record specific steps or checklists to support specific workarounds or recovery procedures.
    • Identify prerequisites for workarounds or recovery procedures.

    Download Info-Tech’s BCP Process Workarounds & Recovery Checklists Template

    Template Library: Notification, Assessment, Declaration

    Create a procedure that outlines the conditions for assessing a disaster situation and invoking the business continuity plan.

    Use this template to:

    • Guide the process whereby the business is notified of an incident, assesses the situation, and declares a disaster.
    • Set criteria for activating business continuity plans.
    • Review examples of possible events, and suggest options on how the business might proceed or react.

    Download Info-Tech’s BCP Notification, Assessment, and Disaster Declaration Plan template

    Template Library: BCP Recovery Workflow Example

    Review an example of BCP recovery workflows.

    Use this template to:

    • Generate ideas for your own recovery processes.
    • See real examples of recovery processes for warehousing, supply, and distribution operations.
    • Review an example of working BCP documentation.

    Download Info-Tech’s BCP Recovery Workflows Example

    Create a Pandemic Response Plan

    If you’ve been asked to build a pandemic-specific response plan, use your core BCP findings to complete these pandemic planning documents.

    • At the onset of the COVID-19 crisis, IT departments were asked to rapidly ramp up work-from-home capabilities and support other process workarounds.
    • IT managers already knew that obstacles to working from home would go beyond internet speed and needing a laptop. Business input is critical to uncover unexpected obstacles.
    • IT needed to address a range of issues from security risk to increased service desk demand from users who don’t normally work from home.
    • Workarounds to speed the process up had to be balanced with good IT practices and governance (Asset Management, Security, etc.)
    • If you’ve been asked to update your Pandemic Response Plan, use this template and your core BCP deliverables to deliver a set of streamlined documentation that draws on lessons learned from the COVID-19 pandemic.

    Structure HR’s role in the pandemic plan

    Leverage the following materials from Info-Tech’s HR-focused sister company, McLean & Company.

    These HR research resources live on the website of Info-Tech’s sister company, McLean & Company. Contact your Account Manager to gain access to these resources.

    Summary of Accomplishment

    Knowledge Gained

    This blueprint outlined:

    • The streamlined approach to BCP development.
    • A BIA process to identify acceptable, appropriate recovery objectives.
    • Tabletop planning exercises to document and validate business recovery procedures.

    Processes Optimized

    • Business continuity development processes were optimized, from business impact analysis to incident response planning.
    • In addition, pilot business unit processes were identified and clarified to support BCP development, which also provided the opportunity to review and optimize those processes.

    Key Deliverables Completed

    • Core BCP deliverables for the pilot business unit, including a business impact analysis, recovery workflows, and a project roadmap.
    • BCP Executive Presentation to communicate pilot results as well as a summary of the methodology to the executive team.
    • BCP Summary to provide a high-level view of BCP scope, objectives, capabilities, and requirements.

    If you would like additional support, have our analysts guide you through other phases as part of an Info-Tech workshop.

    Contact your account representative for more information.

    workshops@infotech.com

    1-888-670-8889

    Research Contributors and Experts

    Dr. Bernard A. Jones, MBCI, CBCP

    Professor and Continuity Consultant Berkeley College

    Dr. Jones is a professor at Berkeley College within the School of Professional Studies teaching courses in Homeland Security and Emergency Management. He is a member of the National Board of Directors for the Association of Continuity Professionals (ACP) as well as the Information & Publications Committee Chair for the Garden State Chapter of the ACP. Dr. Jones earned a doctorate degree in Civil Security Leadership, Management & Policy from New Jersey City University where his research focus was on organizational resilience.

    Kris L. Roberson

    Disaster Recovery Analyst Veterans United Home Loans

    Kris Roberson is the Disaster Recovery Analyst for Veterans United Home Loans, the #1 VA mortgage lender in the US. Kris oversees the development and maintenance of the Veterans United Home Loans DR program and leads the business continuity program. She is responsible for determining the broader strategies for DR testing and continuity planning, as well as the implementation of disaster recovery and business continuity technologies, vendors, and services. Kris holds a Masters of Strategic Leadership with a focus on organizational change management and a Bachelors in Music. She is a member of Infragard, the National Association of Professional Women, and Sigma Alpha Iota, and holds a Project+ certification.

    Trevor Butler

    General Manager of Information Technology City of Lethbridge

    As the General Manager of Information Technology with the City of Lethbridge, Trevor is accountable for providing strategic management and advancement of the city’s information technology and communications systems consistent with the goals and priorities of the corporation while ensuring that corporate risks are appropriately managed. He has 15+ years of progressive IT leadership experience, including 10+ years with public sector organizations. He holds a B.Mgt. and PMP certification along with masters certificates in both Project Management and Business Analysis.

    Robert Miller

    Information Services Director Witt/Kieffer

    Bob Miller is the Information Services Director at Witt/Kieffer. His department provides end-user support for all company-owned devices and software for Oak Brook, the regional offices, home offices, and traveling employees. The department purchases, implements, manages, and monitors the infrastructure, which includes web hosting, networks, wireless solutions, cell phones, servers, and file storage. Bob is also responsible for the firm’s security planning, capacity planning, and business continuity and disaster preparedness planning to ensure that the firm has functional technology to conduct business and continue business growth.

    Related Info-Tech Research

    Create a Right-Sized Disaster Recovery Plan

    Close the gap between your DR capabilities and service continuity requirements.

    Create Visual SOP Documents that Drive Process Optimization, Not Just Peace of Mind

    Go beyond satisfying auditors to drive process improvement, consistent IT operations, and effective knowledge transfer.

    Select the Optimal Disaster Recovery Deployment Model

    Determine which deployment models, including hybrid solutions, best meet your DR requirements.

    Bibliography

    “Business Continuity Planning.” IT Examination HandBook. The Federal Financial Institution Examination Council (FFIEC), February 2015. Web.

    “Business Continuity Plans and Emergency Contact Information.” FINRA, 12 February 2015. Web.

    “COBIT 5: A Business Framework for the Governance and Management of Enterprise IT.” ISACA, n.d. Web.

    Disaster Resource GUIDE. Emergency Lifeline Corporation, n.d. Web.

    “DR Rules & Regulations.” Disaster Recovery Journal, March 2017. Web.

    “Federal Information Security Management Act (FISMA).” Homeland Security, 2014. Web.

    FEMA. “Planning & Templates.” FEMA, n.d. Web.

    “FINRA-SEC-CFTC Joint Advisory (Regulatory Notice 13-25).” FINRA, August 2013. Web.

    Gosling, Mel and Andrew Hiles. “Business Continuity Statistics: Where Myth Meets Fact.” Continuity Central, 24 April 2009. Web.

    Hanwacker, Linda. “COOP Templates for Success Workbook.” The LSH Group, 2016. Web.

    Potter, Patrick. “BCM Regulatory Alphabet Soup – Part Two.” RSA Link, 28 August 2012. Web.

    The Good Practice Guidelines. Business Continuity Institute, 2013. Web.

    Wang, Dashun and James A. Evans. “When Small Teams are Better than Big Ones.” Harvard Business Review, 21 February 2019. Web.

    Demystify Blockchain: How Can It Bring Value to Your Organization?

    • Buy Link or Shortcode: {j2store}96|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Innovation
    • Parent Category Link: /innovation
    • Most leaders have an ambiguous understanding of blockchain and its benefits, let alone how it impacts their organization.
    • At the same time, with bitcoin drawing most of the media attention, organizations are finding it difficult to translate cryptocurrency usage to business case.

    Our Advice

    Critical Insight

    • Cut through the hype associated with blockchain by focusing on what is relevant to your organization. You have been hearing about blockchain for some time now and want to better understand it. While it is complex, you can beat the learning curve by analyzing its key benefits and purpose. Features such as transparency, efficiency, and security differentiate blockchain from existing technologies and help explain why it has transformative potential.
    • Ensure your use case is actually useful by first determining whether blockchain aligns with your organization. CIOs must take a practical approach to blockchain in order to avoid wasting resources (both time and money) and hurting IT’s image in the eyes of the business. While is easy to get excited and invest in a new technology to help maintain your image as a thought leader, you must ensure that your use case is fully developed prior to doing so.

    Impact and Result

    • Follow Info-Tech’s methodology for simplifying an otherwise complex concept. By focusing on its benefits and how they directly relate to a use case, blockchain technology is made easy to understand for business and IT professionals.
    • Our program will help you understand if blockchain is the optimal solution for your organization by mapping its key benefits (i.e. transparency, integrity, efficiency, and security) to your needs and capabilities.
    • Leverage a repeatable framework for brainstorming blockchain use case ideas and communicate your findings to business stakeholders who may otherwise be confused about the transformative potential of blockchain.

    Demystify Blockchain: How Can It Bring Value to Your Organization? Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why your organization should care about determining whether blockchain aligns with your organization, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. What exactly is blockchain?

    Understand blockchain’s unique feature, benefits, and business use cases.

    • Demystify Blockchain – Phase 1: What Is Blockchain?
    • Blockchain Glossary

    2. What can blockchain do for your organization?

    Envision blockchain’s transformative potential for your organization by brainstorming and validating a use case.

    • Demystify Blockchain – Phase 2: What Can Blockchain Do for Your Organization?
    • Blockchain Alignment Tool
    • Blockchain Alignment Presentation
    [infographic]

    Tech Trend Update: If Biosecurity Then Autonomous Edge

    • Buy Link or Shortcode: {j2store}99|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Innovation
    • Parent Category Link: /innovation

    COVID-19 has created new risks to physical encounters among workers and customers. New biosecurity processes and ways to effectively enforce them – in the least intrusive way possible – are required to resume these activities.

    Our Advice

    Critical Insight

    New biosecurity standards will be imposed on many industries, and the autonomous edge will be part of the solution to manage that new reality.

    Impact and Result

    There are some key considerations for businesses considering new biosecurity measures:

    1. If prevention, then ID-based access control
    2. If intervention, then alerts based on data
    3. If investigation, then contact tracing

    Tech Trend Update: If Biosecurity Then Autonomous Edge Research & Tools

    Tech Trend Update: If Biosecurity Then Autonomous Edge

    Understand how new biosecurity requirements could affect your business and why AI at the edge could be part of the solution.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    • Tech Trend Update: If Biosecurity Then Autonomous Edge Storyboard
    [infographic]

    Digital Data Ethics

    • Download01-Title: Tech Trend Update: If Digital Ethics Then Data Equity
    • Download-01: Visit Link
    • member rating overall impact: 9/10
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Innovation
    • Parent Category Link: /innovation

    In the past two years, we've seen that we need quick technology solutions for acute issues. We quickly moved to homeworking and then to a hybrid form. We promptly moved many of our offline habits online.

    That necessitated a boost in data collection from us towards our customers and employees, and business partners.
    Are you sure how to approach this structurally? What is the right thing to do?

    Impact and Results

    • When you partner with another company, set clear expectations
    • When you are building your custom solution, invite constructive criticism
    • When you present yourself as the authority, consider the most vulnerable in the relationship

    innovation

    Optimize IT Change Management

    • Buy Link or Shortcode: {j2store}409|cart{/j2store}
    • member rating overall impact: 9.5/10 Overall Impact
    • member rating average dollars saved: $33,585 Average $ Saved
    • member rating average days saved: 27 Average Days Saved
    • Parent Category Name: Operations Management
    • Parent Category Link: /i-and-o-process-management
    • Infrastructure managers and change managers need to re-evaluate their change management processes due to slow change turnaround time, too many unauthorized changes, too many incidents and outages because of poorly managed changes, or difficulty evaluating and prioritizing changes.
    • IT system owners often resist change management because they see it as slow and bureaucratic.
    • Infrastructure changes are often seen as different from application changes, and two (or more) processes may exist.

    Our Advice

    Critical Insight

    • ITIL provides a usable framework for change management, but full process rigor is not appropriate for every change request.
    • You need to design a process that is flexible enough to meet the demand for change, and strict enough to protect the live environment from change-related incidents.
    • A mature change management process will minimize review and approval activity. Counterintuitively, with experience in implementing changes, risk levels decline to a point where most changes are “pre-approved.”

    Impact and Result

    • Create a unified change management process that reduces risk. The process should be balanced in its approach toward deploying changes while also maintaining throughput of innovation and enhancements.
    • Categorize changes based on an industry-standard risk model with objective measures of impact and likelihood.
    • Establish and empower a change manager and change advisory board with the authority to manage, approve, and prioritize changes.
    • Integrate a configuration management database with the change management process to identify dependencies.

    Optimize IT Change Management Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should optimize change management, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    • Optimize IT Change Management – Phases 1-4

    1. Define change management

    Assess the maturity of your existing change management practice and define the scope of change management for your organization.

    • Change Management Maturity Assessment Tool
    • Change Management Risk Assessment Tool

    2. Establish roles and workflows

    Build your change management team and standardized process workflows for each change type.

    • Change Manager
    • Change Management Process Library – Visio
    • Change Management Process Library – PDF
    • Change Management Standard Operating Procedure

    3. Define the RFC and post-implementation activities

    Bookend your change management practice by standardizing change intake, implementation, and post-implementation activities.

    • Request for Change Form Template
    • Change Management Pre-Implementation Checklist
    • Change Management Post-Implementation Checklist

    4. Measure, manage, and maintain

    Form an implementation plan for the project, including a metrics evaluation, change calendar inputs, communications plan, and roadmap.

    • Change Management Metrics Tool
    • Change Management Communications Plan
    • Change Management Roadmap Tool
    • Optimize IT Change Management Improvement Initiative: Project Summary Template

    [infographic]

    Workshop: Optimize IT Change Management

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Define Change Management

    The Purpose

    Discuss the existing challenges and maturity of your change management practice.

    Build definitions of change categories and the scope of change management.

    Key Benefits Achieved

    Understand the starting point and scope of change management.

    Understand the context of change request versus other requests such as service requests, projects, and operational tasks.

    Activities

    1.1 Outline strengths and challenges

    1.2 Conduct a maturity assessment

    1.3 Build a categorization scheme

    1.4 Build a risk assessment matrix

    Outputs

    Change Management Maturity Assessment Tool

    Change Management Risk Assessment Tool

    2 Establish Roles and Workflows

    The Purpose

    Define roles and responsibilities for the change management team.

    Develop a standardized change management practice for approved changes, including process workflows.

    Key Benefits Achieved

    Built the team to support your new change management practice.

    Develop a formalized and right-sized change management practice for each change category. This will ensure all changes follow the correct process and core activities to confirm changes are completed successfully.

    Activities

    2.1 Define the change manager role

    2.2 Outline the membership and protocol for the Change Advisory Board (CAB)

    2.3 Build workflows for normal, emergency, and pre-approved changes

    Outputs

    Change Manager Job Description

    Change Management Standard Operating Procedure (SOP)

    Change Management Process Library

    3 Define the RFC and Post-Implementation Activities

    The Purpose

    Create a new change intake process, including a new request for change (RFC) form.

    Develop post-implementation review activities to be completed for every IT change.

    Key Benefits Achieved

    Bookend your change management practice by standardizing change intake, implementation, and post-implementation activities.

    Activities

    3.1 Define the RFC template

    3.2 Determine post-implementation activities

    3.3 Build your change calendar protocol

    Outputs

    Request for Change Form Template

    Change Management Post-Implementation Checklist

    Project Summary Template

    4 Measure, Manage, and Maintain

    The Purpose

    Develop a plan and project roadmap for reaching your target for your change management program maturity.

    Develop a communications plan to ensure the successful adoption of the new program.

    Key Benefits Achieved

    A plan and project roadmap for reaching target change management program maturity.

    A communications plan ready for implementation.

    Activities

    4.1 Identify metrics and reports

    4.2 Build a communications plan

    4.3 Build your implementation roadmap

    Outputs

    Change Management Metrics Tool

    Change Management Communications Plan

    Change Management Roadmap Tool

    Further reading

    Optimize IT Change Management

    Right-size IT change management practice to protect the live environment.

    EXECUTIVE BRIEF

    Analyst Perspective

    Balance risk and efficiency to optimize IT change management.

    Change management (change enablement, change control) is a balance of efficiency and risk. That is, pushing changes out in a timely manner while minimizing the risk of deployment. On the one hand, organizations can attempt to avoid all risk and drown the process in rubber stamps, red tape, and bureaucracy. On the other hand, organizations can ignore process and push out changes as quickly as possible, which will likely lead to change related incidents and debilitating outages.

    Right-sizing the process does not mean adopting every recommendation from best-practice frameworks. It means balancing the efficiency of change request fulfillment with minimizing risk to your organization. Furthermore, creating a process that encourages adherence is key to avoid change implementers from skirting your process altogether.

    Benedict Chang, Research Analyst, Infrastructure and Operations, Info-Tech Research Group

    Executive Summary

    Your Challenge

    Infrastructure and application change occurs constantly and is driven by changing business needs, requests for new functionality, operational releases and patches, and resolution of incidents or problems detected by the service desk.

    IT managers need to follow a standard change management process to ensure that rogue changes are never deployed while the organization remains responsive to demand.

    Common Obstacles

    IT system owners often resist change management because they see it as slow and bureaucratic.

    At the same time, an increasingly interlinked technical environment may cause issues to appear in unexpected places. Configuration management systems are often not kept up-to-date and do not catch the potential linkages.

    Infrastructure changes are often seen as “different” from application changes and two (or more) processes may exist.

    Info-Tech’s Approach

    Info-Tech’s approach will help you:

    • Create a unified change management practice that balances risk and throughput of innovation.
    • Categorize changes based on an industry-standard risk model with objective measures of impact and likelihood.
    • Establish and empower a Change Manager and Change Advisory Board (CAB) with the authority to manage, approve, and prioritize changes.

    Balance Risk and Efficiency to Optimize IT Change Management

    Two goals of change management are to protect the live environment and deploying changes in a timely manner. These two may seem to sometimes be at odds against each other, but assessing risk at multiple points of a change’s lifecycle can help you achieve both.

    Your challenge

    This research is designed to help organizations who need to:

    • Build a right-sized change management practice that encourages adherence and balances efficiency and risk.
    • Integrate the change management practice with project management, service desk processes, configuration management, and other areas of IT and the business.
    • Communicate the benefits and impact of change management to all the stakeholders affected by the process.

    Change management is heavily reliant on organizational culture

    Having a right-sized process is not enough. You need to build and communicate the process to gather adherence. The process is useless if stakeholders are not aware of it or do not follow it.

    Increase the Effectiveness of Change Management in Your Organization

    The image is a bar graph, with the segments labelled 1 and 2. The y-axis lists numbers 1-10. Segment 1 is at 6.2, and segment 2 is at 8.6.

    Of the eight infrastructure & operations processes measured in Info-Tech’s IT Management and Governance Diagnostic (MGD) program, change management has the second largest gap between importance and effectiveness of these processes.

    Source: Info-Tech 2020; n=5,108 IT professionals from 620 organizations

    Common obstacles

    These barriers make this challenge difficult to address for many organizations:

    • Gaining buy-in can be a challenge no matter how well the process is built.
    • The complexity of the IT environment and culture of tacit knowledge for configuration makes it difficult to assess cross-dependencies of changes.
    • Each silo or department may have their own change management workflows that they follow internally. This can make it difficult to create a unified process that works well for everyone.

    “Why should I fill out an RFC when it only takes five minutes to push through my change?”

    “We’ve been doing this for years. Why do we need more bureaucracy?”

    “We don’t need change management if we’re Agile.”

    “We don’t have the right tools to even start change management.”

    “Why do I have to attend a CAB meeting when I don’t care what other departments are doing?”

    Info-Tech’s approach

    Build change management by implementing assessments and stage gates around appropriate levels of the change lifecycle.

    The image is a circle, comprised of arrows, with each arrow pointing to the next, forming a cycle. Each arrow is labelled, as follows: Improve; Request; Assess; Plan; Approve; Implement

    The Info-Tech difference:

    1. Create a unified change management process that balances risk and throughput of innovation.
    2. Categorize changes based on an industry-standard risk model with objective measures of impact and likelihood.
    3. Establish and empower a Change Manager and Change Advisory Board (CAB) with the authority to manage, approve, and prioritize changes.

    IT change is constant and is driven by:

    Change Management:

    1. Operations - Operational releases, maintenance, vendor-driven updates, and security updates can all be key drivers of change. Example: ITSM version update
      • Major Release
      • Maintenance Release
      • Security Patch
    2. Business - Business-driven changes may include requests from other business departments that require IT’s support. Examples: New ERP or HRIS implementation
      • New Application
      • New Version
    3. Service desk → Incident & Problem - Some incident and problem tickets require a change to facilitate resolution of the incident. Examples: Outage necessitating update of an app (emergency change), a user request for new functionality to be added to an existing app
      • Workaround
      • Fix
    4. Configuration Management Database (CMDB) ↔ Asset Management - In addition to software and hardware asset dependencies, a configuration management database (CMDB) is used to keep a record of changes and is queried to assess change requests.
      • Hardware
      • Software

    Insight summary

    “The scope of change management is defined by each organization…the purpose of change management is to maximize the number of successful service and product changes by ensuring that the risk have been properly assessed, authorizing changes to process, and managing the change schedule.” – ALEXOS Limited, ITIL 4

    Build a unified change management process balancing risk and change throughput.

    Building a unified process that oversees all changes to the technical environment doesn’t have to be burdensome to be effective. However, the process is a necessary starting point to identifying cross dependencies and avoiding change collisions and change-related incidents.

    Use an objective framework for estimating risk

    Simply asking, “What is the risk?” will result in subjective responses that will likely minimize the perceived risk. The level of due diligence should align to the criticality of the systems or departments potentially impacted by the proposed changes.

    Integrate your change process with your IT service management system

    Change management in isolation will provide some stability, but maturing the process through service integrations will enable data-driven decisions, decrease bureaucracy, and enable faster and more stable throughput.

    Change management and DevOps can work together effectively

    Change and DevOps tend to be at odds, but the framework does not have to change. Lower risk changes in DevOps are prime candidates for the pre-approved category. Much of the responsibility traditionally assigned to the CAB can be diffused throughout the software development lifecycle.

    Change management and DevOps can coexist

    Shift the responsibility and rigor to earlier in the process.

    • If you are implementing change management in a DevOps environment, ensure you have a strong DevOps lifecycle. You may wish to refer to Info-Tech’s research Implementing DevOps Practices That Work.
    • Consider starting in this blueprint by visiting Appendix II to frame your approach to change management. Follow the blueprint while paying attention to the DevOps Callouts.

    DEVOPS CALLOUTS

    Look for these DevOps callouts throughout this storyboard to guide you along the implementation.

    The image is a horizontal figure eight, with 7 arrows, each pointing into the next. They are labelled are follows: Plan; Create; Verify; Package; Release; Configure; Monitor. At the centre of the circles are the words Dev and Ops.

    Successful change management will provide benefits to both the business and IT

    Respond to business requests faster while reducing the number of change-related disruptions.

    IT Benefits

    • Fewer change-related incidents and outages
    • Faster change turnaround time
    • Higher rate of change success
    • Less change rework
    • Fewer service desk calls related to poorly communicated changes

    Business Benefits

    • Fewer service disruptions
    • Faster response to requests for new and enhanced functionalities
    • Higher rate of benefits realization when changes are implemented
    • Lower cost per change
    • Fewer “surprise” changes disrupting productivity

    IT satisfaction with change management will drive business satisfaction with IT. Once the process is working efficiently, staff will be more motivated to adhere to the process, reducing the number of unauthorized changes. As fewer changes bypass proper evaluation and testing, service disruptions will decrease and business satisfaction will increase.

    Change management improves core benefits to the business: the four Cs

    Most organizations have at least some form of change control in place, but formalizing change management leads to the four Cs of business benefits:

    Control

    Change management brings daily control over the IT environment, allowing you to review every relatively new change, eliminate changes that would have likely failed, and review all changes to improve the IT environment.

    Collaboration

    Change management planning brings increased communication and collaboration across groups by coordinating changes with business activities. The CAB brings a more formalized and centralized communication method for IT.

    Consistency

    Request for change templates and a structured process result in implementation, test, and backout plans being more consistent. Implementing processes for pre-approved changes also ensures these frequent changes are executed consistently and efficiently.

    Confidence

    Change management processes will give your organization more confidence through more accurate planning, improved execution of changes, less failure, and more control over the IT environment. This also leads to greater protection against audits.

    You likely need to improve change management more than any other infrastructure & operations process

    The image shows a vertical bar graph. Each segment of the graph is labelled for an infrastructure/operations process. Each segment has two bars one for effectiveness, and another for importance. The first segment, Change Management, is highlighted, with its Effectiveness at a 6.2 and Importance at 8.6

    Source: Info-Tech 2020; n=5,108 IT Professionals from 620 organizations

    Of the eight infrastructure and operations processes measured in Info-Tech’s IT Management and Governance Diagnostic (MGD) program, change management consistently has the second largest gap between importance and effectiveness of these processes.

    Executives and directors recognize the importance of change management but feel theirs is currently ineffective

    Info-Tech’s IT Management and Governance Diagnostic (MGD) program assesses the importance and effectiveness of core IT processes. Since its inception, the MGD has consistently identified change management as an area for immediate improvement.

    The image is a vertical bar graph, with four segments, each having 2 bars, one for Effectiveness and the other for Importance. The four segments are (with Effectiveness and Importance ratings in brackets, respectively): Frontline (6.5/8.6); Manager (6.6/8.9); Director (6.4/8.8); and Executive (6.1/8.8)

    Source: Info-Tech 2020; n=5,108 IT Professionals from 620 organizations

    Importance Scores

    No importance: 1.0-6.9

    Limited importance: 7.0-7.9

    Significant importance: 8.0-8.9

    Critical importance: 9.0-10.0

    Effectiveness Scores

    Not in place: n/a

    Not effective: 0.0-4.9

    Somewhat Ineffective: 5.0-5.9

    Somewhat effective: 6.0-6.9

    Very effective: 7.0-10.0

    There are several common misconceptions about change management

    Which of these have you heard in your organization?

     Reality
    “It’s just a small change; this will only take five minutes to do.” Even a small change can cause a business outage. That small fix could impact a large system connected to the one being fixed.
    “Ad hoc is faster; too many processes slow things down.” Ad hoc might be faster in some cases, but it carries far greater risk. Following defined processes keeps systems stable and risk-averse.
    “Change management is all about speed.” Change management is about managing risk. It gives the illusion of speed by reducing downtime and unplanned work.
    “Change management will limit our capacity to change.” Change management allows for a better alignment of process (release management) with governance (change management).

    Overcome perceived challenges to implementing change management to reap measurable reward

    Before: Informal Change Management

    Change Approval:

    • Changes do not pass through a formal review process before implementation.
    • 10% of released changes are approved.
    • Implementation challenge: Staff will resist having to submit formal change requests and assessments, frustrated at the prospect of having to wait longer to have changes approved.

    Change Prioritization

    • Changes are not prioritized according to urgency, risk, and impact.
    • 60% of changes are urgent.
    • Implementation challenge: Influential stakeholders accustomed to having changes approved and deployed might resist having to submit changes to a standard cost-benefit analysis.

    Change Deployment

    • Changes often negatively impact user productivity.
    • 25% of changes are realized as planned.
    • Implementation challenge: Engaging the business so that formal change freeze periods and regular maintenance windows can be established.

    After: Right-Sized Change Management

    Change Approval

    • All changes pass through a formal review process. Once a change is repeatable and well-tested, it can be pre-approved to save time. Almost no unauthorized changes are deployed.
    • 95% of changes are approved.
    • KPI: Decrease in change-related incidents

    Change Prioritization

    • The CAB prioritizes changes so that the business is satisfied with the speed of change deployment.
    • 35% of changes are urgent.
    • KPI: Decrease in change turnaround time.

    Change deployment

    • Users are always aware of impending changes and changes don’t interrupt critical business activities.
    • Over 80% of changes are realized as planned
    • KPI: Decrease in the number of failed deployments.

    Info-Tech’s methodology for change management optimization focuses on building standardized processes

     1. Define Change Management2. Establish Roles and Workflows3. Define the RFC and Post-Implementation Activities4. Measure, Manage, and Maintain
    Phase Steps

    1.1 Assess Maturity

    1.2 Categorize Changes and Build Your Risk Assessment

    2.1 Determine Roles and Responsibilities

    2.2 Build Core Workflows

    3.1 Design the RFC

    3.2 Establish Post-Implementation Activities

    4.1 Identify Metrics and Build the Change Calendar

    4.2 Implement the Project
      Change Management Standard Operating Procedure (SOP) Change Management Project Summary Template
    Phase Deliverables
    • Change Management Maturity Assessment Tool
    • Change Management Risk Assessment Tool
    • Change Manager Job Description
    • Change Management Process Library
    • Request for Change (RFC) Form Template
    • Change Management Pre-Implementation Checklist
    • Change Management Post-Implementation Checklist
    • Change Management Metrics Tool
    • Change Management
    • Communications Plan
    • Change Management Roadmap Tool

    Blueprint deliverables

    Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:

    Change Management Process Library

    Document your normal, pre-approved, and emergency change lifecycles with the core process workflows .

    Change Management Risk Assessment Tool

    Test Drive your impact and likelihood assessment questionnaires with the Change Management Risk Assessment Tool.

    Project Summary Template

    Summarize your efforts in the Optimize IT Change Management Improvement Initiative: Project Summary Template.

    Change Management Roadmap Tool

    Record your action items and roadmap your steps to a mature change management process.

    Key Deliverable:

    Change Management SOP

    Document and formalize your process starting with the change management standard operating procedure (SOP).

    These case studies illustrate the value of various phases of this project

    Define Change Management

    Establish Roles and Workflows

    Define RFC and Post-Implementation Activities

    Measure, Manage, and Maintain

    A major technology company implemented change management to improve productivity by 40%. This case study illustrates the full scope of the project.

    A large technology firm experienced a critical outage due to poor change management practices. This case study illustrates the scope of change management definition and strategy.

    Ignorance of change management process led to a technology giant experiencing a critical cloud outage. This case study illustrates the scope of the process phase.

    A manufacturing company created a makeshift CMDB in the absence of a CMDB to implement change management. This case study illustrates the scope of change intake.

    A financial institution tracked and recorded metrics to aid in the success of their change management program. This case study illustrates the scope of the implementation phase.

    Working through this project with Info-Tech can save you time and money

    Engaging in a Guided Implementation doesn’t just offer valuable project advice, it also results in significant cost savings.

    Guided ImplementationMeasured Vale
    Phase 1: Define Change Management
    • We estimate Phase 1 activities will take 2 FTEs 10 days to complete on their own, but the time saved by using Info-Tech’s methodology will cut that time in half, thereby saving $3,100 (2 FTEs * 5 days * $80,000/year).

    Phase 2: Establish Roles and Workflows
    • We estimate Phase 2 will take 2 FTEs 10 days to complete on their own, but the time saved by using Info-Tech’s methodology will cut that time in half, thereby saving $3,100 (2 FTEs * 5 days * $80,000/year).
    Phase 3: Define the RFC and Post-Implementation Activities
    • We estimate Phase 3 will take 2 FTEs 10 days to complete on their own, but the time saved by using Info-Tech’s methodology will cut that time in half, thereby saving $3,100 (2 FTEs * 5 days * $80,000/year).

    Phase 4: Measure, Manage, and Maintain
    • We estimate Phase 4 will take 2 FTEs 5 days to complete on their own, but the time saved by using Info-Tech’s methodology will cut that time in half, thereby saving $1,500 (2 FTEs * 2.5 days * $80,000/year).
    Total Savings $10,800

    Case Study

    Industry: Technology

    Source: Daniel Grove, Intel

    Intel implemented a robust change management program and experienced a 40% improvement in change efficiency.

    Founded in 1968, the world’s largest microchip and semiconductor company employs over 100,000 people. Intel manufactures processors for major players in the PC market including Apple, Lenovo, HP, and Dell.

    ITIL Change Management Implementation

    With close to 4,000 changes occurring each week, managing Intel’s environment is a formidable task. Before implementing change management within the organization, over 35% of all unscheduled downtime was due to errors resulting from change and release management. Processes were ad hoc or scattered across the organization and no standards were in place.

    Results

    After a robust implementation of change management, Intel experienced a number of improvements including automated approvals, the implementation of a formal change calendar, and an automated RFC form. As a result, Intel improved change productivity by 40% within the first year of the program’s implementation.

    Define Change Management

    Establish Roles and Workflows

    Define RFC and Post-Implementation Activities

    Measure, Manage, and Maintain

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    "Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful."

    Guided Implementation

    "Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track."

    Workshop

    "We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place."

    Consulting

    "Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project."

    Diagnostics and consistent frameworks are used throughout all four options.

    Guided Implementation

    What does a typical GI on this topic look like?

    A Guided Implementation (GI) is series of calls with an Info-Tech analyst to help implement our best practices in your organization.

    A typical GI is between 8 to 12 calls over the course of 4 to 6 months.

    Define Change Management

    • Call #1: Introduce change concepts.
    • Call #2: Assess current maturity.
    • Call #3: Identify target-state capabilities.

    Establish Roles and Workflows

    • Call #4: Review roles and responsibilities.
    • Call #5: Review core change processes.

    Define RFC and Post- Implementation Activities

    • Call #6: Define change intake process.
    • Call #7: Create pre-implementation and post-implementation checklists.

    Measure, Manage, and Maintain

    • Call #8: Review metrics.
    • Call #9: Create roadmap.

    Workshop Overview

    Contact your account representative for more information.
    workshops@infotech.com 1-888-670-8889

     Day 1Day 2Day 3Day 4Day 5
    Activities

    Define Change Management

    1.1 Outline Strengths and Challenges

    1.2 Conduct a Maturity Assessment

    1.3 Build a Change Categorization Scheme

    1.4 Build Your Risk Assessment

    Establish Roles and Workflows

    2.1 Define the Change Manager Role

    2.2 Outline CAB Protocol and membership

    2.3 Build Normal Change Process

    2.4 Build Emergency Change Process

    2.5 Build Pre-Approved Change Process

    Define the RFC and Post-Implementation Activities

    3.1 Create an RFC Template

    3.2 Determine Post-Implementation Activities

    3.3 Build a Change Calendar Protocol

    Measure, Manage, and Maintain

    4.1 Identify Metrics and Reports

    4.2 Create Communications Plan

    4.3 Build an Implementation Roadmap

    Next Steps and Wrap-Up (offsite)

    5.1 Complete in-progress deliverables from previous four days

    5.2 Set up review time for workshop deliverables and to discuss next steps
    Deliverables
    1. Maturity Assessment
    2. Risk Assessment
    1. Change Manager Job Description
    2. Change Management Process Library
    1. Request for Change (RFC) Form Template
    2. Pre-Implementation Checklist
    3. Post-Implementation Checklist
    1. Metrics Tool
    2. Communications Plan
    3. Project Roadmap
    1. Change Management Standard Operating Procedure (SOP)
    2. Workshop Summary Deck

    Phase 1

    Define Change Management

    Define Change Management

    1.1 Assess Maturity

    1.2 Categorize Changes and Build Your Risk Assessment

    Establish Roles and Workflows

    2.1 Determine Roles and Responsibilities

    2.2 Build Core Workflows

    Define the RFC and Post-Implementation Activities

    3.1 Design the RFC

    3.2 Establish Post-Implementation Activities

    Measure, Manage, and Maintain

    4.1 Identify Metrics and Build the Change Calendar

    4.2 Implement the Project

    This phase will guide you through the following steps:

    • Assess Maturity
    • Categorize Changes and Build Your Risk Assessment

    This phase involves the following participants:

    • CIO
    • IT Managers
    • Change Manager
    • Members of the Change Advisory Board

    Step 1.1

    Assess Maturity

    Activities

    1.1.1 Outline the Organization’s Strengths and Challenges

    1.1.2 Complete a Maturity Assessment

    This step involves the following participants:

    • CIO
    • IT Managers
    • Change Manager
    • Members of the Change Advisory Board

    Outcomes of this step

    • An understanding of maturity change management processes and frameworks
    • Identification of existing change management challenges and potential causes
    • A framework for assessing change management maturity and an assessment of your existing change management processes

    Define Change Management

    Step 1.1: Assess Maturity → Step 1.2: Categorize Changes and Build Your Risk Assessment

    Change management is often confused with release management, but they are distinct processes

    Change

    • Change management looks at software changes as well as hardware, database, integration, and network changes, with the focus on stability of the entire IT ecosystem for business continuity.
    • Change management provides a holistic view of the IT environment, including dependencies, to ensure nothing is negatively affected by changes.
    • Change documentation is more focused on process, ensuring dependencies are mapped, rollout plans exist, and the business is not at risk.

    Release

    • Release and deployment are the detailed plans that bundle patches, upgrades, and new features into deployment packages, with the intent to change them flawlessly into a production environment.
    • Release management is one of many actions performed under change management’s governance.
    • Release documentation includes technical specifications such as change schedule, package details, change checklist, configuration details, test plan, and rollout and rollback plans.

    Info-Tech Insight

    Ensure the Release Manager is present as part of your CAB. They can explain any change content or dependencies, communicate business approval, and advise the service desk of any defects.

    Integrate change management with other IT processes

    As seen in the context diagram, change management interacts closely with many other IT processes including release management and configuration management (seen below). Ensure you delineate when these interactions occur (e.g. RFC updates and CMDB queries) and which process owns each task.

    The image is a chart mapping the interactions between Change Management and Configuration Management (CMDB).

    Avoid the challenges of poor change management

    1. Deployments
      • Too frequent: The need for frequent deployments results in reduced availability of critical business applications.
      • Failed deployments or rework is required: Deployments are not successful and have to be backed out of and then reworked to resolve issues with the installation.
      • High manual effort: A lack of automation results in high resource costs for deployments. Human error is likely, which adds to the risk of a failed deployment.
    2. Incidents
      • Too many unauthorized changes: If the process is perceived as cumbersome and ineffective, people will bypass it or abuse the emergency designation to get their changes deployed faster.
      • Changes cause incidents: When new releases are deployed, they create problems with related systems or applications.
    3. End Users
      • Low user satisfaction: Poor communication and training result in surprised and unhappy users and support staff.

    “With no controls in place, IT gets the blame for embarrassing outages. Too much control, and IT is seen as a roadblock to innovation.” – Anonymous, VP IT of a federal credit union

    1.1.1 Outline the Organization’s Strengths and Challenges

    Input

    • Current change documentation (workflows, SOP, change policy, etc.)
    • Organizational chart(s)

    Output

    • List of strengths and challenges for change management

    Materials

    Participants

    • CIO
    • IT Managers
    • Change Manager
    • Members of the Change Advisory Board
    1. As group, discuss and outline the change management challenges facing the organization. These may be challenges caused by poor change management processes or by a lack of process.
    2. Use the pain points found on the previous slide to help guide the discussion.
    3. As a group, also outline the strengths of change management and the strengths of the current organization. Use these strengths as a guide to know what practices to continue and what strengths you can leverage to improve the change management process.
    4. Record the activity results in the Project Summary Template.

    Download the Optimize IT Change Management Improvement Initiative: Project Summary Template

    Assess current change management maturity to create a plan for improvement

     ChaosReactiveControlled

    Proactive

    		Optimized
    Change Requests No defined processes for submitting changes Low process adherence and no RFC form RFC form is centralized and a point of contact for changes exists RFCs are reviewed for scope and completion RFCs trend analysis and proactive change exists
    Change Review Little to no change risk assessment Risk assessment exists for each RFC RFC form is centralized and a point of contact for changes exists Change calendar exists and is maintained System and component dependencies exist (CMDB)
    Change Approval No formal approval process exists Approval process exists but is not widely followed Unauthorized changes are minimal or nonexistent Change advisory board (CAB) is established and formalized Trend analysis exists increasing pre-approved changes
    Post-Deployment No post-deployment change review exists Process exists but is not widely followed Reduction of change-related incidents Stakeholder satisfaction is gathered and reviewed Lessons learned are propagated and actioned
    Process Governance Roles & responsibilities are ad hoc Roles, policies & procedures are defined & documented Roles, policies & procedures are defined & documented KPIs are tracked, reported on, and reviewed KPIs are proactively managed for improvement

    Info-Tech Insight

    Reaching an optimized level is not feasible for every organization. You may be able to run a very good change management process at the Proactive or even Controlled stage. Pay special attention to keeping your goals attainable.

    1.1.2 Complete a Maturity Assessment

    Input

    • Current change documentation (workflows, SOP, change policy, etc.)

    Output

    • Assessment of current maturity level and goals to improve change management

    Materials

    Participants

    • Change Manager
    • Service Desk Manager
    • Operations (optional)
    1. Use Info-Tech’s Change Management Maturity Assessment Tool to assess the maturity and completeness of your change process.
    2. Significant gaps revealed in this assessment should be the focal points of your discussion when investigating root causes and brainstorming remediation activities:
      1. For each activity of each process area of change management, determine the degree of completeness of your current process.
      2. Review your maturity assessment results and discuss as a group potential reasons why you arrived at your maturity level. Identify areas where you should focus your initial attention for improvement.
      3. Regularly review the maturity of your change management practices by completing this maturity assessment tool periodically to identify other areas to optimize.

    Download the Change Management Maturity Assessment Tool

    Case Study

    Even Google isn’t immune to change-related outages. Plan ahead and communicate to help avoid change-related incidents

    Industry: Technology

    Source: The Register

    As part of a routine maintenance procedure, Google engineers moved App Engine applications between data centers in the Central US to balance out traffic.

    Unfortunately, at the same time that applications were being rerouted, a software update was in progress on the traffic routers, which triggered a restart. This temporarily diminished router capacity, knocking out a sizeable portion of Google Cloud.

    The server drain resulted in a huge spike in startup requests, and the routers simply couldn’t handle the traffic.

    As a result, 21% of Google App Engine applications hosted in the Central US experienced error rates in excess of 10%, while an additional 16% of applications experienced latency, albeit at a lower rate.

    Solution

    Thankfully, engineers were actively monitoring the implementation of the change and were able to spring into action to halt the problem.

    The change was rolled back after 11 minutes, but the configuration error still needed to be fixed. After about two hours, the change failure was resolved and the Google Cloud was fully functional.

    One takeaway for the engineering team was to closely monitor how changes are scheduled. Ultimately, this was the result of miscommunication and a lack of transparency between change teams.

    Step 1.2

    Categorize Changes and Build Your Risk Assessment

    Activities

    1.2.1 Define What Constitutes a Change

    1.2.2 Build a Change Categorization Scheme

    1.2.3 Build a Classification Scheme to Assess Impact

    1.2.4 Build a Classification Scheme to Define Likelihood

    1.2.5 Evaluate and Adjust Your Risk Assessment Scheme

    Define Change Management

    Step 1.1: Assess Maturity → Step 1.2: Categorize Changes and Build Your Risk Assessment

    This step involves the following participants:

    • Infrastructure/Applications Manager
    • Change Manager
    • Members of the Change Advisory Board

    Outcomes of this step

    • A clear definition of what constitutes a change in your organization
    • A defined categorization scheme to classify types of changes
    • A risk assessment matrix and tool for evaluating and prioritizing change requests according to impact and likelihood of risk

    Change must be managed to mitigate risk to the infrastructure

    Change management is the gatekeeper protecting your live environment.

    Successfully managed changes will optimize risk exposure, severity of impact, and disruption. This will result in the bottom-line business benefits of removal of risk, early realization of benefits, and savings of money and time.

    • IT change is constant; change requests will be made both proactively and reactively to upgrade systems, acquire new functionality, and to prevent or resolve incidents.
    • Every change to the infrastructure must pass through the change management process before being deployed to ensure that it has been properly assessed and tested, and to check that a backout /rollback plan is in place.
    • It will be less expensive to invest in a rigorous change management process than to resolve incidents, service disruptions, and outages caused by the deployment of a bad change.
    • Change management is what gives you control and visibility regarding what is introduced to the live environment, preventing incidents that threaten business continuity.

    80%

    In organizations without formal change management processes, about 80% (The Visible Ops Handbook) of IT service outage problems are caused by updates and changes to systems, applications, and infrastructure. It’s crucial to track and systematically manage change to fully understand and predict the risks and potential impact of the change.

    Attributes of a change

    Differentiate changes from other IT requests

    Is this in the production environment of a business process?

    The core business of the enterprise or supporting functions may be affected.

    Does the task affect an enterprise managed system?

    If it’s for a local application, it’s a service request

    How many users are impacted?

    It should usually impact more than a single user (in most cases).

    Is there a configuration, or code, or workflow, or UI/UX change?

    Any impact on a business process is a change; adding a user or a recipient to a report or mailing list is not a change.

    Does the underlying service currently exist?

    If it’s a new service, then it’s better described as a project.

    Is this done/requested by IT?

    It needs to be within the scope of IT for the change management process to apply.

    Will this take longer than one week?

    As a general rule, if it takes longer than 40 hours of work to complete, it’s likely a project.

    Defining what constitutes a change

    Every change request will initiate the change management process; don’t waste time reviewing requests that are out of scope.

    ChangeService Request (User)Operational Task (Backend)
    • Fixing defects in code
    • Changing configuration of an enterprise system
    • Adding new software or hardware components
    • Switching an application to another VM
    • Standardized request
    • New PC
    • Permissions request
    • Change password
    • Add user
    • Purchases
    • Change the backup tape
    • Delete temporary files
    • Maintain database (one that is well defined, repeatable, and predictable)
    • Run utilities to repair a database

    Do not treat every IT request as a change!

    • Many organizations make the mistake of calling a standard service request or operational task a “change.”
    • Every change request will initiate the change management process; don’t waste time reviewing requests that are out of scope.
    • While the overuse of RFCs for out-of-scope requests is better than a lack of process, this will slow the process and delay the approval of more critical changes.
    • Requiring an RFC for something that should be considered day-to-day work will also discourage people from adhering to the process, because the RFC will be seen as meaningless paperwork.

     

    1.2.1 Define What Constitutes a Change

    Input

    • List of examples of each category of the chart

    Output

    • Definitions for each category to be used at change intake

    Materials

    • Whiteboard/flip charts (or shared screen if working remotely)
    • Service catalog (if applicable)
    • Sticky notes
    • Markers/pens
    • Change Management SOP

    Participants

    • Infrastructure Manager
    • Change Manager
    • Members of the Change Advisory Board
    1. As a group, brainstorm examples of changes, projects, service requests (user), operational tasks (backend), and releases. You may add additional categories as needed (e.g. incidents).
    2. Have each participant write the examples on sticky notes and populate the following chart on the whiteboard/flip chart.
    3. Use the examples to draw lines and define what defines each category.
      • What makes a change distinct from a project?
      • What makes a change distinct from a service request?
      • What makes a change distinct from an operational task?
      • When do the category workflows cross over with other categories? (For example, when does a project interact with change management?)
    4. Record the definitions of requests and results in section 2.3 of the Change Management Standard Operating Procedure (SOP).
    ChangeProjectService Request (User)Operational Task (Backend)Release
    Changing Configuration ERP upgrade Add new user Delete temp files Software release

    Download the Change Management Standard Operating Procedure (SOP).

    Each RFC should define resources needed to effect the change

    In addition to assigning a category to each RFC based on risk assessment, each RFC should also be assigned a priority based on the impact of the change on the IT organization, in terms of the resources needed to effect the change.

    Categories include

    Normal

    Emergency

    Pre-Approved

    The majority of changes will be pre-approved or normal changes. Definitions of each category are provided on the next slide.

    Info-Tech uses the term pre-approved rather than the ITIL terminology of standard to more accurately define the type of change represented by this category.

    A potential fourth change category of expedited may be employed if you are having issues with process adherence or if you experience changes driven from outside change management’s control (e.g. from the CIO, director, judiciary, etc.) See Appendix I for more details.

    Info-Tech Best Practice

    Do not rush to designate changes as pre-approved. You may have a good idea of which changes may be considered pre-approved, but make sure they are in fact low-risk and well-documented before moving them over from the normal category.

    The category of the change determines the process it follows

     Pre-ApprovedNormalEmergency
    Definition
    • Tasks are well-known, documented, and proven
    • Budgetary approval is preordained or within control of change requester
    • Risk is low and understood
    • There’s a low probability of failure
    • All changes that are not pre-approved or emergency will be classified as normal
    • Further categorized by priority/risk
    • The change is being requested to resolve a current or imminent critical/severity-1 incident that threatens business continuity
    • Associated with a critical incident or problem ticket
    Trigger
    • The same change is built and changed repeatedly using the same install procedures and resulting in the same low-risk outcome
    • Upgrade or new functionality that will capture a business benefit
    • A fix to a current problem
    • A current or imminent critical incident that will impact business continuity
    • Urgency to implement the change must be established, as well as lack of any alternative or workaround
    Workflow
    • Pre-established
    • Repeatable with same sequence of actions, with minimal judgment or decision points
    • Dependent on the change
    • Different workflows depending on prioritization
    • Dependent on the change
    Approval
    • Change Manager (does not need to be reviewed by CAB)
    • CAB
    • Approval from the Emergency Change Advisory Board (E-CAB) is sufficient to proceed with the change
    • A retroactive RFC must be created and approved by the CAB

    Pay close attention to defining your pre-approved changes. They are going to be critical for running a smooth change management practice in a DevOps Environment

    1.2.2 Build a Change Categorization Scheme

    Input

    • List of examples of each change category

    Output

    • Definitions for each change category

    Materials

    • Whiteboard/flip charts (or shared screen if working remotely)
    • Service catalog (if applicable)
    • Sticky notes
    • Markers
    • Change Management SOP

    Participants

    • Infrastructure Manager
    • Change Manager
    • Members of the Change Advisory Board
    1. Discuss the change categories on the previous slide and modify the types of descriptions to suit your organization.
    2. Once the change categories or types are defined, identify several examples of change requests that would fall under each category.
    3. Types of normal changes will be further defined in the next activity and can be left blank for now.
    4. Examples are provided below. Capture your definitions in section 4 of your Change Management SOP.
    Pre-Approved (AKA Standard)NormalEmergency
    • Microsoft patch management/deployment
    • Windows update
    • Minor form changes
    • Service pack updates on non-critical systems
    • Advance label status on orders
    • Change log retention period/storage
    • Change backup frequency

    Major

    • Active directory server upgrade
    • New ERP

    Medium

    • Network upgrade
    • High availability implementation

    Minor

    • Ticket system go-live
    • UPS replacement
    • Cognos update
    • Any change other than a pre-approved change
    • Needed to resolve a major outage in a Tier 1 system

    Assess the risk for each normal change based on impact (severity) and likelihood (probability)

    Create a change assessment risk matrix to standardize risk assessment for new changes. Formalizing this assessment should be one of the first priorities of change management.

    The following slides guide you through the steps of formalizing a risk assessment according to impact and likelihood:

    1. Define a risk matrix: Risk matrices can either be a 3x3 matrix (Minor, Medium, or High Risk as shown on the next slide) or a 4x4 matrix (Minor, Medium, High, or Critical Risk).
    2. Build an impact assessment: Enable consistent measurement of impact for each change by incorporating a standardized questionnaire for each RFC.
    3. Build a likelihood assessment: Enable the consistent measurement of impact for each change by incorporating a standardized questionnaire for each RFC.
    4. Test drive your risk assessment and make necessary adjustments: Measure your newly formed risk assessment questionnaires against historical changes to test its accuracy.

    Consider risk

    1. Risk should be the primary consideration in classifying a normal change as Low, Medium, High. The extent of governance required, as well as minimum timeline to implement the change, will follow from the risk assessment.
    2. The business benefit often matches the impact level of the risk – a change that will provide a significant benefit to a large number of users may likely carry an equally major downside if deviations occur.

    Info-Tech Insight

    All changes entail an additional level of risk. Risk is a function of impact and likelihood. Risk may be reduced, accepted, or neutralized through following best practices around training, testing, backout planning, redundancy, timing and sequencing of changes, etc.

    Create a risk matrix to assign a risk rating to each RFC

    Every normal RFC should be assigned a risk rating.

    How is risk rating determined?

    • Priority should be based on the business consequences of implementing or denying the change.
    • Risk rating is assigned using the impact of the risk and likelihood/probability that the event may occur.

    Who determines priority?

    • Priority should be decided with the change requester and with the CAB, if necessary.
    • Don’t let the change requester decide priority alone, as they will usually assign it a higher priority than is justified. Use a repeatable, standardized framework to assess each request.

    How is risk rating used?

    • Risk rating is used to determine which changes should be discussed and assessed first.
    • Time frames and escalation processes should be defined for each risk level.

    RFCs need to clearly identify the risk level of the proposed change. This can be done through statement of impact and likelihood (low/medium/high) or through pertinent questions linked with business rules to assess the risk.

    Risk always has a negative impact, but the size of the impact can vary considerably in terms of cost, number of people or sites affected, and severity of the impact. Impact questions tend to be more objective and quantifiable than likelihood questions.

    Risk Matrix

    Risk Matrix. Impact vs. Likelihood. Low impact, Low Likelihood and Medium Impact, Medium Likelihood are minor risks. High Likelihood, Low Impact; Medium Likelihood, Medium Impact; and Low Likelihood, High Impact are Medium Risk. High Impact, High Likelihood; High Impact, Medium Likelihood; and Medium Impact, High Likelihood are Major risk.

    1.2.3 Build a Classification Scheme to Assess Impact

    Input

    • Current risk assessment (if available)

    Output

    • Tailored impact assessment

    Materials

    Participants

    • CIO
    • Infrastructure Manager
    • Change Manager
    • Members of the Change Advisory Board
    1. Define a set of questions to measure risk impact.
    2. For each question, assign a weight that should be placed on that factor.
    3. Define criteria for each question that would categorize the risk as high, medium, or low.
    4. Capture your results in section 4.3.1 of your Change Management SOP.
    Impact
    Weight Question High Medium Low
    15% # of people affected 36+ 11-35 <10
    20% # of sites affected 4+ 2-3 1
    15% Duration of recovery (minutes of business time) 180+ 30-18 <3
    20% Systems affected Mission critical Important Informational
    30% External customer impact Loss of customer Service interruption None

    1.2.4 Build a Classification Scheme to Define Likelihood

    Input

    • Current risk assessment (if available)

    Output

    • Tailored likelihood assessment

    Materials

    Participants

    • CIO
    • Infrastructure Manager
    • Change Manager
    • Members of the Change Advisory Board
    1. Define a set of questions to measure risk likelihood.
    2. For each question, assign a weight that should be placed on that factor.
    3. Define criteria for each question that would categorize the risk as high, medium, or low.
    4. Capture your results in section 4.3.2 of your Change Management SOP.
    LIKELIHOOD
    Weight Question High Medium Low
    25% Has this change been tested? No   Yes
    10% Have all the relevant groups (companies, departments, executives) vetted the change? No Partial Yes
    5% Has this change been documented? No   Yes
    15% How long is the change window? When can we implement? Specified day/time Partial Per IT choice
    20% Do we have trained and experienced staff available to implement this change? If only external consultants are available, the rating will be “medium” at best. No   Yes
    25% Has an implementation plan been developed? No   Yes

    1.2.5 Evaluate and Adjust Your Risk Assessment Scheme

    Input

    • Impact and likelihood assessments from previous two activities

    Output

    • Vetted risk assessment

    Materials

    Participants

    • CIO
    • Infrastructure Manager
    • Change Manager
    • Members of the Change Advisory Board
    1. Draw your risk matrix on a whiteboard or flip chart.
    2. As a group, identify up to 10 examples of requests for changes that would apply within your organization. Depending on the number of people participating, each person could identify one or two changes and write them on sticky notes.
    3. Take turns bringing your sticky notes up to the risk matrix and placing each where it belongs, according to the assessment criteria you defined.
    4. After each participant has taken a turn, discuss each change as a group and adjust the placement of any changes, if needed. Update the risk assessment weightings or questions, if needed.

    Download the Change Management Rick Assessment Tool.

    #

    Change Example

    Impact

    Likelihood

    Risk

    1

    ERP change

    High

    Medium

    Major

    2

    Ticket system go-live

    Medium

    Low

    Minor

    3

    UPS replacement

    Medium

    Low

    Minor

    4

    Network upgrade

    Medium

    Medium

    Medium

    5

    AD upgrade

    Medium

    Low

    Minor

    6

    High availability implementation

    Low

    Medium

    Minor

    7

    Key-card implementation

    Low

    High

    Medium

    8

    Anti-virus update

    Low

    Low

    Minor

    9

    Website

    Low

    Medium

    Minor

     

    Case Study

    A CMDB is not a prerequisite of change management. Don’t let the absence of a configuration management database (CMDB) prevent you from implementing change management.

    Industry: Manufacturing

    Source: Anonymous Info-Tech member

    Challenge

    The company was planning to implement a CMDB; however, full implementation was still one year away and subject to budget constraints.

    Without a CMDB, it would be difficult to understand the interdependencies between systems and therefore be able to provide notifications to potentially affected user groups prior to implementing technical changes.

    This could have derailed the change management project.

    Solution

    An Excel template was set up as a stopgap measure until the full implementation of the CMDB. The template included all identified dependencies between systems, along with a “dependency tier” for each IT service.

    Tier 1: The dependent system would not operate if the upstream system change resulted in an outage.

    Tier 2: The dependent system would suffer severe degradation of performance and/or features.

    Tier 3: The dependent system would see minor performance degradation or minor feature unavailability.

    Results

    As a stopgap measure, the solution worked well. When changes ran the risk of degrading downstream dependent systems, the impacted business system owner’s authorization was sought and end users were informed in advance.

    The primary takeaway was that a system to manage configuration linkages and system dependencies was key.

    While a CMDB is ideal for this use case, IT organizations shouldn’t let the lack of such a system stop progress on change management.

    Case Study (part 1 of 4)

    Intel used a maturity assessment to kick-start its new change management program.

    Industry: Technology

    Source: Daniel Grove, Intel

    Challenge

    Founded in 1968, the world’s largest microchip and semiconductor company employs over 100,000 people. Intel manufactures processors for major players in the PC market including Apple, Lenovo, HP, and Dell.

    Intel IT supports over 65,000 servers, 3.2 petabytes of data, over 70,000 PCs, and 2.6 million emails per day.

    Intel’s change management program is responsible for over 4,000 changes each week.

    Solution

    Due to the sheer volume of change management activities present at Intel, over 35% of unscheduled outages were the result of changes.

    Ineffective change management was identified as the top contributor of incidents with unscheduled downtime.

    One of the major issues highlighted was a lack of process ownership. The change management process at Intel was very fragmented, and that needed to change.

    Results

    Daniel Grove, Senior Release & Change Manager at Intel, identified that clarifying tasks for the Change Manager and the CAB would improve process efficiency by reducing decision lag time. Roles and responsibilities were reworked and clarified.

    Intel conducted a maturity assessment of the overall change management process to identify key areas for improvement.

    Phase 2

    Establish Roles and Workflows

    For running change management in DevOps environment, see Appendix II.

    Define Change Management

    1.1 Assess Maturity

    1.2 Categorize Changes and Build Your Risk Assessment

    Establish Roles and Workflows

    2.1 Determine Roles and Responsibilities

    2.2 Build Core Workflows

    Define RFC and Post-Implementation Activities

    3.1 Design the RFC

    3.2 Establish Post-Implementation Activities

    Measure, Manage, and Maintain

    4.1 Identify Metrics and Build the Change Calendar

    4.2 Implement the Project

    This phase will guide you through the following steps:

    • Determine Roles and Responsibilities
    • Build Core Workflows

    This phase involves the following participants:

    • CIO
    • IT Managers
    • Change Manager
    • Members of the Change Advisory Board

    Step 2.1

    Determine Roles and Responsibilities

    Activities

    2.1.1 Capture Roles and Responsibilities Using a RACI Chart

    2.1.2 Determine Your Change Manager’s Responsibilities

    2.1.3 Define the Authority and Responsibilities of Your CAB

    2.1.4 Determine an E-CAB Protocol for Your Organization

    Establish Roles and Workflows

    Step 2.1: Determine Roles and Responsibilities → Step 2.2: Build Core Workflows

    This step involves the following participants:

    • CIO
    • IT Managers
    • Change Manager
    • Members of the Change Advisory Board

    Outcomes of this step

    • Clearly defined responsibilities to form the job description for a Change Manager
    • Clearly defined roles and responsibilities for the change management team, including the business system owner, technical SME, and CAB members
    • Defined responsibilities and authority of the CAB
    • Protocol for an emergency CAB (E-CAB) meeting

    Identify roles and responsibilities for your change management team

    Business System Owner

    • Provides downtime window(s)
    • Advises on need for change (prior to creation of RFC)
    • Validates change (through UAT or other validation as necessary)
    • Provides approval for expedited changes (needs to be at executive level)

    Technical Subject Matter Expert (SME)

    • Advises on proposed changes prior to RFC submission
    • Reviews draft RFC for technical soundness
    • Assesses backout/rollback plan
    • Checks if knowledgebase has been consulted for prior lessons learned
    • Participates in the PIR, if necessary
    • Ensures that the service desk is trained on the change

    CAB

    • Approves/rejects RFCs for normal changes
    • Reviews lessons learned from PIRs
    • Decides on the scope of change management
    • Reviews metrics and decides on remedial actions
    • Considers changes to be added to list of pre-approved changes
    • Communicates to organization about upcoming changes

    Change Manager

    • Reviews RFCs for completeness
    • Ensures RFCs brought to the CAB have a high chance of approval
    • Chairs CAB meetings, including scheduling, agenda preparation, reporting, and follow-ups
    • Manages post-implementation reviews and reporting
    • Organizes internal communications (within IT)

    2.1.1 Capture Roles and Responsibilities Using a RACI Chart

    Input

    • Current SOP

    Output

    • Documented roles and responsibilities in change management in a RACI chart

    Materials

    Participants

    • CIO
    • IT Managers
    • Change Manager
    • Members of the Change Advisory Board
    1. As a group, work through developing a RACI chart to determine the roles and responsibilities of individuals involved in the change management practice based on the following criteria:
      • Responsible (performs the work)
      • Accountable (ensures the work is done)
      • Consulted (two-way communication)
      • Informed (one-way communication)
    2. Record your results in slide 14 of the Project Summary Template and section 3.1 of your Change Management SOP.
    Change Management TasksOriginatorSystem OwnerChange ManagerCAB MemberTechnical SMEService DeskCIO/ VP ITE-CAB Member
    Review the RFC C C A C R C R  
    Validate changes C C A C R C R  
    Assess test plan A C R R C   I  
    Approve the RFC I C A R C   I  
    Create communications plan R I A     I I  
    Deploy communications plan I I A I   R    
    Review metrics   C A R   C I  
    Perform a post implementation review   C R A     I  
    Review lessons learned from PIR activities     R A   C    

    Designate a Change Manager to own the process, change templates, and tools

    The Change Manager will be the point of contact for all process questions related to change management.

    • The Change Manager needs the authority to reject change requests, regardless of the seniority of the requester.
    • The Change Manager needs the authority to enforce compliance to a standard process.
    • The Change Manager needs enough cross-functional subject-matter expertise to accurately evaluate the impact of change from both an IT and business perspective.

    Info-Tech Best Practice

    Some organizations will not be able to assign a dedicated Change Manager, but they must still task an individual with change review authority and with ownership of the risk assessment and other key parts of the process.

    Responsibilities

    1. The Change Manager is your first stop for change approval. Both the change management and release and deployment management processes rely on the Change Manager to function.
    2. Every single change that is applied to the live environment, from a single patch to a major change, must originate with a request for change (RFC), which is then approved by the Change Manager to proceed to the CAB for full approval.
    3. Change templates and tools, such as the change calendar, list of preapproved changes, and risk assessment template are controlled by the Change Manager.
    4. The Change Manager also needs to have ownership over gathering metrics and reports surrounding deployed changes. A skilled Change Manager needs to have an aptitude for applying metrics for continual improvement activities.

    2.1.2 Document Your Change Manager’s Responsibilities

    Input

    • Current Change Manager job description (if available)

    Output

    • Change Manager job description and list of responsibilities

    Materials

    • Whiteboard/flip charts (or shared screen if working remotely)
    • Markers/pens
    • Info-Tech’s Change Manager Job Description
    • Change Management SOP

    Participants

    • CIO
    • IT Managers
    • Change Manager
    • Members of the Change Advisory Board

    1.Using the previous slide, Info-Tech’s Change Manager Job Description, and the examples below, brainstorm responsibilities for the Change Manager.

    2.Record the responsibilities in Section 3.2 of your Change Management SOP.

    Example:

    Change Manager: James Corey

    Responsibilities

    1. Own the process, tools, and templates.
    2. Control the Change Management SOP.
    3. Provide standard RFC forms.
    4. Distribute RFCs for CAB review.
    5. Receive all initial RFCs and check them for completion.
    6. Approve initial RFCs.
    7. Approve pre-approved changes.
    8. Approve the conversion of normal changes to pre-approved changes.
    9. Assemble the Emergency CAB (E-CAB) when emergency change requests are received.
    10. Approve submission of RFCs for CAB review.
    11. Chair the CAB:
      • Set the CAB agenda and distribute it at least 24 hours before the meeting.
      • Ensure the agenda is adhered to.
      • Make the final approval/prioritization decision regarding a change if the CAB is deadlocked and cannot come to an agreement.
      • Distribute CAB meeting minutes to all members and relevant stakeholders.

    Download the Change Manager Job Description

    Create a Change Advisory Board (CAB) to provide process governance

    The primary functions of the CAB are to:

    1. Protect the live environment from poorly assessed, tested, and implemented changes.
      • CAB approval is required for all normal and emergency changes.
      • If a change results in an incident or outage, the CAB is effectively responsible; it’s the responsibility of the CAB to assess and accept the potential impact of every change.
    2. Prioritize changes in a way that fairly reflects change impact and urgency.
      • Change requests will originate from multiple stakeholders, some of whom have competing interests.
      • It’s up to the CAB to prioritize these requests effectively so that business need is balanced with any potential risk to the infrastructure.
      • The CAB should seek to reduce the number of emergency/expedited changes.
    3. Schedule deployments in a way that minimizes conflict and disruption.
      • The CAB uses a change calendar populated with project work, upcoming organizational initiatives, and change freeze periods. They will schedule changes around these blocks to avoid disrupting user productivity.
      • The CAB should work closely with the release and deployment management teams to coordinate change/release scheduling.

    See what responsibilities in the CAB’s process are already performed by the DevOps lifecycle (e.g. authorization, deconfliction etc.). Do not duplicate efforts.

    Use diverse representation from the business to form an effective CAB

    The CAB needs insight into all areas of the business to avoid approving a high-risk change.

    Based on the core responsibilities you have defined, the CAB needs to be composed of a diverse set of individuals who provide quality:

    • Change need assessments – identifying the value and purpose of a proposed change.
    • Change risk assessments – confirmation of the technical impact and likelihood assessments that lead to a risk score, based on the inputs in RFC.
    • Change scheduling – offer a variety of perspectives and responsibilities and will be able to identify potential scheduling conflicts.
     CAB RepresentationValue Added
    Business Members
    • CIO
    • Business Relationship Manager
    • Service Level Manager
    • Business Analyst
    • Identify change blackout periods, change impact, and business urgency.
    • Assess impact on fiduciary, legal, and/or audit requirements.
    • Determine acceptable business risk.
    IT Operations Members
    • Managers representing all IT functions
    • IT Directors
    • Subject Matter Experts (SMEs)
    • Identify dependencies and downstream impacts.
    • Identify possible conflicts with pre-existing OLAs and SLAs.
    CAB Attendees
    • Specific SMEs, tech specialists, and business and vendor reps relevant to a particular change
    • Only attend meetings when invited by the Change Manager
    • Provide detailed information and expertise related to their particular subject areas.
    • Speak to requirements, change impact, and cost.

    Info-Tech Best Practice

    Form a core CAB (members attend every week) and an optional CAB (members who attend only when a change impacts them or when they can provide value in discussions about a change). This way, members can have their voice heard without spending every week in a meeting where they do not contribute.

    2.1.3 Define the Authority and Responsibilities of Your CAB

    Input

    • Current SOP or CAB charter (if available)

    Output

    • Documented list of CAB authorities and responsibilities

    Materials

    Participants

    • CIO
    • IT Managers
    • Change Manager
    • Members of the Change Advisory Board

    1.Using the previous slide and the examples below, list the authorities and responsibilities of your CAB.

    2.Record the responsibilities in section 3.3.2 of your Change Management SOP and the Project Summary Template.

    Example:

    CAP AuthorityCAP Responsibilities
    • Final authority over the deployment of all normal and emergency changes.
    • Authority to absorb the risk of a change.
    • Authority to set the change calendar:
      • Maintenance windows.
      • Change freeze periods.
      • Project work.
      • Authority to delay changes.
    • Evaluate all normal and emergency changes.
    • Verify all normal change test, backout, and implementation plans.
    • Verify all normal change test results.
    • Approve all normal and emergency changes.
    • Prioritize all normal changes.
    • Schedule all normal and emergency changes.
    • Review failed change deployments.

    Establish an emergency CAB (E-CAB) protocol

    • When an emergency change request is received, you will not be able to wait until the regularly scheduled CAB meeting.
    • As a group, decide who will sit on the E-CAB and what their protocol will be when assessing and approving emergency changes.

    Change owner conferences with E-CAB (best efforts to reach them) through email or messaging.

    E-CAB members and business system owners are provided with change details. No decision is made without feedback from at least one E-CAB member.

    If business continuity is being affected, the Change Manager has authority to approve change.

    Full documentation of the change (a retroactive RFC) is done after the change and is then reviewed by the CAB.

    Info-Tech Best Practice

    Members of the E-CAB should be a subset of the CAB who are typically quick to respond to their messages, even at odd hours of the night.

    2.1.4 Determine an E-CAB Protocol for Your Organization

    Input

    • Current SOP or CAB charter (if available)

    Output

    • E-CAB protocol

    Materials

    Participants

    • CIO
    • IT Managers
    • Change Manager
    • Members of the Change Advisory Board
    1. Gather the members of the E-CAB and other necessary representatives from the change management team.
    2. Determine the order of operations for the E-CAB in the event that an emergency change is needed.
    3. Consult the example emergency protocol below. Determine what roles and responsibilities are involved at each stage of the emergency change’s implementation.
    4. Document the E-CAB protocol in section 3.4 of your Change Management SOP.

    Example

    Assemble E-CAB

    Assess Change

    Test (if Applicable)

    Deploy Change

    Create Retroactive RFC

    Review With CAB

    Step 2.2

    Build Core Workflows

    Activities

    2.2.1 Build a CMDB-lite as a Reference for Requested Changes

    2.2.2 Create a Normal Change Process

    2.2.3 Create a Pre-Approved Change Process

    2.2.4 Create an Emergency Change Process

    Establish Roles and Workflows

    Step 2.1: Determine Roles and Responsibilities → Step 2.2: Build Core Workflows

    This step involves the following participants:

    • CIO
    • IT Managers
    • Change Manager
    • Members of the Change Advisory Board

    Outcomes of this step

    • Emergency change workflow
    • Normal process workflow
    • Pre-approved change workflow

    Establishing Workflows: Change Management Lifecycle

    Improve

    • A post-implementation review assesses the value of the actual change measured against the proposed change in terms of benefits, costs, and impact.
    • Results recorded in the change log.
    • Accountability: Change Manager Change Implementer

    Request

    • A change request (RFC) can be submitted via paper form, phone, email, or web portal.
    • Accountability: Change requester/Initiator

    Assess

    • The request is screened to ensure it meets an agreed-upon set of business criteria.
    • Changes are assessed on:
      • Impact of change
      • Risks or interdependencies
      • Resourcing and costs
    • Accountability: Change Manager

    Plan

    • Tasks are assigned, planned, and executed.
    • Change schedule is consulted and necessary resources are identified.
    • Accountability: Change Manager

    Approve

    • Approved requests are sent to the most efficient channel based on risk, urgency, and complexity.
    • Change is sent to CAB members for final review and approval
    • Accountability: Change Manager
      • Change Advisory Board

    Implement

    • Approved changes are deployed.
    • A rollback plan is created to mitigate risk.
    • Accountability: Change Manager Change Implementer

    Establishing workflows: employ a SIPOC model for process definition

    A good SIPOC (supplier, input, process, output, customer) model helps establish the boundaries of each process step and provides a concise definition of the expected outcomes and required inputs. It’s a useful and recommended next step for every workflow diagram.

    For change management, employ a SIPOC model to outline your CAB process:

    Supplier

    • Who or what organization provides the inputs to the process? The supplier can be internal or external.

    Input

    • What goes into the process step? This can be a document, data, information, or a decision.

    Process

    • Activities that occur in the process step that’s being analyzed.

    Output

    • What does the process step produce? This can be a document, data, information, or a decision.

    Customer

    • Who or what organization(s) takes the output of the process? The customer can be internal or external.

    Optional Fields

    Metrics

    • Top-level indicators that usually relate to the input and output, e.g. turnaround time, risk matrix completeness.

    Controls

    • Checkpoints to ensure process step quality.

    Dependencies

    • Other process steps that require the output.

    RACI

    • Those who are Responsible, Accountable, Consulted, or Informed (RACI) about the input, output, and/or process.

    Establish change workflows: assess requested changes to identify impact and dependencies

    An effective change assessment workflow is a holistic process that leaves no stone unturned in an effort to mitigate risk before any change reaches the approval stage. The four crucial areas of risk in a change workflow are:

    Dependencies

    Identify all components of the change.

    Ask how changes will affect:

    • Services on the same infrastructure?
    • Applications?
    • Infrastructure/app architecture?
    • Security?
    • Ability to support critical systems?

    Business Impact

    Frame the change from a business point of view to identify potential disruptions to business activities.

    Your assessment should cover:

    • Business processes
    • User productivity
    • Customer service
    • BCPs

    SLA Impact

    Each new change can impact the level of service available.

    Examine the impact on:

    • Availability of critical systems
    • Infrastructure and app performance
    • Infrastructure and app capacity
    • Existing disaster recovery plans and procedures

    Required Resources

    Once risk has been assessed, resources need to be identified to ensure the change can be executed.

    These include:

    • People (SMEs, tech support, work effort/duration)
    • System time for scheduled implementation
    • Hardware or software (new or existing, as well as tools)

    Establishing workflows: pinpoint dependencies to identify the need for additional changes

    An assessment of each change and a query of the CMDB needs to be performed as part of the change planning process to mitigate outage risk.

    • A version upgrade on one piece of software may require another component to be upgraded as well. For example, an upgrade to the database management system requires that an application that uses the database be upgraded or modified.
    • The sequence of the release must also be determined, as certain components may need to be upgraded before others. For example, if you upgrade the Exchange Server, a Windows update must be installed prior to the Exchange upgrade.
    • If you do not have a CMDB, consider building a CMDB-lite, which consists of a listing of systems, primary users, SMEs, business owners, and system dependencies (see next slide).

    Services Impacted

    • Have affected services been identified?
    • Have supporting services been identified?
    • Has someone checked the CMDB to ensure all dependencies have been accounted for?
    • Have we referenced the service catalog so the business approves what they’re authorizing?

    Technical Teams Impacted

    • Who will support the change throughout testing and implementation?
    • Will additional support be needed?
    • Do we need outside support from eternal suppliers?
    • Has someone checked the contract to ensure any additional costs have been approved?

    Build a dependency matrix to avoid change related collisions (optional)

    A CMDB-lite does not replace a CMDB but can be a valuable tool to leverage when requesting changes if you do not currently have configuration management. Consider the following inputs when building your own CMDB-lite.

    • System
      • To build a CMDB-lite, start with the top 10 systems in your environment that experience changes. This list can always be populated iteratively.
    • Primary Users
      • Listing the primary users will give a change requester a first glance at the impact of the change.
      • You can also use this information when looking at the change communication and training after the change is implemented.
    • SME/Backup
      • These are the staff that will likely build and implement the change. The backup is listed in case the primary is on holiday.
    • Business System Owner
      • The owner of the system is one of the people needed to sign off on the change. Having their support from the beginning of a change is necessary to build and implement it successfully.
    • Tier 1 Dependency
      • If the primary system experiences and outage, Tier 1 dependency functionality is also lost. To request a change, include the business system owner signoffs of the Tier 1 dependencies of the primary system.
    • Tier 2 Dependency
      • If the primary system experiences an outage, Tier 2 dependency functionality is lost, but there is an available workaround. As with Tier 1, this information can help you build a backout plan in case there is a change-related collision.
    • Tier 3 Dependency
      • Tier 3 functionality is not lost if the primary system experiences an outage, but nice-to-haves such as aesthetics are affected.

    2.2.1 Build a CMDB-lite as a Reference for Requested Changes

    Input

    • Current system ownership documentation

    Output

    • Documented reference for change requests (CMDB-lite)

    Materials

    • Whiteboard/flip charts (or shared screen if working remotely)
    • Sticky notes
    • Markers/pens

    Participants

    • CIO
    • IT Managers
    • Change Manager
    • Members of the Change Advisory Board
    1. Start with a list of your top 10-15 systems/services with the highest volume of changes.
    2. Using a whiteboard, flip chart, or shared screen, complete the table below by filling the corresponding Primary Users, SMEs, Business System Owner, and Dependencies as shown below. It may help to use sticky notes.
    3. Iteratively populate the table as you notice gaps with incoming changes.
    SystemPrimary UsersSMEBackup SME(s)Business System OwnerTier 1 Dependency (system functionality is down)Tier 2 (impaired functionality/ workaround available)Tier 3 Dependency (nice to have)
    Email Enterprise Naomi Amos James
    • ITSMs
    • Scan-to-email
    • Reporting
    		  
    • Lots
    Conferencing Tool Enterprise Alex Shed James
    • Videoconferencing
    • Conference rooms (can use Facebook messenger instead in worst case scenario)
    • IM
    ITSM (Service Now) Enterprise (Intl.) Anderson TBD Mike
    • Work orders
    • Dashboards
    • Purchasing
    		  
    ITSM (Manage Engine) North America Bobbie Joseph Mike
    • Work orders
    • Dashboards
    • Purchasing
    		  

    Establishing workflows: create standards for change approvals to improve efficiency

    • Not all changes are created equal, and not all changes require the same degree of approval. As part of the change management process, it’s important to define who is the authority for each type of change.
    • Failure to do so can create bureaucratic bottlenecks if each change is held to an unnecessary high level of scrutiny, or unplanned outages may occur due to changes circumventing the formal approval process.
    • A balance must be met and defined to ensure the process is not bypassed or bottlenecked.

    Info-Tech Best Practice

    Define a list pre-approved changes and automate them (if possible) using your ITSM solution. This will save valuable time for more important changes in the queue.

    Example:

    Change CategoryChange Authority
    Pre-approved change Department head/manager
    Emergency change E-CAB
    Normal change – low and medium risk CAB
    Normal change – high risk CAB and CIO (for visibility)

    Example process: Normal Change – Change Initiation

    Change initiation allows for assurance that the request is in scope for change management and acts as a filter for out-of-scope changes to be redirected to the proper workflow. Initiation also assesses who may be assigned to the change and the proper category of the change, and results in an RFC to be populated before the change reaches the build and test phase.

    The image is a horizontal flow chart, depicting an example of a change process.

    The change trigger assessment is critical in the DevOps lifecycle. This can take a more formal role of a technical review board (TRB) or, with enough maturity, may be automated. Responsibilities such as deconfliction, dependency identification, calendar query, and authorization identification can be done early in the lifecycle to decrease or eliminate the burden on CAB.

    For the full process, refer to the Change Management Process Library.

    Example process: Normal Change – Technical Build and Test

    The technical build and test stage includes all technical prerequisites and testing needed for a change to pass before proceeding to approval and implementation. In addition to a technical review, a solution consisting of the implementation, rollback, communications, and training plan are also built and included in the RFC before passing it to the CAB.

    The image is a flowchart, showing the process for change during the technical build and test stage.

    For the full process, refer to the Change Management Process Library.

    Example process: Normal Change – Change Approval (CAB)

    Change approval can start with the Change Manager reviewing all incoming RFCs to filter them for completeness and check them for red flags before passing them to the CAB. This saves the CAB from discussing incomplete changes and allows the Change Manager to set a CAB agenda before the CAB meeting. If need be, change approval can also set vendor communications necessary for changes, as well as the final implementation date of the change. The CAB and Change Manager may follow up with the appropriate parties notifying them of the approval decision (accepted, rescheduled, or rejected).

    The image shows a flowchart illustrating the process for change approval.

    For the full process, refer to the Change Management Process Library.

    Example process: Normal Change – Change Implementation

    Changes should not end at implementation. Ensure you define post-implementation activities (documentation, communication, training etc.) and a post-implementation review in case the change does not go according to plan.

    The image is a flowchart, illustrating the work process for change implementation and post-implementation review.

    For the full process, refer to the Change Management Process Library.

    2.2.2 Create a Normal Change Process

    Input

    • Current SOP/workflow library

    Output

    • Normal change process

    Materials

    Participants

    • CIO
    • IT Managers
    • Change Manager
    • Members of the Change Advisory Board
    1. Gather representatives from the change management team.
    2. Using the examples shown on the previous few slides, work as a group to determine the workflow for a normal change, with particular attention to the following sub-processes:
      1. Request
      2. Assessment
      3. Plan
      4. Approve
      5. Implementation and Post-Implementation Activities
    3. Optionally, you may create variations of the workflow for minor, medium, and major changes (e.g. there will be fewer authorizations for minor changes).
    4. For further documentation, you may choose to run the SIPOC activity for your CAB as outlined on this slide.
    5. Document the resulting workflows in the Change Management Process Library and section 11 of your Change Management SOP.

    Download the Change Management Process Library.

    Identify and convert low-risk normal changes to pre-approved once the process is established

    As your process matures, begin creating a list of normal changes that might qualify for pre-approval. The most potential for value in gains from change management comes from re-engineering and automating of high-volume changes. Pre-approved changes should save you time without threatening the live environment.

    IT should flag changes they would like pre-approved:

    • Once your change management process is firmly established, hold a meeting with all staff that make change requests and build changes.
    • Run a training session detailing the traits of pre-approved changes and ask these individuals to identify changes that might qualify.
    • These changes should be submitted to the Change Manager and reviewed, with the help of the CAB, to decide whether or not they qualify for pre-approval.

    Pre-approved changes are not exempt from due diligence:

    • Once a change is designated as pre-approved, the deployment team should create and compile all relevant documentation:
      • An RFC detailing the change, dependencies, risk, and impact.
      • Detailed procedures and required resources.
      • Implementation and backout plan.
      • Test results.
    • When templating the RFC for pre-approved changes, aim to write the documentation as if another SME were to implement it. This reduces confusion, especially if there’s staff turnover.
    • The CAB must approve, sign off, and keep a record of all documents.
    • Pre-approved changes must still be documented and recorded in the CMDB and change log after each deployment.

    Info-Tech Best Practice

    At the beginning of a change management process, there should be few active pre-approved changes. However, prior to launch, you may have IT flag changes for conversion.

    Example process: Pre-Approved Change Process

    The image shows two horizontal flow charts, the first labelled Pre-Approval of Recurring RFC, and the second labelled Implementation of Child RFC.

    For the full process, refer to the Change Management Process Library.

    Review the pre-approved change list regularly to ensure the list of changes are still low-risk and repeatable.

    IT environments change. Don’t be caught by surprise.

    • Changes which were once low-risk and repeatable may cause unforeseen incidents if they are not reviewed regularly.
    • Dependencies change as the IT environment changes. Ensure that the changes on the pre-approved change list are still low-risk and repeatable, and that the documentation is up to date.
    • If dependencies have changed, then move the change back to the normal category for reassessment. It may be redesignated as a pre-approved change once the documentation is updated.

    Info-Tech Best Practice

    Other reasons for moving a pre-approved change back to the normal category is if the change led to an incident during implementation or if there was an issue during implementation.

    Seek new pre-approved change submissions. → Re-evaluate the pre-approved change list every 4-6 months.

    The image shows a horizontal flow chart, depicting the process for a pre-approved change list review.

    For the full process, refer to the Change Management Process Library.

    2.2.3 Create a Pre-Approved Change Process

    Input

    • Current SOP/workflow library

    Output

    • Pre-approved change process

    Materials

    Participants

    • CIO
    • IT Managers
    • Change Manager
    • Members of the Change Advisory Board
    1. Gather representatives from the change management team.
    2. Using the examples shown on the previous few slides, work as a group to determine the workflow for a pre-approved change, with particular attention to the following sub-processes:
      1. Request
      2. Assessment
      3. Plan
      4. Approve
    3. Document the process of a converting a normal change to pre-approved. Include the steps from flagging a low-risk change to creating the related RFC template.
    4. Document the resulting workflows in the Change Management Process Library and sections 4.2 and 13 of your Change Management SOP.

    Reserve the emergency designation for real emergencies

    • Emergency changes have one of the following triggers:
      • A critical incident is impacting user productivity.
      • An imminent critical incident will impact user productivity.
    • Unless a critical incident is being resolved or prevented, the change should be categorized as normal.
    • An emergency change differs from a normal change in the following key aspects:
      • An emergency change is required to recover from a major outage – there must be a validated service desk critical incident ticket.
      • An urgent business requirement is not an “emergency.”
      • An RFC is created after the change is implemented and the outage is over.
      • A review by the full CAB occurs after the change is implemented.
      • The first responder and/or the person implementing the change may not be the subject matter expert for that system.
    • In all cases, an RFC must be created and the change must be reviewed by the full CAB. The review should occur within two business days of the event.
    Sample ChangeQuick CheckEmergency?
    Install the latest critical patches from the vendor. Are the patches required to resolve or prevent an imminent critical incident? No
    A virus or worm invades the network and a patch is needed to eliminate the threat. Is the patch required to resolve or prevent an imminent critical incident? Yes

    Info-Tech Best Practice

    Change requesters should be made aware that senior management will be informed if an emergency RFC is submitted inappropriately. Emergency requests trigger urgent CAB meetings, are riskier to deploy, and delay other changes waiting in the queue.

    Example process: Emergency Change Process

    The image is a flowchart depicting the process for an emergency change process

    When building your emergency change process, have your E-CAB protocol from activity 2.1.4 handy.

    • Focus on the following requirements for an emergency process:
      • E-CAB protocol and scope: Does the SME need authorization first before working on the change or can the SME proceed if no E-CAB members respond?
      • Documentation and communication to stakeholders and CAB after the emergency change is completed.
      • Input from incident management.

    For the full process, refer to the Change Management Process Library.

    2.2.4 Create an Emergency Change Process

    Input

    • Current SOP/workflow library

    Output

    • Emergency change process

    Materials

    Participants

    • CIO
    • IT Managers
    • Change Manager
    • Members of the Change Advisory Board
    1. Gather representatives from the change management team.
    2. Using the examples shown on the previous few slides, work as a group to determine the workflow for an emergency change, with particular attention to the following sub-processes:
      1. Request
      2. Assessment
      3. Plan
      4. Approve
    3. Ensure that the E-CAB protocol from activity 2.1.4 is considered when building your process.
    4. Document the resulting workflows in the Change Management Process Library and section 12 of your Change Management SOP.

    Case Study (part 2 of 4)

    Intel implemented a robust change management process.

    Industry: Technology

    Source: Daniel Grove, Intel

    Challenge

    Founded in 1968, the world’s largest microchip and semiconductor company employs over 100,000 people. Intel manufactures processors for major players in the PC market including Apple, Lenovo, HP, and Dell.

    Intel IT supports over 65,000 servers, 3.2 petabytes of data, over 70,000 PCs, and 2.6 million emails per day.

    Intel’s change management program is responsible for over 4,000 changes each week.

    Solution

    Intel identified 37 different change processes and 25 change management systems of record with little integration.

    Software and infrastructure groups were also very siloed, and this no doubt contributed to the high number of changes that caused outages.

    The task was simple: standards needed to be put in place and communication had to improve.

    Results

    Once process ownership was assigned and the role of the Change Manager and CAB clarified, it was a simple task to streamline and simplify processes among groups.

    Intel designed a new, unified change management workflow that all groups would adopt.

    Automation was also brought into play to improve how RFCs were generated and submitted.

    Phase 3

    Define the RFC and Post-Implementation Activities

    Define Change Management

    1.1 Assess Maturity

    1.2 Categorize Changes and Build Your Risk Assessment

    Establish Roles and Workflows

    2.1 Determine Roles and Responsibilities

    2.2 Build Core Workflows

    Define the RFC and Post-Implementation Activities

    3.1 Design the RFC

    3.2 Establish Post-Implementation Activities

    Measure, Manage, and Maintain

    4.1 Identify Metrics and Build the Change Calendar

    4.2 Implement the Project

    This phase will guide you through the following activities:

    • Design the RFC
    • Establish Post-Implementation Activities

    This phase involves the following participants:

    • IT Director
    • Infrastructure Manager
    • Change Manager
    • Members of the Change Advisory Board

    Step 3.1

    Design the RFC

    Activities

    3.1.1 Evaluate Your Existing RFC Process

    3.1.2 Build the RFC Form

    Define the RFC and Post-Implementation Activities

    Step 3.1: Design the RFC

    Step 3.2: Establish Post-Implementation Activities

    This step involves the following participants:

    • CIO
    • IT Managers
    • Change Manager
    • Members of the Change Advisory Board

    Outcomes of this step

    • A full RFC template and process that compliments the workflows for the three change categories

    A request for change (RFC) should be submitted for every non-standard change

    An RFC should be submitted through the formal change management practice for every change that is not a standard, pre-approved change (a change which does not require submission to the change management practice).

    • The RFC should contain all the information required to approve a change. Some information will be recorded when the change request is first initiated, but not everything will be known at that time.
    • Further information can be added as the change progresses through its lifecycle.
    • The level of detail that goes into the RFC will vary depending on the type of change, the size, and the likely impact of the change.
    • Other details of the change may be recorded in other documents and referenced in the RFC.

    Info-Tech Insight

    Keep the RFC form simple, especially when first implementing change management, to encourage the adoption of and compliance with the process.

    RFCs should contain the following information, at a minimum:

    1. Contact information for requester
    2. Description of change
    3. References to external documentation
    4. Items to be changed, reason for the change, and impact of both implementing and not implementing the change
    5. Change type and category
    6. Priority and risk assessment
    7. Predicted time frame, resources, and cost
    8. Backout or remediation plan
    9. Proposed approvers
    10. Scheduled implementation time
    11. Communications plan and post-implementation review

    3.1.1 Evaluate Your Existing RFC Process

    Input

    • Current RFC form or stock ITSM RFC
    • Current SOP (if available)

    Output

    • List of changes to the current RFC form and RFC process

    Materials

    Participants

    • IT Director
    • Infrastructure Manager
    • Change Manager
    • Members of the Change Advisory Board
    1. If the organization is already using an RFC form, review it as a group now and discuss its contents:
      • Does this RFC provide adequate information for the Change Manager and/or CAB to review?
      • Should any additional fields be added?
    2. Show the participants Info-Tech’s Request for Change Form Template and compare it to the one the organization is currently using.
    3. As a group, finalize an RFC table of contents that will be used to formalize a new or improved RFC.
    4. Decide which fields should be filled out by the requester before the initial RFC is submitted to the Change Manager:
      • Many sections of the RFC are relevant for change assessment and review. What information does the Change Manager need when they first receive a request?
      • The Change Manager needs enough information to ensure that the change is in scope and has been properly categorized.
    5. Decide how the RFC form should be submitted and reviewed; this can be documented in section 5 of your Change Management SOP.

    Download the Request for Change Form Template.

    Design the RFC to encourage process buy-in

    • When building the RFC, split the form up into sections that follow the normal workflow (e.g. Intake, Assessment and Build, Approval, Implementation/PIR). This way the form walks the requester through what needs to be filled and when.
    • Revisit the form periodically and solicit feedback to continually improve the user experience. If there’s information missing on the RFC that the CAB would like to know, add the fields. If there are sections that are not used or not needed for documentation, remove them.
    • Make sure the user experience surrounding your RFC form is a top priority – make it accessible, otherwise change requesters simply will not use it.
    • Take advantage of your ITSM’s dropdown lists, automated notifications, CMDB integrations, and auto-generated fields to ease the process of filling the RFC

    Draft:

    • Change requester
    • Requested date of deployment
    • Change risk: low/medium/high
    • Risk assessment
    • Description of change
    • Reason for change
    • Change components

    Technical Build:

    • Assess change:
      • Dependencies
      • Business impact
      • SLA impact
      • Required resources
      • Query the CMS
    • Plan and test changes:
      • Test plan
      • Test results
      • Implementation plan
      • Backout plan
      • Backout plan test results

    CAB:

    • Approve and schedule changes:
      • Final CAB review
      • Communications plan

    Complete:

    • Deploy changes:
      • Post-implementation review

    Designing your RFC: RFC draft

    • Change requester – link your change module to the active directory to pull the change requester’s contact information automatically to save time.
    • A requested date of deployment gives approvers information on timeline and can be used to query the change calendar for possible conflicts
    • Information about risk assessment based on impact and likelihood questionnaires are quick to fill out but provide a lot of information to the CAB. The risk assessment may not be complete at the draft stage but can be updated as the change is built. Ensure this field is up-to- date before it reaches CAB.
    • If you have a technical review stage where changes are directed to the proper workflow and resourcing is assessed, the description, reason, and change components are high-level descriptors of the change that will aid in discovery and lining the change up with the business vision (viability from both a technical and business standpoint).
    • Change requester
    • Requested date of deployment
    • Change Risk: low/medium/high
    • Risk assessment
    • Description of change
    • Reason for change
    • Change components

    Use the RFC to point to documentation already gathered in the DevOps lifecycle to cut down on unnecessary manual work while maintaining compliance.

    Designing your RFC: technical build

    • Dependencies and CMDB query, along with the proposed implementation date, are included to aid in calendar deconfliction and change scheduling. If there’s a conflict, it’s easier to reschedule the proposed change early in the lifecycle.
    • Business, SLA impact, and required resources can be tracked to provide the CAB with information on the business resources required. This can also be used to prioritize the change if conflicts arise.
    • Implementation, test, and backout plans must be included and assessed to increase the probability that a change will be implemented without failure. It’s also useful in the case of PIRs to determine root causes of change-related incidents.
    • Assess change:
      • Dependencies
      • Business impact
      • SLA impact
      • Required resources
      • Query the CMS
    • Plan and test changes:
      • Test plan
      • Test results
      • Implementation plan
      • Backout plan
      • Backout plan test results

    Designing your RFC: approval and deployment

    • Documenting approval, rejection, and rescheduling gives the change requester the go-ahead to proceed with the change, rationale on why it was prioritized lower than another change (rescheduled), or rationale on rejection.
    • Communications plans for appropriate stakeholders can also be modified and forwarded to the communications team (e.g. service desk or business system owners) before deployment.
    • Post-implementation activities and reviews can be conducted if need be before a change is closed. The PIR, if filled out, should then be appended to any subsequent changes of the same nature to avoid making the same mistake twice.
    • Approve and schedule changes:
      • Final CAB review
      • Communications plan
    • Deploy changes:
      • Post-implementation review

    Standardize the request for change protocol

    1. Submission Standards
      • Electronic submission will make it easier for CAB members to review the documentation.
      • As the change goes through the assessment, plan, and test phase, new documentation (assessments, backout plans, test results, etc.) can be attached to the digital RFC for review by CAB members prior to the CAB meeting.
      • Change management software won’t be necessary to facilitate the RFC submission and review; a content repository system, such as SharePoint, will suffice.
    2. Designate the first control point
      • All RFCs should be submitted to a single point of contact.
      • Ideally, the Change Manager or Technical Review Board should fill this role.
      • Whoever is tasked with this role needs the subject matter expertise to ensure that the change has been categorized correctly, to reject out-of-scope requests, or to ask that missing information be provided before the RFC moves through the full change management practice.

    Info-Tech Best Practice

    Technical and SME contacts should be noted in each RFC so they can be easily consulted during the RFC review.

    3.1.2 Build the RFC Form

    Input

    • Current RFC form or stock ITSM RFC
    • Current SOP (if available)

    Output

    • List of changes to the current RFC and RFC process

    Materials

    Participants

    • IT Director
    • Infrastructure Manager
    • Change Manager
    • Members of the Change Advisory Board
    1. Use Info-Tech’s Request for Change Form Template as a basis for your RFC form.
    2. Use this template to standardize your change request process and ensure that the appropriate information is documented effectively each time a request is made. The change requester and Change Manager should consolidate all information associated with a given change request in this form. This form will be submitted by the change requester and reviewed by the Change Manager.

    Case Study (part 3 of 4)

    Intel implemented automated RFC form generation.

    Industry: Technology

    Source: Daniel Grove, Intel

    Challenge

    Founded in 1968, the world’s largest microchip and semiconductor company employs over 100,000 people. Intel manufactures processors for major players in the PC market including Apple, Lenovo, HP, and Dell.

    Intel IT supports over 65,000 servers, 3.2 petabytes of data, over 70,000 PCs, and 2.6 million emails per day.

    Intel’s change management program is responsible for over 4,000 changes each week.

    Solution

    One of the crucial factors that was impacting Intel’s change management efficiency was a cumbersome RFC process.

    A lack of RFC usage was contributing to increased ad hoc changes being put through the CAB, and rescheduled changes were quite high.

    Additionally, ad hoc changes were also contributing heavily to unscheduled downtime within the organization.

    Results

    Intel designed and implemented an automated RFC form generator to encourage end users to increase RFC usage.

    As we’ve seen with RFC form design, the UX/UI of the form needs to be top notch, otherwise end users will simply circumvent the process. This will contribute to the problems you are seeking to correct.

    Thanks to increased RFC usage, Intel decreased emergency changes by 50% and reduced change-caused unscheduled downtime by 82%.

    Step 3.2

    Establish Post-Implementation Activities

    Activities

    3.2.1 Determine When the CAB Would Reject Tested Changes

    3.2.2 Create a Post-Implementation Activity Checklist

    Define the RFC and Post-Implementation Activities

    Step 3.1: Design RFC

    Step 3.2: Establish Post-Implementation Activities

    This step involves the following participants:

    • CIO
    • IT Managers
    • Change Manager
    • Members of the Change Advisory Board

    Outcomes of this step

    • A formalized post-implementation process for continual improvement

    Why would the CAB reject a change that has been properly assessed and tested?

    Possible reasons the CAB would reject a change include:

    • The product being changed is approaching its end of life.
    • The change is too costly.
    • The timing of the change conflicts with other changes.
    • There could be compliance issues.
    • The change is actually a project.
    • The risk is too high.
    • There could be regulatory issues.
    • The peripherals (test, backout, communication, and training plans) are incomplete.

    Info-Tech Best Practice

    Many reasons for rejection (listed above) can be caught early on in the process during the technical review or change build portion of the change. The earlier you catch these reasons for rejection, the less wasted effort there will be per change.

    Sample RFCReason for CAP Rejection
    There was a request for an update to a system that a legacy application depends on and only a specific area of the business was aware of the dependency. The CAB rejects it due to the downstream impact.
    There was a request for an update to a non-supported application, and the vendor was asking for a premium support contract that is very costly. It’s too expensive to implement, despite the need for it. The CAB will wait for an upgrade to a new application.
    There was a request to update application functionality to a beta release. The risk outweighs the business benefits.

    Determine When the CAB Would Reject Tested Changes

    Input

    • Current SOP (if available)

    Output

    • List of reasons to reject tested changes

    Materials

    • Whiteboard/flip charts (or shared screen if working remotely)
    • Projector
    • Markers/pens
    • Laptop with ITSM admin access
    • Project Summary Template

    Participants

    • IT Director
    • Infrastructure Manager
    • Change Manager
    • Members of the Change Advisory Board

    Avoid hand-offs to ensure a smooth implementation process

    The implementation phase is the final checkpoint before releasing the new change into your live environment. Once the final checks have been made to the change, it’s paramount that teams work together to transition the change effectively rather than doing an abrupt hand-off. This could cause a potential outage.

    1.

    • Deployment resources identified, allocated, and scheduled
    • Documentation complete
    • Support team trained
    • Users trained
    • Business sign-off
    • Target systems identified and ready to receive changes
    • Target systems available for installation maintenance window scheduled
    • Technical checks:
      • Disk space available
      • Pre-requisites met
      • Components/Services to be updated are stopped
      • All users disconnected
    • Download Info-Tech’sChange Management Pre-Implementation Checklist

    Implement change →

    2.

    1. Verification – once the change has been implemented, verify that all requirements are fulfilled.
    2. Review – ensure that all affected systems and applications are operating as predicted. Update change log.
    3. Transition – a crucial phase of implementation that’s often overlooked. Once the change implementation is complete from a technical point of view, it’s imperative that the team involved with the change inform and train the group responsible for managing the new change.

    Create a backout plan to reduce the risk of a failed change

    Every change process needs to plan for the potential for failure and how to address it effectively. Change management’s solution to this problem is a backout plan.

    A backout plan needs to contain a record of the steps that need to be taken to restore the live environment back to its previous state and maintain business continuity. A good backout plan asks the following questions:

    1. How will failure be determined? Who will make the determination to back out of a change be made and when?
    2. Do we fix on fail or do we rollback to the previous configuration?
    3. Is the service desk aware of the impending change? Do they have proper training?

    Notify the Service Desk

    • Notify the Service Desk about backout plan initiation.

    Disable Access

    • Disable user access to affected system(s).

    Conduct Checks

    • Conduct checks to all affected components.

    Enable User Access

    • Enable user access to affected systems.

    Notify the Service Desk

    • Notify the service desk that the backout plan was successful.

    Info-Tech Best Practice

    As part of the backout plan, consider the turnback point in the change window. That is, the point within the change window where you still have time to fully back out of the change.

    Ensure the following post-implementation review activities are completed

    Service Catalog

    Update the service catalog with new information as a result of the implemented change.

    CMDB

    Update new dependencies present as a result of the new change.

    Asset DB

    Add notes about any assets newly affected by changes.

    Architecture Map

    Update your map based on the new change.

    Technical Documentation

    Update your technical documentation to reflect the changes present because of the new change.

    Training Documentation

    Update your training documentation to reflect any information about how users interact with the change.

    Use a post-implementation review process to promote continual improvement

    The post-implementation review (PIR) is the most neglected change management activity.

    • All changes should be reviewed to understand the reason behind them, appropriateness, and recommendations for next steps.
    • The Change Manager manages the completion of information PIRs and invites RFC originators to present their findings and document the lessons learned.

    Info-Tech Best Practice

    Review PIR reports at CAB meetings to highlight the root causes of issues, action items to close identified gaps, and back-up documentation required. Attach the PIR report to the relevant RFC to prevent similar changes from facing the same issues in the future.

    1. Why do a post-implementation review?
      • Changes that don’t fail but don’t perform well are rarely reviewed.
      • Changes may fail subtly and still need review.
      • Changes that cause serious failures (i.e. unplanned downtime) receive analysis that is unnecessarily in-depth.
    2. What are the benefits?
      • A proactive, post-implementation review actually uses less resources than reactionary change reviews.
      • Root-cause analysis of failed changes, no matter what the impact.
      • Insight into changes that took longer than projected.
      • Identification of previously unidentified risks affecting changes.

    Determine the strategy for your PIR to establish a standardized process

    Capture the details of your PIR process in a table similar to the one below.

    Frequency Part of weekly review (IT team meeting)
    Participants
    • Change Manager
    • Originator
    • SME/supervisor/impacted team(s)

    Categories under review

    Current deviations and action items from previous PIR:

    • Complete
    • Partially complete
    • Complete, late
    • Change failed, rollback succeeded
    • Change failed, rollback failed
    • Major deviation from implementation plan
    Output
    • Root cause or failure or deviation
    • External factors
    • Remediation focus areas
    • Remediation timeline (follow-up at appropriate time)
    Controls
    • Reviewed at next CAB meeting
    • RFC close is dependent on completion of PIR
    • Share with the rest of the technical team
    • Lessons learned stored in the knowledgebase and attached to RFC for easy search of past issues.

    3.2.2 Create a Post-Implementation Activity Checklist

    Input

    • Current SOP (if available)

    Output

    • List of reasons to reject tested changes

    Materials

    Participants

    • CIO
    • IT Managers
    • Change Manager
    • Members of the Change Advisory Board
    1. Gather representatives from the change management team.
    2. Brainstorm duties to perform following the deployment of a change. Below is a sample list:
      • Example:
        • Was the deployment successful?
          • If no, was the backout plan executed successfully?
        • List change-related incidents
        • Change assessment
          • Missed dependencies
          • Inaccurate business impact
          • Incorrect SLA impact
          • Inaccurate resources
            • Time
            • Staff
            • Hardware
        • System testing
        • Integration testing
        • User acceptance testing
        • No backout plan
        • Backout plan failure
        • Deployment issues
    3. Record your results in the Change Management Post-Implementation Checklist.

    Download the Change Management Post-Implementation Checklist

    Case Study

    Microsoft used post-implementation review activities to mitigate the risk of a critical Azure outage.

    Industry: Technology

    Source: Jason Zander, Microsoft

    Challenge

    In November 2014, Microsoft deployed a change intended to improve Azure storage performance by reducing CPU footprint of the Azure Table Front-Ends.

    The deployment method was an incremental approach called “flighting,” where software and configuration deployments are deployed incrementally to Azure infrastructure in small batches.

    Unfortunately, this software deployment caused a service interruption in multiple regions.

    Solution

    Before the software was deployed, Microsoft engineers followed proper protocol by testing the proposed update. All test results pointed to a successful implementation.

    Unfortunately, engineers pushed the change out to the entire infrastructure instead of adhering to the traditional flighting protocol.

    Additionally, the configuration switch was incorrectly enabled for the Azure Blob storage Front-Ends.

    A combination of the two mistakes exposed a bug that caused the outage.

    Results

    Thankfully, Microsoft had a backout plan. Within 30 minutes, the change was rolled back on a global scale.

    It was determined that policy enforcement was not integrated across the deployment system. An update to the system shifted the process of policy enforcement from human-based decisions and protocol to automation via the deployment platform.

    Defined PIR activities enabled Microsoft to take swift action against the outage and mitigate the risk of a serious outage.

    Phase 4

    Measure, Manage, and Maintain

    Define Change Management

    1.1 Assess Maturity

    1.2 Categorize Changes and Build Risk Assessment

    Establish Roles and Workflows

    2.1 Determine Roles and Responsibilities

    2.2 Build Core Workflows

    Define RFC and Post-Implementation Activities

    3.1 Design RFC

    3.2 Establish post-implementation activities

    Measure, Manage, and Maintain

    4.1 Identify Metrics and Build the Change Calendar

    4.2 Implement the Project

    This phase will guide you through the following activities:

    • Identify Metrics and Build the Change Calendar
    • Implement the Project

    This phase involves the following participants:

    • CIO/IT Director
    • IT Managers
    • Change Manager

    Step 4.1

    Identify Metrics and Build the Change Calendar

    Activities

    4.1.1 Create an Outline for Your Change Calendar

    4.1.2 Determine Metrics, Key Performance Indicators (KPIs), and Critical Success Factors (CSFs)

    4.1.3 Track and Record Metrics Using the Change Management Metrics Tool

    Measure, Manage, and Maintain

    Step 4.1: Identify Metrics and Build the Change Calendar

    Step 4.2: Implement the Project

    This step involves the following participants:

    • CIO/IT Director
    • IT Managers
    • Change Manager

    Outcomes of this step

    • Clear definitions of change calendar content
    • Guidelines for change calendar scheduling
    • Defined metrics to measure the success of change management with associated reports, KPIs, and CSFs

    Enforce a standard method of prioritizing and scheduling changes

    The impact of not deploying the change and the benefit of deploying it should determine its priority.

    Risk of Not Deploying

    • What is the urgency of the change?
    • What is the risk to the organization if the change is not deployed right away?
    • Will there be any lost productivity, service disruptions, or missed critical business opportunities?
      • Timing
        • Does the proposed timing work with the approved changes already on the change schedule?
        • Has the change been clash checked so there are no potential conflicts over services or resources?
      • Once prioritized, a final deployment date should be set by the CAB. Check the change calendar first to avoid conflicts.

    Positive Impact of Deployment

    • What benefits will be realized once the change is deployed?
    • How significant is the opportunity that triggered the change?
    • Will the change lead to a positive business outcome (e.g. increased sales)?

    “The one who has more clout or authority is usually the one who gets changes scheduled in the time frame they desire, but you should really be evaluating the impact to the organization. We looked at the risk to the business of not doing the change, and that’s a good way of determining the criticality and urgency of that change.” – Joseph Sgandurra, Director, Service Delivery, Navantis

    Info-Tech Insight

    Avoid a culture where powerful stakeholders are able to push change deployment on an ad hoc basis. Give the CAB the full authority to make approval decisions based on urgency, impact, cost, and availability of resources.

    Develop a change schedule to formalize the planning process

    A change calendar will help the CAB schedule changes more effectively and increase visibility into upcoming changes across the organization.

    1. Establish change windows in a consistent change schedule:
      • Compile a list of business units that would benefit from a change.
      • Look for conflicts in the change schedule.
      • Avoid scheduling two or more major business units in a day.
      • Consider clients when building your change windows and change schedule.
    2. Gain commitments from key participants:
      • These individuals can confirm if there are any unusual or cyclical business requirements that will impact the schedule.
    3. Properly control your change calendar to improve change efficiency:
      • Look at the proposed start and end times: Are they sensible? Does the implementation window leave time for anything going wrong or needing to roll back the change?
      • Special considerations: Are there special circumstances that need to be considered? Ask the business if you don’t know.
      • The key principle is to have a sufficient window available for implementing changes so you only need to set up calendar freezes for sound business or technical reasons.

    Our mantra is to put it on the calendar. Even if it’s a preapproved change and doesn’t need a vote, having it on the calendar helps with visibility. The calendar is the one-stop shop for scheduling and identifying change dependencies.“ – Wil Clark, Director of Service and Performance Management, University of North Texas Systems

    Provide clear definitions of what goes on the change calendar and who’s responsible

    Roles

    • The Change Manager will be responsible for creating and maintaining a change calendar.
    • Only the Change Manager can physically alter the calendar by adding a new change after the CAB has agreed upon a deployment date.
    • All other CAB members, IT support staff, and other impacted stakeholders should have access to the calendar on a read-only basis to prevent people from making unauthorized changes to deployment dates.

    Inputs

    • Freeze periods for individual business departments/applications (e.g. finance month-end periods, HR payroll cycle, etc. – all to be investigated).
    • Maintenance windows and planned outage periods.
    • Project schedules, and upcoming major/medium changes.
    • Holidays.
    • Business hours (some departments work 9-5, others work different hours or in different time zones, and user acceptance testing may require business users to be available).

    Guidelines

    • Business-defined freeze periods are the top priority.
    • No major or medium normal changes should occur during the week between Christmas and New Year’s Day.
    • Vendor SLA support hours are the preferred time for implementing changes.
    • The vacation calendar for IT will be considered for major changes.
    • Change priority: High > Medium > Low.
    • Minor changes and preapproved changes have the same priority and will be decided on a case-by-case basis.

    The change calendar is a critical pre-requisite to change management in DevOps. Use the calendar to be proactive with proposed implementation dates and deconfliction before the change is finished.

    4.1.1 Create Guidelines for Your Change Calendar

    Input

    • Current change calendar guidelines

    Output

    • Change calendar inputs and schedule checklist

    Materials

    Participants

    • Change Manager
    • Members of the Change Advisory Board
    • Service Desk Manager
    • Operations (optional)
    1. Gather representatives from the change management team.
      • Example:
        • The change calendar/schedule includes:
          • Approved and scheduled normal changes.
          • Scheduled project work.
          • Scheduled maintenance windows.
          • Change freeze periods with affected users noted:
            • Daily/weekly freeze periods.
            • Monthly freeze periods.
            • Annual freeze periods.
            • Other critical business events.
    2. Create a checklist to run through before each change is scheduled:
      • Check the schedule and assess resource availability:
        • Will user productivity be impacted?
        • Are there available resources (people and systems) to implement the change?
        • Is the vendor available? Is there a significant cost attached to pushing change deployment before the regularly scheduled refresh?
        • Are there dependencies? Does the deployment of one change depend on the earlier deployment of another?
    3. Record your results in your Project Summary Template.

    Start measuring the success of your change management project using three key metrics

    Number of change-related incidents that occur each month

    • Each month, record the number of incidents that can be directly linked to a change. This can be done using an ITSM tool or manually by service desk staff.
    • This is a key success metric: if you are not tracking change-related incidents yet, start doing so as soon as possible. This is the metric that the CIO and business stakeholders will be most interested in because it impacts users directly.

    Number of unauthorized changes applied each month

    • Each month, record the number of changes applied without approval. This is the best way to measure adherence to the process.
    • If this number decreases, it demonstrates a reduction in risk, as more changes are formally assessed and approved before being deployed.

    Percentage of emergency changes

    • Each month, compare the number of emergency change requests to the total number of change requests.
    • Change requesters often designate changes as emergencies as a way of bypassing the process.
    • A reduction in emergency changes demonstrates that your process is operating smoothly and reduces the risk of deploying changes that have not been properly tested.

    Info-Tech Insight

    Start simple. Metrics can be difficult to tackle if you’re starting from scratch. While implementing your change management practice, use these three metrics as a starting point, since they correlate well with the success of change management overall. The following few slides provide more insight into creating metrics for your change process.

    If you want more insight into your change process, measure the progress of each step in change management with metrics

    Improve

    • Number of repeat failures (i.e. making the same mistake twice)
    • Number of changes converted to pre-approved
    • Number of changes converted from pre-approved back to normal

    Request

    • What percentage of change requests have errors or lack appropriate support?
    • What percentage of change requests are actually projects, service requests, or operational tasks?
    • What percentage of changes have been requested before (i.e. documented)?

    Assess

    • What percentage of change requests are out of scope?
    • What percentage of changes have been requested before (i.e. documented)?
    • What are the percentages of changes by category (normal, pre-approved, emergency)?

    Plan

    • What percentage of change requests are reviewed by the CAB that should have been pre-approved or emergency (i.e. what percentage of changes are in the wrong category)?

    Approve

    • Number of changes broken down by department (business unit/IT department to be used in making core/optional CAB membership more efficient)
    • Number of workflows that can be automated

    Implement

    • Number of changes completed on schedule
    • Number of changes rolled back
    • What percentage of changes caused an incident?

    Use metrics to inform project KPIs and CSFs

    Leverage the metrics from the last slide and convert them to data communicable to IT, management, and leadership

    • To provide value, metrics and measurements must be actionable. What actions can be taken as a result of the data being presented?
    • If the metrics are not actionable, there is no value and you should question the use of the metric.
    • Data points in isolation are mostly meaningless to inform action. Observe trends in your metrics to inform your decisions.
    • Using a framework to develop measurements and metrics provides a defined methodology that enables a mapping of base measurements through CSFs.
    • Establishing the relationship increases the value that measurements provide.

    Purposely use SDLC and change lifecycle metrics to find bottlenecks and automation candidates.

    Metrics:

    Metrics are easily measured datapoints that can be pulled from your change management tool. Examples: Number of changes implemented, number of changes without incident.

    KPIs:

    Key Performance Indicators are metrics presented in a way that is easily digestible by stakeholders in IT. Examples: Change efficiency, quality of changes.

    CSFs:

    Critical Success Factors are measures of the business success of change management taken by correlating the CSF with multiple KPIs. Examples: consistent and efficient change management process, a change process mapped to business needs

    List in-scope metrics and reports and align them to benefits

    Metric/Report (by team)Benefit
    Total number of RFCs and percentages by category (pre-approved, normal, emergency, escalated support, expedited)
    • Understand change management activity
    • Tracking maturity growth
    • Identifying “hot spots”
    Pre-approved change list (and additions/removals from the list) Workload and process streamlining (i.e. reduce “red tape” wherever possible)
    Average time between RFC lifecycle stages (by service/application) Advance planning for proposed changes
    Number of changes by service/application/hardware class
    • Identifying weaknesses in the architecture
    • Vendor-specific TCO calculations
    Change triggers Business- vs. IT-initiated change
    Number of RFCs by lifecycle stage Workload planning
    List of incidents related to changes Visible failures of the CM process
    Percentage of RFCs with a tested backout/validation plan Completeness of change planning
    List of expedited changes Spotlighting poor planning and reducing the need for this category going forward (“The Hall of Shame”)
    CAB approval rate Change coordinator alignment with CAB priorities – low approval rate indicates need to tighten gatekeeping by the change coordinator
    Calendar of changes Planning

    4.1.2 Determine Metrics, Key Performance Indicators (KPIs), and Critical Success Factors (CSFs)

    Input

    • Current metrics

    Output

    • List of trackable metrics, KPIs and CSFs

    Materials

    Participants

    • Change Manager
    • Members of the Change Advisory Board
    • Service Desk Manager
    • Operations (optional)
    1. Draw three tables for metrics, KPIs, and CSFs.
    2. Starting with the CSF table, fill in all relevant CSFs that your group wishes to track and measure.
    3. Next, work to determine relevant KPIs correlated with the CSFs and metrics needed to measure the KPIs. Use the tables included below (taken from section 14 of the Change Management SOP) to guide the process.
    4. Record the results in the tables in section 14 of your Change Management SOP.
    5. Decide on where and when to review the metrics to discuss your change management strategy. Designate and owner and record in the RACI and Communications section of your Change Management SOP.
    Ref #Metric

    M1

    		 Number of changes implemented for a time period
    M2 Number of changes successfully implemented for a time period
    M3 Number of changes implemented causing incidents
    M4 Number of accepted known errors when change is implemented
    M5 Total days for a change build (specific to each change)
    M6 Number of changes rescheduled
    M7 Number of training questions received following a change
    Ref#KPIProduct
    K1 Successful changes for a period of time (approach 100%) M2 / M1 x 100%
    K2 Changes causing incidents (approach 0%) M3 / M1 x 100%
    K3 Average days to implement a change ΣM5 / M1
    K4 Change efficiency (approach 100%) [1 - (M6 / M1)] x 100%
    K5 Quality of changes being implemented (approach 100%) [1 - (M4 / M1)] x 100%
    K6 Change training efficiency (approach 100%) [1 - (M7 / M1)] x 100%
    Ref#CSFIndicator
    C1 Successful change management process producing quality changes K1, K5
    C2 Consistent efficient change process K4, K6
    C3 Change process maps to business needs K5, K6

    Measure changes in selected metrics to evaluate success

    Once you have implemented a standardized change management practice, your team’s goal should be to improve the process, year over year.

    • After a process change has been implemented, it’s important to regularly monitor and evaluate the CSFs, KPIs, and metrics you chose to evaluate. Examine whether the process change you implemented has actually resolved the issue or achieved the goal of the critical success factor.
    • Establish a schedule for regularly reviewing the key metrics. Assess changes in those metrics and determine progress toward reaching objectives.
    • In addition to reviewing CSFs, KPIs, and metrics, check in with the release management team and end users to measure their perceptions of the change management process once an appropriate amount of time has passed.
    • Ensure that metrics are telling the whole story and that reporting is honest in order to be informative.

    Outcomes of standardizing change management should include:

    1. Improved efficiency, effectiveness, and quality of changes.
    2. Changes and processes are more aligned with the business needs and strategy.
    3. Improved maturity of change processes.

    Info-Tech Best Practice

    Make sure you’re measuring the right things and considering all sources of information. It’s very easy to put yourself in a position where you’re congratulating yourselves for improving on a specific metric such as number of releases per month, but satisfaction remains low.

    4.1.3 Track and Record Metrics Using the Change Management Metrics Tool

    Input

    • Current metrics

    Output

    • List of trackable metrics, KPIs and CSFs to be observed over the length of a year

    Materials

    Participants

    • Change Manager
    • Members of the Change Advisory Board
    • Service Desk Manager
    • Operations (optional)

    Tracking the progress of metrics is paramount to the success of any change management process. Use Info-Tech’s Change Management Metrics Tool to record metrics and track your progress. This tool is intended to be a substitute for organizations who do not have the capability to track change-related metrics in their ITSM tool.

    1. Input metrics from the previous activity to track over the course of a year.
    2. To record your metrics, open the tool and go to tab 2. The tool is currently primed to record and track five metrics. If you need more than that, you can edit the list in the hidden calculations tab.
    3. To see the progress of your metrics, move to tab 3 to view a dashboard of all metrics in the tool.

    Download the Change Management Metrics Tool

    Case Study

    A federal credit union was able to track maturity growth through the proper use of metrics.

    Industry: Federal Credit Union (anonymous)

    Source: Info-Tech Workshop

    Challenge

    At this federal credit union, the VP of IT wanted a tight set of metrics to engage with the business, communicate within IT, enable performance management of staff, and provide visibility into workload demands, among other requirements.

    The organization was suffering from “metrics fatigue,” with multiple reports being generated from all groups within IT, to the point that weekly/monthly reports were being seen as spam.

    Solution

    Stakeholders were provided with an overview of change management benefits and were asked to identify one key attribute that would be useful to their specific needs.

    Metrics were designed around the stakeholder needs, piloted with each stakeholder group, fine-tuned, and rolled out.

    Some metrics could not be automated off-the-shelf and were rolled out in a manual fashion. These metrics were subsequently automated and finally made available through a dashboard.

    Results

    The business received clear guidance regarding estimated times to implement changes across different elements of the environment.

    The IT managers were able to plan team workloads with visibility into upstream change activity.

    Architects were able to identify vendors and systems that were the leading source of instability.

    The VP of IT was able to track the maturity growth of the change management process and proactively engage with the business on identified hot spots.

    Step 4.2

    Implement the Project

    Activities

    4.2.1 Use a Communications Plan to Gain End User Buy-In

    4.2.2 Create a Project Roadmap to Track Your Implementation Progress

    Measure, Manage, and Maintain

    Step 4.1: Identify Metrics and Build the Change Calendar

    Step 3.2: Implement the Project

    This step involves the following participants:

    • CIO/IT Director
    • IT Managers
    • Change Manager

    Outcomes of this step

    • A communications plan for key messages to communicate to relevant stakeholders and audiences
    • A roadmap with assigned action items to implement change management

    Success of the new process will depend on introducing change and gaining acceptance

    Change management provides value by promptly evaluating and delivering changes required by the business and by minimizing disruption and rework caused by failed changes. Communication of your new change management process is key. If people do not understand the what and why, it will fail to provide the desired value.

    Info-Tech Best Practice

    Gather feedback from end users about the new process: if the process is too bureaucratic, end users are more likely to circumvent it.

    Main Challenges with Communication

    • Many people fail before they even start because they are buried in a mess created before they arrived – either because of a failed attempt to get change management implemented or due to a complicated system that has always existed.
    • Many systems are maintained because “that’s the way it’s always been done.”
    • Organizations don’t know where to start; they think change management is too complex a process.
    • Each group needs to follow the same procedure – groups often have their own processes, but if they don’t agree with one another, this could cause an outage.

    Educate affected stakeholders to prepare for organizational change

    An organizational change management plan should be part of your change management project.

    • Educate stakeholders about:
      • The process change (describe it in a way that the user can understand and is clear and concise).
        • IT changes will be handled in a standardized and repeatable fashion to minimize change-related incidents.
      • Who is impacted?
        • All users.
      • How are they impacted?
        • All change requests will be made using a standard form and will not be deployed until formal approval is received.
      • Change messaging.
        • How to communicate the change (benefits).
      • Learning and development – training your users on the change.
        • Develop and deliver training session on the Change Management SOP to familiarize users with this new method of handling IT change.

    Host a lunch-and-learn session

    • For the initial deployment, host a lunch-and-learn session to educate the business on the change management practice. Relevant stakeholders of affected departments should host it and cover the following topics:
    • What is change management (change management/change control)?
    • The value of change management.
    • What the Change Management SOP looks like.
    • Who is involved in the change management process (the CAB, etc.)?
    • What constitutes a pre-approved change and an emergency change?
    • An overview of the process, including how to avoid unauthorized changes.
    • Who should they contact in case of questions?

    Communicate the new process to all affected stakeholders

    Do not surprise users or support staff with changes. This will result in lost productivity and low satisfaction with IT services.

    • User groups and the business need to be given sufficient notice of an impending change.
    • This will allow them to make appropriate plans to accept the change, minimizing the impact of the change on productivity.
    • A communications plan will be documented in the RFC while the release is being built and tested.
    • It’s the responsibility of the change team to execute on the communications plan.

    Info-Tech Insight

    The success of change communication can be measured by monitoring the number of service desk tickets related to a change that was not communicated to users.

    Communication is crucial to the integration and overall implementation of your change management initiative. An effective communications plan will:

    • Gain support from management at the project proposal phase.
    • Create end-user buy-in once the program is set to launch.
    • Maintain the presence of the program throughout the business.
    • Instill ownership throughout the business from top-level management to new hires.

    Create your communications plan to anticipate challenges, remove obstacles, and ensure buy-in

    Management

    Technicians

    Business Stakeholders

    Provide separate communications to key stakeholder groups

    Why? What problems are you trying to solve?

    What? What processes will it affect (that will affect me)?

    Who? Who will be affected? Who do I go to if I have issues with the new process?

    When? When will this be happening? When will it affect me?

    How? How will these changes manifest themselves?

    Goal? What is the final goal? How will it benefit me?

    Info-Tech Insight

    Pay close attention to the medium of communication. For example, stakeholders on their feet all day would not be as receptive to an email communication compared to those who primarily work in front of a computer. Put yourself into various stakeholders’ shoes to craft a tailored communication of change management.

    4.2.1 Use a Communications Plan to Gain End User Buy-In

    Input

    • List of stakeholder groups for change management

    Output

    • Tailored communications plans for various stakeholder groups

    Materials

    Participants

    • Change Manager
    • Members of the Change Advisory Board
    • Service Desk Manager
    • Operations (optional)
    1. Using Info-Tech’s Change Management Communications Plan, identify key audiences or stakeholder groups that will be affected by the new change management practice.
    2. For each group requiring a communications plan, identify the following:
      • The benefits for that group of individuals.
      • The impact the change will have on them.
      • The best communication method(s) for them.
      • The time frame of the communication.
    3. Complete this information in a table like the one below:
    GroupBenefitsImpactMethodTimeline
    IT Standardized change process All changes must be reviewed and approved Poster campaign 6 months
    End Users Decreased wait time for changes Formal process for RFCs Lunch-and-learn sessions 3 months
    Business Reduced outages Increased involvement in planning and approvals Monthly reports 1 year
    1. Discuss the communications plan:
      • Will this plan ensure that users are given adequate opportunities to accept the changes being deployed?
      • Is the message appropriate for each audience? Is the format appropriate for each audience?
      • Does the communication include training where necessary to help users adopt any new functions/workflows being introduced?

    Download the Change Management Communications Plan

    Present your SOP to key stakeholders and obtain their approval

    Now that you have completed your Change Management SOP, the final step is to get sign-off from senior management to begin the rollout process.

    Know your audience:

    • Determine the service management stakeholders who will be included in the audience for your presentation.
    • You want your presentation to be succinct and hard hitting. Management’s time is tight and they will lose interest if you drag out the delivery.
    • Briefly speak about the need for more formal change management and emphasize the benefits of implementing a more formal process with a SOP.
    • Present your current state assessment results to provide context before presenting the SOP itself.
    • As with any other foundational activity, be prepared with some quick wins to gain executive attention.
    • Be prepared to review with both technical and less technical stakeholders.

    Info-Tech Insight

    The support of senior executive stakeholders is critical to the success of your SOP rollout. Try to wow them with project benefits and make sure they know about the risks/pain points.

    Download the Change Management Project Summary Template

    4.2.2 Create a Project Roadmap to Track Your Implementation Progress

    Input

    • List of implementation tasks

    Output

    • Roadmap and timeline for change management implementation

    Materials

    Participants

    • Change Manager
    • Members of the Change Advisory Board
    • Service Desk Manager
    • Operations (optional)
    1. Info-Tech’s Change Management Roadmap Tool helps you identify and prioritize tasks that need to be completed for the change management implementation project.
    2. Use this tool to identify each action item that will need to be completed as part of the change management initiative. Chart each action item, assign an owner, define the duration, and set a completion date.
    3. Use the resulting rocket diagram as a guide to task completion as you work toward your future state.

    Download the Change Management Roadmap Tool

    Case Study (part 4 of 4)

    Intel implemented a robust change management process.

    Industry: Technology

    Source: Daniel Grove, Intel

    Challenge

    Founded in 1968, the world’s largest microchip and semiconductor company employs over 100,000 people. Intel manufactures processors for major players in the PC market including Apple, Lenovo, HP, and Dell.

    Intel IT supports over 65,000 servers, 3.2 petabytes of data, over 70,000 PCs, and 2.6 million emails per day.

    Intel’s change management program is responsible for over 4,000 changes each week.

    Solution

    Intel had its new change management program in place and the early milestones planned, but one key challenge with any new project is communication.

    The company also needed to navigate the simplification of a previously complex process; end users could be familiar with any of the 37 different change processes or 25 different change management systems of record.

    Top-level buy-in was another concern.

    Results

    Intel first communicated the process changes by publishing the vision and strategy for the project with top management sponsorship.

    The CIO published all of the new change policies, which were supported by the Change Governance Council.

    Intel cited the reason for success as the designation of a Policy and Guidance Council – a group designed to own communication and enforcement of the new policies and processes put in place.

    Summary of Accomplishment

    Problem Solved

    You now have an outline of your new change management process. The hard work starts now for an effective implementation. Make use of the communications plan to socialize the new process with stakeholders and the roadmap to stay on track.

    Remember as you are starting your implementation to keep your documents flexible and treat them as “living documents.” You will likely need to tweak and refine the processware and templates several times to continually improve the process. Furthermore, don’t shy away from seeking feedback from your stakeholders to gain buy-in.

    Lastly, keep an eye on your progress with objective, data-driven metrics. Leverage the trends in your data to drive your decisions. Be sure to revisit the maturity assessment not only to measure and visualize your progress, but to gain insight into your next steps.

    If you would like additional support, have our analysts guide you through other phases as part of an Info-Tech workshop.

    Contact your account representative for more information.

    workshops@infotech.com

    1-888-670-8889

    Additional Support

    If you would like additional support, have our analysts guide you through other phases as part of an Info-Tech workshop.

    To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.

    Info-Tech analysts will join you and your team at your location or welcome you to Info-Tech’s historic office in Toronto, Ontario, Canada to participate in an innovative onsite workshop.

    Contact your account representative for more information.

    workshops@infotech.com 1-888-670-8889

    The following are sample activities that will be conducted by Info-Tech analysts with your team:

    1.1.2 Complete a Change Management Maturity Assessment

    Run through the change management maturity assessment with tailored commentary for each action item outlining context and best practices.

    2.2.1 Plot the Process for a Normal Change

    Build a normal change process using Info-Tech’s Change Management Process Library template with an analyst helping you to right size the process for your organization.

    Related Info-Tech Research

    Standardize the Service Desk

    Improve customer service by driving consistency in your support approach and meeting SLAs.

    Stabilize Release and Deployment Management

    Maintain both speed and control while improving the quality of deployments and releases within the infrastructure team.

    Incident and Problem Management

    Don’t let persistent problems govern your department.

    Select Bibliography

    AXELOS Limited. ITIL Foundation: ITIL 4th edition. TSO, 2019, pp. 118–120.

    Behr, Kevin and George Spafford. The Visible Ops Handbook: Implementing ITIL in 4 Practical and Auditable Steps. IT Revolution Press. 2013.

    BMC. “ITIL Change Management.” BMC Software Canada, 22 December 2016.

    Brown, Vance. “Change Management: The Greatest ROI of ITIL.” Cherwell Service Management.

    Cisco. “Change Management: Best Practices.” Cisco, 10 March 2008.

    Grove, Daniel. “Case Study ITIL Change Management Intel Corporation.” PowerShow, 2005.

    ISACA. “COBIT 5: Enabling Processes.” ISACA, 2012.

    Jantti, M. and M. Kainulainen. “Exploring an IT Service Change Management Process: A Case Study.” ICDS 2011: The Fifth International Conference on Digital Society, 23 Feb. 2011.

    Murphy, Vawns. “How to Assess Changes.” The ITSM Review, 29 Jan. 2016.

    Nyo, Isabel. “Best Practices for Change Management in the Age of DevOps.” Atlassian Engineering, 12 May 2021.

    Phillips, Katherine W., Katie A. Liljenquist, and Margaret A. Neale. “Better Decisions Through Diversity.” Kellogg Insight, 1 Oct. 2010.

    Pink Elephant. “Best Practices for Change Management.” Pink Elephant, 2005.

    Sharwood, Simon. “Google broke its own cloud by doing two updates at once.” The Register, 24 Aug. 2016.

    SolarWinds. “How to Eliminate the No: 1 Cause of Network Downtime.” SolarWinds Tech Tips, 25 Apr. 2014.

    The Stationery Office. “ITIL Service Transition: 2011.” The Stationary Office, 29 July 2011.

    UCISA. “ITIL – A Guide to Change Management.” UCISA.

    Zander, Jason. “Final Root Cause Analysis and Improvement Areas: Nov 18 Azure Storage Service Interruption.” Microsoft Azure: Blog and Updates, 17 Dec. 2014.

    Appendix I: Expedited Changes

    Employ the expedited change to promote process adherence

    In many organizations, there are changes which may not fit into the three prescribed categories. The reason behind why the expedited category may be needed generally falls between two possibilities:

    1. External drivers dictate changes via mandates which may not fall within the normal change cycle. A CIO, judge, state/provincial mandate, or request from shared services pushes a change that does not fall within a normal change cycle. However, there is no imminent outage (therefore it is not an emergency). In this case, an expedited change can proceed. Communicate to the change requester that IT and the change build team will still do their best to implement the change without issue, but any extra risk of implementing this expedited change (compared to an normal change) will be absorbed by the change requester.
    2. The change requester did not prepare for the change adequately. This is common if a new change process is being established (and stakeholders are still adapting to the process). Change requesters or the change build team may request the change to be done by a certain date that does not fall within the normal change cycle, or they simply did not give the CAB enough time to vet the change. In this case, you may use the expedited category as a metric (or a “Hall of Shame” example). If you identify a department or individual that frequently request expedited changes, use the expedited category as a means to educate them about the normal change to discourage the behavior moving forward.

    Two possible ways to build an expedited change category”

    1. Build the category similar to an emergency change. In this case, one difference would be the time allotted to fully obtain authorization of the change from the E-CAB and business owner before implementing the change (as opposed to the emergency change workflow).
    2. Have the expedited change reflect the normal change workflow. In this case, all the same steps of the normal change workflow are followed except for expedited timelines between processes. This may include holding an impromptu CAB meeting to authorize the change.

    Example process: Expedited Change Process

    The image is a flowchart, showing the process for Expedited Change.

    For the full process, refer to the Change Management Process Library.

    Appendix II: Optimize IT Change Management in a DevOps Environment

    Change Management cannot be ignored because you are DevOps or Agile

    But it can be right-sized.

    The core tenets of change management still apply no matter the type of development environment an organization has. Changes in any environment carry risk of degrading functionality, and must therefore be vetted. However, the amount of work and rigor put into different stages of the change life cycle can be altered depending on the maturity of the development workflows. The following are several stage gates for change management that MUST be considered if you are a DevOps or Agile shop:

    • Intake assessment (separation of changes from projects, service requests, operational tasks)
      • Within a DevOps or Agile environment, many of the application changes will come directly from the SDLC and projects going live. It does not mean a change must go through CAB, but leveraging the pre-approved category allows for an organization to stick to development lifecycles without being heavily bogged down by change bureaucracy.
    • Technical review
      • Leveraging automation, release contingencies, and the current SDLC documentation to decrease change risk allows for various changes to be designated as pre-approved.
    • Authorization
      • Define the authorization and dependencies of a change early in the lifecycle to gain authorization and necessary signoffs.
    • Documentation/communication
      • Documentation and communication are post-implementation activities that cannot be ignored. If documentation is required throughout the SDLC, then design the RFC to point to the correct documentation instead of duplicating information.

    "Understand that process is hard and finding a solution that fits every need can be tricky. With this change management process we do not try to solve every corner case so much as create a framework by which best judgement can be used to ensure maximum availability of our platforms and services while still complying with our regulatory requirements and making positive changes that will delight our customers.“ -IT Director, Information Cybersecurity Organization

    Five principals for implementing change in DevOps

    Follow these best practices to make sure your requirements are solid:

    People

    The core differences between an Agile or DevOps transition and a traditional approach are the restructuring and the team behind it. As a result, the stakeholders of change management must be onboard for the process to work. This is the most difficult problem to solve if it’s an issue, but open avenues of feedback for a process build is a start.

    DevOps Lifecycles

    • Plan the dev lifecycle so people can’t skirt it. Ensure the process has automated checks so that it’s more work to skirt the system than it is to follow it. Make the right process the process of least resistance.
    • Plan changes from the start to ensure that cross-dependencies are identified early and that the proposed implementation date is deconflicted and visible to other change requesters and change stakeholders.

    Automation

    Automation comes in many forms and is well documented in many development workflows. Having automated signoffs for QA/security checks and stakeholders/cross dependency owner sign offs may not fully replace the CAB but can ease the burden on discussions before implementation.

    Contingencies

    Canary releases, phased releases, dark releases, and toggles are all options you can employ to reduce risk during a release. Furthermore, building in contingencies to the test/rollback plan decreases the risk of the change by decreasing the factor of likelihood.

    Continually Improve

    Building change from the ground up doesn’t meant the process has to be fully fledged before launch. Iterative improvements are possible before achieving an optimal state. Having the proper metrics on the pain points and bottlenecks in the process can identify areas for automation and improvement.

    Increasing the proportion of pre-approved changes

    Leverage the traditional change infrastructure to deploy changes quickly while keeping your risk low.

    • To designate a change as a pre-approved change it must have a low risk rating (based on impact and likelihood). Fortunately, many of the changes within the Agile framework are designed to be small and lower risk (at least within application development). Putting in the work ahead of time to document these changes, template RFCs, and document the dependencies for various changes allows for a shift in the proportion of pre-approved changes.
    • The designation of pre-approved changes is an ongoing process. This is not an overnight initiative. Measure the proportion of changes by category as a metric, setting goals and interim goals to shift the change proportion to a desired ratio.

    The image is a bar graph, with each bar having 3 colour-coded sections: Emergency, Normal, and Pre-Approved. The first bar is before, where the largest change category is Normal. The second bar is after, and the largest change category is Pre-Approved.

    Turn your CAB into a virtual one

    • The CAB does not have to fully disappear in a DevOps environment. If the SDLC is built in a way that authorizes changes through peer reviews and automated checks, by the time it’s deployed, the job of the CAB should have already been completed. Then the authorization stage-gate (traditionally, the CAB) shifts to earlier in the process, reducing the need for an actual CAB meeting. However, the change must still be communicated and documented, even if it’s a pre-approved change.
    • As the proportion of changes shifts from a high degree of normal changes to a high degree of pre-approved changes, the need for CAB meetings should decrease even further. As an end-state, you may reserve actual CAB meetings for high-profile changes (as defined by risk).
    • Lastly, change management does not disappear as a process. Periodic reviews of change management metrics and the pre-approved change list must still be completed.

    Sustain and Grow the Maturity of Innovation in Your Enterprise

    • Buy Link or Shortcode: {j2store}91|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Innovation
    • Parent Category Link: /innovation
    • Customers are not waiting – they are insisting on change now. The recent litany of business failures and the ongoing demand for improved services means that “not in my backyard” will mean no backyard.
    • Positive innovation is about achieving tomorrow’s success today, where everyone is a leader and ideas and people can flourish – in every sector.

    Our Advice

    Critical Insight

    • Many innovation programs are not delivering value at a time when change is constant and is impacting both public and private sector organizations.
    • Organizations are not well-positioned in terms of leadership skills to advance their innovation programs.
    • Unlock your innovation potential by looking at your innovation projects on both a macro and micro level.
    • Innovation capacity is directly linked with creativity; allow your employees' creativity to flourish using Info-Tech’s positive innovation techniques.
    • Innovations need to be re-harvested each year in order to maximize your return on investment.

    Impact and Result

    • From an opportunity perspective, create an effective innovation program that spawns more innovations, realizes benefits from existing assets not fully being leveraged, and lays the groundwork for enhanced products and services.
    • This complementary toolkit and method (to existing blueprints/research) guides you to assess the “aspiration level” of innovations and the innovation program, assess the resources/capabilities that an entity has to date employed in its innovation program, and position IT for success to achieve the strategic objectives of the enterprise.

    Sustain and Grow the Maturity of Innovation in Your Enterprise Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should formalize processes to improve your innovation program, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Scope and define

    Understand your current innovation capabilities and create a mandate for the future of your innovation program.

    • Sustain and Grow the Maturity of Innovation in Your Enterprise – Phase 1: Scope and Define
    • Innovation Program Mandate and Terms of Reference Template
    • Innovation Program Overview Presentation Template
    • Innovation Assessment Tool

    2. Assess and aspire

    Assess opportunities for your innovation program on a personnel and project level, and provide direction on how to improve along these dimensions.

    • Sustain and Grow the Maturity of Innovation in Your Enterprise – Phase 2: Assess and Aspire
    • Appreciative Inquiry Questionnaire

    3. Implement and inspire

    Formalize the innovation improvements you identified earlier in the blueprint by mapping them to your IT strategy.

    • Sustain and Grow the Maturity of Innovation in Your Enterprise – Phase 3: Implement and Inspire
    • Innovation Planning Tool
    [infographic]

    Workshop: Sustain and Grow the Maturity of Innovation in Your Enterprise

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Pre-Work

    The Purpose

    Gather data that will be analyzed in the workshop.

    Key Benefits Achieved

    Information gathered with which analysis can be performed.

    Activities

    1.1 Do an inventory of innovations/prototypes underway.

    1.2 High-level overview of all existing project charters, and documentation of innovation program.

    1.3 Poll working group or key stakeholders in regards to scope of innovation program.

    Outputs

    Up-to-date inventory of innovations/prototypes

    Document review of innovation program and its results to date

    Draft scope of the innovation program and understanding of the timelines

    2 Scope and Define

    The Purpose

    Scope the innovation program and gain buy-in from major stakeholders.

    Key Benefits Achieved

    Buy-in from IT steering committee for innovation program improvements.

    Activities

    2.1 Establish or re-affirm values for the program.

    2.2 Run an initial assessment of the organization’s innovation potential (macro level).

    2.3 Set/reaffirm scope and budget for the program.

    2.4 Define or refine goals and outcomes for the program.

    2.5 Confirm/re-confirm risk tolerance of organization.

    2.6 Update/document innovation program.

    2.7 Create presentation to gain support from the IT steering committee.

    Outputs

    Innovation program and terms of reference

    Presentation on organization innovation program for IT steering committee

    3 Assess and Aspire

    The Purpose

    Analyze the current performance of the innovation program and identify areas for improvement.

    Key Benefits Achieved

    Identify actionable items that can be undertaken in order to improve the performance of the innovation program.

    Activities

    3.1 Assess your level of innovation per innovation project (micro level).

    3.2 Update the risk tolerance level of the program.

    3.3 Determine if your blend of innovation projects is ideal.

    3.4 Re-prioritize your innovation projects (if needed).

    3.5 Plan update to IT steering committee.

    3.6 Assess positive innovation assessment of team.

    3.7 Opportunity analysis of innovation program and team.

    Outputs

    Positive innovation assessment

    Re-prioritized innovation projects

    Updated presentation for IT steering committee

    4 Implement and Inspire

    The Purpose

    Formalize the innovation program by tying it into the IT strategy.

    Key Benefits Achieved

    A formalized innovation program that is closely tied to the IT strategy.

    Activities

    4.1 Update business context in terms of impact on IT implications.

    4.2 Update IT strategy in terms of impact and benefits of innovation program.

    4.3 Update/create innovation program implementation plan.

    4.4 Plan update for IT steering committee.

    Outputs

    Updated business context

    Updated IT strategy

    Innovation implementation plan, including roadmap

    Updated presentation given to IT steering committee

    Mentoring for Agile Teams

    • Buy Link or Shortcode: {j2store}154|cart{/j2store}
    • member rating overall impact: 9.5/10 Overall Impact
    • member rating average dollars saved: $187,599 Average $ Saved
    • member rating average days saved: 27 Average Days Saved
    • Parent Category Name: Development
    • Parent Category Link: /development
    • Today’s realities are driving organizations to digitize faster and become more Agile.
    • Most hierarchical, command and control–style organizations are not yet well adapted to using Agile.
    • So-called textbook Agile practices often clash with traditional processes and practices.
    • Members must adapt their Agile practices to accommodate their organizational realities.

    Our Advice

    Critical Insight

    • There is no one-size-fits-all approach to Agile. Agile practices need to be adjusted to work in your organization based on a thoughtful diagnosis of the challenges and solutions tailored to the nature of your organization.

    Impact and Result

    • Identify your Agile challenges and success factors (both organization-wide and team-specific).
    • Leverage the power of research and experience to solve key Agile challenges and gain immediate benefits for your project.
    • Your Agile playbook will capture your findings so future projects can benefit from them.

    Mentoring for Agile Teams Research & Tools

    Start here – read the Executive Brief

    Read this Executive Brief to understand how a Agile Mentoring can help your organization to successfully establish Agile practices within your context.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Take the Info-Tech Agile Challenges and Success Factors Survey

    This tool will help you identify where your Agile teams are experiencing the most pain so you can create your Agile challenges hit list.

    • Agile Challenges and Success Factors Survey

    2. Review typical challenges and findings

    While each organization/team will struggle with its own individual challenges, many members find they face similar organizational/systemic challenges when adopting Agile. Review these typical challenges and learn from what other members have discovered.

    • Mentoring for Agile Teams – Typical Findings

    Infographic

    Workshop: Mentoring for Agile Teams

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Take the Agile Challenges and Success Factors Survey

    The Purpose

    Determine whether an Agile playbook is right for you.

    Broadly survey your teams to identify Agile challenges and success factors in your organization.

    Key Benefits Achieved

    Better understanding of common Agile challenges and success factors

    Identification of common Agile challenges and success factors are prevalent in your organization

    Activities

    1.1 Distribute survey and gather results.

    1.2 Consolidate survey results.

    Outputs

    Completed survey responses from across teams/organization

    Consolidated heat map of your Agile challenges and success factors

    2 Identify Your Agile Challenges Hit List

    The Purpose

    Examine consolidated survey results.

    Identify your most pressing challenges.

    Create a hit list of challenges to be resolved.

    Key Benefits Achieved

    Identification of the most serious challenges to your Agile transformation

    Attention focused on those challenge areas that are most impacting your Agile teams

    Activities

    2.1 Analyze and discuss your consolidated heat map.

    2.2 Prioritize identified challenges.

    2.3 Select your hit list of challenges to address.

    Outputs

    Your Agile challenges hit list

    3 Problem Solve

    The Purpose

    Address each challenge in your hit list to eliminate or improve it.

    Key Benefits Achieved

    Better Agile team performance and effectiveness

    Activities

    3.1 Work with Agile mentor to problem solve each challenge in your hit list.

    3.2 Apply these to your project in real time.

    Outputs

    4 Create Your Agile Playbook

    The Purpose

    Capture the findings and lessons learned while problem solving your hit list.

    Key Benefits Achieved

    Strategies and tactics for being successful with Agile in your organization which can be applied to future projects

    Activities

    4.1 For each hit list item, capture the findings and lessons learned in Module 3.

    4.2 Document these in your Agile Playbook.

    Outputs

    Your Agile Playbook deliverable

    Build an IT Risk Management Program

    • Buy Link or Shortcode: {j2store}192|cart{/j2store}
    • member rating overall impact: 8.3/10 Overall Impact
    • member rating average dollars saved: $31,532 Average $ Saved
    • member rating average days saved: 17 Average Days Saved
    • Parent Category Name: IT Governance, Risk & Compliance
    • Parent Category Link: /it-governance-risk-and-compliance
    • Risk is unavoidable. Without a formal program to manage IT risk, you may be unaware of your severest IT risks.
    • The business could be making decisions that are not informed by risk.
    • Reacting to risks AFTER they occur can be costly and crippling, yet it is one of the most common tactics used by IT departments.

    Our Advice

    Critical Insight

    • IT risk is business risk. Every IT risk has business implications. Create an IT risk management program that shares accountability with the business.

    Impact and Result

    • Transform your ad hoc IT risk management processes into a formalized, ongoing program, and increase risk management success.
    • Take a proactive stance against IT threats and vulnerabilities by identifying and assessing IT’s greatest risks before they occur.
    • Involve key stakeholders including the business senior management team to gain buy-in and to focus on IT risks most critical to the organization.

    Build an IT Risk Management Program Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Build an IT Risk Management Program – A holistic approach to managing IT risks within your organization and involving key business stakeholders.

    Gain business buy-in to understanding the key IT risks that could negatively impact the organization and create an IT risk management program to properly identify, assess, respond, monitor, and report on those risks.

    • Build an IT Risk Management Program – Phases 1-3

    2. Risk Management Program Manual – A single source of truth for the risk management program to exist and be updated to reflect changes.

    Leverage this Risk Management Program Manual to ensure that the decisions around how IT risks will be governed and managed can be documented in a single source accessible by those involved.

    • Risk Management Program Manual

    3. Risk Register & Risk Costing Tool – A set of tools to document identified risk events. Assess each risk event and consider the appropriate response based on your organization’s threshold for risk.

    Engage these tools in your organization if you do not currently have a GRC tool to document risk events as they relate to the IT function. Consider the best risk response to high severity risk events to ensure all possible situations are considered.

    • Risk Register Tool
    • Risk Costing Tool

    4. Risk Event Action Plan and Risk Report – A template to document the chosen risk responses and ensure accountable owners agree on selected response method.

    Establish clear guidelines and responses to risk events that will leave your organization vulnerable to unwanted threats. Ensure risk owners have agreed to the risk responses and are willing to take accountability for that response.

    • Risk Event Action Plan
    • Risk Report

    Infographic

    Workshop: Build an IT Risk Management Program

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Review IT Risk Fundamentals and Governance

    The Purpose

    To assess current risk management maturity, develop goals, and establish IT risk governance.

    Key Benefits Achieved

    Identified obstacles to effective IT risk management.

    Established attainable goals to increase maturity.

    Clearly laid out risk management accountabilities and responsibilities for IT and business stakeholders.

    Activities

    1.1 Assess current program maturity

    1.2 Complete RACI chart

    1.3 Create the IT risk council

    1.4 Identify and engage key stakeholders

    1.5 Add organization-specific risk scenarios

    1.6 Identify risk events

    Outputs

    Maturity Assessment

    Risk Management Program Manual

    Risk Register

    2 Identify IT Risks

    The Purpose

    Identify and assess all IT risks.

    Key Benefits Achieved

    Created a comprehensive list of all IT risk events.

    Risk events prioritized according to risk severity – as defined by the business.

    Activities

    2.1 Identify risk events (continued)

    2.2 Augment risk event list using COBIT 5 processes

    2.3 Determine the threshold for (un)acceptable risk

    2.4 Create impact and probability scales

    2.5 Select a technique to measure reputational cost

    2.6 Conduct risk severity level assessment

    Outputs

    Finalized List of IT Risk Events

    Risk Register

    Risk Management Program Manual

    3 Identify IT Risks (continued)

    The Purpose

    Prioritize risks, establish monitoring responsibilities, and develop risk responses for top risks.

    Key Benefits Achieved

    Risk monitoring responsibilities are established.

    Risk response strategies have been identified for all key risks.

    Activities

    3.1 Conduct risk severity level assessment

    3.2 Document the proximity of the risk event

    3.3 Conduct expected cost assessment

    3.4 Develop key risk indicators (KRIs) and escalation protocols

    3.5 Root cause analysis

    3.6 Identify and assess risk responses

    Outputs

    Risk Register

    Risk Management Program Manual

    Risk Event Action Plans

    4 Monitor, Report, and Respond to IT Risk

    The Purpose

    Assess and select risk responses for top risks and effectively communicate recommendations and priorities to the business.

    Key Benefits Achieved

    Thorough analysis has been conducted on the value and effectiveness of risk responses for high severity risk events.

    Authoritative risk response recommendations can be made to senior leadership.

    A finalized Risk Management Program Manual is ready for distribution to key stakeholders.

    Activities

    4.1 Identify and assess risk responses

    4.2 Risk response cost-benefit analysis

    4.3 Create multi-year cost projections

    4.4 Review techniques for embedding risk management in IT

    4.5 Finalize the Risk Report and Risk Management Program Manual

    4.6 Transfer ownership of risk responses to project managers

    Outputs

    Risk Report

    Risk Management Program Manual

    Further reading

    Build an IT Risk Management Program

    Mitigate the IT risks that could negatively impact your organization.

    Table of Contents

    3 Executive Brief

    4 Analyst Perspective

    5 Executive Summary

    19 Phase 1: Review IT Risk Fundamentals & Governance

    43 Phase 2: Identify and Assess IT Risk

    74 Phase 3: Monitor, Communicate, and Respond to IT Risk

    102 Appendix

    108 Bibliography

    Build an IT Risk Management Program

    Mitigate the IT risks that could negatively impact your organization.

    EXECUTIVE BRIEF

    Analyst Perspective

    Siloed risks are risky business for any enterprise.

    Photo of Valence Howden, Principal Research Director, CIO Practice.
    Valence Howden
    Principal Research Director, CIO Practice    		 Photo of Brittany Lutes, Senior Research Analyst, CIO Practice.
    Brittany Lutes
    Senior Research Analyst, CIO Practice

    Risk is an inherent part of life but not very well understood or executed within organizations. This has led to risk being avoided or, when it’s implemented, being performed in isolated siloes with inconsistencies in understanding of impact and terminology.

    Looking at risk in an integrated way within an organization drives a truer sense of the thresholds and levels of risks an organization is facing – making it easier to manage and leverage risk while reducing risks associated with different mitigation responses to the same risk events.

    This opens the door to using risk information – not only to prevent negative impacts but as a strategic differentiator in decision making. It helps you know which risks are worth taking, driving strong positive outcomes for your organization.

    Executive Summary

    Your Challenge

    IT has several challenges when it comes to addressing risk management:

    • Risk is unavoidable. Without a formal program to manage IT risk, you may be unaware of your severest IT risks.
    • The business could be making decisions that are not informed by risk.
    • Reacting to risks after they occur can be costly and crippling, yet it is one of the most common tactics used by IT departments.

    Common Obstacles

    Many IT organizations realize these obstacles:

    • IT risks and business risks are often addressed separately, causing inconsistencies in the approach.
    • Security risk receives such a high profile that it often eclipses other important IT risks, leaving the organization vulnerable.
    • Failing to include the business in IT risk management leaves IT leaders too accountable; the business must have accountability as well.

    Info-Tech’s Approach

    • Transform your ad hoc IT risk management processes into a formalized, ongoing program and increase risk management success.
    • Take a proactive stance against IT threats and vulnerabilities by identifying and assessing IT’s greatest risks before they occur.
    • Involve key stakeholders, including the business senior management team, to gain buy-in and to focus on the IT risks most critical to the organization.

    Info-Tech Insight

    IT risk is business risk. Every IT risk has business implications. Create an IT risk management program that shares accountability with the business.

    Ad hoc approaches to managing risk fail because…

    If you are like the majority of IT departments, you do not have a consistent and comprehensive strategy for managing IT risk.

    1. Ad hoc risk management is reactionary.
    2. Ad hoc risk management is often focused only on IT security.
    3. Ad hoc risk management lacks alignment with business objectives.

    The results:

    • Increased business risk exposure caused by a lack of understanding of the impact of IT risks on the business.
    • Increased IT non-compliance, resulting in costly settlements and fines.
    • IT audit failure.
    • Ineffective management of risk caused by poor risk information and wrong risk response decisions.
    • Increased unnecessary and avoidable IT failures and fixes.

    58% of organizations still lack a systematic and robust method to actually report on risks (Source: AICPA, 2021)

    Data is an invaluable asset – ensure it’s protected

    Case Studies

    Logo for Cognyte.

    Cognyte, a vendor hired to be a cybersecurity analytics company, had over five billion records exposed in Spring 2021. The data was compromised for four days, providing attackers with plenty of opportunities to obtain personally identifying information. (SecureBlink., 2021 & Security Magazine, 2021)

    Logo for Facebook.

    Facebook, the world’s largest social media giant, had over 533 million Facebook users’ personal data breached when data sets were able to be cross-listed with one another. (Business Insider, 2021 & Security Magazine, 2021)

    Logo for MGM Resorts.

    In 2020, over 10.6 million customers experienced some sort of data being accessible, with 1,300 having serious personally identifying information breached. (The New York Times, 2020)

    Risk management is a business enabler

    Formalize risk management to increase your likelihood of success.

    By identifying areas of risk exposure and creating solutions proactively, obstacles can be removed or circumvented before they become a real problem.

    A certain amount of risk is healthy and can stimulate innovation:

    • A formal risk management strategy doesn’t mean trying to mitigate every possible risk; it means exposing the organization to the right amount of risk.
    • Taking a formal risk management approach allows an organization to thoughtfully choose which risks it is willing to accept.
    • Organizations with high risk management maturity will vault themselves ahead of the competition because they will be aware of which risks to prepare for, which risks to ignore, and which risks to take.

    Only 12% of organizations are using risk as a strategic tool most or all of the time (Source: AICPA, 2021)

    IT risk is enterprise risk

    Accountability for IT risks and the decisions made to address them should be shared between IT and the business.

    Multiple types of risk, 'Finance', 'IT', 'People', and 'Digital', funneling into 'ENTERPRISE RISKS'. IT risks have a direct and often aggregated impact on enterprise risks and opportunities in the same way other business risks can. This relationship must be understood and addressed through integrated risk management to ensure a consistent approach to risk.

    Follow the steps of this blueprint to build or optimize your IT risk management program

    Cycle of 'Goverance' beginning with '1. Identify', '2. Assess', '3. Respond', '4. Monitor', '5. Report'.

    Start Here

    		 PHASE 1
    Review IT Risk Fundamentals and Governance
    		 PHASE 2
    Identify and Assess IT Risk
    		 PHASE 3
    Monitor, Report, and Respond to IT Risk

    1.1

    Review IT Risk Management Fundamentals

    1.2

    Establish a Risk Governance Framework

    2.1

    Identify IT Risks

    2.2

    Assess and Prioritize IT Risks

    3.1

    Monitor IT Risks and Develop Risk Responses

    3.2

    Report IT Risk Priorities

    Integrate Risk and Use It to Your Advantage

    Accelerate and optimize your organization by leveraging meaningful risk data to make intelligent enterprise risk decisions.

    Risk management is more than checking an audit box or demonstrating project due diligence.

    Risk Drivers
    • Audit & compliance
    • Preserve value & avoid loss
    • Previous risk impact driver
    • Major transformation
    • Strategic opportunities
    		 Arrow pointing right. Only 7% of organizations are in a “leading” or “aspirational” level of risk maturity. (OECD, 2021) 63% of organizations struggle when it comes to defining their appetite toward strategy related risks. (“Global Risk Management Survey,” Deloitte, 2021) Late adopters of risk management were 70% more likely to use instinct over data or facts to inform an efficient process. (Clear Risk, 2020) 55% of organizations have little to no training on ERM to properly implement such practices. (AICPA, NC State Poole College of Management, 2021)
    1. Assess Enterprise Risk Maturity 3. Build a Risk Management Program Plan 4. Establish Risk Management Processes 5. Implement a Risk Management Program
    2. Determine Authority with Governance
    Unfortunately, less than 50% of those in risk focused roles are also in a governance role where they have the authority to provide risk oversight. (Governance Institute of Australia, 2020)
    IT can improve the maturity of the organization’s risk governance and help identify risk owners who have authority and accountability.

    Governance and related decision making is optimized with integrated and aligned risk data.

    		 List of 'Integrated Risk Maturity Categories': '1. Context & Strategic Direction', '2. Risk Culture and Authority', '3. Risk Management Process', and '4. Risk Program Optimization'. The five types of a risk in 'Enterprise Risk Management (ERM)': 'IT', 'Security', 'Digital', 'Vendor/TPRM', and 'Other'.

    ERM incorporates the different types of risk, including IT, security, digital, vendor, and other risk types.

    The program plan is meant to consider all the major risk types in a unified approach.

    		 The 'Risk Process' cycle starting with '1. Identify', '2. Assess', '3. Respond', '4. Monitor', '5. Report', and back to the beginning. Implementation of an integrated risk management program requires ongoing access to risk data by those with decision making authority who can take action.

    Blueprint deliverables

    Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:

    Key deliverable:

    Risk Management Program Manual

    Use the tools and activities in each phase of the blueprint to create a comprehensive, customized program manual for the ongoing management of IT risk.

    Sample of the key deliverable, Risk Manangement Program Fund.    		 Integrated Risk Maturity Assessment

    Assess the organization's current maturity and readiness for integrated risk management (IRM).

    		 Sample of the Integrated Risk Maturity Assessment blueprint. Centralized Risk Register

    The repository for all the risks that have been identified within your environment.

    		 Sample of the Centralized Risk Register blueprint.
    Risk Costing Tool

    A potential cost-benefit analysis of possible risk responses to determine a good method to move forward.

    		 Sample of the Risk Costing Tool blueprint. Risk Report & Risk Event Action Plan

    A method to report risk severity and hold risk owners accountable for chosen method of responding.

    		 Samples of the Risk Report & Risk Event Action Plan blueprints.

    Benefit from industry-leading best practices

    As a part of our research process, we used the COSO, ISO 31000, and COBIT 2019 frameworks. Contextualizing IT risk management within these frameworks ensured that our project-focused approach is grounded in industry-leading best practices for managing IT risk.

    Logo for COSO.

    COSO’s Enterprise Risk Management — Integrating with Strategy and Performance addresses the evolution of enterprise risk management and the need for organizations to improve their approach to managing risk to meet the demands of an evolving business environment. (COSO)

    Logo for ISO.

    ISO 31000
    Risk Management can help organizations increase the likelihood of achieving objectives, improve the identification of opportunities and threats, and effectively allocate and use resources for risk treatment. (ISO 31000)

    Logo for COBIT.

    COBIT 2019’s IT functions were used to develop and refine our Ten IT Risk Categories used in our top-down risk identification methodology. (COBIT 2019)

    Abandon ad hoc risk management

    A strong risk management foundation is valuable when building your IT risk management program.

    This research covers the following IT risk fundamentals:

    • Benefits of formalized risk management
    • Key terms and definitions
    • Risk management within ERM
    • Risk management independent of ERM
    • Four key principles of IT risk management
    • Importance of a risk management program manual
    • Importance of buy-in and support from the business

    Drivers of Formalized Risk Management:
    Drivers External to IT
    External Audit Internal Audit
    Mandated by ERM
    Occurrence of Risk Event
    Demonstrating IT’s value to the business Proactive initiative
    Emerging IT risk awareness
    Grassroots Drivers

    Blueprint benefits

    IT Benefits

    • Increased on-time, in-scope, and on-budget completion of IT projects.
    • Meet the business’ service requirements.
    • Improved satisfaction with IT by senior leadership and business units.
    • Fewer resources wasted on fire-fighting.
    • Improved availability, integrity, and confidentiality of sensitive data.
    • More efficient use of resources.
    • Greater ability to respond to evolving threats.

    Business Benefits

    • Reduced operational surprises or failures.
    • Improved IT flexibility when responding to risk events and market fluctuations.
    • Reduced budget uncertainty.
    • Improved ability to make decisions when developing long-term strategies.
    • Improved stakeholder and shareholder confidence.
    • Achieved compliance with external regulations.
    • Competitive advantage over organizations with immature risk management practices.

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    Guided Implementation

    Workshop

    Consulting
    "Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful." "Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track." "We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place." "Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project."

    Diagnostics and consistent frameworks used throughout all four options

    Guided Implementation

    A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

    A typical GI is 6 to 8 calls over the course of 3 to 6 months.

    What does a typical GI on this topic look like?

      Phase 1

    • Call #1: Assess current risk maturity and organizational buy-in.
    • Call #2: Establish an IT risk council and determine IT risk management program goals.

      • Phase 2

    • Call #3: Identify the risk categories used to organize risk events.
    • Call #4: Identify the threshold for risk the organization can withstand.

      • Phase 3

    • Call #5: Create a method to assess risk event severity.
    • Call #6: Establish a method to monitor priority risks and consider possible risk responses.
    • Call #7: Communicate risk priorities to the business and implement risk management plan.

    Workshop Overview

    Contact your account representative for more information.
    workshops@infotech.com 1-888-670-8889

    Day 1 Day 2 Day 3 Day 4 Day 5
    Activities
    Review IT Risk Fundamentals and Governance

    1.1 Assess current program maturity

    1.2 Complete RACI chart

    1.3 Create the IT risk council

    1.4 Identify and engage key stakeholders

    1.5 Add organization-specific risk scenarios

    1.6 Identify risk events
    Identify IT Risks

    2.1 Identify risk events (continued)

    2.2 Augment risk event list using COBIT5 processes

    2.3 Determine the threshold for (un)acceptable risk

    2.4 Create impact and probability scales

    2.5 Select a technique to measure reputational cost

    2.6 Conduct risk severity level assessment
    Assess IT Risks

    3.1 Conduct risk severity level assessment

    3.2 Document the proximity of the risk event

    3.3 Conduct expected cost assessment

    3.4 Develop key risk indicators (KRIs) and escalation protocols

    3.5 Perform root cause analysis

    3.6 Identify and assess risk responses
    Monitor, Report, and Respond to IT Risk

    4.1 Identify and assess risk responses

    4.2 Risk response cost-benefit analysis

    4.3 Create multi-year cost projections

    4.4 Review techniques for embedding risk management in IT

    4.5 Finalize the Risk Report and Risk Management Program Manual

    4.6 Transfer ownership of risk responses to project managers
    Next Steps and Wrap-Up (offsite)

    5.1 Complete in-progress deliverables from previous four days

    5.2 Set up review time for workshop deliverables and to discuss next steps
    Outcomes
    1. Maturity Assessment
    2. Risk Management Program Manual
    1. Finalized List of IT Risk Events
    2. Risk Register
    3. Risk Management Program Manual
    1. Risk Register
    2. Risk Event Action Plans
    3. Risk Management Program Manual
    1. Risk Report
    2. Risk Management Program Manual
    1. Workshop Report
    2. Risk Management Program Manual

    Build an IT Risk Management Program

    Phase 1

    Review IT Risk Fundamentals and Governance

    Phase 1

    • 1.1 Review IT Risk Management Fundamentals
    • 1.2 Establish a Risk Governance Framework
      •

    Phase 2

    • 2.1 Identify IT Risks
    • 2.2 Assess and Prioritize IT Risks

    Phase 3

    • 3.1 Develop Risk Responses and Monitor IT Risks
    • 3.2 Report IT Risk Priorities

    This phase will walk you through the following activities:

    • Gain buy-in from senior leadership
    • Assess current program maturity
    • Identify obstacles and pain points
    • Determine the risk culture of the organization
    • Develop risk management goals
    • Develop SMART project metrics
    • Create the IT risk council
    • Complete a RACI chart

    This phase involves the following participants:

    • IT executive leadership
    • Business executive leadership

    Step 1.1

    Review IT Risk Management Fundamentals

    Activities
    • 1.1.1 Gain buy-in from senior leadership
    • 1.1.2 Assess current program maturity

    This step involves the following participants:

    • IT executive leadership
    • Business executive leadership

    Outcomes of this step

    • Reviewed key IT principles and terminology
    • Gained understanding of the relationship between IT risk management and ERM
    • Introduced to Info-Tech’s IT Risk Management Framework
    • Obtained the support of senior leadership
    Step 1.1 Step 1.2

    Effective IT risk management is possible with or without ERM

    Whether or not your organization has ERM, integrating your IT risk management program with the business is possible.

    Most IT departments find themselves in one of these two organizational frameworks for managing IT risk:

    Core Responsibilities With an ERM Without an ERM
    • Risk Decision-Making Authority
    • Final Accountability
    		 Senior Leadership Team Senior Leadership Team
    • Risk Governance
    • Risk Prioritization & Communication
    		 ERM IT Risk Management
    • Risk Identification
    • Risk Assessment
    • Risk Monitoring
    		 IT Risk Management
    Pro: IT’s risk management responsibilities are defined (assessment schedules, escalation and reporting procedures).
    Con: IT may lack autonomy to implement IT risk management best practices.    		 Pro: IT is free to create its own IT risk council and develop customized processes that serve its unique needs.
    Con: Lack of clear reporting procedures and mechanisms to share accountability with the business.

    Info-Tech’s IT risk management framework walks you through each step to achieve risk readiness

    IT Risk Management Framework

    Risk Governance
    • Optimize Risk Management Processes
    • Assess Risk Maturity
    • Measure the Success of the Program
    		 A cycle surrounds the words 'Business Objectives', referring to the surrounding lists. On the top half is 'Communication', and the bottom is 'Monitoring'. Risk Identification
    • Engage Stakeholder Participation
    • Use Risk Identification Frameworks
    • Compile IT-Related Risks
    Risk Response
    • Establish Monitoring Responsibilities
    • Perform Cost-Benefit Analysis
    • Report Risk Response Actions
    		 Risk Assessment
    • Establish Thresholds for Unacceptable Risk
    • Calculate Expected Cost
    • Determine Risk Severity & Prioritize IT Risks

    Effective IT risk management benefits

    Obtain the support of the senior leadership team or IT steering committee by communicating how IT risk impacts their priorities.

    Risk management benefits To engage the business...
    IT is compliant with external laws and regulations. Identify the industry or legal legislation and regulations your organization abides by.
    IT provides support for business compliance. Find relevant business compliance issues, and relate compliance failures to cost.
    IT regularly communicates costs, benefits, and risks to the business. Acknowledge the number of times IT and the business miscommunicate critical information.
    Information and processing infrastructure are very secure. Point to past security breaches or potential vulnerabilities in your systems.
    IT services are usually delivered in line with business requirements. Bring up IT services that the business was unsatisfied with. Explain that their inputs in identifying risks are correlated with project quality.
    IT related business risks are managed very well. Make it clear that with no risk tracking process, business processes become exposed and tend to slow down.
    IT projects are completed on time and within budget. Point out late or over-budget projects due to the occurrence of unforeseen risks.

    1.1.1 Gain buy-in from senior leadership

    1-4 hours

    Input: List of IT personnel and business stakeholders

    Output: Buy-in from senior leadership for an IT risk management program

    Materials: Risk Management Program Manual

    Participants: IT executive leadership, Business executive leadership

    The resource demands of IT risk management will vary from organization to organization. Here are typical requirements:

    • Occasional participation of key IT personnel and select business stakeholders in IT risk council meetings (e.g. once every two weeks).
    • Periodic risk assessments (e.g. 4 days, twice a year).
    • IT personnel must take on risk monitoring responsibilities (e.g. 1-4 hours per week).
    • Record the results in the Program Manual sections 3.3, 3.4 and 3.5.

    Record the results in the Risk Management Program Manual.

    Integrated Risk Maturity Assessment

    The purpose of the Integrated Risk Maturity Assessment is to assess the organization's current maturity and readiness for integrated risk management (IRM)

    Frequently and continually assessing your organization’s maturity toward integrated risk ensures the right risk management program can be adopted by your organization.

    Integrated Risk Maturity Assessment
    A simple tool to understand if your organization is ready to embrace integrated risk management by measuring maturity across four key categories: Context & Strategic Direction, Risk Culture & Authority, Risk Management Process, and Risk Program Optimization.    		 Sample of the Integrated Risk Maturity Assessment deliverable.

    Use the results from this integrated risk maturity assessment to determine the type of risk management program that can and should be adopted by your organizations.

    Some organizations will need to remain siloed and focused on IT risk management only, while others will be able to integrate risk-related information to start enabling automatic controls that respond to this data.

    1.1.2 Assess current program maturity

    1-4 hours

    Input: List of IT personnel and business stakeholders

    Output: Maturity scores across four key risk categories

    Materials: Integrated Risk Maturity Assessment Tool

    Participants: IT executive leadership, Business executive leadership

    This assessment is intended for frequent use; process completeness should be re-evaluated on a regular basis.

    How to Use This Assessment:

    1. Download the Integrated Risk Management Maturity Assessment Tool.
    2. Tab 2, "Data Entry:" This is a qualitative assessment of your integrated risk management process and is organized by the categories of integrated risk maturity. You will be asked to rate the extent to which you are executing the activities required to successfully complete each phase of the assessment. Use the drop-down menus provided to select the appropriate level of execution for each activity listed.
    3. Tab 3, "Results:" This tab will display your rate of IRM completeness/maturity. You will receive a score for each category as well as an overall score. The results will be displayed numerically, by percentage, and graphically.

    Record the results in the Integrated Risk Maturity Assessment.

    Integrated Risk Maturity Categories

    		 Semi-circle with colored points indicating four categories.

    1

    		Context & Strategic Direction Understanding of the organization’s main objectives and how risk can support or enhance those objectives.

    2

    		Risk Culture and Authority Examine if risk-based decisions are being made by those with the right level of authority and if the organization’s risk appetite is embedded in the culture.

    3

    		Risk Management Process Determine if the current process to identify, assess, respond to, monitor, and report on risks is benefitting the organization.

    4

    		Risk Program Optimization Consider opportunities where risk-related data is being gathered, reported, and used to make informed decisions across the enterprise.

    Step 1.2

    Establish a Risk Governance Framework

    Activities
    • 1.2.1 Identify pain points/obstacles and opportunities
    • 1.2.2 Determine the risk culture of the organization
    • 1.2.3 Develop risk management goals
    • 1.2.4 Develop SMART project metrics
    • 1.2.5 Create the IT risk council
    • 1.2.6 Complete a RACI chart

    This step involves the following participants:

    • IT executive leadership
    • Business executive leadership

    Outcomes of this step

    • Developed goals for the risk management program
    • Established the IT risk council
    • Assigned accountability and responsibility for risk management processes

    Review IT Risk Fundamentals and Governance

    Step 1.1 Step 1.2

    Create an IT risk governance framework that integrates with the business

    Follow these best practices to make sure your requirements are solid:

    1. Self-assess your current approach to IT risk management.
    2. Identify organizational obstacles and set attainable risk management goals.
    3. Track the effectiveness and success of the program using SMART risk management metrics.
    4. Establish an IT risk council tasked with managing IT risk.
    5. Set clear risk management accountabilities and responsibilities for IT and business stakeholders.

    Key metrics for your IT risk governance framework

    Challenges:
    • Key stakeholders are left out or consulted once risks have already occurred.
    • Failure to employ consistent risk identification methodologies results in omitted and unknown risks.
    • Risk assessments do not reflect organizational priorities and may not align with thresholds for acceptable risk.
    • Risk assessment occurs sporadically or only after a major risk event has already occurred.
    		 Key metrics:
    • Number of risk management processes done ad hoc.
    • Frequency that IT risk appears as an agenda item at IT steering committee meetings.
    • Percentage of IT employees whose performance evaluations reflect risk management objectives.
    • Percentage of IT risk council members who are trained in risk management activities.
    • Number of open positions in the IT risk council.
    • Cost of risk management program operations per year.

    Info-Tech Insight

    Metrics provide the foundation for determining the success of your IT risk management program and ensure ongoing funding to support appropriate risk responses.

    IT risk management success factors

    Support and sponsorship from senior leadership

    IT risk management has more success when initiated by a member of the senior leadership team or the board, rather than emerging from IT as a grassroots initiative.

    Sponsorship increases the likelihood that risk management is prioritized and receives the necessary resources and attention. It also ensures that IT risk accountability is assumed by senior leadership.

    		 Risk culture and awareness

    A risk-aware organizational culture embraces new policies and processes that reflect a proactive approach to risk.

    An organization with a risk-aware culture is better equipped to facilitate communication vertically within the organization.

    Risk awareness can be embedded by revising job descriptions and performance assessments to reflect IT risk management responsibilities.

    		 Organization size

    Smaller organizations can often institute a mature risk management program much more quickly than larger organizations.

    It is common for key personnel within smaller organizations to be responsible for multiple roles associated with risk management, making it easier to integrate IT and business risk management.

    Larger organizations may find it more difficult to integrate a more complex and dispersed network of individuals responsible for various risk management responsibilities.

    1.2.1 Identify obstacles and pain points

    1-4 hours

    Input: Integrated Risk Maturity Assessment

    Output: Obstacles and pain points identified

    Materials: IT Risk Management Success Factors

    Participants: IT executive leadership, Business executive leadership

    Anticipate potential challenges and “blind spots” by determining which success factors are missing from your current situation.

    Instructions:

    1. List the potential obstacles and missing success factors that you must overcome to effectively manage IT risk and build a risk management program.
    2. Consider some opportunities that could be leveraged to increase the success of this program.
    3. Use this list in Activity 1.2.3 to develop program goals.

    Risk Management

    Replace the example pain points and opportunities with real scenarios in your organization.

    Pain Points/Obstacles
    • Lack of leadership buy-in
    • Skills and understanding around risk management within IT
    • Skills and understanding around risk management within the organization
    • Lack of a defined risk management posture
    		 Opportunities
    • Changes in regulations related to risk
    • Organization moving toward an integrated risk management program
    • Ability to leverage lessons learned from similar companies
    • Strong process management and adherence to policies by employees in the organization

    1.2.2 Determine the risk culture of your organization

    1-3 hours

    Determine how your organization fits the criteria listed below. Descriptions and examples do not have to match your organization perfectly.

    Risk Tolerant
    • You have no compliance requirements.
    • You have no sensitive data.
    • Customers do not expect you to have strong security controls.
    • Revenue generation and innovative products take priority and risk is acceptable.
    • The organization does not have remote locations.
    • It is likely that your organization does not operate within the following industries:
      • Finance
      • Health care
      • Telecom
      • Government
      • Research
      • Education
    		 Moderate
    • You have some compliance requirements, e.g.:
      • HIPAA
      • PIPEDA
    • You have sensitive data, and are required to retain records.
    • Customers expect strong security controls.
    • Information security is visible to senior leadership.
    • The organization has some remote locations.
    • Your organization most likely operates within the following industries:
      • Government
      • Research
      • Education
    		 Risk Averse
    • You have multiple, strict compliance and/or regulatory requirements.
    • You house sensitive data, such as medical records.
    • Customers expect your organization to maintain strong and current security controls.
    • Information security is highly visible to senior management and public investors.
    • The organization has multiple remote locations.
    • Your organization operates within the following industries:
      • Finance
      • Healthcare
      • Telecom

    Be aware of the organization’s attitude towards risk

    Risk culture is an organization’s attitude towards taking risks. This attitude manifests itself in two ways:

    One element of risk culture is what levels of risk the organization is willing to accept to pursue its objectives and what levels of risk are deemed unacceptable. This is often called risk appetite.
    Risk tolerant

    Risk-tolerant organizations embrace the potential of accelerating growth and the attainment of business objectives by taking calculated risks.

    		 Risk averse

    Risk-averse organizations prefer consistent, gradual growth and goal attainment by embracing a more cautious stance toward risk.
    The other component of risk culture is the degree to which risk factors into decision making.
    Risk conscious

    Risk-conscious organizations place a high priority on being aware of all risks impacting business objectives, regardless of whether they choose to accept or respond to those risks.

    		 Unaware

    Organizations that are largely unaware of the impact of risk generally believe there are few major risks impacting business objectives and choose to invest resources elsewhere.

    Info-Tech Insight

    Organizations typically fall in the middle of these spectrums. While risk culture will vary depending on the industry and maturity of the organization, a culture with a balanced risk appetite that is extremely risk conscious is able to make creative, dynamic decisions with reasonable limits placed on risk-related decision making.

    1.2.3 Develop goals for the IT risk management program

    1-4 hours

    Input: Integrated Risk Maturity Assessment, Risk Culture, Pain Points and Opportunities

    Output: Goals for the IT risk management program

    Materials: Risk Management Program Manual

    Participants: IT executive leadership, Business executive leadership

    Translate your maturity assessment and knowledge about organizational risk culture, potential obstacles, and success factors to develop goals for your IT risk management program.

    Instructions:

    1. In the Risk Management Program Manual, revise, replace, or add to the high-level goals provided in section 2.4.
    2. Make sure that you have three to five high-level goals that reflect the current and targeted maturity of IT risk management processes.
    3. Integrate potential obstacles, pain points, and insights from the organization’s risk culture.

    Record the results in the Risk Management Program Manual.

    1.2.4 Develop SMART project metrics

    1-3 hours

    Create metrics for measuring the success of the IT risk management program.

    Ensure that all success metrics are SMART Instructions
    1. Document a list of appropriate metrics to assess the success of the IT risk management program on a whiteboard.
    2. Use the sample metrics listed in the table on the next slide as a starting point.
    3. Fill in the chart to indicate the:
      1. Name of the success metric
      2. Method for measuring success
      3. Baseline measurement
      4. Target measurement
      5. Actual measurements at various points throughout the process of improving the risk management program
      6. A deadline for each metric to meet the target measurement
    Strong Make sure the objective is clear and detailed.
    Measurable Objectives are measurable if there are specific metrics assigned to measure success. Metrics should be objective.
    Actionable Objectives become actionable when specific initiatives designed to achieve the objective are identified.
    Realistic Objectives must be achievable given your current resources or known available resources.
    Time-Bound An objective without a timeline can be put off indefinitely. Furthermore, measuring success is challenging without a timeline.

    1.2.4 Develop SMART project metrics (continued)

    1-3 hours

    Attach metrics to your goals to gauge the success of the IT risk management program.

    Replace the example metrics with accurate KPIs or metrics for your organization.

    Sample Metrics
    Name Method Baseline Target Deadline Checkpoint 1 Checkpoint 2 Final
    Number of risks identified (per year) Risk register 0 100 Dec. 31
    Number of business units represented (risk identification) Meeting minutes 0 5 Dec. 31
    Frequency of risk assessment Assessments recorded in risk management program manual 0 2 per year Year 2
    Percentage of identified risk events that undergo expected cost assessment Ratio of risks assessed in the risk costing tool to risks assessed in the risk register 0 20% Dec. 31
    Number of top risks without an identified risk response Risk register 5 0 March 1
    Cost of risk management program operations per year Meeting frequency and duration, multiplied by the cost of participation $2,000 $5,000 Dec. 31

    Create the IT risk committee (ITRC)

    Responsibilities of the ITRC:
    1. Formalize risk management processes.
    2. Identify and review major risks throughout the IT department.
    3. Recommend an appropriate risk appetite or level of exposure.
    4. Review the assessment of the impact and likelihood of identified risks.
    5. Review the prioritized list of risks.
    6. Create a mitigation plan to minimize risk likelihood and impact.
    7. Review and communicate overall risk impact and risk management success.
    8. Assign risk ownership responsibilities of key risks to ensure key risks are monitored and risk responses are effectively implemented.
    9. Address any concerns in regards to the risk management program, including, but not limited to, reviewing their risk management duties and resourcing.
    10. Communicate risk reports to senior management annually.
    11. Make any alterations to the committee roster and the individuals’ responsibilities as needed and document changes.
    		 Must be on the ITRC:
    • CIO
    • CRO (if applicable)
    • Senior Directors
    • Security Officer
    • Head of Operations

    Must be on the ITRC:

    • CFO
    • Senior representation from every business unit impacted by IT risk

    1.2.5 Create the IT risk council

    1-4 hours

    Input: List of IT personnel and business stakeholders

    Output: Goals for the IT risk management program

    Materials: Risk Management Program Manual

    Participants: CIO, CRO (if applicable), Senior Directors, Head of Operations

    Identify the essential individuals from both the IT department and the business to create a permanent committee that meets regularly and carries out IT risk management activities.

    Instructions:

    1. Review sections 3.1 (Mandate) and 3.2 (Agenda and Responsibilities) of the IT Risk Committee Charter, located in the Risk Management Program Manual. Make any necessary revisions.
    2. In section 3.3, document how frequently the council is scheduled to meet.
    3. In section 3.4, document members of the IT risk council.
    4. Obtain sign-off for the IT risk council from the CIO or another member of the senior leadership team in section 3.5 of the manual.

    Record the results in the Risk Management Program Manual.

    1.2.6 Complete RACI chart

    1-3 hours

    A RACI diagram is a useful visualization that identifies redundancies and ensures that every role, project, or task has an accountable party.

    RACI is an acronym made up of four participatory roles: Instructions
    1. Use the template provided on the following slide, and add key stakeholders who do not appear and are relevant for your organization.
    2. For each activity, assign each stakeholder a letter.
    3. There must be an accountable party for each activity (every activity must have an “A”).
    4. For activities that do not apply to a particular stakeholder, leave the space blank.
    5. Once the chart is complete, copy/paste it into section 4.1 of the Risk Management Program Manual.
    Responsible Stakeholders who undertake the activity.
    Accountable Stakeholders who are held responsible for failure or take credit for success.
    Consulted Stakeholders whose opinions are sought.
    Informed Stakeholders who receive updates.

    1.2.6 Complete RACI chart (continued)

    1-3 hours

    Assign risk management accountabilities and responsibilities to key stakeholders:

    Stakeholder Coordination Risk Identification Risk Thresholds Risk Assessment Identify Responses Cost-Benefit Analysis Monitoring Risk Decision Making
    ITRC A R I R R R A C
    ERM C I C I I I I C
    CIO I A A A A A I R
    CRO I R C I R
    CFO I R C I R
    CEO I R C I A
    Business Units I C C C
    IT I I I I I I R C
    PMO C C C
    Legend: Responsible Accountable Consulted Informed

    Build an IT Risk Management Program

    Phase 2

    Identify and Assess IT Risk

    Phase 1

    • 1.1 Review IT Risk Management Fundamentals
    • 1.2 Establish a Risk Governance Framework

    Phase 2

    • 2.1 Identify IT Risks
    • 2.2 Assess and Prioritize IT Risks
      •

    Phase 3

    • 3.1 Develop Risk Responses and Monitor IT Risks
    • 3.2 Report IT Risk Priorities

    This phase will walk you through the following activities:

    • Add organization-specific risk scenarios
    • Identify risk events
    • Augment risk event list using COBIT 2019 processes
    • Conduct a PESTLE analysis
    • Determine the threshold for (un)acceptable risk
    • Create a financial impact assessment scale
    • Select a technique to measure reputational cost
    • Create a likelihood scale
    • Assess risk severity level
    • Assess expected cost

    This phase involves the following participants:

    • IT risk council
    • Relevant business stakeholders
    • Representation from senior management team
    • Business Risk Owners

    Step 2.1

    Identify IT Risks

    Activities
    • 2.1.1 Add organization-specific risk scenarios
    • 2.1.2 Identify risk events
    • 2.1.3 Augment risk event list using COBIT 19 processes
    • 2.1.4 Conduct a PESTLE analysis

    This step involves the following participants:

    • IT executive leadership
    • IT Risk Council
    • Business executive leadership
    • Business risk owners

    Outcomes of this step

    • Participation of key stakeholders
    • Comprehensive list of IT risk events
    Identify and Assess IT Risk
    Step 2.1 Step 2.2

    Get to know what you don’t know

    1. Engage the right stakeholders in risk identification.
    2. Employ Info-Tech’s top-down approach to risk identification.
    3. Augment your risk event list using alternative frameworks.
    		 Key metrics:
    • Total risks identified
    • New risks identified
    • Frequency of updates to the Risk Register Tool
    • Number of realized risk events not identified in the Risk Register Tool
    • Level of business participation in enterprise IT risk identification
      • Number of business units represented
      • Number of meetings attended in person
      • Number of risk reports received

    Info-Tech Insight

    What you don’t know CAN hurt you. How do you identify IT-related threats and vulnerabilities that you are not already aware of? Now that you have created a strong risk governance framework that formalizes risk management within IT and connects it to the enterprise, follow the steps outlined in this section to reveal all of IT’s risks.

    Engage key stakeholders

    Ensure that all key risks are identified by engaging key business stakeholders.

    Benefits of obtaining business involvement during the risk identification stage:
    • You will identify risk events you had not considered or you weren’t aware of.
    • You will identify risks more accurately.
    • Risk identification is an opportunity to raise awareness of IT risk management early in the process.

    Executive Participation:

    • CIO participation is integral when building a comprehensive register of risk events impacting IT.
    • CIOs and IT directors possess a holistic view of all of IT’s functions.
    • CIOs and IT directors are uniquely placed to identify how IT affects other business units and the attainment of business objectives. If applicable, CRO and CTO participation is also critical.

    Prioritizing and Selecting Stakeholders

    1. Reliance on IT services and technologies to achieve business objectives.
    2. Relationship with IT, and willingness to engage in risk management activities.
    3. Unique perspectives, skills, and experiences that IT may not possess.

    Info-Tech Insight

    While IT personnel are better equipped to identify IT risk than anyone, IT does not always have an accurate view of the business’ exposure to IT risk. Strive to maintain a 3 to 1 ratio of IT to non-IT personnel involved in the process.

    Enable IT to target risk holistically

    Take a top-down approach to risk identification to guide brainstorming

    Info-Tech’s risk categories are consistent with a risk identification method called Risk Prompting.

    A risk prompt list is a list that categorizes risks into types or areas. The n10 risk categories encapsulate the services, activities, responsibilities, and functions of most IT departments. Use these categories and the example risk scenarios provided as prompts to guide brainstorming and organize risks.

    Risk Category: High-level groupings that describe risk pertaining to major IT functions. See the following slide for all ten of Info-Tech’s IT risk categories. Risk Scenario: An abstract profile representing common risk groups that are more specific than risk categories. Typically, organizations are able to identify two to five scenarios for each category. Risk Event: Specific threats and vulnerabilities that fall under a particular risk scenario. Organizations are able to identify anywhere between 1 and 20 events for each scenario. See the Appendix of the Risk Management Program Manual for a list of risk event examples.

    Risk Category

    Risk Scenario

    Risk Event
    Compliance Regulatory compliance Being fined for not complying/being aware of a new regulation.
    Externally originated attack Phishing attack on the organization.
    Operational Technology evaluation & selection Partnering with a vendor that is not in compliance with a key regulation.
    Capacity planning Not having sufficient resources to support a DRP.
    Third-Party Risk Vendor management Vendor performance requirements are improperly defined.
    Vendor selection Vendors are improperly selected to meet the defined use case.

    2.1.1 Add organization-specific risk scenarios

    1-3 hours

    Review Info-Tech’s ten IT risk categories and add risk scenarios to the examples provided.

    IT Reputational
    • Negative PR
    • Consumers writing negative reviews
    • Employees writing negative reviews
    		 IT Financial
    • Stock prices drop
    • Value of the organization is reduced
    		 IT Strategic
    • Organization prioritizes innovation but remains focused on operational
    • Unable to access data to support strategic initiative
    		 Operational
    • Enterprise architecture
    • Technology evaluation and selection
    • Capacity planning
    • Operational errors
    		 Availability
    • Power outage
    • Increased data workload
    • Single source of truth
    • Lacking knowledge transfer processes for critical tasks
    Performance
    • Network failure
    • Service levels not being met
    • Capacity overload
    		 Compliance
    • Regulatory compliance
    • Standards compliance
    • Audit compliance
    		Security
    • Malware
    • Internally originated attack
    		 Third Party
    • Vendor selection
    • Vendor management
    • Contract termination
    		 Digital
    • No back-up process if automation fails

    2.1.2 Identify risk events

    1-4 hours

    Input: IT risk categories

    Output: Risk events identified and categorized

    Materials: Risk Register Tool

    Participants: IT risk council, Relevant business stakeholders, Representation from senior management team, Business risk owners, CRO (if applicable)

    Use Info-Tech’s IT risk categories and scenarios to brainstorm a comprehensive list of IT-related threats and vulnerabilities impacting your organization.

    Instructions:

    1. Document risk events in the Risk Register Tool.
    2. List risk scenarios (organized by risk category) in the Risk Events/Threats column.
    3. Disseminate the list to key stakeholders who were unable to participate and solicit their feedback.
      • Consult the RACI chart located in section 4.1 of the Risk Management Program Manual.
    4. Attack one scenario at a time, exhausting all realistic risk events for that grouping before moving onto the next scenario. Each scenario should take approximately 45-60 minutes.

    Tip: If disagreement arises regarding whether a specific risk event is relevant to the organization or not and it cannot be resolved quickly, include it in the list. The applicability of these risks will become apparent during the assessment process.

    Record the results in the Risk Register Tool.

    2.1.3 Augment the risk event list using COBIT 2019 processes (Optional)

    1-3 hours

    Other industry-leading frameworks provide alternative ways of conceptualizing the functions and responsibilities of IT and may help you uncover additional risk events.

    1. Managed IT Management Framework
    2. Managed Strategy
    3. Managed Enterprise Architecture
    4. Managed Innovation
    5. Managed Portfolio
    6. Managed Budget and Costs
    7. Managed Human Resources
    8. Managed Relationships
    9. Managed Service Agreements
    10. Managed Vendors
    11. Managed Quality
    12. Managed Risk
    13. Managed Security
    14. Managed Data
    15. Managed Programs
    16. Managed Requirements Definition
    17. Managed Solutions Identification and Build
    18. Managed Availability and Capacity
    19. Managed Organizational Change Enablement
    20. Managed IT Changes
    1. Managed IT Change Acceptance and Transitioning
    2. Managed Knowledge
    3. Managed Assets
    4. Managed Configuration
    5. Managed Projects
    6. Managed Operations
    7. Managed Service Requests and Incidents
    8. Managed Problems
    9. Managed Continuity
    10. Managed Security Services
    11. Managed Business Process Controls
    12. Managed Performance and Conformance Monitoring
    13. Managed System of Internal Control
    14. Managed Compliance with External Requirements
    15. Managed Assurance
    16. Ensured Governance Framework Setting and Maintenance
    17. Ensured Benefits Delivery
    18. Ensured Risk Optimization
    19. Ensured Resource Optimization
    20. Ensured Stakeholder Engagement

    Instructions:

    1. Review COBIT 2019’s 40 IT processes and identify additional risk events.
    2. Match risk events to the corresponding risk category and scenario and add them to the Risk Register Tool.

    2.1.4 Finalize your risk register by conducting a PESTLE analysis (Optional)

    1-3 hours

    Explore alternative identification techniques to incorporate external factors and avoid “groupthink.”

    Consider the External Environment – PESTLE Analysis

    Despite efforts to encourage equal participation in the risk identification process, key risks may not have been shared in previous exercises.

    Conduct a PESTLE analysis as a final safety net to ensure that all key risk events have been identified.

    		 Avoid “Groupthink” – Nominal Group Technique

    The Nominal Group Technique uses the silent generation of ideas and an enforced “safe” period of time where ideas are shared but not discussed to encourage judgement-free idea generation.

    • Ideas are generated silently and independently.
    • Ideas are then shared and documented; however, discussion is delayed until all of the group’s ideas have been recorded.
    • Idea generation can occur before the meeting and be kept anonymous.

    Note: Employing either of these techniques will lengthen an already time-consuming process. Only consider these techniques if you have concerns regarding the homogeneity of the ideas being generated or if select individuals are dominating the exercise.
    List the following factors influencing the risk event:
    • Political factors
    • Economic factors
    • Social factors
    • Technological factors
    • Legal factors
    • Environmental factors
    		 'PESTLE Analysis' presented as a wheel with the acronym's meanings surrounding the title. 'Political Factors', 'Economic Factors', 'Social Factors', 'Technological Factors', 'Legal Factors', and 'Environmental Factors'.

    Step 2.2

    Assess and Prioritize IT Risks

    Activities
    • 2.2.1 Determine the threshold for (un)acceptable risk
    • 2.2.2 Create a financial impact assessment scale
    • 2.2.3 Select a technique to measure reputational cost
    • 2.2.4 Create a likelihood scale
    • 2.2.5 Risk severity level assessment
    • 2.2.6 Expected cost assessment

    This step involves the following participants:

    • IT risk council
    • Relevant business stakeholders
    • Representation from senior management team
    • Business risk owners

    Outcomes of this step

    • Business-approved thresholds for unacceptable risk
    • Completed Risk Register Tool with risks prioritized according to severity
    • Expected cost calculations for high-priority risks

    Identify and Assess IT Risk

    Step 2.1 Step 2.2

    Reveal the organization’s greatest IT threats and vulnerabilities

    1. Establish business-approved risk thresholds for acceptable and unacceptable risk.
    2. Conduct a streamlined assessment of all risks to separate acceptable and unacceptable risks.
    3. Perform a deeper, cost-based assessment of prioritized risks.
    		 Key metrics:
    • Frequency of IT risk assessments
      • (Annually, bi-annually, etc.)
    • Assessment accuracy
      • Percentage of risk assessments that are substantiated by later occurrences or testing
      • Ratio of cumulative actual costs to expected costs
    • Assessment consistency
      • Percentage of risk assessments that are substantiated by third-party audit
    • Assessment rigor
      • Percentage of identified risk events that undergo first-level assessment (severity scores)
      • Percentage of identified risk events that undergo second-level assessment (expected cost)
    • Stakeholder oversight and participation
      • Level of executive participation in IT risk assessment (attend in person, receive report, etc.)
      • Number of business stakeholder reviews per risk assessment

    Info-Tech Insight

    Risk is money. It’s impossible to make intelligent decisions about risks without knowing what their financial impact will be.

    Review risk assessment fundamentals

    Risk assessment provides you with the raw materials to conduct an informed cost-benefit analysis and make robust risk response decisions.

    In this section, you will be prioritizing your IT risks according to their risk severity, which is a reflection of their expected cost.

    Calculating risk severity

    How much you expect a risk event to cost if it were to occur:

    Likelihood of Risk Impact

    e.g. $250,000 or “High”

    X

    		 Calibrated by how likely the risk is to occur:

    Likelihood of Risk Occurrence

    e.g. 10% or “Low”

    =

    		 Produces a dollar value or “severity level” for comparing risks:

    Risk Severity

    e.g. $25,000 or “Medium”    		 Which must be evaluated against thresholds for acceptable risk and the cost of risk responses.

    Risk Tolerance
    Risk Response
    CBA
    Cost-benefit analysis

    Maintain the engagement of key stakeholders in the risk assessment process

    1

    Engage the Business During Assessment Process

    Asking business stakeholders to make significant contributions to the assessment exercise may be unrealistic (particularly for members of the senior leadership team, other than the CIO).

    Ensure that they work with you to finalize thresholds for acceptable or unacceptable risk.

    2

    Verify the Risk Impact and Assessment

    If IT has ranked risk events appropriately, the business will be more likely to offer their input. Share impact and likelihood values for key risks to see if they agree with the calculated risk severity scores.

    3

    Identify Where the Business Focuses Attention

    While verifying, pay attention to the risk events that the business stresses as key risks. Keep these risks in mind when prioritizing risk responses as they are more likely to receive funding.

    Try to communicate the assessments of these risk events in terms of expected cost to attract the attention of business leaders.

    Info-Tech Insight

    If business executives still won’t provide the necessary information to update your initial risk assessments, IT should approach business unit leaders and lower-level management. Lean on strong relationships forged over time between IT and business managers or supervisors to obtain any additional information.

    Info-Tech recommends a two-level approach to risk assessment

    Review the two levels of risk assessment offered in this blueprint.

    Risk severity level assessment (mandatory)

    1

    		Information

    Number of risks: Assess all risk events identified in Phase 1.
    Units of measurement: Use customized likelihood and impact “levels.”
    Time required: One to five minutes per risk event.

    		Assess Likelihood

    Negligible
    Low
    Moderate
    High
    Very High

    X

    		Assess Likelihood

    Negligible
    Low
    Moderate
    High
    Very High

    =

    		Output


    Risk Security Level:

    Moderate

    Example of a risk severity level assessment chart.
    Chart risk events according to risk severity as this allows you to organize and prioritize IT risks.

    Assess all of your identified risk events with a risk severity-level assessment.

    • By creating a likelihood and impact assessment scale divided into three to nine “levels” (sometimes referred to as “buckets”), you can evaluate every risk event quickly while being confident that risks are being assessed accurately.
    • In the following activities, you will create likelihood and impact scales that align with your organizational risk appetite and tolerance.
    • Severity-level assessment is a “first pass” of your risk list, revealing your organization’s most severe IT risks, which can be assessed in greater detail by incorporating expected cost into your evaluation.

    Info-Tech recommends a two-level approach to risk assessment (continued)

    Expected cost assessment (optional)

    2

    		Information

    Number of risks: Only assess high-priority risks revealed by severity-level assessment.
    Units of measurement: Use actual likelihood values (%) and impact costs ($).
    Time required: 10-20 minutes per risk event.

    		Assess Likelihood

    15%

    Moderate

    X

    		Assess Likelihood

    $100,000

    High

    =

    		Output


    Expected Cost:

    $15,000

    Expected cost is useful for conducting cost-benefit analysis and comparing IT risks to non-IT risks and other budget priorities for the business.

    Conduct expected cost assessments for IT’s greatest risks.

    For risk events warranting further analysis, translate risk severity levels into hard expected-cost numbers.

    Why conduct expected cost assessments?
    • Expected cost represents how much you would expect to pay in an average year for each risk event.
    • Communicate risk priorities to the business in language they can understand.
    • While risk severity levels are useful for comparing one IT risk to another, expected cost data allows the business to compare IT risks to non-IT risks that may not use the same scales.
    		 Why is expected cost assessment optional?
    • Determining robust likelihood values and precise impact estimates can be challenging and time consuming.
    • Some risk events may require extensive data gathering and industry analysis.

    Implement and leverage a centralized risk register

    The purpose of the risk register is to act as the repository for all the risks that have been identified within your environment.

    Use this tool to:

    1. Collect and maintain a repository for all IT risk events impacting the organization and relevant information for each risk.
      • Capture all relevant IT risk information in one location.
      • Organize risk identification and assessment information for transparent risk management, stakeholder review, and/or internal audit.
    2. Calculate risk severity scores to prioritize risk events and determine which risks require a risk response.
      • Separate acceptable and unacceptable risks (as determined by the business).
      • Rank risks based on severity levels.
    3. Assess risk responses and calculate residual risk.
      • Evaluate the effect that proposed risk response actions will have on top risk events and quantify residual risk magnitude.
      • This step will be completed in section 3.1

    2.2.1 Determine the threshold for (un)acceptable risk

    1-4 hours

    Input: Risk events, Risk appetite

    Output: Threshold for risk identified

    Materials: Risk Register Tool, Risk Management Program Manual

    Participants: IT risk council, Relevant business stakeholders, Representation from senior management team, Business risk owner

    Instructions:

    There are times when the business needs to know about IT risks with high expected costs.

    1. Create an expected cost threshold that defines what constitutes an acceptable and unacceptable risk for the organization. This figure should be a concrete dollar value. In the next exercises, you will build risk impact and likelihood scales with this value in mind, ensuring that “high” or “extreme” risks are immediately communicated to senior leadership.
    2. Do not consider IT budget restrictions when developing this number. The acceptable risk threshold should reflect the business’ tolerance/appetite for risk.

    This threshold is typically based on the organization’s ability to absorb financial losses, and its tolerance/appetite towards risk.

    If your organization has ERM, adopt the existing acceptability threshold.

    Record this threshold in section 5.3 of the Risk Management Program Manual

    2.2.2 Create a financial impact assessment scale

    1-4 hours

    Input: Risk events, Risk threshold

    Output: Financial impact scale created

    Materials: Risk Register Tool, Risk Management Program Manual

    Participants: IT risk council, Relevant business stakeholders, Representation from senior management team, Business risk owner

    Instructions:

    1. Create a scale to assess the financial impact of risk events.
      • Typically, risk impacts are assessed on a scale of 1-5; however, some organizations may prefer to assess risks using 3, 4, 7, or 9-point scales.
    2. Ensure that the unacceptable risk threshold is reflected in the scale.
      • In the example provided, the unacceptable risk threshold ($100,000) is represented as “High” on the impact scale.
    3. Attach labels to each point on the scale. Effective labels will easily distinguish between risks on either side of the unacceptable risk threshold.

    Record the risk impact scale in section 5.3 of the Risk Management Program Manual

    Convert project overruns and service outages into costs

    Use the tables below to quickly convert impacts typically measured in units of time to financial cost. Replace the values in the table with those that reflect your own costs.

    • While project overruns and service outages may have intangible impacts beyond the unexpected costs stemming from paying employees and lost revenue (such as adding complexity to project management and undermining the business’ confidence in IT), these measurements will provide adequate impact estimations for risk assessment.
    • Remember, complex risk events can be analyzed further with an expected cost assessment.
    Project Overruns Scale for the use of cost assessment with dollar amounts associated with impact levels. '$250,000 - Extreme', '$100,000 - High', '$60,000 - Moderate', '$35,000 - Low', '$10,000 - Negligible'.

    Project

    Time (days)

    20 days

    Number of employees

    8

    Average cost per employee (per day)

    $300

    Estimated cost

    $48,000
    Service Outages

    Service

    Time (hours)

    4 hours

    Lost revenue (per hour)

    $10,000

    Estimated cost

    $40,000

    Impact scale

    Low

    2.2.3 Select a technique to measure reputational cost (1 of 3)

    1-3 hours

    Realized risk events may have profound reputational costs that do not immediately impact your bottom line.

    Reputational cost can take several forms, including the internal and external perception of:
    1. Brand likeability
    2. Product quality
    3. Leadership capability
    4. Social responsibility

    Based on your industry and the nature of the risk, select one of the three techniques described in this section to incorporate reputational costs into your risk assessment.

    		 Technique #1 – Use financial indicators:

    For-profit companies typically experience reputational loss as a gradual decline in the strength of their brand, exclusion from industry groups, or lost revenue.

    If possible, use these measures to put a price on reputational loss:

    • Lost revenue attributable to reputation loss
    • Loss of market share attributable to reputation loss
    • Drops in share price attributable to reputation loss (for public companies)

    Match this dollar value to the corresponding level on the impact scale created in Activity 2.2.2.

    • If you are not able to effectively translate all reputational costs into financial costs, proceed to techniques 2 and 3 on the following slides.

    2.2.3 Select a technique to measure reputational cost (2 of 3)

    1-3 hours
    It is common for public sector or not-for-profit organizations to have difficulty putting a price tag on intangible reputational costs.
    • For example, a government organization may be unable to directly quantify the cost of losing the confidence and/or support of the public.
    • A helpful technique is to reframe how reputation is assigned value.
    		 Technique #2 – Calculate the value of avoiding reputational cost:
    1. Imagine that the particular risk event you are assessing has occurred. Describe the resulting reputational cost using qualitative language.

    For example:

    A data breach, which caused the unsanctioned disclosure of 2,000 client files, has inflicted high reputational costs on the organization. These have impacted the organization in the following ways:

    • Loss of organizational trust in IT
    • IT’s reputation as a value provider to the organization is tarnished
    • Loss of client trust in the organization
    • Potential for a public reprimand of the organization by the government to restore public trust
  • Then, determine (hypothetically) how much money the organization would be willing to spend to prevent the reputational cost from being incurred.
  • Match this dollar value to the corresponding level on the impact scale created in Activity 2.2.2.
    		•

    2.2.3 Select a technique to measure reputational cost (3 of 3)

    1-3 hours

    If you feel that the other techniques have not reflected reputational impacts in the overall severity level of the risk, create a parallel scale that roughly matches your financial impact scale.

    Technique #3 – Create a parallel scale for reputational impact:

    Visibility is a useful metric for measuring reputational impact. Visibility measures how widely knowledge of the risk event has spread and how negatively the organization is perceived. Visibility has two main dimensions:

    • Internal vs. External
    • Low Amplification vs. High Amplification

      • Internal/External: The further outside of the organization that the risk event is visible, the higher the reputational impact.
      Low/High Amplification: The greater the ability of the actor to communicate and amplify the occurrence of a risk event, the higher the reputational impact.
      After establishing a scale for reputational impact, test whether it reflects the severity of the financial impact levels in the financial impact scale.

    • For example, if the media learns about a recent data breach, does that feel like a $100,000 loss?
    		 Example:
    Scale for the use of cost assessment of reputational impact with dimension combinations associated with impact levels. 'External, High Amp, (regulators, lawsuits) - Extreme', 'Internal, High Amp, (CEO) - Low', 'Internal, Low Amp (IT) - Negligible'.

    2.2.4 Create a likelihood scale

    1-3 hours

    Instructions:
    1. Create a scale to assess the likelihood that a risk event will occur over a given period of time.
      • Info-Tech recommends assessing the likelihood that the risk event will occur over a period of one year (the IT risk council should be reassessing the risk event no less than once per year).
    2. Ensure that the likelihood scale contains the same number of levels as the financial impact scale (3, 4, 5, 7, or 9).
    3. The example provided is likely to satisfy most IT departments; however, you may customize the distribution of likelihood values to reflect the organization’s aversion towards uncertainty.
      • For example, an extremely risk-averse organization may consider any risk event with a likelihood greater than 20% to have a “High” likelihood of occurrence.
    4. Attach the same labels used for the financial impact scale (Low, Moderate, High, etc.)

    Record the risk impact scale in section 5.3 of the Risk Management Program Manual

    		 Scale to assess the likelihood that a risk event will occur. '80-99% - Extreme', '60-79% - High', '40-59% - Moderate' '20-39% - Low', '1-19% - Negligible'.

    Info-Tech Insight

    Note: Info-Tech endorses the use of likelihood values (1-99%) rather than frequency (3 times per year) as a measurement.
    For an explanation of why likelihood values lead to more precise and robust risk assessment, see the Appendix.

    2.2.5 Risk severity level assessment

    6-10 hours

    Input: Risk events identified

    Output: Assessed the likelihood of occurrence and impact for all identified risk events

    Materials: Risk Register Tool

    Participants: IT risk council, Relevant business stakeholders, Representation from senior management team, Business risk owner

    Instructions:

    1. Document the “Risk Category” and “Existing Controls.” in the Risk Register Tool.
      • (See the slide following this activity for tips on identifying existing controls.)
    2. Assign each risk event a likelihood and impact level.
      • Remember, you are assessing the impact that a risk event will have on the organization as a whole, not just on IT.
    3. When assigning a financial impact level to a risk event, factor in the likely number of instances that the event will occur within the time frame for which you are assessing (usually one year).
      • For risk events like third-party service outages that typically occur a few times each year, assign them an impact level that reflects the likelihood of financial impact the risk event will have over the entire year.
      • E.g. If your organization is likely to experience two major service outages next year and each outage costs the organization approximately $15,000, the total financial impact is $30,000.

    Record results in the Risk Register Tool

    2.2.5 Risk severity level assessment (continued)

    Instructions (continued):
    1. Assign a risk owner to non-negligible risk events.
      • For organizations that practice ongoing risk management and frequently reassess their risk portfolio (minimum once per year), risk ownership does not need to be assigned to “Negligible” or low-level risks.
      • View the following slides for advice on how to select a risk owner and information on their responsibilities.
    2. As you input the first few likelihood and impact values, compare them to one another to ensure consistency and accuracy:
      • Is a service outage really twice as impactful as our primary software provider going out of business?
      • Is a data breach far more likely than a ›1 hour web-services outage?
    		 Tips for Selecting Likelihood Values:

    Does ~10% sound right?

    Test a likelihood estimate by assessing the truth of the following statements:

    • The risk event will likely occur once in the next ten years (if the environment remains nearly identical).
    • If ten organizations existed that were nearly identical to our own, it is likely that one out of ten would experience the risk event this year.

    Screenshot of a risk severity level assessment.

    Identify current risk controls

    Consider how IT is already addressing key risks.

    Types of current risk control

    Tactical controls

    Apply to individual risks only.

    Example: A tactical control for backup/replication failure is faster WAN lines.

    		 Tactical risk control Strategic controls

    Apply to multiple risks.

    Example: A strategic control for backup/replication failure is implementing formal DR plans.

    		 Strategic risk control
    Risk event Risk event Risk event

    Screenshot of the column headings on the risk severity level assessment with 'Current Controls' highlighted.
    Consider both tactical and strategic controls already in place when filling out risk event information in the Risk Register Tool.

    Info-Tech Insight

    Identifying existing risk controls (past risk responses) provides a clear picture of the measures already in place to avoid, mitigate, or transfer key risks. This reveals opportunities to improve existing risk controls, or where new strategies are needed, to reduce risk severity levels below business thresholds.

    Assign a risk owner for each risk event

    Designate a member of the IT risk council to be responsible for each risk event.

    Selecting the Appropriate Risk Owner

    Use the following considerations to determine the best owner for each risk:

    • The risk owner should be familiar with the process, project, or IT function related to the risk event.
    • The risk owner should have access to the necessary data to monitor and measure the severity of the risk event.
    • The risk owner’s performance assessment should reflect their ability to demonstrate the ongoing management of their assigned risk events.

    Screenshot of the column headings on the risk severity level assessment with 'Risk Owner' highlighted.

    		 Risk Owner Responsibilities

    Risk ownership means that an individual is responsible for the following activities:

    • Monitoring the threat or vulnerability for changes in the likelihood of occurrence and/or likely impact.
    • Monitoring changes in the market and external environment that may alter the severity of the risk event.
    • Monitoring changes of closely related risks with interdependencies.
    • Developing and using key risk indicators (KRIs) to measure changes in risk severity.
    • Regularly reporting changes in risk severity to the IT risk council.
    • If necessary, escalating the risk event to other IT risk council personnel or senior management for reassessment.
    • Monitoring risk severity levels for risk events after a risk response has been implemented.

    Use Info-Tech’s Risk Costing Tool to calculate the expected cost of IT’s high-priority risks (optional)

    Sample of the Risk Costing Tool.

    Use this tool to:

    1. Conduct a deeper analysis of severe risks.
      • Determine specific likelihood and financial impact values to communicate the severity of the risk in the Expected Cost tab.
      • Identify the maximum financial impact that the risk event may inflict.
    2. Assess the effectiveness of multiple risk responses for each risk event.
      • Determine how proposed risk events will change the likelihood of occurrence and financial impact of the risk event.
    3. Incorporate risk proximity into your cost-benefit analysis of risk responses.
      • Illustrate how spending decisions will impact the expected cost of the risk event over time.

    2.2.6 Expected cost assessment (optional)

    Assign likelihood and financial impact values to high-priority risks.

    Select risks with these characteristics:

    Strongly consider conducting an expected cost assessment for risk events that meet one or more of the following criteria.

    The risk:

    • Has been assigned to the highest risk severity level.
    • Has exposed the organization previously and had severe implications.
    • Exceeds the organization’s threshold for financial impact.
    • Involves an IT function that is highly visible to the business.
    • Will likely require risk response actions that will exceed current IT budgetary constraints.
    • Is conducive to expected cost assessment:
      • There is general consensus on likelihood estimates.
      • There is general consensus on financial impact estimates.
      • Historical data exists to support estimates.
    		 Determine which risks require a deeper assessment:

    Info-Tech recommends conducting a second-level assessment for 5-15% of your IT risk register.

    Communicating the expected cost of high-priority risks significantly increases awareness of IT risks by the business.

    Communicating risks to the business using their language also increases the likelihood that risk responses will receive the necessary support and investment


    Record the list of risk events requiring second-level assessment in the Risk Costing Tool.

    • Transfer the likelihood and impact levels for each event into the Risk Costing Tool using data from the Risk Register Tool.

    2.2.6 Expected cost assessment (continued)

    Assign likelihood and financial impact values to high-priority risks.

    Instructions:
    1. Go through the list of prioritized risks in the Risk Costing Tool one by one. Indicate the likelihood and impact level (from the Risk Register Tool) for the risk event being assessed.
    2. Record likelihood values (1-99%) and impact values ($) from participants.
      • Only record values from individuals that indicate they are fairly confident with their estimates.
      • Keep likelihood estimates to values that are multiples of five.
    3. Estimate and record the maximum impact that the risk event could inflict.
      • See Appendix III for information on how the possibility of high-impact scenarios may influence your decision making.
    4. Discuss the estimates provided. Eliminate outliers and retracted estimates.
      • If you are unable to achieve consensus, take the average of the values provided.
    5. If you are having difficulty arriving at a likelihood or impact value, select the median value of the level assigned to the risk during the risk severity level assessment.
      • E.g. Risk event assigned to likelihood level “Moderate” (20-39%). Select a likelihood value of 30%.

    Screenshot of the column headings on the risk severity level assessment with 'Optional Inherent Likelihood Parameters' and 'Optional Inherent Impact Parameters' highlighted.

    		 Who should participate?
    • Depending on the size of your IT risk council, you may want to consider conducting this exercise in a smaller group.
    • Ideally, you should try to find the right balance between ensuring that the necessary experience and knowledge is in the room while insulating the exercise from outlier opinions, noise, and distractions.

    Evaluate likelihood and impact

    Refine your risk assessment process by developing more accurate measurements of likelihood and impact.

    Intersubjective likelihood

    The goal of the expected cost assessment is to develop robust intersubjective estimates of likelihood and financial impact.

    By aggregating a number of expert opinions of what they deem to be the “correct” value, you will arrive at a collectively determined value that better reflects reality than an individual opinion.

    Example: The Delphi Method

    The Delphi Method is a common technique to produce a judgement that is representative of the collective opinion of a group.

    • Participants are sent a series of sequential questionnaires (typically by email).
    • The first questionnaire asks them what the likelihood, likely impact, and expected cost is for a specific risk event.
    • Data from the questionnaire is compiled and then communicated in a subsequent questionnaire, which encourages participants to restate or revise their estimates given the group’s judgements.
    • With each successive questionnaire, responses will typically converge around a single intersubjective value.
    		Justifying Your Estimates:

    When asked to explain the numbers you arrived at during the risk assessment, pointing to an assessment methodology gives greater credibility to your estimates.

    • Assign one individual to take notes during the assessment exercise.
    • Have them document the main rationale behind each value and the level of consensus.

    Info-Tech Insight

    The underlying assumption behind intersubjective forecasting is that group judgements are more accurate than individual judgements. However, this may not be the case at all.

    Sometimes, a single expert opinion is more valuable than many uninformed opinions. Defining whose opinion is valuable and whose is not is an unpleasant exercise; therefore, selecting the right personnel to participate in the exercise is crucially important.

    Build an IT Risk Management Program

    Phase 3

    Monitor, Respond, and Report on IT Risk

    Phase 1

    • 1.1 Review IT Risk Management Fundamentals
    • 1.2 Establish a Risk Governance Framework

    Phase 2

    • 2.1 Identify IT Risks
    • 2.2 Assess and Prioritize IT Risks

    Phase 3

    • 3.1 Develop Risk Responses and Monitor IT Risks
    • 3.2 Report IT Risk Priorities
      •

    This phase will walk you through the following activities:

    • Develop key risk indicators (KRIs) and escalation protocols
    • Establish the reporting schedule
    • Identify and assess risk responses
    • Analyze risk response cost-benefit
    • Create multi-year cost projections
    • Obtain executive approval for risk action plans
    • Socialize the Risk Report
    • Transfer ownership of risk responses to project managers
    • Finalize the Risk Management Program Manual

    This phase involves the following participants:

    • IT risk council
    • Relevant business stakeholders
    • Representation from senior management team
    • Risk business owner

    Step 3.1

    Monitor IT Risks and Develop Risk Responses

    Activities
    • 3.1.1 Develop key risk indicators (KRIs) and escalation protocols
    • 3.1.2 Establish the reporting schedule
    • 3.1.3 Identify and assess risk responses
    • 3.1.4 Risk response cost-benefit analysis
    • 3.1.5 Create multi-year cost projections

    This step involves the following participants:

    • IT risk council
    • Relevant business stakeholders
    • Representation from senior management team
    • Business risk owner

    Outcomes of this step

    • Completed risk event action plans
    • Risk responses identified and assessed for top risks
    • Risk response selected for top risks

    Monitor, Respond, and Report on IT Risk

    Step 3.1 Step 3.2

    Use Info-Tech’s Risk Event Action Plan to manage high-priority risks

    Manage risks in between risk assessments and create a paper trail for key risks that exceed the unacceptable risk threshold. Use a new form for every high-priority risk that requires tracking.

    Risk Event Action Plan Sample of the Risk Event Action Plan deliverable.

    Obtaining sign-off from the senior leadership team or from the ERM office is an important step of the risk management process. The Risk Event Action Plan ensures that high-priority risks are closely monitored and that changes in risk severity are detected and reported.

    Clear documentation is a way to ensure that critical information is shared with management so that they can make informed risk decisions. These reports should be succinct yet comprehensive; depending on time and resources, it is good practice to fill out this form and obtain sign-off for the majority of IT risks.

    3.1.1 Develop key risk indicators (KRIs) and escalation protocols

    The risk owner should be held accountable for monitoring their assigned risks but may delegate responsibility for these tasks.

    Instructions:
    1. Design key risk indicators (KRIs) for risks that measure changes in their severity and document them in the Risk Event Action Plan.
      • See the following slide for examples.
    2. Clearly document the risk owner and the individual(s) carrying out risk monitoring activities (delegates) in the Risk Event Action Plan.

    Note: Examples of KRIs can be found on the following slide.

    		 What are KRIs?
    • KRIs should be observable metrics that alert the IT risk council and management when risk severity exceeds acceptable risk thresholds.
    • KRIs should serve as tripwires or early-warning indicators that trigger further actions to be taken on the risk.
    • Further actions may include:
      • Escalation to the risk owner (if delegated) or to a member of the senior leadership team.
      • Reporting to the IT risk council or IT steering committee.
      • Reassessment.
      • Updating the risk monitoring schedule.

    Document KRIs, escalation thresholds, and escalation protocols for each risk in a Risk Event Action Plan.

    Developing KRIs for success

    Visualization of KRI development, from the 'Risk Event' to the 'Intermediate Steps' with 'KRI Measurements' to the image of a growing seed.

    Examples of KRIs

    • Number of resources who quit or were fired who had access to critical data
    • Number of risk mitigation initiatives unfunded
    • Changes in time horizon of mitigation implementation
    • Number of employees who did not report phishing attempts
    • Amount of time required to get critical operations access to necessary data
    • Number of days it takes to implement a new regulation or compliance control

    3.1.2 Establish the reporting schedule

    For each risk event, document how frequently the risk owner must report to the IT risk council in the Risk Event Action Plan.

    • A clear reporting schedule enforces accountability for each risk event, ensuring that risk owners are fulfilling their monitoring responsibilities.
    • The ongoing discussion of risks between assessment cycles also increases overall awareness of how IT risks are not static but constantly evolving.
    Reporting Risk Event
    Weekly reports to ITRC Risk event severity represented as a thermometer with levels 'Extreme', 'High', 'Moderate', 'Low', and 'Negligible'.
    Bi-weekly reports to ITRC
    Monthly reports to ITRC
    Report to ITRC only if KRI thresholds triggered
    No reports; reassessed bi-annually

    Use Info-Tech’s tools to identify, analyze, and select risk responses

    1

    (Mandatory)    		Tool

    Screenshot of the Risk Register Tool.

    Risk Register Tool

    		Information
    • Develop risk responses for all risk events pre-populated on the “2. Risk Register” sheet of the Risk Register Tool.
    • Document the root cause of the risk (Activity 3.1.3) and other contributing factors (Activity 3.1.4).
    • Identify risk responses (Activity 3.1.5).
    • Predict the effectiveness of the risk response, if implemented, by estimating the residual likelihood and impact of the risk (Activity 3.1.5).
    • The tool will calculate the residual severity of the risk after applying the risk response.

    2

    (Optional)    		Tool

    Screenshot of the Risk Costing Tool.

    Risk Costing Tool

    		Information
    • Continue your second-level risk analysis for top risks for which you calculated expected cost in section 2.2.
    • Activity 3.1.5:
      • Identify between one and four risk response options for each risk.
      • Develop precise values for residual likelihood and impact.
      • Compare expected cost of the risk event to expected residual cost.
      • Select the risk response to recommend to senior leadership and document it in the Risk Register Tool.

    Determine the root cause of IT risks

    Root cause analysis

    Use the “Five Whys” methodology to identify the root cause and contributing/exacerbating factors for each risk event.

    Diagnosing the root cause of a risk as well as the environmental factors that increase its potential impact and likelihood of occurring allow you to identify more effective risk responses.

    Risk responses that only address the symptoms of the risk are less likely to succeed than responses that address the core issue.

    Concentric circles with 'Root Cause' at the center, 'Contributing Factors' around it, and 'Symptoms' on the outer circle.

    		 Example of 'The Five Whys Methodology', tracing symptoms to their root cause. In 'Symptoms' we see 'Risk Event: Network outage', Why? 'Network congestion', Why? Then on to 'Contributing Factors' the answer is 'Inadequate bandwidth for latency-sensitive applications', Why? 'Increased business use of latency-sensitive applications', Why? And finally to the 'Root Cause', 'Business units rely on 'real-time' data gathered from latency-sensitive applications', Why?

    Identify factors that contribute to the severity of the risk

    Environmental factors interact with the root cause to increase the likelihood or impact of the risk event.

    What factors matter?

    Identify relevant actors and assets that amplify or diminish the severity of the risk.

    Actors

    • Internal (business units)
    • External (vendor, regulator, market, competitor, hostile actor)

    Assets/Resources

    • Infrastructure
    • Applications
    • Processes
    • Information/data
    • Personnel
    • Reputation
    • Operations
    		 Develop risk responses that target contributing factors.
    Root cause:
    Business units rely on “real-time” data gathered from latency-sensitive applications

    Actors: Enterprise App users (Finance, Product Development, Product Management)

    Asset/resource: Applications, network

    Risk response:
    Decrease the use of latency-sensitive applications.

    X

    Decreasing the use of key apps contradicts business objectives.

    		 Contributing factors:
    Unreliable router software

    Actors: Network provider, router vendor, router software vendor, IT department

    Asset/resource: Network, router, router software

    Risk response:
    Replace the vendor that provides routers and router software.

    Replacing the vendor would reduce network outages at a relatively low cost.

    		 Symptoms:
    Network outage

    Actors: All business units, network provider

    Asset/resource: Network, business operations, employee productivity

    Risk response:
    Replace legacy systems.

    X

    Replacing legacy systems would be too costly.

    3.1.3 Identify and assess risk responses

    Instructions:
    Complete the following steps for each risk event.
    1. Identify a risk response action that will help reduce the likelihood of occurrence or the impact if the event were to occur.
      • Indicate the type of risk response (avoidance, mitigation, transfer, acceptance, or no risk exists).
    2. Assign each risk response action a residual likelihood level and a residual impact level.
      • This is the same step performed in Activity 2.2.6, when initial likelihood and impact levels were determined; however, now you are estimating the likelihood and impact of the risk event after the risk response action has been implemented successfully.
      • The Risk Register Tool will generate a residual risk severity level for each risk event.
    3. Identify the potential Risk Action Owner (Project Manager) if the response is selected and turned into an IT project, and document this in the Risk Register Tool.
    		 Document the following in the Risk Event Action Plan for each risk event:
      • Risk response actions
      • Residual likelihood and impact levels
      • Residual risk severity level
    • Review the following slides about the four types of risk response to help complete the activity.
      1. Avoidance
      2. Mitigation
      3. Transfer
      4. Acceptance

    Record the results in the Risk Event Action Plan.

    Take actions to avoid the risk entirely

    Risk Avoidance

    • Risk avoidance involves taking evasive maneuvers to avoid the risk event.
    • Risk avoidance targets risk likelihood, decreasing the likelihood of the risk event occurring.
    • Since risk avoidance measures are fairly drastic, the likelihood is often reduced to negligible levels.
    • However, risk avoidance response actions often sacrifice potential benefits to eliminate the possibility of the risk entirely.
    • Typically, risk avoidance measures should only be taken for risk events with extremely high severity and when the severity (expected cost) of the risk event exceeds the cost (benefits sacrificed) of avoiding the risk.

    Example

    Risk event: Information security vulnerability from third-party cloud services provider.

    • Risk avoidance action: Store all data in-house.
    • Benefits sacrificed: Cost savings, storage flexibility, etc.
    		 Stock photo of a person hikiing along a damp, foggy, valley path.

    Pursue projects that reduce the likelihood or impact of the risk event

    Risk Mitigation

    • Risk mitigation actions are risk responses that reduce the likelihood and impact of the risk event.
    • Risk mitigation actions can be to either implement new controls or enhance existing ones.
    Example 1

    Most risk responses will reduce both the likelihood of the risk event occurring and its potential impact.

    Example

    Mitigation: Purchase and implement enterprise mobility management (EMM) software with remote wipe capability.

    • EMM reduces the likelihood that sensitive data is accessed by a nefarious actor.
    • The remote-wipe capability reduces the impact by closing the window that sensitive data can be accessed from.
    		 Example 2

    However, some risk responses will have a greater effect on decreasing the likelihood of a risk event with little effect on decreasing impact.

    Example

    Mitigation: Create policies that restrict which personnel can access sensitive data on mobile devices.

    • This mitigation decreases the number of corporate phones that have access to (or are storing) sensitive data, thereby decreasing the likelihood that a device is compromised.
    		 Example 3

    Others will reduce the potential impact without decreasing its likelihood of occurring.

    Example

    Mitigation: Use robust encryption for all sensitive data.

    • Corporate-issued mobile phones are just as likely to fall into the hands of nefarious actors, but the financial impact they can inflict on the organization is greatly reduced.

    Pursue projects that reduce the likelihood or impact of the risk event (continued)

    Use the following IT functions to guide your selection of risk mitigation actions:

    Process Improvement

    Key processes that would most directly improve the risk profile:

    • Change Management
    • Project Management
    • Vendor Management
    		 Infrastructure Management
    • Disaster Recovery Plan/Business Continuity Plan
    • Redundancy and Resilience
    • Preventative Maintenance
    • Physical Environment Security
    Personnel
    • Greater staff depth in key areas
    • Increased discipline around documentation
    • Knowledge Management
    • Training
    		 Rationalization and Simplification

    This is a foundational activity, as complexity is a major source of risk:

    • Application Rationalization – reducing the number of applications
    • Data Management – reducing the volume and locations of data

    Transfer risks to a third party

    Risk transfer: the exchange of uncertain future costs for fixed present costs.

    Insurance

    The most common form of risk transfer is the purchase of insurance.

    • The uncertain future cost of an IT risk event can be transferred to an insurance company who assumes the risk in exchange for insurance premiums.
    • The most common form of IT-relevant insurance is cyberinsurance.

    Not all risks can be insured. Insurable risks typically possess the following five characteristics:

    1. The loss must be accidental (the risk event cannot be insured if it could have been avoided by taking reasonable actions).
    2. The insured cannot profit from the occurrence of the risk event.
    3. The loss must be able to be measured in monetary terms.
    4. The organization must have an insurable interest (it must be the party that incurs the loss).
    5. An insurance company must offer insurance against that risk.
    		 Other Forms of Risk Transfer

    Other forms of risk transfer include:

    • Self-insurance
      • Appropriate funds can be set aside in advance to address the financial impact of a risk event should it occur.
    • Warranties
    • Contractual transfer
      • The financial impact of a risk event can be transferred to a third party through clauses agreed to in a contract.
      • For example, a vendor can be contractually obligated to assume all costs resulting from failing to secure the organization’s data.

      • Example email addressing fields of an IT Risk Transfer to an insurance company.

    Accept risks that fall below established thresholds

    Risk Acceptance

    Accepting a risk means tolerating the expected cost of a risk event. It is a conscious and deliberate decision to retain the threat.

    You may choose to accept a risk event for one of the following three reasons:

    1. The risk severity (expected cost) of the risk event falls below acceptability thresholds and does not justify an investment in a risk avoidance, mitigation, or transfer measure.
    2. The risk severity (expected cost) exceeds acceptability thresholds but all effective risk avoidance, mitigation, and transfer measures are ineffective or prohibitively expensive.
    3. The risk severity (expected cost) exceeds acceptability thresholds but there are no feasible risk avoidance, mitigation, and transfer measures to be implemented.

    Info-Tech Insight

    Constant monitoring and the assignment of responsibility and accountability for accepted risk events is crucial for effective management of these risks. No IT risk should be accepted without detailed documentation outlining the reasoning behind that decision and evidence of approval by senior management.

    3.1.4 Risk response cost-benefit analysis (optional)

    The purpose of a cost-benefit analysis (CBA) is to guide financial decision making.

    This helps IT make risk-conscious investment decisions that fall within the IT budget and helps the organization make sound budgetary decisions for risk response projects that cannot be addressed by IT’s existing budget.

    Instructions:
    1. Reopen the Risk Costing Tool. For each risk that you conducted an expected cost assessment in section 2.2 for, find the Excel sheet that corresponds to the risk number (e.g. R001).
    2. Identify between one and four risk response options for the risk event and document them in the Risk Costing Tool.
      • The “Risk Response 1” field will be automatically populated with expected cost data for a scenario where no action was taken (risk acceptance). This will serve as a baseline for comparing alternative responses.
      • For the following steps, go through the risk responses one by one.
    3. Estimate the first-year cost for the risk response.
      • This cost should reflect initial capital expenditures and first-year operating expenditures.
    		 Screenshot of the Risk Response cost-benefit-analysis from the Risk Costing Tool with 'Capital Expenditures' and 'Operating Expenditures' highlighted.

    Record the results in the Risk Costing Tool.

    3.1.4 Risk response cost-benefit analysis (continued)

    The purpose of a cost-benefit analysis (CBA) is to guide financial decision making.

    Instructions:

    1. Estimate residual risk likelihood and financial impact for Year 1 with the risk response in place.
      • Rather than estimating the likelihood level (low, medium, high), determine a precise likelihood value of the risk event occurring once the response has been implemented.
      • Estimate the dollar value of financial impacts if the risk event were to occur with the risk response in place.
        • Screenshot of the Risk Response cost-benefit-analysis from the Risk Costing Tool with figured for 'Financial Impact' and 'Probability' highlighted. The tool will calculate the expected residual cost of the risk event: (Financial Impact x Likelihood) - Costs = Expected Residual Cost
    2. Select the highest value risk response and document it in the Risk Register Tool.
    3. Document your analysis and recommendations in the Risk Event Action Plan.

    Note: See Activity 3.1.5 to build multi-year cost projections for risk responses.

    3.1.5 Create multi-year cost projections (optional)

    Select between risk response options by projecting their costs and benefits over multiple years.

    • It can be difficult to choose between risk response options that require different payment schedules. A risk response project with costs spread out over more than one year (e.g. incremental upgrades to an IT system) may be more advantageous than a project with costs concentrated up front that may cost less in the long run (e.g. replacing the system).
    • However, the impact that risk response projects have on reducing risk severity is not necessarily static. For example, an expensive project like replacing a system may drastically reduce the risk severity of a system failure. Whereas, incremental system upgrades may only marginally reduce risk severity in the short term but reach similar levels as a full system replacement in a few years.
    Instructions:

    Calculate expected cost for multiple years using the Risk Costing Tool for:

    • Risk events that are subject to change in severity over time.
    • Risk responses that reduce the severity of the risk gradually.
    • Risk responses that cannot be implemented immediately.

    Copy and paste the graphs into the Risk Report and the Risk Event Action Plan for the risk event.

    		Sample charts on the cost of risk responses from the Risk Costing Tool.

    Record the results in the Risk Costing Tool.

    Step 3.2

    Report IT Risk Priorities

    Activities
    • 3.2.1 Obtain executive approval for risk action plans
    • 3.2.2 Socialize the Risk Report
    • 3.2.3 Transfer ownership of risk responses to project managers
    • 3.2.4 Finalize the Risk Management Program Manual

    This step involves the following participants:

    • IT risk council
    • Relevant business stakeholders
    • Representation from senior management team

    Outcomes of this step

    • Obtained approval for risk action plans
    • Communicated IT’s risk recommendations to senior leadership
    • Embedded risk management into day-to-day IT operations

    Monitor, Respond, and Report on IT Risk

    Step 3.1 Step 3.2

    Effectively deliver IT risk expertise to the business

    Communicate IT risk management in two directions:

    1. Up to senior leadership (and ERM if applicable)
    2. Down to IT employees (embedding risk awareness)

      3. Visualization of communicating Up to 'Senior Leadership' and Down to 'IT Personnel'.

    		 Create a strong paper trail and obtain sign-off for the ITRC’s recommendations.

    Now that you have collected all of the necessary raw data, you must communicate your insights and recommendations effectively.

    A fundamental task of risk management is communicating risk information to senior management. It is your responsibility to enable them to make informed risk decisions. This can be considered upward communication.

    The two primary goals of upward communication are:

    1. Transferring accountability for high-priority IT risks to the ERM or to senior leadership.
    2. Obtaining funds for risk response projects recommended by the ITRC.

    Good risk management also has a trickle-down effect impacting all of IT. This can be considered downward communication.

    The two primary goals of downward communication are:

    1. Fostering a risk-aware IT culture.
    2. Ensuring that the IT risk management program maintains momentum and runs effectively.

    3.2.1 Obtain executive approval for risk action plans

    Best Practices and Key Benefits

    Best practice is for all acceptable risks to also be signed-off by senior leadership. However, for ITRCs that brainstorm 100+ risks, this may not be possible. If this is the case, prioritize accepted risks that were assessed to be closest to the organization’s thresholds.

    By receiving a stamp of approval for each key risk from senior management, you ensure that:

    1. The organization is aware of important IT risks that may impact business objectives.
    2. The organization supports the risk assessment conducted by the ITRC.
    3. The organization supports the plan of action and monitoring responsibilities proposed by the ITRC.
    4. If a risk event were to occur, the organization holds ultimate accountability.
    		 Sample of the Risk Event Action Plan template.

    Task:
    All IT risks that were flagged for exceeding the organization’s severity thresholds must obtain sign-off by the CIO or another member of the senior leadership team.

    • In the assessment phase, you evaluated risks using severity thresholds approved by the business and determined whether or not they justified a risk response.
    • Whether your recommendation was to accept the risk or to analyze possible risk responses, the business should be made aware of most IT risks.

    3.2.2 Socialize the risk report

    Create a succinct, impactful document that summarizes the outcomes of risk assessment and highlights the IT risk council’s top recommendations to the senior leadership team.

    The Risk Report contains:
    • An executive summary page highlighting the main takeaways for senior management:
      • A short summary of results from the most recent risk assessment
      • Dashboard
      • A list of top 10 risks ordered from most severe to least
    • Subsequent individual risk analyses (1 to 10)
      • Detailed risk assessment data
      • Risk responses
      • Risk response analysis
      • Multi-year cost projection (see the following slide)
      • Dashboard
      • Recommendations
    		 Sample of the Risk Report template.

    Risk Report

    Pursue projects that reduce the likelihood or impact of the risk event

    Encourage risk awareness to extend the benefits of risk management to every aspect of IT.

    Benefits of risk awareness:

    • More preventative and proactive approaches to IT projects are discussed and considered.
    • Changes to the IT threat landscape are more likely to be detected, communicated, and acted upon.
    • IT possesses a realistic perception of its ability to perform functions and provide services.
    • Contingency plans are put in place to hedge against risk events.
    • Fewer IT risks go unidentified.
    • CIOs and business executives make better risk decisions.

    Consequences of low risk awareness:

    • False confidence about the number of IT risks impacting the organization and their severity.
    • Risk-relevant information is not communicated to the ITRC, which may result in inaccurate risk assessments.
    • Confusion surrounding whose responsibility it is to consider how risk impacts IT decision making.
    • Uncertainty and panic when unanticipated risks impact the IT department and the organization.

    Embedding risk management in the IT department is a full-time job

    Take concrete steps to increase risk-aware decision making in IT.

    The IT risk council plays an instrumental role in fostering a culture of risk awareness throughout the IT department. In addition to periodic risk assessments, fulfilling reporting requirements, and undertaking ongoing monitoring responsibilities, members of the ITRC can take a number of actions to encourage other IT employees to adopt a risk-focused approach, particularly at the project planning stage.

    Embed risk management in project planning

    Make time for discussing project risks at every project kick-off.
    • A main benefit of including senior personnel from across IT in the ITRC is that they are able to disseminate the IT risk council’s findings to their respective practices.
    • At project kick-off meetings, schedule time to identify and assess project-specific risks.
    • Encourage the project team to identify strategies to reduce the likelihood and impact of those risks and document these in the project charter.
    • Lead by example by being clear and open about what constitutes acceptable and unacceptable risks.

    Embed risk management with employee

    Train IT staff on the ITRC’s planned responses to specific risk events.
    • If a response to a particular risk event is not to implement a project but rather to institute new policies or procedures, ensure that changes are communicated to employees and that they receive training.
    Provide risk management education opportunities.
    • Remember that a more risk-aware IT employee provides more value to the organization.
    • Invest in your employees by encouraging them to pursue education opportunities like receiving risk management accreditation or providing them with educational experiences such as workshops, seminars, and eLearning.

    Embedding risk management in the IT department is a full-time job (continued)

    Encourage risk awareness by adjusting performance metrics and job titles.

    Performance metrics:

    Depending on the size of your IT department and the amount of resources dedicated to ongoing risk management, you may consider embedding risk management responsibilities into the performance assessments of certain ITRC members or other IT personnel.

    • Personalize the risk management program metrics you have documented in your Risk Management Program Manual.
    • Evidence that KPIs are monitored and frequently reported is also a good indicator that risk owners are fulfilling their risk management responsibilities.

      • Info-Tech Insight

      If risk management responsibilities are not built into performance assessments, it is less likely that they will invest time and energy into these tasks. Adding risk management metrics to performance assessments directly links good job performance with good risk management, making it more likely that ITRC activities and initiatives gain traction throughout the IT department.

    Job descriptions:

    Changing job titles to reflect the focus of an individual’s role on managing IT risk may be a good way to distinguish personnel tasked with developing KRIs and monitoring risks on a week-to-week basis.

    • Some examples include IT Risk Officer, IT Risk Manager, and IT Risk Analyst.

    3.2.3 Transfer ownership of risk responses to project managers

    Once risk responses have obtained approval and funding, it is time to transform them into fully-fledged projects.

    Image of a hand giving a key to another hand and a circle split into quadrants of Governance with 'Governance of Risks' being put into 'Governance of Projects'.

    3.2.4 Finalize the Risk Management Program Manual

    Go back through the Risk Management Program Manual and ensure that the material will accurately reflect your approach to risk management going forward.

    Remember, the program manual is a living document that should be evolving alongside your risk management program, reflecting best practices, knowledge, and experiences accrued from your own assessments and experienced risk events.

    The best way to ensure that the program manual continues to guide and document your risk management program is to make it the focal point of every ITRC meeting and ensure that one participant is tasked with making necessary adjustments and additions.

    Sample of the Risk Management Program Manual. Risk Management Program Manual

    “Upon completing the Info-Tech workshop, the deliverables that we were left with were really outstanding. We put together a 3-year project plan from a high level, outlining projects that will touch upon our high risk areas.” (Director of Security & Risk, Water Management Company)

    Don’t allow your risk management program to flatline

    54% of small businesses haven’t implemented controls to respond to the threat of cyber attacks (Source: Insurance Bureau of Canada, 2021)

    Don’t be lulled into a false sense of security. It might be your greatest risk.

    So you’ve identified the most important IT risks and implemented projects to protect IT and the business.

    Unfortunately, your risk assessment is already outdated.

    Perform regular health checks to keep your finger on the pulse of the key risks threatening the business and your reputation.

    To continue the momentum of your newly forged IT risk management program, read Info-Tech’s research on conducting periodic risk assessments and “health checks”:

    Revive Your Risk Management Program With a Regular Health Check

    • Complete Info-Tech’s Risk Management Health Check to seize the momentum you created by building a robust IT risk management program and create a process for conducting periodic health checks and embedding ongoing risk management into every aspect of IT.
    • Our focus is on using data to make IT risk assessment less like an art and more like a science. Ongoing data-driven risk management is self-improving and grounded in historical data.

    Appendix I: Familiarize yourself with key risk terminology

    Review important risk management terms and definitions.

    Risk

    		An uncertain event or set of events which, should it occur, will have an effect on the achievement of objectives. A risk consists of a combination of the likelihood of a perceived threat or opportunity occurring and the magnitude of its impact on objectives (Office of Government Commerce, 2007).

    Threat

    		An event that can create a negative outcome (e.g. hostile cyber/physical attacks, human errors).

    Vulnerability

    		A weakness that can be taken advantage of in a system (e.g. weakness in hardware, software, business processes).

    Risk Management

    		The systematic application of principles, approaches, and processes to the tasks of identifying and assessing risks, and then planning and implementing risk responses. This provides a disciplined environment for proactive decision making (Office of Government Commerce, 2007).

    Risk Category

    		Distinct from a risk event, a category is an abstract profile of risk. It represents a common group of risks. For example, you can group certain types of risks under the risk category of IT Operations Risks.

    Risk Event

    		A specific occurrence of an event that falls under a particular risk category. For example, a phishing attack is a risk event that falls under the risk category of IT Security Risks.

    Risk Appetite

    		An organization’s attitude towards risk taking, which determines the amount of risk that it considers acceptable. Risk appetite also refers to an organization’s willingness to take on certain levels of exposure to risk, which is influenced by the organization’s capacity to financially bear risk.

    Enterprise Risk Management

    		(ERM) – A strategic business discipline that supports the achievement of an organization’s objectives by addressing the full spectrum of organizational risks and managing the combined impact of those risks as an interrelated risk portfolio (RIMS, 2015).

    Appendix II: Likelihood vs. Frequency

    Why we measure likelihood, not frequency:

    The basic formula of Likelihood x Impact = Severity is a common methodology used across risk management frameworks. However, some frameworks measure likelihood using Frequency rather than Likelihood.

    Frequency is typically measured as the number of instances an event occurs over a given period of time (e.g. once per month).

    • For risk assessment, historical data regarding the frequency of a risk event is commonly used to indicate the likelihood that the event will happen in the future.

    Likelihood is a numerical representation of the “degree of belief” that the risk event will occur in a given future timeframe (e.g. 25% likelihood that the event will occur within the next year).

    False Objectivity

    While some may argue that frequency provides an objective measurement of likelihood, it is well understood in the field of likelihood theory that historical data regarding the frequency of a risk event may have little bearing over the likelihood of that event happening in the future. Frequency is often an indication of future likelihood but should not be considered an objective measurement of it.

    Likelihood scales that use frequency underestimate the magnitude of risks that lack historical precedent. For example, an IT department that has never experienced a high-impact data breach would adopt a very low likelihood score using the frequentist approach. However, if all of the organization’s major competitors have suffered a major breach within the last two years, they ought to possess a much higher degree of belief that the risk event will occur within the next year.

    Likelihood is a more comprehensive measurement of future likelihood, as frequency can be used to inform the selection of a likelihood value. The process of selecting intersubjective likelihood values will naturally internalize historical data such as the frequency that the event occurred in the past. Further, the frequency that the event is expected to occur in the future can be captured by the expected impact value. For example, a risk event that has an expected impact per occurrence of $10,000 that is expected to occur three times over the next year has an expected impact of $30,000.

    Appendix III: Should max impacts sway decision making?

    Don’t just fixate on the most likely impact – be aware of high-impact outcomes.

    During assessment, risks are evaluated according to their most likely financial impact.

    • For example, a service outage will likely last for two hours and may have an expected cost of $14,000.

    Naturally, focusing on the most likely financial impact will exclude higher impacts that – while theoretically possible – are so unlikely that they do not warrant any real consideration.

    • For example, it is possible that a service outage could last for days; however, the likelihood for such an event may be well below 1%.

    While the risk severity level assessment allows you to present impacts as a range of values (e.g. $50,000 to $75,000), the expected cost assessment requires you to select specific values.

    • However, this analysis may fail to consider much higher potential impacts that have non-negligible likelihood values (likelihood values that you cannot ignore).
    • What you consider “non-negligible” will depend on your organizational risk tolerance/appetite.

    Sometimes called Black Swan events or Fat-Tailed outcomes, high-impact events may occur when the far right of the likelihood distribution – or the “tail” – is thicker than a normal distribution (see fig. 2).

    • A good example is a data breach. While small to medium impacts are far more likely to occur than a devastating intrusion, the high-impact scenario cannot be ignored completely.

    For risk events that contain non-negligible likelihoods (too high to be ignored) consider elevating the risk severity level or expected cost.

    		 Figure 1 is a graph presenting a 'Normal Likelihood Distribution', the axes being 'Likelihood' and 'Financial Impact'.
    Figure 2 is a graph presenting a 'Fat-Tailed Likelihood Distribution' with a point at the top of the parabola labelled 'Most Likely Impact' but with a much wider bottom labelled 'Fat-Tailed Outcomes', the axes being 'Likelihood' and 'Financial Impact'.

    Leverage Info-Tech’s research on security and compliance risk to identify additional risk events

    Title card of the Info-tech blueprint 'Take Control of Compliance Improvement to Conquer Every Audit' with subtitle 'Don't gamble recklessly with external compliance. Play a winning system and take calculated risks to stack the odds in your favor.


    Take Control of Compliance Improvement to Conquer Every Audit

    Info-Tech Insight

    Don’t gamble recklessly with external compliance. Play a winning system and take calculated risks to stack the odds in your favor.

    Take an agile approach to analyze your gaps and prioritize your remediations. You don’t always have to be fully compliant as long as your organization understands and can live with the consequences.

    Stock photo of a woman sitting at a computer surrounded by rows of computers.


    Develop and Implement a Security Risk Management Program

    Info-Tech Insight

    Security risk management equals cost effectiveness.

    Time spent upfront identifying and prioritizing risks can mean the difference between spending too much and staying on budget.

    Research Contributors and Experts

    Sandi Conrad
    Principal Research Director
    Info-Tech Research Group

    Christine Coz
    Executive Counsellor
    Info-Tech Research Group

    Milena Litoiu
    Principal Research Director
    Info-Tech Research Group

    Scott Magerfleisch
    Executive Advisor
    Info-Tech Research Group

    Aadil Nanji
    Research Director
    Info-Tech Research Group

    Andy Neill
    Associate Vice-President of Research
    Info-Tech Research Group

    Daisha Pennie
    IT Risk Management
    Oklahoma State University

    Ken Piddington
    CIO and Executive Advisor
    MRE Consulting

    Frank Sewell
    Research Director
    Info-Tech Research Group

    Andrew Sharpe
    Research Director
    Info-Tech Research Group

    Chris Warner
    Consulting Director- Security
    Info-Tech Research Group

    Sterling Bjorndahl
    Director of IT Operations
    eHealth Saskatchewan

    Research Contributors and Experts

    Ibrahim Abdel-Kader
    Research Analyst
    Info-Tech Research Group

    Tamara Dwarika
    Internal Auditor
    A leading North American Utility

    Anne Leroux
    Director
    ES Computer Training

    Ian Mulholland
    Research Director
    Info-Tech Research Group

    Michel Fossé
    Consulting Services Manager
    IBM Canada (LGS)

    Petar Hristov
    Research Director
    Info-Tech Research Group

    Steve Woodward
    Research Director
    CEO, Cloud Perspectives

    *Plus 10 additional interviewees who wish to remain anonymous.

    Bibliography

    “2021 State of the CIO.” IDG, 28 January 2021. Web.

    “4 Reasons Why CIOs Lose Their Jobs.” Silverton Consulting, 2012. Web.

    Beasley, Mark, Bruce Branson, and Bonnie Hancock. “The State of Risk Oversight,” AICPA, April 2021. Web.

    COBIT 2019. ISACA, 2019. Web.

    “Cognyte jeopardized its database exposing 5 billion records, including earlier data breaches.” SecureBlink, 21 June 2021. Web.

    Culp, Steve. “Accenture 2019 Global Risk Management Study, Financial Services Report.” Accenture, 2019. Web.

    Curtis, Patchin, and Mark Carey. “Risk Assessment in Practice.” COSO Committee of Sponsoring Organizations of the Treadway Commission, Deloitte & Touche LLP, 2012. Web.

    “Cyber Risk Management.” Insurance Bureau of Canada (IBC), 2022. Web.

    Eccles, Robert G., Scott C. Newquist, and Roland Schatz. “Reputation and Its Risks.” Harvard Business Review, February 2007. Web.

    Eden, C. and F. Ackermann. Making Strategy: The Journey of Strategic Management. Sage Publications, 1998.

    “Enterprise Risk Management Maturity Model.” OECD, 9 February 2021. Web.

    Ganguly, Saptarshi, Holger Harreis, Ben Margolis, and Kayvaun Rowshankish. “Digital Risks: Transforming risk management for the 2020s.” McKinsey & Company, 10 February 2017. Web.

    “Governance Institute of Australia Risk Management Survey 2020.” Governance Institute of Australia, 2020. Web.

    “Guidance on Enterprise Risk Management.” COSO, 2022. Web.

    Henriquez, Maria. “The Top 10 Data Breaches of 2021” Security Magazine, 9 December 2021. Web.

    Holmes, Aaron. “533 million Facebook users’ phone numbers and personal data have been leaked online.” Business Insider, 3 April 2021. Web.

    Bibliography

    “Integrated Risk and Compliance Management for Banks and Financial Services Organizations: Benefits of a Holistic Approach.” MetricStream, 2022. Web.

    “ISACA’s Risk IT Framework Offers a Structured Methodology for Enterprises to Manage Information and Technology Risk.” ISACA, 25 June 2020. Web.

    ISO 31000 Risk Management. ISO, 2018. Web.

    Lawton, George. “10 Enterprise Risk Management Trends in 2022.” TechTarget, 2 February 2022. Web.

    Levenson, Michael. “MGM Resorts Says Data Breach Exposed Some Guests’ Personal Information.” The New York Times, 19 February 2020. Web.

    Management of Risk (M_o_R): Guidance for Practitioners. Office of Government Commerce, 2007. Web.

    “Many small businesses vulnerable to cyber attacks.” Insurance Bureau of Canada (IBC), 5 October 2021.

    Maxwell, Phil. “Why risk-informed decision-making matters.” EY, 3 December 2019. Web.

    “Measuring and Mitigating Reputational Risk.” Marsh, September 2014. Web.

    Natarajan, Aarthi. “The Top 6 Business Risks you should Prepare for in 2022.” Diligent, 22 December 2021. Web.

    “Operational Risk Management Excellence – Get to Strong Survey: Executive Report.” KMPG and RMA, 2014. Web.

    “Third-party risk is becoming a first priority challenge.” Deloitte, 2022. Web.

    Thomas, Adam, and Dan Kinsella. “Extended Enterprise Risk Management Survey, 2020.” Deloitte, 2021. Web.

    Treasury Board Secretariat. “Guide to Integrated Risk Management.” Government of Canada, 12 May 2016. Web.

    Webb, Rebecca. “6 Reasons Data is Key for Risk Management.” ClearRisk, 13 January 2021. Web.

    “What is Enterprise Risk Management (ERM)?” RIMS, 2015. Web.

    Wiggins, Perry. “Do you spend enough time assessing strategic risks?” CFO, 26 January 2022. Web.

    Design a Tabletop Exercise to Support Your Security Operation

    • Buy Link or Shortcode: {j2store}319|cart{/j2store}
    • member rating overall impact: 10.0/10 Overall Impact
    • member rating average dollars saved: $12,599 Average $ Saved
    • member rating average days saved: 5 Average Days Saved
    • Parent Category Name: Threat Intelligence & Incident Response
    • Parent Category Link: /threat-intelligence-incident-response
    • Threat management has become resource intensive, requiring continuous monitoring, collection, and analysis of massive volumes of security event data.
    • Security incidents are inevitable, but how they are handled is critical.
    • The increasing use of sophisticated malware is making it difficult for organizations to identify the true intent behind the attack campaign.
    • The incident response is often handled in an ad hoc or ineffective manner.

    Our Advice

    Critical Insight

    • Establish communication processes and channels well in advance of a crisis. Don’t wait until a state of panic. Collaborate and share information mutually with other organizations to stay ahead of incoming threats.
    • Security operations is no longer a center, but a process. The need for a physical security hub has evolved into the virtual fusion of prevention, detection, analysis, and response efforts. When all four functions operate as a unified process, your organization will be able to proactively combat changes in the threat landscape.
    • You might experience a negative return on your security control investment. As technology in the industry evolves, threat actors will adopt new tools, tactics, and procedures; a tabletop exercise will help ensure teams are leveraging your security investment properly and providing relevant situational awareness to stay on top of the rapidly evolving threat landscape.

    Impact and Result

    Establish and design a tabletop exercise capability to support and test the efficiency of the core prevention, detection, analysis, and response functions that consist of an organization's threat intelligence, security operations, vulnerability management, and incident response functions.

    Design a Tabletop Exercise to Support Your Security Operation Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should design a tabletop exercise, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Plan

    Evaluate the need for a tabletop exercise.

    • Design a Tabletop Exercise to Support Your Security Operation – Phase 1: Plan

    2. Design

    Determine the topics, scope, objectives, and participant roles and responsibilities.

    • Design a Tabletop Exercise to Support Your Security Operation – Phase 2: Design

    3. Develop

    Create briefings, guides, reports, and exercise injects.

    • Design a Tabletop Exercise to Support Your Security Operation – Phase 3: Develop
    • Design a Tabletop Exercise to Support Your Security Operation – Inject Examples

    4. Conduct

    Host the exercise in a conference or classroom setting.

    • Design a Tabletop Exercise to Support Your Security Operation – Phase 4: Conduct

    5. Evaluate

    Plan to ensure measurement and continued improvement.

    • Design a Tabletop Exercise to Support Your Security Operation – Phase 5: Evaluate
    [infographic]

    Drive Business Value With a Right-Sized Project Gating Process

    • Buy Link or Shortcode: {j2store}445|cart{/j2store}
    • member rating overall impact: 9.0/10 Overall Impact
    • member rating average dollars saved: $61,999 Average $ Saved
    • member rating average days saved: 21 Average Days Saved
    • Parent Category Name: Portfolio Management
    • Parent Category Link: /portfolio-management
    • Low sponsor commitment on projects.
    • Poor quality on completed projects.
    • Little to no visibility into the project portfolio.
    • Organization does not operationalize change .
    • Analyzing, fixing, and redeploying is a constant struggle. Even when projects are done well, they fail to deliver the intended outcomes and benefits.

    Our Advice

    Critical Insight

    • Stop applying a one-size-fits-all-projects approach to governance.
    • Engage the sponsor by shifting the accountability to the business so they can get the most out of the project.
    • Do not limit the gating process to project management – expand to portfolio management.

    Impact and Result

    • Increase Project Throughput: Do more projects by ensuring the right projects and right amount of projects are approved and executed.
    • Validate Project Quality: Ensure issues are uncovered and resolved with standard check points in the project.
    • Increase Reporting and Visibility: Easily compare progress of projects across the portfolio and report outcomes to leadership.
    • Reduce Resource Waste: Terminate low-value projects early and assign the right resources to approved projects.
    • Achieve Intended Project Outcomes: Keep the sponsor engaged throughout the gating process to achieve desired outcomes.

    Drive Business Value With a Right-Sized Project Gating Process Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should design a right-sized project gating process, review Info-Tech’s methodology, and understand the four ways we can support you.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Lay the groundwork for tailored project gating

    This phase will walk you through the following activities:

  • Understand the role of gating and why we need it.
  • Determine what projects will follow the gating process and how to classify them.
  • Establish the role of the project sponsor throughout the entire project lifecycle.

    • Drive Business Value With a Right-Sized Project Gating Process – Phase 1: Lay the Groundwork for Tailored Project Gating
    • Project Intake Classification Matrix
    • Project Sponsor Role Description Template

    2. Establish level 1 project gating

    This phase will help you customize Level 1 Project Gates with appropriate roles and responsibilities.

    • Drive Business Value With a Right-Sized Project Gating Process – Phase 2: Establish Level 1 Project Gating
    • Project Gating Strategic Template

    3. Establish level 2 project gating

    This phase will help you customize Level 2 Project Gates with appropriate roles and responsibilities.

    • Drive Business Value With a Right-Sized Project Gating Process – Phase 3: Establish Level 2 Project Gating

    4. Establish level 3 project gating

    This phase will help you customize Level 3 Project Gates with appropriate roles and responsibilities. It will also help you determine next steps and milestones for the adoption of the new process.

    • Drive Business Value With a Right-Sized Project Gating Process – Phase 4: Establish Level 3 Project Gating
    • Project Gating Reference Document
    [infographic]

    Workshop: Drive Business Value With a Right-Sized Project Gating Process

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Lay the Groundwork for Tailored Project Gating

    The Purpose

    Understand the role of gating and why we need it.

    Determine what projects will follow the gating process and how to classify them.

    Establish the role of the project sponsor throughout the entire project lifecycle.

    Key Benefits Achieved

    Get stakeholder buy-in for the process.

    Ensure there is a standard leveling process to determine size, risk, and complexity of requests.

    Engage the project sponsor throughout the portfolio and project processes.

    Activities

    1.1 Project Gating Review

    1.2 Establish appropriate project levels

    1.3 Define the role of the project sponsor

    Outputs

    Project Intake Classification Matrix

    Project Sponsor Role Description Template

    2 Establish Level 1 Project Gating

    The Purpose

    This phase will help you customize Level 1 Project Gates with appropriate roles and responsibilities.

    Key Benefits Achieved

    Create a lightweight project gating process for small projects.

    Activities

    2.1 Review level 1 project gating process

    2.2 Determine what gates should be part of your custom level 1 gating process

    2.3 Establish required artifacts for each gate

    2.4 Define the stakeholder’s roles and responsibilities at each gate

    Outputs

    Documented outputs in the Project Gating Strategic Template

    3 Establish Level 2 Project Gating

    The Purpose

    This phase will help you customize Level 2 Project Gates with appropriate roles and responsibilities.

    Key Benefits Achieved

    Create a heavier project gating process for medium projects.

    Activities

    3.1 Review level 2 project gating process

    3.2 Determine what gates should be part of your custom level 2 gating process

    3.3 Establish required artifacts for each gate

    3.4 Define the stakeholder’s roles and responsibilities at each gate

    Outputs

    4 Establish Level 3 Project Gating

    The Purpose

    This phase will help you customize Level 3 Project Gates with appropriate roles and responsibilities.

    Come up with a roadmap for the adoption of the new project gating process.

    Key Benefits Achieved

    Create a comprehensive project gating process for large projects.

    Activities

    4.1 Review level 3 project gating process

    4.2 Determine what gates should be part of your custom level 3 gating process

    4.3 Establish required artifacts for each gate

    4.4 Define the stakeholder’s roles and responsibilities at each gate

    4.5 Determine next steps and milestones for process adoption

    Outputs

    Documented outputs in the Project Gating Strategic Template

    Documented Project Gating Reference Document for all stakeholders

    Make Sense of Strategic Portfolio Management

    • Buy Link or Shortcode: {j2store}447|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Portfolio Management
    • Parent Category Link: /portfolio-management
    • As an IT leader, you’re responsible for steering the realization of business strategy through wise investments in and responsible stewardship of assets, applications, portfolios, programs, products, and projects.
    • You need a tool to help align goals and facilitate processes across business units. You’re aware of a tool space called Strategic Portfolio Management, and it looks like it could help, but you’re unsure of how it’s different from some of the existing tools you already pay for and don’t use to their full functionality.

    Our Advice

    Critical Insight

    As a software space, strategic portfolio management lacks a unified definition. In the same way that it took many years for project portfolio management to stabilize as a concept distinct from traditional enterprise project management, strategic portfolio management is experiencing a similar period of formational uncertainty. Unpacking what’s truly new and valuable in helping to define strategy and drive strategic outcomes versus what’s just repackaged as SPM is an important first step, but it's not an easy undertaking.

    Impact and Result

    In this concise publication, we will cut through the marketing to unpack what strategic portfolio management is, and what makes it distinct from similar capabilities. We’ll help to situate you in the space and assess the extent to which your tooling needs can be met by a strategic portfolio management offering.

    Make Sense of Strategic Portfolio Management Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Make Sense of Strategic Portfolio Management Storyboard – A guide to help you drive strategic outcomes.

    In this concise publication we introduce you to strategic portfolio management and consider the extent to which your organization can leverage an SPM application to help drive strategic outcomes.

    • Make Sense of Strategic Portfolio Management Storyboard

    2. Strategic Portfolio Management Needs Assessment Tool – Use this tool to determine if your organization can benefit from the features and functionality of an SPM approach.

    Use this Excel workbook to determine if your organization can benefit from the features and functionality of an SPM approach or whether you need something more like a traditional project portfolio management tool.

    • Strategic Portfolio Management Needs Assessment
    [infographic]

    Further reading

    Make Sense of Strategic Portfolio Management

    Separate what's new and valuable from bloated claims on the hype cycle.

    Analyst Perspective

    Do you need strategic portfolio management, or do you need to do portfolio management more strategically?

    Travis Duncan, Research Director, PPM and CIO Strategy

    Travis Duncan
    Research Director, PPM and CIO Strategy
    Info-Tech Research Group

    While the market is eager to get users into what they're calling "strategic portfolio management," there's a lot of uncertainty out there about what this market is and how it's different from other, more established portfolio disciplines – most significantly, project portfolio management.

    Indeed, if you look at how the space is covered within the industry, you'll encounter a dog's breakfast of players, a comparison of apples and oranges: Jira in the same quadrants as Planisware, Smartsheets in the same profiles as Planview and ServiceNow. While each of the individual players is impressive, their areas of focus are unique and the extent to which they should be compared together under the category of strategic portfolio management is questionable.

    It speaks to some of the grey area within the SPM space more generally, which is at a bit of a crossroads: Will it formally shed the guardrails of its antecedents to become its own space, or will it devolve into a bait and switch through which capabilities that struggled to gain much traction beyond IT settings seek to infiltrate the business and grow their market share under a different name?

    Part of it is up to the rest of us as users and potential customers. Clarifying what we need before we jump into something simply because our prior attempts failed will help determine whether we need a unique space for strategic portfolio management or whether we simply need to do portfolio management more strategically.

    Executive Summary

    Your Challenge Common Obstacles Info-Tech's Approach
    • As an IT leader, you're responsible for steering the realization of business strategy through wise investments in/ and responsible stewardship of: assets, applications, portfolios, programs, products, and projects.
    • You need a tool to help align goals and facilitate processes and communications across business units. You're aware of a tool space called strategic portfolio management, and it looks like it could help, but you're unsure of how it's different from some of the existing tools you already license.
    • As a software space, strategic portfolio management lacks a unified definition. Unpacking what's truly new in helping to define strategy and drive strategic outcomes versus what's just repackaged as SPM is no small undertaking.
    • Because SPM can span different business units, ways of working, and roles, getting buy-in, alignment, and adoption can be even more precarious than it is when implementing other types of solutions.
    • In this concise publication, we will cut through the marketing to unpack what strategic portfolio management is and what makes it distinct from similar capabilities.
    • Assess the extent to which your tooling needs can be met by a strategic portfolio management offering or the extent to which you may need to look at other software categories.
    • With a better understanding of the space, we hope to help facilitate better internal discussions around the value of SPM for your business needs.

    Info-Tech Insight
    In the same way that it took many years for PPM to stabilize as a concept distinct from traditional enterprise project management, strategic portfolio management is experiencing a similar period of formational uncertainty. In a space that can be all things to all users, clarify your actual needs before jumping onto a bandwagon and ending up with something that you don't need, and that the organization can't adopt.

    Strategic portfolio management is enterprise portfolio management

    Evolved from various other capabilities and vendor solutions, strategic portfolio management (SPM) seeks to connect strategy to execution.

    While the concept of 'strategic portfolio management' has been written about within project portfolio management circles for nearly 20 years, SPM, as a distinct organizational competence and software category, is a relatively new and largely vendor-driven capability.

    First emerging in the discourse during the mid-to-late 2010s, SPM has evolved from its roots in traditional enterprise project portfolio management. Though, as we will discuss, it has other antecedents not limited to PPM.

    In this publication, we'll unpack what SPM is, how it is distinct (and, in turn, how it is not distinct) from PPM and other capabilities, and we will consider the extent to which your organization can and should leverage an SPM application to help drive strategic outcomes.

    –The increasing need to deliver value from digital initiatives is giving rise to strategic portfolio management, a digital investment management discipline that enables strategy realization in complex dynamic environments."
    – OnePlan, "Is Strategic Portfolio Management the Future of PPM?"

    Only 2% of business leaders are confident that they will achieve 80% to 100% of their strategic objectives.
    Source: Smith, 2022

    Put strategic portfolio management in context

    SPM is a new stage in the history of project portfolio management more generally. While it's emerging as a distinct capability, and it borrows from capabilities beyond PPM, unpacking its distinctiveness is best done by first understanding its source.

    Understand the recent triggers for strategic portfolio management

    Triggers for the emergence of strategic portfolio management in the discourse include the pace of technology-introduced change, the waning of enterprise project management, and challenges around enterprise PPM tool adoption.

    Spot the difference?

    Scope, focus, and audience are just a few of the factors distinguishing what the market calls "SPM" from traditional PPM.

    Project Portfolio Management Differentiator Strategic Portfolio Management
    Work-Level (Tactical) Primary Orientation High-Level (Strategic)
    CIO Accountable for Outcomes CxO
    Project Manager Responsible for Outcomes Product Management Organization
    Project Managers, PMO Staff Targeted Users Business Leaders, ePMO Staff
    Project Portfolio(s) Essential Scope Multi-Portfolio (Project, Application, Product, Program, etc.)
    IT Project Delivery and Business Results Delivery Core Focus Business Strategy and Change Delivery
    Project Scope Change Impact Sensitivity Enterprise Scope
    IT and/or Business Benefit Language of Value Value Stream
    Project Timelines Main View Strategy Roadmaps
    Resource Capacity Primary Currency Money
    Work-Assignment Details Modalities of Planning Value Milestones & OKRs
    Work Management Modalities of Execution Governance (Project, Product, Strategy, Program, etc.)
    Project Completion Definitions of "Done" Business Capability Realization

    Info-Tech Insight
    The distinction between the two capabilities is not necessarily as black and white as the table above would have it (some "PPM" tools offer what we're identifying above as "SPM" capabilities), but it can be helpful to think in these binaries when trying to distinguish the two capabilities. At the very least, SPM broadens its scope to target more executive and business users, and functions best when it's speaking at a higher level, to a business audience.

    Strategic portfolio management offers a more holistic view of the enterprise

    At its best, strategic portfolio management can accommodate various paradigms of work management and incorporate different types of portfolio management.

    Perhaps the biggest evolution from traditional PPM that strategic portfolio management promises is that it casts a wider net in terms of the types of work it tracks (and how it tracks that work) and the types of portfolios it accommodates.

    Not bound to the concepts of "projects" and a "project portfolio" specifically, SPM broadens its scope to encompass capabilities like product and product portfolio management, enterprise architecture management, security and risk management, and more.

    • Where a PPM solution only shows one piece of the puzzle, SPM looks at the entire investment ecosystem, tracking strategic goals, the ideas generated to help achieve those goals, and all the various kinds of investments made in the service of those goals.
    • what's more, where traditional PPM tools required users to adhere to a certain way of working and managing tasks, SPM is more flexible, relying on integrations across various ways of working to provide higher-level insight on the progress of work and the achievement of goals.

    Deliver business strategy and change effectively

    Info-Tech's Strategic Portfolio Management Framework

    "An SPM tool will capture business strategy, business capabilities, operating models, the enterprise architecture and the project portfolio with unmatched visibility into how they all relate. This will give...a robust understanding of the impact of a proposed IT change " and enable IT and business to act like cocreators driving innovation."
    – Paula Ziehr

    You might need a strategic portfolio management tool if–

    If you find yourself facing any of these situations, it might be time to step away from your PPM tool and into an SPM approach:

    • Your organization is facing a large implementation that will cross multiple departmental units and requires alignment across senior leadership (e.g. a digital transformation initiative).
    • You currently have disparate systems tracking different portfolios (project, product, applications, etc.) and types of investments, but lack insight into the whole in terms of how work efforts and investments tie back to strategy realization.
    • You are an ePMO or a strategy realization office that doesn't manage work necessarily, but that rather ensures that the work, assets, and capabilities that are funded connect to strategy and drive the realization of strategy.

    Sixty one percent of leaders acknowledge their companies struggle to bridge the gap between creating a strategy and executing on that strategy.
    Source: StrategyBlocks, 2020

    Get to know your strategic portfolio management stakeholders

    In terms of users, SPM's focus is further up the org chart than most applications, relying on high-level but usable outputs to help drive decision making.

    ePMO or Strategy Realization Office Senior Leadership and Executive Stakeholders Business Leads and IT Directors and Managers
    SPM tools are best facilitated through enterprise PMOs or strategy realization offices. After all, in enterprises, these are the entities charged with the planning, execution, and tracking of strategy.

    Their roles within the tool typically entail:

    • Helping to facilitate processes and collect data.
    • Data quality and curation.
    • Report distribution and consumption.
    		 As those with the accountability and authority to drive the organization's strategy, you could argue that these stakeholders are the primary stakeholders for an SPM tool.

    Their roles within the tool typically entail:

    • Using strategy map and ideation functionalities.
    • Using reports to steward strategy realization.
    		 SPM targets more business users as well as senior IT managers and directors.

    Their roles within the tool typically entail:

    • Using strategy map and ideation functionalities.
    • Providing updates to ePMOs on progress.

    What should you look for in a strategic portfolio management tool? (1 of 2)

    Standard features for SPM include:

    Name Description
    Analytics and Reporting SPM should provide access to real-time dashboards and data interpretation, which can be exported as reports in a range of formats.
    Strategy Mapping and Road Mapping SPM should provide access to up-to-date timeline views of strategies and initiatives, including the ability to map such things as dependencies, market needs, funding, priorities, governance, and accountabilities.
    Value Tracking and Measurement SPM should include the ability to forecast, track, and measure return on investment for strategic investments. This includes accommodations for various paradigms of value delivery (e.g. traditional value delivery and measurement, OKRs, as well as value mapping and value streams).
    Ideation and Innovation Management SPM should include the ability to facilitate innovation management processes across the organization, including the ability to support stage gates from ideation through to approval; to articulate, socialize, and test ideas; perform impact assessments; create value canvas and OKR maps; and prioritize.
    Multi-Portfolio Management SPM should include the ability to perform various modalities of portfolio management and portfolio optimization, including project portfolio management, applications portfolio management, asset portfolio management, etc.
    Interoperability/APIs An SPM tool should enable seamless integration with other applications for data interoperability.

    What should you look for in a strategic portfolio management tool? (2 of 2)

    Advanced features for SPM can include:

    Name Description
    Product Management SPM can include product-management-specific functionality, including the ability to connect product families, roadmaps, and backlogs to enterprise goals and priorities, and track team-level activities at the sprint, release, and campaign levels.
    Enterprise Architecture Management SPM can include the ability to define and map the structure and operation of an organization in order to effectively coordinate various domains of architecture and governance (e.g. business architecture, data architecture, application architecture, security architecture, etc.) in order to effectively plan and introduce change.
    Security and Risk Management SPM can include the ability to identify and track enterprise risks and ensure compliance controls are met.
    Lean Portfolio Management SPM can include the ability to plan and report on portfolio performance independent from task level details of product, program, or project delivery.
    Investment and Financial Management SPM can include the ability to forecast, track, and report on financials at various levels (strategy, product, program, project, etc.).
    Multi-Methodology Delivery SPM can include the ability to plan and execute work in a way that accommodates various planning and delivery paradigms (predictive, iterative, Kanban, lean, etc.).

    What's promising within the space?

    As this space continues to stabilize, the following are some promising associations for business and IT enablement.

    1. SPM accommodates various ways of working.
    • Where traditional PPM and work management tools required that users change their processes and tasking paradigms to fit within the tool's rigid task management and data structures, the best SPM tools are those that are adaptable to various ways of working and can accommodate many tasking and work management models.
    • Sometimes this is done through extensive integrations and APIs that pull data from existing work management applications into a single view within the SPM tool, and other times, this is done by abstracting the task-level details into a higher-level reporting structure (it can depend on the solution). In any event, the best SPMs are bound to one work management model.
    2. SPM puts the focus on value and change.
    • With its focus on the planning and execution of strategy, SPM can't avoid putting a spotlight on value and value realization. The best SPM tools include the ability to forecast, track, and measure return on investment for strategic investments, and they accommodate for various paradigms of value delivery (e.g. traditional value delivery and measurement, OKRs, as well as value mapping and value streams).
    • Of course, you can't realize value without successfully fostering change. And while SPM tools don't necessarily offer functionality explicitly identifiable as organizational change management, they can act as agents of change in putting the spotlight on the execution of change at the executive level.
    3. SPM fosters a coherent approach to demand management.
    • With its goal of ensuring that strategy informs the organization of portfolios and guides the selection of projects and delivery of products, SPM can potentially bring some order to what is often a chaotic demand-management landscape, ensuring that planned and in-progress work is well justified from an ROI perspective.

    What's of concern within the space?

    As a progeny from other capabilities, SPM has some risks and connotations potential users should be wary of.

    1. The space is rife with IT buzzwords and, as a concept, is sometimes used as a repackaging of failing concepts.
    • You don't need to spend too much time engaging with the literature around SPM before you notice the marketing appeals heavily to concepts like "digitalization," "digital transformation," "continual innovation," "agility/Agile," and the like. While these are all important concepts, and the pursuit of them is worthwhile in many cases, there's no denying they're used as consultant and vendor buzzwords, deployed to excite our imaginations, without necessarily providing much meat around what they mean or how they're deployed and successfully sustained.
    • Indeed, many concepts and capabilities that appear in relation to SPM are on the downward swing of industry hype cycles, suggesting that SPM may be being used by vendors and consultants as another attempt to repackage and capitalize on these concepts even as practitioners grow weary and suspicious of the marketing claims built up around them.
    2. Some solutions that identify as SPM are not.
    • Because it's on the upward swing of its place in the hype cycle, many established PPM and service management vendors are applying the 'strategic portfolio management" label to their products without necessarily doing anything different from a functionality perspective to fit within the space. As a result, SPM vendor landscapes can compare work management, project management, demand management tools, and more. Users who want SPM functionality need to stay frosty to ensure they get what they pay for.
    3. SPM tools may have a capacity blind spot.
    • The biggest barrier to getting things done and done well in modern enterprises is approving more work than you have the capacity to deliver. While SPM offerings can help with better demand management, not many of them cover the capacity side with the same level of improvement.

    Does your organization need a strategic portfolio management tool?

    Use Info-Tech's Strategic Portfolio Management Needs Assessment to gauge your readiness for SPM.

    • As noted in previous places in this deck, there is often a grey area in the market between project portfolio management tools and strategic portfolio management tools.
    • Some PPM tools offer SPM functionality, while some SPM tools avoid traditional PPM outcomes and stay at a higher, strategic level.
    • Depending on the scope of your PMO or portfolio optimization needs, you may need a tool that has just one, or both, of these capabilities.
    • Use Info-Tech's Strategic Portfolio Management Needs Assessment to help you assess whether you require a high-level strategy management tool, a more low-level project portfolio management tool, or a mix of both.

    Download Info-Tech's Strategic Portfolio Management Needs Assessment

    1.1 Assess your needs

    10 to 20 minutes

    1. The Strategic Portfolio Management Needs Assessment is a 41-question survey broken up into three parts: (1) PMO Type, (2) Features and Functionality, (3) Roles.
    2. Go through each section using the provided dropdowns to help identify the orientation of your PMO, the feature and functionality needs of your office, as well as the roles whose needs will need to be serviced through the potential tool implementation.

    This screenshot shows a sample output from the assessment. Based upon your inputs, you'll be grouped within three ranges:

    1. Green: Based upon your inputs, you will benefit from an SPM tool.
    2. Yellow: You may benefit from an SPM tool, but you may also require something more traditional. Clarify your requirements before proceeding.
    3. Red: you're unlikely to leverage many of the benefits of an SPM tool at this time. Look for a more tactical solution.

    Sample Output from the assessment tool

    Input Output
    • Understanding of existing project management, project portfolio management, and work management applications.
    • Recommendation on PPM/SPM tool type
    Materials Participants
    • Strategic Portfolio Management Needs Assessment tool
    • Portfolio managers and/or ePMO directors
    • Project managers and product managers
    • Business stakeholders

    Explore the SPM vendor landscape

    Use Info-Tech's application selection resources to help find the right solution for your organization.

    If the analysis in the previous slides suggested you can benefit from an SPM tool, you can quick-start your vendor evaluation process with SoftwareReviews.

    SoftwareReviews has extensive coverage of not just the SPM space, but of the project portfolio management (pictured to the top right) and project management spaces as well. So, from the tactical to the strategic, SoftwareReviews can help you find the right tools.

    Further, as you settle in on a shortlist, you can begin your vendor analysis using our rapid application selection methodology (see framework on bottom right). For more information see our The Rapid Application Selection Framework blueprint.

    Info-Tech's Rapid Application Selection Framework

    Info-Tech's Rapid Application Selection Framework (RASF)

    Related Info-Tech Research

    Develop a Project Portfolio Management Strategy
    Drive IT project throughput by throttling resource capacity.

    Prepare an Actionable Roadmap for your PMO
    Turn planning into action with a realistic PMO timeline.

    Maintain an Organized Portfolio
    Align portfolio management practices with COBIT (APO05: Manage Portfolio)

    Bibliography

    Angliss, Katy, and Pete Harpum. Strategic Portfolio Management: In the Multi-Project and Program Organization. Book. Routledge. 30 Dec. 2022.

    Anthony, James. "95 Essential Project Management Statistics: 2022 Market Share & Data Analysis." Finance Online. 2022. Web. Accessed 21 March 2022

    Banham, Craig. "Integrating strategic planning with portfolio management." Sopheon. Webinar. Accessed 6 Feb. 2023.

    Garfein, Stephen J. "Executive Guide to Strategic Portfolio Management: roadmap for closing the gap between strategy and results." PMI. Conference Paper. Oct. 2007. Accessed 6 Feb. 2023.

    Garfein, Stephen J. "Strategic Portfolio Management: A smart, realistic and relatively fast way to gain sustainable competitive advantage." PMI. Conference Paper. 2 March 2005. Accessed 6 Feb. 2023.

    Hontar, Yulia. "Strategic Portfolio Management." PPM Express. Blog 16 June 2022. Accessed 6 Feb. 2023.

    Milsom, James. "6 Strategic Portfolio Management Trends for 2023." i-nexus. Blog. 25 Jan. 2022. Accessed 6 Feb. 2023.

    Milsom, James. "Strategic Portfolio Management 101." i-nexus. 8 Dec. 2021. Blog . Accessed 6 Feb. 2023.

    OnePlan, "Is Strategic Portfolio Management the Future of PPM?" YouTube. 17 Nov. 2022. Accessed 6 Feb. 2023.

    OnePlan. "Strategic Portfolio Management for Enterprise Agile." YouTube. 27 May 2022. Accessed 6 Feb. 2023.

    Piechota, Frank. "Strategic Portfolio Management: Enabling Successful Business Outcomes." Shibumi. Blog . 31 May 2022. Accessed 6 Feb. 2023.

    ServiceNow. "Strategic Portfolio Management—The Thing You've Been Missing." ServiceNow. Whitepaper. 2021. Accessed 6 Feb. 2023.

    Smith, Shepherd, "50+ Eye-Opening Strategic Planning Statistics" ClearPoint Strategy. Blog. 13 Sept. 2022. Accessed 6 Feb. 2023.

    SoftwareAG. "What is Strategic Portfolio Management (SPM)?" SoftwareAG. Blog. Accessed 6 Feb. 2023.

    Stickel, Robert. "What It Means to be Adaptive." OnePlan. Blog. 24 May 2021. Accessed 6 Feb. 2023.

    UMT360. "What is Strategic Portfolio Management?" YouTube. Webinar. 22 Oct. 2020. Accessed 6 Feb. 2023.

    Wall, Caroline. "Elevating Strategy Planning through Strategic Portfolio Management." StrategyBlocks. Blog. 26 Feb. 2020. Accessed 6 Feb. 2023.

    Westmoreland, Heather. "What is Strategic Portfolio Management." Planview. Blog. 19 Oct 2002. Accessed 6 Feb. 2023.

    Wiltshire, Andrew. "Shibumi Included in Gartner Magic Quadrant for Strategic Portfolio Management for the 2nd Straight Year." Shibumi. Blog. 20 Apr. 2022. Accessed 6 Feb. 2023.

    Ziehr, Paula. "Keep your eye on the prize: Align your IT investments with business strategy." SoftwareAG. Blog. 5 Jul. 2022. Accessed 6 Feb. 2023.

    Cost and Budget Management

    • Buy Link or Shortcode: {j2store}8|cart{/j2store}
    • Related Products: {j2store}8|crosssells{/j2store}
    • Up-Sell: {j2store}8|upsells{/j2store}
    • member rating overall impact: 9.5/10
    • member rating average dollars saved: $2,000
    • member rating average days saved: 5
    • Parent Category Name: Financial Management
    • Parent Category Link: /financial-management
    • byline: Effective IT budgets tell a story.

    The challenge

    • IT is seen as a cost center in most organizations. Your IT spend is fuelled by negative sentiment instead of contributing to business value.

    • Budgetary approval is difficult, and in many cases, the starting point is lowering the cost-income ratio without looking at the benefits.
    • Provide the right amount of detail in your budgets to tell your investment and spending story. Align it with the business story. Too much detail only increases confusion, too little suspicion.

    Our advice

    Insight

    An effective IT budget complements the business story with how you will achieve the expected business targets.

    • Partner with the business to understand the strategic direction of the company and its future needs.
    • Know your costs and the value you will deliver.
    • Present your numbers and story clearly and credibly. Excellent delivery is part of good communication.
    • Guide your company by clearly explaining the implications of different choices they can make.

    Impact and results 

    • Get a head-start on your IT forecasting exercise by knowing the business strategy and what initiatives they will launch.
    • The coffee corner works! Pre-sell your ideas in quick chats.
    • Do not make innovation budgets bigger than they need to be. It undermines your credibility.
    • You must know your history to accurately forecast your IT operations cost and how it will evolve based on expected business changes.
    • Anticipate questions. IT discretionary proposals are often challenged. Think ahead of time about what areas your business partners will focus on and be ready with researched and credible responses.
    • When you have an optimized budget, tie further cost reductions to consequences in service delivery or deferred projects, or a changed operating model.

    The roadmap

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    Get started

    Our concise executive brief shows you why you should develop a budget based on value delivery. We'll show you our methodology and the ways we can help you in completing this.

    Plan for budget success

    • Build an IT Budget That Demonstrates Value Delivery – Phase 1: Plan (ppt)
    • IT Budget Interview Guide (doc)

    Build your budget.

    • Build an IT Budget That Demonstrates Value Delivery – Phase 2: Build (ppt)
    • IT Cost Forecasting Tool (xls)

    Sell your budget

    • Build an IT Budget That Demonstrates Value Delivery – Phase 3: Sell (ppt)
    • IT Budget Presentation (ppt)

     

    Leverage Web Analytics to Reinforce Your Web Experience Management Strategy

    • Buy Link or Shortcode: {j2store}563|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Marketing Solutions
    • Parent Category Link: /marketing-solutions
    • Organizations are unaware of the capabilities of web analytics tools and unsure how to leverage these new technologies to enhance their web experience.
    • Traditional solutions offer only information and data about the activity on the website. It is difficult for organizations to understand the customer motivations and behavioral patterns using the data.
    • In addition, there is an overwhelming number of vendors offering various solutions. Understanding which solution best fits your business needs is crucial to avoid overspending.

    Our Advice

    Critical Insight

    • Understanding organizational goals and business objectives is essential in effectively leveraging web analytics.
    • It is easy to get lost in a sea of expensive web analytical tools. Choosing tools that align with the business objectives will keep the costs of customer acquisition and retention to a minimum.
    • Beyond selection and implementation, leveraging web analytic tools requires commitment from the organization to continuously monitor key KPIs to ensure good customer web experience.

    Impact and Result

    • Understand what web analytic tools are and some key trends in the market space. Learn about top advanced analytic tools that help understand user behavior.
    • Discover top vendors in the market space and some of the top-level features they offer.
    • Understand how to use the metrics to gather critical insights about the website’s use and key initiatives for successful implementation.

    Leverage Web Analytics to Reinforce Your Web Experience Management Strategy Research & Tools

    Leverage Web Analytics to Reinforce Your Web Experience Management Strategy Storyboard – A deck outlining the importance of web analytic tools and how they can be leveraged to meet your business needs.

    This research offers insight into web analytic tools, key trends in the market space, and an introduction to advanced web analytics techniques. Follow our five-step initiative to successfully select and implement web analytics tools and identify which baseline metrics to measure and continuously monitor for best results.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    • Leverage Web Analytics to Reinforce Your Web Experience Management Strategy Storyboard
    [infographic]

    Further reading

    Leverage Web Analytics to Reinforce Your Web Experience Management Strategy

    Web analytics tools are the gateway to understanding customer behavior.

    EXECUTIVE BRIEF

    Analyst Perspective

    In today’s world, users want to consume concise content and information quickly. Websites have a limited time to prove their usefulness to a new user. Content needs to be as few clicks away from the user as possible. Analyzing user behavior using advanced analytics techniques can help website designers better understand their audience.

    Organizations need to implement sophisticated analytics tools to track user data from their website. However, simply extracting data is not enough to understand the user motivation. A successful implementation of a web analytics tool will comprise both understanding what a customer does on the website and why the customer does what they do.

    This research will introduce some fundamental and advanced analytics tools and provide insight into some of the vendors in the market space.

    Photo of Sai Krishna Rajaramagopalan, Research Specialist, Applications − Enterprise Applications, Info-Tech Research Group. Sai Krishna Rajaramagopalan
    Research Specialist, Applications − Enterprise Applications
    Info-Tech Research Group

    Executive Summary

    Your Challenge
    • Web analytics solutions have emerged as applications that provide extensive information and data about users visiting your webpage. However, many organizations are unaware of the capabilities of these tools and unsure how to leverage these new technologies to enhance user experience.
    		 Common Obstacles
    • Traditional solutions offer information and data about customers’ activity on the website but no insight into their motivations and behavioral patterns.
    • In addition, an overwhelming number of vendors are offering various solutions. Understanding which solution best fits your business needs is crucial to avoid overspending.
    		 Info-Tech’s Approach
    • This research is aimed to help you understand what web analytic tools are and some key trends in the market space. Learn about top advanced analytic tools that help you understand user behavior. Discover top vendors in the market space and some of the high-level features offered.
    • This research also explains techniques and metrics to gather critical insights about your website’s use and will aid in understanding users’ motivations and patterns and better predict their behavior on the website.

    Info-Tech Insight

    It is easy to get lost in a sea of expensive web analytics tools. Choose tools that align with your business objectives to keep the costs of customer acquisition and retention to a minimum.

    Ensure the success of your web analytics programs by following five simple steps

    1. ORGANIZATIONAL GOALS

    The first key step in implementing and succeeding with web analytics tools is to set clearly defined organizational goals, e.g. improving product sales.

    3. KPI METRICS

    Define key performance indicators (KPIs) that help track the organization’s performance, e.g. number of page visits, conversion rates, bounce rates.

    5. REVIEW

    Continuous improvement is essential to succeed in understanding customers. The world is a dynamic place, and you must constantly revise your organizational goals, business objectives, and KPIs to remain competitive.

    		Centerpiece representing the five surrounding steps.

    2. BUSINESS OBJECTIVES

    The next step is to lay out business objectives that help to achieve the organization’s goals, e.g. to increase customer leads, increase customer transactions, increase web traffic.

    4. APPLICATION SELECTION

    Understand the web analytics tool space and which combination of tools and vendors best fits the organization’s goals.

    Web Analytics Introduction

    Understand traditional and advanced tools and their capabilities.

    Understanding web analytics

    • Web analytics is the branch of analytics that deals with the collection, reporting, and analysis of data generated by users visiting and interacting with a website.
    • The purpose of web analytics is to measure user behavior, optimize the website’s user experience and flow, and gain insights that help meet business objectives like increasing conversions and sales.
    • Web analytics allows you to see how your website is performing and how people are acting while on your website. What’s important is what you can do with this knowledge.
    • Data collected through web analytics may include traffic sources, referring sites, page views, paths taken, and conversion rates. The compiled data often forms a part of customer relationship management analytics to facilitate and streamline better business decisions.
    • Having strong web analytics is important in understanding customer behavior and fine-tuning marketing and product development approaches accordingly.
    		 Example of a web analytics dashboard.

    Why you should leverage web analytics

    Leveraging web analytics allows organizations to better understand their customers and achieve their business goals.

    The global web analytics market size is projected to reach US$5,156.3 million by 2026, from US$2,564 million in 2019, at a CAGR of 10.4% during 2021-2026. (Source: 360 Research Reports, 2021) Of the top 1 million websites with the highest traffic, there are over 3 million analytics technologies used. Google Analytics has the highest market share, with 50.3%. (Source: “Top 1 Million Sites,” BuiltWith, 2022)
    Of the 200 million active websites, 57.3% employ some form of web analytics tool. This trend is expected to grow as more sophisticated tools are readily available at a cheaper cost. (Source: “On the Entire Internet,” BuiltWith, 2022; Siteefy, 2022) A three-month study by Contentsquare showed a 6.9% increase in traffic, 11.8% increase in page views, 12.4% increase in transactions, and 3.6% increase in conversion rates through leveraging web analytics. (Source: Mordor Intelligence, 2022)

    Case Study

    		 Logo for Ryanair.
    INDUSTRY
    Aviation
    SOURCE
    AT Internet
    Web analytics

    Ryanair is a low-fare airline in Europe that receives nearly all of its bookings via its website. Unhappy with its current web analytics platform, which was difficult to understand and use, Ryanair was looking for a solution that could adapt to its requirements and provide continuous support and long-term collaboration.

    Ryanair chose AT Internet for its intuitive user interface that could effectively and easily manage all the online activity. AT was the ideal partner to work closely with the airline to strengthen strategic decision making over the long term, increase conversions in an increasingly competitive market, and increase transactions on the website.

    Results

    By using AT Internet Web Analytics to improve email campaigns and understand the behavior of website visitors, Ryanair was able to triple click-through rates, increase visitor traffic by 16%, and decrease bounce rate by 18%.

    		Arrows denoting increases or decreases in certain metrics: '3x increase in click-through rates', '16% increase in visitor traffic', '18% decrease in bounce rate'.

    Use traditional web analytics tools to understand your consumer

    What does the customer do?
    • Traditional web analytics allows organizations to understand what is happening on their website and what customers are doing. These tools deliver hard data to measure the performance of a website. Some of the data measured through traditional web analytics are:
    • Visit count: The number of visits received by a webpage.
    • Bounce rate: The percentage of visitors that leave the website after only viewing the first page compared to total visitors.
    • Referrer: The previous website that sent the user traffic to a specific website.
    • CTA clicks: The number of times a user clicks on a call to action (CTA) button.
    • Conversion rate: Proportion of users that reach the final outcome of the website.
    		 Example of a traditional web analytics dashboard.

    Use advanced web analytics techniques to understand your consumer

    Why does the customer do what they do?
    • Traditional web analytic tools fail to explain the motivation of users. Advanced analytic techniques help organizations understand user behavior and measure user satisfaction. The techniques help answer questions like: Why did a user come to a webpage? Why did they leave? Did they find what they were looking for? Some of the advanced tools include:
    • Heatmapping: A visual representation of where the users click, scroll, and move on a webpage.
    • Recordings: A recording of the mouse movement and clicks for the entire duration of a user’s visit.
    • Feedback forms and surveys: Voice of the customer tools allowing users to give direct feedback about websites.
    • Funnel exploration: The ability to visualize the steps users take to complete tasks on your site or app.
    		 Example of an advanced web analytics dashboard.

    Apply industry-leading techniques to leverage web analytics

    Heatmapping
    • Heatmaps are used to visualize where users move their mouse, click, and scroll in a webpage.
    • Website heatmaps use a warm-to-cold color scheme to indicate user activity, with the warmest color indicating the highest visitor engagement and the coolest indicating the lowest visitor engagement.
    • Organizations can use this tool to evaluate the elements of the website that attract users and identify which sections require improvement to increase user engagement.
    • Website designers can make changes and compare the difference in user interaction to measure the effectiveness of the changes.
    • Scrollmaps help designers understand what the most popular scroll-depth of your webpage is – and that’s usually a prime spot for an important call to action.
    		 Example of a website with heatmapping overlaid.
    (Source: An example of a heatmap layered with a scrollmap from Crazy Egg, 2020)

    Apply industry-leading techniques to leverage web analytics

    Funneling

    • Funnels are graphical representations of a customer’s journey while navigating through the website.
    • Funnels help organizations identify which webpage users land on and where users drop off.
    • Organizations can capture every user step to find the unique challenges between entry and completion. Identifying what friction stands between browsing product grids and completing a transaction allows web designers to then eliminate it.
    • Designers can use A/B testing to experiment with different design philosophies to compare conversion statistics.
    • Funneling can be expanded to cross-channel analytics by incorporating referral data, cookies, and social media analytics.
    		 Example of a bar chart created through funneling.

    Apply industry-leading techniques to leverage web analytics

    Session recordings

    • Session recordings are playbacks of users’ interaction with the website on a single session. User interaction can vary between mouse clicks, keyboard input, and mouse scroll.
    • Recordings help organizations understand user motivation and help identify why users undertake certain tasks or actions on the webpage.
    • Playbacks can also be used to see if users are confused anywhere between the landing page and final transaction phase. This way, playbacks further help ensure visitors complete the funneling seamlessly.
    		 Example of a session recording featuring a line created by the mouse's journey.

    Apply industry-leading techniques to leverage web analytics

    Feedback and microsurveys

    • Feedback can be received directly from end users to help organizations improve the website.
    • Receiving feedback from users can be difficult, since not every user is willing to spend time to submit constructive and detailed feedback. Microsurveys are an excellent alternative.
    • Users can submit short feedback forms consisting of a single line or emojis or thumbs up or down.
    • Users can directly highlight sections of the page about which to submit feedback. This allows designers to quickly pinpoint areas for improvement. Additionally, web designers can play back recordings when feedback is submitted to get a clear idea about the challenges users face.
    		 Example of a website with a microsurvey in the corner.

    Market Overview

    Choose vendors and tools that best match your business needs.

    Top-level traditional features

    Feature Name

    Description
    Visitor Count Tracking Counts the number of visits received by a website or webpage.
    Geographic Analytics Uses location information to enable the organization to provide location-based services for various demographics.
    Conversion Tracking Measures the proportion of users that complete a certain task compared to total number of users.
    Device and Browser Analytics Captures and summarizes device and browser information.
    Bounce and Exit Tracking Calculates exit rate and bounce rate on a webpage.
    CTA Tracking Measures the number of times users click on a call to action (CTA) button.
    Audience Demographics Captures, analyzes, and displays customer demographic/firmographic data from different channels.
    Aggregate Traffic Reporting Works backward from a conversion or other key event to analyze the differences, trends, or patterns in the paths users took to get there.
    Social Media Analytics Captures information on social signals from popular services (Twitter, Facebook, LinkedIn, etc.).

    Top-level advanced features

    Feature Name

    Description

    HeatmappingShows where users have clicked on a page and how far they have scrolled down a page or displays the results of eye-tracking tests through the graphical representation of heatmaps.
    Funnel ExplorationVisualizes the steps users take to complete tasks on your site or app.
    A/B TestingEnables you to test the success of various website features.
    Customer Journey ModellingEffectively models and displays customer behaviors or journeys through multiple channels and touchpoints.
    Audience SegmentationCreates and analyzes discrete customer audience segments based on user-defined criteria or variables.
    Feedback and SurveysEnables users to give feedback and share their satisfaction and experience with website designers.
    Paid Search IntegrationIntegrates with popular search advertising services (i.e. AdWords) and can make predictive recommendations around areas like keywords.
    Search Engine OptimizationProvides targeted recommendations for improving and optimizing a page for organic search rankings (i.e. via A/B testing or multivariate testing).
    Session RecordingRecords playbacks of users scrolling, moving, u-turning, and rage clicking on your site.

    Evaluate software category leaders using SoftwareReviews’ vendor rankings and awards

    		 Logo for SoftwareReviews.
    Sample of SoftwareReviews' The Data Quadrant. The Data Quadrant is a thorough evaluation and ranking of all software in an individual category to compare platforms across multiple dimensions.

    Vendors are ranked by their Composite Score, based on individual feature evaluations, user satisfaction rankings, vendor capability comparisons, and likeliness to recommend the platform.

    Sample of SoftwareReviews' The Emotional Footprint. The Emotional Footprint is a powerful indicator of overall user sentiment toward the relationship with the vendor, capturing data across five dimensions.

    Vendors are ranked by their Customer Experience (CX) Score, which combines the overall Emotional Footprint rating with a measure of the value delivered by the solution.

    Speak with category experts to dive deeper into the vendor landscape

    		 Logo for SoftwareReviews.
    Fact-based reviews of business software from IT professionals. Top-tier data quality backed by a rigorous quality assurance process. CLICK HERE to ACCESS

    Comprehensive software reviews
    to make better IT decisions

    We collect and analyze the most detailed reviews on enterprise software from real users to give you an unprecedented view into the product and vendor before you buy.

    Product and category reports with state-of-the-art data visualization. User-experience insight that reveals the intangibles of working with a vendor.

    SoftwareReviews is powered by Info-Tech

    Technology coverage is a priority for Info-Tech and SoftwareReviews provides the most comprehensive unbiased data on today’s technology. Combined with the insight of our expert analysts, our members receive unparalleled support in their buying journey.

    Top vendors in the web analytics space

    Logo for Google Analytics. Google Analytics provides comprehensive traditional analytics tools, free of charge, to understand the customer journey and improve marketing ROI. Twenty-four percent of all web analytical tools used on the internet are provided by Google analytics.
    Logo for Hotjar. Hotjar is a behavior analytics and product experience insights service that helps you empathize with and understand your users through their feedback via tools like heatmaps, session recordings, and surveys. Hotjar complements the data and insights you get from traditional web analytics tools like Google Analytics.
    Logo for Crazy Egg. Crazy Egg is a website analytics tool that helps you optimize your site to make it more user-friendly, more engaging, and more conversion-oriented. It does this through heatmaps and A/B testing, which allow you to see how people are interacting with your site.
    Logo for Amplitude Analytics. Amplitude Analytics provides intelligent insight into customer behavior. It offers basic functionalities like measuring conversion rate and engagement metrics and also provides more advanced tools like customer journey maps and predictive analytics capabilities through AI.

    Case Study

    		Logo for Miller & Smith.
    INDUSTRY
    Real Estate
    SOURCE
    Crazy Egg

    Heatmaps and playback recordings

    Challenge

    Miller & Smith had just redesigned their website, but the organization wanted to make sure it was user-friendly as well as visually appealing. They needed an analytics platform that could provide information about where visitors were coming from and measure the effectiveness of the marketing campaigns.

    Solution

    Miller & Smith turned to Crazy Egg to obtain visual insights and track user behavior. They used heatmaps and playback recordings to see user activity within webpages and pinpoint any issues with user interface. In just a few weeks, Miller & Smith gained valuable data to work with: the session recordings helped them understand how users were navigating the site, and the heatmaps allowed them to see where users were clicking – and what they were skipping.

    Results

    Detailed reports generated by the solution allowed Miller & Smith team to convince key stakeholders and implement the changes easily. They were able to pinpoint what changes needed to be made and why these changes would improve their experience.

    Within few weeks, the bounce rate improved by 7.5% and goal conversion increased by 8.5% over a similar period the previous year.

    Operationalizing Web Analytics Tools

    Execute initiatives for successful implementation.

    Ensure success of your web analytics programs by following five simple steps

    1. ORGANIZATIONAL GOALS

    The first key step in implementing and succeeding with web analytics tools is to set clearly defined organizational goals, e.g. improving product sales.

    3. KPI METRICS

    Define key performance indicators (KPIs) that help track the organization’s performance, e.g. number of page visits, conversion rates, bounce rates.

    5. REVIEW

    Continuous improvement is essential to succeed in understanding customers. The world is a dynamic place, and you must constantly revise your organizational goals, business objectives, and KPIs to remain competitive.

    		Centerpiece representing the five surrounding steps.

    2. BUSINESS OBJECTIVES

    The next step is to lay out business objectives that help to achieve the organization’s goals, e.g. to increase customer leads, increase customer transactions, increase web traffic.

    4. APPLICATION SELECTION

    Understand the web analytics tool space and which combination of tools and vendors best fits the organization’s goals.

    1.1 Understand your organization’s goals

    30 minutes

    Output: Organization’s goal list

    Materials: Whiteboard, Markers

    Participants: Core project team

    1. Identify the key organizational goals for both the short term and the long term.
    2. Arrange the goals in descending order of priority.

    Example table of goals ranked by priority and labeled short or long term.

    1.2 Align business objectives with organizational goals

    30 minutes

    Output: Business objectives

    Materials: Whiteboard, Markers

    Participants: Core project team

    1. Identify the key business objectives that help attain organization goals.
    2. Match each business objective with the corresponding organizational goals it helps achieve.
    3. Arrange the objectives in descending order of priority.

    Example table of business objectives ranked by priority and which organization goal they're linked to.

    Establish baseline metrics

    Baseline metrics will be improved through:

    1. Efficiently using website elements and CTA button placement
    2. Reducing friction between the landing page and end point
    3. Leveraging direct feedback from users to continuously improve customer experience

    1.3 Establish baseline metrics that you intend to improve via your web analytics tools

    30 minutes

    Example table with metrics, each with a current state and goal state.

    Accelerate your software selection project

    Vendor selection projects often demand extensive and unnecessary documentation.

    Software Selection Insight

    Balance the effort-to-information ratio required for a business impact assessment to keep stakeholders engaged. Use documentation that captures the key data points and critical requirements without taking days to complete. Stakeholders are more receptive to formal selection processes that are friction free.

    The Software Selection Workbook

    Work through the straightforward templates that tie to each phase of the Rapid Application Selection Framework, from assessing the business impact to requirements gathering.

    Sample of the Software Selection Workbook deliverable.

    The Vendor Evaluation Workbook

    Consolidate the vendor evaluation process into a single document. Easily compare vendors as you narrow the field to finalists.

    Sample of the Vendor Evaluation Workbook deliverable.

    The Guide to Software Selection: A Business Stakeholder Manual

    Quickly explain the Rapid Application Selection Framework to your team while also highlighting its benefits to stakeholders.

    Sample of the Guide to Software Selection: A Business Stakeholder Manual deliverable.

    Revisit the metrics you identified and revise your goals

    Track the post-deployment results, compare the metrics, and set new targets for the next fiscal year.

    Example table of 'Baseline Website Performance Metrics' with the column 'Revised Target' highlighted.

    Related Info-Tech Research

    Stock image of two people going over a contract. Modernize Your Corporate Website to Drive Business Value

    Drive higher user satisfaction and value through UX-driven websites.

    Stock image of a person using the cloud on their smartphone. Select and Implement a Web Experience Management Solution

    Your website is your company’s face to the world: select a best-of-breed platform to ensure you make a rock-star impression with your prospects and customers!

    Stock image of people studying analytics. Create an Effective Web Redesign Strategy

    Ninety percent of web redesign projects, executed without an effective strategy, fail to accomplish their goals.

    Bibliography

    "11 Essential Website Data Factors and What They Mean." CivicPlus, n.d. Accessed 26 July 2022.

    “Analytics Usage Distribution in the Top 1 Million Sites.” BuiltWith, 1 Nov. 2022. Accessed 26 July 2022.

    "Analytics Usage Distribution on the Entire Internet." BuiltWith, 1 Nov. 2022. Accessed 26 July 2022.

    Bell, Erica. “How Miller and Smith Used Crazy Egg to Create an Actionable Plan to Improve Website Usability.” Crazy Egg, n.d. Accessed 26 July 2022.

    Brannon, Jordan. "User Behavior Analytics | Enhance The Customer Journey." Coalition Technologies, 8 Nov 2021. Accessed 26 July 2022.

    Cardona, Mercedes. "7 Consumer Trends That Will Define The Digital Economy In 2021." Adobe Blog, 7 Dec 2020. Accessed 26 July 2022.

    “The Finer Points.“ Analytics Features. Google Marketing Platform, 2022. Accessed 26 July 2022.

    Fitzgerald, Anna. "A Beginner’s Guide to Web Analytics." HubSpot, 21 Sept 2022. Accessed 26 July 2022.

    "Form Abandonment: How to Avoid It and Increase Your Conversion Rates." Fullstory Blog, 7 April 2022. Accessed 26 July 2022.

    Fries, Dan. "Plug Sales Funnel Gaps by Identifying and Tracking Micro-Conversions." Clicky Blog, 9 Dec 2019. Accessed 7 July 2022.

    "Funnel Metrics in Saas: What to Track and How to Improve Them?" Userpilot Blog, 23 May 2022. Accessed 26 July 2022.

    Garg, Neha. "Digital Experimentation: 3 Key Steps to Building a Culture of Testing." Contentsquare, 21 June 2021. Accessed 26 July 2022.

    “Global Web Analytics Market Size, Status and Forecast 2021-2027.” 360 Research Reports, 25 Jan. 2021. Web.

    Hamilton, Stephanie. "5 Components of Successful Web Analytics." The Daily Egg, 2011. Accessed 26 July 2022.

    "Hammond, Patrick. "Step-by-Step Guide to Cohort Analysis & Reducing Churn Rate." Amplitude, 15 July 2022. Accessed 26 July 2022.

    Hawes, Carry. "What Is Session Replay? Discover User Pain Points With Session Recordings." Dynatrace, 20 Dec 2021. Accessed 26 July 2022.

    Huss, Nick. “How Many Websites Are There in the World?” Siteefy, 8 Oct. 2022. Web.

    Nelson, Hunter. "Establish Web Analytics and Conversion Tracking Foundations Using the Google Marketing Platform.” Tortoise & Hare Software, 29 Oct 2022. Accessed 26 July 2022.

    "Product Analytics Vs Product Experience Insights: What’s the Difference?" Hotjar, 14 Sept 2021. Accessed 26 July 2022.

    “Record and watch everything your visitors do." Inspectlet, n.d. Accessed 26 July 2022.

    “Ryanair: Using Web Analytics to Manage the Site’s Performance More Effectively and Improve Profitability." AT Internet, 1 April 2020. Accessed 26 July 2022.

    Sibor, Vojtech. "Introducing Cross-Platform Analytics.” Smartlook Blog, 5 Nov 2022. Accessed 26 July 2022.

    "Visualize Visitor Journeys Through Funnels.” VWO, n.d. Accessed 26 July 2022.

    "Web Analytics Market Share – Growth, Trends, COVID-19 Impact, and Forecasts (2022-2027)." Mordor Intelligence, 2022. Accessed 26 July 2022.

    “What is the Best Heatmap Tool for Real Results?” Crazy Egg, 27 April 2020. Web.

    "What Is Visitor Behavior Analysis?" VWO, 2022. Accessed 26 July 2022.

    Zheng, Jack G., and Svetlana Peltsverger. “Web Analytics Overview.” IGI Global, 2015. Accessed 26 July 2022.

    Marketing Management Suite Software Selection Guide

    • Buy Link or Shortcode: {j2store}552|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Marketing Solutions
    • Parent Category Link: /marketing-solutions
    • Selecting and implementing the right MMS platform – one that aligns with your requirements is a significant undertaking.
    • Despite the importance of selecting and implementing the right MMS platform, many organizations struggle to define an approach to picking the most appropriate vendor and rolling out the solution in an effective and cost-efficient manner.
    • IT often finds itself in the unenviable position of taking the fall for an MMS platform that doesn’t deliver on the promise of the MMS strategy.

    Our Advice

    Critical Insight

    • MMS platform selection must be driven by your overall customer experience management strategy. Link your MMS selection to your organization’s CXM framework.
    • Determine what exactly you require from your MMS platform; leverage use cases to help guide selection.
    • Ensure strong points of integration between your MMS and other software such as CRM and POS. Your MMS solution should not live in isolation; it must be part of a wider ecosystem.

    Impact and Result

    • An MMS platform that effectively meets business needs and delivers value.
    • Reduced costs during MMS vendor platform selection and faster time to results after implementation.

    Marketing Management Suite Software Selection Guide Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Marketing Management Suite Software Selection Guide – A deck that walks you through the process of building your business case and selecting the proper MMS platform.

    This blueprint will help you build a business case for selecting the right MMS platform, define key requirements, and conduct a thorough analysis and scan of the current state of the ever-evolving MMS market space.

    • Marketing Management Suite Software Selection Guide Storyboard
    [infographic]

    Further reading

    Marketing Management Suite Software Selection Guide

    Streamline your organizational approach to selecting a right-sized marketing management platform.

    Analyst perspective

    A robustly configured and comprehensive MMS platform is a crucial ingredient to help kick-start your organization's cross-channel and multichannel marketing management initiatives.

    Modern marketing management suites (MMS) are imperative given today's complex, multitiered, and often non-standardized marketing processes. Relying on isolated methods such as lead generation or email marketing techniques for executing key cross-channel and multichannel marketing initiatives is not enough to handle the complexity of contemporary marketing management activities.

    Organizations need to invest in highly customizable and functionally extensive MMS platforms to provide value alongside the marketing value chain and a 360-degree view of the consumer's marketing journey. IT needs to be rigorously involved with the sourcing and implementation of the new MMS tool, and the necessary business units also need to own the requirements and be involved from the initial stages of software selection.

    To succeed with MMS implementation, consider drafting a detailed roadmap that outlines milestone activities for configuration, security, points of integration, and data migration capabilities and provides for ongoing application maintenance and support.

    This is a picture of Yaz Palanichamy

    Yaz Palanichamy
    Senior Research Analyst, Customer Experience Strategy
    Info-Tech Research Group

    Executive summary

    Your Challenge

    • Many organizations struggle with taking a systematic and structured approach to selecting a right-sized marketing management suite (MMS) – an indispensable part of managing an organization's specific and nuanced marketing management needs.
    • Organizations must define a clear-cut strategic approach to investing in a new MMS platform. Exercising the appropriate selection and implementation rigor for a right-sized MMS tool is a critical step in delivering concrete business value to sustain various marketing value chains across the organization.

    Common Obstacles

    • An MMS vendor that is not well aligned to marketing requirements wastes resources and causes an endless cascade of end-user frustration.
    • The MMS market is rapidly evolving, making it difficult for vendors to retain a competitive foothold in the space.
    • IT managers and/or marketing professionals often find themselves in the unenviable position of taking the fall for MMS platforms that fail to deliver on the promise of the overarching marketing management strategy.

    Info-Tech's Approach

    • MMS platform selection must be driven by your overall marketing management strategy. Email marketing techniques, social marketing, and/or lead management strategies are often not enough to satisfy the more sophisticated use cases demanded by increasingly complex customer segmentation levels.
    • For organizations with a large audience or varied product offerings, a well-integrated MMS platform enables the management of various complex campaigns across many channels, product lines, customer segments, and marketing groups throughout the enterprise.

    Info-Tech Insight

    IT must collaborate with marketing professionals and other key stakeholder groups to define a unified vision and holistic outlook for a right-sized MMS platform.

    Info-Tech's methodology for selecting a right-sized marketing management suite platform

    1. Understand Core MMS Features

    2. Build the Business Case & Streamline Requirements

    3. Discover the MMS Market Space & Prepare for Implementation

    Phase Steps

    1. Define MMS Platforms
    2. Classify Table Stakes & Differentiating Capabilities
    3. Explore Trends
    1. Build the Business Case
    2. Streamline the Requirements Elicitation Process for a New MMS Platform
    3. Develop an Inclusive RFP Approach
    1. Discover Key Players in the Vendor Landscape
    2. Engage the Shortlist & Select Finalist
    3. Prepare for Implementation

    Phase Outcomes

    1. Consensus on scope of MMS and key MMS platform capabilities
    1. MMS platform selection business case
    2. Top-level use cases and requirements
    3. Procurement vehicle best practices
    1. Market analysis of MMS platforms
    2. Overview of shortlisted vendors
    3. Implementation considerations

    Guided Implementation

    What does a typical GI on this topic look like?

    Phase 1 Phase 2 Phase 3

    Call #1: Understand what a marketing management suite is. Discuss core capabilities and key trends.

    Call #2: Build the business case
    to select a right-sized MMS.

    Call #3: Define your core
    MMS requirements.

    Call #4: Build and sustain procurement vehicle best practices.

    Call #5: Evaluate the MMS vendor landscape and short-list viable options.


    Call #6: Review implementation considerations.

    A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

    The MMS procurement process should be broken into segments:

    1. Create a vendor shortlist using this buyer's guide.
    2. Define a structured approach to selection.
    3. Review the contract.

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    “Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.”

    Guided Implementation

    “Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.”

    Workshop

    “We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.”

    Consulting

    “Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”

    Diagnostics and consistent frameworks used throughout all four options

    EXECUTIVE BRIEF

    What are marketing management suite platforms?

    Our Definition: Marketing management suite (MMS) platforms are core enterprise applications that provide a unified set of marketing processes for a given organization and, typically, the capability to coordinate key cross-channel marketing initiatives.

    Key product capabilities for sophisticated MMS platforms include but are not limited to:

    • Email marketing
    • Lead nurturing
    • Social media management
    • Content curation and distribution
    • Marketing reporting and analytics
    • Consistent brand messaging

    Using a robust and comprehensive MMS platform equips marketers with the appropriate tools needed to make more informed decisions around campaign execution, resulting in better targeting, acquisition, and customer retention initiatives. Moreover, such tools can help bolster effective revenue generation and ensure more viable growth initiatives for future marketing growth enablement strategies.

    Info-Tech Insight

    Feature sets are rapidly evolving over time as MMS offerings continue to proliferate in this market space. Ensure that you focus on core components such as customer conversion rates and new lead captures through maintaining well- integrated multichannel campaigns.

    Marketing Management Suite Software Selection Buyer's Guide

    Info-Tech Insight

    A right-sized MMS software selection and procurement decision should involve comprehensive requirements and needs analysis by not just Marketing but also other organizational units such as IT, in conjunction with input suppled from the internal vendor procurement team.

    MMS Software Selection & Vendor Procurement Journey. The three main steps are: Envision the Art of the Possible; Elicit Granular Requirements; Contextualize the MMS Vendor Market Space

    Phase 1

    Understand Core MMS Features

    Phase 1

    Phase 2

    Phase 3

    1.1 Define MMS Platforms

    1.2 Classify Table Stakes & Differentiating Capabilities

    1.3 Explore Trends

    2.1 Build the Business Case

    2.2 Streamline Requirements Elicitation

    2.3 Develop an Inclusive RFP Approach

    3.1 Discover Key Players in the Vendor Landscape

    3.2 Engage the Shortlist & Select Finalist

    3.3 Prepare for Implementation

    This phase will walk you through the following activities:

    • Level-set an understanding of MMS technology.
    • Define which MMS features are table stakes (standard) and which are key differentiating functionalities.
    • Identify the art of the possible in a modern MMS platform from sales, marketing, and service lenses.

    This phase involves the following participants:

    • CMO
    • Digital Marketing Project Manager
    • Marketing Data Analytics Analyst
    • Marketing Management Executive

    What are marketing management suite platforms?

    Our Definition: Marketing management suite (MMS) platforms are core enterprise applications that provide a unified set of marketing processes for a given organization and, typically, the capability to coordinate key cross-channel marketing initiatives.

    Key product capabilities for sophisticated MMS platforms include but are not limited to:

    • Email marketing
    • Lead nurturing
    • Social media management
    • Content curation and distribution
    • Marketing reporting and analytics
    • Consistent brand messaging

    Using a robust and comprehensive MMS platform equips marketers with the appropriate tools needed to make more informed decisions around campaign execution, resulting in better targeting, acquisition, and customer retention initiatives. Moreover, such tools can help bolster effective revenue generation and ensure more viable growth initiatives for future marketing growth enablement strategies.

    Info-Tech Insight

    Feature sets are rapidly evolving over time as MMS offerings continue to proliferate in this market space. Ensure that you focus on core components such as customer conversion rates and new lead captures through maintaining well- integrated multichannel campaigns.

    Marketing through the ages

    Tracing the foundational origins of marketing management practices

    Initial traction for marketing management strategies began with the need to holistically understand the effects of advertising efforts and how the media mix could be best optimized.

    1902

    		1920s-1930s

    1942

    1952-1964

    1970s-1990s

    Recognizing the increasing need for focused and professional marketing efforts, the University of Pennsylvania offers the first marketing course, dubbed "The Marketing of Products."

    As broadcast media began to peak, marketers needed to manage a greater number of complex and interspersed marketing channels.

    The introduction of television ads in 1942 offered new opportunities for brands to reach consumers across a growing media landscape. To generate the highest ROI, marketers sought to understand the consumer and focus on more tailored messaging and product personalization. Thus, modern marketing practices were born.

    Following the introduction of broadcast media, marketers had to develop strategies beyond traditional spray-and-pray methods. The first modern marketing measurement concept, "marketing mix," was conceptualized in 1952 and popularized in 1964 by Neil Borden.

    This period marked the digital revolution and the new era of marketing. With the advent of new communications technology and the modern internet, marketing management strategies reached new heights of sophistication. During the early 1990s, search engines emerged to help users navigate the web, leading to early forms of search engine optimization and advertising.

    Where it's going: the future state of marketing management

    1. Increasing Complexity Driving Consumer Purchasing Decisions
      • "The main complexity is dealing with the increasing product variety and changing consumer demands, which is forcing marketers to abandon undifferentiated marketing strategies and even niche marketing strategies and to adopt a mass customization process interacting one-to-one with their customers." – Complexity, 2019
    2. Consumers Seeking More Tailored Brand Personalization
      • Financial Services marketers lead all other industries in AI application adoption, with 37% currently using them (Salesforce, 2019).
    3. The Inclusion of More AI-Enabled Marketing Strategies
      • According to a 2022 Nostro report, 70% of consumers say it is important that brands continue to offer personalized consumer experiences.
    4. Green Marketing
      • Recent studies have shown that up to 80% of all consumers are interested in green marketing strategies (Marketing Schools, 2020).

    Marketing management by the numbers

    Key trends

    6%

    As a continuously growing discipline, marketing management roles are predicted to grow faster than average, at a rate of 6% over the next decade.

    Source: U.S. Bureau of Labor Statistics, 2021

    17%

    While many marketing management vendors offer A/B testing, only 17% of marketers are actively using A/B testing on landing pages to increase conversion rates.

    Source: Oracle, 2022

    70%

    It is imperative that technology and SaaS companies begin to use marketing automation as a core component of their martech strategy to remain competitive. About 70% of technology and SaaS companies are employing integrated martech tools.

    Source: American Marketing Association, 2021

    Understand MMS table stakes features

    Organizations can expect nearly all MMS vendors to provide the following functionality

    Email Marketing

    Lead Nurturing

    Reporting, Analytics, and Marketing KPIs

    Marketing Campaign Management

    Integrational Catalog

    The use of email alongside marketing efforts to promote a business' products and services. Email marketing can be a powerful tool to maintain connections with your audience and ensure sustained brand promotion.

    The process of developing and nurturing relationships with key customer contacts at every major touchpoint in their customer journey. MMS platforms can use automated lead-nurturing functions that are triggered by customer behavior.

    The use of well-defined metrics to help curate, gather, and analyze marketing data to help track performance and improve the marketing department's future marketing decisions and strategies.

    Tools needed for the planning, execution, tracking, and analysis of direct marketing campaigns. Such tools are needed to help gauge your buyers' sentiments toward your company's product offerings and services.

    MMS platforms should generally have a comprehensive open API/integration catalog. Most MMS platforms should have dedicated integration points to interface with various tools across the marketing landscape (e.g. social media, email, SEO, CRM, CMS tools, etc.).

    Identify differentiating MMS features

    While not always deemed must-have functionality, these features may be the deciding factor when choosing between two MMS-focused vendors.

    Digital Asset Management (DAM)

    A DAM can help manage digital media asset files (e.g. photos, audio files, video).

    Customer Data Management

    Customer data management modules help your organization track essential customer information to maximize your marketing results.

    Text-Based Marketing

    Text-based marketing strategy is ideal for any organization primarily focused on coordinating structured and efficient marketing campaigns.

    Customer
    Journey Orchestration

    Customer journey orchestration enables users to orchestrate customer conversations and journeys across the entire marketing value chain.

    AI-Driven Workflows

    AI-powered workflows can help eliminate complexities and allow marketers to automate and optimize tasks across the marketing spectrum.

    Dynamic Segmentation

    Dynamic segmentation to target audience cohorts based on recent actions and stated preferences.

    Advanced Email Marketing

    These include capabilities such as A/B testing, spam filter testing, and detailed performance reporting.

    Ensure you understand the art of the possible across the MMS landscape

    Understanding the trending feature sets that encompass the broader MMS vendor landscape will best equip your organization with the knowledge needed to effectively match today's MMS platforms with your organization's marketing requirements.

    Holistically examine the potential of any MMS solution through three main lenses:

    Data-Driven
    Digital Advertising

    Adapt innovative techniques such as conversational marketing to help collect, analyze, and synthesize crucial audience information to improve the customer marketing experience and pre-screen prospects in a more conscientious manner.

    Next Best Action Marketing

    Next best action marketing (NBAM) is a customer-centric paradigm/marketing technique designed to capture specific information about customers and their individual preferences. Predicting customers' future actions by understanding their intent during their purchasing decisions stage will help improve conversion rates.

    AI-Driven Customer
    Segmentation

    The use of inclusive and innovative AI-based forecast modeling techniques can help more accurately analyze customer data to create more targeted segments. As such, marketing messages will be more accurately tailored to the customer that is reading them.

    Art of the possible: data-driven digital advertising

    CONVERSATIONAL MARKETING INTELLIGENCE

    Are you curious about the measures needed to boost engagement among your client base and other primary target audience groups? Conversational marketing intelligence metrics can help collect and disseminate key descriptive data points across a broader range of audience information.

    AI-DRIVEN CONVERSATIONAL MARKETING DEVICES

    Certain social media channels (e.g. LinkedIn and Facebook) like to take advantage of click-to-Messenger-style applications to help drive meaningful conversations with customers and learn more about their buying preferences. In addition, AI-driven chatbot applications can help the organization glean important information about the customer's persona by asking probing questions about their marketing purchase behaviors and preferences.

    METAVERSE- DRIVEN BRANDING AND ADVERTISING

    One of the newest phenomena in data-driven marketing technology and digital advertising techniques is the metaverse, where users can represent themselves and their brand via virtual avatars to further gamify their marketing strategies. Moreover, brands can create immersive experiences and engage with influencers and established communities and collect a wealth of information about their audience that can help drive customer retention and loyalty.

    Case study

    This is the logos for Gucci and Roblox.

    Metaverse marketing extends the potential for commercial brand development and representation: a deep dive into Gucci's metaverse practice

    INDUSTRY: Luxury Goods Apparel
    SOURCE: Vogue Business

    Challenge

    Beginning with a small, family-owned leather shop known as House of Gucci in Florence, Italy, businessman and fashion designer Guccio Gucci sold saddles, leather bags, and other accessories to horsemen during the 1920s. Over the years, Gucci's offerings have grown to include various other personal luxury goods.

    As consumer preferences have evolved over time, particularly with the younger generation, Gucci's professional marketing teams looked to invest in virtual technology environments to help build and sustain better brand awareness among younger consumer audiences.

    Solution

    In response to the increasing presence of metaverse-savvy gamers on the internet, Gucci began investing in developing its online metaverse presence to bolster its commercial marketing brand there.

    A recent collaboration with Roblox, an online gaming platform that offers virtual experiences, provided Gucci the means to showcase its fashion items using the Gucci Garden – a virtual art installation project for Generation Z consumers, powered by Roblox's VR technology. The Gucci Garden virtual system featured a French-styled garden environment where players could try on and buy Gucci virtual fashion items to dress up their blank avatars.

    Results

    Gucci's disruptive, innovative metaverse marketing campaign project with Roblox is proof of its commitment to tapping new marketing growth channels to showcase the brand to engage new and prospective consumers (e.g. Roblox's player base) across more unique sandboxed/simulation environments.

    The freedom and flexibility in the metaverse environments allows brands such as Gucci to execute a more flexible digital marketing approach and enables them to take advantage of innovative metaverse-driven technologies in the market to further drive their data-driven digital marketing campaigns.

    Art of the possible: next best action marketing (NBAM)

    NEXT BEST ACTION PREDICTIVE MODELING

    To improve conversion propensity, next best action techniques can use predictive modeling methods to help build a dynamic overview of the customer journey. With information sourced from actionable marketing intelligence data, MMS platforms can use NBAM techniques to identify customer needs based on their buying behavior, social media interactions, and other insights to determine what unique set of actions should be taken for each customer.

    MACHINE LEARNING–BASED RECOMMENDER SYSTEMS

    Rules-based recommender systems can help assign probabilities of purchasing behaviors based on the patterns in touchpoints of a customer's journey and interaction with your brand. For instance, a large grocery chain company such as Walmart or Whole Foods will use ML-based recommender systems to decide what coupons they should offer to their customers based on their purchasing history.

    Art of the possible: AI-driven customer segmentation

    MACHINE/DEEP LEARNING (ML/DL) ALGORITHMS

    The inclusion of AI in data analytics helps make customer targeting more accurate
    and meaningful. Organizations can analyze customer data more thoroughly and generate in-depth contextual and descriptive information about the targeted segments. In addition, they can use this information to automate the personalization of marketing campaigns for a specific target audience group.

    UNDERSTANDING CUSTOMER SENTIMENTS

    To greatly benefit from AI-powered customer segmentation, organizations must deploy specialized custom AI solutions to help organize qualitative comments into quantitative data. This approach requires companies to use custom AI models and tools that will analyze customer sentiments and experiences based on data extracted from various touchpoints (e.g. CRM systems, emails, chatbot logs).

    Phase 2

    Build the Business Case and Streamline Requirements

    Phase 1

    Phase 2

    Phase 3

    1.1 Define MMS Platforms

    1.2 Classify Table Stakes & Differentiating Capabilities

    1.3 Explore Trends

    2.1 Build the Business Case

    2.2 Streamline Requirements Elicitation

    2.3 Develop an Inclusive RFP Approach

    3.1 Discover Key Players in the Vendor Landscape

    3.2 Engage the Shortlist & Select Finalist

    3.3 Prepare for Implementation

    This phase will walk you through the following activities:

    • Define and build the business case for the selection of a right-sized MMS platform.
    • Elicit and prioritize granular requirements for your MMS platform.

    This phase involves the following participants:

    • CMO
    • Technical Marketing Analyst
    • Digital Marketing Project Manager
    • Marketing Data Analytics Analyst
    • Marketing Management Executive

    Software Selection Engagement

    5 Advisory Calls over a 5-Week Period to Accelerate Your Selection Process

    Expert analyst guidance over 5 weeks on average to select software and negotiate with the vendor.

    Save money, align stakeholders, speed up the process and make better decisions.

    Use a repeatable, formal methodology to improve your application selection process.

    Better, faster results, guaranteed, included in your membership.

    This is an image of the plan for five advisory calls over a five-week period.

    CLICK HERE to book your Selection Engagement

    Elicit and prioritize granular requirements for your marketing management suite (MMS) platform

    Understanding business needs through requirements gathering is the key to defining everything you need from your software. However, it is an area where people often make critical mistakes.

    Poorly scoped requirements

    Best practices

    • Fail to be comprehensive and miss certain areas of scope.
    • Focus on how the solution should work instead of what it must accomplish.
    • Have multiple levels of detail within the requirements, causing inconsistency and confusion.
    • Drill all the way down to system-level detail.
    • Add unnecessary constraints based on what is done today rather than focusing on what is needed for tomorrow.
    • Omit constraints or preferences that buyers think are obvious.
    • Get a clear understanding of what the system needs to do and what it is expected to produce.
    • Test against the principle of MECE – requirements should be "mutually exclusive and collectively exhaustive."
    • Explicitly state the obvious and assume nothing.
    • Investigate what is sold on the market and how it is sold. Use language that is consistent with that of the market and focus on key differentiators – not table stakes.
    • Contain the appropriate level of detail – the level should be suitable for procurement and sufficient for differentiating vendors.

    Info-Tech Insight
    Poor requirements are the number one reason projects fail. Review Info-Tech's Improve Requirements Gathering blueprint to learn how to improve your requirements analysis and get results that truly satisfy stakeholder needs.

    Info-Tech's approach

    Develop an inclusive and thorough approach to the RFP process

    Identity Need; Define Business requirements; Gain Business Authorization; Perform RFI/RFP; Negotiate Agreement; Purchase Goods and Services; Assess and Measure Performance.

    Info-Tech Insight

    Review Info-Tech's process and understand how you can prevent your organization from leaking negotiation leverage while preventing vendors from taking control of your RFP.

    The Info-Tech difference:

    1. The secret to managing an RFP is to make it as manageable and as thorough as possible. The RFP process should be like any other aspect of business – by developing a standard process. With a process in place, you are better able to handle whatever comes your way, because you know the steps you need to follow to produce a top-notch RFP.
    2. The business then identifies the need for more information about a product/service or determines that a purchase is required.
    3. A team of stakeholders from each area impacted gather all business, technical, legal, and risk requirements. What are the expectations of the vendor relationship post-RFP? How will the vendors be evaluated?
    4. Based on the predetermined requirements, either an RFI or an RFP is issued to vendors with a due date.

    Leverage Info-Tech's Contract Review Service to level the playing field with your shortlisted vendors

    You may be faced with multiple products, services, master service agreements, licensing models, service agreements, and more.
    Use Info-Tech's Contract Review Service to gain insights on your agreements:

    1. Are all key terms included?
    2. Are they applicable to your business?
    3. Can you trust that results will be delivered?
    4. What questions should you be asking from an IT perspective?

    Validate that a contract meets IT's and the business' needs by looking beyond the legal terminology. Use a practical set of questions, rules, and guidance to improve your value for dollar spent.

    This is an image of three screenshots from Info-Tech's Contract Review Service.

    CLICK to BOOK The Contract Review Service

    CLICK to DOWNLOAD Master Contract Review and Negotiation for Software Agreements

    Phase 3

    Discover the MMS Market Space and Prepare for Implementation

    Phase 1

    Phase 2

    Phase 3

    1.1 Define MMS Platforms

    1.2 Classify Table Stakes & Differentiating Capabilities

    1.3 Explore Trends

    2.1 Build the Business Case

    2.2 Streamline Requirements Elicitation

    2.3 Develop an Inclusive RFP Approach

    3.1 Discover Key Players in the Vendor Landscape

    3.2 Engage the Shortlist & Select Finalist

    3.3 Prepare for Implementation

    This phase will walk you through the following activities:

    • Dive into the key players of the MMS vendor landscape.
    • Understand best practices for building a vendor shortlist.
    • Understand key implementation considerations for MMS.

    This phase involves the following participants:

    • CMO
    • Marketing Management Executive
    • Applications Manager
    • Digital Marketing Project Manager
    • Sales Executive
    • Vendor Outreach and Partnerships Manager

    Review your use cases to start your shortlist

    Your Info-Tech analysts can help you narrow down the list of vendors that will meet your requirements.

    Next steps will include:

    1. Reviewing your requirements.
    2. Checking out SoftwareReviews.
    3. Shortlisting your vendors.
    4. Conducting demos and detailed proposal reviews.
    5. Selecting and contracting with a finalist!

    Get to know the key players in the MMS landscape

    The following slides provide a top-level overview of the popular players you will encounter in your MMS shortlisting process.

    This is a series of images of the logos for the companies which will be discussed later in this blueprint.

    Evaluate software category leaders through vendor rankings and awards

    SoftwareReviews

    This is an image of two screenshots from the Data Quadrant Report.

    The Data Quadrant is a thorough evaluation and ranking of all software in an individual category to compare platforms across multiple dimensions.

    Vendors are ranked by their Composite Score, based on individual feature evaluations, user satisfaction rankings, vendor capability comparisons, and likeliness to recommend the platform.

    This is an image of two screenshots from the Emotional Footprint Report.

    The Emotional Footprint is a powerful indicator of overall user sentiment toward the relationship with the vendor, capturing data across five dimensions.

    Vendors are ranked by their Customer Experience (CX) Score, which combines the overall Emotional Footprint rating with a measure of the value delivered by the solution.

    Speak with category experts to dive deeper into the vendor landscape

    SoftwareReviews

    • Fact-based reviews of business software from IT professionals.
    • Product and category reports with state-of-the-art data visualization.
    • Top-tier data quality backed by a rigorous quality assurance process.
    • User-experience insight that reveals the intangibles of working with a vendor.

    CLICK HERE to ACCESS

    Comprehensive software reviews
    to make better IT decisions

    We collect and analyze the most detailed reviews on enterprise software from real users to give you an unprecedented view into the product and vendor before you buy.

    SoftwareReviews is powered by Info-Tech

    Technology coverage is a priority for Info-Tech, and SoftwareReviews provides the most comprehensive unbiased data on today's technology. Combined with the insight of our expert analysts, our members receive unparalleled support in their buying journey.

    SoftwareReviews' Enterprise MMS Rankings

    Strengths:

    • Advanced Campaign Management
    • Email Marketing Automation
    • Multichannel Integration

    Areas to Improve:

    • Mobile Marketing Management
    • Advanced Data Segmentation
    • Pricing Sensitivity and Implementation Support Model

    This is an image of SoftwareReviews analysis for Adobe Experience Cloud.

    history

    This is the Logo for Adobe Experience Cloud

    "Adobe Experience Cloud (AEC), formerly Adobe Marketing Cloud (AMC), provides a host of innovative multichannel analytics, social, advertising, media optimization, and content management products (just to name a few). The Adobe Marketing Cloud package allows users with valid subscriptions to download the entire collection and use it directly on their computer with open access to online updates. Organizations that have a deeply ingrained Adobe footprint and have already reaped the benefits of Adobe's existing portfolio of cloud services products (e.g. Adobe Creative Cloud) will find the AEC suite a functionally robust and scalable fit for their marketing management and marketing automation needs.

    However, it is important to note that AEC's pricing model is expensive when compared to other competitors in the space (e.g. Sugar Market) and, therefore, is not as affordable for smaller or mid-sized organizations. Moreover, there is the expectation of a learning curve with the AEC platform. Newly onboarded users will need to spend some time learning how to navigate and work comfortably with AEC's marketing automaton modules. "
    - Yaz Palanichamy
    Senior Research Analyst, Info-Tech Research Group

    Adobe Experience Cloud Platform pricing is opaque.
    Request a demo.*

    *Info-Tech recommends reaching out to the vendor's internal sales management team for explicit details on individual pricing plans for the Adobe Marketing Cloud suite.

    2021

    Adobe Experience Platform Launch is integrated into the Adobe Experience Platform as a suite of data collection technologies (Experience League, Adobe).

    November 2020

    Adobe announces that it will spend $1.5 billion to acquire Workfront, a provider of marketing collaboration software (TechTarget, 2020).

    September 2018

    Adobe acquires marketing automation software company Marketo (CNBC, 2018).

    June 2018

    Adobe buys e-commerce services provider Magento Commerce from private equity firm Permira for $1.68 billion (TechCrunch, 2018).

    2011

    Adobe acquires DemDex, Inc. with the intention of adding DemDex's audience-optimization software to the Adobe Online Marketing Suite (Adobe News, 2011).

    2009

    Adobe acquires online marketing and web analytics company Omniture for $1.8 billion and integrates its products into the Adobe Marketing Cloud (Zippia, 2022).

    Adobe platform launches in December 1982.

    SoftwareReviews' Enterprise MMS Rankings

    Strengths:

    • Marketing Workflow Management
    • Advanced Data Segmentation
    • Marketing Operations Management

    Areas to Improve:

    • Email Marketing Automation
    • Marketing Asset Management
    • Process of Creating and/or Managing Marketing Lists

    This is an image of SoftwareReviews analysis for Dynamics 365

    history

    This is the logo for Dynamics 365

    2021

    Microsoft Dynamics 365 suite adds customer journey orchestration as a viable key feature (Tech Target, 2021)

    2019

    Microsoft begins adding to its Dynamics 365 suite in April 2019 with new functionalities such as virtual agents, fraud detection, new mixed reality (Microsoft Dynamics 365 Blog, 2019).

    2017

    Adobe and Microsoft expand key partnership between Adobe Experience Manager and Dynamics 365 integration (TechCrunch, 2017).

    2016

    Microsoft Dynamics CRM paid seats begin growing steadily at more than 2.5x year-over-year (TechCrunch, 2016).

    2016

    On-premises application, called Dynamics 365 Customer Engagement, contains the Dynamics 365 Marketing Management platform (Learn Microsoft, 2023).

    Microsoft Dynamics 365 product suite is released on November 1, 2016.

    "Microsoft Dynamics 365 for Marketing remains a viable option for organizations that require a range of innovative MMS tools that can provide a wealth of functional capabilities (e.g. AI-powered analytics to create targeted segments, A/B testing, personalizing engagement for each customer). Moreover, Microsoft Dynamics 365 for Marketing offers trial options to sandbox their platform for free for 30 days to help users familiarize themselves with the software before buying into the product suite.

    However, ensure that you have the time to effectively train users on implementing the MS Dynamics 365 platform. The platform does not score high on customizability in SoftwareReviews reports. Developers have only a limited ability to modify the core UI, so organizations need to be fully equipped with the knowledge needed to successfully navigate MS-based applications to take full advantage of the platform. For organizations deep in the Microsoft stack, D365 Marketing is a compelling option."
    Yaz Palanichamy
    Senior Research Analyst, Info-Tech Research Group

    Dynamics 365
    Marketing

    Dynamics 365
    Marketing (Attachment)

    • Starts from $1,500 per tenant/month*
    • Includes 10,000 contacts, 100,000 interactions, and 1,000 SMS messages
    • For organizations without any other Dynamics 365 application
    • Starts from $750 per tenant/month*
    • Includes 10,000 contacts, 100,000 interactions, and 1,000 SMS messages
    • For organizations with a qualifying Dynamics 365 application

    * Pricing correct as of October 2022. Listed in USD and absent discounts. See pricing on vendor's website for latest information.

    SoftwareReviews' Enterprise MMS Rankings

    Strengths:

    • Marketing Analytics
    • Marketing Workflow Management
    • Lead Nurturing

    Areas to Improve:

    • Advanced Campaign Management
    • Email Marketing Automation
    • Marketing Segmentation

    This is an image of SoftwareReviews analysis for HubSpot

    history

    This is an image of the Logo for HubSpot

    2022

    HubSpot Marketing Hub releases Campaigns 2.0 module for its Marketing Hub platform (HubSpot, 2022).

    2018


    HubSpot announces the launch of its Marketing Hub Starter platform, a new offering that aims to give growing teams the tools they need to start marketing right (HubSpot Company News, 2018).

    2014

    HubSpot celebrates its first initial public offering on the NYSE market (HubSpot Company News, 2014).

    2013

    HubSpot opens its first international office location in Dublin, Ireland
    (HubSpot News, 2013).

    2010

    Brian Halligan and Dharmesh Shah write "Inbound Marketing," a seminal book that focuses on inbound marketing principles (HubSpot, n.d.).

    HubSpot opens for business in Cambridge, MA, USA, in 2005.

    "HubSpot's Marketing Hub software ranks consistently high in scores across SoftwareReviews reports and remains a strong choice for organizations that want to run successful inbound marketing campaigns that make customers interested and engaged with their business. HubSpot Marketing Hub employs comprehensive feature sets, including the option to streamline ad tracking and management, perform various audience segmentation techniques, and build personalized and automated marketing campaigns.

    However, SoftwareReviews reports indicate end users are concerned that HubSpot Marketing Hub's platform may be slightly overpriced in recent years and not cost effective for smaller and mid-sized companies that are working with a limited budget. Moreover, when it comes to mobile user accessibility reports, HubSpot's Marketing Hub does not directly offer data usage reports in relation to how mobile users navigate various web pages on the customer's website."
    Yaz Palanichamy
    Senior Research Analyst, Info-Tech Research Group

    HubSpot Marketing Hub (Starter Package)

    HubSpot Marketing Hub (Professional Package)

    HubSpot Marketing Hub (Enterprise Package)

    • Starts from $50/month*
    • Includes 1,000 marketing contacts
    • All non-marketing contacts are free, up to a limit of 15 million overall contacts (marketing contacts + non-marketing contracts)
    • Starts from $890/month*
    • Includes 2,000 marketing contacts
    • Onboarding is required for a one-time fee of $3,000
    • Starts from $3600/month*
    • Includes 10,000 marketing contacts
    • Onboarding is required for a one-time fee of $6,000

    *Pricing correct as of October 2022. Listed in USD and absent discounts.
    See pricing on vendor's website for latest information.

    SoftwareReviews' Enterprise MMS Rankings

    Strengths:

    • Email Marketing Automation
    • Customer Journey Mapping
    • Contacts Management

    Areas to Improve:

    • Pricing Model Flexibility
    • Integrational API Support
    • Antiquated UI/CX Design Elements

    This is an image of SoftwareReviews analysis for Maropost

    history

    This is an image of the Logo for MAROPOST Marketing Cloud

    2022

    Maropost acquires Retail Express, leading retail POS software in Australia for $55M (PRWire, 2022).

    2018


    Maropost develops innovative product feature updates to its marketing cloud platform (e.g. automated social campaign management, event segmentation for mobile apps) (Maropost, 2019).

    2015

    US-based communications organization Success selects Maropost Marketing Cloud for marketing automation use cases (Apps Run The World, 2015).

    2017

    Maropost is on track to become one of Toronto's fastest-growing companies, generating $30M in annual revenue (MarTech Series, 2017).

    2015

    Maropost is ranked as a "High Performer" in the Email Marketing category in a G2 Crowd Grid Report (VentureBeat, 2015).

    Maropost is founded in 2011 as a customer-centric ESP platform.

    Maropost Marketing Cloud – Essential

    Maropost
    Marketing Cloud –Professional

    Maropost
    Marketing Cloud –Enterprise

    • Starts from $279/month*
    • Includes baseline features such as email campaigns, A/B campaigns, transactional emails, etc.
    • Starts from $849/month*
    • Includes additional system functionalities of interest (e.g. mobile keywords, more journeys for marketing automation use cases)
    • Starts from $1,699/month*
    • Includes unlimited number of journeys
    • Upper limit for custom contact fields is increased by 100-150

    *Pricing correct as of October 2022. Listed in USD and absent discounts.
    See pricing on vendor's website for latest information.

    SoftwareReviews' Enterprise MMS Rankings

    Strengths:

    • Advanced Data Segmentation
    • Marketing Analytics
    • Multichannel Integration

    Areas to Improve:

    • Marketing Operations
      Management
    • Marketing Asset Management
    • Community Marketing Management

    This is an image of SoftwareReviews analysis for Oracle Marketing Cloud.

    history

    This is an image of the Logo for Oracle Marketing Cloud

    2021

    New advanced intelligence capabilities within Oracle Eloqua Marketing Automation help deliver more targeted and personalized messages (Oracle, Marketing Automation documentation).

    2015


    Oracle revamps its marketing cloud with new feature sets, including Oracle ID Graph for cross-platform identification of customers, AppCloud Connect, etc. (Forbes, 2015).

    2014

    Oracle announces the launch of the Oracle Marketing Cloud (TechCrunch, 2014).

    2005

    Oracle acquires PeopleSoft, a company that produces human resource management systems, in 2005 for $10.3B (The Economic Times, 2016).

    1982

    Oracle becomes the first company to sell relational database management software (RDBMS). In 1982 it has revenue of $2.5M (Encyclopedia.com).

    Relational Software, Inc (RSI) – later renamed Oracle Corporation – is founded in 1977.

    "Oracle Marketing Cloud offers a comprehensive interwoven and integrated marketing management solution that can help end users launch cross-channel marketing programs and unify all prospect and customer marketing signals within one singular view. Oracle Marketing Cloud ranks consistently high across our SoftwareReviews reports and sustains top scores in overall customer experience rankings at a factor of 9.0. The emotional sentiment of users interacting with Oracle Marketing Cloud is also highly favorable, with Oracle's Emotional Footprint score at +93.

    Users should be aware that some of the reporting mechanisms and report-generation capabilities may not be as mature as those of some of its competitors in the MMS space (e.g. Salesforce, Adobe). Data exportability also presents a challenge in Oracle Marketing Cloud and requires a lot of internal tweaking between end users of the system to function properly. Finally, pricing sensitivity may be a concern for small and mid-sized organizations who may find Oracle's higher-tiered pricing plans to be out of reach. "
    Yaz Palanichamy
    Senior Research Analyst, Info-Tech Research Group

    Oracle Marketing Cloud pricing is opaque.
    Request a demo.*

    *Info-Tech recommends reaching out to the vendor's internal sales management team for explicit details on individual pricing plans for the Adobe Marketing Cloud suite.

    SoftwareReviews' Enterprise MMS Rankings

    Strengths:

    • Marketing Analytics
    • Advanced Campaign Management
    • Email Marketing Automation
    • Social Media Marketing Management

    Areas to Improve:

    • Community Marketing Management
    • Marketing Operations Management
    • Pricing Sensitivity and Vendor Support Model

    This is an image of SoftwareReviews analysis for Salesforce

    history

    This is an image of the Logo for Salesforce Marketing Cloud

    2022

    Salesforce announces sustainability as a core company value (Forbes, 2022).

    2012



    Salesforce unveils Salesforce Marketing Cloud during Dreamforce 2012, with 90,000 registered attendees (Dice, 2012).

    2009

    Salesforce launches Service Cloud, bringing customer service and support automation features to the market (TechCrunch, 2009).

    2003


    The first Dreamforce event is held at the Westin St. Francis hotel in downtown San Francisco
    (Salesforce, 2020).

    2001


    Salesforce delivers $22.4M in revenue for the fiscal year ending January 31, 2002 (Salesforce, 2020).

    Salesforce is founded in 1999.

    "Salesforce Marketing Cloud is a long-term juggernaut of the marketing management software space and is the subject of many Info-Tech member inquiries. It retains strong composite and customer experience (CX) scores in our SoftwareReviews reports. Some standout features of the platform include marketing analytics, advanced campaign management functionalities, email marketing automation, and customer journey management capabilities. In recent years Salesforce has made great strides in improving the overall user experience by investing in new product functionalities such as the Einstein What-If Analyzer, which helps test how your next email campaign will impact overall customer engagement, triggers personalized campaign messages based on an individual user's behavior, and uses powerful real-time segmentation and sophisticated AI to deliver contextually relevant experiences that inspire customers to act.

    On the downside, we commonly see Salesforce's solutions as costlier than competitors' offerings, and its commercial/sales teams tend to be overly aggressive in marketing its solutions without a distinct link to overarching business requirements. "
    Yaz Palanichamy
    Senior Research Analyst, Info-Tech Research Group

    Marketing Cloud Basics

    Marketing Cloud Pro

    Marketing Cloud Corporate

    Marketing Cloud Enterprise

    • Starts at $400*
    • Per org/month
    • Personalized promotional email marketing
    • Starts at $1,250*
    • Per org/month
    • Personalized marketing automation with email solutions
    • Starts at $3,750*
    • Per org/month
    • Personalized cross-channel strategic marketing solutions

    "Request a Quote"

    *Pricing correct as of October 2022. Listed in USD and absent discounts. See pricing on vendor's website for latest information.

    SoftwareReviews' Enterprise MMS Rankings

    Strengths:

    • Email Marketing Automation
    • Marketing Workflow Management
    • Marketing Analytics

    Areas to Improve:

    • Mobile Marketing Management
    • Marketing Operations Management
    • Advanced Data Segmentation

    This is an image of SoftwareReviews analysis for SAP

    history

    This is an image of the Logo for SAP

    2022

    SAP announces the second cycle of the 2022 SAP Customer Engagement Initiative. (SAP Community Blog, 2022).

    2020

    SAP acquires Austrian cloud marketing company Emarsys (TechCrunch, 2020).

    2015

    SAP Digital for Customer Engagement launches in May 2015 (SAP News, 2015).

    2009

    SAP begins branching out into three markets of the future (mobile technology, database technology, and cloud). SAP acquires some of its competitors (e.g. Ariba, SuccessFactors, Business Objects) to quickly establish itself as a key player in those areas (SAP, n.d.).

    1999

    SAP responds to the internet and new economy by launching its mysap.com strategy (SAP, n.d.).

    SAP is founded In 1972.

    "Over the years, SAP has positioned itself as one of the usual suspects across the enterprise applications market. While SAP has a broad range of capabilities within the CRM and customer experience space, it consistently underperforms in many of our user-driven SoftwareReviews reports for MMS and adjacent areas, ranking lower in MMS product feature capabilities such as email marketing automation and advanced campaign management than other mainstream MMS vendors, including Salesforce Marketing Cloud and Adobe Experience Cloud. The SAP Customer Engagement Marketing platform seems decidedly a secondary focus for SAP, behind its more compelling presence across the enterprise resource planning space.

    If you are approaching an MMS selection from a greenfield lens and with no legacy vendor baggage for SAP elsewhere, experience suggests that your needs will be better served by a vendor that places greater primacy on the MMS aspect of their portfolio."
    Yaz Palanichamy
    Senior Research Analyst, Info-Tech Research Group

    SAP Customer Engagement Marketing pricing is opaque:
    Request a demo.*

    *Info-Tech recommends reaching out to the vendor's internal sales management team for explicit details on individual pricing plans for the Adobe Marketing Cloud suite.

    SoftwareReviews' Enterprise MMS Rankings

    Strengths:

    • Social Media Automation
    • Email Marketing Automation
    • Marketing Analytics

    Areas to Improve:

    • Ease of Data Integration
    • Breadth of Features
    • Marketing Workflow Management

    b

    SoftwareReviews' Enterprise MMS Rankings

    Strengths:

    • Campaign Management
    • Segmentation
    • Email Delivery

    Areas to Improve:

    • Mobile Optimization
    • A/B Testing
    • Content Authoring

    This is an image of SoftwareReviews analysis for ZOHO Campaigns.

    history

    This is an image of the Logo for ZOHO Campaigns

    2021

    Zoho announces CRM-Campaigns sync (Zoho Campaigns Community Learning, 2021).

    2020

    Zoho reaches more than 50M customers in January ( Zippia, n.d.).

    2017

    Zoho launches Zoho One, a comprehensive suite of 40+ applications (Zoho Blog, 2017).

    2012

    Zoho releases Zoho Campaigns (Business Wire, 2012).

    2007

    Zoho expands into the collaboration space with the release of Zoho Docs and Zoho Meetings (Zoho, n.d.).

    2005

    Zoho CRM is released (Zoho, n.d.).

    Zoho platform is founded in 1996.

    "Zoho maintains a long-running repertoire of end-to-end software solutions for business development purposes. In addition to its flagship CRM product, the company also offers Zoho Campaigns, which is an email marketing software platform that enables contextually driven marketing techniques via dynamic personalization, email interactivity, A/B testing, etc. For organizations that already maintain a deep imprint of Zoho solutions, Zoho Campaigns will be a natural extension to their immediate software environment.

    Zoho Campaigns is a great ecosystem play in environments that have a material Zoho footprint. In the absence of an existing Zoho environment, it's prudent to consider other affordable products as well."
    Yaz Palanichamy
    Senior Research Analyst, Info-Tech Research Group

    Free Version

    Standard

    Professional

    • Starts at $0*
    • Per user/month billed annually
    • Up to 2,000 contacts
    • 6,000 emails/month
    • Starts at $3.75*
    • Per user/month billed annually
    • Up to 100,000 contacts
    • Advanced email templates
    • SMS marketing
    • Starts at $6*
    • Per user/month billed annually
    • Advanced segmentation
    • Dynamic content

    *Pricing correct as of October 2022. Listed in USD and absent discounts.

    See pricing on vendor's website for latest information.

    Leverage Info-Tech's research to plan and execute your MMS implementation

    Use Info-Tech's three-phase implementation process to guide your planning:

    1. Assess

    2. Prepare

    3. Govern & Course Correct

    Download Info-Tech's Governance and Management of Enterprise Software Implementation
    Establish and execute an end-to-end, agile framework to succeed with the implementation of a major enterprise application.

    Ensure your implementation team has a high degree of trust and communication

    If external partners are needed, dedicate an internal resource to managing the vendor and partner relationships.

    Communication

    Teams must have some type of communication strategy. This can be broken into:

    • Regularity: Having a set time each day to communicate progress and a set day to conduct retrospectives.
    • Ceremonies: Injecting awards and continually emphasizing delivery of value to encourage relationship building and constructive motivation.
    • Escalation: Voicing any concerns and having someone responsible for addressing them.

    Proximity

    Distributed teams create complexity as communication can break down. This can be mitigated by:

    • Location: Placing teams in proximity to eliminate the barrier of geographical distance and time zone differences.
    • Inclusion: Making a deliberate attempt to pull remote team members into discussions and ceremonies.
    • Communication Tools: Having the right technology (e.g. video conference) to help bring teams closer together virtually.

    Trust

    Members should trust other members are contributing to the project and completing their required tasks on time. Trust can be developed and maintained by:

    • Accountability: Having frequent quality reviews and feedback sessions. As work becomes more transparent, people become more accountable.
    • Role Clarity: Having a clear definition of what everyone's role is.

    Selecting a right-sized MMS platform

    This selection guide allows organizations to execute a structured methodology for picking an MMS platform that aligns with their needs. This includes:

    • Alignment and prioritization of key business and technology drivers for an MMS selection business case.
    • Identification of key use cases and requirements for a right-sized MMS platform.
    • A comprehensive market scan of key players in the MMS market space.

    This formal MMS selection initiative will drive business-IT alignment, identify pivotal sales and marketing automation priorities, and thereby allow for the rollout of a streamlined MMS platform that is highly likely to satisfy all stakeholder needs.

    If you would like additional support, have our analysts guide you through other phases as part of an Info-Tech workshop

    contact your account representative for more information

    workshops@infotech.com

    1-888-670-8889

    Summary of accomplishment

    Knowledge Gained

    • What marketing management is
    • Historical origins of marketing management
    • The future of marketing management
    • Key trends in marketing management suites

    Processes Optimized

    • Requirements gathering
    • RFPs and contract reviews
    • Marketing management suite vendor selection
    • Marketing management platform implementation

    Marketing Management

    • Adobe Experience Cloud
    • Microsoft Dynamics 365 for Marketing
    • HubSpot Marketing Hub
    • Maropost Marketing Cloud
    • Oracle Marketing Cloud

    Vendors Analyzed

    • Salesforce Marketing Cloud
    • SAP
    • Sugar Market
    • Zoho Campaigns

    Related Info-Tech Research

    Select a Marketing Management Suite

    Many organizations struggle with taking a systematic approach to selection that pairs functional requirements with specific marketing workflows, and as a result they choose a marketing management suite (MMS) that is not well aligned to their needs, wasting resources and causing end-user frustration.

    Get the Most Out of Your CRM

    Customer relationship management (CRM) application portfolios are often messy,
    with multiple integration points, distributed data, and limited ongoing end-user training. A properly optimized CRM ecosystem will reduce costs and increase productivity.

    Customer Relationship Management Platform Selection Guide

    Speed up the process to build your business case and select your CRM solution. Despite the importance of CRM selection and implementation, many organizations struggle to define an approach to picking the right vendor and rolling out the solution in an effective and cost-efficient manner.

    Bibliography

    "16 Biggest Tech Acquisitions in History." The Economic Times, 28 July 2016. Web.
    "Adobe Acquires Demdex – Brings Audience Optimization to $109 Billion Global Online Ad Market." Adobe News, 18 Jan 2011. Accessed Nov 2022.
    "Adobe Company History Timeline." Zippia, 9 Sept 2022. Accessed Nov 2022.
    "Adobe to acquire Magento for $1.68B." TechCrunch, 21 May 2018. Accessed Dec 2022.
    Anderson, Meghan Keaney. "HubSpot Launches European Headquarters." HubSpot Company News, 3 Mar 2013.
    Arenas-Gaitán, Jorge, et al. "Complexity of Understanding Consumer Behavior from the Marketing Perspective." Journal of Complexity, vol. 2019, 8 Jan 2019. Accessed Sept 2022.
    Bureau of Labor Statistics. "Advertising, Promotions, and Marketing Managers." Occupational Outlook Handbook. U.S. Department of Labor, 8 Sept 2022. Accessed 1 Nov 2022.
    "Campaigns." Marketing Hub, HubSpot, n.d. Web.
    Conklin, Bob. "Adobe report reveals best marketing practices for B2B growth in 2023 and beyond." Adobe Experience Cloud Blog, 23 Sept 2022. Web.
    "Consumer Behavior Stats 2021: The Post-Pandemic Shift in Online Shopping Habit" Nosto.com, 7 April 2022. Accessed Oct 2022.
    "Data Collection Overview." Experience League, Adobe.com, n.d. Accessed Dec 2022.
    Duduskar, Avinash. "Interview with Tony Chen, CEO at Channel Factory." MarTech Series, 16 June 2017. Accessed Nov 2022.
    "Enhanced Release of SAP Digital for Customer Engagement Helps Anyone Go Beyond CRM." SAP News, 8 Dec. 2015. Press release.
    Fang, Mingyu. "A Deep Dive into Gucci's Metaverse Practice." Medium.com, 27 Feb 2022. Accessed Oct 2022.
    Flanagan, Ellie. "HubSpot Launches Marketing Hub Starter to Give Growing Businesses the Tools They Need to Start Marketing Right." HubSpot Company News, 17 July 2018. Web.
    Fleishman, Hannah. "HubStop Announces Pricing of Initial Public Offering." HubSpot Company News, 8 Oct. 204. Web.
    Fluckinger, Don. "Adobe to acquire Workfront for $1.5 billion." TechTarget, 10 Nov 2020. Accessed Nov 2022.
    Fluckinger, Don. "Microsoft Dynamics 365 adds customer journey orchestration." TechTarget, 2 March 2021. Accessed Nov 2022.
    Green Marketing: Explore the Strategy of Green Marketing." Marketing Schools, 19 Nov 2020. Accessed Oct 2022.
    Ha, Anthony. "Oracle Announces Its Cross-Platform Marketing Cloud." TechCrunch, 30 April 2014. Web.
    Heyd, Kathrin. "Partners Welcome – SAP Customer Engagement Initiative 2022-2 is open for your registration(s)!" SAP Community Blog, 21 June 2022. Accessed Nov 2022.
    HubSpot. "Our Story." HubSpot, n.d. Web.
    Jackson, Felicia. "Salesforce Tackles Net Zero Credibility As It Adds Sustainability As A Fifth Core Value." Forbes, 16 Feb. 2022. Web.
    Kolakowski, Nick. "Salesforce CEO Marc Benioff Talks Social Future." Dice, 19 Sept. 2012. Web.
    Lardinois, Frederic. "Microsoft's Q4 earnings beat Street with $22.6B in revenue, $0.69 EPS." TechCrunch, 19 July 2016. Web.
    Levine, Barry. "G2 Crowd report finds the two email marketing tools with the highest user satisfaction." Venture Beat, 30 July 2015. Accessed Nov 2022.
    Looking Back, Moving Forward: The Evolution of Maropost for Marketing." Maropost Blog, 21 May 2019. Accessed Oct 2022.
    Maher, Sarah. "What's new with HubSpot? Inbound 2022 Feature Releases." Six & Flow, 9 July 2022. Accessed Oct 2022.
    Marketing Automation Provider, Salesfusion, Continues to Help Marketers Achieve Their Goals With Enhanced User Interface and Powerful Email Designer Updates." Yahoo Finance, 10 Dec 2013. Accessed Oct 2022.
    "Maropost Acquires Retail Express for $55 Million+ as it Continues to Dominate the Global Commerce Space." Marapost Newsroom, PRWire.com, 19 Jan 2022. Accessed Nov 2022.
    McDowell, Maghan. "Inside Gucci and Roblox's new virtual world." Vogue Business, 17 May 2021. Web.
    Miller, Ron. "Adobe and Microsoft expand partnership with Adobe Experience Manager and Dynamics 265 Integration." TechCrunch, 3 Nov 2017. Accessed Nov 2022.
    Miller, Ron. "Adobe to acquire Magento for $1.68B" TechCrunch, 21 May 2018. Accessed Nov 2022.
    Miller, Ron. "SAP continues to build out customer experience business with Emarys acquisition." TechCrunch, 1 Oct. 2020. Web.
    Miller, Ron. "SugarCRM moves into marketing automation with Salesfusion acquisition." TechCrunch, 16 May 2019.
    Novet, Jordan. "Adobe confirms it's buying Marketo for $4.75 billion." CNBC, 20 Sept 2018. Accessed Dec 2022.
    "Oracle Corp." Encyclopedia.com, n.d. Web.
    Phillips, James. "April 2019 Release launches with new AI, mixed reality, and 350+ feature updates." Microsoft Dynamics 365 Blog. Microsoft, 2 April 2019. Web.
    S., Aravindhan. "Announcing an important update to Zoho CRM-Zoho Campaigns integration." Zoho Campaigns Community Learning, Zoho, 1 Dec. 2021. Web.
    Salesforce. "The History of Salesforce." Salesforce, 19 March 2020. Web.
    "Salesfusion Integrates With NetSuite CRM to Simplify Sales and Marketing Alignment" GlobeNewswire, 6 May 2016. Accessed Oct 2022. Press release.
    "Salesfusion Integrates With NetSuite CRM to Simplify Sales and Marketing Alignment." Marketwired, 6 May 2016. Web.
    "Salesfusion is Now Sugar Market: The Customer FAQ." SugarCRM Blog, 31 July 2019. Web.
    "Salesfusion's Marketing Automation Platform Drives Awareness and ROI for Education Technology Provider" GlobeNewswire, 25 June 2015. Accessed Nov 2022. Press release.
    SAP. "SAP History." SAP, n.d. Web.
    "State of Marketing." 5th Edition, Salesforce, 15 Jan 2019. Accessed Oct 2022.
    "Success selects Maropost Marketing Cloud for Marketing Automation." Apps Run The World, 10 Jan 2015. Accessed Nov 2022.
    "SugarCRM Acquires SaaS Marketing Automation Innovator Salesfusion." SugarCRM, 16 May 2019. Press release.
    Sundaram, Vijay. "Introducing Zoho One." Zoho Blog, 25 July 2017. Web.
    "The State of MarTech: Is you MarTech stack working for you?" American Marketing Association, 29 Nov 2021. Accessed Oct 2022.
    "Top Marketing Automation Statistics for 2022." Oracle, 15 Jan 2022. Accessed Oct 2022.
    Trefis Team. "Oracle Energizes Its Marketing Cloud With New Features." Forbes, 7 April 2015. Accessed Oct 2022.
    Vivek, Kumar, et al. "Microsoft Dynamics 365 Customer Engagement (on-premises) Help, version 9.x." Learn Dynamics 365, Microsoft, 9 Jan 2023. Web.
    "What's new with HubSpot? Inbound 2022 feature releases" Six and Flow, 9 July 2022. Accessed Nov 2022.
    Widman, Jeff. "Salesforce.com Launches The Service Cloud,, A Customer Service SaaS Application." TechCrunch, 15 Jan. 2009. Web.
    "Zoho History." Zippia, n.d. Web.
    "Zoho Launches Zoho Campaigns." Business Wire, 14 Aug. 2012. Press release.
    Zoho. "About Us." Zoho, n.d. Web.

    Need hands-on assistance?

    Engage Info-Tech for a Software Selection Workshop!

    40 Hours of Advisory Assistance Delivered On-Line or In-Person

    Select Better Software, Faster.

    40 Hours of Expert Analyst Guidance
    Project & Stakeholder Management Assistance
    Save money, align stakeholders, Speed up the process & make better decisions.
    Better, faster results, guaranteed, $25K standard engagement fee

    This is an image of the plan for five advisory calls over a five week period.

    CLICK HERE to book your Workshop Engagement

    Satisfy Digital End Users With Low- and No-Code

    • Buy Link or Shortcode: {j2store}185|cart{/j2store}
    • member rating overall impact: 8.5/10 Overall Impact
    • member rating average dollars saved: $2,460 Average $ Saved
    • member rating average days saved: 2 Average Days Saved
    • Parent Category Name: Architecture & Strategy
    • Parent Category Link: /architecture-and-strategy
    • Your organization decided to invest in digital solutions to support their transition to a digital and automated workplace. They are ready to begin the planning and delivery of these solutions.
    • However, IT capacity is constrained due to the high and aggressive demand to meet business priorities and maintain mission critical applications. Technical experience and skills are difficult to find, and stakeholders are increasing their expectations to deliver technologies faster with high quality using less resources.
    • Stakeholders are interested in low and no code solutions as ways to their software delivery challenges and explore new digital capabilities.

    Our Advice

    Critical Insight

    • Current software delivery inefficiencies and lack of proper governance and standards impedes the ability to successfully scale and mature low and no code investments and see their full value.
    • Many operating models and culture do not enable or encourage the collaboration needed to evaluate business opportunities and underlying operational systems.This can exacerbate existing shadow IT challenges and promote a negative perception of IT.
    • Low and no code tools bring significant organizational, process, and technical changes that IT and the business may not be prepared or willing to accept and adopt, especially when these tools support business and worker managed applications and services.

    Impact and Result

    • Establish the right expectations. Profile your digital end users and their needs and challenges. Discuss current IT and business software delivery and digital product priorities to determine what to expect from low- and no-code.
    • Build your low- and no-code governance and support. Clarify the roles, processes, and tools needed for low- and no-code delivery and management through IT and business collaboration.
    • Evaluate the fit of low- and no-code and shortlist possible tools. Obtain a thorough view of the business and technical complexities of your use cases. Indicate where and how low- and no-code is expected to generate the most return.

    Satisfy Digital End Users With Low- and No-Code Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Satisfy Digital End Users With Low- and No-Code Deck – A step-by-step guide on selecting the appropriate low- and no-code tools and building the right people, processes, and technologies to support them.

    This blueprint helps you develop an approach to understand your low- and no-code challenges and priorities and to shortlist, govern, and manage the right low- and no-code tools.

    • Satisfy Digital End Users With Low- and No-Code – Phases 1-3

    2. Low- and No-Code Communication Template – Clearly communicate the goal and approach of your low- and no-code implementation in a language your audience understands.

    This template narrates a story to describe the need and expectations of your low- and no-code initiative to get buy-in from stakeholders and interested parties.

    • Low- and No-Code Communication Template

    Infographic

    Workshop: Satisfy Digital End Users With Low- and No-Code

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Select Your Tools

    The Purpose

    Understand the personas of your low- and no-code users and their needs.

    List the challenges low- and no-code is designed to solve or the opportunities you hope to exploit.

    Identify the low- and no-code tools to address your needs.

    Key Benefits Achieved

    Level set expectations on what low- and no-code can deliver.

    Identify areas where low- and no-code can be the most beneficial.

    Select the tools to best address your problem and opportunities.

    Activities

    1.1 Profile your digital end users

    1.2 Set reasonable expectations

    1.3 List your use cases

    1.4 Shortlist your tools

    Outputs

    Digital end-user skills assessment

    Low- and no-code objectives and metrics

    Low- and no-code use case opportunities

    Low- and no-code tooling shortlist

    2 Deliver Your Solution

    The Purpose

    Optimize your product delivery process to accommodate low- and no-code.

    Review and improve your product delivery and management governance model.

    Discuss how to improve your low- and no-code capacities.

    Key Benefits Achieved

    Encourage business-IT collaborative practices and improve IT’s reputation.

    Shift the right accountability and ownership to the business.

    Equip digital end users with the right skills and competencies.

    Activities

    2.1 Adapt your delivery process

    2.2 Transform your governance

    2.3 Identify your low- and no-code capacities

    Outputs

    Low- and no-code delivery process and guiding principles

    Low- and no-code governance, including roles and responsibilities, product ownership and guardrails

    List of low- and no-code capacity improvements

    3 Plan Your Adoption

    The Purpose

    Design a CoE and/or CoP to support low- and no-code capabilities.

    Build a roadmap to illustrate key low- and no-code initiatives.

    Key Benefits Achieved

    Ensure coordinated, architected, and planned implementation and adoption of low- and no-code consistently across the organization.

    Reaffirm support for digital end users new to low- and no-code.

    Clearly communicate your approach to low- and no-code.

    Activities

    3.1 Support digital end users and facilitate cross-functional sharing

    3.2 Yield results with a roadmap

    Outputs

    Low- and no-code supportive body design (e.g. center of excellence, community of practice)

    Low- and no-code roadmap

    Improve your core processes

    Improve your core processes

    We have over 45 fully detailed
    and interconnected process guides
    for you to improve your operations

    Managing and improving your processes is key to attaining commercial success

    Our practical guides help you to improve your operations

    We have hundreds of practical guides, grouped in many processes in our model. You may not need all of them. I suggest you browse within the belo top-level categories below and choose where to focus your attention. And with Tymans Group's help, you can go one process area at a time.

    If you want help deciding, please use the contact options below or click here.

    Check out our guides

    Our research and guides are priced from €299,00

    • Gert Taeymans Guidance

      Tymans Group Guidance & Consulting

      Tymans Group guidance and (online) consulting using both established and forward-looking research and field experience in our management domains.

      Contact

    • Tymans Group
      & Info-Tech
      Combo

      Get both inputs, all of the Info-tech research (with cashback rebate), and Tymans Group's guidance.

      Contact

    • Info-Tech Research

      Info-Tech offers a vast knowledge body, workshops, and guided implementations. You can buy Info-Tech memberships here at Tymans Group with cashback, reducing your actual outlay.

      Contact

    Register to read more …

    Build a Roadmap for Service Management Agility

    • Buy Link or Shortcode: {j2store}280|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Service Management
    • Parent Category Link: /service-management
    • Business is moving faster than ever and IT is getting more demands at a faster pace.
    • Many IT organizations have traditional structures and approaches that have served them well in the past. However, these frameworks and approaches alone are no longer sufficient for today’s challenges and rapidly changing environment.
    • The inability to adaptively design and deliver services as requirements change has led to diminishing service quality and an increase in shadow IT.

    Our Advice

    Critical Insight

    • Being Agile is a mindset. It is not meant to be prescriptive, but to encourage you to leverage the best approaches, frameworks, and tools to meet your needs and get the job done now.
    • The goal of service management is to enable and drive value for the business. Service management practices have to be flexible and adaptable enough to manage and deliver the right service value at the right time at the right level of quality.

    Impact and Result

    • Understand Agile principles, how they align with service management principles, and what the optimal states for agility look like.
    • Use Info-Tech’s advice and tools to perform an assessment of your organization’s state of agility, identify the gaps, and create a custom roadmap to incorporate agility into your service management practice.
    • Increase business satisfaction. The ultimate outcome of having agility in your service delivery is satisfied customers.

    Build a Roadmap for Service Management Agility Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should create a roadmap for service management agility, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Understand the optimal state for agility

    Understand the components of agility and what the optimal states are for service management agility.

    • Build a Roadmap for Service Management Agility – Phase 1: Understand the Optimal States for Agility

    2. Assess your current state of agility

    Determine the current state of agility in the service management practice.

    • Build a Roadmap for Service Management Agility – Phase 2: Assess Your Current State of Agility
    • Service Management Agility Assessment Tool

    3. Build the roadmap

    Create a roadmap for service management agility and present it to key stakeholders to obtain their support.

    • Build a Roadmap for Service Management Agility – Phase 3: Build the Roadmap for Service Management Agility
    • Service Management Agility Roadmap Template
    • Building Agility Into Our Service Management Practice Stakeholders Presentation Template
    [infographic]

    Workshop: Build a Roadmap for Service Management Agility

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Define the Optimal States for Agility in Service Management

    The Purpose

    Understand agility and how it can complement service management.

    Understand how the components of culture, structure, processes, and resources enable agility in service management.

    Key Benefits Achieved

    Clear understanding of Agile principles.

    Identifying opportunities for agility.

    Understanding of how Agile principles align with service management.

    Activities

    1.1 Understand agility.

    1.2 Understand how Agile methodologies can complement service management through culture, structure, processes, and resources.

    Outputs

    Summary of Agile principles.

    Summary of optimal components in culture, structure, processes, and resources that enable agility.

    2 Assess Your Current State of Agility in Service Management

    The Purpose

    Assess your current organizational agility with respect to culture, structure, processes, and resources.

    Identify your agility strengths and weaknesses with the agility score.

    Key Benefits Achieved

    Understand your organization’s current enablers and constraints for agility.

    Have metrics to identify strengths or weaknesses in culture, structure, processes, and resources.

    Activities

    2.1 Complete an agility assessment.

    Outputs

    Assessment score of current state of agility.

    3 Build the Roadmap for Service Management Agility

    The Purpose

    Determine the gaps between the current and optimal states for agility.

    Create a roadmap for service management agility.

    Create a stakeholders presentation.

    Key Benefits Achieved

    Have a completed custom roadmap that will help build sustainable agility into your service management practice.

    Present the roadmap to key stakeholders to communicate your plans and get organizational buy-in.

    Activities

    3.1 Create a custom roadmap for service management agility.

    3.2 Create a stakeholders presentation on service management agility.

    Outputs

    Completed roadmap for service management agility.

    Completed stakeholders presentation on service management agility.

    Build an Application Department Strategy

    • Buy Link or Shortcode: {j2store}180|cart{/j2store}
    • member rating overall impact: 9.2/10 Overall Impact
    • member rating average dollars saved: $220,866 Average $ Saved
    • member rating average days saved: 34 Average Days Saved
    • Parent Category Name: Architecture & Strategy
    • Parent Category Link: /architecture-and-strategy
    • Application delivery has modernized. There are increasing expectations on departments to deliver on organizational and product objectives with increasing velocity.
    • Application departments produce many diverse, divergent products, applications, and services with expectations of frequent updates and changes based on rapidly changing landscapes

    Our Advice

    Critical Insight

    • There is no such thing as a universal “applications department.” Unlike other domains of IT, there are no widely accepted frameworks that clearly outline universal best practices of application delivery and management.
    • Different software needs and delivery orientations demand a tailored structure and set of processes, especially when managing a mixed portfolio or multiple delivery methods.

    Impact and Result

    Understand what your department’s purpose is through articulating its strategy in three steps:

    • Determining your application department’s values, principles, and orientation.
    • Laying out the goals, objectives, metrics, and priorities of the department.
    • Building a communication plan to communicate your overall department strategy.

    Build an Application Department Strategy Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should build an application department strategy, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Take stock of who you are

    Consider and record your department’s values, principles, orientation, and capabilities.

    • Build an Application Department Strategy – Phase 1: Take Stock of Who You Are
    • Application Department Strategy Supporting Workbook

    2. Articulate your strategy

    Define your department’s strategy through your understanding of your department combined with everything that you do and are working to do.

    • Build an Application Department Strategy – Phase 2: Articulate Your Strategy
    • Application Department Strategy Template

    3. Communicate your strategy

    Communicate your department’s strategy to your key stakeholders.

    • Build an Application Department Strategy – Phase 3: Communicate Your Strategy

    Infographic

    Workshop: Build an Application Department Strategy

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Take Stock of Who You Are

    The Purpose

    Understand what makes up your application department beyond the applications and services provided.

    Key Benefits Achieved

    Articulating your guiding principles, values, capabilities, and orientation provides a foundation for expressing your department strategy.

    Activities

    1.1 Identify your team’s values and guiding principles.

    1.2 Define your department’s orientation.

    Outputs

    A summary of your department’s values and guiding principles

    A clear view of your department’s orientation and supporting capabilities

    2 Articulate Your Strategy

    The Purpose

    Lay out all the details that make up your application department strategy.

    Key Benefits Achieved

    A completed application department strategy canvas containing everything you need to communicate your strategy.

    Activities

    2.1 Write your application department vision statement.

    2.2 Define your application department goals and metrics.

    2.3 Specify your department capabilities and orientation.

    2.4 Prioritize what is most important to your department.

    Outputs

    Your department vision

    Your department’s goals and metrics that contribute to achieving your department’s vision

    Your department’s capabilities and orientation

    A prioritized roadmap for your department

    3 Communicate Your Strategy

    The Purpose

    Lay out your strategy’s communication plan.

    Key Benefits Achieved

    Your application department strategy presentation ready to be presented to your stakeholders.

    Activities

    3.1 Identify your stakeholders.

    3.2 Develop a communication plan.

    3.3 Wrap-up and next steps

    Outputs

    List of prioritized stakeholders you want to communicate with

    A plan for what to communicate to each stakeholder

    Communication is only the first step – what comes next?

    The challenge of corporate security management

    • Buy Link or Shortcode: {j2store}41|cart{/j2store}
    • Related Products: {j2store}41|crosssells{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Security and Risk
    • Parent Category Link: /security-and-risk
    • byline: Align security and business objectives to obtain the greatest benefit from both.

    Corporate security management is a vital aspect in every modern business, regardless of business area or size. At Tymans Group we offer expert security management consulting to help your business set up proper protocols and security programs. More elaborate information about our security management consulting services and solutions can be found below.

    Corporate security management components

    You may be experiencing one or more of the following:

    • The risk goals should support business goals. Your business cannot operate without security, and security is there to conduct business safely. 
    • Security governance supports security strategy and security management. These three components form a protective arch around your business. 
    • Governance and management are like the legislative branch and the executive branch. Governance tells people what to do, and management's job is to verify that they do it.

    Our advice with regards to corporate security management

    Insight

    To have a successful information security strategy, take these three factors into account:

    • Holistic: your view must include people, processes, and technology.
    • Risk awareness: Base your strategy on the actual risk profile of your company and then add the appropriate best practices.
    • Business-aligned: When your strategic security plan demonstrates alignment with the business goals and supports it, embedding will be much more straightforward.

    Impact and results of our corporate security management approach

    • The approach of our security management consulting company helps to provide a starting point for realistic governance and realistic corporate security management.
    • We help you by implementing security governance and managing it, taking into account your company's priorities, and keeping costs to a minimum.

    The roadmap

    Besides the small introduction, subscribers and consulting clients within the corporate security management domain have access to:

    Get up to speed

    Read up on why you should build your customized corporate information security governance and management system. Review our methodology and understand the four ways we can support you.

    Align your security objectives with your business goals

    Determine the company's risk tolerance.

    • Implement a Security Governance and Management Program – Phase 1: Align Business Goals With Security Objectives (ppt)
    • Information Security Governance and Management Business Case (ppt)
    • Information Security Steering Committee Charter (doc)
    • Information Security Steering Committee RACI Chart (doc)
    • Security Risk Register Tool (xls)

    Build a practical governance framework for your company

    Our best-of-breed security framework makes you perform a gap analysis between where you are and where you want to be (your target state). Once you know that, you can define your goals and duties.

    • Implement a Security Governance and Management Program – Phase 2: Develop an Effective Governance Framework (ppt)
    • Information Security Charter (doc)
    • Security Governance Organizational Structure Template (doc)
    • Security Policy Hierarchy Diagram (ppt)
    • Security Governance Model Facilitation Questions (ppt)
    • Information Security Policy Charter Template (doc)
    • Information Security Governance Model Tool (Visio)
    • Pdf icon 20x20
    • Information Security Governance Model Tool (PDF)

    Now that you have built it, manage your governance framework.

    There are several essential management activities that we as a security management consulting company suggest you employ.

    • Implement a Security Governance and Management Program – Phase 3: Manage Your Governance Framework (ppt)
    • Security Metrics Assessment Tool (xls)
    • Information Security Service Catalog (xls)
    • Policy Exception Tracker (xls)
    • Information Security Policy Exception Request Form (doc)
    • Security Policy Exception Approval Workflow (Visio)
    • Security Policy Exception Approval Workflow (PDF)
    • Business Goal Metrics Tracking Tool (xls)

    Book an online appointment for more advice

    We are happy to tell you more about our corporate security management solutions and help you set up fitting security objectives. As a security management consulting firm we offer solutions and advice, based on our own extensive experience, which are practical and people-orientated. Discover our services, which include data security management and incident management and book an online appointment with CEO Gert Taeymans to discuss any issues you may be facing regarding risk management or IT governance.

    cybersecurity

    Maximize Your American Rescue Plan Funding

    • Buy Link or Shortcode: {j2store}74|cart{/j2store}
    • member rating overall impact: 9.0/10 Overall Impact
    • member rating average dollars saved: $661,499 Average $ Saved
    • member rating average days saved: 8 Average Days Saved
    • Parent Category Name: Cost & Budget Management
    • Parent Category Link: /cost-and-budget-management
    • Will funding from COVID-19 stimulus opportunities mean more human and financial resources for IT?
    • Are there governance processes in place to successfully execute large projects?
    • What does a large, one-time influx of capital mean for keeping-the-lights-on budgets?
    • How will ARP funding impact your internal resourcing?
    • How can you ensure that IT is not left behind or an afterthought?

    Our Advice

    Critical Insight

    • Seek a one-to-many relationship between IT solutions and business problems. Use the central and overarching nature of IT to identify one solution to multiple business problems that span multiple programs, departments, and agencies.
    • Lack of specific guidance should not be a roadblock to starting. Be proactive by initiating the planning process so that you are ready to act as soon as details are clear.
    • IT involvement is the lynchpin for success. The pandemic has made this theme self-evident, and it needs to stay that way.
    • The fact that this funding is called COVID-19 relief might make you think you should only use it for recovery, but actually it should be viewed as an opportunity to help the organization thrive post-pandemic.

    Impact and Result

    • Shift IT’s role from service provider to innovator. Take ARP funding as a once-in-a-lifetime opportunity to create future enterprise capabilities by thinking big to consider IT innovation that can transform the business and its initiatives for the post-pandemic world.
    • Whether your organization is eligible for a direct or an indirect transfer, be sure you understand the requirements to apply for funding internally through a business case or externally through a grant application.
    • Gain the skills to execute the project with confidence by developing a comprehensive statement of work and managing your projects and vendor relationships effectively.

    Maximize Your American Rescue Plan Funding Research & Tools

    Use our research to help maximize ARP funding.

    Follow Info-Tech's approach to think big, align with the business, analyze budget and staffing, execute with confidence, and ensure compliance and reporting.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    [infographic]

    Workshop: Maximize Your American Rescue Plan Funding

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Think Big

    The Purpose

    Push the boundaries of conventional thinking and consider IT innovations that truly transform the business.

    Key Benefits Achieved

    A list of innovative IT opportunities that your IT department can use to transform the business

    Activities

    1.1 Discuss the objectives of ARP and what they mean to IT departments.

    1.2 Identify drivers for change.

    1.3 Review IT strategy.

    1.4 Augment your IT opportunities list.

    Outputs

    Revised IT vision

    List of innovative IT opportunities that can transform the business

    2 Align With the Business

    The Purpose

    Partner with the business to reprioritize projects and initiatives for the post-pandemic world.

    Key Benefits Achieved

    Assessment of the organization’s new and existing IT opportunities and alignment with business objectives

    Activities

    2.1 Assess alignment of current and new IT initiatives with business objectives.

    2.2 Review and update prioritization criteria for IT projects.

    Outputs

    Preliminary list of IT initiatives

    Revised project prioritization criteria

    3 Analyze IT Budget and Staffing

    The Purpose

    Identify IT budget deficits resulting from pandemic response and discover opportunities to support innovation through new staff and training.

    Key Benefits Achieved

    Prioritized shortlist of business-aligned IT initiative and projects

    Activities

    3.1 Classify initiatives into project categories using ROM estimates.

    3.2 Identify IT budget needs for projects and ongoing services.

    3.3 Identify needs for new staff and skills training.

    3.4 Determine business benefits of proposed projects.

    3.5 Prioritize your organization’s projects.

    Outputs

    Prioritized shortlist of business-aligned IT initiatives and projects

    4 Plan Next Steps

    The Purpose

    Tie IT expenditures to direct transfers or link them to ARP grant opportunities.

    Key Benefits Achieved

    Action plan to obtain ARP funding

    Activities

    4.1 Tie projects to direct transfers, where applicable.

    4.2 Align list of projects to indirect ARP grant opportunities.

    4.3 Develop an action plan to obtain ARP funding.

    4.4 Discuss required approach to project governance.

    Outputs

    Action plan to obtain ARP funding

    Project governance gaps

    Domino – Maintain, Commit to, or Vacate?

    • Buy Link or Shortcode: {j2store}113|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Strategy and Organizational Design
    • Parent Category Link: /strategy-and-organizational-design

    If you have a Domino/Notes footprint that is embedded within your business units and business processes and is taxing your support organization, you may have met resistance from the business and been asked to help the organization migrate away from the Lotus Notes platform. The Lotus Notes platform was long used by technology and businesses and a multipurpose solution that, over the years, became embedded within core business applications and processes.

    Our Advice

    Critical Insight

    For organizations that are struggling to understand their options for the Domino platform, the depth of business process usage is typically the biggest operational obstacle. Migrating off the Domino platform is a difficult option for most organizations due to business process and application complexity. In addition, migrating clients have to resolve the challenges with more than one replaceable solution.

    Impact and Result

    The most common tactic is for the organization to better understand their Domino migration options and adopt an application rationalization strategy for the Domino applications entrenched within the business. Options include retiring, replatforming, migrating, or staying with your Domino platform.

    Domino – Maintain, Commit to, or Vacate? Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Domino – Maintain, Commit to, or Vacate? – A brief deck that outlines key migration options for HCL Domino platforms.

    This blueprint will help you assess the fit, purpose, and price of Domino options; develop strategies for overcoming potential challenges; and determine the future of Domino for your organization.

    • Domino – Maintain, Commit to, or Vacate? Storyboard

    2. Application Rationalization Tool – A tool to understand your business-developed applications, their importance to business process, and the potential underlying financial impact.

    Use this tool to input the outcomes of your various application assessments.

    • Application Rationalization Tool
    [infographic]

    Further reading

    Domino – Maintain, Commit to, or Vacate?

    Lotus Domino still lives, and you have options for migrating away from or remaining with the platform.

    Executive Summary

    Info-Tech Insight

    “HCL announced that they have somewhere in the region of 15,000 Domino customers worldwide, and also claimed that that number is growing. They also said that 42% of their customers are already on v11 of Domino, and that in the year or so since that version was released, it’s been downloaded 78,000 times. All of which suggests that the Domino platform is, in fact, alive and well.”
    – Nigel Cheshire in Team Studio

    Your Challenge

    You have a Domino/Notes footprint embedded within your business units and business processes. This is taxing your support organization; you are meeting resistance from the business, and you are now asked to help the organization migrate away from the Lotus Notes platform. The Lotus Notes platform was long used by technology and businesses as a multipurpose solution that, over the years, became embedded within core business applications and processes.

    Common Obstacles

    For organizations that are struggling to understand their options for the Domino platform, the depth of business process usage is typically the biggest operational obstacle. Migrating off the Domino platform is a difficult option for most organizations due to business process and application complexity. In addition, migrating clients have to resolve the challenges with more than one replaceable solution.

    Info-Tech Approach

    The most common tactic is for the organization to better understand their Domino migration options and adopt an application rationalization strategy for the Domino applications entrenched within the business. Options include retiring, replatforming, migrating, or staying with your Domino platform.

    Review

    Is “Lotus” Domino still alive?

    Problem statement

    The number of member engagements with customers regarding the Domino platform has, as you might imagine, dwindled in the past couple of years. While many members have exited the platform, there are still many members and organizations that have entered a long exit program, but with how embedded Domino is in business processes, the migration has slowed and been met with resistance. Some organizations had replatformed the applications but found that the replacement target state was inadequate and introduced friction because the new solution was not a low-code/business-user-driven environment. This resulted in returning the Domino platform to production and working through a strategy to maintain the environment.

    This research is designed for:

    • IT strategic direction decision-makers
    • IT managers responsible for an existing Domino platform
    • Organizations evaluating migration options for mission-critical applications running on Domino

    This research will help you:

    1. Evaluate migration options.
    2. Assess the fit and purpose.
    3. Consider strategies for overcoming potential challenges.
    4. Determine the future of this platform for your organization.

    The “everything may work” scenario

    Adopt and expand

    Believe it or not, Domino and Notes are still options to consider when determining a migration strategy. With HCL still committed to the platform, there are options organizations should seek to better understand rather than assuming SharePoint will solve all. In our research, we consider:

    Importance to current business processes

    • Importance of use
    • Complexity in migrations
    • Choosing a new platform

    Available tools to facilitate

    • Talent/access to skills
    • Economies of scale/lower cost at scale
    • Access to technology

    Info-Tech Insight

    With multiple options to consider, take the time to clearly understand the application rationalization process within your decision making.

    • Archive/retire
    • Application migration
    • Application replatform
    • Stay right where you are

    Eliminate your bias – consider the advantages

    “There is a lot of bias toward Domino; decisions are being made by individuals who know very little about Domino and more importantly, they do not know how it impacts business environment.”

    – Rob Salerno, Founder & CTO, Rivet Technology Partners

    Domino advantages include:

    Modern Cloud & Application

    • No-code/low-code technology

    Business-Managed Application

    • Business written and supported
    • Embrace the business support model
    • Enterprise class application

    Leverage the Application Taxonomy & Build

    • A rapid application development platform
    • Develop skill with HCL training

    HCL Domino is a supported and developed platform

    Why consider HCL?

    • Consider scheduling a Roadmap Session with HCL. This is an opportunity to leverage any value in the mission and brand of your organization to gain insights or support from HCL.
    • Existing Domino customers are not the only entities seeking certainty with the platform. Software solution providers that support enterprise IT infrastructure ecosystems (backup, for example) will also be seeking clarity for the future of the platform. HCL will be managing these relationships through the channel/partner management programs, but our observations indicate that Domino integrations are scarce.
    • HCL Domino should be well positioned feature-wise to support low-code/NoSQL demands for enterprises and citizen developers.

    Visualize Your Application Roadmap

    1. Focus on the application portfolio and crafting a roadmap for rationalization.
      • The process is intended to help you determine each application’s functional and technical adequacy for the business process that it supports.
    2. Document your findings on respective application capability heatmaps.
      • This drives your organization to a determination of application dispositions and provides a tool to output various dispositions for you as a roadmap.
    3. Sort the application portfolio into a disposition status (keep, replatform, retire, consolidate, etc.)
      • This information will be an input into any cloud migration or modernization as well as consolidation of the infrastructure, licenses, and support for them.

    Our external support perspective

    by Darin Stahl

    Member Feedback

    • Some members who have remaining Domino applications in production – while the retire, replatform, consolidate, or stay strategy is playing out – have concerns about the challenges with ongoing support and resources required for the platform. In those cases, some have engaged external services providers to augment staff or take over as managed services.
    • While there could be existing support resources (in house or on retainer), the member might consider approaching an external provider who could help backstop the single resource or even provide some help with the exit strategies. At this point, the conversation would be helpful in any case. One of our members engaged an external provider in a Statement of Work for IBM Domino Administration focused on one-time events, Tier 1/Tier 2 support, and custom ad hoc requests.
    • The augmentation with the managed services enabled the member to shift key internal resources to a focus on executing the exit strategies (replatform, retire, consolidate), since the business knowledge was key to that success.
    • The member also very aggressively governed the Domino environment support needs to truly technical issues/maintenance of known and supported functionality rather than coding new features (and increasing risk and cost in a migration down the road) – in short, freezing new features and functionality unless required for legal compliance or health and safety.
    • There obviously are other providers, but at this point Info-Tech no longer maintains a market view or scan of those related to Domino due to low member demand.

    Domino database assessments

    Consider the database.

    • Domino database assessments should be informed through the lens of a multi-value database, like jBase, or an object system.
    • The assessment of the databases, often led by relational database subject matter experts grounded in normalized databases, can be a struggle since Notes databases must be denormalized.
    Key/Value Column

    Use case: Heavily accessed, rarely updated, large amounts of data
    Data Model: Values are stored in a hash table of keys.
    Fast access to small data values, but querying is slow
    Processor friendly
    Based on amazon's Dynamo paper
    Example: Project Voldemort used by LinkedIn

    		 this is a Key/Value example

    Use case: High availability, multiple data centers
    Data Model: Storage blocks of data are contained in columns
    Handles size well
    Based on Google's BigTable
    Example: Hadoop/Hbase used by Facebook and Yahoo

    		 This is a Column Example
    Document Graph

    Use case: Rapid development, Web and programmer friendly
    Data Model: Stores documents made up of tagged elements. Uses Key/Value collections
    Better query abilities than Key/Value databases.
    Inspired by Lotus Notes.
    Example: CouchDB used by BBC

    		 This is a Document Example

    Use case: Best at dealing with complexity and relationships/networks
    Data model: Nodes and relationships.
    Data is processed quickly
    Inspired by Euler and graph theory
    Can easily evolve schemas
    Example: Neo4j

    		 This is a Graph Example

    Understand your options

    Archive/Retire

    Store the application data in a long-term repository with the means to locate and read it for regulatory and compliance purposes.

    Migrate

    Migrate to a new version of the application, facilitating the process of moving software applications from one computing environment to another.

    Replatform

    Replatforming is an option for transitioning an existing Domino application to a new modern platform (i.e. cloud) to leverage the benefits of a modern deployment model.

    Stay

    Review the current Domino platform roadmap and understand HCL’s support model. Keep the application within the Domino platform.

    Archive/retire

    Retire the application, storing the application data in a long-term repository.

    Abstract

    The most common approach is to build the required functionality in whatever new application/solution is selected, then archive the old data in PDFs and documents.

    Typically this involves archiving the data and leveraging Microsoft SharePoint and the new collaborative solutions, likely in conjunction with other software-as-a-service (SaaS) solutions.

    Advantages

    • Reduce support cost.
    • Consolidate applications.
    • Reduce risk.
    • Reduce compliance and security concerns.
    • Improve business processes.

    Considerations

    • Application transformation
    • eDiscovery costs
    • Legal implications
    • Compliance implications
    • Business process dependencies

    Info-Tech Insights

    Be aware of the costs associated with archiving. The more you archive, the more it will cost you.

    Application migration

    Migrate to a new version of the application

    Abstract

    An application migration is the managed process of migrating or moving applications (software) from one infrastructure environment to another.

    This can include migrating applications from one data center to another data center, from a data center to a cloud provider, or from a company’s on-premises system to a cloud provider’s infrastructure.

    Advantages

    • Reduce hardware costs.
    • Leverage cloud technologies.
    • Improve scalability.
    • Improve disaster recovery.
    • Improve application security.

    Considerations

    • Data extraction, starting from the document databases in NSF format and including security settings about users and groups granted to read and write single documents, which is a powerful feature of Lotus Domino documents.
    • File extraction, starting from the document databases in NSF format, which can contain attachments and RTF documents and embedded files.
    • Design of the final relational database structure; this activity should be carried out without taking into account the original structure of the data in Domino files or the data conversion and loading, from the extracted format to the final model.
    • Design and development of the target-state custom applications based on the new data model and the new selected development platform.

    Application replatform

    Transition an existing Domino application to a new modern platform

    Abstract

    This type of arrangement is typically part of an application migration or transformation. In this model, client can “replatform” the application into an off-premises hosted provider platform. This would yield many benefits of cloud but in a different scaling capacity as experienced with commodity workloads (e.g. Windows, Linux) and the associated application.

    Two challenges are particularly significant when migrating or replatforming Domino applications:

    • The application functionality/value must be reproduced/replaced with not one but many applications, either through custom coding or a commercial-off-the-shelf/SaaS solution.
    • Notes “databases” are not relational databases and will not migrate simply to an SQL database while retaining the same business value. Notes databases are essentially NoSQL repositories and are difficult to normalize.

    Advantages

    • Leverage cloud technologies.
    • Improve scalability.
    • Align to a SharePoint platform.
    • Improve disaster recovery.
    • Improve application security.

    Considerations

    • Application replatform resource effort
    • Network bandwidth
    • New platform terms and conditions
    • Secure connectivity and communication
    • New platform security and compliance
    • Degree of complexity

    Info-Tech Insights

    There is a difference between a migration and a replatform application strategy. Determine which solution aligns to the application requirements.

    Stay with HCL

    Stay with HCL, understanding its future commitment to the platform.

    Abstract

    Following the announced acquisition of IBM Domino and up until around December 2019, HCL had published no future roadmap for the platform. The public-facing information/website at the time stated that HCL acquired “the product family and key lab services to deliver professional services.” Again, there was no mention or emphasis on upcoming new features for the platform. The product offering on their website at the time stated that HCL would leverage its services expertise to advise clients and push applications into four buckets:

    1. Replatform
    2. Retire
    3. Move to cloud
    4. Modernize

    That public-facing messaging changed with release 11.0, which had references to IBM rebranded to HCL for the Notes and Domino product – along with fixes already inflight. More information can be found on HCL’s FAQ page.

    Advantages

    • Known environment
    • Domino is a supported platform
    • Domino is a developed platform
    • No-code/low-code optimization
    • Business developed applications
    • Rapid application framework

    This is the HCL Domino Logo

    Understand your tools

    Many tools are available to help evaluate or migrate your Domino Platform. Here are a few common tools for you to consider.

    Notes Archiving & Notes to SharePoint

    Summary of Vendor

    “SWING Software delivers content transformation and archiving software to over 1,000 organizations worldwide. Our solutions uniquely combine key collaborative platforms and standard document formats, making document production, publishing, and archiving processes more efficient.”*

    Tools

    Lotus Notes Data Migration and Archiving: Preserve historical data outside of Notes and Domino

    Lotus Note Migration: Replacing Lotus Notes. Boost your migration by detaching historical data from Lotus Notes and Domino.

    Headquarters

    Croatia

    Best fit

    • Application archive and retire
    • Migration to SharePoint

    This is an image of the SwingSoftware Logo

    * swingsoftware.com

    Domino Migration to SharePoint

    Summary of Vendor

    “Providing leading solutions, resources, and expertise to help your organization transform its collaborative environment.”*

    Tools

    Notes Domino Migration Solutions: Rivit’s industry-leading solutions and hardened migration practice will help you eliminate Notes Domino once and for all.

    Rivive Me: Migrate Notes Domino applications to an enterprise web application

    Headquarters

    Canada

    Best fit

    • Application Archive & Retire
    • Migration to SharePoint

    This is an image of the RiVit Logo

    * rivit.ca

    Lotus Notes to M365

    Summary of Vendor

    “More than 300 organizations across 40+ countries trust skybow to build no-code/no-compromise business applications & processes, and skybow’s community of customers, partners, and experts grows every day.”*

    Tools

    SkyBow Studio: The low-code platform fully integrated into Microsoft 365

    Headquarters:

    Switzerland

    Best fit

    • Application Archive & Retire
    • Migration to SharePoint

    This is an image of the SkyBow Logo

    * skybow.com | About skybow

    Notes to SharePoint Migration

    Summary of Vendor

    “CIMtrek is a global software company headquartered in the UK. Our mission is to develop user-friendly, cost-effective technology solutions and services to help companies modernize their HCL Domino/Notes® application landscape and support their legacy COBOL applications.”*

    Tools

    CIMtrek SharePoint Migrator: Reduce the time and cost of migrating your IBM® Lotus Notes® applications to Office 365, SharePoint online, and SharePoint on premises.

    Headquarters

    United Kingdom

    Best fit

    • Application replatform
    • Migration to SharePoint

    This is an image of the CIMtrek Logo

    * cimtrek.com | About CIMtrek

    Domino replatform/Rapid application selection framework

    Summary of Vendor

    “4WS.Platform is a rapid application development tool used to quickly create multi-channel applications including web and mobile applications.”*

    Tools

    4WS.Platform is available in two editions: Community and Enterprise.
    The Platform Enterprise Edition, allows access with an optional support pack.

    4WS.Platform’s technical support provides support services to the users through support contracts and agreements.

    The platform is a subscription support services for companies using the product which will allow customers to benefit from the knowledge of 4WS.Platform’s technical experts.

    Headquarters

    Italy

    Best fit

    • Application replatform

    This is an image of the 4WS PLATFORM Logo

    * 4wsplatform.org

    Activity

    Understand your Domino options

    Application Rationalization Exercise

    Info-Tech Insight

    Application rationalization is the perfect exercise to fully understand your business-developed applications, their importance to business process, and the potential underlying financial impact.

    This activity involves the following participants:

    • IT strategic direction decision-makers.
    • IT managers responsible for an existing Domino platform
    • Organizations evaluating platforms for mission-critical applications.

    Outcomes of this step:

    • Completed Application Rationalization Tool

    Application rationalization exercise

    Use this Application Rationalization Tool to input the outcomes of your various application assessments

    In the Application Entry tab:

    • Input your application inventory or subset of apps you intend to rationalize, along with some basic information for your apps.

    In the Business Value & TCO Comparison tab, determine rationalization priorities.

    • Input your business value scores and total cost of ownership (TCO) of applications.
    • Review the results of this analysis to determine which apps should require additional analysis and which dispositions should be prioritized.

    In the Disposition Selection tab:

    • Add to or adapt our list of dispositions as appropriate.

    In the Rationalization Inputs tab:

    • Add or adapt the disposition criteria of your application rationalization framework as appropriate.
    • Input the results of your various assessments for each application.

    In the Disposition Settings tab:

    • Add or adapt settings that generate recommended dispositions based on your rationalization inputs.

    In the Disposition Recommendations tab:

    • Review and compare the rationalization results and confirm if dispositions are appropriate for your strategy.

    In the Timeline Considerations tab:

    • Enter the estimated timeline for when you execute your dispositions.

    In the Portfolio Roadmap tab:

    • Review and present your roadmap and rationalization results.

    Follow the instructions to generate recommended dispositions and populate an application portfolio roadmap.

    This image depicts a scatter plot graph where the X axis is labeled Business Value, and the Y Axis is labeled Cost. On the graph, the following datapoints are displayed: SF; HRIS; ERP; ALM; B; A; C; ODP; SAS

    Info-Tech Insight

    Watch out for misleading scores that result from poorly designed criteria weightings.

    Related Info-Tech Research

    Build an Application Rationalization Framework

    Manage your application portfolio to minimize risk and maximize value.

    Embrace Business-Managed Applications

    Empower the business to implement their own applications with a trusted business-IT relationship.

    Satisfy Digital End Users With Low- and No-Code

    Extend IT, automation, and digital capabilities to the business with the right tools, good governance, and trusted organizational relationships.

    Maximize the Benefits from Enterprise Applications with a Center of Excellence

    Optimize your organization’s enterprise application capabilities with a refined and scalable methodology.

    Drive Successful Sourcing Outcomes With a Robust RFP Process

    Leverage your vendor sourcing process to get better results.

    Research Authors

    Darin Stahl, Principal Research Advisor, Info-Tech Research Group

    Darin Stahl, Principal Research Advisor,
    Info-Tech Research Group

    Darin is a Principal Research Advisor within the Infrastructure practice, leveraging 38+ years of experience. His areas of focus include IT operations management, service desk, infrastructure outsourcing, managed services, cloud infrastructure, DRP/BCP, printer management, managed print services, application performance monitoring, managed FTP, and non-commodity servers (zSeries, mainframe, IBM i, AIX, Power PC).

    Troy Cheeseman, Practice Lead, Info-Tech Research Group

    Troy Cheeseman, Practice Lead,
    Info-Tech Research Group

    Troy has over 24 years of experience and has championed large enterprise-wide technology transformation programs, remote/home office collaboration and remote work strategies, BCP, IT DRP, IT operations and expense management programs, international right placement initiatives, and large technology transformation initiatives (M&A). Additionally, he has deep experience working with IT solution providers and technology (cloud) startups.

    Research Contributors

    Rob Salerno, Founder & CTO, Rivit Technology Partners

    Rob Salerno, Founder & CTO, Rivit Technology Partners

    Rob is the Founder and Chief Technology Strategist for Rivit Technology Partners. Rivit is a system integrator that delivers unique IT solutions. Rivit is known for its REVIVE migration strategy which helps companies leave legacy platforms (such as Domino) or move between versions of software. Rivit is the developer of the DCOM Application Archiving solution.

    Bibliography

    Cheshire, Nigel. “Domino v12 Launch Keeps HCL Product Strategy On Track.” Team Studio, 19 July 2021. Web.

    “Is LowCode/NoCode the best platform for you?” Rivit Technology Partners, 15 July 2021. Web.

    McCracken, Harry. “Lotus: Farewell to a Once-Great Tech Brand.” TIME, 20 Nov. 2012. Web.

    Sharwood, Simon. “Lotus Notes refuses to die, again, as HCL debuts Domino 12.” The Register, 8 June 2021. Web.

    Woodie, Alex. “Domino 12 Comes to IBM i.” IT Jungle, 16 Aug. 2021. Web.

    The Complete Manual for Layoffs

    • Buy Link or Shortcode: {j2store}514|cart{/j2store}
    • member rating overall impact: 10.0/10 Overall Impact
    • member rating average dollars saved: $30,999 Average $ Saved
    • member rating average days saved: 20 Average Days Saved
    • Parent Category Name: Lead
    • Parent Category Link: /lead

    When the economy is negatively influenced by factors beyond any organization’s control, the impact can be felt almost immediately on the bottom line. This decline in revenue as a result of a weakening economy will force organizations to reconsider every dollar they spend.

    Our Advice

    Critical Insight

    • The remote work environment many organizations find themselves in adds a layer of complexity to the already sensitive process of laying off employees.
    • Carrying out layoffs must be done while keeping personal contact as your first priority. That personal contact should be the basis for all subsequent communication with laid-off and remaining staff, even after layoffs have occurred.

    Impact and Result

    By following our process, we can provide your organization with the direction, tools, and best practices to lay off employees. This will need to be done with careful consideration into your organization’s short- and longer-term strategic goals.

    The Complete Manual for Layoffs Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Prepare for layoffs

    Understand the most effective cost-cutting solutions and set layoff policies and guidelines.

    • The Complete Manual for Layoffs Storyboard
    • Layoffs SWOT Analysis Template
    • Redeployment and Layoff Strategy Workbook
    • Sample Layoffs Policy
    • Cost-Cutting Planning Tool
    • Termination Costing Tool

    2. Objectively identify employees

    Develop an objective layoff selection method and plan for the transfer of essential responsibilities.

    • Workforce Planning Tool
    • Employee Layoff Selection Tool

    3. Prepare to meet with employees

    Plan logistics, training, and a post-layoff plan communication.

    • Termination Logistics Tool
    • IT Knowledge Transfer Risk Assessment Tool
    • IT Knowledge Transfer Plan Template
    • IT Knowledge Identification Interview Guide Template
    • Knowledge Transfer Job Aid
    • Layoffs Communication Package

    4. Meet with employees

    Collaborate with necessary departments and deliver layoffs notices.

    • Employee Departure Checklist Tool

    5. Monitor and manage departmental effectiveness

    Plan communications for affected employee groups and monitor organizational performance.

    • Ten Ways to Connect With Your Employees
    • Creating Connections
    [infographic]

    Implement Crisis Management Best Practices

    • Buy Link or Shortcode: {j2store}415|cart{/j2store}
    • member rating overall impact: 9.7/10 Overall Impact
    • member rating average dollars saved: $50,532 Average $ Saved
    • member rating average days saved: 42 Average Days Saved
    • Parent Category Name: DR and Business Continuity
    • Parent Category Link: /business-continuity
    • There’s a belief that you can’t know what crisis will hit you next, so you can’t prepare for it. As a result, resilience planning stops at more-specific planning such as business continuity planning or IT disaster recovery planning.
    • Business contingency and IT disaster recovery plans focus on how to resume normal operations following an incident. The missing piece is the crisis management plan – the overarching plan that guides the organization’s initial response, assessment, and action.
    • Organizations without a crisis management plan are far less able to minimize the impact of other crises such as a security breach, health & safety incident, or attacks on their reputation.

    Our Advice

    Critical Insight

    • Effective crisis management has a long-term demonstrable impact on your organization, long after the crisis is resolved. While all organizations can expect a short-term negative impact when a crisis hits, if the crisis is managed well, the research shows that your market capitalization can actually increase long term.
    • Crisis communication is more science than art and should follow a structured approach. Crisis communication is about more than being a good writer or having a social media presence. There are specific messages that must be included, and specific audiences to target, to get the results you need.
    • IT has a critical role in non-IT crises (as well as IT crises). Many crises are IT events (e.g. security breach). For non-IT events, IT is critical in supporting crisis communication and the operational response (e.g. COVID-19 and quickly ramping up working-from-home).

    Impact and Result

    • You can anticipate the types of crisis your organization may face in the future and build flexible plans that can be adapted in a crisis to meet the needs of the moment.
    • Identify potential crises that present a high risk to your organization.
    • Document emergency response and crisis response plans that provide a framework for addressing a range of crises.
    • Establish crisis communication guidelines to avoid embarrassing and damaging communications missteps.

    Implement Crisis Management Best Practices Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should implement crisis management best practices, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Identify potential crises and your crisis management team

    Identify, analyze, and prioritized potential crises based on risk to the organization. Set crisis management team roles and responsibilities. Adopt a crisis management framework.

    • Example Crisis Management Process Flowcharts (Visio)
    • Example Crisis Management Process Flowcharts (PDF)
    • Business Continuity Teams and Roles Tool

    2. Document your emergency and crisis response plans

    Document workflows for notification, situational assessment, emergency response, and crisis response.

    • Emergency Response Plan Checklist
    • Emergency Response Plan Summary
    • Emergency Response Plan Staff Instructions
    • Pandemic Response Plan Example
    • Pandemic Policy

    3. Document crisis communication guidelines

    Develop and document guidelines that support the creation and distribution of crisis communications.

    • Crisis Communication Guidelines and Templates

    4. Complete and maintain your crisis management plan

    Summarize your crisis management and response plans, create a roadmap to implement potential improvement projects, develop training and awareness initiatives, and schedule maintenance to keep the plan evergreen.

    • Crisis Management Plan Summary Example
    • BCP Project Roadmap Tool
    • Organizational Learning Guide
    [infographic]

    Workshop: Implement Crisis Management Best Practices

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Identify Potential Crises and Your Crisis Management Team

    The Purpose

    Identify and prioritize relevant potential crises.

    Key Benefits Achieved

    Enable crisis management pre-planning and identify gaps in current crisis management plans.

    Activities

    1.1 Identify high-risk crises.

    1.2 Assign roles and responsibilities on the crisis management team.

    1.3 Review Info-Tech’s crisis management framework.

    Outputs

    List of high-risk crises.

    CMT membership and responsibilities.

    Adopt the crisis management framework and identify current strengths and gaps.

    2 Document Emergency Response and Crisis Management Plans

    The Purpose

    Outline emergency response and crisis response plans.

    Key Benefits Achieved

    Develop and document procedures that enable rapid, effective, and reliable crisis and emergency response.

    Activities

    2.1 Develop crisis notification and assessment procedures.

    2.2 Document your emergency response plans.

    2.3 Document crisis response plans for potential high-risk crises.

    Outputs

    Documented notification and assessment workflows.

    Emergency response plans and checklists.

    Documented crisis response workflows.

    3 Document Crisis Communication Guidelines

    The Purpose

    Define crisis communication guidelines aligned with an actionable crisis communications framework.

    Key Benefits Achieved

    Document workflows and guidelines support crisis communications.

    Activities

    3.1 Establish the elements of baseline crisis communications.

    3.2 Identify audiences for the crisis message.

    3.3 Modify baseline communication guidelines based on audience and organizational responsibility.

    3.4 Create a vetting process.

    3.5 Identify communications channels.

    Outputs

    Baseline communications guidelines.

    Situational modifications to crisis communications guidelines.

    Documented vetting process.

    Documented communications channels

    4 Complete and Maintain Your Crisis Management Plan

    The Purpose

    Summarize the crisis management plan, establish an organizational learning process, and identify potential training and awareness activities.

    Key Benefits Achieved

    Plan ahead to keep your crisis management practice evergreen.

    Activities

    4.1 Review the CMP Summary Template.

    4.2 Create a project roadmap to close gaps in the crisis management plan.

    4.3 Outline an organizational learning process.

    4.4 Schedule plan reviews, testing, and updates.

    Outputs

    Long-term roadmap to improve crisis management capabilities.

    Crisis management plan maintenance process and awareness program.

    Reduce Risk With Rock-Solid Service-Level Agreements

    • Buy Link or Shortcode: {j2store}365|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Vendor Management
    • Parent Category Link: /vendor-management

    Organizations can struggle to understand what service-level agreements (SLAs) are required and how they can differ depending on the service type. In addition, these other challenges can also cloud an organization’s knowledge of SLAs:

    • No standardized SLAs documents, service levels, or metrics
    • Dealing with lost productivity and revenue due to persistent downtime
    • Not understanding SLAs components and what service levels are required for a particular service
    • How to manage the SLA and hold the vendor accountable

    Our Advice

    Critical Insight

    SLAs need to have clear, easy-to-measure objectives, to meet expectations and service level requirements, including meaningful reporting and remedies to hold the provider accountable to its obligations.

    Impact and Result

    This project will provide several benefits and learnings for almost all IT workers:

    • Better understanding of an SLA framework and required SLA elements
    • Standardized service levels and metrics aligned to the organization’s requirements
    • Reduced time in reviewing, evaluating, and managing service provider SLAs

    Reduce Risk With Rock-Solid Service-Level Agreements Research & Tools

    Start here – Read our Executive Brief

    Understand how to resolve your challenges with SLAs and their components and ensuring adequate metrics. Learn how to create meaningful SLAs that meet your requirements and manage them effectively.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Understand SLA elements – Understand the elements of SLAs, service types, service levels, metrics/KPIs, monitoring, and reporting

    • SLA Checklist
    • SLA Evaluation Tool

    2. Create requirements – Create your own SLA criteria and templates that meet your organization’s requirements

    • SLA Template & Metrics Reference Guide

    3. Manage obligations – Learn the SLA Management Framework to track providers’ performance and adherence to their commitments.

    • SLO Tracker & Trending Tool

    Infographic

    Workshop: Reduce Risk With Rock-Solid Service-Level Agreements

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Understand the Elements of SLAs

    The Purpose

    Understand key components and elements of an SLA.

    Key Benefits Achieved

    Properly evaluate an SLA for required elements.

    Activities

    1.1 SLA overview, objectives, SLA types, service levels

    1.2 SLA elements and objectives

    1.3 SLA components: monitoring, reporting, and remedies

    1.4 SLA checklist review

    Outputs

    SLA Checklist 

    Evaluation Process

    SLA Checklist

    Evaluation Process

    SLA Checklist

    Evaluation Process

    SLA Checklist

    Evaluation Process

    2 Create SLA Criteria and Management Framework

    The Purpose

    Apply knowledge of SLA elements to create internal SLA requirements.

    Key Benefits Achieved

    Templated SLAs that meet requirements.

    Framework to manage SLOs.

    Activities

    2.1 Creating SLA criteria and requirements

    2.2 SLA templates and policy

    2.3 SLA evaluation activity

    2.4 SLA Management Framework

    2.5 SLA monitoring, tracking, and remedy reconciliation

    Outputs

    Internal SLA Management Framework

    Evaluation of current SLAs

    SLA tracking and trending

    Internal SLA Management Framework

    Evaluation of current SLAs

    SLA tracking and trending

    Internal SLA Management Framework

    Evaluation of current SLAs

    SLA tracking and trending

    Internal SLA Management Framework

    Evaluation of current SLAs

    SLA tracking and trending

    Internal SLA Management Framework

    Evaluation of current SLAs

    SLA tracking and trending

    Further reading

    Reduce Risk With Rock-Solid Service-Level Agreements

    Hold Service Providers more accountable to their contractual obligations with meaningful SLA components & remedies

    EXECUTIVE BRIEF

    Analyst Perspective

    Reduce Risk With Rock-Solid Service-Level Agreements

    Every year organizations outsource more and more IT infrastructure to the cloud, and IT operations to managed service providers. This increase in outsourcing presents an increase in risk to the CIO to save on IT spend through outsourcing while maintaining required and expected service levels to internal customers and the organization. Ensuring that the service provider constantly meets their obligations so that the CIO can meet their obligation to the organization can be a constant challenge. This brings forth the importance of the Service Level Agreement.

    Research clearly indicates that there is a general lack of knowledge when comes to understanding the key elements of a Service Level Agreement (SLA). Even less understanding of the importance of the components of Service Levels and the Service Level Objectives (SLO) that service provider needs to meet so that the outsourced service consistently meets requirements of the organization. Most service providers are very good at providing the contracted service and they all are very good at presenting SLOs that are easy to meet with very few or no ramifications if they don’t meet their objectives. IT leaders need to be more resolute in only accepting SLOs that are meaningful to their requirements and have meaningful, proactive reporting and associated remedies to hold service providers accountable to their obligations.

    Ted Walker

    Principal Research Director, Vendor Practice

    Info-Tech Research Group

    Executive Brief

    Vendors provide service level commitments to customers in contracts to show a level of trust, performance, availability, security, and responsiveness in an effort create a sense of confidence that their service or platform will meet your organization’s requirements and expectations. Sifting through these promises can be challenging for many IT Leaders. Customers struggle to understand and evaluate what’s in the SLA – are they meaningful and protect your investment? Not understanding the details of SLAs applicable to various types of Service (SaaS, MSP, Service Desk, DR, ISP) can lead to financial and compliance risk for the organization as well as poor customer satisfaction.

    This project will provide IT leadership the knowledge & tools that will allow them to:

    • Understand what SLAs are and why they need them.
    • Develop standard SLAs that meet the organization’s requirements.
    • Negotiate meaningful remedies aligned to Service Levels metrics or KPIs.
    • Create SLA monitoring & reporting and remedies requirements to hold the provider accountable.

    This research:

    1. Is designed for:
    • The CIO or CFO who needs to better understand their provider’s SLAs.
    • The CIO or BU that could benefit from improved service levels.
    • Vendor management who needs to standardize SLAs for the organization IT leadership that needs consistent service levels to the business
    • The contract manager who needs a better understanding of contact SLAs
  • Will help you:
    • Understand what a Service Level Agreement is and what it’s for
    • Learn what the components are of an SLA and why you need them
    • Create a checklist of required SLA elements for your organization
    • Develop standard SLA template requirements for various service types
    • Learn the importance of SLA management to hold providers accountable
  • Will also assist:
    • Vendor management
    • Procurement and sourcing
    • Organizations that need to understand SLAs within contract language
    • With creating standardized monitoring & reporting requirements
    • Organizations get better position remedies & credits to hold vendors accountable to their commitments

    • Reduce Risk With Rock-Solid Service-Level Agreements (SLAs)

    Hold service providers more accountable to their contractual obligations with meaningful SLA components and remedies

    The Problem

    IT Leadership doesn't know how to evaluate an SLA.

    Misunderstanding of obligations given the type of service provided (SAAS, IAAS, DR/BCP, Service Desk)

    Expectations not being met, leading to poor service from the provider.

    No way to hold provider accountable.

    Why it matters

    SLAS are designed to ensure that outsourced IT services meet the requirements and expectations of the organization. Well-written SLAs with all the required elements, metrics, and remedies will allow IT departments to provide the service levels to their customer and avoid financial and contractual risk to the organization.

    The Solution

    1. Understand the key service elements within an SLA
    • Develop a solid understanding of the key elements within an SLA and why they're important.
  • Establish requirements to create SLA criteria
    • Prioritize contractual services and establish concise SLA checklists and performance metrics.
  • Manage SLA obligations to ensure commitments are met
    • Review the five steps for effective SLA management to track provider performance and deal with chronic issues.

    • Service types

    • Availability/Uptime
    • Response Times
    • Resolution Time
    • Accuracy
    • First-Call Resolution

    Agreement Types

    • SaaS/IaaS
    • Service Desk
    • MSP
    • Co-Location
    • DR/BCP
    • Security Ops

    Performance Metrics

    • Reporting
    • Remedies & Credits
    • Monitoring
    • Exclusion

    Example SaaS Provider

    • Response Times ✓
    • Availability/Uptime ✓
    • Resolution Time ✓
    • Update Times ✓
    • Coverage Time ✓
    • Monitoring ✓
    • Reporting ✓
    • Remedies/Credits ✓

    SLA Management Framework

    1. SLO Monitoring
    • SLOs must be monitored by the provider, otherwise they can't be measured.
  • Concise Reporting
    • This is the key element for the provider to validate their performance.
  • Attainment Tracking
    • Capturing SLO metric attainment provides performance trending for each provider.
  • Score carding
    • Tracking details provide input into overall vendor performance ratings.
  • Remedy Reconciliation
    • From SLO tracking, missed SLOs and associated credits needs to be actioned and consumed.

    • Executive Summary

    Your Challenge

    To understand which SLAs are required for your organization and how they can differ depending on the service type. In addition, these other challenges can also cloud your knowledge of SLAs

    • No standardized SLA documents, Service levels, or metrics
    • Dealing with lost productivity & revenue due to persistent downtime
    • Understanding SLA components and what service levels are requires for a particular service
    • How to manage the SLA and hold the vendor accountable

    Common Obstacles

    There are several unknowns that SLA can present to different departments within the organization:

    • Little knowledge of what service levels are required
    • Not knowing SLO standards for a service type
    • Lack of resources to manage vendor obligations
    • Negotiating required metrics/KPIs with the provider
    • Low understanding of the risk that poor SLAs can present to the organization

    Info-Tech's Approach

    Info-Tech has a three-step approach to effective SLAs

    • Understand the elements of an SLA
    • Create Requirements for your organization
    • Manage the SLA obligations

    There are some basic components that every SLA should have – most don’t have half of what is required

    Info-Tech Insight

    SLAs need to have clear, easy to measure objectives to meet your expectations and service level requirements, including meaningful reporting and remedies to hold the provider accountable to their obligations.

    Your challenge

    This research is designed to help organizations gain a better understanding of what an SLA is, understand the importance of SLAs in IT contracts, and ensure organizations are provided with rock-solid SLAs that meet their requirements and not just what the vendor wants to provide.

    • Vendors can make SLAs weak and difficult to understand; sometimes the metrics are meaningless. Not fully understanding what makes up a good SLA can bring unknown risks to the organization.
    • Managing vendor SLA obligations effectively is important. Are adequate resources available? Does the vendor provide manual vs. automated processes and which do you need? Is the process proactive from the vendor or reactive from the customer?

    SLAs come in many variations and for many service types. Understanding what needs to be in them is one of the keys to reducing risk to your organization.

    “One of the biggest mistakes an IT leader can make is ignoring the ‘A’ in SLA,” adds Wendy M. Pfeiffer, CIO at Nutanix. “

    An agreement isn’t a one-sided declaration of IT capabilities, nor is it a one-sided demand of business requirements,” she says. “An agreement involves creating a shared understanding of desired service delivery and quality, calculating costs related to expectations, and then agreeing to outcomes in exchange for investment.” (15 SLA mistakes IT leaders still make | CIO)

    Common obstacles

    There are typically a lot of unknowns when it comes to SLAs and how to manage them.

    Most organizations don’t have a full understanding of what SLAs they require and how to ensure they are met by the vendor. Other obstacles that SLAs can present are:

    • Inadequate resources to create and manage SLAs
    • Poor awareness of standard or required SLA metrics/KPIs
    • Lack of knowledge about each provider’s commitment as well as your obligations
    • Low vendor willingness to provide or negotiate meaningful SLAs and credits
    • The know-how or resources to effectively monitor and manage the SLA’s performance

    SLAs need to address your requirements

    55% of businesses do not find all of their service desk metrics useful or valuable (Freshservice.com)

    27% of businesses spend four to seven hours a month collating metric reports (Freshservice.com)

    Executive Summary

    Info-Tech’s Approach

    • Understand the elements of an SLA
      • Availability
      • Monitoring
      • Response Times
      • SLO Calculation
      • Resolution Time
      • Reporting
      • Milestones
      • Exclusions
      • Accuracy
      • Remedies & Credits
    • Create standard SLA requirements and criteria
      • SLA Element Checklist
      • Corporate Requirements and Standards
      • SLA Templates and Policy
    • Effectively Manage the SLA Obligations
      • SLA Management Framework
        • SLO Monitoring
        • Concise Reporting
        • Attainment Tracking
        • Score Carding
        • Remedy Reconciliation

    Info-Tech’s three phase approach

    Reduce Risk With Rock-Solid Service-Level Agreements

    Phase 1

    Understand SLA Elements

    Phase Content:

    • 1.1 What are SLAs, types of SLAs, and why are they needed?
    • 1.2 Elements of an SLA
    • 1.3 Obligation management monitoring, Reporting requirements
    • 1.4 Exclusions
    • 1.5 SLAs vs. SLOs vs. SLIs

    Outcome:

    This phase will present you with an understanding of the elements of an SLA: What they are, why you need them, and how to validate them.

    Phase 2

    Create Requirements

    Phase Content:

    • 2.1 Create a list of your SLA criteria
    • 2.2 Develop SLA policy & templates
    • 2.3 Create a negotiation strategy
    • 2.4 SLA Overachieving discussion

    Outcome:

    This phase will leverage knowledge gained in Phase 1 and guide you through the creation of SLA requirements, criteria, and templates to ensure that providers meet the service level obligations needed for various service types to meet your organization’s service expectations.

    Phase 3

    Manage Obligations

    Phase Content:

    • 3.1 SLA Monitoring, Tracking
    • 3.2 Reporting
    • 3.3 Vendor SLA Reviews & Optimizing
    • 3.4 Performance management

    Outcome:

    This phase will provide you with an SLA management framework and the best practices that will allow you to effectively manage service providers and their SLA obligations.

    Insight summary

    Overarching insight

    SLAs need to have clear, easy-to-measure objectives to meet your expectations and service level requirements, including meaningful reporting and remedies to hold the provider accountable to their obligations.

    Phase 1 insight

    Not understanding the required elements of an SLA and not having meaningful remedies to hold service providers accountable to their obligations can present several risk factors to your organization.

    Phase 2 insight

    Creating standard SLA criteria for your organization’s service providers will ensure consistent service levels for your business units and customers.

    Phase 3 insight

    SLAs can have appropriate SLOs and remedies but without effective management processes they could become meaningless.

    Tactical insight

    Be sure to set SLAs that are easily measurable from regularly accessible data and that are straight forward to interpret.

    Tactical insight

    Beware of low, easy to attain service levels and metrics/KPIs. Service levels need to meet your expectations and needs not the vendor’s.

    Blueprint deliverables

    Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:

    SLA Tracker & Trending Tool

    Track the provider’s SLO attainment and see how their performance is trending over time

    SLA Evaluation Tool

    Evaluate SLA service levels, metrics, credit values, reporting, and other elements

    SLA Template & Metrics Reference Guide

    Reference guide for typical SLA metrics with a generic SLA Template

    Service-Level Agreement Checklist

    Complete SLA component checklist for core SLA and contractual elements.

    Key deliverable:

    Service-Level Agreement Evaluation Tool

    Evaluate each component of the SLA , including service levels, metrics, credit values, reporting, and processes to meet your requirements

    Blueprint objectives

    Understand the components of an SLA and effectively manage their obligations

    • To provide an understanding of different types of SLAs, their required elements, and what they mean to your organization. How to identify meaningful service levels based on service types. We will break down the elements of the SLA such as service types and define service levels such as response times, availability, accuracy, and associated metrics or KPIs to ensure they are concise and easy to measure.
    • To show how important it is that all metrics have remedies to hold the service provider accountable to their SLA obligations.

    Once you have this knowledge you will be able to create and negotiate SLA requirements to meet your organization’s needs and then manage them effectively throughout the term of the agreement.

    InfoTech Insight:

    Right-size your requirements and create your SLO criteria based on risk mitigation and create measurements that motivate the desired behavior from the SLA.

    Blueprint benefits

    IT Benefits

    • An understanding of standard SLA service levels and metrics
    • Reduced financial risk through clear and concise easy-to-measure metrics and KPIs
    • Improved SLA commitments from the service provider
    • Meaningful reporting and remedies to hold the provider accountable
    • Service levels and metrics that meet your requirements to support your customers

    Business Benefits

    • Better understanding of an SLA framework and required SLA elements
    • Improved vendor performance
    • Standardized service levels and metrics aligned to your organization’s requirements
    • Reduced time in reviewing and comprehending vendor SLAs
    • Consistent performance from your service providers

    Measure the value of this blueprint

    1. Dollars Saved
    • Improved performance from your service provider
    • Reduced financial risk through meaningful service levels & remedies
    • Dollars gained through:
      • Reconciled credits from obligation tracking and management
      • Savings due to automated processes
  • Time Saved
    • Reduced time in creating effective SLAs through requirement templates
    • Time spent tracking and managing SLA obligations
    • Reduced negotiation time
    • Time spent tracking and reconciling credits
  • Knowledge Gained
    • Understanding of SLA elements, service levels, service types, reporting, and remedies
    • Standard metrics and KPIs required for various service types and levels
    • How to effectively manage the service provider obligations
    • Tactics to negotiate appropriate service levels to meet your requirements

    • Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    "Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful."

    Guided Implementation

    "Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way wound help keep us on track."

    Workshop

    "We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place."

    Consulting

    "Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project."

    Diagnostics and consistent frameworks are used throughout all four options.

    Guided Implementation

    What does a typical GI on this topic look like?

    A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

    A typical GI is between three to six calls over the course of two to three months.

    Phase 1 - Understand

    • Call #1: Scope requirements, objectives, and your specific SLA challenges

    Phase 2 - Create Requirements

    • Call #2: Review key SLA and how to identify them
    • Call #3: Deep dive into SLA elements and why you need them
    • Call #4: Review your service types and SLA criteria
    • Call #5: Create internal SLA requirements and templates

    Phase 3 - Management

    • Call #6: Review SLA Management Framework
    • Call #7: Review and create SLA Reporting and Tracking

    Workshop Overview

    Contact your account representative for more information.

    workshops@infotech.com 1-888-670-8889

    Day 1 Day 2
    Understanding SLAs SLA Templating & Management
    Activities

    1.1 SLA overview, objectives, SLA types, service levels

    1.2 SLA elements and objectives

    1.3 SLA components – monitoring, reporting, remedies

    1.4 SLA Checklist review

    2.1 Creating SLA criteria and requirements

    2.2 SLA policy & template

    2.3 SLA evaluation activity

    2.4 SLA management framework

    2.5 SLA monitoring, tracking, remedy reconciliation

    Deliverables
    1. SLA Checklist
    2. SLA policy & template creation
    3. SLA management gap analysis
    1. Evaluation of current SLAs
    2. SLA tracking and trending
    3. Create internal SLA management framework

    Reduce Risk With Rock-Solid Service-Level Agreements

    Phase 1

    Phase 1

    Understand SLA Elements

    Phase Steps

    • 1.1 What are SLAs, the types of SLAs, and why are they needed?
    • 1.2 Elements of an SLA
    • 1.3 Obligation management monitoring, Reporting requirements
    • 1.4 Exclusions and exceptions
    • 1.5 SLAs vs. SLOs vs. SLIs

    Create Requirements

    Manage Obligations

    1.1 What are SLAs, the types of SLAs, and why are they needed?

    SLA Overview

    What is a Service Level Agreement?

    An SLA is an overarching contractual agreement between a service provider and a customer (can be external or internal) that describes the services that will be delivered by the provider. It describes the service levels and associated performance metrics and expectations, how the provider will show it has attained the SLAs, and defines any remedies or credits that would apply if the provider fails to meet its commitments. Some SLAs also include a change or revision process.

    SLAs come in a few forms. Some are unique, separate, standalone documents that define the service types and levels in more detail and is customized to your needs. Some are separate documents that apply to a service and are web posted or linked to an MSA or SSA. The most common is to have them embedded in, or as an appendix to an MSA or SSA. When negotiating an MSA it’s generally more effective to negotiate better service levels and metrics at the same time.

    Objectives of an SLA

    To be effective, SLAs need to have clearly described objectives that define the service type(s) that the service provider will perform, along with commitment to associated measurable metrics or KPIs that are sufficient to meet your expectations. The goal of these service levels and metrics is to ensure that the service provider is committed to providing the service that you require, and to allow you to maintain service levels to your customers whether internal or external.

    1.1 What are SLAs, the types of SLAs, and why are they needed?

    Key Elements of an SLA

    Principle service elements of an SLA

    There are several more common service-related elements of an SLA. These generally include:

    • The Agreement – the document that defines service levels and commitments.
    • The service types – the type of service being provided by the vendor. These can include SaaS, MSP, Service Desk, Telecom/network, PaaS, Co-Lo, BCP, etc.
    • The service levels – these are the measurable performance objectives of the SLA. They include availability (uptime), response times, restore times, priority level, accuracy level, resolution times, event prevention, completion time, etc.
    • Metrics/KPIs – These are the targets or commitments associated to the service level that the service provider is obligated to meet.
    • Other elements – Reporting requirements, monitoring, remedies/credit values and process.

    Contractual Construct Elements

    These are construct components of an SLA that outline their roles and responsibilities, T&Cs, escalation process, etc.

    In addition, there are several contractual-type elements including, but not limited to:

    • A statement regarding the purpose of the SLA.
    • A list of services being supplied (service types).
    • An in-depth description of how services will be provided and when.
    • Vendor and customer requirements.
    • Vendor and customer obligations.
    • Acknowledgment/acceptance of the SLA.
    • They also list each party’s responsibilities and how issues will be escalated and resolved.

    Common types of SLAs explained

    Service-level SLA

    • This service-level agreement construct is the Service-based SLA. This SLA covers an identified service for all customers in general (for example, if an IT service provider offers customer response times for a service to several customers). In a service-based agreement, the response times would be the same and apply to all customers using the service. Any customer using the service would be provided the same SLA – in this case the same defined response time.

    Customer-based SLA

    • A customer-based SLA is a unique agreement with one customer. The entire agreement is defined for one or all service levels provided to a particular customer (for example, you may use several services from one telecom vendor). The SLAs for these services would be covered in one contract between you and the vendor, creating a unique customer-based vendor agreement. Another scenario could be where a vendor offers general SLAs for its services but you negotiate a specific SLA for a particular service that is unique or exclusive to you. This would be a customer-based SLA as well.

    Multi-level SLA

    • This service-level agreement construct is the multi-level SLA. In a multi-level SLA, components are defined to the organizational levels of the customer with cascading coverage to sublevels of the organization. The SLA typically entails all services and is designed to the cover each sub-level or department within the organization. Sometimes the multi-level SLA is known as a master organization SLA as it cascades to several levels of the organization.

    InfoTech Insight: Beware of low, easy to attain Service levels and metrics/KPIs. Service levels need to meet your requirements, expectations, and needs not the vendor’s.

    1.2 Elements of SLA-objectives, service types, and service levels

    Objectives of Service Levels

    The objective of the service levels and service credits are to:

    • Ensure that the services are of a consistently high quality and meet the requirements of the customer
    • Provide a mechanism whereby the customer can attain meaningful recognition of the vendors failure to deliver the level of service for which it was contracted to deliver
    • Incentivize the vendor or service provider to comply with and to expeditiously provide a remedy for any failure to attain the service levels committed to in the SLA
    • To ensure that the service provider fulfills the defined objectives of the outsourced service

    Service types

    There are several service types that can be part of an SLA. Service types are the different nature of services associated with the SLA that the provider is performing and being measured against. These can include:

    Service Desk, SaaS, PaaS, IaaS, ISP/Telecom/Network MSP, DR & BCP, Co-location security ops, SOW.

    Each service type should have standard service level targets or obligations that can vary depending on your requirements and reliance on the service being provided.

    Service levels

    Service levels are measurable targets, metrics, or KPIs that the service provider has committed to for the particular service type. Service levels are the key element of SLAs – they are the performance expectations set between you and the provider. The service performance of the provider is measured against the service level commitments. The ability of the provider to consistently meet these metrics will allow your organization to fully benefit from the objectives of the service and associated SLAs. Most service levels are time related but not all are.

    Common service levels are:

    Response times, resolution times per percent, restore/recovery times, accuracy, availability/uptime, completion/milestones, updating/communication, latency.

    Each service level has standard or minimum metrics for the provider. The metrics, or KPIs, should be relatively easy to measure and report against on a regular basis. Service levels are generally negotiable to meet your requirements.

    1.2.1 Activity SLA Checklist Tool

    1-2 hours

    Input

    • SLA content, Service elements
    • Contract terms & exclusions
    • Service metrices/KPIs

    Output

    • A concise list of SLA components
    • A list of missing SLA elements
    • Evaluation of the SLA

    Materials

    • Comprehensive checklist
    • Service provider SLA
    • Internal templates or policies

    Participants

    • Vendor or contract manager
    • IT or business unit manager
    • Legal
    • Finance

    Using this checklist will help you review a provider’s SLA to ensure it contains adequate service levels and remedies as well as contract-type elements.

    Instructions:

    Use the checklist to identify the principal service level elements as well as the contractual-type elements within the SLA.

    Review the SLA and use the dropdowns in the checklist to verify if the element is in the SLA and whether it is within acceptable parameters as well the page or section for reference.

    The checklist contains a list of service types that can be used for reference of what SLA elements you should expect to see in that service type SLA.

    Download the SLA Checklist Tool

    1.3 Monitoring, reporting requirements, remedies/credit process

    Monitoring & Reporting

    As mentioned, well-defined service levels are key to the success of the SLA. Validating that the metrics/KPIs are being met on a consistent basis requires regular monitoring and reporting. These elements of the SLA are how you hold the provider accountable to the SLA commitments and obligations. To achieve the service level, the service must be monitored to validate that timelines are met and accuracy is achieved.

    • Data or details from monitoring must then be presented in a report and delivered to the customer in an agreed-upon format. These formats can be in a dashboard, portal, spreadsheet, or csv file, and they must have sufficient criteria to validate the service-level metric. Reports should be kept for future review and to create historical trending.
    • Monitoring and reporting should be the responsibility of the service provider. This is the only way that they can validate to the customer that a service level has been achieved.
    • Reporting criteria and delivery timelines should be defined in the SLA and can even have a service level associated with it, such as a scheduled report delivery on the fifth day of the following month.
    • Reports need to be checked and balanced. When defining report criteria, be sure to define data source(s) that can be easily validated by both parties.
    • Report criteria should include compliance requirements, target metric/KPIs, and whether they were attained.
    • The report should identify any attainment shortfall or missed KPIs.

    Too many SLAs do not have these elements as often the provider tries to put the onus on the customer to monitor their performance of the service levels. .

    1.3.1 Monitoring, reporting requirements, remedies/credit process

    Remedies and Credits

    Service-level reports validate the performance of the service provider to the SLA metrics or KPIs. If the metrics are met, then by rights, the service provider is doing its job and performing up to expectations of the SLA and your organization.

    • What if the metrics are not being met either periodically or consistently? Solving this is the goal of remedies. Remedies are typically monetary costs (in some form) to the provider that they must pay for not meeting a service-level commitment. Credits can vary significantly and should be aligned to the severity of the missed service level. Sometimes there no credits offered by the vendor. This is a red flag in an SLA.
    • Typically expressed as a monetary credit, the SLA will have service levels and associated credits if the service-level metric/KPI is not met during the reporting period. Credits can be expressed in a dollar format, often defined as a percentage of a monthly fee or prorated annual fee. Although less common, some SLAs offer non-financial credits. These could include: an extension to service term, additional modules, training credits, access to a higher support level, etc.
    • Regardless of how the credit is presented, this is typically the only way to hold your provider accountable to their commitments and to ensure they perform consistently to expectations. You must do a rough calculation to validate the potential monetary value and if the credit is meaningful enough to the provider.

    Research shows that credit values that equate to just a few dollars, when you are paying the provider tens of thousands of dollars a month for a service or product, the credit is insignificant and therefore doesn’t incent the provider to achieve or maintain a service level.

    1.3.2 Monitoring, reporting requirements, remedies/credit process

    Credit Process

    Along with meaningful credit values, there must be a defined credit calculation method and credit redemption process in the SLA.

    Credit calculation. The credit calculation should be simple and straight forward. Many times, we see providers define complicated methods of calculating the credit value. In some cases complicated service levels require higher effort to monitor and report on, but this shouldn’t mean that the credit for missing the service level needs to require the same effort to calculate. Do a sample credit calculation to validate if the potential credit value is meaningful enough or meets your requirements.

    Credit redemption process. The SLA should define the process of how a credit is provided to the customer. Ideally the process should be fairly automated by the service provider. If the report shows a missed service level, that should trigger a credit calculation and credit value posted to account followed by notification. In many SLAs that we review, the credit process is either poorly defined or not defined at all. When it is defined, the process typically requires the customer to follow an onerous process and submit a credit request that must then be validated by the provider and then, if approved, posted to your account to be applied at year end as long as you are in complete compliance with the agreement and up-to-date on your account etc. This is what we need to avoid in provider-written SLAs. You need a proactive process where the service provider takes responsibility for missing an SLA and automatically assigns an accurate credit to your account with an email notice.

    Secondary level remedies. These are remedies for partial performance. For example, the platform is accessible but some major modules are not working (i.e.: the payroll platform is up and running and accessible but the tax table is not working properly so you can’t complete your payroll run on-time). Consider the requirement of a service level, metric, and remedy for critical components of a service and not just the platform availability.

    Info-Tech Insight SLA’s without adequate remedies to hold the vendor accountable to their commitments make the SLAs essentially meaningless.

    1.4 Exclusions indemnification, force majeure, scheduled maintenance

    Contract-Related Exclusions

    Attaining service-level commitments by the provider within an SLA can depend on other factors that could greatly influence their performance to service levels. Most of these other factors are common and should be defined in the SLA as exclusions or exceptions. Exceptions/exclusions can typically apply to credit calculations as well. Typical exceptions to attaining service levels are:

    • Denial of Service (DoS) attacks
    • Communication/ISP outage
    • Outages of third-party hosting
    • Actions or inactions of the client or third parties
    • Scheduled maintenance but not emergency maintenance
    • Force majeure events which can cover several different scenarios

    Attention should be taken to review the exceptions to ensure they are in fact not within the reasonable control of the provider. Many times the provider will list several exclusions. Often these are not reasonable or can be avoided, and in most cases, they allow the service provider the opportunity to show unjustified service-level achievements. These should be negotiated out of the SLA.

    1.5 Activity SLA Evaluation Tool

    1-2 hours

    Input

    • SLA content
    • SLA elements
    • SLA objectives
    • SLO calculation methods

    Output

    • Rating of the SLA service levels and objectives
    • Overall rating of the SLA content
    • Targeted list of required improvements

    Materials

    • SLA comprehensive checklist
    • Service provider SLA

    Participants

    • Vendor or contract manager
    • IT manager or leadership
    • Application or business unit manager

    The SLA Evaluation Tool will allow you evaluate an SLA for content. Enter details into the tool and evaluate the service levels and SLA elements and components to ensure the agreement contains adequate SLOs to meet your organization’s service requirements.

    Instructions:

    Review and identify SLA elements within the service provider’s SLA.

    Enter service-level details into the tool and rate the SLOs.

    Enter service elements details, validate that all required elements are in the SLA, and rate them accordingly.

    Capture and evaluate service-level SLO calculations.

    Review the overall rating for the SLA and create a targeted list for improvements with the service provider.

    Download the SLA Evaluation Tool

    1.5 Clarification: SLAs vs. SLOs vs. SLIs

    SLA – Service-Level Agreement The promise or commitment

    • This is the formal agreement between you and your service provider that contains their service levels and obligations with measurable metrics/KPIs and associated remedies. SLAs can be a separate or unique document, but are most commonly embedded within an MSA, SOW, SaaS, etc. as an addendum or exhibit.

    SLO – Service-Level Objective The goals or targets

    • This service-level agreement construct is the customer-based SLA. A Customer-based SLA is a unique agreement with one customer. The entire agreement is defined for one or all service levels provided to a particular customer. For example, you may use several services from one telecom vendor. The SLAs for these services would be covered in one contract between you and the Telco vendor, creating a unique customer-based to vendor agreement. Another scenario: a vendor offers general SLAs for its services and you negotiate a specific SLA for a particular service that is unique or exclusive to you. This would be a customer-based SLA as well.

    Other common names are Metrics and Key Performance Indicators (KPIs )

    SLI – Service-Level Indicator How did we do? Did we achieve the objectives?

    • An SLI is the actual metric attained after the measurement period. SLI measures compliance with an SLO (service level objective). So, for example, if your SLA specifies that your systems will be available 99.95% of the time, your SLO is 99.95% uptime and your SLI is the actual measurement of your uptime. Maybe it’s 99.96%. maybe 99.99% or even 99.75% For the vendor to be compliant to the SLA, the SLI(s) must meet or exceed the SLOs within the SLA document.

    Other common names: attainment, results, actual

    Info-Tech Insight:

    Web-posted SLAs that are not embedded within a signed MSA, can present uncertainty and risk as they can change at any time and typically without direct notice to the customer

    Reduce Risk With Rock-Solid Service-Level Agreements

    Phase 2

    Understand SLA Elements

    Phase 2

    Create Requirements

    Phase Steps

    • 2.1 Create a list of your SLA criteria
    • 2.2 Develop SLA policy & templates
    • 2.3 Create a negotiation strategy
    • 2.4 SLA overachieving discussion

    Manage Obligations

    2.1 Create a list of your SLA criteria

    Principle Service Elements

    With your understanding of the types of SLAs and the elements that comprise a well-written agreement

    • The next step is to start to create a set of SLA criteria for service types that your organization outsources or may require in the future.
    • This criteria should define the elements of the SLA with tolerance levels that will require the provider to meet your service expectations.
    • Service levels, metrics/KPIs, associated remedies and reporting criteria. This criteria could be captured into table-like templates that can be referenced or inserted into service provider SLAs.
    • Once you have defined minimum service-level criteria, we recommend that you do a deeper review of the various service provider types that your organization has in place. The goal of the review is to understand the objective of the service type and associated service levels and then compare them to your requirements for the service to meet your expectations. Service levels and KPIs should be no less than if your IT department was providing the service with its own resources and infrastructure.
    • Most IT departments have service levels that they are required to meet with their infrastructure to the business units or organization, whether it’s App delivery, issue or problem resolution, availability etc. When any of these services are outsourced to an external service provider, you need to make all efforts to ensure that the service levels are equal to or better than the previous or existing internal expectations.
    • Additionally, the goal is to identify service levels and metrics that don’t meet your requirements or expectations and/or service levels that are missing.

    2.2 Develop SLA policies and templates

    Contract-type Elements

    After creating templates for minimum-service metrics & KPIs, reporting criteria templates, process, and timing, the next step should be to work on contract-type elements and additional service-level components. These elements should include:

    • Reporting format, criteria, and timelines
    • Monitoring requirements
    • Minimum acceptable remedy or credits process; proactive by provider vs. reactive by customer
    • Roles & responsibilities
    • Acceptable exclusion details
    • Termination language for persistent failure to meet SLOs

    These templates or criteria minimums can be used as guidelines or policy when creating or negotiating SLAs with a service provider.

    Start your initial element templates for your strategic vendors and most common service types: SaaS, IaaS, Service Desk, SecOps, etc. The goal of SLA templates is to create simple minimum guidelines for service levels that will allow you to meet your internal SLAs and expectations. Having SLA templates will show the service provider that you understand your requirements and may put you in a better negotiating position when reviewing with the provider.

    When considering SLO metrics or KPIs consider the SMART guidance:

    Simple: A KPI should be easy to measure. It should not be complicated, and the purpose behind recording it must be documented and communicated.

    Measurable: A KPI that cannot be measured will not help in the decision-making process. The selected KPIs must be measurable, whether qualitatively or quantitatively. The procedure for measuring the KPIs must be consistent and well-defined.

    Actionable: KPIs should contribute to the decision-making process of your organization. A KPI that does not make any such contributions serves no purpose.

    Relevant: KPIs must be related to operations or functions that a security team seeks to assess.

    Time-based: KPIs should be flexible enough to demonstrate changes over time. In a practical sense, an ideal KPI can be grouped together by different time intervals.

    (Guide for Security Operations Metrics)

    2.2.1 Activity: Review SLA Template & Metrics Reference Guide

    1-2 hours

    Input

    • Service level metrics
    • List of who is accountable for PPM decisions

    Output

    • SLO templates for service types
    • SLA criteria that meets your organization’s requirements

    Materials

    • SLA Checklist
    • SLA criteria list with SLO & credit values
    • PPM Decision Review Workbook

    Participants

    • Vendor manager
    • IT leadership
    • Procurement or contract manager
    1. Review the SLA Template and Metrics Reference Guide for common metrics & KPIs for the various service types. Each Service Type tab has SLA elements and SLO metrics typically associated with the type of service.
    2. Some service levels have common or standard credits* that are typically associated with the service level or metric.
    3. Use the SLA Template to enter service levels, metrics, and credits that meet your organization’s criteria or requirements for a given service type.

    Download the SLA Template & Metrics Reference Guide

    *Credit values are not standard values, rather general ranges that our research shows to be the typical ranges that credit values should be for a given missed service level

    2.3 Create a negotiation strategy

    Once you have created service-level element criteria templates for your organization’s requirements, it’s time to document a negotiation position or strategy to use when negotiating with service providers. Not all providers are flexible with their SLA commitments, in fact most are reluctant to change or create “unique” SLOs for individual customers. Particularly cloud vendors providing IaaS, SaaS, or PaaS, SLAs. ISP/Telcom, Co-Lo and DR/BU providers also have standard SLOs that they don’t like to stray far from. On the other hand, security ops (SIEM), service desk, hardware, and SOW/PS providers who are generally contracted to provide variable services are somewhat more flexible with their SLAs and more willing to meet your requirements.

    • Service providers want to avoid being held accountable to SLOs, and their SLAs are typically written to reflect that.

    The goal of creating internal SLA templates and policies is to set a minimum baseline of service levels that your organization is willing to accept, and that will meet their requirements and expectations for the outsourced service. Using these templated SLOs will set the basis for negotiating the entire SLA with the provider. You can set the SLA purpose, objectives, roles, and responsibilities and then achieve these from the service provider with solid SLOs and associated reporting and remedies.

    Info-Tech Insight

    Web-posted SLAs that are not embedded within a signed MSA can present uncertainty and risk as they can change at any time and typically without direct notice to the customer

    2.3.1 Negotiating strategy guidance

    • Be prepared. Create a negotiating plan and put together a team that understands your organization’s requirements for SLA.
    • Stay informed. Request provider’s recent performance data and negotiate SLOs to the provider’s average performance.
    • Know what you need. Corporate SLA templates or policies should be positioned to service providers as baseline minimums.
    • Show some flexibility. Be willing to give up some ground on one SLO in exchange for acceptance of SLOs that may be more important to your organization.
    • Re-group. Have a fallback position or Plan B. What if the provider can’t or won’t meet your key SLOs? Do you walk?
    • Do your homework. Understand what the typical standard SLOs are for the type of service level.

    2.4 SLO overachieving incentive discussion

    Monitoring & Reporting

    • SLO overachieving metrics are seen in some SLAs where there is a high priority for a service provider to meet and or exceed the SLOs within the SLA. These are not common terms but can be used to improve the overall service levels of a provider. In these scenarios the provider is sometimes rewarded for overachieving on the SLOs, either consistently or on a monthly or quarterly basis. In some cases, it can make financial sense to incent the service provider to overachieve on their commitments. Incentives can drive behaviors and improved performance by the provider that can intern improve the benefits to your organization and therefore justify an incent of some type.
    • Example: You could have an SLO for invoice accuracy. If not achieved, it could cost the vendor if they don’t meet the accuracy metric, however if they were to consistently overachieve the metric it could save accounts payable hours of time in validation and therefore you could pass on some of these measurable savings to the provider.
    • Overachieving incentives can add complexity to the SLA so they need to be easily measurable and simple to manage.
    • Overachieving incentives can also be used in provider performance improvement plans, where a provider might have poor trending attainment and you need to have them improve their performance in a short period of time. Incentives typically will motivate provider improvement and generally will cost much less than replacing the provider.
    • There is another school of thought that you shouldn’t have to pay a provider for doing their job; however, others are of the opinion that incentives or bonuses improve the overall performance of individuals or teams and are therefore worth consideration if both parties benefit from the over performance.

    Reduce Risk With Rock-Solid Service-Level Agreements

    Phase 3

    Understand SLA Elements

    Create Requirements

    Phase 3

    Manage Obligations

    Phase Steps

    • 3.1 SLA monitoring and tracking
    • 3.2 Reporting
    • 3.3 Vendor SLA reviews & optimizing
    • 3.4 Performance management

    3.1 SLA monitoring, tracking, and remedy reconciliation

    The next step to effective SLAs is the management component. It could be fruitless if you were to spend your time and efforts negotiating your required service levels and metrics and don’t have some level of managing the SLA. In that situation you would have no way of knowing if the service provider is attaining their SLOs.

    There are several key elements to effective SLA management:

    • SLO monitoring
    • Simple, concise reporting
    • SLO attainment tracking
    • Score carding & trending
    • Remedy reconciliation

    SLA Management framework

    SLA Monitoring → Concise Reporting → Attainment Tracking → Score Carding →Remedy Reconciliation

    “A shift we’re beginning to see is an increased use of data and process discovery tools to measure SLAs,” says Borowski of West Monroe. “While not pervasive yet, these tools represent an opportunity to identify the most meaningful metrics and objectively measure performance (e.g., cycle time, quality, compliance). When provided by the client, it also eliminates the dependency on provider tools as the source-of-truth for performance data.” – Stephanie Overby

    3.1 SLA management framework

    SLA Performance Management

    • SLA monitoring provides data for SLO reports or dashboards. Reports provide attainment data for tacking over time. Attainment data feeds scorecards and allows for trending analysis. Missed attainment data triggers remedies.
    • All service providers monitor their systems, platforms, tickets, agents, sensors etc. to be able to do their jobs. Therefore, monitoring is readily available from your service provider in some form.
    • One of the key purposes of monitoring is to generate data into internal reports or dashboards that capture the performance metrics of the various services. Therefore, service-level and metric reports are readily available for all of the service levels that a service provider is contracted or engaged to provide.
    • Monitoring and reporting are the key elements that validate how your service provider is meeting its SLA obligations and thus are very important elements of an SLA. SLO report data becomes attainment data once the metric or KPI has been captured.
    • As a component of effective SLA management, this attainment data needs to be tracked/recorded in an easy-to-read format or table over a period of time. Attainment data can then be used to generate scorecards and trending reports for your review both internally and with the provider as required.
    • If attainment data shows that the service provider is meeting their SLA obligations, then the SLA is meeting your requirements and expectations. If on the other hand, attainment data shows that obligations are not being met, then actions must be taken to hold the service provider accountable. The most common method is through remedies that are typically in the form of a credit through a defined process (see Sec. 1.3). Any credits due for missed SLOs should also be tracked and reported to stakeholders and accounting for validation, reconciliation, and collection.

    3.2 Reporting

    Monitoring & Reporting

    • Many SLAs are silent on monitoring and reporting elements and require that the customer, if aware or able, to monitor the providers service levels and attainment and create their own KPI and reports. Then if SLOs are not met there is an arduous process that the customer must go through to request their rightful credit. This manual and reactive method creates all kinds of risk and cost to the customer and they should make all attempts to ensure that the service provider proactively provides SLO/KPI attainment reports on a regular basis.
    • Automated monitoring and reporting is a common task for many IT departments. There is no reason that a service provider can’t send reports proactively in a format that can be easily interpreted by the customer. The ideal state would be to capture KPI report data into a customer’s internal service provider scorecard.
    • Automated or automatic credit posting is another key element that service providers tend to ignore, primarily in hopes that the customer won’t request or go through the trouble of the process. This needs to change. Some large cloud vendors already have automated processes that automatically post a credit to your account if they miss an SLO. This proactive credit process should be at the top of your negotiation checklist. Service providers are avoiding thousands of credit dollars every year based on the design of their credit process. As more customers push back and negotiate more efficient credit processes, vendors will soon start to change and may use it as a differentiator with their service.

    3.2.1 Performance tracking and trending

    What gets measured gets done

    SLO Attainment Tracking

    A primary goal of proactive and automated reporting and credit process is to capture the provider’s attainment data into a tracker or vendor scorecard. These tracking scorecards can easily create status reports and performance trending of service providers, to IT leadership as well as feed QBR agenda content.

    Remedy Reconciliation

    Regardless of how a credit is processed it should be tracked and reconciled with internal stakeholders and accounting to ensure credits are duly applied or received from the provider and in a timely manner. Tracking and reconciliation must also align with your payment terms, whether monthly or annually.

    “While the adage, ‘You can't manage what you don't measure,’ continues to be true, the downside for organizations using metrics is that the provider will change their behavior to maximize their scores on performance benchmarks.” – Rob Lemos

    3.2.1 Activity SLA Tracker and Trending Tool

    1-2 hours setup

    Input

    • SLO metrics/KPIs from the SLA
    • Credit values associated with SLO

    Output

    • Monthly SLO attainment data
    • Credit tracking
    • SLO trending graphs

    Materials

    • Service provider SLO reports
    • Service provider SLA
    • SLO Tracker & Trending Tool

    Participants

    • Contract or vendor managers
    • Application or service managers
    • Service provider

    An important activity in the SLA management framework is to track the provider’s SLO attainment on a monthly or quarterly basis. In addition, if an SLO is missed, an associated credit needs to be tracked and captured. This activity allows you to capture the SLOs from the SLA and track them continually and provide data for trending and review at vendor performance meetings and executive updates.

    Instructions: Enter SLOs from the SLA as applicable.

    Each month, from the provider’s reports or dashboards, enter the SLO metric attainment.

    When an SLO is met, the cell will turn green. If the SLO is missed, the cell will turn red and a corresponding cell in the Credit Tracker will turn green, meaning that a credit needs to be reconciled.

    Use the Trending tab to view trending graphs of key service levels and SLOs.

    Download the SLO Tracker and Trending Tool

    3.3 Vendor SLA reviews and optimizing

    Regular reviews should be done with providers

    Collecting attainment data with scorecards or tracking tools provides summary information on the performance of the service provider to their SLA obligations. This information should be used for regular reviews both internally and with the provider.

    Regular attainment reviews should be used for:

    • Performance trending upward or downward
    • Identifying opportunities to revise or improve SLOs
    • Optimizing SLO and processes
    • Creating a Performance Improvement Plan (PIP) for the service provider

    Some organizations choose to review SLA performance with providers at regular QBRs or at specific SLA review meetings

    This should be determined based on the criticality, risk, and strategic importance of the provider’s service. Providers that provide essential services like ERP, payroll, CRM, HRIS, IaaS etc. should be reviewed much more regularly to ensure that any decline in service is identified early and addressed properly in accordance with the service provider. Negative trending performance should also be documented for consideration at renewal time.

    3.4 Performance management

    Dealing with persistent poor performance and termination

    Service providers that consistently miss key service level metrics or KPIs present financial and security risk to the organization. Poor performance of a service provider reflects directly on the IT leadership and will affect many other business aspects of the organization including:

    • Ability to conduct day-to-day business activities
    • Meet internal obligations and expectations
    • Employee productivity and satisfaction
    • Maintain corporate policies or industry compliance
    • Meet security requirements

    Communication is key. Poor performance of a service provider needs to be dealt with in a timely manner in order to avoid more critical impact of the poor performance. Actions taken with the provider can also vary depending again on the criticality, risk, and strategic importance of the provider’s service.

    Performance reviews should provide the actions required with the goal of:

    • Making the performance problems into opportunities
    • Working with the provider to create a PIP with aggressive timelines and ramifications if not attained
    • Non-renewal or termination consideration, if feasible including provider replacement options, risk, costs, etc.
    • SLA renegotiation or revisions
    • Warning notifications to the service provider with concise issues and ramifications

    To avoid the issues and challenges of dealing with chronic poor performance, consider a Persistent or Chronic Failure clause into the SLA contract language. These clauses can define chronic failure, scenarios, ramifications there of, and defined options for the client including increased credit values, non-monetary remedies, and termination options without liability.

    Info-Tech Insight

    It’s difficult to prevent chronic poor performance but you can certainly track it and deal with it in a way that reduces risk and cost to your organization.

    SLA Hall of Shame

    Crazy service provider SLA content collection

    • Excessive list of unreasonable exclusions
    • Subcontractors’ behavior could be excluded
    • Downtime credit, equal to downtime percent x the MRC
    • Controllable FM events (internal labor issues, health events)
    • Difficult downtime or credit calculations that don’t make sense
    • Credits are not valid if agreement is terminated early or not renewed
    • Customer is not current on their account, SLA or credits do not count/apply
    • Total downtime = to prorated credit value (down 3 hrs = 3/720hrs = 0.4% credit)
    • SLOs don’t apply if customer fails to report the issue or request a trouble ticket
    • Downtime during off hours (overnight) do not count towards availability metrics
    • Different availability commitments based on different support-levels packages
    • Extending the agreement term by the length of downtime as a form of a remedy

    SLA Dos and Don’ts

    Dos

    • Do negotiate SLOs to vendor’s average performance
    • Do strive for automated reporting and credit processes
    • Do right-size and create your SLO criteria based on risk mitigation
    • Do review SLA attainment results with strategic service providers on a regular basis
    • Do ensure that all key elements and components of an SLA are present in the document or appendix

    Don'ts

    • Don’t accept the providers response that “we can’t change the SLOs for you because then we’d have to change them for everyone”
    • Don’t leave SLA preparation to the last minute. Give it priority as you negotiate with the provider
    • Don’t create complex SLAs with numerous service levels and SLOs that need to be reported and managed
    • Don’t aim for absolute perfection. Rather, prioritize which service levels are most important to you for the service

    Summary of Accomplishment

    Problem Solved

    Knowledge Gained

    • Understanding of the elements and components of an SLA
    • A list of SLO metrics aligned to service types that meet your organization’s criteria
    • SLA metric/KPI templates
    • SLA Management process for your provider’s service objectives
    • Reporting and tracking process for performance trending

    Deliverables Completed

    • SLA component and contract element checklist
    • Evaluation or service provider SLAs
    • SLA templates for strategic service types
    • SLA tracker for strategic service providers

    If you would like additional support, have our analysts guide you through other phases as part of an Info-Tech workshop.

    Contact your account representative for more information.

    workshops@infotech.com

    1-888-670-8889

    Related Info-Tech Research

    Improve IT-Business Alignment Through an Internal SLA

    • Understand business requirements, clarify current capabilities, and enable strategies to close service-level gaps.

    Data center Co-location SLA & Service Definition Template

    • In essence, the SLA defines the “product” that is being purchased, permitting the provider to rationalize resources to best meet the needs of varied clients, and permits the buyer to ensure that business requirements are being met.

    Ensure Cloud Security in IaaS, PaaS, and SaaS Environments

    • Keep your information security risks manageable when leveraging the benefits of cloud computing.

    Bibliography

    Henderson, George. “3 Most Common Types of Service Level Agreement (SLA).” Master of Project Academy. N.d. Web.

    “Guide to Security Operations Metrics.” Logsign. Oct 5, 2020. Web.

    Lemos, Rob. “4 lessons from SOC metrics: What your SpecOps team needs to know.” TechBeacon. N.d. Web.

    “Measuring and Making the Most of Service Desk Metrics.” Freshworks. N.d. Web.

    Overby, Stephanie. “15 SLA Mistakes IT Leaders Still Make.” CIO. Jan 21, 2021.

    Cost-Optimize Your Security Budget

    • Buy Link or Shortcode: {j2store}250|cart{/j2store}
    • member rating overall impact: 9.0/10 Overall Impact
    • member rating average dollars saved: $2,078 Average $ Saved
    • member rating average days saved: 2 Average Days Saved
    • Parent Category Name: Security Strategy & Budgeting
    • Parent Category Link: /security-strategy-and-budgeting
    • The security budget has been slashed and the team needs to do more with less.
    • Mitigating risk is still the top priority, only now we need to reassess effectiveness and efficiency to ensure we are getting the greatest level of protection for the least amount of money.

    Our Advice

    Critical Insight

    A cost-optimized security budget is one that has the greatest impact on risk for the least amount of money spent.

    Impact and Result

    • Focus on business needs and related risks. Review the risk-reduction efficacy of your people, processes, and technology and justify what can be cut and what must stay.
    • Info-Tech will guide you through this process, and by the end of this blueprint you will have a cost-optimized security budget and an executive presentation to explain your revised spending.

    Cost-Optimize Your Security Budget Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should cost-optimize your security budget, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Cost-optimize your technology and managed services

    This phase will help you assess the efficacy of your current technology and service providers.

    • Threat and Risk Assessment Tool
    • In-House vs. Outsourcing Decision-Making Tool

    2. Cost-optimize your staffing

    This phase will help you assess if layoffs are necessary.

    • Security Employee Layoff Selection Tool

    3. Cost-optimize your security strategy

    This phase will help you revise the pending process-based initiatives in your security strategy.

    • Security Cost Optimization Workbook
    • Security Cost Optimization Executive Presentation
    [infographic]

    Assess Your Cybersecurity Insurance Policy

    • Buy Link or Shortcode: {j2store}255|cart{/j2store}
    • member rating overall impact: 9.1/10 Overall Impact
    • member rating average dollars saved: $33,656 Average $ Saved
    • member rating average days saved: 7 Average Days Saved
    • Parent Category Name: Governance, Risk & Compliance
    • Parent Category Link: /governance-risk-compliance
    • Organizations must adapt their information security programs to accommodate insurance requirements.
    • Organizations need to reduce insurance costs.
    • Some organizations must find alternatives to cyber insurance.

    Our Advice

    Critical Insight

    • Shopping for insurance policies is not step one.
    • First and foremost, we must determine what the organization is at risk for and how much it would cost to recover.
    • The cyber insurance market is still evolving. As insurance requirements change, effectively managing cyber insurance requires that your organization proactively manages risk.

    Impact and Result

    Perform an insurance policy comparison with scores based on policy coverage and exclusions.

    Assess Your Cybersecurity Insurance Policy Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Assess Your Cybersecurity Insurance Policy Storyboard - A step-by-step document that walks you through how to acquire cyber insurance, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Use this blueprint to score your potential cyber insurance policies and develop skills to overcome common insurance pitfalls.

    • Assess Your Cybersecurity Insurance Policy Storyboard

    2. Acquire cyber insurance with confidence – Learn the essentials of the requirements gathering, policy procurement, and review processes.

    Use these tools to gather cyber insurance requirements, prepare for the underwriting process, and compare policies.

    • Threat and Risk Assessment Tool
    • DRP Business Impact Analysis Tool
    • Legacy DRP Business Impact Analysis Tool
    • DRP BIA Scoring Context Example
    • Cyber Insurance Policy Comparison Tool
    • Cyber Insurance Controls Checklist

    Infographic

    Build an IT Succession Plan

    • Buy Link or Shortcode: {j2store}476|cart{/j2store}
    • member rating overall impact: 9.0/10 Overall Impact
    • member rating average dollars saved: $338,474 Average $ Saved
    • member rating average days saved: 17 Average Days Saved
    • Parent Category Name: Lead
    • Parent Category Link: /lead
    • Pending retirements in key roles create workforce risks and potentially impact business continuity.
    • Fifty-six percent of organizations have not engaged in succession planning, so they haven’t identified at-risk key roles or successors for those roles.

    Our Advice

    Critical Insight

    • Just under 60% of organizations haven't tackled succession planning.
    • This means that three out of five organizations don’t know what skills they need for the future or what their key roles truly are. They also haven’t identified at-risk key roles or successors for those roles.
    • In addition, 74% of organizations have no formal process for facilitating knowledge transfer between individuals, so knowledge will be lost.

    Impact and Result

    • Info-Tech's Key Roles Succession Planning Tool will help you assess key role incumbent risk factors as well as identify potential successors and their readiness. Pay particular attention to those employees in key roles that are nearing retirement, and flag them as high risk.
    • Plan for the transfer of critical knowledge held by key role incumbents. Managers and HR leaders see significant tacit knowledge gaps in younger workers; prioritize tacit knowledge in your transfer plan and leverage multiple transfer methods.
    • Explore alternative work arrangements to ensure sufficient time to prepare successors. A key role incumbent must be available to complete knowledge transfer.
    • Define formal transition plans for all employees in at-risk key roles and their successors by leveraging your workforce and succession planning outputs, knowledge transfer strategy, and selected alternative work arrangements.

    Build an IT Succession Plan Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Build an IT Succession Plan Deck – A step-by-step document that walks you through how to future-proof your IT team.

    Protect your team and organization from losses associated with departure of people from key roles. This blueprint will help you build an IT succession plan to ensure critical knowledge doesn’t walk out the door and continuity of business when people in key roles leave.

    • Build an IT Succession Plan Storyboard

    2. Critical Role Identifier – A tool to help you determine which roles are most critical to the success of your team.

    The purpose of this tool is to help facilitate a conversation around critical roles.

    • Critical Role Identifier

    3. Key Role Succession Planning Template – A tool that walks you through reviewing your talent, succession planning, and determining successor readiness.

    This tool will help IT leaders work through key steps in succession development for each employee in the team, and present summaries of the findings for easy reference and defensibility.

    • Key Roles Succession Planning Tool

    4. Role Profile Template – A template that helps you outline the minimum requirements for each critical role addressed in succession planning.

    This template is a guide and the categories can be customized to your organization.

    • Role Profile Template

    5. Individual Talent Profile Template – A template to assess an employee against the role profiles of critical roles.

    This profile provides the basis for evidence-based comparison of talent in talent calibration sessions.

    • Individual Talent Profile Template

    6. Role Transition Plan Template – A template to help you plan to implement knowledge transfer and alternative work arrangements.

    As one person exits a role and a successor takes over, a clear checklist-based plan will help ensure a smooth transition.

    • Role Transition Plan Template
    [infographic]

    Further reading

    INFO~TECH RESEARCH GROUP

    Build an IT Succession Plan

    Future-proof your IT team.


    Build an IT Succession Plan

    Future-proof your IT team.

    EXECUTIVE BRIEF

    Executive Summary

    Your Challenge

    Most organizations are unprepared for the loss of employees who hold key roles.

    • The departure of employees in key roles results in the loss of valuable knowledge, core business relationships, and profits.
    • Pending retirements in key roles create workforce risks and potentially impact business continuity.

    Planning and executing on key role transition can take years. CIOs should prepare now to mitigate the risk of loss later.

    		Common Obstacles
    • The number of organizations which have not engaged in succession planning is 56%; they haven’t identified at-risk key roles, or successors for those roles.
    • Analyzing key roles at the incumbent and successor level introduces real-life, individual-focused factors that have a major impact on role-related risk.
    		Info-Tech’s Approach
    • Plan for the transfer of critical knowledge held by key role incumbents.
    • Explore alternative work arrangements to ensure sufficient time to prepare successors.
    • Define formal transition plans for all employees in at-risk key roles and their successors.

    Info-Tech Insight

    Losing employees in key roles without adequate preparation hinders productivity, knowledge retention, relationships, and opportunities. Implement scalable succession planning to mitigate the risks.

    Most organizations are unprepared for the loss of employees who hold key roles

    Due to the atmosphere of uncertainty.

    Not only do they not have the right processes in place, but they are also ill-equipped to deal with the sheer volume of retirees in the future.

    Over 58% of organizations are unprepared for Baby Boomer retirement. Only 8% said they were very prepared.

    Pie chart with percentages of organizations who are prepared for Baby Boomer retirement.
    (Source: McLean & Company, 2013; N=120)

    A survey done by SHRM and AARP found similar results: 41% of HR professionals said their organizations have done nothing and don’t plan to do anything to prepare for a possible worker shortage as Boomers retire.

    (Source: Poll: Organizations Can Do More to Prepare for Talent Shortage as Boomers Retire)     		This means that three out of five organizations don’t know what skills they need for the future, or what their key roles truly are. They also have not identified at-risk key roles or successors for those roles.
    (Source: McLean & Company, 2013, N=120)

    To make matters worse, 74% of organizations have no formal process for facilitating knowledge transfer between individuals, so knowledge will be lost.

    Pie chart with percentages of organizations with a formal process for facilitating knowledge transfer.
    (Source: McLean & Company, 2013; N=120)

    Most organizations underestimate the costs associated with ignoring succession planning

    “In many cases, executives have no idea what knowledge they are losing.” (TLNT: Lost Knowledge – What Are You and Your Organization Doing About It?”)
    Objections to succession planning now: The risks of this mindset…
    “The recession bought us time to plan for Baby Boomer retirement.” Forty-two percent of organizations believe this to be true and may feel a false sense of security. Assume it takes three years to identify an internal successor for a key role, develop them, and execute the transition. Add the idea that, like most organizations, you don’t have a repeatable process for doing this. Do you still have enough time?
    “The skills possessed by my organization’s Baby Boomers are easy to develop in others internally.” Forty percent of organizations agree with this statement, but given the low rate of workforce planning taking place, most may not actually know the skills and knowledge they need to meet future business goals. These organizations may realize their loss too late.
    “We don’t have the time to invest in succession planning.” Thirty-nine percent of organizations cite this as an obstacle, which is a very real concern. Adopting a simple, scalable process that focuses on the most mission critical key roles will be easier to digest, as well as eliminate time wasted trying to recoup losses in the long run. The costs of not planning are much higher than the costs of planning.
    “We don’t know when our boomers plan to retire, so we can’t really plan for it.” The fact that 42% of organizations do not know employees’ retirement plans is proof positive that they’re operating blind. You can’t plan for something if you don’t have any information about what to plan for or the time frame you’re working against.
    “My organization puts a premium on fresh ideas over experience.” While nearly 45% of organizations prioritize fresh ideas, 50% value experience more. Succession planning and knowledge transfer are important strategies for ensuring experience is retained long enough for it to be passed along in the organization.

    Use Info-Tech’s tools and templates

    Talent Review

    Succession Planning

    Knowledge Transfer
    Key tools and templates to help you complete your project deliverables
    Key Roles Succession Planning Tool
    Critical Role Identifier
    Role Profile Template
    Individual Talent Profile Template    		 Key Roles Succession Planning Tool
    Role Profile Template
    Individual Talent Profile Template    		 Role Transition Plan Template
    Key Roles Succession Planning Tool
    Role Profile Template
    Individual Talent Profile Template
    Your completed project deliverables

    Critical Role Identifier

    Key Roles Succession Plan

    Key Role Profiles

    Individual Talent Profiles

    Key Role Transition Plans

    Ignoring succession planning could cause significant costs

    Losing knowledge will undermine your strategy in four ways:

    Inefficiency

    Inefficiency due to “reinvention of the wheel.” When workers leave and don’t effectively transfer their knowledge, duplication of effort to solve problems and find solutions occurs.

    		 Innovation

    Reduced capacity to innovate. Older workers know what works and what doesn’t, what’s new and what’s not. They can identify the status quo faster to make way for novel thinking.

    		 Competitive Advantage

    Loss of competitive advantage. Losing knowledge and/or established client relationships hurts your asset base and stifles growth.

    		Vulnerability

    Increased vulnerability. Losing knowledge can impede your organizational ability to identify, understand, and mitigate risks. You’ll have to learn through experience all over again.

    Succession planning improves performance by reducing the impact of sudden departures

    Business Continuity

    Succession planning limits disruption to daily operations and minimizes recruitment costs:

    • The average time to fill a vacant role externally in the US is approximately 43 days (Workable). Succession planning can reduce this via a talent pool of ready-now successors.
    		 Engagement & Retention

    Effective succession planning is a tool for engaging, developing, and retaining employees:

    • Of departing employees, 45% cite lack of opportunities for career advancement as the moderate, major, or primary reason they left (McLean & Company Exit Survey, 2018, N=7,530).
    		 Innovation & Growth

    Knowledge is a strategic asset, and succession planning can help retain, grow, and capitalize on it:

    • Retaining the experience and expertise of individuals departing from critical roles supports and enhances the quality of innovation (Harvard Business Review, 2008).

    Info-Tech’s approach

    Talent Review

    Conduct a talent review to identify key roles

    Short bracket.    		 Succession Planning

    Succession planning helps you assess which key roles are most at risk

    Long bracket.    		 Knowledge Transfer

    Utilize methods that make it easy to apply the knowledge in day-to-day practice.

    Long bracket.
    Identify Critical Roles Assess Talent Identify Successors Develop Successors Select Successors Identify Critical Knowledge Select Transfer Methods Document Role Transition Plans

    Future-Proofed IT Team
    • Business continuity
    • The right people, in the right positions, at the right time
    • Retention due to employee development & growth
    • IT success
    • Decreased impact of sudden departures
    • Improved performance

    Info-Tech’s methodology for building an IT succession plan

    1. Talent Review 2. Succession Planning 3. Knowledge Transfer
    Phase Steps
    1. Identify critical roles
    2. Assess talent
    1. Identify successor pool
    2. Develop successors
    3. Select successors
    1. Identify critical knowledge
    2. Select knowledge transfer methods
    3. Document role transition plans
    Phase Outcomes
    • Documented business priorities
    • Identified critical roles including required skills and knowledge that support achievement of business strategy
    • Key at-risk roles identified.
    • Potential successors for key roles identified.
    • Gap assessment between key role incumbents and potential successors.
    • Critical knowledge risks identified.
    • Appropriate knowledge transfer methods selected.
    • Documented knowledge transfer initiatives for key role transition plans.

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    Guided Implementation

    Workshop

    Consulting
    "Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful." "Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track." "We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place." "Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project."

    Diagnostics and consistent frameworks used throughout all four options

    Guided Implementation

    A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

    A typical GI is six to ten calls over the course of four to eight months.

    What does a typical GI on this topic look like?

    Phase 1

    Phase 2

    Phase 3
    Call #1: Scope requirements, objectives, and your specific challenges. Call #2:Review business priorities and clarify criteria weighting.

    Call #3: Review key role criteria. Explain information collection process.

    		 Call #4: Review risk and readiness assessments.

    Call #5: Analyze gaps between key roles and successors for key considerations.

    		 Call #6: Feedback and recommendations on critical knowledge risks.

    Call #7: Review selected transfer methods.

    		 Call #8: Analyze role transition plans for flags.

    Build an IT Succession Plan

    Phase 1

    Talent Review

    Phase 1

    1.1 Identify Critical Roles

    1.2 Assess Talent

    		 Phase 2

    2.1 Identify Successors

    2.2 Develop Successors

    2.3 Select Successors

    		 Phase 3

    3.1 Identify Critical Knowledge

    3.2 Select Transfer Methods

    3.3 Document Role Transition Plan

    This phase will walk you through:

    • Identifying your business priorities
    • Identifying your critical roles including required skills and knowledge that support achievement of business strategy

    Tools and resources used:

    • Key Roles Succession Planning Tool
    • Key Role Profile
    • Individual Talent Profile
    • Critical Role Identifier

    This phase involves the following participants:

    • IT leadership/management team
    • HR

    Conduct a talent review to identify key roles

    Sixty percent of organizations have not engaged in formal workforce planning, so they don’t know what skills they need or what their key roles truly are. (Source: McLean & Company, 2013; N=139)
    1. A talent review ensures that each work unit has the right people, in the right place, at the right time to successfully execute the business strategy.
    2. Only 40% of organizations have engaged in some form of workforce planning.
    3. The first step is to identify your business focus; with this information you can start to note the key roles that drive your business strategy.

    Key roles

    Where an organization’s most valued skills and knowledge reside

    Organizations should prepare now to mitigate the risk of loss later.

    Key roles are:

    • Held by the most senior people in the organization, who carry the bulk of leadership and decision-making responsibility.
    • Highly technical or specialized, and therefore difficult to replace.
    • Tied closely to unique or proprietary processes or possess knowledge that cannot be procured externally.
    • Critical to the continuation of business and cannot be left vacant without risking business operations.

    Info-Tech Insight

    Losing employees in key roles without adequate preparation for their departure has a direct impact on the bottom line in terms of disrupted productivity, lost knowledge, severed relationships, and missed opportunities.

    		A tree of key roles, starting with CEO and branching down.

    Identifying key roles is the first step in a range of workforce management activities because it helps establish organizational needs and priorities, as well as focusing planning effort.

    A talent review allows you to identify the knowledge and skills you need today and for the long term.

    Knowing what you need is the first step in determining what you have and what you need to keep.

    • A talent review is an analytic planning process used to ensure a work unit has the right people, in the right place, at the right time, and for the right cost in order to successfully execute its business strategy. It allows organizations to:
    • Evaluate workforce demographics, review skills, and conduct position inventories.
    • Evaluate business continuity risk from a talent perspective by identifying potential workforce shortages.
    • Identify critical positions, critical skills for each position, and percentage of critical workers retiring to assess the potential impact of losing them.
    • Look at the effect of loss on new product development, revenues, costs, and business strategic objectives.

    Caution

    A talent review is a high-level planning process which does not take individual employees into consideration. Succession planning looks at individuals and will be discussed in Phase 2.

    A talent review gets you to think in terms of:

    • Where your organization wants to be in five years.
    • What skills the organization needs to meet business goals between now and then.
    • How it can be best positioned for the longer-term future.

    Note: Planning against a time frame longer than five years is difficult because uncertainty in the external business environment will have unforeseen effects. Revisit your plan annually and update it, considering changes.

    Step 1.1

    Identify critical roles

    Activities
    • 1.1.1 Document Business Priorities, Goals, and Challenges
    • 1.1.2 Clarify Key Role Criteria and Weighting
    • 1.1.3 Evaluate Role Importance
    • 1.1.4 Key Role Selection and Comparison
    • 1.1.5 Capture Key Elements of Critical Roles

    The primary goal of this step is to ensure we have effectively identified key roles based on business priorities, goals, and challenges, and to capture the key elements of critical roles.

    Outcomes of this step

    • Documented business priorities, goals, and challenges.
    • Key elements of critical roles captured.
    • Key role criteria and weighting.
    Talent Review
    Step 1.1 Step 1.2

    Business priorities will determine the knowledge and skills you value most

    Venn diagram of business priorities: 'Customer Focus', 'Operational Focus', and 'Product Focus'.
    Note: Most organizations will be a blend of all three, with one predominating    		 “I’ve been in the position where the business assumes everyone knows what is required. It’s not until you get people into a room that it becomes clear there is misalignment. It all seems very intuitive but in a lot of cases they haven’t made the critical distinctions regarding what exactly the competencies are. They haven’t spent the time figuring out what they know.” (Anne Roberts, Principal, Leadership Within Inc.)

    1.1.1 Document business priorities

    Input: Business strategic plan

    Output: Completed workforce planning worksheet (Tab 2) of the Key Roles Succession Planning Tool

    Materials: Key Roles Succession Planning Tool

    Participants: IT leadership

    Start by identifying your business priorities based on your strategic plan. The goal of this exercise is to blast away assumptions and make sure leadership has a common understanding of your target.

    With the questions on the previous slide in mind document your business priorities, business goals, and business challenges in Tab 2 of the Key Roles Succession Planning Tool worksheet.

    Get clear answers to these questions:

    • Are we customer focused, product focused, or operationally focused? In other words, is your organization known for:
      • Great customer service or a great customer experience?
      • The lowest price?
      • Having the latest technology, or the best quality product?
    • What are our organizational/departmental business goals? To improve operational effectiveness, are we really talking about reducing operational costs?
    • What are the key business challenges to address within the context of our focus?

    Key Roles Succession Planning Tool

    Clarify what defines a key role

    A key role is crucial to achieving organizational objectives, drives business performance, and includes specialized and rare competencies. Key roles are high in strategic value and rarity – for example, the developer role for a tech company.
    Chart with axes 'Rarity' and 'Strategic Value'. Lowest in both are 'Supporting Roles', Highest in both are 'Critical Roles', and the space in the middle are 'Core Roles'. Look at two dimensions when examining roles:
    • Strategic value refers to the importance of the role in keeping the organization functioning and executing on the strategic objectives.
    • Rarity refers to how difficult it is to find and develop the competencies in the role.

    Info-tech insight

    Traditionally, succession planning has only addressed top management roles. However, until you look at the evidence, you won’t know if these are indeed high-value roles, and you may be missing other critical roles further down the hierarchy.

    Use the Critical Role Identifier to facilitate the identification of critical roles with your leaders.

    1.1.2 Clarify key role criteria & weighting

    Input: Business strategic plan

    Output: Weighted criteria to help identify critical roles

    Materials: Critical Role Identifier

    Participants: IT leadership

    1. Using Tab 2 of the Critical Role Identifier tool, along with the information on the previous slide, determine the relative importance of four criteria as contributing to the importance of a role within the organization.
    2. Rate each of the four criteria: strategic value, rarity, revenue generation, business/operation continuity, and any custom criteria numerically. You might choose only one or two criteria – they all do not need to be included.
    3. Document your decisions in Tab 2 of the Critical Role Identifier.

    Critical Role Identifier

    1.1.3 Evaluate role importance

    Input: List of IT roles

    Output: Full list of roles and a populated Critical Role Selection sheet (Tab 4)

    Materials: Critical Role Identifier

    Participants: IT leadership

    1. Using Tab 3 of the Critical Role Identifier, collect information about IT roles.
    2. Start by listing each role under consideration, and its department or subcategory.
    3. For each criteria statement listed across the top of the sheet, select an option from the drop-down menu to reflect the appropriate answer scale rating. Replace the text in grey with information customized to your team. If criteria has a weighting of zero in Tab 2, the questions associated with that criteria will be greyed out and do not have to be answered.

    Critical Role Identifier

    Identify the key roles that support and drive your business priorities

    Focus on key IT roles instead of all roles to save time and concentrate effort on your highest risk areas.

    Key Roles include:

    • Strategic Roles: Roles that give the greatest competitive advantage. Often these are roles that involve decision-making responsibility.
    • Core Roles: Roles that must provide consistent results to achieve business goals.
    • Proprietary Roles: Roles that are tied closely to unique or proprietary internal processes or knowledge that cannot be procured externally. These are often highly technical or specialized.
    • Required Roles: Roles that support the department and are required to keep it moving forward day-to-day.
    • Influential Roles: Positions filled by employees who are the backbone of the organization, the go-to people who are the corporate culture.
    		 Ask these questions to identify key roles:
    1. What are the roles that have a significant impact on delivering the business strategy?
    2. What are the key differentiating roles for our organization?
    3. Which roles, if vacant, would leave the organization open to non-compliance with regulatory or legal requirements?
    4. Which roles have a direct impact on the customer?
    5. Which roles, if vacant, would create system, function, or process failure for the organization?

    1.1.4 Key role selection and comparison

    Input: Tab 3 of the Critical Role Identifier

    Output: List of roles from highest to lowest criticality score, List of key roles entered in Tab 2 of the Key Roles Succession Planning Tool

    Materials: Critical Role Identifier, Key Roles Succession Planning Tool

    Participants: IT leadership

    1. Using tab 4 of the Critical Role Identifier, which displays the results of the role importance evaluation, review the weighted criticality score. To add or remove roles or departments make changes on Tab 3.
    2. Use this table to see the scores and roles from highest to lowest based on your weightings and scoring.
    3. In column J, classify the roles as critical, core, or supporting based on the weighted overall score and the individual criteria scores.
      1. Critical – is crucial to achieving organizational objectives, drives business performance, and includes specialized and rare skills.
      2. Core – is related to operational excellence. Highly strategically valuable but easy to find or develop.
      3. Supporting – is important in keeping business functioning; however, the strategic value is low. Competencies are easy to develop.
    4. Once you’ve selected the key roles, transfer them into Tab 2 of the Key Roles Succession Planning Tool worksheet where you have documented your business priorities.

    Critical Role Identifier

    Key Roles Succession Planning Tool

    1.1.5 Capture key elements of critical roles

    Input: Job descriptions, Success profiles, Competency profiles

    Output: List of required skills and knowledge for key roles, Role profiles documented for key roles

    Materials: Key Roles Succession Planning Tool, Role Profile Template

    Participants: IT leadership

    1. Document the minimum requirements for critical roles in column E and F of Tab 2 of the Key Roles Succession Planning Tool. Include elements that drive talent decisions, are measurable, and are oriented to future organizational needs.
    2. Consider how leadership competencies and technical skills tie to business expansion plans, new service offerings, etc.
    3. Use the Role Profile Template to help in this process and to maintain up-to-date information.
    4. Role profiles may be informed by existing job descriptions, success profiles, or competency profiles.
    5. Conduct regular maintenance on your role profiles. Outdated and inaccurate role-related information can make succession planning efforts ineffective.

    Key Roles Succession Planning Tool

    Role Profile Template

    Case Study

    Conduct a “sanity check” by walking through a checklist of all roles to ensure you haven’t missed anything.
    INDUSTRY
    Large Provincial Hospital
    SOURCE
    Payroll Manager
    Challenge
    • Key roles may not be what you think they are.
    • The Payroll Manager of a large Provincial hospital, with 20-year tenure, announced her retirement.
    • Throughout her tenure, this employee took on many tasks outside the scope of her role, including pension calculations/filings and other finance-related tasks that required a high level of specialized knowledge of internal systems.
    		 Solution
    • Little time or effort was placed on fully understanding what she did day-to-day.
    • Furthermore, the search for a replacement was left far too late, which meant that she vacated the role without training a replacement.
    • Low level roles can become critical to business continuation if they’re occupied by only one person, creating a “single point of failure” if they become vacant.
    		 Results
    • It wasn’t until after she left that it became obvious how much extra work she was doing, which made it nearly impossible to find a replacement.
    • Her manager found a replacement to take the payroll duties but had to distribute the other duties to colleagues (who were very unhappy about the extra tasks).
    • This role may not seem like a “key role,” but the incumbent turned it into one. Keep tabs on what people are working on to avoid overly nuanced role requirements.

    Step 1.2

    Assess talent

    Activities
    • 1.2.1 Identify Current Incumbents’ Information
    • 1.2.2 Identify Potential Successors and Collect Information

    The primary goal of this step is to assess departmental talent and identify gaps between potential successors and key roles. This analysis is intended to support departmental access to suitable talent ensuring future business success.

    Outcomes of this step

    • Collection of current incumbents’ information.
    • Collection of potential successor information.
    • Gap assessment.

    Talent Review

    Step 1.1 Step 1.2

    Find out key role incumbents’ career plans

    Have career discussions with key role incumbents

    • Do not ask employees directly about their retirement plans as this can be misconstrued as age discrimination – let them take the initiative.
    • To take the spotlight away from older workers and potential feelings of discrimination, supervisors should be having these discussions with their employees at least annually.
    • Having this discussion creates an opportunity for employees to share their retirement plans, if they have any.
    • Warning: This is not the time to make promises about the future. For example, alternative work arrangements cannot be guaranteed without further analysis and planning.
    		 Do the following:
    1. Book a meeting with employees and ask them to prepare for a career development discussion.
    2. Ask direct questions about motivation, lifestyle preferences, and passions.
    3. Spend the time to understand your employees’ goals and their development needs.
    If an employee discloses that they plan to leave within the next few years:
    1. Gather information about approximate exit dates (non-binding).
    2. Find out their opinions about how they would like to transition out of their role, including any alternative work arrangements they would like to pursue.

    Potential questions to ask during career discussions with key role incumbents

    • Where do you see yourself in five years?
    • What role would you see yourself in after this one?
    • What gets you excited about coming to work?
    • Describe your greatest strengths. How would you like to use those strengths in the future?
    • What is standing in the way of your career goals?
    ** Do not ask employees directly about their retirement plans as this can be misconstrued as age discrimination – let them take the initiative.**    		 Stock photo of a smiling employee with grey hair.

    1.2.1 Identify current incumbents' information

    Input: Key roles list, Employee information

    Output: List of key roles with individual incumbent information

    Materials: Key Roles Succession Planning Tool – Succession Plan Worksheet (Tab 3)

    Participants: IT leadership/management team, HR, Current incumbents if necessary

    Identify current incumbents for all key roles and collect information about them.

    Using Tab 3 of the Key Roles Succession Planning Tool identify the incumbent (the person currently in the role) for all key roles.

    Distribute the worksheet to department managers and team leaders to complete the information below for each key role.

    For that incumbent, also document:

    1. Their time in that role.
    2. Their overall performance in current role (does not meet, meets, or exceeds expectations).
    3. Next step in career (target role or retirement).
    4. Time until exit from the current role (known or estimated).
    5. Development needs for next step in career.
    6. Any additional knowledge and skills they possess beyond the role description that is of value to the organization.

    Upon completion, managers and team leaders should review the results with the department leader.

    Key Roles Succession Planning Tool

    Identify potential successors for all key roles

    It’s imperative that multiple sources of information are used to ensure no potential successor is missed and to gain a complete candidate picture.

    Work collaboratively with the management team and HR business partners for names of potential successors.

    The management team includes:

    • The incumbent’s direct supervisor.
    • Managers from the department in which the key role exists.
    • Leaders of teams with which potential successors have worked.
    • The key role incumbent (assuming it’s appropriate to do so).

    Use management roundtable discussions to identify and analyze each potential successor.

    • Participants should come equipped with names of potential successors and be prepared to provide a rationale for their recommendation.
    • Provide all participants with the key role job description in advance of the meeting, including responsibilities and required knowledge and skills.

    Don’t confuse successors with high potentials!

    • Identifying high potential employees involves recognizing those employees who consistently outperform their peers, progress more quickly than their peers, and live the company culture. They are usually striving for leadership roles.
    • While you also want your successors to exemplify these qualities of excellence, succession planning is specifically about identifying the employees who currently possess (or soon will possess) the skills and knowledge required to take over a key role.
    • Remember: Key roles are not limited to leadership roles, so cast a wider net when identifying succession candidates.
    See the following slide for sources of information participants should consult to back up their recommendations and vet succession candidates.

    Determine how employees will be identified for talent assessment

    Description Advice
    Management-nominated employees
    • Managers or skip-level leaders nominate potential successors within or outside their team.
    • Limit bias by requiring management nominations to be based on specific evidence of performance and potential.
    High-potential employees (HiPos)
    • Consider employees who are in an existing high-potential program.
    • Determine whether the HiPo program sufficiently assesses for critical role requirements. Successors must possess the skills and knowledge required for specific critical roles. Expand assessment beyond just HiPo.
    Self-nominated employees
    • Employees are informed about succession planning and asked to indicate their interest in critical roles.
    • Train managers to support the program and to handle difficult conversations (e.g. employee submitted self-nomination and was unsuccessful).
    All employees
    • All employees across a division, geography, function, or leadership level are invited for assessment.
    • While less common, this approach is appropriate for highly inclusive cultures. Be prepared to invest significantly more time and resources.
    When identifying employees, keep the following advice in mind:

    Widen the net

    Don’t limit yourself to the next level down or the same functional group.

    Match transparency

    With less transparency, there are fewer options, and you risk missing out on potential successors.

    Select the appropriate talent assessment methods

    Identify all talent assessment types used in your organization and examine their ability to inform decision-making for critical role assignments. Select multiple sources to ensure a robust talent assessment approach:

    A sound talent assessment methodology will involve both quantitative and qualitative components. Multiple data inputs and perspectives will help ensure relevant information is prioritized and suitable candidates aren’t overlooked.

    However, beware that too many inputs may slow down the process and frustrate managers.

    Beware of biases in talent assessments. A common tendency is for people to recommend successors who are exactly like them or who they like personally, not necessarily the best person for the job. HR must (diplomatically) challenge leaders to use evidence-based assessments.

    Good Successor Information Sources

    • 360-Degree Feedback – (breadth and accuracy)
    • HR-led Interviews – (objectivity and confirmation)
    • Talent Review Meetings – (leadership input)
    • Stretch Assignments – (challenge comfort zones)
    • Competency-Based Aptitude Tests – (objective data)
    • Job Simulations – (real-life testing)
    • Recent Performance Evaluations – (predictor of future performance)

    Prepare to customize the Individual Talent Profile Template

    Ensure the role profile and individual talent profile are synchronized to enable comparing employee qualifications and readiness to critical role requirements. Sample of the Role Profile.

    Role Profile

    A role profile contains information on the skills, competencies, and other minimum requirements for the critical role. It details the type of incumbent that would fit a critical role.    		 Stock image of a chain link.

    Use both in conjunction during:

    • Talent assessment
    • Successor identification
    • Successor development
    • Successor selection
    		 Sample the Individual Talent Profile.

    Individual Talent Profile

    A talent profile provides information about a person. In addition to responding to role profile criteria, it provides information on an employee’s past experiences and performance, career aspirations, and future potential.

    1.2.2 Identify Potential Successors’ Information

    Input: Key roles list, Employee information, Completed role profiles and/or Tab 2 role information.

    Output: List of potential successors for key roles that are selected for talent assessment

    Materials: Key Roles Succession Planning Tool – Succession Plan Worksheet (Tab 3)

    Participants: IT leadership, IT team leads, Employees

    Identify potential successors for key roles and collect critical information.

    Have managers and team leads complete column I on Tab 3 of the Key Roles Succession Planning Tool and review with the department leader.

    There may be more than one potential successor for key roles; this is okay.

    Once the list is compiled, complete an individual talent profile for each potential successor. Record an employee’s:

    1. Employee information
    2. Career goals
    3. Experience and education
    4. Achievements
    5. Competencies
    6. Performance
    7. Any assessment results

    Once the profiles are completed, they can be compared to the role profile to identify development needs.

    Key Roles Succession Planning Tool

    Individual Talent Profile Template

    Build an IT Succession Plan

    Phase 2

    Succession Planning

    Phase 1

    1.1 Identify Critical Roles

    1.2 Assess Talent

    		Phase 2

    2.1 Identify Successors

    2.2 Develop Successors

    2.3 Select Successors

    		Phase 3

    3.1 Identify Critical Knowledge

    3.2 Select Transfer Methods

    3.3 Document Role Transition Plan

    This phase will walk you through how to:

    • Conduct an assessment to identify “at risk” key role incumbents.
    • Identify potential successors for key roles and collect critical information.
    • Assess gaps between key role incumbents and potential successors.

    Tools and resources used:

    • Key Roles Succession Planning Tool
    • Key Role Profile
    • Individual Talent Profile

    This phase involves the following participants:

    • IT leadership/management team
    • HR

    Succession planning helps you assess which key roles are most at risk

    Drilling down to the incumbent and successor level introduces “real life,” individual-focused factors that have a major impact on role-related risk.

    Succession planning is an organizational process for identifying and developing talent internally to fill key business roles. It allows organizations to:

    • Understand the career plans of employees to allow organizations to plan more accurately.
    • Identify suitable successors for key roles and assess their readiness.
    • Mitigate risks to long-term business continuity and growth.
    • Avoid external replacement costs including headhunting and recruitment, HR administration, and productivity loss.
    • Retain internal tacit knowledge.
    • Increase engagement and retention; keeping talented people reinforces career path opportunities and builds team culture.

    Caution:

    Where the talent review was about high-level strategic planning for talent requirements, succession planning looks at individual employees and plans for which employees will fulfill which key roles next.    		 “I ask the questions, What are the risks we have with these particular roles? Is there a way to disperse this knowledge to other members of the group? If yes, then how do we do that?” (Director of HR, Service Industry)

    Succession planning ultimately must drill down to individual people – namely, the incumbent and potential successors.

    This is because individual human beings possess a unique knowledge and skill set, along with their own personal aspirations and life circumstances.

    The risks associated with a key role are theoretical. When people are introduced into the equation, the “real life” risk of loss for that key role can change dramatically.

    Succession Planning

    Funnel titled 'Succession Planning' with 'Critical Roles' at the top of the funnel, 'Critical Knowledge and Skills' as the middle of the funnel, 'Individuals' as the bottom of the funnel, and it drains into 'Incumbent's Potential Successors'.

    Step 2.1

    Identify Successors

    Activities
    • 2.1.1 Conduct Individual Risk Assessment
    • 2.1.2 Successor Readiness Assessment

    This step highlights the relative positioning of all employees assessed for departure risk compared to the potential successors’ readiness, identifying gaps that create risk for the organization, and need mitigation strategies.

    Outcomes of this step

    • Individual risk assessment results – mitigate, manage, accept matrix.
    • Potential successor readiness ranking.
    • Determination on transparency level with successors.

    Succession Planning

    Step 2.1 Step 2.2 Step 2.3

    Decide how to obtain information on employee interest in critical roles

    Not all employees may want to be considered as part of the succession planning program. It might not fit their short- or long-term plans. Avoid misalignment and outline steps to ascertain employee interest.

    Transparency

    • Use your target transparency level to:
      • Determine the degree of employees’ participation in self-assessment.
      • Guide organization-wide and targeted messaging about succession planning (see Step 3).

    Timing

    • Ensure program-level communication has occurred before asking employees about their interests in critical roles, in order to garner more trust and engagement.
    • Decide at what point along the succession planning process (if at all) that employee’s career interests will be collected and incorporated.

    Manager accountability and resources

    • Identify resources needed for managers to conduct targeted career conversations with employees (e.g. training, communication guides, key messaging).
    • If program communication is to be implemented organization-wide, approach accordingly.

    Obtaining employee interest ensures process efficiency because:

    • Time isn’t wasted focusing on candidates who aren’t interested.
    • The assessment group is narrowed down through self-selection.

    Level-set expectations with employees:

    • Communicate that they will be considered for assessment and talent review discussions.
    • Ensure they understand that everyone assessed will not necessarily be identified or selected as a successor.

    Conduct a risk assessment

    Identify key role incumbents who may leave before you’re ready.

    Pay particular attention to those employees nearing retirement and flag them as high risk.

    Understand the impact that employee age has on key role risk. Keep the following in mind when filling out the Individual Risk Assessment of the Key Roles Succession Planning Tool. See the next slide for more details on this.
    High Risk Arrow pointing both ways vertically. Anyone 60 years of age or older, or anyone who has indicated they will be retiring within five years.
    Moderate Risk Employees in their early 50s are still many years away from retirement but have enough years remaining in their career to make a significant move to a new role outside of your organization. Furthermore, they have specialized skills making them more attractive to external organizations.
    Employees in their late 50s are likely more than five years away from retirement but are also less likely than younger employees to leave your organization for another role elsewhere. This is because of increasing personal risk in making such a move, and persistent employer unwillingness to hire older employees.
    Low Risk Technically, when it comes to succession planning for key roles held by employees over the age of 50, no one should be considered “low risk for departure.
    		Pull some hard demographic data.

    Compile a report that breaks down employees into age-based demographic groups.

    Flag those over the age of 50 – they’re in the “retirement zone” and could decide to leave at any time.

    Check to see which key role incumbents fall into the “over 50” age demographic. You’ll want to shortlist these people for an individual risk assessment.

    Update this report twice a year to keep it current.

    For those people on your shortlist, gather the information that supervisors gained from the career discussions that took place. Specifically, draw out information that indicates their retirement plans.

    2.1.1 Conduct Individual Risk Assessment

    Input: Completed Succession Plan worksheet

    Output: Risk assessment of key role incumbents, understanding of which key role departures to manage, mitigate, and accept

    Materials: Key Roles Succession Planning Tool – Individual Risk Assessment (Tab 4), Key Roles Succession Planning Tool – Risk Assessment Results (Tab 5)

    Participants: IT leadership/management team

    Assign values for probability of departure and impact of departure using the Key Roles Succession Planning Tool.

    For those in key roles and those over 50, complete the Individual Risk Assessment (Tab 4) of the Key Roles Succession Planning Tool:

    1. Assess each key role incumbent’s probability of departure based on your knowledge. If the person is going to another job, is a known flight risk, or faces dismissal, the probability is high.
      • 0-40: Unlikely to Leave. If the employee is new to the role, highly engaged, or a high potential.
      • 41-60: Unknown. If the employee is sending mixed messages about happiness at work, or sending no messages, it may be difficult to guess.
      • 61-100: Likely to Leave. If the employee is nearing retirement, actively job searching, disengaged, or faces dismissal, then the probability of departure is high.
    2. Assess the role and the individual’s impact of departure on a scale of 1 (no impact) to 100 (devasting impact).
    3. Review the risk assessment results on tab 5 of the planning tool. The employees that appear in the mitigate quadrant are your succession planning priorities.

    Key Roles Succession Planning Tool

    Define readiness criteria for successor identification

    1. Select the types of readiness and the number of levels:

      Readiness by time horizon:

      • Successors are identified as ready based on how long it is estimated they will take to acquire the minimum requirements of the critical role.
      • Levels example: Ready Now, Ready in 1-2 Years, Ready in 3-5 Years.

      Readiness by moves:

      • Successors are identified as ready based on how many position moves they have made or how many developmental experiences they have had.
      • Levels example: Ready Now, Ready after 1 Move, Ready after 2 Moves.
    2. Create definitions for each readiness level:
      Example:

      Performance

      Potential
      Ready Now Definition: Ability to deliver in current role Requirement: Meets or exceeds expectations Definition: Ability to take on greater responsibility Requirement: Demonstrates learning agility
      The 9-box is an effective way to map performance and potential requirements and can guide management decision making in talent review and calibration sessions. See McLean & Company’s 9-Box Job Aid for more information. Sample of the 9-Box Job Aid, a 9-field matrix with axes 'Potential: Low to High' and 'Performance: Low to High'.
      “Time means nothing. If you say someone will be ready in a year, and you’ve done nothing in that year to develop them, they won’t be ready. We look at it as moves or experiences: ready now, ready in one move, ready in two moves.” (Amanda Mathieson, Senior Manager, Talent Management, Tangerine)

    2.1.2 Successor Readiness Assessment

    Input: Individual talent profiles, List of potential successors (Tab 3)

    Output: Readiness ranking for each potential successor

    Materials: Key Roles Succession Planning Tool

    Participants: IT leadership/management team

    Assign values for probability of departure and impact of departure using the Key Roles Succession Planning Tool.

    Using Tab 6 of the Key Roles Succession Planning Tool, evaluate the readiness of each potential successor that you previously identified.

    1. Enter the name, current role, and target role of each potential successor into the spreadsheet.
    2. For each employee, fill in a response from “strongly agree” to “strongly disagree” for the assessment criteria statements listed in column B of Tab 6. This will give you a readiness ranking in row 68.

    Key Roles Succession Planning Tool

    Decide if and how successors will be told about their status in the succession plan

    1. Decide if employees will be told. Be as transparent as possible. This will provide several benefits to your organization (e.g. higher engagement, retention) while managing potential risks (e.g. perception that the process is unfair, reducing motivation to perform).
    2. Decide who will tell them. Decide based on the culture of your organization; are official communications usually conveyed through the direct manager, HR, senior leaders, or steering committee?
    1. Determine how you will tell them.

      Suggested messaging to non-successors:

      • Not being identified as a successor does not mean that an employee is not valued by the organization, nor does it indicate the employee will be let go. It simply means that the organization needs a backup plan to manage risk.
      • Employees can still develop toward a critical role they are interested in, and the organization will continue to evaluate whether they can be a potential successor.
      • It is the employee’s responsibility to own their development and communicate to their manager any interest they have in critical roles.

      Suggested messaging to successors:

      • Being identified as a successor is an investment in employee development – not a guaranteed promotion.
      • Successor status may change based on changes to the critical role itself, or if performance is not on par with expectations.
      • The organization strives to be as fair and objective as possible through evidence-based assessments of performance and potential.

    Case Study

    Failing to have a career aspiration discussion with a potential successor leaves a sales director in a bind.

    INDUSTRY
    Professional Services
    SOURCE
    Confidential
    Challenge
    • A senior sales director in a medium-sized private company knew there would be a key management opportunity opening up in six months. He had one candidate in mind: a key contributor from the sales floor.
    • The sales manager assumed that the sales representative would want the management position and began planning the candidate’s required training in order to get him ready.
    		 Solution
    • Three months before the position opened up, the manager finally approached the representative about the opportunity, telling the representative that he was an excellent candidate for the role.
    • However, the sales representative was not interested in managing people. He wanted to come in, do a really great day’s worth of work, and then go home and be done. He already loved what he did.
    		Results
    • The sales representative turned down the offer point blank, leaving the manager with less than three months to find and groom a new internal successor.
    • The manager failed on several fronts. First, he did not ask the employee about his career aspirations. Second, he did not groom a pool of potential successors for the role, affording no protection in the event that the primary candidate couldn’t or wouldn’t assume the role.

    Step 2.2

    Develop Successors

    Activities
    • 2.2.1 Outline Successor Development Process

    The primary goal of this step is to identify the steps that need to be taken to develop potential successors. Focus on training employees for their future role, not just their current one.

    Outcomes of this step

    • Identified gaps between key role exits and successor readiness.

    Succession Planning

    Step 2.1 Step 2.2 Step 2.3

    2.2.1 Outline Successor Development Process

    Input: Role profiles, Talent profiles, Talent assessments

    Output: Identified gaps between key role exits and successor readiness

    Materials: Key Roles Succession Planning Tool – Successor Identification (Tab 7)

    Participants: IT leadership/management team

    Prepare successors for their next role, not just their current one.

    Use role and talent profiles and any talent assessment results to identify gaps for development.

    1. Outline the steps involved in the individual development planning process for successors. Key steps include identifying development timeline, learning needs, learning resources and strategies, and accomplishment metrics/evidence.
    2. Identify learning elements successor development will involve based on critical role type. For example, coaching and/or mentoring, leadership training, functional skills training, or targeted experiences/projects.
    3. Select metrics with associated timelines to measure the progress of successor development plans. Establish guidelines for employee and manager accountability in developing prioritized competencies.
    4. Determine monitoring cadence of successor development plans (i.e. how often successor development plans will be tracked to ensure timely progress). Identify who will be involved in monitoring the process (e.g. steering committee).

    Info-Tech insight

    Succession planning without integrated efforts for successor development is simply replacement planning. Get successors ready for promotion by ensuring a continuously monitored and customized development plan is in place.

    Integrate knowledge transfer in the successor development process

    1

    		 Brainstorm ideas to encourage knowledge-sharing and transfer from incumbent to successor.

    2

    		 Integrate knowledge-transfer methods into the successor development process.
    Identify key knowledge areas to include:
    • Specialized technical knowledge
    • Specialized research and development processes
    • Unique design capabilities/methods/models
    • Special formulas/algorithms/techniques
    • Proprietary production processes
    • Decision-making criteria
    • Innovative sales methods
    • Knowledge about key customers
    • Relationships with key stakeholders
    • Company history and values
    		 Use multiple methods for effective knowledge transfer.

    Explicit knowledge is easily explained and codified, such as facts and procedures. Knowledge transfer methods tend to be more formal and one-way. For example:

    • Formal documentation of processes and best practices
    • Self-published knowledgebase
    • Formal training sessions

    Tacit knowledge accumulates over years of experience and is hard to articulate. Knowledge transfer methods are often informal and interactive. For example:

    • Mentoring and job shadowing
    • Multigenerational work teams
    • Networks and communities
    Knowledge transfer can occur via a wide range of methods that need to be selected and integrated into daily work to suit the needs of the knowledge to be transferred and of the people involved. See Phase 3 for more details on knowledge transfer.

    Step 2.3

    Select Successors

    The goal of this step is to determine how critical roles will be filled when vacancies arise.

    Outcomes of this step

    • Agreement with HR on the process to fill vacancies when key roles exit.

    Succession Planning

    Step 2.1 Step 2.2 Step 2.3

    Determine how critical roles will be filled when vacancies arise

    Choose one of two approaches to successor selection:
    • Talent review meeting:
      • Conduct a talent review meeting with functional leaders to discuss key open positions and select the right successors. Ascertain successor interest prior to the meeting, if not obtained already.
      • If multiple successors are ready now, use both role and talent profiles to arrive at a final decision.
      • If only one successor is ready now, outline steps for their promotion process. Which leaders should be involved for final approval? What is TA’s role?
    • Talent acquisition (TA) process:
      • Align with TA to implement a formal recruitment process to select the right successor (open application and interview process to talent pool).
      • Decide if a talent review meeting is required afterwards to agree on the final successor or if the interview panel will make the final decision.

    Work together with Talent Acquisition (TA) to outline special treatment of critical role vacancies. Ensure TA is aware of succession plan(s).

    Explicitly determine the level of preference for internal successors versus external hires to your TA team to ensure alignment. This will create an environment where promotion from within is customary.

    Build an IT Succession Plan

    Phase 3

    Knowledge Transfer

    Phase 1

    1.1 Identify Critical Roles

    1.2 Assess Talent

    		Phase 2

    2.1 Identify Successors

    2.2 Develop Successors

    2.3 Select Successors

    		Phase 3

    3.1 Identify Critical Knowledge

    3.2 Select Transfer Methods

    3.3 Document Role Transition Plan

    This phase will show you to:

    • Identify critical knowledge risks.
    • Select appropriate transfer methods.
    • Document knowledge transfer initiatives for key role transition plans.

    Tools and resources used:

    • Role Transition Plan Template

    This phase involves the following participants:

    • IT leadership/management team
    • HR
    • Incumbent & successor managers

    Mitigate risk – formalize knowledge transfer

    Use Info-Tech’s Mitigate Key IT Employee Knowledge Loss blueprint to build and implement your knowledge transfer plan.

    Effective knowledge transfer allows organizations to:
    • Maintain or improve speed and productivity by ensuring the right people have the right skills to do their jobs well.
    • Increase agility because knowledge is more evenly distributed amongst employees. Multiple people can perform a given task and no one person becomes a bottleneck.
    • Capture and sustain knowledge; creating a knowledge database provides all employees access to the information, now and in the future.
    		 Knowledge transfer between those in key roles and potential successors yields the highest dividends for:
    • Senior level successions.
    • External hires.
    • Senior expatriate transfers.
    • Developmental stretch assignments.
    • Internal cross-divisional transfers and promotions.
    • High organizational dependency on unique expert knowledge.
    • Critical function/project/team transitions.
    • Large scale reorganizations and mergers & acquisitions.
    (Source: Piktialis and Greenes, 2008)    		 Sample of the Mitigate Key IT Employee Knowledge Loss blueprint.

    Mitigate Key IT Employee Knowledge Loss

    Knowledge transfer is complex and must be both multi-faceted and well supported

    Knowledge transfer is the capture, organization, and distribution of knowledge held by individuals to ensure that it is accessible and usable by others.

    Knowledge transfer is not stopping, learning, and returning to work. Nor is it simply implementing a document management system. Arrow pointing right. Knowledge transfer is a wide range of methods that must be carefully selected and integrated into daily work in order to meet the needs of the knowledge to be transferred and the people involved.

    Knowledge transfer works best when the following techniques are applied

    • Use multiple methods and media to transfer the knowledge.
    • Ensure a two-way interaction between the knowledge source and recipient.
    • Support knowledge transfer with active mentoring.
    • Transfer knowledge at the point of need; that is, when it’s immediately useful.
    • Offer experience-oriented training to reinforce knowledge absorption.
    • Use a knowledge management system to permanently capture knowledge shared.
    		 Personalization is the key.

    Dwyer & Dwyer say that providing “insights to a particular person (or people) needing knowledge at the time of the requirement” is the difference between knowledge transfer that sticks and knowledge that is forgotten.
    “Designing a system in which the employee must interrupt his or her work to learn or obtain new knowledge is not productive. Focus on ‘teachable moments.” (Karl Kapp, “Tools and Techniques for Transferring Know-How from Boomers to Gamers”)

    Step 3.1

    Identify Critical Knowledge to Transfer

    The goal of this step is to understand what knowledge and skills much be transferred, keeping in mind the various types of knowledge.

    Outcomes of this step

    • Critical knowledge and skills for key roles documented in the Key Role Transition plans.

    Knowledge Transfer

    Step 3.1 Step 3.2 Step 3.3

    Understand what knowledge and skills must be transferred

    There are two basic types of knowledge:

    Explicit knowledge:
    Easily explained and codified, e.g. facts and procedures.    		 Image of a head with gears inside. Tacit knowledge:
    Accumulates over years of experience and is hard to verbalize.
    • You should already have a good idea of what knowledge and skills are valued from the worksheets completed earlier.
    • Focus on identifying the knowledge, skills, and relationships essential to the specific incumbent in a key role and what it is he or she does to perform that key role well.
    Document critical knowledge and skills for key roles in the:

    Role Transition Plan Template
    1. Identify key knowledge areas. These include:
      • Specialized technical knowledge and research and development process.
      • Unique design capabilities/methods/models.
      • Special formulas/algorithms/techniques.
      • Proprietary production processes.
      • Decision-making criteria.
      • Innovative sales methods.
      • Knowledge about key customers.
      • Relationships with key stakeholders.
      • Company history and values.
    2. Ask questions of both sources and receivers of knowledge to help determine the best knowledge transfer methods to use.
      • What is the nature of the knowledge? Explicit or tacit?
      • Why is it important to transfer?
      • How will the knowledge be used?
      • What knowledge is critical for success?
      • How will the users find and access it?
      • How will it be maintained and remain relevant and usable?
      • What are the existing knowledge pathways or networks connecting sources to recipients?

    Step 3.2

    Select Knowledge Transfer Methods

    Activities
    • 3.2.1 Select Knowledge Transfer Methods

    This step helps you identify the knowledge transfer methods that will be the most effective, considering the knowledge or skill that needs to be transferred and the individuals involved.

    Outcomes of this step

    • Knowledge transfer methods chosen documented in the Key Role Transition Plans.

    Knowledge Transfer

    Step 3.1 Step 3.2 Step 3.3

    Knowledge transfer methods available

    Be prepared to use various methods to transfer knowledge and use them all liberally.

    The most common knowledge transfer method is simply to have a collaborative culture

    Horizontal bar chart ranking knowledge transfer methods by commonality.
    (Source: McLean & Company, 2013; N=121)

    A basic willingness for a role incumbent to share with a successor is the most powerful item in your tacit knowledge transfer toolkit.

    Formal documentation is critical for explicit knowledge sharing, yet only 40% of organizations use it.

    Rewarding and recognizing employees for doing knowledge transfer well is underutilized yet has emerged as an important reinforcing component of any effective knowledge transfer program.
    Don’t forget it!

    3.2.1 Select Knowledge Transfer Methods

    Input: Role profiles, Talent profiles

    Output: Methods for integrating knowledge transfer into day-to-day practice

    Materials: Role Transition Plan Template

    Participants: IT leadership/management team, HR, Knowledge source, Knowledge recipient

    Utilize methods that make it easy to apply the knowledge in day-to-day practice.

    Select your method according to the following criteria:

    1. The type of knowledge. A soft skill, like professionalism, is best taught via mentoring, while a technical process is best documented and applied on-the-job.
    2. What the knowledge recipient is comfortable with. The recipient may get bored during formal training sessions and retain more during job shadowing.
    3. What the knowledge source is comfortable with. The source may be uncomfortable with blogs and wikis, but comfortable with SharePoint.
    4. The cost. Some methods require an investment in time (e.g. mentoring), while others require an investment in technology (e.g. knowledge bases).
      • The good news is that many supporting technologies may already exist in your organization or can be acquired for free.
      • Methods that cost time may be difficult to get underway since employees may feel they don’t have the time or must change the way they work.

    The more integrated knowledge transfer is in day-to-day activities, the more likely it is to be successful and the lower the time cost. This is because real learning is happening at the same time real work is being accomplished.

    Document the knowledge transfer methods in the Role Transition Plan Template.

    Role Transition Plan Template

    Explore alternative work arrangements

    Ensure sufficient time to prepare successors

    If a key role incumbent isn’t around to complete knowledge transfer, it’s all for naught.

    Alternative work arrangements are critical tools that employers can use to achieve a mutually beneficial solution that mitigates the risk of loss associated with key roles.

    Alternative work arrangements not only support employees who want to keep working, but they allow the business to retain employees that are needed in key roles.

    In a survey from The Conference Board, one out of four older workers indicated that they continue to work because their company provided them with needed flexibility.

    And, nearly half said that more flexibility would make them less likely to retire. (Source: Ivey Business Journal)

    Flexible work options are the most used form of alternative work arrangement

    Horizontal bar chart ranking alternative work arrangements by usage.
    (Source: McLean & Company, N=44)

    Choose the alternative work arrangement that works best for you and the employee

    Alternative Work Arrangement

    Description

    Ideal Use

    Caveats
    Flexible work options Employees work the same number of hours but have flexibility in when and where they work (e.g. from home, evenings). Employees who work fairly independently, with no or few direct reports. Employee may become isolated or disconnected, impeding knowledge transfer methods that require interaction or one-on-one time.
    Contract-based work Working for a defined period of time on a specific project on a non-salaried or non-wage basis. Project-oriented work that requires specialized knowledge or skills. Available work may be sporadic or specific projects more intensive than the employee wants. Knowledge transfer must be built into the contractual arrangement.
    Part-time roles Half-days or a certain number of days per week; indefinite with no end date in mind. Employees whose roles can be readily narrowed and upon whom people and critical processes are not dependent. It may be difficult to break a traditionally full-time job down into a part-time role given the size and nature of associated tasks.
    Graduated retirement Retiring employee has a set retirement date, gradually reducing hours worked per week over time. Roles where a successor has been identified and is available to work alongside the incumbent in an overlapping capacity while he or she learns. The role may only require a single FTE, and the organization may not be able to afford the amount of redundancy inherent in this arrangement.

    The arrangement chosen may be a combination of multiple options

    Alternative Work Arrangement

    Description

    Ideal Use

    Caveats

    Part-year jobs or job sharingWorking part of the year and having the rest of the year off, unpaid.Project-oriented work where ongoing external relationships do not need to be maintained. The employee is unavailable for knowledge transfer activities for a large portion of the year. Another risk is that the employee may opt not to return at the end of the extended time off, with little notice.
    Increased paid time offAdditional vacation days upon reaching a certain age.Best used as recognition or reward for long-term service. This may be a particularly useful retention incentive in organizations that do not offer pension plans. The company may not be able to financially afford to pay for such extensive time off. If the role incumbent is the only one in the role, this may mean crucial work is not being done.
    Altered rolesConcentration of a job description on fewer tasks that allows the employee to focus on his or her specific expertise.Roles where a successor has been identified and is available to work alongside the incumbent, with the incumbent’s new role highly focused on mentoring. The role may only require a single FTE, and the organization may not be able to afford the amount of redundancy inherent in this arrangement.

    Alternative work arrangements require senior management support

    Senior management and other employees must see the value of retaining older workers, or they will not be supportive of these solutions.

    Any changes made to an employee’s work arrangement has an impact on people, processes, and policies.

    If the knowledge and skills of older employees aren’t valued, then:

    • Alternative arrangements will be seen as wasteful accommodation of a low-value employee.
    • Time won’t be allowed to manage the transition properly and make appropriate changes.
    • Other employees may resent any workload spillover.
    		 Alternate work arrangements can’t be implemented on a whim.

    Make sure alternative work arrangements can be done right and are supported – they’re often solutions that come with additional work. Determine the effects and make appropriate adjustments.

    • Review processes, particularly hand-off and approval points, to ensure tasks will still be handled seamlessly.
    • Assess organizational policies to ensure no violations are occurring or to rework policies (where possible) to accommodate alternative work arrangements.
    • Speak to affected employees to answer questions, identify obstacles, gain support, redefine their job descriptions if required, and make appropriate compensation adjustments. Always provide appropriate training when skills requirements are expanded.

    Step 3.3

    Document Role Transition Plans for all Key Roles

    Activities
    • 3.3.1 Document Role Transition Plans

    The primary goal of this step is to build clear checklist-based plans for each key role to help ensure a smooth transition as a successor takes over.

    Outcomes of this step

    • Completed key role transition plans

    Knowledge Transfer

    Step 3.1 Step 3.2 Step 3.3

    3.3.1 Document Role Transition Plans

    Input: Role profiles, Talent profiles, Talent assessments, Workforce plans

    Output: A clear checklist-based plan to help ensure a smooth transition.

    Materials: Role Transition Plan Template

    Participants: IT leadership/management team, Incumbent, Successor(s), HR

    Define a transition plan for all employees in at-risk key roles, and their successors.

    You should already have a good idea of what knowledge and skills are valued from the worksheets completed earlier. Focus on identifying the knowledge, skills, and relationships essential to the specific incumbent in a key role and what it is they do to perform that key role well.

    Using the Role Transition Plan Template develop a plan to transfer what needs to be transferred from the incumbent to the successor.

    1. Record the incumbent and successor information in the template.
    2. Summarize the key accountabilities and expectations of the incumbent’s role. This summary should highlight specific tasks and initiatives that the successor must take on, including success enablers. Attach the job description for a full description of accountabilities and expectations.
    3. Document the knowledge and skills requirements for the key role, as well as any additional knowledge and skills possessed by the key role incumbent that will aid the successor.
    4. Document any alternative work arrangements to the incumbent’s roles.
    5. Populate the Role Transition Checklist for key transition activities that must be completed by certain dates. A list of sample checklist items has been provided. Add, delete, or modify list items to suit your needs.

    Role Transition Plan Template

    DairyNZ leverages alternative work arrangements

    Ensures successful knowledge transfer
    INDUSTRY
    Agricultural research
    SOURCE
    Rose Macfarlane, General Manager Human Resources, DairyNZ
    Challenge
    • DairyNZ employs many people in specialized science research roles. Some very senior employees are international experts in their field.
    • Several experts have reached or are nearing retirement age. These pending retirements have come as no surprise.
    • However, due to the industry’s lack of development investment in the past, there is a 20–30-year experience gap in the organization for some key roles.
    		 Solution
    • One principal scientist gave over two years’ notice. His replacement – an external candidate – had been identified in advance and was hired once retirement notice was given.
    • The incumbent’s role was amended. He worked alongside his successor for 18 months in a controlled hand-over process.
    		 Results
    • The result was ideal in that the advance notice allowed full knowledge transfer to take place.

    Research Contributors and Experts

    Anne Roberts
    Principal, Leadership Within Inc. al,
    • Anne T. Roberts is an experienced organization development professional and executive business coach who works with leaders and their organizations to help them create, articulate and implement their change agenda. Her extensive experience in change management, organizational design, meeting design and facilitation, communication and leadership alignment has helped leaders tap into their creativity, drive and energy. Her ability to work with and coach people at the leadership level on a wide range of topics has them face their own organizational stories.
    		 Amanda Mathieson
    Senior Manager, Talent Management, Tangerine
    • Amanda is responsible for researching people- and leadership-focused trends, developing thought models, and providing resources, tools, and processes to build and drive the success of leaders in a disruptive world.
    • Her expertise in leadership development, organizational change management, and performance and talent management comes from her experience in various industries spanning pharmaceutical, retail insurance, and financial services. She takes a practical, experiential approach to people and leadership development that is grounded in adult learning methodologies and leadership theory. She is passionate about identifying and developing potential talent, as well as ensuring the success of leaders as they transition into more senior roles.

    Related Info-Tech Research

    Stock image of a brain. Mitigate Key IT Employee Knowledge Loss
    • Transfer IT knowledge before it’s gone.
    • Effective knowledge transfer mitigates risks from employees leaving the organization and is a key asset driving innovation and customer service.
    Stock image of sticky notes being organized on a board. Implement an IT Employee Development Plan
    • There is a growing gap between the competencies organizations have been focused on developing, and what is needed in the future.
    • Employees have been left to drive their own development, with little direction or support and without the alignment of development to organizational needs.

    Bibliography

    “Accommodating Older Workers’ Needs for Flexible Work Options.” Ivey Business Journal, July/August 2005. Accessed Jan 7, 2013.

    Christensen, Kathleen and Marcie Pitt-Catsouphes. “Approaching 65: A Survey of Baby Boomers Turning 65 Years Old”. AARP, Dec. 2010.

    Coyne, Kevin P. and Shawn T. Coyne. “The Baby Boomer Retirement Fallacy and What It Means to You. “ HBR Blog Network. Harvard Business Review, May 16, 2008. Accessed 8 Jan. 2013.

    Dwyer, Kevin and Ngoc Luong Dwyer. “Managing the Baby Boomer Brain Drain: The Impact of Generational Change on Human Resource Management.” ChangeFactory, April 2010. Accessed Jan 9, 2013.

    Gurchiek, Kathy. “Poll: Organizations Can Do More to Prepare for Talent Shortage as Boomers Retire.” SHRM, Nov 17, 2010. Accessed Jan 3, 2013.

    Howden, Daniel. “What Is Time to Fill? KPIs for Recruiters.” Workable, 24 March 2016. Web.

    Kapp, Karl M. “Tools and Techniques for Transferring Know-How from Boomers to Gamers.” Global Business and Organizational Excellence, July/August 2007. Web.

    Piktialis, Diane and Kent A. Greenes. Bridging the Gaps: How to Transfer Knowledge in Today’s Multigenerational Workplace. The Conference Board, 2008.

    Pisano, Gary P. “You need an Innovation Strategy.” Harvard Business Review, June 2015.

    Vilet, Jacque. “Lost Knowledge – What Are You and Your Organization Doing About It?” TLNT, 25 April 2012. Accessed 5 Jan. 2013.

    Craft a Customer-Driven Market Strategy With Unbiased Data

    • Buy Link or Shortcode: {j2store}611|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Selection & Implementation
    • Parent Category Link: /selection-and-implementation
    • Market strategies are informed by gut feel and endless brainstorming instead of market data to take their product from concept to customer.
    • Hiring independent market research firms results in a lack of unbiased third-party data. Research firms tell vendors what they want to hear instead of offering an agnostic view of software trends.
    • Dissatisfied customers don’t tell you directly why they are leaving, so there is no feedback loop back into product improvements.
    • Often a market strategy is built after a product is developed to force the product’s fit in the market. The product marketing team has no say in the product vision or future improvements.

    Our Advice

    Critical Insight

    • Adopt the 5 P’s to building a winning market strategy: Proposition, Product, Pricing, Placement, and Promotion.
    • You can’t be everything to everyone. Testing your proposition in the market to see what sticks is a risky move. Promise future value using past successes by gaining a deeper understanding of which customers and submarkets truly align to your product.
    • Customers have learned to avoid shiny new objects but still expect rapid feature releases. Differentiating features require a closer look at the underpinning vendor capabilities. Having intentional feature releases requires a feedback loop into the product roadmap and increases influence by the product marketing team.
    • Price transparency and sensitivity should drive what you offer to customers. Negotiating solely on price is a race to the bottom.

    Impact and Result

    • Leverage this report to gain insights on the software selection process and what top vendors do best.
    • Gain a bird’s-eye view on customer purchasing behavior using over 40,000 data points on satisfaction and importance collected directly from the source.
    • Build a winning market strategy influenced by real customer data that drives vendor success.

    Craft a Customer-Driven Market Strategy With Unbiased Data Research & Tools

    Read the storyboard

    Read our storyboard to find out why you should leverage SoftwareReviews data to craft your market strategy, review Info-Tech’s methodology, and understand unbiased customer data on software purchasing triggers.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    • Craft a Customer-Driven Market Strategy With Unbiased Data Storyboard
    [infographic]

    Prepare for the Upgrade to Windows 11

    • Buy Link or Shortcode: {j2store}166|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: End-User Computing Devices
    • Parent Category Link: /end-user-computing-devices
    • Windows 10 is going EOL in 2025.That is closer than you think.
    • Many of your endpoints are not eligible for the Windows 11 upgrade. You can’t afford to replace all your endpoints this year. How do you manage this Microsoft initiated catastrophe?
    • You want to stay close to the leading edge of technology and services, but how do you do that while keeping your spending in check and within budget?

    Our Advice

    Critical Insight

    Windows 11 is a step forward in security, which is one of the primary reasons for the release of the new operating system. Windows 11 comes with a list of hardware requirements that enable the use of tools and features that, when combined, will reduce malware infections.

    Impact and Result

    Windows 11 hardware requirements will result in devices that are not eligible for the upgrade. Companies will be left to spend money on replacement devices. Following the Info-Tech guidance will help clients properly budget for hardware replacements before Windows 10 is no longer supported by Microsoft. Eligible devices can be upgraded, but Info-Tech guidance can help clients properly plan the upgrade using the upgrade ring approach.

    Prepare for the Upgrade to Windows 11 Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Prepare for the Upgrade to Windows 11 Deck – A look into some of the pros and cons of Microsoft’s latest desktop operating system, along with guidance on moving forward with this inevitable upgrade.

    Discover the reason for the release of Windows 11, what you require to be eligible for the upgrade, what features were added or updated, and what features were removed. Our guidance will assist you with a planned and controlled rollout of the Windows 11 upgrade. We also provide guidance on how to approach a device refresh plan if some devices are not eligible for Windows 11. The upgrade is inevitable, but you have time, and you have options.

    • Prepare for the Upgrade to Windows 11 Storyboard

    2. What Are My Options If My Devices Cannot Upgrade to Windows 11? – Build a Windows 11 Device Replacement budget with our Hardware Asset Management Budgeting Tool.

    This tool will help you budget for a hardware asset refresh and to adjust the budget as necessary to accommodate any unexpected changes. The tool can easily be modified to assist in developing and justifying the budget for hardware assets for a Windows 11 project. Follow the instructions on each tab and feel free to play with the HAM budgeting tool to fit your needs.

    • HAM Budgeting Tool
    [infographic]

    Further reading

    Prepare for the Upgrade to Windows 11

    The upgrade is inevitable, but you have time, and you have options.

    Analyst Perspective

    Upgrading to Windows 11 is easy, and while it should be properly investigated and planned, it should absolutely be an activity you undertake.

    “You hear that Mr. Anderson? That is the sound of inevitability.” ("The Matrix Quotes" )

    The fictitious Agent Smith uttered those words to Keanu Reeves’ character, Neo, in The Matrix in 1999, and while Agent Smith was using them in a very sinister and figurative context, the words could just as easily be applied to the concept of upgrading to the Windows 11 operating system from Microsoft in 2022.

    There have been two common, recurring themes in the media since late 2019. One is the global pandemic and the other is cyber-related crime. Microsoft is not in a position to make an impact on a novel coronavirus, but it does have the global market reach to influence end-user technology and it appears that it has done just that. Windows 11 is a step forward in endpoint security and functionality. It also solidifies the foundation for future innovations in end-user operating systems and how they are delivered. Windows-as-a-Service (WAAS) is the way forward for Microsoft. Windows 10 is living on borrowed time, with a defined end of support date of October 14, 2025. Upgrading to Windows 11 is easy, and while it should be properly investigated and planned, it should absolutely be an activity you undertake.

    It is inevitable!

    P.J. Ryan

    Research Director, Infrastructure & Operations

    Info-Tech Research Group

    Executive Summary

    Your Challenge

    • Windows 10 is going EOL in 2025. That is closer than you think.
    • Many of your endpoints are not eligible for the Windows 11 upgrade. You can’t afford to replace all your endpoints this year. How do you manage this Microsoft-initiated catastrophe?
    • You want to stay close to the leading edge of technology and services, but how do you do that while keeping your spending in check and within budget?

    Common Obstacles

    • The difference between Windows 10 and Windows 11 is not clear. Windows 11 looks like Windows 10 with some minor changes, mostly cosmetic. Many online users don’t see the need. Why upgrade? What are the benefits?
    • The cost of upgrading devices just to be eligible for Windows 11 is high.
    • Your end users don’t like change. This is not going to go over well!

    Info-Tech's Approach

    • Spend wisely. Space out your endpoint replacements and upgrades over several years. You do not have to upgrade everything right away.
    • Be patient. Windows 11 contained some bugs when it was initially released. Microsoft fixed most of the issues through monthly quality updates, but you should ensure that you are comfortable with the current level of functionality before you upgrade.
    • Use the upgrade ring approach. Test your applications with a small group first, and then stage the rollout to increasingly larger groups over time.

    Info-Tech Insight

    There is a lot of talk about Windows 11, but this is only an operating system upgrade, and it is not a major one. Understand what is new, what is added, and what is missing. Check your devices to determine how many are eligible and ineligible. Many organizations will have to spend capital on endpoint upgrades. Solid asset management practices will help.

    Insight summary

    Windows 11 is a step forward in security, which is one of the primary reasons for the release of the new operating system.

    Windows 11 comes with a list of hardware requirements that enable the use of tools and features that, when combined, will reduce malware infections.

    The hardware requirements for Windows 11 enable security features such as password-less logon, disk encryption, increased startup protection with secure boot, and virtualization-based security.

    Many organizations will have to spend capital on endpoint upgrades.

    Microsoft now insists that modern hardware is required for Windows 11 for not only security but also for improved stability. That same hardware requirement will mean that many devices that are only three or four years old (as well as older ones) may not be eligible for Windows 11.

    Windows 11 is a virtualization challenge for some providers.

    The hardware requirements for physical devices are also required for virtual devices. The TPM module appears to be the biggest challenge. Oracle VirtualBox and Citrix Hypervisor as well as AWS and Google are unable to support Windows 11 virtual devices as of the time of writing.

    Windows 10 will be supported by Microsoft until October 2025.

    That will remove some of the pressure felt due to the ineligibility of many devices and the need to refresh them. Take your time and plan it out, keeping within budget constraints. Use the upgrade ring approach for systems that are eligible for the Windows 11 upgrade.

    New look and feel, and a center screen taskbar.

    Corners are rounded, some controls look a little different, but overall Windows 11 is not a dramatic shift from Windows 10. It is easier to navigate and find features. Oh, and yes, the taskbar (and start button) is shifted to the center of the screen, but you can move them back to the left if desired.

    The education industry gets extra attention with the release of Windows 11.

    Windows 11 comes with multiple subscription-based education offerings, but it also now includes a new lightweight SE edition that is intended for the K-8 age group. Microsoft also released a Windows 11 Education SE specific laptop, at a very attractive price point. Other manufacturers also offer Windows 11 SE focused devices.

    Why Windows 11?

    Windows 10 was supposed to be the final desktop OS from Microsoft, wasn’t it?

    Maybe. It depends who you ask.

    Jerry Nixon, a Microsoft developer evangelist, gained notoriety when he uttered these words while at a Microsoft presentation as part of Microsoft Ignite in 2015: “Right now we’re releasing Windows 10, and because Windows 10 is the last version of Windows, we’re all still working on Windows 10,” (Hachman). Microsoft never officially made that statement. Interestingly enough, it never denied the comments made by Jerry Nixon either.

    Perhaps Microsoft released a new operating system as a financial grab, a way to make significant revenue?

    Nope.

    Windows 11 is a free upgrade or is included with any new computer purchase.

    Market share challenges?

    Doubtful.

    It’s true that Microsoft's market share of desktop operating systems is dropping while Apple OS X and Google Chrome OS are rising.

    In fact, Microsoft has relinquished over 13% of the market share since 2012 and Apple has almost doubled its market share. BUT:

    Microsoft is still holding 75.12% of the market while Apple is in the number 2 spot with 14.93% (gs.statcounter.com).

    The market share is worth noting for Microsoft but it hardly warrants a new operating system.

    New look and feel?

    Unlikely

    New start button and taskbar orientation, new search window, rounded corners, new visual look on some controls like the volume bar, new startup sound, new Windows logo, – all minor changes. Updates could achieve the same result.

    Security?

    Likely the main reason.

    Windows 11 comes with a list of hardware requirements that enable the use of tools and features that, when combined, will reduce malware infections.

    The hardware requirements for Windows 11 enable security features such as password-less logon, disk encryption, increased startup protection with secure boot, and virtualization-based security.

    The features are available on all Windows 11 physical devices, due to the common hardware requirements.

    Windows 11 hardware-based security

    These hardware options and features were available in Windows 10 but not enforced. With Windows 11, they are no longer optional. Below is a description and explanation of the main features.

    Feature What it is How it works
    TPM 2.0 (Trusted Platform Module) Chip TPM is a chip on the motherboard of the computer. It is used to store encryption keys, certificates, and passwords. TPM does this securely with tamper-proof prevention. It can also generate encryption keys and it includes its own unique encryption key that cannot be altered (helpdeskgeek.com). You do not need to enter your password once you setup Windows Hello, so the password is no longer easy to capture and steal. It is set up on a device per device basis, meaning if you go to a different device to sign in, your Windows Hello authentication will not follow you and you must set up your Hello pin or facial recognition again on that particular device. TPM (Trusted Platform Module) can store the credentials used by Windows Hello and encrypt them on the module.
    Windows Hello Windows Hello is an alternative to using a password for authentication. Users can use a pin, a fingerprint, or facial recognition to authenticate.
    Device Encryption Device encryption is only on when your device is off. It scrambles the data on your disk to make it unreadable unless you have the key to unscramble it. If your endpoint is stolen, the contents of the hard drive will remain encrypted and cannot be accessed by anyone unless they can properly authenticate on the device and allow the system to unscramble the encrypted data.
    UEFI Secure Boot Capable UEFI is an acronym for Unified Extensible Firmware Interface. It is an interface between the operating system and the computer firmware. Secure Boot, as part of the firmware interface, ensures that only unchangeable and approved software and drivers are loaded at startup and not any malware that may have infiltrated the system (Lumunge). UEFI, with Secure Boot, references a database containing keys and signatures of drivers and runtime code that is approved as well as forbidden. It will not let the system boot up unless the signature of the driver or run-time code that is trying to execute is approved. This UEFI Secure boot recognition process continues until control is handed over to the operating system.
    Virtualization Based Security (VBS) and Hypervisor-Protected Code Integrity (HVCI) VBS is security based on virtualization capabilities. It uses the virtualization features of the Windows operating system, specifically the Hyper-V hypervisor, to create and isolate a small chunk of memory that is isolated from the operating system. HVCI checks the integrity of code for violations. The Code Integrity check happens in the isolated virtual area of memory protected by the hypervisor, hence the acronym HVCI (Hypervisor Protected Code Integrity) (Murtaza). In the secure, isolated region of memory created by VBS with the hypervisor, Windows will run checks on the integrity of the code that runs various processes. The isolation protects the stored item from tampering by malware and similar threats. If they run incident free, they are released to the operating system and can run in the standard memory space. If issues are detected, the code will not be released, nor will it run in the standard memory space of the operating system, and damage or compromise will be prevented.

    How do all the hardware-based security features work?

    This scenario explains how a standard boot up and login should happen.

    You turn on your computer. Secure Boot authorizes the processes and UEFI hands over control to the operating system. Windows Hello works with TPM and uses a pin to authenticate the user and the operating systems gives you access to the Windows environment.

    Now imagine the same process with various compromised scenarios.

    You turn on your computer. Secure Boot does not recognize the signature presented to it by the second process in the boot sequence. You will be presented with a “Secure Boot Violation” message and an option to reboot. Your computer remains protected.

    You boot up and get past the secure boot process and UEFI passes control over to the Windows 11 operating system. Windows Hello asks for your pin, but you cannot remember the pin and incorrectly enter it three times before admitting temporary defeat. Windows Hello did not find a matching pin on the TPM and will not let you proceed. You cannot log in but in the eyes of the operating system, it has prevented an unauthorized login attempt.

    You power up your computer, log in without issue, and go about your morning routine of checking email, etc. You are not aware that malware has infiltrated your system and modified a page in system memory to run code and access the operating system kernel. VBS and HVCI check the integrity of that code and detect that it is malicious. The code remains isolated and prevented from running, protecting your system.

    TPM, Hello, UEFI with Secure Boot, VBS and HVCI all work together like a well-oiled machine.

    “Microsoft's rationale for Windows 11's strict official support requirements – including Secure Boot, a TPM 2.0 module, and virtualization support – has always been centered on security rather than raw performance.” – Andrew Cunningham, arstechnica.com

    “Windows 11 raises the bar for security by requiring hardware that can enable protections like Windows Hello, Device Encryption, virtualization-based security (VBS), hypervisor-protected code integrity (HVCI), and Secure Boot. These features in combination have been shown to reduce malware by 60% on tested devices.” – Steven J. Vaughan-Nichols, Computerworld

    Can any device upgrade to Windows 11?

    In addition to the security-related hardware requirements listed previously, which may exclude some devices from Windows 11 eligibility, Windows 11 also has a minimum requirement for other hardware components.

    Windows 7 and Windows 10 were publicized as being backward compatible and almost any hardware would be able to run those operating systems. That changed with Windows 11. Microsoft now insists that modern hardware is required for Windows 11 for not only security but also improved stability.

    Software Requirement

    You must be running Windows 10 version 2004 or greater to be eligible for a Windows 11 upgrade (“Windows 11 Requirements”).

    Complete hardware requirements for Windows 11

    • 1 GHz (or faster) compatible 64-bit processor with two or more cores
    • 4 GB RAM
    • 64 GB or more of storage space
    • Compatible with DirectX 12 or later with WDDM 2.0 driver
      • DirectX connects the hardware in your computer with Windows. It allows software to display graphics using the video card or play audio, as long as that software is DirectX compatible. Windows 11 requires version 12 (“What are DirectX 12 compatible graphics”).
      • WDDM is an acronym for Windows Display Driver Model. WDDM is the architecture for the graphics driver for Windows (“Windows Display Driver Model”).
      • Version 2.0 of WDDM is required for Windows 11.
    • 720p display greater than 9" diagonally with 8 bits per color channel
    • UEFI Secure Boot capable
    • TPM 2.0 chip

      • (“Windows 11 Requirements”)

    Windows 11 may challenge your virtual environment

    When Windows 11 was initially released, some IT administrators experienced issues when trying to install or upgrade to Windows 11 in the virtual world.

    The Challenge

    The issues appeared to be centered around the Windows 11 hardware requirements, which must be detected by the Windows 11 pre-install check before the operating system will install.

    The TPM 2.0 chip requirement was indeed a challenge and not offered as a configuration option with Citrix Hypervisor, the free VMware Workstation Player or Oracle VM VirtualBox when Windows 11 was released in October 2021, although it is on the roadmap for Oracle and Citrix Hypervisor. VMware provides alternative products to the free Workstation Player that do support a virtual TPM. Oracle and Citrix reported that the feature would be available in the future and Windows 11 would work on their platforms.

    Short-Term Solutions

    VMware and Microsoft users can add a vTPM hardware type when configuring a virtual Windows 11 machine. Microsoft Azure does offer Windows 11 as an option as a virtual desktop. Citrix Desktop-As-A-Service (DAAS) will connect to Azure, AWS, or Google Cloud and is only limited by the features of the hosting cloud service provider.

    Additional Insight

    According to Microsoft, any VM running Windows 11 must meet the following requirements (“Virtual Machine Support”):

    • It must be a generation 2 VM, and upgrading a generation 1 VM to Windows 11 (in-place) is not possible
    • 64 GB of storage or greater
    • Secure Boot capable with the virtual TPM enabled
    • 4 GB of memory or greater
    • 2 or more virtual processors
    • The CPU of the physical computer that is hosting the VM must meet the Windows 11 (“Windows Processor Requirements”)

    What’s new or updated in Windows 11?

    The following two slides highlight some of the new and updated features in Windows 11.

    Security

    The most important change with Windows 11 is what you cannot see – the security. Windows 11 adds requirements and controls to make the user and device more secure, as described in previous slides.

    Taskbar

    The most prominent change in relation to the look and feel of Windows 11 is the shifting of the taskbar (and Start button) to the center of the screen. Some users may find this more convenient but if you do not and prefer the taskbar and start button back on the left of your screen, you can change it in taskbar settings.

    Updated Apps

    Paint, Photos, Notepad, Media Player, Mail, and other standard Windows apps have been updated with a new look and in some cases minor enhancements.

    User Interface

    The first change users will notice after logging in to Windows 11 is the new user interface – the look and feel. You may not notice the additional colors added to the Windows palette, but you may have thought that the startup sound was different, and the logo also looks different. You would be correct. Other look-and-feel items that changed include the rounded corners on windows, slightly different icons, new wallpapers, and controls for volume and brightness are now a slide bar. File explorer and the settings app also have a new look.

    Microsoft Teams

    Microsoft Teams is now installed on the taskbar by default. Note that this is for a personal Microsoft account only. Teams for Work or School will have to be installed separately if you are using a work or school account.

    What’s new or updated in Windows 11?

    Snap Layouts

    Snap layouts have been enhanced and snap group functionality has been added. This will allow you to quickly snap one window to the side of the screen and open other Windows in the other side. This feature can be accessed by dragging the window you wish to snap to the left or right edge of the screen. The window should then automatically resize to occupy that half of the screen and allow you to select other Windows that are already open to occupy the remaining space on the screen. You can also hover your mouse over the maximize button in the upper right-hand corner of the window. A small screen with multiple snap layouts will appear for your selection. Multiple snapped Windows can be saved as a “Snap Group” that will open together if one of the group windows are snapped in the future.

    Widgets

    Widgets are expanding. Microsoft started the re-introduction of widgets in Windows 10, specifically focusing on the weather. Widgets now include other services such as news, sports, stock prices, and others.

    Android Apps

    Android apps can now run in Windows 11. You will have to use the Amazon store to access and install Android apps, but if it is available in the Amazon store, you can install it on Windows 11.

    Docking

    Docking has improved with Windows 11. Windows knows when you are docked and will minimize apps when you undock so they are not lost. They will appear automatically when you dock again.

    This is not intended to be an inclusive list but does cover some of the more prominent features.

    What’s missing from Windows 11?

    The following features are no longer found in Windows 11:

    • Backward compatibility
      • The introduction of the hardware requirements for Windows 11 removed the backward compatibility (from a hardware perspective) that made the transition from previous versions of Windows to their successor less of a hardware concern. If a computer could run Windows 7, then it could also run Windows 10. That does not automatically mean it can also run Windows 11.
    • Internet Explorer
      • Internet Explorer is no longer installed by default in Windows 11. Microsoft Edge is now the default browser for Windows. Other browsers can also be installed if preferred.
    • Tablet mode
      • Windows 11 does not have a "tablet" mode, but the operating system will maximize the active window and add more space between icons to make selecting them easier if the 2-in-1 hardware detects that you wish to use the device as a tablet (keyboard detached or device opened up beyond 180 degrees, etc.).
    • Semi-annual updates
      • It may take six months or more to realize that semi-annual feature updates are missing. Microsoft moved to an annual feature update schema but continued with monthly quality updates with Windows 11.
    • Specific apps
      • Several applications have been removed (but can be manually added from the Microsoft Store by the user). They include:
        • OneNote for Windows 10
        • 3D Viewer
        • Paint 3D
        • Skype
    • Cortana (by default)
      • Cortana is missing from Windows 11. It is installed but not enabled by default. Users can turn it on if desired.

    Microsoft included a complete list of features that have been removed or deprecated with Windows 11, which can be found here Windows 11 Specs and System Requirements.

    Windows 11 editions

    • Windows 11 is offered in several editions:
      • Windows 11 Home
      • Windows 11 Pro
      • Windows 11 Pro for Workstations
      • Windows 11 Enterprise Windows 11 for Education
      • Windows 11 SE for Education
    • Windows 11 hardware requirements and security features are common throughout all editions.
    • The new look and feel along with all the features mentioned previously are common to all editions as well.
    • Windows Home
      • Standard offering for home users
    • Pro versus Pro for Workstations
      • Windows 11 Pro and Pro for Workstations are both well suited for the business environment with available features such as support for Active Directory or Azure Active Directory, Windows Autopilot, OneDrive for Business, etc.
      • Windows Pro for Workstations is designed for increased demands on the hardware with the higher memory limits (2 TB vs. 6 TB) and processor count (2 CPU vs. 4 CPU).
      • Windows Pro for Workstations also features Resilient File System, Persistent Memory, and SMB Direct. Neither of these features are available in the Windows 11 Pro edition.
      • Windows 11 Pro and Pro for Workstations are both very business focused, although Pro may also be a common choice for non-business users (Home and Education).
    • Enterprise Offerings
      • Enterprise licenses are subscription based and are part of the Microsoft 365 suite of offerings.
      • Windows 11 Enterprise is Windows 11 Pro with some additional addons and functionality in areas such as device management, collaboration, and security services.
      • The level of the Microsoft 365 Enterprise subscription (E3 or E5) would dictate the additional features and functionality, such as the complete Microsoft Defender for Endpoint suite or the Microsoft phone system and Audio Conferencing, which are only available with the E5 subscription.

    Windows 11 Education Editions

    With the release of a laptop targeted specifically at the education market, Microsoft must be taking notice of the Google Chrome educational market penetration, especially with headlines like these.

    “40 Million Chromebooks in Use in Education” (Thurrott)

    “The Unprecedented Growth of the Chromebook Education Market Share” (Carklin)

    “Chromebooks Gain Market Share as Education Goes Online” (Hruska)

    “Chromebooks Gain Share of Education Market Despite Shortages” (Mandaro)

    “Chromebook sales skyrocketed in Q3 2020 with online education fueling demand” (Duke)

    • Education licenses are subscription based and are part of the Microsoft 365 suite of offerings. Educational pricing is one benefit of the Microsoft 365 Education model.
    • Windows 11 Education is Windows 11 Pro with some additional addons and functionality similar to the Enterprise offerings for Windows 11 in areas such as device management, collaboration, and security services. Windows 11 Education also adds some education specific settings such as Classroom Tools, which allow institutions to add new students and their devices to their own environment with fewer issues, and includes OneNote Class Notebook, Set Up School PCs app, and Take a Test app.
    • The level of the Microsoft 365 Education subscription (A3 or A5) would dictate the additional features and functionality, such as the complete Microsoft Defender for Endpoint suite or the Microsoft phone system and Audio Conferencing, which are only available with the A5 subscription.
    • Windows 11 SE for Education:
      • A cloud-first edition of Windows 11 specifically designed for the K-8 education market.
      • Windows 11 SE is a light version of Windows 11 that is designed to run on entry-level devices with better performance and security on that hardware.
      • Windows 11 SE requires Intune for Education and only IT admins can install applications.
    • Microsoft and others have come out with Windows SE specific devices at a low price point.
      • The Microsoft Surface Laptop SE comes pre-loaded with Windows 11 SE and can be purchased for US$249.00.
      • Dell, Asus, Acer, Lenovo, and others also offer Windows 11 SE specific devices (“Devices for Education”).

    Initial Reactions

    Below you can find some actual initial reactions to Windows 11.

    Initial reactions are mixed, as is to be expected with any new release of an operating system. The look and feel is new, but it is not a huge departure from the Windows 10 look and feel. Some new features are well received such as the snap feature.

    The shift of the taskbar (and start button) is the most popular topic of discussion online when it comes to Windows 11 reactions. Some love it and some do not. The best part about the shift of the taskbar is that you can adjust it in settings and move it back to its original location.

    The best thing about reactions is that they garner attention, and thanks in part to all the online reactions and comments, Microsoft is continually improving Windows 11 through quality updates and annual feature releases.

    “My 91-year-old Mum has found it easy!” Binns, Paul ITRG

    “It mostly looks quite nice and runs well.” Jmbpiano, Reddit user

    “It makes me feel more like a Mac user.” Chang, Ben Info-Tech

    “At its core, Windows 11 appears to be just Windows 10 with a fresh coat of paint splashed all over it.” Rouse, Rick RicksDailyTips.com

    “Love that I can snap between different page orientations.” Roberts, Jeremy Info-Tech

    “I finally feel like Microsoft is back on track again.” Jawed, Usama Neowin

    “A few of the things that seemed like issues at first have either turned out not to be or have been fixed with patches.” Jmbpiano, Reddit user

    “The new interface is genuinely intuitive, well-designed, and colorful.” House, Brett AnandTech

    “No issues. Have it out on about 50 stations.” Sandrews1313, Reddit User

    “The most striking change is to the Start menu.” Grabham, Dan pocket-lint.com

    How do I upgrade to Windows 11?

    The process is very similar to applying updates in Windows 10.

    • Windows 11 is offered as an upgrade through the standard Windows 10 update procedure. Windows Update will notify you when the Windows 11 upgrade is ready (assuming your device is eligible for Windows 11).
      • Allow the update (upgrade in this case) to proceed, reboot, and your endpoint will come back to life with Windows 11 installed and ready for you.
    • A fresh install can be delivered by downloading the required Windows 11 installation media from the Microsoft Software Download site for Windows 11.
    • Business users can control the timing and schedule of the Windows 11 rollout to corporate endpoints using Microsoft solutions such as WSUS, Configuration Manager, Intune and Endpoint Manager, or by using other endpoint management solutions.
    • WSUS and Configuration Manager will have to sync the product category for Windows 11 to manage the deployment.
    • Windows Update for Business policies will have to use the target version capability rather than using the feature update referrals alone.
    • Organizations using Intune and a Microsoft 365 E3 license will be able to use the Feature Update Deployments page to select Windows 11.
    • Other modern endpoint management solutions may also allow for a controlled deployment.

    Info-Tech Insight

    The upgrade itself may be a simple process but be prepared for the end-user reactions that will follow. Some will love it but others will despise it. It is not an optional upgrade in the long run, so everyone will have to learn to accept it.

    When can I upgrade to Windows 11?

    You can upgrade right now BUT there is no need to rush. Windows 11 was released in October 2021 but that doesn’t mean you have to upgrade everyone right away. Plan this out.

    • Build deployment rings into your Windows 11 upgrade approach: This approach, also referred to as Canary Releases or deployment rings, allows you to ensure that IT can support users if there's a major problem with the upgrade. Instead of disrupting all end users, you are only disrupting a portion of end users.
      • Deploy the initial update to your test environment.
      • After testing is successful or changes have been made, deploy Windows 11 to your pilot group of users.
      • After the pilot group gives you the thumbs up, deploy to the rest of production in phases. Phases are sometimes by office/location, sometimes by department, sometimes by persona (i.e. defer people that don't handle updates well), and usually by a combination of these factors.
      • Increase the size of each ring as you progress.
    • Always back up your data before any upgrade.

    Deployment Ring Example

    Pilot Ring - Individuals from all departments - 10 users

    Ring #1 - Dev, Finance - 20 Users

    Ring #2 - Research - 100 Users

    Ring #3 - Sales, IT, Marketing - 500 Users

    Upgrade your eligible devices and users to Windows 11

    Build Windows 11 Deployment Rings

    Instructions:

    1. Identify who will be in the pilot group. Use individuals instead of user groups.
    2. Identify how many standard rings you need. This number will be based on the total number of employees per office.
    3. Map groups to rings. Define which user groups will be in each ring.
    4. Allow some time to elapse between upgrades. Allow the first group to work with Windows 11 and identify any potential issues that may arise before upgrading the next group.
    5. Track and communicate. Record all information into a spreadsheet like the one on the right. This will aid in communication and tracking.
    Ring Department or Group Total Users Delay Time Before Next Group
    Pilot Ring Individuals from all departments 10 Three weeks
    Ring 1 Dev Finance 20 Two weeks
    Ring 2 Research 100 One week
    Ring 3 Sales, IT Marketing 500 N/A

    What are my options if my devices cannot upgrade to Windows 11?

    Don’t rush out to replace all the ineligible endpoint devices. You have some time to plan this out. Windows 10 will be available and supported by Microsoft until October 2025.

    Use asset management strategies and budget techniques in your Windows 11 upgrade approach:

    • Start with current inventory and determine which devices will not be eligible for upgrade to Windows 11.
    • Prioritize the devices for replacement, taking device age, the role of the user the device supports, and delivery times for remote users into consideration.
    • Take this opportunity to review overall device offerings and end-user compute strategy. This will help decide which devices to offer going forward while improving end-user satisfaction.
    • Determine the cost for replacement devices:
      • Compare vendor offerings using an RFP process.
    • Use the hardware asset management planning spreadsheet on the next slide to budget for the replacements over the coming months leading up to October 2025.

    Leverage Info-Tech research to improve your end-user computing strategy and hardware asset management processes:

    New to End User Computing Strategies? Start with Modernize and Transform Your End-User Computing Strategy.

    New to IT asset management? Use Info-Tech’s Implement Hardware Asset Management blueprint.

    Use Info-Tech’s HAM Budgeting Tool to plan your hardware asset budget

    Build a Windows 11 Device Replacement Budget

    The link below will open up a hardware asset management (HAM) budgeting tool. This tool can easily be modified to assist in developing and justifying the budget for hardware assets for the Windows 11 project. The tool will allow you to budget for hardware asset refresh and to adjust the budget as needed to accommodate any changes. Follow the instructions on each tab to complete the tool.

    A sample of a possible Windows 11 budgeting spreadsheet is shown on the right, but feel free to play with the HAM budgeting tool to fit your needs.

    HAM Budgeting Tool

    Windows 11 Replacement Schedule
    2022 2023 2024 2025
    Department Total to replace Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Left to allocate
    Finance 120 20 20 20 10 10 20 20 0
    HR 28 15 13 0
    IT 30 15 15 0
    Research 58 8 15 5 20 5 5 0
    Planning 80 10 15 15 10 15 15 0
    Other 160 5 30 5 15 15 30 30 30 0
    Totals 476 35 38 35 35 35 35 38 35 50 35 35 35 35 0

    Related Info-Tech Research

    Modernize and Transform Your End-User Computing Strategy

    This project helps support the workforce of the future by answering the following questions: What types of computing devices, provisioning models, and operating systems should be offered to end users? How will IT support devices? What are the policies and governance surrounding how devices are used? What actions are we taking and when? How do end-user devices support larger corporate priorities and strategies?

    Implement Hardware Asset Management

    This project will help you analyze the current state of your HAM program, define assets that will need to be managed, and build and involve the ITAM team from the beginning to help embed the change. It will also help you define standard policies, processes, and procedures for each stage of the hardware asset lifecycle, from procurement through to disposal.

    Bibliography

    aczechowski, et al. “Windows 11 Requirements.” Microsoft, 3 June 2022. Accessed 13 June 2022.

    Binns, Paul. Personal interview. 07 June 2022.

    Butler, Sydney. “What Is Trusted Platform Module (TPM) and How Does It Work?” Help Desk Geek, 5 August 2021. Accessed 18 May 2022.

    Carklin, Nicolette. “The Unprecedented Growth of the Chromebook Education Market Share.” Parallels International GmbH, 26 October 2021. Accessed 19 May 2022.

    Chang, Ben. Personal interview. 26 May 2022.

    Cunningham, Andrew. “Why Windows 11 has such strict hardware requirements, according to Microsoft.” Ars Technica, 27 August 2021. Accessed 19 May 2022.

    Dealnd-Han, et al. “Windows Processor Requirements.” Microsoft, 9 May 2022. Accessed 18 May 2022.

    “Desktop Operating Systems Market Share Worldwide.” Statcounter Globalstats, June 2021–June 2022. Accessed 17 May 2022.

    “Devices for education.” Microsoft, 2022. Accessed 13 June 2022.

    Duke, Kent. “Chromebook sales skyrocketed in Q3 2020 with online education fueling demand.” Android Police, 16 November 2020. Accessed 18 May 2022.

    Grabham, Dan. “Windows 11 first impressions: Our initial thoughts on using Microsoft's new OS.” Pocket-Lint, 24 June 2021. Accessed 3 June 2022.

    Hachman, Mark. “Why is there a Windows 11 if Windows 10 is the last Windows?” PCWorld, 18 June 2021. Accessed 17 May 2022.

    Howse, Brett. “What to Expect with Windows 11: A Day One Hands-On.” Anandtech, 16 November 2020. Accessed 3 June 2022.

    Hruska, Joel. “Chromebooks Gain Market Share as Education Goes Online.” Extremetech, 26 October 2020. Accessed 19 May 2022.

    Jawed, Usama. “I am finally excited about Windows 11 again.” Neowin, 26 February 2022. Accessed 3 June 2022.

    Jmbpiano. “Windows 11 - What are our initial thoughts and feelings?” Reddit, 22 November 2021. Accessed 3 June 2022.

    Lumunge, Erick. “UEFI and Legacy boot.” OpenGenus, n.d. Accessed 18 May 2022.

    Bibliography

    Mandaro, Laura. “Chromebooks Gain Share of Education Market Despite Shortages.” The Information, 9 September 2020. Accessed 19 May 2022.

    Murtaza, Fawad. “What Is Virtualization Based Security in Windows?” Valnet Inc, 24 October 2021. Accessed 17 May 2022.

    Roberts, Jeremy. Personal interview. 27 May 2022.

    Rouse, Rick. “My initial thoughts about Windows 11 (likes and dislikes).” RicksDailyTips.com, 5 September 2021. Accessed 3 June 2022.

    Sandrews1313. “Windows 11 - What are our initial thoughts and feelings?” Reddit, 22 November 2021. Accessed 3 June 2022.

    “The Matrix Quotes." Quotes.net, n.d. Accessed 18 May 2022.

    Thurrott, Paul.” Google: 40 Million Chromebooks in Use in Education.” Thurrott, 21 January 2020. Accessed 18 May 2022.

    Vaughan-Nichols, Steven J. “The real reason for Windows 11.” Computerworld, 6 July 2021, Accessed 19 May 2022.

    “Virtual Machine Support.” Microsoft,3 June 2022. Accessed 13 June 2022.

    “What are DirectX 12 compatible graphics and WDDM 2.x.” Wisecleaner, 20 August 2021. Accessed 19 May 2022.

    “Windows 11 Specs and System Requirements.” Microsoft, 2022. Accessed 13 June 2022.

    “Windows Display Driver Model.” MiniTool, n.d. Accessed 13 June 2022.

    Transform Your Field Technical Support Services

    • Buy Link or Shortcode: {j2store}112|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Strategy and Organizational Design
    • Parent Category Link: /strategy-and-organizational-design
    • Redefine the role of deskside or field technicians as demand for service evolves and service teams are restructured.
    • Redefine the role of onsite technicians when the help desk is outsourced.
    • Define requirements when supplementing with outsourced field services teams.
    • Identify barriers to streamlining processes.
    • Look for opportunities to streamline processes and better use technical teams.
    • Communicate and manage change to support roles.

    Our Advice

    Critical Insight

    • Service needs to be defined in a way that considers the organizational need for local, hands-on technicians, the need for customer service, and the need to make the best use of resources that you have.
    • Service level agreements will need to be refined and metrics will need to be analyzed for capacity and skilled planning.
    • Organizational change management will be key to persuade users to engage with the technical team in a way that supports the new structure.

    Impact and Result

    • Many IT teams are struggling to keep up with demand while trying to refocus on customer service. With more remote workers than ever, organizations who have traditionally provided desktop and field services have been revaluating the role of the field service technicians. Add in the price of fuel, and there is even more reason to assess the support model.
    • Often changes to the way IT does support, especially if moving centralized support to an outsourcer, is met with resistance by end users who don’t see the value of phoning someone else when their local technician is still available to problem solve. This speaks to the need to ensure the central group is providing value to end users as well as the technical team.
    • With the challenges of finding the right number of technicians with the right skills, it’s time to rethink remote support and how that can be used to train and upskill the people you have. And it’s time to think about how to use field services tools to make the best use of your technician’s time.

    Transform Your Field Technical Support Services Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Transform Field Services Guide – A brief deck that outlines key migration steps to improve our remote client support services.

    This blueprint will help you:

    • Transform Your Field Technical Services Storyboard

    2. Transform Field Services Template – A template to create a transformation proposal.

    This template will help you to build your proposal to transform your field services.

    • Proposal to Transform Field Technical Services Template
    [infographic]

    Further reading

    Transform Your Field Technical Support Services

    Improve service and reduce costs through digital transformation.

    Analyst Perspective

    Improve staffing challenges through digital transformation.

    Many IT teams are struggling to keep up with demand while trying to refocus on customer service. With more remote workers than ever, organizations who have traditionally provided desktop and field services have been revaluating the role of the field service technicians. Add in the price of fuel, and there is even more reason to assess the support model. Often changes to the way IT does support, especially if moving centralized support to an outsourcer, is met with resistance by end users who don’t see the value of phoning someone else when their local technician is still available to problem solve. This speaks to the need to ensure the central group is providing value to end users as well as the technical team. With the challenges of finding the right number of technicians with the right skills, it’s time to rethink remote support and how that can be used to train and upskill the people you have. And it’s time to think about how to use field services tools to make the best use of your technician’s time.

    The image contains a picture of Sandi Conrad.

    Sandi Conrad

    Principal Research Director

    Infrastructure & Operations Practice

    Info-Tech Research Group

    Executive Summary

    Your Challenge

    With remote work becoming a normal employee offering for many organizations, self-serve/self-solve becoming more prominent, and a common call out to improve customer service, there is a need to re-examine the way many organizations are supplying onsite support. For organizations with a small number of offices, a central desk with remote tools may be enough or can be combined with a concierge service or technical center, but for organizations with multiple offices it becomes difficult to provide a consistent level of service for all customers unless there is a team onsite for each location. This may not be financially possible if there isn’t enough work to keep a technical team busy full-time.

    Common Obstacles

    Where people have a choice between calling a central phone number or talking to the technician down the hall, the in-person experience often wins out. End users may resist changes to in-person support as work is rerouted to a centralized group by choosing to wait for their favorite technician to show up onsite rather than reporting issues centrally. This can make the job of the onsite technician more challenging as they need to schedule time in every visit for unplanned work. And where technicians need to support multiple locations, travel needs to be calculated into lost technician time and costs.

    Info-Tech’s Approach

    • Service needs to be defined in a way that considers the organizational need for local, hands-on technicians, the need for customer service, and the need to make the best use of resources that you have.
    • Service-level agreements will need to be refined and metrics will need to be analyzed for capacity and skilled planning.
    • Organizational change management will be key to persuade users to engage with the technical team in a way that supports the new structure.

    Info-Tech Insight

    Improving process will be helpful for smaller teams, but as teams expand or work gets more complicated, investment in appropriate tools to support field services technicians will enable them to be more efficient, reduce costs, and improve outcomes when visits are warranted.

    Your challenge

    This research is designed to help organizations who are looking to:

    • Redefine the role of deskside or field technicians as demand for service evolves and service teams are restructured.
    • Redefine the role of onsite technicians when the help desk is outsourced.
    • Define requirements when supplementing with outsourced field services teams.
    • Identify barriers to streamlining processes.
    • Look for opportunities to streamline processes and better use technical teams.
    • Communicate and manage change to support roles.

    With many companies having new work arrangements for users, where remote work may be a permanent offering or if your digital transformation is well underway, this provides an opportunity to rethink how field support needs to be done.

    What is field services?

    Field services is in-person support delivered onsite at one or more locations. Management of field service technicians may include queue management, scheduling service and maintenance requests, triaging incidents, dispatching technicians, ordering parts, tracking job status, and billing.

    The image contains a diagram to demonstrate what may be supported by field services and what should be supported by field services.

    What challenges are you trying to solve within your field services offering?

    Focus on the reasons for the change to ensure the outcome can be met. Common goals include improved customer service, better technician utilization, and increased response time and stability.

    • Discuss specific challenges the team feels are contributing to less-than-ideal customer service.
    • Does the team have the skills, knowledge, and tools they need to be successful? Technicians may be solving issues with the customer looking over their shoulder. Having quick access to knowledge articles or to subject matter experts who can provide deeper expertise remotely may be the difference between a single visit to resolve or multiple or extended visits.
    • What percentage of tickets would benefit from triage and troubleshooting done remotely before sending a technician onsite? Where there are a high number of no-fault-found visits, this may be imperative to improving technician availability.
    • Review method for distribution of tickets, including batching criteria and dispatching of technicians. Are tickets being dispatched efficiently? By location and/or priority? Is there an attempt to solve more tickets centrally? Should there be? What SLA adjustment is reasonable for onsite visits?
    • Has the support value been defined?
    The image contains a graph to demonstrate Case Casuals in Field Services, where the highest at 55% is break/fix.

    Field services will see the biggest improvements through technology updates

    Customer Intake

    Provide tools for scheduling technicians, self-serve and self- or assisted-solve through ITSM or CRM-based portal and visual remote tools.

    		 The image contains a picture to demonstrate the different field services.

    Triage and Troubleshoot

    Upgrade remote tools to visual remote solutions to troubleshoot equipment as well as software. Eliminate no-fault-found visits and improve first-time fix rate by visually inspecting equipment before technician deployments.

    Improve Communications

    FSM GPS and SMS updates can be set to notify customers when a technician is close by and can be used for customer sign-off to immediately update service records and launch survey or customer billing where applicable.

    Schedule Technicians

    Field service management (FSM) ITSM modules will allow skills-based scheduling for remote technicians and determine best route for multi-site visits.

    Enable Work From Anywhere

    FSM mobile applications can provide technicians with daily schedules, turn-by-turn directions, access to inventory, knowledge articles, maintenance, and warranty and asset records. Visual remote captures service records and enables access to SMEs.

    Manage Expectations

    Know where technicians are for routing to emergency calls and managing workload using field service management solutions with GPS.

    Digital transformation can dramatically improve customer and technician experience

    The image contains an arrown that dips and rises dramatically to demonstrate how digital transformation can dramatically increase customer and technician experience.
    Sources: 1 - TechSee, 2019; 2 - Glartek; 3 - Geoforce; 4 - TechSee, 2020

    Improve technician utilization and scheduling with field services management software

    Field services management (FSM) software is designed to improve scheduling of technicians by skills and location while reducing travel time and mileage. When integrated with ITSM software, the service record is transferred to the field technician for continuity and to prepare for the job. FSM mobile apps will enable technicians to receive schedule updates through the day and through GPS update the dispatcher as technicians move from site to site.

    FSM solutions are designed to manage large teams of technicians, providing automated dispatch recommendations based on skills matching and proximity.

    Routes can be mapped to reduce travel time and mileage and adjusted to respond to emergency requests by technician skills or proximity. Automation will provide suggestions for work allocation.

    Spare parts management may be part of a field services solution, enabling technicians to easily identify parts needed and update real-time inventory as parts are deployed.

    Push notifications in real-time streamline communications from the field to the office, and enable technicians to close service records while in the field.

    Dispatchers can easily view availability, assign work orders, attach notes to work orders, and immediately receive updates if technicians acknowledge or reject a job.

    Maintenance work can be built into online checklists and forms to provide a technician with step-by-step instructions and to ensure a complete review.

    Skills and location-based routing allow dispatchers to be able to see closest tech for emergency deployments.

    Improve time to resolve while cutting costs by using visual remote support tools

    Visual remote support tools enable live video sessions to clearly see what the client or field service technician sees, enabling the experts to provide real-time assistance where the experts will provide guidance to the onsite person. Getting a view of the technology will reduce issues with getting the right parts, tools, and technicians onsite and dramatically reduce second visits.

    Visual remote tools can provide secure connections through any smartphone, with no need for the client to install an application.

    The technicians can take control of the camera to zoom in, turn on the flashlight for extra lighting, take photos, and save video directly to the tickets.

    Optical character recognition allows automatic text capture to streamline process to check warranty, recalls, and asset history.

    Visual, interactive workflows enhance break/fix and inspections, providing step-by-step guidance visual evidence and using AI and augmented reality to assess the images, and can provide next steps by connecting to a visual knowledgebase.

    Integration with field service management tools will allow information to easily be captured and uploaded immediately into the service record.

    Self-serve is available through many of these tools, providing step-by-step instructions using visual cues. These solutions are designed to work in low-bandwidth environments, using Wi-Fi or cellular service, and sessions can be started with a simple link sent through SMS.

    Stabilize Infrastructure & Operations During Work-From-Anywhere

    • Buy Link or Shortcode: {j2store}309|cart{/j2store}
    • member rating overall impact: 9.0/10 Overall Impact
    • member rating average dollars saved: After each Info-Tech experience, we ask our members to quantify the real-time savings, monetary impact, and project improvements our research helped them achieve.
    • member rating average days saved: Read what our members are saying
    • Parent Category Name: Strategy and Organizational Design
    • Parent Category Link: /strategy-and-organizational-design

    Work-from-anywhere isn’t going anywhere. IT Infrastructure & Operations needs to:

    • Rebuild trust in the stability of IT infrastructure and operations.
    • Identify gaps created from the COVID-19 rush to remote work.
    • Identify how IT can better support remote workers.

    IT went through an initial crunch to enable remote work. It’s time to be proactive and learn from our mistakes.

    Our Advice

    Critical Insight

    • The nature of work has fundamentally changed. IT departments must ensure service continuity, not for how the company worked in 2019, but how the company is working now and will be working tomorrow.
    • Revisit the basics. Don’t focus on becoming an innovator until you have improved network access, app access, file access, and collaboration tools.
    • Aim for near-term innovation. Once you’re a trusted operator, become a business partner by directly empowering end users at home and in the office.

    Impact and Result

    Build a work-from-anywhere strategy that resonates with the business.

    • Strengthen the foundations of collaboration tools, app access, file access, network access, and endpoint standards.
    • Explore opportunities to strengthen IT operations.
    • Proactively help the business through employee experience monitoring and facilities optimization.

    Stabilize Infrastructure & Operations During Work-From-Anywhere Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should build a strategy for improving how well IT infrastructure and operations support work-from-anywhere, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Stabilize IT infrastructure

    Ensure your fundamentals are solid.

    2. Update IT operations

    Revisit your practices to ensure you can effectively operate in work-from-anywhere.

    3. Optimize IT infrastructure & operations

    Offer additional value to the business by proactively addressing these items.

    • Roadmap Tool

    Infographic

    Workshop: Stabilize Infrastructure & Operations During Work-From-Anywhere

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Stabilize IT Infrastructure

    The Purpose

    Strengthen the foundations of IT infrastructure.

    Key Benefits Achieved

    Improved end-user experience

    Stabilized environment

    Activities

    1.1 Review work-from-anywhere framework and identify capability gaps.

    1.2 Review diagnostic results to identify satisfaction gaps.

    1.3 Record improvement opportunities for foundational capabilities: collaboration, network, file access, app access.

    1.4 Identify deliverables and opportunities to provide value for each.

    Outputs

    Projects and initiatives to stabilize IT infrastructure

    Deliverables and opportunities to provide value for foundational capabilities

    2 Update IT Operations and Optimize

    The Purpose

    Update IT operational practices to support work-from-anywhere more effectively.

    Key Benefits Achieved

    Improved IT operations

    Activities

    2.1 Identify IT infrastructure and operational capability gaps.

    2.2 Record improvement opportunities for DRP & BCP.

    2.3 Record improvement opportunities for endpoint and systems management practices.

    2.4 Record improvement opportunities for IT operational practices.

    2.5 Explore office space optimization and employee experience monitoring.

    Outputs

    Projects and initiatives to update IT operations to better support work-from-anywhere

    Longer-term strategic initiatives

    Deliverables and opportunities to provide value for each capability

    Navigate the Digital ID Ecosystem to Enhance Customer Experience

    • Buy Link or Shortcode: {j2store}76|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: IT Strategy
    • Parent Category Link: /it-strategy
    • Amid the pandemic-fueled surge in online services, organizations require secure solutions to safeguard digital interactions. These solutions must be uniform, interoperable, and fortified against security threats.
    • Although the digital identity ecosystem has garnered significant attention and investment, many organizations remain uncertain about its potential for authentication and the authorization required for B2B and B2C transactions, and in turn reducing their cost of operations and transferring their data risks.

    Our Advice

    Critical Insight

    • Limited / lack of understanding of the global digital ID ecosystem and its varying approaches across countries handicaps businesses in defining the benefits digital ID can bring to customer interactions and overall business management.
    • In addition, key obstacles exist in balancing customer privacy, data security, and regulatory requirements while pursuing excellent end-user experience and high customer adoption.
    • Info-Tech Insight: Focusing on customer touchpoints and transforming them are key to excellent experience and increasing their life-time value (LTV) to them and to your organization. Digital ID is that tool of transformation.

    Impact and Result

    • Digital ID has many dimensions, and its ecosystem's sustainability lies in the key principles it is built on. Understanding the digital identity ecosystem and its responsibilities is crucial to formulating an approach to adopt it. Also, focusing on key success factors drives digital ID adoption.
    • Before embarking on the digital identity adoption journey, it is essential to assess your readiness. It is also necessary to understand the risks and challenges. Specific steps to digital ID adoption can help realize the potential of digital identity and enhance the customers' experience.

    Navigate the Digital ID Ecosystem to Enhance Customer Experience Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Navigate the Digital ID Ecosystem to Enhance Customer Experience Storyboard – Learn how to adopt Digital ID to drive benefits, enhance customer experience, improve efficiency, manage data risks, and uncover new opportunities.

    This research focuses on verified digital identity ecosystems and explores risks, opportunities, and challenges of relying on verified digital IDs and also how adopting digital identity initiatives can improve customer experience and operational efficiency. It covers:

  • Definition and dimensions of digital identity
  • Key responsibilities and principles of digital identity ecosystem
  • Success factors for digital identity adoption
  • Global evolution and unique approaches in Estonia, India, Canada, UK, and Australia
  • Industries that benefit most from digital ID development
  • Key use cases of digital ID
  • Benefits to governments, ID providers, ID consumers, and end users
  • Readiness checklist and ten steps to digital ID adoption
  • Risks and challenges of digital identity adoption
  • Key recommendations to realize potential of digital identity
  • Taxonomy and definitions of terms in the digital identity ecosystem

    • Navigate the Digital ID Ecosystem to Enhance Customer Experience Storyboard
    • Familiarize Yourself With the Digital ID Ecosystem Taxonomy
    • Assess Your Digital ID Adoption Readiness

    Infographic

    Further reading

    Navigate the Digital ID Ecosystem to Enhance Customer Experience

    Beyond the hype: How it can help you become more customer-focused?

    Executive Summary

    Your Challenge

    Common Obstacles

    Info-Tech’s Approach

    Amid the pandemic-fueled surge of online services, organizations require secure solutions to safeguard digital interactions. These solutions must be uniform, interoperable, and fortified against security threats.

    Although the digital identity ecosystem has garnered significant attention and investment, many organizations remain uncertain about its potential for authentication and authorization required for B2B and B2C transactions.

    They still wonder if digital ID can help reduce cost of operations and transfer data risks.

    Limited or lack of understanding of the global Digital ID ecosystem and its varying approaches across countries handicap businesses in defining the potential benefits Digital ID can bring to customer interactions and overall business management.

    In addition, key obstacles exist in balancing customer privacy (including the right to be forgotten), data security, and regulatory requirements while pursuing desired end-user experience and high customer adoption.

    Digital ID has many dimensions, and its ecosystem's sustainability lies in the key principles it is built on. Understanding the digital identity ecosystem and its responsibilities is crucial to formulate an approach to adopt it. Also, focusing on key success factors drives digital ID adoption.

    Before embarking on the digital identity adoption journey, it is essential to assess your readiness. It is also necessary to understand the risks and challenges. Specific steps to digital ID adoption can help realize the potential of digital identity and enhance the customers' experience.

    Info-Tech Insight

    Focusing on customer touchpoints and transforming them is key to excellent user experience and increasing their lifetime value (LTV) to them and to your organization. Digital ID is that tool of transformation.

    Analyst Perspective

    Manish Jain.

    Manish Jain

    Principal Research Director

    Analyst Profile

    “I just believed. I believed that the technology would change people's lives. I believed putting real identity online - putting technology behind real identity - was the missing link.”

    - Sheryl Sandberg (Brockes, Emma. “Facebook’s Sheryl Sandberg: who are you calling bossy?” The Guardian, 5 April 2014)

    Sometimes dismissed as mere marketing gimmicks, digital identity initiatives are anything but. While some argue that any online credential is a "Digital ID," rendering the hype around it pointless, the truth is that a properly built digital ID ecosystem has the power to transform laggard economies into global digital powerhouses. Moreover, digital IDs can help businesses transfer some of their cybersecurity risks and unlock new revenue channels by enabling a foundation for secure and efficient value delivery.

    In addition, digital identity is crucial for digital and financial inclusion, simplifying onboarding processes and opening up new opportunities for previously underserved populations. For example, in India, the Aadhaar digital ID ecosystem brought over 481 million1 people into the formal economy by enabling access to financial services. Similarly, in Indonesia, the e-KIP digital ID program paved the way for 10 million new bank accounts, 94% of which were for women2.

    However, digital identity initiatives also come with valid concerns, such as the risk of a single point of failure and the potential to widen the digital divide.

    This research focuses on the verified digital identity ecosystem, exploring the risks, opportunities, and challenges organizations face relying on these verified digital IDs to know their customers before delivering value. By understanding and adopting digital identity initiatives, organizations can unlock their full potential and provide a seamless customer experience while ensuring operational efficiency.

    1 India Aadhaar PMJDY (https://pmjdy.gov.in/account)
    2 Women’s World Banking, 2020.

    Digital Identity Ecosystem and vital ingredients of adoption

    Digital Identity Ecosystem.

    What is digital identity?

    Definitions may vary, depending on the focus.

    “Digital identity (ID) is a set of attributes that links a physical person with their online interactions. Digital ID refers to one’s online persona - an online footprint. It touches important aspects of one’s everyday life, from financial services to health care and beyond.” - DIACC Canada

    “Digital identity is a digital representation of a person. It enables them to prove who they are during interactions and transactions. They can use it online or in person.” - UK Digital Identity and Attributes Trust Framework

    “Digital identity is an electronic representation of an entity (person or other entity such as a business) and it allows people and other entities to be recognized online.” - Australia Trusted Digital Identity Framework

    A digital identity is primarily an electronic form of identity representing an entity uniquely , while abstracting all other identity attributes of the entity. In addition to an electronic form, it may also exist in a physical form (identity certificate), linked through an identifier representing the same entity.

    Digital identity has many dimensions*, and in turn categories

    Trust

    • Verified (Govt. issued IDs)
    • Unverified (Email Id)

    Subject

    • Individual
    • Organization
    • Device
    • Service

    Usability

    • Single-purpose (Disposable)
    • Multi-purpose (Reusable)

    Provider

    • Sovereign Government
    • Provincial Government
    • Local Government
    • Public Organization
    • Private Organization
    • Self

    Jurisdiction

    • Global (Passport)
    • National (DL)
    • State/Provincial (Health Card)
    • Local (Voting Card)
    • Private (Social)

    Form

    • Physical Card
    • Virtual Identifier
    • Online/App Account
    • PKI Keys
    • Tokens

    Governance

    • Sovereign
    • Federated
    • Decentralized
    • Trust Framework -based
    • Self-sovereign

    Expiry

    • Permanent (Lifetime, Years)
    • Temporary (Minutes, Hours)
    • Revocable

    Usage Mode

    • online only
    • offline only
    • Online/offline

    Purpose

    • Authorization (driver’s license, passport, employment)
    • Authentication (birth certificate, social security number)
    • Activity Linking (preferences, habits, and priorities)
    • Historical Record (Resume, educational financial, health history)
    • Social Interactions (Social Media)
    • Machine Connectivity

    Info-Tech Insight

    Digital ID has taken different meanings for different people, serving different purposes in different environments. Based on various aspects of Digital Identification, it can be categorized in several types. However, most of the time when people refer to a form of identification as Digital ID, they refer to a verified id with built-in trust either from the government OR the eco-system.

    * Please refer to Taxonomy for the definition of each of the dimensions

    Understanding a digital identity ecosystem is key to formulating your approach to adopt it

    The image contains a screenshot of a digital identity ecosystem diagram.

    Info-Tech Insight

    Digital identity ecosystems comprise many entities playing different roles, and sometimes more than one. In addition, variations in approach by jurisdictions drive how many active players are in the ecosystem for that jurisdiction.

    For example, in countries like Estonia and India, government plays the role of trust and governance authority as well as ID provider, but didn’t start with any Digital ID wallet. In contrast, in Ukraine, Diia App is primarily a Digital ID Wallet. Similarly, in the US, different states are adopting private Digital ID Wallet providers like Apple.

    Digital ID ecosystem’s sustainability lies in the key principles it is built on

    Social, economic, and legal alignment with target stakeholders
    Transparent governance and operation
    Legally auditable and enforceable
    Robust and Resilient – High availability
    Security – At rest, in progress, and in transit
    Privacy and Control with users
    Omni-channel Convenience – User and Operations
    Minimum data transfer between entities
    Technical interoperability enabled through open standards and protocol
    Scalable and interoperable at policy level
    Cost effective – User and operations
    Inclusive and accessible

    Info-Tech Insight

    A transparent, resilient, and auditable digital ID system must be aligned with socio-economic realities of the target stakeholders. It not only respects their privacy and security of their data by minimizing the data transfer between entities, but also drives desired customer experience by providing an omni-channel, interoperable, scalable, and inclusive ecosystem while still being cost-effective for the collaborators.

    Source: Adapted from Canada PCTF, UK Trust framework, European Commission, Australia TDIF, and others

    Focus on key success factors to drive the digital ID adoption

    Digital ID success factors

    Legislative regulatory framework – Removes uncertainty
    Security & Privacy Assurance- builds trust
    Smooth user experience – Drives preferences
    Transparent ecosystem – Drives inclusivity
    Multi-channel – Drive consistent experience online / offline
    Inter-operability thorough open standards
    Digital literacy – Education and awareness
    Multi-purpose & reusable – Reduce consumer burden
    Collaborative ecosystem –Build network effect

    Source: Adapted from Canada PCTF, UK digital identity & attributes trust framework , European eIDAS, and others

    Info-Tech Insight

    Driving adoption of Digital ID requires affirmative actions from all ecosystem players including governing authorities, identity providers, and identity consumers (relying parties).

    These nine success factors can help drive sustainable adoption of the Digital ID.

    Among many responsibilities the ecosystem players have, identity governance is the key to sustainability

    • Digital identity provision
      • Creating identity attributes
      • Create a reusable identity and attribute service
      • Create a digital identity
      • Assess and manage quality of an identity and attributes
      • Making identity provision inclusive and accessible
    • Digital identity resolution
      • Enabling inclusive access to products and services through digital identity
      • Authenticate and authorize identity subjects before permitting access to their identity and attributes
    • Digital identity governance
      • Manage digital identity and attributes
      • Make Identity service interoperable, and sharable
      • Recover digital identity and attribute accounts
      • Notifying users on accessing identity or making changes on more attributes
      • Report and audit – exclusion, accessibility
      • Retiring an identity or attribute service
      • Respond to complaints and disputes
    • Enterprise risk management and governance
    		 The image contains a screenshot of a diagram to demonstrate how identity governance is the key to sustainability.
    • Privacy and security
      • Use encryption
      • Privacy compliance framework
      • Consumer Privacy Protection laws (CPPA, GDPR etc.)
      • Acquiring and managing user consents & agreements
      • Prohibited processing of personal data
      • Security controls and governance
    • Information management
      • Record management
      • Archival
      • Disposal (on expiry or to comply with regulations)
      • CIA (confidentiality, integrity, availability)
    • Fraud management
      • Fraud monitoring and reporting
      • Fraud intelligence and analysis
      • Sharing threat indicators
      • Legal, policies and procedures for fraud management
    • Incident response
      • Respond to fraud incidents
      • Respond to a service delivery incident
      • Responding to data breaches
      • Performing and participating in investigation

    Global evolution of digital ID is following the socio-economic aspirations of countries

    The image contains a screenshot of a graph that demonstrates global evolution of digital ID.

    Source: Adapted from the book: Identification Revolution: Can Digital ID be harnessed for Development? (Gelb & Metz), 2018

    Info-Tech Insight

    The world became global a long time ago; however, it sustained economic progress without digital IDs for most of the world's population.

    With the pandemic, when political rhetoric pointed to the demand for localized supply chains, economies became irreversibly digital. In this digital economy, the digital ID ecosystem is the fulcrum of sustainable growth.

    At a time in overlapping jurisdictions, multiple digital IDs can exist. For example, one is issued by a local municipality, one by the province, and another by the national government.

    Global footprint of digital ID is evolving rapidly, but varies in approach

    The image contains a screenshot of a Global footprint of digital ID.

    Info-Tech Insight

    Countries’ approach to the digital ID is rooted in their socio-economic environment and global aspirations.

    Emerging economies with large underserved populations prioritize fast implementation of digital ID through centralized systems.

    Developed economies with smaller populations, low trust in government, and established ID systems prioritize developing trust frameworks to drive decentralized full-scale implementation.

    There is no right way except the one which follows Digital ID principles and aligns with a country’s and its people’s aspirations.

    Estonia's e-identity is the key to its digital agenda 2030

    • Regulatory Body and Operational Governance: Estonian Information System Authority (RIA).
    • Identity Providers: Government of Estonia; Private sector doesn’t issue IDs but can leverage Digital ID ecosystem.
    • Decentralized Approach: Permissioned Blockchain Architecture with built-in data traceability implemented on KSI (Keyless Signature Infrastructure).
    • X-Road – Secure, interoperable open-source data exchange platform between collection point where Data is stored.
    • Digital Identity Form: e-ID
    • Key Use cases:
      • Financial, Telecom: e-KYC, e-Banking
      • Digital Authentication: ID Card, Mobile ID, Smart ID, Digital Signatures
      • E-governance: e-Voting, e-Residency, e-Services Registries, e-Business Register
      • Smart City and mobility: Freight Transportation, Passenger Mobility
      • Healthcare: e-Health Record, e-Prescription, e-Ambulance
    • ID-card
    • Smart ID
    • Mobile ID
    • e-Residency

    Uniqueness

    Estonia pioneered the digital ID implementation with a centralized approach and later transitioned to a decentralized ecosystem driving trust to attract non-citizens into Estonia’s digital economy.

    99% Of Estonian residents have an ID card enabling use of electronic ID

    1.4 B Digital signatures given (2021)

    99% Public Services available as e-Services

    17K+ Productive years saved (five working days/citizen/year saved accessing public services)

    25K E-resident companies contributed more than €32 million in tax

    *Source: https://e-estonia.com/wp-content/uploads/e-estonia-211022_eng.pdf ;

    https://www.e-resident.gov.ee/dashboard

    The image contains a timeline of events from 2001-2020 for Estonia..

    India’s Aadhaar is the foundation of its digital journey through “India stack”

    • Regulatory Accountability and Operational Governance: Unique Identification Authority of India (UIDAI).
    • Identity Provider: Govt. of India.
    • Digital Identity Form: Physical and electronic ID Card; Online (Identifier + OTP), and offline (identifier + biometric) usage; mAadhaar App & Web Portal
    • India Stack: a set of open APIs and digital assets to leverage Aadhaar in identity, data, and payments at scale.
    • Key Use cases:
      • Financial, Telecom: eKYC, Unified Payments Interface (UPI)
      • Digital Wallet: Digi Locker
      • Digital Authentication: eSign, and Aadhaar Auth.
      • Public Welfare: Public Distribution of Service, Social Pension, Employment Guarantee
      • Public service access: Enrollment to School, Healthcare

    1.36B People enrolled

    80% Beneficiaries feel Aadhaar has made PDS, employment guarantee and social pensions more reliable

    91.6% Are very satisfied or somewhat satisfied with Aadhaar

    14B eKYC transactions done by 218 eKYC authentication agencies (KUA)

    Source: https://uidai.gov.in/aadhaar_dashboard/india.php; https://www.stateofaadhaar.in/

    World Bank Report on Private Sector Impacts from ID

    Uniqueness

    “The Aadhaar digital identity system could reduce onboarding costs for Indian firms from 1,500 rupees to as low as an estimated 10 rupees.”

    -World Bank Report on Private Sector Impacts from ID

    With lack of public trust in private sector, government brought in private sector executives in public ecosystem to lead the largest identity program globally and build the India stack to leverage the power of Digital Identity.

    The image contains a screenshot of India's Aadhaar timeline from 2009-2022.

    Ukraine’s Diia is a resilient act to preserve their identities during threat to their existence

    Regulatory Accountability and Operational Governance: Ministry of Digital Transformation.

    Identity provider: Federated govt. agencies.

    Digital identity form: Diia App & Portal as a digital wallet for all IDs including digital driving license.

    • Key use cases:
      • eGovernance – Issuing license and permits, business registration, vaccine certificates.
      • Public communication: air-raid alerts, notifications, court decisions and fines.
      • Financial, Telecom: KYC compliance, mobile donations.
      • eBusiness: Diia City legal framework for IT industry, Diia Business Portal for small and medium businesses.
      • Digital sharing and authentication: Diia signature and Diia QR.
      • Public service access: Diia Education Portal for digital education and digital skills development, healthcare.

    18.5M People downloaded the Diia app.

    14 Digital IDs provided by other ID providers are available through Diia.

    70 Government services are available through Diia.

    ~1M Private Entrepreneurs used Diia to register their companies.

    1300 Tons of paper estimated to be saved by reducing paper applications for new IDs and replacements.

    Source:

    • Ukraine Govt. Website for Invest and trade
    • Diia Case study prepared for the office of Canadian senator colin deacon.

    Uniqueness

    “One of the reasons for the Diia App's popularity is its focus on user experience. In September 2022, the Diia App simplified 25 public services and digitized 16 documents. The Ministry of Digital Transformation aims to make 100% of all public services available online by 2024.”

    - Vladyslava Aleksenko

    Project Lead—digital Identity, Ukraine

    The image contains a screenshot of the timeline for Diia.

    Canada’s PCTF (Pan Canadian Trust Framework) driving the federated digital identity ecosystem

    • Regulatory Accountability: Treasury Board of Canada Secretariat (TBS); Canadian Digital Service (CDS); Office of CIO
    • Standard Setting: Digital Identification and Authentication Council of Canada (DIACC)
    • Frameworks:
      • Treasury Board Directive on Identity Management
      • Pan Canadian Trust Framework (PCTF)
      • Voilà Verified Trustmark Program: ISO aligned compliance certification program on PCTF
      • Governing / Certificate Authority: Trustmark Oversight Board (TOB) and DIACC accredited assessor
      • Operational Governance: Federated between identity providers and identity consumers
      • Identity Providers: Public and Private Sector
      • Other entities involved: Digital ID Lab (Voila Verified Auditor); Kuma (Accredited Assessor)
    		The image contains a screenshot of PCTF Components.

    82% People supportive of Digital ID.

    2/3 Canadians prefer public-private partnership for Pan-Canadian digital ID framework.

    >40% Canadians prefer completing various tasks and transactions digitally.

    75% Canadians are willing to share personal information for better experience.

    >80% Trust government, healthcare providers, and financial institutions with their personal information.

    Source: DIACC Survey 2021

    Uniqueness

    Although a few provinces in Canada started their Digital ID journey already, federally, Canada lacked an approach.

    Now Canada is developing a federated Digital ID ecosystem driven through the Pan-Canadian Trust Framework (PCTF) led by a non-profit (DIACC) formed with public and private partnership.

    The image contains a screenshot of Canada's PCTF timeline from 2002-2025.

    Australia’s digital id is pivotal to its vision to become one of the Top-3 digital governments globally by 2025*

    * Australia Digital Government Strategy 2021
    • Regulatory responsibility and standard: Digital Transformation Agency (DTA)’s Digital Identity
    • Operational support and oversight: Service Australia, Interim Oversight Authority (IOA).
    • Accredited identity providers (by 2022): Australian Taxation Office (ATO)’s myGovID, Australia Post’s Digital ID, MasterCard’s ID, OCR Labs App
    • Framework: Trusted Digital Identity Framework (TDIF)
      • Digital Identity Exchange
      • Identity Service Providers and Attribute Verification Service
      • Attribute Service Providers
      • Credential Service Providers
      • Relying Parties
    • Others: States such as NSW, Victoria, and Queensland have their own digital identity programs

    8.6M People using myGovID by Jun-2022

    117 Services accessible through Digital Id System

    The image contains a screenshot diagram of Digital Identity.

    Uniqueness

    Australia started its journey of Digital ID with a centralized Digital ID ecosystem.

    However, now it preparing to transition to a centrally governed Trust framework-based ecosystem expanding to private sector.

    The image contains a screenshot of Australia's Digital id timeline from 2014-2022.

    UK switches gear to the Trust Framework approach to build a public-private digital ID ecosystem

    • Government: Ministry of Digital Infrastructure / Department of Digital, Culture, Media, and Sport
    • Governing Body / Certificate Authority / Operational Governance: TBD
    • Approach: Trust Framework-based UK Digital Identity and attributes trust framework (UKDIATF)
    • Identity providers: Transitioning from “GOV.UK Verify” to a federated digital identity system aligned with “Trust Framework” – enabling both government (“One Login for Government”) and private sector identity providers.
    		The image contains a screenshot of the Trust Framework.

    Uniqueness

    UK embarked its Digital ID journey through Gov.UK Verify but decided to scrap it recently.

    It is now preparing to build a trust framework-based federated digital ID ecosystem with roles like schema-owners and orchestration service providers for private sector and drive the collaboration between industry players.

    The image contains a screenshot of UK timeline from 2011-2023.

    Digital ID will transform all industries, though financial services and e-governance will gain most

    Cross Industry

    Financial Services

    Insurance

    E-governance

    Healthcare & Lifesciences

    Travel and Tourism

    E-Commerce

    • Onboarding (customer, employee, patient, etc.)
    • Fraud-prevention (identity theft)
    • Availing restricted services (buying liquor)
    • Secure-sharing of credentials and qualifications (education, experience, gig worker)
    • For businesses, customer 360
    • For businesses, reliable data-driven decision making with lower frequency of ‘astroturfing’ (false identities) and ‘ballot-stuffing’ (duplicate identities)
    • Account opening
    • Asset transfer
    • Payments
    • For businesses, risk management - know your customer (KYC), anti-money laundering (AML), customer due diligence (CDD)
    • Insurance history
    • Insurance claim
    • Public distribution schemes (PDS)
    • Subsidy payments (direct to consumer)
    • Obtain government benefits (maternity, pension, employment guarantee / insurance payments)
    • Tax filing
    • Issuing credentials (birth certificate, passport)
    • Voting
    • For businesses, availing governments supports
    • For SMB businesses, easier regulatory compliance
    • Digital health
    • Out of state public healthcare
    • Secure access to health and diagnostic records
    • For businesses, data sharing between providers and with payers
    • Travel booking
    • Cross-border travel
    • Car rental
    • Secure peer-to-peer sales
    • Secure peer-to-peer sales

    USE CASE

    Car rental

    INDUSTRY: Travel & Tourism

    Source: Info-Tech Research Group

    Challenge

    Solution

    Results

    Verifying the driver’s license (DL) is the first step a car rental company takes before handing over the keys.

    While the rental company only need to know the validity of the DL and if it belongs to the presenter, is bears the liability of much more data presented to them through the DL.

    For customers, it is impossible to rent a car if they forget their DL. If the customer has their driver’s license, they compromise their privacy and security as they hand over their license to the representative.

    The process is not only time consuming, it also creates unnecessary risks to both the business and the renter.

    A digital id-based rental process allows the renter to present the digital id online or in person.

    As the customer approaches the car rental they present their digital id on the mobile app, which has already authenticated the presenter though the biometrics or other credentials.

    The customer selects the purpose of the business as “Car Rental”, and only the customer’s name, photo, and validity of the DL appear on the screen for the representative to see (selective disclosures).

    If the car pick-up is online, only this information is shared with the car rental company, which in turn shares the car and key location with the renter.

    A digital identity-based identity verification can ensure a rental company has access to the minimum data it needs to comply with local laws, which in turn reduces its data leak risk.

    It also reduces customer risks linked to forgetting the DL, and data privacy.

    Digital identity also reduces the risk originated from identity fraud leading to stolen cars.

    USE CASE

    e-Governance public distribution service

    INDUSTRY: Government

    Source: Info-Tech Research Group

    Challenge

    Solution

    Results

    In both emerging and developed economies, public distribution of resources – food, subsidies, or cash – is a critical process through which many people (especially from marginalized sections) survive on.

    They often either don’t have required valid proof of identity or fall prey to low-level corruption when someone defrauds them by claiming the benefit.

    As a result, they either completely miss out on claiming government-provided social benefits OR only receive a part of what they are eligible for.

    A Digital ID based public distribution can help created a Direct Benefit Transfer ecosystem.

    Here beneficiaries register (manually OR automatically from other government records) for the benefits they are eligible for.

    On the specific schedule, they receive their benefit – monetary benefit in their bank accounts, and non-cash benefits, in person from authorized points-of-sales (POS), without any middleman with discretionary decision powers on the distribution.

    India launched its Financial Inclusion Program (Prime Minister's Public Finance Scheme) in 2014.

    The program was linked with India’s Digital Id Aadhaar to smoothen the otherwise bureaucratic and discretionary process for opening a bank account.

    In last eight years, ~481M (Source: PMJDY) beneficiaries have opened a bank account and deposited ~ ₹1.9Trillion (USD$24B), a part of which came as social benefits directly deposited to these accounts from the government of India.

    USE CASE

    Real-estate investment and sale

    INDUSTRY: Asset Management

    Source: Info-Tech Research Group

    Challenge

    Solution

    Results

    “Impersonators posing as homeowners linked to 32 property fraud cases in Ontario and B.C.” – Global News Canada1

    “The level of fraud in the UK is such that it is now a national security threat” – UK Finance Lobby Group2

    Real estate is the most expensive investment people make in their lives. However, lately it has become a soft target for title fraud. Fraudsters steal the title to one’s home and sell it or apply for a new mortgage against it.

    At the root cause of these fraud are usually identity theft when a fraudster steals someone’s identity and impersonates them as the title owner.

    Digital identity tagged to the home ownership / title record can reduce the identity fraud in title transfer.

    When a person wants to sell their house OR apply for a new mortgage on house, multiple notifications will be triggered to their contact attributes on digital ID – phone, email, postal address, and digital ID Wallet, if applicable.

    The homeowner will be mandated to authorize the transaction on at least two channels they had set as preferred, to ensure that the transaction has the consent of the registered homeowner.

    This process will stop any fraud transactions until at least two modes are compromised.

    Even if two modes are compromised, the real homeowner will receive the notification on offline communication modes, and they can then alert the institution or lawyer to block the transaction.

    It will especially help elderly people, who are more prone to fall prey to identity frauds when somebody uses their IDs to impersonate them.

    1 Global News (https://globalnews.ca/news/9437913/homeowner-impersonators-lined-32-fraud-cases-ontario-bc/)

    2 UK Finance Lobby Group (https://www.ukfinance.org.uk/system/files/Half-year-fraud-update-2021-FINAL.pdf)

    Adopting digital ID benefits everybody – governments, id providers, id consumers, and end users

    Governments & identity providers

    (public & private)

    Customers and end users

    (subjects)

    Identity consumer

    (relying parties)

    • Growth in GDP
    • Save costs of providing identity
    • Unlock new revenue source by economic expansion
    • Choice and convenience
    • Control of what data is shared
    • Experience driven by simplicity and data minimalization
    • Reduced cost of availing services
    • Operational efficiency
    • Overall cost efficiency of delivering service and products
    • Reduce risk of potential litigation
    • Reduce risk of fraud
    • Enhanced customer experience leading to increased lifetime value
    • Streamlined storage and access
    • Encourage innovation

    Digital ID will transform all industries, though financial services and e-governance will gain most

    Governments and identity providers (public and private)

    • Growth in GDP by reducing bureaucracy and discretion from the governance processes.
      • As per a McKinsey report, digital ID could unlock the economic value equivalent of 3%-13% of GDP across seven focus countries (Brazil, Ethiopia, India, Nigeria, China, UK, USA) in 2030.
      • “Estonia saves two percent of GDP by signing things digitally; imagine if it could go global.” - aavi Rõivas, Prime Minister of the Republic of Estonia (International Peace Institute)
    • Unlock new revenue source by economic expansion.
      • Estonia earned €32 million in tax revenue from e-resident companies (e-Estonia).
    • Save costs of providing identity in collaboration with 3rd parties and reduce fraud.
      • Canada estimates savings of $482 million for provincial and federal governments, and $4.5 billion for private sector organizations through digital id adoption (2022 Budget Statement).

    Digital ID brings end users choice, convenience, control, and cost-saving, driving overall experience

    Customers and end users (subjects)

    • Choice: Citizens have the choice and convenience to interact safely and conveniently online and offline.
    • Convenience: No compulsion to make physical trips to access service, as end users can identify themselves safely and reliably online, as they do offline.
    • Control: A decentralized, privacy enhancing solution – neither government nor private companies control your digital ID. How and when you use digital ID is entirely up to you.
    • Cost Saving: Save costs of availing service by reducing the offline documentation.
    • Experience: Improved experience while availing service without a need to present multiple documents every time.

    Digital id benefits identity consumers by enhancing multiple dimensions of their value streams

    Identity consumer (relying parties)

    • Operational efficiency: Eliminating unnecessary steps and irrelevant data from the value stream increases overall operational efficiency.
    • Cost efficiency: Helps businesses to reduce overall cost of operations like regulatory requirements.
      • World Bank estimated that the Aadhaar could reduce onboarding costs for Indian firms from ₹1,500/- ($23) to as low as an estimated ₹10/- ($0.15) (*World Bank ID4D)
    • Reduce risk of potential litigation issues: Encourage data minimization.
    • Privacy and security: Businesses can reduce the risk of fraud to organizations and users and can significantly boost the privacy and security of their IT assets.
    • Enhanced customer experience: The decrease in the number of touchpoints and faster turnaround.
    • Streamlined storage and access: Store all available data in a single place, and when required.
    • Encourage innovation: Reduce efforts required in authentication and authorization of users.

    Before embarking on the digital identity adoption journey, assess your readiness

    Legislative coverage

    Does your target jurisdiction have adequate legislative framework to enable uses of digital identities in your industry?

    Trust framework

    If the Digital ID ecosystem in your target jurisdiction is trust framework-based, do you have adequate understanding of it?

    Customer touch-points

    Do you have exact understanding of value stream and customer touch-points where you interact with user identity?

    Relevant identity attributes

    Do you have exact understanding of the identity attributes that your business processes need to deliver customer value?

    Regulatory compliance

    Do you have required systems to ensure your compliance with industry regulations around customer PII and identity?

    Interoperability with IMS

    Is your existing identity management system interoperable with Open-source Digital Identity ecosystem?

    Enterprise governance

    Have you established an integrated enterprise governance framework covering business processes, technical systems, and risk management?

    Communication strategy

    Do have a clear strategy (mode, method, means) to communicate with your target customer and persuade them to adopt digital identity?

    Security operations center

    Do you have security operations center coordinating detection, response, resolution, and communication of potential data breaches?

    Ten steps to adopt to enhance the customer experience

    Considering the complexity of digital identity adoption, and its impact on customer experience, it is vital to assess the ecosystem and adopt an MVP approach before a big-bang launch.

    Diagram to help assess the ecosystem.

    1. Define the use case and identify the customer touchpoint in the value stream which can be improved with a verified digital identity.
    2. Ensure your organization is ready to adopt digital identity (Refer to Digital identity adoption readiness),
    3. Identify an Identity Service Provider (Government, private sector), if there are options.
    4. Understand its technical requirements and assess, to the finer detail, your technical landscape for interoperability.
    5. Set-up a business contract for terms of usages and liabilities.
    6. Create and execute a Minimum Viable Program (MVP) of integration which can be tested with real customers.
    7. Extend MVP to the complete solution and define key success metrics.
    8. Canary-launch with a segment of target customers before a full launch.
    9. Educate customers on the usages and benefits, and adapt your communication plan taking feedback
    10. Monitor and continuously improve the solution based on the feedback from ecosystem partners and end-customers, and regulatory changes.

    Understand and manage the risks and challenges of digital identity adoption

    Digital ID adoption is a major change for everyone in the ecosystem.

    Manage associated risks to avoid the derailing of integration with your business processes and a negative impact on customer experience.

    Manage Risks.

    1. Privacy and security risks – Customer’s sensitive data may get centralized with the identity provider.
    2. Single point of failure while relying a specific IDs; it also increases the impact of identity theft and fraud risk.
    3. Centralization and control risks – Identity provider or identity service broker / orchestrator may control who can participate.
    4. Not universal, interoperability risks – if purpose-specific.
    5. Impact omni-channel experience - Not always available (legal / printable) for offline use.
    6. Exclusion and discrimination risks – Specific data requirements may exclude a group of people.
    7. Scope for misuse and misinterpretation if compromised and not reclaimed in timely manner.
    8. Adoption and usability risks – Subjects / relying parties may not see benefit due to lack of awareness or suspicion.
    9. Liability Agreement gaps between identity provider and identity consumer (relying party).

    Recommendations to help you realize the potential of digital identity into your value streams

    1

    Customer-centricity

    Digital identity initiative should prioritize customer experience when evaluating its fit in the value stream. Adopting it should not sacrifice end-user experience to gain a few brownie points.

    See Info-Tech’s Adopt Design Thinking in Your Organization blueprint, to ensure customer remains at the center of your Digital Adoption initiative.

    2

    Privacy and security

    Adopting digital identity reduces data risk by minimizing data transfer between providers and consumers. However, securing identity attributes in value streams still requires strengthening enterprise security systems and processes.

    See Info-Tech’s Assess and Govern Identity Security blueprint for the actions you may take to secure and govern digital identity.

    3

    Inclusion and awareness

    Adopting digital identity may alter customer interaction with an organization. To avoid excluding target customer segments, design digital identity accordingly. Educating and informing customers about the changes can facilitate faster adoption.

    See Info-Tech’s Social Media blueprint and IT Diversity & Inclusion Tactics to make inclusion and awareness part of digital adoption

    4

    Quantitative success metrics

    To measure the success of a digital ID adoption program, it's essential to use quantitative metrics that align with business KPIs. Some measurable KPIs may include:

    • Reduction in number of IDs business used to serve 90% of customers
    • Reduction in overall cost of operation
      • Reduction in cost of user authentication
    • Reduction in process cycle time (less time required to complete a task – e.g. KYC)

    Taxonomy – Digital ID ecosystem

    (Alphabetical order)

    Continues..

    Attributes: An identity attribute is a statement or information about a specific aspect of entity’s identity ,substantiating they are who they claim to be, own, or have.

    Attribute (or Credential) provider: An attribute or credential provider could be an organization which issues the primary attribute or credential to a subject or entity. They are also responsible for identity-attribute binding, credential maintenance, suspension, recovery, and authentication.

    Attribute (or Credential) service provider: An attribute service provider could be an organization which originally vetted user’s credentials and certified a specific attribute of their identity. It could also be a software, such as digital wallet, which can store and share a user’s attribute with a third party once consented by the user. (Source: UK Govt. Trust Framework)

    Attribute binding: This is a process an attribute service providers uses to link the attributes they created to a person or an organization through an identifier. This process makes attributes useful and valuable for other entities using these attributes. For example, when a new employee joins a company, they are given a unique employee number (an identifier), which links the person with their job title and other aspects (attributes) of his job. (Source: UK Govt. Trust Framework)

    Authentication service provider: An organization which is responsible for creating and managing authenticators and their lifecycle (issuance, suspension, recovery, maintenance, revocation, and destruction of authenticators). (Source: DIACC)

    Authenticator: Information or biometric characteristics under the control of an individual that is a specific instance of something the subject has, knows, or does. E.g. private signing keys, user passwords, or biometrics like face, fingerprints. (Source: Canada PCTF)

    Authentication (identity verification): The process of confirming or denying that the identity presented relates to the subject who is making the claim by comparing the credentials presented with the ones presented during identity proofing.

    Authorization: The process of validating if the authenticated entity has permission to access a resource (service or product).

    Biometrics attributes: Human attributes like retina (iris), fingerprint, heartbeat, facial, handprint, thumbprint, voice print.

    Centralized identity: Digital identities which are fully governed by a centralized government entity. It may have enrollment or registration agencies, private or public sector, to issue the identities, and the technical system may still be decentralized to keep data federated.

    Certificate Authority (CA or accredited assessors): An organization or an entity that conducts assessments to validate the framework compliance of identity or attribute providers (such as websites, email addresses, companies, or individual persons) serving other users, and binding them to cryptographic keys through the issuance of electronic documents known as digital certificates.

    Taxonomy – Digital ID ecosystem

    (Alphabetical order)

    Continues..

    Collective (non-resolvable) attributes: Nationality, domicile, citizenship, immigration status, age group, disability, income group, membership, (outstanding) credit limit, credit score range.

    Contextual identity: A type of identity which establishes an entity’s existence in a specific context – real or virtual. These can be issued by public or private identity providers and are governed by the organizational policies. E.g. employee ID, membership ID, social media ID, machine ID.

    Credentials: A physical or a digital representation of something that establishes an entity’s eligibility to do something for which it is seeking permission, or an association/affiliation with another, generally well-known entity. E.g. Passport, DL, password. In the context of Digital Identity, every identity needs to be attached with a credential to ensure that the subject of the identity can control how and by whom that identity can be used.

    Cryptographic hash function: A hash function is a one-directional mathematical operation performed on a message of any length to get a unique, deterministic, and fixed size numerical string (the hash) which can’t be reverse engineered to get the input data without deploying disproportionate resources. It is the foundation of modern security solutions in DLT / blockchain as they help in verifying the integrity and authenticity of the message.

    Decentralized identity (DID) or self-sovereign identity: This is a way to give back the control of identity to the subject whose identity it is, using an identity wallet in which they collect verified information about themselves from certified issuers (such as the government). By controlling what information is shared from the wallet to requesting third parties (e.g. when registering for a new online service), the user can better manage their privacy, such as only presenting proof that they’re over 18 without needing to reveal their date of birth. Source: (https://www.gsma.com/identity/decentralised-identity)

    Digital identity wallet: A type of digital wallet refers to a secure, trusted software applications (native mobile app, mobile web apps, or Rivas-hosted web applications) based on common standards, allowing a user to store and use their identity attributes, identifiers, and other credentials without loosing or sharing control of them. This is different than Digital Payment Wallets used for financial transactions. (Source: https://www.worldbank.org/content/dam/photos/1440x300/2022/feb/eID_WB_presentation_BS.pdf)

    Digital identity: A digital identity is primarily an electronic form of identity representing an entity uniquely , while abstracting all other identity attributes of the entity. In addition to an electronic form, it may also exist in a physical form (identity certificate), linked through an identifier representing the same entity. E.g. Estonia eID , India Aadhar, digital citizenship ID.

    Digital object architecture: DOA is an open architecture for interoperability among various information systems, including ID wallets, identity providers, and consumers. It focuses on digital objects and comprises three core components: the identifier/resolution system, the repository system, and the registry system. There are also two protocols that connect these components. (Source: dona.net)

    Digital signature: A digital signature is an electronic, encrypted stamp of authentication on digital information such as email messages, macros, or electronic documents. A signature confirms that the information originated from the signer and has not been altered. (Source: Microsoft)

    Taxonomy – Digital ID ecosystem

    (Alphabetical order)

    Continues..

    Entity (or Subject): In the context of identity, an entity is a person, group, object, or a machine whose claims need to be ascertained and identity needs to be established before his request for a service or products can be fulfilled. An entity can also be referred to as a subject whose identity needs to be ascertained before delivering a service.

    Expiry: This is another dimension of an identity and determines the validity of an ID. Most of the identities are longer term, but there can be a few like digital tokens and URLs which can be issued for a few hours or even minutes. There are some which can be revoked after a pre-condition is met.

    Federated identity: Federated identity is an agreement between two organizations about the definition and use of identity attributes and identifiers of a consumer entity requesting a service. If successful, it allows a consumer entity to get authenticated by one organization (identity provider) and then authorized by another organization. E.g. accessing a third-party website using Google credentials.

    Foundational identity: A type of identity which establishes an entity’s existence in the real world. These are generally issued by public sector / government agencies, governed by a legal farmwork within a jurisdiction, and are widely accepted at least in that jurisdiction. E.g. birth certificate, citizenship certificate.

    Governance: This is a dimension of identity that covers the governance model for a digital ID ecosystem. While traditionally it has been under the sovereign government or a federated structure, in recent times, it has been decentralized through DLT technologies or trust-framework based. It can also be self-sovereign, where individuals fully control their data and ID attributes.

    Identifier: A digital identifier is a string of characters that uniquely represents an entity’s identity in a specific context and scope even if one or more identity attributes of the subject change over time. E.g. driver’s license, SSN, SIN, email ID, digital token, user ID, device ID, cookie ID.

    Identity: An identity is an instrument used by an entity to provide the required information about itself to another entity in order to avail a service, access a resource, or exercise a privilege. An identity formed by 1-n identity attributes and a unique identifier.

    Identity and access management (IAM): IAM is a set of frameworks, technologies, and processes to enable the creation, maintenance, and use of digital identity, ensuring that the right people gain access to the right materials and records at the right time. (Source: https://iam.harvard.edu/)

    Identity consumer (Relying party): An organization, or an entity relying on identity provider to mitigate IT risks around knowing its customers before delivering the end-user value (product/service) without deteriorating end-user experience. E.g. Canada Revenue Agency using SecureKey service and relying on Banking institutions to authenticate users; Telecom service providers in India relying on Aadhaar identity system to authenticate the customer's identity.

    Identity form: A dimension of identity that defines its forms depending on the scope it wants to serve. It can be a physical card for offline uses, a virtual identifier like a number, or an app/account with multiple identity attributes. Cryptographic keys and tokens can also be forms of identity.

    Taxonomy – Digital ID ecosystem

    (Alphabetical order)

    Continues...

    Identity infrastructure provider: Organizations involved in creating and maintaining technological infrastructure required to manage the lifecycle of digital identities, attributes, and credentials. They implement functions like security, privacy, resiliency, and user experience as specified in the digital identity policy and trust framework.

    Identity proofing: A process of asserting the identification of a subject at a useful identity assurance level when the subject provides evidence to a credential service provider (CSP), reliably identifying themselves. (Source: NIST Special Publication 800-63A)

    Identity provider (Attestation authority): An organization or an entity validating the foundation or contextual claims of a subject and establishing identifier(s) for a subject. E.g. DMV (US) and MTA (Canada) issuing drivers’ licenses; Google / Facebook issuing authentication tokens for their users logging in on other websites.

    Identity validation: The process of confirming or denying the accuracy of identity information of a subject as established by an authorized party. It doesn’t ensure that the presenter is using their own identity.

    Identity verification (Authentication): The process of confirming or denying that the identity presented relates to the subject who is making the claim by comparing the credentials presented with the ones presented during identity proofing.

    Internationalized resource identifier (IRI): IRIs are equivalent to URIs except that IRIs also allow non-ascii characters in the address space, while URIs only allow us-ascii encoding. (Source: w3.org)

    Jurisdiction: A dimension of identity that covers the physical area or virtual space where an identity is legally acceptable for the purpose defined under law. It can be global, like it is for passport, or it can be local within a municipality for specific services. For unverified digital IDs, it can be the social network.

    Multi-factor Authentication (MFA): Multi-factor authentication is a layered approach to securing digital assets (data and applications), where a system requires a user to present a combination of two or more credentials to verify a user’s identity for login. These factors can be a combination of (i) something you know like a password/PIN; (ii) something you have like a token on mobile device; and (iii) something you are like a biometric. (Adapted from https://www.cisa.gov/publication/multi-factor-authentication-mfa)

    Oauth (Open authorization): OAuth is a standard authorization protocol and used for access delegation. It allows internet users to access websites by using credentials managed by a third-party authorization server / Identity Provider. It is designed for HTTP and allows access tokens to be issued by an authorization server to third-party websites. E.g. Google, Facebook, Twitter, LinkedIn use Oauth to delegate access.

    OpenID: OpenID is a Web Authentication Protocol and implements reliance authentication mechanism. It facilitates the functioning of federated identity by allowing a user to use an existing account (e.g. Google, Facebook, Yahoo) to sign into third-party websites without needing to create new credentials. (Source: https://openid.net/).

    Taxonomy – Digital ID ecosystem

    (Alphabetical order)

    Continues...

    Personally identifiable information (PII): PII is a set of attributes which can be used, through direct or indirect means, to infer the real-world identity of the individual whose information is input. E.g. National ID (SSN/SIN/Aadhar) DL, name, date of birth, age, address, age, identifier, university credentials, health condition, email, domain name, website URI (web resolvable) , phone number, credit card number, username/password, public key / private key. (Source: https://www.dol.gov)

    Predicates: The mathematical or logical operations such as equality or greater than on attributes (e.g. prove your salary is greater than x or your age is greater than y) to prove a claim without sharing the actual values.

    Purpose: This dimension of a digital id defines for what purpose digital id can be used. It can be one or many of these – authentication, authorization, activity linking, historical record keeping, social interactions, and machine connectivity for IoT use cases.

    Reliance authentication: Relying on a third-party authentication before providing a service. It is a method followed in a federated entity system.

    Risk-based authentication: A mechanism to protect against account compromise or identity theft. It correlates an authentication request with transitional facts like requester’s location, past frequency of login, etc. to reduce the risk of potential fraud.

    Scheme in trust framework: A specific set of rules (standard and custom) around the use of digital identities and attributes as agreed by one or more organizations. It is useful when those organizations have similar products, services, business processes. (Source: UK Govt. Trust Framework). E.g. Many credit unions agree on how they will use the identity in loan origination and servicing.

    Selective disclosure (Assertion): A way to present one’s identity by sharing only a limited amount information that is critical to make an authentication / authorization decision. E.g. when presenting your credentials, you could share something proving you are 18 years or above, but not share your name, exact age, address, etc.

    Trust: A dimension of an identity, which essentially is a belief in the reliability, truth, ability, or strength of that identity. While in the physical world all acceptable form of identities come with a verified trust, in online domain, it can be unverified. Also, where an identity is only acceptable as per the contract between two entities, but not widely.

    Trust framework: The trust framework is a set of rules that different organizations agree to follow to deliver one or more of their services. This includes legislation, standards, guidance, and the rules in this document. By following these rules, all services and organizations using the trust framework can describe digital identities and attributes they’ve created in a consistent way. This should make it easier for organizations and users to complete interactions and transactions or share information with other trust framework participants. (Source: UK Govt. Trust Framework)

    Taxonomy – Digital ID ecosystem

    (Alphabetical order)

    Continues...

    Uniform resource identifier (URI): A universal name in registered name spaces and addresses referring to registered protocols or name spaces.

    Uniform resource locator (URL): A type of URI which expresses an address which maps onto an access algorithm using network protocols. (Source: https://www.w3.org/)

    Uniform resource name (URN): A type of URI that includes a name within a given namespace but may not be accessible on the internet.

    Usability: A dimension of identity that defines how many times it can be used. While most of the identities are multi-use, a few digital identities are in token form and can be used only once to authenticate oneself.

    Usage mode: A dimension of identity that defines the service mode in which a digital ID can be used. While all digital IDs are made for online usage, many can also be used in offline interactions.

    Verifiable credentials: This W3C standard specification provides a standard way to express credentials on the Web in a way that is cryptographically secure, privacy-respecting, and machine-verifiable. (Source: https://www.w3.org/TR/vc-data-model/)

    X.509 Certificates: X.509 certificates are standard digital documents that represent an entity providing a service to another entity. They're issued by a certification authority (CA), subordinate CA, or registration authority. These certificates play an important role in ascertaining the validity of an identity provider and in turn the identities issued by it. (Source: https://learn.microsoft.com/en-us/azure/iot-hub/reference-x509-certificates)

    Zero-knowledge proofs: A method by which one party (the prover) can prove to another party (the verifier) that something is true, without revealing any information apart from the fact that this specific statement is true. (Source: 1989 SIAM Paper)

    Zero-trust security: A cybersecurity paradigm focused on resource protection and the premise that trust is never granted implicitly but must be continually evaluated. It evaluates each access request as if it is a fraud attempt, and grants access only if it passes the authentication and authorization test. (Source: Adapted from NIST, SP 800-207: Zero Trust Architecture, 2020)

    Related Info-Tech Research

    Build a Zero Trust Roadmap
    Leverage an iterative and repeatable process to apply zero trust to your organization.

    Assess and Govern Identity Security
    Strong identity security and governance are the keys to the zero-trust future.

    Adopt Design Thinking in Your Organization
    Innovation needs design thinking to ensure customer remains at the center of everything the organization does.

    Social Media
    Leveraging Social Media to connect with your customers and educate them to drive the value proposition of your efforts.

    IT Diversity & Inclusion Tactics
    Equip your teams to create an inclusive environment and mobilize inclusion efforts across the organization.


    Research Contributors and Experts

    David Wallace

    David Wallace
    Executive Counselor

    Erik Avakian

    Erik Avakian
    Technical Counselor, Data Architecture and Governance

    Matthew Bourne

    Matthew Bourne
    Managing Partner, Public Sector Global Services

    Mike Tweedie

    Mike Tweedie
    Practice Lead, CIO Research Development

    Aaron Shum

    Aaron Shum
    Vice President, Security & Privacy

    Works Cited

    India Aadhaar PMJDY (https://pmjdy.gov.in/account)
    Theis, S., Rusconi, G., Panggabean, E., Kelly, S. (2020). Delivering on the Potential of Digitized G2P: Driving Women’s Financial Inclusion and Empowerment through Indonesia’s Program Keluarga Harapan. Women’s World Banking.
    DIACC Canada (https://diacc.ca/the-diacc/)
    UK digital identity & attributes trust framework alpha v2 (0.2) - GOV.UK (https://www.gov.uk/government/publications/uk-digital-identity-attributes-trust-framework-updated-version/uk-digital-identity-and-attributes-trust-framework-alpha-version-2)
    Australia Trusted Digital Identity Framework (https://www.digitalidentity.gov.au/tdif#changes)
    eIDAS (https://digital-strategy.ec.europa.eu/en/policies/eidas-regulation)
    Europe Digital Wallet – POTENTIAL (https://www.digital-identity-wallet.eu/)
    Canada PCTF (https://diacc.ca/trust-framework/)
    Identification Revolution: Can Digital ID be harnessed for Development? (Gelb & Metz), 2018
    e-Estonia website (https://e-estonia.com/solutions/e-identity/id-card/)
    Aadhaar Dashboard (https://uidai.gov.in/)
    DIACC Website (https://diacc.ca/the-diacc/)
    Australia Digital ID website (https://www.digitalidentity.gov.au/tdif#changes)
    UK Policy paper - digital identity & attributes trust framework (https://www.gov.uk/government/publications/uk-digital-identity-attributes-trust-framework-updated-version/uk-digital-identity-and-attributes-trust-framework-alpha-version-2)
    Ukraine Govt. website (https://ukraine.ua/invest-trade/digitalization/)
    Singapore SingPass Website (https://www.tech.gov.sg/products-and-services/singpass/)
    Norway BankID Website (https://www.bankid.no/en/private/about-us/)
    Brazil National ID Card website (https://www.gov.br/casacivil/pt-br/assuntos/noticias/2022/julho/nova-carteira-de-identidade-nacional-modelo-unico-a-partir-de-agosto)
    Indonesia Coverage in Professional Security Magazine (https://www.professionalsecurity.co.uk/products/id-cards/indonesian-cards/)
    Philippine ID System (PhilSys) website (https://www.philsys.gov.ph/)
    China coverage on eGovReview (https://www.egovreview.com/article/news/559/china-announces-plans-national-digital-ids)
    Thales Group Website - DHS’s Automated Biometric Identification System IDENT (https://www.thalesgroup.com/en/markets/digital-identity-and-security/government/customer-cases/ident-automated-biometric-identification-system)
    FranceConnect (https://franceconnect.gouv.fr/)
    Germany: Office for authorization cert. (https://www.personalausweisportal.de/Webs/PA/DE/startseite/startseite-node.html)
    Italian Digital Services Authority (https://www.spid.gov.it/en/)
    Monacco Mconnect (https://mconnect.gouv.mc/en)
    Estonia eID (https://e-estonia.com/wp-content/uploads/e-estonia-211022_eng.pdf)
    E-Residency Dashboard (https://www.e-resident.gov.ee/dashboard)
    Unique ID authority of India (https://uidai.gov.in/aadhaar_dashboard/india.php)
    State of Aadhaar (https://www.stateofaadhaar.in/)
    World Bank (https://documents1.worldbank.org/curated/en/219201522848336907/pdf/Private-Sector-Economic-Impacts-from-Identification-Systems.pdf)
    WorldBank - ID4D 2022 Annual Report (https://documents.worldbank.org/en/publication/documents-reports/documentdetail/099437402012317995/idu00fd54093061a70475b0a3b50dd7e6cdfe147)
    Ukraine Govt. Website for Invest and trade (https://ukraine.ua/invest-trade/digitalization/)
    Diia Case study prepared for the office of Canadian senator colin deacon (https://static1.squarespace.com/static/63851cbda1515c69b8a9a2b9/t/6398f63a9d78ae73d2fd5725/1670968891441/2022-case-study-report-diia-mobile-application.pdf)
    Canadian Digital Identity Research (https://diacc.ca/wp-content/uploads/2022/04/DIACC-2021-Research-Report-ENG.pdf)
    Voilà Verified Trustmark (https://diacc.ca/voila-verified/)
    Digital Identity, 06A Federation Onboarding Guidance paper, March 2022 (https://www.digitalidentity.gov.au/sites/default/files/2022-04/TDIF%2006A%20Federation%20Onboarding%20Guidance%20-%20Release%204.6%20%28Doc%20Version%201.2%29.pdf)
    UK digital identity & attributes trust framework alpha v2 (0.2) - GOV.UK (https://www.gov.uk/government/publications/uk-digital-identity-attributes-trust-framework-updated-version/uk-digital-identity-and-attributes-trust-framework-alpha-version-2)
    A United Nations Estimate of KYC/AML (https://www.imf.org/Publications/fandd/issues/2018/12/imf-anti-money-laundering-and-economic-stability-straight)
    India Aadhaar PMJDY (https://pmjdy.gov.in/account)
    Global News (https://globalnews.ca/news/9437913/homeowner-impersonators-lined-32-fraud-cases-ontario-bc/)
    UK Finance Lobby Group (https://www.ukfinance.org.uk/system/files/Half-year-fraud-update-2021-FINAL.pdf) McKinsey Digital ID report ( https://www.mckinsey.com/capabilities/mckinsey-digital/our-insights/digital-identification-a-key-to-inclusive-growth) International Peace Institute ( https://www.ipinst.org/2016/05/information-technology-and-governance-estonia#7)
    E-Estonia Report (https://e-estonia.com/wp-content/uploads/e-estonia-211022_eng.pdf)
    2022 Budget Statement (https://diacc.ca/2022/04/07/2022-budget-statement/)
    World Bank ID4D - Private Sector Economic Impacts from Identification Systems 2018 (https://documents1.worldbank.org/curated/en/219201522848336907/Private-Sector-Economic-Impacts-from-Identification-Systems.pdf)
    DIACC Canada (https://diacc.ca/the-diacc/)
    UK digital identity & attributes trust framework alpha v2 (0.2) - GOV.UK (https://www.gov.uk/government/publications/uk-digital-identity-attributes-trust-framework-updated-version/uk-digital-identity-and-attributes-trust-framework-alpha-version-2)
    https://www.gsma.com/identity/decentralised-identity
    https://www.worldbank.org/content/dam/photos/1440x300/2022/feb/eID_WB_presentation_BS.pdf
    Microsoft Digital signatures and certificates (https://support.microsoft.com/en-us/office/digital-signatures-and-certificates-8186cd15-e7ac-4a16-8597-22bd163e8e96)
    https://www.worldbank.org/content/dam/photos/1440x300/2022/feb/eID_WB_presentation_BS.pdf
    https://www.dona.net/digitalobjectarchitecture
    IAM (https://iam.harvard.edu/)
    NIST Special Publication 800-63A (https://pages.nist.gov/800-63-3/sp800-63a.html)
    https://www.cisa.gov/publication/multi-factor-authentication-mfa
    https://openid.net/
    U.S. DEPARTMENT OF LABOR (https://www.dol.gov/)
    UK govt. trust framework (https://www.gov.uk/government/publications/uk-digital-identity-attributes-trust-framework-updated-version/uk-digital-identity-and-attributes-trust-framework-alpha-version-2)
    https://www.w3.org/
    Verifiable Credentials Data Model v1.1 (https://www.w3.org/TR/vc-data-model/)
    https://learn.microsoft.com/en-us/azure/iot-hub/reference-x509-certificates

    First 30 Days Pandemic Response Plan

    • Buy Link or Shortcode: {j2store}418|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: DR and Business Continuity
    • Parent Category Link: /business-continuity
    • Given the speed and scope of the spread of the pandemic, governments are responding with changes almost daily as to what organizations and people can and can’t do. This volatility and uncertainty challenges organizations to respond, particularly in the absence of a business continuity or crisis management plan.

    Our Advice

    Critical Insight

    • Assess the risk to and viability of your organization in order to create appropriate action and communication plans quickly.

    Impact and Result

    • HR departments must be directly involved in developing the organization’s pandemic response plan. Use Info-Tech's Risk and Viability Matrix and uncover the crucial next steps to take during the first 30 days of the COVID-19 pandemic.

    First 30 Days Pandemic Response Plan Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Create a response plan for the first 30 days of a pandemic

    Manage organizational risk and viability during the first 30 days of a crisis.

    • First 30 Days Pandemic Response Plan Storyboard
    • Crisis Matrix Communications Template: Business As Usual
    • Crisis Matrix Communications Template: Organization Closing
    • Crisis Matrix Communications Template: Manage Risk and Leverage Resilience
    • Crisis Matrix Communications Template: Reduce Labor and Mitigate Risk
    [infographic]

    IT Governance

    • Buy Link or Shortcode: {j2store}22|cart{/j2store}
    • Related Products: {j2store}22|crosssells{/j2store}
    • Up-Sell: {j2store}22|upsells{/j2store}
    • member rating overall impact: 9.2/10
    • member rating average dollars saved: $124,127
    • member rating average days saved: 37
    • Parent Category Name: Strategy and Governance
    • Parent Category Link: /strategy-and-governance
    • byline: Avoid bureaucracy and achieve alignment with a practical approach.
    Read our concise Executive Brief to find out why you may want to redesign your IT governance, Review our methodology, and understand how we can support you in completing this process.

    Prepare Your Application for PaaS

    • Buy Link or Shortcode: {j2store}181|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Architecture & Strategy
    • Parent Category Link: /architecture-and-strategy
    • The application may have been written a long time ago, and have source code, knowledge base, or design principles misplaced or lacking, which makes it difficult to understand the design and build.
    • The development team does not have a standardized practice for assessing cloud benefits and architecture, design principles for redesigning an application, or performing capacity for planning activities.

    Our Advice

    Critical Insight

    • An infrastructure-driven cloud strategy overlooks application specific complexities. Ensure that an application portfolio strategy is a precursor to determining the business value gained from an application perspective, not just an infrastructure perspective.
    • Business value assessment must be the core of your decision to migrate and justify the development effort.
    • Right-size your application to predict future usage and minimize unplanned expenses. This ensures that you are truly benefiting from the tier costing model that vendors offer.

    Impact and Result

    • Identify and evaluate what cloud benefits your application can leverage and the business value generated as a result of migrating your application to the cloud.
    • Use Info-Tech’s approach to building a robust application that can leverage scalability, availability, and performance benefits while maintaining the functions and features that the application currently supports for the business.
    • Standardize and strengthen your performance testing practices and capacity planning activities to build a strong current state assessment.
    • Use Info-Tech’s elaboration of the 12-factor app to build a clear and robust cloud profile and target state for your application.
    • Leverage Info-Tech’s cloud requirements model to assess the impact of cloud on different requirements patterns.

    Prepare Your Application for PaaS Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should build a right-sized, design-driven approach to moving your application to a PaaS platform, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    • Prepare Your Application for PaaS – Phases 1-2

    1. Create your cloud application profile

    Bring the business into the room, align your objectives for choosing certain cloud capabilities, and characterize your ideal PaaS environment as a result of your understanding of what the business is trying to achieve. Understand how to right-size your application in the cloud to maintain or improve its performance.

    • Prepare Your Application for PaaS – Phase 1: Create Your Cloud Application Profile
    • Cloud Profile Tool

    2. Evaluate design changes for your application

    Assess the application against Info-Tech’s design scorecard to evaluate the right design approach to migrating the application to PaaS. Pick the appropriate cloud path and begin the first step to migrating your app – gathering your requirements.

    • Prepare Your Application for PaaS – Phase 2: Evaluate Design Changes for Your Application
    • Cloud Design Scorecard Tool

    [infographic]

     
     

    Implement a New IT Organizational Structure

    • Buy Link or Shortcode: {j2store}276|cart{/j2store}
    • member rating overall impact: 10.0/10 Overall Impact
    • member rating average dollars saved: $30,999 Average $ Saved
    • member rating average days saved: 5 Average Days Saved
    • Parent Category Name: Organizational Design
    • Parent Category Link: /organizational-design
    • Organizational design implementations can be highly disruptive for IT staff and business partners. Without a structured approach, IT leaders may experience high turnover, decreased productivity, and resistance to the change.
    • CIOs walk a tightrope as they manage the operational and emotional turbulence while aiming to improve business satisfaction within IT. Failure to achieve balance could result in irreparable failure.

    Our Advice

    Critical Insight

    • Mismanagement will hurt you. The majority of IT organizations do not manage organizational design implementations effectively, resulting in decreased satisfaction, productivity loss, and increased IT costs.
    • Preventing mismanagement is within your control. 72% of change management issues can be directly improved by managers. IT leaders have a tendency to focus their efforts on operational changes rather than on people.

    Impact and Result

    Leverage Info-Tech’s organizational design implementation process and deliverables to build and implement a detailed transition strategy and to prepare managers to lead through change.

    Follow Info-Tech’s 5-step process to:

    1. Effect change and sustain productivity through real-time employee engagement monitoring.
    2. Kick off the organizational design implementation with effective communication.
    3. Build an integrated departmental transition strategy.
    4. Train managers to effectively lead through change.
    5. Develop personalized transition plans.

    Implement a New IT Organizational Structure Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out how you should implement a new organizational design, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Build a change communication strategy

    Create strategies to communicate the changes to staff and maintain their level of engagement.

    • Implement a New Organizational Structure – Phase 1: Build a Change Communication Strategy
    • Organizational Design Implementation FAQ
    • Organizational Design Implementation Kick-Off Presentation

    2. Build the organizational transition plan

    Build a holistic list of projects that will enable the implementation of the organizational structure.

    • Implement a New Organizational Structure – Phase 2: Build the Organizational Transition Plan
    • Organizational Design Implementation Project Planning Tool

    3. Lead staff through the reorganization

    Lead a workshop to train managers to lead their staff through the changes and build transition plans for all staff members.

    • Implement a New Organizational Structure – Phase 3: Lead Staff Through the Reorganization
    • Organizational Design Implementation Manager Training Guide
    • Organizational Design Implementation Stakeholder Engagement Plan Template
    • Organizational Design Implementation Transition Plan Template
    [infographic]

    Workshop: Implement a New IT Organizational Structure

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Build Your Change Project Plan

    The Purpose

    Create a holistic change project plan to mitigate the risks of organizational change.

    Key Benefits Achieved

    Building a change project plan that encompasses both the operational changes and minimizes stakeholder and employee resistance to change.

    Activities

    1.1 Review the new organizational structure.

    1.2 Determine the scope of your organizational changes.

    1.3 Review your MLI results.

    1.4 Brainstorm a list of projects to enable the change.

    Outputs

    Project management planning and monitoring tool

    McLean Leadership Index dashboard

    2 Finalize Change Project Plan

    The Purpose

    Finalize the change project plan started on day 1.

    Key Benefits Achieved

    Finalize the tasks that need to be completed as part of the change project.

    Activities

    2.1 Brainstorm the tasks that are contained within the change projects.

    2.2 Determine the resource allocations for the projects.

    2.3 Understand the dependencies of the projects.

    2.4 Create a progress monitoring schedule.

    Outputs

    Completed project management planning and monitoring tool

    3 Enlist Your Implementation Team

    The Purpose

    Enlist key members of your team to drive the implementation of your new organizational design.

    Key Benefits Achieved

    Mitigate the risks of staff resistance to the change and low engagement that can result from major organizational change projects.

    Activities

    3.1 Determine the members that are best suited for the team.

    3.2 Build a RACI to define their roles.

    3.3 Create a change vision.

    3.4 Create your change communication strategy.

    Outputs

    Communication strategy

    4 Train Your Managers to Lead Through Change

    The Purpose

    Train your managers who are more technically focused to handle the people side of the change.

    Key Benefits Achieved

    Leverage your managers to translate how the organizational change will directly impact individuals on their teams.

    Activities

    4.1 Conduct the manager training workshop with managers.

    4.2 Review the stakeholder engagement plans.

    4.3 Review individual transition plan template with managers.

    Outputs

    Conflict style self-assessments

    Stakeholder engagement plans

    Individual transition plan template

    5 Build Your Transition Plans

    The Purpose

    Complete transition plans for individual members of your staff.

    Key Benefits Achieved

    Create individual plans for your staff members to ease the transition into their new roles.

    Activities

    5.1 Bring managers back in to complete transition plans.

    5.2 Revisit the new organizational design as a source of information.

    5.3 Complete aspects of the templates that do not require staff feedback.

    5.4 Discuss strategies for transitioning.

    Outputs

    Individual transition plan template

    Further reading

    Implement a New IT Organizational Structure

    Prioritize quick wins and critical services during IT org changes.

    This blueprint is part 3/3 in Info-Tech’s organizational design program and focuses on implementing a new structure

    Part 1: Design Part 2: Structure Part 3: Implement
    IT Organizational Architecture Organizational Sketch Organizational Structure Organizational Chart Transition Strategy Implement Structure
    1. Define the organizational design objectives.
    2. Develop strategically-aligned capability map.
    3. Create the organizational design framework.
    4. Define the future state work units.
    5. Create future state work unit mandates.
    1. Assign work to work units (accountabilities and responsibilities).
    2. Develop organizational model options (organizational sketches).
    3. Assess options and select go-forward model.
    1. Define roles by work unit.
    2. Create role mandates.
    3. Turn roles into jobs.
    4. Define reporting relationships between jobs.
    5. Define competency requirements.
    1. Determine number of positions per job.
    2. Conduct competency assessment.
    3. Assign staff to jobs.
    1. Form OD implementation team.
    2. Develop change vision.
    3. Build communication presentation.
    4. Identify and plan change projects.
    5. Develop organizational transition plan.
    1. Train managers to lead through change.
    2. Define and implement stakeholder engagement plan.
    3. Develop individual transition plans.
    4. Implement transition plans.
    Risk Management: Create, implement, and monitor risk management plan.
    HR Management: Develop job descriptions, conduct job evaluation, and develop compensation packages.

    Monitor and Sustain Stakeholder Engagement →

    The sections highlighted in green are in scope for this blueprint. Click here for more information on designing or on structuring a new organization.

    Our understanding of the problem

    This Research is Designed For:

    • CIOs

    This Research Will Help You:

    • Effectively implement a new organizational structure.
    • Develop effective communications to minimize turnover and lost productivity during transition.
    • Identify a detailed transition strategy to move to your new structure with minimal interruptions to service quality.
    • Train managers to lead through change and measure ongoing employee engagement.

    This Research Will Also Assist:

    • IT Leaders

    This Research Will Help Them:

    • Effectively lead through the organizational change.
    • Manage difficult conversations with staff and mitigate staff concerns and turnover.
    • Build clear transition plans for their teams.

    Executive summary

    Situation

    • Organizational Design (OD) projects are typically undertaken in order to enable organizational priorities, improve IT performance, or to reduce IT costs. However, due to the highly disruptive nature of the change, only 25% of changes achieve their objectives over the long term. (2013 Towers Watson Change and Communication ROI Survey)

    Complication

    • OD implementations can be highly disruptive for IT staff and business partners. Without a structured approach, IT leaders may experience high turnover, decreased productivity, and resistance to the change.
    • CIOs walk a tightrope as they manage the operational and emotional turbulence while aiming to improve business satisfaction within IT. Failure to achieve balance could result in irreparable failure.

    Resolution

    • Leverage Info-Tech’s organizational design implementation process and deliverables to build and implement a detailed transition strategy and to prepare managers to lead through change. Follow Info-Tech’s 5-step process to:
      1. Effect change and sustain productivity through real-time employee engagement monitoring.
      2. Kick off the organizational design implementation with effective communication.
      3. Build an integrated departmental transition strategy.
      4. Train managers to effectively lead through change.
      5. Develop personalized transition plans.

    Info-Tech Insight

    1. Mismanagement will hurt you. The majority of IT organizations do not manage OD implementations effectively, resulting in decreased satisfaction, productivity loss, and increased IT costs.
    2. Preventing mismanagement is within your control. 72% of change management issues can be directly improved by managers. (Abilla, 2009) IT leaders have a tendency to focus their efforts on operational changes rather than on people. This is a recipe for failure.

    Organizational Design Implementation

    Managing organizational design (OD) changes effectively is critical to maintaining IT service levels and retaining top talent throughout a restructure. Nevertheless, many organizations fail to invest appropriate consideration and resources into effective OD change planning and execution.

    THREE REASONS WHY CIOS NEED TO EFFECTIVELY MANAGE CHANGE:

    1. Failure is the norm; not the exception. According to a study by Towers Watson, only 55% of organizations experience the initial value of a change. Even fewer organizations, a mere 25%, are actually able to sustain change over time to experience the full expected benefits. (2013 Towers Watson Change and Communication ROI Survey)
    2. People are the biggest cause of failure. Organizational design changes are one of the most difficult types of changes to manage as staff are often highly resistant. This leads to decreased productivity and poor results. The most significant people challenge is the loss of momentum through the change process which needs to be actively managed.
    3. Failure costs money. Poor IT OD implementations can result in increased turnover, lost productivity, and decreased satisfaction from the business. Managing the implementation has a clear ROI as the cost of voluntary turnover is estimated to be 150% of an employee’s annual salary. (Inc)

    86% of IT leaders believe organization and leadership processes are critical, yet the majority struggle to be effective

    PERCENTAGE OF IT LEADERS WHO BELIEVE THEIR ORGANIZATION AND LEADERSHIP PROCESSES ARE HIGHLY IMPORTANT AND HIGHLY EFFECTIVE

    A bar graph, with the following organization and leadership processes listed on the Y-axis: Human Resources Management; Leadership, Culture, Values; Organizational Change Management; and Organizational Design. The bar graph shows that over 80% of IT leaders rate these processes as High Importance, but less than 40% rate them as having High Effectiveness.

    GAP BETWEEN IMPORTANCE AND EFFECTIVENESS

    Human Resources Management - 61%

    Leadership, Culture, Values - 48%

    Organizational Change Management - 55%

    Organizational Design - 45%

    Note: Importance and effectiveness were determined by identifying the percentage of individuals who responded with 8-10/10 to the questions…

    • “How important is this process to the organization’s ability to achieve business and IT goals?” and…
    • “How effective is this process at helping the organization to achieve business and IT goals?”

    Source: Info-Tech Research Group, Management and Governance Diagnostic. N=22,800 IT Professionals

    Follow a structured approach to your OD implementation to improve stakeholder satisfaction with IT and minimize risk

    • IT reorganizations are typically undertaken to enable strategic goals, improve efficiency and performance, or because of significant changes to the IT budget. Without a structured approach to manage the organizational change, IT might get the implementation done, but fail to achieve the intended benefits, i.e. the operation succeeds, but the patient has died on the table.
    • When implementing your new organizational design, it’s critical to follow a structured approach to ensure that you can maintain IT service levels and performance and achieve the intended benefits.
    • The impact of organizational structure changes can be emotional and stressful for staff. As such, in order to limit voluntary turnover, and to maintain productivity and performance, IT leaders need to be strategic about how they communicate and respond to resistance to change.

    TOP 3 BENEFITS OF FOLLOWING A STRUCTURED APPROACH TO IMPLEMENTING ORGANIZATIONAL DESIGN

    1. Improved stakeholder satisfaction with IT. A detailed change strategy will allow you to successfully transition staff into new roles with limited service interruptions and with improved stakeholder satisfaction.
    2. Experience minimal voluntary turnover throughout the change. Know how to actively engage and minimize resistance of stakeholders throughout the change.
    3. Execute implementation on time and on budget. Effectively managed implementations are 65–80% more likely to meet initial objectives than those with poor organizational change management. (Boxley Group, LLC)

    Optimize your organizational design implementation results by actively preparing managers to lead through change

    IT leaders have a tendency to make change even more difficult by focusing on operations rather than on people. This is a recipe for failure. People pose the greatest risk to effective implementation and as such, IT managers need to be prepared and trained on how to lead their staff through the change. This includes knowing how to identify and manage resistance, communicating the change, and maintaining positive momentum with staff.

    Staff resistance and momentum are the most challenging part of leading through change (McLean & Company, N=196)

    A bar graph with the following aspects of Change Management listed on the Y-Axis, in increasing order of difficulty: Dealing with Technical Issues; Monitoring metrics to measure progress; Amending policies and processes; Coordinating with stakeholders; Getting buy-in from staff; Maintaining a positive momentum with staff.

    Reasons why change fails: 72% of failures can be directly improved by the manager (shmula)

    A pie chart showing the reasons why change fails: Management behavior not supportive of change = 33%; Employee resistance to change = 39%; Inadequate resources or budget = 14%; and All other obstacles = 14%.

    Leverage organizational change management (OCM) best practices for increased OD implementation success

    Effective change management correlates with project success

    A line graph, with Percent of respondents that met or exceeded project objectives listed on the Y-axis, and Poor, Fair, Good, and Excellent listed on the X-axis. The line represents the overall effectiveness of the change management program, and as the value on the Y-axis increases, so does the value on the X-axis.

    Source: Prosci. From Prosci’s 2012 Best Practices in Change Management benchmarking report.

    95% of projects with excellent change management met or EXCEEDED OBJECTIVES, vs. 15% of those with poor OCM. (Prosci)

    143% ROI on projects with excellent OCM. In other words, for every dollar spent on the project, the company GAINS 43 CENTS. This is in contrast to 35% ROI on projects with poor OCM. (McKinsey)

    Info-Tech’s approach to OD implementation is a practical and tactical adaptation of several successful OCM models

    BUSINESS STRATEGY-ORIENTED OCM MODELS. John Kotter’s 8-Step model, for instance, provides a strong framework for transformational change but doesn’t specifically take into account the unique needs of an IT transformation.

    GENERAL-PURPOSE OCM FRAMEWORKS such as ACMP’s Standard for Change Management, CMI’s CMBoK, and Prosci’s ADKAR model are very comprehensive and need to be configured to organizational design implementation-specific initiatives.

    COBIT MANAGEMENT PRACTICE BAI05: MANAGE ORGANIZATIONAL CHANGE ENABLEMENT follows a structured process for implementing enterprise change quickly. This framework can be adapted to OD implementation; however, it is most effective when augmented with the people and management training elements present in other frameworks.

    References and Further Reading

    Tailoring a comprehensive, general-purpose OCM framework to an OD implementation requires familiarity and experience. Info-Tech’s OD implementation model adapts the best practices from a wide range of proven OCM models and distills it into a step-by-step process that can be applied to an organizational design transformation.

    The following OD implementation symptoms can be avoided through structured planning

    IN PREVIOUS ORGANIZATIONAL CHANGES, I’VE EXPERIENCED…

    “Difficultly motivating my staff to change.”

    “Higher than average voluntary turnover during and following the implementation.”

    “An overall sense of staff frustration or decreased employee engagement.”

    “Decreased staff productivity and an inability to meet SLAs.”

    “Increased overtime caused by being asked to do two jobs at once.”

    “Confusion about the reporting structure during the change.”

    “Difficulty keeping up with the rate of change and change fatigue from staff.”

    “Business partner dissatisfaction about the change and complaints about the lack of effort or care put in by IT employees.”

    “Business partners not wanting to adjust to the change and continuing to follow outdated processes.”

    “Decrease in stakeholder satisfaction with IT.”

    “Increased prevalence of shadow IT during or following the change.”

    “Staff members vocally complaining about the IT organization and leadership team.”

    Follow this blueprint to develop and execute on your OD implementation

    IT leaders often lack the experience and time to effectively execute on organizational changes. Info-Tech’s organizational design implementation program will provide you with the needed tools, templates, and deliverables. Use these insights to drive action plans and initiatives for improvement.

    How we can help

    • Measure the ongoing engagement of your employees using Info-Tech’s MLI diagnostic. The diagnostic comes complete with easily customizable reports to track and act on employee engagement throughout the life of the change.
    • Use Info-Tech’s customizable project management tools to identify all of the critical changes, their impact on stakeholders, and mitigate potential implementation risks.
    • Develop an in-depth action plan and transition plans for individual stakeholders to ensure that productivity remains high and that service levels and project expectations are met.
    • Align communication with real-time staff engagement data to keep stakeholders motivated and focused throughout the change.
    • Use Info-Tech’s detailed facilitation guide to train managers on how to effectively communicate the change, manage difficult stakeholders, and help ensure a smooth transition.

    Leverage Info-Tech’s customizable deliverables to execute your organizational design implementation

    A graphic with 3 sections: 1.BUILD A CHANGE COMMUNICATION STRATEGY; 2.BUILD THE ORGANIZATIONAL TRANSITION PLAN; 3.1 TRAIN MANAGERS TO LEAD THROUGH CHANGE; 3.2 TRANSITION STAFF TO NEW ROLES. An arrow emerges from point one and directs right, over the rest of the steps. Text above the arrow reads: ONGOING ENGAGEMENT MONITORING AND COMMUNICATION. Dotted arrows emerge from points two and three directing back toward point one. Text below the arrow reads: COMMUNICATION STRATEGY ITERATION.

    CUSTOMIZABLE PROJECT DELIVERABLES

    1. BUILD A CHANGE COMMUNICATION STRATEGY

    • McLean Leadership Index: Real-Time Employee Engagement Dashboard
    • Organizational Design
    • Implementation Kick-Off Presentation
    • Organizational Design Implementation FAQ

    2. BUILD THE ORGANIZATIONAL TRANSITION PLAN

    • Organizational Design Implementation Project Planning Tool

    3.1 TRAIN MANAGERS TO LEAD THROUGH CHANGE

    3.2 TRANSITION STAFF TO NEW ROLES

    • Organizational Design Implementation Manager Training Guide
    • Organizational Design Implementation Transition Plan Template

    Leverage Info-Tech’s tools and templates to overcome key engagement program implementation challenges

    KEY SECTION INSIGHTS:

    BUILD A CHANGE COMMUNICATION STRATEGY

    Effective organizational design implementations mitigate the risk of turnover and lost productivity through ongoing monitoring and managing of employee engagement levels. Take a data-driven approach to managing engagement with Info-Tech’s real-time MLI engagement dashboard and adjust your communication and implementation strategy before engagement risks become issues.

    BUILD THE ORGANIZATIONAL TRANSITION PLAN

    Your organizational design implementation is made up of a series of projects and needs to be integrated into your larger project schedule. Too often, organizations attempt to fit the organizational design implementation into their existing schedules which results in poor resource planning, long delays in implementation, and overall poor results.

    LEAD STAFF THROUGH THE REORGANIZATION

    The majority of IT managers were promoted because they excelled at the technical aspect of their job rather than in people management. Not providing training is setting your organization up for failure. Train managers to effectively lead through change to see a 72% decrease in change management issues. (Abilla, 2009)

    METRICS:

    1. Voluntary turnover: Conduct an exit interview with all staff members during and after transition. Identify any staff members who cite the change as a reason for departure. For those who do leave, multiply their salary by 1.5% (the cost of a new hire) and track this over time.
    2. Business satisfaction trends: Conduct CIO Business Vision one year prior to the change vs. one year after change kick-off. Prior to the reorganization, set metrics for each category for six months after the reorganization, and one year following.
    3. Saved development costs: Number of hours to develop internal methodology, tools, templates, and process multiplied by the salary of the individual.

    Use this blueprint to save 1–3 months in implementing your new organizational structure

    Time and Effort Using Blueprint Without Blueprint
    Assess Current and Ongoing Engagement 1 person ½ day – 4 weeks 1–2 hours for diagnostic set up (allow extra 4 weeks to launch and review initial results). High Value 4–8 weeks
    Set Up the Departmental Change Workbooks 1–5 people 1 day 4–5 hours (varies based on the scope of the change). Medium Value 1–2 weeks
    Design Transition Strategy 1–2 people 1 day 2–10 hours of implementation team’s time. Medium Value 0–2 weeks
    Train Managers to Lead Through Change 1–5 people 1–2 weeks 1–2 hours to prepare training (allow for 3–4 hours per management team to execute). High Value 3–5 weeks

    These estimates are based on reviews with Info-Tech clients and our experience creating the blueprint.

    Totals:

    Workshop: 1 week

    GI/DIY: 2-6 weeks

    Time and Effort Saved: 8-17 weeks

    CIO uses holistic organizational change management strategies to overcome previous reorganization failures

    CASE STUDY

    Industry: Manufacturing

    Source: Client interview

    Problem

    When the CIO of a large manufacturing company decided to undertake a major reorganization project, he was confronted with the stigma of a previous CIO’s attempt. Senior management at the company were wary of the reorganization since the previous attempt had failed and cost a lot of money. There was major turnover since staff were not happy with their new roles costing $250,000 for new hires. The IT department saw a decline in their satisfaction scores and a 10% increase in help desk tickets. The reorganization also cost the department $400,000 in project rework.

    Solution

    The new CIO used organizational change management strategies in order to thoroughly plan the implementation of the new organizational structure. The changes were communicated to staff in order to improve adoption, every element of the change was mapped out, and the managers were trained to lead their staff through the change.

    Results

    The reorganization was successful and eagerly adopted by the staff. There was no turnover after the new organizational structure was implemented and the engagement levels of the staff remained the same.

    $250,000 - Cost of new hires and salary changes

    10% - Increase in help desk tickets

    $400,000 - Cost of project delays due to the poorly effective implementation of changes

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    “Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.”

    Guided Implementation

    “Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.”

    Workshop

    “We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.”

    Consulting

    “Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”

    Diagnostics and consistent frameworks used throughout all four options

    Implement a New Organizational Structure

    3. Lead Staff Through the Reorganization
    1. Build a Change Communication Strategy 2. Build the Organizational Transition Plan 3.1 Train Managers to Lead Through Change 3.2 Transition Staff to New Roles
    Best-Practice Toolkit

    1.1 Launch the McLean Leadership Index to set a baseline.

    1.2 Establish your implementation team.

    1.3 Build your change communication strategy and change vision.

    2.1 Build a holistic list of change projects.

    2.2 Monitor and track the progress of your change projects.

    3.1.1 Conduct a workshop with managers to prepare them to lead through the change.

    3.1.2 Build stakeholder engagement plans and conduct conflict style self-assessments.

    3.2.1 Build transition plans for each of your staff members.

    3.2.2 Transition your staff to their new roles.

    Guided Implementations
    • Set up your MLI Survey.
    • Determine the members and roles of your implementation team.
    • Review the components of a change communication strategy.
    • Review the change dimensions and how they are used to plan change projects.
    • Review the list of change projects.
    • Review the materials and practice conducting the workshop.
    • Debrief after conducting the workshop.
    • Review the individual transition plan and the process for completing it.
    • Final consultation before transitioning staff to their new roles.
    Onsite Workshop Module 1: Effectively communicate the reorganization to your staff. Module 2: Build the organizational transition plan. Module 3.1: Train your managers to lead through change. Module 3.2: Complete your transition plans

    Phase 1 Results:

    • Plans for effectively communicating with your staff.

    Phase 2 Results:

    • A holistic view of the portfolio of projects required for a successful reorg

    Phase 3.1 Results:

    • A management team that is capable of leading their staff through the reorganization

    Phase 3.2 Results:

    • Completed transition plans for your entire staff.

    Workshop overview

    Contact your account representative or email Workshops@InfoTech.com for more information.

    Workshop Day 1 Workshop Day 2 Workshop Day 3 Workshop Day 4 Workshop Day 5
    Activities

    Build Your Change Project Plan

    1.1 Review the new organizational structure.

    1.2 Determine the scope of your organizational changes.

    1.3 Review your MLI results.

    1.4 Brainstorm a list of projects to enable the change.

    Finalize Change Project Plan

    2.1 Brainstorm the tasks that are contained within the change projects.

    2.2 Determine the resource allocation for the projects.

    2.3 Understand the dependencies of the projects.

    2.4 Create a progress monitoring schedule

    Enlist Your Implementation Team

    3.1 Determine the members that are best suited for the team.

    3.2 Build a RACI to define their roles.

    3.3 Create a change vision.

    3.4 Create your change communication strategy.

    Train Your Managers to Lead Through Change

    4.1 Conduct the manager training workshop with managers.

    4.2 Review the stakeholder engagement plans.

    4.3 Review individual transition plan template with managers

    Build Your Transition Plans

    5.1 Bring managers back in to complete transition plans.

    5.2 Revisit new organizational design as a source for information.

    5.3 Complete aspects of the template that do not require feedback.

    5.4 Discuss strategies for transitioning.

    Deliverables
    1. McLean Leadership Index Dashboard
    2. Organizational Design Implementation Project Planning Tool
    1. Completed Organizational Design Implementation Project Planning Tool
    1. Communication Strategy
    1. Stakeholder Engagement Plans
    2. Conflict Style Self-Assessments
    3. Organizational Design Implementation Transition Plan Template
    1. Organizational Design Implementation Transition Plan Template

    Phase 1

    Build a Change Communication Strategy

    Build a change communication strategy

    Outcomes of this Section:

    • Launch the McLean Leadership Index
    • Define your change team
    • Build your reorganization kick-off presentation and FAQ for staff and business stakeholders

    This section involves the following participants:

    • CIO
    • IT leadership team
    • IT staff

    Key Section Insight:

    Effective organizational design implementations mitigate the risk of turnover and lost productivity through ongoing monitoring of employee engagement levels. Take a data-driven approach to managing engagement with Info-Tech’s real-time MLI engagement dashboard and adjust your communication and implementation strategy in real-time before engagement risks become issues.

    Phase 1 outline

    Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

    Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

    Guided Implementation 1: Build a Change Communication Strategy

    Proposed Time to Completion (in weeks): 1-6 weeks

    Step 1.1: Launch Your McLean Leadership Index Survey

    Start with an analyst kick off call:

    • Discuss the benefits and uses of the MLI.
    • Go over the required information (demographics, permissions, etc.).
    • Set up a live demo of the survey.

    Then complete these activities…

    • Launch the survey with your staff.
    • Have a results call with a member of the Info-Tech staff.

    With these tools & templates:

    McLean Leadership Index

    Step 1.2: Establish Your Implementation Team

    Review findings with analyst:

    • Review what members of your department should participate.
    • Build a RACI to determine the roles of your team members.

    Then complete these activities…

    • Hold a kick-off meeting with your new implementation team.
    • Build the RACI for your new team members and their roles.

    Step 1.3: Build Your Change Communication Strategy

    Finalize phase deliverable:

    • Customize your reorganization kick-off presentation.
    • Create your change vision. Review the communication strategy.

    Then complete these activities…

    • Hold your kick-off presentation with staff members.
    • Launch the reorganization communications.

    With these tools & templates:

    • Organizational Design Implementation Kick-Off Presentation
    • Organizational Design Implementation FAQ

    Set the stage for the organizational design implementation by effectively introducing and communicating the change to staff

    Persuading people to change requires a “soft,” empathetic approach to keep them motivated and engaged. But don’t mistake “soft” for easy. Managing the people and communication aspects around the change are amongst the toughest work there is, and require a comfort and competency with uncertainty, ambiguity, and conflict.

    Design Engagement Transition
    Communication

    Communication and engagement are the chains linking your design to transition. If the organizational design initiative is going to be successful it is critical that you manage this effectively. The earlier you begin planning the better. The more open and honest you are about the change the easier it will be to maintain engagement levels, business satisfaction, and overall IT productivity.

    Kick-Off Presentation Inputs

    • LAUNCH THE MCLEAN LEADERSHIP INDEX
    • IDENTIFY YOUR CHANGE TEAM
    • DETERMINE CHANGE TEAM RESPONSIBILITIES
    • DEVELOP THE CHANGE VISION
    • DEFINE KEY MESSAGES AND GOALS
    • IDENTIFY MAJOR CHANGES
    • IDENTIFY KEY MILESTONES
    • BUILD AND MAINTAIN A CHANGE FAQ

    Use the MLI engagement dashboard to measure your current state and the impact of the change in real-time

    The McLean Leadership Index diagnostic is a low-effort, high-impact program that provides real-time metrics on staff engagement levels. Use these insights to understand your employees’ engagement levels throughout the organizational design implementation to measure the impact of the change and to manage turnover and productivity levels throughout the implementation.

    WHY CARE ABOUT ENGAGEMENT DURING THE CHANGE? ENGAGED EMPLOYEES REPORT:

    39% Higher intention to stay at the organization.

    29% Higher performance and increased likelihood to work harder and longer hours. (Source: McLean and Company N=1,308 IT Employees)

    Why the McLean Leadership Index?

    Based on the Net Promoter Score (NPS), the McLean Leadership Index is one question asked monthly to assess engagement at various points in time.

    Individuals responding to the MLI question with a 9 or 10 are your Promoters and are most positive and passionate. Those who answer 7 or 8 are Passives while those who answer 0 to 6 are Detractors.

    Track your engagement distribution using our online dashboard to view MLI data at any time and view results based on teams, locations, manager, tenure, age, and gender. Assess the reactions to events and changes in real-time, analyze trends over time, and course-correct.

    Dashboard reports: Know your staff’s overall engagement and top priorities

    McLean Leadership Index

    OVERALL ENGAGEMENT RESULTS

    You get:

    • A clear breakdown of your detractors, passives, and promotors.
    • To view results by team, location, and individual manager.
    • To dig deeper into results by reviewing results by age, gender, and tenure at the organization to effectively identify areas where engagement is weak.

    TIME SERIES TRENDS

    You get:

    • View of changes in engagement levels for each team, location, and manager.
    • Breakdown of trends weekly, monthly, quarterly, and yearly.
    • To encourage leaders to monitor results to analyze root causes for changes and generate improvement initiatives.

    QUALITATIVE COMMENTS

    You get:

    • To view qualitative comments provided by staff on what is impacting their engagement.
    • To reply directly to comments without impacting the anonymity of the individuals making the comments.
    • To leverage trends in the comments to make changes to communication approaches.

    Launch the McLean Leadership Index in under three weeks

    Info-Tech’s dedicated team of program managers will facilitate this diagnostic program remotely, providing you with a convenient, low-effort, high-impact experience.

    We will guide you through the process with your goals in mind to deliver deep insight into your successes and areas to improve.

    What You Need To Do:

    1. Contact Info-Tech to launch the program and test the functionality in a live demo.
    2. Identify demographics and set access permissions.
    3. Complete manager training with assistance from Info-Tech Advisors.
    4. Participate in a results call with an Info-Tech Advisor to review results and develop an action plan.

    Info-Tech’s Program Manager Will:

    1. Collect necessary inputs and generate your custom dashboard.
    2. Launch, maintain, and support the online system in the field.
    3. Send out a survey to 25% of the staff each week.
    4. Provide ongoing support over the phone, and the needed tools and templates to communicate and train staff as well as take action on results.

    Explore your initial results in a one-hour call with an Executive Advisor to fully understand the results and draw insights from the data so you can start your action plan.

    Start Your Diagnostic Now

    We'll help you get set up as soon as you're ready.

    Start Now

    Communication has a direct impact on employee engagement; measure communication quality using your MLI results

    A line graph titled: The impact of manager communication on employee engagement. The X-axis is labeled from Strongly Disagree to Strongly Agree, and the Y-axis is labeled: Percent of Engaged Respondents. There are 3 colour-coded lines: dark blue indicates My manager provides me with high-quality feedback; light blue indicates I clearly understand what is expected of me on the job; and green indicates My manager keeps me well informed about decisions that affect me. The line turns upward as it moves to the right of the graph.

    (McLean & Company, 2015 N=17,921)

    A clear relationship exists between how effective a manager’s communication is perceived to be and an employee’s level of engagement. If engagement drops, circle back with employees to understand the root causes.

    Establish an effective implementation team to drive the organizational change

    The implementation team is responsible for developing and disseminating information around the change, developing the transition strategy, and for the ongoing management of the changes.

    The members of the implementation team should include:

    • CIO
    • Current IT leadership team
    • Project manager
    • Business relationship managers
    • Human resources advisor

    Don’t be naïve – building and executing the implementation plan will require a significant time commitment from team members. Too often, organizations attempt to “fit it in” to their existing schedules resulting in poor planning, long delays, and overall poor results. Schedule this work like you would a project.

    TOP 3 TIPS FOR DEFINING YOUR IMPLEMENTATION TEAM

    1. Select a Project Manager. Info-Tech strongly recommends having one individual accountable for key project management activities. They will be responsible for keeping the project on time and maintaining a holistic view of the implementation.
    2. Communication with Business Partners is Critical. If you have Business Relationship Managers (BRMs), involve them in the communication planning or assign someone to play this role. You need your business partners to be informed and bought in to the implementation to maintain satisfaction.
    3. Enlist Your “Volunteer Army.” (Kotter’s 8 Principles) If you have an open culture, Info-Tech encourages you to have an extended implementation team made up of volunteers interested in supporting the change. Their role will be to support the core group, assist in planning, and communicate progress with peers.

    Determine the roles of your implementation team members

    1.1 30 Minutes

    Input

    • Implementation team members

    Output

    • RACI for key transition elements

    Materials

    • RACI chart and pen

    Participants

    • Core implementation committee
    1. Each member should be actively engaged in all elements of the organizational design implementation. However, it’s important to have one individual who is accountable for key activities and ensures they are done effectively and measured.
    2. Review the chart below and as a group, brainstorm any additional key change components.
    3. For each component listed below, identify who is Accountable, Responsible, Consulted, and Informed for each (suggested responsibility below).
    CIO IT Leaders PM BRM HR
    Communication Plan A R R R C
    Employee Engagement A R R R C

    Departmental Transition Plan

    		 R A R I R
    Organizational Transition Plan R R A I C
    Manager Training A R R I C

    Individual Transition Plans

    		 R A R I I
    Technology and Logistical Changes R R A I I
    Hiring A R I I R
    Learning and Development R A R R R
    Union Negotiations R I I I A
    Process Development R R A R I

    Fast-track your communication planning with Info-Tech’s Organizational Design Implementation Kick-Off Presentation

    Organizational Design Implementation Kick-Off Presentation

    Communicate what’s important to your staff in a simple, digestible way. The communication message should reflect what is important to your stakeholders and what they want to know at the time.

    • Why is this change happening?
    • What are the goals of the reorganization?
    • What specifically is changing?
    • How will this impact me?
    • When is this changing?
    • How and where can I get more information?

    It’s important that the tone of the meeting suits the circumstances.

    • If the reorganization is going to involve lay-offs: The meeting should maintain a positive feel, but your key messages should stress the services that will be available to staff, when and how people will be communicated with about the change, and who staff can go to with concerns.
    • If the reorganization is to enable growth: Focus on celebrating where the organization is going, previous successes, and stress that the staff are critical in enabling team success.

    Modify the Organizational Design ImplementationKick-Off Presentation with your key messages and goals

    1.2 1 hour

    Input

    • New organizational structure

    Output

    • Organizational design goal statements

    Materials

    • Whiteboard & marker
    • ODI Kick-off Presentation

    Participants

    • OD implementation team
    1. Within your change implementation team, hold a meeting to identify and document the change goals and key messages.
    2. As a group, discuss what the key drivers were for the organizational redesign by asking yourselves what problem you were trying to solve.
    3. Select 3–5 key problem statements and document them on a whiteboard.
    4. For each problem statement, identify how the new organizational design will allow you to solve those problems.
    5. Document these in your Organizational Design Implementation Kick-Off Presentation.

    Modify the presentation with your unique change vision to serve as the center piece of your communication strategy

    1.3 1 hour

    Input

    • Goal statements

    Output

    • Change vision statement

    Materials

    • Sticky notes
    • Pens
    • Voting dots

    Participants

    • Change team
    1. Hold a meeting with the change implementation team to define your change vision. The change vision should provide a picture of what the organization will look like after the organizational design is implemented. It should represent the aspirational goal, and be something that staff can all rally behind.
    2. Hand out sticky notes and ask each member to write down on one note what they believe is the #1 desired outcome from the organizational change and one thing that they are hoping to avoid (you may wish to use your goal statements to drive this).
    3. As a group, review each of the sticky notes and group similar statements in categories. Provide each individual with 3 voting dots and ask them to select their three favorite statements.
    4. Select your winning statements in teams of 2–3. Review each statement and as a team work to strengthen the language to ensure that the statement provides a call to action, that it is short and to the point, and motivational.
    5. Present the statements back to the group and select the best option through a consensus vote.
    6. Document the change vision in your Organizational Design Implementation Kick-Off Presentation.

    Customize the presentation identifying key changes that will be occurring

    1.4 2 hours

    Input

    • Old and new organizational sketch

    Output

    • Identified key changes that are occurring

    Materials

    • Whiteboard
    • Sticky notes & Pens
    • Camera

    Participants

    • OD implementation team
    1. On a whiteboard, draw a high-level picture of your previous organizational sketch and your new organizational sketch.
    2. Using sticky notes, ask individuals to highlight key high-level challenges that exist in the current model (consider people, process, and technology).
    3. Consider each sticky note, and highlight and document how and where your new sketch will overcome those challenges and the key differences between the old structure and the new.
    4. Take a photo of the two sketches and comments, and document these in your Organizational Design Implementation Kick-Off Presentation.

    Modify the presentation by identifying and documenting key milestones

    1.5 1 hour

    Input

    • OD implementation team calendars

    Output

    • OD implementation team timeline

    Materials

    • OD Implementation Kick-Off Presentation

    Participants

    • OD implementation team
    1. Review the timeline in the Organizational Design Implementation Kick-Off Presentation. As a group, discuss the key milestones identified in the presentation:
      • Kick-off presentation
      • Departmental transition strategy built
      • Organizational transition strategy built
      • Manager training
      • One-on-one meetings with staff to discuss changes to roles
      • Individual transition strategy development begins
    2. Review the timeline, and keeping your other commitments in mind, estimate when each of these tasks will be completed and update the timeline.

    Build an OD implementation FAQ to proactively address key questions and concerns about the change

    Organizational Design Implementation FAQ

    Leverage this template as a starting place for building an organizational design implementation FAQ.

    This template is prepopulated with example questions and answers which are likely to arise.

    Info-Tech encourages you to use the list of questions as a basis for your FAQ and to add additional questions based on the changes occurring at your organization.

    It may also be a good idea to store the FAQ on a company intranet portal so that staff has access at all times and to provide users with a unique email address to forward questions to when they have them.

    Build your unique organizational design implementation FAQ to keep staff informed throughout the change

    1.6 1 hour + ongoing

    Input

    • OD implementation team calendars

    Output

    • OD implementation team timeline

    Materials

    • OD Implementation Kick-Off Presentation

    Participants

    • OD implementation team
    1. Download a copy of the Organizational Design Implementation FAQ and as a group, review each of the key questions.
    2. Delete any questions that are not relevant and add any additional questions you either believe you will receive or which you have already been asked.
    3. Divide the questions among team members and have each member provide a response to these questions.
    4. The CIO and the project manager should review the responses for accuracy and ensure they are ready to be shared with staff.
    5. Publish the responses on an IT intranet site and make the location known to your IT staff.

    Dispelling rumors by using a large implementation team

    CASE STUDY

    Industry: Manufacturing

    Source: CIO

    Challenge

    When rumors of the impending reorganization reached staff, there was a lot of confusion and some of the more vocal detractors in the department enforced these rumors.

    Staff were worried about changes to their jobs, demotions, and worst of all, losing their jobs. There was no communication from senior management to dispel the gossip and the line managers were also in the dark so they weren’t able to offer support.

    Staff did not feel comfortable reaching out to senior management about the rumors and they didn’t know who the change manager was.

    Solution

    The CIO and change manager put together a large implementation team that included many of the managers in the department. This allowed the managers to handle the gossip through informal conversations with their staff.

    The change manager also built a communication strategy to communicate the stages of the reorganization and used FAQs to address the more common questions.

    Results

    The reorganization was adopted very quickly since there was little confusion surrounding the changes with all staff members. Many of the personnel risks were mitigated by the communication strategy because it dispelled rumors and took some of the power away from the vocal detractors in the department.

    An engagement survey was conducted 3 months after the reorganization and the results showed that the engagement of staff had not changed after the reorganization.

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech workshop

    Book a workshop with our Info-Tech analysts:

    • To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
    • Info-Tech analysts will join you and your team onsite at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.
    • Contact your account manager (www.infotech.com/account), or email Workshops@InfoTech.com for more information.

    The following are sample activities that will be conducted by Info-Tech analysts with your team:

    1a: Launch the MLI Dashboard (Pre-Work)

    Prior to the workshop, Info-Tech’s advisors will work with you to launch the MLI diagnostic to understand the overall engagement levels of your organization.

    1b: Review Your MLI Results

    The analysts will facilitate several exercises to help you and your team identify your current engagement levels, and the variance across demographics and over time.

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech workshop

    Book a workshop with our Info-Tech analysts:

    1.1: Define Your Change Team Responsibilities

    Review the key responsibilities of the organizational design implementation team and define the RACI for each individual member.

    1.3: Define Your Change Vision and Goals

    Identify the change vision statement which will serve as the center piece for your change communications as well as the key message you want to deliver to your staff about the change. These messages should be clear, emotionally impactful, and inspirational.

    1.4: Identify Key Changes Which Will Impact Staff

    Collectively brainstorm all of the key changes that are happening as a result of the change, and prioritize the list based on the impact they will have on staff. Document the top 10 biggest changes – and the opportunities the change creates or problems it solves.

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech workshop

    Book a workshop with our Info-Tech analysts:

    1.5: Define the High-Level Change Timeline

    Identify and document the key milestones within the change as a group, and determine key dates and change owners for each of the key items. Determine the best way to discuss these timelines with staff, and whether there are any which you feel will have higher levels of resistance.

    1.5: Build the FAQ and Prepare for Objection Handling

    As a group, brainstorm the key questions you believe you will receive about the change and develop a common FAQ to provide to staff members. The advisor will assist you in preparing to manage objections to limit resistance.

    Phase 2

    Build The Organizational Transition Plan

    Build the organizational transition plan

    Outcomes of this section:

    • A holistic list of projects that will enable the implementation of the organizational structure.
    • A schedule to monitor the progress of your change projects.

    This section involves the following participants:

    • CIO
    • Reorganization Implementation Team

    Key Section Insight:

    Be careful to understand the impacts of the change on all groups and departments. For best results, you will need representation from all departments to limit conflict and ensure a smooth transition. For large IT organizations, you will need to have a plan for each department/work unit and create a larger integration project.

    Phase 2 outline

    Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

    Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

    Guided Implementation 2: Build the Organizational Transition Plan

    Proposed Time to Completion (in weeks): 2-4 weeks

    Step 2.1: Review the Change Dimensions and How They Are Used to Plan Change Projects

    Start with an analyst kick off call:

    • Review the purpose of the kick-off meeting.
    • Review the change project dimensions.
    • Review the Organizational Design Implementation Project Planning Tool.

    Then complete these activities…

    • Conduct your kick-off meeting.
    • Brainstorm a list of reorganization projects and their related tasks.

    With these tools & templates:

    • Organizational Design Implementation Project Planning Tool

    Step 2.2: Review the List of Change Projects

    Review findings with analyst:

    • Revisit the list of projects and tasks developed in the brainstorming session.
    • Assess the list and determine resourcing and dependencies for the projects.
    • Review the monitoring process.

    Then complete these activities…

    • Complete the Organizational Design Implementation Project Planning Tool.
    • Map out your project dependencies and resourcing.
    • Develop a schedule for monitoring projects.

    With these tools & templates:

    • Organizational Design Implementation Project Planning Tool

    Use Info-Tech’s Organizational Design Implementation Project Planning Tool to plan and track your reorganization

    • Use Info-Tech’s Organizational Design Implementation Project Planning Tool to document and track all of the changes that are occurring during your reorganization.
    • Automatically build Gantt charts for all of the projects that are being undertaken, track problems in the issue log, and monitor the progress of projects in the reporting tab.
    • Each department/work group will maintain its own version of this tool throughout the reorganization effort and the project manager will maintain a master copy with all of the projects listed.
    • The chart comes pre-populated with example data gathered through the research and interview process to help generate ideas for your own reorganization.
    • Review the instructions at the top of each work sheet for entering and modifying the data within each chart.

    Have a short kick-off meeting to introduce the project planning process to your implementation team

    2.1 30 minutes

    Output

    • Departmental ownership of planning tool

    Materials

    • OD Implementation Project Planning Tool

    Participants

    • Change Project Manager
    • Implementation Team
    • Senior Management (optional)
    1. The purpose of this kick-off meeting is to assign ownership of the project planning process to members of the implementation team and to begin thinking about the portfolio of projects required to successfully complete the reorganization.
    2. Use the email template included on this slide to invite your team members to the meeting.
    3. The topics that need to be covered in the meeting are:
      • Introducing the materials/templates that will be used throughout the process.
      • Assigning ownership of the Organizational Design Implementation Project Planning Tool to members of your team.
        • Ownership will be at the departmental level where each department or working group will manage their own change projects.
      • Prepare your implementation team for the next meeting where they will be brainstorming the list of projects that will need to be completed throughout the reorganization.
    4. Distribute/email the tools and templates to the team so that they may familiarize themselves with the materials before the next meeting.

    Hello [participant],

    We will be holding our kickoff meeting for our reorganization on [date]. We will be discussing the reorganization process at a high level with special attention being payed to the tools and templates that we will be using throughout the process. By the end of the meeting, we will have assigned ownership of the Project Planning Tool to department representatives and we will have scheduled the next meeting where we’ll brainstorm our list of projects for the reorganization.

    Consider Info-Tech’s four organizational change dimensions when identifying change projects

    CHANGE DIMENSIONS

    • TECHNOLOGY AND LOGISTICS
    • COMMUNICATION
    • STAFFING
    • PROCESS

    Technology and Logistics

    • These are all the projects that will impact the technology used and physical logistics of your workspace.
    • These include new devices, access/permissions, new desks, etc.

    Communication

    • All of the required changes after the reorganization to ongoing communications within IT and to the rest of the organization.
    • Also includes communication projects that are occurring during the reorganization.

    Staffing

    • These projects address the changes to your staff’s roles.
    • Includes role changes, job description building, consulting with HR, etc.

    Process

    • Projects that address changes to IT processes that will occur after the reorganization.

    Use these trigger questions to help identify all aspects of your coming changes

    STAFFING

    • Do you need to hire short or long-term staff to fill vacancies?
    • How long does it typically take to hire a new employee?
    • Will there be staff who are new to management positions?
    • Is HR on board with the reorganization?
    • Have they been consulted?
    • Have transition plans been built for all staff members who are transitioning roles/duties?
    • Will gaps in the structure need to be addressed with new hires?

    COMMUNICATION

    • When will the change be communicated to various members of the staff?
    • Will there be disruption to services during the reorganization?
    • Who, outside of IT, needs to know about the reorganization?
    • Do external communications need to be adjusted because of the reorganization? Moving/centralizing service desk, BRMs, etc.?
    • Are there plans/is there a desire to change the way IT communicates with the rest of the organization?
    • Will the reorganization affect the culture of the department? Is the new structure compatible with the current culture?

    Use these trigger questions to help identify all aspects of your coming changes (continued)

    TECHNOLOGY AND LOGISTICS

    • Will employees require new devices in their new roles?
    • Will employees be required to move their workspace?
    • What changes to the workspace are required to facilitate the new organization?
    • Does new furniture have to be purchased to accommodate new spaces/staff?
    • Is the workspace adequate/up to date technologically (telephone network, Wi-Fi coverage, etc.)?
    • Will employees require new permissions/access for their changing roles?
    • Will permissions/access need to be removed?
    • What is your budget for the reorganization?
    • If a large geographical move is occurring, have problems regarding geography, language barriers, and cultural sensitivities been addressed?

    PROCESS

    • What processes need to be developed?
    • What training for processes is required?
    • Is the daily functioning of the IT department predicted to change?
    • Are new processes being implemented during the reorganization?
    • How will the project portfolio be affected by the reorganization?
    • Is new documentation required to accompany new/changing processes?

    Brainstorm the change projects to be carried out during the reorganization for your team/department

    2.2 3 hours

    Input

    • Constructive group discussion

    Output

    • Thorough list of all reorganization projects

    Materials

    • Whiteboard, sticky notes
    • OD Implementation Project Planning Tool

    Participants

    • Implementation Team
    • CIO
    • Senior Management
    1. Before the meeting, distribute the list of trigger questions presented on the two previous slides to prepare your implementation team for the brainstorming session.
    2. Begin the meeting by dividing up your implementation team into the departments/work groups that they represent (and have ownership of the tool over).
    3. Distribute a different color of sticky notes to each team and have them write out each project they can think of for each of the change planning dimensions (Staffing, Communication, Process and Technology/Logistics) using the trigger questions.
    4. After one hour, ask the groups to place the projects that they brainstormed onto the whiteboard divided into the four change dimensions.
    5. Discuss the complete list of projects on the board.
      • Remove projects that are listed more than once since some projects will be universal to some/all departments.
      • Adjust the wording of projects for the sake of clarity.
      • Identify projects that are specific to certain departments.
    6. Document the list of high-level projects on tab 2 “Project Lists” within the OD Implementation Project Planning Tool after the activity is complete.

    Prioritize projects to assist with project planning modeling

    Prioritization is the process of ranking each project based on its importance to implementation success. Hold a meeting for the implementation team and extended team to prioritize the project list. At the conclusion of the meeting, each requirement should be assigned a priority level. The implementation teams will use these priority levels to ensure efforts are targeted towards the proper projects. A simple way to do this for your implementation is to use the MoSCoW Model of Prioritization to effectively order requirements.

    The MoSCoW Model of Prioritization

    MUST HAVE - Projects must be implemented for the organizational design to be considered successful.

    SHOULD HAVE - Projects are high priority that should be included in the implementation if possible.

    COULD HAVE - Projects are desirable but not necessary and could be included if resources are available.

    WON'T HAVE - Projects won’t be in the next release, but will be considered for the future releases.

    The MoSCoW model was introduced by Dai Clegg of Oracle UK in 1994.

    Keep the following criteria in mind as you determine your priorities

    Effective Prioritization Criteria

    Criteria Description
    Regulatory & Legal Compliance These requirements will be considered mandatory.
    Policy or Contract Compliance Unless an internal policy or contract can be altered or an exception can be made, these projects will be considered mandatory.
    Business Value Significance Give a higher priority to high-value projects.
    Business Risk Any project with the potential to jeopardize the entire project should be given a high priority and implemented early.
    Implementation Complexity Give a higher priority to quick wins.
    Alignment with Strategy Give a higher priority to requirements that enable the corporate strategy and IT strategy.
    Urgency Prioritize projects based on time sensitivity.
    Dependencies A project on its own may be low priority, but if it supports a high-priority requirement, then its priority must match it.
    Funding Availability Do we have the funding required to make this change?

    Prioritize the change projects within your team/department to be executed during the reorganization

    2.3 3 hours

    Input

    • Organizational Design Implementation Project Planning Tool

    Output

    • Prioritized list of projects

    Materials

    • Whiteboard, sticky notes
    • OD Implementation Project Planning Tool

    Participants

    • Implementation Team
    • Extended Implementation Team
    1. Divide the group into their department teams. Draw 4 columns on a whiteboard, including the following:
      • Must have
      • Should have
      • Could have
      • Won’t have
    2. As a group, review each project and collaboratively identify which projects fall within each category. You should have a strong balance between each of the categories.
    3. Beginning with the “must have” projects, determine if each has any dependencies. If any of the projects are dependent on another, add the dependency project to the “must have” category. Group and circle the dependent projects.
    4. Continue the same exercise with the “should have” and “could have” options.
    5. Record the results on tab “2. Project List” of the Organizational Design Implementation Project Planning Tool using the drop down option.

    Determine resource availability for completing your change projects

    2.4 2 hours

    Input

    • Constructive group discussion

    Output

    • Thorough list of all reorganization projects

    Materials

    • Whiteboard, sticky notes
    • OD Implementation Project Planning Tool

    Participants

    • Implementation Team
    • CIO
    • Senior Management
    1. Divide the group into their department teams to plan the execution of the high-level list of projects developed in activity 2.2.
    2. Review the list of high-level projects and starting with the “must do” projects, consider each in turn and brainstorm all of the tasks required to complete these projects. Write down each task on a sticky note and place it under the high-level project.
    3. On the same sticky note as the task, estimate how much time would be required to complete each task. Be realistic about time frames since these projects will be on top of all of the regular day-to-day work.
    4. Along with the time frame, document the resources that will be required and who will be responsible for the tasks. If you have a documented Project Portfolio, use this to determine resourcing.
    5. After mapping out the tasks, bring the group back together to present their list of projects, tasks, and required resources.
      • Go through the project task lists to make sure that nothing is missed.
      • Review the timelines to make sure they are feasible.
      • Review the resources to ensure that they are available and realistic based on constraints (time, current workload, etc.).
      • Repeat the process for the Should do and Could do projects.
    1. Document the tasks and resources in tab “3. Task Monitoring” in the OD Implementation Project Planning Tool after the activity is complete.

    Map out the change project dependencies at the departmental level

    2.5 2 hours

    Input

    • Constructive group discussion

    Output

    • Thorough list of all reorganization projects

    Materials

    • Whiteboard, sticky notes
    • OD Implementation Project Planning Tool

    Participants

    • Implementation Team
    • CIO
    • Senior Management
    1. Divide the group into their department teams to map the dependencies of their tasks created in activity 2.3.
    2. Take the project task sticky notes created in the previous activity and lay them out along a timeline from start to finish.
    3. Determine the dependencies of the tasks internal to the department. Map out the types of dependencies.
      • Finish to Start: Preceding task must be completed before the next can start.
      • Start to Start: Preceding task must start before the next task can start.
      • Finish to Finish: Predecessor must finish before successor can finish.
      • Start to Finish: Predecessor must start before successor can finish.
    4. Bring the group back together and review each group’s timeline and dependencies to make sure that nothing has been missed.
    5. As a group, determine whether there are dependencies that span the departmental lists of projects.
    6. Document all of the dependencies within the department and between departmental lists of projects and tasks in the OD Implementation Project Planning Tool.

    Amalgamate all of the departmental change planning tools into a master copy

    2.6 3 hours

    Input

    • Department-specific copies of the OD Implementation Project Planning Tool

    Output

    • Universal list of all of the change projects

    Materials

    • Whiteboard and sticky notes

    Participants

    • Implementation Project Manager
    • Members of the implementation team for support (optional)
    1. Before starting the activity, gather all of the OD Implementation Project Planning Tools completed at the departmental level.
    2. Review each completed tool and write all of the individual projects with their timelines on sticky notes and place them on the whiteboard.
    3. Build timelines using the documented dependencies for each department. Verify that the resources (time, people, physical) are adequate and feasible.
    4. Combine all of the departmental project planning tools into one master tool to be used to monitor the overall status of the reorganization. Separate the projects based on the departments they are specific to.
    5. Finalize the timeline based on resource approval and using the dependencies mapped out in the previous exercise.
    6. Approve the planning tools and store them in a shared drive so they can be accessed by the implementation team members.

    Create a progress monitoring schedule

    2.7 1 hour weekly

    Input

    • OD Implementation Project Planning Tools (departmental & organizational)

    Output

    • Actions to be taken before the next pulse meeting

    Participants

    • Implementation Project Manager
    • Members of the implementation team for support
    • Senior Management
    1. Hold weekly pulse meetings to keep track of project progress.
    2. The agenda of each meeting should include:
      • Resolutions to problems/complications raised at the previous week’s meeting.
      • Updates on each department’s progress.
      • Raising any issues/complications that have appeared that week.
      • A discussion of potential solutions to the issues/complications.
      • Validating the work that will be completed before the next meeting.
      • Raising any general questions or concerns that have been voiced by staff about the reorganization.
    3. Upload notes from the meeting about resolutions and changes to the schedules to the shared drive containing the tools.
    4. Increase the frequency of the meetings towards the end of the project if necessary.

    Building a holistic change plan enables adoption of the new organizational structure

    CASE STUDY

    Industry: Manufacturing

    Source: CIO

    Challenge

    The CIO was worried about the impending reorganization due to problems that they had run into during the last reorganization they had conducted. The change management projects were not planned well and they led to a lot of uncertainty before and after the implementation.

    No one on the staff was ready for the reorganization. Change projects were completed four months after implementation since many of them had not been predicted and cataloged. This caused major disruptions to their user services leading to drops in user satisfaction.

    Solution

    Using their large and diverse implementation team, they spent a great deal of time during the early stages of planning devoted to brainstorming and documenting all of the potential change projects.

    Through regular meetings, the implementation team was able to iteratively adjust the portfolio of change projects to fit changing needs.

    Results

    Despite having to undergo a major reorganization that involved centralizing their service desk in a different state, there were no disruptions to their user services.

    Since all of the change projects were documented and completed, they were able to move their service desk staff over a weekend to a workspace that was already set up. There were no changes to the user satisfaction scores over the period of their reorganization.

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech workshop

    Book a workshop with our Info-Tech analysts:

    • To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
    • Info-Tech analysts will join you and your team onsite at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.
    • Contact your account manager (www.infotech.com/account), or email Workshops@InfoTech.com for more information.

    The following are sample activities that will be conducted by Info-Tech analysts with your team:

    2.2 Brainstorm Your List of Change Projects

    Review your reorganization plans and facilitate a brainstorming session to identify a complete list of all of the projects needed to implement your new organizational design.

    2.5 Map Out the Dependencies and Resources for Your Change Projects

    Examine your complete list of change projects and determine the dependencies between all of your change projects. Align your project portfolio and resource levels to the projects in order to resource them adequately.

    Phase 3

    Lead Staff Through the Reorganization

    Train managers to lead through change

    Outcomes of this Section:

    • Completed the workshop: Lead Staff Through Organizational Change
    • Managers possess stakeholder engagement plans for each employee
    • Managers are prepared to fulfil their roles in implementing the organizational change

    This section involves the following participants:

    • CIO
    • IT leadership team
    • IT staff

    Key Section Insight:

    The majority of IT managers were promoted because they excelled at the technical aspect of their job rather than in people management. Not providing training is setting your organization up for failure. Train managers to effectively lead through change to see a 72% decrease in change management issues. (Source: Abilla, 2009)

    Phase 3 outline

    Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

    Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

    Guided Implementation 3: Train Managers to Lead Through Change

    Proposed Time to Completion (in weeks): 1-2 weeks

    Step 3.1: Train Your Managers to Lead Through the Change

    Start with an analyst kick off call:

    • Go over the manager training workshop section of this deck.
    • Review the deliverables generated from the workshop (stakeholder engagement plan and conflict style self-assessment).

    Then complete these activities…

    • Conduct the workshop with your managers.

    With these tools & templates:

    • Organizational Design Implementation Manager Training Guide
    • Organizational Design Implementation Stakeholder Engagement Plan Template

    Step 3.2: Debrief After the Workshop

    Review findings with analyst:

    • Discuss the outcomes of the manager training.
    • Mention any feedback.
    • High-level overview of the workshop deliverables.

    Then complete these activities…

    • Encourage participants to review and revise their stakeholder engagement plans.
    • Review the Organizational Design Implementation Transition Plan Template and next steps.

    Get managers involved to address the majority of obstacles to successful change

    Managers all well-positioned to translate how the organizational change will directly impact individuals on their teams.

    Reasons Why Change Fails

    EMPLOYEE RESISTANCE TO CHANGE - 39%

    MANAGEMENT BEHAVIOR NOT SUPPORTIVE OF CHANGE - 33%

    INADEQUATE RESOURCE OR BUDGET - 14%

    OTHER OBSTACLES - 14%

    72% of change management issues can be directly improved by management.

    (Source: shmula)

    Why are managers crucial to organizational change?

    • Managers are extremely well-connected.
      • They have extensive horizontal and vertical networks spanning the organization.
      • Managers understand the informal networks of the organization.
    • Managers are valuable communicators.
      • Managers have established strong relationships with employees.
      • Managers influence the way staff perceive messaging.

    Conduct a workshop with managers to help them lead their teams through change

    Organizational Design Implementation Manager Training Guide

    Give managers the tools and skills to support their employees and carry out difficult conversations.

    Understand the role of management in communicating the change

    Understand reactions to change

    Resolve conflict

    Respond to FAQs

    Monitor and measure employee engagement

    Prepare managers to effectively execute their role in the organizational change by running a 2-hour training workshop.

    Complete the activities on the following slides to:

    • Plan and prepare for the workshop.
    • Execute the group exercises.
    • Help managers develop stakeholder engagement plans for each of their employees.
    • Initiate the McLean Leadership Index™ survey to measure employee engagement.

    Plan and prepare for the workshop

    3.1 Plan and prepare for the workshop.

    Output

    • Workshop participants
    • Completed workshop prep

    Materials

    • Organizational Design Implementation Manager Training Guide

    Instructions

    1. Create a list of all managers that will be responsible for leading their teams through the change.
    2. Select a date for the workshop.
      • The training session will run approximately 2 hours and should be scheduled within a week of when the implementation plan is communicated organization-wide.
    3. Review the material outlined in the presentation and prepare the Organizational Design Implementation Manager Training Guide for the workshop:
      • Copy and print the “Pre-workshop Facilitator Instructions” and “Facilitator Notes” located in the notes section below each slide.
      • Revise frequently asked questions (FAQs) and responses.
      • Delete instruction slides.

    Invite managers to the workshop

    Workshop Invitation Email Template

    Make necessary modifications to the Workshop Invitation Email Template and send invitations to managers.

    Hi ________,

    As you are aware, we are starting to roll out some of the initiatives associated with our organizational change mandate. A key component of our implementation plan is to ensure that managers are well-prepared to lead their teams through the transition.

    To help you proactively address the questions and concerns of your staff, and to ensure that the changes are implemented effectively, we will be conducting a workshop for managers on .

    While the change team is tasked with most of the duties around planning, implementing, and communicating the change organization-wide, you and other managers are responsible for ensuring that your employees understand how the change will impact them specifically. The workshop will prepare you for your role in implementing the organizational changes in the coming weeks, and help you refine the skills and techniques necessary to engage in challenging conversations, resolve conflicts, and reduce uncertainty.

    Please confirm your attendance for the workshop. We look forward to your participation.

    Kind regards,

    Change team

    Prepare managers for the change by helping them build useful deliverables

    ODI Stakeholder Engagement Plan Template & Conflict Style Self-Assessment

    Help managers create useful deliverables that continue to provide value after the workshop is completed.

    Workshop Deliverables

    Organizational Design Implementation Stakeholder Engagement Plan Template

    • Document the areas of change resistance, detachment, uncertainty, and support for each employee.
    • Document strategies to overcome resistance, increase engagement, reduce uncertainty, and leverage their support.
    • Create action items to execute after the workshop.

    Conflict Style Self-Assessment

    • Determine how you approach conflicts.
    • Analyze the strengths and weaknesses of this approach.
    • Identify ways to adopt different conflict styles depending on the situation.

    Book a follow-up meeting with managers and determine which strategies to Start, Stop, or Continue

    3.2 1 hour

    Output

    • Stakeholder engagement templates

    Materials

    • Sticky notes
    • Pen and paper

    Participants

    • Implementation Team
    • Managers
    1. Schedule a follow-up meeting 2–3 weeks after the workshop.
    2. Facilitate an open conversation on approaches and strategies that have been used or could be used to:
      • Overcome resistance
      • Increase engagement
      • Reduce uncertainty
      • Leverage support
    3. During the discussion, document ideas on the whiteboard.
    4. Have participants vote on whether the approaches and strategies should be started, stopped, or continued.
      • Start: actions that the team would like to begin.
      • Stop: actions that the team would like to stop.
      • Continue: actions that work for the team and should proceed.
    5. Encourage participants to review and revise their stakeholder engagement plans.

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech workshop

    Book a workshop with our Info-Tech analysts:

    • To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
    • Info-Tech analysts will join you and your team onsite at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.
    • Contact your account manager (www.infotech.com/account), or email Workshops@InfoTech.com for more information.

    The following are sample activities that will be conducted by Info-Tech analysts with your team:

    3.1 The Change Maze

    Break the ice with an activity that illustrates the discomfort of unexpected change, and the value of timely and instructive communication.

    3.2 Perform a Change Management Retrospective

    Leverage the collective experience of the group. Share challenges and successes from previous organizational changes and apply those lessons to the current transition.

    3.3 Create a Stakeholder Engagement Plan

    Have managers identify areas of resistance, detachment, uncertainty, and support for each employee and share strategies for overcoming resistance and leveraging support to craft an action plan for each of their employees.

    3.4 Conduct a Conflict Style Self-Assessment

    Give participants an opportunity to better understand how they approach conflicts. Administer the Conflict Style Self-Assessment to identify conflict styles and jumpstart a conversation about how to effectively resolve conflicts.

    Transition your staff to their new roles

    Outcomes of this Section:

    • Identified key responsibilities to transition
    • Identified key relationships to be built
    • Built staff individual transition plans and timing

    This section involves the following participants:

    • All IT staff members

    Key Section Insight

    In order to ensure a smooth transition, you need to identify the transition scheduled for each employee. Knowing when they will retire and assume responsibilities and aligning this with the organizational transition will be crucial.

    Phase 3b outline

    Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

    Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

    Guided Implementation 3b: Transition Staff to New Roles

    Proposed Time to Completion (in weeks): 2-4

    Step 4.1: Build Your Transition Plans

    Start with an analyst kick off call:

    • Review the Organizational Design Implementation Transition Plan Template and its contents.
    • Return to the new org structure and project planning tool for information to fill in the template.

    Then complete these activities…

    • Present the template to your managers.
    • Have them fill in the template with their staff.
    • Approve the completed templates.

    With these tools & templates:

    • Organizational Design Implementation Project Planning Tool
    • Organizational Design Implementation Transition Plan Template

    Step 4.2: Finalize Your Transition Plans

    Review findings with analyst:

    • Discuss strategies for timing the transition of your employees.
    • Determine the readiness of your departments for transitioning.

    Then complete these activities…

    • Build a transition readiness timeline of your departments.
    • Move your employees to their new roles.

    With these tools & templates:

    • Organizational Design Implementation Project Planning Tool
    • Organizational Design Implementation Transition Plan Template

    Use Info-Tech’s transition plan template to map out all of the changes your employees will face during reorganization

    Organizational Design Implementation Transition Plan Template

    • Use Info-Tech’s Organizational Design Implementation Transition Plan Template to document (in consultation with your employees) all of the changes individual staff members need to go through in order to transition into their new roles.
    • It provides a holistic view of all of the changes aligned to the change planning dimensions, including:
      • Current and new job responsibilities
      • Outstanding projects
      • Documenting where the employee may be moving
      • Technology changes
      • Required training
      • New relationships that need to be made
      • Risk mitigation
    • The template is designed to be completed by managers for their direct reports.

    Customize the transition plan template for all affected staff members

    4.1 30 minutes per employee

    Output

    • Completed transition plans

    Materials

    • Individual transition plan templates (for each employee)

    Participants

    • Implementation Team
    • Managers
    1. Implementation team members should hold one-on-one meetings with the managers from the departments they represent to go through the transition plan template.
    2. Some elements of the transition plan can be completed at the initial meeting with knowledge from the implementation team and documentation from the new organizational structure:
      • Employee information (except for the planned transition date)
      • New job responsibilities
      • Logistics and technology changes
      • Relationships (recommendations can be made about beneficial relationships to form if the employee is transitioning to a new role)
    3. After the meeting, managers can continue filling in information based on their own knowledge of their employees:
      • Current job responsibilities
      • Outstanding projects
      • Training (identify gaps in the employee’s knowledge if their role is changing)
      • Risks (potential concerns or problems for the employee during the reorganization)

    Verify and complete the individual transition plans by holding one-on-one meetings with the staff

    4.2 30 minutes per employee

    Output

    • Completed transition plans

    Materials

    • Individual transition plan templates (for each employee)

    Participants

    • Managers
    • Staff (Managers’ Direct Reports)
    1. After the managers complete everything they can in the transition plan templates, they should schedule one-on-one meetings with their staff to review the completed document to ensure the information is correct.
    2. Begin the meeting by verifying the elements that require the most information from the employee:
      • Current job responsibilities
      • Outstanding projects
      • Risks (ask about any problems or concerns they may have about the reorganization)
    3. Discuss the following elements of the transition plan to get feedback:
      • Training (ask if there is any training they feel they may need to be successful at the organization)
      • Relationships (determine if there are any relationships that the employee would like to develop that you may have missed)
    4. Since this may be the first opportunity that the staff member has had to discuss their new role (if they are moving to one), review their new job title and new job responsibilities with them. If employees are prepared for their new role, they may feel more accountable for quickly adopting the reorganization.
    5. Document any questions that they may have so that they can be answered in future communications from the implementation team.
    6. After completing the template, managers will sign off on the document in the approval section.

    Validate plans with organizational change project manager and build the transition timeline

    4.3 3 hours

    Input

    • Individual transition plans
    • Organizational Design Implementation Project Planning Tool

    Output

    • Timeline outlining departmental transition readiness

    Materials

    • Whiteboard

    Participants

    • Implementation Project Manager
    • Implementation Team
    • Managers
    1. After receiving all of the completed individual transition plan templates from managers, members of the implementation team need to approve the contents of the templates (for the departments that they represent).
    2. Review the logistics and technology requirements for transition in each of the templates and align them with the completion dates of the related projects in the Project Planning Tool. These dates will serve as the earliest possible time to transition the employee. Use the latest date from the list to serve as the date that the whole department will be ready to transition.
    3. Hand the approved transition plan templates and the dates at which the departments will be ready for transitioning to the Implementation Project Manager.
    4. The Project Manager needs to verify the contents of the transition plans and approve them.
    5. On a calendar or whiteboard, list the dates that each department will be ready for transitioning.
    6. Review the master copy of the Project Planning Tool. Determine if the outstanding projects limit your ability to transition the departments (when they are ready to transition). Change the ready dates of the departments to align with the completion dates of those projects.
    7. Use these dates to determine the timeline for when you would like to transition your employees to their new roles.

    Overcoming inexperience by training managers to lead through change

    CASE STUDY

    Industry: Manufacturing

    Source: CIO

    Challenge

    The IT department had not undergone a major reorganization in several years. When they last reorganized, they experienced high turnover and decreased business satisfaction with IT.

    Many of the managers were new to their roles and only one of them had been around for the earlier reorganization. They lacked experience in leading their staff through major organizational changes.

    One of the major problems they faced was addressing the concerns, fears, and resistance of their staff properly.

    Solution

    The implementation team ran a workshop for all of the managers in the department to train them on the change and how to communicate the impending changes to their staff. The workshop included information on resistance and conflict resolution.

    The workshop was conducted early on in the planning phases of the reorganization so that any rumors or gossip could be addressed properly and quickly.

    Results

    The reorganization was well accepted by the staff due to the positive reinforcement from their managers. Rumors and gossip about the reorganization were under control and the staff adopted the new organizational structure quickly.

    Engagement levels of the staff were maintained and actually improved by 5% immediately after the reorganization.

    Voluntary turnover was minimal throughout the change as opposed to the previous reorganization where they lost 10% of their staff. There was an estimated cost savings of $250,000–$300,000.

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech workshop

    Book a workshop with our Info-Tech analysts:

    • To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
    • Info-Tech analysts will join you and your team onsite at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.
    • Contact your account manager (www.infotech.com/account), or email Workshops@InfoTech.com for more information.

    The following are sample activities that will be conducted by Info-Tech analysts with your team:

    3.2.1 Build Your Staff Transition Plan

    Review the contends of the staff transition plan, and using the organizational change map as a guide, build the transition schedule for one employee.

    3.2.1 Review the Transition Plan With the Transition Team

    Review and validate the results for your transition team schedule with other team members. As a group, discuss what makes this exercise difficult and any ideas for how to simplify the exercise.

    Works cited

    American Productivity and Quality Center. “Motivation Strategies.” Potentials Magazine. Dec. 2004. Web. November 2014.

    Bersin, Josh. “Time to Scrap Performance Appraisals?” Forbes Magazine. 5 June 2013. Web. 30 Oct 2013.

    Bridges, William. Managing Transitions, 3rd Ed. Philadelphia: Da Capo Press, 2009.

    Buckley, Phil. Change with Confidence – Answers to the 50 Biggest Questions that Keep Change Leaders up at Night. Canada: Jossey-Bass, 2013.

    “Change and project management.” Change First. 2014. Web. December 2009. <http://www.changefirst.com/uploads/documents/Change_and_project_management.pdf>.

    Cheese, Peter, et al. “Creating an Agile Organization.” Accenture. Oct. 2009. Web. Nov. 2013.

    Croxon, Bruce et al. “Dinner Series: Performance Management with Bruce Croxon from CBC's 'Dragon's Den.'” HRPA Toronto Chapter. Sheraton Hotel, Toronto, ON. 12 Nov. 2013. Panel discussion.

    Culbert, Samuel. “10 Reasons to Get Rid of Performance Reviews.” Huffington Post Business. 18 Dec. 2012. Web. 28 Oct. 2013. <http://www.huffingtonpost.com/samuel-culbert/performance-reviews_b_2325104.html>.

    Denning, Steve. “The Case Against Agile: Ten Perennial Management Objections.” Forbes Magazine. 17 Apr. 2012. Web. Nov. 2013.

    Works cited cont.

    “Establish A Change Management Structure.” Human Technology. Web. December 2014.

    Estis, Ryan. “Blowing up the Performance Review: Interview with Adobe’s Donna Morris.” Ryan Estis & Associates. 17 June 2013. Web. Oct. 2013. <http://ryanestis.com/adobe-interview/>.

    Ford, Edward L. “Leveraging Recognition: Noncash incentives to Improve Performance.” Workspan Magazine. Nov 2006. Web. Accessed May 12, 2014.

    Gallup, Inc. “Gallup Study: Engaged Employees Inspire Company Innovation.” Gallup Management Journal. 12 Oct. 2006. Web. 12 Jan 2012.

    Gartside, David, et al. “Trends Reshaping the Future of HR.” Accenture. 2013. Web. 5 Nov. 2013.

    Grenville-Cleave, Bridget. “Change and Negative Emotions.” Positive Psychology News Daily. 2009.

    Heath, Chip, and Dan Heath. Switch: How to Change Things When Change Is Hard. Portland: Broadway Books. 2010.

    HR Commitment AB. Communicating organizational change. 2008.

    Keller, Scott, and Carolyn Aiken. “The Inconvenient Truth about Change Management.” McKinsey & Company, 2009. <http://www.mckinsey.com/en.aspx>.

    Works cited cont.

    Kotter, John. “LeadingChange: Why Transformation Efforts Fail.” Harvard Business Review. March-April 1995. <http://hbr.org>.

    Kubler-Ross, Elisabeth and David Kessler. On Grief and Grieving: Finding the Meaning of Grief Through the Five Stages of Loss. New York: Scribner. 2007.

    Lowlings, Caroline. “The Dangers of Changing without Change Management.” The Project Manager Magazine. December 2012. Web. December 2014. <http://changestory.co.za/the-dangers-of-changing-without-change-management/>.

    “Managing Change.” Innovative Edge, Inc. 2011. Web. January 2015. <http://www.getcoherent.com/managing.html>.

    Muchinsky, Paul M. Psychology Applied to Work. Florence: Thomson Wadsworth, 2006.

    Nelson, Kate and Stacy Aaron. The Change Management Pocket Guide, First Ed., USA: Change Guides LLC, 2005.

    Nguyen Huy, Quy. “In Praise of Middle Managers.” Harvard Business Review. 2001. Web. December 2014. <https://hbr.org/2001/09/in-praise-of-middle-managers/ar/1>

    “Only One-Quarter of Employers Are Sustaining Gains From Change Management Initiatives, Towers Watson Survey Finds.” Towers Watson. August 2013. Web. January 2015. <http://www.towerswatson.com/en/Press/2013/08/Only-One-Quarter-of-Employers-Are-Sustaining-Gains-From-Change-Management>.

    Shmula. “Why Transformation Efforts Fail.” Shmula.com. September 28, 2009. <http://www.shmula.com/why-transformation-efforts-fail/1510/>

    Hire or Develop a World-Class CISO

    • Buy Link or Shortcode: {j2store}243|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Security Strategy & Budgeting
    • Parent Category Link: /security-strategy-and-budgeting
    • It is difficult to find a “unicorn”: a candidate who is already fully developed in all areas.
    • The role of the CISO has changed so much in the past three years, it is unclear what competencies are most important.
    • Current CISOs need to scope out areas of future development.

    Our Advice

    Critical Insight

    The new security leader must be strategic, striking a balance between being tactical and taking a proactive security stance. They must incorporate security into business practices from day one and enable secure adoption of new technologies and business practices.

    Impact and Result

    • Clarify the competencies that are important to your organizational needs and use them to find a candidate with those specific strengths.
    • If you are a current CISO, complete a self-assessment and identify your high-priority competency gaps so you can actively work to develop those areas.
    • Create an actionable plan to develop the CISO’s capabilities and regularly reassess these items to ensure constant improvement.

    Hire or Develop a World-Class CISO Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Hire of Develop a World-Class CISO Deck – A step-by-step guide on finding or developing the CISO that best fits your organization.

    Use this blueprint to hire or develop a world-class Chief Information Security Officer (CISO) with the competencies that suit your specific organizational needs. Once you have identified the right candidate, create a plan to develop your CISO.

    • Hire or Develop a World-Class CISO – Phases 1-4

    2. CISO Core Competency Evaluation Tool – Determine which competencies your organization needs and which competencies your CISO needs to work on.

    This tool will help you determine which competencies are a priority for your organizational needs and which competencies your CISO needs to develop.

    • CISO Core Competency Evaluation Tool

    3. CISO Stakeholder Power Map Template – Visualize stakeholder and CISO relationships.

    Use this template to identify stakeholders who are key to your security initiatives and to understand your relationships with them.

    • CISO Stakeholder Power Map Template

    4. CISO Stakeholder Management Strategy Template – Develop a strategy to improve stakeholder and CISO relationships.

    Create a strategy to cultivate your stakeholder relationships and manage each relationship in the most effective way.

    • CISO Stakeholder Management Strategy Template

    5. CISO Development Plan Template – Develop a plan to support a world-class CISO.

    This tool will help you create and implement a plan to remediate competency gaps.

    • CISO Development Plan Template

    Infographic

    Further reading

    Hire or Develop a World-Class CISO

    Find a strategic and security-focused champion for your business.

    Analyst Perspective

    Create a plan to become the security leader of tomorrow

    The days are gone when the security leader can stay at a desk and watch the perimeter. The rapidly increasing sophistication of technology, and of attackers, has changed the landscape so that a successful information security program must be elastic, nimble, and tailored to the organization’s specific needs.

    The Chief Information Security Officer (CISO) is tasked with leading this modern security program, and this individual must truly be a Chief Officer, with a finger on the pulses of the business and security processes at the same time. The modern, strategic CISO must be a master of all trades.

    A world-class CISO is a business enabler who finds creative ways for the business to take on innovative processes that provide a competitive advantage and, most importantly, to do so securely.

    Cameron Smith, Research Lead, Security and Privacy

    Cameron Smith
    Research Lead, Security & Privacy
    Info-Tech Research Group

    Executive Summary

    Your Challenge

    • CEOs/CXOs are looking to hire or develop a senior security leader and aren’t sure where to start.
    • Conversely, security practitioners are looking to upgrade their skill set and are equally stuck in terms of what an appropriate starting point is.
    • Organizations are looking to optimize their security plans and move from a tactical position to a more strategic one.

    Common Obstacles

    • It is difficult to find a “unicorn”: a candidate who is already fully developed in all areas.
    • The role of the CISO has changed so much in the past three years, it is unclear what competencies are most important.
    • You are a current CISO and need to scope out your areas of future development.

    Info-Tech’s Approach

    • Clarify the competencies that are important to your organizational needs and use them to find a candidate with those specific strengths.
    • If you are a current CISO, complete a self-assessment and identify your high-priority competency gaps so you can actively work to develop those areas.
    • Create an actionable plan to develop the CISO’s capabilities and regularly reassess these items to ensure constant improvement.

    Info-Tech Insight
    The new security leader must be strategic, striking a balance between being tactical and taking a proactive security stance. They must incorporate security into business practices from day one and enable secure adoption of new technologies and business practices.

    Your challenge

    This Info-Tech blueprint will help you hire and develop a strategic CISO

    • Security without strategy is a hacker’s paradise.
    • The outdated model of information security is tactical, where security acts as a watchdog and responds.
    • The new security leader must be strategic, striking a balance between being tactical and taking a proactive security stance. They must incorporate security into business practices from day one and enable secure adoption of new technologies and business practices.

    Around one in five organizations don’t have an individual with the sole responsibility for security1

    1 Navisite

    Info-Tech Insight
    Assigning security responsibilities to departments other than security can lead to conflicts of interest.

    Common obstacles

    It can be difficult to find the right CISO for your organization

    • The smaller the organization, the less likely it will have a CISO or equivalent position.
    • Because there is a shortage of qualified candidates, qualified CISOs can demand high salaries and many CISO positions will go unfilled.
    • It is easier for larger companies to attract top CISO talent, as they generally have more resources available.

    Source: Navisite

    Only 36% of small businesses have a CISO (or equivalent position).

    48% of mid-sized businesses have a CISO.

    90% of large organizations have a CISO.

    Source: Navisite

    Strategic versus tactical

    CISOs should provide leadership based on a strategic vision 1

    Strategic CISO Tactical CISO

    Proactive

    Focus is on protecting hyperdistributed business processes and data

    Elastic, flexible, and nimble

    Engaged in business design decisions

    Speaks the language of the audience (e.g. business, financial, technical)

    Reactive

    Focus is on protecting current state

    Perimeter and IT-centric approach

    Communicates with technical jargon

    1 Journal of Computer Science and Information Technology

    Info-Tech has identified three key behaviors of the world-class CISO

    To determine what is required from tomorrow’s security leader, Info-Tech examined the core behaviors that make a world-class CISO. These are the three areas that a CISO engages with and excels in.

    Later in this blueprint, we will review the competencies and skills that are required for your CISO to perform these behaviors at a high level.

    Align

    Aligning security enablement with business requirements

    Enable

    Enabling a culture of risk management

    Manage

    Managing talent and change

    Info-Tech Insight
    Through these three overarching behaviors, you can enable a security culture that is aligned to the business and make security elastic, flexible, and nimble to maintain the business processes.

    Info-Tech’s approach

    Understand what your organization needs in a CISO: Consider the core competencies of a CISO. Assess: Assess candidates' core competencies and the CISO's stakeholder relationships. Plan improvements: Identify resources to close competency gaps and an approach to improve stakeholder relationships. Executive development: Decide next steps to support your CISO moving forward and regularly reassess to measure progress.

    Info-Tech’s methodology to Develop or Hire a World-Class CISO

    1. Launch 2. Assess 3. Plan 4. Execute
    Phase Steps
    1. Understand the core competencies
    2. Measure security and business satisfaction and alignment
    1. Assess stakeholder relationships
    2. Assess core competencies
    1. Identify resources to address your CISO’s competency gaps
    2. Plan an approach to improve stakeholder relationships
    1. Decide next actions and support your CISO moving forward
    2. Regularly reassess to measure development and progress
    Phase Outcomes

    At the end of this phase, you will have:

    • Determined the current gaps in satisfaction and business alignment for your IT security program.
    • Identified the desired qualities in a security leader, specific to your current organizational needs.

    At the end of this phase, you will have:

    • Used the core competencies to help identify the ideal candidate.
    • Identified areas for development in your new or existing CISO.
    • Determined stakeholder relationships to cultivate.

    At the end of this phase, you will have:

    • Created a high-level plan to address any deficiencies.
    • Improved stakeholder relations.

    At the end of this phase, you will have:

    • Created an action-based development plan, including relevant metrics, due dates, and identified stakeholders. This plan is the beginning, not the end. Continually reassessing your organizational needs and revisiting this blueprint’s method will ensure ongoing development.

    Blueprint deliverables

    Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:

    CISO Core Competency Evaluation Tool

    Assess the competency levels of a current or prospective CISO and identify areas for improvement.

    Stakeholder Power Map Template

    Visualize the importance of various stakeholders and their concerns.

    Stakeholder Management Strategy Template

    Document a plan to manage stakeholders and track actions.

    Key deliverable:

    CISO Development Plan Template

    The CISO Development Plan Template is used to map specific activities and time frames for competency development to address gaps and achieve your goal.

    Strategic competencies will benefit the organization and the CISO

    Career development should not be seen as an individual effort. By understanding the personal core competencies that Info-Tech has identified, the individual wins by developing relevant new skills and the organization wins because the CISO provides increased value.

    Organizational Benefits Individual Benefits
    • Increased alignment between security and business objectives
    • Development of information security that is elastic, nimble, and flexible for the business
    • Reduction in wasted efforts and resources, and improvement in efficiency of security and the organization as a whole
    • True synergy between security and business stakeholders, where the goals of both groups are being met
    • Increased opportunity as you become a trusted partner within your organization
    • Improved relationships with peers and stakeholders
    • Less resistance and more support for security initiatives
    • More involvement and a stronger role for security at all levels of the organization

    Measured value of a world-class CISO

    Organizations with a CISO saw an average of $145,000 less in data breach costs.1

    However, we aren’t talking about hiring just any CISO. This blueprint seeks to develop your CISO’s competencies and reach a new level of effectiveness.

    Organizations invest a median of around $375,000 annually in their CISO.2 The CISO would have to be only 4% more effective to represent $15,000 more value from this position. This would offset the cost of an Info-Tech workshop, and this conservative estimate pales in comparison to the tangible and intangible savings as shown below.

    Your specific benefits will depend on many factors, but the value of protecting your reputation, adopting new and secure revenue opportunities, and preventing breaches cannot be overstated. There is a reason that investment in information security is on the rise: Organizations are realizing that the payoff is immense and the effort is worthwhile.

    Tangible cost savings from having a world-class CISO Intangible cost savings from having a world-class CISO
    • Cost savings from incident reduction.
    • Cost savings achieved through optimizing information security investments, resulting in savings from previously misdiagnosed issues.
    • Cost savings from ensuring that dollars spent on security initiatives support business strategy.
    • More opportunities to create new business processes through greater alignment between security and business.
    • Improved reputation and brand equity achieved through a proper evaluation of the organization’s security posture.
    • Continuous improvement achieved through a good security assessment and measurement strategy.
    • Ability to plan for the future since less security time will be spent firefighting and more time will be spent engaged with key stakeholders.

    1 IBM Security
    2 Heidrick & Struggles International, Inc.

    Case Study

    In the middle of difficulty lies opportunity

    SOURCE
    Kyle Kennedy
    CISO, CyberSN.com

    Challenge
    The security program identified vulnerabilities at the database layer that needed to be addressed.

    The decision was made to move to a new vendor. There were multiple options, but the best option in the CISO’s opinion was a substantially more expensive service that provided more robust protection and more control features.

    The CISO faced the challenge of convincing the board to make a financial investment in his IT security initiative to implement this new software.

    Solution
    The CISO knew he needed to express this challenge (and his solution!) in a way that was meaningful for the executive stakeholders.

    He identified that the business has $100 million in revenue that would move through this data stream. This new software would help to ensure the security of all these transactions, which they would lose in the event of a breach.

    Furthermore, the CISO identified new business plans in the planning stage that could be protected under this initiative.

    Results
    The CISO was able to gain support for and implement the new database platform, which was able to protect current assets more securely than before. Also, the CISO allowed new revenue streams to be created securely.

    This approach is the opposite of the cautionary tales that make news headlines, where new revenue streams are created before systems are put in place to secure them.

    This proactive approach is the core of the world-class CISO.

    Info-Tech offers various levels of support to best suit your needs

    Guided Implementation

    What does a typical GI on this topic look like?

    Launch Assess Plan Execute

    Call #1: Review and discuss CISO core competencies.

    Call #2: Discuss Security Business Satisfaction and Alignment diagnostic results.

    Call #3: Discuss the CISO Stakeholder Power Map Template and the importance of relationships.

    Call #4: Discuss the CISO Core Competency Evaluation Tool.

    Call #5: Discuss results of the CISO Core Competency Evaluation and identify resources to close gaps.

    Call #6: Review organizational structure and key stakeholder relationships.

    Call #7: Discuss and create your CISO development plan and track your development

    A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

    A typical GI is 6 to 10 calls over the course of 3 to 6 months.

    Phase 1

    Launch

    Phase 1
    1.1 Understand Core Competencies
    1.2 Measure Security and Business Satisfaction and Alignment

    Phase 2
    2.1 Assess Stakeholder Relationships
    2.2 Assess the Core Competencies

    Phase 3
    3.1 Identify Resources to Address Competency Gaps
    3.2 Plan Approach to Improve Stakeholder Relationships

    Phase 4
    4.1 Decide Next Actions and Support Your CISO Moving Forward
    4.2 Regularly Reassess to Measure Development and Progress

    This phase will walk you through the following activities:

    • Review and understand the core competencies of a world-class CISO.
    • Launch your diagnostic survey.
    • Evaluate current business satisfaction with IT security.
    • Determine the competencies that are valuable to your IT security program’s needs.

    Hire or Develop a World-Class CISO

    Case study

    Mark Lester
    InfoSec Manager, SC Ports Authority

    An organization hires a new Information Security Manager into a static and well-established IT department.

    Situation: The organization acknowledges the need for improved information security, but there is no framework for the Security Manager to make successful changes.

    Challenges Next Steps
    • The Security Manager is an outsider in a company with well-established habits and protocols. He is tasked with revamping the security strategy to create unified threat management.
    • Initial proposals for information security improvements are rejected by executives. It is a challenge to implement changes or gain support for new initiatives.
    • The Security Manager will engage with individuals in the organization to learn about the culture and what is important to them.
    • He will assess existing misalignments in the business so that he can target problems causing real pains to individuals.

    Follow this case study throughout the deck to see this organization’s results

    Step 1.1

    Understand the Core Competencies of a World-Class CISO

    Activities

    Review core competencies the security leader must develop to become a strategic business partner

    This step involves the following participants:

    • CEO or other executive seeking to hire/develop a CISO

    or

    • Current CISO seeking to upgrade capabilities

    Outcomes of this step
    Analysis and understanding of the eight strategic CISO competencies required to become a business partner

    Launch

    Core competencies

    Info-Tech has identified eight core competencies affecting the CISO’s progression to becoming a strategic business partner.

    Business Acumen
    A CISO must focus primarily on the needs of the business.

    Leadership
    A CISO must be a security leader and not simply a practitioner.

    Communication
    A CISO must have executive communication skills

    Technical Knowledge
    A CISO must have a broad technical understanding.

    Innovative Problem Solving
    A good CISO doesn’t just say “no,” but rather finds creative ways to say “yes.”

    Vendor Management
    Vendor and financial management skills are critical to becoming a strategic CISO.

    Change Management
    A CISO improves security processes by being an agent of change for the organization.

    Collaboration
    A CISO must be able to use alliances and partnerships strategically.

    1.1 Understand the core competencies a CISO must focus on to become a strategic business partner

    < 1 hour

    Over the next few slides, review each world-class CISO core competency. In Step 1.2, you will determine which competencies are a priority for your organization.

    CISO Competencies Description
    Business Acumen

    A CISO must focus primarily on the needs of the business and how the business works, then determine how to align IT security initiatives to support business initiatives. This includes:

    • Contributing to business growth with an understanding of the industry, core functions, products, services, customers, and competitors.
    • Understanding the business’ strategic direction and allowing it to securely capitalize on opportunities.
    • Understanding the key drivers of business performance and the use of sound business practice.
    Leadership

    A CISO must be a security leader, and not simply a practitioner. This requires:

    • Developing a holistic view of security, risk, and compliance for the organization.
    • Fostering a culture of risk management.
    • Choosing a strong team. Having innovative and reliable employees who do quality work is a critical component of an effective department.
      • This aspect involves identifying talent, engaging your staff, and managing their time and abilities.

    1.1 Understand the core competencies (continued)

    CISO Competencies Description
    Communication

    Many CISOs believe that using technical jargon impresses their business stakeholders – in fact, it only makes business stakeholders become confused and disinterested. A CISO must have executive communication skills. This involves:

    • Clearly communicating with business leaders in meaningful language (i.e. business, financial, social) that they understand by breaking down the complexities of IT security into simple and relatable concepts.
    • Not using acronyms or technological speak. Easy-to-understand translations will go a long way.
    • Strong public speaking and presentation abilities.
    Technical Knowledge

    A CISO must have a broad technical understanding of IT security to oversee a successful security program. This includes:

    • Understanding key security and general IT technologies and processes.
    • Assembling a complementary team, because no individual can have deep knowledge in all areas.
    • Maintaining continuing education to stay on top of emerging technologies and threats.

    1.1 Understand the core competencies (continued)

    CISO Competencies Description
    Innovative Problem Solving

    A good CISO doesn’t just say “no,” but rather finds creative ways to say “yes.” This can include:

    • Taking an active role in seizing opportunities created by emerging technologies.
    • Facilitating the secure implementation of new, innovative revenue models.
    • Developing solutions for complex business problems that require creativity and ingenuity.
    • Using information and technology to drive value around the customer experience.
    Vendor Management

    With the growing use of “anything as a service,” negotiation, vendor, and financial management skills are critical to becoming a strategic CISO.

    • The CISO must be able to evaluate service offerings and secure favorable contracts with the right provider. It is about extracting the maximum value from vendors for the dollars you are spending.
    • Vendor products must be aligned with future business plans to create maximum ongoing value.
    • The CISO must develop financial management skills. This includes the ability to calculate total cost of ownership, return on investment, and project spending over multiyear business plans.

    1.1 Understand the core competencies (continued)

    CISO Competencies Description
    Change Management

    A world-class CISO improves security processes by being an agent of change for the organization. This involves:

    • Leading, guiding, and motivating teams to adopt a responsible risk management culture.
    • Communicating important and complex ideas in a persuasive way.
    • Demonstrating an ability to change themselves and taking the initiative in adopting more efficient behaviors.
    • Handling unplanned change, such as unforeseen attacks or personnel changes, in a professional and proactive manner.
    Collaboration

    A CISO must be able to use alliances and partnerships strategically to benefit both the business and themselves. This includes:

    • Identifying formal and informal networks and constructive relationships to enable security development.
    • Leveraging stakeholders to influence positive outcomes for the organization.
    • Getting out of the IT or IT security sphere and engaging relationships in diverse areas of the organization.

    Step 1.2

    Evaluate satisfaction and alignment between the business and IT security

    Activities

    • Conduct the Information Security Business Satisfaction and Alignment diagnostic
    • Use your results as input into the CISO Core Competency Evaluation Tool

    This step involves the following participants:

    • CEO or other executive seeking to hire/develop a CISO

    or

    • Current CISO seeking to upgrade capabilities

    Outcomes of this step
    Determine current gaps in satisfaction and alignment between information security and your organization.

    If seeking to hire/develop a CISO: Your diagnostic results will help develop a profile of the ideal CISO candidate to use as a hiring and interview guide.

    If developing a current CISO, use your diagnostic results to identify existing competency gaps and target them for improvement.

    For the CISO seeking to upgrade capabilities: Use the core competencies guide to self-assess and identify competencies that require improvement.

    Launch

    1.2 Get started by conducting Info-Tech’s Information Security Business Satisfaction and Alignment diagnostic

    Suggested Time: One week for distribution, completion, and collection of surveys
    One-hour follow-up with an Info-Tech analyst

    The primary goal of IT security is to protect the organization from threats. This does not simply mean bolting everything down, but it means enabling business processes securely. To do this effectively requires alignment between IT security and the overall business.

    • Once you have completed the diagnostic, call Info-Tech to review your results with one of our analysts.
    • The results from this assessment will provide insights to inform your entries in the CISO Core Competency Evaluation Tool.

    Call an analyst to review your results and provide you with recommendations.

    Info-Tech Insight
    Focus on the high-priority competencies for your organization. You may find a candidate with perfect 10s across the board, but a more pragmatic strategy is to find someone with strengths that align with your needs. If there are other areas of weakness, then target those areas for development.

    1.2 Use Info-Tech’s CISO Core Competency Evaluation Tool to understand your organizational needs

    After completing the Info-Tech diagnostic, use the CISO Core Competency Evaluation Tool to determine which CISO competencies are a priority for your organization.

    • Your diagnostic results will indicate where your information security program is aligned well or poorly with your business.
    • For example, the diagnostic may show significant misalignment between information security and executives over the level of external compliance. The CISO behavior that would contribute to solving this is aligning security enablement with business requirements.
      • This misalignment may be due to a misunderstanding by either party. The competencies that will contribute to resolving this are communication, technical knowledge, and business acumen.
      • This mapping method is what will be used to determine which competencies are most important for your needs at the present moment.

    Download the CISO Core Competency Evaluation Tool

    1.2 Use Info-Tech’s CISO Core Competency Evaluation Tool to understand your organizational needs

    After completing the Info-Tech diagnostic, use the CISO Core Competency Evaluation Tool to determine which CISO competencies are a priority for your organization.

    1. Starting on Tab 2: CISO Core Competencies, use your understanding of each competency from section 1.1 along with the definitions described in the tool.
      • For each competency, assign a degree of importance using the drop-down menu in the second column from the right.
      • Importance ratings will range from not at all important at the low end to critically important at the high end.
      • Your importance score will be influenced by several factors, including:
        • The current alignment of your information security department.
        • Your organizational security posture.
        • The size and structure of your organization.
        • The existing skills and maturity within your information security department.

    Download the CISO Core Competency Evaluation Tool

    1.2 Use Info-Tech’s CISO Core Competency Evaluation Tool to understand your organizational needs

    After completing the Info-Tech diagnostic, use the CISO Core Competency Evaluation Tool to determine which CISO competencies are a priority for your organization.

    1. Still on Tab 2. CISO Core Competencies, you will now assign a current level of effectiveness for each competency.
      • This will range from foundational at a low level of effectiveness up to capable, then inspirational, and at the highest rating, transformational.
      • Again, this rating will be very specific to your organization, depending on your structure and your current employees.
      • Fundamentally, these scores will reflect what you want to improve in the area of information security. This is not an absolute scale, and it will be influenced by what skills you want to support your goals and direction as an organization.

    Download the CISO Core Competency Evaluation Tool

    Phase 2

    Assess

    Phase 1
    1.1 Understand Core Competencies
    1.2 Measure Security and Business Satisfaction and Alignment

    Phase 2
    2.1 Assess Stakeholder Relationships
    2.2 Assess the Core Competencies

    Phase 3
    3.2 Plan Approach to Improve Stakeholder Relationships

    Phase 4
    4.1 Decide Next Actions and Support Your CISO Moving Forward
    4.2 Regularly Reassess to Measure Development and Progress

    This phase will walk you through the following activities:

    • Use the CISO Core Competency Evaluation Tool to create and implement an interview guide.
    • Assess and analyze the core competencies of your prospective CISOs. Or, if you are a current CISO, use the CISO Core Competency Evaluation Tool as a self-analysis and identify areas for personal development.
    • Evaluate the influence, impact, and support of key executive business stakeholders using the CISO Stakeholder Power Map Template.

    Hire or Develop a World-Class CISO

    Case study

    Mark Lester
    InfoSec Manager, SC Ports Authority

    The new Security Manager engages with employees to learn the culture.

    Outcome: Understand what is important to individuals in order to create effective collaboration. People will engage with a project if they can relate it to something they value.

    Actions Next Steps
    • The Security Manager determines that he must use low-cost small wins to integrate with the organizational culture and create trust and buy-in and investment will follow.
    • The Security Manager starts a monthly newsletter to get traction across the organization, create awareness of his mandate to improve information security, and establish himself as a trustworthy partner.
    • The Security Manager will identify specific ways to engage and change the culture.
    • Create a persuasive case for investing in information security based on what resonates with the organization.

    Follow this case study throughout the deck to see this organization’s results

    Step 2.1

    Identify key stakeholders for the CISO and assess current relationships

    Activities

    Evaluate the power, impact, and support of key stakeholders

    This step involves the following participants:

    • CEO or other executive seeking to hire/develop a CISO

    or

    • Current CISO seeking to upgrade capabilities

    Outcomes of this step

    • Power map of executive business stakeholders
    • Evaluation of each stakeholder in terms of influence, impact, and current level of support

    Assess

    Identify key stakeholders who own business processes that intersect with security processes

    Info-Tech Insight
    Most organizations don’t exist for the sole purpose of doing information security. For example, if your organization is in the business of selling pencils, then information security is in business to enable the selling of pencils. All the security in the world is meaningless if it doesn’t enable your primary business processes. The CISO must always remember the fundamental goals of the business.

    The above insight has two implications:

    1. The CISO needs to understand the key business processes and who owns them, because these are the people they will need to collaborate with. Like any C-level, the CISO should be one of the most knowledgeable people in the organization regarding business processes.
    2. Each of these stakeholders stands to win or lose depending on the performance of their process, and they can act to either block or enable your progress.
      • To work effectively with these stakeholders, you must learn what is important to them, and pose your initiatives so that you both benefit.

    When people are not receptive to the CISO, it’s usually because the CISO has not been part of the discussion when plans were being made. This is the heart of proactivity.

    You need to be involved from the start … from the earliest part of planning.

    The job is not to come in late and say “No” ... the job is to be involved early and find creative and intelligent ways to say “Yes.”

    The CISO needs to be the enabling security asset that drives business.

    – Elliot Lewis, CEO at Keyavi Data

    Evaluate the importance of business stakeholders and the support necessary from them

    The CISO Stakeholder Power Map Template is meant to provide a visualization of the CISO’s relationships within the organization. This should be a living document that can be updated throughout the year as relationships develop and the structure of an organization changes.

    At a glance, this tool should show:

    • How influential each stakeholder is within the company.
    • How supportive they currently are of the CISO’s initiatives.
    • How strongly each person is impacted by IT security activities.

    Once this tool has been created, it provides a good reference as the CISO works to develop lagging relationships. It shows the landscape of influence and impact within the organization, which may help to guide the CISO’s strategy in the future.

    Evaluate the importance of business stakeholders and the support necessary from them

    Download the CISO Stakeholder Power Map Template

    Evaluate the importance of business stakeholders and the support necessary from them

    1. Identify key stakeholders.
      1. Focus on owners of important business processes.
    2. Evaluate and map each stakeholder in terms of:
      1. Influence (up/down)
      2. Support (left/right)
      3. Impact (size of circle)
      4. Involvement (color of circle)
    3. Decide whether the level of support from each stakeholder needs to change to facilitate success.

    Evaluate the importance of business stakeholders and the support necessary from them

    Info-Tech Insight
    Some stakeholders must work closely with your incoming CISO. It is worth consideration to include these individuals in the interview process to ensure you will have partners that can work well together. This small piece of involvement early on can save a lot of headache in the future.

    Where can you find your desired CISO?

    Once you know which competencies are a priority in your new CISO, the next step is to decide where to start looking. This person may already exist in your company.

    Internal

    Take some time to review your current top information security employees or managers. It may be immediately clear that certain people will or will not be suitable for the CISO role. For those that have potential, proceed to Step 2.2 to map their competencies.

    Recruitment

    If you do not have any current employees that will fit your new CISO profile, or you have other reasons for wanting to bring in an outside individual, you can begin the recruitment process. This could start by posting the position for applications or by identifying and targeting specific candidates.

    Ready to start looking for your ideal candidate? You can use Info-Tech’s Chief Information Security Officer job description template.

    Use the CISO job description template

    Alternatives to hiring a CISO

    Small organizations are less able to muster the resources required to find and retain a CISO,

    Technical Counselor Seat

    In addition to having access to our research and consulting services, you can acquire a Technical Counselor Seat from our Security & Risk practice, where one of our senior analysts would serve with you on a retainer. You may find that this option saves you the expense of having to hire a new CISO altogether.

    Virtual CISO

    A virtual CISO, or vCISO, is essentially a “CISO as a service.” A vCISO provides an organization with an experienced individual that can, on a part-time basis, lead the organization’s security program through policy and strategy development.

    Why would an organization consider a vCISO?

    • A vCISO can provide services that are flexible, technical, and strategic and that are based on the specific requirements of the organization.
    • They can provide a small organization with program maturation within the organization’s resources.
    • They can typically offer depth of experience beyond what a small business could afford if it were to pursue a full-time CISO.

    Source: InfoSec Insights by Sectigo Store

    Why would an organization not consider a vCISO?

    • The vCISO’s attention is divided among their other clients.
    • They won’t feel like a member of your organization.
    • They won’t have a deep understanding of your systems and processes.

    Source: Georgia State University

    Step 2.2

    Assess CISO candidates and evaluate their current competency

    Activities

    Assess CISO candidates in terms of desired core competencies

    or

    Self-assess your personal core competencies

    This step involves the following participants:

    • CEO or other executive seeking to hire/develop a CISO

    or

    • Current CISO seeking to upgrade capabilities

    and

    • Any key stakeholders or collaborators you choose to include in the assessment process

    Outcomes of this step

    • You have assessed your requirements for a CISO candidate.
    • The process of hiring is under way, and you have decided whether to hire a CISO, develop a CISO, or consider a Counselor Seat as another option.

    Assess

    2.2 Use Info-Tech’s CISO Core Competency Evaluation Tool to assess your CISO candidate

    Use Info-Tech’s CISO Core Competency Evaluation Tool to assess your CISO candidate

    Download the CISO Core Competency Evaluation Tool

    Info-Tech Insight
    The most important competencies should be your focus. Unless you are lucky enough to find a candidate that is perfect across the board, you will see some areas that are not ideal. Don’t forget the importance you assigned to each competency. If a candidate is ideal in the most critical areas, you may not mind that some development is needed in a less important area.

    2.2 Use Info-Tech’s CISO Core Competency Evaluation Tool to evaluate your candidates

    After deciding the importance of and requirements for each competency in Phase 1, assess your CISO candidates.

    Your first pass on this tool will be to look at internal candidates. This is the develop a CISO option.

    1. In the previous phase, you rated the Importance and Current Effectiveness for each competency in Tab 2. CISO Core Competencies. In this step, use Tab 3. Gap Analysis to enter a Minimum Level and a Desired Level for each competency. Keep in mind that it may be unrealistic to expect a candidate to be fully developed in all aspects.
    2. Next, enter a rating for your candidate of interest for each of the eight competencies.
    3. This scorecard will generate an overall suitability score for the candidate. The color of the output (from red to green) indicates the suitability, and the intensity of the color indicates the importance you assigned to that competency.

    Download the CISO Core Competency Evaluation Tool

    2.2 Use Info-Tech’s CISO Core Competency Evaluation Tool to evaluate your candidates

    • If the internal search does not identify a suitable candidate, you will want to expand your search.
    • Repeat the scoring process for external candidates until you find your new CISO.
    • You may want to skip your external search altogether and instead contact Info-Tech for more information on our Counselor Seat options.

    Download the CISO Core Competency Evaluation Tool

    Phase 3

    Plan

    Phase 1
    1.1 Understand Core Competencies
    1.2 Measure Security and Business Satisfaction and Alignment

    Phase 2
    2.1 Assess Stakeholder Relationships
    2.2 Assess the Core Competencies

    Phase 3
    3.1 Identify Resources to Address Competency Gaps
    3.2 Plan Approach to Improve Stakeholder Relationships

    Phase 4
    4.1 Decide Next Actions and Support Your CISO Moving Forward
    4.2 Regularly Reassess to Measure Development and Progress

    This phase will walk you through the following activities:

    • Create a plan to develop your competency gaps.
    • Construct and consider your organizational model.
    • Create plan to cultivate key stakeholder relationships.

    Hire or Develop a World-Class CISO

    Case study

    Mark Lester
    InfoSec Manager, SC Ports Authority

    The new Security Manager changes the security culture by understanding what is meaningful to employees.

    Outcome: Engage with people on their terms. The CISO must speak the audience’s language and express security terms in a way that is meaningful to the audience.

    Actions Next Steps
    • The Security Manager identifies recent events where ransomware and social engineering attacks were successful in penetrating the organization.
    • He uses his newsletter to create organization-wide discussion on this topic.
    • This very personal example makes employees more receptive to the Security Manager’s message, enabling the culture of risk management.
    • The Security Manager will leverage his success in improving the information security culture and awareness to gain support for future initiatives.

    Follow this case study throughout the deck to see this organization’s results

    Step 3.1

    Identify resources for your CISO to remediate competency gaps

    Activities

    Create a plan to remediate competency gaps

    This step involves the following participants:

    • CEO or other executive seeking to hire/develop a CISO
    • The newly hired CISO

    or

    • Current CISO seeking to upgrade capabilities

    Outcomes of this step

    • Identification of core competency deficiencies
    • A plan to close the gaps

    Plan

    3.1 Close competency gaps with Info-Tech’s Cybersecurity Workforce Development Training

    Resources to close competency gaps

    Info-Tech’s Cybersecurity Workforce Training develops critical cybersecurity skills missing within your team and organization. The leadership track provides the same deep coverage of technical knowledge as the analyst track but adds hands-on support and has a focus on strategic business alignment, program management, and governance.

    The program builds critical skills through:

    • Standardized curriculum with flexible projects tailored to business needs
    • Realistic cyber range scenarios
    • Ready-to-deploy security deliverables
    • Real assurance of skill development

    Info-Tech Insight
    Investing in a current employee that has the potential to be a world-class CISO may take less time, effort, and money than finding a unicorn.

    Learn more on the Cybersecurity Workforce Development webpage

    3.1 Identify resources for your CISO to remediate competency gaps

    < 2 hours

    CISO Competencies Description
    Business Acumen

    Info-Tech Workshops & Blueprints

    Actions/Activities

    • Take a business acumen course: Acumen Learning, What the CEO Wants You to Know: Building Business Acumen.
    • Meet with business stakeholders. Ask them to take you through the strategic plan for their department and then identify opportunities where security can provide support to help drive their initiatives.
    • Shadow another C-level executive. Understand how they manage their business unit and demonstrate an eagerness to learn.
    • Pursue an MBA or take a business development course.

    3.1 Identify resources for your CISO to remediate competency gaps (continued)

    < 2 hours

    CISO Competencies Description
    Leadership

    Info-Tech Training and Blueprints

    Action/Activities

    • Communicate your vision for security to your team. You will gain buy-in from your employees by including them in the creation of your program, and they will be instrumental to your success.

    Info-Tech Insight
    Surround yourself with great people. Insecure leaders surround themselves with mediocre employees that aren’t perceived as a threat. Great leaders are supported by great teams, but you must choose that great team first.

    3.1 Identify resources for your CISO to remediate competency gaps (continued)

    < 2 hours

    CISO Competencies Description
    Communication

    Info-Tech Workshops & Blueprints

    Build and Deliver an Optimized IT Update Presentation: Show IT’s value and relevance by dropping the technical jargon and speaking to the business in their terms.

    Master Your Security Incident Response Communications Program: Learn how to talk to your stakeholders about what’s going on when things go wrong.

    Develop a Security Awareness and Training Program That Empowers End Users: Your weakest link is between the keyboard and the chair, so use engaging communication to create positive behavior change.

    Actions/Activities

    Learn to communicate in the language of your audience (whether business, finance, or social), and frame security solutions in terms that are meaningful to your listener.

    Technical Knowledge

    Actions/Activities

    • In many cases, the CISO is progressing from a strong technical background, so this area is likely a strength already.
    • However, as the need for executive skills are being recognized, many organizations are opting to hire a business or operations professional as a CISO. In this case, various Info-Tech blueprints across all our silos (e.g. Security, Infrastructure, CIO, Apps) will provide great value in understanding best practices and integrating technical skills with the business processes.
    • Pursue an information security leadership certification: GIAC, (ISC)², and ISACA are a few of the many organizations that offer certification programs.

    3.1 Identify resources for your CISO to remediate competency gaps (continued)

    < 2 hours

    CISO Competencies Description
    Innovative Problem Solving

    Info-Tech Workshops & Blueprints

    Actions/Activities

    Vendor Management

    Info-Tech Blueprints & Resources

    Actions/Activities

    3.1 Identify resources for your CISO to remediate competency gaps (continued)

    < 2 hours

    CISO Competencies Description
    Change Management

    Info-Tech Blueprints

    Actions/Activities

    • Start with an easy-win project to create trust and support for your initiatives.
    Collaboration

    Info-Tech Blueprints

    Actions/Activities

    • Get out of your office. Have lunch with people from all areas of the business. Understanding the goals and the pains of employees throughout your organization will help you to design effective initiatives and cultivate support.
    • Be clear and honest about your goals. If people know what you are trying to do, then it is much easier for them to work with you on it. Being ambiguous or secretive creates confusion and distrust.

    3.1 Create the CISO’s personal development plan

    • Use Info-Tech’s CISO Development Plan Template to document key initiatives that will close previously identified competency gaps.
    • The CISO Development Plan Template is used to map specific actions and time frames for competency development, with the goal of addressing competency gaps and helping you become a world-class CISO. This template can be used to document:
      • Core competency gaps
      • Security process gaps
      • Security technology gaps
      • Any other career/development goals
    • If you have a coach or mentor, you should share your plan and report progress to that person. Alternatively, call Info-Tech to speak with an executive advisor for support and advice.
      • Toll-Free: 1-888-670-8889

    What you will need to complete this exercise

    • CISO Core Competency Evaluation Tool results
    • Information Security Business Satisfaction and Alignment diagnostic results
    • Insights gathered from business stakeholder interviews

    Step 3.2

    Plan an approach to improve your relationships

    Activities

    • Review engagement strategies for different stakeholder types
    • Create a stakeholder relationship development plan

    This step involves the following participants:

    • CEO or other executive seeking to hire/develop a CISO
    • The newly hired CISO

    or

    • Current CISO seeking to upgrade capabilities

    Outcomes of this step

    • Stakeholder relationship strategy deliverable

    Plan

    Where should the CISO sit?

    Where the CISO sits in the organization can have a big impact on the security program.

    • Organizations with CISOs in the C-suite have a fewer security incidents.1
    • Organizations with CISOs in the C-suite generally have better IT ability.1
    • An organization whose CISO reports to the CIO risks conflict of interest.1
    • 51% of CISOs believe their effectiveness can be hampered by reporting lines.2
    • Only half of CISOs feel like they are in a position to succeed.2

    A formalized security organizational structure assigns and defines the roles and responsibilities of different members around security. Use Info-Tech’s blueprint Implement a Security Governance and Management Program to determine the best structure for your organization.

    Who the CISO reports to, by percentage of organizations3

    Who the CISO reports to, by percentage of organizations

    Download the Implement a Security Governance and Management Program blueprint

    1. Journal of Computer Science and Information
    2. Proofpoint
    3. Heidrick & Struggles International, Inc

    3.2 Make a plan to manage your key stakeholders

    Managing stakeholders requires engagement, communication, and relationship management. To effectively collaborate and gain support for your initiatives, you will need to build relationships with your stakeholders. Take some time to review the stakeholder engagement strategies for different stakeholder types.

    Influence Mediators
    (Satisfy)         		Key Players
    (Engage)
    Spectators
    (Monitor)     		Noisemakers
    (Inform)
    Support for you

    When building relationships, I find that what people care about most is getting their job done. We need to help them do this in the most secure way possible.

    I don’t want to be the “No” guy, I want to enable the business. I want to find to secure options and say, “Here is how we can do this.”

    – James Miller, Information Security Director, Xavier University

    Download the CISO Stakeholder Management Strategy Template

    Key players – Engage

    Goal Action
    Get key players to help champion your initiative and turn your detractors into supporters. Actively involve key players to take ownership.
    Keep It Positive Maintain a Close Relationship
    • Use their positive support to further your objectives and act as your foundation of support.
    • Key players can help you build consensus among other stakeholders.
    • Get supporters to be vocal in your town halls.
    • Ask them to talk to other stakeholders over whom they have influence.
    • Get some quick wins early to gain and maintain stakeholder support and help convert them to your cause.
    • Use their influence and support to help persuade blockers to see your point of view.
    • Collaborate closely. Key players are tuned in to information streams that are important. Their advice can keep you informed and save you from being blindsided.
    • Keep them happy. By definition, these individuals have a stake in your plans and can be affected positively or negatively. Going out of your way to maintain relationships can be well worth the effort.

    Info-Tech Insight
    Listen to your key players. They understand what is important to other business stakeholders, and they can provide valuable insight to guide your future strategy.

    Mediators – Satisfy

    Goal Action
    Turn mediators into key players Increase their support level.
    Keep It Positive Maintain a Close Relationship
    • Make stakeholders part of the conversation by consulting them for input on planning and strategy.
    • Sample phrases:
      • “I’ve heard you have experience in this area. Do you have time to answer a few questions?”
      • “I’m making some decisions and I would value your thoughts. Can I get your perspective on this?”
    • Enhance their commitment by being inclusive. Encourage their support whenever possible.
    • Make them feel acknowledged and solicit feedback.
    • Listen to blockers with an open mind to understand their point of view. They may have valuable insight.
    • Approach stakeholders on their individual playing fields.
      • They want to know that you understand their business perspective.
    • Stubborn mediators might never support you. If consulting doesn’t work, keep them informed of important decision-making points and give them the opportunity to be involved if they choose to be.

    Info-Tech Insight
    Don’t dictate to stakeholders. Make them feel like valued contributors by including them in development and decision making. You don’t have to incorporate all their input, but it is essential that they feel respected and heard.

    Noisemakers – Inform

    Goal Action
    Have noisemakers spread the word to increase their influence. Encourage noisemakers to influence key stakeholders.
    Keep It Positive Maintain a Close Relationship
    • Identify noisemakers who have strong relationships with key stakeholders and focus on them.
      • These individuals may not have decision-making power, but their opinions and advice may help to sway a decision in your favor.
    • Look for opportunities to increase their influence over others.
    • Put effort into maintaining the positive relationship so that it doesn’t dwindle.
    • You already have this group’s support, but don’t take it for granted.
    • Be proactive, pre-emptive, and transparent.
    • Address issues or bad news early and be careful not to exaggerate their significance.
    • Use one-on-one meetings to give them an opportunity to express challenges in a private setting.
    • Show individuals in this group that you are a problem-solver:
      • “The implementation was great, but we discovered problems afterward. Here is what we’re doing about it.”

    Spectators – Monitor

    Goal Action
    Keep spectators content and avoid turning them into detractors. Keep them well informed.
    Keep It Positive Maintain a Close Relationship
    • A hands-on approach is not required with this group.
    • Keep them informed with regular, high-altitude communications and updates.
    • Use positive, exciting announcements to increase their interest in your initiatives.
    • Select a good venue for generating excitement and assessing the mood of spectators.
    • Spectators may become either supporters or blockers. Monitor them closely and keep in touch with them to stop these individuals from becoming blockers.
    • Listen to questions from spectators carefully. View any engagement as an opportunity to increase participation from this group and generate a positive shift in interest.

    3.2 Create the CISO’s stakeholder management strategy

    Develop a strategy to manage key stakeholders in order to drive your personal development plan initiatives.

    • The purpose of the CISO Stakeholder Management Strategy Template is to document the results of the power mapping exercise, create a plan to proactively manage stakeholders, and track the actions taken.
    • Use this in concert with Info-Tech’s CISO Stakeholder Power Map Template to help visualize the importance of key stakeholders to your personal development. You will document:
      • Stakeholder role and type.
      • Current relationship with the stakeholder.
      • Level of power/influence and degree of impact.
      • Current and desired level of support.
      • Initiatives that require the stakeholder’s engagement.
      • Actions to be taken – along with the status and results.

    What you will need to complete this exercise

    • Completed CISO Stakeholder Power Map
    • Security Business Satisfaction and Alignment Diagnostic results

    Download the CISO Stakeholder Management Strategy Template

    Phase 4

    Execute

    Phase 1
    1.1 Understand Core Competencies
    1.2 Measure Security and Business Satisfaction and Alignment

    Phase 2
    2.1 Assess Stakeholder Relationships
    2.2 Assess the Core Competencies

    Phase 3
    3.1 Identify Resources to Address Competency Gaps
    3.2 Plan Approach to Improve Stakeholder Relationships

    Phase 4
    4.1 Decide Next Actions and Support Your CISO Moving Forward
    4.2 Regularly Reassess to Measure Development and Progress

    This phase will walk you through the following activities:

    • Populate the CISO Development Plan Template with appropriate targets and due dates.
    • Set review and reassess dates.
    • Review due dates with CISO.

    Hire or Develop a World-Class CISO

    Case study

    Mark Lester
    InfoSec Manager, SC Ports Authority

    The new Security Manager leverages successful cultural change to gain support for new security investments.

    Outcome: Integrating with the business on a small level and building on small successes will lead to bigger wins and bigger change.

    Actions Next Steps
    • By fostering positive relationships throughout the organization, the Security Manager has improved the security culture and established himself as a trusted partner.
    • In an organization that had seen very little change in years, he has used well developed change management, business acumen, leadership, communication, collaboration, and innovative problem-solving competencies to affect his initiatives.
    • He can now return to the board with a great deal more leverage in seeking support for security investments.
    • The Security Manager will leverage his success in improving the information security culture and awareness to gain support for future initiatives.

    Step 4.1

    Decide next actions and support your CISO moving forward

    Activities

    • Complete the Info-Tech CISO Development Plan Template
    • Create a stakeholder relationship development plan

    This step involves the following participants:

    • CEO or other executive seeking to hire/develop a CISO
    • The newly hired CISO

    or

    • Current CISO seeking to upgrade capabilities

    Outcomes of this step

    Next actions for each of your development initiatives

    Execute

    Establish a set of first actions to set your plan into motion

    The CISO Development Plan Template provides a simple but powerful way to focus on what really matters to execute your plan.

    • By this point, the CISO is working on the personal competency development while simultaneously overseeing improvements across the security program, managing stakeholders, and seeking new business initiatives to engage with. This can be a lot to juggle effectively.
    • Disparate initiatives like these can hinder progress by creating confusion.
    • By distilling your plan down to Subject > Action > Outcome, you immediately restore focus and turn your plans into actionable items.
    • The outcome is most valuable when it is measurable. This makes progress (or lack of it) very easy to track and assess, so choose a meaningful metric.
    Item to Develop
    (competency/process/tech)
    First Action Toward Development
    Desired Outcome, Including a Measurable Indicator

    Download the CISO Development Plan Template

    4.1 Create a CISO development plan to keep all your objectives in one place

    Use Info-Tech’s CISO Development Plan Template to create a quick and simple yet powerful tool that you can refer to and update throughout your personal and professional development initiatives. As instructed in the template, you will document the following:

    Your Item to Develop The Next Action Required The Target Outcome
    This could be a CISO competency, a security process item, a security technology item, or an important relationship (or something else that is a priority). This could be as simple as “schedule lunch with a stakeholder” or “email Info-Tech to schedule a Guided Implementation call.” This part of the tool is meant to be continually updated as you progress through your projects. The strength of this approach is that it focuses your project into simple actionable steps that are easily achieved, rather than looking too far down the road and seeing an overwhelming task ahead. This will be something measurable like “reduce spending by 10%” or “have informal meeting with leaders from each department.”

    Info-Tech Insight
    A good plan doesn’t require anything that is outside of your control. Good measurable outcomes are behavior based rather than state based.
    “Increase the budget by 10%” is a bad goal because it is ultimately reliant on someone else and can be derailed by an unsupportive executive. A better goal is “reduce spending by 10%.” This is something more within the CISO’s control and is thus a better performance indicator and a more achievable goal.

    4.1 Create a CISO development plan to keep all your objectives in one place

    Below you will find sample content to populate your CISO Development Plan Template. Using this template will guide your CISO in achieving the goals identified here.

    The template itself is a metric for assessing the development of the CISO. The number of targets achieved by the due date will help to quantify the CISO’s progress.

    You may also want to include improvements to the organization’s security program as part of the CISO development plan.

    Area for Development Item for Development Next Action Required Key Stakeholders/ Owners Target Outcome Due Date Completed
    Core Competencies:
    Communication     		Executive
    communication     		Take economics course to learn business language Course completed [Insert date] [Y/N]
    Core Competencies:
    Communication     		Improve stakeholder
    relationships     		Email Bryce from finance to arrange lunch Improved relationship with finance department [Insert date] [Y/N]
    Technology Maturity: Security Prevention Identity and access management (IAM) system Call Info-Tech to arrange call on IAM solutions 90% of employees entered into IAM system [Insert date] [Y/N]
    Process Maturity: Response & Recovery Disaster recovery Read Info-Tech blueprint on disaster recovery Disaster recovery and backup policies in place [Insert date] [Y/N]

    Check out the First 100 Days as CISO blueprint for guidance on bringing improvements to the security program

    4.1 Use your action plan to track development progress and inform stakeholders

    • As you progress toward your goals, continually update the CISO development plan. It is meant to be a living document.
    • The Next Action Required should be updated regularly as you make progress so you can quickly jump in and take meaningful actions without having to reassess your position every time you open the plan. This is a simple but very powerful method.
    • To view your initiatives in customizable ways, you can use the drop-down menu on any column header to sort your initiatives (i.e. by due date, completed status, area for development). This allows you to quickly and easily see a variety of perspectives on your progress and enables you to bring upcoming or incomplete projects right to the top.
    Area for Development Item for Development Next Action Required Key Stakeholders/ Owners Target Outcome Due Date Completed
    Core Competencies:
    Communication     		Executive
    communication     		Take economics course to learn business language Course completed [Insert date] [Y/N]
    Core Competencies:
    Communication     		Improve stakeholder
    relationships     		Email Bryce from finance to arrange lunch Improved relationship with finance department [Insert date] [Y/N]
    Technology Maturity: Security Prevention Identity and access management (IAM) system Call Info-Tech to arrange call on IAM solutions 90% of employees entered into IAM system [Insert date] [Y/N]
    Process Maturity: Response & Recovery Disaster recovery Read Info-Tech blueprint on disaster recovery Disaster recovery and backup policies in place [Insert date] [Y/N]

    Step 4.2

    Regularly reassess to track development and progress

    Activities

    Create a calendar event for you and your CISO, including which items you will reassess and when

    This step involves the following participants:

    • CEO or other executive seeking to hire/develop a CISO
    • The newly hired CISO

    or

    • Current CISO seeking to upgrade capabilities

    Outcomes of this step

    Scheduled reassessment of the CISO’s competencies

    Execute

    4.2 Regularly evaluate your CISO’s progress

    < 1 day

    As previously mentioned, your CISO development plan is meant to be a living document. Your CISO will use this as a companion tool throughout project implementation, but periodically it will be necessary to re-evaluate the entire program to assess your progress and ensure that your actions are still in alignment with personal and organizational goals.

    Info-Tech recommends performing the following assessments quarterly or twice yearly with the help of our executive advisors (either over the phone or onsite).

    1. Sit down and re-evaluate your CISO core competencies using the CISO Core Competency Evaluation Tool.
    2. Analyze your relationships using the CISO Stakeholder Power Map Template.
    3. Compare all of these against your previous results to see what areas you have strengthened and decide if you need to focus on a different area now.
    4. Consider your CISO Development Plan Template and decide whether you have achieved your desired outcomes. If not, why?
    5. Schedule your next reassessment, then create a new plan for the upcoming quarter and get started.
    Materials
    • Laptop
    • CISO Development Plan Template
    Participants
    • CISO
    • Hiring executive (possibly)
    Output
    • Complete CISO and security program development plan

    Summary of Accomplishment

    Knowledge Gained

    • Understanding of the competencies contributing to a successful CISO
    • Strategic approach to integrate the CISO into the organization
    • View of various CISO functions from a variety of business and executive perspectives, rather than just a security view

    Process Optimized

    • Hiring of the CISO
    • Assessment and development of stakeholder relationships for the CISO
    • Broad planning for CISO development

    Deliverables Completed

    • IT Security Business Satisfaction and Alignment Diagnostic
    • CISO Core Competency Evaluation Tool
    • CISO Stakeholder Power Map Template
    • CISO Stakeholder Management Strategy Template
    • CISO Development Plan Template

    If you would like additional support, have our analysts guide you through an Info-Tech workshop or Guided Implementation

    Contact your account representative for more information

    workshop@infotech.com
    1-888-670-8889

    Related Info-Tech Research

    Build an Information Security Strategy
    Your security strategy should not be based on trying to blindly follow best practices but on a holistic risk-based assessment that is risk aware and aligns with your business context.

    The First 100 Days as CISO
    Every CISO needs to follow Info-Tech’s five-step approach to truly succeed in their new position. The meaning and expectations of a CISO role will differ from organization to organization and person to person, but the approach to the new position will be relatively the same.

    Implement a Security Governance and Management Program
    Business and security goals should be the same. Businesses cannot operate without security, and security's goal is to enable safe business operations.

    Research Contributors

    • Mark Lester, Information Security Manager, South Carolina State Ports Authority
    • Kyle Kennedy, CISO, CyberSN.com
    • James Miller, Information Security Director, Xavier University
    • Elliot Lewis, Vice President Security & Risk, Info-Tech Research Group
    • Andrew Maroun, Enterprise Security Lead, State of California
    • Brian Bobo, VP Enterprise Security, Schneider National
    • Candy Alexander, GRC Security Consultant, Towerall Inc.
    • Chad Fulgham, Chairman, PerCredo
    • Ian Parker, Head of Corporate Systems Information Security Risk and Compliance, Fujitsu EMEIA
    • Diane Kelly, Information Security Manager, Colorado State Judicial Branch
    • Jeffrey Gardiner, CISO, Western University
    • Joey LaCour, VP & Chief Security, Colonial Savings
    • Karla Thomas, Director IT Global Security, Tower Automotive
    • Kevin Warner, Security and Compliance Officer, Bridge Healthcare Providers
    • Lisa Davis, CEO, Vicinage
    • Luis Brown, Information Security & Compliance Officer, Central New Mexico Community College
    • Peter Clay, CISO, Qlik
    • Robert Banniza, Senior Director IT Center Security, AMSURG
    • Tim Tyndall, Systems Architect, Oregon State

    Bibliography

    Dicker, William. "An Examination of the Role of vCISO in SMBs: An Information Security Governance Exploration." Dissertation, Georgia State University, May 2, 2021. Accessed 30 Sep. 2022.

    Heidrick & Struggles. "2022 Global Chief Information Security Officer (CISO) Survey" Heidrick & Struggles International, Inc. September 6, 2022. Accessed 30 Sep. 2022.

    IBM Security. "Cost of a Data Breach Report 2022" IBM. August 1, 2022. Accessed 9 Nov. 2022.

    Mehta, Medha. "What Is a vCISO? Are vCISO Services Worth It?" Infosec Insights by Sectigo, June 23, 2021. Accessed Nov 22. 2022.

    Milica, Lucia. “Proofpoint 2022 Voice of the CISO Report” Proofpoint. May 2022. Accessed 6 Oct. 2022.

    Navisite. "The State of Cybersecurity Leadership and Readiness" Navisite. November 9, 2021. Accessed 9 Nov. 2022.

    Shayo, Conrad, and Frank Lin. “An Exploration of the Evolving Reporting Organizational Structure for the Chief Information Security Officer (CISO) Function” Journal of Computer Science and Information Technology, vol. 7, no. 1, June 2019. Accessed 28 Sep. 2022.

    Simplify Remote Deployment With Zero-Touch Provisioning

    • Buy Link or Shortcode: {j2store}310|cart{/j2store}
    • member rating overall impact: 9.0/10 Overall Impact
    • member rating average dollars saved: $5,199 Average $ Saved
    • member rating average days saved: 5 Average Days Saved
    • Parent Category Name: End-User Computing Strategy
    • Parent Category Link: /end-user-computing-strategy

    Provide better end-user device support to a remote workforce:

    • Remain compliant while purchasing, deploying, supporting, and decommissioning devices.
    • Save time and resources during device deployment while providing a high-quality experience to remote end users.
    • Build a set of capabilities that will let you support different use cases.

    Our Advice

    Critical Insight

    • Zero-touch is more than just deployment. This is more difficult than turning on a tool and provisioning new devices to end users.
    • Consider the entire user experience and device lifecycle to show value to the organization. Don’t forget that you will eventually need to touch the device.

    Impact and Result

    Approach zero-touch provisioning and patching from the end user’s experience:

    • Align your zero-touch approach with stakeholder priorities and larger IT strategies.
    • Build your zero-touch provisioning and patching plan from both the asset lifecycle and the end-user perspective to take a holistic approach that emphasizes customer service.
    • Tailor deployment plans to more easily scope and resource deployment projects.

    Simplify Remote Deployment With Zero-Touch Provisioning Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should adopt zero-touch provisioning, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Design the zero-touch experience

    Design the user’s experience and build a vision to direct your zero-touch provisioning project. Update your ITAM practices to reflect the new experience.

    • Zero-Touch Provisioning and Support Plan
    • HAM Process Workflows (Visio)
    • HAM Process Workflows (PDF)
    • End-User Device Management Standard Operating Procedure

    2. Update device management, provisioning, and patching

    Leverage new tools to manage remote endpoints, keep those devices patched, and allow users to get the apps they need to work.

    • End-User Device Build Book Template

    3. Build a roadmap and communication plan

    Create a roadmap for migrating to zero-touch provisioning.

    • Roadmap Tool
    • Communication Plan Template
    [infographic]

    Understand and Apply Internet-of-Things Use Cases to Drive Organizational Success

    • Buy Link or Shortcode: {j2store}535|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Customer Relationship Management
    • Parent Category Link: /customer-relationship-management
    • The Internet of Things (IoT) is a rapidly proliferating technology – connected devices have experienced unabated growth over the last ten years.
    • The business wants to capitalize on the IoT and move the needle forward for proactive customer service and operational efficiency.
    • Moreover, IT wants to maintain its reputation as forward-thinking, and the business wants to be innovative.

    Our Advice

    Critical Insight

    • Leverage Info-Tech’s comprehensive three-phase approach to IoT projects: understand the fundamentals of IoT capabilities, assess where the IoT will drive value within the organization, and present findings to stakeholders.
    • Conduct a foundational IoT discussion with stakeholders to level set expectations about the technology’s capabilities.
    • Determine your organization’s approach to the IoT in terms of both hardware and software.
    • Determine which use case your organization fits into: three of the use cases highlighted in this report include predictive customer service, smart offices, and supply chain applications.

    Impact and Result

    • Our methodology addresses the possible issues by using a case-study approach to demonstrate the “Art of the Possible” for the IoT.
    • With an understanding of the IoT, it is possible to find applicable use cases for this emerging technology and get a leg up on competitors.

    Understand and Apply Internet-of-Things Use Cases to Drive Organizational Success Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why your organization should care about the IoT’s potential to transform the service and the workplace, and how Info-Tech will support you as you identify and build your IoT use cases.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Understand core IoT use cases

    Analyze the scope of the IoT and the three most prominent enterprise use cases.

    • Understand and Apply Internet-of-Things Use Cases to Drive Organizational Success – Phase 1: Understand Core IoT Use Cases

    2. Build the business case for IoT applications

    Develop and prioritize use cases for the IoT using Info-Tech’s IoT Initiative Framework.

    • Understand and Apply Internet-of-Things Use Cases to Drive Organizational Success – Phase 2: Build the Business Case for IoT Initiatives

    3. Present IoT initiatives to stakeholders

    Present the IoT initiative to stakeholders and understand the way forward for the IoT initiative.

    • Understand and Apply Internet-of-Things Use Cases to Drive Organizational Success – Phase 3: Present IoT Initiatives to Stakeholders
    • Internet of Things Stakeholder Presentation Template
    [infographic]

    Establish High-Value IT Performance Dashboards and Metrics

    • Buy Link or Shortcode: {j2store}58|cart{/j2store}
    • member rating overall impact: 9.0/10 Overall Impact
    • member rating average dollars saved: $8,599 Average $ Saved
    • member rating average days saved: 10 Average Days Saved
    • Parent Category Name: Performance Measurement
    • Parent Category Link: /performance-measurement

    While most CIOs understand the importance of using metrics to measure IT’s accomplishments, needs, and progress, when it comes to creating dashboards to communicate these metrics, they:

    • Concentrate on the data instead of the audience.
    • Display information specific to IT activities instead of showing how IT addresses business goals and problems.
    • Use overly complicated, out of context graphs that crowd the dashboard and confuse the viewer.

    Our Advice

    Critical Insight

    While most CIOs understand the importance of using metrics to measure IT’s accomplishments, needs, and progress, when it comes to creating dashboards to communicate these metrics, they:

    • Concentrate on the data instead of the audience.
    • Display information specific to IT activities instead of showing how IT addresses business goals and problems.
    • Use overly complicated, out of context graphs that crowd the dashboard and confuse the viewer.

    Impact and Result

    Use Info-Tech’s ready-made dashboards for executives to ensure you:

    • Speak to the right audience
    • About the right things
    • In the right quantity
    • Using the right measures
    • At the right time.

    Establish High-Value IT Performance Dashboards and Metrics Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Establish High-Value IT Performance Metrics and Dashboards – a document that walks you through Info-Tech’s ready-made IT dashboards.

    This blueprint guides you through reviewing Info-Tech’s IT dashboards for your audience and organization, then walks you through practical exercises to customize the dashboards to your audience and organization. The blueprint also gives practical guidance for delivering your dashboards and actioning your metrics.

    • Establish High-Value IT Performance Metrics and Dashboards Storyboard

    2. Info-Tech IT Dashboards and Guide – Ready-made IT dashboards for the CIO to communicate to the CXO.

    IT dashboards with visuals and metrics that are aligned and organized by CIO priority and that allow you to customize with your own data, eliminating 80% of the dashboard design work.

    • Info-Tech IT Dashboards and Guide

    3. IT Dashboard Workbook – A step-by-step tool to identify audience needs, translate needs into metrics, design your dashboard, and track/action your metrics.

    The IT Dashboard Workbook accompanies the Establish High Value IT Metrics and Dashboards blueprint and guides you through customizing the Info-Tech IT Dashboards to your audience, crafting your messages, delivering your dashboards to your audience, actioning metrics results, and addressing audience feedback.

    • Info-Tech IT Dashboards Workbook

    4. IT Metrics Library

    Reference the IT Metrics Library for ideas on metrics to use and how to measure them.

    • IT Metrics Library

    5. HR Metrics Library

    Reference the HR Metrics Library for ideas on metrics to use and how to measure them.

    • HR Metrics Library

    Infographic

    Workshop: Establish High-Value IT Performance Dashboards and Metrics

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Test Info-tech’s IT Dashboards Against Your Audience’s Needs and Translate Audience Needs Into Metrics

    The Purpose

    Introduce the Info-Tech IT Dashboards to give the participants an idea of how they can be used in their organization.

    Understand the importance of starting with the audience and understanding audience needs before thinking about data and metrics.

    Explain how audience needs translate into metrics.

    Key Benefits Achieved

    Understanding of where to begin when it comes to considering dashboards and metrics (the audience).

    Identified audience and needs and derived metrics from those identified needs.

    Activities

    1.1 Review the info-Tech IT Dashboards and document impressions for your organization.

    1.2 Identify your audience and their attributes.

    1.3 Identify timeline and deadlines for dashboards.

    1.4 Identify and prioritize audience needs and desired outcomes.

    1.5 Associate metrics to each need.

    1.6 Identify a dashboard for each metric.

    Outputs

    Initial impressions of Info-Tech IT Dashboards.

    Completed Tabs 2 and 3 of the IT Dashboard Workbook.

    2 Inventory Your Data and Assess Data Quality and Readiness

    The Purpose

    Provide guidance on how to derive metrics and assess data.

    Key Benefits Achieved

    Understand the importance of considering how you will measure each metric and get the data.

    Understand that measuring data can be costly and that sometimes you just can’t afford to get the measure or you can’t get the data period because the data isn’t there.

    Understand how to assess data quality and readiness.

    Activities

    2.1 Complete a data inventory for each metric on each dashboard: determine how you will measure the metric, the KPI, any observation biases, the location of the data, the type of source, the owner, and the security/compliance requirements.

    2.2 Assess data quality for availability, accuracy, and standardization.

    2.3 Assess data readiness and the frequency of measurement and reporting.

    Outputs

    Completed Tab 4 of the IT Dashboard Workbook.

    3 Design and Build Your Dashboards

    The Purpose

    Guide participants in customizing the Info-Tech IT Dashboards with the data identified in previous steps.

    This step may vary as some participants may not need to alter the Info-Tech IT Dashboards other than to add their own data.

    Key Benefits Achieved

    Understanding of how to customize the dashboards to the participants’ organization.

    Activities

    3.1 Revisit the Info-Tech IT Dashboards and use the identified metrics to determine what should change in them.

    3.2 Build your dashboards by editing the Info-Tech IT Dashboards with your changes as planned in Step 3.1.

    Outputs

    Assessed Info-Tech IT Dashboards for your audience’s needs.

    Completed Tab 5 of the IT Dashboard Workbook.

    Finalized dashboards.

    4 Deliver Your Dashboard and Plan to Action Metrics

    The Purpose

    Guide participants in learning how to create a story around the dashboards.

    Guide participants in planning to action metrics and where to record results.

    Guide participants in how to address results of metrics and feedback from audience about dashboards.

    Key Benefits Achieved

    Participants understand how to speak to their dashboards.

    Participants understand how to action metrics results and feedback about dashboards.

    Activities

    4.1 Craft your story.

    4.2 Practice delivering your story.

    4.3 Plan to action your metrics.

    4.4 Understand how to record and address your results.

    Outputs

    Completed Tabs 6 and 7 of the IT Dashboard Workbook.

    5 Next Steps and Wrap-Up

    The Purpose

    Finalize work outstanding from previous steps and answer any questions.

    Key Benefits Achieved

    Participants have thought about and documented how to customize the Info-Tech IT Dashboards to use in their organization, and they have everything they need to customize the dashboards with their own metrics and visuals (if necessary).

    Activities

    5.1 Complete in-progress deliverables from previous four days.

    5.2 Set up review time for workshop deliverables and to discuss next steps.

    Outputs

    Completed IT Dashboards tailored to your organization.

    Completed IT Dashboard Workbook

    Further reading

    Establish High-Value IT Performance Dashboards and Metrics

    Spend less time struggling with visuals and more time communicating about what matters to your executives.

    Analyst Perspective

    A dashboard is a communication tool that helps executives make data-driven decisions

    CIOs naturally gravitate toward data and data analysis. This is their strength. They lean into this strength, using data to drive decisions, track performance, and set targets because they know good data drives good decisions.

    However, when it comes to interpreting and communicating this complex information to executives who may be less familiar with data, CIOs struggle, often falling back on showing IT activity level data instead of what the executives care about. This results in missed opportunities to tell IT’s unique story, secure funding, reveal important trends, or highlight key opportunities for the organization.

    Break through these traditional barriers by using Info-Tech’s ready-made IT dashboards. Spend less time agonizing over visuals and layout and more time concentrating on delivering IT information that moves the organization forward.

    Photo of Diana MacPherson
    Diana MacPherson
    Senior Research Analyst, CIO
    Info-Tech Research Group

    Executive Summary

    Your Challenge

    While most CIOs understand the importance of using metrics to measure IT’s accomplishments, needs, and progress, when it comes to creating dashboards to communicate these metrics, they:

    • Concentrate on the data instead of the audience.
    • Display information specific to IT activities instead of showing how IT addresses business goals and problems.
    • Use overly complicated, out of context graphs that crowd the dashboard and confuse the viewer.

    Common Obstacles

    CIOs often experience these challenges because they:

    • Have a natural bias toward data and see it as the whole story instead of a supporting character in a larger narrative.
    • Assume that the IT activity metrics that are easy to get and useful to them are equally interesting to all their stakeholders.
    • Do not have experience communicating visually to an audience unfamiliar with IT operations or lingo.

    Info-Tech’s Approach

    Use Info-Tech’s ready-made dashboards for executives to ensure you:

    • Speak to the right audience
    • About the right things
    • In the right quantity
    • Using the right measures
    • At the right time

    Info-Tech Insight

    The purpose of a dashboard is to drive decision making. A well designed dashboard presents relevant, clear, concise insights that help executives make data-driven decisions.

    Your challenge

    CIOs struggle to select the right metrics and dashboards to communicate IT’s accomplishments, needs, and progress to their executives. CIOs:

    • Fail to tailor metrics to their audience, often presenting graphs that are familiar and useful to them, but not their executives. This results in dashboards full of IT activities that executives neither understand nor find valuable.
    • Do not consider the timeliness of their metrics, which has the same effect as not tailoring their metrics: the executives do not care about the metrics they are shown.
    • Present too many metrics, which not only clutters the board but also dilutes the message the CIO needs to communicate.
    • Do not act on the results of their metrics and show progress, which makes metrics meaningless. Why measure something if you won’t act on the results?

    The bottom line: CIOs often communicate to the wrong audience, about the wrong things, in the wrong amount, using the wrong metrics, at the wrong time.

    In a survey of 500 executives, organizations that struggled with dashboards identified the reasons as:
    61% Inadequate context
    54% Information overload

    — Source: Exasol

    CXOs and CIOs agree that IT performance metrics need improvement

    When asked which performance indicators should be implemented in your business, CXOs and CIOs both agree that IT needs to improve its metrics across several activity areas: technology performance, cost and salary, and risk.

    A diagram that shows performance indicators and metrics from cxo and cio.

    The Info-Tech IT Dashboards center key metrics around these activities ensuring you align your metrics to the needs of your CXO audience.

    Info-Tech CEO/CIO Alignment Survey Benchmark Report n=666

    The Info-Tech IT Dashboards are organized by the top CIO priorities

    The top six areas that a CIO needs to prioritize and measure outcomes, no matter your organization or industry, are:

    • Managing to a budget: Reducing operational costs and increasing strategic IT spend
    • Customer/constituent satisfaction: Directly and indirectly impacting customer experience.
    • Risk management: Actively knowing and mitigating threats to the organization.
    • Delivering on business objectives: Aligning IT initiatives to the vision of the organization.
    • Employee engagement: Creating an IT workforce of engaged and purpose-driven people.
    • Business leadership relations: Establishing a network of influential business leaders.

    Deliver High-Value IT Dashboards to Your Executives

    A diagram that shows Delivering High-Value IT Dashboards to Your Executives

    Info-Tech’s approach

    Deliver High-Value Dashboards to Your Executives

    A diagram that shows High-Value Dashboard Process.

    Executives recognize the benefits of dashboards:
    87% of respondents to an Exasol study agreed that their organization’s leadership team would make more data-driven decisions if insights were presented in a simpler and more understandable way
    (Source: Exasol)

    The Info-Tech difference:

    We created dashboards for you so you don’t have to!

    1. Eliminate 80% of the dashboard design work by selecting from our ready-made Info-Tech IT Dashboards.
    2. Use our IT Dashboard Workbook to adjust the dashboards to your audience and organization.
    3. Follow our blueprint and IT Dashboard Workbook tool to craft, and deliver your dashboard to your CXO team, then action feedback from your audience to continuously improve.

    Info-Tech’s methodology for establishing high-value dashboards

    1. Test Info-Tech’s IT Dashboards Against Your Audience’s Needs

    Phase Steps

    1. Validate Info-Tech’s IT Dashboards for Your Audience
    2. Identify and Document Your Audience’s Needs

    Phase Outcomes

    1. Initial impressions of Info-Tech IT Dashboards
    2. Completed Tabs 2 of the IT Dashboard Workbook

    2. Translate Audience Needs into Metrics

    Phase Steps

    1. Review Info-Tech’s IT Dashboards for Your Audience
    2. Derive Metrics from Audience Needs
    3. Associate metrics to Dashboards

    Phase Outcomes

    1. Completed IT Tab 3 of IT Dashboard Workbook

    3. Ready Your Data for Dashboards

    Phase Steps

    1. Assess Data Inventory
    2. Assess Data Quality
    3. Assess Data Readiness
    4. Assess Data Frequency

    Phase Outcomes

    1. Assessed Info-Tech IT Dashboards for your audience’s needs
    2. Completed Tab 5 of the IT Dashboard Workbook
    3. Finalized dashboards

    4. Build and Deliver Your Dashboards

    Phase Steps

    1. Design Your Dashboard
    2. Update Your Dashboards
    3. Craft Your Story and Deliver Your Dashboards

    Phase Outcomes

    1. Completed IT Tab 5 and 6 of IT Dashboard Workbook and finalized dashboards

    5. Plan, Record, and Action Your Metrics

    Phase Steps

    1. Plan How to Record Metrics
    2. Record and Action Metrics

    Phase Outcomes

    1. Completed IT Dashboards tailored to your organization
    2. Completed IT Dashboard Workbook

    How to Use This Blueprint

    Choose the path that works for you

    A diagram that shows path of using this blueprint.

    The Info-Tech IT Dashboards address several needs:

    1. New to dashboards and metrics and not sure where to begin? Let the phases in the blueprint guide you in using Info-Tech’s IT Dashboards to create your own dashboards.
    2. Already know who your audience is and what you want to show? Augment the Info-Tech’s IT Dashboards framework with your own data and visuals.
    3. Already have a tool you would like to use? Use the Info-Tech’s IT Dashboards as a design document to customize your tool.

    Insight Summary

    The need for easy-to-consume data is on the rise making dashboards a vital data communication tool.

    70%: Of employees will be expected to use data heavily by 2025, an increase from 40% in 2018.
    — Source: Tableau

    Overarching insight

    A dashboard’s primary purpose is to drive action. It may also serve secondary purposes to update, educate, and communicate, but if a dashboard does not drive action, it is not serving its purpose.

    Insight 1

    Start with the audience. Resist the urge to start with the data. Think about who your audience is, what internal and external environmental factors influence them, what problems they need to solve, what goals they need to achieve, then tailor the metrics and dashboards to suit.

    Insight 2

    Avoid showing IT activity-level metrics. Instead use CIO priority-based metrics to report on what matters to the organization. The Info-Tech IT Dashboards are organized by the CIO priorities: risks, financials, talent, and strategic initiatives.

    Insight 3

    Dashboards show the what not the why. Do not assume your audience will draw the same conclusions from your graphs and charts as you do. Provide the why by interpreting the results, adding insights and calls to action, and marking key areas for discussion.

    Insight 4

    A dashboard is a communication tool and should reflect the characteristics of good communication. Be clear, concise, consistent, and relevant.

    Insight 5

    Action your data. Act and report progress on your metrics. Gathering metrics has a cost, so if you do not plan to action a metric, do not measure it.

    Blueprint deliverables

    Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:

    Photo of Dashboards

    Key deliverable: Dashboards

    Ready-made risk, financials, talent, and strategic initiatives dashboards that organize your data in a visually appealing way so you can concentrate on the metrics and communication.

    Photo of IT Dashboard Workbook

    IT Dashboard Workbook

    The IT Dashboard Workbook keeps all your metrics, data, and dashboard work in one handy file!

    Photo of IT Dashboard Guide

    IT Dashboard Guide

    The IT Dashboard Guide provides the Info-Tech IT Dashboards and information about how to use them.

    Blueprint benefits

    CIO Benefits

    • Reduces the burden of figuring out what metrics to show executives and how to categorize and arrange the visuals.
    • Increases audience engagement through tools and methods that guide CIOs through tailoring metrics and dashboards to audience needs.
    • Simplifies CIO messages so executives better understand IT needs and value.
    • Provides CIOs with the tools to demonstrate transparency and competency to executive leaders.
    • Provides tools and techniques for regular review and action planning of metrics results, which leads to improved performance, efficiency, and effectiveness.

    Business Benefits

    • Provides a richer understanding of the IT landscape and a clearer connection of how IT needs and issues impact the organization.
    • Increases understanding of the IT team’s contribution to achieving business outcomes.
    • Provides visibility into IT and business trends.
    • Speeds up decision making by providing insights and interpretations to complex situations.

    Measure the value of this blueprint

    Realize measurable benefits after using Info-Tech’s approach:

    Determining what you should measure, what visuals you should use, and how you should organize your visuals, is time consuming. Calculate the time it has taken you to research what metrics you should show, create the visuals, figure out how to categorize the visuals, and layout your visuals. Typically, this takes about 480 hours of time. Use the ready-made Info-Tech IT Dashboards and the IT Dashboard Workbook to quickly put together a set of dashboards to present your CXO. Using these tools will save approximately 480 hours.

    A study at the University of Minnesota shows that visual presentations are 43% more effective at persuading their audiences (Bonsignore). Estimate how persuasive you are now by averaging how often you have convinced your audience to take a specific course of action. After using the Info-Tech IT Dashboards and visual story telling techniques described in this blueprint, average again. You should be 43% more persuasive.

    Further value comes from making decisions faster. Baseline how long it takes, on average, for your executive team to make a decision before using Info-Tech’s IT Dashboards then time how long decisions take when you use your Info-Tech’s IT Dashboards. Your audience should reach decisions 21% faster according to studies at Stanford University and the Wharton School if business (Bonsignore).

    Case Study

    Visuals don’t have to be fancy to communicate clear messages.

    • Industry: Construction
    • Source: Anonymous interview participant

    Challenge

    Year after year, the CIO of a construction company attended business planning with the Board to secure funding for the year. One year, the CEO interrupted and said, “You're asking me for £17 million. You asked me for £14 million last year and you asked me for £12 million the year before that. I don't quite understand what we get for our money.”

    The CEO could not understand how fixing laptops would cost £17 million and for years no one had been able to justify the IT spend.

    Solutions

    The CIO worked with his team to produce a simple one-page bubble diagram representing each IT department. Each bubble included the total costs to deliver the service, along with the number of employees. The larger the bubble, the higher the cost. The CIO brought each bubble to life as he explained to the Board what each department did.

    The Board saw, for example, that IT had architects who thought about the design of a service, where it was going, the life cycle of that service, and the new products that were coming out. They understood what those services cost and knew how many architects IT had to provide for those services.

    Recommendations

    The CEO remarked that he finally understood why the CIO needed £17 million. He even saw that the costs for some IT departments were low for the amount of people and offered to pay IT staff more (something the CIO had requested for years).

    Each year the CIO used the same slide to justify IT costs and when the CIO needed further investment for things like security or new products, an upgrade, or end of life support, the sign-offs came very quickly because the Board understood what IT was doing and that IT wasn't a bottomless pit.

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit
    "Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful."

    Guided Implementation
    "Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track."

    Workshop
    "We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place."

    Consulting
    "Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project."

    Diagnostics and consistent frameworks are used throughout all four options.

    Guided Implementation

    A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

    A typical GI is 8 to 12 calls over the course of 4 to 6 months.

    What does a typical GI on this topic look like?

    A diagram that shows Guided Implementation in 5 phases.

    Workshop overview

    Day 1: Test Info-tech’s IT Dashboards Against Your Audience’s Needs and Translate Audience Needs Into Metrics

    Activities
    1.1 Review the info-Tech IT Dashboards and document impressions for your organization.
    1.2 Identify your audience’s attributes.
    1.3 Identify timeline and deadlines for dashboards.
    1.4 Identify and prioritize audience needs and desired outcomes.
    1.5 Associate metrics to each need.
    1.6 Identify a dashboard for each metric.

    Deliverables
    1. Initial impressions of Info-Tech IT Dashboards.
    2. Completed Tabs 2 and 3 of the IT Dashboard Workbook.

    Day 2: Inventory Your Data; Assess Data Quality and Readiness

    Activities
    2.1 Complete a data inventory for each metric on each dashboard: determine how you will measure the metric, the KPI, any observation biases, the location of the data, the type of source, and the owner and security/compliance requirements.
    2.2 Assess data quality for availability, accuracy, and standardization.
    2.3 Assess data readiness and frequency of measurement and reporting.

    Deliverables
    1. Completed Tab 4 of the IT Dashboard Workbook.

    Day 3: Design and Build Your Dashboards

    Activities
    3.1 Revisit the Info-Tech IT Dashboards and use the identified metrics to determine what should change on the dashboards.
    3.2 Build your dashboards by editing the Info-Tech IT Dashboards with your changes as planned in Step 3.1.

    Deliverables
    1. Assessed Info-Tech IT Dashboards for your audience’s needs.
    2. Completed Tab 5 of the IT Dashboard Workbook.
    3. Finalized dashboards.

    Day 4: Deliver Your Dashboard and Plan to Action Metrics

    Activities
    4.1 Craft your story.
    4.2 Practice delivering your story.
    4.3 Plan to action your metrics.
    4.4 Understand how to record and address your results.

    Deliverables
    1. Completed Tabs 6 and 7 of the IT Dashboard Workbook.

    Day 5: Next Steps and Wrap-Up (offsite)

    Activities
    5.1 Complete in-progress deliverables from previous four days
    5.2 Set up review time for workshop deliverables and to discuss next steps.

    Deliverables
    1. Completed IT Dashboards tailored to your organization.
    2. Completed IT Dashboard Workbook.

    Contact your account representative for more information.

    workshops@infotech.com
    1-888-670-8889

    What is an IT dashboard?

    A photo of Risks - Protect the Organization. A photo of Financials: Transparent, fiscal responsibility
    A photo of talent attrat and retain top talent A photo of Strategic Initiatives: Deliver Value to Customers.

    An IT dashboard is…
    a visual representation of data, and its main purpose is to drive actions. Well-designed dashboards use an easy to consume presentation style free of clutter. They present their audience with a curated set of visuals that present meaningful metrics to their audience.

    Dashboards can be both automatically or manually updated and can show information that is dynamic or a snapshot in time.

    Info-Tech IT Dashboards

    Review the Info-Tech IT Dashboards

    We created dashboards so you don’t have to.

    A photo of Risks - Protect the Organization. A photo of Financials: Transparent, fiscal responsibility A photo of talent attrat and retain top talent A photo of Strategic Initiatives: Deliver Value to Customers.

    Use the link below to download the Info-Tech IT Dashboards and consider the following:

    1. What are your initial reactions to the dashboards?
    2. Are the visuals appealing? If so, what makes them appealing?
    3. Can you use these dashboards in your organization? What makes them usable?
    4. How would you use these dashboards to speak your own IT information to your audience?

    Download the Info-Tech IT Dashboards

    Why Use Dashboards When We Have Data?

    How graphics affect us

    Cognitively

    • Engage our imagination
    • Stimulate the brain
    • Heighten creative thinking
    • Enhance or affect emotions

    Emotionally

    • Enhance comprehension
    • Increase recollection
    • Elevate communication
    • Improve retention

    Visual clues

    • Help decode text
    • Attract attention
    • Increase memory

    Persuasion

    • 43% more effective than text alone

    — Source: (Vogel et al.)

    Phase 1

    Test Info-Tech’s IT Dashboards Against Your Audience’s Needs

    A diagram that shows phase 1 to 5.

    This phase will walk you through the following:

    • Documenting impressions for using Info-Tech’s IT Dashboards for your audience.
    • Documenting your audience and their needs and metrics for your IT dashboards

    This phase involves the following participants:

    • Senior IT leadership
    • Dashboard SMEs

    Info-Tech IT Dashboard organization and audience

    We created a compelling way to organize IT dashboards so you don’t have to. The Info-Tech IT Dashboards are organized by CIO Priorities, and these are consistent irrespective of industry or organization. This is a constant that you can organize your metrics around.

    A photo of Info-Tech IT Dashboards

    Dashboard Customization

    The categories represent a constant around which you can change the order; for example, if your CXO is more focused on Financials, you can switch the Financials dashboard to appear first.

    The Info-Tech IT Dashboards are aimed at a CXO audience so if your audience is the CXO, then you may decide to change very little, but you can customize any visual to appeal to your audience.

    Phase 1 will get you started with your audience.

    Always start with the audience

    …and not the data!

    Reliable, accurate data plays a critical role in dashboards, but data is only worthwhile if it is relevant to the audience who consumes it, and dashboards are only as meaningful as the data and metrics they represent.

    Instead of starting with the data, start with the audience. The more IT understands about the audience, the more relevant the metrics will be to their audience and the more aligned leadership will be with IT.

    Don’t forget yourself and who you are. Your audience will have certain preconceived notions about who you are and what you do. Consider these when you think about what you want your audience to know.

    46% executives identify lack of customization to individual user needs as a reason they struggle with dashboards.
    — Source: (Exasol)

    Resist the Data-First Temptation

    If you find yourself thinking about data and you haven’t thought about your audience, pull yourself back to the audience.

    Ask first Ask later
    Who is this dashboard for? What data should I show?
    How will the audience use the dashboard to make decisions? Where do I get the data?
    How can I show what matters to the audience? How much effort is required to get the data?

    Meaningful measures rely on understanding your audience and their needs

    It is crucial to think about who your audience is so that you can translate their needs into metrics and create meaningful visuals for your dashboards.

    A diagram that highlights step 1-3 of understanding your audience in the high-value dashboard process.

    Step 1.1

    Review and Validate Info-Tech’s IT Dashboards for Your Audience

    Activities:
    1.1.1 Examine Info-Tech’s IT Dashboards.

    • Note, the Info-Tech IT Dashboards are organized by CIO priorities – Risk, Financials, Talent, and Strategic Initiatives – and address the needs of the CXO audience. The IT Dashboard Workbook is pre-populated with this information.
    • If this meets your audience’s needs, you do not have to edit this content and can instead use the pre-populated information. You may wish to review the information to ensure it is still valid for your audience.

    A diagram that shows step 1.1 & 1.2 to Test Info-Tech’s IT Dashboards Against Your Audience’s Needs.

    This phase involves the following participants:

    • Senior IT leadership
    • Dashboard SMEs

    Outcomes of this step:

    • Info-Tech dashboards reviewed for your organization’s audience.

    1.1.1 Examine the Info-Tech IT Dashboards

    30 minutes

    1. If you haven’t already downloaded the Info-Tech IT Dashboards, click the link below to download.
    2. Complete a quick review of the dashboards and consider how your audience would receive them.
    3. Document your thoughts, with special emphasis on your audience in the Info-Tech Dashboard Impressions slide.

    A diagram that shows Info-Tech IT Dashboards

    Download Info-Tech IT Dashboards

    Reviewing visuals can help you think about how your audience will respond to them

    Jot down your thoughts below. You can refer to this later as you consider your audience.

    Consider:

    • Who is your dashboard audience?
    • Are their needs different from the Info-Tech IT Dashboard audience’s? If so, how?
    • Will the visuals work for your audience on each dashboard?
    • Will the order of the dashboards work for your audience?
    • What is missing?

    Step 1.2

    Identify and Document Your Audience’s Needs

    Activities:
    1.2.1 Document your audience’s needs in the IT Dashboard Workbook.

    • Note, the Info-Tech IT Dashboards are organized by CIO priorities – Risk, Financials, Talent, and Strategic Initiatives – and address the needs of the CXO audience. The IT Dashboard Workbook is pre-populated with this information.
    • If this meets your audience’s needs, you do not have to edit this content and can instead use the pre-populated information. You may wish to review the information to ensure it is still valid for your audience.

    A diagram that shows step 1.1 & 1.2 to Test Info-Tech’s IT Dashboards Against Your Audience’s Needs.

    This phase involves the following participants:

    • Senior IT leadership
    • Dashboard SMEs

    Outcomes of this step:

    • Audience details documented in IT Dashboard Workbook

    Identify Your Audience and dig deeper to understand their needs

    Connect with your audience

    • Who is your audience?
    • What does your audience care about? What matters to them?
    • How is their individual success measured? What are their key performance indicators (KPIs)?
    • Connect the challenges and pain points of your audience to how IT can help alleviate those pain points:
      • For example, poor financial performance could be due to a lack of digitization. Identify areas where IT can help alleviate this issue.
      • Try to uncover the root cause behind the need. Root causes are often tied to broad organizational objectives, so think about how IT can impact those objectives.

    Validate the needs you’ve uncovered with the audience to ensure you have not misinterpreted them and clarify the desired timeline and deadline for the dashboard.

    Document audiences and needs on Tab 2 of the IT Dashboard Workbook

    Typical Audience Needs
    Senior Leadership
    • Inform strategic planning and track progress toward objectives.
    • Understand critical challenges.
    • Ensure risks are managed.
    • Ensure budgets are managed.
    Board of Directors
    • Understand organizational risks.
    • Ensure organization is fiscally healthy.
    Business Partners
    • Support strategic workforce planning.
    • Surface upcoming risks to workforce.
    CFO
    • IT Spend
    • Budget Health and Risks

    Prioritize and select audience needs that your dashboard will address

    Prioritize needs by asking:

    • Which needs represent the largest value to the entire organization (i.e. needs that impact more of the organization than just the audience)?
    • Which needs will have the largest impact on the audience’s success?
    • Which needs are likely to drive action (e.g. if supporting a decision, is the audience likely to be amenable to changing the way they make that decision based on the data)?

    Select three to five of the highest priority needs for each audience to include on a dashboard.

    Prioritize needs on Tab 2 of the IT Dashboard Workbook

    A diagram that shows 3 tiers of high priority, medium priority, and low priority.

    1.2.1 Document Your Audience Needs in the IT Dashboard Workbook

    1 hour

    Click the link below to download the IT Dashboard Workbook and open the file. Select Tab 2. The workbook contains pre-populated text that reflects information about Info-Tech’s IT Dashboards. You may want to keep the pre-populated text as reference as you identify your own audience then remove after you have completed your updates.

    A table of documenting audience, including key attributes, desired timeline, deadline, needs, and priority.

    Download Info-Tech IT Dashboard Workbook

    Phase 2

    Translate Audience Needs Into Metrics

    A diagram that shows phase 1 to 5.

    This phase will walk you through the following:

    • Revisiting the Info-Tech IT Dashboards for your audience.
    • Documenting your prioritized audience’s needs and the desired outcome of each in the IT Dashboard Workbook.

    This phase involves the following participants:

    • Senior IT leadership
    • Dashboard SMEs

    Linking audience needs to metrics has positive outcomes

    When you present metrics that your audience cares about, you:

    • Deliver real value and demonstrate IT’s value as a trusted partner.
    • Improve the relationship between the business and IT.
    • Enlighten the business about what IT does and how it is connected to the organization.

    29% of respondents to The Economist Intelligence Unit survey cited inadequate collaboration between IT and the business as one of the top barriers to the organization’s digital objectives.
    — Source: Watson, Morag W., et al.

    Dashboard Customization

    The Info-Tech IT Dashboards use measures for each dashboard that correspond with what the audience (CXO) cares about. You can find these measures in the IT Dashboard Workbook. If your audience is the CXO, you may have to change a little but you should still validate the needs and metrics in the IT Dashboard Workbook.

    Phase 2 covers the process of translating needs into metrics.

    Once you know what your audience needs, you know what to measure

    A diagram that highlights step 4-5 of knowing your audience needs in the high-value dashboard process.

    Step 2.1

    Document Desired Outcomes for Each Prioritized Audience Need

    Activities:
    2.1.1 Compare the Info-Tech IT Dashboards with your audience’s needs.
    2.1.2 Document prioritized audience needs and the desired outcome of each in the IT Dashboard Workbook.

    • Note, the Info-Tech IT Dashboards are organized by CIO priorities – Risk, Financials, Talent, and Strategic Initiatives – and address the needs of the CXO audience. The IT Dashboard Workbook is pre-populated with this information.
    • If this meets your audience’s needs, you do not have to edit this content and can instead use the pre-populated information. You may wish to review the information to ensure it is still valid for your audience.

    A diagram that shows step 2.1 to 2.3 to translate audience needs into metrics.

    This phase involves the following participants:

    • Senior IT leadership
    • Dashboard SMEs

    Outcomes of this step:

    • Understanding of how well Info-Tech IT Dashboards address audience needs.
    • Documented desired outcomes for each audience need.

    2.1.1 Revisit Info-Tech’s IT Dashboards and Review for Your Audience

    30 minutes

    1. If you haven’t already downloaded the Info-Tech IT Dashboards, click the link below to download.
    2. Click the link below to download the Info-Tech IT Dashboard Workbook.
    3. Recall your first impressions of the dashboards that you recorded on earlier in Phase 1 and open up the audience and needs information you documented in Tab 2 of the IT Dashboard Workbook.
    4. Compare the dashboards with your audience’s needs that you documented on Tab 2.
    5. Record any updates to your thoughts or impressions on the next slide. Think about any changes to the dashboards that you would make so that you can reference it when you build the dashboards.

    Download Info-Tech IT Dashboard Workbook

    A photo of Info-Tech IT Dashboards
    The Info-Tech IT Dashboards contain a set of monthly metrics tailored toward a CXO audience.

    Download Info-Tech IT Dashboards

    Knowing what your audience needs, do the metrics the visuals reflect address them?

    Any changes to the Info-Tech IT Dashboards?

    Consider:

    • Are your audience’s needs already reflected in the visuals in each of the dashboards? If so, validate this in the next activity by reviewing the prioritized needs, desired outcomes, and associated metrics already documented in the IT Dashboard Workbook.
    • Are there any visuals your audience would need that you don’t see reflected in the dashboards? Write them here to use in the next exercise.

    Desired outcomes make identifying metrics easier

    When it’s not immediately apparent what the link between needs and metrics is, brainstorm desired outcomes.

    A diagram that shows an example of desired outcomes

    2.1.2 Document your audience’s desired outcome per prioritized need

    Now that you’ve examined the Info-Tech IT Dashboards and considered the needs of your audience, it is time to understand the outcomes and goals of each need so that you can translate your audience’s needs into metrics.

    1 hour

    Click the link below to download the IT Dashboard Workbook and open the file. Select Tab 3. The workbook contains pre-populated text that reflects information about Info-Tech’s IT Dashboards. You may want to keep the pre-populated text as reference as you identify your own audience then remove it after you have completed your updates.

    A diagram that shows desired outcome per prioritized need

    Download Info-Tech IT Dashboard Workbook

    Deriving Meaningful Metrics

    Once you know the desired outcomes, you can identify meaningful metrics

    A diagram of an example of meaningful metrics.

    Common Metrics Mistakes

    Avoid the following oversights when selecting your metrics.

    A diagram that shows 7 metrics mistakes

    Step 2.2

    Derive Metrics From Audience Needs

    Activities:
    2.2.1 Derive metrics using the Info-Tech IT Dashboards and the IT Dashboard Workbook.

    • Note, the Info-Tech IT Dashboards are organized by CIO priorities – Risk, Financials, Talent, and Strategic Initiatives – and address the needs of the CXO audience. The IT Dashboard Workbook is pre-populated with this information.
    • If this meets your audience’s needs, you do not have to edit this content and can instead use the pre-populated information. You may wish to review the information to ensure it is still valid for your audience.

    A diagram that shows step 2.1 to 2.3 to translate audience needs into metrics.

    This phase involves the following participants:

    • Senior IT leadership
    • Dashboard SMEs

    Outcomes of this step:

    • Documented metrics for audience needs.

    2.2.1 Derive metrics from desired outcomes

    Now that you have completed the desired outcomes, you can determine if you are meeting those desired outcomes. If you struggle with the metrics, revisit the desired outcomes. It could be that they are not measurable or are not specific enough.

    2 hours

    Click the link below to download the IT Dashboard Workbook and open the file. Select Tab 3. The workbook contains pre-populated text that reflects information about Info-Tech’s IT Dashboards. You may want to keep the pre-populated text as reference as you identify your own audience then remove it after you have completed your updates.

    A diagram that shows derive metrics from desired outcomes

    Download Info-Tech IT Dashboard Workbook

    Download IT Metrics Library

    Download HR Metrics Library

    Step 2.3

    Associate Metrics to Dashboards

    Activities:
    2.3.1 Review the metrics and identify which dashboard they should appear on.

    • Note, the Info-Tech IT Dashboards are organized by CIO priorities – Risk, Financials, Talent, and Strategic Initiatives – and address the needs of the CXO audience. The IT Dashboard Workbook is pre-populated with this information.
    • If this meets your audience’s needs, you do not have to edit this content and can instead use the pre-populated information. You may wish to review the information to ensure it is still valid for your audience.

    A diagram that shows step 2.1 to 2.3 to translate audience needs into metrics.

    This phase involves the following participants:

    • Senior IT leadership
    • Dashboard SMEs

    Outcomes of this step:

    • Metrics associated to each dashboard.

    2.3.1 Associate metrics to dashboards

    30 minutes

    Once you have identified all your metrics from Step 2.2, identify which dashboard they should appear on. As with all activities, if the Info-Tech IT Dashboard meets your audience’s needs, you do not have to edit this content and can instead use the pre-populated information.

    A diagram that shows associate metrics to dashboards

    Phase 3

    Ready Your Data for Dashboards

    A diagram that shows phase 1 to 5.

    This phase will walk you through the following:

    • Inventorying your data
    • Assessing your data quality
    • Determining data readiness
    • Determining data measurement frequency

    This phase involves the following participants:

    • Senior IT leadership
    • Dashboard SMEs

    Can you measure your metrics?

    Once appropriate service metrics are derived from business objectives, the next step is to determine how easily you can get your metric.

    A diagram that highlights step 5 of measuring your metrics in the high-value dashboard process.

    Make sure you select data that your audience trusts

    40% of organizations say individuals within the business do not trust data insights.
    — Source: Experian, 2020

    Phase 3 covers the process of identifying data for each metric, creating a data inventory, assessing the readiness of your data, and documenting the frequency of measuring your data. Once complete, you will have a guide to help you add data to your dashboards.

    Step 3.1

    Assess Data Inventory

    Activities:
    3.1.1 Download the IT Dashboard Workbook and complete the data inventory section on Tab 4.

    • Note, the Info-Tech IT Dashboards are organized by CIO priorities – Risk, Financials, Talent, and Strategic Initiatives – and address the needs of the CXO audience. The IT Dashboard Workbook is pre-populated with this information.
    • If this meets your audience’s needs, you do not have to edit this content and can instead use the pre-populated information. You may wish to review the information to ensure it is still valid for your audience.

    A diagram that shows step 3.1 to 3.4 to ready your data for dashboards.

    This phase involves the following participants:

    • Senior IT leadership
    • Dashboard SMEs

    Outcomes of this step:

    • Documented data inventory for each metric.

    3.1.1 Data Inventory

    1 hour

    Click the link below to download the IT Dashboard Workbook and open the file. Select Tab 4. The pre-populated text is arranged into the tables according to the dashboard they appear on; you may need to scroll down to see all the dashboard tables.

    Create a data inventory by placing each metric identified on Tab 3 into the corresponding dashboard table. Complete each column as described below.

    A diagram that shows 9 columns of data inventory.

    Metrics Libraries: Use the IT Metrics Library and HR Metrics Library for ideas for metrics to use and how to measure them.

    Download Info-Tech IT Dashboard Workbook

    Step 3.2

    Assess Data Quality

    Activities:
    3.2.1 Use the IT Dashboard Workbook to complete an assessment of data quality on Tab 4.

    • Note, the Info-Tech IT Dashboards are organized by CIO priorities – Risk, Financials, Talent, and Strategic Initiatives – and address the needs of the CXO audience. The IT Dashboard Workbook is pre-populated with this information.
    • If this meets your audience’s needs, you do not have to edit this content and can instead use the pre-populated information. You may wish to review the information to ensure it is still valid for your audience.

    A diagram that shows step 3.1 to 3.4 to ready your data for dashboards.

    This phase involves the following participants:

    • Senior IT leadership
    • Dashboard SMEs

    Outcomes of this step:

    • Documented data quality assessment for each metric.

    3.2.1 Assess Data Quality

    1 hour

    Document the data quality on Tab 4 of the IT Dashboard Workbook by filling in the data availability, data accuracy, and data standardization columns as described below.

    A diagram that shows data availability, data accuracy, and data standardization columns.

    Data quality is a struggle for many organizations. Consider how much uncertainty you can tolerate and what would be required to improve your data quality to an acceptable level. Consider cost, technological resources, people resources, and time required.

    Download Info-Tech IT Dashboard Workbook

    Step 3.3

    Assess Data Readiness

    Activities:
    3.3.1 Use the IT Dashboard Workbook to determine the readiness of your data.

    • Note, the Info-Tech IT Dashboards are organized by CIO priorities – Risk, Financials, Talent, and Strategic Initiatives – and address the needs of the CXO audience. The IT Dashboard Workbook is pre-populated with this information.
    • If this meets your audience’s needs, you do not have to edit this content and can instead use the pre-populated information. You may wish to review the information to ensure it is still valid for your audience.

    A diagram that shows step 3.1 to 3.4 to ready your data for dashboards.

    This phase involves the following participants:

    • Senior IT leadership
    • Dashboard SMEs

    Outcomes of this step:

    • Documented data readiness for each metric

    3.3.1 Determine Data Readiness

    1 hour

    Once the data quality has been documented and examined, complete the Data Readiness section of Tab 4 in the Info-Tech IT Dashboard Workbook. Select a readiness classification using the definitions below. Use the readiness of your data to determine the level of effort required to obtain the data and consider the constraints and cost/ROI to implement new technology or revise processes and data gathering to produce the data.

    A diagram that shows data readiness section

    Remember: Although in most cases, simple formulas that can be easily understood are the best approach, both because effort is lower and data that is not manipulated is more trustworthy, do not abandon data because it is not perfect but instead plan to make it easier to obtain.

    Download Info-Tech IT Dashboard Workbook

    Step 3.4

    Assess Data Frequency

    Activities:
    3.4.1 Use the IT Dashboard Workbook to determine the readiness of your data and how frequently you will measure your data.

    • Note, the Info-Tech IT Dashboards are organized by CIO priorities – Risk, Financials, Talent, and Strategic Initiatives – and address the needs of the CXO audience. The IT Dashboard Workbook is pre-populated with this information.
    • If this meets your audience’s needs, you do not have to edit this content and can instead use the pre-populated information. You may wish to review the information to ensure it is still valid for your audience.

    A diagram that shows step 3.1 to 3.4 to assess data inventory, quality, and readiness.

    This phase involves the following participants:

    • Senior IT leadership
    • Dashboard SMEs

    Outcomes of this step:

    • Documented frequency of measurement for each metric.

    3.4.1 Document Planned Frequency of measurement

    10 minutes

    Document the planned frequency of measurement for all your metrics on Tab 4 of the IT Dashboard Workbook.

    For each metric, determine how often you will need to refresh it on the dashboard and select a frequency from the drop down. The Info-tech IT Dashboards assume a monthly refresh.

    Download Info-Tech IT Dashboard Workbook

    Phase 4

    Build and Deliver Your Dashboards

    A diagram that shows phase 1 to 5.

    This phase will walk you through the following:

    • Designing your dashboards
    • Updating your dashboards
    • Crafting your story
    • Delivering your dashboards

    This phase involves the following participants:

    • Senior IT leadership
    • Dashboard SMEs

    Using your dashboard to tell your story with visuals

    Now that you have linked metrics to the needs of your audience and you understand how to get your data, it is time to start building your dashboards.

    A diagram that highlights step 6 of creating meaningful visuals in the high-value dashboard process.

    Using visual language

    • Shortens meetings by 24%
    • Increases the ability to reach consensus by 21%
    • Strengthens persuasiveness by 43%

    — Source: American Management Association

    Phase 4 guides you through using the Info-Tech IT Dashboard visuals for your audience’s needs and your story.

    Step 4.1

    Design Your Dashboard

    Activities:
    4.1.1 Plan and validate dashboard metrics, data, level of effort and visuals.

    • Note, the Info-Tech IT Dashboards are organized by CIO priorities – Risk, Financials, Talent, and Strategic Initiatives – and address the needs of the CXO audience. The IT Dashboard Workbook is pre-populated with this information.
    • If this meets your audience’s needs, you do not have to edit this content and can instead use the pre-populated information. You may wish to review the information to ensure it is still valid for your audience.

    A diagram that shows step 4.1 to 4.3 to build and deliver your dashboards.

    This phase involves the following participants:

    • Senior IT leadership
    • Dashboard SMEs

    Outcomes of this step:

    • Identified and validated metrics, data, and visuals for your IT dashboards.

    Use clear visuals that avoid distracting the audience

    Which visual is better to present?

    Sample A:
    A photo of Sample A visuals

    Sample B:
    A diagram Sample B visuals

    Select the appropriate visuals

    Identify the purpose of the visualization. Determine which of the four categories below aligns with the story and choose the appropriate visual to display the data.

    Relationship

    A photo of Scatterplots
    Scatterplots

    • Used to show relationships between two variables.
    • Can be difficult to interpret for audiences that are not familiar with them.

    Distribution

    A photo of Histogram
    Histogram

    • Use a histogram to show spread of a given numeric variable.
    • Can be used to organize groups of data points.
    • Requires continuous data.
    • Can make comparisons difficult.

    A photo of Scatterplot
    Scatterplot

    • Can show correlation between variables.
    • Show each data plot, making it easier to compare.

    Composition

    A photo of Pie chart
    Pie chart

    • Use pie charts to show different categories.
    • Avoid pie charts with numerous slices.
    • Provide numbers alongside slices, as it can be difficult to compare slices based on size alone.

    A photo of Table
    Table

    • Use tables when there are a large number of categories.
    • Presents information in a simple way.

    Comparison

    A photo of Bar graph
    Bar graph

    • Use to compare categories.
    • Easy to understand, familiar format.

    A photo of Line chart
    Line chart

    • Use to show trends or changes over time.
    • Clear and easy to analyze.

    (Calzon)

    Examples of data visualization

    To compare categories, use a bar chart:
    2 examples of bar chart
    Conclusion: Visualizing the spend in various areas helps prioritize.


    To show trends, use a line graph:
    An example of line graph.
    Conclusion: Overlaying a trend line on revenue per employee helps justify headcount costs.


    To show simple results, text is sometimes more clear:
    A diagram that shows examples of text and graphics.
    Conclusion: Text with meaningful graphics conveys messages quickly.


    To display relative percentages of values, use a pie chart:
    An example of pie chart.
    Conclusion: Displaying proportions in a pie chart gives an at-a-glance understanding of the amount any area uses.

    Choose effective colors and design

    Select colors that will enhance the story

    • Use color strategically to help draw the audience’s attention and highlight key information.
    • Choose two to three colors to use consistently throughout the dashboard, as too many colors will be distracting to the audience.
    • Use colors that connect with the audience (e.g., organization or department colors).
    • Don’t use colors that are too similar in shade or brightness level, as those with colorblindness might have difficulty discerning them.

    Keep the design simple and clear

    • Leave white space to separate sections and keep the dashboard simple.
    • Don’t measure everything; show just enough to address the audience’s needs.
    • Use blank space between data points to provide natural contrast (e.g., leaving space between each bar on a bar graph). Don’t rely on contrast between colors to separate data (Miller).
    • Label each data point directly instead of using a separate key, so anyone who has difficulty discerning color can still interpret the data (Miller).

    Example

    A example that shows colours and design of a chart.

    Checklist to build compelling visuals in your presentation

    Leverage this checklist to ensure you are creating the perfect visuals and graphs for your presentation.

    Checklist:

    • Do the visuals grab the audience’s attention?
    • Will the visuals mislead the audience/confuse them?
    • Do the visuals facilitate data comparison or highlight trends and differences in a more effective manner than words?
    • Do the visuals present information simply, cleanly, and accurately?
    • Do the visuals illustrate messages and themes from the accompanying text?

    4.1.1 Plan and validate your dashboard visuals

    1 hour

    Click the links below to download the Info-Tech IT Dashboards and the IT Dashboard Workbook. Open the IT Dashboard Workbook and select Tab 5. For each dashboard, represented by its own table, open the corresponding Info-Tech IT Dashboard as reference.

    A diagram of dashboard and its considerations when selecting visuals.

    Download Info-Tech IT Dashboards

    Download Info-Tech IT Dashboard Workbook

    Step 4.2

    Update Your Dashboards

    Activities:
    4.2.1 Update the visuals on the Info-Tech IT Dashboards with data and visuals identified in the IT Dashboard Workbook.

    • Note, the Info-Tech IT Dashboards are organized by CIO priorities – Risk, Financials, Talent, and Strategic Initiatives – and address the needs of the CXO audience. The IT Dashboard Workbook is pre-populated with this information.
    • If this meets your audience’s needs, you do not have to edit this content and can instead use the pre-populated information. You may wish to review the information to ensure it is still valid for your audience.

    A diagram that shows step 4.1 to 4.3 to build and deliver your dashboards.

    This phase involves the following participants:

    • Senior IT leadership
    • Dashboard SMEs

    Outcomes of this step:

    • Dashboards updated with your visuals, metrics, and data identified in the IT Dashboard Workbook.

    4.2.1 Update visuals with your own data

    2 hours

    1. Get the data that you identified in Tab 4 and Tab 5 of the IT Dashboard Workbook.
    2. Click the link below to go to the Info-Tech IT Dashboards and follow the instructions to update the visuals.

    Do not worry about the Key Insights or Calls to Action; you will create this in the next step when you plan your story.

    Download Info-Tech IT Dashboards

    Step 4.3

    Craft Your Story and Deliver Your Dashboards

    Activities:
    4.3.1 Craft Your Story
    4.3.2 Finalize Your Dashboards
    4.3.3 Practice Delivering Your Story With Your Dashboards

    • Note, the Info-Tech IT Dashboards are organized by CIO priorities – Risk, Financials, Talent, and Strategic Initiatives – and address the needs of the CXO audience. The IT Dashboard Workbook is pre-populated with this information.
    • If this meets your audience’s needs, you do not have to edit this content and can instead use the pre-populated information. You may wish to review the information to ensure it is still valid for your audience.

    A diagram that shows step 4.1 to 4.3 to build and deliver your dashboards.

    This phase involves the following participants:

    • Senior IT leadership
    • Dashboard SMEs

    Outcomes of this step:

    • Documented situations, key insights, and calls to action for each dashboard/visual.
    • A story to tell for each dashboard.
    • Understanding of how to practice delivering the dashboards using stories.

    Stories are more easily understood and more likely to drive decisions

    IT dashboards are valuable tools to provide insights that drive decision making.

    • Monitor: Track and report on strategic areas IT supports.
    • Provide insights: sPresent important data and information to audiences in a clear and efficient way.

    “Data storytelling is a universal language that everyone can understand – from people in STEM to arts and psychology.” — Peter Jackson, Chief Data and Analytics Officer at Exasol

    Storytelling provides context, helping the audience understand and connect with data and metrics.

    • 93% of respondents (business leaders and data professionals) agreed that decisions made as a result of successful data storytelling have the potential to help increase revenue.
    • 92% of respondents agreed that data storytelling was critical to communicate insights effectively.
    • 87% percent of respondents agreed that leadership teams would make more data-driven decisions if insights gathered from data were presented more simply.

    — Exasol

    For more visual guidance, download the IT Dashboard Guide

    Include all the following pieces in your message for an effective communication

    A diagram of an effective message, including consistent, clearn, relevant, and concise.

    Info-Tech Insight

    Time is a non-renewable resource. The message crafted must be considered a value-adding communication to your audience.

    Enable good communication with these components

    Be Consistent

    • The core message must be consistent regardless of audience, channel, or medium.
    • Test your communication with your team or colleagues to obtain feedback before delivering to a broader audience.
    • A lack of consistency can be interpreted as an attempt at deception. This can hurt credibility and trust.

    Be Clear

    • Say what you mean and mean what you say.
    • Choice of language is important: “Do you think this is a good idea? I think we could really benefit from your insights and experience here.” Or do you mean: “I think we should do this. I need you to do this to make it happen.”
    • Avoid jargon.

    Be Relevant

    • Talk about what matters to the audience.
    • Tailor the details of the message to the audience’s specific concerns.
    • IT thinks in processes but wider audiences focus mostly on results; talk in terms of results.
    • IT wants to be understood, but this does not matter to stakeholders. Think: “What’s in it for them?”
    • Communicate truthfully; do not make false promises or hide bad news.

    Be Concise

    • Keep communication short and to the point so key messages are not lost in the noise.
    • There is a risk of diluting your key message if you include too many other details.
    • If you provide more information than necessary, the clarity and consistency of the message can be lost.

    Draft the core messages to communicate

    1. Hook your audience: Use a compelling introduction that ensures your target audience cares about the message. Start with a story or metaphor and then support with the data on your dashboard. Avoid rushing in with data first.
    2. Demonstrate you can help: Let the audience know that based on the unique problem, you can help. There is value in engaging and working with you further.
    3. Write for the ear: Use concise and clear sentences, avoid technological language, and when you read it aloud ensure it sounds like how you would normally speak.
    4. Interpret visuals for your audience: Do not assume they will reach the same conclusions as you. For example, walk them through what a chart shows even if the axes are labeled, tell them what a trend line indicates or what the comparison between two data points means.
    5. Identify a couple of key insights: Think about one or two key takeaways you want your audience to leave with.
    6. Finish with a call to action: Your concluding statement should not be a thank-you but a call to action that ignites how your audience will behave after the communication. Dashboards exist to drive decisions, so if you have no call to action, you should ask if you need to include the visual.

    4.3.1 Craft Your Story

    1 hour

    Click the link below to download the IT Dashboard Workbook and open the file. Select Tab 6. The workbook contains grey text that reflects a sample story about the Info-Tech IT Dashboards. You may want to keep the sample text as reference, then remove after you have entered your information.

    A diagram of dashboard to craft your story.

    Download Info-Tech IT Dashboard Workbook

    4.3.2 Finalize Your Dashboards

    30 minutes

    1. Take the Key Insights and Calls to Action that you documented in Tab 6 of the IT Dashboard Workbook and place them in their corresponding dashboard.
    2. Add any text to your dashboard as necessary but only if the visual requires more information. You can add explanations more effectively during the presentation.

    A diagram that shows strategic initiatives: deliver value to customers.

    Tip: Aim to be brief and concise with any text. Dashboards simplify information and too much text can clutter the visuals and obscure the message.

    Download Info-Tech IT Dashboard Workbook

    4.3.3 Practice Delivering Your Story With Your Dashboards

    1 hour

    Ideally you can present your dashboard to your audience so that you are available to clarify questions and add a layer of interpretation that would crowd out boards if added as text.

    1. To prepare to tell your story, consult the Situation, Key Insights, and Call to Action sections that you documented for each dashboard in Tab 6 of the Info-Tech IT Dashboard Workbook.
    2. Practice your messages as you walk through your dashboards. The next two slides provide delivery guidance.
    3. Once you deliver your dashboards, update Tab 6 with audience feedback. Often dashboards are iterative and when your audience sees them, they are usually inspired to think about what else they would like to see. This is good and shows your audience is engaged!

    Don’t overwhelm your audience with information and data. You spent time to craft your dashboards so that they are clear and concise, so spend time practicing delivering a message that matches your clear, concise dashboards

    Download Info-Tech IT Dashboard Workbook

    Hone presentation skills before meeting with key stakeholders

    Using voice and body

    Think about the message you are trying to convey and how your body can support that delivery. Hands, stance, and frame all have an impact on what might be conveyed.

    If you want your audience to lean in and be eager about your next point, consider using a pause or softer voice and volume.

    Be professional and confident

    State the main points of your dashboard confidently. While this should be obvious, it needs to be stated explicitly. Your audience should be able to clearly see that you believe the points you are stating.

    Present in a way that is genuine to you and your voice. Whether you have an energetic personality or a calm and composed personality, the presentation should be authentic to you.

    Connect with your audience

    Look each member of the audience in the eye at least once during your presentation or if you are presenting remotely, look into the camera. Avoid looking at the ceiling, the back wall, or the floor. Your audience should feel engaged – this is essential to keeping their attention.

    Avoid reading the text from your dashboard, and instead paraphrase it while maintaining eye/camera contact.

    Info-Tech Insight

    You are responsible for the response of your audience. If they aren’t engaged, it is on you as the communicator.

    Communication Delivery Checklist

    • Have you practiced delivering the communication to team members or coaches?
    • Have you practiced delivering the communication to someone with little to no technology background?
    • Are you making yourself open to feedback and improvement opportunities?
    • If the communication is derailed from your plan, are you prepared to handle that change?
    • Can you deliver the communication without reading your notes word for word?
    • Have you adapted your voice throughout the communication to highlight specific components you want the audience to focus on?
    • Are you presenting in a way that is genuine to you and your personality?
    • Can you communicate the message within the time allotted?
    • Are you moving in an appropriate manner based on your communication (e.g., toward the screen, across the stage, hand gestures)
    • Do you have room for feedback on the dashboards? Solicit feedback with your audience after the meeting and record it in Tab 6 of the IT Dashboard Workbook.

    Phase 5

    Plan, record, and action your metrics

    A diagram that shows phase 1 to 5.

    This phase will walk you through the following:

    • Planning to track your metrics
    • Recording your metrics
    • Actioning your metrics

    This phase involves the following participants:

    • Senior IT leadership
    • Dashboard SMEs

    Actioning your metrics to drive results

    To deliver real value from your dashboards, you need to do something with the results.

    Don’t fail on execution! The whole reason you labor to create inviting visuals and meaningful metrics is to action those metrics. The metrics results inform your entire story! It’s important to plan and do, but everything is lost if you fail to check and act.

    70%: of survey respondents say that managers do not get insights from performance metrics to improve strategic decision making.
    60%: of survey respondents say that operational teams do not get insights to improve operation decision making.

    (Bernard Marr)

    “Metrics aren’t a passive measure of progress but an active part of an organization’s everyday management….Applying the “plan–do–check–act” feedback loop…helps teams learn from their mistakes and identify good ideas that can be applied elsewhere”

    (McKinsey)

    Step 5.1

    Plan How to Record Metrics

    Activities:
    5.1.1 For each dashboard, add a baseline and target to existing metrics and KPIs.

    • Note, the Info-Tech IT Dashboards are organized by CIO priorities – Risk, Financials, Talent, and Strategic Initiatives – and address the needs of the CXO audience. The IT Dashboard Workbook is pre-populated with this information.
    • If this meets your audience’s needs, you do not have to edit this content and can instead use the pre-populated information. You may wish to review the information to ensure it is still valid for your audience.

    A diagram that shows step 5.1 to 5.2 to plan, record, and action your metrics.

    This phase involves the following participants:

    • Senior IT leadership
    • Dashboard SMEs

    Outcomes of this step:

    • Baselines and targets identified and recorded for each metric.

    5.1.1 Identify Baselines and Targets

    1 hour

    To action your metrics, you must first establish what your baselines and targets are so that you can determine if you are on track.

    To establish baselines:
    If you do not have a baseline. Run your metric to establish one.

    To establish targets:

    • Use historical data and trends of performance.
    • If you do not have historical data, establish an initial target based on stakeholder-identified requirements and expectations.
    • You can also run the metrics report over a defined period of time and use the baseline level of achievement to establish an initial target.
    • The target may not always be a number – it could be a trend. The initial target may be changed after review with stakeholders.

    Actions for Success:
    How will you ensure you can get this metric? For example, if you would like to measure delivered value, to make sure the metric is measurable, you will need to ensure that measures of success are documented for an imitative and then measured once complete.

    • If you need help with Action plans, the IT Metrics Library includes action plans for all of its metrics that may help

    A diagram of identify metrics and to identify baselines and targets.

    Download Info-Tech IT Dashboard Workbook

    Step 5.2

    Record and Action Metrics

    Activities:
    5.2.1 Record and Action Results

    • Note, the Info-Tech IT Dashboards are organized by CIO priorities – Risk, Financials, Talent, and Strategic Initiatives – and address the needs of the CXO audience. The IT Dashboard Workbook is pre-populated with this information.
    • If this meets your audience’s needs, you do not have to edit this content and can instead use the pre-populated information. You may wish to review the information to ensure it is still valid for your audience.

    A diagram that shows step 5.1 to 5.2 to plan, record, and action your metrics.

    This phase involves the following participants:

    • Senior IT leadership
    • Dashboard SMEs

    Outcomes of this step:

    • Understanding of what and where to record metrics once run.

    5.2.1 Record and Action Results

    1 hour

    After analyzing your results, use this information to update your dashboards. Revisit Tab 6 of the IT Dashboard Workbook to update your story. Remember to record any audience feedback about the dashboards in the Audience Feedback section.

    Action your measures as well as your metrics

    What should be measured can change over time as your organization matures and the business environment changes. Understanding what creates business value for your organization is critical. If metrics need to be changed, record metrics actions under Identified Actions on Tab 7. A metric will need to be addressed in one of the following ways:

    • Added: A new metric is required or an existing metric needs large-scale changes (example: calculation method or scope).
    • Changed: A minor change is required to the presentation format or data. Note: a major change in a metric would be performed through the Add option.
    • Removed: The metric is no longer required, and it needs to be removed from reporting and data gathering. A final report date for that metric should be determined.
    • Maintained: The metric is still useful and no changes are required to the metric, its measurement, or how it’s reported.

    A diagram of record results and identify how to address results.

    Don’t be discouraged if you need to update your metrics a few times before you get it right. It can take some trial and error to find the measures that best indicate the health of what you are measuring.

    Download Info-Tech IT Dashboard Workbook

    Tips for actioning results

    Sometimes actioning your metrics results requires more analysis

    If a metric deviates from your target, you may need to analyze how to correct the issue then run the metric again to see if the results have improved.

    Identify Root Cause
    Root Cause Analysis can include problem exploration techniques like The 5 Whys, fishbone diagrams, or affinity mapping.

    Select a Solution
    Once you have identified a possible root cause, use the same technique to brainstorm and select a solution then re-run your metrics.

    Consider Tension Metrics
    Consider tension metrics when selecting a solution. Will improving one area affect another? A car can go faster but it will consume more fuel – a project can be delivered faster but it may affect the quality.

    Summary of Accomplishment

    Problem Solved

    1. Using this blueprint and the IT Dashboard Workbook, you validated and customized the dashboards for your audience and organization, which reduced or eliminated time spent searching for and organizing your own visuals.
    2. You documented your dashboards’ story so you are ready to present them to your audience.
    3. You assessed the data for your dashboards and you built a metrics action-tracking plan to maintain your dashboards’ metrics.

    If you would like additional support, have our analysts guide you through an Info-Tech workshop or Guided Implementation.

    Contact your account representative for more information.
    workshops@infotech.com
    1-888-670-8889

    Additional Support

    If you would like additional support, have our analysts guide you through other phases as part of an Info-Tech Workshop.

    To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.

    Info-Tech analysts will join you and your team at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.

    Contact your account representative for more information.

    workshops@infotech.com
    1-888-670-8889

    The following are sample activities that will be conducted by Info-Tech analysts with your team:

    A photo of Info-Tech IT Dashboards
    Review the Info-Tech IT Dashboards
    Determine how you can use the Info-Tech IT Dashboards in your organization and the anticipated level of customization.

    A photo of the IT Dashboard Workbook
    Plan your dashboards
    Complete the IT Dashboard Workbook to help plan your dashboards using Info-Tech’s IT Dashboards.

    Research Contributors and Experts

    Photo of John Corrado
    John Corrado
    Head of IT
    X4 Pharmaceuticals

    As head of IT, John is charged with the creation of strategic IT initiatives that align with X4s vision, mission, culture, and long-term goals and is responsible for the organization’s systems, security, and infrastructure. He works closely developing partnerships with X4tizens across the organization to deliver value through innovative programs and services.

    Photo of Grant Frost
    Grant Frost
    Chief Information & Security Officer
    Niagara Catholic School Board

    Grant Frost is an experienced executive, information technologist and security strategist with extensive experience in both the public and private sector. Grant is known for, and has extensive experience in, IT transformation and the ability to increase capability while decreasing cost in IT services.

    Photo of Nick Scozzaro
    Nick Scozzaro
    CEO and Co-Founder of MobiStream and ShadowHQ
    ShadowHQ

    Nick got his start in software development and mobility working at BlackBerry where he developed a deep understanding of the technology landscape and of what is involved in both modernizing legacy systems and integrating new ones. Working with experts across multiple industries, he innovated, learned, strategized, and ultimately helped push the boundaries of what was possible.

    Photo of Joseph Sanders
    Joseph Sanders
    Managing Director of Technology/Cyber Security Services
    Kentucky Housing Corporation

    In his current role Joe oversees all IT Operations/Applications Services that are used to provide services and support to the citizens of Kentucky. Joe has 30+ years of leadership experience and has held several executive roles in the public and private sector. He has been a keynote speaker for various companies including HP, IBM, and Oracle.

    Photo of Jochen Sievert
    Jochen Sievert
    Director Performance Excellence & IT
    Zeon Chemicals

    Jochen moved to the USA from Duesseldorf, Germany in 2010 to join Zeon Chemicals as their IT Manager. Prior to Zeon, Jochen has held various technical positions at Novell, Microsoft, IBM, and Metro Management Systems.

    Info-Tech Contributors

    Ibrahim Abdel-Kader, Research Analyst
    Donna Bales, Principal Research Director
    Shashi Bellamkonda, Principal Research Director
    John Burwash, Executive Counselor
    Tony Denford, Research Lead
    Jody Gunderman, Senior Executive Advisor
    Tom Hawley, Managing Partner
    Mike Higginbotham, Executive Counselor
    Valence Howden, Principal Research Director
    Dave Kish, Practice Lead
    Carlene McCubbin, Practice Lead
    Jennifer Perrier, Principal Research Director
    Gary Rietz, Executive Counselor
    Steve Schmidt, Senior Managing Partner
    Aaron Shum, Vice President, Security & Privacy
    Ian Tyler-Clarke, Executive Counselor

    Plus, an additional four contributors who wish to remain anonymous.

    Related Info-Tech Research

    Photo of Build an IT Risk Taxonomy

    Build an IT Risk Taxonomy

    Use this blueprint as a baseline to build a customized IT risk taxonomy suitable for your organization.

    Photo of Create a Holistic IT Dashboard

    Create a Holistic IT Dashboard

    This blueprint will help you identify the KPIs that matter to your organization.

    Photo of Develop Meaningful Service Metrics

    Develop Meaningful Service Metrics

    This blueprint will help you Identify the appropriate service metrics based on stakeholder needs.

    Photo of IT Spend & Staffing Benchmarking

    IT Spend & Staffing Benchmarking

    Use this benchmarking service to capture, analyze, and communicate your IT spending and staffing.

    Photo of Key Metrics for Every CIO

    Key Metrics for Every CIO

    This short research piece highlights the top metrics for every CIO, how those align to your CIO priorities, and action steps against those metrics.

    Photo of Present Security to Executive Stakeholders

    Present Security to Executive Stakeholders

    This blueprint helps you identify communication drivers and goals and collect data to support your presentation. It provides checklists for building and delivering a captivating security presentation.

    Bibliography

    “10 Signs You Are Sitting on a Pile of Data Debt.” Experian, n.d. Web.

    “From the What to the Why: How Data Storytelling Is Key to Success.” Exasol, 2021. Web.

    Bonsignore, Marian. “Using Visual Language to Create the Case for Change.” Amarican Management Association. Accessed 19 Apr. 2023.

    Calzon, Bernardita. “Top 25 Dashboard Design Principles, Best Practices & How To’s.” Datapine, 5 Apr. 2023.

    “Data Literacy.” Tableau, n.d. Accessed 3 May 2023.

    “KPIs Don’t Improve Decision-Making In Most Organizations.” LinkedIn, n.d. Accessed 2 May 2023.

    Miller, Amanda. “A Comprehensive Guide to Accessible Data Visualization.” Betterment, 2020. Accessed May 2022.

    “Performance Management: Why Keeping Score Is so Important, and so Hard.” McKinsey. Accessed 2 May 2023.

    Vogel, Douglas, et al. Persuasion and the Role of Visual Presentation Support: The UM/3M Study. Management Information Systems Research Center School of Management University of Minnesota, 1986.

    Watson, Morag W., et al. ”IT’s Changing Mandate in an Age of Disruption.” The Economist Intelligence Unit Limited, 2021.

    Build a Service Desk Consolidation Strategy

    • Buy Link or Shortcode: {j2store}479|cart{/j2store}
    • member rating overall impact: 10.0/10 Overall Impact
    • member rating average dollars saved: After each Info-Tech experience, we ask our members to quantify the real-time savings, monetary impact, and project improvements our research helped them achieve.
    • member rating average days saved: Read what our members are saying
    • Parent Category Name: Service Desk
    • Parent Category Link: /service-desk
    • Incompatible technologies. Organizations with more than one service desk are likely to have many legacy IT service management (ITSM) solutions. These come with a higher support cost, costly skill-set maintenance, and the inability to negotiate volume licensing discounts.
    • Inconsistent processes. Organizations with more than one service desk often have incompatible processes, which can lead to inconsistent service support across departments, less staffing flexibility, and higher support costs.
    • Lack of data integration. Without a single system and consistent processes, IT leaders often have only a partial view of service support activities. This can lead to rigid IT silos, limit the ability to troubleshoot problems, and streamline process workflows.

    Our Advice

    Critical Insight

    • Every step should put people first. It’s tempting to focus the strategy on designing processes and technologies for the target architecture. However, the most common barrier to success is workforce resistance to change.
    • A consolidated service desk is an investment, not a cost-reduction program. Focus on efficiency, customer service, and end-user satisfaction. There will be many cost savings, but viewing them as an indirect consequence of the pursuit of efficiency and customer service is the best approach.

    Impact and Result

    • Conduct a comprehensive assessment of existing service desk people, processes, and technology.
    • Identify and retire resources and processes that are no longer meeting business needs, and consolidate and modernize resources and processes that are worth keeping.
    • Identify logistic and cost considerations and create a roadmap of consolidation initiatives.
    • Communicate the change and garner support for the consolidation initiative.

    Build a Service Desk Consolidation Strategy Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should build a service desk consolidation strategy, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Develop a shared vision

    Engage stakeholders to develop a vision for the project and perform a comprehensive assessment of existing service desks.

    • Build a Service Desk Consolidation Strategy – Phase 1: Develop a Shared Vision
    • Stakeholder Engagement Workbook
    • Consolidate Service Desk Executive Presentation
    • Consolidate Service Desk Assessment Tool
    • IT Skills Inventory and Gap Assessment Tool

    2. Design the consolidated service desk

    Outline the target state of the consolidated service desk and assess logistics and cost of consolidation.

    • Build a Service Desk Consolidation Strategy – Phase 2: Design the Consolidated Service Desk
    • Consolidate Service Desk Scorecard Tool
    • Consolidated Service Desk SOP Template
    • Service Desk Efficiency Calculator
    • Service Desk Consolidation TCO Comparison Tool

    3. Plan the transition

    Build a project roadmap and communication plan.

    • Build a Service Desk Consolidation Strategy – Phase 3: Plan the Transition
    • Service Desk Consolidation Roadmap
    • Service Desk Consolidation Communications and Training Plan Template
    • Service Desk Consolidation News Bulletin & FAQ Template
    [infographic]

    Workshop: Build a Service Desk Consolidation Strategy

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Engage Stakeholders to Develop a Vision for the Service Desk

    The Purpose

    Identify and engage key stakeholders.

    Conduct an executive visioning session to define the scope and goals of the consolidation.

    Key Benefits Achieved

    A list of key stakeholders and an engagement plan to identify needs and garner support for the change.

    A common vision for the consolidation initiative with clearly defined goals and objectives.

    Activities

    1.1 Identify key stakeholders and develop an engagement plan.

    1.2 Brainstorm desired service desk attributes.

    1.3 Conduct an executive visioning session to craft a vision for the consolidated service desk.

    1.4 Define project goals, principles, and KPIs.

    Outputs

    Stakeholder Engagement Workbook

    Executive Presentation

    2 Conduct a Full Assessment of Each Service Desk

    The Purpose

    Assess the overall maturity, structure, organizational design, and performance of each service desk.

    Assess current ITSM tools and how well they are meeting needs.

    Key Benefits Achieved

    A robust current state assessment of each service desk.

    An understanding of agent skills, satisfaction, roles, and responsibilities.

    An evaluation of existing ITSM tools and technology.

    Activities

    2.1 Review the results of diagnostics programs.

    2.2 Map organizational structure and roles for each service desk.

    2.3 Assess overall maturity and environment of each service desk.

    2.4 Assess current information system environment.

    Outputs

    Consolidate Service Desk Assessment Tool

    3 Design Target Consolidated Service Desk

    The Purpose

    Define the target state for consolidated service desk.

    Identify requirements for the service desk and a supporting solution.

    Key Benefits Achieved

    Detailed requirements and vision for the consolidated service desk.

    Gap analysis of current vs. target state.

    Documented standardized processes and procedures.

    Activities

    3.1 Identify requirements for target consolidated service desk.

    3.2 Build requirements document and shortlist for ITSM tool.

    3.3 Use the scorecard comparison tool to assess the gap between existing service desks and target state.

    3.4 Document standardized processes for new service desk.

    Outputs

    Consolidate Service Desk Scorecard Tool

    Consolidated Service Desk SOP

    4 Plan for the Transition

    The Purpose

    Break down the consolidation project into specific initiatives with a detailed timeline and assigned responsibilities.

    Plan the logistics and cost of the consolidation for process, technology, and facilities.

    Develop a communications plan.

    Key Benefits Achieved

    Initial analysis of the logistics and cost considerations to achieve the target.

    A detailed project roadmap to migrate to a consolidated service desk.

    A communications plan with responses to anticipated questions and objections.

    Activities

    4.1 Plan the logistics of the transition.

    4.2 Assess the cost and savings of consolidation to refine business case.

    4.3 Identify initiatives and develop a project roadmap.

    4.4 Plan communications for each stakeholder group.

    Outputs

    Consolidation TCO Tool

    Consolidation Roadmap

    Executive Presentation

    Communications Plan

    News Bulletin & FAQ Template

    Further reading

    Build a Service Desk Consolidation Strategy

    Manage the dark side of growth.

    ANALYST PERSPECTIVE

    A successful service desk consolidation begins and ends with people.

    "It’s tempting to focus strategic planning on the processes and technology that will underpin the consolidated service desk. Consistent processes and a reliable tool will cement the consolidation, but they are not what will hold you back.

    The most common barrier to a successful consolidation is workforce resistance to change. Cultural difference, perceived risks, and organizational inertia can hinder data gathering, deter collaboration, and impede progress from the start.

    Building a consolidated service desk is first and foremost an exercise in organizational change. Garner executive support for the project, enlist a team of volunteers to lead the change, and communicate with key stakeholders early and often. The key is to create a shared vision for the project and engage those who will be most affected."

    Sandi Conrad

    Senior Director, Infrastructure Practice

    Info-Tech Research Group

    Our understanding of the problem

    This Research is Designed For:

    • CIOs who need to reduce support costs and improve customer service.
    • IT leaders tasked with the merger of two or more IT organizations.
    • Service managers implementing a shared service desk tool.
    • Organizations rationalizing IT service management (ITSM) processes.

    This Research Will Help You:

    • Develop a shared vision for the consolidated service desk.
    • Assess key metrics and report on existing service desk architecture.
    • Design a target service desk architecture and assess how to meet the new requirements.
    • Deploy a strategic roadmap to build the consolidated service desk architecture.

    Executive summary

    Situation

    Every organization must grow to survive. Good growth makes an organization more agile, responsive, and competitive, which leads to further growth.

    The proliferation of service desks is a hallmark of good growth when it empowers the service of diverse end users, geographies, or technologies.

    Complication

    Growth has its dark side. Bad growth within a business can hinder agility, responsiveness, and competitiveness, leading to stagnation.

    Supporting a large number of service desks can be costly and inefficient, and produce poor or inconsistent customer service, especially when each service desk uses different ITSM processes and technologies.

    Resolution

    Manage the dark side of growth. Consolidating service desks can help standardize ITSM processes, improve customer service, improve service desk efficiency, and reduce total support costs. A consolidation is a highly visible and mission critical project, and one that will change the public face of IT. Organizations need to get it right.

    Building a consolidated service desk is an exercise in organizational change. The success of the project will hinge on how well the organization engages those who will be most affected by the change. Build a guiding coalition for the project, create a shared vision, enlist a team of volunteers to lead the change, and communicate with key stakeholders early and often.

    Use a structured approach to facilitate the development of a shared strategic vision, design a detailed consolidated architecture, and anticipate resistance to change to ensure the organization reaps project benefits.

    Info-Tech Insight

    1. Every step should put people first. It’s tempting to focus the strategy on designing processes and technologies for the target architecture. However, the most common barrier to success is workforce resistance to change.
    2. A consolidated service desk is an investment, not a cost-reduction program. Focus on efficiency, customer service, and end-user satisfaction. Cost savings, and there will be many, should be seen as an indirect consequence of the pursuit of efficiency and customer service.

    Focus the service desk consolidation project on improving customer service to overcome resistance to change

    Emphasizing cost reduction as the most important motivation for the consolidation project is risky.

    End-user satisfaction is a more reliable measure of a successful consolidation.

    • Too many variables affect the impact of the consolidation on the operating costs of the service desk to predict the outcome reliably.
    • Potential reductions in costs are unlikely to overcome organizational resistance to change.
    • Successful service desk consolidations can increase ticket volume as agents capture tickets more consistently and increase customer service.

    The project will generate many cost savings, but they will take time to manifest, and are best seen as an indirect consequence of the pursuit of customer service.

    Info-Tech Insight

    Business units facing a service desk consolidation are often concerned that the project will lead to a loss of access to IT resources. Focus on building a customer-focused consolidated service desk to assuage those fears and earn their support.

    End users, IT leaders, and process owners recognize the importance of the service desk.

    2nd out of 45

    On average, IT leaders and process owners rank the service desk 2nd in terms of importance out of 45 core IT processes. Source: Info-Tech Research Group, Management and Governance Diagnostic (2015, n = 486)

    42.1%

    On average, end users who were satisfied with service desk effectiveness rated all other IT services 42.1% higher than dissatisfied end users. Source: Info-Tech Research Group, End-User Satisfaction Survey 2015, n = 133)

    38.0%

    On average, end users who were satisfied with service desk timeliness rated all other IT services 38.0% higher than dissatisfied end users. Source: Info-Tech Research Group, End-User Satisfaction Survey (2015, n = 133)

    Overcome the perceived barriers from differing service unit cultures to pursue a consolidated service desk (CSD)

    In most organizations, the greatest hurdles that consolidation projects face are related to people rather than process or technology.

    In a survey of 168 service delivery organizations without a consolidated service desk, the Service Desk Institute found that the largest internal barrier to putting in place a consolidated service desk was organizational resistance to change.

    Specifically, more than 56% of respondents reported that the different cultures of each service unit would hinder the level of collaboration such an initiative would require.

    The image is a graph titled Island cultures are the largest barrier to consolidation. The graph lists Perceived Internal Barriers to CSD by percentage. The greatest % barrier is Island cultures, with executive resistance the next highest.

    Service Desk Institute (n = 168, 2007)

    Info-Tech Insight

    Use a phased approach to overcome resistance to change. Focus on quick-win implementations that bring two or three service desks together in a short time frame and add additional service desks over time.

    Avoid the costly proliferation of service desks that can come with organizational growth

    Good and bad growth

    Every organization must grow to survive, and relies heavily on its IT infrastructure to do that. Good growth makes an organization more agile, responsive, and competitive, and leads to further growth.

    However, growth has its dark side. Bad growth hobbles agility, responsiveness, and competitiveness, and leads to stagnation.

    As organizations grow organically and through mergers, their IT functions create multiple service desks across the enterprise to support:

    • Large, diverse user constituencies.
    • Rapidly increasing call volumes.
    • Broader geographic coverage.
    • A growing range of products and services.

    A hallmark of bad growth is the proliferation of redundant and often incompatible ITSM services and processes.

    Project triggers:

    • Organizational mergers
    • ITSM tool purchase
    • Service quality or cost-reduction initiatives
    Challenges arising from service desk proliferation:
    Challenge Impact
    Incompatible Technologies
    • Inability to negotiate volume discounts.
    • Costly skill set maintenance.
    • Increased support costs.
    • Increased shadow IT.
    Inconsistent Processes
    • Low efficiency.
    • High support costs.
    • Inconsistent support quality.
    • Less staffing flexibility.
    Lack of Data Integration
    • Only partial view of IT.
    • Inefficient workflows.
    • Limited troubleshooting ability.
    Low Customer Satisfaction
    • Fewer IT supporters.
    • Lack of organizational support.

    Consolidate service desks to integrate the resources, processes, and technology of your support ecosystem

    What project benefits can you anticipate?

    • Consolidated Service Desk
      • End-user group #1
      • End-user group #2
      • End-user group #3
      • End-user group #4

    A successful consolidation can significantly reduce cost per transaction, speed up service delivery, and improve the customer experience through:

    • Single point of contact for end users.
    • Integrated ITSM solution where it makes sense.
    • Standardized processes.
    • Staffing integration.
    Project Outcome

    Expected Benefit

    Integrated information The capacity to produce quick, accurate, and segmented reports of service levels across the organization.
    Integrated staffing Flexible management of resources that better responds to organizational needs.
    Integrated technology Reduced tool procurement costs, improved data integration, and increased information security.
    Standardized processes Efficient and timely customer service and a more consistent customer experience.

    Standardized and consolidated service desks will optimize infrastructure, services, and resources benefits

    • To set up a functioning service desk, the organization will need to invest resources to build and integrate tier 1, tier 2, and tier 3 capabilities to manage incidents and requests.
    • The typical service desk (Figure 1) can address a certain number of tickets from all three tiers. If your tickets in a given tier are less than that number, you are paying for 100% of service costs but consuming only a portion of it.
    • The consolidated model (Figure 2) reduces the service cost by reducing unused capacity.
    • Benefits of consolidation include a single service desk solution, a single point of contact for the business, data integration, process standardization, and consolidated administration, reporting, and management.

    The image is a graphic showing 2 figures. The first shows ring graphs labelled Service Desk 1 and Service Desk 2, with the caption Service provisioning with distinct service desks. Figure 2 shows one graphic, captioned Service provisioning with Consolidated service providers. At the bottom of the image, there is a legend.

    Info-Tech’s approach to service desk consolidation draws on key metrics to establish a baseline and a target state

    The foundation of a successful service desk consolidation initiative is a robust current state assessment. Given the project’s complexity, however, determining the right level of detail to include in the evaluation of existing service desks can be challenging.

    The Info-Tech approach to service desk consolidation includes:

    • Envisioning exercises to set project scope and garner executive support.
    • Surveys and interviews to identify the current state of people, processes, technologies, and service level agreements (SLAs) in each service desk, and to establish a baseline for the consolidated service desk.
    • Service desk comparison tools to gather the results of the current state assessment for analysis and identify current best practices for migration to the consolidated service desk.
    • Case studies to illustrate the full scope of the project and identify how different organizations deal with key challenges.

    The project blueprint walks through a method that helps identify which processes and technologies from each service desk work best, and it draws on them to build a target state for the consolidated service desk.

    Inspiring your target state from internal tools and best practices is much more efficient than developing new tools and processes from scratch.

    Info-Tech Insight

    The two key hurdles that a successful service desk consolidation must overcome are organizational complexity and resistance to change.

    Effective planning during the current state assessment can overcome these challenges.

    Identify existing best practices for migration to the consolidated service desk to foster agent engagement and get the consolidated service desk up quickly.

    A consolidation project should include the following steps and may involve multiple transition phases to complete

    Phase 1: Develop a Shared Vision

    • Identify stakeholders
    • Develop vision
    • Measure baseline

    Phase 2: Design the Consolidation

    • Design target state
    • Assess gaps to reach target
    • Assess logistics and cost

    Phase 3: Plan the Transition

    • Develop project plan and roadmap
    • Communicate changes
    • Make the transition
      • Evaluate and prepare for next transition phase (if applicable)
      • Evaluate and stabilize
        • CSI

    Whether or not your project requires multiple transition waves to complete the consolidation depends on the complexity of the environment.

    For a more detailed breakdown of this project’s steps and deliverables, see the next section.

    Follow Info-Tech’s methodology to develop a service desk consolidation strategy

    Phases Phase 1: Develop a Shared Vision Phase 2: Design the Consolidated Service Desk Phase 3: Plan the Transition
    Steps 1.1 - Identify and engage key stakeholders 2.1 - Design target consolidated service desk 3.1 - Build the project roadmap
    1.2 - Develop a vision to give the project direction
    1.3 - Conduct a full assessment of each service desk 2.2 - Assess logistics and cost of consolidation 3.2 - Communicate the change
    Tools & Templates Executive Presentation Consolidate Service Desk Scorecard Tool Service Desk Consolidation Roadmap
    Consolidate Service Desk Assessment Tool Consolidated Service Desk SOP Communications and Training Plan Template
    Service Desk Efficiency Calculator News Bulletin & FAQ Template
    Service Desk Consolidation TCO Comparison Tool

    Service desk consolidation is the first of several optimization projects focused on building essential best practices

    Info-Tech’s Service Desk Methodology aligns with the ITIL framework

    Extend

    Facilitate the extension of service management best practices to other business functions to improve productivity and position IT as a strategic partner.

    Standardize

    Build essential incident, service request, and knowledge management processes to create a sustainable service desk that meets business needs.

    Improve

    Build a continual improvement plan for the service desk to review and evaluate key processes and services, and manage the progress of improvement initiatives.

    Adopt Lean

    Build essential incident, service request, and knowledge management processes to create a sustainable service desk that boosts business value.

    Select and Implement

    Review mid-market and enterprise service desk tools, select an ITSM solution, and build an implementation plan to ensure your investment meets your needs.

    Consolidate

    Build a strategic roadmap to consolidate service desks to reduce end-user support costs and sustain end-user satisfaction.

    Our Approach to the Service Desk

    Service desk optimization goes beyond the blind adoption of best practices.

    Info-Tech’s approach focuses on controlling support costs and making the most of IT’s service management expertise to improve productivity.

    Complete the projects sequentially or in any order.

    Info-Tech draws on the COBIT framework, which focuses on consistent delivery of IT services across the organization

    The image shows Info-Tech's IT Management & Governance Framework. It is a grid of boxes, which are colour-coded by category. The framework includes multiple connected categories of research, including Infrastructure & Operations, where Service Desk is highlighted.

    Oxford University IT Service Desk successfully undertook a consolidation project to merge five help desks into one

    CASE STUDY

    Industry: Higher Education

    Source: Oxford University, IT Services

    Background

    Until 2011, three disparate information technology organizations offered IT services, while each college had local IT officers responsible for purchasing and IT management.

    ITS Service Desk Consolidation Project

    Oxford merged the administration of these three IT organizations into IT Services (ITS) in 2012, and began planning for the consolidation of five independent help desks into a single robust service desk.

    Complication

    The relative autonomy of the five service desks had led to the proliferation of different tools and processes, licensing headaches, and confusion from end users about where to acquire IT service.

    Oxford University IT at a Glance

    • One of the world’s oldest and most prestigious universities.
    • 36 colleges with 100+ departments.
    • Over 40,000 IT end users.
    • Roughly 350 ITS staff in 40 teams.
    • 300 more distributed IT staff.
    • Offers more than 80 services.

    Help Desks:

    • Processes → Business Services & Projects
    • Processes → Computing Services
    • Processes → ICT Support Team

    "IT Services are aiming to provide a consolidated service which provides a unified and coherent experience for users. The aim is to deliver a ‘joined-up’ customer experience when users are asking for any form of help from IT Services. It will be easier for users to obtain support for their IT – whatever the need, service or system." – Oxford University, IT Services

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    “Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.”

    Guided Implementation

    “Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.”

    Workshop

    “We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.”

    Consulting

    “Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”

    Diagnostics and consistent frameworks used throughout all four options

    Build a Service Desk Consolidation Strategy – project overview

    1. Develop shared vision 2. Design consolidation 3. Plan transition
    Best-Practice Toolkit

    1.1 Identify and engage key stakeholders

    1.2 Develop a vision to give the project direction

    1.3 Conduct a full assessment of each service desk

    2.1 Design target consolidated service desk

    2.2 Assess logistics and cost of consolidation

    3.1 Build project roadmap

    3.2 Communicate the change

    Guided Implementations
    • Build the project team and define their roles and responsibilities, then identify key stakeholders and formulate an engagement plan
    • Develop an executive visioning session plan to formulate and get buy-in for the goals and vision of the consolidation
    • Use diagnostics results and the service desk assessment tool to evaluate the maturity and environment of each service desk
    • Define the target state of the consolidated service desk in detail
    • Identify requirements for the consolidation, broken down by people, process, technology and by short- vs. long-term needs
    • Plan the logistics of the consolidation for process, technology, and facilities, and evaluate the cost and cost savings of consolidation with a TCO tool
    • Identify specific initiatives for the consolidation project and evaluate the risks and dependencies for each, then plot initiatives on a detailed project roadmap
    • Brainstorm potential objections and questions and develop a communications plan with targeted messaging for each stakeholder group
    Onsite Workshop

    Module 1: Engage stakeholders to develop a vision for the service desk

    Module 2: Conduct a full assessment of each service desk

    		Module 3: Design target consolidated service desk Module 4: Plan for the transition

    Phase 1 Outcomes:

    • Stakeholder engagement and executive buy-in
    • Vision for the consolidation
    • Comprehensive assessment of each service desk’s performance

    Phase 2 Outcomes:

    • Defined requirements, logistics plan, and target state for the consolidated service desk
    • TCO comparison

    Phase 3 Outcomes:

    • Detailed consolidation project roadmap
    • Communications plan and FAQs

    Info-Tech delivers: Use our tools and templates to accelerate your project to completion

    • Service Desk Assessment Tool (Excel)
    • Executive Presentation (PowerPoint)
    • Service Desk Scorecard Comparison Tool (Excel)
    • Service Desk Efficiency Calculator (Excel)
    • Service Desk Consolidation Roadmap (Excel)
    • Service Desk Consolidation TCO Tool (Excel)
    • Communications and Training Plan (Word)
    • Consolidation News Bulletin & FAQ Template (PowerPoint)

    Measured value for Guided Implementations (GIs)

    Engaging in GIs doesn’t just offer valuable project advice, it also results in significant cost savings.

    GI Measured Value
    Phase 1:
    • Time, value, and resources saved by using Info-Tech’s methodology to engage stakeholders, develop a project vision, and assess your current state.
    • For example, 2 FTEs * 10 days * $80,000/year = $6,200
    Phase 2:
    • Time, value, and resources saved by using Info-Tech’s tools and templates to design the consolidated service desk and evaluate cost and logistics.
    • For example, 2 FTEs * 5 days * $80,000/year = $3,100
    Phase 3:
    • Time, value, and resources saved by following Info-Tech’s tools and methodology to build a project roadmap and communications plan.
    • For example, 1 FTE * 5 days * $80,000/year = $1,500
    Total savings $10,800

    Workshop overview

    Contact your account representative or email Workshops@InfoTech.com for more information.

    Pre-Workshop Workshop Day 1 Workshop Day 2 Workshop Day 3 Workshop Day 4
    Activities

    Module 0: Gather relevant data

    0.1 Conduct CIO Business Vision Survey

    0.2 Conduct End-User Satisfaction Survey

    0.3 Measure Agent Satisfaction

    Module 1: Engage stakeholders to develop a vision for the service desk

    1.1 Identify key stakeholders and develop an engagement plan

    1.2 Brainstorm desired service desk attributes

    1.3 Conduct an executive visioning session to craft a vision for the consolidated service desk

    1.4 Define project goals, principles, and KPIs

    Module 2: Conduct a full assessment of each service desk

    2.1 Review the results of diagnostic programs

    2.2 Map organizational structure and roles for each service desk

    2.3 Assess overall maturity and environment of each service desk

    2.4 Assess current information system environment

    Module 3: Design target consolidated service desk

    3.1 Identify requirements for target consolidated service desk

    3.2 Build requirements document and shortlist for ITSM tool

    3.3 Use the scorecard comparison tool to assess the gap between existing service desks and target state

    3.4 Document standardized processes for new service desk

    Module 4: Plan for the transition

    4.1 Plan the logistics of the transition

    4.2 Assess the cost and savings of consolidation to refine business case

    4.3 Identify initiatives and develop a project roadmap

    4.4 Plan communications for each stakeholder group

    Deliverables
    1. CIO Business Vision Survey Diagnostic Results
    2. End-User Satisfaction Survey Diagnostic Results
    1. Stakeholder Engagement Workbook
    2. Executive Presentation
    1. Consolidate Service Desk Assessment Tool
    1. Consolidate Service Desk Scorecard Tool
    2. Consolidated Service Desk SOP
    1. Consolidation TCO Tool
    2. Executive Presentation
    3. Consolidation Roadmap
    4. Communications Plan
    5. News Bulletin & FAQ Template

    Insight breakdown

    Phase 1 Insight

    Don’t get bogged down in the details. A detailed current state assessment is a necessary first step for a consolidation project, but determining the right level of detail to include in the evaluation can be challenging. Gather enough data to establish a baseline and make an informed decision about how to consolidate, but don’t waste time collecting and evaluating unnecessary information that will only distract and slow down the project, losing management interest and buy-in.

    How we can help

    Leverage the Consolidate Service Desk Assessment Tool to gather the data you need to evaluate your existing service desks.

    Phase 2 Insight

    Select the target state that is right for your organization. Don’t feel pressured to move to a complete consolidation with a single point of contact if it wouldn’t be compatible with your organization’s needs and abilities, or if it wouldn’t be adopted by your end users. Design an appropriate level of standardization and centralization for the service desk and reinforce and improve processes moving forward.

    How we can help

    Leverage the Consolidate Service Desk Scorecard Tool to analyze the gap between your existing processes and your target state.

    Phase 3 Insight

    Getting people on board is key to the success of the consolidation, and a communication plan is essential to do so. Develop targeted messaging for each stakeholder group, keeping in mind that your end users are just as critical to success as your staff. Know your audience, communicate to them often and openly, and ensure that every communication has a purpose.

    How we can help

    Leverage the Communications Plan and Consolidation News Bulletin & FAQ Template to plan your communications.

    Phase 1

    Develop a Shared Vision

    Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

    Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

    Guided Implementation 1: Develop shared vision

    Proposed Time to Completion (in weeks): 4-8

    Step 1.1: Identify and engage key stakeholders

    Discuss with an analyst:

    • Build the project team and define their roles and responsibilities
    • Identify key stakeholders and formulate an engagement plan

    Then complete these activities…

    • Assign project roles and responsibilities
    • Identify key stakeholders
    • Formalize an engagement plan and conduct interviews

    With these tools & templates:

    Stakeholder Engagement Workbook

    Step 1.2: Develop a vision to give the project direction

    Discuss with an analyst:

    • Develop an executive visioning session plan to formulate and get buy-in for the goals and vision of the consolidation

    Then complete these activities…

    • Host an executive visioning exercise to define the scope and goals of the consolidation

    With these tools & templates:

    Consolidate Service Desk Executive Presentation

    Step 1.3: Conduct a full assessment of each service desk

    Discuss with an analyst:

    • Use diagnostics results and the service desk assessment tool to evaluate the maturity and environment of each service desk
    • Assess agent skills, satisfaction, roles and responsibilities

    Then complete these activities…

    • Analyze organizational structure
    • Assess maturity and environment of each service desk
    • Assess agent skills and satisfaction

    With these tools & templates:

    Consolidate Service Desk Assessment Tool

    IT Skills Inventory and Gap Assessment Tool

    Phase 1 Outcome:

    • A common vision for the consolidation initiative, an analysis of existing service desk architectures, and an inventory of existing best practices.

    Step 1.1: Get buy-in from key stakeholders

    Phase 1

    Develop a shared vision

    1.1 Identify and engage key stakeholders

    1.2 Develop a vision to give the project direction

    1.3 Conduct a full assessment of each service desk

    This step will walk you through the following activities:
    • 1.1.1 Assign roles and responsibilities
    • 1.1.2 Identify key stakeholders for the consolidation
    • 1.1.3 Conduct stakeholder interviews to understand needs in more depth, if necessary
    This step involves the following participants:
    • Project Sponsor
    • CIO or IT Director
    • Project Manager
    • IT Managers and Service Desk Manager(s)
    Step Outcomes:
    • A project team with clearly defined roles and responsibilities
    • A list of key stakeholders and an engagement plan to identify needs and garner support for the change

    Oxford consulted with people at all levels to ensure continuous improvement and new insights

    CASE STUDY

    Industry: Higher Education

    Source: Oxford University, IT Services

    Motivation

    The merging of Oxford’s disparate IT organizations was motivated primarily to improve end-user service and efficiency.

    Similarly, ITS positioned the SDCP as an “operational change,” not to save costs, but to provide better service to their customers.

    "The University is quite unique in the current climate in that reduction in costs was not one of the key drivers behind the project. The goal was to deliver improved efficiencies and offer a single point of contact for their user base." – Peter Hubbard, ITSM Consultant Pink Elephant

    Development

    Oxford recognized early that they needed an open and collaborative environment to succeed.

    Key IT and business personnel participated in a “vision workshop” to determine long- and short-term objectives, and to decide priorities for the consolidated service desk.

    "Without key support at this stage many projects fail to deliver the expected outcomes. The workshop involved the key stakeholders of the project and was deemed a successful and positive exercise, delivering value to this stage of the project by clarifying the future desired state of the Service Desk." – John Ireland, Director of Customer Service & Project Sponsor

    Deployment

    IT Services introduced a Service Desk Consolidation Project Blog very early into the project, to keep everyone up-to-date and maintain key stakeholder buy-in.

    Constant consultation with people at all levels led to continuous improvement and new insights.

    "We also became aware that staff are facing different changes depending on the nature of their work and which toolset they use (i.e. RT, Altiris, ITSM). Everyone will have to change the way they do things at least a little – but the changes depend on where you are starting from!" – Jonathan Marks, Project Manager

    Understand and validate the consolidation before embarking on the project

    Define what consolidation would mean in the context of your organization to help validate and frame the scope of the project before proceeding.

    What is service desk consolidation?

    Service desk consolidation means combining multiple service desks into one centralized, single point of contact.

    • Physical consolidation = personnel and assets are combined into a single location
    • Virtual consolidation = service desks are combined electronically

    Consolidation must include people, process, and technology:

    1. Consolidation of some or all staff into one location
    2. Consolidation of processes into a single set of standardized processes
    3. One consolidated technology platform or ITSM tool

    Consolidation can take the form of:

    1. Merging multiple desks into one
    2. Collapsing multiple desks into one
    3. Connecting multiple desks into a virtual desk
    4. Moving all desks to one connected platform

    Service Desk 1 - Service Desk 2 - Service Desk 3

    Consolidated Service Desk

    Info-Tech Insight

    Consolidation isn’t for everyone.

    Before you embark on the project, think about unique requirements for your organization that may necessitate more than one service desk, such as location-specific language. Ask yourself if consolidation makes sense for your organization and would achieve a benefit for the organization, before proceeding.

    1.1 Organize and build the project team to launch the project

    Solidify strong support for the consolidation and get the right individuals involved from the beginning to give the project the commitment and direction it requires.

    Project Sponsor
    • Has direct accountability to the executive team and provides leadership to the project team.
    • Legitimatizes the consolidation and provides necessary resources to implement the project.
    • Is credible, enthusiastic, and understands the organization’s culture and values.
    Steering Committee
    • Oversees the effort.
    • Ensures there is proper support from the organization and provides resources where required.
    • Resolves any conflicts.
    Core Project Team
    • Full-time employees drawn from roles that are critical to the service desk, and who would have a strong understanding of the consolidation goals and requirements.
    • Ideal size: 6-10 full-time employees.
    • May include roles defined in the next section.

    Involve the right people to drive and facilitate the consolidation

    Service desk consolidations require broad support and capabilities beyond only those affected in order to deal with unforeseen risks and barriers.

    • Project manager: Has primary accountability for the success of the consolidation project.
    • Senior executive project sponsor: Needed to “open doors” and signal organization’s commitment to the consolidation.
    • Technology SMEs and architects: Responsible for determining and communicating requirements and risks of the technology being implemented or changed, especially the ITSM tool.
    • Business unit leads: Responsible for identifying and communicating impact on business functions, approving changes, and helping champion change.
    • Product/process owners: Responsible for identifying and communicating impact on business functions, approving changes, and helping champion change.
    • HR specialists: Most valuable when roles and organizational design are affected, i.e. the consolidation requires staff redeployment or substantial training (not just using a new system or tool but acquiring new skills and responsibilities) or termination.
    • Training specialists: If you have full-time training staff in the organization, you will eventually need them to develop training courses and material. Consulting them early will help with scoping, scheduling, and identifying the best resources and channels to deliver the training.
    • Communications specialists (internal): Valuable in crafting communications plan, required if communications function owns internal communications.

    Use a RACI table (e.g. in the following section) to clarify who is to be accountable, responsible, consulted, and informed.

    Info-Tech Insight

    The more transformational the change, the more it will affect the organizational chart – not just after the implementation but through the transition.

    Take time early in the project to define the reporting structure for the project/transition team, as well as any teams and roles supporting the transition.

    Assign roles and responsibilities

    1.1.1 Use a RACI chart to assign overarching project responsibilities

    Participants
    • Project Sponsor
    • IT Director, CIO
    • Project Manager
    • IT Managers and Service Desk Manager(s)
    What You'll Need
    • RACI chart

    RACI = Responsible, Accountable, Consulted, Informed

    The RACI chart will provide clarity for overarching roles and responsibilities during the consolidation.

    1. Confirm and modify the columns to match the stakeholders in your organization.
    2. Confirm and modify the roles listed as rows if there are obvious gaps or opportunities to consolidate rows.
    3. Carefully analyze and document the roles as a group.
    Task Project Sponsor Project Manager Sr. Executives SMEs Business Lead Service Desk Managers HR Trainers Communications
    Meeting project objectives A R A R R
    Identifying risks and opportunities R A A C C C C I I
    Assessing current state I A I R C R
    Defining target state I A I C C R
    Planning logistics I A I R R C R
    Building the action plan I A C R R R R R R
    Planning and delivering communications I A C C C C R R A
    Planning and delivering training I A C C C C R R C
    Gathering and analyzing feedback and KPIs I A C C C C C R R

    Identify key stakeholders to gather input from the business, get buy-in for the project, and plan communications

    Identify the key stakeholders for the consolidation to identify the impact consolidation will have on them and ensure their concerns don’t get lost.

    1. Use a stakeholder analysis to identify the people that can help ensure the success of your project.
    2. Identify an Executive Sponsor
      • A senior-level project sponsor is someone who will champion the consolidation project and help sell the concept to other stakeholders. They can also ensure that necessary financial and human resources will be made available to help secure the success of the project. This leader should be someone who is credible, tactful, and accessible, and one who will not only confirm the project direction but also advocate for the project.

    Why is a stakeholder analysis essential?

    • Ignoring key stakeholders is an important cause of failed consolidations.
    • You can use the opinions of the most influential stakeholders to shape the project at an early stage.
    • Their support will secure resources for the project and improve the quality of the consolidation.
    • Communicating with key stakeholders early and often will ensure they fully understand the benefits of your project.
    • You can anticipate the reaction of key stakeholders to your project and plan steps to win their support.

    Info-Tech Insight

    Be diverse and aware. When identifying key stakeholders for the project, make sure to include a rich diversity of stakeholder expertise, geography, and tactics. Also, step back and add silent members to your list. The loudest voices and heaviest campaigners are not necessarily your key stakeholders.

    Identify key stakeholders for the consolidation

    1.1.2 Identify project stakeholders, particularly project champions

    Participants
    • CIO/IT Director
    • Project Sponsor
    • Project Manager
    • IT Managers
    What You’ll Need
    • Whiteboard or flip chart and markers

    Goal: Create a prioritized list of people who are affected or can affect your project so you can plan stakeholder engagement and communication.

    • Use an influence/commitment matrix to determine where your stakeholders lie.
    • High influence, high commitment individuals should be used in conjunction with your efforts to help bring others on board. Identify these individuals and engage with them immediately.
    • Beware of the high influence, low commitment individuals. They should be the first priority for engagement.
    • High commitment, low influence individuals can be used to help influence the low influence, low commitment individuals. Designate a few of these individuals as “champions” to help drive engagement on the front lines.

    Outcome: A list of key stakeholders to include on your steering committee and your project team, and to communicate with throughout the project.

    The image is a matrix, with Influence on the Y-axis and Commitment to change on the X-axis. It is a blank template.

    Overcome the value gap by gathering stakeholder concerns

    Simply identifying and engaging your stakeholders is not enough. There needs to be feedback: talk to your end users to ensure their concerns are heard and determine the impact that consolidation will have on them. Otherwise, you risk leaving value on the table.

    • Talk to the business end users who will be supported by the consolidated service desk.
    • What are their concerns about consolidation?
    • Which functions and services are most important to them? You need to make sure these won't get lost.
    • Try to determine what impact consolidation will have on them.

    According to the Project Management Institute, only 25% of individuals fully commit to change. The remaining 75% either resist or simply accept the change. Gathering stakeholder concerns is a powerful way to gain buy-in.

    The image is a graph with Business Value on the Y-Axis and Time on the X-Axis. Inside the graph, there is a line moving horizontally, separated into segments: Installation, Implementation, and Target Value. The line inclines during the first two segments, and is flat during the last. Emerging from the space between Installation and Implementation is a second line marked Actual realized value. The space between the target value line and the actual realized value line is labelled: Value gap.

    Collect relevant quantitative and qualitative data to assess key stakeholders’ perceptions of IT across the organization

    Don’t base your consolidation on a hunch. Gather reliable data to assess the current state of IT.

    Solicit direct feedback from the organization to gain critical insights into their perceptions of IT.

    • CIO Business Vision: Understanding the needs of your stakeholders is the first and most important step in building a consolidation strategy. Use the results of this survey to assess the satisfaction and importance of different IT services.
    • End-User Satisfaction: Solicit targeted department feedback on core IT service capabilities, IT communications, and business enablement. Use the results to assess the satisfaction of end users with each service broken down by department and seniority level.

    We recommend completing at least the End-User Satisfaction survey as part of your service desk consolidation assessment and planning. An analyst will help you set up the diagnostic and walk through the report with you.

    To book a diagnostic, or get a copy of our questions to inform your own survey, visit Info-Tech’s Benchmarking Tools, contact your account manager, or call toll-free 1-888-670-8889 (US) or 1-844-618-3192 (CAN).

    Data-Driven Diagnostics:

    End-User Satisfaction Survey

    CIO Business Vision

    Review the results of your diagnostics in step 1.3

    Formalize an engagement plan to cultivate support for the change from key stakeholders

    Use Info-Tech’s Stakeholder Engagement Workbook to formalize an engagement strategy

    If a more formal engagement plan is required for this project, use Info-Tech’s Stakeholder Engagement Workbook to document an engagement strategy to ensure buy-in for the consolidation.

    The engagement plan is a structured and documented approach for gathering requirements by eliciting input and validating plans for change and cultivating sponsorship and support from key stakeholders early in the project lifecycle.

    The Stakeholder Engagement Workbook situates stakeholders on a grid that identifies which ones have the most interest in and influence on your project, to assist you in developing a tailored engagement strategy.

    You can also use this analysis to help develop a communications plan for each type of stakeholder in step 3.2.

    Conduct stakeholder interviews to understand needs in more depth, if necessary

    1.1.3 Interview key stakeholders to identify needs

    • If the consolidation will be a large and complex project and there is a need to understand requirements in more depth, conduct stakeholder interviews with “high-value targets” who can help generate requirements and promote communication around requirements at a later point.
    • Choose the interview method that is most appropriate based on available resources.
    Method Description Assessment and Best Practices Stakeholder Effort Business Analyst Effort
    Structured One-on-One Interview In a structured one-on-one interview, the business analyst has a fixed list of questions to ask the stakeholder and follows up where necessary. Structured interviews provide the opportunity to quickly hone in on areas of concern that were identified during process mapping or group elicitation techniques. They should be employed with purpose – to receive specific stakeholder feedback on proposed requirements or help identify systemic constraints. Generally speaking, they should be 30 minutes or less. Low

    Medium

    Unstructured One-on-One Interview In an unstructured one-on-one interview, the business analyst allows the conversation to flow freely. The BA may have broad themes to touch on, but does not run down a specific question list. Unstructured interviews are most useful for initial elicitation, when brainstorming a draft list of potential requirements is paramount. Unstructured interviews work best with senior stakeholders (sponsors or power users), since they can be time consuming if they’re applied to a large sample size. It’s important for BAs not to stifle open dialog and allow the participants to speak openly. They should be 60 minutes or less. Medium Low

    Step 1.2: Develop a vision to give the project direction

    Phase 1

    Develop a shared vision

    1.1 Get buy-in from key stakeholders

    1.2 Develop a vision to give the project direction

    1.3 Conduct a full assessment of each service desk

    This step will walk you through the following activities:
    • 1.2.1 Brainstorm desired attributes for the consolidated service desk to start formulating a vision
    • 1.2.2 Develop a compelling vision and story of change
    • 1.2.3 Create a vision for the consolidated service desk
    • 1.2.4 Identify the purpose, goals, and guiding principles of the consolidation project
    • 1.2.5 Identify anticipated benefits and associated KPIs
    • 1.2.6 Conduct a SWOT analysis on the business
    This step involves the following participants:
    • Project Sponsor
    • IT Director, CIO
    • IT Managers and Service Desk Manager(s)
    • Business Executives
    Step outcomes

    A shared vision for the consolidated service desk that:

    • Defines the scope of the consolidation
    • Encompasses the goals and guiding principles of the project
    • Identifies key attributes of the consolidated service desk and anticipated benefits it will bring
    • Is documented in an executive presentation

    Hold an executive visioning session to kick off the project

    A major change such as service desk consolidation requires a compelling vision to engage staff and motivate them to comprehend and support the change.

    After identifying key stakeholders, gather them in a visioning session or workshop to establish a clear direction for the project.

    An executive visioning session can take up to two days of focused effort and activities with the purpose of defining the short and long-term view, objectives, and priorities for the new consolidated service desk.

    The session should include the following participants:

    • Key stakeholders identified in step 1.1, including:
      • IT management and CIO
      • Project sponsor
      • Business executives interested in the project

    The session should include the following tasks:

    • Identify and prioritize the desired outcome for the project
    • Detail the scope and definition of the consolidation
    • Identify and assess key problems and opportunities
    • Surface and challenge project assumptions
    • Clarify the future desired state of the service desk
    • Determine how processes, functions, and systems are to be included in a consolidation analysis
    • Establish a degree of ownership by senior management

    The activities throughout this step are designed to be included as part of the visioning session

    Choose the attributes of your desired consolidated service desk

    Understand what a model consolidated service desk should look like before envisioning your target consolidated service desk.

    A consolidated service desk should include the following aspects:

    • Handles all customer contacts – including internal and external users – across all locations and business units
    • Provides a single point of contact for end users to submit requests for help
    • Handles both incidents and service requests, as well as any additional relevant ITIL modules such as problem, change, or asset management
    • Consistent, standardized processes and workflows
    • Single ITSM tool with workflows for ticket handling, prioritization, and escalations
    • Central data repository so that staff have access to all information needed to resolve issues quickly and deliver high-quality service, including:
      • IT infrastructure information (such as assets and support contracts)
      • End-user information (including central AD, assets and products owned, and prior interactions)
      • Knowledgebase containing known resolutions and workarounds

    Consolidated Service Desk

    • Service Desk 1
    • Service Desk 2
    • Service Desk 3
    • Consolidated staff
    • Consolidated ITSM tool
    • Consolidated data repository

    Brainstorm desired attributes for the consolidated service desk to start formulating a vision

    1.2.1 Identify the type of consolidation and desired service desk attributes

    Participants
    • Project Sponsor
    • IT Director, CIO
    • IT Managers and Service Desk Manager(s)
    • Other interested business executives
    What You'll Need
    • Whiteboard or flip chart and markers
    Document

    Document in the Consolidate Service Desk Executive Presentation, slide 6.

    Brainstorm the model and attributes of the target consolidated service desk. You will use this to formulate a vision and define more specific requirements later on.
    1. Identify the type of consolidation: virtual, physical, or hybrid (both)
    2. Identify the level of consolidation: partial (some service desks consolidated) or complete (all service desks consolidated)
    Consolidated Service Desk Model Level of Consolidation
    Partial Complete
    Type of Consolidation Virtual
    Physical
    Hybrid

    3. As a group, brainstorm and document a list of attributes that the consolidated service desk should have.

    Examples:

    • Single point of contact for all users
    • One ITSM tool with consistent built-in automated workflows
    • Well-developed knowledgebase
    • Self-serve portal for end users with ability to submit and track tickets
    • Service catalog

    Develop a compelling vision and story of change

    1.2.2 Use a vision table to begin crafting the consolidation vision

    Participants
    • Project Sponsor
    • IT Director, CIO
    • IT Managers and Service Desk Manager(s)
    • Other interested business executives
    What You'll Need
    • Whiteboard or flip chart and markers
    Document

    Document in the Consolidate Service Desk Executive Presentation, slide 7.

    Build desire for change.

    In addition to standard high-level scope elements, consolidation projects that require organizational change also need a compelling story or vision to influence groups of stakeholders.

    Use the vision table below to begin developing a compelling vision and story of change.

    Why is there a need to consolidate service desks?
    How will consolidation benefit the organization? The stakeholders?
    How did we determine this is the right change?
    What would happen if we didn’t consolidate?
    How will we measure success?

    Develop a vision to inspire and sustain leadership and commitment

    Vision can be powerful but is difficult to craft. As a result, vision statements often end up being ineffective (but harmless) platitudes.

    A service desk consolidation project requires a compelling vision to energize staff and stakeholders toward a unified goal over a sustained period of time.

    Great visions:

    • Tell a story. They describe a journey with a beginning (who we are and how we got here) and a destination (our goals and expected success in the future).
    • Convey an intuitive sense of direction (or “spirit of change”) that helps people act appropriately without being explicitly told what to do.
    • Appeal to both emotion and reason to make people want to be part of the change.
    • Balance abstract ideas with concrete facts. Without concrete images and facts, the vision will be meaninglessly vague. Without abstract ideas and principles, the vision will lack power to unite people and inspire broad support.
    • Are concise enough to be easy to communicate and remember in any situation.

    Info-Tech Insight

    Tell a story. Stories pack a lot of information into few words. They are easy to write, remember, and most importantly – share. It’s worth spending a little extra time to get the details right.

    Create a vision for the consolidated service desk

    1.2.3 Tell a story to describe the consolidated service desk vision

    Participants
    • Project Sponsor
    • IT Director, CIO
    • IT Managers and Service Desk Manager(s)
    What You'll Need
    • Whiteboard or flip chart and markers
    • Document in the Executive Presentation, slide 8.

    Craft a vision of the future state of the service desk.

    Tell a story.

    Stories serve to give the consolidation real-world context by describing what the future state will mean for both staff and users of the service desk. The story should sum up the core of the experience of using the consolidated service desk and reflect how the service desk will fit into the life of the user.

    Stories should include:

    • Action describing the way things happen.
    • Contextual detail that helps readers relate to the person in the story.
    • Challenging ideas that contradict common belief and may be disruptive, but help suggest new directions.
    Example:

    Imagine if…

    … users could access one single online service that allows them to submit a ticket through a self-service portal and service catalog, view the status of their ticket, and receive updates about organization-wide outages and announcements. They never have to guess who to contact for help with a particular type of issue or how to contact them as there is only one point of contact for all types of incidents and service requests.

    … all users receive consistent service delivery regardless of their location, and never try to circumvent the help desk or go straight to a particular technician for help as there is only one way to get help by submitting a ticket through a single service desk.

    … tickets from any location could be easily tracked, prioritized, and escalated using standardized definitions and workflows to ensure consistent service delivery and allow for one set of SLAs to be defined and met across the organization.

    Discuss the drivers of the consolidation to identify the goals the project must achieve

    Identifying the reasons behind the consolidation will help formulate the vision for the consolidated service desk and the goals it should achieve.

    The image is a graph, titled Deployment Drivers for Those Planning a Consolidated Service Desk. From highest to lowest, they are: Improved Service Delivery/Increased Productivity; Drive on Operational Costs; and Perceived Best Practice.

    Service Desk Institute (n = 20, 2007)

    A survey of 233 service desks considering consolidation found that of the 20 organizations that were in the planning stages of consolidation, the biggest driver was to improve service delivery and/or increase productivity.

    This is in line with the recommendation that improved service quality should be the main consolidation driver over reducing costs.

    This image is a graph titled Drivers Among Those Who Have Implemented a Consolidated Service Desk. From highest to lowest, they are: Improved Service Delivery/Increased Productivity; Best Practice; Drive on Operational Costs; Internal vs Outsourcing; and Legacy.

    Service Desk Institute (n = 43, 2007)

    The drivers were similar among the 43 organizations that had already implemented a consolidated service desk, with improved service delivery and increased productivity again the primary driver.

    Aligning with best practice was the second most cited driver.

    Identify the purpose, goals, and guiding principles of the consolidation project

    1.2.4 Document goals of the project

    Participants
    • Project Sponsor
    • IT Director, CIO
    • IT Managers and Service Desk Manager(s)
    What You'll Need
    • Whiteboard or flip chart and markers
    • Document in the Executive Presentation, slide 9.

    Use the results of your stakeholder analysis and interviews to facilitate a discussion among recommended participants and document the purpose of the consolidation project, the goals the project aims to achieve, and the guiding principles that must be followed.

    Use the following example to guide your discussion:

    Purpose The purpose of consolidating service desks is to improve service delivery to end users and free up more time and resources to achieve the organization’s core mission.
    Goals
    • Align IT resources with business strategies and priorities
    • Provide uniform quality and consistent levels of service across all locations
    • Improve the end-user experience by reducing confusion about where to get help
    • Standardize service desk processes to create efficiencies
    • Identify and eliminate redundant functions or processes
    • Combine existing resources to create economies of scale
    • Improve organizational structure, realign staff with appropriate job duties, and improve career paths
    Guiding Principles

    The consolidated service desk must:

    1. Provide benefit to the organization without interfering with the core mission of the business
    2. Balance cost savings with service quality
    3. Increase service efficiency without sacrificing service quality
    4. Not interfere with service delivery or the experience of end users
    5. Be designed with input from key stakeholders

    Identify the anticipated benefits of the consolidation to weigh them against risks and plan future communications

    The primary driver for consolidation of service desks is improved service delivery and increased productivity. This should relate to the primary benefits delivered by the consolidation, most importantly, improved end-user satisfaction.

    A survey of 43 organizations that have implemented a consolidated service desk identified the key benefits delivered by the consolidation (see chart at right).

    The image is a bar graph titled Benefits Delivered by Consolidated Service Desk. The benefits, from highest to lowest are: Increased Customer Satisfaction; Optimised Resourcing; Cost Reduction; Increased Productivity/Revenue; Team Visibility/Ownership; Reporting/Accountability.

    Source: Service Desk Institute (n = 43, 2007)

    Info-Tech Insight

    Cost reduction may be an important benefit delivered by the consolidation effort, but it should not be the most valuable benefit delivered. Focus communications on anticipated benefits for improved service delivery and end-user satisfaction to gain buy-in for the project.

    Identify anticipated outcomes and benefits of consolidation

    1.2.5 Use a “stop, start, continue” exercise to identify KPIs

    What You'll Need
    • Whiteboard or flip chart and markers
    Participants
    • Project Sponsor
    • IT Director, CIO
    • IT Managers and Service Desk Manager(s)
    Document

    Document in the Executive Presentation, slide 10

    1. Divide the whiteboard into 3 columns: stop, start, and continue
    2. Identify components of your service desk that:
    • Are problematic and should be phased out (stop)
    • Provide value but are not in place yet (start)
    • Are effective and should be sustained, if not improved (continue)
  • For each category, identify initiatives or outcomes that will support the desired goals and anticipated benefits of consolidation.
    • Stop Start Continue
    • Escalating incidents without following proper protocol
    • Allowing shoulder taps
    • Focusing solely on FCR as a measure of success
    • Producing monthly ticket trend reports
    • Creating a self-serve portal
    • Communicating performance to the business
    • Writing knowledgebase articles
    • Improving average TTR
    • Holding weekly meetings with team members

    Use a SWOT analysis to assess the service desk

    • A SWOT analysis is a structured planning method that organizations can use to evaluate the strengths, weaknesses, opportunities, and threats involved in a project or business venture.
    • Use a SWOT analysis to identify the organization’s current IT capabilities and classify potential disruptive technologies as the first step toward preparing for them.
    Review these questions...
    Strengths (Internal) Weaknesses (Internal)
    • What Service Desk processes provide value?
    • How does the Service Desk align with corporate/IT strategy?
    • How does your Service Desk benefit end users?
    • Does the Service Desk produce reports or data that benefit the business?
    • Does your Service Desk culture offer an advantage?
    • What areas of your service desk require improvement?
    • Are there gaps in capabilities?
    • Do you have budgetary limitations?
    • Are there leadership gaps (succession, poor management, etc.)?
    • Are there reputational issues with the business?
    Opportunities (External) Threats (External)
    • Are end users adopting hardware or software that requires training and education for either themselves or the Service Desk staff?
    • Can efficiencies be gained by consolidating our Service Desks?
    • What is the most cost-effective way to solve the user's technology problems and get them back to work?
    • How can we automate Service Desk processes?
    • Are there obstacles that the Service Desk must face?
    • Are there issues with respect to sourcing of staff or technologies?
    • Could the existing Service Desk metrics be affected?
    • Will the management team need changes to their reporting?
    • Will SLAs need to be adjusted?

    …to help you conduct your SWOT analysis on the service desk.

    Strengths (Internal) Weaknesses (Internal)
    • End user satisfaction >80%
    • Comprehensive knowledgebase
    • Clearly defined tiers
    • TTR on tickets is <1 day
    • No defined critical incident workflow
    • High cost to solve issues
    • Separate toolsets create disjointed data
    • No root cause analysis
    • Ineffective demand planning
    • No clear ticket categories
    Opportunities (External) Threats (External)
    • Service catalog
    • Ticket Templates
    • Ticket trend analysis
    • Single POC through the use of one tool
    • Low stakeholder buy-in
    • Fear over potential job loss
    • Logistics of the move
    • End user alienation over process change

    Conduct a SWOT analysis on the business

    1.2.6 Conduct SWOT analysis

    Participants
    • Project Sponsor
    • IT Director, CIO
    • IT Managers and Service Desk Manager(s)
    What You'll Need
    • Whiteboard or flip chart and markers
    Document
    • Document in the Executive Presentation, slide 11
    1. Break the group into two teams:
    • Assign team A strengths and weaknesses.
    • Assign team B opportunities and threats.
  • Have the teams brainstorm items that fit in their assigned areas.
    • Refer to the questions on the previous slide to help guide discussion
  • Choose someone from each group to fill in the grid on the whiteboard.
  • Conduct a group discussion about the items on the list.
    • Helpful to achieving the objective Harmful to achieving the objective
    Internal origin attributes of the organization Strengths Weaknesses

    External Origin attributes of the environment

    		Opportunities Threats

    Frame your project in terms of people, process, technology

    A framework should be used to guide the consolidation effort and provide a standardized basis of comparison between the current and target state.

    Frame the project in terms of the change and impact it will have on:

    • People
    • Process
    • Technology

    Service desk consolidation will likely have a significant impact in all three categories by standardizing processes, implementing a single service management tool, and reallocating resources. Framing the project in this way will ensure that no aspect goes forgotten.

    For each of the three categories, you will identify:

    • Current state
    • Target state
    • Gap and actions required
    • Impact, risks, and benefits
    • Communication and training requirements
    • How to measure progress/success

    People

    • Tier 1 support
    • Tier 2 support
    • Tier 3 support
    • Vendors

    Process

    • Incident management
    • Service request management
    • SLAs

    Technology

    • ITSM tools
    • Knowledgebase
    • CMDB and other databases
    • Technology supported

    Complete the Consolidate Service Desk Executive Presentation

    Complete an executive presentation using the decisions made throughout this step

    Use the Consolidate Service Desk Executive Presentation to deliver the outputs of your project planning to the business and gain buy-in for the project.

    1. Use the results of the activities throughout step 1.2 to produce the key takeaways for your executive presentation.
    2. At the end of the presentation, include 1-2 slides summarizing any additional information specific to your organization.
    3. Once complete, pitch the consolidation project to the project sponsor and executive stakeholders.
      • This presentation needs to cement buy-in for the project before any other progress is made.

    Step 1.3: Conduct a full assessment of each service desk

    Phase 1

    Develop a shared vision

    1.1 Get buy-in from key stakeholders

    1.2 Develop a vision to give the project direction

    1.3 Conduct a full assessment of each service desk

    This step will walk you through the following activities:
    • 1.3.1 Review the results of your diagnostic programs
    • 1.3.2 Analyze the organizational structure of each service desk
    • 1.3.3 Assess the overall maturity of each service desk
    • 1.3.4 Map out roles and responsibilities of each service desk using organizational charts
    • 1.3.5 Assess and document current information system environment
    This step involves the following participants:
    • CIO
    • IT Directors
    • Service Desk Managers
    • Service Desk Technicians
    Step outcomes
    • A robust current state assessment of each service desk, including overall maturity, processes, organizational structure, agent skills, roles and responsibilities, agent satisfaction, technology and ITSM tools.

    Oxford saved time and effort by sticking with a tested process that works

    CASE STUDY

    Industry: Higher Education

    Source: Oxford University, IT Services

    Oxford ITS instigated the service desk consolidation project in the fall of 2012.

    A new ITSM solution was formally acquired in the spring 2014, and amalgamated workflows designed.

    Throughout this period, at least 3 detailed process analyses occurred in close consultation with the affected IT units.

    Responsibility for understanding each existing process (incident, services, change management, etc.) were assigned to members of the project team.

    They determined which of the existing processes were most effective, and these served as the baseline – saving time and effort in the long run by sticking with tested processes that work.

    Reach out early and often.

    Almost from day one, the Oxford consolidation team made sure to consult closely with each relevant ITS team about their processes and the tools they used to manage their workflows.

    This was done both in structured interviews during the visioning stage and informally at periodic points throughout the project.

    The result was the discovery of many underlying similarities. This information was then instrumental to determining a realistic baseline from which to design the new consolidated service desk.

    "We may give our activities different names or use different tools to manage our work but in all cases common sense has prevailed and it’s perhaps not so surprising that we have common challenges that we choose to tackle in similar ways." – Andrew Goff, Change Management at Oxford ITS

    Review the results of your diagnostic programs to inform your current state assessment

    1.3.1 Understand satisfaction with the service desk

    Participants
    • CIO/IT Director
    • IT Manager
    • Service Manager(s)
    Document
    1. Set up an analyst call through your account manager to review the results of your diagnostic.
    • Whatever survey you choose, ask the analyst to review the data and comments concerning:
      • Assessments of service desk timeliness/effectiveness
      • IT business enablement
      • IT innovation leadership
  • Book a meeting with recommended participants. Go over the results of your diagnostic survey.
  • Facilitate a discussion of the results. Focus on the first few summary slides and the overall department results slide.
    • What is the level of IT support?
    • What are stakeholders’ perceptions of IT performance?
    • How satisfied are stakeholders with IT?
    • Does the department understand and act on business needs?
    • What are the business priorities and how well are you doing in meeting these priorities?
    • How can the consolidation project assist the business in achieving goals?
    • How could the consolidation improve end-user satisfaction and business satisfaction?

    • A robust current state assessment is the foundation of a successful consolidation

    You can’t determine where you’re going without a clear idea of where you are now.

    Before you begin planning for the consolidation, make sure you have a clear picture of the magnitude of what you plan on consolidating.

    Evaluate the current state of each help desk being considered for consolidation. This should include an inventory of:

    • Process:
      • Processes and workflows
      • Metrics and SLAs
    • People:
      • Organizational structure
      • Agent workload and skills
      • Facility layout and design
    • Technology:
      • Technologies and end users supported
      • Technologies and tools used by the service desk

    Info-Tech Insight

    A detailed current state assessment is a necessary first step for a consolidation project, but determining the right level of detail to include in the evaluation can be challenging. Gather enough data to establish a baseline and make an informed decision about how to consolidate, but don’t waste time collecting unnecessary information that will only distract and slow down the project.

    Review ticket handling processes for each service desk to identify best practices

    Use documentation, reports, and metrics to evaluate existing processes followed by each service desk before working toward standardized processes.

    Poor Processes vs. Optimized Processes

    Inconsistent or poor processes affect the business through:

    • Low business satisfaction
    • Low end-user satisfaction
    • High cost to resolve
    • Delayed progress on project work
    • Lack of data for reporting due to ineffective ticket categorization, tools, and logged tickets
    • No root cause analysis leads to a reactive vs. proactive service desk
    • Lack of cross-training and knowledge sharing result in time wasted troubleshooting recurring issues
    • Lack of trend analysis limits the effectiveness of demand planning

    Standardized service desk processes increase user and technician satisfaction and lower costs to support through:

    • Improved business satisfaction Improved end-user satisfaction Incidents prioritized and escalated accurately and efficiently
    • Decreased recurring issues due to root cause analysis and trends
    • Increased self-sufficiency of end users
    • Strengthened team and consistent delivery through cross-training and knowledge sharing
    • Enhanced demand planning through trend analysis and reporting

    The image is a graphic of a pyramid, with categories as follows (from bottom): FAQ/Knowledgebase; Users; Tier 1-75-80%; Tier 2-15%; Tier 3 - 5%. On the right side of the pyramid is written Resolution, with arrows extending from each of the higher sections down to Users. On the left is written Escalation, with arrows from each lower category up to the next highest. Inside the pyramid are arrows extending from the bottom to each level and vice versa.

    Analyze the organizational structure of each service desk

    1.3.2 Discuss the structure of each service desk

    Participants
    • CIO
    • Service Desk Manager(s)
    • Service Desk Technicians
    What You'll Need
    • Consolidate Service Desk Assessment Tool

    1. Facilitate a discussion among recommended participants to discuss the structure of each service desk. Decide which model best describes each service desk:

    • The Gatekeeper Model: All calls are routed through a central call group whose sole responsibility is to link the customer to the right individual or group.
    • The Call Sorting Model: All calls are sorted into categories using technology and forwarded to the right 2nd level specialist group.
    • Tiered Structure (Specialist Model): All calls are sorted through a single specialist group, such as desktop support. Their job is to log the interaction, attempt resolution, and escalate when the problem is beyond their ability to resolve.
    • Tiered Structure (Generalist Model): All calls are sorted through a single generalist group, whose responsibility is to log the interaction, attempt a first resolution, and escalate when the problem is beyond their ability to resolve.

    2. Use a flip chart or whiteboard to draw the architecture of each service desk, using the example on the right as a guide.

    The image is a graphic depicting the organizational structure of a service desk, from Users to Vendor. The graphic shows how a user request can move through tiers of service, and the ways that Tiers 2 and 3 of the service desk are broken down into areas of specialization.

    Assess the current state of each service desk using the Consolidate Service Desk Assessment Tool

    Assess the current state of each service desk

    The Consolidate Service Desk Assessment Tool will provide insight into the overall health of each existing service desk along two vectors:

    1. Process Maturity (calculated on the basis of a comprehensive survey)
    2. Metrics (calculated on the basis of entered ticket and demographic data)

    Together these answers offer a snapshot of the health, efficiency, performance, and perceived value of each service desk under evaluation.

    This tool will assist you through the current state assessment process, which should follow these steps:

    1. Send a copy of this tool to the Service Desk Manager (or other designated party) of each service desk that may be considered as part of the consolidation effort.
      • This will collect key metrics and landscape data and assess process maturity
    2. Analyze the data and discuss as a group
    3. Ask follow-up questions
    4. Use the information to compare the health of each service desk using the scorecard tool

    These activities will be described in more detail throughout this step of the project.

    Gather relevant data to assess the environment of each service desk

    Assess each service desk’s environment using the assessment tool

    Send a copy of the Consolidate Service Desk Assessment Tool to the Service Desk Manager (or other designated party) of each service desk that will be considered as part of the consolidation.

    Instruct them to complete tab 2 of the tool, the Environment Survey:

    • Enter Profile, Demographic, Satisfaction, Technology, and Ticket data into the appropriate fields as accurately as possible. Satisfaction data should be entered as percentages.
    • Notes can be entered next to each field to indicate the source of the data, to note missing or inaccurate data, or to explain odd or otherwise confusing data.

    This assessment will provide an overview of key metrics to assess the performance of each service desk, including:

    • Service desk staffing for each tier
    • Average ticket volume and distribution per month
    • # staff in IT
    • # service desk staff
    • # supported devices (PC, laptops, mobiles, etc.)
    • # desktop images

    Assess the overall maturity of each service desk

    1.3.3 Use the assessment tool to measure the maturity of each service desk

    Participants
    • CIO
    • Service Desk Manager(s)
    • Service Desk Technicians
    What You'll Need
    • Consolidate Service Desk Assessment Tool
    1. Assemble the relevant team for each service desk: process owners, functional managers, service desk manager, and relevant staff and technicians who work with the processes to be assessed. Each service desk team should meet to complete the maturity assessment together as a group.
    2. Go to tab 3 (Service Desk Maturity Survey) of the Consolidate Service Desk Assessment Tool and respond to the questions in the following categories:
    • Prerequisites (general questions)
    • People
    • Process
    • Technology
    • SLAs
  • Rate each element. Be honest. The goal is to end up with as close a representation as possible to what really exists. Only then can you identify realistic improvement opportunities. Use the maturity definitions as guides.

    • Evaluate resource utilization and satisfaction to allocate resources effectively

    Include people as part of your current state assessment to evaluate whether your resources are appropriately allocated to maximize effectiveness and agent satisfaction.

    Skills Inventory

    Use the IT Skills Inventory and Gap Assessment Tool to assess agent skills and identify gaps or overlaps.

    Agent Satisfaction

    Measure employee satisfaction and engagement to identify strong teams.

    Roles and Responsibilities

    Gather a clear picture of each service desk’s organizational hierarchy, roles, and responsibilities.

    Agent Utilization

    Obtain a snapshot of service desk productivity by calculating the average amount of time an agent is handling calls, divided by the average amount of time an agent is at work.

    Conduct a skills inventory for each service desk

    Evaluate agent skills across service desks

    After evaluating processes, evaluate the skill sets of the agents tasked with following these processes to identify gaps or overlap.

    Send the Skills Coverage Tool tab to each Service Desk Manager, who will either send it to the individuals who make up their service desk with instructions to rate themselves, or complete the assessment together with individuals as part of one-on-one meetings for discussing development plans.

    IT Skills Inventory and Gap Assessment Tool will enable you to:

    • List skills required to support the organization.
    • Document and rate the skills of the existing IT staffing contingent.
    • Assess the gaps to help determine hiring or training needs, or even where to pare back.
    • Build a strategy for knowledge sharing, transfer, and training through the consolidation project.

    Map out roles and responsibilities of each service desk using organizational charts

    1.3.4 Obtain or draw organizational charts for each location

    Clearly document service desk roles and responsibilities to rationalize service desk architecture.
    Participants
    • CIO, IT Director
    • Service Desk Manager(s)
    • Tier/Specialist Manager(s)
    What You’ll Need
    • Org. charts
    • Flip chart or whiteboard and markers
    1. Obtain or draw (on a whiteboard or flip chart) the organizational chart for each service desk to get a clear picture of the roles that fulfill each service desk. If there is any uncertainty or disagreement, discuss as a group to come to a resolution.
    2. Discuss the roles and reporting relationships within the service desk and across the organization to establish if/where inefficiencies exist and how these might be addressed through consolidation.
    3. If an up-to-date organizational chart is not in place, use this time to define the organizational structure as-is and consider future state.
    IT Director
    Service Desk Manager
    Tier 1 Help Desk Lead Tier 2 Help Desk Lead Tier 2 Apps Support Lead Tier 3 Specialist Support Lead
    Tier 1 Specialist Name Title Name Title Name Title
    Tier 1 Specialist Name Title Name Title Name Title
    Name Title Name Title Name Title
    Name Title Name Title

    Conduct an agent satisfaction survey to compare employee engagement across locations

    Evaluate agent satisfaction

    End-user satisfaction isn’t the only important satisfaction metric.

    Agent satisfaction forms a key metric within the Consolidate Service Desk Assessment Tool, and it can be evaluated in a variety of ways. Choose the approach that best suits your organization and time restraints for the project.

    Determine agent satisfaction on the basis of a robust (and anonymous) survey of service desk agents. Like the end-user satisfaction score, this measure is ideally computed as a percentage.

    There are several ways to measure agent satisfaction:

    1. If your organization runs an employee engagement survey, use the most recent survey results, separating them by location and converting them to a percentage.
    2. If your organization does not currently measure employee engagement or satisfaction, consider one of Info-Tech and McLean & Company’s two engagement diagnostics:
      • Full Engagement Diagnostic – 81 questions that provide a comprehensive view into your organization's engagement levels
      • McLean & Company’s Pulse Survey – 15 questions designed to give a high-level view of employee engagement
    3. For smaller organizations, a survey may not be feasible or make sense. In this case, consider gathering informal engagement data through one-on-one meetings.
    4. Be sure to discuss and document any reasons for dissatisfaction, including pain points with the current tools or processes.
    Document
    • Document on tab 2 of the Consolidate Service Desk Assessment Tool

    Assess the service management tools supporting your service desks

    Identify the different tools being used to support each service desk in order to assess whether and how they can be consolidated into one service management tool.

    Ideally, your service desks are already on the same ITSM platform, but if not, a comprehensive assessment of current tools is the first step toward a single, consolidated solution.

    Include the following in your tools assessment:

    • All automated ITSM solutions being used to log and track incidents and service requests
    • Any manual or other methods of tracking tickets (e.g. Excel spreadsheets)
    • Configurations and any customizations that have been made to the tools
    • How configuration items are maintained and how mature the configuration management databases (CMDB) are
    • Pricing and licensing agreements for tools
    • Any unique functions or limitations of the tools

    Info-Tech Insight

    Document not only the service management tools that are used but also any of their unique and necessary functions and configurations that users may have come to rely upon, such as remote support, self-serve, or chat support, in order to inform requirements in the next phase.

    Assess the IT environment your service desks support

    Even if you don’t do any formal asset management, take this opportunity for discovery and inventory to gain a complete understanding of your IT environment and the range of devices your service desks support.

    Inventory your IT environment, including:

    User Devices

    • Device counts by category Equipment/resources by user

    Servers

    • Server hardware, CPU, memory
    • Applications residing on servers

    Data centers

    • Including location and setup

    In addition to identifying the range of devices you currently support, assess:

    • Any future devices, hardware, or software that the service desk will need to support (e.g. BYOD, mobile)
    • How well each service desk is currently able to support these devices
    • Any unique or location-specific technology or devices that could limit a consolidation

    Info-Tech Insight

    The capabilities and configuration of your existing infrastructure and applications could limit your consolidation plans. A comprehensive technology assessment of not only the service desk tools but also the range of devices and applications your service desks supports will help you to prepare for any potential limitations or obstacles a consolidated service desk may present.

    Assess and document current information system environment

    1.3.5 Identify specific technology and tool requirements

    Participants
    • CIO
    • Service Desk Manager(s)
    • Service Desk Technicians
    What You'll Need
    • Consolidate Service Desk Assessment Tool, tab 2.
    Document

    Document information on number of devices supported and number of desktop images associated with each service desk in the section on “Technology Data” of the Consolidate Service Desk Assessment Tool.

    1. Identify and document the service management tools that are used by each service desk.
    2. For each tool, identify and document any of the following that apply:
    • Integrations
    • Configurations that were made during implementation
    • Customizations that were made during implementation
    • Version, licenses, cost
  • For each service desk, document any location-specific or unique technology requirements or differences that could impact consolidation, including:
    • Devices and technology supported
    • Databases and configuration items
    • Differing applications or hardware needs

    • If you want additional support, have our analysts guide you through this phase as part of an Info-Tech workshop

    Book a workshop with our Info-Tech analysts:

    • To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
    • Info-Tech analysts will join you and your team onsite at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.
    • Contact your account manager (www.infotech.com/account), or email Workshops@InfoTech.com for more information.

    The following are sample activities that will be conducted by Info-Tech analysts with your team:

    1.1.1 Assign roles and responsibilities

    Use a RACI chart to assign overarching responsibilities for the consolidation project.

    1.3.2 Analyze the organizational structure of each service desk

    Map out the organizational structure and flow of each service desk and discuss the model that best describes each.

    Phase 2

    Design the Consolidated Service Desk

    Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

    Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

    Guided Implementation 2: Design consolidated service desk

    Proposed Time to Completion (in weeks): 2-4

    Step 2.1: Model target consolidated service desk

    Start with an analyst kick-off call:

    • Define the target state of the consolidated service desk in detail
    • Identify requirements for the consolidation, broken down by people, process, technology and by short- vs. long-term needs

    Then complete these activities…

    • Set project metrics to measure success of the consolidation
    • Brainstorm people, process, technology requirements for the service desk
    • Build requirements documents and RFP for a new tool
    • Review results of the scorecard comparison tool

    With these tools & templates:

    Consolidate Service Desk Scorecard Tool

    Step 2.2: Assess logistics and cost of consolidation

    Review findings with analyst:

    • Plan the logistics of the consolidation for process, technology, and facilities
    • Evaluate the cost and cost savings of consolidation using a TCO tool

    Then complete these activities…

    • Plan logistics for process, technology, facilities, and resource allocation
    • Review the results of the Service Desk Efficiency Calculator to refine the business case for the consolidation project

    With these tools & templates:

    Service Desk Efficiency Calculator

    Service Desk Consolidation TCO Comparison Tool

    Phase 2 Results:

    • Detailed requirements and vision for the consolidated service desk, gap analysis of current vs. target state, and an initial analysis of the logistical considerations to achieve target.

    Step 2.1: Model target consolidated state

    Phase 2

    Design consolidation

    2.1 Design target consolidated service desk

    2.2 Assess logistics and cost of consolidation

    This step will walk you through the following activities:
    • 2.1.1 Determine metrics to measure the value of the project
    • 2.1.2 Set targets for each metric to measure progress and success of the consolidation
    • 2.1.3 Brainstorm process requirements for consolidated service desk
    • 2.1.4 Brainstorm people requirements for consolidated service desk
    • 2.1.5 Brainstorm technology requirements for consolidated service desk
    • 2.1.6 Build a requirements document for the service desk tool
    • 2.1.7 Evaluate alternative tools, build a shortlist for RFPs, and arrange web demonstrations or evaluation copies
    • 2.1.8 Set targets for key metrics to identify high performing service desks
    • 2.1.9 Review the results of the scorecard to identify best practices
    This step involves the following participants:
    • CIO
    • IT Director
    • Service Desk Managers
    • Service Desk Technicians
    Step Outcomes
    • A list of people, process, and technology requirements for the new consolidated service desk
    • A clear vision of the target state
    • An analysis of the gaps between existing and target service desks

    Ensure the right people and methods are in place to anticipate implementation hurdles

    CASE STUDY

    Industry: Higher Education

    Source: Oxford University, IT Services

    "Since our last update, a review and re-planning exercise has reassessed the project approach, milestones, and time scales. This has highlighted some significant hurdles to transition which needed to be addressed, resulting primarily from the size of the project and the importance to the department of a smooth and well-planned transition to the new processes and toolset." – John Ireland, Director of Customer Service & Project Sponsor

    Initial hurdles led to a partial reorganization of the project in Fall 2014

    Despite careful planning and its ultimate success, Oxford’s consolidation effort still encountered some significant hurdles along the way – deadlines were sometimes missed and important processes overlooked.

    These bumps can be mitigated by building flexibility into your plan:

    • Adopt an Agile methodology – review and revise groups of tasks as the project progresses, rather than waiting until near the end of the project to get approval for the complete implementation.
    • Your Tiger Team or Project Steering Group must include the right people – the project team should not just include senior or high-level management; members of each affected IT group should be consulted, and junior-level employees can provide valuable insight into existing and potential processes and workflows.

    Info-Tech Insight

    Ensure that the project lead is someone conversant in ITSM, so that they are equipped to understand and react to the unique challenges and expectations of a consolidation and can easily communicate with process owners.

    Use the consolidation vision to define the target service desk in more detail

    Use your baseline assessment and your consolidation vision as a guide to figure out exactly where you’re going before planning how to get there.

    With approval for the project established and a clear idea of the current state of each service desk, narrow down the vision for the consolidated service desk into a specific picture of the target state.

    The target state should provide answers to the following types of questions:

    Process:

    • Will there be one set of SLAs across the organization?
    • What are the target SLAs?
    • How will ticket categories be defined?
    • How will users submit and track their tickets?
    • How will tickets be prioritized and escalated?
    • Will a knowledgebase be maintained and accessible by both service desk and end users?

    People:

    • How will staff be reorganized?
    • What will the roles and responsibilities look like?
    • How will tiers be structured?
    • What will the career path look like within the service desk?

    Technology:

    • Will there be one single ITSM tool to support the service desk?
    • Will an existing tool be used or will a new tool be selected?
    • If a new tool is needed, what are the requirements?

    Info-Tech Insight

    Select the target state that is right for your organization. Don’t feel pressured to select the highest target state or a complete consolidation. Instead select the target state that is most compatible with your organization’s current needs and capabilities.

    Determine metrics to measure the value of the project

    2.1.1 Identify KPIs to measure the success of the consolidation

    Participants
    • CIO
    • Service Desk Manager(s)
    • Service Desk Technicians
    What You’ll Need
    • Whiteboard or flip chart and markers

    Identify three primary categories where the consolidation project is expected to yield benefits to the business. Use the example on the right to guide your discussion.

    Efficiency and effectiveness are standard benefits for this project, but the third category may depend on your organization.

    • Examples include: improved resourcing, security, asset management, strategic alignment, end-user experience, employee experience

    Identify 1-3 key performance indicators (KPIs) associated with each benefit category, which will be used to measure the success of the consolidation project. Ensure that each has a baseline measure that can be reassessed after the consolidation.

    Efficiency

    Streamlined processes to reduce duplication of efforts

    • Reduced IT spend and cost of delivery
    • One ITSM tool Improved reliability of service
    • Improved response time

    Resourcing

    Improved allocation of human and financial resources

    • Improved resource sharing
    • Improved organizational structure of service desk

    Effectiveness

    Service delivery will be more accessible and standardized

    • Improved responsive-ness to incidents and service requests
    • Improved resolution time
    • Single point of contact for end users
    • Improved reporting

    Set targets for each metric to measure progress and success of the consolidation

    2.1.2 Identify specific metrics for each KPI and targets for each

    Participants
    • IT Director
    • Service Desk Manager(s)
    • Service Desk Technicians
    What You’ll Need
    • KPIs from previous step
    • Whiteboard or flip chart and markers
    1. Select one core KPI for each critical success factor, which will be used to measure progress and success of the consolidation effort down the road.
    2. For each KPI, document the average baseline metric the organization is achieving (averaged across all service desks).
    3. Discuss and document a target metric that the project will aim to reach through the single consolidated service desk.
    4. Set a short and long-term target for each metric to encourage continuous improvement. Examples:
    Efficiency
    Business Value KPI Current Metric Short-Term (6 month) Target Long-Term (1 year) Target
    Streamlined processes to reduce duplication of efforts Improved response time 2 hours 1 hour 30 minutes
    Effectiveness
    Business Value KPI Current Metric Short-Term (6 month) Target Long-Term (1 year) Target
    Service delivery will be more accessible and standardized Improved first call resolution (% resolved at Tier 1) 50% 60% 70%

    If poor processes were in place, take the opportunity to start fresh with the consolidation

    If each service desk’s existing processes were subpar, it may be easier to build a new service desk from the basics rather than trying to adapt existing processes.

    You should have these service management essentials in place:

    Service Requests:

    • Standardize process to verify, approve, and fulfill service requests.
    • Assign priority according to business criticality and service agreements.
    • Think about ways to manage service requests to better serve the business long term.

    Incident Management:

    • Set standards to define and record incidents.
    • Define incident response actions and communications.

    Knowledgebase:

    • Define standards for knowledgebase.
    • Introduce creation of knowledgebase articles.
    • Create a knowledge-sharing and cross-training culture.

    Reporting:

    • Select appropriate metrics.
    • Generate relevant insights that shed light on the value that IT creates for the organization.

    The image is a circle comprised of 3 concentric circles. At the centre is a circle labelled Standardized Service Desk. The ring outside of it is split into 4 sections: Incident Management; Service Requests; Structure and Reporting; and Knowledgebase. The outer circle is split into 3 sections: People, Process, Technologies.

    Evaluate how your processes compare with the best practices defined here. If you need further guidance on how to standardize these processes after planning the consolidation, follow Info-Tech’s blueprint, Standardize the Service Desk.

    Even optimized processes will need to be redefined for the target consolidated state

    Your target state doesn’t have to be perfect. Model a short-term, achievable target state that can demonstrate immediate value.

    Consider the following elements when designing service desk processes:
    • Ticket input (i.e. how can tickets be submitted?)
    • Ticket classification (i.e. how will tickets be categorized?)
    • Ticket prioritization (i.e. how will critical incidents be defined?)
    • Ticket escalation (i.e. how and at what point will tickets be assigned to a more specialized resource?)
    • Ticket resolution (i.e. how will resolution be defined and how will users be notified?)
    • Communication with end users (i.e. how and how often will users be notified about the status of their ticket or of other incidents and outages?)

    Consider the following unique process considerations for consolidation:

    • How will knowledge sharing be enabled in order for all technicians to quickly access known errors and resolve problems?
    • How can first contact resolution levels be maintained through the transition?
    • How will procedures be clearly documented so that tickets are escalated properly?
    • Will ticket classification and prioritization schemes need to change?
    • Will new services such as self-serve be introduced to end users and how will this be communicated?

    Info-Tech Insight

    Don’t do it all at once. Consolidation will lead to some level of standardization. It will be reinforced and improved later through ongoing reengineering and process improvement efforts (continual improvement management).

    Brainstorm process requirements for consolidated service desk

    2.1.3 Identify process-related requirements for short and long term

    Participants
    • CIO
    • Service Desk Manager(s)
    • Service Desk Technicians
    What You'll Need
    • Whiteboard, sticky notes, markers
    • Vision and goals for the consolidation from step 1.2
    Document
    • Document internally, or leave on a whiteboard for workshop participants to return to when documenting tasks in the roadmap tool.
    1. Review the questions in the previous section to frame a discussion on process considerations and best practices for the target consolidated service desk.
    2. Use your responses to the questions to brainstorm a list of process requirements or desired characteristics for the target state, particularly around incident management and service request management.
    3. Write each requirement onto a sticky note and categorize it as one of the following:
      1. Immediate requirement for consolidated service desk
      2. Implement within 6 months
      3. Implement within 1 year

    Example:

    Whiteboard:

    • Immediate
      • Clearly defined ticket prioritization scheme
      • Critical incident process workflow
    • 6 months
      • Clearly defined SOP, policies, and procedures
      • Transactional end-user satisfaction surveys
    • 1 year
      • Change mgmt.
      • Problem mgmt.

    Define the target resource distribution and utilization for the consolidated service desk

    Consolidation can sound scary to staff wondering if there will be layoffs. Reduce that by repurposing local staff and maximizing resource utilization in your organizational design.

    Consider the following people-related elements when designing your target state:

    • How will roles and responsibilities be defined for service desk staff?
    • How many agents will be required to deal with ticket demand?
    • What is the target agent utilization rate?
    • How will staff be distributed among tiers?
    • What will responsibilities be at each tier?
    • Will performance goals and rewards be established or standardized?

    Consider the following unique people considerations for consolidation:

    • Will staffing levels change?
    • Will job titles or roles change for certain individuals?
    • How will staff be reorganized?
    • Will staff need to be relocated to one location?
    • Will reporting relationships change?
    • How will this be managed?
    • How will performance measurements be consolidated across teams and departments to focus on the business goals?
    • Will there be a change to career paths?
    • What will consolidation do to morale, job interest, job opportunities?

    Info-Tech Insight

    Identify SMEs and individuals who are knowledgeable about a particular location, end-user base, technology, or service offering. They may be able to take on a different, greater role due to the reorganization that would make better use of their skills and capabilities and improve morale.

    Brainstorm people requirements for consolidated service desk

    2.1.4 Identify people-related requirements for short and long term

    Participants
    • CIO
    • Service Desk Manager(s)
    • Service Desk Technicians
    What You'll Need
    • Whiteboard, sticky notes, markers
    • Vision and goals for the consolidation from step 1.2
    Document

    Document internally, or leave on a whiteboard for workshop participants to return to when documenting tasks in the roadmap tool.

    1. Review the questions in the previous section to frame a discussion on people considerations and best practices for the target consolidated service desk.
    2. Use your responses to the questions to brainstorm a list of requirements for the allocation and distribution of resources, including roles, responsibilities, and organizational structure.
    3. When thinking about people, consider requirements for both your staff and your end users.
    4. Write each requirement onto a sticky note and categorize it as one of the following:
      1. Immediate requirement for consolidated service desk
      2. Implement within 6 months
      3. Implement within 1 year

    Example:

    Whiteboard:

    • Immediate
      • Three tier structure with SMEs at Tier 2 and 3
      • All staff working together in one visible location
    • 6 months
      • Roles and responsibilities well defined and documented
      • Appropriate training and certifications available to staff
    • 1 year
      • Agent satisfaction above 80%
      • End-user satisfaction above 75%

    Identify the tools that will support the service desk and those the service desk will support

    One of the biggest technology-related decisions you need to make is whether you need a new ITSM tool. Consider how it will be used by a single service desk to support the entire organization.

    Consider the following technology elements when designing your target state:
    • What tool will be used to support the service desk?
    • What processes or ITIL modules can the tool support?
    • How will reports be produced? What types of reports will be needed for particular audiences?
    • Will a self-service tool be in place for end users to allow for password resets or searches for solutions?
    • Will the tool integrate with tools for change, configuration, problem, and asset management?
    • Will the majority of manual processes be automated?
    Consider the following unique technology considerations for consolidation:
    • Is an existing service management tool extensible?
    • If so, can it integrate with essential non-IT systems?
    • Can the tool support a wider user base?
    • Can the tool support all areas, departments, and technologies it will need to after consolidation?
    • How will data from existing tools be migrated to the new tool?
    • What implementation or configuration needs and costs must be considered?
    • What training will be required for the tool?
    • What other new tools and technologies will be required to support the consolidated service desk?

    Info-Tech Insight

    Talk to staff at each service desk to ask about their tool needs and requirements to support their work. Invite them to demonstrate how they use their tools to learn about customization, configuration, and functionality in place and to help inform requirements. Engaging staff in the process will ensure that the new consolidated tool will be supported and adopted by staff.

    Brainstorm technology requirements for consolidated service desk

    2.1.5 Identify technology-related requirements for short and long term

    Participants
    • CIO
    • Service Desk Manager(s)
    • Service Desk Technicians
    What You’ll Need
    • Whiteboard, sticky notes, markers
    • Vision and goals for the consolidation from step 1.2
    Document

    Document internally, or leave on a whiteboard for workshop participants to return to when documenting tasks in the roadmap tool.

    1. Review the questions in the previous section to frame a discussion on technology considerations and best practices for the target consolidated service desk.
    2. Use your responses to the questions to brainstorm a list of requirements for the tools to support the consolidated service desk, along with any other technology requirements for the target state.
    3. Write each requirement onto a sticky note and categorize it as one of the following:
      1. Immediate requirement for consolidated service desk
      2. Implement within 6 months
      3. Implement within 1 year

    Example:

    Whiteboard:

    • Immediate
      • Single ITSM tool
      • Remote desktop support
    • 6 months
      • Self-service portal
      • Regular reports are produced accurately
    • 1 year
      • Mobile portal
      • Chat integration

    Identify specific requirements for a tool if you will be selecting a new ITSM solution

    Service desk software needs to address both business and technological needs. Assess these needs to identify core capabilities required from the solution.

    Features Description
    Modules
    • Do workflows integrate seamlessly between functions such as incident management, change management, asset management, desktop and network management?

    Self-Serve

    • Does the existing tool support self-serve in the form of web forms for incident reporting, forms for service requests, as well as FAQs for self-solve?
    • Is a service catalog available or can one be integrated painlessly?
    Enterprise Service Management Needs
    • Integration of solution to all of IT, Human Resources, Finance, and Facilities for workflows and financial data can yield great benefits but comes at a higher cost and greater complexity. Weigh the costs and benefits.
    Workflow Automation
    • If IT has advanced beyond simple workflows, or if extending these workflows beyond the department, more power may be necessary.
    • Full business process management (BPM) is part of a number of more advanced service desk/service management solutions.
    License Maintenance Costs
    • Are license and maintenance costs still reasonable and appropriate for the value of the tool?
    • Will the vendor renegotiate?
    • Are there better tools out there for the same or better price?
    Configuration Costs
    • Templates, forms, workflows, and reports all take time and skills but bring big benefits. Can these changes be done in-house? How much does it cost to maintain and improve?
    Speed / Performance
    • Data growth and volume may have reached levels beyond the current solution’s ability to cope, despite database tuning.
    Vendor Support
    • Is the vendor still supporting the solution and developing the roadmap? Has it been acquired? Is the level of support still meeting your needs?

    Build a requirements document for the service desk tool

    2.1.6 Create a requirements list and demo script for an ITSM tool (optional)

    Participants
    • CIO/IT Director
    • Service Desk Manager(s)
    • Service Desk Technicians
    What You'll Need
    • Flip charts and markers
    • Templates:
      • IT Service Management Demo Script Template
      • Service Desk Software and RFP Evaluation Tool

    Create a requirements list for the service desk tool.

    1. Break the group into smaller functional groups.
    2. Brainstorm features that would be important to improving efficiencies, services to users, and visibility to data.
    3. Document on flip chart paper, labelling each page with the functional group name.
    4. Prioritize into must-have and nice-to-have items.
    5. Reconvene and discuss each list with the group.
    6. Info-Tech’s Service Desk Software and RFP Evaluation Tool can also be used to document requirements for an RFI.

    Create a demo script:

    Using information from the requirements list, determine which features will be important for the team to see during a demo. Focus on areas where usability is a concern, for example:

    • End-user experience
    • Workflow creation and modification
    • Creating templates
    • Creating service catalog items
    • Knowledgebase

    Evaluate alternative tools, build a shortlist for RFPs, and arrange web demonstrations or evaluation copies

    2.1.7 Identify an alternative tool and build an RFP (optional)

    Participants
    • CIO (optional)
    • Service Desk Manager
    • Service Desk Technician(s)
    • Service Desk Tool Administrator
    What You'll Need
    • Whiteboard or flip chart and markers
    • Service Desk RFP Template

    Evaluate current tool:

    • Investigate to determine if these features are present and just not in use.
    • Contact the vendor if necessary.
    • If enough features are present, determine if additional training is required.
    • If tool is proven to be inadequate, investigate options.

    Consider alternatives:

    Use Info-Tech’s blueprints for further guidance on selecting and implementing an ITSM tool

    1. Select a tool

    Info-Tech regularly evaluates ITSM solution providers and ranks each in terms of functionality and affordability. The results are published in the Enterprise and Mid-Market Service Desk Software Vendor Landscapes.

    2. Implement the tool

    After selecting a solution, follow the Build an ITSM Tool Implementation Plan project to develop an implementation plan to ensure the tool is appropriately designed, installed, and tested and that technicians are sufficiently trained to ensure successful deployment and adoption of the tool.

    Compare your existing service desks with the Consolidate Service Desk Scorecard Tool

    Complete the scorecard tool along with the activities of the next step

    The Consolidate Service Desk Scorecard Tool will allow you to compare metrics and maturity results across your service desks to identify weak and poor performers and processes.

    The purpose of this tool is to organize the data from up to six service desks that are part of a service desk consolidation initiative. Displaying this data in an organized fashion, while offering a robust comparative analysis, should facilitate the process of establishing a new baseline for the consolidated service desk.

    Use the results on tab 4 of the Consolidate Service Desk Assessment Tool. Enter the data from each service desk into tab “2. InfoCards” of the Consolidate Service Desk Scorecard Tool.

    Data from up to six service desks (up to six copies of the assessment tool) can be entered into this tool for comparison.

    Set targets for key metrics to identify high performing service desks

    2.1.8 Use the scorecard tool to set target metrics against which to compare service desks

    Participants
    • CIO or IT Director
    • Service Desk Manager(s)
    What You’ll Need
    • Consolidate Service Desk Scorecard Tool
    1. Review the explanations of the six core metrics identified from the service desk assessment tool. These are detailed on tab 3 of the Consolidate Service Desk Scorecard Tool.
      1. End-user satisfaction
      2. Agent satisfaction
      3. Cost per ticket
      4. Agent utilization rate
      5. First contact resolution rate
      6. First tier resolution rate
    2. For each metric (except agent utilization), define a “worst” and “best” target number. These numbers should be realistic and determined only after some consideration.
    • Service desks scoring at or above the “best” threshold for a particular metric will receive 100% on that metric; while service desks scoring at or below the “worst” threshold for a particular metric will receive 0% on that metric.
    • For agent utilization, only a “best” target number is entered. Service desks hitting this target number exactly will receive 100%, with scores decreasing as a service desk’s agent utilization gets further away from this target.
  • Identify the importance of each metric and vary the values in the “weighting” column accordingly.

    • The values entered on this tab will be used in calculating the overall metric score for each service desk, allowing you to compare the performance of existing service desks against each other and against your target state.

    Review the results of the scorecard to identify best practices

    2.1.9 Discuss the results of the scorecard tool

    Participants
    • CIO or IT Director (optional)
    • Service Desk Manager(s)
    What You'll Need
    • Consolidate Service Desk Scorecard Tool
    1. Facilitate a discussion on the results of the scorecard tool on tabs 4 (Overall Results), 5 (Maturity Results), and 6 (Metrics Results).
    2. Identify the top performing service desks(s) (SD Champions) as identified by the average of their metric and maturity scores.
    3. Identify the top performing service desk by maturity level (tab 5; Level 3 – Integrated or Optimized), paying particular attention to high scorers on process maturity and maturity in incident & service request management.
    4. Identify the top performing service desk by metric score (tab 6), paying particular attention to the metrics that tie into your KPIs.
    5. For those service desks, review their processes and identify what they are doing well to glean best practices.
      1. Incorporate best practices from existing high performing service desks into your target state.
      2. If one service desk is already performing well in all areas, you may choose to model your consolidated service desk after it.

    Document processes and procedures in an SOP

    Define the standard operating procedures for the consolidated service desk

    Develop one set of standard operating procedures to ensure consistent service delivery across locations.

    One set of standard operating procedures for the new service desk is essential for a successful consolidation.

    Info-Tech’s Consolidated Service Desk SOP Template provides a detailed example of documenting procedures for service delivery, roles and responsibilities, escalation and prioritization rules, workflows for incidents and service requests, and resolution targets to help ensure consistent service expectations across locations.

    Use this template as a guide to develop or refine your SOP and define the processes for the consolidated service desk.

    Step 2.2: Assess logistics and cost of consolidation

    Phase 2

    Design consolidation

    2.1 Design target consolidated state

    2.2 Assess logistics and cost

    This step will walk you through the following activities:
    • 2.2.1 Plan logistics for process, technology, and facilities
    • 2.2.2 Plan logistics around resource allocation
    • 2.2.3 Review the results of the Service Desk Efficiency Calculator to refine the business case for the consolidation project
    This step involves the following participants:
    • CIO or IT Director
    • Project Manager
    • Service Desk Manager(s)
    Step outcomes
    • An understanding and list of tasks to accomplish to ensure all logistical considerations for the consolidation are accounted for
    • An analysis of the impact on staffing and service levels using the Service Desk Efficiency Calculator
    • An assessment of the cost of consolidation and the cost savings of a consolidated service desk using a TCO tool

    The United States Coast Guard’s consolidation saved $20 million in infrastructure and support costs

    CASE STUDY

    Industry: US Coast Guard

    Source: CIO Rear Adm. Robert E. Day, Jr. (retired)

    Challenges

    The US Coast Guard was providing internal IT support for 42,000 members on active duty from 11 distinct regional IT service centers around the US.

    Pain Points

    1. Maintaining 11 disparate IT architectures was costly and time consuming.
    2. Staffing inefficiencies limited the USCG’s global IT service operations to providing IT support from 8am to 4pm.
    3. Individual sites were unable to offload peak volume during heavier call loads to other facilities.
    4. Enforcing adherence to standard delivery processes, procedures, and methods was nearly impossible.
    5. Personnel didn’t have a single point of contact for IT support.
    6. Leadership has limited access to consolidated analytics.

    Outcomes

    • Significant reduction in infrastructure, maintenance, and support costs.
    • Reduced risk through comprehensive disaster recovery.
    • Streamlined processes and procedures improved speed of incident resolution.
    • Increased staffing efficiencies.
    • Deeper analytical insight into service desk performance.

    Admiral Day was the CIO from 2009 to 2014. In 2011, he lead an initiative to consolidate USCG service desks.

    Selecting a new location communicated the national mandate of the consolidated service desk

    Site Selection - Decision Procedures

    • Determine location criteria, including:
      • Access to airports, trains, and highways
      • Workforce availability and education
      • Cost of land, real estate, taxes
      • Building availability Financial incentives
    • Review space requirements (i.e. amount and type of space).
    • Identify potential locations and analyze with defined criteria.
    • Develop cost models for various alternatives.
    • Narrow selection to 2-3 sites. Analyze for fit and costs.
    • Conduct site visits to evaluate each option.
    • Make a choice and arrange for securing the site.
    • Remember to compare the cost to retrofit existing space with the cost of creating a space for the consolidated service desk.

    Key Decision

    Relocating to a new location involved potentially higher implementation costs, which was a significant disadvantage.

    Ultimately, the relocation reinforced the national mandate of the consolidated service desk. The new organization would act as a single point of contact for the support of all 42,000 members of the US Coast Guard.

    "Before our regional desks tended to take on different flavors and processes. Today, users get the same experience whether they’re in Alaska or Maryland by calling one number: (855) CG-FIX IT." – Rear Adm. Robert E. Day, Jr. (retired)

    Plan the logistics of the consolidation to inform the project roadmap and cost assessment

    Before proceeding, validate that the target state is achievable by evaluating the logistics of the consolidation itself.

    A detailed project roadmap will help break down the project into manageable tasks to reach the target state, but there is no value to this if the target state is not achievable or realistic.

    Don’t forget to assess the logistics of the consolidation that can be overlooked during the planning phase:

    • Service desk size
    • Location of the service desk
    • Proximity to company management and facilities
    • Unique applications, platforms, or configurations in each location/region
    • Distribution of end-user population and varying end-user needs
    • Load balancing
    • Call routing across locations
    • Special ergonomic or accessibility requirements by location
    • Language requirements

    Info-Tech Insight

    Language barriers can form significant hurdles or even roadblocks for the consolidation project. Don’t overlook the importance of unique language requirements and ensure the consolidated service desk will be able to support end-user needs.

    Plan logistics for process, technology, and facilities

    2.2.1 Assess logistical and cost considerations around processes, technology, and facilities

    Participants
    • CIO or IT Director
    • Project Manager
    • Service Desk Manager(s)
    What You'll Need
    • Whiteboard or flip chart and markers
    • Consolidate roadmap
    Document

    Identify tasks that should form part of the roadmap and document in the roadmap tool.

    Identify costs that should be included in the TCO assessment and document in the TCO tool.

    Discuss and identify any logistic and cost considerations that will need to form part of the consolidation plan and roadmap. Examples are highlighted below.

    Logistic considerations

    • Impact of ticket intake process changes on end users
    • Process change impact on SLAs and productivity standards
    • Call routing changes and improvements
    • Workstations and workspace – is there enough and what will it look like for each agent?
    • Physical access to the service desk – will walk-ups be permitted? Is it accessible?
    • Security or authorization requirements for specific agents that may be impacted by relocation
    • Layout and design of new location, if applicable
    • Hardware, platform, network, and server implications
    • Licensing and contract limitations of the service desk tool

    Cost considerations

    • Cost savings from ITSM tool consolidation
    • Cost of new ITSM tool purchase, if applicable
    • Efficiencies gained from process simplification
    • New hardware or software purchases
    • Cost per square foot of new physical location, if applicable

    Develop a staffing plan that leverages the strengths you currently have and supplement where your needs require

    Your staff are your greatest assets; be sensitive to their concerns as you plan the consolidation.

    Keep in mind that if your target state involves reorganization of resources and the creation of resources, there will be additional staffing tasks that should form part of the consolidation plan. These include:

    • Develop job descriptions and reporting relationships
    • Evaluate current competencies Identify training and hiring needs
    • Develop migration strategy (including severance and migration packages)

    If new positions will be created, follow these steps to mitigate risks:

    1. Conduct skills assessments (a skills inventory should have been completed in phase 1)
    2. Re-interview existing staff for open positions before considering hiring outside staff
    3. Hire staff from outside if necessary

    For more guidance on hiring help desk staff, see Info-Tech’s blueprint, Manage Help Desk Staffing.

    Be sensitive to employee concerns.

    Develop guiding principles for the consolidation to ensure that employee satisfaction remains a priority throughout the consolidation.

    Examples include:

    1. Reconcile existing silos and avoid creating new silos
    2. Keep current systems where it makes sense to avoid staff having to learn multiple new systems to do their jobs and to reduce costs
    3. Repurpose staff and allocate according to their knowledge and expertise as much as possible
    4. Remain open and transparent about all changes and communicate change regularly

    Info-Tech Insight

    The most talented employees can be lost in the migration to a consolidated service desk, resulting in organizational loss of core knowledge. Mitigate this risk using measurement strategies, competency modeling, and knowledge sharing to reduce ambiguity and discomfort of affected employees.

    Plan logistics around resource allocation

    2.2.2 Assess logistical and cost considerations around people

    Participants
    • CIO or IT Director
    • Project Manager
    • Service Desk Manager(s)
    What You’ll Need
    • Whiteboard or flip chart and markers
    • Consolidate roadmap
    Document

    Identify tasks that should form part of the roadmap and document in the roadmap tool.

    Identify costs that should be included in the TCO assessment and document in the TCO tool.

    Discuss and identify any logistic and cost considerations surrounding resources and staffing that will need to form part of the consolidation plan and roadmap. Examples are highlighted below.

    Logistic considerations

    • Specialized training requirements for staff moving to new roles
    • Enablement of knowledge sharing across agents
    • Potential attrition of staff who do not wish to relocate or be reallocated
    • Relocation of staff – will staff have to move and will there be incentives for moving?
    • Skills requirements, recruitment needs, job descriptions, and postings for hiring

    Cost considerations

    • Existing and future salaries for employees
    • Potential attrition of employees
    • Retention costs and salary increases to keep employees
    • Hiring costs
    • Training needs and costs

    Assess impact on staffing with the Service Desk Efficiency Calculator

    How do organizations calculate the staffing implications of a service desk consolidation?

    The Service Desk Efficiency Calculator uses the ITIL Gross Staffing Model to think through the impact of consolidating service desk processes.

    To estimate the impact of the consolidation on staffing levels, estimate what will happen to three variables:

    • Ticket volume
    • Average call resolution
    • Spare capacity

    All things being equal, a reduction in ticket volume (through outsourcing or the implementation of self-serve options, for example), will reduce your staffing requirements (all things being equal). The same goes for a reduction in the average call resolution rate.

    Constraints:

    Spare capacity: Many organizations are motivated to consolidate service desks by potential reductions in staffing costs. However, this is only true if your service desk agents have spare capacity to take on the consolidated ticket volume. If they don’t, you will still need the same number of agents to do the work at the consolidated service desk.

    Agent capabilities: If your agents have specialised skills that you need to maintain the same level of service, you won’t be able to reduce staffing until agents are cross-trained.

    Review the results of the Service Desk Efficiency Calculator to refine the business case for the consolidation project

    2.2.3 Discuss the results of the efficiency calculator in the context of consolidation

    Participants
    • CIO or IT Director
    • Service Desk Manager(s)
    What You’ll Need
    • Completed Service Desk Efficiency Calculator

    The third tab of the Service Desk Efficiency Calculator will quantify:

    • Service Desk Staffing: The impact of different ticket distribution on service desk staffing levels.
    • Service Desk Ticket Resolution Cost: The impact of different ticket distributions on ticket resolution costs.
    • Service Management Efficiency: The business impact of service management initiatives, specifically, the time lost or captured in service management processes relative to an average full-time employee equivalent.

    Facilitate a discussion around the results.

    Evaluate where you are now and where you hope to be. Focus on the efficiency gains expected from the outsourcing project. Review the expected gains in average resolution time, the expected impact on service desk ticket volume, and the associated productivity gains.

    Use this information to refine the business case and project plan for the consolidation, if needed.

    Assess consolidation costs and cost savings to refine the business case

    While cost savings should not be the primary driver of consolidation, they should be a key outcome of the project in order to deliver value.

    Typical cost savings for a service desk consolidation are highlighted below:

    People 10-20% savings (through resource pooling and reallocation)

    Process 5-10% savings (through process simplification and efficiencies gained)

    Technology 10-15% savings (through improved call routing and ITSM tool consolidation)

    Facilities 5-10% savings (through site selection and redesign)

    Cost savings should be balanced against the costs of the consolidation itself (including hiring for consolidation project managers or consultants, moving expenses, legal fees, etc.)

    Evaluate consolidation costs using the TCO Comparison Tool described in the next section.

    Analyze resourcing and budgeting to create a realistic TCO and evaluate the benefits of consolidation

    Use the TCO tool to assess the cost and cost savings of consolidation

    • The tool compares the cost of operating two service desks vs. one consolidated service desk, along with the cost of consolidation.
    • If your consolidation effort involves more than two facilities, then use multiple copies of the tool.
      • E.g. If you are consolidating four service desks (A, B, C, and D) into one service desk (X), then use two copies of the tool. We encourage you to book an analyst call to help you get the most out of this tool and process.

    Service Desk Consolidation TCO Comparison Tool

    Refine the business case and update the executive presentation

    Check in with executives and project sponsor before moving forward with the transition

    Since completing the executive visioning session in step 1.2, you should have completed the following activities:

    • Current state assessment
    • Detailed target state and metrics
    • Gap analysis between current and target state
    • Assessment of logistics and cost of consolidation

    The next step will be to develop a project roadmap to achieve the consolidation vision.

    Before doing this, check back in with the project sponsor and business executives to refine the business case, obtain necessary approvals, and secure buy-in.

    If necessary, add to the executive presentation you completed in step 1.2, copying results of the deliverables you have completed since:

    • Consolidate Service Desk Assessment Tool (current state assessment)
    • Consolidate Service Desk Scorecard Tool
    • Service Desk Consolidation TCO Comparison Tool

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech workshop

    Book a workshop with our Info-Tech analysts:

    • To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
    • Info-Tech analysts will join you and your team onsite at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.
    • Contact your account manager (www.infotech.com/account), or email Workshops@InfoTech.com for more information.

    The following are sample activities that will be conducted by Info-Tech analysts with your team:

    2.1.3 Brainstorm process requirements for consolidated service desk

    Identify process requirements and desired characteristics for the target consolidated service desk.

    2.1.9 Review the results of the scorecard to identify best practices

    Review the results of the Consolidate Service Desk Scorecard Tool to identify top performing service desks and glean best practices.

    Phase 3

    Plan the Transition

    Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

    Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

    Guided Implementation 3: Plan the transition

    Proposed Time to Completion (in weeks): 2-4

    Step 3.1: Build project roadmap

    Discuss with an analyst:

    • Identify specific initiatives for the consolidation project and evaluate the risks and dependencies for each
    • Plot initiatives on a detailed project roadmap with assigned responsibilities

    Then complete these activities…

    • Break the consolidation project down into specific initiatives
    • Identify and document risks and dependencies
    • Plot your initiatives onto a detailed project roadmap
    • Select transition date for consolidation

    With these tools & templates:

    Service Desk Consolidation Roadmap

    Step 3.2: Communicate the change

    Discuss with an analyst:

    • Identify the goals of communication, then develop a communications plan with targeted messaging for each stakeholder group to achieve those goals
    • Brainstorm potential objections and questions as well as responses to each

    Then complete these activities…

    • Build the communications delivery plan
    • Brainstorm potential objections and questions and prepare responses
    • Complete the news bulletin to distribute to your end users

    With these tools & templates:

    Service Desk Consolidation Communications and Training Plan Template

    Service Desk Consolidation News Bulletin & FAQ Template

    Phase 3 Results:
    • A detailed project roadmap toward consolidation and a communications plan to ensure stakeholders are on board

    Step 3.1: Build the project roadmap

    Phase 3

    Plan the consolidation

    3.1 Build the project roadmap

    3.2 Communicate the change

    This step will walk you through the following activities:
    • 3.1.1 Break the consolidation project down into a series of specific initiatives
    • 3.1.2 Identify and document risks and dependencies
    • 3.1.3 Plot your initiatives onto a detailed project roadmap
    • 3.1.4 Select transition date based on business cycles
    This step involves the following participants:
    • CIO
    • IT Directors
    • Service Desk Managers
    • Consolidation Project Manager
    • Service Desk Technicians
    Step outcomes

    A detailed roadmap to migrate to a single, consolidated service desk, including:

    • A breakdown of specific tasks groups by people, process, and technology
    • Identified risks and dependencies for each task
    • A timeline for completion of each task and the overall consolidation
    • Assigned responsibility for task completion

    Failure to engage stakeholders led to the failure of a large healthcare organization’s consolidation

    CASE STUDY

    Industry: Healthcare

    Source: Organizational insider

    A large US healthcare facilities organization implemented a service desk consolidation initiative in early 2013. Only 18 months later, they reluctantly decided to return to their previous service desk model.

    Why did this consolidation effort fail?

    1. Management failed to communicate the changes to service-level staff, leading to agent confusion and pushback. Initially, each desk became part of the other’s overflow queue with no mention of the consolidation effort. Next, the independent desks began to share a basic request queue. Finally, there was a complete virtual consolidation – which came as a shock to service agents.
    2. The processes and workflows of the original service desks were not integrated, requiring service agents to consult different processes and use different workflows when engaging with end users from different facilities, even though all calls were part of the same queue.
    3. Staff at the different service centers did not have a consistent level of expertise or technical ability, even though they all became part of the same queue. This led to a perceived drop in end-user satisfaction – end users were used to getting a certain level of service and were suddenly confronted with less experienced agents.

    Before Consolidation

    Two disparate service desks:

    • With distinct geographic locations.
    • Servicing several healthcare facilities in their respective regions.
    • With distinct staff, end users, processes, and workflows.

    After Consolidation

    One virtually-consolidated service desk servicing many facilities spread geographically over two distinct locations.

    The main feature of the new virtual service desk was a single, pooled ticket queue drawn from all the end users and facilities in the new geographic regions.

    Break the consolidation project down into a series of specific initiatives

    3.1.1 Create a list of specific tasks that will form the consolidation project

    Participants
    • CIO or IT Director
    • Project Manager
    • Service Desk Manager(s)
    What You’ll Need
    • Whiteboard and markers
    • List of prioritized target state requirements
    • Consolidation roadmap
    Document

    Document the list of initiatives in the Service Desk Consolidation Roadmap.

    In order to translate your newly made decisions regarding the target state and logistical considerations into a successful consolidation strategy, create an exhaustive list of all the steps and sub-steps that will lead you from your current state to your target state.

    Use the next few steps to finish brainstorming the initiative list, identify risks and dependencies, and construct a detailed timeline populated with specific project steps.

    Instructions

    Start with the list you have been curating throughout the current and future state assessments. If you are completing this project as a workshop, add to the initiative list you have been developing on the whiteboard.

    Try to organize your initiatives into groups of related tasks. Begin arranging your initiatives into people, process, technology, or other categories.

    Whiteboard People Process Technology Other

    Evaluate the impact of potential risks and develop a backup plan for high risk initiatives

    A service desk consolidation has a high potential for risks. Have a backup plan prepared for when events don’t go as planned.

    • A consolidation project requires careful planning as it is high risk and not performed often.
    • Apply the same due diligence to the consolidation plan as you do in preparing your disaster recovery plan. Establish predetermined resolutions to realistic risks so that the team can think of solutions quickly during the consolidation.

    Potential Sources of Risk

    • Service desk tool or phone line downtime prevents ability to submit tickets
    • Unable to meet SLAs through the transition
    • Equipment failure or damage through the physical move
    • Lost data through tool migration
    • Lost knowledge from employee attrition
    Risk - degree of impact if activities do not go as planned High

    A – High Risk, Low Frequency

    Tasks that are rarely done and are high risk. Focus attention here with careful planning (e.g. consolidation)

    B – High Risk, High Frequency

    Tasks that are performed regularly and must be watched closely each time (e.g. security authorizations)

    C – Low Risk, Low Frequency

    Tasks that are performed regularly with limited impact or risk (e.g. server upgrades)

    D – Low Risk, High Frequency

    Tasks that are done all the time and are not risky (e.g. password resets)

    Low High
    Frequency - how often the activity has been performed

    Service desk consolidations fit in category A

    Identify risks for people, processes, tools, or data to ensure the project plan will include appropriate mitigations

    Each element of the consolidation has an inherent risk associated with it as the daily service flow is interrupted. Prepare in advance by anticipating these risks.

    The project manager, service desk managers, and subject matter experts (SMEs) of different areas, departments, or locations should identify risks for each of the processes, tools, resource groups (people), and any data exchanges and moves that will be part of the project or impacted by the project.

    Process - For each process, validate that workflows can remain intact throughout the consolidation project. If any gaps may occur in the process flows, develop a plan to be implemented in parallel with the consolidation to ensure service isn’t interrupted.

    Technology - For a tool consolidation, upgrade, or replacement, verify that there is a plan in place to ensure continuation of service delivery processes throughout the change.

    Make a plan for if and how data from the old tool(s) will be migrated to the new tool, and how the new tool will be installed and configured.

    People - For movement of staff, particularly with termination, identify any risks that may occur and involve your HR and legal departments to ensure all movement is compliant with larger processes within the organization.

    Info-Tech Insight

    Don’t overlook the little things. Sometimes the most minor-seeming components of the consolidation can cause the greatest difficulty. For example, don’t assume that the service desk phone number can simply roll over to a new location and support the call load of a combined service desk. Verify it.

    Identify and document risks and dependencies

    3.1.2 Risks, challenges, and dependencies exercise - Estimated Time: 60 minutes

    Participants
    • CIO or IT Director
    • Project Manager
    • Service Desk Manager(s)
    • SMEs
    What You'll Need
    • Whiteboard and markers
    • List of initiatives identified in previous activities
    • Consolidation roadmap
    Document

    Use the outcome of this activity to complete your consolidation roadmap.

    Instructions
    • Document risks and challenges, as well as dependencies associated with the initiatives identified earlier, using a different color sticky note from your initiatives.
    • See example below.
    Combine Related Initiatives
    • Look for initiatives that are highly similar, dependent on each other, or occurring at the same time. Consolidate these initiatives into a single initiative with several sub-steps in order to better organize your roadmap and reduce redundancy.
    • Create hierarchies for dependent initiatives that could affect the scheduling of initiatives on a roadmap, and reorganize the whiteboard where necessary.
    Optional:
    • Use a scoring method to categorize risks. E.g.:
      • High: will stop or delay operations, radically increase cost, or significantly reduce consolidation benefits
      • Medium: would cause some delay, cost increase, or performance shortfall, but would not threaten project viability
      • Low: could impact the project to a limited extent, causing minor delays or cost increases
    • Develop contingency plans for high risks or adjust to avoid the problem entirely
    Implement new ISTM tool:
    • Need to transition from existing tools
    • Users must be trained
    • Data and open tickets must be migrated

    Plot your initiatives onto a detailed project roadmap

    3.1.3 Estimated Time: 45 minutes

    Participants
    • CIO or IT Director
    • Project Manager
    • Service Desk Manager(s)
    Document

    Document your initiatives on tab 2 of the Service Desk Consolidation Roadmap or map it out on a whiteboard.

    Determine the sequence of initiatives, identify milestones, and assign dates.
    • The purpose of this exercise is to define a timeline and commit to initiatives to reach your goals.
    • Determine the order in which previously identified consolidation initiatives will be implemented, document previously identified risks and dependencies, assign ownership for each task, and assign dates for pilots and launch.

    Select transition date based on business cycles

    3.1.4

    Participants
    • CIO or IT Director
    • Project Manager
    • Service Desk Manager(s)
    What You'll Need
    • Consolidation roadmap
    Document

    Adjust initiatives in the consolidation roadmap if necessary.

    The transition date will be used in communications in the next step.

    1. Review the initiatives in the roadmap and the resulting sunshine diagram on tab 3.
    2. Verify that the initiatives will be possible within the determined time frame and adjust if necessary.
    3. Based on the results of the roadmap, select a target transition date for the consolidation by determining:
      1. Whether there are dates when a major effort of this kind should not be scheduled.
      2. Whether there are merger and acquisition requirements that dictate a specific date for the service desk merger.
    4. Select multiple measurable checkpoints to alert the team that something is awry and mitigate risks.
    5. Verify that stakeholders are aware of the risks and the proposed steps necessary to mitigate them, and assign the necessary resources to them.
    6. Document or adjust the target transition date in the roadmap.

    Info-Tech Insight

    Consolidating service desks doesn’t have to be done in one shot, replacing all your help desks, tools, and moving staff all at the same time. You can take a phased approach to consolidating, moving one location, department, or tool at a time to ease the transition.

    Step 3.2: Communicate the change

    Phase 3

    Design consolidation

    3.1 Build the project roadmap

    3.2 Communicate the change

    This step will walk you through the following activities:
    • 3.2.1 Build the communications delivery plan
    • 3.2.2 Brainstorm potential objections and questions and prepare responses
    This step involves the following participants:
    • IT Director
    • Project Manager
    • Service Desk Manager(s)
    • Service Desk Agents
    Step outcomes
    • A detailed communications plan with key messages, delivery timeline, and spokesperson responsibility for each key stakeholder audience
    • A set of agreed-upon responses to anticipated objections and questions to ensure consistent message delivery
    • A news bulletin and list of FAQs to distribute to end users to prepare them for the change

    Create your communication plan with everyone in mind, from the CIO to end users

    CASE STUDY

    Industry: Higher Education

    Source: Oxford University, IT Services

    Oxford implemented extremely innovative initiatives as part of its robust communications plan.

    ITS ran a one-day ITSM “business simulation” for the CIO and direct reports, increasing executive buy-in.

    The business simulation was incredibly effective as a way of getting management buy-in – it really showed what we are driving at. It’s a way of making it real, bringing people on board. ” – John Ireland, Director of Customer Service

    Detailed use cases were envisioned referencing particular ITIL processes as the backbone of the process framework.

    The use cases were very helpful, they were used […] in getting a broad engagement from teams across our department and getting buy-in from the distributed IT staff who we work with across the wider University. ” – John Ireland, Director of Customer Service

    The Oxford ITS SDCP blog was accessible to everyone.

    • Oxford’s SDCP blog acted as a project touchstone not only to communicate updates quickly, but also to collect feedback, enable collaboration, and set a project tone.
    • An informal tone and accessible format facilitated the difficult cultural shifts required of the consolidation effort.

    We in the project team would love to hear your view on this project and service management in general, so please feel free to comment on this blog post, contact us using the project email address […] or, for further information visit the project SharePoint site […] ” – Oxford ITS SDCP blog post

    Plan for targeted and timely communications to all stakeholders

    Develop a plan to keep all affected stakeholders informed about the changes consolidation will bring, and more importantly, how they will affect them.

    All stakeholders must be kept informed of the project plan and status as the consolidation progresses.
    • Management requires frequent communication with the core project group to evaluate the success of the project in meeting its goals.
    • End users should be informed about changes that are happening and how these changes will affect them.

    A communications plan should address three elements:

    1. The audience and their communication needs
    2. The most effective means of communicating with this audience
    3. Who should deliver the message

    Goals of communication:

    1. Create awareness and understanding of the consolidation and what it means for each role, department, or user group
    2. Gain commitment to the change from all stakeholders
    3. Reduce and address any concerns about the consolidation and be transparent in responding to any questions
    4. Communicate potential risks and mitigation plan
    5. Set expectations for service levels throughout and after the consolidation

    Plan the method of delivery for your communications carefully

    Plan the message, test it with a small audience, then deliver to your employees and stakeholders in person to avoid message avoidance or confusion.

    Message Format

    Email and Newsletters

    Email and newsletters are convenient and can be transmitted to large audiences easily, but most users are inundated with email already and may not notice or read the message.

    • Use email to make large announcements or invite people to meetings but not as the sole medium of communication.

    Face-to-Face Communication

    Face-to-face communication helps to ensure that users are receiving and understanding a clear message, and allows them to voice their concerns and clarify any confusion or questions.

    • Use one-on-ones for key stakeholders and team meetings for groups.

    Internal Website/Drive

    Internal sites help sustain change by making knowledge available after the consolidation, but won’t be retained beforehand.

    • Use for storing policies, how-to-guides, and SOPs.
    Message Delivery
    1. Plan your message
      1. Emphasize what the audience really needs to know, that is, how the change will impact them.
    2. Test your message
      1. Run focus groups or test your communications with a small audience (2-3 people) first to get feedback and adjust messages before delivering them more broadly.
    3. Deliver and repeat your message
      1. “Tell them what you’re going to tell them, then tell them, then tell them what you told them.”
    4. Gather feedback and evaluate communications
      1. Evaluate the effectiveness of the communications (through surveys, focus groups, stakeholder interviews, or metrics) to ensure the message was delivered and received successfully and communication goals were met.

    Address the specific concerns of the business vs. employees

    Focus on alleviating concerns from both sides of the communication equation: the business units and employees.

    Business units:

    Be attentive to the concerns of business unit management about loss of power. Appease worries about the potential risk of reduced service quality and support responsiveness that may have been experienced in prior corporate consolidation efforts.

    Make the value of the consolidation clear, and involve business unit management in the organizational change process.

    Focus on producing a customer-focused consolidated service desk. It will assuage fears over the loss of control and influence. Business units may be relinquishing control of their service desk, but they should retain the same level of influence.

    Employees:

    Employees are often fearful of the impact of a consolidation on their jobs. These fears should be addressed and alleviated as soon as possible.

    Design a communication plan outlining the changes and the reasons motivating it.

    Put support programs in place for displaced and surviving employees.

    Motivate employees during the transition and increase employee involvement in the change.

    Educate and train employees who make the transition to the new structure and new job demands.

    Info-Tech Insight

    Know your audience. Be wary of using technical jargon or acronyms that may seem like common knowledge within your department but would not be part of the vocabulary of non-technical audiences. Ensure your communications are suitable for the audience. If you need to use jargon or acronyms, explain what you mean.

    Build the communications delivery plan

    3.2.1 Develop a plan to deliver targeted messages to key stakeholder groups

    Participants
    • CIO or IT Director
    • Project Manager
    • Service Desk Manager(s)
    What You'll Need
    • Communications plan template
    • Whiteboard and markers
    Document

    Document your decisions in the communications plan template

    1. Define the goals of the communications in section 1 of the Service Desk Consolidation Communications and Training Plan Template.
    2. Determine when communication milestones/activities need to be delivered by completing the Communications Schedule in section 2.
    3. Determine the key stakeholder groups or audiences to whom you will need to deliver communications.
    4. Identify the content of the key messages that need to be delivered and select the most appropriate delivery method for each (i.e. email, team meeting, individual meetings). Designate who will be responsible for delivering the messages.
    5. Document a plan for gathering feedback and evaluating the effectiveness of the communications in section 5 (i.e. stakeholder interviews and surveys).

    Section 4 of the communications plan on objections and question handling will be completed in activity 3.2.2.

    Optional Activity

    If you completed the Stakeholder Engagement Workbook in step 1.1, you may also complete the Communications tab in that workbook to further develop your plan to engage stakeholders.

    Effectively manage the consolidation by implementing change management processes

    Implement change management processes to ensure that the consolidation runs smoothly with limited impact on IT infrastructure.

    Communicate and track changes: Identify and communicate changes to all stakeholders affected by the change to ensure they are aware of any downtime and can plan their own activities accordingly.

    Isolate testing: Test changes within a safe non-production environment to eliminate the risk of system outages that result from defects discovered during testing.

    Document back-out plans: Documented back-out/backup plans enable quick recovery in the event that the change fails.

    The image is a horizontal bar graph, titled Unplanned downtime due to change versus change management maturity. The graph shows that for a Change Management Maturity that is Informal, the % Experiencing Unplanned Downtime due to Failed Change is 41%; for Defined, it is 25%; and for Optimized, it is 19%.

    Organizations that have more mature and defined change management processes experience less unplanned downtime when implementing change across the organization.

    Sustain changes by adapting people, processes, and technologies to accept the transition

    Verify that people, process, and technologies are prepared for the consolidation before going live with the transition.

    What?

    1. Adapt people to the change

    • Add/change roles and responsibilities.
    • Move people to different roles/teams.
    • Change compensation and incentive structures to reinforce new goals, if applicable.

    2. Adapt processes to the change

    • Add/change supporting processes.
    • Eliminate or consolidate legacy processes.
    • Add/change standard operating procedures.

    3. Adapt technologies to the change

    • Add/change/update supporting technologies.
    • Eliminate or consolidate legacy technologies
    How? Work with HR on any changes involving job design, personnel changes, or compensation. Work with enterprise architects or business analysts to manage significant changes to processes that may impact the business and service levels.

    See Info-Tech’s Optimize the Change Management Processblueprint to use a disciplined change control process for technology changes.

    Info-Tech Insight

    Organizational change management (OCM) is widely recognized as a key component of project success, yet many organizations struggle to get adoption for new tools, policies, and procedures. Use Info-Tech’s blueprint on driving organizational change to develop a strategy and toolkit to achieve project success.

    Manage people by addressing their specific concerns based on their attitude toward change

    Avoid high turnover and resistance to change by engaging both the enthusiasts and the skeptics with targeted messaging.

    • Clearly articulate and strongly champion the changes that will result from the consolidation for those willing to adapt to the change.
    • Make change management practices integral to the entire project.
    • Provide training workshops on new processes, new goals or metrics, new technologies and tools, and teamwork as early as possible after consolidation.
    1. Enthusiasts - Empower them to stay motivated and promote the change
    2. Fence-Sitters/Indifferent - Continually motivate them by example but give them time to adapt to the change
    3. Skeptics - Engage them early and address their concerns and doubts to convert them to enthusiasts
    4. Saboteurs - Prevent them from spreading dissent and rumors, thus undermining the project, by counteracting negative claims early

    Leverage the Stakeholder Engagement Workbook from step 1.1 as well as Info-Tech’s blueprint on driving organizational change for more tactics on change management, particularly managing and engaging various personas.

    Prepare ahead of time for questions that various stakeholder groups may have

    Anticipate questions that will arise about the consolidation so you can prepare and distribute responses to frequently asked questions. Sample questions from various stakeholders are provided below.

    General
    1. Why is the organization moving to a consolidated service desk?
    2. Where is the consolidated service desk going to be located?
    3. Are all or only some service desks consolidating?
    4. When is the consolidation happening?
    5. What are the anticipated benefits of consolidation?

    Business

    1. What is the budget for the project?
    2. What are the anticipated cost savings and return on investment?
    3. When will the proposed savings be realized?
    4. Will there be job losses from the consolidation and when will these occur?
    5. Will the organization subsidize moving costs?

    Employees

    1. Will my job function be changing?
    2. Will my job location be changing?
    3. What will happen if I can’t relocate?
    4. Will my pay and benefits be the same?
    5. Will reporting relationships change?
    6. Will performance expectations and metrics change?

    End Users

    1. How do I get help with IT issues?
    2. How do I submit a ticket?
    3. How will I be notified of ticket status, outages?
    4. Where will the physical service desk be located?
    5. Will I be able to get help in my language?
    6. Will there be changes for levels of service?

    Brainstorm likely objections/questions to prepare responses

    3.2.2 Prepare responses to likely questions to ensure consistent messaging

    Participants
    • IT Director
    • Project Manager
    • Service Desk Manager(s)
    • Service Desk Agents
    Document

    Document your questions and responses in section 4 of the communications plan template. This should be continually updated.

    1. Brainstorm anticipated objections and questions you may hear from various stakeholder groups: service desk employees, end users, and management or executives.
    2. For each objection or question, prepare a response that will be delivered to ensure consistent messaging. Use a table like the example below.
    Group Objection/Question Response
    Service desk staff I’m comfortable with the service desk tool we’ve been using here and won’t know how to use the new one. We carefully evaluated the new solution against our requirements and selected it as the one that will provide the best service to our users and be user friendly. We tested the solution through user-acceptance testing to ensure staff will be comfortable using it, and we will provide comprehensive training to all users of the tool before launching it.
    End user I’m used to going to my favorite technician for help. How will I get service now? We are initiating a single point of contact so that you will know exactly where to go to get help quickly and easily, so that we can more quickly escalate your issue to the appropriate technician, and so that we can resolve it and notify you as soon as possible. This will make our service more effective and efficient than you having to find one individual who may be tied up with other work or unavailable.

    Keep the following in mind when formulating your responses:

    • Lead with the benefits
    • Be transparent and honest
    • Avoid acronyms, jargon, and technical terms
    • Appeal to both emotion and reason
    • Be concise and straightforward
    • Don’t be afraid to be repetitive; people need repetition to remember the message
    • Use concrete facts and images wherever possible

    Complete the Service Desk Consolidation News Bulletin & FAQ Template to distribute to your end users

    Customize the template or use as a guide to develop your own

    The Service Desk Consolidation News Bulletin & FAQ Template is intended to be an example that you can follow or modify for your own organization. It provides a summary of how the consolidation project will change how end users interact with the service desk.

    1. What the change means to end users
    2. When they should contact the service desk (examples)
    3. How to contact the service desk (include all means of contact and ticket submission)
    4. Answers to questions they may have
    5. Links to more information

    The bulletin is targeted for mass distribution to end users. A similar letter may be developed for service desk staff, though face-to-face communication is recommended.

    Instructions:

    1. Use the template as a guide to develop your own FAQ news bulletin and adjust any sections or wording as you see fit.
    2. You may wish to develop separate letters for each location, referring more specifically to their location and where the new service desk will be located.
    3. Save the file as a PDF for print or email distribution at the time determined in your communications plan.

    Keeping people a priority throughout the project ensured success

    CASE STUDY

    Industry: Higher Education

    Source: Oxford University, IT Services

    Oxford’s new consolidated service desk went live April 20, 2015.

    They moved from 3 distinct tools and 5 disparate help desks to a single service desk with one robust ITSM solution, all grounded by a unified set of processes and an integrated workflow.

    The success of this project hinged upon:

    • A bold vision, formulated early and in collaboration with all stakeholders.
    • Willingness to take time to understand the unique perspective of each role and help desk, then carefully studying existing processes and workflows to build upon what works.
    • Constant collaboration, communication, and the desire to listen to feedback from all interested parties.

    "We have had a few teething issues to deal with, but overall this has been a very smooth transition given the scale of it." – ICTF Trinity Term 2015 IT Services Report

    Beyond the initial consolidation.
    • Over the summer of 2015, ITS moved to full 24/7 support coverage.
    • Oxford’s ongoing proposition with regard to support services is to extend the new consolidated service desk beyond its current IT role:
      • Academic Admissions
      • Case Management
      • IT Purchasing
    • To gradually integrate those IT departments/colleges/faculties that remain independent at the present time.
    • Info-Tech can facilitate these goals in your organization with our research blueprint, Extend the Service Desk to Enterprise.

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech workshop

    Book a workshop with our Info-Tech analysts:

    • To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
    • Info-Tech analysts will join you and your team onsite at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.
    • Contact your account manager (www.infotech.com/account), or email Workshops@InfoTech.com for more information.

    The following are sample activities that will be conducted by Info-Tech analysts with your team:

    3.1.1 Break the consolidation project down into a series of specific initiatives

    Create a list of specific tasks that will form the consolidation project on sticky notes and organize into people, process, technology, and other categories to inform the roadmap.

    3.2.2 Brainstorm likely objections/questions to prepare responses

    Brainstorm anticipated questions and objections that will arise from various stakeholder groups and prepare consistent responses to each.

    Related Info-Tech research

    Standardize the Service Desk - Provide timely and effective responses to user requests and resolutions of all incidents.

    Extend the Service Desk to the Enterprise - Position IT as an innovator.

    Build a Continual Improvement Plan for the Service Desk - Teach your old service desk new tricks.

    Adopt Lean IT to Streamline the Service Desk - Turn your service desk into a Lean, keen, value-creating machine.

    Vendor Landscape: Enterprise Service Desk Software - Move past tickets to proactive, integrated service.

    Vendor Landscape: Mid-Market Service Desk Software - Ensure the productivity of the help desk with the right platform.

    Build an ITSM Tool Implementation Plan - Nail your ITSM tool implementation from the outset.

    Drive Organizational Change from the PMO - Don’t let bad change happen to good projects.

    Research contributors and experts

    Stacey Keener - IT Manager for the Human Health and Performance Directorate, Johnson Space Center, NASA

    Umar Reed - Director of IT Support Services US Denton US LLP

    Maurice Pryce - IT Manager City of Roswell, Georgia

    Ian Goodhart - Senior Business Analyst Allegis Group

    Gerry Veugelaers - Service Delivery Manager New Zealand Defence Force

    Alisa Salley Rogers - Senior Service Desk Analyst HCA IT&S Central/West Texas Division

    Eddie Vidal - IS Service Desk Managers University of Miami

    John Conklin - Chief Information Officer Helen of Troy LP

    Russ Coles - Senior Manager, Computer Applications York Region District Schoolboard

    John Seddon - Principal Vanguard Consulting

    Ryan van Biljon - Director, Technical Services Samanage

    Rear Admiral Robert E. Day Jr. (ret.) - Chief Information Officer United States Coast Guard

    George Bartha - Manager of Information Technology Unifrax

    Peter Hubbard - IT Service Management Consultant Pink Elephant

    Andre Gaudreau - Manager of School Technology Operations York Region District School Board

    Craig Nekola - Manager, Information Technology Anoka County

    Bibliography and Further Reading

    Hoen, Jim. “The Single Point of Contact: Driving Support Process Improvements with a Consolidated IT Help-Desk Approach.” TechTeam Global Inc. September 2005.

    Hubbard, Peter. “Leading University embarks on IT transformation programme to deliver improved levels of service excellence.” Pink Elephant. http://pinkelephant.co.uk/about/case-studies/service-management-case-study/

    IBM Global Services. “Service Desk: Consolidation, Relocation, Status Quo.” IBM. June 2005.

    Keener, Stacey. “Help Desks: a Problem of Astronomical Proportions.” Government CIO Magazine. 1 February 2015.

    McKaughan, Jeff. “Efficiency Driver.” U.S. Coast Guard Forum Jul. 2013. Web. http://www.intergraphgovsolutions.com/documents/CoastGuardForumJuly2013.pdf

    Numara Footprints. “The Top 10 Reasons for Implementing a Consolidated Service Desk.” Numara Software.

    Roy, Gerry, and Frederieke Winkler Prins. “How to Improve Service Quality through Service Desk Consolidation.” BMC Software.

    Smith, Andrew. “The Consolidated Service Desk – An Achievable Goal?” The Service Desk Institute.

    Wolfe, Brandon. “Is it Time for IT Service Desk Consolidation?” Samanage. 4 August 2015.

    2020 Security Priorities Report

    • Buy Link or Shortcode: {j2store}245|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Security Strategy & Budgeting
    • Parent Category Link: /security-strategy-and-budgeting

    Use this deck to learn what projects security practitioners are prioritizing for 2020. Based on a survey of 460 IT security professionals, this report explains what you need to know about the top five priorities, including:

    • Signals and drivers
    • Benefits
    • Critical uncertainties
    • Case study
    • Implications

    While the priorities should in no way be read as prescriptive, this research study provides a high-level guide to understand that priorities drive the initiatives, projects, and responsibilities that make up organizations' security strategies.

    Our Advice

    Critical Insight

    There is always more to do, and if IT leaders are to grow with the business, provide meaningful value, and ascend the ladder to achieve true business partner and innovator status, aggressive prioritization is necessary. Clearly, security has become a priority across organizations, as security budgets have continued to increase over the course of 2019. 2020’s priorities highlight that data security has become the thread that runs through all other security priorities, as data is now the currency of the modern digital economy. As a result, data security has reshaped organizations’ priorities to ensure that data is always protected.

    Impact and Result

    Ultimately, understanding how changes in technology and patterns of work stand to impact the day-to-day lives of IT staff across seniority and industries will allow you to evaluate what your priorities should be for 2020. Ensure that you’re spending your time right. Use data to validate. Prioritize and implement.

    2020 Security Priorities Report Research & Tools

    Start here – read the Executive Brief

    This storyboard will help you understand what projects security practitioners are prioritizing for 2020.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Data security

    Data security often rubs against other organizational priorities like data quality, but organizations need to understand that the way they store, handle, and dispose of data is now under regulatory oversight.

    • 2020 Security Priorities Report – Priority 1: Data Security

    2. Cloud security

    Cloud security means that organizations can take advantage of automation tools not only for patching and patch management but also to secure code throughout the SDLC. It is clear that cloud will transform how security is performed.

    • 2020 Security Priorities Report – Priority 2: Cloud Security

    3. Email security

    Email security is critical, since email continues to be one of the top points of ingress for cyberattacks from ransomware to business email compromise.

    • 2020 Security Priorities Report – Priority 3: Email Security

    4. Security risk management

    Security risk management requires organizations to make decisions based on their individual risk tolerance on such things as machine learning and IoT devices.

    • 2020 Security Priorities Report – Priority 4: Security Risk Management

    5. Security awareness and training

    Human error continues to be a security issue. In 2020, organizations should tailor their security awareness and training to their people so that they are more secure not only at work but also in life.

    • 2020 Security Priorities Report – Priority 5: Security Awareness and Training
    [infographic]

    Prepare and Defend Against a Software Audit

    • Buy Link or Shortcode: {j2store}59|cart{/j2store}
    • member rating overall impact: 10.0/10 Overall Impact
    • member rating average dollars saved: $32,499 Average $ Saved
    • member rating average days saved: 6 Average Days Saved
    • Parent Category Name: Licensing
    • Parent Category Link: /licensing
    • Audit defense starts long before you get audited. Negotiating your vendors’ audit rights and maintaining a documented consolidated licensing position ensure that you are not blindsided by a sudden audit request.
    • Notification of an impending audit can cause panic. Don't panic. While the notification will be full of strong language, your best chance of success is to take control of the situation. Prepare a measured response that buys you enough time to get your house in order before you let the vendor in.
    • If a free software asset review sounds too good to be true, then it probably is. If a vendor or one of its partners offers up a free software asset management engagement, they aren’t doing so out of the goodness of their heart — they expect to recoup their costs (and then some) from identified license discrepancies.

    Our Advice

    Critical Insight

    • The amount of business disruption depends on the scope of the audit, and the size and complexity of the organization coupled with the contractual audit clause in the contract.
    • These highly visible failures can be prevented through effective software asset management practices.
    • As complexity of licensing increases, so do penalties. If the environment is highly complex, prioritize effort by likelihood of audit and spend.
    • Ensure electronic records exist for license documentation to provide fast access for audit and information requests
    • Verify accuracy of discovered data. Ensure all devices on the network are being audited. Without a complete discovery process, data will always be inaccurate.

    Impact and Result

    • Being able to respond quickly with accurate data is critical. When deadlines are tight, and internal resources don’t exist, hire a third party as their experience will allow a faster response.
    • Negotiate terms of the audit such as deadlines, proof of license entitlement, and who will complete the audit.
    • Create a methodology to quickly and efficiently respond to audit requests.
    • Conduct annual internal audits.
    • Have a designated cross-functional IT audit team.
    • Prepare documentation in advance.
    • Manage audit logistics to minimize business disruption.
    • Dispute unwarranted findings.

    Prepare and Defend Against a Software Audit Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should be prepared and ready to defend against a software audit, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Prevent an audit

    Begin your proactive audit management journey and leverage value from your software asset management program.

    • Prepare and Defend Against a Software Audit – Phase 1: Prevent an Audit
    • Audit Defense Maturity Assessment Tool
    • Effective Licensing Position Tool
    • Audit Defence RACI Template

    2. Prepare for an audit

    Prepare for an audit by effectively scoping and consolidating organizational response.

    • Prepare and Defend Against a Software Audit – Phase 2: Prepare for an Audit
    • Software Audit Scoping Email Template
    • Audit Defense Readiness Assessment

    3. Conduct the audit

    Execute the audit in a way that preserves valuable relationships while accounting for vendor specific criteria.

    • Prepare and Defend Against a Software Audit – Phase 3: Conduct an Audit
    • Software Audit Launch Email Template

    4. Manage post-audit activities

    Conduct negotiations, settle on remuneration, and close out the audit.

    • Prepare and Defend Against a Software Audit - Phase 4: Manage Post-Audit Activities
    [infographic]

    Workshop: Prepare and Defend Against a Software Audit

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Prevent an Audit

    The Purpose

    Kick off the project

    Identify challenges and red flags

    Determine maturity and outline internal audit

    Clarify stakeholder responsibilities

    Build and structure audit team

    Key Benefits Achieved

    Leverage value from your audit management program

    Begin your proactive audit management journey

    A documented consolidated licensing position, which ensures that you are not blindsided by a sudden audit request

    Activities

    1.1 Perform a maturity assessment of the current environment

    1.2 Classify licensing contracts/vendors

    1.3 Conduct a software inventory

    1.4 Meter application usage

    1.5 Manual checks

    1.6 Gather software licensing data

    1.7 Reconcile licenses

    1.8 Create your audit team and assign accountability

    Outputs

    Maturity assessment

    Effective license position/license reconciliation

    Audit team RACI chart

    2 Prepare for an Audit

    The Purpose

    Create a strategy for audit response

    Know the types of requests

    Scope the engagement

    Understand scheduling challenges

    Know roles and responsibilities

    Understand common audit pitfalls

    Define audit goals

    Key Benefits Achieved

    Take control of the situation and prepare a measured response

    A dedicated team responsible for all audit-related activities

    A formalized audit plan containing team responsibilities and audit conduct policies

    Activities

    2.1 Use Info-Tech’s readiness assessment template

    2.2 Define the scope of the audit

    Outputs

    Readiness assessment

    Audit scoping email template

    3 Conduct the Audit

    The Purpose

    Overview of process conducted

    Kick-off and self-assessment

    Identify documentation requirements

    Prepare required documentation

    Data validation process

    Provide resources to enable the auditor

    Tailor audit management to vendor compliance position

    Enforce best-practice audit behaviors

    Key Benefits Achieved

    A successful audit with minimal impact on IT resources

    Reduced severity of audit findings

    Activities

    3.1 Communicate audit commencement to staff

    Outputs

    Audit launch email template

    4 Manage Post-Audit Activities

    The Purpose

    Clarify auditor findings and recommendations

    Access severity of audit findings

    Develop a plan for refuting unwarranted findings

    Disclose findings to management

    Analyze opportunities for remediation

    Provide remediation options and present potential solutions

    Key Benefits Achieved

    Ensure your audit was productive and beneficial

    Improve your ability to manage audits

    Come to a consensus on which findings truly necessitate organizational change

    Activities

    4.1 Don't accept the penalties; negotiate with vendors

    4.2 Close the audit and assess the financial impact

    Outputs

    A consensus on which findings truly necessitate organizational change

    Effective IT Communications

    • Buy Link or Shortcode: {j2store}429|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Lead
    • Parent Category Link: /lead

    IT communications are often considered ineffective. This is demonstrated by:

    • A lack of inclusion or time to present in board meetings.
    • Confusion around IT priorities and how they align to organizational objectives.
    • Segregating IT from the rest of the organization.
    • The inability to secure the necessary funding for IT-led initiatives.
    • IT employees not feeling supported or engaged.

    Our Advice

    Critical Insight

    • No one is born a good communicator. Every IT employee needs to spend the time and effort to grow their communication skills; with constant change and worsening IT crises, IT cannot afford to communicate poorly anymore.
    • The skills needed to communicate effectively as a front=line employee or CIO are the same. It is important to begin the development of these skills from the beginning of one's career.
    • Time is a non-renewable resource. Any communication needs to be considered valuable and engaging by the audience or they will be unforgiving.

    Impact and Result

    Communications is a responsibility of all members of IT. This is demonstrated through:

    • Engaging in two-way communications that are continuous and evolving.
    • Establishing a communications strategy – and following the plan.
    • Increasing the skills of all IT employees when it comes to communications.
    • Identifying audiences and their preferred means of communication.

    Effective IT Communications Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Effective IT Communications Capstone Deck – A resource center to ensure you never start communications from a blank page again.

    This capstone blueprint highlights the components, best practices, and importance of good communication for all IT employees.

    • Effective IT Communications Storyboard

    2. IT Townhall Template – A ready-to-use template to help you engage with IT employees and ensure consistent access to information.

    IT town halls must deliver value to employees, or they will withdraw and miss key messages. To engage employees, use well-crafted communications in an event that includes crowd-sourced contents, peer involvement, recognition, significant Q&A time allotment, organizational discussions, and goal alignment.

    • IT Townhall Template

    3. IT Year in Review Template – A ready-to-use template to help communicate IT successes and future objectives.

    This template provides a framework to build your own IT Year In Review presentation. An IT Year In Review presentation typically covers the major accomplishments, challenges, and initiatives of an organization's information technology (IT) department over the past year.

    • IT Year in Review Template

    Infographic

    Further reading

    Effective IT Communications

    Empower IT employees to communicate well with any stakeholder across the organization.

    Analyst perspective

    There has never been an expectation for IT to communicate well.

    Brittany Lutes

    Brittany Lutes
    Research Director
    Info-Tech Research Group

    Diana MacPherson

    Diana MacPherson
    Senior Research Analyst
    Info-Tech Research Group

    IT rarely engages in proper communications. We speak at, inform, or tell our audience what we believe to be important. But true communications seldom take place.

    Communications only occur when channels are created to ensure the continuous opportunity to obtain two-way feedback. It is a skill that is developed over time, with no individual having an innate ability to be better at communications. Each person in IT needs to work toward developing their personal communications style. The problem is we rarely invest in development or training related to communications. Information and technology fields spend time and money developing hard skills within IT, not soft ones.

    The benefits associated with communications are immense: higher business satisfaction, funding for IT initiatives, increased employee engagement, better IT to business alignment, and the general ability to form ongoing partnerships with stakeholders. So, for IT departments looking to obtain these benefits through true communications, develop the necessary skills.

    Executive summary

    Your Challenge Common Obstacles Info-Tech’s Approach
    IT communications are often considered ineffective. This is demonstrated by:
    • A lack of inclusion or time to present in board meetings.
    • Confusion around IT priorities and how they align to organizational objectives.
    • Segregating IT from the rest of the organization.
    • An inability to secure the necessary funding for IT-led initiatives.
    • IT employees not feeling supported or engaged.
    		Frequently, these barriers have prevented IT communications from being effective:
    • Using technical jargon when a universal language is needed.
    • Speaking at organization stakeholders rather than engaging through dialogue.
    • Understanding the needs of the audience.
    Overall, IT has not been expected to engage in good communications or taken a proactive approach to communicate effectively.     		Communications is a responsibility of all members of IT. This is demonstrated through:
    • Engaging in two-way communications that are continuous and evolving.
    • Establishing a communications strategy – and following the plan.
    • Increasing the skills of all IT employees when it comes to communications.
    • Identifying audiences and their preferred means of communication.

    Info-Tech Insight
    No one is born a good communicator. Every IT employee needs to spend the time and effort to grow their communication skills as constant change and worsening IT crises mean that IT cannot afford to communicate poorly anymore.

    Your challenge

    Overall satisfaction with IT is correlated to satisfaction with IT communications

    Chart showing satisfaction with it and communications

    The bottom line? For every 10% increase in communications there 8.6% increase in overall IT satisfaction. Therefore, when IT communicates with the organization, stakeholders are more likely to be satisfied with IT overall.

    Info-Tech Diagnostic Programs, N=330 organizations

    IT struggles to communicate effectively with the organization:

    • CIOs are given minimal time to present to the board or executive leaders about IT’s value and alignment to business goals.
    • IT initiatives are considered complicated and confusing.
    • The frequency and impact of IT crises are under planned for, making communications more difficult during a major incident.
    • IT managers do not have the skills to communicate effectively with their team.
    • IT employees do not have the skills to communicate effectively with one another and end users.

    Common obstacles

    IT is prevented from communicating effectively due to these barriers:

    • Difficulty assessing the needs of the audience to inform the language and means of communication that should be used.
    • Using technical jargon rather than translating the communication into commonly understood terms.
    • Not receiving the training required to develop communication skills across IT employees.
    • Frequently speak at organization stakeholders rather than engaging through dialogue.
    • Beginning many communications from a blank page, especially crisis communications.
    • Difficulty presenting complex concepts in a short time to an audience in a digestible and concise manner without diluting the point.

    Effective IT communications are rare:

    53% of CXOs believe poor communication between business and IT is a barrier to innovation.
    Source: Info-Tech CEO-CIO Alignment Survey, 2022

    69% of those in management positions don’t feel comfortable even communicating with their staff.”
    Source: TeamStage, 2022

    Info-Tech’s approach

    Effective communications is not a broadcast but a dialogue between communicator and audience in a continuous feedback loop.

    Continuous loop of dialogue

    The Info-Tech difference:

    1. Always treat every communication as a dialogue, enabling the receiver of the message to raise questions, concerns, or ideas.
    2. Different audiences will require different communications. Be sure to cater the communication to the needs of the receiver(s).
    3. Never assume the communication was effective. Create measures and adjust the communications to get the desired outcome.

    Common IT communications

    And the less common but still important communications

    Communicating Up to Board or Executives

    • Board Presentations
    • Executive Leadership Committee Meetings
    • Technology Updates
    • Budget Updates
    • Risk Updates
    • Year in Review

    Communicating Across the Organization

    • Townhalls – external to IT
    • Year in Review
    • Crisis Email
    • Intranet Communication
    • Customer/Constituent Requests for Information
    • Product Launches
    • Email
    • Watercooler Chat

    Communicating Within IT

    • Townhalls – internal to IT
    • Employee 1:1s
    • Team Meetings
    • Project Updates
    • Project Collaboration Sessions
    • Year in Review
    • All-Hands Meeting
    • Employee Interview
    • Onboarding Documentation
    • Vendor Negotiation Meetings
    • Vendor Product Meetings
    • Email
    • Watercooler Chat

    Insight Summary

    Overarching insight
    IT cannot afford to communicate poorly given the overwhelming impact and frequency of change related to technology. Learn to communicate well or get out of the way of someone who can.

    Insight 1: The skills needed to communicate effectively as a frontline employee or a CIO are the same. It’s important to begin the development of these skills from the beginning of one’s career.
    Insight 2: Time is a non-renewable resource. Any communication needs to be considered valuable and engaging by the audience or they will be unforgiving.
    Insight 3: Don’t make data your star. It is a supporting character. People can argue about the collection methods or interpretation of the data, but they cannot argue the story you share.
    Insight 4: Measure if the communication is being received and resulting in the desired outcome. If not, modify what and how the message is being expressed.
    Insight 5: Messages are also non-verbal. Practice using your voice and body to set the right tone and impact your audience.

    Communication principles

    Follow these principles to support all IT communications.

    Two-Way

    Incorporate feedback loops into your communication efforts. Providing stakeholders with the opportunity to voice their opinions and ideas will help gain their commitment and buy-in.

    Timely

    Frequent communications mitigate rumors and the spread of misinformation. Provide warning before the implementation of any changes whenever possible. Communicate as soon as possible after decisions have been made.

    Consistent

    Make sure the messaging is consistent across departments, mediums, and presenters. Provide managers with key phrases to support the consistency of messages.

    Open & Honest

    Transparency is a critical component of communication. Always tell employees that you will share information as soon as you can. This may not be as soon as you receive the information but as soon as sharing it is acceptable.

    Authentic

    Write messages in a way that embodies the personality of the organization. Don’t spin information; position it within the wider organizational context.

    Targeted

    Use your target audience profiles to determine which audiences need to consume which messages and what mediums should be employed.

    Importance of IT being a good communicator

    Don’t pay the price for poor communication.

    IT needs to communicate well because:

    • IT risk mitigation and technology initiative funding are dependent on critical stakeholders comprehending the risk impact and initiative benefit in easy-to-understand terms.
    • IT employees need clear and direct information to feel empowered and accountable to do their jobs well.
    • End users who have a good experience engaging in communications with IT employees have an overall increase in satisfaction with IT.
    • Continuously demonstrating IT’s value to the organization comes when those initiatives are clearly aligned to overall objectives.
    • Communication prevents assumptions and further miscommunication from happening among IT employees who are usually impacted and fear change the most.

    “Poor communication results in employee misunderstanding and errors that cost approximately $37 billion.”
    – Intranet Connections, 2019

    Effective communication enables organizational strategy and facilitates a two-way exchange

    Effective communication facilitates a two-way exchange

    What makes internal communications effective?

    To be effective, internal communications must be strategic. They should directly support organizational objectives, reinforce key messages to make sure they drive action, and facilitate two-way dialogue, not just one-way messaging.

    Measure the value of the communication

    Communication effectiveness can be measured through a variety of metrics:

    • Increase in Productivity
      • “When employees are offered better communication technology and skills, productivity can increase by up to 30%” (Expert Market, 2022).
    • Increase in Understanding Decision Rationale
      • Employees who report understanding the rationale behind the business decisions made by the executive leadership team (ELT) are 3.6x more likely to be engaged, compared to those who were not (McLean & Company Engagement Survey Database, 2022; N=133,167 responses, 187 organizations).
    • Increase in Revenue
      • Collaboration amongst C-suite executives led to a 27% increase in revenue compared to low collaborating C-suites (IBM, 2021).
    • Increase in End-User Satisfaction
      • 80.9% of end users are satisfied with IT’s ability to communicate with them regarding the information they need to perform their job (Info-Tech’s End-User Satisfaction Survey Database, N=20,617 end users from 126 organizations).

    Methods to determine effectiveness:

    • CIO Business Vision Survey
    • Engagement surveys
    • Focus groups
    • Suggestion boxes
    • Team meetings
    • Random sampling
    • Informal feedback
    • Direct feedback
    • Audience body language
    • Repeating the message back

    How to navigate the research center

    This research center is intended to ensure that IT never starts their communications from a blank page again:

    Tools to help IT be better communicators

    “‘Effectiveness’ can mean different things, and effectiveness for your project is going to look different than it would for any other project.”
    – Gale McCreary in WikiHow, 2022

    Audience: Organizational leadership

    Speaking with Board and executive leaders about strategy, risk, and value

    Keep in mind:

    1 2 3
    Priorities Differ Words Matter The Power of Three
    What’s important to you as CIO is very different from what is important to a board or executive leadership team or even the individual members of these groups. Share only what is important or relevant to the stakeholder(s). Simplify the message into common language whenever possible. A good test is to ensure that someone without any technical background could understand the message. Keep every slide to three points with no more than three words. You are the one to translate this information into a worth-while story to share.

    “Today’s CIOs have a story to tell. They must change the old narrative and describe the art of the (newly) possible. A great leader rises to the occasion and shares a vision that inspires the entire organization.”
    – Dan Roberts, CIO, 2019

    Communications for board presentations

    Secure funding and demonstrate IT as a value add to business objectives.

    DEFINING INSIGHT

    Stop presenting what is important to you as the CIO and present to the board what is important to them.

    Why does IT need to communicate with the board?

    • To get their buy-in and funding for critical IT initiatives.
    • To ensure that IT risks are understood and receive the funding necessary to mitigate.
    • To change the narrative of IT as a service provider to a business enabler.

    FRAMEWORK

    Framework for board presentations

    CHECKLIST

    Do’s & Don’ts of Communicating Board Presentations:

    Do: Ensure you know all the members of the board and their strengths/areas of focus.

    Do: Ensure the IT objectives and initiatives align to the business objectives.

    Do: Avoid using any technical jargon.

    Do: Limit the amount of data you are using to present information. If it can’t stand alone, it isn’t a strong enough data point.

    Do: Avoid providing IT service metrics or other operational statistics.

    Do: Demonstrate how the organization’s revenue is impacted by IT activities.

    Do: Tell a story that is compelling and excited.

    OUTCOME

    Organization Alignment

    • Approved organization objectives and IT objectives are aligned and supporting one another.

    Stakeholder Buy-In

    • Board members all understand what the future state of IT will look like – and are excited for it!

    Awareness on Technology Trends

    • It is the responsibility of the CIO to ensure the board is aware of critical technology trends that can impact the future of the organization/industry.

    Risks

    • Risks are understood, the impact they could have on the organization is clear, and the necessary controls required to mitigate the risk are funded.

    Communications for business updates

    Continuously build strong relationships with all members of business leadership.

    DEFINING INSIGHT

    Business leaders care about themselves and their goals – present ideas and initiatives that lean into this self-interest.

    Why does IT need to communicate business updates?

    • The key element here is to highlight how IT is impacting the organization’s overall ability to meet goals and targets.
    • Ensure all executive leaders know about and understand IT’s upcoming initiatives – and how they will be involved.

    FRAMEWORK

    Framework for business updates

    CHECKLIST

    Do’s & Don’ts of Communicating Business Updates:

    Do: Ensure IT is given sufficient time to present with the rest of the business leaders.

    Do: Ensure the goals of IT are clear and can be depicted visually.

    Do: Tie every IT goal to the objectives of different business leaders.

    Do: Avoid using any technical jargon.

    Do: Reinforce the positive benefits business leaders can expect.

    Do: Avoid providing IT service metrics or other operational statistics.

    Do: Demonstrate how IT is driving the digital transformation of the organization.

    OUTCOME

    Better Reputation

    • Get other business leaders to see IT as a value add to any initiative, making IT an enabler not an order taker.

    Executive Buy-In

    • Executives are concerned about their own budgets; they want to embrace all the innovation but within reason and minimal impact to their own finances.

    Digital Transformation

    • Indicate and commit to how IT can help the different leaders deliver on their digital transformation activities.

    Relationship Building

    • Establish trust with the different leaders so they want to engage with you on a regular basis.

    Audience: Organization wide

    Speaking with all members of the organization about the future of technology – and unexpected crises.

    1 2 3
    Competing to Be Heard Measure Impact Enhance the IT Brand
    IT messages are often competing with a variety of other communications simultaneously taking place in the organization. Avoid the information-overload paradox by communicating necessary, timely, and relevant information. Don’t underestimate the benefit of qualitative feedback that comes from talking to people within the organization. Ensure they read/heard and absorbed the communication. IT might be a business enabler, but if it is never communicated as such to the organization, it will only be seen as a support function. Use purposeful communications to change the IT narrative.

    Less than 50% of internal communications lean on a proper framework to support their communication activities.
    – Philip Nunn, iabc, 2020

    Communications for strategic IT initiatives

    Communicate IT’s strategic objectives with all business stakeholders and users.

    DEFINING INSIGHT

    IT leaders struggle to communicate how the IT strategy is aligned to the overall business objectives using a common language understood by all.

    Why does IT need to communicate its strategic objectives?

    • To ensure a clear and consistent view of IT strategic objectives can be understood by all stakeholders within the organization.
    • To demonstrate that IT strategic objectives are aligned with the overall mission and vision of the organization.

    FRAMEWORK

    Framework for IT strategic initiatives

    CHECKLIST

    Do’s & Don’ts of Communicating IT Strategic Objectives:

    Do: Ensure all IT leaders are aware of and understand the objectives in the IT strategy.

    Do: Ensure there is a visual representation of IT’s goals.

    Do: Ensure the IT objectives and initiatives align to the business objectives.

    Do: Avoid using any technical jargon.

    Do: Provide metrics if they are relevant, timely, and immediately understandable.

    Do: Avoid providing IT service metrics or other operational statistics.

    Do: Demonstrate how the future of the organization will benefit from IT initiatives.

    OUTCOME

    Organization Alignment

    • All employees recognize the IT strategy as being aligned, even embedded, into the overall organization strategy.

    Stakeholder Buy-In

    • Business and IT stakeholders alike understand what the future state of IT will look like – and are excited for it!

    Role Clarity

    • Employees within IT are clear on how their day-to-day activities impact the overall objectives of the organization.

    Demonstrate Growth

    • Focus on where IT is going to be maturing in the coming one to two years and how this will benefit all employees.

    Communications for crisis management

    Minimize the fear and chaos with transparent communications.

    DEFINING INSIGHT

    A crisis communication should fit onto a sticky note. If it’s not clear, concise, and reassuring, it won’t be effectively understood by the audience.

    Why does IT need to communicate when a crisis occurs?

    • To ensure all members of the organization have an understanding of what the crisis is, how impactful that crisis is, and when they can expect more information.
    • “Half of US companies don’t have a crisis communication plan” (CIO, 2017).

    FRAMEWORK

    Framework for crisis management

    CHECKLIST

    Do’s & Don’ts of Communicating During a Crisis:

    Do: Provide timely and regular updates about the crisis to all stakeholders.

    Do: Involve the Board or ELT immediately for transparency.

    Do: Avoid providing too much information in a crisis communication.

    Do: Have crisis communication statements ready to be shared at any time for possible or common IT crises.

    Do: Highlight that employee safety and wellbeing is top priority.

    Do: Work with members of the public relations team to prepare any external communications that might be required.

    OUTCOME

    Ready to Act

    • Holding statements for possible crises will eliminate the time and effort required when the crisis does occur.

    Reduce Fears

    • Prevent employees from spreading concerns and not feeling included in the crisis.

    Maintain Trust

    • Ensure Board and ELT members trust IT to respond in an appropriate manner to any crisis or major incident.

    Eliminate Negative Reactions

    • Any crisis communication should be clear and concise enough when done via email.

    Audience: IT employees

    IT employees need to receive and obtain regular transparent communications to better deliver on their expectations.

    Keep in mind:

    1 2 3
    Training for All Listening Is Critical Reinforce Collaboration
    From the service desk technician to CIO, every person within IT needs to have a basic ability to communicate. Invest in the training necessary to develop this skill set. It seems simple, but as humans we do an innately poor job at listening to others. It’s important you hear employee concerns, feedback, and recommendations, enabling the two-way aspect of communication. IT employees will reflect the types of communications they see. If IT leaders and managers cannot collaborate together, then teams will also struggle, leading to productivity and quality losses.

    “IT professionals who […] enroll in communications training have a chance to both upgrade their professional capabilities and set themselves apart in a crowded field of technology specialists.”
    – Mark Schlesinger, Forbes, 2021

    Communications for IT activities and tactics

    Get IT employees aligned and clear on their daily objectives.

    DEFINING INSIGHT

    Depending on IT goals, the structure might need to change to support better communication among IT employees.

    Why does IT need to communicate IT activities?

    • To ensure all members of the project team are aligned with their tasks and responsibilities related to the project.
    • To be able to identify, track, and mitigate any problems that are preventing the successful delivery of the project.

    FRAMEWORK

    Framework for IT activities & tactics

    CHECKLIST

    Do’s & Don’ts of Communicating IT Activities:

    Do: Provide metrics that define how success of the project will be measured.

    Do: Demonstrate how each project aligns to the overarching objectives of the organization.

    Do: Avoid having large meetings that include stakeholders from two or more projects.

    Do: Consistently create a safe space for employees to communicate risks related to the project(s).

    Do: Ensure the right tools are being leveraged for in-office, hybrid, and virtual environments to support project collaboration.

    Do: Leverage a project management software to reduce unnecessary communications.

    OUTCOME

    Stakeholder Adoption

    • Create a standard communication template so stakeholders can easily find and apply communications.

    Resource Allocation

    • Understand what the various asks of IT are so employees can be adequately assigned to tasks.

    Meet Responsibly

    • Project status meetings are rarely valuable or insightful. Use meetings for collaboration, troubleshooting, and knowledge sharing.

    Encourage Engagement

    • Recognize employees and their work against critical milestones, especially for projects that have a long timeline.

    Communications for everyday IT

    Engage employees and drive results with clear and consistent communications.

    DEFINING INSIGHT

    Employees are looking for empathy to be demonstrated by those they are interacting with, from their peers to managers. Yet, we rarely provide it.

    Why does IT need to communicate on regularly with itself?

    • Regular communication ensures employees are valued, empowered, and clear about their expectations.
    • 97% of employees believe that their ability to perform their tasks efficiently is impacted by communication (Expert Market, 2022).

    FRAMEWORK

    Framework for everyday IT

    CHECKLIST

    Do’s & Don’ts of Communicating within IT:

    Do: Have responses for likely questions prepared and ready to go.

    Do: Ensure that all leaders are sharing the same messages with their teams.

    Do: Avoid providing irrelevant or confusing information.

    Do: Speak with your team on a regular basis.

    Do: Reinforce the messages of the organization every chance possible.

    Do: Ensure employees feel empowered to do their jobs effectively.

    Do: Engage employees in dialogue. The worst employee experience is when they are only spoken at, not engaged with.

    OUTCOME

    Increased Collaboration

    • Operating in a vacuum or silo is no longer an option. Enable employees to successfully collaborate and deliver holistic results.

    Role Clarity

    • Clear expectations and responsibilities eliminate confusion and blame game. Engage employees and create a positive work culture with role clarity.

    Prevent Rumors

    • Inconsistent communication often leads to information sharing and employees spreading an (in)accurate narrative.

    Organizational Insight

    • Employees trust the organization’s direction because they are aware of the different activities taking place and provided with a rationale about decisions.

    Case Study

    Amazon

    INDUSTRY
    E-Commerce

    SOURCE
    Harvard Business Review

    Jeff Bezos has definitely taken on unorthodox approaches to business and leadership, but one that many might not know about is his approach to communication. Some of the key elements that he focused on in the early 2000s when Amazon was becoming a multi-billion-dollar empire included:

    • Banning PowerPoint for all members of the leadership team. They had to learn to communicate without the crutch of the most commonly used presentation tool.
    • Leveraging memos that included specific action steps and clear nouns
    • Reducing all communication to an eighth-grade reading level, including pitches for new products (e.g. Kindle).

    Results

    While he was creating the Amazon empire, 85% of Jeff Bezos’ communication was written in a way that an eighth grader could read. Communicating in a way that was easy to understand and encouraging his leadership team to do so as well is one of the many reasons this business has grown to an estimated value of over $800B.

    “If you cannot simplify a message and communicate it compellingly, believe me, you cannot get the masses to follow you.”
    – Indra Nooyi, in Harvard Business Review, 2022

    Communication competency expectations

    Communication is a business skill; not a technical skill.

    Demonstrated Communication Behavior
    Level 1: Follow Has sufficient communication skills for effective dialogue with others.
    Level 2: Assist Has sufficient communication skills for effective dialogue with customers, suppliers, and partners.
    Level 3: Apply Demonstrates effective communication skills.
    Level 4: Enable Communicates fluently, orally, and in writing and can present complex information to both technical and non-technical audiences.
    Level 5: Ensure, Advise Communicates effectively both formally and informally.
    Level 6: Initiate, Influence Communicates effectively at all levels to both technical and non-technical audiences.
    Level 7: Set Strategy, Inspire, Mobilize Understands, explains, and presents complex ideas to audiences at all levels in a persuasive and convincing manner.

    Source: Skills Framework for the Information Age, 2021

    Key KPIs for communication with any stakeholder

    Measuring communication is hard; use these to determine effectiveness.

    Goal Key Performance Indicator (KPI) Related Resource
    Obtain board buy-in for IT strategic initiatives X% of IT initiatives that were approved to be funded. Number of times technical initiatives were asked to be explained further. Using our Board Presentation Review service
    Establish stronger relationships with executive leaders X% of business leadership satisfied with the statement “IT communicates with your group effectively.” Using the CIO Business Vision Diagnostic
    Organizationally, people know what products and services IT provides X% of end users who are satisfied with communications around changing services or applications. Using the End-User Satisfaction Survey
    Organizational reach and understanding of the crisis. Number of follow-up tickets or requests related to the crisis after the initial crisis communication was sent. Using templates and tools for crisis communications
    Project stakeholders receive sufficient communication throughout the initiative. X% overall satisfaction with the quality of the project communications. Using the PPM Customer Satisfaction Diagnostic
    Employee feedback is provided, heard, and acted on X% of satisfaction employees have with managers or IT leadership to act on employee feedback. Using the Employee Engagement Diagnostic Program

    Standard workshop communication activities

    Introduction
    Communications overview.

    Plan
    Plan your communications using a strategic tool.

    Compose
    Create your own message.

    Deliver
    Practice delivering your own message.

    Contact your account representative for more information. workshops@infotech.com 1-888-670-8889

    Research contributors and experts

    Anuja Agrawal, National Communications Director, PwC

    Anuja Agrawal
    National Communications Director
    PwC

    Anuja is an accomplished global communications professional, with extensive experience in the insurance, banking, financial, and professional services industries in Asia, the US, and Canada. She is currently the National Communications Director at PwC Canada. Her prior work experience includes communication leadership roles at Deutsche Bank, GE, Aviva, and Veritas. Anuja works closely with senior business leaders and key stakeholders to deliver measurable results and effective change and culture building programs. Anuja has experience in both internal and external communications, including strategic leadership communication, employee engagement, PR and media management, digital and social media, and M&A/change and crisis management. Anuja believes in leveraging digital tools and technology-enabled solutions, combined with in-person engagement, to help improve the quality of dialogue and increase interactive communication within the organization to help build an inclusive culture of belonging.

    Nastaran Bisheban, Chief Technology Officer, KFC Canada

    Nastaran Bisheban
    Chief Technology Officer
    KFC Canada

    A passionate technologist, and seasoned transformational leader. A software engineer and computer scientist by education, a certified Project Manager that holds an MBA in Leadership with Honors and Distinction from University of Liverpool. A public speaker on various disciplines of technology and data strategy with a Harvard Business School executive leadership program training to round it all. Challenges status quo and conventional practices; is an advocate for taking calculated risk and following the principle of continuous improvement. With multiple computer software and project management publications she is a strategic mentor and board member on various non-profit organizations. Nastaran sees the world as a better place only when everyone has a seat at the table and is an active advocate for diversity and inclusion.

    Heidi Davidson, Co-Founder & CEO, Galvanize Worldwide and Galvanize On Demand

    Heidi Davidson
    Co-Founder & CEO
    Galvanize Worldwide and Galvanize On Demand

    Dr. Heidi Davidson is the co-founder and CEO of Galvanize Worldwide, the largest distributed network of marketing and communications experts in the world. She also is the co-founder and CEO of Galvanize On Demand, a tech platform that matches marketing and communications freelancers with client projects. Now with 167 active experts, the Galvanize team delivers startup advisory work, outsourced marketing, training, and crisis communications to organizations of all sizes. Before Galvanize, Heidi spent four years as part of the turnaround team at BlackBerry as the Chief Communications Officer and SVP of Corporate Marketing, where she helped the company move from a device manufacturer to a security software provider.

    Eli Gladstone, Co-Founder, Speaker Labs

    Eli Gladstone
    Co-Founder
    Speaker Labs

    Eli is a co-founder of Speaker Labs. He has spent over six years helping countless individuals overcome their public speaking fears and communicate with clarity and confidence. When he’s not coaching others on how to build and deliver the perfect presentation, you’ll probably find him reading some weird books, teaching his kids how to ski or play tennis, or trying to develop a good-enough jumpshot to avoid being a liability on the basketball court.

    Francisco Mahfuz, Keynote Speaker & Storytelling Coach

    Francisco Mahfuz
    Keynote Speaker & Storytelling Coach

    Francisco Mahfuz has been telling stories in front of audiences for a decade and even became a National Champion of public speaking. Today, Francisco is a keynote speaker and storytelling coach and offers communication training to individuals and international organizations and has worked with organizations like Pepsi, HP, the United Nations, Santander, and Cornell University. He’s the author of Bare: A Guide to Brutally Honest Public Speaking and the host of The Storypowers Podcast, and he’s been part of the IESE MBA communications course since 2020. He’s received a BA in English Literature from Birkbeck University in London.

    Sarah Shortreed, EVP & CTO, ATCO Ltd.

    Sarah Shortreed
    EVP & CTO
    ATCO Ltd.

    Sarah Shortreed is ATCO’s Executive Vice President and Chief Technology Officer. Her responsibilities include leading ATCO’s Information Technology (IT) function as it continues to drive agility and collaboration throughout ATCO’s global businesses and expanding and enhancing its enterprise IT strategy, including establishing ATCO’s technology roadmap for the future. Ms. Shortreed’s skill and expertise are drawn from her more than 30-year career that spans many industries and includes executive roles in business consulting, complex multi-stakeholder programs, operations, sales, customer relationship management, and product management. She was recently the Chief Information Officer at Bruce Power and has previously worked at BlackBerry, IBM, and Union Gas. She sits on the Board of Governors for the University of Western Ontario and is the current Chair of the Chief Information Officer (CIO) Committee at the Conference Board of Canada.

    Eric Silverberg, Co-Founder, Speaker Labs

    Eric Silverberg
    Co-Founder
    Speaker Labs

    Eric is a co-founder of Speaker Labs and has helped thousands of people build their public speaking confidence and become more dynamic and engaging communicators. When he’s not running workshops to help people grow in their careers, there’s a good chance you’ll find him with his wife and dog, drinking Diet Coke, and rewatching iconic episodes of the reality TV show Survivor! He’s such a die-hard fan, that you’ll probably see him playing the game one day.

    Stephanie Stewart, Communications Officer & DR Coordinator, Info Security Services Simon Fraser University

    Stephanie Stewart
    Communications Officer & DR Coordinator
    Info Security Services Simon Fraser University

    Steve Strout, President, Miovision Technologies

    Steve Strout
    President
    Miovision Technologies

    Mr. Strout is a recognized and experienced technology leader with extensive experience in delivering value. He has successfully led business and technology transformations by leveraging many dozens of complex global SFDC, Oracle, and SAP projects. He is especially adept at leading what some call “Project Rescues” – saving people’s careers where projects have gone awry; always driving “on-time and on-budget.” Mr. Strout is the current President of Miovision Technologies and the former CEO and board member of the Americas’ SAP Users” Group (ASUG). His wealth of practical knowledge comes from 30 years of extensive experience in many CxO and executive roles at some prestigious organizations such as Vonage, Sabre, BlackBerry, Shred-it, The Thomson Corporation (now Thomson Reuters), and Morris Communications. He has served on boards including Customer Advisory Boards of Apple, AgriSource Data, Dell, Edgewise, EMC, LogiSense, Socrates.ai, Spiro Carbon Group, and Unifi.

    Info-Tech Research Group Contributors:

    Sanchia Benedict, Research Lead
    Antony Chan Executive Counsellor
    Janice Clatterbuck, Executive Counsellor
    Ahmed Jowar, Research Specialist
    Dave Kish, Practice Lead
    Nick Kozlo, Senior Research Analyst
    Heather Leier Murray, Senior Research Analyst
    Amanda Mathieson, Research Director
    Carlene McCubbin, Practice Lead
    Joe Meier, Executive Counsellor
    Andy Neill, AVP Research
    Thomas Randall, Research Director

    Plus an additional two contributors who wish to remain anonymous.

    Related Info-Tech Research

    Boardroom Presentation Review

    • You will come away with a clear, concise, and compelling board presentation that IT leaders can feel confident presenting in front of their board of directors.
    • Add improvements to your current board presentation in terms of visual appeal and logical flow to ensure it resonates with your board of directors.
    • Leverage a best-of-breed presentation template.

    Build a Better Manager

    • Management skills training is needed, but organizations are struggling to provide training that makes a long-term difference in the skills managers actually use in their day to day.
    • Many training programs are ineffective because they offer the wrong content, deliver it in a way that is not memorable, and are not aligned with the IT department’s business objectives.

    Crisis Communication Guides

    During a crisis it is important to communicate to employees through messages that convey calm and are transparent and tailored to your audience. Use the Crisis Communication Guides to:

    • Draft a communication strategy.
    • Tailor messages to your audience.
    • Draft employee crisis communications.
    Use this guide to equip leadership to communicate in times of crisis.

    Bibliography

    “Communication in the Workplace Statistics: Importance and Effectiveness in 2022.” TeamStage, 2022.

    Gallo, Carmine. “How Great Leaders Communicate.” Harvard Business Review, 23 November 2022

    Guthrie, Georgina. “Why Good Internal Communications Matter Now More than Ever.” Nulab, 15 December 2021.

    Lambden, Duncan. “The Importance of Effective Workplace Communication – Statistics for 2022.” Expert Market, 13 June 2022.

    “Mapping SFIA Levels of Responsibilities to Behavioural Factors.” Skills Framework for the Information Age, 2021.

    McCreary, Gale. “How to Measure the Effectiveness of Communication: 14 Steps.” WikiHow, 31 March 2023.

    Nowak, Marcin. “Top 7 Communication Problems in the Workplace.” MIT Enterprise Forum CEE, 2021.

    Nunn, Philip. “Messaging That Works: A Unique Framework to Maximize Communication Success.” iabc, 26 October 2020.

    Picincu, Andra. “How to Measure Effective Communications.” Small Business Chron. 12 January 2021.

    Price. David A. “Pixar Story Rules.” Stories From the Frontiers of Knowledge, 2011.

    Roberts, Dan. “How CIOs Become Visionary Communicators.” CIO, 2019.

    Schlesinger, Mark. “Why building effective communication skill in IT is incredibly important.” Forbes, 2021.

    Stanten, Andrew. “Planning for the Worst: Crisis Communications 101.” CIO, 25 May 2017.

    State of the American Workplace Report. Gallup, 6 February 2020.

    “The CIO Revolution.” IBM, 2021.

    “The State of High Performing Teams in Tech 2022.” Hypercontex, 2022.

    Walters, Katlin. “Top 5 Ways to Measure Internal Communication.” Intranet Connections, 30 May 2019.

    Establish Effective Security Governance & Management

    • Buy Link or Shortcode: {j2store}380|cart{/j2store}
    • member rating overall impact: 9.2/10 Overall Impact
    • member rating average dollars saved: $63,532 Average $ Saved
    • member rating average days saved: 24 Average Days Saved
    • Parent Category Name: Governance, Risk & Compliance
    • Parent Category Link: /governance-risk-compliance
    • The security team is unsure of governance needs and how to manage them.
    • There is a lack of alignment between key stakeholder groups
    • There are misunderstandings related to the role of policy and process.

    Our Advice

    Critical Insight

    Good governance stems from a deep understanding of how stakeholder groups interact with each other and their respective accountabilities and responsibilities. Without these things, organizational functions tend to interfere with each other, blurring the lines between governance and management and promoting ad–hoc decision making that undermines governance.

    Impact and Result

    • The first phase of this project will help you establish or refine your security governance and management by determining the accountabilities, responsibilities, and key interactions of your stake holder groups.
    • In phase two, the project will guide you through the implementation of essential governance processes: setting up a steering committee, determining risk appetite, and developing a policy exception-handling process.

    Establish Effective Security Governance & Management Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Establish Effective Security Governance and Management Deck – A step-by-step guide to help you establish or refine the governance model for your security program.

    This storyboard will take you through the steps to develop a security governance and management model and implement essential governance processes.

    • Establish Effective Security Governance & Management – Phases 1-2

    2. Design Your Governance Model – A security governance and management model to track accountabilities, responsibilities, stakeholder interactions, and the implementation of key governance processes.

    This tool will help you determine governance and management accountabilities and responsibilities and use them to build a visual governance and management model.

    • Security Governance Model Templates (Visio)
    • Security Governance Model Templates (PDF)
    • Security Governance Model Tool

    3. Organizational Structure Template – A tool to address structural issues that may affect your new governance and management model.

    This template will help you to implement or revise your organizational structure.

    • Security Governance Organizational Structure Template

    4. Information Security Steering Committee Charter & RACI – Templates to formalize the role of your steering committee and the oversight it will provide.

    These templates will help you determine the role a steering committee will play in your governance and management model.

    • Information Security Steering Committee Charter
    • Information Security Steering Committee RACI Chart

    5. Security Policy Lifecycle Template – A template to help you model your policy lifecycle.

    Once this governing document is customized, ensure the appropriate security policies are developed as well.

    • Security Policy Lifecycle Template

    6. Security Policy Exception Approval Process Templates – Templates to establish an approval process for policy exceptions and bolster policy governance and risk management.

    These templates will serve as the foundation of your security policy exception approval processes.

    • Security Policy Exception Approval Workflow (Visio)
    • Security Policy Exception Approval Workflow (PDF)
    • Policy Exception Tracker
    • Information Security Policy Exception Request Form

    Infographic

    Further reading

    Establish Effective Security Governance & Management

    The key is in stakeholder interactions, not policy and process.

    Analyst Perspective

    It's about stakeholder interactions, not policy and process.

    Many security leaders complain about a lack of governance and management in their organizations. They have policies and processes but find neither have had the expected impact and that the organization is teetering on the edge of lawlessness, with stakeholder groups operating in ways that interfere with each other (usually due to poorly defined accountabilities).

    Among the most common examples is security's relationship to the business. When these groups don't align, they tend to see each other as adversaries and make decisions in line with their respective positions: security endorses one standard, the business adopts another.

    The consequences of this are vast. Such an organization is effectively opposed to itself. No wonder policy and process have not resolved the issue.

    At a practical level, good governance stems from understanding how different stakeholder groups interact, providing inputs and outputs to each other and modeling who is accountable for what. But this implied accountability model needs to be formalized (perhaps even modified) before governance can help all stakeholder groups operate as strategic partners with clearly defined roles, responsibilities, and decision-making power. Only when policies and processes reflect this will they serve as effective tools to support governance.

    Logan Rohde, Senior Research Analyst, Security & Privacy

    Logan Rohde
    Senior Research Analyst, Security & Privacy
    Info-Tech Research Group

    Executive Summary

    Your Challenge Common Obstacles Info-Tech's Approach
    Ineffective governance and management processes, if they are adopted at all, can lead to:
    • An organization unsure of governance needs and how to manage them.
    • A lack of alignment between key stakeholder groups.
    • Misunderstandings related to the role of policy and process.
    		Most governance and management initiatives stumble because they do not address governance as a set of interactions and influences that stakeholders have with and over each other, seeing it instead as policy, process, and risk management. Challenges include:
    • Senior management disinterest
    • Stakeholders operating in silos
    • Separating governance from management
    		You will be able to establish a robust governance model to support the current and future state of your organization by accounting for these three essential parts:
    1. Determine governance accountabilities.
    2. Define management responsibilities.
    3. Model stakeholders' interactions, inputs, and outputs as part of business and security operations.

    Info-Tech Insight
    Good governance stems from a deep understanding of how stakeholder groups interact with each other and their respective accountabilities and responsibilities. Without these things, organizational functions tend to interfere with each other, blurring the lines between governance and management and promoting ad hoc decision making that undermines governance.

    Your challenge

    This research is designed to help organizations who need to:

    • Establish security governance from scratch.
    • Improve security governance despite a lack of cooperation from the business.
    • Determine the accountabilities and responsibilities of each stakeholder group.

    This blueprint will solve the above challenges by helping you model your organization's governance structure and implement processes to support the essential governance areas: policy, risk, and performance metrics.

    Percentage of organizations that have yet to fully advance to a maturity-based approach to security

    70%

    Source: McKinsey, 2021

    Common obstacles

    These barriers make this challenge difficult to address for many organizations:

    • The business does not wish to be governed and does not seek to align with security on the basis of risk.
    • Various stakeholder groups essentially govern themselves, causing business functions to interfere with each other.
    • Security teams struggle to differentiate between governance and management and the purpose of each.

    Early adopter infrastructure

    63%
    Security leaders not reporting to the board about risk or incident detection and prevention.
    Source: LogRhythm, 2021

    46%
    Those who report that senior leadership is confident cybersecurity leaders understand business goals.
    Source: LogRhythm, 2021

    Governance isn't just policy and process

    Governance is often mistaken for an organization's formalized policies and processes. While both are important governance supports, they do not provide governance in and of themselves.

    For governance to work well, an organization needs to understand how stakeholder groups interact with each other. What inputs and outputs do they provide? Who is accountable? Who is responsible? These are the questions one needs to ask before designing a governance structure. Failing to account for any of these three elements tends to result in overlap, inefficiency, and a lack of accountability, creating flawed governance.

    Separate governance from management

    Oversight versus operations

    • COBIT emphasizes the importance of separating governance from management. These are complementary functions, but they refer to different parts of organizational operation.
    • Governance provides a decision-making apparatus based on predetermined requirements to ensure smooth operations. It is used to provide oversight and direction and hinges on established accountabilities
    • Simply put, governance refers to what an organization is and is not willing to permit in day-to-day operations, and it tends to make its presence known via the key areas of risk appetite, formal policy and process, and exception handling.
      • Note: These key areas do not provide governance in and of themselves. Rather, governance emerges in accordance with the decisions an organization has made regarding these areas. Sometimes, however, these "decisions" have not been formally or consciously made and the current state of the organization's operations becomes the default - even when it is not working well.
    • Management, by contrast, is concerned with executing business processes in accordance with the governance model, essentially, governance provides guidance for how to make decisions during daily management.

    "Information security governance is the guiding hand that organizes and directs risk mitigation efforts into a business-aligned strategy for the entire organization."

    Steve Durbin,
    Chief Executive,
    Information Security Forum, Forbes, 2023

    Models for governance and management

    Info-Tech's Governance and Management research uses the logic of COBIT's governance and management framework but distills this guidance into a practical, easy-to-implement series of steps, moving beyond the rudimentary logic of COBIT to provide an actionable and personalized governance model.

    Governance Cycle

    Management Cycle

    Clear accountabilities and responsibilities

    Complementary frameworks to simplify governance and management

    The distinction that COBIT draws between governance and management is roughly equivalent to that of accountability and responsibility, as seen in the RACI* model.

    There can be several stakeholders responsible for something, but only one party can be accountable.

    Use this guidance to help determine the accountabilities and responsibilities of your governance and management model.

    *Responsible, Accountable, Consulted, Informed

    COBIT RACI chart

    Security governance framework

    A security governance framework is a system that will design structures, processes, accountability definitions, and membership assignments that lead the security department toward optimal results for the business.

    Governance is performed in three ways:

    1 Evaluate 2 Direct 3 Monitor
    For governance to be effective it must account for stakeholder interests and business needs. Determining what these are is the vital first step. Governance is used to determine how things should be done within an organization. It sets standards and provides oversight so decisions can be made during day-to-day management. Governance needs change and inefficiencies need to be revised. Therefore, monitoring key performance indicators is an essential step to course correct as organizational needs evolve.

    "Governance specifies the accountability framework and provides oversight to ensure that risks are adequately mitigated, while management ensures that controls are implemented to mitigate risks. Management recommends security strategies. Governance ensures that security strategies are aligned with business objectives and consistent with regulations."
    - EDUCAUSE

    Establish Effective Security Governance & Management

    SMART metrics

    Suggested targets to measure success

    Specific

    Measurable

    Achievable

    Relevant

    Time-Bound

    Examples
    Security's risk analyses will be included as part of the business decision-making process within three months after completing the governance initiative.
    Increase rate of security risk analysis using risk appetite within three months of project completion.
    Have stakeholder engagement supply input into security risk-management decisions within three months of completing phase one of blueprint.
    Reduce time to approve policy exceptions by 25%.
    Reduce security risk related to policy non-compliance by 50% within one year.
    Develop five KPIs to measure progress of governance and management within three months of completing blueprint.

    Info-Tech's methodology for security governance and management

    1. Design Your Governance Model 2. Implement Essential Governance Processes
    Phase Steps
    1. Evaluate
    2. Direct
    3. Monitor
    1. Implement Oversight
    2. Set Risk Appetite
    3. Implement Policy Lifecycle
    Phase Outcomes
    • Defined governance accountabilities
    • Defined management responsibilities
    • Record of key stakeholder interactions
    • Visual governance model
    • Key performance indicators (KPIs)
    • Established steering committee
    • Qualitative risk-appetite statements
    • Policy lifecycle
    • Policy exceptions-handling process

    Governance starts with mapping stakeholder inputs, outputs, and throughputs

    The key is in stakeholder interactions, not policy and process
    Good governance stems from a deep understanding of how stakeholder groups interact with each other and their respective accountabilities and responsibilities. Without these things, organizational functions tend to interfere with each other, blurring the lines between governance and management and promoting ad hoc decision making that undermines governance.

    Policy, process, and org. charts support governance but do not produce it on their own
    To be effective, these things need to be developed with the accountabilities and influence of the organizational functions that produce them.

    A lack of business alignment does not mean you're doomed to fail
    While the highest levels of governance maturity depend on strong security-business alignment, there are still tactics one can use to improve governance.

    All organizations have governance
    Sometimes it is poorly defined, ineffective, and occurs in the same place as management, but it exists at some level, acting as the decision-making apparatus for an organization (i.e. what can and cannot occur).

    Risk tolerances are variable across lines of business
    This can lead to misalignments between security and the business, as each may have their own tolerance for particular risks. The remedy is to understand the risk appetite of the business and allow this to inform security risk management decisions.

    Blueprint deliverables

    Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:

    Security Governance Model Tool

    Security Governance Organizational Structure Template

    Information Security Steering Committee Charter & RACI

    Policy Exceptions-Handling Workflow

    Policy Exception Tracker and Request Form

    Key deliverable:

    Security Governance Model

    By the end of this blueprint, you will have created a personalized governance model to map your stakeholders' accountabilities, responsibilities, and key interactions.

    Blueprint benefits

    IT Benefits Business Benefits
    • Correct any overlapping and mismanaged security processes by assigning accountabilities and responsibilities to each stakeholder group.
    • Improve efficiency and effectiveness of the security program by separating governance from management.
    • Determine necessary inputs and outputs from stakeholder interactions to ensure the governance model functions as intended.
    • Improved support of business goals through security-business alignment.
    • Better risk management by defining risk appetite with security.
    • Increased stakeholder satisfaction via a governance model designed to meet their needs.

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit Guided Implementation Workshop Consulting
    "Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful." "Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track." "We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place." "Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project."

    Diagnostics and consistent frameworks are used throughout all four options.

    Guided Implementation

    What does a typical GI on this topic look like?

    Phase 1 Phase 2
    Call #1: Scope requirements, objectives, and your specific challenges. Call #2: Determine governance requirements.
    Call #3: Review governance model.    		 Call #4: Determine KPIs.
    Call #5: Stand up steering committee.    		 Call #6: Set risk appetite.
    Call #7: Establish policy lifecycle.    		 Call #8: Revise exception-handing process.

    A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

    A typical GI is 4 to 8 calls over the course of 2 to 3 months.

    Workshop Overview

    Day 1 Day 2 Day 3 Day 4 Day 5
    Activities Evaluate Direct Monitor Implement Essential Governance Processes Next Steps and Wrap-Up (offsite)
    1.1 Prioritize governance accountabilities
    1.2 Prioritize management responsibilities
    1.3 Evaluate organizational structure    		 2.1 Align with business
    2.2 Build security governance and management model
    2.3 Visualize security governance and management model    		 3.1 Develop governance and management KPIs 4.1 Draft steering committee charter
    4.2 Complete steering committee RACI
    4.3 Draft qualitative risk statements
    4.4 Define policy management lifecycle
    4.5 Establish policy exception approval process    		 5.1 Complete in-progress deliverables from previous four days
    5.2 Set up review time for workshop deliverables and to discuss next steps
    Deliverables
    1. Prioritized list of accountabilities and responsibilities
    2. Revised organizational structure
    1. Security governance and management model
    1. Security Metrics Determination and Tracking Tool
    2. KPI Development Worksheet
    1. Steering committee charter and RACI
    2. Risk-appetite statements
    3. Policy management lifecycle
    4. Policy exception approval process

    Contact your account representative for more information.
    workshops@infotech.com 1-888-670-8889

    Customize your journey

    The security governance and management blueprint pairs well with security design and security strategy.

    • The governance and management model you create in this blueprint will inform efforts to improve security, like revisiting security program design and your security strategy.
    • Work with your member services director, executive advisor, or technical counselor to scope the journey you need. They will work with you to align the subject matter experts to support your roadmap and workshops.

    Workshop Day 1 and Day 2
    Security Governance and Management

    Workshop Day 3 and Day 4
    Security Strategy Gap Analysis or Security Program Design Factors

    Phase 1

    Design Your Governance Model

    Phase 1
    1.1 Evaluate
    1.2 Direct
    1.3 Monitor

    Phase 2
    2.1 Implement Oversight
    2.2 Set Risk Appetite
    2.3 Implement Policy lifecycle

    Establish Security Governance & Management

    This phase will walk you through the following activities:

    • Prioritize governance accountabilities
    • Prioritize management responsibilities
    • Evaluate current organizational structure
    • Align with the business
    • Build security governance and management model
    • Finalize governance and management model
    • Develop governance and management KPIs

    This phase involves the following participants:

    • CISO
    • CIO
    • Business representative

    Step 1.1

    Evaluate

    Activities
    1.1.1 Prioritize governance accountabilities
    1.1.2 Prioritize management responsibilities
    1.1.3 Evaluate current organizational structure

    This step involves the following participants:

    • CISO
    • CIO
    • Business representative

    Outcomes of this step

    • Defined governance accountabilities
    • Defined management responsibilities

    Design Your Governance Model

    Step 1.1 > Step 1.2 > Step 1.3

    Evaluate: Getting started

    Element Questions
    Compliance What voluntary or mandatory standards must be represented in my governance model?
    Legal What laws are the organization accountable to? Who is the accountable party?
    Business needs What does the business need to operate? What sort of informational or operational flows need to be accounted for?
    Culture How does the business operate? Are departments siloed or cooperative? Where does security fit in?
    Decision-making process How are decisions made? Who is involved? What information needs to be available to do so?
    Willingness to be governed Is the organization adverse to formal governance mechanisms? Are there any opportunities to improve alignment with the business?
    Relevant trends Are there recent developments (e.g. new privacy laws) that are likely to affect the organization in the future? Will this complicate or simplify governance modeling efforts?
    Stakeholder interests Who are the internal and external stakeholders that need to be represented in the governance model?

    The above is a summary of COBIT 2019 EDM01.01 Evaluate the governance system, along with Info-Tech-recommended questions to contextualize each element for your organization.

    1.1.1 Prioritize governance accountabilities

    1-2 hours

    Using the example on the next slide, complete the following steps.

    1. Download Info-Tech's Security Governance Model Tool using the link below and customize the stakeholder groups on tab 1 to reflect the makeup of your organization.
    2. Using the previous slide as a guide, evaluate your organization's internal and external pressures and discuss their possible impacts your governance and management model.
    3. Complete tab 2, Governance Prioritization, indicating your response to each prompt using the drop-down menus. The tool will score your responses and provide you with a prioritized list of governance accountabilities based on greatest need on tab 4, Governance Model Builder.
    4. Review the list and make any desired modifications to the prompts on tab 2 and then move on to Activity 1.1.2. (We will return to tab 4 in Step 2.1.) Remember to evaluate the results against the internal/external pressure analysis to ensure these details are reflected.

    Download the Security Governance Model Tool

    Input Output
    • List of governance pressures
  • Prioritized list of governance accountabilities
    		•
    Materials Participants
    • Security Governance Model Tool
    • CISO
    • CIO
    • Security Operations
    • Business representative (optional)

    Security Governance and Management Model Tool

    Tabs 2 and 3

    Security Governance and Management Model Tool

    1.1.2 Prioritize management responsibilities

    1 hours

    Using the examples on the previous slide, complete the following steps.

    1. Complete tab 3, Management Prioritization, indicating your response to each prompt using the drop-down menus. The tool will score your responses and provide you with a prioritized list of governance accountabilities based on greatest need on tab 4, Governance Model Builder.
    2. Review the list and make any desired modifications to the prompts on tab 3 and then move on to Activity 1.1.3. (We will return to tab 4 in Step 2.1.) Remember to evaluate the results against the internal/external pressure analysis to ensure these details are reflected.

    Download Security Governance Model Tool

    InputOutput
    • Pressure analysis
    • Prioritized list of management responsibilities
    MaterialsParticipants
    • Security Governance Model Tool
    • CISO
    • CIO
    • Business representative (optional)

    Security Governance and Management Model Tool

    Tab 4

    Security Governance and Management Model Tool Tab 4

    1.1.3 Evaluate current organizational structure

    1-3 hours

    1. Download and modify Info-Tech's Security Governance Organizational Structure Template to reflect the reporting structure at your organization. If such a document already exists, simply review it and move on to the next step below.
    2. Determine if the current organizational structure will negatively affect your ability to pursue the items in your prioritized lists from governance accountabilities and management responsibilities (e.g. conflicts of interest related to oversight or reporting), and discuss the feasibility of changing the current governance structure.
    3. Record these recommended changes and any other key points you'd like the business or other stakeholders to be aware of. We'll use this information in the business alignment exercise in Step 2.1

    Download the Security Governance Organizational Structure Template

    Input Output
    • Prioritized lists of governance accountabilities and management responsibilities
    • Updated organizational structure
    Materials Participants
    • Security Governance Organizational Structure Template
    • CISO

    Info-Tech resources

    Locate structural problems in advance

    • If you do not already have a diagram of your organization's reporting structure, use this template to create one. Examples are provided for high, medium, and low maturity.
    • The existing reporting structure will likely affect the governance model you create, as it may not be feasible to assign certain governance accountabilities and management responsibilities to certain stakeholders.
      • For example, it may make sense for the head of security to approve the security budget, but if they report to a CIO with greater authority that accountability will likely have to sit with the CIO instead.

    Download the Security Governance Organizational Structure Template

    Security Governance Organizational Structure

    Step 1.2

    Direct

    Activities
    1.2.1 Align with the business
    1.2.2 Build security governance and management model
    1.2.3 Finalize governance and management model

    This step involves the following participants:

    CISO

    CIO

    Business representative

    Outcomes of this step

    • Record of key stakeholder interactions
    • Visual governance model

    Design Your Governance Model

    Step 1.1 > Step 1.2 > Step 1.3

    Direct: Getting started

    Element Questions
    Business alignment Do we have a full understanding of the business's approach to risk and security's role to support business objectives?
    Organizational security process How well do our current processes work? Are we missing any key processes?
    Steering committee Will we use a dedicated steering committee to oversee security governance, or will another stakeholder assume this role?
    Security awareness Does the organization have a strong security culture? Does an effort need to be made to educate stakeholder groups on the role of security in the organization?
    Roles and responsibilities Does the organization use RACI charts or another system to define roles and document duties?
    Communication flows Do we have a good understanding of how information flows between stakeholder groups? Are there any gaps that need to be addressed (e.g. regular board reporting)?

    The above is a summary of COBIT 2019 EDM01.02 Direct the governance system, along with Info-Tech-recommended questions to contextualize each element for your organization.

    Embed security governance within enterprise governance

    Design structures, processes, authority definitions, and steering committee assignments to drive optimal business results.

    Embed security governance within enterprise governance

    1.2.1 Align with the business

    1-3 hours

    1. Request a meeting with the business to present your findings from the previous activities in Step 1.1. As you prepare for the meeting, remember to following points:
    • The goal here is to align, not to command. You want the business to see the security team as a strategic ally that supports the pursuit of business goals.
    • Make recommendations and explain any security risks associated with the direction the business wants to take, but the goal is not to strongarm the business into adopting your perspective.
    • Above all, listen to the business to learn more about how they relate to governance and what their priorities are. This will help you adapt your governance model to better support business needs.

    Info-Tech Insight
    A lack of business participation does not mean your governance initiative is doomed. From this lack, we can still infer their attitudes toward security governance, and we can account for this in our governance model. This may limit the maturity your program can reach, but it doesn't prevent improvements from being made to your current security governance.

    InputOutput
    • Prioritized lists of governance accountabilities and management responsibilities
    • Current organizational structure
    • List of recommendations or proposed changes
    • Security governance and management target state definition
    MaterialsParticipants
    • Means to capture key points of the conversation (e.g. notebook, recorded meeting)
    • CISO
    • CIO
    • Business representative

    1.2.2 Build security governance and management model

    1-2 hours

    Using the example on the next slide, complete the following steps:

    1. On tab 4, review the prioritized lists for governance accountabilities and management responsibilities and begin assigning them to the appropriate stakeholder groups.
    • Remember: Responsibilities can be assigned to up to four stakeholders, but there can be only one party listed as accountable.
  • Use the drop-down menus to record any interactions that occur between the groups (e.g. repots to, appoints, approves, oversees).
    • Documenting these interactions will help you ensure your governance program accounts for inputs and outputs that are required by, or that otherwise affect, your various stakeholder groups.

    Note: You may wish to review Info-Tech's governance model templates before completing this activity to get an idea of what you'll be working toward in this step. See slides 37-38.

    Download Security Governance Model Tool

    InputOutput
    • Prioritized lists of governance accountabilities and management responsibilities
    • Target state from business alignment exercise
    • Summary of governance model
    MaterialsParticipants
    • Security Governance Model Tool
    • CISO
    • CIO
    • Business representative (optional)

    Security Governance and Management Model Tool

    Tab 5

    Security Governance and Management Model Tool Tab 5

    Security Governance and Management Model Tool continued

    Tab 6

    Security Governance and Management Model Tool Tab 6

    1.2.3 Visualize your security governance and management model

    1-2 hours

    1. Download the Security Governance Model Templates using the link below and determine which of the three example models most closely resembles your own.
    2. Once you have chosen an example to work from, begin customizing it to reflect the governance model completed in Activity 1.2.2. See next slide for example.

    Note: You do not have to use these templates. If you prefer, you can use them as inspiration and design your own model.

    Download Security Governance Model Templates

    InputOutput
    • Results of Activity 2.1.2
    • Security governance and management model diagram
    MaterialsParticipants
    • Security Governance Model Templates
    • CISO

    Customize the template

    Customize the template

    Step 1.3

    Monitor

    Activities
    1.3.1 Develop governance and management KPIs

    This step involves the following participants:

    • CISO
    • CIO
    • Security team
    • Business representative

    Outcomes of this step

    Key performance indicators

    Design Your Governance Model

    Step 1.1 > Step 1.2 > Step 1.3

    Monitor: Getting started

    Element Questions
    Metrics Does the organization have a well-developed metrics program or will this need to be taken up as a separate effort? Have we considered what outcomes we are hoping to see as a result of implementing a new governance and management model?
    Existing and emerging threats What has changed or is likely to change in the future that may destabilize our governance program? What do we need to do to mitigate any security risks to our organizational governance and management?

    The above is a summary of COBIT 2019 EDM01.03 Monitor the governance system, along with Info-Tech-recommended questions to contextualize each element for your organization.

    1.3.1 Develop governance and management KPIs

    1-2 hours

    This activity is meant to provide a starting point for key governance metrics. To develop a comprehensive metrics program, see Info-Tech's Build a Security Metrics Program to Drive Maturity blueprint.

    1. Create a list of four to six outcomes you'd like to see as the result of your new governance model. Be as specific as you can; the better defied the outcome, the easier it will be to determine suitable KPI.
    2. For each desired outcome, determine what would best indicate that progress is being made toward that state.
    • Desired outcome: security team is consulted before critical business decisions are made.
    • Success criteria: the business evaluates Security's recommendations before starting new projects
    • Possible KPI: % of critical business decisions made with security consultation
    • See next slide for additional examples

    Note: Try to phrase each KPI using percents, which helps to add context to the metric and will make it easier to explain when reporting metrics in the future.

    Input Output
    • List of desired outcomes after new governance model implemented
    • Set of key performance indicators
    Materials Participants
    • Whiteboard
    • CISO
    • CIO
    • Security team
    • Business representative (optional)

    Example KPIs

    Desired Outcome Success Criteria Possible KPI
    Security team is consulted before critical business decisions are made The business evaluates Security's recommendations before starting new projects % of critical business decisions with Security consultation
    Greater alignment over risk appetite The business does not take on initiatives with excessive security risks % of incidents stemming from not following Security's risk management recommendations
    Reduced number of policy exceptions Policy exceptions are only granted when a clear need is present and a formal process is followed % of incidents stemming from policy exceptions
    Improved policy adherence Policies are understood and followed throughout the organization % of incidents stemming from policy violations

    Establish Baseline Metrics

    Baseline metrics will be improved through:

    1. Improved business alignment
    2. Developing formal process to manage security risks
    3. Separating governance from management
    Metric Current Goal
    % of critical business decisions with Security consultation 20% 100%
    % of incidents stemming from not following Security's risk management recommendations 65% 0%
    % of incidents stemming from policy exceptions 35% 5%
    % of incidents stemming from policy violations 40% 5%
    % of ad hoc decisions made (i.e. not accounted for by governance model 85% 5%
    % of accepted security risks evaluated against risk appetite 50% 100%
    % of deferred steering committee decisions (i.e. decisions not made ASAP after issue arises) 50% 5%
    % of policies approved within target window (e.g. 1 month) 20% 100%

    Phase 2

    Implement Essential Governance Processes

    Phase 1
    1.1 Evaluate
    1.2 Direct
    1.3 Monitor

    Phase 2
    2.1 Implement Oversight
    2.2 Set Risk Appetite
    2.3 Implement Policy Lifecycle

    This phase will walk you through the following activities:

    • Draft Steering Committee Charter
    • Complete Steering Committee RACI
    • Draft qualitative risk statements
    • Model policy lifecycle
    • Establish exceptions-handling process

    This phase involves the following participants:

    • CISO
    • CRO
    • CIO
    • HR
    • Internal Audit
    • Business representative
    • Legal

    Establish Security Governance & Management

    Step 2.1

    Implement Oversight

    Activities
    2.1.1 Draft steering committee charter
    2.1.2 Complete steering committee RACI

    This step involves the following participants:

    • CISO
    • CRO
    • CIO
    • HR
    • Internal Audit
    • Business representative
    • Legal

    Outcomes of this step

    Steering Committee Charter and RACI

    Implement Essential Governance Processes

    Step 2.1 > Step 2.2 > Step 2.3

    2.1.1 Draft steering committee charter

    1-3 hours

    This activity is meant to provide a starting point for your steering committee. If a more comprehensive approach is desired, see Info-Tech's Improve Security Governance With a Security Steering Committee blueprint.

    1. Download the template using the link below and review the various sections of the document
    2. Review slides 50-51 to help determine the scope of your steering committee's role. Discuss with other stakeholder groups, as necessary, to determine the steering committee's duties, how often the group will meet, and what the regular meeting agenda will be.
    3. Customize the template to suit your organization's needs.

    Download Information Security Steering Committee Charter

    Input Output
    • N/A
    • Steering Committee
    Materials Participants
    • Information Security Steering Committee Charter Template
    • CISO
    • CRO
    • CIO
    • HR
    • Internal Audit
    • Business representative
    • Legal

    Steering committee membership

    Representation is key, but don't try to please everyone

    • For your steering committee to be effective, it should include representatives from across the organization. However, it is important not to overextend committee membership, which can interfere with decision making.
    • Participants should be selected based on the identified responsibilities of the security steering committee, and the number of people should be appropriate to the size and complexity of the organization.

    Example steering committee

    CISO
    CRO
    Internal Audit
    CIO
    Business Leaders
    HR
    Legal

    Download Information Security Steering Committee Charter

    Typical steering committee duties

    Strategic Oversight Policy Governance
    • Provide oversight and ensure alignment between information security governance and company objectives.
    • Assess the adequacy of resources and funding to sustain and advance successful security programs and practices for identifying, assessing, and mitigating cybersecurity risks across all business functions.
    • Review control audit reports and resulting remediation plans to ensure business alignment
    • Review the company's cyber insurance policies to ensure appropriate coverage.
    • Provide recommendations, based on security best practices, for significant technology investments.
    • Review policy-exception requests to determine if potential security risks can be accepted or if a workaround exists.
    • Assess the ramifications of updates to policies and standards.
    • Establish standards and procedures for escalating significant security incidents to the board, other steering committees, government agencies, and law enforcement, as appropriate.

    Typical steering committee duties

    Risk Governance Monitoring and Reporting
    • Review and approve the company's information risk governance structure.
    • Assess the company's high-risk information assets and coordinate planning to address information privacy and security needs.
    • Provide input to executive management regarding the enterprise's information security risk tolerance.
    • Review the company's cyber-response preparedness, incident response plans, and disaster recovery capabilities as applicable to the organization's information security strategy.
    • Promote an open discussion regarding information risk and integrate information risk management into the enterprise's objectives.
    • Receive periodic reports and coordinate with management on the metrics used to measure, monitor, and manage cyber risks posed to the company and to review periodic reports on selected security risk topics as the committee deems appropriate.
    • Monitor and evaluate the quality and effectiveness of the company's technology security, capabilities for disaster recovery, data protection, cyber threat detection, and cyber incident response, and management of technology-related compliance risks.

    2.1.2 Complete steering committee RACI

    1-3 hours

    1. Download the RACI template and review the membership roles. Customize the template to match the makeup of your steering committee.
    2. Read through each task in the left-hand column and determine who will be involved:
    • R - responsible: the person doing the action (can be multiple)
    • A - accountable: the owner of the task, usually a department head who delegates the execution of the task (only assigned to one stakeholder)
    • C - consulted: stakeholders that offer some kind of guidance, advice, or recommendation (can be multiple)
    • I - Informed: stakeholders that receive status updates about the task (can be multiple)

    Note: All tasks must have accountability and responsibility assigned (sometimes a single stakeholder is accountable and responsible). However, not all tasks will have someone consulted or informed.

    Download Information Security Steering Committee RACI Chart

    InputOutput
    • N/A
    • Defined roles and responsibilities
    MaterialsParticipants
    • RACI Chart
    • CISO
    • CRO
    • CIO
    • HR
    • Internal Audit
    • Business representative
    • Legal

    Step 2.2

    Set Risk Appetite

    Activities
    2.2.1 Draft qualitative risk statements

    This step involves the following participants:

    • CISO
    • CIO
    • Business representative

    Outcomes of this step

    Qualitative risk appetite

    Implement Essential Governance Processes

    Step 2.1 > Step 2.2 > Step 2.3

    Know your appetite for risk

    What is an organizational risk appetite?

    Setting risk appetite is a key governance function, as it structures how your organization will deal with the risks it will inevitably face - when they can be accepted, when they need to be mitigated, and when they must be rejected entirely.

    It is important to note that risk appetite and risk tolerance are not the same. Risk appetite refers to the amount of risk the organization is willing to accept as part of doing business, whereas risk tolerance has more to do with individual risks affecting one or more lines of business that exceed that appetite. Such risks are often tolerated as individual cases that can be mitigated to an acceptable level of risk even though it exceeds the risk-appetite threshold.

    Chart Risk Appetite

    2.1.2 Draft qualitative risk-appetite statements

    1-3 hours

    This activity is meant to provide a starting point for risk governance. To develop a comprehensive risk-management program, see Info-Tech's Combine Security Risk Management Components Into One Program blueprint.

    1. Draft statements that express your attitudes toward the kinds of risks your organization faces. The point is to set boundaries to better understand when risk mitigation may be necessary.
      2. Examples:
    • We will not accept risks that may cause us to violate SLAs.
    • We will avoid risks that may prevent the organization from operating normally.
    • We will not accept risks that may result in exposure of confidential information.
    • We will not accept risks that may cause significant brand damage.
    • We will not accept risks that pose undue risk to human life or safety.
    InputOutput
    • Definitions for high, medium, low impact and frequency
    • Set of qualitative risk-appetite statements
    MaterialsParticipants
    • Whiteboard
    • CISO
    • CIO
    • Business representative

    Step 2.3

    Implement Policy Lifecycle

    Activities
    2.3.1 Model your policy lifecycle
    2.3.2 Establish exception-approval process

    This step involves the following participants:

    • CISO
    • CIO

    Outcomes of this step

    Policy lifecycle

    Exceptions-handling process

    Implement Essential Governance Processes

    Step 2.1 > Step 2.2 > Step 2.3

    2.3.1 Model your policy lifecycle

    1-3 hours

    This activity is meant to provide a starting point for policy governance. To develop a comprehensive policy-management program, see Info-Tech's Develop and Deploy Security Policies blueprint.

    1. Review the sections within the Security Policy Lifecycle Template and delete any sections or subsections that do not apply to your organization.
    2. As necessary, modify the lifecycle and receive approved sign-off by your organization's leadership.
    3. Solicit feedback from stakeholders, specifically, IT department management and business stakeholders.

    Download the Security Policy Lifecycle Template

    InputOutput
    • N/A
    • Policy lifecycle
    MaterialsParticipants
    • Security Policy Lifecycle Template
    • CISO
    • CIO

    Develop the security policy lifecycle

    The security policy lifecycle is an integral component of the security policy program and adds value by:

    • Setting out a roadmap to define needs, develop required documentation, and implement, communicate, and measure your policy program.
    • Defining roles and responsibilities for the security policy suite.
    • Aligning the business goals, security program goals, and policy objectives.

    Security Policy Lifecycle

    Diagram inspired by: ComplianceBridge, 2021

    2.3.2 Establish exception-approval process

    1-3 hours

    1. Download the Security Policy Exception Approval Template and customize it to match your exception-handling process. Be sure to account for the recommendations on the next slide.
    2. Use the Policy Exception Tracker to record and monitor granted exceptions.

    Download the Security Policy Exception Approval Workflow

    Download the Security Policy Exception Tracker

    Input Output
    • Answers to questions provided
    • Exception-handling process
    Materials Participants
    • Security Policy Exception Approval Workflow
    • Security Policy Exception Tracker
    • CISO
    • CIO

    Determine criteria to grant policy exception

    A key part of security risk and policy governance

    • Not all policies can be complied with all the time. As technology and business needs change, sometimes exceptions must be granted for operations to continue smoothly.
    • Exceptions can be either short or long term.
      • Short-term exceptions are often granted until a particular security gap can be closed, such as allowing staff to temporarily use new laptops that have yet to receive a required VPN for remote access.
      • Long-term exceptions usually occur when closing the gap entirely is not feasible. For example, a legacy system may be unable to meet evolving security standards, but there is no room in the budget to replace it.
    • Having a formal approval process for exceptions and a record of granted exceptions will help you to stay on top of security risk governance.

    Before granting an exception:

    1. Assess security risks associated with doing so: are they acceptable?
    2. Look for another way to resolve the issue: is a suitable workaround possible?
    3. Evaluate mitigating controls: is it possible to provide an equivalent level of security via other means?
    4. Assign risk ownership: who will be accountable if an incident arises from the exception?
    5. Determine appeals process: when disagreements arise, how will the final decision be made?

    Sources: University of Virginia; CIS

    Summary of Accomplishment

    Problem Solved

    You have now established a formal governance model for your organization - congratulations! Building this model and determining stakeholders' accountabilities and responsibilities is a big step.

    Remember to continue to use the evaluate-direct-monitor framework to make sure your governance model evolves as organizational governance matures and priorities shift.

    If you would like additional support, have our analysts guide you through an Info-Tech workshop or Guided Implementation.

    Contact your account representative for more information.
    workshops@infotech.com
    1-888-670-8889

    Additional Support

    If you would like additional support, have our analysts guide you through other phases as part of an Info-Tech Workshop.

    To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.

    Info-Tech analysts will join you and your team at your location or welcome you to Info-Tech's historic Toronto office to participate in an innovative onsite workshop.

    Contact your account representative for more information.
    workshops@infotech.com 1-888-670-8889

    The following are sample activities that will be conducted by Info-Tech analysts with your team:

    Build Governance Model
    Build a customized security governance model for your organization.

    Develop policy lifecycle
    Develop a policy lifecycle and exceptions-handling process.

    Related Info-Tech Research

    Build an Information Security Strategy

    Design a Business-Focused Security Program

    Combine Security Risk Management Components Into One Program

    Research contributors and experts

    Michelle Tran, Consulting Industry

    Michelle Tran
    Consulting Industry

    One anonymous contributor

    Bibliography

    Durbin, Steve. "Achieving The Five Levels Of Information Security Governance." Forbes, 4 Apr. 2023. Accessed 4 Apr. 2023.

    Eiden, Kevin, et al. "Organizational Cyber Maturity: A Survey of Industries." McKinsey & Company, 4 Aug. 2021. Accessed 25 Apr. 2023.

    "Information Security Exception Policy." Center for Internet Security, 2020. Accessed 14 Apr. 2023.

    "Information Security Governance." EDUCAUSE, n.d. Accessed 27 Apr. 2023.

    ISACA. COBIT 2019 Framework: Governance and Management Objectives. GF Books, 2018.

    Policies & Procedures Team. "Your Policy for Policies: Creating a Policy Management Framework." ComplianceBridge, 30 Apr. 2021. Accessed 27 Apr. 2023.

    "Security and the C-Suite: Making Security Priorities Business Priorities." LogRhythm, Feb. 2021. Accessed 25 Apr 2023.

    University of Virginia. "Policy, Standards, and Procedures Exceptions Process." Information Security at UVA, 1 Jun. 2022. Accessed 14 Apr. 2023

    Manage Service Catalogs

    • Buy Link or Shortcode: {j2store}44|cart{/j2store}
    • Related Products: {j2store}44|crosssells{/j2store}
    • member rating overall impact: 9.0/10
    • member rating average dollars saved: $3,956
    • member rating average days saved: 24
    • Parent Category Name: Service Planning and Architecture
    • Parent Category Link: /service-planning-and-architecture
    • byline: Design and build a customer-facing service catalog.

    The challenge

    • Your business users may not be aware of the full scope of your services.
    • Typically service information is written in technical jargon. For business users, this means that the information will be tough to understand.
    • Without a service catalog, you have no agreement o what is available, so business will assume that everything is.

    Our advice

    Insight

    • Define your services from a user's or customer perspective.
      • When your service catalog contains too much information that does not apply to most users, they will not use it.
    • Separate the line-of-business services from enterprise services. It simplifies your documentation process and makes the service catalog more comfortable to use.

    Impact and results 

    • Our approach helps you organize your service catalog in a business-friendly way while keeping it manageable for IT.
    • And manageable also means that your service catalog remains a living document. You can update your service records easily.
    • Your service catalog forms a visible bridge between IT and the business. Improve IT's perception by communicating the benefits of the service catalog.

    The roadmap

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    Get started

    Our concise executive brief shows you why building a service catalog is a good idea for your company. We'll show you our methodology and the ways we can help you in handling this.

    Minimize the risks from attrition through an effective knowledge transfer process.

    Launch the initiative

    Our launch phase will walk you through the charter template, build help a balanced team, create your change message and communication plan to obtain buy-in from all your organization's stakeholders.

    • Design & Build a User-Facing Service Catalog – Phase 1: Launch the Project (ppt)
    • Service Catalog Project Charter (doc)

    Identify and define the enterprise services

    Group enterprise services which you offer to everyone in the company, logically together.

    • Design & Build a User-Facing Service Catalog – Phase 2: Identify and Define Enterprise Services (ppt)
    • Sample Enterprise Services (ppt)

    Identify and define your line-of-business (LOB) services

    These services apply only to one business line. Other business users should not see them in the catalog.

    • Design & Build a User-Facing Service Catalog – Phase 3: Identify and Define Line of Business Services (ppt)
    • Sample LOB Services – Industry Specific (ppt)
    • Sample LOB Services – Functional Group (ppt)

    Complete your services definition chart

    Complete this chart to allow the business to pick what services to include in the service catalog. It also allows you to extend the catalog with technical services by including IT-facing services. Of course, separated-out only for IT.

    • Design & Build a User-Facing Service Catalog – Phase 4: Complete Service Definitions (ppt)
    • Services Definition Chart (xls)

    Demystify Oracle Licensing and Optimize Spend

    • Buy Link or Shortcode: {j2store}136|cart{/j2store}
    • member rating overall impact: 9.9/10 Overall Impact
    • member rating average dollars saved: $85,754 Average $ Saved
    • member rating average days saved: 10 Average Days Saved
    • Parent Category Name: Licensing
    • Parent Category Link: /licensing
    • License keys are not needed with optional features accessible upon install. Conducting quarterly checks of the Oracle environment is critical because if products or features are installed, even if they are not actively in use, it constitutes use by Oracle and requires a license.
    • Ambiguous license models and definitions abound: terminology and licensing rules can be vague, making it difficult to purchase licensing even with the best of intentions to keep compliant.
    • Oracle has aggressively started to force new Oracle License and Service Agreements (OLSA) on customers that slightly modify language and remove pre-existing allowances to tilt the contract terms in Oracle's favor.

    Our Advice

    Critical Insight

    • Focus on needs first. Conduct a thorough requirements assessment and document the results. Well-documented license needs will be your core asset in navigating Oracle licensing and negotiating your agreement.
    • Communicate effectively. Be aware that Oracle will reach out to employees at your organization at various levels. Having your executives on the same page will help send a strong message.
    • Manage the relationship. If Oracle is managing you, there is a high probability you are over paying or providing information that may result in an audit.

    Impact and Result

    • Conducting business with Oracle is not typical compared to other vendors. To emerge successfully from a commercial transaction with Oracle, customers must learn the "Oracle way" of conducting business, which includes a best-in-class sales structure, highly unique contracts and license use policies, and a hyper-aggressive compliance function.
    • Map out the process of how to negotiate from a position of strength, examining terms and conditions, discount percentages, and agreement pitfalls.
    • Develop a strategy that leverages and utilizes an experienced Oracle DBA to gather accurate information, and then optimizes it to mitigate and meet the top challenges.

    Demystify Oracle Licensing and Optimize Spend Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you need to understand and document your Oracle licensing strategy, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Establish licensing requirements

    Begin your proactive Oracle licensing journey by understanding which information to gather and assessing the current state and gaps.

    • Demystify Oracle Licensing and Optimize Spend – Phase 1: Establish Licensing Requirements
    • Oracle Licensing Purchase Reference Guide
    • Oracle Database Inventory Tool
    • Effective Licensing Position Tool
    • RASCI Chart

    2. Evaluate licensing options

    Review current licensing models and determine which licensing models will most appropriately fit your environment.

    • Demystify Oracle Licensing and Optimize Spend – Phase 2: Evaluate Licensing Options

    3. Evaluate agreement options

    Review Oracle’s contract types and assess which best fit the organization’s licensing needs.

    • Demystify Oracle Licensing and Optimize Spend – Phase 3: Evaluate Agreement Options
    • Oracle TCO Calculator

    4. Purchase and manage licenses

    Conduct negotiations, purchase licensing, and finalize a licensing management strategy.

    • Demystify Oracle Licensing and Optimize Spend – Phase 4: Purchase and Manage Licenses
    • Oracle Terms & Conditions Evaluation Tool
    • Controlled Vendor Communications Letter
    • Vendor Communication Management Plan
    [infographic]

    Workshop: Demystify Oracle Licensing and Optimize Spend

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Establish Licensing Requirements

    The Purpose

    Assess current state and align goals; review business feedback

    Interview key stakeholders to define business objectives and drivers

    Key Benefits Achieved

    Have a baseline for requirements

    Assess the current state

    Determine licensing position

    Examine cloud options

    Activities

    1.1 Gather software licensing data

    1.2 Conduct a software inventory

    1.3 Perform manual checks

    1.4 Reconcile licenses

    1.5 Create your Oracle licensing team

    1.6 Meet with stakeholders to discuss the licensing position, cloud offerings, and budget allocation

    Outputs

    Copy of your Oracle License Statement

    Software inventory report from software asset management (SAM) tool

    Oracle Database Inventory Tool

    RASCI Chart

    Oracle Licensing Effective License Position (ELP) Template

    Oracle Licensing Purchase Reference Guide

    2 Evaluate Licensing Options

    The Purpose

    Review licensing options

    Review licensing rules

    Key Benefits Achieved

    Understand how licensing works

    Determine if you need software assurance

    Discuss licensing rules, application to current environment.

    Examine cloud licensing

    Understand the importance of documenting changes

    Meet with desktop product owners to determine product strategies

    Activities

    2.1 Review full, limited, restricted, and AST use licenses

    2.2 Calculate license costs

    2.3 Determine which database platform to use

    2.4 Evaluate moving to the cloud

    2.5 Examine disaster recovery strategies

    2.6 Understand purchasing support

    2.7 Meet with stakeholders to discuss the licensing position, cloud offerings, and budget allocation

    Outputs

    Oracle TCO Calculator

    Oracle Licensing Purchase Reference Guide

    3 Evaluate Agreement Options

    The Purpose

    Review contract option types

    Review vendors

    Key Benefits Achieved

    Understand why a type of contract is best for you

    Determine if ULA or term agreement is best

    The benefits of other types and when you should change

    Activities

    3.1 Prepare to sign or renew your ULA

    3.2 Decide on an agreement type that nets the maximum benefit

    Outputs

    Type of contract to be used

    Oracle TCO Calculator

    Oracle Licensing Purchase Reference Guide

    4 Purchase and Manage Licenses

    The Purpose

    Finalize the contract

    Prepare negotiation points

    Discuss license management

    Evaluate and develop a roadmap for future licensing

    Key Benefits Achieved

    Negotiation strategies

    Licensing management

    Introduction of SAM

    Leverage the work done on Oracle licensing to get started on SAM

    Activities

    4.1 Control the flow of communication terms and conditions

    4.2 Use Info-Tech’s readiness assessment in preparation for the audit

    4.3 Assign the right people to manage the environment

    4.4 Meet with stakeholders to discuss the licensing position, cloud offerings, and budget allocation

    Outputs

    Controlled Vendor Communications Letter

    Vendor Communication Management Plan

    Oracle Terms & Conditions Evaluation Tool

    RASCI Chart

    Oracle Licensing Purchase Reference Guide

    Build a Strategy for Big Data Platforms

    • Buy Link or Shortcode: {j2store}203|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Big Data
    • Parent Category Link: /big-data
    • The immaturity of the big data market means that organizations lack examples and best practices to follow, and they are often left trailblazing their own paths.
    • Experienced and knowledgeable big data professionals are limited and without creative resourcing; IT might struggle to fill big data positions.
    • The term NoSQL has become a catch-all phrase for big data technologies; however, the technologies falling under the umbrella of NoSQL are disparate and often misunderstood. Organizations are at risk of adopting incorrect technologies if they don’t take the time to learn the jargon.

    Our Advice

    Critical Insight

    • NoSQL plays a key role in the emergence of the big data market, but it has not made relational databases outdated. Successful big data strategies can be conducted using SQL, NoSQL, or a combination of the two.
    • Assign a Data Architect to oversee your initiative. Hire or dedicate someone who has the ability to develop both a short-term and long-term vision and that has hands-on experience with data management, mining and modeling. You will still need someone (like a database administrator) who understands the database, the schemas, and the structure.
    • Understand your data before you attempt to use it. Take a master data management approach to ensure there are rules and standards for managing your enterprise’s data, and take extra caution when integrating external sources.

    Impact and Result

    • Assess whether SQL, NoSQL, or a combination of both technologies will provide you with the appropriate capabilities to achieve your business objectives and gain value from your data.
    • Form a Big Data Team to bring together IT and the business in order to leave a successful initiative.
    • Conduct ongoing training with your personnel to ensure up-to-date skills and end-user understanding.
    • Frequently scan the big data market space to identify new technologies and opportunities to help optimize your big data strategy.

    Build a Strategy for Big Data Platforms Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Develop a big data strategy

    Know where to start and where to focus attention in the implementation of a big data strategy.

    • Storyboard: Build a Strategy for Big Data Platforms

    2. Assess the appropriateness of big data technologies

    Decide the most correct tools to use in order to solve enterprise data management problems.

    • Big Data Diagnostic Tool

    3. Determine the TCO of a scale out implementation

    Compare the TCO of a SQL (scale up) with a NoSQL (scale out) deployment to determine whether NoSQL will save costs.

    • Scale Up vs. Scale Out TCO Tool
    [infographic]

    Build a Platform-Based Organization

    • Buy Link or Shortcode: {j2store}98|cart{/j2store}
    • member rating overall impact: 8.0/10 Overall Impact
    • member rating average dollars saved: $3,420 Average $ Saved
    • member rating average days saved: 2 Average Days Saved
    • Parent Category Name: Innovation
    • Parent Category Link: /innovation
    • The organization is riddled with bureaucracy. Some even believe that bureaucracy is inevitable and is an outcome of a complex business operating in a complex market and regulatory environment.
    • Time to market for new products and services is excruciatingly long.
    • Digital natives like Facebook, Netflix, and Spotify do not compare well with the organization and cannot be looked to for inspiration.

    Our Advice

    Critical Insight

    • Large corporations often consist of a few operating units, each with its own idiosyncracies about strategies, culture, and capabilities. These tightly integrated operating units make a company prone to bureaucracy.
    • The antidote to this bureaucracy is a platform structure: small, autonomous teams operating as startups within the organization.

    Impact and Result

    • Platforms consist of related activities and associated technologies that deliver on a specific organizational goal. A platform can therefore be run as a business or as a service. This structure of small autonomous teams that are loosely joined will make your employees directly accountable to the customers. In a way, they become entrepreneurs and do not remain just employees.

    Build a Platform-Based Organization Research & Tools

    Build a platform-based organization

    Download our guide to learn how you can get started with a platform structure.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    • Build a Platform-Based Organization Storyboard
    [infographic]

    Further reading

    Build a Platform-Based Organization

    Use a platform structure to overcome bureaucracy.

    Analyst Perspective

    Build a platform-based organization.

    Bureaucracy saps innovation out of large corporations. Some even believe that bureaucracy is inevitable and is an outcome of a complex business operating in a complex market and regulatory environment.

    So, what is the antidote to bureaucracy? Some look to startups like Uber, Airbnb, Netflix, and Spotify, but they are digital native and don’t compare well to a large monolithic corporation.

    However, all is not lost for large corporations. Inspiration can be drawn from a company in China – Haier, which is not a typical poster child of the digital age like Spotify. In fact, three decades ago, it was a state-owned company with a shoddy product quality.

    Haier uses an intriguing organization structure based on microenterprises and platforms that has proven to be an antidote to bureaucracy.

    Vivek Mehta
    Research Director, Digital & Innovation
    Info-Tech Research Group

    Executive Summary

    The Challenge

    Large corporations are prone to bureaucracies, which sap their organizations of creativity and make them blind to new opportunities. Though many executives express the desire to get rid of it, bureaucracy is thriving in their organizations.

    Why It Happens

    As organizations grow and become more complex over time, they yearn for efficiency and control. Some believe bureaucracy is the natural outcome of running a complex organization in a complex business and regulatory environment.

    Info-Tech’s Approach

    A new organizational form – the platform structure – is challenging the bureaucratic model. The platform structure makes employees directly accountable to customers and organizes them in an ecosystem of autonomous units.

    As a starting point, sketch out a platform structure that works for your organization. Then, establish a governance model and identify and nurture key capabilities for the platform structure.

    Info-Tech Insight

    The antidote to bureaucracy is a platform structure: small, autonomous teams operating as startups within the organization.

    Executive Brief Case Study

    Small pieces, loosely joined

    Haier

    Industry: Manufacturing
    Source: Harvard Business Review November-December 2018

    Haier, based in China, is currently the world’s largest appliance maker. Zhang Ruimin, Haier’s CEO, has built an intriguing organizing structure where every employee is directly accountable to customers – internal and/or external. A large corporation often consists of a few operating units, each with its own idiosyncrasies, which makes it slow to innovate. To avoid that, Haier has divided itself into 4,000 microenterprises (MEs), most of which have ten to 15 employees. There are three types of microenterprises in Haier:

    1. Approximately 200 “transforming” MEs: market-facing units like Zhisheng, which manufactures refrigerators, a legacy Haier product, for today’s young urbanites.
    2. Approximately 50 “incubating” MEs: entirely new businesses like Xinchu that wrap existing products into entirely new business models.
    3. Approximately 3,800 “node” MEs: units that sell component products and services such as design, manufacturing, and human resources support to Haier’s market-facing MEs.

    Each ME operates as an autonomous unit with its own targets – an organizing structure that enables innovation at Haier.

    (Harvard Business Review, 2018)

    The image is a rectangular graphic with the words Refrigeration Platform in the centre. There are six text boxes around the centre, reading (clockwise from top left): Zhisheng Young urbanites; Langdu Premium; Jinchu Mid-priced; Xinchu Internet-connected; Overseas Export markets; Leader Value-priced. There are a series of white boxes bordering the graphic, with the following labels: at top--Sales nodes; at right--Support nodes (R&D, HR, supply chain, etc.); at bottom left---Design nodes; at bottom right--Production nodes.

    Markets disproportionately reward platform structure

    Tech companies like Facebook, Netflix, and Spotify are organized around a set of modular platforms run by accountable platform teams. This modular org structure enables them to experiment, learn, and scale quickly – a key attribute of innovative organizations.

    Facebook ~2,603 million monthly active users

    India ~1,353 million population

    Netflix ~183 million monthly paid subscribers

    Spotify ~130 million premium subscribers

    Canada ~37 million population

    (“Facebook Users Worldwide 2020,” “Number of Netflix Subscribers 2019,” “Spotify Users - Subscribers in 2020,” Statista.)

    1. Sketch Out the Platform Structure

    What is a platform anyway?

    A modular component of an org structure

    Platforms consist of a logical cluster of activities and associated technology that delivers on a specific business goal and can therefore be run as a business, or ‘as a service’ … Platforms focus on business solutions to serve clients (internal or external) and to supply other platforms.” – McKinsey, 2019

    Platforms operate as independent units with their own business, technology, governance, processes, and people management. As an instance, a bank could have payments platform under a joint business and IT leadership. This payments-as-a-service platform could provide know-how, processes, and technology to the bank’s internal customers such as retail and commercial business units.

    Many leading IT organizations are set up in a platform-based structure that allows them to rapidly innovate. It’s an imperative for organizations in other industries that they must pilot and then scale with a platform play.

    What a platform-based org looks like

    It looks like a multicellular organism, where each cell is akin to a platform

    An organism consists of multiple cells of different types, sizes, and shapes. Each cell is independent in its working. Regardless of the type, a cell would have three features –the nucleus, the cell membrane, and, between the two, the cytoplasm.

    Similarly, an organization could be imagined as one consisting of several platforms of different types and sizes. Each platform must be autonomous, but they all share a few common features – have a platform leader, set up and monitor targets, and enable interoperability amongst platforms. Platforms could be of three types (McKinsey, 2019):

    1. Customer-journey platforms enable customer proposition and experience built on reusable code. They provide “journey as a service”; for example, Account Opening in a bank.
    2. Business-solution platforms are modular and run as a business or as a service. They provide “company as a service”; for example, Payments or Fraud Detection in a bank.
    3. Core IT provisioning platforms provide core IT services for the organization, for example, cloud, data, automation.

    There are two images: in the lower part of the graphic shows a multicellular organism, and has text pointing to a single cell. At the top, there is a zoomed in image of that single cell, with its component parts labelled: Cell Membrane, Nucleus, and Cytoplasm.

    Case study: Payments platform in a bank

    Payments as a service to internal business units

    The payments platform is led by an SVP – the platform leader. Business and IT teams are colocated and have joint leadership. The platform team works with a mindset of a startup, serving internal customers of the bank – retail and commercial lines of business.

    A diagram showing Advisory Council in a large grey box on the left. To the right are smaller dark blue boxes labeled 'Real-time peer-to-peer payments,' Wire transfers,' 'Batch payments,' 'Mobile wallets,' and 'International payments (VISA, WU, etc.),' and one light blue box labeled 'Payments innovation.'


    Advisory Council: An Advisory Council is responsible for strategy, business, and IT architecture and for overseeing the work within the team. The Advisory Council prioritizes the work, earmarks project budgets, sets standards such as for APIs and ISO 20022, and leads vendor evaluation.

    International payments (VISA, WU, etc.): Project execution teams are structured around payment modes. Teams collaborate with each other whenever a common functionality is to be developed, like fraud check on a payment or account posting for debits and credits.

    Payments innovation: A think tank keeping track of trends in payments and conducting proof of concepts (POCs) with prospective fintech partners and with new technologies.

    Use a capability map to sketch out a platform-based structure

    Corral your organization’s activities and associated tech into a set of 20 to 40 platforms that cover customer journeys, business capabilities, and core IT. Business and IT teams must jointly work on this activity and could use a capability map as an aid to facilitate the discussion.

    The image is an example of a capability map, shown in more detail in the following section.

    An example of sketching a platform-based org structure for an insurance provider (partial)

    Design Policy Create Policy Issue Policy Service Customers Process Claims Manage Investments
    Defining Market Research & Analysis Underwriting Criteria Selection Customer Targeting Interaction Management First Notice of Loss (FNOL) Investment Strategy
    Actuarial Analysis Product Reserving Needs Assessment & Quotes Payments Claims Investigation Portfolio Management
    Catastrophe Risk Modeling Reinsurance Strategy Contract Issuance Adjustments Claims Adjudication Deposits & Disbursements
    Product Portfolio Strategy Product Prototyping Application Management Renewals Claims Recovery (Subrogation) Cash & Liquidity Management
    Rate Making Product Testing Sales Execution Offboarding Dispute Resolution Capital Allocation
    Policy Definition Product Marketing Contract Change Management

    Customer Retention

    [Servicing a customer request is a customer-journey platform.]

    Claims Inquiry

    [Filing a claim is a customer-journey platform.]

    		Credit Bureau Reporting
    Shared Customer Management

    Account Management

    [Customer and account management is a business-capability platform to enable journeys.]

    		Channel Management Risk Management Regulatory & Compliance Knowledge Management
    Partner Management

    Access and Identity Management

    [Access and identity management is a core IT platform.]

    		Change Management Enterprise Data Management Fraud Detection [Fraud detection is a business-capability platform to enable journeys.] Product Innovation
    Enabling Corporate Governance Strategic Planning Reporting Accounting Enterprise Architecture Human Resources
    Legal Corporate Finance IT Facilities Management

    2. Establish Governance and Nurture Key Capabilities

    Two ingredients of the platform structure

    Establish a governance

    Advisory Council (AC) operates like a conductor at an orchestra, looking across all the activities to understand and manage the individual components.

    Nurture key capabilities

    Team structure, processes and technologies must be thoughtfully orchestrated and nurtured.

    Establish strong governance

    Empowerment does not mean anarchy

    While platforms are distinct units, they must be in sync with each other, like individual musicians in an orchestra. The Advisory Council (AC) must act like a conductor of the orchestra and lead and manage across platforms in three ways.

    1. Prioritize spend and effort. The AC team makes allocation decisions and prioritizes spend and effort on those platforms that can best support organizational goals and/or are in most urgent technical need. The best AC teams have enterprise architects who can understand business and dive deep enough into IT to manage critical interdependencies.
    2. Set and enforce standards. The AC team establishes both business and technology standards for interoperability. For example, the AC team can set the platform and application interfaces standards and the industry standards like ISO 20022 for payments. The AC team can also provide guidance on common apps and tools to use, for example, a reconciliation system for payments.
    3. Facilitate cross-platform work. The AC team has a unique vantage point where it can view and manage interdependencies among programs. As these complexities emerge, the AC team can step in and facilitate the interaction among the involved platform teams. In cases when a common capability is required by multiple platforms, the AC team can facilitate the dialogue to have it built out.

    Nurture the following capabilities:

    Design thinking

    “Zero distance from the customer” is the focus of platform structure. Each platform must operate with a mindset of a startup serving internal and/or external users.

    Agile delivery model

    Platform teams iteratively develop their offerings. With guidance from Advisory Council, they can avoid bottlenecks of formal alignment and approvals.

    Enterprise architecture

    The raison d'être of enterprise architecture discipline is to enable modularity in the architecture, encourage reusability of assets, and simplify design.

    Microservices

    Microservices allow systems to grow with strong cohesion and weak coupling and enable teams to scale components independently.

    APIs

    With their ability to link systems and data, APIs play a crucial role in making IT systems more responsive and adaptable.

    Machine learning

    With the drop in its cost, predictability is becoming the new electricity for business. Platforms use machine learning capability for better predictions.

    Related Info-Tech Research

    Drive Digital Transformation With Platform Strategies
    Innovate and transform your business models with digital platforms.

    Implement Agile Practices That Work
    Guide your organization through its Agile transformation journey.

    Design a Customer-Centric Digital Operating Model
    Putting the customer at the center of digital transformation.

    Bibliography

    Bossert, Oliver, and Jürgen Laartz. “Perpetual Evolution—the Management Approach Required for Digital Transformation.” McKinsey, 5 June 2017. Accessed 21 May 2020.

    Bossert, Oliver, and Driek Desmet. “The Platform Play: How to Operate like a Tech Company.” McKinsey, 28 Feb. 2019. Accessed 21 May 2020.

    “Facebook Users Worldwide 2020.” Statista. Accessed 21 May 2020.

    Hamel, Gary, and Michele Zanini. “The End of Bureaucracy.” Harvard Business Review. Nov.-Dec. 2018. Accessed 21 May 2020.

    “Number of Netflix Subscribers 2019.” Statista. Accessed 21 May 2020.

    “Spotify Users - Subscribers in 2020.” Statista. Accessed 21 May 2020.

    Establish an Effective Data Protection Plan

    • Buy Link or Shortcode: {j2store}504|cart{/j2store}
    • member rating overall impact: 9.0/10 Overall Impact
    • member rating average dollars saved: $6,850 Average $ Saved
    • member rating average days saved: 9 Average Days Saved
    • Parent Category Name: Storage & Backup Optimization
    • Parent Category Link: /storage-and-backup-optimization
    • Business requirements can be vague. Not knowing the business needs often results in overspending and overexposure to liability through data hoarding.
    • Backup options are abundant. Disk, tape, or cloud? Each has drawbacks, efficiencies, and cost factors that should be considered.
    • Backup infrastructure is never greenfield. Any organization with a history has been doing backup. Existing software was likely determined by past choices and architecture.

    Our Advice

    Critical Insight

    • Don’t let failure be your metric.
      The past is not an indication of future performance! Quantify the cost of your data being unavailable to demonstrate value to the business.
    • Stop offloading backup to your most junior staff.
      Data protection should not exist in isolation. Get key leadership involved to ensure you can meet organizational requirements.
    • A lot of data is useless. Neglecting to properly tag and classify data will lead to a costly data protection solution that protects redundant, useless, or outdated data

    Impact and Result

    • Determine the current state of your data protection strategy by identifying the pains and gains of the solution and create a business-facing diagram to present to relevant stakeholders.
    • Quantify the value of data to the business to properly understand the requirements for data protection through a business impact analysis.
    • Identify the attributes and necessary requirements for your data tiers to procure a fit-for-purpose solution.

    Establish an Effective Data Protection Plan Research & Tools

    Start here – read the Executive Brief

    Read this Executive Brief to understand why the business should be involved in your data protection plan, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Define the current state of your data protection plan

    Define the current state of your data protection practices by documenting the backup process and identifying problems and opportunities for the desired state.

    • Establish an Effective Data Protection Plan – Phase 1: Define the Current State of Your Data Protection Plan
    • Data Protection Value Proposition Canvas Template

    2. Conduct a business impact analysis to understand requirements for restoring data

    Understand the business priorities.

    • Establish an Effective Data Protection Plan – Phase 2: Conduct a Business Impact Analysis to Understand Requirements for Restoring Data
    • DRP Business Impact Analysis Tool
    • Legacy DRP Business Impact Analysis Tool
    • Data Protection Recovery Workflow

    3. Propose the future state of your data protection plan

    Determine the desired state.

    • Establish an Effective Data Protection Plan – Phase 3: Propose the Future State of Your Data Protection Plan

    4. Establish proper governance for your data protection plan

    Explore the component of governance required.

    • Establish an Effective Data Protection Plan – Phase 4: Establish Proper Governance for Your Data Protection Plan
    • Data Protection Proposal Template
    [infographic]

    Identify and Manage Financial Risk Impacts on Your Organization

    • Buy Link or Shortcode: {j2store}218|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Vendor Management
    • Parent Category Link: /vendor-management
    • As vendors become more prevalent in organizations, organizations increasingly need to understand and manage the potential financial impacts of vendors’ actions.
    • It is only a matter of time until a vendor mistake impacts your organization. Make sure you are prepared to manage the adverse financial consequences.

    Our Advice

    Critical Insight

    • Identifying and managing a vendor’s potential financial impact requires multiple people in the organization across several functions – and those people all need educating on the potential risks.
    • Organizational leadership is often unaware of decisions on organizational risk appetite and tolerance, and they assume there are more protections in place against risk impact than there truly are.

    Impact and Result

    • Vendor management practices educate organizations on the different potential financial impacts that vendors may incur and suggest systems to help manage them.
    • Prioritize and classify your vendors with quantifiable, standardized rankings.
    • Prioritize focus on your high-risk vendors.
    • Standardize your processes for identifying and monitoring vendor risks to manage financial impacts with our Financial Risk Impact Tool.

    Identify and Manage Financial Risk Impacts on Your Organization Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Identify and Manage Financial Risk Impact on Your Organization Deck – Use the research to better understand the negative financial impacts of vendor actions.

    Use this research to identify and quantify the potential financial impacts of vendors’ poor performance. Use Info-Tech’s approach to look at the financial impact from various perspectives to better prepare for issues that may arise.

    • Identify and Manage Financial Risk Impacts on Your Organization Storyboard

    2. “What If” Financial Risk Impact Tool – Use this tool to help identify and quantify the financial impacts of negative vendor actions.

    By playing the “what if” game and asking probing questions to draw out – or eliminate – possible negative outcomes, everyone involved adds their insight into parts of the organization to gather a comprehensive picture of potential impacts.

    • Financial Risk Impact Tool
    [infographic]

    Further reading

    Identify and Manage Financial Risk Impacts on Your Organization

    Good vendor management practices help organizations understand the costs of negative vendor actions.

    Analyst Perspective

    Vendor actions can have significant financial consequences for your organization.

    Photo of Frank Sewell, Research Director, Vendor Management, Info-Tech Research Group.

    Vendors are becoming more influential and essential to the operation of organizations. Often the sole risk consideration of a business is whether the vendor meets a security standard, but vendors can negatively impact organizations’ budgets in various ways. Fortunately, though inherent risk is always present, organizations can offset the financial impacts of high-risk vendors by employing due diligence in their vendor management practices to help manage the overall risks.

    Frank Sewell
    Research Director, Vendor Management
    Info-Tech Research Group

    Executive Summary

    Your Challenge

    As vendors become more prevalent in organizations, organizations increasingly need to understand and manage the potential financial impacts of vendors’ actions.

    It is only a matter of time until a vendor mistake impacts your organization. Make sure you are prepared to manage the adverse financial consequences.

    		 Common Obstacles

    Identifying and managing a vendor’s potential financial impact requires multiple people in the organization across several functions – and those people all need educating on the potential risks.

    Organizational leadership is often unaware of decisions on organizational risk appetite and tolerance, and they assume there are more protections in place against risk impact than there truly are.

    		Info-Tech’s Approach

    Vendor management practices educate organizations on the different potential financial impacts that vendors may incur and suggest systems to help manage them.

    Prioritize and classify your vendors with quantifiable, standardized rankings.

    Prioritize focus on your high-risk vendors.

    Standardize your processes for identifying and monitoring vendor risks to manage financial impacts with our Financial Risk Impact Tool.

    Info-Tech Insight

    Companies without good vendor management risk initiatives will take on more risk than they should. Solid vendor management practices are imperative –organizations must evolve to ensure that vendors deliver services according to performance objectives and that risks are managed accordingly.

    Info-Tech’s multi-blueprint series on vendor risk assessment

    There are many individual components of vendor risk beyond cybersecurity.

    Cube with each multiple colors on each face, similar to a Rubix cube, and individual components of vendor risk branching off of it: 'Financial', 'Reputational', 'Operational', 'Strategic', 'Security', and 'Regulatory & Compliance'.

    This series will focus on the individual components of vendor risk and how vendor management practices can facilitate organizations’ understanding of those risks.

    Out of scope:
    This series will not tackle risk governance, determining overall risk tolerance and appetite, or quantifying inherent risk.

    Financial risk impact

    Potential losses to the organization due to financial risks

    In this blueprint, we’ll explore financial risks and their impacts.

    Identifying negative actions is paramount to assessing the overall financial impact on your organization, starting in the due diligence phase of the vendor assessment and continuing throughout the vendor lifecycle.

    Cube with each multiple colors on each face, similar to a Rubix cube, and the vendor risk component 'Financial' highlighted.

    Unbudgeted financial risk impact

    The costs of adverse vendor actions, such as a breach or an outage, are increasing. By knowing these potential costs, leaders can calculate how to avoid them throughout the lifecycle of the relationship.

    Loss of business represents the largest share of the breach

    38%

    Avg. $1.59M    		 Global average cost of a vendor breach

    $4.2M

    		 Percentage of breaches in 2020 caused by business associates

    40.2%

    23.2% YoY
    (year over year)
    (Source: “Cost of a Data Breach Report 2021,” IBM, 2021) (Source: “Vendor Risk Management – A Growing Concern,” Stern Security, 2021)

    Example: Hospital IT System Outage

    Hospitals often rely on vendors to manage their data center environments but rarely understand the downstream financial impacts if that vendor fails to perform.

    For example, a vendor implements a patch out of cycle with no notice to the IT group. Suddenly all IT systems are down. It takes 12 hours for the IT teams to return systems to normal. The downstream impacts are substantial.

    • There is no revenue capture during outage (patient registration, payments).
      • The financial loss is significant, impacting cash on hand and jeopardizing future projects.
    • Clinicians cannot access the electronic health record (EHR) system and shift to downtime paper processes.
      • This can cause potential risks to patient health, such as unknown drug interactions.
      • This could also incur lawsuits, fines, and penalties.
    • Staff must manually add the paper records into the EHR after the incident is corrected.
      • Staff time is lost on creating paper records and overtime is required to reintroduce those records into EMR.
    • Staff time and overtime pay on troubleshooting and solving issues take away from normal operations and could cause delays, having downstream effects on the timing of other projects.

    Insight Summary

    Assessing financial impacts is an ongoing, educative, and collaborative multidisciplinary process that vendor management initiatives are uniquely designed to coordinate and manage for organizations.

    Insight 1 Vendors are becoming more and more crucial to organizations’ overall operations, and most organizations have a poor understanding of the potential impacts they represent.

    Is your vendor solvent? Do they have enough staff to accommodate your needs? Has their long-term planning been affected by changes in the market? Are they unique in their space?
    Insight 2 Financial impacts from other risk types deserve just as much focus as security alone, if not more.

    Examples include penalties and fines, loss of revenue due to operational impacts, vendor replacement costs, hidden costs in poorly understood contracts, and lack of contractual protections.
    Insight 3 There is always an inherent risk in working with a vendor, but organizations should financially quantify how much each risk may impact their budget.

    A significant concern for organizations is quantifying different types of risks. When a risk occurs, the financial losses are often poorly understood, with unbudgeted financial impacts.

    Three stages of vendor financial risk assessment

    Assess risk throughout the complete vendor lifecycle

    1. Pre-Relationship Due Diligence: The initial pre-relationship due diligence stage is a crucial point to establish risk management practices. Vendor management practices ensure that a potential vendor’s risk is categorized correctly by facilitating the process of risk assessment.
    2. Monitor & Manage: Once the relationship is in place, organizations should enact ongoing management efforts to ensure they are both getting their value from the vendor and appropriately addressing any newly identified risks.
    3. Termination: When the termination of the relationship arrives, the organization should validate that adequate protections that were established while forming a contract in the pre-relationship stage remain in place.

    Inherent risks from negative actions are pervasive throughout the entire vendor lifecycle. Collaboratively understanding those risks and working together to put proper management in place enables organizations to get the most value out of the relationship with the least amount of risk.

    Flowchart for 'Assessing Financial Risk Impacts', beginning with 'New Vendor' to 'Sourcing' to the six components of 'Vendor Management'. After a gamut of assessments such as ''What If' Game' one can either 'Accept' to move on to 'Pre-Relationship', 'Monitor & Manage', and eventually to 'Termination', or not accept and circle back to 'Sourcing'.

    Stage 1: Pre-relationship assessment

    Do these as part of your due diligence

    • Review and negotiate contract terms and conditions.
      • Ensure that you have the protections to make you whole in the event of an incident, in the event that another entity purchases the vendor, and throughout the entire lifecycle of your relationship with the vendor.
      • Make sure to negotiate your post-termination protections in the initial agreement.
    • Perform a due-diligence financial assessment.
      • Make sure the vendor is positioned in the market to be able to service your organization.
    • Perform an initial risk assessment.
      • Identify and understand all potential factors that may cause financial impacts to your organization.
      • Include total cost of ownership (TCO) and return of investment (ROI) as potential impact offsets.
    • Review case studies – talk to other customers.
      • Research who else has worked with the vendor to get “the good, the bad, and the ugly” stories to form a clear picture of a potential relationship with the vendor.
    • Use proofs of concept.
      • It is essential to know how the vendor and their solutions will work in the environment before committing resources and to incorporate them into organizational strategic plans.
    • Limit vendors’ ability to increase costs over the years. It is not uncommon for a long-term relationship to become more expensive than a new one over time when the increases are unmanaged.
    • Vendor audits can be costly and a significant distraction to your staff. Make sure to contractually limit them.
    • Many vendors enjoy significant revenue from unclear deliverables and vague expectations that lead to change requests at unknown rates – clarifying expectations and deliverables and demanding negotiated rate sheets before engagement will save budget and strengthen the relationship.

    Visit Info-Tech’s VMO ROI Calculator and Tracker

    The “what if” game

    1-3 hours

    Input: List of identified potential risk scenarios scored by likelihood and financial impact, List of potential management of the scenarios to reduce the risk

    Output: Comprehensive financial risk profile on the specific vendor solution

    Materials: Whiteboard/flip charts, Financial Risk Impact Tool to help drive discussion

    Participants: Vendor Management – Coordinator, IT Operations, Legal/Compliance/Risk Manager, Finance/Procurement

    Vendor management professionals are in an excellent position to collaboratively pull together resources across the organization to determine potential risks. By playing the “what if” game and asking probing questions to draw out – or eliminate – possible negative outcomes, everyone involved adds their insight into parts of the organization to gather a comprehensive picture of potential impacts.

    1. Break into smaller groups (or if too small, continue as a single group).
    2. Use the Financial Risk Impact Tool to prompt discussion on potential risks. Keep this discussion flowing organically to explore all potential risks but manage the overall process to keep the discussion on track.
    3. Collect the outputs and ask the subject matter experts for management options for each one in order to present a comprehensive risk strategy. You will use this to educate senior leadership so that they can make an informed decision to accept or reject the solution.

    Download the Financial Risk Impact Tool

    Stage 2.1: Monitor the financial risk

    Ongoing monitoring activities

    Never underestimate the value of keeping the relationship moving forward.

    Examples of items and activities to monitor include;

    		Stock photo of a worker being trained on a computer.
    • Fines
    • Data leaks
    • Performance
    • Credit monitoring
    • Viability/solvency
    • Resource capacity
    • Operational impacts
    • Regulatory penalties
    • Increases in premiums
    • Security breaches (infrastructure)

    Info-Tech Insight

    Many organizations do not have the resources to dedicate to annual risk assessments of all vendors.

    Consider timing ongoing risk assessments to align with contract renewal, when you have the most leverage with the vendor.

    		Visit Info-Tech’s Risk Register Tool

    Stage 2.2: Manage the financial risk

    During the lifecycle of the vendor relationship

    • Renew risk assessments annually.
    • Focus your efforts on highly ranked risks.
    • Is there a new opportunity to negotiate?
    • Identify and classify individual vendor risk.
    • Are there better existing contracts in place?
    • Review financial health checks at the same time.
    • Monitor and schedule contract renewals and new service/module negotiations.
    • Perform business alignment meetings to reassess the relationship.
    • Ongoing operational meetings should be supplemental, dealing with day-to-day issues.
    • Develop performance metrics and hold vendors accountable to established service levels.
    		 Stock image of a professional walking an uneven line over the words 'Risk Management'.

    Stage 3: Termination

    An essential and often overlooked part of the vendor lifecycle is the relationship after termination

    • The risk of a vendor keeping your data for “as long as they want” is high.
      • Data retention becomes a “forever risk” in today’s world of cyber issues if you do not appropriately plan.
    • Ensure that you always know where data resides and where people are allowed to access that data.
      • If there is a regulatory need to house data only in specific locations, ensure that it is explicit in agreements.
    • Protect your data through language in initial agreements that covers what needs to happen when the relationship with the vendor terminates.
      • Typically, all the data that the vendor has retained is returned and/or destroyed at your sole discretion.
    		 Stock image of a sign reading 'Closure'.

    Related Info-Tech Research

    Stock photo of two co-workers laughing. Design and Build an Effective Contract Lifecycle Management Process
    • Achieve measurable savings in contract time processing, financial risk avoidance, and dollar savings
    • Understand how to identify and mitigate risk to save the organization time and money.
    Stock image of reports and file folders. Identify and Reduce Agile Contract Risk
    • Manage Agile contract risk by selecting the appropriate level of protections for an Agile project.
    • Focus on the correct contract clauses to manage Agile risk.
    Stock photo of three co-workers gathered around a computer screen. Jump Start Your Vendor Management Initiative
    • Vendor management must be an IT strategy. Solid vendor management is an imperative – IT organizations must develop capabilities to ensure that services are delivered by vendors according to service level objectives and that risks are mitigated according to the organization's risk tolerance.
    • Gain visibility into your IT vendor community. Understand how much you spend with each vendor and rank their criticality and risk to focus on the vendors you should be concentrating on for innovative solutions.

    Break Open Your DAM With Intuitive Metadata

    • Buy Link or Shortcode: {j2store}389|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Data Management
    • Parent Category Link: /data-management
    • Organizations are facing challenges from explosive information growth in both volume and complexity, as well as the need to use more new sources of information for social media just to remain in business.
    • A lot of content can be created quickly, but managing those digital assets properly through metadata tagging that will be used consistently and effectively requires processes to be in place to create standardized and informational metadata at the source of content creation.
    • Putting these processes in place changes the way the organization handles its information, which may generate pushback, and requires socialization and proper management of the metadata strategy.

    Our Advice

    Critical Insight

    • Metadata is an imperative part of the organizations broader information management strategy. Some may believe that metadata is not needed anymore; Google search is not a magic act – it relies on information tagging that reflects cultural sentiment.
    • Metadata should be pliable. It needs to grow with the changing cultural and corporate vernacular and knowledge, and adapt to changing needs.
    • Build a map for your metadata before you dig for buried treasure. Implement metadata standards and processes for current digital assets before chasing after your treasure troves of existing artifacts.

    Impact and Result

    • Create a sustainable and effective digital asset management (DAM) program by understanding Info-Tech’s DAM framework and how the framework fits within your organization for better management of key digital assets.
    • Create an enterprise-wide metadata design principles handbook to keep track of metadata schemas and standards, as well as communicate the standards to the entire organization.
    • Gather requirements for your DAM program, as well as the DAM system and roles, by interviewing key stakeholders and identifying prevalent pains and opportunities. Understand where digital assets are created, used, and stored throughout the enterprise to gain a high-level perspective of DAM requirements.
    • Identify the organization’s current state of metadata management along with the target state, identify the gaps, and then define solutions to fill those gaps. Ensure business initiatives are woven into the mix.
    • Create a comprehensive roadmap to prioritize initiatives and delineate responsibilities.

    Break Open Your DAM With Intuitive Metadata Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should develop a digital asset management program focused on metadata, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Build a foundation for your DAM project

    Gain an in-depth understanding of what digital asset management is as well as how it is supported by Info-Tech’s DAM framework.

    • Break Open Your DAM With Intuitive Metadata – Phase 1: Build a Foundation for Your DAM Project
    • DAM Design Principles Handbook
    • Where in the World Is My Digital Asset? Tool
    • Digital Asset Inventory Tool
    • DAM Requirements Gathering Tool

    2. Dive into the DAM strategy

    Create a metadata program execution strategy and assess current and target states for the organization’s DAM.

    • Break Open Your DAM With Intuitive Metadata – Phase 2: Dive Into the DAM Strategy
    • DAM Roadmap Tool
    • DAM Metadata Execution Strategy Document

    3. Create intuitive metadata for your DAM

    Design a governance plan for ongoing DAM and metadata management.

    • Break Open Your DAM With Intuitive Metadata – Phase 3: Create Intuitive Metadata for Your Digital Assets
    • Metadata Manager Tool
    [infographic]

    Workshop: Break Open Your DAM With Intuitive Metadata

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Structure the Metadata Project

    The Purpose

    Develop a foundation of knowledge regarding DAM and metadata, as well as the best practices for organizing the organization’s information and digital assets for ideal findability.

    Key Benefits Achieved

    Design standardized processes for metadata creation and digital asset management to help to improve findability of key assets.

    Gain knowledge of how DAM can benefit both IT and the business.

    Activities

    1.1 Build a DAM and metadata knowledge foundation.

    1.2 Kick-start creation of the organization’s DAM design principles handbook.

    1.3 Interview key business units to understand drivers for the program.

    1.4 Develop a DAM framework.

    Outputs

    DAM Design Principles Handbook

    DAM Execution Strategy Document

    2 Assess Requirements for the DAM Program

    The Purpose

    Inventory the organization’s key digital assets and their repositories.

    Gather the organization’s requirements for a full-time digital asset librarian, as well as the DAM system.  

    Key Benefits Achieved

    Determine clear and specific requirements for the organization from the DAM system and the people involved.

    Activities

    2.1 Conduct a digital asset inventory to identify key assets to include in DAM.

    2.2 Prioritize digital assets to determine their risk and value to ensure appropriate support through the information lifecycle.

    2.3 Determine the requirements of the business and IT for the DAM system and its metadata.

    Outputs

    Digital Asset Inventory Tool

    DAM Requirements Gathering Tool

    3 Design Roadmap and Plan Implementation

    The Purpose

    Determine strategic initiatives and create a roadmap outlining key steps required to get the organization to start enabling data-driven insights.

    Determine timing of the initiatives. 

    Key Benefits Achieved

    Establish a clear direction for the DAM program.

    Build a step-by-step outline of how to create effective metadata with true business-IT collaboration.

    Have prioritized initiatives with dependencies mapped out.

    Activities

    3.1 Assess current and target states of DAM in the organization.

    3.2 Brainstorm and document practical initiatives to close the gap.

    3.3 Discuss strategies rooted in business requirements to execute the metadata management program to improve findability of digital assets.

    Outputs

    DAM Roadmap Tool

    4 Establish Metadata Governance

    The Purpose

    Identify the roles required for effective DAM and metadata management.

    Create sample metadata according to established guiding principles and implement a feedback method to create intuitive metadata in the organization. 

    Key Benefits Achieved

    Metadata management is an ongoing project. Implementing it requires user input and feedback, which governance will help to support.

    By integrating metadata governance with larger information or data governance bodies, DAM and metadata management will gain sustainability. 

    Activities

    4.1 Discuss and assign roles and responsibilities for initiatives identified in the roadmap.

    4.2 Review policy requirements for the information assets in the organization and strategies to address enforcement.

    4.3 Integrate the governance of metadata into larger governance committees.

    Outputs

    DAM Execution Strategy

    Build Your Security Operations Program From the Ground Up

    • Buy Link or Shortcode: {j2store}263|cart{/j2store}
    • member rating overall impact: 9.7/10 Overall Impact
    • member rating average dollars saved: $56,299 Average $ Saved
    • member rating average days saved: 43 Average Days Saved
    • Parent Category Name: Security Processes & Operations
    • Parent Category Link: /security-processes-and-operations
    • Analysts cannot monitor and track events coming from multiple tools because they have no visibility into the threat environment.
    • Incident management takes away time from problem management because processes are ad hoc and the continuous monitoring, collection, and analysis of massive volumes of security event data is responsive rather than tactical.
    • Organizations are struggling to defend against and prevent threats while juggling business, compliance, and consumer obligations.

    Our Advice

    Critical Insight

    • Security operations is no longer a center but a process. The need for a physical security hub has evolved into the virtual fusion of prevention, detection, analysis, and response efforts. When all four functions operate as a unified process, your organization will be able to proactively combat changes in the threat landscape.
    • Raw data without correlation is a waste of time, money, and effort. A SIEM on its own will not provide this contextualization and needs configuration. Prevention, detection, analysis, and response processes must contextualize threat data and supplement one another – true value will only be realized once all four functions operate as a unified process.
    • If you are not communicating, then you are not secure. Collaboration eliminates siloed decisions by connecting people, processes, and technologies. You leave less room for error, consume fewer resources, and improve operational efficiency with a transparent security operations process.

    Impact and Result

    • A centralized security operations process actively transforms security events and threat information into actionable intelligence, driving security prevention, detection, analysis, and response processes that address the increasing sophistication of cyberthreats while guiding continuous improvement.
    • This blueprint will walk through the steps of developing a flexible and systematic security operations program relevant to your organization.

    Build Your Security Operations Program From the Ground Up Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should build a security operations program, review Info-Tech’s methodology, and understand the ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Establish your foundation

    Determine how to establish the foundation of your security operations.

    • Build Your Security Operations Program From the Ground Up – Phase 1: Establish Your Foundation
    • Information Security Pressure Analysis Tool

    2. Assess your current state

    Assess the maturity of your prevention, detection, analysis, and response processes.

    • Build Your Security Operations Program From the Ground Up – Phase 2: Assess Your Current State
    • Security Operations Roadmap Tool

    3. Design your target state

    Design a target state and improve your governance and policy solutions.

    • Build Your Security Operations Program From the Ground Up – Phase 3: Design Your Target State
    • Security Operations Policy

    4. Develop an implementation roadmap

    Make your case to the board and develop a roadmap for your prioritized security initiatives.

    • Build Your Security Operations Program From the Ground Up – Phase 4: Develop an Implementation Roadmap
    • In-House vs. Outsourcing Decision-Making Tool
    • Security Operations MSSP RFP Template
    • Security Operations Project Charter Template
    • Security Operations RACI Tool
    • Security Operations Metrics Summary Document
    [infographic]

    Workshop: Build Your Security Operations Program From the Ground Up

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Establish Your Foundation

    The Purpose

    Identify security obligations and the security operations program’s pressure posture.

    Assess current people, process, and technology capabilities.

    Determine foundational controls and complete system and asset inventory.

    Key Benefits Achieved

    Identified the foundational elements needed for planning before a security operations program can be built

    Activities

    1.1 Define your security obligations and assess your security pressure posture.

    1.2 Determine current knowledge and skill gaps.

    1.3 Shine a spotlight on services worth monitoring.

    1.4 Assess and document your information system environment.

    Outputs

    Customized security pressure posture

    Current knowledge and skills gaps

    Log register of essential services

    Asset management inventory

    2 Assess Current Security Operations Processes

    The Purpose

    Identify the maturity level of existing security operations program processes.

    Key Benefits Achieved

    Current maturity assessment of security operations processes

    Activities

    2.1 Assess the current maturity level of the existing security operations program processes.

    Outputs

    Current maturity assessment

    3 Design a Target State

    The Purpose

    Design your optimized target state.

    Improve your security operations processes with governance and policy solutions.

    Identify and prioritize gap initiatives.

    Key Benefits Achieved

    A comprehensive list of initiatives to reach ideal target state

    Optimized security operations with repeatable and standardized policies

    Activities

    3.1 Complete standardized policy templates.

    3.2 Map out your ideal target state.

    3.3 Identify gap initiatives.

    Outputs

    Security operations policies

    Gap analysis between current and target states

    List of prioritized initiatives

    4 Develop an Implementation Roadmap

    The Purpose

    Formalize project strategy with a project charter.

    Determine your sourcing strategy for in-house or outsourced security operations processes.

    Assign responsibilities and complete an implementation roadmap.

    Key Benefits Achieved

    An overarching and documented strategy and vision for your security operations

    A thorough rationale for in-house or outsourced security operations processes

    Assigned and documented responsibilities for key projects

    Activities

    4.1 Complete a security operations project charter.

    4.2 Determine in-house vs. outsourcing rationale.

    4.3 Identify dependencies of your initiatives and prioritize initiatives in phases of implementation.

    4.4 Complete a security operations roadmap.

    Outputs

    Security operations project charter

    In-house vs. outsourcing rationale

    Initiatives organized according to phases of development

    Planned and achievable security operations roadmap

    Build an Application Integration Strategy

    • Buy Link or Shortcode: {j2store}198|cart{/j2store}
    • member rating overall impact: 8.0/10 Overall Impact
    • member rating average dollars saved: After each Info-Tech experience, we ask our members to quantify the real-time savings, monetary impact, and project improvements our research helped them achieve.
    • member rating average days saved: Read what our members are saying
    • Parent Category Name: Enterprise Integration
    • Parent Category Link: /enterprise-integration
    • Even though organizations are now planning for Application Integration (AI) in their projects, very few have developed a holistic approach to their integration problems resulting in each project deploying different tactical solutions.
    • Point-to-point and ad hoc integration solutions won’t cut it anymore: the cloud, big data, mobile, social, and new regulations require more sophisticated integration tooling.
    • Loosely defined AI strategies result in point solutions, overlaps in technology capabilities, and increased maintenance costs; the correlation between business drivers and technical solutions is lost.

    Our Advice

    Critical Insight

    • Involving the business in strategy development will keep them engaged and align business drivers with technical initiatives.
    • An architectural approach to AI strategy is critical to making appropriate technology decisions and promoting consistency across AI solutions through the use of common patterns.
    • Get control of your AI environment with an appropriate architecture, including policies and procedures, before end users start adding bring-your-own-integration (BYOI) capabilities to the office.

    Impact and Result

    • Engage in a formal AI strategy and involve the business when aligning business goals with AI value; each double the AI success rate.
    • Benefits from a formal AI strategy largely depend on how gaps will be filled.
    • Create an Integration Center of Competency for maintaining architectural standards and guidelines.
    • AI strategies are continuously updated as new business drivers emerge from changing business environments and/or essential technologies.

    Build an Application Integration Strategy Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Make the Case for AI Strategy

    Obtain organizational buy-in and build a standardized and formal AI blueprint.

    • Storyboard: Build an Application Integration Strategy

    2. Assess the organization's readiness for AI

    Assess your people, process, and technology for AI readiness and realize areas for improvement.

    • Application Integration Readiness Assessment Tool

    3. Develop a Vision

    Fill the required AI-related roles to meet business requirements

    • Application Integration Architect
    • Application Integration Specialist

    4. Perform a Gap Analysis

    Assess the appropriateness of AI in your organization and identify gaps in people, processes, and technology as it relates to AI.

    • Application Integration Appropriateness Assessment Tool

    5. Build an AI Roadmap

    Compile the important information and artifacts to include in the AI blueprint.

    • Application Integration Strategy Template

    6. Build the Integration Blueprint

    Keep a record of services and interfaces to reduce waste.

    • Integration Service Catalog Template

    Infographic

    Workshop: Build an Application Integration Strategy

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Make the Case for AI Strategy

    The Purpose

    Uncover current and future AI business drivers, and assess current capabilities.

    Key Benefits Achieved

    Perform a current state assessment and create a future vision.

    Activities

    1.1 Identify Current and Future Business Drivers

    1.2 AI Readiness Assessment

    1.3 Integration Service Catalog Template

    Outputs

    High-level groupings of AI strategy business drivers.

    Determine the organization’s readiness for AI, and identify areas for improvement.

    Create a record of services and interfaces to reduce waste.

    2 Know Current Environment

    The Purpose

    Identify building blocks, common patterns, and decompose them.

    Key Benefits Achieved

    Develop an AI Architecture.

    Activities

    2.1 Integration Principles

    2.2 High-level Patterns

    2.3 Pattern decomposition and recomposition

    Outputs

    Set general AI architecture principles.

    Categorize future and existing interactions by pattern to establish your integration framework.

    Identification of common functional components across patterns.

    3 Perform a Gap Analysis

    The Purpose

    Analyze the gaps between the current and future environment in people, process, and technology.

    Key Benefits Achieved

    Uncover gaps between current and future capabilities and determine if your ideal environment is feasible.

    Activities

    3.1 Gap Analysis

    Outputs

    Identify gaps between the current environment and future AI vision.

    4 Build a Roadmap for Application Integration

    The Purpose

    Define strategic initiatives, know your resource constraints, and use a timeline for planning AI.

    Key Benefits Achieved

    Create a plan of strategic initiatives required to close gaps.

    Activities

    4.1 Identify and prioritize strategic initiatives

    4.2 Distribute initiatives on a timeline

    Outputs

    Use strategic initiatives to build the AI strategy roadmap.

    Establish when initiatives are going to take place.

    Quality Management

    • Buy Link or Shortcode: {j2store}45|cart{/j2store}
    • Related Products: {j2store}45|crosssells{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Service Planning and Architecture
    • Parent Category Link: /service-planning-and-architecture
    • byline: Be proactive; it costs exponentially more to fix a problem the longer it goes unnoticed.
    Drive efficiency and agility with right-sized quality management

    Release management

    • Buy Link or Shortcode: {j2store}9|cart{/j2store}
    • Related Products: {j2store}9|crosssells{/j2store}
    • Up-Sell: {j2store}9|upsells{/j2store}
    • member rating overall impact: 10.0/10
    • member rating average dollars saved: $35,731
    • member rating average days saved: 20
    • Parent Category Name: Infra and Operations
    • Parent Category Link: /infra-and-operations
    • byline: Stabilize your deployments via excellent release management.
    Today's world requires frequent and fast deployments. Stay in control with release management.

    Establish Data Governance – APAC Edition

    • Buy Link or Shortcode: {j2store}348|cart{/j2store}
    • member rating overall impact: 10.0/10 Overall Impact
    • member rating average dollars saved: $172,999 Average $ Saved
    • member rating average days saved: 63 Average Days Saved
    • Parent Category Name: Data Management
    • Parent Category Link: /data-management
    • Organisations are faced with challenges associated with changing data landscapes, evolving business models, industry disruptions, regulatory and compliance obligations, and changing and maturing user landscapes and demands for data.
    • Although the need for a data governance program is often evident, organisations miss the mark when their data governance efforts are not directly aligned to delivering measurable business value by supporting key strategic initiatives, value streams, and their underlying business capabilities.

    Our Advice

    Critical Insight

    • Your organisation’s value streams and the associated business capabilities require effectively governed data. Without this, you face the impact of elevated operational costs, missed opportunities, eroded stakeholder satisfaction, and exposure to increased business risk.
    • Ensure your data governance program delivers measurable business value by aligning the associated data governance initiatives with the business architecture.
    • Data governance must continuously align with the organisation’s enterprise governance function. It should not be perceived as an IT pet project, but rather as a business-driven initiative.

    Impact and Result

    Info-Tech’s approach to establishing and sustaining effective data governance is anchored in the strong alignment of organisational value streams and their business capabilities with key data governance dimensions and initiatives.

    • Align with enterprise governance, business strategy and organizational value streams to ensure the program delivers measurable business value.
    • Understand your current data governance capabilities and build out a future state that is right sized and relevant.
    • Define data governance leadership, accountability, and responsibility, supported by an operating model that effectively manages change and communication and fosters a culture of data excellence.

    Establish Data Governance – APAC Edition Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Data Governance Research – A step-by-step document to ensure that the people handling the data are involved in the decisions surrounding data usage, data quality, business processes, and change implementation.

    Data governance is a strategic program that will help your organisation control data by managing the people, processes, and information technology needed to ensure that accurate and consistent data policies exist across varying lines of the business, enabling data-driven insight. This research will provide an overview of data governance and its importance to your organization, assist in making the case and securing buy-in for data governance, identify data governance best practices and the challenges associated with them, and provide guidance on how to implement data governance best practices for a successful launch.

    • Establish Data Governance – Phases 1-3 – APAC

    2. Data Governance Planning and Roadmapping Workbook – A structured tool to assist with establishing effective data governance practices.

    This workbook will help your organisation understand the business and user context by leveraging your business capability map and value streams, developing data use cases using Info-Tech's framework for building data use cases, and gauging the current state of your organisation's data culture.

    • Data Governance Planning and Roadmapping Workbook – APAC

    3. Data Use Case Framework Template – An exemplar template to highlight and create relevant use cases around the organisation’s data-related problems and opportunities.

    This business needs gathering activity will highlight and create relevant use cases around data-related problems or opportunities that are clear and contained and, if addressed, will deliver value to the organisation. This template provides a framework for data requirements and a mapping methodology for creating use cases.

    • Data Use Case Framework Template – APAC

    4. Data Governance Initiative Planning and Roadmap Tool – A visual roadmapping tool to assist with establishing effective data governance practices.

    This tool will help your organisation plan the sequence of activities, capture start dates and expected completion dates, and create a roadmap that can be effectively communicated to the organisation.

    • Data Governance Initiative Planning and Roadmap Tool – APAC

    5. Business Data Catalogue – A comprehensive template to help you to document the key data assets that are to be governed based on in-depth business unit interviews, data risk/value assessments, and a data flow diagram for the organisation.

    Use this template to document information about key data assets such as data definition, source system, possible values, data sensitivity, data steward, and usage of the data.

    • Business Data Catalogue – APAC

    6. Data Governance Program Charter Template – A program charter template to sell the importance of data governance to senior executives.

    This template will help get the backing required to get a data governance project rolling. The program charter will help communicate the project purpose, define the scope, and identify the project team, roles, and responsibilities.

    • Data Governance Program Charter Template – APAC

    7. Data Policies – A set of policy templates to support the data governance framework for the organisation.

    This set of policies supports the organisation's use and management of data to ensure that it efficiently and effectively serves the needs of the organisation.

    • Data Governance Policy – APAC
    • Data Classification Policy, Standard, and Procedure – APAC
    • Data Quality Policy, Standard, and Procedure – APAC
    • Data Management Definitions – APAC
    • Metadata Management Policy, Standard, and Procedure – APAC
    • Data Retention Policy and Procedure – APAC
    [infographic]

    Workshop: Establish Data Governance – APAC Edition

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Establish Business Context and Value

    The Purpose

    Identify key business data assets that need to be governed.

    Create a unifying vision for the data governance program.

    Key Benefits Achieved

    Understand the value of data governance and how it can help the organisation better leverage its data.

    Gain knowledge of how data governance can benefit both IT and the business.

    Activities

    1.1 Establish business context, value, and scope of data governance at the organisation.

    1.2 Introduction to Info-Tech’s data governance framework.

    1.3 Discuss vision and mission for data governance.

    1.4 Understand your business architecture, including your business capability map and value streams.

    1.5 Build use cases aligned to core business capabilities.

    Outputs

    Sample use cases (tied to the business capability map) and a repeatable use case framework

    Vision and mission for data governance

    2 Understand Current Data Governance Capabilities and Plot Target-State Levels

    The Purpose

    Assess which data contains value and/or risk and determine metrics that will determine how valuable the data is to the organisation.

    Assess where the organisation currently stands in data governance initiatives.

    Determine gaps between the current and future states of the data governance program.

    Key Benefits Achieved

    Gain a holistic understanding of organisational data and how it flows through business units and systems.

    Identify which data should fall under the governance umbrella.

    Determine a practical starting point for the program.

    Activities

    2.1 Understand your current data governance capabilities and maturity.

    2.2 Set target-state data governance capabilities.

    Outputs

    Current state of data governance maturity

    Definition of target state

    3 Build Data Domain to Data Governance Role Mapping

    The Purpose

    Determine strategic initiatives and create a roadmap outlining key steps required to get the organisation to start enabling data-driven insights.

    Determine timing of the initiatives.

    Key Benefits Achieved

    Establish clear direction for the data governance program.

    Step-by-step outline of how to create effective data governance, with true business-IT collaboration.

    Activities

    3.1 Evaluate and prioritise performance gaps.

    3.2 Develop and consolidate data governance target-state initiatives.

    3.3 Define the role of data governance: data domain to data governance role mapping.

    Outputs

    Target-state data governance initiatives

    Data domain to data governance role mapping

    4 Formulate a Plan to Get to Your Target State

    The Purpose

    Consolidate the roadmap and other strategies to determine the plan of action from day one.

    Create the required policies, procedures, and positions for data governance to be sustainable and effective.

    Key Benefits Achieved

    Prioritised initiatives with dependencies mapped out.

    A clearly communicated plan for data governance that will have full business backing.

    Activities

    4.1 Identify and prioritise next steps.

    4.2 Define roles and responsibilities and complete a high-level RACI.

    4.3 Wrap-up and discuss next steps and post-workshop support.

    Outputs

    Initialised roadmap

    Initialised RACI

    Further reading

    Establish Data Governance

    Deliver measurable business value.

    Analyst Perspective

    Establish a data governance program that brings value to your organisation.

    Picture of analyst

    Data governance does not sit as an island on its own in the organisation – it must align with and be driven by your enterprise governance. As you build out data governance in your organisation, it's important to keep in mind that this program is meant to be an enabling framework of oversight and accountabilities for managing, handling, and protecting your company's data assets. It should never be perceived as bureaucratic or inhibiting to your data users. It should deliver agreed-upon models that are conducive to your organisation's operating culture, offering clarity on who can do what with the data and via what means. Data governance is the key enabler for bringing high-quality, trusted, secure, and discoverable data to the right users across your organisation. Promote and drive the responsible and ethical use of data while helping to build and foster an organisational culture of data excellence.

    Crystal Singh

    Director, Research & Advisory, Data & Analytics Practice

    Info-Tech Research Group

    Executive Summary

    Your Challenge

    The amount of data within organisations is growing at an exponential rate, creating a need to adopt a formal approach to governing data. However, many organisations remain uninformed on how to effectively govern their data. Comprehensive data governance should define leadership, accountability, and responsibility related to data use and handling and be supported by a well-oiled operating model and relevant policies and procedures. This will help ensure the right data gets to the right people at the right time, using the right mechanisms.

    Common Obstacles

    Organisations are faced with challenges associated with changing data landscapes, evolving business models, industry disruptions, regulatory and compliance obligations, and changing and maturing user landscape and demand for data. Although the need for a data governance program is often evident, organisations miss the mark when their data governance efforts are not directly aligned to delivering measurable business value. Initiatives should support key strategic initiatives, as well as value streams and their underlying business capabilities.

    Info-Tech's Approach

    Info-Tech's approach to establishing and sustaining effective data governance is anchored in the strong alignment of organisational value streams and their business capabilities with key data governance dimensions and initiatives. Organisations should:

    • Align their data governance with enterprise governance, business strategy and value streams to ensure the program delivers measurable business value.
    • Understand their current data governance capabilities so as to build out a future state that is right-sized and relevant.
    • Define data leadership, accountability, and responsibility. Support these with an operating model that effectively manages change and communication and fosters a culture of data excellence.

    Info-Tech Insight

    Your organisation's value streams and the associated business capabilities require effectively governed data. Without this, you face elevated operating costs, missed opportunities, eroded stakeholder satisfaction, and increased business risk.

    Your challenge

    This research is designed to help organisations build and sustain an effective data governance program.

    • Your organisation has recognised the need to treat data as a corporate asset for generating business value and/or managing and mitigating risk.
    • This has brought data governance to the forefront and highlighted the need to build a performance-driven enterprise program for delivering quality, trusted, and readily consumable data to users.
    • An effective data governance program is one that defines leadership, accountability. and responsibility related to data use and handling. It's supported by a well-oiled operating model and relevant policies and procedures, all of which help build and foster a culture of data excellence where the right users get access to the right data at the right time via the right mechanisms.

    As you embark on establishing data governance in your organisation, it's vital to ensure from the get-go that you define the drivers and business context for the program. Data governance should never be attempted without direction on how the program will yield measurable business value.

    'Data processing and cleanup can consume more than half of an analytics team's time, including that of highly paid data scientists, which limits scalability and frustrates employees.' – Petzold, et al., 2020

    Image is a circle graph and 30% of it is coloured with the number 30% in the middle of the graph

    'The productivity of employees across the organisation can suffer.' – Petzold, et al., 2020

    Respondents to McKinsey's 2019 Global Data Transformation Survey reported that an average of 30% of their total enterprise time was spent on non-value-added tasks because of poor data quality and availability. – Petzold, et al., 2020

    Common obstacles

    Some of the barriers that make data governance difficult to address for many organisations include:

    • Gaps in communicating the strategic value of data and data governance to the organisation. This is vital for securing senior leadership buy-in and support, which, in turn, is crucial for sustained success of the data governance program.
    • Misinterpretation or a lack of understanding about data governance, including what it means for the organisation and the individual data user.
    • A perception that data governance is inhibiting or an added layer of bureaucracy or complication rather than an enabling and empowering framework for stakeholders in their use and handling of data.
    • Embarking on data governance without firmly substantiating and understanding the organisational drivers for doing so. How is data governance going to support the organisation's value streams and their various business capabilities?
    • Neglecting to define and measure success and performance. Just as in any other enterprise initiative, you have to be able to demonstrate an ROI for time, resources and funding. These metrics must demonstrate the measurable business value that data governance brings to the organisation.
    • Failure to align data governance with enterprise governance.
    Image is a circle graph and 78% of it is coloured with the number 78% in the middle of the graph

    78% of companies (and 92% of top-tier companies) have a corporate initiative to become more data-driven. – Alation, 2020.

    Image is a circle graph and 58% of it is coloured with the number 58% in the middle of the graph

    But despite these ambitions, there appears to be a 'data culture disconnect' – 58% of leaders overestimate the current data culture of their enterprises, giving a grade higher than the one produced by the study. – Fregoni, 2020.

    The strategic value of data

    Power intelligent and transformative organisational performance through leveraging data.

    Respond to industry disruptors

    Optimise the way you serve your stakeholders and customers

    Develop products and services to meet ever-evolving needs

    Manage operations and mitigate risk

    Harness the value of your data

    The journey to being data-driven

    The journey to declaring that you are a data-driven organisation requires a pit stop at data enablement.

    The Data Economy

    Data Disengaged

    You have a low appetite for data and rarely use data for decision making.

    Data Enabled

    Technology, data architecture, and people and processes are optimised and supported by data governance.

    Data Driven

    You are differentiating and competing on data and analytics; described as a 'data first' organisation. You're collaborating through data. Data is an asset.

    Data governance is essential for any organisation that makes decisions about how it uses its data.

    Data governance is an enabling framework of decision rights, responsibilities, and accountabilities for data assets across the enterprise.

    Data governance is:

    • Executed according to agreed-upon models that describe who can take what actions with what information, when, and using what methods (Olavsrud, 2021).
    • True business-IT collaboration that will lead to increased consistency and confidence in data to support decision making. This, in turn, helps fuel innovation and growth.

    If done correctly, data governance is not:

    • An annoying, finger-waving roadblock in the way of getting things done.
    • Meant to solve all data-related business or IT problems in an organisation.
    • An inhibitor or impediment to using and sharing data.

    Info-Tech's Data Governance Framework

    An image of Info-Tech's Data Governance Framework

    Create impactful data governance by embedding it within enterprise governance

    A model is depicted to show the relationship between enterprise governance and data governance.

    Organisational drivers for data governance

    Data governance personas:

    Conformance: Establishing data governance to meet regulations and compliance requirements.

    Performance: Establishing data governance to fuel data-driven decision making for driving business value and managing and mitigating business risk.

    Two images are depicted that show the difference between conformance and performance.

    Data Governance is not a one-person show

    • Data governance needs a leader and a home. Define who is going to be leading, driving, and steering data governance in your organisation.
    • Senior executive leaders play a crucial role in championing and bringing visibility to the value of data and data governance. This is vital for building and fostering a culture of data excellence.
    • Effective data governance comes with business and IT alignment, collaboration, and formally defined roles around data leadership, ownership, and stewardship.
    Four circles are depicted. There is one person in the circle on the left and is labelled: Data Governance Leadership. The circle beside it has two people in it and labelled: Organisational Champions. The circle beside it has three people in it and labelled: Data Owners, Stewards & Custodians. The last circle has four people in it and labelled: The Organisation & Data Storytellers.

    Traditional data governance organisational structure

    A traditional structure includes committees and roles that span across strategic, tactical, and operational duties. There is no one-size-fits-all data governance structure. However, most organisations follow a similar pattern when establishing committees, councils, and cross-functional groups. Most organisations strive to identify roles and responsibilities at a strategic and operational level. Several factors will influence the structure of the program, such as the focus of the data governance project and the maturity and size of the organisation.

    A triangular model is depicted and is split into three tiers to show the traditional data governance organisational structure.

    A healthy data culture is key to amplifying the power of your data.

    'Albert Einstein is said to have remarked, "The world cannot be changed without changing our thinking." What is clear is that the greatest barrier to data success today is business culture, not lagging technology.' – Randy Bean, 2020

    What does it look like?

    • Everybody knows the data.
    • Everybody trusts the data.
    • Everybody talks about the data.

    'It is not enough for companies to embrace modern data architectures, agile methodologies, and integrated business-data teams, or to establish centres of excellence to accelerate data initiatives, when only about 1 in 4 executives reported that their organisation has successfully forged a data culture.'– Randy Bean, 2020

    Data literacy is an essential part of a data-driven culture

    • In a data-driven culture, decisions are made based on data evidence, not on gut instinct.
    • Data often has untapped potential. A data-driven culture builds tools and skills, builds users' trust in the condition and sources of data, and raises the data skills and understanding among their people on the front lines.
    • Building a data culture takes an ongoing investment of time, effort, and money. This investment will not achieve the transformation you want without data literacy at the grassroots level.

    Data-driven culture = 'data matters to our company'

    Despite investments in data initiative, organisations are carrying high levels of data debt

    Data debt is 'the accumulated cost that is associated with the sub-optimal governance of data assets in an enterprise, like technical debt.'

    Data debt is a problem for 78% of organisations.

    40% of organisations say individuals within the business do not trust data insights.

    66% of organisations say a backlog of data debt is impacting new data management initiatives.

    33% of organisations are not able to get value from a new system or technology investment.

    30% of organisations are unable to become data-driven.

    Source: Experian, 2020

    Absent or sub-optimal data governance leads to data debt

    Only 3% of companies' data meets basic quality standards. (Source: Nagle, et al., 2017)

    Organisations suspect 28% of their customer and prospect data is inaccurate in some way. (Source: Experian, 2020)

    Only 51% of organisations consider the current state of their CRM or ERP data to be clean, allowing them to fully leverage it. (Source: Experian, 2020)

    35% of organisations say they're not able to see a ROI for data management initiatives. (Source: Experian, 2020)

    Embrace the technology

    Make the available data governance tools and technology work for you:

    • Data catalogue
    • Business data glossary
    • Data lineage
    • Metadata management

    While data governance tools and technologies are no panacea, leverage their automated and AI-enabled capabilities to augment your data governance program.

    Logos of data governance tools and technology.

    Measure success to demonstrate tangible business value

    Put data governance into the context of the business:

    • Tie the value of data governance and its initiatives back to the business capabilities that are enabled.
    • Leverage the KPIs of those business capabilities to demonstrate tangible and measurable value. Use terms and language that will resonate with senior leadership.

    Don't let measurement be an afterthought:

    Start substantiating early on how you are going to measure success as your data governance program evolves.

    Build a right-sized roadmap

    Formulate an actionable roadmap that is right-sized to deliver value in your organisation.

    Key considerations:

    • When building your data governance roadmap, ensure you do so through an enterprise lens. Be cognizant of other initiatives that might be coming down the pipeline that may require you to align your data governance milestones accordingly.
    • Apart from doing your planning with consideration for other big projects or launches that might be in-flight and require the time and attention of your data governance partners, also be mindful of the more routine yet still demanding initiatives.
    • When doing your roadmapping, consider factors like the organisation's fiscal cycle, typical or potential year-end demands, and monthly/quarterly reporting periods and audits. Initiatives such as these are likely to monopolise the time and focus of personnel key to delivering on your data governance milestones.

    Sample milestones:

    Data Governance Leadership & Org Structure Definition

    Define the home for data governance and other key roles around ownership and stewardship, as approved by senior leadership.

    Data Governance Charter and Policies

    Create a charter for your program and build/refresh associated policies.

    Data Culture Diagnostic

    Understand the organisation's current data culture, perception of data, value of data, and knowledge gaps.

    Use Case Build and Prioritisation

    Build a use case that is tied to business capabilities. Prioritise accordingly.

    Business Data Glossary

    Build and/or refresh the business' glossary for addressing data definitions and standardisation issues.

    Tools & Technology

    Explore the tools and technology offering in the data governance space that would serve as an enabler to the program. (e.g. RFI, RFP).

    Key takeaways for effective business-driven data governance

    Data governance leadership and sponsorship is key.

    Ensure strategic business alignment.

    Build and foster a culture of data excellence.

    Evolve along the data journey.

    Make data governance an enabler, not a hindrance.

    Insight summary

    Overarching insight

    Your organisation's value streams and the associated business capabilities require effectively governed data. Without this, you face the impact of elevated operational costs, missed opportunities, eroded stakeholder satisfaction, and exposure to increased business risk.

    Insight 1

    Data governance should not sit as an island in your organisation. It must continuously align with the organisation's enterprise governance function. It shouldn't be perceived as a pet project of IT, but rather as an enterprise-wide, business-driven initiative.

    Insight 2

    Ensure your data governance program delivers measurable business value by aligning the associated data governance initiatives with the business architecture. Leverage the measures of success or KPIs of the underlying business capabilities to demonstrate the value data governance has yielded for the organisation.

    Insight 3

    Data governance remains the foundation of all forms of reporting and analytics. Advanced capabilities such as AI and machine learning require effectively governed data to fuel their success.

    Tactical insight

    Tailor your data literacy program to meet your organisation's needs, filling your range of knowledge gaps and catering to your different levels of stakeholders. When it comes to rolling out a data literacy program, there is no one-size-fits-all solution. Your data literacy program is intended to fill the knowledge gaps about data, as they exist in your organisation. It should be targeted across the board – from your executive leadership and management through to the subject matter experts across different lines of the business in your organisation.

    Info-Tech's methodology for establishing data governance

    1. Build Business and User Context 2. Understand Your Current Data Governance Capabilities 3. Build a Target State Roadmap and Plan
    Phase Steps
    1. Substantiate Business Drivers
    2. Build High-Value Use Cases for Data Governance
    1. Understand the Key Components of Data Governance
    2. Gauge Your Organisation's Current Data Culture
    1. Formulate an Actionable Roadmap and Right-Sized Plan
    Phase Outcomes
    • Your organisation's business capabilities and value streams
    • A business capability map for your organisation
    • Categorisation of your organisation's key capabilities
    • A strategy map tied to data governance
    • High-value use cases for data governance
    • An understanding of the core components of an effective data governance program
    • An understanding your organisation's current data culture
    • A data governance roadmap and target-state plan comprising of prioritised initiatives

    Blueprint deliverables

    Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:

    Screenshot of Info-Tech's Data Governance Planning and Roadmapping Workbook data-verified=

    Data Governance Planning and Roadmapping Workbook

    Use the Data Governance Planning and Roadmapping Workbook as you plan, build, roll out, and scale data governance in your organisation.

    Screenshot of Info-Tech's Data Use Case Framework Template

    Data Use Case Framework Template

    This template takes you through a business needs gathering activity to highlight and create relevant use cases around the organisation's data-related problems and opportunities.

    Screenshot of Info-Tech's Business Data Glossary data-verified=

    Business Data Glossary

    Use this template to document the key data assets that are to be governed and create a data flow diagram for your organisation.

    Screenshot of Info-Tech's Data Culture Diagnostic and Scorecard data-verified=

    Data Culture Diagnostic and Scorecard

    Leverage Info-Tech's Data Culture Diagnostic to understand how your organisation scores across 10 areas relating to data culture.

    Key deliverable:

    Data Governance Planning and Roadmapping Workbook

    Blueprint deliverables

    Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:

    Data Governance Initiative Planning and Roadmap Tool

    Leverage this tool to assess your current data governance capabilities and plot your target state accordingly.

    This tool will help you plan the sequence of activities, capture start dates and expected completion dates, and create a roadmap that can be effectively communicated to the organisation.

    Data Governance Program Charter Template

    This template will help get the backing required to get a data governance project rolling. The program charter will help communicate the project purpose, define the scope, and identify the project team, roles, and responsibilities.

    Data Governance Policy

    This policy establishes uniformed data governance standards and identifies the shared responsibilities for assuring the integrity of the data and that it efficiently and effectively serves the needs of your organisation

    Other Deliverables:

    • Data Governance Initiative Planning and Roadmap Tool
    • Data Governance Program Charter Template
    • Data Governance Policy

    Blueprint benefits

    Defined data accountability & responsibility

    Shared knowledge & common understanding of data assets

    Elevated trust & confidence in traceable data

    Improved data ROI & reduced data debt

    Support for ethical use and handling of data in a culture of excellence

    Measure the value of this blueprint

    Leverage this blueprint's approach to ensure your data governance initiatives align and support your key value streams and their business capabilities.

    • Aligning your data governance program and its initiatives to your organisation's business capabilities is vital for tracing and demonstrating measurable business value for the program.
    • This alignment of data governance with value streams and business capabilities enables you to use business-defined KPIs and demonstrate tangible value.
    Screenshot from this blueprint on the Measurable Business Value

    In phases 1 and 2 of this blueprint, we will help you establish the business context, define your business drivers and KPIs, and understand your current data governance capabilities and strengths.

    In phase 3, we will help you develop a plan and a roadmap for addressing any gaps and improving the relevant data governance capabilities so that data is well positioned to deliver on those defined business metrics.

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    'Our team, has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.'

    Guided Implementation

    'Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keeps us on track.'

    Workshop

    'We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.'

    Consulting

    'Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.'

    Diagnostics and consistent frameworks are used throughout all four options.

    Establish Data Governance project overview

    Contact your account representative for more information. workshops@infotech.com 1-888-670-8889

    1. Build Business and User context2. Understand Your Current Data Governance Capabilities3. Build a Target State Roadmap and Plan
    Best-Practice Toolkit
    1. Substantiate Business Drivers
    2. Build High-Value Use Cases for Data Governance
    1. Understand the Key Components of Data Governance
    2. Gauge Your Organisation's Current Data Culture
    1. Formulate an Actionable Roadmap and Right-Sized Plan
    Guided Implementation
    • Call 1
    • Call 2
    • Call 3
    • Call 4
    • Call 5
    • Call 6
    • Call 7
    • Call 8
    • Call 9
    Phase Outcomes
    • Your organisation's business capabilities and value streams
    • A business capability map for your organisation
    • Categorisation of your organisation's key capabilities
    • A strategy map tied to data governance
    • High-value use cases for data governance
    • An understanding of the core components of an effective data governance program
    • An understanding your organisation's current data culture
    • A data governance roadmap and target-state plan comprising of prioritised initiatives

    Guided Implementation

    What does a typical GI on this topic look like?

    An outline of what guided implementation looks like.

    A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organisation. A typical GI is between 8 to 12 calls over the course of 4 to 6 months.

    Workshop overview

    Contact your account representative for more information. workshops@infotech.com 1-888-670-8889

    Day 1 Day 2 Day 3 Day 4
    Establish Business Context and Value Understand Current Data Governance Capabilities and Plot Target-State Levels Build Data Domain to Data Governance Role Mapping Formulate a Plan to Get to Your Target State
    Activities
    • Establish business context, value, and scope of data governance at the organisation
    • Introduction to Info-Tech's data governance framework
    • Discuss vision and mission for data governance
    • Understand your business architecture, including your business capability map and value streams
    • Build use cases aligned to core business capabilities
    • Understand your current data governance capabilities and maturity
    • Set target state data governance capabilities
    • Evaluate and prioritise performance gaps
    • Develop and consolidate data governance target-state initiatives
    • Define the role of data governance: data domain to data governance role mapping
    • Identify and prioritise next steps
    • Define roles and responsibilities and complete a high-level RACI
    • Wrap-up and discuss next steps and post-workshop support
    Deliverables
    1. Sample use cases (tied to the business capability map) and a repeatable use case framework
    2. Vision and mission for data governance
    1. Current state of data governance maturity
    2. Definition of target state
    1. Target-state data governance initiatives
    2. Data domain to data governance role mapping
    1. Initialised roadmap
    2. Initialised RACI
    3. Completed Business Data Glossary (BDG)

    Phase 1

    Build Business and User Context

    Three circles are in the image that list the three phases and the main steps. Phase 1 is highlighted.

    'When business users are invited to participate in the conversation around data with data users and IT, it adds a fundamental dimension — business context. Without a real understanding of how data ties back to the business, the value of analysis and insights can get lost.' – Jason Lim, Alation

    This phase will guide you through the following activities:

    • Identify Your Business Capabilities
    • Define your Organisation's Key Business Capabilities
    • Develop a Strategy Map that Aligns Business Capabilities to Your Strategic Focus

    This phase involves the following participants:

    • Data Governance Leader/Data Leader (CDO)
    • Senior Business Leaders
    • Business SMEs
    • Data Leadership, Data Owners, Data Stewards and Custodians

    Step 1.1

    Substantiate Business Drivers

    Activities

    1.1.1 Identify Your Business Capabilities

    1.1.2 Categorise Your Organisation's Key Business Capabilities

    1.1.3 Develop a Strategy Map Tied to Data Governance

    This step will guide you through the following activities:

    • Leverage your organisation's existing business capability map or initiate the formulation of a business capability map, guided by Info-Tech's approach
    • Determine which business capabilities are considered high priority by your organisation
    • Map your organisation's strategic objectives to value streams and capabilities to communicate how objectives are realised with the support of data

    Outcomes of this step

    • A foundation for data governance initiative planning that's aligned with the organisation's business architecture: value streams, business capability map, and strategy map

    Info-Tech Insight

    Gaining a sound understanding of your business architecture (value streams and business capabilities) is a critical foundation for establishing and sustaining a data governance program that delivers measurable business value.

    1.1.1 Identify Your Business Capabilities

    Confirm your organisation's existing business capability map or initiate the formulation of a business capability map:

    1. If you have an existing business capability map, meet with the relevant business owners/stakeholders to confirm that the content is accurate and up to date. Confirm the value streams (how your organisation creates and captures value) and their business capabilities are reflective of the organisation's current business environment.
    2. If you do not have an existing business capability map, follow this activity to initiate the formulation of a map (value streams and related business capabilities):
      1. Define the organisation's value streams. Meet with senior leadership and other key business stakeholders to define how your organisation creates and captures value.
      2. Define the relevant business capabilities. Meet with senior leadership and other key business stakeholders to define the business capabilities.

    Note: A business capability defines what a business does to enable value creation. Business capabilities are business terms defined using descriptive nouns such as 'Marketing' or 'Research and Development.' They represent stable business functions, are unique and independent of each other, and typically will have a defined business outcome.

    Input

    • List of confirmed value streams and their related business capabilities

    Output

    • Business capability map with value streams for your organisation

    Materials

    • Your existing business capability map or the template provided in the Data Governance Planning and Roadmapping Workbook accompanying this blueprint

    Participants

    • Key business stakeholders
    • Data stewards
    • Data custodians
    • Data Governance Working Group

    For more information, refer to Info-Tech's Document Your Business Architecture.

    Define or validate the organisation's value streams

    Value streams connect business goals to the organisation's value realisation activities. These value realisation activities, in turn, depend on data.

    If the organisation does not have a business architecture function to conduct and guide Activity 1.1.1, you can leverage the following approach:

    • Meet with key stakeholders regarding this topic, then discuss and document your findings.
    • When trying to identify the right stakeholders, consider: Who are the decision makers and key influencers? Who will impact this piece of business architecture related work? Who has the relevant skills, competencies, experience, and knowledge about the organisation?
    • Engage with these stakeholders to define and validate how the organisation creates value.
    • Consider:
      • Who are your main stakeholders? This will depend on the industry in which you operate. For example, customers, residents, citizens, constituents, students, patients.
      • What are your stakeholders looking to accomplish?
      • How does your organisation's products and/or services help them accomplish that?
      • What are the benefits your organisation delivers to them and how does your organisation deliver those benefits?
      • How do your stakeholders receive those benefits?

    Align data governance to the organisation's value realisation activities.

    Value streams enable the organisation to create or capture value in the market in which it operates by engaging in a set of interconnected activities.

    Info-Tech Insight

    Your organisation's value streams and the associated business capabilities require effectively governed data. Without this, you face the possibilities of elevated operational costs, missed opportunities, eroded stakeholder satisfaction, negative impact to reputation and brand, and/or increased exposure to business risk.

    Example of value streams – Retail Banking

    Value streams connect business goals to the organisation's value realisation activities.

    Example value stream descriptions for: Retail Banking

    Value streams enable the organisation to create or capture value in the market in which it operates by engaging in a set of interconnected activities.

    Model example of value streams for retail banking.

    For this value stream, download Info-Tech's Info-Tech's Industry Reference Architecture for Retail Banking.

    Example of value streams – Higher Education

    Value streams connect business goals to the organisation's value realisation activities.

    Example value stream descriptions for: Higher Education

    Value streams enable the organisation to create or capture value in the market in which it operates by engaging in a set of interconnected activities.

    Model example of value streams for higher education

    For this value stream, download Info-Tech's Industry Reference Architecture for Higher Education.

    Example of value streams – Local Government

    Value streams connect business goals to the organisation's value realisation activities.

    Example value stream descriptions for: Local Government

    Value streams enable the organisation to create or capture value in the market in which it operates by engaging in a set of interconnected activities.

    Model example of value streams for local government

    For this value stream, download Info-Tech's Industry Reference Architecture for Local Government.

    Example of value streams – Manufacturing

    Value streams connect business goals to the organisation's value realisation activities.

    Example value stream descriptions for: Manufacturing

    Value streams enable the organisation to create or capture value in the market in which it operates by engaging in a set of interconnected activities.

    Model example of value streams for manufacturing

    For this value stream, download Info-Tech's Industry Reference Architecture for Manufacturing.

    Example of value streams – Retail

    Value streams connect business goals to the organisation's value realisation activities.

    Example value stream descriptions for: Retail

    Model example of value streams for retail

    Value streams enable the organisation to create or capture value in the market in which it operates by engaging in a set of interconnected activities.

    For this value stream, download Info-Tech's Industry Reference Architecture for Retail.

    Define the organisation's business capabilities in a business capability map

    A business capability defines what a business does to enable value creation. Business capabilities represent stable business functions and typically will have a defined business outcome.

    Business capabilities can be thought of as business terms defined using descriptive nouns such as 'Marketing' or 'Research and Development.'

    If your organisation doesn't already have a business capability map, you can leverage the following approach to build one. This initiative requires a good understanding of the business. By working with the right stakeholders, you can develop a business capability map that speaks a common language and accurately depicts your business.

    Working with the stakeholders as described above:

    • Analyse the value streams to identify and describe the organisation's capabilities that support them.
    • Consider: What is the objective of your value stream? (This can highlight which capabilities support which value stream.)
    • As you initiate your engagement with your stakeholders, don't start a blank page. Leverage the examples on the next slides as a starting point for your business capability map.
    • When using these examples, consider: What are the activities that make up your particular business? Keep the ones that apply to your organisation, remove the ones that don't, and add any needed.

    Align data governance to the organisation's value realisation activities.

    Info-Tech Insight

    A business capability map can be thought of as a visual representation of your organisation's business capabilities and hence represents a view of what your data governance program must support.

    For more information, refer to Info-Tech's Document Your Business Architecture.

    Example business capability map – Retail Banking

    A business capability map can be thought of as a visual representation of your organisation's business capabilities and hence represents a view of what your data governance program must support.

    Validate your business capability map with the right stakeholders, including your executive team, business unit leaders, and/or other key stakeholders.

    Info-Tech Tip:

    Leverage your business capability map verification session with these key stakeholders as a prime opportunity to share and explain the role of data and data governance in supporting the very value realisation capabilities under discussion. This will help to build awareness and visibility of the data governance program.

    Example business capability map for: Retail Banking

    Model example business capability map for retail banking

    For this business capability map, download Info-Tech's Industry Reference Architecture for Retail Banking.

    Example business capability map – Higher Education

    A business capability map can be thought of as a visual representation of your organisation's business capabilities and hence represents a view of what your data governance program must support.

    Validate your business capability map with the right stakeholders, including your executive team, business unit leaders, and/or other key stakeholders.

    Info-Tech Tip:

    Leverage your business capability map verification session with these key stakeholders as a prime opportunity to share and explain the role of data and data governance in supporting the very value realisation capabilities under discussion. This will help to build awareness and visibility of the data governance program.

    Example business capability map for: Higher Education

    Model example business capability map for higher education

    For this business capability map, download Info-Tech's Industry Reference Architecture for Higher Education.

    Example business capability map – Local Government

    A business capability map can be thought of as a visual representation of your organisation's business capabilities and hence represents a view of what your data governance program must support.

    Validate your business capability map with the right stakeholders, including your executive team, business unit leaders, and/or other key stakeholders.

    Info-Tech Tip:

    Leverage your business capability map verification session with these key stakeholders as a prime opportunity to share and explain the role of data and data governance in supporting the very value realisation capabilities under discussion. This will help to build awareness and visibility of the data governance program.

    Example business capability map for: Local Government

    Model example business capability map for local government

    For this business capability map, download Info-Tech's Industry Reference Architecture for Local Government.

    Example business capability map – Manufacturing

    A business capability map can be thought of as a visual representation of your organisation's business capabilities and hence represents a view of what your data governance program must support.

    Validate your business capability map with the right stakeholders, including your executive team, business unit leaders, and/or other key stakeholders.

    Info-Tech Tip:

    Leverage your business capability map verification session with these key stakeholders as a prime opportunity to share and explain the role of data and data governance in supporting the very value realisation capabilities under discussion. This will help to build awareness and visibility of the data governance program.

    Example business capability map for: Manufacturing

    Model example business capability map for manufacturing

    For this business capability map, download Info-Tech's Industry Reference Architecture for Manufacturing.

    Example business capability map - Retail

    A business capability map can be thought of as a visual representation of your organisation's business capabilities and hence represents a view of what your data governance program must support.

    Validate your business capability map with the right stakeholders, including your executive team, business unit leaders, and/or other key stakeholders.

    Info-Tech Tip:

    Leverage your business capability map verification session with these key stakeholders as a prime opportunity to share and explain the role of data and data governance in supporting the very value realisation capabilities under discussion. This will help to build awareness and visibility of the data governance program.

    Example business capability map for: Retail

    Model example business capability map for retail

    For this business capability map, download Info-Tech's Industry Reference Architecture for Retail.

    1.1.2 Categorise Your Organisation's Key Capabilities

    Determine which capabilities are considered high priority in your organisation.

    1. Categorise or heatmap the organisation's key capabilities. Consult with senior and other key business stakeholders to categorise and prioritise the business' capabilities. This will aid in ensuring your data governance future state planning is aligned with the mandate of the business. One approach to prioritising capabilities with business stakeholders is to examine them through the lens of cost advantage creators, competitive advantage differentiators, and/or by high value/high risk.
    2. Identify cost advantage creators. Focus on capabilities that drive a cost advantage for your organisation. Highlight these capabilities and prioritise programs that support them.
    3. Identify competitive advantage differentiators. Focus on capabilities that give your organisation an edge over rivals or other players in your industry.

    This categorisation/prioritisation exercise helps highlight prime areas of opportunity for building use cases, determining prioritisation, and the overall optimisation of data and data governance.

    Input

    • Strategic insight from senior business stakeholders on the business capabilities that drive value for the organisation

    Output

    • Business capabilities categorised and prioritised (e.g. cost advantage creators, competitive advantage differentiators, high value/high risk)

    Materials

    • Your existing business capability map or the business capability map derived in the previous activity

    Participants

    • Key business stakeholders
    • Data stewards
    • Data custodians
    • Data Governance Working Group

    For more information, refer to Info-Tech's Document Your Business Architecture.

    Example of business capabilities categorisation or heatmapping – Retail

    This exercise is useful in ensuring the data governance program is focused and aligned to support the priorities and direction of the business.

    • Depending on the mandate from the business, priority may be on developing cost advantage. Hence the capabilities that deliver efficiency gains are the ones considered to be cost advantage creators.
    • The business' priority may be on maintaining or gaining a competitive advantage over its industry counterparts. Differentiation might be achieved in delivering unique or enhanced products, services, and/or experiences, and the focus will tend to be on the capabilities that are more end-stakeholder-facing (e.g. customer-, student-, patient,- and/or constituent-facing). These are the organisation's competitive advantage creators.

    Example: Retail

    Example of business capabilities categorisation or heatmapping – Retail

    For this business capability map, download Info-Tech's Industry Reference Architecture for Retail.

    1.1.3 Develop a Strategy Map Tied to Data Governance

    Identify the strategic objectives for the business. Knowing the key strategic objectives will drive business-data governance alignment. It's important to make sure the right strategic objectives of the organisation have been identified and are well understood.

    1. Meet with senior business leaders and other relevant stakeholders to help identify and document the key strategic objectives for the business.
    2. Leverage their knowledge of the organisation's business strategy and strategic priorities to visually represent how these map to value streams, business capabilities, and, ultimately, to data and data governance needs and initiatives. Tip: Your map is one way to visually communicate and link the business strategy to other levels of the organisation.
    3. Confirm the strategy mapping with other relevant stakeholders.

    Guide to creating your map: Starting with strategic objectives, map the value streams that will ultimately drive them. Next, link the key capabilities that enable each value stream. Then map the data and data governance to initiatives that support those capabilities. This is one approach to help you prioritise the data initiatives that deliver the most value to the organisation.

    Input

    • Strategic objectives as outlined by the organisation's business strategy and confirmed by senior leaders

    Output

    • A strategy map that maps your organisational strategic objectives to value streams, business capabilities, and, ultimately, to data program

    Materials

    Participants

    • Key business stakeholders
    • Data stewards
    • Data custodians
    • Data Governance Working Group

    Download Info-Tech's Data Governance Planning and Roadmapping Workbook

    Example of a strategy map tied to data governance

    • Strategic objectives are the outcomes that the organisation is looking to achieve.
    • Value streams enable an organisation to create and capture value in the market through interconnected activities that support strategic objectives.
    • Business capabilities define what a business does to enable value creation in value streams.
    • Data capabilities and initiatives are descriptions of action items on the data and data governance roadmap and which will enable one or multiple business capabilities in its desired target state.

    Info-Tech Tip:

    Start with the strategic objectives, then map the value streams that will ultimately drive them. Next, link the key capabilities that enable each value stream. Then map the data and data governance initiatives that support those capabilities. This process will help you prioritise the data initiatives that deliver the most value to the organisation.

    Example: Retail

    Example of a strategy map tied to data governance for retail

    For this strategy map, download Info-Tech's Industry Reference Architecture for Retail.

    Step 1.2

    Build High-Value Use Cases for Data Governance

    Activities

    1.2.1 Build High-Value Use Cases

    This step will guide you through the following activities:

    • Leveraging your categorised business capability map to conduct deep-dive sessions with key business stakeholders for creating high-value uses cases
    • Discussing current challenges, risks, and opportunities associated with the use of data across the lines of business
    • Exploring which other business capabilities, stakeholder groups, and business units will be impacted

    Outcomes of this step

    • Relevant use cases that articulate the data-related challenges, needs, or opportunities that are clear and contained and, if addressed ,will deliver value to the organisation

    Info-Tech Tip

    One of the most important aspects when building use cases is to ensure you include KPIs or measures of success. You have to be able to demonstrate how the use case ties back to the organisational priorities or delivers measurable business value. Leverage the KPIs and success factors of the business capabilities tied to each particular use case.

    1.2.1 Build High-Value Use Cases

    This business needs-gathering activity will highlight and create relevant use cases around data-related problems or opportunities that are clear and contained and, if addressed, will deliver value to the organisation.

    1. Bring together key business stakeholders (data owner, stewards, SMEs) from a particular line of business as well as the relevant data custodian(s) to build cases for their units. Leverage the business capability map you created for facilitating this act.
    2. Leverage Info-Tech's framework for data requirements and methodology for creating use cases, as outlined in the Data Use Case Framework Template and seen on the next slide.
    3. Have the stakeholders move through each breakout session outlined in the Use Case Worksheet. Use flip charts or a whiteboard to brainstorm and document their thoughts.
    4. Debrief and document results in the Data Use Case Framework Template.
    5. Repeat this exercise with as many lines of the business as possible, leveraging your business capability map to guide your progress and align with business value.

    Tip: Don't conclude these use case discussions without substantiating what measures of success will be used to demonstrate the business value of the effort to produce the desired future state, as relevant to each particular use case.

    This business needs-gathering activity will highlight and create relevant use cases around data-related problems or opportunities that are clear and contained and, if addressed, will deliver value to the organisation.

    1. Bring together key business stakeholders (data owner, stewards, SMEs) from a particular line of business as well the relevant data custodian(s) to build cases for their units. Leverage the business capability map you created for facilitating this act.
    2. Leverage Info-Tech's framework for data requirements and methodology for creating use cases, as outlined in the Data Use Case Framework Template and seen on the next slide.
    3. Have the stakeholders move through each breakout session outlined in the Use Case Worksheet. Use flip charts or a whiteboard to brainstorm and document their thoughts.
    4. Debrief and document results in the Data Use Case Framework Template
    5. Repeat this exercise with as many lines of the business as possible, leveraging your business capability map to guide your progress and align with business value.

    Tip: Don't conclude these use case discussions without substantiating what measures of success will be used to demonstrate the business value of the effort to produce the desired future state, as relevant to each particular use case.

    Input

    • Value streams and business capabilities as defined by business leaders
    • Business stakeholders' subject area expertise
    • Data custodian systems, integration, and data knowledge

    Output

    • Use cases that articulate data-related challenges, needs or opportunities that are tied to defined business capabilities and hence if addressed will deliver measurable value to the organisation.

    Materials

    • Your business capability map from activity 1.1.1
    • Info-Tech's Data Use Case Framework Template
    • Whiteboard or flip charts (or shared screen if working remotely)
    • Markers/pens

    Participants

    • Key business stakeholders
    • Data stewards and business SMEs
    • Data custodians
    • Data Governance Working Group

    Download Info-Tech's Data Use Case Framework Template

    Info-Tech's Framework for Building Use Cases

    Objective: This business needs-gathering activity will highlight and create relevant use cases around data-related problems or opportunities that are clear and contained and, if addressed, will deliver value to the organisation.

    Leveraging your business capability map, build use cases that align with the organisation's key business capabilities.

    Consider:

    • Is the business capability a cost advantage creator or an industry differentiator?
    • Is the business capability currently underserved by data?
    • Does this need to be addressed? If so, is this risk- or value-driven?

    Info-Tech's Data Requirements and Mapping Methodology for Creating Use Cases

    1. What business capability (or capabilities) is this use case tied to for your business area(s)?
    2. What are your data-related challenges in performing this today?
    3. What are the steps in this process/activity today?
    4. What are the applications/systems used at each step today?
    5. What data domains are involved, created, used, and/or transformed at each step today?
    6. What does an ideal or improved state look like?
    7. What other business units, business capabilities, activities, and/or processes will be impacted or improved if this issue was solved?
    8. Who are the stakeholders impacted by these changes? Who needs to be consulted?
    9. What are the risks to the organisation (business capability, revenue, reputation, customer loyalty, etc.) if this is not addressed?
    10. What compliance, regulatory, and/or policy concerns do we need to consider in any solution?
    11. What measures of success or change should we use to prove the value of the effort (such as KPIs, ROI)? What is the measurable business value of doing this?

    The resulting use cases are to be prioritised and leveraged for informing the business case and the data governance capabilities optimisation plan.

    Taken from Info-Tech's Data Use Case Framework Template

    Phase 2

    Understand Your Current Data Governance Capabilities

    Three circles are in the image that list the three phases and the main steps. Phase 2 is highlighted.

    This phase will guide you through the following activities:

    • Understand the Key Components of Data Governance
    • Gauge Your Organisation's Current Data Culture

    This phase involves the following participants:

    • Data Leadership
    • Data Ownership & Stewardship
    • Policies & Procedures
    • Data Literacy & Culture
    • Operating Model
    • Data Management
    • Data Privacy & Security
    • Enterprise Projects & Services

    Step 2.1

    Understand the Key Components of Data Governance

    This step will guide you through the following activities:

    • Understanding the core components of an effective data governance program and determining your organisation's current capabilities in these areas:
      • Data Leadership
      • Data Ownership & Stewardship
      • Policies & Procedures
      • Data Literacy & Culture
      • Operating Model
      • Data Management
      • Data Privacy & Security
      • Enterprise Projects & Services

    Outcomes of this step

    • An understanding of the core components of an effective data governance program
    • An understanding your organisation's current data governance capabilities

    Leverage Info-Tech's: Data Governance Initiative Planning and Roadmap Tool to assess your current data governance capabilities and plot your target state accordingly.

    This tool will help your organisation plan the sequence of activities, capture start dates and expected completion dates, and create a roadmap that can be effectively communicated to the organisation.

    Review: Info-Tech's Data Governance Framework

    An image of Info-Tech's Data Governance Framework

    Key components of data governance

    A well-defined data governance program will deliver:

    • Defined accountability and responsibility for data.
    • Improved knowledge and common understanding of the organisation's data assets.
    • Elevated trust and confidence in traceable data.
    • Improved data ROI and reduced data debt.
    • An enabling framework for supporting the ethical use and handling of data.
    • A foundation for building and fostering a data-driven and data-literate organisational culture.

    The key components of establishing sustainable enterprise data governance, taken from Info-Tech's Data Governance Framework:

    • Data Leadership
    • Data Ownership & Stewardship
    • Operating Model
    • Policies & Procedures
    • Data Literacy & Culture
    • Data Management
    • Data Privacy & Security
    • Enterprise Projects & Services

    Data Leadership

    • Data governance needs a dedicated head or leader to steer the organisation's data governance program.
    • For organisations that do have a chief data officer (CDO), their office is the ideal and effective home for data governance.
    • Heads of data governance also have titles such as director of data governance, director of data quality, and director of analytics.
    • The head of your data governance program works with all stakeholders and partners to ensure there is continuous enterprise governance alignment and oversight and to drive the program's direction.
    • While key stakeholders from the business and IT will play vital data governance roles, the head of data governance steers the various components, stakeholders, and initiatives, and provides oversight of the overall program.
    • Vital data governance roles include: data owners, data stewards, data custodians, data governance steering committee (or your organisation's equivalent), and any data governance working group(s).

    The role of the CDO: the voice of data

    The office of the chief data officer (CDO):

    • Has a cross-organisational vision and strategy for data.
    • Owns and drives the data strategy; ensures it supports the overall organisational strategic direction and business goals.
    • Leads the organisational data initiatives, including data governance
    • Is accountable for the policy, strategy, data standards, and data literacy necessary for the organisation to operate effectively.
    • Educates users and leaders about what it means to be 'data-driven.'
    • Builds and fosters a culture of data excellence.

    'Compared to most of their C-suite colleagues, the CDO is faced with a unique set of problems. The role is still being defined. The chief data officer is bringing a new dimension and focus to the organisation: "data." '
    – Carruthers and Jackson, 2020

    Who does the CDO report to?

    Example reporting structure.
    • The CDO should be a true C- level executive.
    • Where the organisation places the CDO role in the structure sends an important signal to the business about how much it values data.

    'The title matters. In my opinion, you can't have a CDO without executive authority. Otherwise no one will listen.'

    – Anonymous European CDO

    'The reporting structure depends on who's the 'glue' that ties together all these uniquely skilled individuals.'

    – John Kemp, Senior Director, Executive Services, Info-Tech Research Group

    Data Ownership & Stewardship

    Who are best suited to be data owners?

    • Wherever they may sit in your organisation, data owners will typically have the highest stake in that data.
    • Data owners needs to be suitably senior and have the necessary decision-making power.
    • They have the highest interest in the related business data domain, whether they are the head of a business unit or the head of a line of business that produces data or consumes data (or both).
    • If they are neither of these, it's unlikely they will have the interest in the data (in terms of its quality, protection, ethical use, and handling, for instance) necessary to undertake and adopt the role effectively.

    Data owners are typically senior business leaders with the following characteristics:

    • Positioned to accept accountability for their data domain.
    • Hold authority and influence to affect change, including across business processes and systems, needed to improve data quality, use, handling, integration, etc.
    • Have access to a budget and resources for data initiatives such as resolving data quality issues, data cleansing initiatives, business data catalogue build, related tools and technology, policy management, etc.
    • Hold the influence needed to drive change in behaviour and culture.
    • Act as ambassadors of data and its value as an organisational strategic asset.

    Right-size your data governance organisational structure

    • Most organisations strive to identify roles and responsibilities at a strategic, and operational level. Several factors will influence the structure of the program such as the focus of the data governance project as well as the maturity and size of the organisation.
    • Your data governance structure has to work for your organisation, and it has to evolve as the organisation evolves.
    • Formulate your blend of data governance roles, committees, councils, and cross-functional groups, that make sense for your organisation.
    • Your data governance organisational structure should not add complexity or bureaucracy to your organisation's data landscape; it should support and enable your principle of treating data as an asset.

    There is no one-size-fits-all data governance organisational structure.

    Example of a Data Governance Organisational Structure

    Critical roles and responsibilities for data governance

    Data Governance Working Groups

    Data governance working groups:

    • Are cross-functional teams
    • Deliver on data governance projects, initiatives, and ad hoc review committees.

    Data Stewards

    Traditionally, data stewards:

    • Serve on an operational level addressing issues related to adherence to standards/procedures, monitoring data quality, raising issues identified, etc.
    • Are responsible for managing access, quality, escalating issues, etc.

    Data Custodians

    • Traditionally, data custodians:
    • Serve on an operational level addressing issues related to data and database administration.
    • Support the management of access, data quality, escalating issues, etc.
    • Are SMEs from IT and database administration.

    Example: Business capabilities to data owner and data stewards mapping for a selected data domain

    Info-Tech Insight

    Your organisation's value streams and the associated business capabilities require effectively governed data. Without this, you face elevated operational costs, missed opportunities, eroded stakeholder satisfaction, and exposure to increased business risk.

    Enabling business capabilities with data governance role definitions

    Example: Business capabilities to data owner and data stewards mapping for a selected data domain

    Operating Model

    Your operating model is the key to designing and operationalizing a form of data governance that delivers measurable business value to your organisation.

    'Generate excitement for data: When people are excited and committed to the vision of data enablement, they're more likely to help ensure that data is high quality and safe.' – Petzold, et al., 2020

    Operating Model

    Defining your data governance operating model will help create a well-oiled program that sustainably delivers value to the organisation and manages risks while building and fostering a culture of data excellence along the way. Some organisations are able to establish a formal data governance office, whether independent or attached to the office of the chief data officer. Regardless of how you are organised, data governance requires a home, a leader, and an operating model to ensure its sustainability and evolution.

    Examples of focus areas for your operating model:

    • Delivery: While there are core tenets to every data governance program, there is a level of variability in the implementation of data governance programs across organisations, sectors, and industries. Every organisation has its own particular drivers and mandates, so the level and rigour applied will also vary.

      • The key is to determine what style will work best in your organisation, taking into consideration your organisational culture, executive leadership support (present and ongoing), catalysts such as other enterprise-wide transformative and modernisation initiatives, and/or regulatory and compliances drivers.

    • Communication: Communication is vital across all levels and stakeholder groups. For instance, there needs to be communication from the data governance office up to senior leadership, as well as communication within the data governance organisation, which is typically made up of the data governance steering committee, data governance council, executive sponsor/champion, data stewards, and data custodians and working groups.

      • Furthermore, communication with the wider organisation of data producers, users, and consumers is one of the core elements of the overall data governance communications plan.

    Communication is vital for ensuring acceptance of new processes, rules, guidelines, and technologies by all data producers and users as well as for sharing success stories of the program.

    Operating Model

    Tie the value of data governance and its initiatives back to the business capabilities that are enabled.

    'Leading organisations invest in change management to build data supporters and convert the sceptics. This can be the most difficult part of the program, as it requires motivating employees to use data and encouraging producers to share it (and ideally improve its quality at the source)[.]' – Petzold, et al., 2020

    Operating Model

    Examples of focus areas for your operating model (continued):

    • Change management and issue resolution: Data governance initiatives will very likely bring about a level of organisational disruption, with governance recommendations and future state requiring potentially significant business change. This may include a redesign of a substantial number of data processes affecting various business units, which will require tweaking the organisation's culture, thought processes, and procedures surrounding its data.

      • Preparing people for change well in advance will allow them to take the steps necessary to adapt and reduce potential confrontation. By planning for and efficiently communicating any changes that a data governance initiative may bring, many initial issues can be resolved from the outset.

      Attempting to implement change without an effective communications plan can result in disagreements over data control and stalemates between stakeholder units. The recommendations of the governance group must reflect the needs of all stakeholders or there will be pushback.

    • Performance measuring, monitoring and reporting: Measuring and reporting on performance, successes, and realisation of tangible business value are a must for sustaining, growing, and scaling your data governance program.

      • Aligning your data governance to the organisation's value realisation activities enables you to leverage the KPIs of those business capabilities to demonstrate tangible and measurable value. Use terms and language that will resonate with your senior business leadership.

    Info-Tech Tip:

    Launching a data governance program will bring with it a level of disruption to the culture of the organisation. That disruption doesn't have to be detrimental if you are prepared to manage the change proactively and effectively.

    Policies, Procedures & Standards

    'Data standards are the rules by which data are described and recorded. In order to share, exchange, and understand data, we must standardise the format as well as the meaning.' – U.S. Geological Survey

    Policies, Procedures & Standards

    • When defining, updating, or refreshing your data policies, procedures, and standards, ensure they are relevant, serve a purpose, and/or support the use of data in the organisation.
    • Avoid the common pitfall of building out a host of policies, procedures, and standards that are never used or followed by users and therefore don't bring value or serve to mitigate risk for the organisation.
    • Data policies can be thought of as formal statements and are typically created, approved, and updated by the organisation's data decision-making body (such as a data governance steering committee).
    • Data standards and procedures function as actions, or rules, that support the policies and their statements.
    • Standards and procedures are designed to standardise the processes during the overall data lifecycle. Procedures are instructions to achieve the objectives of the policies. The procedures are iterative and will be updated with approval from your data governance committee as needed.
    • Your organisation's data policies, standards, and procedures should not bog down or inhibit users; rather, they should enable confident data use and handling across the overall data lifecycle. They should support more effective and seamless data capture, integration, aggregation, sharing, and retention of data in the organisation.

    Examples of data policies:

    • Data Classification Policy
    • Data Retention Policy
    • Data Entry Policy
    • Data Backup Policy
    • Data Provenance Policy
    • Data Management Policy

    See Info-Tech's Data Governance Policy Template: This policy establishes uniformed data governance standards and identifies the shared responsibilities for assuring the integrity of the data and that it efficiently and effectively serves the needs of your organisation.

    Data Domain Documentation

    Select the correct granularity for your business need

    Diagram of data domain documentation
    Sources: Dataversity; Atlan; Analytics8

    Data Domain Documentation Examples

    Data Domain Documentation Examples

    Data Culture

    'Organisational culture can accelerate the application of analytics, amplify its power, and steer companies away from risky outcomes.' – Petzold, et al., 2020

    A healthy data culture is key to amplifying the power of your data and to building and sustaining an effective data governance program.

    What does a healthy data culture look like?

    • Everybody knows the data.
    • Everybody trusts the data.
    • Everybody talks about the data.

    Building a culture of data excellence.

    Leverage Info-Tech's Data Culture Diagnostic to understand your organisation's culture around data.

    Screenshot of Data Culture Scorecard

    Contact your Info-Tech Account Representative for more information on the Data Culture Diagnostic

    Cultivating a data-driven culture is not easy

    'People are at the heart of every culture, and one of the biggest challenges to creating a data culture is bringing everyone into the fold.' – Lim, Alation

    It cannot be purchased or manufactured,

    It must be nurtured and developed,

    And it must evolve as the business, user, and data landscapes evolve.

    'Companies that have succeeded in their data-driven efforts understand that forging a data culture is a relentless pursuit, and magic bullets and bromides do not deliver results.' – Randy Bean, 2020

    Hallmarks of a data-driven culture

    There is a trusted, single source of data the whole company can draw from.

    There's a business glossary and data catalogue and users know what the data fields mean.

    Users have access to data and analytics tools. Employees can leverage data immediately to resolve a situation, perform an activity, or make a decision – including frontline workers.

    Data literacy, the ability to collect, manage, evaluate, and apply data in a critical manner, is high.

    Data is used for decision making. The company encourages decisions based on objective data and the intelligent application of it.

    A data-driven culture requires a number of elements:

    • High-quality data
    • Broad access and data literacy
    • Data-driven decision-making processes
    • Effective communication

    Data Literacy

    Data literacy is an essential part of a data-driven culture.

    • Building a data-driven culture takes an ongoing investment of time, effort, and money.
    • This investment will not realise its full return without building up the organisation's data literacy.
    • Data literacy is about filling data knowledge gaps across all levels of the organisation.
    • It's about ensuring all users – senior leadership right through to core users – are equipped with appropriate levels of training, skills, understanding, and awareness around the organisation's data and the use of associated tools and technologies. Data literacy ensures users have the data they need and they know how to interpret and leverage it.
    • Data literacy drives the appetite, demand, and consumption for data.
    • A data-literate culture is one where the users feel confident and skilled in their use of data, leveraging it for making informed or evidence-based decisions and generating insights for the organisation.

    Data Management

    • Data governance serves as an enabler to all of the core components that make up data management:
      • Data quality management
      • Data architecture management
      • Data platform
      • Data integration
      • Data operations management
      • Data risk management
      • Reference and master data management (MDM)
      • Document and content management
      • Metadata management
      • Business intelligence (BI), reporting, analytics and advanced analytics, artificial intelligence (AI), machine learning (ML)
    • Key tools such as the business data glossary and data catalogue are vital for operationalizing data governance and in supporting data management disciplines such as data quality management, metadata management, and MDM as well as BI, reporting, and analytics.

    Enterprise Projects & Services

    • Data governance serves as an enabler to enterprise projects and services that require, use, share, sell, and/or rely on data for their viability and, ultimately, their success.
    • Folding or embedding data governance into the organisation's project management function or project management office (PMO) serves to ensure that, for any initiative, suitable consideration is given to how data is treated.
    • This may include defining parameters, following standards and procedures around bringing in new sources of data, integrating that data into the organisation's data ecosystem, using and sharing that data, and retaining that data post-project completion.
    • The data governance function helps to identify and manage any ethical issues, whether at the start of the project and/or throughout.
    • It provides a foundation for asking relevant questions as it relates to the use or incorporation of data in delivering the specific project or service. Do we know where the data obtained from? Do we have rights to use that data? Are there legislations, policies, or regulations that guide or dictate how that data can be used? What are the positive effects, negative impacts, and/or risks associated with our intended use of that data? Are we positioned to mitigate those risks?
    • Mature data governance creates organisations where the above considerations around data management and the ethical use and handling of data is routinely implemented across the business and in the rollout and delivery of projects and services.

    Data Privacy & Security

    • Data governance supports the organisation's data privacy and security functions.
    • Key tools include the data classification policy and standards and defined roles around data ownership and data stewardship. These are vital for operationalizing data governance and supporting data privacy, security, and the ethical use and handling of data.
    • While some organisations may have a dedicated data security and privacy group, data governance provides an added level of oversight in this regard.
    • Some of the typical checks and balances include ensuring:
      • There are policies and procedures in place to restrict and monitor staff's access to data (one common way this is done is according to job descriptions and responsibilities) and that these comply with relevant laws and regulations.
      • There's a data classification scheme in place where data has been classified on a hierarchy of sensitivity (e.g. top secret, confidential, internal, limited, public).
      • The organisation has a comprehensive data security framework, including administrative, physical, and technical procedures for addressing data security issues (e.g. password management and regular training).
      • Risk assessments are conducted, including an evaluation of risks and vulnerabilities related to intentional and unintentional misuse of data.
      • Policies and procedures are in place to mitigate the risks associated with incidents such as data breaches.
      • The organisation regularly audits and monitors its data security.

    Ethical Use & Handling of Data

    Data governance will support your organisation's ethical use and handling of data by facilitating definition around important factors, such as:

    • What are the various data assets in the organisation and what purpose(s) can they be used for? Are there any limitations?
    • Who is the related data owner? Who holds accountability for that data? Who will be answerable?
    • Where was the data obtained from? What is the intended use of that data? Do you have rights to use that data? Are there legislations, policies, or regulations that guide or dictate how that data can be used?
    • What are the positive effects, negative impacts, and/or risks associated with the use of that data?

    Ethical Use & Handling of Data

    • Data governance serves as an enabler to the ethical use and handling of an organisation's data.
    • The Open Data Institute (ODI) defines data ethics as: 'A branch of ethics that evaluates data practices with the potential to adversely impact on people and society – in data collection, sharing and use.'
    • Data ethics relates to good practice around how data is collected, used and shared. It's especially relevant when data activities have the potential to impact people and society, whether directly or indirectly (Open Data Institute, 2019).
    • A failure to handle and use data ethically can negatively impact an organisation's direct stakeholders and/or the public at large, lead to a loss of trust and confidence in the organisation's products and services, lead to financial loss, and impact the organisation's brand, reputation, and legal standing.
    • Data governance plays a vital role is building and managing your data assets, knowing what data you have, and knowing the limitations of that data. Data ownership, data stewardship, and your data governance decision-making body are key tenets and foundational components of your data governance. They enable an organisation to define, categorise, and confidently make decisions about its data.

    Step 2.2

    Gauge Your Organisation's Current Data Culture

    Activities

    2.2.1 Gauge Your Organisation's Current Data Culture

    This step will guide you through the following activities:

    • Conduct a data culture survey or leverage Info-Tech's Data Culture Diagnostic to increase your understanding of your organisation's data culture

    Outcomes of this step

    • An understanding of your organisational data culture

    2.2.1 Gauge Your Organisation's Current Data Culture

    Conduct a Data Culture Survey or Diagnostic

    The objectives of conducting a data culture survey are to increase the understanding of the organisation's data culture, your users' appetite for data, and their appreciation for data in terms of governance, quality, accessibility, ownership, and stewardship. To perform a data culture survey:

    1. Identify members of the data user base, data consumers, and other key stakeholders for surveying.
    2. Conduct an information session to introduce Info-Tech's Data Culture Diagnostic survey. Explain the objective and importance of the survey and its role in helping to understand the organisation's current data culture and inform the improvement of that culture.
    3. Roll out the Info-Tech Data Culture Diagnostic survey to the identified users and stakeholders.
    4. Debrief and document the results and scorecard in the Data Strategy Stakeholder Interview Guide and Findings document.

    Input

    • Email addresses of participants in your organisation who should receive the survey

    Output

    • Your organisation's Data Culture Scorecard for understanding current data culture as it relates to the use and consumption of data
    • An understanding of whether data is currently perceived to be an asset to the organisation

    Materials

    Screenshot of Data Culture Scorecard

    Participants

    • Participants include those at the senior leadership level through to middle management, as well as other business stakeholders at varying levels across the organisation
    • Data owners, stewards, and custodians
    • Core data users and consumers

    Contact your Info-Tech Account Representative for details on launching a Data Culture Diagnostic.

    Phase 3

    Build a Target State Roadmap and Plan

    Three circles are in the image that list the three phases and the main steps. Phase 3 is highlighted.

    'Achieving data success is a journey, not a sprint. Companies that set a clear course, with reasonable expectations and phased results over a period of time, get to the destination faster.' – Randy Bean, 2020

    This phase will guide you through the following activities:

    • Build your Data Governance Roadmap
    • Develop a target state plan comprising of prioritised initiatives

    This phase involves the following participants:

    • Data Governance Leadership
    • Data Owners/Data Stewards
    • Data Custodians
    • Data Governance Working Group(s)

    Step 3.1

    Formulate an Actionable Roadmap and Right-Sized Plan

    This step will guide you through the following activities:

    • Build your data governance roadmap
    • Develop a target state plan comprising of prioritised initiatives

    Download Info-Tech's Data Governance Planning and Roadmapping Workbook

    See Info-Tech's Data Governance Program Charter Template: A program charter template to sell the importance of data governance to senior executives.

    This template will help get the backing required to get a data governance project rolling. The program charter will help communicate the project purpose, define the scope, and identify the project team, roles, and responsibilities.

    Outcomes of this step

    • A foundation for data governance initiative planning that's aligned with the organisation's business architecture: value streams, business capability map, and strategy map

    Build a right-sized roadmap

    Formulate an actionable roadmap that is right sized to deliver value in your organisation.

    Key considerations:

    • When building your data governance roadmap, ensure you do so through an enterprise lens. Be cognizant of other initiatives that might be coming down the pipeline that may require you to align your data governance milestones accordingly.
    • Apart from doing your planning with consideration for other big projects or launches that might be in-flight and require the time and attention of your data governance partners, also be mindful of the more routine yet still demanding initiatives.
    • When doing your roadmapping, consider factors like the organisation's fiscal cycle, typical or potential year-end demands, and monthly/quarterly reporting periods and audits. Initiatives such as these are likely to monopolise the time and focus of personnel key to delivering on your data governance milestones.

    Sample milestones:

    Data Governance Leadership & Org Structure Definition

    Define the home for data governance and other key roles around ownership and stewardship, as approved by senior leadership.

    Data Governance Charter and Policies

    Create a charter for your program and build/refresh associated policies.

    Data Culture Diagnostic

    Understand the organisation's current data culture, perception of data, value of data, and knowledge gaps.

    Use Case Build and Prioritisation

    Build a use case that is tied to business capabilities. Prioritise accordingly.

    Business Data Glossary/catalogue

    Build and/or refresh the business' glossary for addressing data definitions and standardisation issues.

    Tools & Technology

    Explore the tools and technology offering in the data governance space that would serve as an enabler to the program. (e.g. RFI, RFP).

    Recall: Info-Tech's Data Governance Framework

    An image of Info-Tech's Data Governance Framework

    Build an actionable roadmap

    Data Governance Leadership & Org Structure Division

    Define key roles for getting started.

    Use Case Build & Prioritisation

    Start small and then scale – deliver early wins.

    Literacy Program

    Start understanding data knowledge gaps, building the program, and delivering.

    Tools & Technology

    Make the available data governance tools and technology work for you.

    Key components of your data governance roadmap

    Data Governance Program Charter Template – A program charter template to sell the importance of data governance to senior executives.

    This template will help get the backing required to get a data governance project rolling. The program charter will help communicate the project purpose, define the scope, and identify the project team, roles, and responsibilities.

    By now, you have assessed current data governance environment and capabilities. Use this assessment, coupled with the driving needs of your business, to plot your data Governance roadmap accordingly.

    Sample data governance roadmap milestones:

    • Define data governance leadership.
    • Define and formalise data ownership and stewardship (as well as the role IT/data management will play as data custodians).
    • Build/confirm your business capability map and data domains.
    • Build business data use cases specific to business capabilities.
    • Define business measures/KPIs for the data governance program (i.e. metrics by use case that are relevant to business capabilities).
    • Data management:
      • Build your data glossary or catalogue starting with identified and prioritised terms.
      • Define data domains.
    • Design and define the data governance operating model (oversight model definition, communication plan, internal marketing such as townhalls, formulate change management plan, RFP of data governance tool and technology options for supporting data governance and its administration).
    • Data policies and procedures:
      • Formulate, update, refresh, consolidate, rationalise, and/or retire data policies and procedures.
      • Define policy management and administration framework (i.e. roll-out, maintenance, updates, adherence, system to be used).
    • Conduct Info-Tech's Data Culture Diagnostic or survey (across all levels of the organisation).
    • Define and formalise the data literacy program (build modules, incorporate into LMS, plan lunch and learn sessions).
    • Data privacy and security: build data classification policy, define classification standards.
    • Enterprise projects and services: embed data governance in the organisation's PMO, conduct 'Data Governance 101' for the PMO.

    Defining data governance roles and organisational structure at Organisation

    The approach employed for defining the data governance roles and supporting organisational structure for .

    Key Considerations:

    • The data owner and data steward roles are formally defined and documented within the organisation. Their involvement is clear, well-defined, and repeatable.
    • There are data owners and data stewards for each data domain within the organisation. The data steward role is given to someone with a high degree of subject matter expertise.
    • Data owners and data stewards are effective in their roles by ensuring that their data domain is clean and free of errors and that they protect the organisation against data loss.
    • Data owners and data stewards have the authority to make final decisions on data definitions, formats, and standard processes that apply to their respective data sets. Data owners and data stewards have authority regarding who has access to certain data.
    • Data owners and data stewards are not from the IT side of the organisation. They understand the lifecycle of the data (how it is created, curated, retrieved, used, archived, and destroyed) and they are well-versed in any compliance requirements as it relates to their data.
    • The data custodian role is formally defined and is given to the relevant IT expert. This is an individual with technical administrative and/or operational responsibility over data (e.g. a DBA).
    • A data governance steering committee exists and is comprised of well-defined roles, responsibilities, executive sponsors, business representatives, and IT experts.
    • The data governance steering committee works to provide oversight and enforce policies, procedures, and standards for governing data.
    • The data governance working group has cross-functional representation. This comprises business and IT representation, as well as project management and change management where applicable: data stewards, data custodians, business subject matter experts, PM, etc.).
    • Data governance meetings are coordinated and communicated about. The meeting agenda is always clear and concise, and meetings review pressing data-related issues. Meeting minutes are consistently documented and communicated.

    Sample: Business capabilities to data owner and data stewards mapping for a selected data domain

    Info-Tech Insight

    Your organisation's value streams and the associated business capabilities require effectively governed data. Without this, you face elevated operational costs, missed opportunities, eroded stakeholder satisfaction, and exposure to increased business risk.

    Enable business capabilities with data governance role definitions.

    Sample: Business capabilities to data owner and data stewards mapping for a selected data domain

    Consider your technology options:

    Make the available data governance tools and technology work for you:

    • Data catalogue
    • Business data glossary
    • Data lineage
    • Metadata management

    Logos of data governance tools and technology.

    These are some of the data governance tools and technology players. Check out SoftwareReviews for help making better software decisions.

    Make the data steward the catalyst for organisational change and driving data culture

    The data steward must be empowered and backed politically with decision-making authority, or the role becomes stale and powerless.

    Ensuring compliance can be difficult. Data stewards may experience pushback from stakeholders who must deliver on the policies, procedures, and processes that the data steward enforces.

    Because the data steward must enforce data processes and liaise with so many different people and departments within the organisation, the data steward role should be their primary full-time job function – where possible.

    However, in circumstances where budget doesn't allow a full-time data steward role, develop these skills within the organisation by adding data steward responsibilities to individuals who are already managing data sets for their department or line of business.

    Info-Tech Tip

    A stewardship role is generally more about managing the cultural change that data governance brings. This requires the steward to have exceptional interpersonal skills that will assist in building relationships across departmental boundaries and ensuring that all stakeholders within the organisation believe in the initiative, understand the anticipated outcomes, and take some level of responsibility for its success.

    Changes to organisational data processes are inevitable; have a communication plan in place to manage change

    Create awareness of your data governance program. Use knowledge transfer to get as many people on board as possible.

    Data governance initiatives must contain a strong organisational disruption component. A clear and concise communication strategy that conveys milestones and success stories will address the various concerns that business unit stakeholders may have.

    By planning for and efficiently communicating any changes that a data governance initiative may bring, many initial issues can be resolved from the outset.

    Governance recommendations will require significant business change. The redesign of a substantial number of data processes affecting various business units will require an overhaul of the organisation's culture, thought processes, and procedures surrounding its data. Preparing people for change well in advance will allow them to take the necessary steps to adapt and reduce potential confrontation.

    Because a data governance initiative will involve data-driven business units across the organisation, the governance team must present a compelling case for data governance to ensure acceptance of new processes, rules, guidelines, and technologies by all data producers and users.

    Attempting to implement change without an effective communication plan can result in disagreements over data control and stalemates between stakeholder units. The recommendations of the governance group must reflect the needs of all stakeholders or there will be pushback.

    Info-Tech Insight

    Launching a data governance initiative is guaranteed to disrupt the culture of the organisation. That disruption doesn't have to be detrimental if you are prepared to manage the change proactively and effectively.

    Create a common data governance vision that is consistently communicated to the organisation

    A data governance program should be an enterprise-wide initiative.

    To create a strong vision for data governance, there must be participation from the business and IT. A common vision will articulate the state the organisation wishes to achieve and how it will reach that state. Visioning helps to develop long-term goals and direction.

    Once the vision is established, it must be effectively communicated to everyone, especially those who are involved in creating, managing, disposing, or archiving data.

    The data governance program should be periodically refined. This will ensure the organisation continues to incorporate best methods and practices as the organisation grows and data needs evolve.

    Info-Tech Tips

    • Use information from the stakeholder interviews to derive business goals and objectives.
    • Work to integrate different opinions and perspectives into the overall vision for data governance.
    • Brainstorm guiding principles for data and understand the overall value to the organisation.

    Develop a compelling data governance communications plan to get all departmental lines of business on board

    A data governance program will impact all data-driven business units within the organisation.

    A successful data governance communications plan involves making the initiative visible and promoting staff awareness. Educate the team on how data is collected, distributed, and used, what internal processes use data, and how that data is used across departmental boundaries.

    By demonstrating how data governance will affect staff directly, you create a deeper level of understanding across lines of business, and ultimately, a higher level of acceptance for new processes, rules, and guidelines.

    A clear and concise communications strategy will raise the profile of data governance within the organisation, and staff will understand how the program will benefit them and how they can share in the success of the initiative. This will end up providing support for the initiative across the board.

    A proactive communications plan will:

    • Assist in overcoming issues with data control, stalemates between stakeholder units, and staff resistance.
    • Provide a formalised process for implementing new policies, rules, guidelines, and technologies, and managing organisational data.
    • Detail data ownership and accountability for decision making, and identify and resolve data issues throughout the organisation.
    • Encourage acceptance and support of the initiative.

    Info-Tech Tip

    Focus on literacy and communication: include training in the communication plan. Providing training for data users on the correct procedures for updating and verifying the accuracy of data, data quality, and standardised data policies will help validate how data governance will benefit them and the organisation.

    Leverage the data governance program to communicate and promote the value of data within the organisation

    The data governance program is responsible for continuously promoting the value of data to the organisation. The data governance program should seek a variety of ways to educate the organisation and data stakeholders on the benefit of data management.

    Even if data policies and procedures are created, they will be highly ineffective if they are not properly communicated to the data producers and users alike.

    There needs to be a communication plan that highlights how the data producer and user will be affected, what their new responsibilities are, and the value of that change.

    To learn how to manage organisational change, refer to Info-Tech's Master Organisational Change Management Practices.

    Understand what makes for an effective policy for data governance

    It can be difficult to understand what a policy is, and what it is not. Start by identifying the differences between a policy and standards, guidelines, and procedures.

    Diagram of an effective policy for data governance

    The following are key elements of a good policy:

    Heading Descriptions
    Purpose Describes the factors or circumstances that mandate the existence of the policy. Also states the policy's basic objectives and what the policy is meant to achieve.
    Scope Defines to whom and to what systems this policy applies. Lists the employees required to comply or simply indicates 'all' if all must comply. Also indicates any exclusions or exceptions, i.e. those people, elements, or situations that are not covered by this policy or where special consideration may be made.
    Definitions Define any key terms, acronyms, or concepts that will be used in the policy. A standard glossary approach is sufficient.
    Policy Statements Describe the rules that comprise the policy. This typically takes the form of a series of short prescriptive and proscriptive statements. Sub-dividing this section into sub-sections may be required depending on the length or complexity of the policy.
    Non-Compliance Clearly describe consequences (legal and/or disciplinary) for employee non-compliance with the policy. It may be pertinent to describe the escalation process for repeated non-compliance.
    Agreement Confirms understanding of the policy and provides a designated space to attest to the document.

    Leverage myPolicies, Info-Tech's web-based application for managing your policies and procedures

    Most organisations have problems with policy management. These include:

    1. Policies are absent or out of date
    2. Employees largely unaware of policies in effect
    3. Policies are unmonitored and unenforced
    4. Policies are in multiple locations
    5. Multiple versions of the same policy exist
    6. Policies managed inconsistently across different silos
    7. Policies are written poorly by untrained authors
    8. Inadequate policy training program
    9. Draft policies stall and lose momentum
    10. Weak policy support from senior management

    Technology should be used as a means to solve these problems and effectively monitor, enforce, and communicate policies.

    Product Overview

    myPolicies is a web-based solution to create, distribute, and manage corporate policies, procedures, and forms. Our solution provides policy managers with the tools they need to mitigate the risk of sanctions and reduce the administrative burden of policy management. It also enables employees to find the documents relevant to them and build a culture of compliance.

    Some key success factors for policy management include:

    • Store policies in a central location that is well known and easy to find and access. A key way that technology can help communicate policies is by having them published on a centralised website.
    • Link this repository to other policies' taxonomies of your organisation. E.g. HR policies to provide a single interface for employees to access guidance across the organisation.
    • Reassess policies annually at a minimum. myPolicies can remind you to update the organisation's policies at the appropriate time.
    • Make the repository searchable and easily navigable.
    • myPolicies helps you do all this and more.
    myPolicies logo myPolicies

    Enforce data policies to promote consistency of business processes

    Data policies are short statements that seek to manage the creation, acquisition, integrity, security, compliance, and quality of data. These policies vary amongst organisations, depending on your specific data needs.

    • Policies describe what to do, while standards and procedures describe how to do something.
    • There should be few data policies, and they should be brief and direct. Policies are living documents and should be continuously updated to respond to the organisation's data needs.
    • The data policies should highlight who is responsible for the data under various scenarios and rules around how to manage it effectively.

    Examples of Data Policies

    Trust

    • Data Cleansing and Quality Policy
    • Data Entry Policy

    Availability

    • Acceptable Use Policy
    • Data Backup Policy

    Security

    • Data Security Policy
    • Password Policy Template
    • User Authorisation, Identification, and Authentication Policy Template
    • Data Protection Policy

    Compliance

    • Archiving Policy
    • Data Classification Policy
    • Data Retention Policy

    Leverage data management-related policies to standardise your data management practices

    Info-Tech's Data Management Policy:

    This policy establishes uniform data management standards and identifies the shared responsibilities for assuring the integrity of the data and that it efficiently and effectively serves the needs of the organisation. This policy applies to all critical data and to all staff who may be creators and/or users of such data.

    Info-Tech's Data Entry Policy:

    The integrity and quality of data and evidence used to inform decision making is central to both the short-term and long-term health of an organisation. It is essential that required data be sourced appropriately and entered into databases and applications in an accurate and complete manner to ensure the reliability and validity of the data and decisions made based on the data.

    Info-Tech's Data Provenance Policy:

    Create policies to keep your data's value, such as:

    • Only allow entry of data from reliable sources.
    • Employees entering and accessing data must observe requirements for capturing/maintaining provenance metadata.
    • Provenance metadata will be used to track the lifecycle of data from creation through to disposal.

    Info-Tech's Data Integration and Virtualisation Policy:

    This policy aims to assure the organisation, staff, and other interested parties that data integration, replication, and virtualisation risks are taken seriously. Staff must use the policy (and supporting guidelines) when deciding whether to integrate, replicate, or virtualise data sets.

    Select the right mix of metrics to successfully supervise data policies and processes

    Policies are only as good as your level of compliance. Ensure supervision controls exist to oversee adherence to policies and procedures.

    Although they can be highly subjective, metrics are extremely important to data governance success.

    • Establishing metrics that measure the performance of a specific process or data set will:
      • Create a greater degree of ownership from data stewards and data owners.
      • Help identify underperforming individuals.
      • Allow the steering committee to easily communicate tailored objectives to individual data stewards and owners.
    • Be cautious when establishing metrics. The wrong metrics can have negative repercussions.
      • They will likely draw attention to an aspect of the process that doesn't align with the initial strategy.
      • Employees will work hard and grow frustrated as their successes aren't accurately captured.

    Policies are great to have from a legal perspective, but unless they are followed, they will not benefit the organisation.

    • One of the most useful metrics for policies is currency. This tracks how up to date the policy is and how often employees are informed about the policy. Often, a policy will be introduced and then ignored. Policies must be continuously reviewed by management and employees.
    • Some other metrics include adherence (including performance in tests for adherence) and impacts from non-adherence.

    Review metrics on an ongoing basis with those data owners/stewards who are accountable, the data governance steering committee, and the executive sponsors.

    Establish data standards and procedures for use across all organisational lines of business

    A data governance program will impact all data-driven business units within the organisation.

    • Data management procedures are the methods, techniques, and steps to accomplish a specific data objective. Creating standard data definitions should be one of the first tasks for a data governance steering committee.
    • Data moves across all departmental boundaries and lines of business within the organisation. These definitions must be developed as a common set of standards that can be accepted and used enterprise wide.
    • Consistent data standards and definitions will improve data flow across departmental boundaries and between lines of business.
    • Ensure these standards and definitions are used uniformly throughout the organisation to maintain reliable and useful data.

    Data standards and procedural guidelines will vary from company to company.

    Examples include:

    • Data modelling and architecture standards.
    • Metadata integration and usage procedures.
    • Data security standards and procedures.
    • Business intelligence standards and procedures.

    Info-Tech Tip

    Have a fundamental data definition model for the entire business to adhere to. Those in the positions that generate and produce data must follow the common set of standards developed by the steering committee and be accountable for the creation of valid, clean data.

    Changes to organisational data processes are inevitable; have a communications plan in place to manage change

    Create awareness of your data governance program, using knowledge transfer to get as many people on board as possible.

    By planning for and efficiently communicating any changes that a data governance initiative may bring, many initial issues can be resolved from the outset.

    Governance recommendations will require significant business change. The redesign of a substantial number of data processes affecting various business units will require an overhaul of the organisation's culture, thought processes, and procedures surrounding its data. Preparing people for change well in advance will allow them to take the necessary steps to adapt and reduce potential confrontation.

    Because a data governance initiative will involve data-driven business units across the organisation, the governance team must present a compelling case for data governance to ensure acceptance of new processes, rules, guidelines, and technologies by all data producers and users.

    Attempting to implement change without an effective communications plan can result in disagreements over data control and stalemates between stakeholder units. The recommendations of the governance group must reflect the needs of all stakeholders or there will be pushback.

    Data governance initiatives will very likely bring about a level of organisational disruption. A clear and concise communications strategy that conveys milestones and success stories will address the various concerns that business unit stakeholders may have.

    Info-Tech Tip

    Launching a data governance program will bring with it a level of disruption to the culture of the organisation. That disruption doesn't have to be detrimental if you are prepared to manage the change proactively and effectively.

    Other Deliverables:

    The list of supporting deliverables will help to kick start on some of the Data Governance initiatives

    • Data Classification Policy, Standard, and Procedure
    • Data Quality Policy, Standard, and Procedure
    • Metadata Management Policy, Standard, and Procedure
    • Data Retention Policy and Procurement

    Screenshot from Data Classification Policy, Standard, and Procedure

    Data Classification Policy, Standard, and Procedure

    Screenshot from Data Retention Policy and Procedure

    Data Retention Policy and Procedure

    Screenshot from Metadata Management Policy, Standard, and Procedure

    Metadata Management Policy, Standard, and Procedure

    Screenshot from Data Quality Policy, Standard, and Procedure

    Data Quality Policy, Standard, and Procedure

    Additional Support

    If you would like additional support, have our analysts guide you through other phases as part of an Info-Tech Workshop.

    Picture of analyst

    Contact your account representative for more information.

    workshops@infotech.com 1-888-670-8889

    To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team. Info-Tech analysts will join you and your team at your location or welcome you to Info-Tech's historic Toronto office to participate in an innovative onsite workshop.

    The following are sample activities that will be conducted by Info-Tech analysts with your team:

    Screenshot of example data governance strategy map.

    Build Your Business and User Context

    Work with your core team of stakeholders to build out your data governance strategy map, aligning data governance initiatives with business capabilities, value streams, and, ultimately, your strategic priorities.

    Screenshot of Data governance roadmap

    Formulate a Plan to Get to Your Target State

    Develop a data governance future state roadmap and plan based on an understanding of your current data governance capabilities, your operating environment, and the driving needs of your business.

    Related Info-Tech Research

    Build a Robust and Comprehensive Data Strategy

    Key to building and fostering a data-driven culture.

    Create a Data Management Roadmap

    Streamline your data management program with our simplified framework.

    The First 100 Days as CDO

    Be the voice of data in a time of transformation.

    Research Contributors

    Name Position Company
    David N. Weber Executive Director - Planning, Research and Effectiveness Palm Beach State College
    Izabela Edmunds Information Architect Mott MacDonald
    Andy Neill Practice Lead, Data & Analytics Info-Tech Research Group
    Dirk Coetsee Research Director, Data & Analytics Info-Tech Research Group
    Graham Price Executive Advisor, Advisory Executive Services Info-Tech Research Group
    Igor Ikonnikov Research Director, Data & Analytics Info-Tech Research Group
    Jean Bujold Senior Workshop Delivery Director Info-Tech Research Group
    Rajesh Parab Research Director, Data & Analytics Info-Tech Research Group
    Reddy Doddipalli Senior Workshop Director Info-Tech Research Group
    Valence Howden Principal Research Director, CIO Info-Tech Research Group

    Bibliography

    Alation. “The Alation State of Data Culture Report – Q3 2020.” Alation, 2020. Accessed 25 June 2021.

    Allott, Joseph, et al. “Data: The Next Wave in Forestry Productivity.” McKinsey & Company, 27 Oct. 2020. Accessed 25 June 2021.

    Bean, Randy. “Why Culture Is the Greatest Barrier to Data Success.” MIT Sloan Management Review, 30 Sept. 2020. Accessed 25 June 2021.

    Brence, Thomas. “Overcoming the Operationalization Challenge With Data Governance at New York Life.” Informatica, 18 March 2020. Accessed 25 June 2021.

    Bullmore, Simon, and Stuart Coleman. “ODI Inside Business – A Checklist for Leaders.” Open Data Institute, 19 Oct. 2020. Accessed 25 June 2021.

    Canadian Institute for Health Information. “Developing and Implementing Accurate National Standards for Canadian Health Care Information.” Canadian Institute for Health Information. Accessed 25 June 2021.

    Carruthers, Caroline, and Peter Jackson. “The Secret Ingredients of the Successful CDO.” IRM UK Connects, 23 Feb. 2017.

    Dashboards. “Useful KPIs for Healthy Hospital Quality Management.” Dashboards. Accessed 25 June 2021.

    Dashboards. “Why (and How) You Should Improve Data Literacy in Your Organization Today.” Dashboards. Accessed 25 June 2021.

    Datapine. “Healthcare Key Performance Indicators and Metrics.” Datapine. Accessed 25 June 2021.

    Datapine. “KPI Examples & Templates: Measure what matters the most and really impacts your success.” Datapine. Accessed 25 June 2021.

    Diaz, Alejandro, et al. “Why Data Culture Matters.” McKinsey Quarterly, Sept. 2018. Accessed 25 June 2021.

    Everett, Dan. “Chief Data Officer (CDO): One Job, Four Roles.” Informatica, 9 Sept. 2020. Accessed 25 June 2021.

    Experian. “10 Signs You Are Sitting On A Pile Of Data Debt.” Experian. Accessed 25 June 2021.

    Fregoni, Silvia. “New Research Reveals Why Some Business Leaders Still Ignore the Data.” Silicon Angle, 1 Oct. 2020

    Informatica. Holistic Data Governance: A Framework for Competitive Advantage. Informatica, 2017. Accessed 25 June 2021.

    Knight, Michelle. “What Is a Data Catalog?” Dataversity, 28 Dec. 2017. Web.

    Lim, Jason. “Alation 2020.3: Getting Business Users in the Game.” Alation, 2020. Accessed 25 June 2021.

    McDonagh, Mariann. “Automating Data Governance.” Erwin, 29 Oct. 2020. Accessed 25 June 2021.

    NewVantage Partners. Data-Driven Business Transformation: Connecting Data/AI Investment to Business Outcomes. NewVantage Partners, 2020. Accessed 25 June 2021.

    Olavsrud, Thor. “What Is Data Governance? A Best Practices Framework For Managing Data Assets.” CIO.com, 18 March 2021. Accessed 25 June 2021.

    Open Data Institute. “Introduction to Data Ethics and the Data Ethics Canvas.” Open Data Institute, 2020. Accessed 25 June 2021.

    Open Data Institute. “The UK National Data Strategy 2020: Doing Data Ethically.” Open Data Institute, 17 Nov. 2020. Accessed 25 June 2021.

    Open Data Institute. “What Is the Data Ethics Canvas?” Open Data Institute, 3 July 2019. Accessed 25 June 2021.

    Pathak, Rahul. “Becoming a Data-Driven Enterprise: Meeting the Challenges, Changing the Culture.” MIT Sloan Management Review, 28 Sept. 2020. Accessed 25 June 2021.

    Petzold, Bryan, et al. “Designing Data Governance That Delivers Value.” McKinsey & Company, 26 June 2020. Accessed 25 June 2021.

    Redman, Thomas, et al. “Only 3% of Companies’ Data Meets Basic Quality Standards.” Harvard Business Review. 11 Sept 2017.

    Smaje, Kate. “How Six Companies Are Using Technology and Data To Transform Themselves.” McKinsey & Company, 12 Aug. 2020. Accessed 25 June 2021.

    Talend. “The Definitive Guide to Data Governance.” Talend. Accessed 25 June 2021.

    “The Powerfully Simple Modern Data Catalog.” Atlan, 2021. Web.

    U.S. Geological Survey. “Data Management: Data Standards.” U.S. Geological Survey. Accessed 25 June 2021.

    Waller, David. “10 Steps to Creating a Data-Driven Culture.” Harvard Business Review, 6 Feb. 2020. Accessed 25 June 2021.

    “What Is the Difference Between A Business Glossary, A Data Dictionary, and A Data Catalog, and How Do They Play A Role In Modern Data Management?” Analytics8, 23 June 2021. Web.

    Wikipedia. “RFM (Market Research).” Wikipedia. Accessed 25 June 2021.

    Windheuser, Christoph, and Nina Wainwright. “Data in a Modern Digital Business.” Thoughtworks, 12 May 2020. Accessed 25 June 2021.

    Wright, Tom. “Digital Marketing KPIs - The 12 Key Metrics You Should Be Tracking.” Cascade, 3 March 2021. Accessed 25 June 2021.

    CIO Priorities 2023

    • Buy Link or Shortcode: {j2store}84|cart{/j2store}
    • member rating overall impact: 10.0/10 Overall Impact
    • member rating average dollars saved: $10,000 Average $ Saved
    • member rating average days saved: 9 Average Days Saved
    • Parent Category Name: IT Strategy
    • Parent Category Link: /it-strategy

    CIOs are facing these challenges in 2023:

    • Trying to understand the implications of external trends.
    • Determining what capabilities are most important to support the organization.
    • Understanding how to help the organization pursue new opportunities.
    • Preparing to mitigate new sources of organizational risk.

    Our Advice

    Critical Insight

    • While functional leaders may only see their next move, as head of the organization with a complete view of all the pieces, the CIO has full context awareness. It's up to them to assess their gaps, consider the present scenario, and then make their next move.
    • Each priority carries new opportunities for organizations that pursue them.
    • There are also different risks to mitigate as each priority is explored.

    Impact and Result

    • Inform your IT strategy for the year ahead.
    • Identify which capabilities you need to improve.
    • Add initiatives that support your priorities to your roadmap.

    CIO Priorities 2023 Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. CIO Priorities 2023 Report – Read about the priorities on IT leaders' agenda.

    Understand the five priorities that will help navigate the opportunities and risks of the year ahead.

    • CIO Priorities 2023 Report

    Infographic

     

    Further reading

    CIO Priorities 2023

    Engage cross-functional leadership to seize opportunity while protecting the organization from volatility.

    Analyst Perspective

    Take a full view of the board and use all your pieces to win.

    In our Tech Trends 2023 report, we called on CIOs to think of themselves as chess grandmasters. To view strategy as playing both sides of the board, simultaneously attacking the opponent's king while defending your own. In our CIO Priorities 2023 report, we'll continue with that metaphor as we reflect on IT's capability to respond to trends.

    If the trends report is a study of the board state that CIOs are playing with, the priorities report is about what move they should make next. We must consider all the pieces we have at our disposal and determine which ones we can afford to use to seize on opportunity. Other pieces are best used by staying put to defend their position.

    In examining the different capabilities that CIOs will require to succeed in the year ahead, it's apparent that a siloed view of IT isn't going to work. Just like a chess player in a competitive match would never limit themselves to only using their knights or their rooks, a CIO's responsibility is to deploy each of their pieces to win the day. While functional leaders may only see their next move, as head of the organization with a complete view of all the pieces, the CIO has full awareness of the board state.

    It's up to them to assess their gaps, consider the present scenario, and then make their next move.

    This is a picture of Brian Jackson

    Brian Jackson
    Principal Research Director, Research – CIO
    Info-Tech Research Group

    CIO Priorities 2023 is informed by Info-Tech's primary research data of surveys and benchmarks

    Info-Tech's Tech Trends 2023 report and State of Hybrid Work in IT: A Trend Report inform the externalities faced by organizations in the year ahead. They imply opportunities and risks that organizations face. Leadership must determine if they will respond and how to do so. CIOs then determine how to support those responses by creating or improving their IT capabilities. The priorities are the initiatives that will deliver the most value across the capabilities that are most in demand. The CIO Priorities 2023 report draws on data from several different Info-Tech surveys and diagnostic benchmarks.

    2023 Tech Trends and Priorities Survey; N=813 (partial), n=521 (completed)
    Info-Tech's Trends and Priorities 2023 Survey was conducted between August 9 and September 9, 2022. We received 813 total responses with 521 completed surveys. More than 90% of respondents work in IT departments. More than 84% of respondents are at a manager level of seniority or higher.

    2023 The State of Hybrid Work in IT Survey; N=518
    The State of Hybrid Work in IT Survey was conducted between July 11 and July 29 and received 518 responses. Nine in ten respondents were at a manager level of seniority or higher.

    Every organization will have its own custom list of priorities based on its internal context. Organizational goals, IT maturity level, and effectiveness of capabilities are some of the important factors to consider. To provide CIOs with a starting point for their list of priorities for 2023, we used aggregate data collected in our diagnostic benchmark tools between August 1, 2021, and October 31, 2022.

    Info-Tech's CEO-CIO Alignment Program is intended to be completed by CIOs and their supervisors (CEO or other executive position [CxO]) and will provide the average maturity level and budget expectations (N=107). The IT Management and Governance Diagnostic will provide the average capability effectiveness and importance ranking to CIOs (N=271). The CIO Business Vision Diagnostic will provide stakeholder satisfaction feedback (N=259).

    The 2023 CIO priorities are based on that data, internal collaboration sessions at Info-Tech, and external interviews with CIOs and subject matter experts.

    Build IT alignment

    Assess your IT processes

    Determine stakeholder satisfaction

    Most IT departments should aim to drive outcomes that deliver better efficiency and cost savings

    Slightly more than half of CIOs using Info-Tech's CEO-CIO Alignment Program rated themselves at a Support level of maturity in 2022. That aligns with IT professionals' view of their organizations from our Tech Trends and Priorities Survey, where organizations are rated at the Support level on average. At this level, IT departments can provide reliable infrastructure and support a responsive IT service desk that reasonably satisfies stakeholders.

    In the future, CIOs aspire to attain the Transform level of maturity. Nearly half of CIOs select this future state in our diagnostic, indicating a desire to deliver reliable innovation and lead the organization to become a technology-driven firm. However, we see that fewer CxOs aspire for that level of maturity from IT. CxOs are more likely than CIOs to say that IT should aim for the Optimize level of maturity. At this level, IT will help other departments become more efficient and lower costs across the organization.

    Whether a CIO is aiming for the top of the maturity scale in the future or not, IT maturity is achieved one step at a time. Aiming for outcomes at the Optimize level will be a realistic goal for most CIOs in 2023 and will satisfy many stakeholders.

    Current and future state of IT maturity

    This image depicts a table showing the Current and future states of IT maturity.

    Trends indicate a need to focus on leadership and change management

    Trends imply new opportunities and risks that an organization must decide on. Organizational leadership determines if action will be taken to respond to the new external context based on its importance compared to current internal context. To support their organizations, IT must use its capabilities to deliver on initiatives. But if a capability's effectiveness is poor, it could hamper the effort.

    To determine what capabilities IT departments may need to improve or create to support their organizations in 2023, we conducted an analysis of our trends data. Using the opportunities and risks implied by the Tech Trends 2023 report and the State of Hybrid Work in IT: A Trend Report, we've determined the top capabilities IT will need to respond. Capabilities are defined by Info-Tech's IT Management and Governance Framework.

    Tier 1: The Most Important Capabilities In 2023

    Enterprise Application Selection & Implementation

    Manage the selection and implementation of enterprise applications, off-the-shelf software, and software as a service to ensure that IT provides the business with the most appropriate applications at an acceptable cost.

    		 Effectiveness: 6.5; Importance: 8.8

    Leadership, Culture, and Values

    Ensure that the IT department reflects the values of your organization. Improve the leadership skills of your team to generate top performance.

    		 Effectiveness: 6.9; Importance: 9

    Data Architecture

    Manage the business' databases, including the technology, the governance processes, and the people that manage them. Establish the principles, policies, and guidelines relevant to the effective use of data within the organization.

    		 Effectiveness: 6.3; Importance: 8.8

    Organizational Change Management

    Implement or optimize the organization's capabilities for managing the impact of new business processes, new IT systems, and changes in organizational structure or culture.

    		 Effectiveness: 6.1; Importance: 8.8

    External Compliance

    Ensure that IT processes and IT-supported business processes are compliant with laws, regulations, and contractual requirements.

    		 Effectiveness: 7.4; Importance: 8.8

    Info-Tech's Management and Diagnostic Benchmark

    Tier 2: Other Important Capabilities In 2023

    Ten more capabilities surfaced as important compared to others but not as important as the capabilities in tier 1.

    Asset Management

    Track IT assets through their lifecycle to make sure that they deliver value at optimal cost, remain operational, and are accounted for and physically protected. Ensure that the assets are reliable and available as needed.

    		 Effectiveness: 6.4; Importance: 8.5

    Business Intelligence and Reporting

    Develop a set of capabilities, including people, processes, and technology, to enable the transformation of raw data into meaningful and useful information for the purpose of business analysis.

    		 Effectiveness: 6.3; Importance: 8.8

    Business Value

    Secure optimal value from IT-enabled initiatives, services, and assets by delivering cost-efficient solutions and services and by providing a reliable and accurate picture of costs and benefits.

    		 Effectiveness: 6.5; Importance: 8.7

    Cost and Budget Management

    Manage the IT-related financial activities and prioritize spending through the use of formal budgeting practices. Provide transparency and accountability for the cost and business value of IT solutions and services.

    		 Effectiveness: 6.5; Importance: 8.8

    Data Quality

    Put policies, processes, and capabilities in place to ensure that appropriate targets for data quality are set and achieved to match the needs of the business.

    		 Effectiveness: 6.4; Importance: 8.9

    Enterprise Architecture

    Establish a management practice to create and maintain a coherent set of principles, methods, and models that are used in the design and implementation of the enterprise's business processes, information systems, and infrastructure.

    		 Effectiveness: 6.8; Importance: 8.8

    IT Organizational Design

    Set up the structure of IT's people, processes, and technology as well as roles and responsibilities to ensure that it's best meeting the needs of the business.

    		 Effectiveness: 6.8; Importance: 8.8

    Performance Measurement

    Manage IT and process goals and metrics. Monitor and communicate that processes are performing against expectations and provide transparency for performance and conformance.

    		 Effectiveness: 6; Importance: 8.4

    Stakeholder Relations

    Manage the relationship between the business and IT to ensure that the stakeholders are satisfied with the services they need from IT and have visibility into IT processes.

    		 Effectiveness: 6.7; Importance: 9.2

    Vendor Management

    Manage IT-related services provided by all suppliers, including selecting suppliers, managing relationships and contracts, and reviewing and monitoring supplier performance.

    		 Effectiveness: 6.6; Importance: 8.4

    Defining the CIO Priorities for 2023

    Understand the CIO priorities by analyzing both how CIOs respond to trends in general and how a specific CIO responded in the context of their organization.

    This is an image of the four analyses: 1: Implications; 2: Opportunities and risks; 3: Case examples; 4: Priorities to action.

    The Five CIO Priorities for 2023

    Engage cross-functional leadership to seize opportunity while protecting the organization from volatility.

    1. Adjust IT operations to manage for inflation
      • Business Value
      • Vendor Management
      • Cost and Budget Management
    2. Prepare your data pipeline to train AI
      • Business Intelligence and Reporting
      • Data Quality
      • Data Architecture
    3. Go all in on zero-trust security
      • Asset Management
      • Stakeholder Relations
      • External Compliance
    4. Engage employees in the digital age
      • Leadership, Culture, and Values
      • Organizational Change Management
      • Enterprise Architecture
    5. Shape the IT organization to improve customer experience
      • Enterprise Application Selection & Implementation
      • Performance Measurement
      • IT Organizational Design

    Adjust IT operations to manage for inflation

    Priority 01

    • APO06 Cost and Budget Management
    • APo10 Vendor Management
    • EDM02 Business Value

    Recognize the relative impact of higher inflation on IT's spending power and adjust accordingly.

    Inflation takes a bite out of the budget

    Two-thirds of IT professionals are expecting their budgets to increase in 2023, according to our survey. But not every increase is keeping up with the pace of inflation. The International Monetary Fund forecasts that global inflation rose to 8.8% in 2022. It projects it will decline to 6.5% in 2023 and 4.1% by 2024 (IMF, 2022).

    CIOs must account for the impact of inflation on their IT budgets and realize that what looks like an increase on paper is effectively a flat budget or worse. Applied to our survey takers, an IT budget increase of more than 6.5% would be required to keep pace with inflation in 2023. Only 40% of survey takers are expecting that level of increase. For the 27% expecting an increase between 1-5%, they are facing an effective decrease in budget after the impact of inflation. Those expecting no change in budget or a decrease will be even worse off.

    Looking ahead to 2023, how do you anticipate your IT spending will change compared to spending in 2022?

    Global inflation estimates by year

    2022 8.8%
    2023 6.5%
    2024 4.1%

    International Monetary Fund, 2022

    CIOs are more optimistic about budgets than their supervisors

    Data from Info-Tech's CEO-CIO Alignment Diagnostic benchmark also shows that CIOs and their supervisors are planning for increases to the budget. This diagnostic is designed for a CIO to use with their direct supervisor, whether it's the CEO or otherwise (CxO). Results show that on average, CIOs are more optimistic than their supervisors that they will receive budget increases and headcount increases in the years ahead.

    While 14% of CxOs estimated the IT budget would see no change or a decrease in the next three to five years, only 3% of CIOs said the same. A larger discrepancy is seen in headcount, where nearly one-quarter of CXOs estimated no change or decrease in the years ahead, versus only 10% of CIOs estimating the same.

    When we account for the impact of inflation in 2023, this misalignment between CIOs and their supervisors increases. When adjusting for inflation, we need to view the responses projecting an increase of between 1-5% as an effective decrease. With the inflation adjustment, 26% of CXOs are predicting IT budgets to stay flat or see a decrease compared to only 10% of CIOs.

    CIOs should consider how inflation has affected their projected spending power over the past year and take into account projected inflation rates over the next couple of years. Given that the past decade has seen inflation rates between 2-3%, the higher rates projected will have more of an impact on organizational budgets than usual.

    Expect headcount to stay flat or decline over 3-5 years

    CIO: 10%; CXO: 24%

    IT budget expectations to stay flat or decrease before inflation

    CIO: 13.6 %; CXO: 3.2%

    IT budget expectations to stay flat or decrease adjusted for inflation

    CIO: 25.8%; CXO: 9.7%

    Info-Tech's CEO-CIO Alignment Program

    Opportunities

    Appoint a "cloud economist"

    Organizations that migrated from on-premises data centers to infrastructure as a service shifted their capital expenditures on server racks to operational expenditures on paying the monthly service bill. Managing that monthly bill so that it is in line with desired performance levels now becomes crucial. The expected benefit of the cloud is that an organization can turn the dial up to meet higher demand and turn it down when demand slows. In practice this is sometimes more difficult to execute than anticipated. Some IT departments realize their cloud-based data flows aren't always connected to the revenue-generating activity seen in the business. As a result, a "cloud economist" is needed to closely monitor cloud usage and adjust it to financial expectations. Especially during any recessionary period, IT departments will want to avoid a "bill shock" incident.

    Partner with technology providers

    Keep your friends close and your vendors closer. Look for opportunities to create leverage with your strategic vendors to unlock new opportunities. Identify if a vendor you work with is not entrenched in your industry and offer them the credibility of working with you in exchange for a favorable contract. Offering up your logo for a website listing clients or giving your own time to speak in a customer session at a conference can go a long way to building up some goodwill with your vendors. That's goodwill you'll need when you ask for a new multi-year contract on your software license without annual increases built into the structure.

    Demonstrate IT projects improve efficiency

    An IT department that operates at the Optimize level of Info-Tech's maturity scale can deliver outcomes that lower costs for other departments. IT can defend its own budget if it's able to demonstrate that its initiatives will automate or augment business activities in a way that improves margins. The argument becomes even more compelling if IT can demonstrate it is supporting a revenue-generating initiative or customer-facing experience. CIOs will need to find business champions to vouch for the important contributions IT is making to their area.

    Risks

    Imposition of non-financial reporting requirements

    In some jurisdictions, the largest companies will be required to start collecting information on carbon emissions emitted as a result of business activities by the end of next year. Smaller sized organizations will be next on the list to determine how to meet new requirements issued by various regulators. Risks of failure include facing fines or being shunned by investors. CIOs will need to support their financial reporting teams in collecting the new required data accurately. This will incur new costs as well.

    Rising asset costs

    Acquiring IT equipment is becoming more expensive due to overall inflation and specific pressures around semiconductor supply chains. As a result, more CIOs are extending their device refresh policies to last another year or two. Still, demands for new devices to support new hybrid work models could put pressure on budgets as IT teams are asked to modernize conferencing rooms. For organizations adopting mixed reality headsets, cutting-edge capabilities will come at a premium. Operating costs of devices may also increase as inflation increases costs of the electricity and bandwidth they depend on.

    CASE STUDY
    Leverage your influence in vendor negotiations

    Denise Cornish, Associate VP of IT and Deputy COO,
    Western University of Health Sciences

    Since taking on the lead IT role at Western University in 2020, Denise Cornish has approached vendor management like an auditable activity. She evaluates the value she gets from each vendor relationship and creates a list of critical vendors that she relies upon to deliver core business services. "The trick is to send a message to the vendor that they also need us as a customer that's willing to act as a reference," she says. Cornish has managed to renegotiate a contract with her ERP vendor, locking in a multi-year contract with a very small escalator in exchange for presenting as a customer at conferences. She's also working with them on developing a new integration to another piece of software popular in the education space.

    Western University even negotiated a partnership approach with Apple for a program run with its College of Osteopathic Medicine of the Pacific (COMP) called the Digital Doctor Bag. The partnership saw Apple agree to pre-package a customer application developed by Western that delivered the curriculum to students and facilitated communications across students and faculty. Apple recognized Western as an Apple Distinguished School, a program that recognizes innovative schools that use Apple products.

    "I like when negotiations are difficult.
    I don't necessarily expect a zero-sum game. We each need to get something out of this and having the conversation and really digging into what's in it for you and what's in it for me, I enjoy that. So usually when I negotiate a vendor contract, it's rare that it doesn't work out."

    CASE STUDY
    Control cloud costs with a simplified approach

    Jim Love, CIO, IT World Canada

    As an online publisher and a digital marketing platform for technology products and services companies, IT World Canada (ITWC) has observed that there are differences in how small and large companies adopt the cloud as their computing infrastructure. For smaller companies, even though adoption is accelerating, there may still be some reluctance to fully embrace cloud platforms and services. While larger companies often have a multi-cloud approach, this might not be practical for smaller IT shops that may struggle to master the skills necessary to effectively manage one cloud platform. While Love acknowledges that the cloud is the future of corporate computing, he also notes that not all applications or workloads may be well suited to run in the cloud. As well, moving data into the cloud is cheap but moving it back out can be more expensive. That is why it is critical to understand your applications and the data you're working with to control costs and have a successful cloud implementation.

    "Standardization is the friend of IT. So, if you can standardize on one platform, you're going to do better in terms of costs."

    From priorities to action

    Go deeper on pursuing your priorities by improving the associated capabilities.

    Improve Cost and Budget Management

    Take control of your cloud costs by providing central financial oversight on the infrastructure-as-a-service provider your organization uses. Create visibility into your operational costs and define policies to control them. Right-size the use of cloud services to stay within organizational budget expectations.

    Take Control of Cloud Costs on AWS

    Take Control of Cloud Costs on Microsoft Azure

    Improve Business Value

    Reduce the funds allocated to ongoing support and impose tougher discipline around change requests to lighten your maintenance burden and make room for investment in net-new initiatives to support the business.

    Free up funds for new initiatives

    Improve Vendor Management

    Lay the foundation for a vendor management process with long-term benefits. Position yourself as a valuable client with your strategic vendors and leverage your position to improve your contract terms.

    Elevate Your Vendor Management Initiative

    Prepare your data pipeline to train AI

    Priority 02

    • ITRG06 BUSINESS INTELLIGENCE AND REPORTING
    • ITRG07 DATA ARCHITECTURE
    • ITRG08 DATA QUALITY

    Keep pace as the market adopts AI capabilities, and be ready to create competitive advantage.

    Today's innovation is tomorrow's expectation

    During 2022, some compelling examples of generative-AI-based products took the world by storm. Images from AI-generating bots Midjourney and Stable Diffusion went viral, flooding social media and artistic communities with images generated from text prompts. Exchanges with OpenAI's ChatGPT bot also caught attention, as the bot was able to do everything from write poetry, to provide directions on a cooking recipe and then create a shopping list for it, to generate working code in a variety of languages. The foundation models are trained with AI techniques that include generative adversarial networks, transformers, and variational autoencoders. The end result is an algorithm that can produce content that's meaningful to people based on some simple direction. The industry is only beginning to come to grips with how this sort of capability will disrupt the enterprise.

    Slightly more than one-third of IT professionals say their organization has already invested in AI or machine learning. It's the sixth-most popular technology to have already invested in after cloud computing (82%), application programming interfaces (64%), workforce management solutions (44%), data lakes (36%), and next-gen cybersecurity (36%). It's ahead of 12 other technologies that IT is already invested in.

    When we asked what technologies organizations planned to invest in for next year, AI rocketed up the list to second place, as it's selected by 44% of IT professionals. It falls behind only cloud computing. This jump up the list makes AI the fastest growing technology for new investment from organizations.

    Many AI capabilities seem cutting edge now, but organizations are prioritizing it as a technology investment. In a couple of years, access to foundational models that produce images, text, or code will become easy to access with a commercial license and an API integration. AI will become embedded in off-the-shelf software and drive many new features that will quickly become commonplace.

    To stay even with the competition and meet customer expectations, organizations will have to work to at least adopt these AI-enhanced products and services. For those that want to create a competitive advantage, they will have to build a data pipeline that is capable of training their own custom AI models based on their unique data sets.

    Which of the following technology categories has your organization already invested in?

    A bar graph is depicted the percentage of organizations which already had invested in the following Categories: Cloud Computing; Application Programming; Next-Gen Cybersecurity; Workforce Management Solutions; Data Lake/Lakehouse; Artificial Intelligence or Machine Learning.

    Which of those same technologies does your organization plan to invest in by the end of 2023?

    A bar graph is depicted the percentage of organizations which plan to invest in the following categories by the end of 2023: No-Code / Low-Code Platforms; Next-Gen Cybersecurity; Application Programming Interfaces (APIs); Data Lake / Lakehouse; Artificial Intelligence (AI) or Machine Learning; Cloud Computing

    Tech Trends 2023 Survey

    Data quality and governance will be critical to customize generative AI

    Data collection and analysis are on the minds of both CIOs and their supervisors. When asked what technologies the business should adopt in the next three to five years, big data (analytics) ranked as most critical to adopt among CIOs and their supervisors. Big data (collection) ranked fourth out of 11 options.

    Organizations that want to drive a competitive advantage from generative AI will need to train these large, versatile models on their own data sets. But at the same time, IT organizations are struggling to provide clean data. The second-most critical gap for IT organizations on average is data quality, behind only organizational change management. Organizations know that data quality is important to support analytics goals, as algorithms can suffer in their integrity if they don't have reliable data to work with. As they say, garbage in, garbage out.

    Another challenge to overcome is the gap seen in IT governance, the sixth largest gap on average. Using data toward training custom generative models will hold new compliance and ethical implications for IT departments to contend with. How user data can be leveraged is already the subject of privacy legislation in many different jurisdictions, and new AI legislation is being developed in various places around the world that could create further demands. In some cases, users are reacting negatively to AI-generated content.

    Biggest capability gaps between rated importance and effectiveness

    This is a Bar graph showing the capability gaps between rated importance and effectiveness.

    IT Management and Governance Diagnostic

    Most critical technologies to adopt rated by CIOs and their supervisors

    This is a Bar graph showing the most critical technologies to adopt as rated by CIO's and their supervisors

    CEO-CIO Alignment Program

    Opportunities

    Enterprise content discovery

    Many organizations still cobble together knowledgebases in SharePoint or some other shared corporate drive, full of resources that no one quite knows how to find. A generative AI chatbot holds potential to be trained on an organization's content and produce content based on an employee's queries. Trained properly, it could point employees to the right resource they need to answer their question or just provide the answer directly.

    Supply chain forecasts

    After Hurricane Ian shut down a Walmart distribution hub, the retailer used AI to simulate the effects on its supply chain. It rerouted deliveries from other hubs based on the predictions and planned for how to respond to demand for goods and services after the storm. Such forecasts would typically take a team of analysts days to compose, but thanks to AI, Walmart had it done in a matter of hours (The Economist, 2022).

    Reduce the costs of AI projects

    New generative AI models of sufficient scale offer advantages over previous AI models in their versatility. Just as ChatGPT can write poetry or dialogue for a play or perhaps a section of a research report (not this one, this human author promises), large models can be deployed for multiple use cases in the enterprise. One AI researcher says this could reduce the costs of an AI project by 20-30% (The Economist, 2022).

    Risks

    Impending AI regulation

    Multiple jurisdictions around the world are pursuing new legislation that imposes requirements on organizations that use AI, including the US, Europe, and Canada. Some uses of AI will be banned outright, such as the real-time use of facial recognition in public spaces, while in other situations people can opt out of using AI and work with a human instead. Regulations will take the risk of the possible outcomes created by AI into consideration, and organizations will often be required to disclose when and how AI is used to reach decisions (Science | Business, 2022). Questions around whether creators can prevent their content from being used for training AI are being raised, with some efforts already underway to collect a list of those who want to opt out. Organizations that adopt a generative AI model today may find it needs to be amended for copyright reasons in the future.

    Bias in the algorithms

    Organizations using a large AI model trained by a third party to complete their tasks or as a foundation to further customize it with their own data will have to contend with the inherent bias of the algorithm. This can lead to unintended negative experiences for users, as it did for MIT Technology Review journalist Melissa Heikkilä when she uploaded her images to AI avatar app Lensa, only to have it render a collection of sexualized portraits. Heikkilä contends that her Asian heritage overly influenced the algorithm to associate her with video-game characters, anime, and adult content (MIT Technology Review, 2022).

    Convincing nonsense

    Many of the generative AI bots released so far often create very good responses to user queries but sometimes create nonsense that at first glance might seem to be accurate. One example is Meta's Galactica bot – intended to streamline scientific research discovery and aid in text generation – which was taken down only three days after being made available. Scientists found that it generated fake research that sounded convincing or failed to do math correctly (Spiceworks, 2022).

    CASE STUDY
    How MLSE enhances the Toronto Raptors' competitiveness with data-driven practices

    Christian Magsisi, Vice President of Venue and Digital Technology, MLSE

    At the Toronto Raptors practice facility, the OVO Athletic Centre, a new 120-foot custom LG video screen towers over the court. The video board is used to playback game clips so coaches can use them to teach players, but it also displays analytics from algorithmic models that are custom-made for each player. Data on shot-making or defensive deflections are just a couple examples of what might inform the players.

    Vice President of Digital Technology Christian Magsisi leads a functional Digital Labs technical group at MLSE. The in-house team builds the specific data models that support the Raptors in their ongoing efforts to improve. The analytics are fed by Noah Analytics, which uses cognitive vision to provide real-time feedback on shot accuracy. SportsVU is a motion capture system that represents how players are positioned on the court, with detail down to which way they are facing and whether their arms are up or down. The third-party vendors provide the solutions to generate the analytics, but it's up to MLSE's internal team to shape them to be actionable for players during a practice.

    "All the way from making sure that a specific player is achieving the results that they're looking for and showing that through data, or finding opportunities for the coaching staff. This is the manifestation of it in real life. Our ultimate goal with the coaches was to be able to take what was on emails or in a report and sometimes even in text message and actually implement it into practice."

    Read the full story on Spiceworks Insights.

    How MLSE enhances the Toronto Raptors' competitiveness with data-driven practices (cont.)

    Humza Teherany, Chief Technology Officer, MLSE

    MLSE's Digital Labs team architects its data insights pipeline on top of cloud services. Amazon Web Services Rekognition provides cognitive vision analysis from video and Amazon Kinesis provides the video processing capabilities. Beyond the court, MLSE uses data to enhance the fan experience, explains CTO Humza Teherany. It begins with having meaningful business goals about where technology can provide the most value. He starts by engaging the leadership of the organization and considering the "art of the possible" when it comes to using technology to unlock their goals.

    Humza Teherany (left) and Christian Magsisi lead MLSE's digital efforts for the pro sports teams owned by the group, including the Toronto Raptors, Toronto Maple Leafs, and Toronto Argonauts. (Photo by Brian Jackson).

    Read the full story on Spiceworks Insights.

    "Our first goal in the entire buildup of the Digital Labs organization has been to support MLSE and all of our teams. We like to do things first. We leverage our own technology to make things better for our fans and for our teams to complete and find incremental advantages where possible."
    Humza Teherany,
    Chief Technology Officer, MLSE

    From priorities to action

    Go deeper on pursuing your priorities by improving the associated capabilities.

    Improve Data Quality

    The performance of AI-assisted tools depends on mature IT operations processes and reliable data sets. Standardize service management processes and build a knowledgebase of structured content to prepare for AI-assisted IT operations.

    Prepare for Cognitive Service Management

    Improve Business Intelligence and Reporting

    Explore the enterprise chatbots that are available to not only assist with customer interactions but also help your employees find the resources they need to do their jobs and retrieve data in real time.

    Explore the best chatbots software

    Improve Data Architecture

    Understand if you are ready to embark on the AI journey and what business use cases are appropriate for AI. Plan around the organization's maturity in people, tools, and operations for delivering the correct data, model development, and model deployment and managing the models in the operational areas.

    Create an Architecture for AI

    Go all in on zero-trust security

    Priority 03

    • BAI09 ASSET MANAGEMENT
    • APO08 STAKEHOLDER RELATIONS
    • MEA03 EXTERNAL COMPLIANCE

    Adopt zero-trust architecture as the new security paradigm across your IT stack and from an organizational risk management perspective.

    Putting faith in zero trust

    The push toward a zero-trust security framework is becoming necessary for organizations for several different reasons over the past couple of years. As the pandemic forced workers away from offices and into their homes, perimeter-based approaches to security were challenged by much wider network footprints and the need to identify users external to the firewall. Supply-chain security became more of a concern with notable attacks affecting many thousands of firms, some with severe consequences. Finally, the regulatory pressure to implement zero trust is rising following President Joe Biden's 2021 Executive Order on Improving the Nation's Cybersecurity. It directs federal agencies to implement zero trust. That will impact any company doing business with the federal government, and it's likely that zero trust will propagate through other government agencies in the years ahead. Zero-trust architecture can also help maintain compliance around privacy-focused regulations concerned about personal data (CSO Online, 2022).

    IT professionals are modestly confident that they can meet new government legislation regarding cybersecurity requirements. When asked to rank their confidence on a scale of one to five, the most common answer was 3 out of 5 (38.5%). The next most common answer was 4 out of 5 (33.3%).

    Zero-trust barriers:
    Talent shortage and lack of leadership involvement

    Out of a list of challenges, IT professionals are most concerned with talent shortages leading to capacity constraints in cybersecurity. Fifty-four per cent say they are concerned or very concerned with this issue. Implementing a new zero-trust framework for security will be difficult if capacity only allows for security teams to respond to incidents.

    The next most pressing concern is that cyber risks are not on the radar of executive leaders or the board of directors, with 46% of IT pros saying they are concerned or very concerned. Since zero-trust requires that organizations take an enterprise risk management approach to cybersecurity and involve top decision makers, this reveals another area where organizations may fall short of achieving a zero-trust environment.

    How confident are you that your organization is prepared to meet current and future government legislation regarding cybersecurity requirements? A circle graph is shown with 68.6% colored dark green, and the words: AVG 3.43 written inside the graph.
    a bar graph showing the confidence % for numbers 1-5
    54%

    of IT professionals are concerned with talent shortages leading to capacity constraints in cybersecurity.
    46%

    of IT professionals are concerned that cyber risks are not on the radar of executive leaders or the board of directors.

    Zero trust mitigates risk while removing friction

    A zero-trust approach to security requires organizations to view cybersecurity risk as part of its overall risk framework. Both CIOs and their supervisors agree that IT-related risks are a pain point. When asked to rate the severity of pain points, 58% of CIOs rated IT-related business risk incidents as a minor pain or major pain. Their supervisors were more concerned, with 61% rating it similarly. Enterprises can mitigate this pain point by involving top levels of leadership in cybersecurity planning.

    Organizations can be wary about implementing new security measures out of concern it will put barriers between employees and what they need to work. Through a zero-trust approach that focuses on identity verification, friction can be avoided. Overall, IT organizations did well to provide security without friction for stakeholders over the past 18 months. Results from Info-Tech's CIO Business Vision Diagnostic shows that stakeholders almost all agree friction due to security practices are acceptable. The one area that stands to be improved is remote/mobile device access, where 78.3% of stakeholders view the friction as acceptable.

    A zero-trust approach treats user identity the same regardless of device and whether it is inside or outside of the corporate network. This can remove friction when workers are looking to connect remotely from a mobile device.

    IT-related business risk incidents viewed as a pain point

    CXO 61%
    CIO 58%

    Business stakeholders rate security friction levels as acceptable

    A bar graph is depicted with the following dataset: Regulatory Compliance: 93.80%; Office/Desktop Computing: 86.50%;Data Access/Integrity: 86.10%; Remote/Mobile Device Access: 78.30%;

    CIO Business Vision Diagnostic, N=259

    Opportunities

    Move to identity-driven access control

    Today's approach to access control on the network is to allow every device to exchange data with every other device. User endpoints and servers talk to each other directly without any central governance. In a zero-trust environment, a centralized zero-trust network access broker provides one-to-one connectivity. This allows servers to rest offline until needed by a user with the right access permissions. Users verify their identity more often as they move throughout the network. The user can access the resources and data they need with minimal friction while protecting servers from unauthorized access. Log files are generated for analysis to raise alerts about when an authorized identity has been compromised.

    Protect data with just-in-time authentication

    Many organizations put process in place to make sure data at rest is encrypted, but often when users copy that data to their own devices, it becomes unencrypted, allowing attackers opportunities to exfiltrate sensitive data from user endpoints. Moving to a zero-trust environment where each data access is brokered by a central broker allows for encryption to be preserved. Parties accessing a document must exchange keys to gain access, locking out unauthorized users that don't have both sets of keys to decrypt the data (MIT Lincoln Laboratory, 2022).

    Harness free and open-source tools to deploy zero trust

    IT teams may not be seeing a budget infusion to invest in a new approach to security. By making use of the many free and open-source tools available, they can bootstrap their strategy into reality. Here's a list to get started:

    PingCastle Wrangle your Active Directory and find all the domains that you've long since forgotten about and manage the situation appropriately. Also builds a spoke-and-hub map of your Active Directory.

    OpenZiti Create an overlay network to enable programmable networking that supports zero trust.

    Snyk Developers can automatically find and fix vulnerabilities before they commit their code. This vendor offers a free tier but users that scale up will need to pay.

    sigstore Open-source users and maintainers can use this solution to verify the code they are running is the code the developer intended. Works by stitching together free services to facilitate software signing, verify against a transparent ledger, and provide auditable logs.

    Microsoft's SBOM generation tool A software bill of materials is a requirement in President Biden's Executive Order, intended to provide organizations with more transparency into their software components by providing a comprehensive list. Microsoft's tool will work with Windows, Linux, and Mac and auto-detect a longlist of software components, and it generates a list organized into four sections that will help organizations comprehend their software footprint.

    Risks

    Organizational culture change to accommodate zero trust

    Zero trust requires that top decision makers get involved in cybersecurity by treating it as an equal consideration of overall enterprise risk. Not all boards will have the cybersecurity expertise required, and some executives may not prioritize cybersecurity despite the warnings. Organizations that don't appoint a chief information security officer (CISO) role to drive the cybersecurity agenda from the top will be at risk of cybersecurity remaining an afterthought.

    Talent shortage

    No matter what industry you're in or what type of organization you run, you need cybersecurity. The demand for talent is very high and organizations are finding it difficult to hire in this area. Without the talent needed to mature cybersecurity approaches to a zero-trust model, the focus will remain on foundational principles of patch management to eliminate vulnerabilities and intrusion prevention. Smaller organizations may want to consider a "virtual CISO" that helps shape the organizational strategy on a part-time basis.

    Social engineering

    Many enterprise security postures remain vulnerable to an attack that commandeers an employee's identity to infiltrate the network. Hosted single sign-on models provide low friction and continuity of identity across applications but also offer a single point of failure that hackers can exploit. Phishing scams that are designed to trick an employee into providing their credentials to a fake website or to just click on a link that delivers a malware payload are the most common inroads that criminals take into the corporate network. Being aware of how user behavior influences security is crucial.

    CASE STUDY
    Engage the entire organization with cybersecurity awareness

    Serge Suponitskiy, CIO, Brosnan Risk Consultants

    Brosnan provides private security services to high-profile clients and is staffed by security experts with professional backgrounds in intelligence services and major law enforcement agencies. Safe to say that security is taken seriously in this culture and CIO Serge Suponitskiy makes sure that extends to all back-office staff that support the firm's activities. He's aware that people are often the weakest link in a cybersecurity posture and are prone to being fooled by a phishing email or even a fraudulent phone call. So cybersecurity training is an ongoing activity that takes many forms. He sends out a weekly cybersecurity bulletin that features a threat report and a story about the "scam of the week." He also uses KnowBe4, a tool that simulates phishing attacks and trains employees in security awareness. Suponitskiy advises reaching out to Marketing or HR for help with engaging employees and finding the right learning opportunities.

    "What is financially the best solution to protect yourself? It's to train your employees. … You can buy all of the tools and it's expensive. Some of the prices are going up for no reason. Some by 20%, some by 50%, it's ridiculous. So, the best way is to keep training, to keep educating, and to reimagine the training. It's not just sending this video that no one clicks on or posting a poster no one looks at. … Given the fact we're moving into this recession world, and everyone is questioning why we need to spend more, it's time to reimagine the training approach."

    CASE STUDY
    Focus on micro-segmentation as the foundation of zero trust

    David Senf, National Cybersecurity Strategist, Bell

    As a cybersecurity analyst and advisor that works with Bell's clients, David Senf sees zero-trust security as an opportunity for organizations to put a strong set of mitigating controls in place to defend against the thorny challenge of reducing vulnerabilities in their software supply chain. With major breaches being linked to widely used software in the past couple of years, security teams might find it effective to focus on a different layer of security to prevent certain breaches. With security policy being enforced at a narrow point/perimeter, attacks are in essence blocked from exploiting application vulnerabilities (e.g. you can't exploit what you can see). Organizations must still ensure there is a solid vulnerability management program in place, but surrounding applications with other controls is critical. One aspect of zero trust, micro-segmentation, which is an approach to network management, can limit the damage caused by a breach. The solutions help to map out and protect the different connections between applications that could otherwise be abused for discovery or lateral movement. Senf advises that knowing your inventory of software and the interdependencies between applications is the first step on a zero-trust journey, before putting protection and detection in place.

    "Next year will be a year of a lot more ZTNA, zero-trust network access, being deployed. So, I think that will give organizations more of an understanding of what zero trust is as well, from a really basic perspective. If I can just limit what applications you can see and no one can even see that application, it's undiscoverable because I've got that ZTNA solution in place. … I would see that as a leading area of deployment and coming to understand what zero trust is in 2023."

    From priorities to action

    Go deeper on pursuing your priorities by improving the associated capabilities.

    Improve Asset Management

    Enable reduced friction in the remote user experience by underpinning it with a hardware asset management program. Creating an inventory of devices and effectively tracking them will aid in maintaining compliance, result in stronger policy enforcement, and reduce the harm of a lost or stolen device.

    Implement Hardware Asset Management

    Improve Stakeholder Relations

    Communicate the transition from a perimeter-based security approach to an "Always Verify" approach with a clear roadmap toward implementation. Map key protect surfaces to business goals to demonstrate the importance of zero-trust security in helping the organization succeed. Help the organization's top leadership build awareness of cybersecurity risk.

    Build a Zero Trust Roadmap

    Improve External Compliance

    Manage the challenge of meeting new government requirements to implement zero-trust security and other data protection and cybersecurity regulations with a compliance program. Create a control environment that aligns multiple compliance regimes, and be prepared for IT audits.

    Build a Security Compliance Program

    Engage employees in the digital age

    Priority 04

    • ITRG02 LEADERSHIP, CULTURE, AND VALUES
    • BAI05 ORGANIZATIONAL CHANGE MANAGEMENT
    • APO03 ENTERPRISE ARCHITECTURE

    Lead a strong culture through digital means to succeed in engaging the hybrid workforce.

    The new deal for employers in a hybrid work world

    Necessity is the mother of innovation.

    The pandemic's disruption for non-essential workers looks to have a long-lasting, if not permanent, effect on the relationship between employer and employee. The new bargain for almost all organizations is a hybrid work reality, with employees splitting time between the office and working remotely, if not working remotely full-time. IT is in a unique position in the organization as it must not only contend with the shift to this new deal with its own employees but facilitate it for the entire organization.

    With 90% of organizations embracing some form of hybrid work, IT leaders have an opportunity to shift from coping with the new work reality to finding opportunities to improve productivity. Organizations that embrace a hybrid model for their IT departments see a more effective IT department. Organizations that offered no remote work for IT rated their IT effectiveness on average 6.2 out of 10, while organizations with at least 10% of IT roles in a hybrid model saw significantly higher effectiveness. At minimum, organizations with between 50%-70% of IT roles in a hybrid model rated their effectiveness at 6.9 out of 10.

    IT achieved this increase in effectiveness during a disruptive time that often saw IT take on a heavier burden. Remote work required IT to support more users and be involved in facilitating more work processes. Thriving through this challenging time is a win that's worth sharing with the rest of the organization.

    90% of organizations are embracing some form of hybrid work.

    IT's effectiveness compared to % working hybrid or remotely

    A bar graph is shown which compares the effectiveness of IT work with hybrid and full remote work, compared to No Remote Work for IT.

    High effectiveness doesn't mean high engagement

    Despite IT's success with hybrid work, CIOs are more concerned about their staff sufficiency, skill, and engagement than their supervisors. Among clients using our CEO-CIO Alignment Diagnostic, 49% of CIOs considered this issue a major pain point compared to only 32% of CXOs. While IT staff are more effective than ever, even while carrying more of a burden in the digital age, CIOs are still looking to improve staff engagement.

    Info-Tech's State of Hybrid Work Survey illuminates further details about where IT leaders are concerned for their employee engagement. About four in ten IT leaders say they are concerned for employee wellbeing, and almost the same amount say they are concerned they are not able to see signs that employees are demotivated (N=518).

    Boosting IT employees' engagement levels to match their effectiveness will require IT leaders to harness all the tools at their disposal. Communicating culture and effectively managing organizational change in the digital age is a real test of leadership.

    Staff sufficiency, skill, and engagement issues as a major pain point

    CXO 32%
    CIO 49%

    CEO-CIO Alignment Diagnostic

    Opportunities

    Drive effectiveness with a hybrid environment

    IT leaders concerned about the erosion of culture and connectedness due to hybrid work can mitigate those effects with increased and improved communication. Among highly effective IT departments, 55% of IT leaders made themselves highly available through instant messaging chat. Another 54% of highly effective leaders increased team meetings (State of Hybrid Work Survey, n=213). The ability to adapt to the team's needs and use a number of tactics to respond is the most important factor. The greater the number of tactics used to overcome communication barriers, the more effective the IT department (State of Hybrid Work Survey, N=518).

    Modernize the office conference room

    A hybrid work approach emphasizes the importance of not only the technology in the office conference room but the process around how meetings are conducted. Creating an equal footing for all participants regardless of how they join is the goal. In pursuit of that, 63% of organizations say they have made changes or upgrades to their conference room technology (n=496). The conferencing experience can influence employee engagement and work culture and enhance collaboration. IT should determine if the business case exists for upgrades and work to decrease the pain of using legacy solutions where possible (State of Hybrid Work in IT: A Trend Report).

    Understand the organizational value chain

    Map out the value chain from the customer perspective and then determine the organizational capabilities involved in delivering on that experience. It is a useful tool for helping IT staff understand how they're connected to the customer experience and organizational mission. It's crucial to identify opportunities to resolve pain points and create more efficiency throughout the organization.

    Risks

    Talent rejects the working model

    Many employees that experienced hybrid work over the past couple of years are finding it's a positive development for work/life balance and aren't interested in a full-time return to the office. Organizations that insist on returning all employees to the office all the time may find that employees choose to leave the organization. Similarly, it could be hard to hire IT talent in a competitive market if the position is required to be onsite every day. Most organizations are providing flexible options to employees and finding ways to manage work in the new digital age.

    Wasted expense on facilities

    Organizations may choose to keep their physical office only to later realize that no one is going to work there. While providing an office space can help foster positive culture through valuable face time, it has to be used intentionally. Managers should plan for specific days that their teams will meet in the office and make sure that work activities take advantage of everyone being in the same place at the same time. Asking everyone to come in so that they can be on a videoconference meeting in their cubicle isn't the point.

    Isolated employees and teams

    Studies on a remote work environment show it has an impact on how many connections each employee maintains within the company. Employees still interact well within their own teams but have fewer interactions across departments. Overall, workers are likely to collaborate just as often as they did when working in the office but with fewer other individuals at the company. Keep the isolating effect of remote work in mind and foster collaboration and networking opportunities across different departments (BBC News, 2022).

    CASE STUDY
    Equal support of in-office and remote work

    Roberto Eberhardt, CIO, Ontario Legislative Assembly

    Working in the legislature of the Ontario provincial government, CIO Roberto Eberhardt's staff went from a fully onsite model to a fully remote model at the outset of the pandemic. Today he's navigating his path to a hybrid model that's somewhere in the middle. His approach is to allow his business colleagues to determine the work model that's needed but to support a technology environment that allows employees to work from home or in the office equally. Every new process that's introduced must meet that paradigm, ensuring it will work in a hybrid environment. For his IT staff, he sees a culture of accountability and commitment to metrics to drive performance measurement as key to the success of this new reality.

    "While it's good in a way, the challenge for us is it became a little more complex because you have to account for all those things in the office environment and in the remote work approach. Everything you do now, you have to say OK well how is this going to work in this world and how will it work in the other world?"

    Creating purpose for IT through strategy

    Mike Russell, Virginia Community College System

    At the Virginia Community College System (VCCS), CIO Mike Russell's IT team supports an organization that governs and delivers services to all community colleges in the state. Russell sees his IT team's purpose as being driven by the organization's mission to ensure success throughout the entire student journey, from enrolment to becoming employed after graduation. That customer-focused mindset starts from the top-level leadership, the chancellor, and the state governor. The VCCS maintains a six-year business plan that informs IT's strategic plan and aligns IT with the mission, and both plans are living documents that get refreshed every two years. Updating the plans provides opportunities for the chancellor to engage the organization and remind everyone of the purpose of their work.

    "The outcome isn't the degree. The outcome we're trying to measure is the job. Did you get the job that you wanted? Whether it's being re-employed or first-time employment, did you get what you were after?"

    From priorities to action

    Go deeper on pursuing your priorities by improving the associated capabilities.

    Improve Leadership, Culture, and Values

    Help leaders manage their teams effectively in a hybrid environment by providing them with the right tools and tactics to manage the challenges of hybrid work. Focus on promoting teamwork and fostering connection.

    Prepare People Leaders for the Hybrid Work Environment

    Improve Organizational Change Management

    Assign accountability for managing the changes that the organization is experiencing in the digital age. Make a people-centric approach that takes human behavior into account and plans to address different needs in different ways. Be proactive about change.

    Master Organizational Change Management Practices

    Improve Enterprise Architecture

    Develop a foundation for aligning IT's activities with business value by creating a right-sized enterprise architecture approach that isn't heavy on bureaucracy. Drive IT's purpose by illustrating how their work contributes to the overall mission and the customer experience.

    Create a Right-Sized Enterprise Architecture Governance Framework

    Shape the IT organization to improve customer experience

    PRIORITY 05

    • BAI03 ENTERPRISE APPLICATION SELECTION & IMPLEMENTATION
    • MEA01 PERFORMANCE MEASUREMENT
    • ITRG01 IT ORGANIZATIONAL DESIGN

    Tightly align the IT organization with the organization's value chain from a customer perspective.

    IT's value is defined by faster, better, bigger

    The pandemic motivated organizations to accelerate their digital transformation efforts, digitalizing more of their tasks and organizing the company's value chain around satisfying the customer experience. Now we see organizations taking their foot off the gas pedal of digitalization and shifting their focus to extracting the value from their investments. They want to execute on the digital transformation in their operations and realize the vision they set out to achieve.

    In our Trends Report we compared the emphasis organizations are putting on digitalization to last year. Overall, we see that most organizations shifted fewer of their processes to digital in the past year.

    We also asked organizations what motivated their push toward automation. The most common drivers are to improve efficiency, with almost seven out of ten organizations looking to increase staff on high-level tasks by automating repetitive tasks, 67% also wanting to increase productivity without increasing headcount, and 59% wanting to reduce errors being made by people. In addition, more than half of organizations pursued automation to improve customer satisfaction.

    What best describes your main motivation to pursue automation, above other considerations?

    A bar graph is depicted showing the following dataset: Increase staff focus on high-level tasks by automating repetitive tasks: 69%; Increase productivity of existing staff to avoid increasing headcount: 67%; Reduce errors made by people: 59%; Improve customer satisfaction: 52%; Achieve cost savings through reduction in headcount: 35%; Increase revenue by enabling higher volume of work: 30%

    Tech Trends 2023 Survey

    To what extent did your organization shift its processes from being manually completed to digitally completed during past year?

    A bar graph is depicted showing the extent to which organizations shifted processes from manual to digital during the past year for 2022 and 2023, from Tech Trends 2023 Survey

    With the shift in focus from implementing new applications to support digital transformation to operating in the new environment, IT must shift its own focus to help realize the value from these systems. At the same time, IT must reorganize itself around the new value chain that's defined by a customer perspective.

    IT struggles to deliver business value or support innovation

    Many current IT departments are structured around legacy processes that hinder their ability to deliver business value. CIOs are trying to grapple with the misalignment between the modern business structure and keep up with the demands for innovation and agility.

    Almost nine in ten CIOs say that business frustration with IT's failure to deliver value is a pain point. Their supervisors have a slightly more favorable opinion, with 76% agreeing that it is a pain point.

    Similarly, nine in ten CIOs say that IT limits affecting business innovation and agility is a pain point, while 81% of their supervisors say the same.

    Supervisors say that IT should "ensure benefits delivery" as the most important process (CEO-CIO Alignment Program). This underlines the need to achieve alignment, optimize service delivery, and facilitate innovation. The pain points identified here will need to be resolved to make this possible.

    IT departments will need to contend with a tight labor market and economic volatility in the year ahead. If this drives down resource capacity, it will be even more critical to tightly align with the organization.

    Views business frustration with IT failure to deliver value as a pain point

    CXO 76%
    CIO 88%

    Views IT limits affecting business innovation and agility as a pain point

    CXO 81%
    CIO

    90%

    CEO-CIO Alignment Program

    Opportunities

    Define IT's value by its contributions to enterprise value

    Communicate the performance of IT to stakeholders by attributing positive changes in enterprise value to IT initiatives. For example, if a digital channel helped increase sales in one area, then IT can claim some portion of that revenue. If optimization of another process resulted in cost savings, then IT can claim that as a contribution toward the bottom line. CIOs should develop their handle on how KPIs influence revenues and costs. Keeping tabs on normalized year-over-year revenue comparisons can help demonstrate that IT contributions are making an impact on driving profitability.

    Go with buy versus build if it's a commodity service

    Most back-office functions common to operating a company can be provided by cloud-based applications accessed through a web browser. There's no value in having IT spend time maintaining on-premises applications that require hosting and ongoing maintenance. Organizations that are still accruing technical debt and are unable to modernize will increasingly find it is negatively impacting employee experience, as users expect their working experience to be similar to their experience with consumer applications. In addition, IT will continue to have capacity challenges as resources will be consumed by maintenance. As they seek to outsource some applications, IT will need to consider the geopolitical risk of certain jurisdictions in selecting a provider.

    Redefine how employee performance is tracked

    The concept of "clocking in" for a shift and spending eight hours a day on the job doesn't help guide IT toward its objectives or create any higher sense of purpose. Leaders must work to create a true sense of accountability by reaching consensus on what key performance indicators are important and tasking staff to improve them. Metrics should clearly link back to business outcomes and IT should understand the role they play in delivering a good customer experience.

    Risks

    Lack of talent available to drive transformation

    CIOs are finding it difficult to hire the talent needed to create the capacity they need as digital demands of their organizations increase. This could slow the pace of change as new positions created in IT go unfilled. CIOs may need to consider reskilling and rebalancing workloads of existing staff in the short term and tap outsourcing providers to help make up shortfalls.

    Resistance to change

    New processes may have been given the official rubber stamp, but that doesn't mean staff are adhering to them. Organizations that reorganize themselves must take steps to audit their processes to ensure they're executed the way they intend. Some employees may feel they are being made obsolete or pushed out of their jobs and become disengaged.

    Short-term increased costs

    Restructuring the organization can come with the need for new tools and more training. It may be necessary to operate with redundant staff for the transitional period. Some additional expenses might be incurred for a brief period as the new structure is being put in place.

    Emphasize the value of IT in driving revenue

    Salman Ali, CIO, McDonald's Germany

    As the new CIO to McDonald's Germany, Salman Ali came on board with an early mandate to reorganize the IT department. The challenge is to merge two organizations together: one that delivers core technology services of infrastructure, security, service desk, and compliance and one that delivers customer-facing technology such as in-store touchscreen kiosks and the mobile app for food delivery. He is looking to organize this new-look department around the technology in the hands of both McDonald's staff and its customers. In conversations with his stakeholders, Ali emphasizes the value that IT is driving rather than discussing the costs that go into it. For example, there was a huge cost in integrating third-party meal delivery apps into the point-of-sales system, but the seamless experience it delivers to customers looking to place an order helps to drive a large volume of sales. He plans to reorganize his department around this value-driven approach. The organization model will be executed with clear accountability in place and key performance indicators to measure success.

    "Technology is no longer just an enabler. It's now a strategic business function. When they talk about digital, they are really talking about what's in the customers' hands and what do they use to interact with the business directly? Digital transformation has given technology a new front seat that's really driving the business."

    CASE STUDY
    Overhauling the "heartbeat" of the organization

    Ernest Solomon, Former CIO, LAWPRO

    LAWPRO is a provider of professional liability insurance and title insurance in Canada. The firm is moving its back-office applications from a build approach to a buy approach and focusing its build efforts on customer-facing systems tied to revenue generation. CIO Ernest Solomon says his team has been developing on a legacy platform for two decades, but it's time to modernize. The firm is replacing its legacy platform and moving to a cloud-based system to address technical debt and improve the experience for staff and customers. The claims and policy management platform, the "heartbeat" of the organization, is moving to a software-as-a-service model. At the same time, the firm's customer-facing Title Plus application is being moved to a cloud-native, serverless architecture. Solomon doesn't see the need for IT to spend time building services for the back office, as that doesn't align with the mission of the organization. Instead, he focuses his build efforts on creating a competitive advantage.

    "We're redefining the customer experience, which is how do we move the needle in a positive direction for all the lawyers that interact with us? How do we generate that value-based proposition and improve their interactions with our organization?"

    From priorities to action

    Go deeper on pursuing your priorities by improving the associated capabilities.

    Improve Enterprise Application Selection & Implementation

    Help leaders manage their teams effectively in a hybrid environment by providing them with the right tools and tactics to manage the challenges of hybrid work. Focus on promoting teamwork and fostering connection.

    Embrace Business-Managed Applications

    Improve Performance Measurement

    Drive the most important IT process in the eyes of supervisors by defining business value and linking IT spend to it. Make benefits realization part of your IT governance.

    Maximize Business Value From IT Through Benefits Realization

    Improve IT Organizational Design

    Showcase IT's value to the business by aligning IT spending and staffing to business functions. Provide transparency into business consumption of IT and compare your spending to your peers'.

    IT Spend & Staffing Benchmarking

    The Five Priorities

    Engage cross-functional leadership to seize opportunity while protecting the organization from volatility.

    1. Adjust IT operations to manage for inflation
    2. Prepare your data pipeline to train AI
    3. Go all in on zero-trust security
    4. Engage employees in the digital age
    5. Shape the IT organization to improve customer experience

    Expert Contributors

    In order of appearance

    Denise Cornish, Associate VP of IT and Deputy COO, Western University of Health Sciences

    Jim Love, CIO, IT World Canada

    Christian Magsisi, Vice President of Venue and Digital Technology, MLSE

    Humza Teherany, Chief Technology Officer, MLSE

    Serge Suponitskiy, CIO, Brosnan Risk Consultants

    David Senf, National Cybersecurity Strategist, Bell

    Roberto Eberhardt, CIO, Ontario Legislative Assembly

    Mike Russell, Virginia Community College System

    Salman Ali, CIO, McDonald's Germany

    Ernest Solomon, Former CIO, LAWPRO

    Bibliography

    Anderson, Brad, and Seth Patton. "In a Hybrid World, Your Tech Defines Employee Experience." Harvard Business Review, 18 Feb. 2022. Accessed 12 Dec. 2022.
    "Artificial Intelligence Is Permeating Business at Last." The Economist, 6 Dec. 2022. Accessed 12 Dec. 2022.
    Badlani, Danesh Kumar, and Adrian Diglio. "Microsoft Open Sources Its Software Bill
    of Materials (SBOM) Generation Tool." Engineering@Microsoft, 12 July 2022. Accessed
    12 Dec. 2022.
    Birch, Martin. "Council Post: Equipping Employees To Succeed In Digital Transformation." Forbes, 9 Aug. 2022. Accessed 7 Dec. 2022.
    Bishop, Katie. "Is Remote Work Worse for Wellbeing than People Think?" BBC News,
    17 June 2022. Accessed 7 Dec. 2022.
    Carlson, Brian. "Top 5 Priorities, Challenges For CIOs To Recession-Proof Their Business." The Customer Data Platform Resource, 19 July 2022. Accessed 7 Dec. 2022.
    "CIO Priorities: 2020 vs 2023." IT PRO, 23 Sept. 2022. Accessed 2 Nov. 2022.
    cyberinsiders. "Frictionless Zero Trust Security - How Minimizing Friction Can Lower Risks and Boost ROI." Cybersecurity Insiders, 9 Sept. 2021. Accessed 7 Dec. 2022.
    Garg, Sampak P. "Top 5 Regulatory Reasons for Implementing Zero Trust."
    CSO Online, 27 Oct. 2022. Accessed 7 Dec. 2022.
    Heikkilä, Melissa. "The Viral AI Avatar App Lensa Undressed Me—without My Consent." MIT Technology Review, 12 Dec. 2022. Accessed 12 Dec. 2022.
    Jackson, Brian. "How the Toronto Raptors Operate as the NBA's Most Data-Driven Team." Spiceworks, 1 Dec. 2022. Accessed 12 Dec. 2022.
    Kiss, Michelle. "How the Digital Age Has Transformed Employee Engagement." Spiceworks,16 Dec. 2021. Accessed 7 Dec. 2022.
    Matthews, David. "EU Hopes to Build Aligned Guidelines on Artificial Intelligence with US." Science|Business, 22 Nov. 2022. Accessed 12 Dec. 2022.
    Maxim, Merritt. "New Security & Risk Planning Guide Helps CISOs Set 2023 Priorities." Forrester, 23 Aug. 2022. Accessed 7 Dec. 2022.
    Miller, Michael J. "Gartner Surveys Show Changing CEO and Board Concerns Are Driving a Different CIO Agenda for 2023." PCMag, 20 Oct. 2022. Accessed 2 Nov. 2022.
    MIT Lincoln Laboratory. "Overview of Zero Trust Architectures." YouTube,
    2 March 2022. Accessed 7 Dec. 2022.
    MIT Technology Review Insights. "CIO Vision 2025: Bridging the Gap between BI and AI." MIT Technology Review, 20 Sept. 2022. Accessed 1 Nov. 2022.
    Paramita, Ghosh. "Data Architecture Trends in 2022." DATAVERSITY, 22 Feb. 2022. Accessed 7 Dec. 2022.
    Rosenbush, Steven. "Cybersecurity Tops the CIO Agenda as Threats Continue to Escalate - WSJ." The Wall Street Journal, 17 Oct. 2022. Accessed 2 Nov. 2022.
    Sacolick, Isaac. "What's in the Budget? 7 Investments for CIOs to Prioritize." StarCIO,
    22 Aug. 2022. Accessed 2 Nov. 2022.
    Singh, Yuvika. "Digital Culture-A Hurdle or A Catalyst in Employee Engagement." International Journal of Management Studies, vol. 6, Jan. 2019, pp. 54–60. ResearchGate, https://doi.org/10.18843/ijms/v6i1(8)/08.
    "Talent War Set to Become Top Priority for CIOs in 2023, Study Reveals." CEO.digital,
    8 Sept. 2022. Accessed 7 Dec. 2022.
    Tanaka, Rodney. "WesternU COMP and COMP-Northwest Named Apple Distinguished School." WesternU News. 10 Feb. 2022. Accessed 12 Dec. 2022.
    Wadhwani, Sumeet. "Meta's New Large Language Model Galactica Pulled Down Three Days After Launch." Spiceworks, 22 Nov. 2022. Accessed 12 Dec. 2022.
    "World Economic Outlook." International Monetary Fund (IMF), 11 Oct. 2022. Accessed
    14 Dec. 2022.

    Asset Management

    • Buy Link or Shortcode: {j2store}1|cart{/j2store}
    • Related Products: {j2store}1|crosssells{/j2store}
    • Up-Sell: {j2store}1|upsells{/j2store}
    • Download01-Title: Asset Management Executive Brief
    • Download-01: Visit Link
    • member rating overall impact: 9.1/10
    • member rating average dollars saved: $16,518
    • member rating average days saved: 19
    • Parent Category Name: Infra and Operations
    • Parent Category Link: /infra-and-operations
    • byline: IT Asset management is dynamic by nature. Create your own proactive program.
    Asset management has a clear impact on the financials of your company. Clear insights are essential to keep your spending at the right level.

    Asset Management

    Manage the Active Directory in the Service Desk

    • Buy Link or Shortcode: {j2store}489|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Service Desk
    • Parent Category Link: /service-desk
    • Actively maintaining the Active Directory is a difficult task that only gets more difficult with issues like stale accounts and privilege creep.
    • Adding permissions without removing them in lateral transfers creates access issues, especially when regulatory requirements like HIPAA require tight controls.
    • With the importance of maintaining and granting permissions within the Active Directory, organizations are hesitant to grant domain admin access to Tier 1 of the service desk. However, inundating Tier 2 analysts with requests to grant permissions takes away project time.

    Our Advice

    Critical Insight

    • Do not treat the Active Directory like a black box. Strive for accurate data and be proactive by managing your monitoring and audit schedules.
    • Catch outage problems before they happen by splitting monitoring tasks between daily, weekly, and monthly routines.
    • Shift left to save resourcing by employing workflow automation or scripted authorization for Tier 1 technicians.
    • Design actionable metrics to monitor and manage your Active Directory.

    Impact and Result

    • Consistent and right-sized monitoring and updating of the Active Directory is key to clean data.
    • Split monitoring activities between daily, weekly, and monthly checklists to raise efficiency.
    • If need be, shift-left strategies can be implemented for identity and access management by scripting the process so that it can be done by Tier 1 technicians.

    Manage the Active Directory in the Service Desk Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should manage your Active Directory in the service desk, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Maintain your Active Directory with clean data

    Building and maintaining your Active Directory does not have to be difficult. Standardized organization and monitoring with the proper metrics help you keep your data accurate and up to date.

    • Active Directory Standard Operating Procedure
    • Active Directory Metrics Tool

    2. Structure your service desk Active Directory processes

    Build a comprehensive Active Directory workflow library for service desk technicians to follow.

    • Active Directory Process Workflows (Visio)
    • Active Directory Process Workflows (PDF)
    [infographic]

    Select an EA Tool Based on Business and User Need

    • Buy Link or Shortcode: {j2store}274|cart{/j2store}
    • member rating overall impact: 10.0/10 Overall Impact
    • member rating average dollars saved: $62,999 Average $ Saved
    • member rating average days saved: 18 Average Days Saved
    • Parent Category Name: Architecture Domains
    • Parent Category Link: /architecture-domains
    • A mature EA function is increasingly becoming an organizational priority to drive innovation, provide insight, and define digital capabilities.
    • Proliferation of digital technology has increased complexity, straining the EA function to deliver insights.
    • An EA tool increases the efficiency with which the EA function can deliver insights, but a large number of organizations have not a selected an EA tool that suits their needs.

    Our Advice

    Critical Insight

    • EA tool value largely comes from tying organizational context and requirements to the selection process.
    • Organizations that have selected an EA tool often fail to have it adopted and show its true value. To ensure successful adoption and value delivery, the EA tool selection process must account for the needs of business stakeholders and tool users.

    Impact and Result

    • Link the need for the EA tool to your organization’s EA value proposition. The connection enables the EA tool to address the future needs of stakeholders and the design style of the EA team.
    • Use Info-Tech’s EA Solution Recommendation Tool to create a shortlist of EA tools that is suited to the preferences of the organization.
    • Gather additional information on the shortlist of EA tool vendors to narrow down the selection using the EA Tool Request for Information Template.

    Select an EA Tool Based on Business and User Need Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should procure an EA tool in the digital age, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    • Select an EA Tool Based on Business and User Need – Executive Brief
    • Select an EA Tool Based on Business and User Need – Phases 1-3

    1. Make the case

    Decide if an EA tool is needed in your organization and define the requirements of EA tool users.

    • Select an EA Tool Based on Business and User Need – Phase 1: Make the Case
    • EA Value Proposition Template
    • EA Tool User Requirements Template

    2. Shortlist EA tools

    Determine your organization’s preferences in terms of product capabilities and vendor characteristics.

    • Select an EA Tool Based on Business and User Need – Phase 2: Shortlist EA Tools
    • EA Solution Recommendation Tool

    3. Select and communicate the process

    Gather information on shortlisted vendors and make your final decision.

    • Select an EA Tool Based on Business and User Need – Phase 3: Select and Communicate the Process
    • EA Tool Request for Information Template
    • EA Tool Demo Script Template
    • Request for Proposal (RFP) Template
    • EA Tool Selection Process Template
    [infographic]

    Master Contract Review and Negotiation for Software Agreements

    • Buy Link or Shortcode: {j2store}170|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Vendor Management
    • Parent Category Link: /vendor-management
    • Internal stakeholders usually have different – and often conflicting – needs and expectations that require careful facilitation and management.
    • Vendors have well-honed negotiating strategies. Without understanding your own position and leverage points, it’s difficult to withstand their persuasive – and sometimes pushy – tactics.
    • Software – and software licensing – is constantly changing, making it difficult to acquire and retain subject matter expertise.

    Our Advice

    Critical Insight

    • Conservatively, it’s possible to save 5% of the overall IT budget through comprehensive software contract review.
    • Focus on the terms and conditions, not just the price.
    • Learning to negotiate is crucial.

    Impact and Result

    • Look at your contract holistically to find cost savings.
    • Guide communication between vendors and your organization for the duration of contract negotiations.
    • Redline the terms and conditions of your software contract.
    • Prioritize crucial terms and conditions to negotiate.

    Master Contract Review and Negotiation for Software Agreements Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out how to redline and negotiate your software agreement, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Gather requirements

    Build and manage your stakeholder team, then document your business use case.

    • Master Contract Review and Negotiation for Software Agreements – Phase 1: Gather Requirements
    • RASCI Chart
    • Vendor Communication Management Plan
    • Software Business Use Case Template
    • SaaS TCO Calculator

    2. Redline contract

    Redline your proposed software contract.

    • Master Contract Review and Negotiation for Software Agreements – Phase 2: Redline Contract
    • Software Terms & Conditions Evaluation Tool
    • Software Buyer's Checklist

    3. Negotiate contract

    Create a thorough negotiation plan.

    • Master Contract Review and Negotiation for Software Agreements – Phase 3: Negotiate Contract
    • Controlled Vendor Communications Letter
    • Key Vendor Fiscal Year End Calendar
    • Contract Negotiation Tactics Playbook
    [infographic]

    Workshop: Master Contract Review and Negotiation for Software Agreements

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Collect and Review Data

    The Purpose

    Assemble documentation.

    Key Benefits Achieved

    Understand current position before going forward.

    Activities

    1.1 Assemble existing contracts.

    1.2 Document their strategic and tactical objectives.

    1.3 Identify current status of the vendor relationship and any historical context.

    1.4 Clarify goals for ideal future state.

    Outputs

    Business Use Case

    2 Define Business Use Case and Build Stakeholder Team

    The Purpose

    Define business use case and build stakeholder team.

    Key Benefits Achieved

    Create business use case to document functional and nonfunctional requirements.

    Build internal cross-functional stakeholder team to negotiate contract.

    Activities

    2.1 Establish negotiation team and define roles.

    2.2 Write communication plan.

    2.3 Complete business use case.

    Outputs

    RASCI Chart

    Vendor Communication Management Plan

    SaaS TCO Calculator

    Software Business Use Case

    3 Redline Contract

    The Purpose

    Examine terms and conditions and prioritize for negotiation.

    Key Benefits Achieved

    Discover cost savings.

    Improve agreement terms.

    Prioritize terms for negotiation.

    Activities

    3.1 Review general terms and conditions.

    3.2 Review license- and application-specific terms and conditions.

    3.3 Match to business and technical requirements.

    3.4 Redline agreement.

    Outputs

    Software Terms & Conditions Evaluation Tool

    Software Buyer’s Checklist

    4 Build Negotiation Strategy

    The Purpose

    Create a negotiation strategy.

    Key Benefits Achieved

    Establish controlled communication.

    Choose negotiation tactics.

    Plot negotiation timeline.

    Activities

    4.1 Review vendor- and application-specific negotiation tactics.

    4.2 Build negotiation strategy.

    Outputs

    Contract Negotiation Tactics Playbook

    Controlled Vendor Communications Letter

    Key Vendor Fiscal Year End Calendar

    COVID-19 Work Status Tracking Guide

    • Buy Link or Shortcode: {j2store}594|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Manage & Coach
    • Parent Category Link: /manage-coach
    • Keeping track of the multiple and frequently changing work arrangements on your team.
    • Ensuring you have a fast and easy way to keep an up-to-date record of where and how employees are working.

    Our Advice

    Critical Insight

    • During these critical times, keeping track of employees’ work status doesn’t have to be complicated – the right tool is one that does the job.
    • Keeping track of your employees is a health and safety issue – deployed well, it is an aid in keeping the business running and an additional communication channel, not a sign of lack of trust.

    Impact and Result

    • An Excel spreadsheet is all you need to ensure you have a way to record work arrangements that can change by the day.
    • An easy-to-use tool means minimal administrative overhead to ensuring you have this critical information at hand.

    COVID-19 Work Status Tracking Guide Research & Tools

    Start here – read the Work Status Tracking Guide

    Read our recommendations and use the accompanying tool to quickly get a handle on your team’s work arrangements.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    • COVID-19 Work Status Tracking Guide Storyboard
    • COVID-19 Work Status Tracking Tool
    [infographic]

    Make Your IT Governance Adaptable

    • Buy Link or Shortcode: {j2store}359|cart{/j2store}
    • member rating overall impact: 8.0/10 Overall Impact
    • member rating average dollars saved: $123,499 Average $ Saved
    • member rating average days saved: 10 Average Days Saved
    • Parent Category Name: IT Governance, Risk & Compliance
    • Parent Category Link: /it-governance-risk-and-compliance
    • People don’t understand the value of governance, seeing it as a hindrance to productivity and efficiency.
    • Governance is delegated to people and practices that don’t have the ability or authority to make these decisions.
    • Decisions are made within committees that don’t meet frequently enough to support business velocity.
    • It is difficult to allocate time and resources to build or execute governance effectively.

    Our Advice

    Critical Insight

    • IT governance applies not just to the IT department but to all uses of information and technology.
    • IT governance works against you if it no longer aligns with or supports your organizational direction, goals, and work practices.
    • Governance doesn’t have to be bureaucratic or control based.
    • Your governance model should be able to adapt to changes in the organization’s strategy and goals, your industry, and your ways of working.
    • Governance can be embedded and automated into your practices.

    Impact and Result

    • You will produce more value from IT by developing a governance framework optimized for your current needs and context, with the ability to adapt as your needs shift.
    • You will create the foundation and ability to delegate and empower governance to enable agile delivery.
    • You will identify areas where governance does not require manual oversight and can be embedded into the way you work.

    Make Your IT Governance Adaptable Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Make Your IT Governance Adaptable Deck – A document that walks you through how to design and implement governance that fits the context of your organization and can adapt to change.

    Our dynamic, flexible, and embedded approach to governance will help drive organizational success. The three-phase methodology will help you identify your governance needs, select and refine your governance model, and embed and automate governance decisions.

    • Make Your IT Governance Adaptable – Phases 1-3

    2. Adaptive and Controlled Governance Model Templates and Workbook – Documents that gather context information about your organization to identify the best approach for governance.

    Use these templates and workbook to identify the criteria and design factors for your organization and the design triggers to maintain fit. Upon completion this will be your new governance framework model.

    • Controlled Governance Models Template
    • IT Governance Program Overview
    • Governance Workbook

    3. Implementation Plan and Workbook – Tools that help you build and finalize your approach to implement your new or revised governance model.

    Upon completion you will have a finalized implementation plan and a visual roadmap.

    • Governance Implementation Plan
    • Governance Roadmap Workbook

    4. Governance Committee Charter Templates – Base charters that can be adapted for communication.

    Customize these templates to create the committee charters or terms of reference for the committees developed in your governance model.

    • IT PMO Committee Charter
    • IT Risk Committee Charter for Controlled Governance
    • IT Steering Committee Charter for Controlled Governance
    • Program Governance Committee Charter
    • Architecture Review Board Charter
    • Data Governance Committee Charter
    • Digital Governance Committee Charter

    5. Governance Automation Criteria Checklist and Worksheet – Tools that help you determine which governance decisions can be automated and work through the required logic and rules.

    The checklist is a starting point for confirming which activities and decisions should be considered for automation or embedding. Use the worksheet to develop decision logic by defining the steps and information inputs involved in making decisions.

    • Governance Automation Criteria Checklist
    • Governance Automation Worksheet

    Infographic

    Workshop: Make Your IT Governance Adaptable

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Develop Your Guiding Star

    The Purpose

    Establish the context for your governance model.

    Key Benefits Achieved

    Core understanding of the context that will enable us to build an optimal model

    Activities

    1.1 Confirm mission, vision, and goals.

    1.2 Define scope and principles.

    1.3 Adjust for culture and finalize context.

    Outputs

    Governance principles

    Governance context and goals

    2 Define the Governance Model

    The Purpose

    To select and adapt a governance model based on your context.

    Key Benefits Achieved

    A selected and optimized governance model

    Activities

    2.1 Select and refine governance model.

    2.2 Confirm and adjust the structure.

    2.3 Review and adapt governance responsibilities and activities.

    2.4 Validate governance mandates and membership.

    Outputs

    IT governance model and adjustment triggers

    IT governance structure, responsibilities, membership, and cadence

    Governance committee charters

    3 Build Governance Process and Policy

    The Purpose

    Refine your governance practices and associate policies properly.

    Key Benefits Achieved

    A completed governance model that can be implemented with clear update triggers and review timing

    Policy alignment with the right levels of authority

    Activities

    3.1 Update your governance process.

    3.2 Align policies to mandate.

    3.3 Adjust and confirm your model.

    3.4 Identify and document update triggers and embed into review cycle.

    Outputs

    IT governance process and information flow

    IT governance policies

    Finalized governance model

    4 Embed and Automate Governance

    The Purpose

    Identify options to automate and embed governance activities and decisions.

    Key Benefits Achieved

    Simply more consistent governance activities and automate them to enhance speed and support governance delegation and empowerment

    Activities

    4.1 Identify decisions and standards that can be automated. Develop decision logic.

    4.2 Plan verification and validation approach.

    4.3 Build implementation plan.

    4.4 Develop communication strategy and messaging.

    Outputs

    Selected automation options, decision logic, and business rules

    Implementation and communication plan

    Further reading

    Make Your IT Governance Adaptable

    Governance isn't optional, so keep it simple and make it flexible.

    Table of Contents

    4 Analyst Perspective

    5 Executive Summary

    13 Governance Stages

    14 Info-Tech’s IT Governance Thought Model

    19 Info-Tech’s Approach

    23 Insight Summary

    30 Phase 1: Identify Your Governance Needs

    54 Phase 2: Select and Refine Your Governance Model

    76 Phase 3: Embed and Automate

    94 Summary of Accomplishment

    95 Additional Support

    97 Contributors

    98 Bibliography

    Make Your IT Governance Adaptable

    Governance isn't optional, so keep it simple and make it flexible.

    EXECUTIVE BRIEF

    Analyst Perspective

    Governance will always be part of the fabric of your organization. Make it adaptable so it doesn’t constrain your success.

    Photo of Valence Howden, Principal Research Director, Info-Tech Research Group

    Far too often, the purpose of information and technology (I&T) governance is misunderstood. Instead of being seen as a way to align the organization’s vision to its investment in information and technology, it has become so synonymous with compliance and control that even mentioning the word “governance” elicits a negative reaction.

    Success in modern digital organizations depends on their ability to adjust for velocity and uncertainty, requiring a dynamic and responsive approach to governance – one that is embedded and automated in your organization to enable new ways of working, innovation, and change.

    Evolutionary theory describes adaptability as the way an organism adjusts to fit a new environment, or changes to its existing environment, to survive. Applied to organizations, adaptable governance is critical to the ability to survive and succeed.

    If your governance doesn’t adjust to enable your changing business environment and customer needs, it will quickly become misaligned with your goals and drive you to failure.

    It is critical that people build an approach to governance that is effective and relevant today while building in adaptability to keep it relevant tomorrow.

    Valence Howden
    Principal Research Director, Info-Tech Research Group

    Executive Summary

    Your Challenge

    • People don’t understand the value of governance, seeing it as a hindrance to productivity and efficiency.
    • Governance is delegated to people and practices that don’t have the ability or authority to make decisions.
    • Decisions are made within committees that don’t meet frequently enough to support business velocity.
    • It is difficult to allocate time and resources to build or execute governance effectively

    Common Obstacles

    • You are unable to clearly communicate how governance adds value to your organization.
    • Your IT governance approach no longer aligns with or supports your organizational direction, goals, and work practices.
    • Governance is seen and performed as a bureaucratic control-based exercise.
    • Governance activities are not transparent.
    • The governance committee gets too deeply involved with project deep dives and daily management, derailing its effectiveness and ability to produce value.

    Info-Tech’s Approach

    • Use Info-Tech’s IT governance models to identify a base model similar to the way you are organized. Confirm your current and future placement in governance execution.
    • Adjust the model based on industry needs, your principles, regulatory requirements, and your future direction.
    • Identify where to embed or automate decision making and compliance and what is required to do so effectively.
    • Implement your governance model for success.

    Info-Tech Insight

    IT governance must be embedded and automated, where possible, to effectively meet the needs and velocity of digital organizations and modern practices and to drive success and value.

    What is governance?

    IT governance is a critical and embedded practice that ensures that information and technology investments, risks, and resources are aligned in the best interests of the organization and produce business value.

    Effective governance ensures that the right technology investments are made at the right time to support and enable your organization’s mission, vision, and goals.

    5 KEY OUTCOMES OF GOOD GOVERNANCE
    STRATEGIC ALIGNMENT

    Technology investments and portfolios are aligned with the organization's strategic objectives.

    		RISK OPTIMIZATION

    Organizational risks are understood and addressed to minimize impact and optimize opportunities.

    		VALUE DELIVERY

    IT investments and initiatives deliver their expected benefits.

    		RESOURCE OPTIMIZATION

    Resources (people, finances, time) are appropriately allocated across the organization to optimal organizational benefit.

    		PERFORMANCE MEASUREMENT

    The performance of technology investments is monitored and used to determine future courses of action and to confirm achievement of success.

    ‹–EVALUATE–DIRECT–MONITOR–›

    Why is this necessary?

    • Governance is not simply a committee or an activity that you perform at a specific point in time; it is a critical and continuously active practice that drives the success of your organization. It is part of your organization’s DNA and is just as unique, with some attributes common to all (IT governance elements), some specific to your family (industry refinements), and some specific to you (individual organization).
    • Your approach to governance needs to change over time in order to remain relevant and continue to enable value and success, but organizations rarely want to change governance once it’s in place.
    • To meet the speed and flow of practices like Lean, DevOps, and Agile, your IT governance needs to be done differently and become embedded into the way your organization works. You must adjust your governance model based on key moments of change – organizational triggers – to maintain the effectiveness of your model.

    Info-Tech Insight

    Build an optimal model quickly and implement the core elements using an iterative approach to ensure the changes provide the most value.

    The Technology Value Trinity

    Delivery of Business Value & Strategic Needs

    • DIGITAL & TECHNOLOGY STRATEGY
      The identification of objectives and initiatives necessary to achieve business goals.
    • IT OPERATING MODEL
      The model for how IT is organized to deliver on business needs and strategies.
    • INFORMATION & TECHNOLOGY GOVERNANCE
      The governance to ensure the organization and its customers get maximum value from the use of information and technology.

    All three elements of the Technology Value Trinity work in harmony to deliver business value and meet strategic needs. As one changes, the others need to change as well.

    • Digital and IT Strategy tells you what you need to achieve to be successful.
    • IT Operating Model and Organizational Design is the alignment of resources to deliver on your strategy and priorities.
    • Information & Technology Governance is the confirmation that IT’s goals and strategy align with the business’ strategy. It is the mechanism by which you continuously prioritize work to ensure that what you deliver is in line with the strategy. This oversight involves evaluating, directing, and monitoring the delivery of outcomes to ensure that the use of resources results in achieving the organization’s goals.

    Too often strategy, operating model and organizational design, and governance are considered separate practices. As a result, “strategic documents” end up being wish lists, and projects continue to be prioritized based on who shouts the loudest rather than on what is in the best interest of the organization.

    Where information & technology governance fits within an organization

    An infographic illustrating where Governance fits within an organization. The main section is titled 'Enterprise Governance and Strategy' and contains 'Value Outcomes', 'Mission and Vision', 'Goals and Objectives', and 'Guiding Principles'. These all feed into the highlighted 'Information & Technology Governance', which then contributes to 'IT Strategy', which lies outside the main section.

    I&T governance hasn’t achieved its purpose

    Governance is the means by which IT ensures that information and technology delivery and spend is aligned to business goals and delivers business outcomes. However, most CEOs continue to perceive IT as being poorly aligned to the business’ strategic goals, which indicates that governance is not implemented or executed properly.

    For I&T governance to be effective you need a clear understanding of the things that drive your organization and its success. This understanding becomes your guiding star, which is critical for effective governance. It also requires participation by all parts of the organization, not just IT.

    Info-Tech CIO/CEO Alignment Diagnostics (N=124)

    43% of CEOs believe that business goals are going unsupported by IT.

    60% of CEOs believe that improvement is required around IT’s understanding of business goals.

    80% of CIOs/CEOs are misaligned on the target role for IT.

    30% of business stakeholders are supporters (N=32,536) of their IT departments

    Common causes of poor governance

    Key causes of poor or misaligned governance

    1. Governance and its value to your organization is not well understood, often being confused or integrated with more granular management activities.
    2. Business executives fail to understand that IT governance is a function of the business and not the IT department.
    3. Poor past experiences have made “governance” a bad word in the organization. People see it as a constraint and barrier that must be circumvented to get work done.
    4. There is misalignment between accountability and authority throughout the organization, and the wrong people are involved in governance practices.
    5. There is an unwillingness to change a governance approach that has served the organization well in the past, leading to challenges when the organization starts to change practices and speed of delivery.
    6. There is a lack of data and data-related capabilities required to support good decision making and the automation of governance decisions.
    7. The goals and strategy of the organization are not known or understood, leaving nothing for IT governance to orient around.

    Key symptoms of ineffective governance committees

    1. No actions or decisions are generated. The committee produces no value and makes no decisions after it meets. The lack of value output makes the usefulness of the committee questionable.
    2. Resources are overallocated. There is a lack of clear understanding of capacity and value in work to be done, leading to consistent underestimation of required resources and poor resource allocation.
    3. Decisions are changed outside of committee. Decisions made or initiatives approved by the committee are later changed when the proper decision makers are involved or the right information becomes available.
    4. Governance decisions conflict with organizational direction. This shows an obvious lack of alignment and behavioral disconnect that work against organizational success. It is often due to not accounting for where power really exists within the structure.
    5. Consistently poor outcomes are produced from governance direction. Committee members’ lack of business acumen, relevant data, or understanding of organizational goals results in decisions that fail to drive successful measured outcomes.

    Mature your governance by transitioning from ad hoc to automated

    Organizations should look to progress in their governance stages. Ad hoc and controlled governance practices tend to be more rigid, making these a poor fit for organizations requiring higher velocity delivery or using more agile and adaptive practices.

    The goal as you progress through these stages is to delegate governance and empower teams based on your fit and culture, enabling teams where needed to make optimal decisions in real time, ensuring that they are aligned with the best interests of the organization.

    Automate governance for optimal velocity while mitigating risks and driving value.

    This puts your organization in the best position to be adaptive, able to react effectively to volatility and uncertainty.

    A graph illustrating the transition from Ad Hoc to Automated. The y-axis is 'Process Integration' and x-axis is 'Trust & Empowerment'. 'Ad Hoc: Inconsistent Decision Making' lies close to the origin, ranking low on both axes' values. 'Controlled: Authoritarian, Highly Structured' ranks slightly higher on both axes. 'Agile: Distributed & Empowered' ranks 2nd highest on both axes. 'Automated: High Velocity, Embedded & Flexible' ranks highest on both axes.

    Stages of governance

    Adaptive
    Data-Centric

    ˆ


    ˆ


    ˆ


    ˆ


    ˆ
    Traditional
    (People- and Document-Centric)

    4

    		 Automated Governance
    • Entrenched into organizational processes and product/service design
    • Empowered and fully delegated to maintain fit and drive organizational success and survival

    3

    		 Agile Governance
    • Flexible enough to support different needs in the organization and respond quickly to change
    • Driven by principles and delegated throughout the company

    2

    		 Controlled Governance
    • Focused on compliance and hierarchy-based authority
    • Levels of authority defined and often driven by regulatory requirements

    1

    		 Ad Hoc Governance
    • Not well defined or understood within the organization
    • Occurs out of necessity but often not done by the right people or bodies

    Make Governance Adaptable and Automated to Drive Success and Value

    Governance adaptiveness ensures the success of digital organizations and modern practice implementation.

    THE PROBLEM

    • The wrong people are making decisions.
    • Organizations don't understand what governance is or why it's done.
    • Governance scope and design is a bad fit, damaging the organization.
    • People think governance is optional.

    THE SOLUTION

    ESTABLISH YOUR GUIDING PRINCIPLES

    Define and establish the guiding principle that drive your organization toward success.

    • Mission & Vision
    • Business Goals & Success Criteria
    • Operating Model & Work Practices
    • Governance Scope
    • Principles
    SELECT AND REFINE YOUR MODEL

    Use Info-Tech's IT Governance Models to identify a base model similar to the way you are organized. Confirm your current and future placement in governance execution.

    IDENTIFY MODEL UPDATE TRIGGERS

    Adjust the model based on industry needs, your principles, regulatory requirements, and future direction.

    • Principles
      Select principles that allow the organization to be adaptive while still ensuring the governance continues to stay on course with pursuing its guiding star.
    • Responsibilities
      Decide on the governance responsibilities related to Oversight Level, Strategic Alignment, Value Delivery, Risk Optimization, Resource Optimization, and Performance Management.
    • Structure
      Determine at which structured level governance is appropriate: Enterprise, Strategic, Tactical, or Operational.
    • Processes
      Establish processes that will enable governance to occur such as: Embed the processes required for successful governance.
    • Membership
      Identify the Responsibility & Accountability of those who should be involved in governance processes, policies, guidelines, and responsibilities.
    • Policies
      Confirm any governing policies that need to be adhered to and considered to manage risk.
    DETERMINE AUTOMATION OPTIONS AND DECISION RULES

    Identify where to embed or automate decision making and compliance and what is required to do so effectively.

    STAGES OF GOVERNANCE

      Traditional (People- and document-centric)
    1. AD HOC GOVERNANCE
      Governance that is not well defined or understood within the organization. It occurs out of necessity but often not by the right people or bodies.
    2. CONTROLLED GOVERNANCE
      Governance focused on compliance and hierarchy-based, authority-driven control of decisions. Levels of Authority are defined and often driven by regulatory requirements.
      3. Adaptive (Data Centric)
    3. AGILE GOVERNANCE
      Governance that is flexible to support different needs and quick responses in the organization. Driven by principles and delegated throughout the company.
    4. AUTOMATED GOVERNANCE
      Governance that is entrenched and automated into the organizational processes and product/service design. Empowered and fully delegated governance to maintain fit and drive organizational success and survival.

    KEY INSIGHT

    Governance must actively adapt to changes in your organization, environment, and practices or it will drive you to failure.

    Developing governance principles

    Governance principles support the move from controlled to automated governance by providing guardrails that guide your decisions. They provide the ethical boundaries and cultural perspectives that contextualize your decisions and keep you in line with organizational values. Determining principles are global in nature.

    CONTROLLED CHANGE ACTIONS AND RATIONALE AUTOMATED
    Disentangle governance and management Move from governance focused on evaluating, directing, and monitoring strategic decisions around information and technology toward defining and automating rules and principles for decision making into processes and practices, empowering the organization and driving adaptiveness. Delegate and empower
    Govern toward value Move from identifying the organization’s mission, goals, and key drivers toward orienting IT to align with those value outcomes and embedding value outcomes into design and delivery practices. Deliver to defined outcomes
    Make risk-informed decisions Move from governance bodies using risk information to manually make informed decisions based on their defined risk tolerance toward having risk information and attestation baked into decision making across all aspects and layers of the IT organization – from design to sustainment. Embed risk decision making into processes and practices
    Measure to drive improvement Move from static lagging metrics that validate that the work being done is meeting the organization’s needs and guide future decision making toward automated governance with more transparency driven by data-based decision making and real-time data insights. Trust through real-time reporting
    Enforce standards and behavior Move from enforcing standards and behavior and managing exceptions to ensure that there are consistent outcomes and quality toward automating standards and behavioral policies and embedding adherence and changes in behavior into the organization’s natural way of working. Automate standards through automated decision rules, verification, and validation

    Find your guiding star

    MISSION AND VISION –› GOALS AND OBJECTIVES –› GUIDING PRINCIPLES –›

    VALUE
    Why your organization exists and what value it aims to provide. The purpose you build a strategy to achieve. What your organization needs be successful at to fulfill its mission. Key propositions and guardrails that define and guide expected organizational behavior and beliefs.

    Your mission and vision define your goals and objectives. These are reinforced by your guiding principles, including ethical considerations, your culture, and expected behaviors. They provide the boundaries and guardrails for enabling adaptive governance, ensuring you continue to move in the right direction for organizational success.

    To paraphrase Lewis Carroll, “If you don't know where you want to get to, it doesn't much matter which way you go.” Once you know what matters, where value resides, and which considerations are necessary to make decisions, you have consistent directional alignment that allows you to delegate empowered governance throughout the organization, taking you to the places you want to go.

    Understand governance versus management

    Don’t blur the lines between governance and management; each has a unique role to play. Confusing them results in wasted time and confusion around ownership.

    Governance

    I&T governance defines WHAT should be done and sets direction through prioritization and decision making, monitoring overall IT performance.

    Governance aligns with the mission and vision of the organization to guide IT.

    		A cycle of processes split into two halves, 'Governance Processes' and 'Management Processes'. Beginning on the Management side, the processes are 'Plan', 'Build', 'Run', 'Monitor', then to the Governance side, 'Evaluate', 'Direct', 'Monitor', and back to the beginning.

    Management

    Management focuses on HOW to do things to achieve the WHAT. It is responsible for executing on, operating, and monitoring activities as determined by I&T governance.

    Management makes decisions for implementation based on governance direction.

    Data is critical to automating governance

    Documents and subjective/non-transparent decisions do not create sufficient structure to allow for the true automation of governance. Data related to decisions and aggregated risk allow you to define decision logic and rules and algorithmically embed them into your organization.

    People- and Document-Centric

    Governance drives activities through specific actors (individuals/committees) and unstructured data in processes and documents that are manually executed, assessed, and revised. There are often constraints caused by gaps or lack of adequate and integrated information in support of good decisions.

    Data-Centric

    Governance actors provide principles, parameters, and decision logic that enable the creation of code, rulesets, and algorithms that leverage organizational data. Attestation is automatic – validated and managed within the process, product, or service.

    Info-Tech’s Approach

    Define your context and build your model

    ESTABLISH YOUR GUIDING PRINCIPLES

    Define and establish the guiding principle that drive your organization toward success.

    • Mission & Vision
    • Business Goals & Success Criteria
    • Operating Model & Work Practices
    • Governance Scope
    • Principles
    SELECT AND REFINE YOUR MODEL

    Use Info-Tech's IT Governance Models to identify a base model similar to the way you are organized. Confirm your current and future placement in governance execution.

    MODEL UPDATE TRIGGERS

    Adjust the model based on industry needs, your principles, regulatory requirements, and future direction.

    • Principles
      Select principles that allow the organization to be adaptive while still ensuring the governance continues to stay on course with pursuing its guiding star.
    • Responsibilities
      Decide on the governance responsibilities related to Oversight Level, Strategic Alignment, Value Delivery, Risk Optimization, Resource Optimization, and Performance Management.
    • Structure
      Determine at which structured level governance is appropriate: Enterprise, Strategic, Tactical, or Operational.
    • Processes
      Establish processes that will enable governance to occur such as: Embed the processes required for successful governance.
    • Membership
      Identify the Responsibility & Accountability of those who should be involved in governance processes, policies, guidelines, and responsibilities.
    • Policies
      Confirm any governing policies that need to be adhered to and considered to manage risk.
    AUTOMATION OPTIONS AND DECISION RULES

    Identify where to embed or automate decision making and compliance and what is required to do so effectively.

    The Info-Tech Difference

    Define your context and build your model

    1. Quickly identify the organizational needs driving governance and your guiding star.
    2. Select and refine a base governance model based on our templates.
    3. Define and document the key changes in your organization that will trigger a need to update or revise your governance.
    4. Determine where you might be able to automate aspects of your governance.
    5. Design your decision rules where appropriate to support automated and adaptive governance.

    How to use this research

    Where are you in your governance optimization journey?

    MY GOVERNANCE IS AD HOC AND WE’RE STARTING FROM SCRATCH I NEED TO BUILD A NEW GOVERNANCE STRUCTURE OUR GOVERNANCE APPROACH IS INEFFECTIVE AND NEEDS IMPROVEMENT I NEED TO LOOK AT OPTIONS FOR AUTOMATING GOVERNANCE PRACTICES
    Step 1.1: Define Your Governance Context Step 1.2: Structure Your IT Governance Phase 2: Select and Refine Your Model Phase 3: Embed and Automate

    IT governance is about ensuring that the investment decisions made around information and technology drive the optimal organizational value, not about governing the IT department.

    In this section we will clarify your organizational context for governance and define your guiding star to orient your governance design and inform your structure.

    There is no need to start from scratch! Start with Info-Tech’s best-practice IT governance models and customize them based on your organizational context.

    The research in this section will help you to select the right base model to work from and provide guidance on how to refine it.

    Governance practices eventually stop being a good fit for a changing organization, and things that worked before become bottlenecks.

    Governing roles and committees don’t adjust well, don’t have consistent practices, and lack the right information to make good decisions.

    The research in this section will help you improve and realign your governance practices.

    Once your governance is controlled and optimized you are ready to investigate opportunities to automate.

    This phase of the blueprint will help you determine where it’s feasible to automate and embed governance, understand key governance automation practices, and develop governing business rules to move your journey forward.

    Related Research:

    If you are looking for details on specific associated practices, please see our related research:

    1. I need to establish data governance.
    2. I need to manage my project portfolio, from intake to confirmation of value.
    3. I need better risk information to support decision making.
    4. I need to ensure I am getting the expected outcomes and benefits from IT spend.
    5. I need to prioritize my product backlog or service portfolio.

    Info-Tech’s methodology for building and embedding adaptive governance

    1. Identify Your Governance Needs 2. Select and Refine Your Governance Model 3. Embed and Automate
    Phase Steps
    1. Confirm Mission, Vision, and Goals
    2. Define Scope and Principles
    3. Adjust for Culture and Finalize Context
    1. Select and Refine Your Governance Model
    2. Identify and Document Your Governance Triggers
    3. Build Your Implementation Plan
    1. Identify Decisions to Embed and Automate
    2. Plan Validation and Verification
    3. Update Implementation Plan
    Phase Outcomes
    • Governance context, guiding star, and principles
    • Completed governance model with associated decisions and policies
    • Implementation plan
    • List of automation options
    • Decision logic, rules, and rulesets
    • Validation and verification approach
    • Finalized implementation plan

    Insight summary

    Value

    To remain valuable, I&T governance must actively adapt to changes in your organization, environment, and practices, or it will drive you to failure instead of success.

    Focus

    I&T governance does not focus on the IT department. Rather, its intent is to ensure your organization makes sound decisions around investment in and use of information and technology.

    Maturity

    Your governance approach progresses in stages from ad hoc to automated as your organization matures. Your stage depends on your organizational needs and ways of working.

    Good governance

    Good governance does not equate to control and does not stifle innovation.

    Automation

    Automating governance must be done in stages, based on your capabilities, level of maturity, and amount of usable data.

    Strategy

    Establish the least amount of governance required to allow you to achieve your goals.

    Guiding star

    If you don’t establish a guiding star to align the different stakeholders in your organization, governance practices will create conflict and confusion.

    Blueprint deliverables

    Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:

    Key Deliverable:
    Governance Framework Model

    The governance framework model provides the design of your new governance model and the organizational context to retain stakeholder alignment and organizational satisfaction with governance.

    The model includes the structures, practices, and responsibilities to drive effective governance in your organization.

    Sample of the key blueprint deliverable 'Governance Framework Model'.

    Governance Implementation Plan

    This roadmap lays out the changes required to implement the governance model, the cultural items that need to be addressed, and anticipated timing.

    Sample of the blueprint deliverable 'Governance Implementation Plan'.

    Governance Committee Charters

    Develop a detail governance charter or term of reference for each governing body. Outline the mandate, responsibilities, membership, process, and associated policies for each.

    Sample of the blueprint deliverable 'Governance Committee Charters'.

    Blueprint benefits

    IT Benefits

    • Stronger, traceable alignment of IT decisions and initiatives to business needs.
    • Improved ability for IT to meet the changing demands and velocity of the business.
    • Better support and enablement of innovation – removing constraints and barriers.
    • Optimized governance that supports and enables modern work practices.
    • Increased value generation from IT initiatives and optimal use of IT resources.
    • Designed adaptability to ensure you remain in alignment as your business and IT environments change.

    Business Benefits

    • Clear transparent focus of IT initiatives on generating strategic business value.
    • Improved ability to measure the value and contribution of IT to business goals.
    • Alignment and integration of business/IT strategy.
    • Optimized development and use of IT capabilities to meet business needs.
    • Improved integration with corporate/enterprise governance.

    Executive Brief Case Study

    INDUSTRY Manufacturing
    SOURCE Info-Tech analyst experience

    Improving the governance approach and delegating decision making to support a change in business operation

    Challenge

    The large, multi-national organization has locations across the world but has two primary headquarters, in Europe and the United States.

    Market shifts drove an organizational shift in strategy, leading to a change in operating models, a product focus, and new work approaches across the organization.

    Much of the implementation and execution was done in isolation, and effectiveness was slowed by poor integration and conflicting activities that worked against each other.

    The product owner role was not well defined.

    Solution

    After reviewing the organization’s challenges and governance approach, we redefined and realigned its organizational and regional goals and identified outcomes that needed to be driven into their strategies.

    We also reviewed their span of control and integration requirements and properly defined decisions that could be made regionally versus globally, so that decisions could be made to support new work practices.

    We defined the product and service owner roles and the decisions each needed to make.

    Results

    We saw an improvement in the alignment of organizational activities and the right people and bodies making decisions.

    Work and practices were aimed at the same key outcomes and alignment between teams toward organizational goal improved.

    Within one year, the success rate of the organization’s initiatives increased by 22%, and the percentage of product-related decisions made by product owners increased by 50%.

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    Guided Implementation

    Workshop

    Consulting
    "Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful." "Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track." "We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place." "Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project."

    Diagnostics and consistent frameworks used throughout all four options

    Guided Implementation

    A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

    A typical GI is between 5 and 8 calls over the course of 2 to 3 months.

    What does a typical GI on this topic look like?

      Phase 1: Identify Your Governance Needs

    • Call #1: Confirm your organization’s mission and vision and review your strategy and goals.
    • Call #2: Identify considerations and governance needs. Develop your guiding star and governing principles.

      • Phase 2: Select and Refine Your Model

    • Call #3: Select your base model and optimize it to meet your governance needs.
    • Call #4: Define your adjustment triggers and develop your implementation plan.

      • Phase 3: Embed and Automate

    • Call #5: Identify decisions and standards you can automate and where to embed them.
    • Call #6: Confirm levels of authority and data requirements. Establish your approach and update the implementation plan.

    Workshop Overview

    Contact your account representative for more information.
    workshops@infotech.com1-888-670-8889

    Session 1 Session 2 Session 3 Session 4 Session 5
    Activities
    Develop Your Guiding Star

    1.1 Confirm mission, vision, and goals

    1.2 Define scope and principles

    1.3 Adjust for culture and finalize context

    Define the Governance Model

    2.1 Select and refine governance model

    2.2 Confirm and adjust the structure

    2.3 Review and adapt governance responsibilities and activities

    2.4 Validate governance mandates and membership

    Build Governance Process and Policy

    3.1 Update your governance process

    3.2 Align policies to mandate

    3.3 Adjust and confirm your governance model

    3.4 Identify and document your update triggers

    3.5 Embed triggers into review cycle

    Embed and Automate Governance

    4.1 Identify decisions and standards to automate

    4.2 Plan verification and validation approach

    4.3 Build implementation plan

    4.4 Develop communication strategy and messaging

    Next Steps and Wrap-Up

    5.1 Complete in-progress outputs from previous four sessions

    5.2 Set up review time for workshop outputs and to discuss next steps

    Outcomes
    1. Governance context and goals
    2. Governance principles
    1. IT governance model and adjustment triggers
    2. IT governance structure, responsibilities, membership, and cadence
    3. Governance committee charters
    1. IT governance process and information flow
    2. IT governance policies
    3. Finalized governance model
    1. Selected automation options, decision logic, and business rules
    2. Implementation and communication plan
    1. Governance context and principles
    2. Finalized governance model and charters
    3. Finalized implementation plan

    Make Your IT Governance Adaptable

    Phase 1

    Identify your Governance Needs

    Phase 1

    • 1.1 Define Your Guiding Star
    • 1.2 Define Scope and Principles
    • 1.3 Adjust for Culture and Finalize Context
      •

    Phase 2

    • 2.1 Choose and Adapt Your Model
    • 2.2. Identify and Document Your Governance Triggers
    • 2.3 Build Your Implementation Approach

    Phase 3

    • 3.1 Identify Decisions to Embed and Automate
    • 3.2 Plan Validation and Verification
    • 3.3 Update Implementation Plan

    This phase will walk you through the following activities:

    Identify the organization’s goals, mission, and vision that will guide governance.

    Define the scope of your governance model and the principles that will guide how it works.

    Account for organizational attitudes, behaviors, and culture related to governance and finalize your context.

    This phase involves the following participants:

    • Senior IT leadership
    • Governance leads

    Step 1.1

    Define Your Guiding Star

    Activities
    • 1.1.1 Document and interpret your strategy, mission, and vision
    • 1.1.2 Document and interpret the business and IT goals and outcomes
    • 1.1.3 Identify your operating model and work processes

    This step will walk you through the following activities:

    Review your business and IT strategy, mission, and vision to ensure understanding of organizational direction.

    Identify the business and IT goals that governance needs to align.

    Confirm your operating model and any work practices that need to be accounted for in your model.

    This step involves the following participants:

    • Senior IT leadership
    • Governance leads

    Outcomes of this step

    Identified guiding star outcomes to align governance outcomes with

    Defined operating model type and work style that impact governance design

    Identify Your Governance Needs

    Step 1.1 – Define your Guiding Star Step 1.2 – Define Scope and Principles Step 1.3 – Adjust for Culture and Finalize Context

    Govern by intent

    Find the balance for your designed governance approach

    Organic governance occurs during the formation of an organization and shifts with challenges, but it is rarely transparent and understood. It changes your culture in uncontrolled ways. Intentional governance is triggered by changes in organizational needs, working approaches, goals, and structures. It is deliberate and changes your culture to enable success.
    Stock photo of a weight scale.

    Info-Tech Insight

    Your approach to governance needs to be designed, even if your execution of governance is adaptable and delegated.

    What is your guiding star?

    Your guiding star is a combination of your organization’s mission, vision, and strategy and the goals that have been defined to meet them.

    It provides you with a consistent focal point around which I&T-related activities and projects orbit, like planets around a star.

    It generates the gravity that governance uses to keep things from straying too far away from the goal of achieving relevant value.

    1. Mission & Vision
    2. Business Goals & Success Criteria
    3. Operating Model & Work Practices
    4. Governance Scope
    5. Principles

    1.1.1 Document and interpret your strategy, mission, and vision

    30 minutes

    Input: Business strategy, IT strategy, Mission and vision statements

    Output: Updated Governance Workbook, Documented strategic outcomes and organizational aims that governance needs to achieve

    Materials: Whiteboard/flip charts, Governance Workbook

    Participants: IT senior leadership

    1. Gather your available business, digital, and IT strategy, mission, and vision information and document everything in your Governance Workbook. It’s ok if you don’t have all of it.
    2. Review and your mission and vision as a group. Discuss and document key points, including:
      • Which activities do you perform as an organization that embody your vision?
      • What key decisions and behaviors are required to ensure that your mission and vision are achievable?
      • What do you require from leadership to enable you to govern effectively?
      • What are the implications of the mission and vision on how the organization needs to work? What are the implications on decisions around opportunities and risks?

    Download the Governance Workbook

    1.1.2 Document and interpret the business and IT goals and outcomes

    60 minutes

    Input: Business strategy, Business and IT goals and related initiatives

    Output: Required success outcomes for goals, Links between IT and business goals that governance needs to align

    Materials: Whiteboard/flip charts

    Participants: IT senior leadership

    1. Document the business and IT goals that have been created to achieve the mission and vision.
    2. Discuss if there are any gaps between the goals and the mission and vision. Ask yourself – if we accomplish these goals will we have successfully achieved the mission?
    3. For each goal, define what successful achievement of the goal looks like. Starting with one goal or objective, ask:
      • How would I know I am on the right path and how will I know I have gotten there?
      • How would I know if I am not on the right path and what does a bad result look like?
      4. Document your success criteria.
    4. Brainstorm some examples of decisions that support or constrain the achievement of your goals.
    5. Repeat this exercise for your remaining goals.
    6. As a group, map IT goals to business goals.

    What is your operating model and why is it important?

    An IT operating model is a visual representation of the way your IT organization needs to be designed and the capabilities it requires to deliver on the business mission, strategic objectives, and technological ambitions.

    The model is critical in the optimization and alignment of the IT organization’s structure in order to deliver the capabilities required to achieve business goals. It is a key determinant of how governance needs to be designed and where it is implemented.

    Little visualizations of different operating models: 'Centralized', 'Decentralized', and 'Hybrid'.

    1.1.3 Identify your operating model and work practices

    60 minutes

    Input: Organizational structure, Operating model (if available)

    Output: Confirmed operating approach, Defined work practices

    Materials: Whiteboard/flip charts

    Participants: IT senior leadership

    1. Identify the way your organization functions:
      • How do we currently operate? Are we centralized, decentralized or a hybrid? Are we focused on delivering products and services? Do we provide service ourselves or do we use vendors for delivery?
      • Can we achieve our mission, goals, and strategies, if we continue to operate this way? What would we have to change in how we operate to be successful in the future?
    2. Identify your governance needs. Do we need to be more structured or more flexible to support our future ways of working?
      • If you operate in a more traditional way, consider whether you are implementing or moving toward more modern practices (e.g. Agile, DevOps, enterprise service management). Do you need to make more frequent but lower-risk decisions?
      • Is your organization ready to delegate governance culturally and in terms of business understanding? Is there enough available information to support adaptive decisions and actions?
    3. Document your operating style, expected changes in work style, and cultural readiness. You will need to consider the implications on design.

    Step 1.2

    Define Scope and Principles

    Activities
    • 1.2.1 Determine the proper scope for your governance
    • 1.2.2 Confirm your determining governing principles
    • 1.2.3 Develop your specific governing principles

    This step will walk you through the following activities:

    Identify what is included and excluded within the scope of your governance.

    Develop the determining and specific principles that provide guardrails for governance activities and decisions.

    This step involves the following participants:

    • Senior IT leadership
    • Governance leads

    Outcomes of this step

    Documented governance scope and principles to apply

    Identify Your Governance Needs

    Step 1.1 – Define your Guiding Star Step 1.2 – Define Scope and Principles Step 1.3 – Adjust for Culture and Finalize Context

    Define the context for governance

    Based on the goals and principles you defined and the operating model you selected, confirm where oversight will be necessary and at what level. Focus on the necessity to expedite and clear barriers to the achievement of goals and on the ownership of risks and compliance. Some key considerations:

    • Where in the organization will you need to decide on work that needs to be done?
    • What type of work will you need to do?
    • In what areas could there be conflicts in prioritization/resource allocation to address?
    • Who is accountable for risks to the organization and its objectives?
    • Where are your regional or business-unit-specific concerns that require focused local attention?
    • Are we using more agile, rapid delivery methods to produce work?

    Understand your governance scope

    Your governance scope helps you define the boundaries of what your governance model and practices will cover. This includes key characteristics of your organization that impact what governance needs to address.

    Sample Considerations

    • Organizational Span
      • The geographical area the organization operates within. Regional laws and requirements will affect governance delegation and standards/policy development.
    • Level of Regulation
      • Higher levels of regulation create more standards and controls for risk and compliance, impacting how authority can be delegated or automated.
    • Sourcing Model
      • Changing technology sourcing introduces additional vendor governance requirements and may impact compliance and audit.
    • Risk Posture
      • The appetite for risk organizationally, and in pockets, impacts the level of uncertainty you are willing to work within and impact decision-making authority positioning.
    • Size
      • The size of your organization impacts the approach to governance, practice implementation, and delegation of authority.
    • What Is Working Today?
      • Which elements of your current governance approach should be retained, and what are the biggest pain points that need to be addressed?
    (Source: COBIT 2019)

    1.2.1 Determine the proper scope for your governance

    60 minutes

    Input: Context information from Activity 1.1, Scoping areas

    Output: Defined scope and span of control

    Materials: Whiteboard/flip charts

    Participants: IT senior leadership

    1. Determine the scope/span of control required for your governance by:
      • Reviewing your key IT capabilities. Identify the ones where the responsibilities and decisions require oversight to ensure they meet the needs of the organization.
      • Identify what works well or poorly in your current governance approach.
      • Discuss and document the level and type of knowledge and business understanding required.
      • Identify and document any regulations, standards, or laws that apply to your organization/industry and how broadly they have to be applied.
      • Identify the organization’s risk appetite, where known, and areas where acceptable thresholds of risk have been defined. Where are key risk and opportunity decisions made? Who owns risk in your organization?
      • Identify and document the perceived role of the IT group in your organization (e.g. support, innovator, partner) and sourcing model (e.g. insource, outsource).
      • Is there sufficient information and data available in your organization to support effective decision making?

    How should your governance be structured?

    Organizations often have too many governance bodies, creating friction without value. Where that isn’t the case, the bodies are often inefficient, with gaps or overlaps in accountability and authority. Structure your governance to optimize its effectiveness, designing with the intent to have the fewest number of governing bodies to be effective, but no less than is necessary.

    Start with your operating model.

    • Understand what’s different about your governance based on whether your organization in centralized, distributed, or a different model (e.g. hybrid, product).
    • Identify and include governance structures that are mandatory due to regulation or industry.
    • Based on your context, identify how many of your governance activities should be performed together.

    Determine whether your governance should be controlled or adaptive.

    • Do you have the capability to distribute governance and is your organization empowered enough culturally?
    • Do you have sufficient standards and data to leverage? Do you have the tools and capabilities?
    • Identify governance structures that are required due to regulation or industry.

    Info-Tech Insight

    Your approach to governance needs to be designed and structured, even if your execution of governance is adaptable and delegated.

    Identify and Refine your Principles

    Confirm your defining principles based on your selection of controlled or adaptive governance. Create specific principles to clarify boundaries or provide specific guidance for teams within the organization.

    Controlled Adaptive
    Disentangle governance and management Delegate and empower
    Govern toward value Deliver to defined outcomes
    Make risk-informed decisions Embed risk into decision making
    Measure to drive improvement Trust though real-time reporting
    Enforce standards and behavior Automate decision making though established standards

    Determining Principle: Delegate and empower.

    Specific Principle: Decisions should be made at the lowest reasonable level of the organization with clarity.

    Rationale: To govern effectively with the velocity required to address business needs, governance needs to be executed deeper into the organization and organizational goals need to be clearly understood everywhere.

    Implication: Decision making needs to be delegated throughout the organization, so information and data requirements need to be identified, decision-making approach and principles need to be shared, and authority needs to be delegated clearly.

    1.2.2 Confirm your determining governance principles

    30-45 minutes

    Input: Governance Framework Model– Governance Principles

    Output: Governance workbook - Finalized list of determining principles

    Materials: Whiteboard/flip charts, Governance Workbook

    Participants: IT senior leadership

    1. Review the IT governance principles in your Governance Workbook.
    2. Within your IT senior leadership team (or IT governance working group) assign one or two principles to teams of two to three participants. Have each team identify what this would mean for your organization. Answering the questions:
      • In what ways do our current governance practices support this?
      • What are some examples of changes that would need to be made to make this a reality?
      • How would applying this principle improve your governance?
    3. Have each team present their results and compile the findings and implications in the Governance Workbook to use for future communication of the change.

    Specific governing principles

    Specific governing principles are refined principles derived from a determining principle, when additional specificity and detail is necessary. It allows you to define an approach for specific behaviors and activities. Multiple specific principles may underpin the determining one.

    A visualization of a staircase with stairs labelled, bottom to top, 'Determining Principle', 'Rationale', 'Implications', 'Specific Principles'.

    Specific Principles – Related principles that may be required to ensure the implications of the determining principal are addressed within the organization. They may be specific to individual areas and may be addressed in policies.

    Implications – The implications of this principle on the organization, specific to how and where governance is executed and the level of information and authority that would be necessary.

    Rationale – The reason(s) driving the determining principle.

    Determining Principle – A core overarching principle – a defining aspect of your governance model.

    1.2.3 Develop your specific governing principles

    30 minutes

    Input: Updated determining principles

    Output: List of specific principles linked to determining principles

    Materials: Whiteboard/flip charts, Governance Workbook

    Participants: IT senior leadership

    1. Confirm the determining principles for your governance model based on your previous discussions.
    2. Identify where to apply the principles. This is based on:
      1. Your governance scope (how much is within your span of control)
      2. The amount of data you have available
      3. Your cultural readiness for delegation
    3. Create specific principles to support the determining principles:
      1. Document the rationale driving the determining principles.
      2. Identify the implications.
      3. Create specific principles that will support the success in achieving the goals of each determining principle.
    4. Document all information on the “Governance guiding star” slide in the Governance Workbook.

    Download the Governance Workbook

    Step 1.3

    Adjust for Culture and Finalize Context

    Activities
    • 1.3.1 Identify and address the impact of attitude, behavior, and culture
    • 1.3.2 Finalize your context

    This step will walk you through the following activities:

    Identify your organizational attitude, behavior, and culture related to governance.

    Identify positives that can be leveraged and develop means to address negatives.

    Finalize the context that your model will leverage and align to.

    This step involves the following participants:

    • Senior IT leadership
    • Governance leads

    Outcomes of this step

    Downloaded tool ready to select the base governance model for your organization

    Identify Your Governance Needs

    Step 1.1 – Define your Guiding Star Step 1.2 – Define Scope and Principles Step 1.3 – Adjust for Culture and Finalize Context

    Understanding attitude, behavior, and culture

    A

    		 ttitude

    What people think and feel. It can be seen in their demeanor and how they react to change initiatives, colleagues, and users. This manifests in the belief that governance is a constraint that needs to be avoided or ignored – often with unintended consequences.

    A stock photo of a lightbulb over a person's head and a blackboard behind them reading 'New Mindset - data-verified= New Results'.">

    Any form of organizational change involves adjusting people’s attitudes to create buy-in and commitment.

    You need to identify and address attitudes that can lead to negative behaviors and actions or that are counter-productive.

    Understanding attitude, behavior, and culture

    B

    		 ehavior

    What people do. This is influenced by attitude and the culture of the organization. In governance, this manifests as people’s willingness to be governed, who pushes back, and who tries to bypass it.

    A stock photo of someone walking up a set of stairs into the distant sunlight.

    To implement change within IT, especially at a tactical and strategic level, organizational behavior needs to change.

    This is relevant because people gravitate toward stability and will resist change in an active or passive way unless you can sell the need, value, and benefit of changing their behavior and way of working.

    Understanding attitude, behavior, and culture

    C

    		 ulture

    The accepted and understood ways of working in an organization. The values and standards that people find normal and what would be tacitly identified to new resources. In governance terms, this is how decisions are really made and where responsibility really exists rather than what is identified formally.

    A stock photo of a compass pointing to 'VALUES'.

    The impact of the organizational or corporate “attitude” on employee behavior and attitude is often not fully understood.

    Culture is an invisible element, which makes it difficult to identify, but it has a strong impact and must be addressed to successfully embed governance models. In the case of automating governance, cultural readiness for automation is a critical success factor.

    1.3.1 Identify and address the impact of attitude, behavior, and culture

    45 minutes

    Input: Senior leadership knowledge

    Output: Updated Governance Workbook

    Materials: Governance Workbook

    Participants: IT senior leadership

    1. Break into three groups. Each group will discuss and document the positive and negative aspects of one of attitude, behavior, or culture related to governance in your organization.
    2. Each group will present and explain their list to the group.
    3. Add any additional suggestions in each area that are identified by the other groups.
    4. Identify the positive elements of attitude, behavior, and culture that would help with changing or implementing your updated governance model.
    5. Identify any challenges that will need to be addressed for the change to be successful.
    6. As a group, brainstorm some mitigations or solutions to these challenges. Document them in the Governance Workbook to be incorporated into the implementation plan.

    Download the Governance Workbook

    Attitude, behavior, and culture

    Evaluate the organization across the three contexts. The positive items represent opportunities for leveraging these characteristics with the implementation of the governance model, while the negative items must be considered and/or mitigated.

    Attitude Behavior Culture
    Positive
    Negative
    Mitigation

    1.3.2 Finalize your governance context

    30 minutes

    Input: Documented governance principles and scope from previous exercises

    Output: Finalized governance context in the Governance Workbook

    Materials: Whiteboard/flip charts, Governance Workbook

    Participants: IT senior leadership

    1. Use the information that has been gathered throughout this section to update and finalize your IT governance context.
    2. Document it in your Governance Workbook.

    Download the Governance Workbook

    Make Your IT Governance Adaptable

    Phase 2

    Select and Refine Your Governance Model

    Phase 1

    • 1.1 Define Your Guiding Star
    • 1.2 Define Scope and Principles
    • 1.3 Adjust for Culture and Finalize Context

    Phase 2

    • 2.1 Choose and Adapt Your Model
    • 2.2. Identify and Document Your Governance Triggers
    • 2.3 Build Your Implementation Approach
      •

    Phase 3

    • 3.1 Identify Decisions to Embed and Automate
    • 3.2 Plan Validation and Verification
    • 3.3 Update Implementation Plan

    This phase will walk you through the following activities:

    Select a base governance model and refine it to suit your organization.

    Identify scenarios and changes that will trigger updates to your governance model.

    Build your implementation plan.

    This phase involves the following participants:

    • Senior IT leadership
    • Governance resources

    Step 2.1

    Choose and Adapt Your Model

    Activities
    • 2.1.1 Choose your base governance model
    • 2.1.2 Confirm and adjust the structure of your model
    • 2.1.3 Define the governance responsibilities
    • 2.1.4 Validate the governance mandates and membership
    • 2.1.5 Update your committee processes
    • 2.1.6 Adjust your associated policies
    • 2.1.7 Adjust and confirm your governance model

    This step will walk you through the following activities:

    Review and selecting your base governance model.

    Adjust the structure, responsibilities, policies, mandate, and membership to best support your organization.

    This step involves the following participants:

    • Senior IT leadership
    • Governance leads

    Outcomes of this step

    Downloaded tool ready to select the base governance model for your organization

    Select and Refine Your Governance Model

    Step 2.1 – Choose and Adapt Your Model Step 2.2 – Identify and Document Your Governance Triggers Step 2.3 – Build Implementation Approach

    Your governance framework has six key components

    GOVERNANCE FRAMEWORK

    • GUIDELINES
      The key behavioral factors that ground your governance framework
    • MEMBERSHIP
      Formalization of who has authority and accountability to make specific governance decisions
    • RESPONSIBILITIES
      The definition of which decisions and outcomes your governance structure and each governance body is accountable for
    • STRUCTURE
      Which governance bodies and roles are in place to articulate where decisions are made in the organization
    • PROCESS
      Identification of the how your governance will be executed, how decisions are made, and the inputs, outputs, and connections to related processes
    • POLICY
      Set of principles established to address risk and drive expected and required behavior

    4 layers of governance bodies

    There are traditionally 4 layers of governance in an enterprise, and organizations have governing bodies or individuals at each level

    RESPONSIBILITIES AND TYPICAL MEMBERSHIP
    ENTERPRISE Defines organizational goals. Directs or regulates the performance and behavior of the enterprise, ensuring it has the structure and capabilities to achieve its goals.

    Membership: Business executives, Board

    STRATEGIC Ensures IT initiatives, products, and services are aligned to organizational goals and strategy and provide expected value. Ensure adherence to key principles.

    Membership: Business executives, CIO, CDO

    TACTICAL Ensures key activities and planning are in place to execute strategic initiatives.

    Membership: Authorized division leadership, related IT leadership

    OPERATIONAL Ensures effective execution of day-to-day functions and practices to meet their key objectives.

    Membership: Service/product owners, process owners, architecture leadership, directors, managers

    2.1.1 Choose your base governance model

    30 minutes

    Input: Governance models templates

    Output: Selected governance model

    Materials: Whiteboard/flip charts

    Participants: IT senior leadership

    1. Download Info-Tech’s base governance models (Controlled Governance Models Template and IT Governance Program Overview) and review them to find a template that most closely matches your context from Phase 1. You can start with a centralized, decentralized, or product/service hybrid IT organization. Remove unneeded models.
    2. If you do not have documented governance today, start with a controlled model as your foundation. Continue working through this phase if you have a documented governance framework you wish to optimize using our best practices or move to Phase 3 if you are looking to automate or embed your governance activities.

    Controlled Governance Models Template

    Adaptive Governance Models Template

    2.1.2 Confirm and adjust the structure of your model

    30-45 minutes

    Input: Selected base governance model, Governance context/scope

    Output: Updated governance bodies and relationships

    Materials: Whiteboard/flip charts

    Participants: IT senior leadership

    1. Validate your selected governance body structural model.
      • Are there any governing bodies you must maintain that should replace the ones listed? In part or in full?
      • Are there any missing bodies? Look at alternative committees for examples.
      • Document the adjustments.
    2. Are there any governing bodies that are not required?
      • Based on your size and needs, can they be done within one committee?
      • Is the capability or data not in place to perform the work?
      • Document the required changes.

    There are five key areas of governance responsibility

    A cyclical visualization of the five keys areas of governance responsibility, 'Strategic Alignment', 'Value Delivery', 'Risk Management', 'Resource Management', and 'Performance Measurement'.

    STRATEGIC ALIGNMENT
    Ensures that technology investments and portfolios are aligned with the organization’s needs.

    VALUE DELIVERY
    Reviews the outcomes of technology investments and portfolios to ensure benefits realization.

    RISK MANAGEMENT
    Defines and owns the risk thresholds and register to ensure that decisions made are in line with the posture of the organization.

    RESOURCE MANAGEMENT
    Ensures that people, financial knowledge, and technology resources are appropriately allocated across the organization.

    PERFORMANCE MEASUREMENT
    Monitors and directs the performance or technology investments to determine corrective actions and understand successes.

    2.1.3 Define the governance responsibilities

    Ensure you have the right responsibilities in the right place

    45-60 minutes

    Input: Selected governance base model, Governance context

    Output: Updated responsibilities and activities, Updated activities for selected governance bodies, New or removed governing bodies

    Materials: Whiteboard/flip charts

    Participants: IT senior leadership

    1. Based on your context and model, review the responsibilities identified for each committee and confirm that they align with the mandate and the stated outcome.
    2. Identify and highlight any responsibilities and activities that would not be involved in informing and enabling the mandate of the committee.
    3. Adjust the wording of confirmed responsibilities and activities to reflect your organizational language.
    4. Review each highlighted “bad fit” activity and move it to a committee whose mandate it would support or remove it if it’s not performed in your organization.
    5. If an additional committee is required, define the mandate and scope, then include any additional responsibilities that might have been a bad fit elsewhere

    2.1.4 Validate the governance mandates and membership

    30 minutes

    Input: Selected governance base model, Updated structure and responsibilities

    Output: Adjusted mandates and refined committee membership

    Materials: Whiteboard/flip charts

    Participants: IT senior leadership

    1. Review the mandate and membership slides in your selected governance model.
    2. Adjust the mandate to ensure that it aligns to and conveys:
      1. The outcome that the committee is meant to generate for the organization.
      2. Its scope/span of control.
    3. Discuss the type of information members would require for the committee to be successful in achieving its mandate.
    4. Document the member knowledge requirement in the mandate slide of the model template.

    Determine the right membership for your governance

    One of the biggest benefits of governance committees is the perspective provided by people from various parts of the organization, which helps to ensure technology investments are aligned with strategic goals. However, having too many people – or the wrong people – involved prevents the committee from being effective. Avoid this by following these principles.

    Three principles for selecting committee membership

    1. Determine membership based on responsibilities and required knowledge.
      Organizations often make the mistake of creating committees and selecting members before defining what they will do. This results in poor governance because members don’t have the knowledge required to make decisions. Define the mandate of the committee to determine which members are the right fit.
    2. Ensure members are accountable and authorized to make the decisions.
      Effective governance requires the members to have the authority and accountability to make decisions. This ensures meetings achieve their outcome and produce value, which improves the committee’s chances of survival.
    3. Select leaders who see the big picture.
      Often committee decisions and responsibilities become tangled in the web of organizational politics. Include people, often C-level, whose attendance is critical and who have the requisite knowledge, mindset, and understanding to put business needs ahead of their own.

    2.1.5 Update your committee processes

    20 minutes

    Input: Selected governance base model, Updated structure and responsibilities

    Output: Updated committee processes

    Materials: Whiteboard/flip charts

    Participants: IT senior leadership

    1. Review the committee details based on the changes you have made in goals, mandate, and responsibilities.
    2. Identify and document changes required to the committee outputs (outcomes) and adjust the consumer of the outputs to match.
    3. Review the high-level process steps required to get to the modified output. Add required activities or remove unnecessary ones. Review the process flow. Does it make sense? Are there unnecessary steps?
    4. Review and update inputs required for the process steps and update the information/data sources.
    5. Adjust the detailed process steps to reflect the work that needs to be done to support each high-level process step that changed.

    2.1.6 Adjust your associated policies

    20 minutes

    Input: Selected governance base model, Updated structure and responsibilities

    Output: Adjusted mandates and refined committee membership

    Materials: Whiteboard/flip charts

    Participants: IT senior leadership

    1. Review the policies associated with the governing bodies in your base model. Identify the policies that apply to your organization, those that are missing, and those that are not necessary.
    2. Confirm the policies that you require.
    3. Make sure the policies and policy purposes (or risks and related behaviors the policy addresses) are matched to the governance committee that has responsibilities in that area. Move policies to the right committee.

    2.1.7 Adjust and confirm your governance model

    1. Confirm the adjustment of governance bodies, structure, and input/output linkages.
    2. Confirm revisions to decisions and responsibilities.
    3. Confirm policy and regulation/standards associations.
    4. Select related governance committee charters from the provided set and revise the charters to reflect the elements defined in your updated model.
    5. Finalize your governance model.

    Samples of slides related to adjusting and confirming governance models in the Governance Workbook.

    Step 2.2

    Identify and Document Your Governance Triggers

    Activities
    • 2.2.1 Identify and document update triggers
    • 2.2.2 Embed triggers into the review cycle

    This step will walk you through the following activities:

    Identify scenarios that will create a need to review or change your governance model.

    Update your review/update approach to receiving trigger notifications.

    This step involves the following participants:

    • Senior IT leadership
    • Governance leads

    Outcomes of this step

    Downloaded tool ready to select the base governance model for your organization

    Select and Refine Your Governance Model

    Step 2.1 – Choose and Adapt Your Model Step 2.2 – Identify and Document Your Governance Triggers Step 2.3 – Build Implementation Approach

    What are governance triggers

    Governance triggers are organizational or environmental changes within or around an organization that are inflection points that start the review and revision of governance models to maintain their fit with the organization. This is the key to adaptive governance design.

    A target with five arrows sticking out of the bullseye, 'Operating Model', 'Business Strategy', 'Mandate Change', 'Management Practices', and 'Digital Transformation'.

    2.2.1 Identify and document update triggers

    30 minutes

    Input: Governance Workbook

    Output: Updated workbook with defined and documented governance triggers, points of origin, and integration

    Materials: Whiteboard/flip charts

    Participants: IT senior leadership

    1. Open the Governance Workbook to the “Triggers” slides.
    2. Review the list of governance triggers. Retain the ones that apply to your organization, remove those you feel are unnecessary, and add any change scenarios you feel should be included.
    3. Identify where you would receive notifications of these changes and the related processes or activities that would generate these notifications, if applicable.
    4. Document any points of integration required between governance processes and the source process. Highlight any where the integration is not currently in place.

    Sample of the 'Triggers' slide in the Governance Workbook.

    2.2.2 Embed triggers into the review cycle

    30 minutes

    Input: Governance model

    Output: Review cycle update

    Materials: Whiteboard/flip charts

    Participants: IT senior leadership

    1. Identify which triggers impact the entire governance model and which impact specific committees.
    2. Add an activity for triggered review of the impacted governance model into your governance committee process.

    Step 2.3

    Build Your Implementation Approach

    Activities
    • 2.3.1 Identify and document your implementation plan
    • 2.3.2 Build your roadmap
    • 2.3.3 Build your sunshine diagram

    This step will walk you through the following activities:

    Transfer changes to the Governance Implementation Plan Template.

    Determine the timing for the implementation phases.

    This step involves the following participants:

    • Senior IT leadership
    • Governance process owner

    Outcomes of this step

    Implementation plan for adaptive governance framework model

    Select and Refine Your Governance Model
    Step 2.1 – Choose and Adapt Your Model Step 2.2 – Identify and Document Your Governance Triggers Step 2.3 – Build Implementation Approach

    2.3.1 Identify and document your implementation plan

    60 minutes

    Input: Governance model, Guiding principles, Update triggers, Cultural factors and mitigations

    Output: Implementation roadmap

    Materials: Whiteboard/flip charts

    Participants: IT senior leadership

    1. As a group, discuss the changes required to implement the governance model, the cultural items that need to be addressed, and the anticipated timing.
    2. Document the implementation activities and consolidate them into groupings/themes based on similarities or shared outcomes.
    3. Name the grouped themes for clarity and identify key dependencies between activities in each area and across themes.
    4. Identify and document your approach (e.g. continuous, phased) and high-level timeline for implementation.
    5. Document the themes and initiatives in the Governance Implementation Plan.

    Download the Governance Implementation Plan

    Illustrate the implementation plan using roadmaps

    Info-Tech recommends two different methods to roadmap the initiatives in your Governance Implementation Plan.

    Gantt Chart
    Sample of a Gantt Chart.

    This type of roadmap depicts themes, related initiatives, the associated goals, and exact start and end dates for each initiative. This diagram is useful for outlining a larger number of activities and initiatives and has an easily digestible and repeatable format.

    		Sunshine Diagram
    Sample of a Sunshine Diagram.

    This type of roadmap depicts themes and their associated initiatives. The start and end dates for the initiatives are approximated based on years or phases. This diagram is useful for highlighting key initiatives on one page.

    2.3.2 Build your roadmap

    30 minutes

    Input: Governance themes and initiatives

    Output: roadmap visual

    Materials: Governance Roadmap Workbook, Governance Workbook

    Participants: CIO, IT senior leadership

    1. Open the Governance Implementation Plan and review themes and initiatives.
    2. Open the Governance Roadmap Workbook.
    3. Discuss whether the implementation roadmap should be developed as a Gantt chart, a sunshine diagram, or both.
      For the Gantt chart:
      • Input the roadmap start year and date.
      • Change the months and year in the Gantt chart to reflect the same roadmap start year.
      • Input and populate the planned start and end dates for the list of high-priority initiatives.

    Develop your Gantt chart in the Governance Roadmap Workbook

    2.3.3 Build your sunshine diagram

    30 minutes

    Input: Governance themes and initiatives

    Output: Sunshine diagram visual

    Materials: Whiteboard/flip charts, Markers, Governance Implementation Plan

    Participants: CIO, IT senior leadership

    1. Review your list of themes and initiatives.
    2. Build a model with “rays” radiating out from a central theme or objective.
    3. Using curved arcs, break the grid into timeline periods or phases.
    4. Complete your sunshine diagram in the Governance Implementation Plan.

    Customize your sunshine diagram in the Governance Implementation Plan

    Make Your IT Governance Adaptable

    Phase 3

    Embed and Automate

    Phase 1

    • 1.1 Define Your Guiding Star
    • 1.2 Define Scope and Principles
    • 1.3 Adjust for Culture and Finalize Context

    Phase 2

    • 2.1 Choose and Adapt Your Model
    • 2.2. Identify and Document Your Governance Triggers
    • 2.3 Build Your Implementation Approach

    Phase 3

    • 3.1 Identify Decisions to Embed and Automate
    • 3.2 Plan Validation and Verification
    • 3.3 Update Implementation Plan
      •

    This phase will walk you through the following activities:

    Identify which decisions you are ready to automate.

    Identify standards and policies that can be embedded and automated.

    Identify integration points.

    Confirm data requirements to enable success.

    This phase involves the following participants:

    • IT senior leadership
    • Governance process owner
    • Product and service owners
    • Policy owners

    Step 3.1

    Identify Decisions to Embed and Automate

    Activities
    • 3.1.1 Review governance decisions and standards and the required level of authority
    • 3.1.2 Build your decision logic
    • 3.1.3 identify constraints and mitigation approaches
    • 3.1.4 Develop decision rules and principles

    This step will walk you through the following activities:

    Identify your key decisions.

    Develop your decision logic.

    Confirm decisions that could be automated.

    Identify and address constraints.

    Develop decision rules and principles.

    This step involves the following participants:

    • IT senior leadership

    Outcomes of this step

    Developed decision rules, rulesets, and principles that can be leveraged to automate governance

    Defined integration points

    Embed and Automate

    Step 3.1 – Identify Decisions to Embed and Automate Step 3.2 – Plan Validation and Verification Step 3.3 – Update Implementation Plan

    What is decision automation?

    Decision automation is the codifying of rules that connect the logic of how decisions are made with the data required to make those decisions. This is then embedded and automated into processes and the design of products and services.

    • It is well suited to governance where the same types of decisions are made on a recurring basis, using the same set of data. It requires clean, high-quality data to be effective.
    • Improvements in artificial intelligence (AI) and machine learning (ML) have allowed the creation of scenarios where a hybrid of rules and learning can improve decision outcomes.

    Key Considerations

    • Data Availability
    • Legality
    • Contingencies
    • Decision Transparency
    • Data Quality
    • Auditability

    How complexity impacts decisions

    Decision complexity impacts the type of rule(s) you create and the amount of data required. It also helps define where or if decisions can be automated.

    1. SIMPLE
      Known and repeatable with consistent and familiar outcomes – structured, causal, and easy to standardize and automate.
    2. COMPLICATED
      Less known and outcomes are not consistently repeatable. Expertise can drive standards and guidelines that can be used to automate decisions.
    3. COMPLEX
      Unknown and new, highly uncertain in terms of outcomes, impact, and data. Requires more exploration and data. Difficult to automate but can be built into the design of products and services.
    4. CHAOTIC
      Unstructured and unknown situation. Requires adaptive and immediate action without active data – requires retained human governance
      5. (Based on Dave Snowden’s Cynefin framework)

    Governance Automation Criteria Checklist

    The Governance Automation Criteria Checklist provides a view of key considerations for determining whether a governing activity or decision is a good candidate for automation.

    The criteria identify key qualifiers/disqualifiers to make it easier to identify eligibility.

    Sample of the Governance Automation Criteria Checklist.

    Download the Governance Automation Criteria Checklist

    Governance Automation Worksheet

    Sample of the Governance Automation Worksheet.

    The Governance Automation Worksheet provides a way to document your governance and systematically identify information about the decisions to help determine if automation is possible.

    From there, decision rules, logic, and rulesets can be designed in support of building a structure flow to allow for automation.

    Download the Governance Automation Worksheet

    3.1.1 Review governance decisions and standards and the required level of authority

    30 minutes

    Input: Automation Criteria Checklist, Governance Automation Worksheet, Updated governance model

    Output: Documented decisions and related authority, Selected options for automation, Updated Governance Automation Worksheet

    Materials: Whiteboard/flip charts, Governance Automation Worksheet

    Participants: IT senior leadership

    1. Identify the decisions that are made within each committee in your updated governance model and document them in the Governance Automation Worksheet.
    2. Confirm the level of authority required to make each decision.
    3. Review the automation checklist to confirm whether each decision is positioned well for automation.
    4. Select and document the decisions that are the strongest options for automation/embedding and document them in the Governance Automation Worksheet.

    What are decision rules?

    Decision rules provide specific instructions and constraints that must be considered in making decisions and are critical for automating governance.

    They provide the logical path to assess governance inputs to make effective decisions with positive business outputs.

    Inputs would include key information such as known risks, your defined prioritization matrix, portfolio value scoring, and compliance controls.

    Individual rules can be leveraged in different places.

    Some decision rule types are listed here.

    1. Statement Rules
      Natural expression of logical progression, written through logical elements
    2. Decision Tree Rules
      Decision tree with two axes that overlap to generate a decision
    3. Sequential Rules
      A sequence of decisions that move from one step to the next
    4. Expression Rule
      A particular set of rules triggered by a particular rule condition being met
    5. Truth table rules
      Combines many decision factors into one place; produces different outputs

    What are decision rulesets

    Rulesets are created to make complex decisions. Individual rule types are combined to create rulesets that are applied together to generate effective decisions. One rule will provide contextual information required for additional rules to execute in a Rule-Result-Rule-Result-Rule-Decision flow.

    A visualization of two separate rulesets made up of the decision rules on the previous slide. 'Ruleset 1' contains '1) Statement Rules', '2) Decision Tree Rules', and 5) Truth Table Rules'. 'Ruleset 2' contains '3) Sequential Rules' and '4) Expression Rule'.

    3.1.2 Build your decision logic

    30 minutes

    Input: Governance Automation Worksheet

    Output: Documented decision logic to support selected decision types and data requirements

    Materials: Whiteboard/flip charts

    Participants: IT senior leadership

    1. For each selected decision, identify the principles that drive the considerations around the decision.
    2. For each decision, develop the decision logic by defining the steps and information inputs involved in making the decision and documenting the flow from beginning to end.
    3. Determine whether this is one specific decision or a combination of different decisions (in sequence or based on decisions).
    4. Name your decision rule.

    Sample of the Governance Automation Worksheet.

    3.1.3 Identify constraints and mitigation approaches

    60 minutes
    1. Document constraints to automation of decisions related to:
      • Availability of decision automation tools
      • Decision authority change requirements
      • Data constraints
      • Knowledge requirements
      • Process adjustment requirements
      • Product/service design levels
    2. Brainstorm and identify approaches to mitigate constraints and score based on likelihood of success.
    3. Identify mitigation owners and initial timeline expectations.
    4. Document the constraints and mitigations in the Governance Workbook on the constraints and mitigations slide.

    Sample of the 'Constraints and mitigations' slide of the 'Governance Workbook'.

    3.1.4 Develop decision rules and principles

    1.5-2 hours

    Input: Governance Automation Worksheet

    Output: Defined decision integration points, Confirmed data availability sets, Decision rules, rulesets, and principles with control indicators

    Materials: Whiteboard/flip charts, Governance Automation Worksheet

    Participants: IT senior leadership

    1. Review the decision logic for those decisions that you have confirmed for automation. Identify the processes where the decision should be executed.
    2. Associate each decision with specific process steps or stages or how it would be included in software/product design.
    3. For each selected decision, identify the availability of data required to support the decision logic and the level of complexity and apply governing principles.
    4. Create the decision rules and identify data gaps.
    5. Define the decision flow and create rulesets as needed.
    6. Confirm automation requirements and define control indicators.

    Step 3.2

    Plan Validation and Verification

    Activities
    • 3.2.1 Define verification approach for embedded and automated governance
    • 3.2.2 Define validation approach for embedded and automated governance

    This step will walk you through the following activities:

    Define how decision outcomes will be measured.

    Determine how the effectiveness of automated governance will be reported.

    This step involves the following participants:

    • IT senior leadership

    Outcomes of this step

    Tested and verified automation of decisions

    Embed and Automate

    Step 3.1 – Identify Decisions to Embed and Automate Step 3.2 – Plan Validation and Verification Step 3.3 – Update Implementation Plan

    Decision rule relationship through to verification

    1. Rules

    Focus on clear decision logic

    Often represented in simple statement types and supported by data:

    IF – THEN

    IF – AND – THEN

    IF – AND NOT – THEN

    		2. Rulesets

    Aggregate rules for more complex decisions

    Integrated flows between different required rules:
    Rule 1:
    (Output 1) – Rule 2
    (Output 2) – Rule 6
    Rule 6: (Output 1) – Rule 7     		3. Rule Attestation

    Verify success of automated decisions

    Attestation of embedded and automated rules with key control indicators embedded within process and products.

    Principles embedded into automated software controls.

    3.2.1 Define verification approach for embedded and automated governance

    60 minutes

    Input: Governance rules and rulesets as defined in the Governance Automation Worksheet, Defined decision outcomes

    Output: A defined measurement of effective decision outcomes, Approach to automate and/or report the effectiveness of automated governance

    Materials: Whiteboard/flip charts

    Participants: IT senior leadership

    Verify

    1. Confirm expected outcome of rules.
    2. Select a sampling of new required decisions or recently performed decisions related to areas of automation.
    3. Run the decisions through the decision rules or rule groupings that were developed and compare to parallel decisions made using the traditional approach. (These must be segregated activities.)
    4. Review the outcome of the rules and adjust based on the output. Identify areas of adjustment. Confirm that the automation meets your requirements.

    3.2.2 Define validation approach for embedded and automated governance

    60 minutes

    Input: Governance rules and rulesets as defined in the Governance Automation Worksheet, Defined decision outcomes

    Output: Defined assurance and attestation requirements, Key control indicators that can be automated

    Materials: Whiteboard/flip charts

    Participants: IT senior leadership

    Validate

    1. Develop an approach to measure automated decisions. Align success criteria to current governance KPIs and metrics.
    2. If no such metrics exist, define expected outcome. Define key risk indicators based on the expected points of automation.
    3. Establish quality assurance checkpoints within the delivery lifecycles to adjust for variance.
    4. Create triggers back to rule owners to drive changes and improvements to rules and rule groupings.

    Step 3.3

    Update Implementation Plan

    Activities
    • 3.3.1 Finalize the implementation plan

    This step will walk you through the following activities:

    Review implications and mitigations to make sure all have been considered.

    Finalize the implementation plan and roadmap.

    This step involves the following participants:

    • Senior IT leadership

    Outcomes of this step

    Completed Governance implementation plan and roadmap

    Embed and Automate

    Step 3.1 – Identify Decisions to Embed and Automate Step 3.2 – Plan Validation and Verification Step 3.3 – Update Implementation Plan

    3.3.1 Finalize the implementation plan

    30 minutes

    Input: Governance workbook, Updated governance model, Draft implementation plan and roadmap

    Output: Finalized implementation plan and roadmap

    Materials: Whiteboard/flip charts, Governance Implementation Plan

    Participants: IT senior leadership

    1. Document automation activities within phases in a governance automation theme in the Governance Implementation Plan.
    2. Review timelines in the implementation plan and where automation fits within the roadmap.
    3. Updated the implementation plan and roadmap.

    Governance Implementation Plan

    Summary of Accomplishment

    Problem Solved

    Through this project we have:

    • Improved your governance model to ensure a better fit for your organization, while creating adaptivity for the future.
    • Ensured your governance operates as an enabler of success with the proper bodies and levels of authority established.
    • Established triggers to ensure your governance model is actively adjusted to maintain its fit.
    • Developed a plan to embed and automate governance.
    • Created decision rules and principles and identified where to embed them within your practices.

    If you would like additional support, have our analysts guide you through other phases as part of an Info-Tech workshop.

    Contact your account representative for more information.

    workshops@infotech.com 1-888-670-8889

    Additional Support

    If you would like additional support, have our analysts guide you through other phases as part of an Info-Tech workshop.

    Photo of Valence Howden.

    Contact your account representative for more information.

    workshops@infotech.com 1-888-670-8889

    To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.

    Info-Tech analysts will join you and your team at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.

    Related Info-Tech Research

    Improve IT Governance to Drive Business Results

    Avoid bureaucracy and achieve alignment with a minimalist approach. Align with your organizational context.

    Establish Data Governance

    Establish data trust and accountability with strong governance.

    Maximize Business Value From IT Through Benefits Realization

    Embed value and alignment confirmation into your governance to ensure you optimize IT value achievement for resource spend.

    Build a Better Product Owner

    Strengthen the product/service owner role in your organization by focusing on core capabilities and proper alignment.

    Research contributors and experts

    Photo of Sidney Hodgson, Senior Director, Industry, Info-Tech Research Group. Sidney Hodgson
    Senior Director, Industry
    Info-Tech Research Group
    • Sidney has over 30 years of experience in IT leadership roles as CIO of three organizations in Canada and the US as well as international consulting experience in the US and Asia.
    • Sid has a breadth of knowledge in IT governance, project management, strategic and operational planning, enterprise architecture, business process re-engineering, IT cost reduction, and IT turnaround management.
    		 Photo of David Tomljenovic, Principal Research Advisor, Industry, Info-Tech Research Group. David Tomljenovic
    Principal Research Advisor, Industry
    Info-Tech Research Group
    • David brings extensive experience from the Financial Services sector, having worked 25 years on Bay Street. Most recently he was a Corporate Finance and Strategy Advisor for Infiniti Labs (Toronto/Hong Kong), Automotive, and Smart City Accelerator, where he provided financial and mergers & acquisitions advisory services to accelerator participants with a focus on early-stage fundraising activities.

    Research contributors and experts

    Photo of Cole Cioran, Practice Lead, Applications and Agile Development, Info-Tech Research Group. Cole Cioran
    Practice Lead, Applications and Agile Development
    Info-Tech Research Group
    • Over the past 25 years, Cole has developed software; designed data, infrastructure, and software solutions; defined systems and enterprise architectures; delivered enterprise-wide programs; and managed software development, infrastructure, and business systems analysis practices.
    		 Photo of Crystal Singh, Research Director, Applications – Data and Information Management, Info-Tech Research Group. Crystal Singh
    Research Director, Applications – Data and Information Management
    Info-Tech Research Group
    • Crystal brings a diverse and global perspective to her role, drawing from her professional experiences in various industries and locations. Prior to joining Info-Tech, Crystal led the Enterprise Data Services function at Rogers Communications, one of Canada’s leading telecommunications companies.

    Research contributors and experts

    Photo of Carlene McCubbin, Practice Lead, CIO, Info-Tech Research Group. Carlene McCubbin
    Practice Lead, CIO
    Info-Tech Research Group
    • Carlene covers key topics in organization and leadership and specializes in governance, organizational design, relationship management, and human capital development. She led the development of Info-Tech’s Organization and Leadership practice.
    		 Photo of Denis Goulet, Senior Workshop Director, Info-Tech Research Group. Denis Goulet
    Senior Workshop Director
    Info-Tech Research Group
    • Denis is a transformational leader and experienced strategist who focuses on helping clients communicate, relate, and adapt for success. Having developed Governance Model and IT strategies in organizations ranging from small to billion-dollar multi-nationals, he firmly believes in a collaborative value-driven approach to work.

    Bibliography

    “2020 State of Data Governance and Automation Report.” Erwin.com, 28 Jan. 2020. Web.

    “Adaptive IT Governance.” Google search, 15 Nov. 2020.

    “Adaptive IT Governance Framework.” CIO Index, 3 Nov. 2011. Accessed 15 Nov. 2020.

    “Agile Governance Made Easy.” Agilist, n.d. Accessed 15 Nov. 2020.

    “Automating Governance — Our Work.” Humanising Machine Intelligence, n.d. Accessed 15 Nov. 2020.

    “Automation – Decisions.” IBM, 2020. Accessed 15 Oct. 2020.

    Chang, Charlotte. “Accelerating Agile through effective governance.” Medium, 22 Sept. 2020. Web.

    “COBIT 5: Enabling Processes.” ISACA, 2012. Web. Oct. 2016.

    COBIT 2019. ISACA, Dec. 2018. Web.

    Curtis, Blake. “The Value of IT Governance.” ISACA, 29 June 2020. Accessed 15 Nov. 2020.

    De Smet, Aaron. “Three Keys to Faster, Better Decisions.” McKinsey & Company, 1 May 2019. Accessed 15 Nov. 2020.

    “Decision Rules and Decision Analysis.” Navex Global, 2020. Web.

    “Decisions Automation with Business Rules Management Solution.” Sumerge, 4 Feb. 2020. Accessed 15 Nov. 2020.

    “DevGovOps – Key factors for IT governance for enterprises in a DevOps world.” Capgemini, 27 Sept. 2019. Web.

    Eisenstein, Lena. “IT Governance Checklist.” BoardEffect, 19 Feb. 2020. Accessed 15 Nov. 2020.

    “Establishing Effective IT and Data Governance.” Chartered Professional Accountants Canada, n.d. Accessed 15 Nov. 2020.

    Gandzeichuk, Ilya. “Augmented Analytics: From Decision Support To Intelligent Decision-Making.” Forbes, 8 Jan. 2020. Accessed 15 Nov. 2020.

    Georgescu, Vlad. “What Is IT Governance? Understanding From First Principles.” Plutora, 18 Oct. 2019. Web.

    Goodwin, Bill. “IT Governance in the Era of Shadow IT.” ComputerWeekly, 5 Aug. 2014. Accessed 15 Nov. 2020.

    “Governance of IT, OT and IOT.” ISACA Journal, 2019. Web.

    Gritsenko, Daria, and Matthew Wood. “Algorithmic Governance: A Modes of Governance Approach.” Regulation & Governance, 10 Nov. 2020. Web.

    Hansert, Philipp. “Adaptive IT Governance with Clausmark’s Bee4IT.” Bee360, 25 Oct. 2019. Accessed 15 Nov. 2020.

    Havelock, Kylie. “What Does Good Product Governance Look Like?” Medium. 8 Jan. 2020. Web.

    Haven, Dolf van der. “Governance of IT with ISO 38500 - A More Detailed View” LinkedIn article, 24 Oct. 2016. Accessed 15 Nov. 2020.

    Hong, Sounman, and Sanghyun Lee. “Adaptive Governance and Decentralization: Evidence from Regulation of the Sharing Economy in Multi-Level Governance.” Government Information Quarterly, vol. 35, no. 2, April 2018, pp. 299–305. Web.

    ISACA. “Monthly Seminar & Networking Dinner: CIO Dashboard.” Cvent, Feb. 2012. Accessed 15 Nov. 2020.

    ISO/IEC 38500, ISO, 2018 and ongoing.

    “IT Governance.” Kenway Consulting, n.d. Accessed 15 Nov. 2020.

    “IT Governance in the Age of COVID 19.” Union of Arab Banks Webinar, 19-21 Oct. 2020. Accessed 15 Nov. 2020.

    Jaffe, Dennis T. “Introducing the Seven Pillars of Governance.” Triple Pundit, 15 Nov. 2011. Accessed 15 Nov. 2020.

    Janssen, Marijn, and Haiko van der Voort. “Agile and Adaptive Governance in Crisis Response: Lessons from the COVID-19 Pandemic.” International Journal of Information Management, vol. 55, December 2020. Web.

    Jodya, Tiffany. “Automating Enterprise Governance within Delivery Pipelines.” Harness.io, 14 May 2020. Web.

    Kumar, Sarvesh. “AI-Based Decision-Making Automation.” Singular Intelligence, 17 June 2019. Web.

    “Lean IT Governance.” Disciplined Agile, n.d. Accessed 15 Nov. 2020.

    Lerner, Mark. “Government Tech Projects Fail by Default. It Doesn’t Have to Be This Way.” Belfer Center for Science and International Affairs, 21 Oct. 2020. Accessed 15 Nov. 2020.

    Levstek, Aleš, Tomaž Hovelja, and Andreja Pucihar. “IT Governance Mechanisms and Contingency Factors: Towards an Adaptive IT Governance Model.” Organizacija, vol. 51, no. 4, Nov. 2018. Web.

    Maccani, Giovanni, et al. “An Emerging Typology of IT Governance Structural Mechanisms in Smart Cities.” Government Information Quarterly, vol. 37, no. 4, Oct. 2020. Web.

    Magowan, Kirstie. “IT Governance vs IT Management: Mastering the Differences.” BMC Blogs, 18 May 2020. Accessed 15 Nov. 2020.

    Mazmanian, Adam. “Is It Time to Rethink IT Governance? ” Washington Technology, 26 Oct. 2020. Accessed 15 Nov. 2020.

    Mukherjee, Jayanto. “6 Components of an Automation (DevOps) Governance Model.” Sogeti, n.d. Accessed 15 Nov. 2020.

    Ng, Cindy. “The Difference Between Data Governance and IT Governance.” Inside Out Security, updated 17 June 2020. Web.

    Pearson, Garry. “Agile or Adaptive Governance Required?” Taking Care of the Present (blog), 30 Oct. 2020. Accessed 15 Nov. 2020.

    Peregrine, Michael, et al. “The Long-Term Impact of the Pandemic on Corporate Governance.” Harvard Law School Forum on Corporate Governance, 16 July 2020. Web.

    Raymond, Louis, et al. “Determinants and Outcomes of IT Governance in Manufacturing SMEs: A Strategic IT Management Perspective.” International Journal of Accounting Information Systems, vol. 35, December 2019. Web.

    Rentrop, Christopher. “Adaptive IT Governance – Foundation of a Successful Digitalization.” Business IT Cooperation Coordination Controlling (blog). May 2, 2018. Web.

    Schultz, Lisen, et al. “Adaptive Governance, Ecosystem Management, and Natural Capital.” Proceedings of the National Academy of Sciences, vol. 112, no. 24, 2015, pp. 7369–74. Web.

    Selig, Gad J. Implementing IT Governance: A Practical Guide to Global Best Practices in IT Management. Van Haren Publishing, 2008. Accessed 15 Nov. 2020.

    Sharma, Chiatan. “Rule Governance for Enterprise-Wide Adoption of Business Rules: Why Does a BRMS Implementation Need a Governance Framework?” Business Rules Journal, vol. 13, no. 4, April 2012. Accessed 15 Nov. 2020.

    Smallwood, Robert. “Information Governance, IT Governance, Data Governance – What’s the Difference?” The Data Administration Newsletter, 3 June 2020. Accessed 15 Nov. 2020.

    Snowden, Dave. "Cynefin – weaving sense-making into the fabric of our world", Cognitive Edge, 20 October 2020.

    “The Place of IT Governance in the Enterprise Governance.” Institut de la Gouvernance des Systemes d’Information, 2005. Accessed 15 Nov. 2020.

    Thomas, Mark. “Demystifying IT Governance Roles in a Dynamic Business Environment.” APMG International, 29 Oct. 2020. Webinar. Accessed 15 Nov. 2020.

    “The Four Pillars of Governance Best Practice.” The Institute of Directors in New Zealand, 4 Nov. 2019. Web.

    Wang, Cancan, Rony Medaglia, and Lei Zheng. “Towards a Typology of Adaptive Governance in the Digital Government Context: The Role of Decision-Making and Accountability.” Government Information Quarterly, vol. 35, no. 2, April 2018, pp. 306–22.

    Westland, Jason. “IT Governance: Definitions, Frameworks and Planning.” ProjectManager.com, 17 Dec. 2019. Web.

    Wilkin, Carla L., and Jon Riddett. “IT Governance Challenges in a Large Not-for-Profit Healthcare Organization: The Role of Intranets.” Electronic Commerce Research vol. 9, no. 4, 2009, pp. 351-74. Web.

    Zalnieriute, Monika, et al. “The Rule of Law and Automation of Government Decision Making.” Modern Law Review, 25 Feb. 2019. Web.

    Develop a Security Awareness and Training Program That Empowers End Users

    • Buy Link or Shortcode: {j2store}370|cart{/j2store}
    • member rating overall impact: 9.4/10 Overall Impact
    • member rating average dollars saved: $12,075 Average $ Saved
    • member rating average days saved: 11 Average Days Saved
    • Parent Category Name: Security Strategy & Budgeting
    • Parent Category Link: /security-strategy-and-budgeting
    • The fast evolution of the cybersecurity landscape requires security training and awareness programs that are frequently updated and improved.
    • Security and awareness training programs often fail to engage end users. Lack of engagement can lead to low levels of knowledge retention.
    • Irrelevant or outdated training content does not properly prepare your end users to effectively defend the organization against security threats.

    Our Advice

    Critical Insight

    • One-time, annual training is no longer sufficient for creating an effective security awareness and training program.
    • By presenting security as a personal and individualized issue, you can make this new personal focus a driver for your organizational security awareness and training program.

    Impact and Result

    • Create a training program that delivers smaller amounts of information on a more frequent basis to minimize effort, reduce end-user training fatigue, and improve content relevance.
    • Evaluate and improve your security awareness and training program continuously to keep its content up-to-date. Leverage end-user feedback to ensure content remains relevant to those who receive it.

    Develop a Security Awareness and Training Program That Empowers End Users Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should develop a security awareness and training program that empowers end users, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Develop your training program

    Create or mature a security awareness and training program that is tailored to your organization.

    • Develop a Security Awareness and Training Program That Empowers End Users – Phase 1: Develop Your Training Program
    • Security Awareness and Training Program Development Tool
    • End-User Security Job Description Template
    • Training Materials – Physical Computer Security
    • Training Materials – Cyber Attacks
    • Training Materials – Incident Response
    • Training Materials – Mobile Security
    • Training Materials – Passwords
    • Training Materials – Phishing
    • Training Materials – Social Engineering
    • Training Materials – Web Usage
    • Security Awareness and Training Vendor Evaluation Tool
    • Security Awareness and Training Metrics Tool
    • End-User Security Knowledge Test Template
    • Security Training Campaign Development Tool

    2. Design an effective training delivery plan

    Explore methods of training delivery and select the most effective solutions.

    • Develop a Security Awareness and Training Program That Empowers End Users – Phase 2: Design an Effective Training Delivery Plan
    • Information Security Awareness and Training Policy
    • Security Awareness and Training Gamification Guide
    • Mock Spear Phishing Email Examples
    • Security Training Email Templates
    • Security Awareness and Training Module Builder and Training Schedule
    • Security Training Campaign Development Tool
    • Security Training Program Manual
    • Security Awareness and Training Feedback Template
    • Security Awareness Month Week 1: Staying in Touch
    • Security Awareness Month Week 2: Sharing Special Moments
    • Security Awareness Month Week 3: Working and Networking
    • Security Awareness Month Week 4: Families and Businesses
    [infographic]

    Workshop: Develop a Security Awareness and Training Program That Empowers End Users

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Outline the Plan for Long-term Program Improvement

    The Purpose

    Identify the maturity level of the existing security awareness and training program and set development goals.

    Establish program milestones and outline key initiatives for program development.

    Identify metrics to measure program effectiveness.

    Key Benefits Achieved

    Identified the gaps between the current maturity level of the security awareness and training program and future target states.

    Activities

    1.1 Create a program development plan.

    1.2 Investigate and select metrics to measure program effectiveness.

    1.3 Execute some low-hanging fruit initiatives for collecting metrics: e.g. create a knowledge test, feedback survey, or gamification guide.

    Outputs

    Customized development plan for program.

    Tool for tracking metrics.

    Customized knowledge quiz ready for distribution.

    Customized feedback survey for training.

    Gamification program outline.

    2 Identify and Assess Audience Groups and Security Training Topics

    The Purpose

    Determine the unique audience groups within your organization and evaluate their risks and vulnerabilities.

    Prioritize training topics and audience groups to effectively streamline program development.

    Key Benefits Achieved

    Created a comprehensive list of unique audience groups and the corresponding security training that each group should receive.

    Determined priority ratings for both audience groups and the security topics to be delivered.

    Activities

    2.1 Identify the unique audience groups within your organization and the threats they face.

    2.2 Determine the priority levels of the current security topics.

    2.3 Review audience groups and determine which topics need to be delivered to each group.

    Outputs

    Risk profile for each identified audience group.

    Priority scores for all training topics.

    List of relevant security topics for each identified audience group.

    3 Plan the Training Delivery

    The Purpose

    Identify all feasible delivery channels for security training within your organization.

    Build a vendor evaluation tool and shortlist or harvest materials for in-house content creation.

    Key Benefits Achieved

    List of all potential delivery mechanisms for security awareness and training.

    Built a vendor evaluation tool and discussed a vendor shortlist.

    Harvested a collection of free online materials for in-house training development.

    Activities

    3.1 Discuss potential delivery mechanisms for training, including the purchase and use of a vendor.

    3.2 If selecting a vendor, review vendor selection criteria and discuss potential vendor options.

    3.3 If creating content in-house, review and select available resources on the web.

    Outputs

    List of available delivery mechanisms for training.

    Vendor assessment tool and shortlist.

    Customized security training presentations.

    4 Create a Training Schedule for Content Deployment

    The Purpose

    Create a plan for deploying a pilot program to gather valuable feedback.

    Create an ongoing training schedule.

    Define the end users’ responsibilities towards security within the organization.

    Key Benefits Achieved

    Created a plan to deploy a pilot program.

    Created a schedule for training deployment.

    Defined role of end users in helping protect the organization against security threats.

    Activities

    4.1 Build training modules.

    4.2 Create an ongoing training schedule.

    4.3 Define and document your end users’ responsibilities towards their security.

    Outputs

    Documented modular structure to training content.

    Training schedule.

    Security job description template.

    End-user training policy.

    The State of Black Professionals in Tech

    • Buy Link or Shortcode: {j2store}550|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Engage
    • Parent Category Link: /engage
    • The experience of Black professionals in IT differs from their colleagues.
    • Job satisfaction is also lower for Black IT professionals.
    • For organizations to gain from the benefits of diversity, equity, and inclusion, they need to ensure they understand the landscape for many Black professionals.

    Our Advice

    Critical Insight

    • As an IT leader, you can make a positive difference in the working lives of your team; this is not just the domain of HR.
    • Employee goals can vary depending on the barriers that they encounter. IT leaders must ensure they have an understanding of unique employee needs to better support them, increasing their ability to recruit and retain.
    • Improve the experience of Black IT professionals by ensuring your organization has diversity in leadership and supports mentorship and sponsorship.

    Impact and Result

    • Use the data from Info-Tech’s analysis to inform your DEI strategy.
    • Learn about actions that IT leaders can take to improve the satisfaction and career advancement of their Black employees.

    The State of Black Professionals in Tech Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. The State of Black Professionals in Tech Report – A report providing you with advice on barriers and solutions for leaders of Black employees.

    IT leaders often realize that there are barriers impacting their employees but don’t know how to address them. This report provides insights on the barriers and actions that can help improve the lives of Black professionals in technology.

    • The State of Black Professionals in Tech Report

    Infographic

    Further reading

    The State of Black Professionals in Tech

    Keep inclusion at the forefront to gain the benefits from diversity.

    Analysts' Perspective

    The experience of Black professionals in technology is unique.

    Diversity in tech is not a new topic, and it's not a secret that technology organizations struggle to attract and retain Black employees. Ever since the early '90s, large tech organizations have been dealing with public critique of their lack of diversity. This topic is close to our hearts, but unfortunately while improvements have been made, progress is quite slow.

    In recent years, current events have once again brought diversity to the forefront for many organizations. In addition, the pandemic along with talent trends such as "the great resignation" and "quiet quitting" and preparations for a recession have not only impacted diversity at large but also Black professionals in technology. Our previous research has focused on the wider topic of Recruiting and Retaining People of Color in Tech, but we've found that the experiences of persons of color are not all the same.

    This study focuses on the unique experience of Black professionals in technology. Over 600 people were surveyed using an online tool; interviews provided additional insights. We're excited to share our findings with you.

    This is a picture of Allison Straker This is an image of Ugbad Farah

    Allison Straker
    Research Director
    Info-Tech Research Group

    Ugbad Farah
    Research Director
    Info-Tech Research Group

    Demographics

    In October 2021, we launched a survey to understand what the Black experience is like for people in technology. We wanted and received a variety of responses which would help us to understand how Black technology professionals experienced their working world. We received responses from 633 professionals, providing us with the data for this report.

    For more information on our survey demographics please see the appendix at this end of this report.

    A pie chart showing 26% black and 74% All Other

    26% of our respondents either identified as Black or felt the world sees them as Black.

    Professionals from various countries responded to the survey:

    • Most respondents were born in the US (52%), Canada (14%), India (14%), or Nigeria (4%).
    • Most respondents live in the US (56%), Canada (25%), Nigeria (2%), or the United Kingdom (2%).

    Companies with more diversity achieve more revenue from innovation

    Organizations do better and are more innovative when they have more diversity, a key ingredient in an organization's secret sauce.
    Organizations also benefit from engaged employees, yet we've seen that organizations struggle with both. Just having a certain number of diverse individuals is not enough. When it comes to reaping the benefits of diversity, organizations can flourish when employees feel safe bringing their whole selves to work.

    45% Innovation Revenue by Companies With Above-Average Diversity Scores
    26%

    Innovation Revenue by Companies With Below-Average Diversity Scores

    (Chart source: McKinsey, 2020)


    Companies with higher employee engagement experience 19.2% higher earnings.

    However, those with lower employee engagement experience 32.7% lower earnings.
    (DecisionWise, 2020)

    If your workforce doesn't reflect the community it serves, your business may be missing out on the chance to find great employees and break into new and growing markets, both locally and globally.
    Diversity makes good business sense.
    (Business Development Canada, 2023)

    A study about Black professionals

    Why is this about Black professionals and not other diverse groups?

    While there are a variety of diversity dimensions, it's important to understand what makes up a "multicultural workforce." There is more to diversity than gender, race, and ethnicity. Organizations need to understand that there is diversity within these groups and Black professionals have their own unique experience when it comes to entering and navigating tech that needs to be addressed.

    This image contains two bar graphs from the Brookfield Institute for Innovation and Entrepreneurship. They show the answers to two questions, sorted by the following categories: Black; Non-White; Asian; White. The questions are as follows: I feel comfortable to voice my opinion, even when it differs from the group opinion; I am part of the decision-making process at work.

    (Brookfield Institute for Innovation and Entrepreneurship, 2019)

    The solutions that apply to Black professionals are not only beneficial for Black employees but for all. While all demographics are unique, the solutions in this report can support many.

    Unsatisfied and underrepresented

    Less Black professionals responded as "satisfied" in their IT careers. The question is: How do we mend the Gap?

    Percentage of IT Professionals Who Reported Being Very Satisfied in Their Current Role

    • All Other Professionals: 34%
    • Black Professionals: 23%

    Black workers are underrepresented in most professional roles, especially computer and math Occupations

    A bar graph showing representation of black workers in the total workforce compared to computer and mathematical science occupations.

    The gap in satisfaction

    What's Important?

    Our research suggests that the differences in satisfaction among ethnic groups are related to differences in value systems. We asked respondents to rank what's important, and we explored why.

    Non-Black professionals rated autonomy and their manager working relationships as most important.

    For Black professionals, while those were important, #1 was promotion and growth opportunities, ranked #7 by all other professionals. This is a significant discrepancy.

    Recognition of my work/accomplishments also was viewed significantly differently, with Black professionals ranking it low on the list at #7 and all other professionals considering it very important at #3.

    All Other Professionals

    Black Professionals

    Two columns, containing metrics of satisfaction rated by Black Professionals, and All Other Professionals.

    Maslow's Hierarchy of Needs applies to job satisfaction

    In Maslow's hierarchy, it is necessary for people to achieve items lower on the hierarchy before they can successfully pursue the higher tiers.

    An image of Maslow's Hierarchy of Needs modified to apply to Job Satisfaction

    Too many Black professionals in tech are busy trying to achieve some of the lower parts of the hierarchy; it is stopping them from achieving elements higher up that can lead to job satisfaction.

    This can stop them from gaining esteem, importance, and ultimately, self-actualization. The barriers that impact safety and social belonging happen on a day-to-day basis, and so the day-to-day lives of Black professionals in tech can look very different from their counterparts.

    There are barriers that hinder and solutions that support employees

    An image showing barriers to success An image showing Actions for Success.
    There are various barriers that increase the likelihood for Black professionals to focus on the lower end of the needs hierarchy:

    These are among some of the solutions that, when layered, can support Black professionals in tech in moving up the needs hierarchy.

    Focusing on these actions can support Black professionals in achieving much needed job satisfaction.

    What does this mean?

    The minority experience is not a monolith

    The barriers that Black professionals encounter aren't limited to the same barriers as their colleagues, and too often this means that they aren't in a position to grow their careers in a way that leads to job satisfaction.

    There is a 11% gap between the satisfaction of Black professionals and their peers.

    Early Steps:
    Take time to understand the Black experience.

    As leaders, it's important to be aware that employee goals vary depending on the barriers they're battling with.

    Intermediate:
    If Black employees don't have strong relationships, networks, and mentorships it becomes increasingly difficult to navigate the path to upward mobility.

    As a leader, you can look for opportunities to bridge the gap on these types of conversations.

    Advanced:
    Black professionals in tech are not advancing like their counterparts.

    Creating clear career paths will not only benefit Black employees but also support your entire organization.

    Key metrics:

    • Engagement
    • Committed Executive Leadership
    • Development Opportunities
    • Organizational Programs

    Black respondents are significantly more likely to report barriers to their career advancement

    Common barriers

    Black professionals, like their colleagues, encounter barriers as they try to advance their careers. The barriers both groups encounter include microaggressions, racism, ageism, accessibility issues, sexual orientation, bias due to religion, lack of a career-supported network, gender bias, family status bias, and discrimination due to language/accents.

    What tops the list

    Microaggressions and racism are at the top of these barriers, but Black professionals also deal with other barriers that their colleagues may experience, such as gender-based bias, accessibility issues, religion, and more.

    One of these barriers alone can be difficult to deal with but when they are compounded it can be very difficult to navigate through the working environment in tech.

    A graph charting the impact of the common barriers

    What are microaggressions?

    Microaggression

    A statement, action, or incident regarded as an instance of indirect, subtle, or unintentional discrimination against members of a marginalized group such as a racial or ethnic minority.

    (Oxford Languages, 2023)

    Why are they significant?

    These things may seem innocent enough but the messaging that is received and the lasting impression is often far from it.

    Our research shows that racism and discrimination contribute to poor mental health among Black professionals.

    Examples

    • You're so articulate!
    • How do you always have different hair, can I touch it?
    • Where are you really from?
    • I don't see color.
    • I believe the most qualified person should get the job; everyone can succeed in this society if they work hard enough.

    "The experience of having to question whether something happened to you because of your race or constantly being on edge because your environment is hostile can often leave people feeling invisible, silenced, angry, and resentful."
    Dr. Joy Bradford,
    clinical Psychologist, qtd. In Pfizer

    It takes some time to get in the door

    For too many Black respondents, It took Longer than their peers to Find Technology Jobs.

    Both groups had some success finding jobs in "no time" – however, there was a difference. Thirty-four percent of "all others" found their jobs quickly, while the numbers were less for Black professionals, at 26%. There was also a difference at the opposite end of the spectrum. For 29% of Black professionals, it took seven months or longer to find their IT job, while that number is only 19% for their peers.

    .a graph showing time taken for respondents sorted by black; and all other.

    This points to the need for improvements in recruitment and career advancement.

    29% of Black respondents said that it took them 7 months or longer to find their technology job.

    Compared to 19% of all other professionals that selected the same response.

    And once they're in, it's difficult to advance

    Black Professionals are not Advancing as Quickly as their Colleagues. Especially when you look at their Experience.

    Our research shows that compared to all other ethnicities; Black participants were 55% more likely to report that they had no career advancement/promotion in their career. There is a bigger percentage of Black professionals who have never received a promotion; there's also a large number of Black professionals who have been working a significant amount time in the same role without a promotion.

    .Career Advancement

    A graph showing career advancement for the categories: Black and All Other.

    Black participants were 55% more likely to report that they had had no career advancement/promotion in their career.

    No advancement

    A graph showing the number of respondents who reported no career advancement over time, for the categories: Black; and All Other.

    There's a high cost to lack of engagement

    When employees feel disillusioned with things like career advancement and microaggressions, they often become disengaged. When you continuously have to steel yourself against microaggressions, racism, and other barriers, it prevents you from bringing your whole self to the office. The barriers can lead to what's been coined as "emotional tax." An emotional tax is the experience of feeling different from colleagues because of your inherent diversity and the associated negative effects on health, wellbeing, and the ability to thrive at work.

    Earnings of companies with higher employee engagement

    		19.2%

    Earnings of companies with lower employee engagement

    		-32.7%

    (DecisionWise, 2020)

    "I've conditioned myself for the corporate world, I don't bring my authentic self to work."
    Anonymous Interview Subject

    Lack of engagement also costs the organization in terms of turnover, something many organizations today are struggling with how to address. Organizations want to increase the ability of the workforce to remain in the organization. For Black employees, this gets harder when they're not engaged and they're the only one. When the emotional tax gets to be too much, this can lead to turnover. Turnover not only costs companies billions in profits, it also negatively impacts leadership diversity. It's difficult to imagine career growth when you don't see anyone that looks like you at the top. It is a challenge to see your future when there aren't others that you can relate to at top levels in the organization, leading to one of our interview subjects to muse, "How long can I last?"

    "Being Black in tech can be hard on your mental health. Your mind is constantly wondering, 'how long can I last?' "
    Anonymous Interview Subject

    Fewer Black professionals feel like they can be their authentic selves at work

    Authentic vs. Successes

    For many Black professionals, "code-switching," or altering the way one speaks and acts depending on context, becomes the norm to make others more comfortable. Many feel that being authentic and succeeding in the workplace are mutually exclusive.

    Programs and Resources

    We asked respondents "What's in place to build an inclusive culture at your company?" Most respondents (51% and 45%) reported that there were employee resource groups at their organizations.

    Do you feel you can be your authentic self at work?

    A bar graph showing 86% for All Other Professions, and 75% for Black Professionals

    A bar graph showing responses to the question What’s in place to build an inclusive culture at your company.

    What can be done?

    An image showing actions for success.

    There are various actions that organizations can take to help address barriers.

    It's important to ensure these are not put in as band-aid solutions but that they are carefully thought out and layered.

    Our findings demonstrate that remote work, career development, and DEI programs along with mentorship and diverse leadership are strong enablers of professional satisfaction. An unfortunate consequence, if professionals are not nurtured, is that we risk losing much needed talent to self-employment or to other organizations.

    There are several solutions

    Respondents were asked to distribute points across potential solutions that could lead to job satisfaction. The ratings showed that there were common solutions that could be leveraged across all groups.

    Respondents were asked what solutions were valuable for their career development.

    All groups were mostly aligned on the order of the solutions that would lead to career satisfaction; however, Black professionals rated the importance of employee resource groups as higher than their colleagues did.

    An image showing how respondents rate a number of categories, sorted into Ratings by Black Professionals, and Ratings by Other Professionals

    Mentorship and sponsorship are seen as key for all employees, as is of course training.

    However, employee resource groups (ERGs) were rated significantly higher for Black professionals and discussions around diversity were higher for their colleagues. This may be because other groups feel a need to learn more about diversity, whereas Black professionals live this experience on a day-to day basis, so it's not as critical for them.

    Double the number of satisfied Black professionals through mentorship and sponsorship

    a bar graph showing the number of very satisfied people with and without mentors/sponsors.

    Mentorship and sponsorship help to close the job satisfaction gap for Black IT professionals. The percentage of satisfied Black employees almost doubles when they have a mentor or sponsorship, moving the satisfaction rate to closer to all other colleagues.

    As leaders, you likely benefit from a few different advisors, and your staff should be able to benefit in the same way.

    They can have their own personal board of advisors, both inside and outside of your organization, helping them to navigate the working world in IT.

    To support your staff, provide guidance and coaching to internal mentors so that they can best support employees, and ensure that your organizational culture supports relationship building and trust.

    While all are critical, coaching, mentoring, and sponsorship are not the same

    Coaching

    Performance-driven guidance geared to support the employee with on-the-job performance. This could be a short-term relationship.

    Mentorship

    A relationship where the mentor provides guidance, information, and expertise to support the long-term career development of the mentee.

    Sponsorship

    The act of advocating on the behalf of another for a position, promotion, development opportunity, etc. over a longer period.

    For more information on setting up a mentorship program, see Optimize the Mentoring Program to Build a High Performing Learning Organization.

    On why mentorship and sponsorship are important:

    "With some degree of mentorship or sponsorship, it means that your ability to thrive or to have a positive experience in organizations increases substantially.

    Mentorship and sponsorship are very often the lynchpin of someone being successful and sticking with an organization.

    Sponsorship is an endorsement to other high-level stakeholders who very often are the gatekeepers of opportunity. Sponsors help to shepherd you through the gate."

    		An Image of Carlos Thomas

    Carlos Thomas
    Executive Councilor, Info-Tech Research Group

    What is an employee resource group?

    IT Professionals rated ERGs as the third top driver of success at work

    Employee resource groups enable employees to connect in their workplace based on shared characteristics or life experiences.

    ERGs generally focus on providing support, enhancing career development, and contributing to personal development in the work environment. Some ERGs provide advice to the organization on how they can support their diverse employees.

    As leaders, you should support and encourage the formation of ERGs in your organization.

    What each ERG does will vary according to the needs of employees in your organization. Your role is to enable the ERGs as they are created and maintained.

    On setting up and leveraging employee resource groups:

    "Employee resource groups, when leveraged in an authentically intentional way, can be the some of the most impactful stakeholders in the development and implementation of the organizational diversity, equity, and inclusion strategy.

    ERGs are essential to the development of policies, programs, and initiatives that address the needs of equity-seeking groups and are key to driving organizational culture and employee wellbeing, in addition to hiring and recruitment.

    ERGs must be set up for success by having adequate resources to do the work, which includes adequate budgets, executive sponsorship, training, support, and capacity to do the work. According to a Great Place To Work survey (2021), 50% of ERGs identified the need for adequate resources as a challenge for carrying out the work.:"

    		An image of Cinnamon Clark

    CINNAMON CLARK
    PRACTICE LEAD, DIVERSITY, EQUITY AND INCLUSION services, MCLEAN & CO

    There is a gap when it comes to diversity in leadership

    Representation at leadership levels is especially stagnant.

    Black Americans comprise 13.6% of the US population
    (2022 data from the US Census Bureau)

    And yet only 5.9% of the country's CEOs are Black, with only 6 (1%) at the top of Fortune 500 companies.
    (2021 data from the Bureau of Labor Statistics and Fortune.com)

    I've never worked for a company that has Black executives. It's difficult to envision long-term growth with an organization when you don't see yourself represented in leadership.
    – Anonymous Interview Subject

    Having diversity in your leadership team doubles satisfaction

    An image of a bar graph showing satisfaction for those who do, and do not see diversity in their company's leadership.

    Our research shows that Black professionals are more satisfied in their role when they see leaders that look like them.

    Satisfaction of other professionals is not as impacted by diversity in leadership as for Black professionals. Satisfaction doubles in organizations that have a diverse leadership team.

    To reap the benefits from diversity, we need to ensure diversity is not just in entry or mid-level positions and provide employees an opportunity to see diversity in their company's leadership.

    On the need for diversity in leadership:

    "As a Black professional leader, it's not lost on me that I have a responsibility. I have to demonstrate authenticity, professionalism, and exemplary behavior that others can mimic. And I must also showcase that there are possibilities for those coming up in their career. I feel very grateful that I can bestow onto others my knowledge, my experience, my journey, and the tips that I've used to help bring me to be where I am.
    (Having Black leaders in an organization) demonstrates that there is talent across the board, that there are all types of women and people with proficiencies. What it brings to the table is a difference in thoughts and experience.
    A person like myself, sitting at the table, can bring a unique perspective on employee behavior and employee impact. CCL is an organization focused on equity, diversity, and inclusion; for sure having me at the table and others that look like me at the table demonstrates to the public an organization that's practicing what it preaches."

    		An image of C. Fara Francis

    C. Fara Francis
    CIO, Center for creative leadership

    Work from home

    While all groups have embraced the work-from-home movement, many Black professionals find it reduces the impact of racial incidents in the workplace.

    Percentage of employees who experienced positive changes in motivation after working remotely.

    Black: 43%; All Other: 43%

    I have to guard and protect myself from experiencing and witnessing racism every day. I am currently working remotely, and I can say for certain my mood and demeanor have improved. Not having to decide if I should address a racist comment or action has made my day easier.
    Source: Slate, 2022

    Remote work significantly led to feelings of better chances for career advancement

    Survey respondents were asked about the positive and negative changes they saw in their interactions and experiences with remote work. Black employees and their colleagues replied similarly, with mostly positive experiences.

    While both groups enjoyed better chances for career advancement, the difference was significantly higher for Black professionals.

    An image of a series of bar graphs showing the effects of remote work on a number of factors.

    Reasons for Self-Employment:

    More Black professionals have chosen self-employment than their colleagues.

    All Other: 26%; Black: 30%.

    A bar graph showing rankings for reasons for self employment, sorted by Black and All Other.

    The biggest reasons for both groups in choosing self-employment were for better pay, career growth, and work/life balance.

    While the desire for better pay was the highest reason for both groups, for engaged employees salary is a lower priority than other concerns (Adecco Group's Global Workforce of the Future report). Consider salary in conjunction with career growth, work/life balance, and the variety in the work that your employees have.

    A bar graph showing rankings for reasons for self employment, sorted by Black and All Other.

    If we don't consider our Black employees, not only do we risk them leaving the organization, but they may decide to just work for themselves.

    Most professionals believe their organizations are committed to diversity, equity, and inclusion

    38% of all respondents believe their organizations are very committed to DEI
    49% believe they are somewhat committed
    9% feel they are not committed
    4% are unsure

    Make sure supports are in place to help your employees grow in their careers:

    Leadership
    IT Leadership Career Planning Research Center

    Diversity and Inclusion Tactics
    IT Diversity & Inclusion Tactics

    Employee Development Planning
    Implement an IT Employee Development Plan

    Belief in your organization's diversity, equity, and inclusion efforts isn't consistent across groups: Make sure actions are seen as genuine

    While organization's efforts are acknowledged, Black professionals aren't as optimistic about the commitment as their peers. Make sure that your programs are reaching the various groups you want to impact, to increase the likelihood of satisfaction in their roles.

    SATISFACTION INCREASES IN BOTH BLACK AND NON-BLACK PROFESSIONALS

    When they believe in their company's commitment to diversity, equity. and inclusion.

    Of those who believe in their organization's commitment, 61% of Black professionals and 67% of non-Black professionals are very satisfied in their roles.

    BELIEVE THEIR ORGANIZATION IS NOT COMMITTED TO DEI

    BELIEVE THEIR ORGANIZATION IS VERY COMMITTED TO DEI

    NON-BLACK PROFESSIONALS

    8%

    41%

    BLACK PROFESSIONALS

    13%

    30%

    Recommendations

    It's important to understand the current landscape:

    • The barriers that Black employees often face.
    • The potential solutions that can help close the gap in employee satisfaction.

    We recognize that resolving this is not easy. Although senior executives are recognizing that a diverse set of experiences, perspectives, and backgrounds is crucial to fostering innovation and competing on the global stage, organizations often don't take the extra step to actively look for racialized talent, and many people still believe that race doesn't play an important part in an individual's ability to access opportunities.

    Look at a variety of solutions that you can implement within your organization; layering solutions is the key to driving business diversity. Always keep in mind that diversity is not a monolith, that the experiences of each demographic varies.

    Info-Tech resources

    Appendix

    About the research

    Diversity in tech survey

    As part of the research process for the State of Black Tech Report, Info-Tech Research Group conducted an open online survey among its membership and wider community of professionals. The survey was fielded from October 2021 to April 2022, collecting 633 responses.

    An image of Page 1 of the Appendix.

    Current Position

    An image of Page 2 of the Appendix.

    Education and Experience

    Education was fairly consistent across both groups, with a few exceptions: more Black professionals had secondary school (9% vs. 4%) and more Black professionals had Doctorate degrees (4% vs. 2%).

    We had more non-Black respondents with 20+ years of experience (31% vs. 19%) and more Black respondents with less than 1 year of experience (8% vs. 5%) – the rest of the years of experience were consistent across the two groups.

    An image of Page 3 of the Appendix.

    It is important to recognize that people are often seen by "the world" as belonging to a different race or set of races than what they personally identify as. Both aspects impact a professional's experience in the workplace.

    An image of Page 4 of the Appendix.

    Bibliography

    Barton, LeRon. “I’m Black. Remote Work Has Been Great for My Mental Health.” Slate, 15 July 2022.

    “Black or African American alone, percent.” U.S. Census Bureau QuickFacts: United States. Accessed 14 February 2023.

    Boyle, Matthew. “More Workers Ready to Quit Over ‘Window Dressing’ Racism Efforts.” Bloomberg.com, 9 June 2022.

    Boyle, Matthew. “Remote Work Has Vastly Improved the Black Worker Experience.” Bloomberg.com, 5 October 2021.

    Cooper, Frank, and Ranjay Gulati. “What Do Black Executives Really Want?” Harvard Business Review, 18 November 2021.

    “Emotional Tax.” Catalyst. Accessed 1 April 2022.

    “Employed Persons by Detailed Occupation, Sex, Race, and Hispanic or Latino Ethnicity” U.S. Bureau of Labor Statistics. Accessed February 14, 2023.

    “Equality in Tech Report - Welcome.” Dice, 9 March 2022. Accessed 23 March 2022.

    Erb, Marcus. "Leaders Are Missing the Promise and Problems of Employee Resource Groups." Great Place To Work, 30 June 2021.

    Gawlak, Emily, et al. “Key Findings - Being Black In Corporate America.” Coqual, Center for Talent Innovation (CTI), 2019.

    “Global Workforce of the Future Research.” Adecco, 2022. Accessed 4 February 2023.

    Gruman, Galen. “The State of Ethnic Minorities in U.S. Tech: 2020.” Computerworld, 21 September 2020. Accessed 31 May 2022.

    Hancock, Bryan, et al. “Black Workers in the US Private Sector.” McKinsey, 21 February 2021. Accessed 1 April 2022.

    “Hierarchy Of Needs Applied To Employee Engagement.” Proactive Insights, 12 February 2020.

    Hobbs, Cecyl. “Shaping the Future of Leadership for Black Tech Talent.” Russell Reynolds Associates, 27 January 2022. Accessed 3 August 2022.

    Hubbard, Lucas. “Race, Not Job, Predicts Economic Outcomes for Black Households.” Duke Today, 16 September 2021. Accessed 30 May 2022.

    Knight, Marcus. “How the Tech Industry Can Be More Inclusive to the Black Community.” Crunchbase, 23 February 2022.

    “Maslow’s Hierarchy of Needs in Employee Engagement (Pre and Post Covid 19).” Vantage Circle HR Blog, 30 May 2022.

    McDonald, Autumn. “The Racism of the ‘Hard-to-Find’ Qualified Black Candidate Trope (SSIR).” Stanford Social Innovation Review, 1 June 2021. Accessed 13 December 2021.

    McGlauflin, Paige. “The Fortune 500 Features 6 Black CEOs—and the First Black Founder Ever.” Fortune, 23 May 2022. Accessed 14 February 2023.

    “Microaggression." Oxford English Dictionary, Oxford Languages, 2023.

    Reed, Jordan. "Understanding Racial Microaggression and Its Effect on Mental Health." Pfizer, 26 August 2020.

    Shemla, Meir “Why Workplace Diversity Is So Important, And Why It’s So Hard To Achieve.” Forbes, 22 August 2018. Accessed 4 February 2023.

    “The State of Black Women in Corporate America.” Lean In and McKinsey & Company, 2020. Accessed 14 January 2022.

    Van Bommel, Tara. “The Power of Empathy in Times of Crisis and Beyond (Report).” Catalyst, 2021. Accessed 1 April 2022.

    Vu, Viet, Creig Lamb, and Asher Zafar. “Who Are Canada’s Tech Workers?” Brookfield Institute for Innovation and Entrepreneurship, January 2019. Accessed on Canadian Electronic Library, 2021. Web.

    Warner, Justin. “The ROI of Employee Engagement: Show Me the Money!” DecisionWise, 1 January 2020. Web.

    White, Sarah K. “5 Revealing Statistics about Career Challenges Black IT Pros Face.” CIO (blog), 9 February 2023. Accessed 5 July 2022.

    Williams, Joan C. “Stop Asking Women of Color to Do Unpaid Diversity Work.” Bloomberg.com, 14 April 2022.

    Williams, Joan C., Rachel Korn, and Asma Ghani. “A New Report Outlines Some of the Barriers Facing Asian Women in Tech.” Fast Company, 13 April 2022.

    Wilson, Valerie, Ethan Miller, and Melat Kassa. “Racial representation in professional occupations.” Economic Policy Institute, 8 June 2021.

    “Workplace Diversity: Why It’s Good for Business.” Business Development Canada (BDC.ca), 6 Feb. 2023. Accessed 4 February 2023.

    The latest burning platform: Exit Plans in a shifting world

    • Large vertical image:
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Byline body: The new geopolitical reality brings the possibility that we will have to execute our exit plans closer to home. In this research, we delve deeper into exit plans and their implementation and execution.

    The current global situation, marked by significant trade tensions and retaliatory measures between major economic powers, has elevated the importance of more detailed, robust, and executable exit plans for businesses in nearly all industries. The current geopolitical headwinds create an unpredictable environment that can severely impact supply chains, technology partnerships, and overall business operations. What was once a prudent measure is now a critical necessity – a “burning platform” – for ensuring business continuity and resilience.

    Here I will delve deeper into the essential components of an effective exit plan, outline the practical steps for its implementation, and explain the crucial role of testing in validating its readiness.

    exit plan

    Continue reading

    Develop Infrastructure & Operations Policies and Procedures

    • Buy Link or Shortcode: {j2store}452|cart{/j2store}
    • member rating overall impact: 9.5/10 Overall Impact
    • member rating average dollars saved: $46,324 Average $ Saved
    • member rating average days saved: 42 Average Days Saved
    • Parent Category Name: Operations Management
    • Parent Category Link: /i-and-o-process-management
    • Time and money are wasted dealing with mistakes or missteps that should have been addressed by procedures or policies.
    • Standard operating procedures are less effective without a policy to provide a clear mandate and direction.
    • Adhering to policies is rarely a priority, as compliance often feels like an impediment to getting work done.
    • Processes aren’t measured or audited to assess policy compliance, which makes enforcing the policies next to impossible.

    Our Advice

    Critical Insight

    • Document what you need to document and forget the rest. Always check to see if you can use a previously approved policy before you create a new one. You may only need to create new guidelines or standards rather than approve a new policy.

    Impact and Result

    • Start with a comprehensive policy framework to help you identify policy gaps. Prioritize and address those policy gaps.
    • Create effective policies that are reasonable, measurable, auditable, and enforceable.
    • Create and document procedures to support policy changes.

    Develop Infrastructure & Operations Policies and Procedures Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should change your approach to developing Infrastructure & Operations policies and procedures, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Identify policy and procedure gaps

    Create a prioritized action plan for documentation based on business need.

    • Develop Infrastructure & Operations Policies and Procedures – Phase 1: Identify Policy and Procedure Gaps

    2. Develop policies

    Adapt policy templates to meet your business requirements.

    • Develop Infrastructure & Operations Policies and Procedures – Phase 2: Develop Policies
    • Availability and Capacity Management Policy
    • Business Continuity Management Policy
    • Change Control – Freezes & Risk Evaluation Policy
    • Change Management Policy
    • Configuration Management Policy
    • Firewall Policy
    • Hardware Asset Management Policy
    • IT Triage and Support Policy
    • Release Management Policy
    • Software Asset Management Policy
    • System Maintenance Policy – NIST
    • Internet Acceptable Use Policy

    3. Document effective procedures

    Improve policy adherence and service effectiveness through procedure standardization and documentation.

    • Develop Infrastructure & Operations Policies and Procedures – Phase 3: Document Effective Procedures
    • Capacity Plan Template
    • Change Management Standard Operating Procedure
    • Configuration Management Standard Operation Procedures
    • Incident Management and Service Desk SOP
    • DRP Summary Template
    • Service Desk Standard Operating Procedure
    • HAM Standard Operating Procedures
    • SAM Standard Operating Procedures
    [infographic]

    Further reading

    Develop Infrastructure & Operations Policies and Procedures

    Document what you need to document and forget the rest.

    Table of contents

    Project Rationale

    Project Outlines

    • Phase 1: Identify Policy and Procedure Gaps
    • Phase 2: Develop Policies
    • Phase 3: Document Effective Procedures

    Bibliography

    ANALYST PERSPECTIVE

    Document what you need to document now and forget the rest.

    "Most IT organizations struggle to create and maintain effective policies and procedures, despite known improvements to consistency, compliance, knowledge transfer, and transparency.

    The numbers are staggering. Fully three-quarters of IT professionals believe their policies need improvement, and the same proportion of organizations don’t update procedures as required.

    At the same time, organizations that over-document and under-document perform equally poorly on key measures such as policy quality and policy adherence. Take a practical, step-by-step approach that prioritizes the documentation you need now. Leave the rest for later."

    (Andrew Sharp, Research Manager, Infrastructure & Operations Practice, Info-Tech Research Group)

    Our understanding of the problem

    This Research Is Designed For:

    • Infrastructure Managers
    • Chief Technology Officers
    • IT Security Managers

    This Research Will Help You:

    • Address policy gaps
    • Develop effective procedures and procedure documentation to support policy compliance

    This Research Will Also Assist:

    • Chief Information Officers
    • Enterprise Risk and Compliance Officers
    • Chief Human Resources Officers
    • Systems Administrators and Engineers

    This Research Will Help Them:

    • Understand the importance of a coherent approach to policy development
    • Understand the importance of Infrastructure & Operations policies
    • Support Infrastructure & Operations policy development and enforcement

    Info-Tech Best Practice

    This blueprint supports templates for key policies and procedures that help Infrastructure & Operations teams to govern and manage internal operations. For security policies, see the NIST SP 800-171 aligned Info-Tech blueprint, Develop and Deploy Security Policies.

    Executive Summary

    Situation

    • Time and money are wasted dealing with mistakes or missteps that should have been addressed by procedures or policies.
    • Standard operating procedures are less effective without a policy to provide a clear mandate and direction.

    Complication

    • Existing policies were written, approved, signed – and forgotten for years because no one has time to maintain them.
    • Adhering to policies is rarely a priority, as compliance often feels like an impediment to getting work done.
    • Processes aren’t measured or audited to assess policy compliance, which makes enforcing the policies next to impossible.

    Resolution

    • Start with a comprehensive policy framework to help you identify policy gaps. Prioritize and address those policy gaps.
    • Create effective policies that are reasonable, measurable, auditable, and enforceable.
    • Create and document procedures to support policy changes.

    Info-Tech Insight

    1. Document what you need to document and forget the rest.
      Always check if a previously approved policy exists before you create a new one. You may only need to create new guidelines or standards rather than approve a new policy.
    2. Support policies with documented procedures.
      Build procedures that embed policy adherence in daily operations. Find opportunities to automate policy adherence (e.g. removing local admin rights from user computers).

    What are policies, procedures, and processes?

    A policy is a governing document that states the long-term goals of the organization and in broad strokes outlines how they will be achieved (e.g. a Data Protection Policy).

    In the context of policies, a procedure is composed of the steps required to complete a task (e.g. a Backup and Restore Procedure). Procedures are informed by required standards and recommended guidelines. Processes, guidelines, and standards are three pillars that support the achievement of policy goals.

    A process is higher level than a procedure – a set of tasks that deliver on an organizational goal.

    Better policies and procedures reduce organizational risk and, by strengthening the ability to execute processes, enhance the organization’s ability to execute on its goals.

    Visualization of policies, procedures, and processes using pillars. Two separate structures, 'Policy A' and 'Policy B', are each held up by three pillars labelled 'Standards', 'Procedures', and 'Guidelines'. Two lines pass through the pillars of both structures and are each labelled 'Value-creating process'.

    Document to improve governance and operational processes

    Deliver value

    Build, deliver, and support Infrastructure assets in a consistent way, which ultimately reduces costs associated with downtime, errors, and rework. A good manual process is the foundation for a good automated process.

    Simplify Training

    Use documentation for knowledge transfer. Routine tasks can be delegated to less-experienced staff.

    Maintain compliance

    Comply with laws and regulations. Policies are often required for compliance, and formally documented and enforced policies help the organization maintain compliance by mandating required due diligence, risk reduction, and reporting activities.

    Provide transparency

    Build an open kitchen. Other areas of the organization may not understand how Infra & Ops works. Your documentation can provide the answer to the perennial question: “Why does that take so long?”

    Info-Tech Best Practice

    Governance goals must be supported with effective, well-aligned procedures and processes. Use Info-Tech’s research to support the key Infrastructure & Operations processes that enable your business to create value.

    Document what you need to document – and forget the rest

    Half of all organizations believe their policy suite is insufficient. (Info-Tech myPolicies Survey Data (N=59))

    Pie chart with three sections labelled 'Too Many Policies and Procedures 14%', 'Adequate Policies and Procedures 37%', 'Insufficient Policies and Procedures 49%'

    Too much documentation and a lack of documentation are both ineffective. (Info-Tech myPolicies Survey Data (N=59))

    Two bar charts labelled 'Policy Adherence' and 'Policy Quality' each with three bars representing 'Too Many Policies and Procedures', 'Insufficient Policies and Procedures', and 'Adequate Policies and Procedures'. The values shown are an average score out of 5. For Policy Adherence: Too Many is 2.4, Insufficient is 2.1, and Adequate is 3.2. For Policy Quality: Too Many is 2.9, Insufficient is 2.6, and Adequate is 4.1.

    77% of IT professionals believe their policies require improvement. (Kaspersky Lab)

    Presenting: A COBIT-aligned policy suite

    We’ve developed a suite of effective policy templates for every Infra & Ops manager based on Info-Tech’s IT Management & Governance Framework.

    Policy templates and the related aspects of Info-Tech's IT Management & Governance Framework

    Info-Tech Best Practice

    Look for these symbols as you work through the deck. Prioritize and focus on the policies you work on first based on the value of the policy to the enterprise and the existing gaps in your governance structure.

    Project outline

    Phases

    		 1. Identify policy and procedure gaps 2. Develop policies 3. Document effective procedures

    Steps
    • Review and right-size the existing policy set
    • Create an action plan to address policy gaps
    • Modify policy templates and gather feedback
    • Implement, enforce, measure, and maintain new policies
    • Scope and outline procedures
    • Document and maintain procedures

    Outcomes

    		 Action list of policy and procedure gaps New or updated Infrastructure & Operations policies Procedure documentation

    Use these icons to help direct you as you navigate this research

    Use these icons to help guide you through each step of the blueprint and direct you to content related to the recommended activities.

    A small monochrome icon of a wrench and screwdriver creating an X.

    This icon denotes a slide where a supporting Info-Tech tool or template will help you perform the activity or step associated with the slide. Refer to the supporting tool or template to get the best results and proceed to the next step of the project.

    A small monochrome icon depicting a person in front of a blank slide.

    This icon denotes a slide with an associated activity. The activity can be performed either as part of your project or with the support of Info-Tech team members, who will come onsite to facilitate a workshop for your organization.

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    Guided Implementation

    Workshop

    Consulting
    "Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful." "Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track." "We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place." "Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project."

    Diagnostics and consistent frameworks used throughout all four options

    Accelerate policy development with a Guided Implementation

    Your trusted advisor is just a call away.

    • Identify Policy and Procedure Gaps (Calls 1-2)
      Assess current policies, operational challenges, and gaps. Mitigate significant risks first.
    • Create and Review Policies (Calls 2-4)
      Modify and review policy templates with an Info-Tech analyst.
    • Create and Review Procedures (Calls 4-6)
      Workflow procedures, using templates wherever possible. Review documentation best practices.

    Contact Info-Tech to set up a Guided Implementation with a dedicated advisor who will walk you through every stage of your policy development project.

    Develop Infrastructure & Operations Policies and Procedures

    Phase 1

    Identify Policy and Procedure Gaps

    PHASE 1: Identify Policy and Procedure Gaps

    Step 1.1: Review and right-size the existing policy set

    This step will walk you through the following activities:

    • Identify gaps in your existing policy suite
    • Document challenges to core Infrastructure & Operations processes
    • Identify documentation that can close gaps
    • Prioritize your documentation effort

    This step involves the following participants:

    • Infrastructure & Operations Manager
    • Infrastructure Supervisors

    Results & Insights

    • Results: A review of the existing policy suite and identification of opportunities for improvement.
    • Insights: Not all gaps necessarily require a fresh policy. Repurpose, refresh, or supplement existing documentation wherever appropriate.

    Conduct a policy review

    Associated Activity icon 1(a) 30 minutes per policy

    You’ve got time to review your policy suite. Make the most of it.

    1. Start with organizational requirements.
      • What initiatives are on the go? What policies or procedures do you have a mandate to create?
    2. Weed out expired and dated policies.
      • Gather your existing policies. Identify when each one was published or last reviewed.
      • Decide whether to retire, merge, or update expired or obviously dated policy.
    3. Review policy statements.
      • Check that the organization is adequately supporting policy statements with SOPs, standards, and guidelines. Ensure role-related information is up to date.
    4. Document and bring any gaps forward to the next activity. If no action is required, indicate that you have completed a review and submit the findings for approval.

    But they just want one policy...

    A review of your policy suite is good practice, especially when it hasn’t been done for a while. Why?
    • Existing policies may address what you’re trying to do with a new policy. Using or modifying an existing policy avoids overlap and contradiction and saves you the effort required to create, communicate, approve, and maintain a new policy.
    • Review the suite to validate that you’re addressing the most important challenges first.

    Brainstorm improvements for core Infrastructure & Operations processes

    Associated Activity icon 1(b) 1 hour

    Supplement the list of gaps from your policy review with process challenges.

    1. Write out key Infra & Ops–related processes – one piece of flipchart paper per process. You can work through all of these processes or cherry-pick the processes you want to improve first.
    2. With participants, write out in point form how you currently execute on these processes (e.g. for Asset Management, you might be tagging hardware, tracking licenses, etc.)
    3. Work through a “Start – Stop – Continue” exercise. Ask participants: What should we start doing? What must we stop doing? What do we do currently that’s valuable and must continue? Write ideas on sticky notes.
    4. Once you’ve worked through the “Start – Stop – Continue” exercise for all processes, group similar suggestions for improvements.

    Asset Management: Manage hardware and software assets across their lifecycle to protect assets and manage costs.

    Availability and Capacity Management: Balance current and future availability, capacity, and performance needs with cost-to-serve.

    Business Continuity Management: Continue operation of critical business processes and IT services.

    Change Management: Deliver technical changes in a controlled manner.

    Configuration Management: Define and maintain relationships between technical components.

    Problem Management: Identify incident root cause.

    Operations Management: Coordinate operations.

    Release and Patch Management: Deliver updates and manage vulnerabilities in a controlled manner.

    Service Desk: Respond to user requests and all incidents.

    PHASE 1: Identify Policy and Procedure Gaps

    Step 1.2: Create an action plan to address policy gaps

    This step will walk you through the following activities:

    • Identify challenges and gaps that can be addressed via documentation
    • Prioritize high-value, high-risk gaps

    This step involves the following participants:

    • Infrastructure & Operations Manager
    • Infrastructure Supervisors

    Results & Insights

    • Results: An action plan to tackle policy and procedures gaps, aligned with business requirements and business value.
    • Insights: Not all documentation is equally valuable. Prioritize documentation that delivers value and mitigates risk.

    Support policies with procedures, standards, and guidelines

    Use a working definition for each type of document.

    Policy: Directives, rules, and mandates that support the overarching, long-term goals of the organization.

    • Standards: Prescriptive, uniform requirements.
    • Procedures: Specific, detailed, step-by-step instructions for completing a task.
    • Guidelines: Non-enforceable, recommended best practices.

    Info-Tech Best Practice

    Take advantage of your Info-Tech advisory membership by scheduling review sessions with an analyst. We provide high-level feedback to ensure your documentation is clear, concise, and consistent and aligns with the governance objectives you’ve identified.

    Answer the following questions to decide if governance documentation can help close gaps

    Associated Activity icon 1(c) 30 minutes

    Documentation supports knowledge sharing, process consistency, compliance, and transparency. Ask the following questions:

    1. What is the purpose of the documentation?
      Procedures support task completion. Policies set direction and manage organizational risk.
    2. Should it be enforceable?
      Policies and standards are enforceable; guidelines are not. Procedures are enforceable in that they should support policy enforcement.
    3. What is the scope?
      To document a task, create a procedure. Set overarching rules with policies. Use standards and guidelines to set detailed rules and best practices.
    4. What’s the expected cadence for updates?
      Policies should be revisited and revised less frequently than procedures.

    Info-Tech Best Practice

    Reinvent the wheel? I don’t think so!

    Always check to see if a gap can be addressed with existing tools before drafting a new policy

    • Is there an existing policy that could be supported with new or updated procedures, technical standards, or guidelines?
    • Is there a technical control you can deploy that would enforce the terms of an existing, approved policy?
    • It may be simpler to amend an existing policy instead of creating a new one.

    Some problems can’t be solved by better documentation (or by documentation alone). Consider additional strategies that address people, process, and technology.

    Tackle high-value, high-risk gaps first

    Associated Activity icon 1(d) 30 minutes

    Prioritize your documentation effort.

    1. List each proposed piece of documentation on the board.
    2. Assign a score to the risk posed to the business by the lack of documentation and to the expected benefit of completing the documentation. Use a scoring scale between 1 and 3 such as the one on the right.
    3. Prioritize documentation that mitigates risks and maximizes benefits.
    4. If you need to break ties, consider effort required to develop, implement, and enforce policies or procedures.

    Example Scoring Scale

    Score Business risk of missing documentation Business benefit of value of documentation

    1

    		 Low: Affects ad hoc activities or non-critical data. Low: Minimal impact.

    2

    		 Moderate: Impacts productivity or internal goodwill. Moderate: Required periodically; some cross-training opportunities.

    3

    		 High: Impacts revenue, safety, or external goodwill. High: Save time for common or ongoing processes; extensive improvement to training/knowledge transfer.

    Info-Tech Insight

    Documentation pulls resources away from other important programs and projects, so ultimately it must be a demonstrably higher priority than other work. This exercise is designed to align documentation efforts with business goals.

    Phase 1: Review accomplishments

    Policy pillars: Standards, Procedures, Guidelines

    Summary of Accomplishments

    • Identified gaps in the existing policy suite and identified pain points in existing Infra & Ops processes.
    • Developed a list of policies and procedures that can address existing gaps and prioritized the documentation effort.

    Develop Infrastructure & Operations Policies and Procedures

    Phase 2

    Develop Policies

    PHASE 2: Develop Policies

    Step 2.1: Modify policy templates and gather feedback

    This step will walk you through the following activities:

    • Modify policy templates

    This step involves the following participants:

    • Infrastructure & Operations Manager
    • Technical Writer

    Results & Insights

    • Results: Your own COBIT-aligned policies built by modifying Info-Tech templates.
    • Insights: Effective policies are easy to read and navigate.

    Write Good-er: Be Clear, Consistent, and Concise

    Effective policies adhere to the three Cs of documentation.

    1. Be clear. Make it as easy as possible for a user to learn how to comply with your policy.
    2. Be consistent. Write policies that complement each other, not contradict each other.
    3. Be concise. Make it as quick and easy as possible to read and understand your policy.

    Info-Tech Best Practice

    To download the full suite of templates all at once, click the “Download Research” button on the research landing page on the website.

    Use the three Cs: Be Clear

    Understanding makes compliance possible. Create policy with the goal of making compliance as easy as possible. Use positive, simple language to convey your intentions and rationale to your audience. Staff will make an effort adhere to your policy when they understand the need and are able to comply with the terms.

    1. Choose a skilled writer. Select a writer who can write clearly and succinctly.
    2. Default to simple language and define key terms. Define scope and key terms upfront. Avoid using technical terms outside of technical documentation; if they’re necessary be sure to define them as well.
    3. Use active, positive language. Where possible, tell people what they can do, not what they can’t.
    4. Keep the structure simple. Complicated documents are less likely to be understood and read. Use short sentences and paragraphs. Lists are a helpful way to summarize important information. Guide your reader through the document with appropriately named section headers, tables of contents, and numeration.
    5. Add a process for handling exceptions. Refer to procedures, standards, and guidelines documentation. Try to keep these links as static as possible. Also, refer to a process for handling exceptions.
    6. Manage the integrity of electronic documents. When published electronically, the policy should have restricted editing access or should be published in a non-editable format. Access to the procedure and policy storage database for employees should be read-only.

    Info-Tech Insight

    Highly effective policies are easy to navigate. Your policies should be “skimmable.” Very few people will fully read a policy before accepting it. Make it easy to navigate so the reader can easily find the policy statements that apply to them.

    Use the three Cs: Be Consistent

    Ensure that policies are aligned with other organizational policies and procedures. It detracts from compliance if different policies prescribe different behavior in the same situation. Moreover, your policies should reflect the corporate culture and other company standards. Use your policies to communicate rules and get employees aligned with how your company works.

    1. Use standard sentences and paragraphs. Policies are usually expressed in short, standard sentences. Lists should also be used when necessary or appropriate.
    2. Remember the three Ws. When writing a policy, always be sure to clearly state what the rule is, when it should be applied, and who needs to follow it. Policies should clearly define their scope of application and whether directives are mandatory or recommended.
    3. Use an outline format. Using a numbered or outline format will make a document easier to read and will make content easier to look up when referring back to the document at a later time.
    4. Avoid amendments. Avoid the use of information that is quickly outdated and requires regular amendment (e.g. names of people).
    5. Reference a set of supplementary documents. Codify your tactics outside of the policy document, but make reference to them within the text. This makes it easier to ensure consistency in the behavior prescribed by your policies.

    "One of the issues is the perception that policies are rules and regulations. Instead, your policies should be used to say ‘this is the way we do things around here.’" (Mike Hughes CISA CGEIT CRISC, Principal Director, Haines-Watts GRC)

    Use the three Cs: Be Concise

    Reading and understanding policies shouldn’t be challenging, and it shouldn’t significantly detract from productive time. Long policies are more difficult to read and understand, increasing the work required for employees to comply with them. Put it this way: How often do you read the Terms and Conditions of software you’ve installed before accepting them?

    1. Be direct. The quicker you get to the point, the easier it is for the reader to interpret and comply with your policy.
    2. Your policy is a rule, not a recipe. Your policy should outline what needs to be accomplished and why – your standards, guidelines, and SOPs address the how.
    3. Keep policies short. Nobody wants to read a huge policy book, so keep your policies short.
    4. Use additional documentation where needed. In addition to making consistency easier, this shortens the length of your policies, making them easier to read.
    5. Policy still too large? Modularize it. If you have an extremely large policy, it’s likely that it’s too widely scoped or that you’re including statements that should be part of procedure documentation. Consider breaking your policy into smaller, focused, more digestible documents.

    "If the policy’s too large, people aren’t going to read it. Why read something that doesn’t apply to me?" (Carole Fennelly, Owner and Principal, cFennelly Consulting)

    "I always try to strike a good balance between length and prescriptiveness when writing policy. Your policies … should be short and describe the problem and your approach to solving it. Below policies, you write standards, guidelines, and SOPs." (Michael Deskin, Policy and Technical Writer, Canadian Nuclear Safety Commission)

    Customize policy documents

    Associated Activity icon 2(a) 1-2 hours per policy

    Use the policies templates to support key Infrastructure & Operations programs.

    INPUT: List of prioritized policies

    OUTPUT: Written policy drafts ready for review

    Materials: Policy templates

    Participants: Policy writer, Signing authority

    No policy template will be a perfect fit for your organization. Use Info-Tech’s research to develop your organization’s program requirements. Customize the policy templates to support those requirements.

    1. Work through policies from highest to lowest priority as defined in Phase 1.
    2. Follow the instructions written in grey text to customize the policy. Follow the three Cs when you write your policy.
    3. When your draft is finished, prepare to request signoff from your signing authority by reviewing the draft with an Info-Tech analyst.
    4. Complete the highest ranked three or four draft policies. Review all these policies with relevant stakeholders and include all relevant signing authorities in the signoff process.
    5. Rinse and repeat. Iterate until all relevant polices are complete.

    Request, Incident, and Problem Management

    An effective, timely service desk correlates with higher overall end-user satisfaction across all other IT services. (Info-Tech Research Group, 2016 (N=25,998))

    An icon for the 'DSS02 Service Desk' template. An icon for the 'DSS03 Incident and Problem Management' template.

    Use the following template to create a policy that outlines the goals and mandate for your service and support organization:

    • IT Triage and Support Policy

    Support the program and associated policy statements using Info-Tech’s research:

    • Standardize the Service Desk
    • Incident and Problem Management
    • Design & Build a User-Facing Service Catalog

    Embrace Standardization

    • Outline the support and service mandate with the policy. Support the policy with the methodology in Info-Tech’s research.
    • Over time, organizations without standardized processes face confusion, redundancies, and cost overruns. Standardization avoids wasting energy and effort building new solutions to solved issues.
    • Standard processes for IT services define repeatable approaches to work and sandbox creative activities.
    • Create tickets for every task and categorize them using a standard classification system. Use the resulting data to support root-cause analysis and long-term trend management.
    • Create a single point of contact for users for all incidents and requests. Escalate and resolve tickets faster.
    • Empower end users and technicians with knowledge bases that help them solve problems without intervention.

    Change, Release, and Patch Management

    Slow turnaround, unauthorized changes, and change-related incidents are all too familiar to many managers.

    An icon for the 'BAI06 Change Management' template. An icon for the 'BAI07 Release Management' template.

    Use the following templates to create policies that define effective patch, release, and change management:

    • Change Management Policy
    • Release and Patch Management Policy
    • Change Control – Freezes & Risk Evaluation Policy

    Ensure the policy is supported by using the following Info-Tech research:

    • Optimize Change Management

    Embrace Change

    • IT system owners resist change management when they see it as slow and bureaucratic.
    • At the same time, an increasingly interlinked technical environment may cause issues to appear in unexpected places. Configuration management systems are often not kept up to date, so preventable conflicts get missed.
    • No process exists to support the identification and deployment of critical security patches. Tracking down users to find a maintenance window takes significant, dedicated effort and intervention from the management team.
    • Create a unified change management process that reduces risk and is balanced in its approach toward deploying changes, while also maintaining throughput of patches, fixes, enhancements, and innovation.

    IT Asset Management (ITAM)

    A proactive, dynamic ITAM program will pay dividends in support, contract management, appropriate provisioning, and more.

    An icon for the 'BAI09 Asset Management' template.

    Start by outlining the requirements for effective asset management:

    • Hardware Asset Management Policy
    • Software Asset Management Policy

    Support ITAM policies with the following Info-Tech research:

    • Implement IT Asset Management

    Leverage Asset Data

    • Create effective, directional policies for your asset management program that provide a mandate for action. Support the policies with robust procedures, capable staff, and right-fit technology solutions.
    • Poor management of assets generally leads to higher costs due to duplicated purchases, early replacement, loss, and so on.
    • Visibility into asset location and ownership improves security and accountability.
    • A centralized repository of asset data supports request fulfilment and incident management.
    • Asset management is an ongoing program, not a one-off project, and must be resourced accordingly. Organizations often implement an asset management program and let it stagnate.

    "Many of the large data breaches you hear about… nobody told the sysadmin the client data was on that server. So they weren’t protecting and monitoring it." (Carole Fennelly, Owner and Principal, cFennelly Consulting)

    Business Continuity Management (BCM)

    Streamline the traditional approach to make BCM practical and repeatable.

    An icon for the 'DSS04 DR and Business Continuity' template.

    Set the direction and requirements for effective BCM:

    • Business Continuity Management Policy

    Support the BCM policy with the following Info-Tech research:

    • Create a Right-Sized Disaster Recovery Plan
    • Develop a Business Continuity Plan

    Build Organizational Resilience

    • Evidence of disaster recovery and business continuity planning is increasingly required to comply with regulations, mitigate business risk, and meet customer demands.
    • IT leaders are often asked to take the lead on business continuity, but overall accountability for business continuity rests with the board of directors, and each business unit must create and maintain its business continuity plan.
    • Set an organizational mandate for BCM with the policy.
    • Divide the business continuity mandate into manageable parcels of work. Follow Info-Tech’s practical methodology to tackle key disaster recovery and business continuity planning activities one at a time.

    Info-Tech Best Practice

    Governance goals must be supported with effective, well-aligned procedures and processes. Use Info-Tech’s research to support the key Infrastructure & Operations processes that enable your business to create value.

    Availability, Capacity, and Operations Management

    What was old is new again. Use time-tested techniques to manage and plan cloud capacity and costs.

    An icon for the 'BAI04 Availability and Capacity Management' template. An icon for the 'DSS01 Operations Management' template. An icon for the 'BAI10 Configuration Management' template.

    Set the direction and requirements for effective availability and capacity management:

    • Availability and Capacity Management Policy
    • System Maintenance Policy – NIST

    Support the policy with the following Info-Tech research:

    • Develop an Availability and Capacity Management Plan
    • Improve IT Operations Management
    • Develop an IT Infrastructure Services Playbook

    Mature Service Delivery

    • Hybrid IT deployments – managing multiple locations, delivery models, and service providers – are the future of IT. Hybrid deployments significantly complicate capacity planning and operations management.
    • Effective operations management practices develop structured processes to automate activities and increase process consistency across the IT organization, ultimately improving IT efficiency.
    • Trying to add mature service delivery can feel like playing whack-a-mole. Systematically improve your service capabilities using the tactical, iterative approach outlined in Improve IT Operations Management.

    Enhance your overall security posture with a defensible, prescriptive policy suite

    Align your security policy suite with NIST Special Publication 800-171.

    Security policies support the organization’s larger security program. We’ve created a dedicated research blueprint and a set of templates that will help you build security policies around a robust framework.

    • Start with a security charter that aligns the security program with organizational objectives.
    • Prioritize security policies that address significant risks.
    • Work with technical and business stakeholders to adapt Info-Tech’s NIST SP 800-171–aligned policy templates (at right) to reflect your organizational objectives.

    A diagram listing all the different elements in a 'Security Charter': 'Access Control', 'Audit & Acc.', 'Awareness and Training', 'Config. Mgmt.', 'Identification and Auth.', 'Incident Response', 'Maintenance', 'Media Protection', 'Personnel Security', 'Physical Protection', 'Risk Assessment', 'Security Assessment', 'System and Comm. Protection', and 'System and Information Integrity'.

    Review and download Info-Tech's blueprint Develop and Deploy Security Policies.

    Info-Tech Best Practice

    Customize Info-Tech’s policy framework to align your policy suite to NIST SP 800-171. Given NIST’s requirements for the control of confidential information, organizations that align their policies to NIST standards will be in a strong governance position.

    PHASE 2: Develop Policies

    Step 2.2: Implement, enforce, measure, and maintain new policies

    This step will walk you through the following activities:

    • Gather stakeholder feedback
    • Identify preventive and detective controls
    • Identify required supports
    • Seek policy approval
    • Establish roles and responsibilities for policy maintenance

    This step involves the following participants:

    • Infrastructure & Operations Manager
    • Infrastructure Supervisors
    • Technical Writer
    • Policy Stakeholders

    Results & Insights

    • Results: Well-supported policies that have received signoff.
    • Insights: If you’re not prepared to enforce the policy, you might not actually need a policy. Use the policy statements as guidelines or standards, create and implement procedures, and build a culture of compliance. Once you can confidently execute on required controls, seek signoff.

    Gather feedback from users to assess the feasibility of the new policies

    Associated Activity icon 2(b) Review period: 1-2 weeks

    Once the policies are drafted, roundtable the drafts with stakeholders.

    INPUT: Draft policies

    OUTPUT: Reviewed policy drafts ready for approval

    Materials: Policy drafts

    Participants: Policy stakeholders

    1. Form a test group of users who will be affected by the policy in different ways. Keep the group to around five staff.
    2. Present new policies to the testers. Allow them to read the documents and attempt to comply with the new policies in their daily routines.
    3. Collect feedback from the group.
      • Consider using interviews, email surveys, chat channels, or group discussions.
      • Solicit ideas on how policy statements could be improved or streamlined.
    4. Make reasonable changes to the first draft of the policies before submitting them for approval. Policies will only be followed if they’re realistic and user friendly.

    Info-Tech Best Practice

    Allow staff the opportunity to provide input on policy development. Giving employees a say in policy development helps avoid obstacles down the road. This is especially true if you’re trying to change behavior rather than lock it in.

    Develop mechanisms for monitoring and enforcement

    Associated Activity icon 2(c) 20 minutes per policy

    Brainstorm preventive and detective controls.

    INPUT: Draft policies

    OUTPUT: Reviewed policy drafts ready for approval

    Materials: Policy drafts

    Participants: Policy stakeholders

    Preventive controls are designed to discourage or pre-empt policy breaches before they occur. Training, approvals processes, and segregation of duties are examples of preventive controls. (Ohio University)

    Detective controls help enforce the policy by identifying breaches after they occur. Forensic analysis and event log auditing are examples of detective controls. (Ohio University)

    Not all policies require the same level of enforcement. Policies that are required by law or regulation generally require stricter enforcement than policies that outline best practices or organizational values.

    Identify controls and enforcement mechanisms that are in line with policy requirements. Build control and enforcement into procedure documentation as needed.

    Suggestions:

    1. Have staff sign off on policies. Disclose any monitoring/surveillance.
    2. Ensure consequences match the severity of the infraction. Document infractions and ensure that enforcement is applied consistently across all infractions.
    3. Automatic controls shouldn’t get in the way of people’s ability to do their jobs. Test controls with users before you roll them out widely.

    Support the policy before seeking approval

    A policy is only as strong as its supporting pillars.

    Create Standards

    Standards are requirements that support policy adherence. Server builds and images, purchase approval criteria, and vulnerability severity definitions can all be examples of standards that improve policy adherence.

    Where reasonable, use automated controls to enforce standards. If you automate the control, consider how you’ll handle exceptions.

    Create Guidelines

    If no standards exist – or best practices can’t be monitored and enforced, as standards require – write guidelines to help users remain in compliance with the policy.

    Create Procedures: We’ll cover procedure development and documentation in Phase 3.

    Info-Tech Insight

    In general, failing to follow or strictly enforce a policy creates a risk for the business. If you’re not confident a policy will be followed or enforced, consider using policy statements as guidelines or standards as an interim measure as you update procedures and communicate and roll out changes that support adherence and enforcement.

    Seek approval and communicate the policy

    Policies ultimately need to be accepted by the business.

    • Once the drafts are completed, identify who is in charge of approving the policies.
    • Ensure all stakeholders understand the importance, context, and repercussions of the policies.
    • The approvals process is about appropriate oversight of the drafted policies. For example:
      • Do the policies satisfy compliance and regulatory requirements?
      • Do the policies work with the corporate culture?
      • Do the policies address the underlying need?

    If the draft is rejected:

    • Acquire feedback and make revisions.
    • Resubmit for approval.

    If the draft is approved:

    • Set the effective date and a review date.
    • Begin communication, training, and implementation.
    • Employees must know that there are new policies and understand the steps they must take to comply with the policies in their work.
    • Employees must be able to interpret, understand, and know how to act upon the information they find in the policies.
    • Employees must be informed on where to get help or ask questions and from whom to request policy exceptions.

    "A lot of board members and executive management teams… don’t understand the technology and the risks posed by it." (Carole Fennelly, Owner and Principal, cFennelly Consulting)

    Identify policy management roles and responsibilities

    Associated Activity icon 2(d) 30 minutes

    Discuss and assign roles and responsibilities for ongoing policy management.

    Role

    Responsibilities

    Executive sponsor
  • Supports the program at the highest levels of the business, as needed
    		•

    Program lead
  • Leads the Infrastructure & Operations policy management program
  • Identifies and communicates status updates to the executive sponsor and the project team
  • Coordinates business demands and interviews and organizes stakeholders to identify requirements
  • Manages the work team and coordinates policy rollout
    		•

    Policy writer
  • Authors and updates policies based on requirements
  • Coordinates with outsourced editor for completion of written documents
    		•

    IT infrastructure SMEs
  • Provide technical insight into capabilities and limitations of infrastructure systems
  • Provide advice on possible controls that can aid policy rollout, monitoring, and enforcement
    		•

    Legal expert
  • Provides legal advice on the policy’s legal terms and enforceability
    		•

    "Whether at the level of a government, a department, or a sub-organization: technology and policy expertise complement one another and must be part of the conversation." (Peter Sheingold, Portfolio Manager, Cybersecurity, MITRE Corporation)

    Phase 2: Review accomplishments

    Effective Policies: Clear, Consistent, and Concise

    An icon for the 'DSS02 Service Desk' template.

    An icon for the 'DSS03 Incident and Problem Management' template.

    An icon for the 'BAI06 Change Management' template.

    An icon for the 'BAI07 Release Management' template.

    An icon for the 'BAI09 Asset Management' template.

    An icon for the 'DSS04 DR and Business Continuity' template.

    An icon for the 'BAI04 Availability and Capacity Management' template.

    An icon for the 'DSS01 Operations Management' template.

    An icon for the 'BAI10 Configuration Management' template.

    Summary of Accomplishments

    • Built priority policies based on templates aligned with the IT Management & Governance Framework and COBIT 5.
    • Reviewed controls and policy supports.
    • Assigned roles and responsibilities for ongoing policy maintenance.

    Develop Infrastructure & Operations Policies and Procedures

    Phase 3

    Document Effective Procedures

    PHASE 3: Document Effective Procedures

    Step 3.1: Scope and outline procedures

    This step will walk you through the following activities:

    • Prioritize SOP documentation
    • Draft workflows using a tabletop exercise
    • Modify templates, as applicable

    This step involves the following participants:

    • Infrastructure & Operations Manager
    • Technical Writer
    • Infrastructure Supervisors

    Results & Insights

    • Results: An action plan for SOP documentation and an outline of procedure workflows.
    • Insights: Don’t let tools get in the way of documentation – low-tech solutions are often the most effective way to build and analyze workflows.

    Prioritize your SOP documentation effort

    Associated Activity icon 3(a) 1-2 hours

    Build SOP documentation that gets used and doesn’t just check a box.

    1. Review the list of procedure gaps from Phase 1. Are any other procedures needed? Are some of the procedures now redundant?
    2. Establish the scope of the proposed procedures. Who are the stakeholders? What policies do they support?
    3. Run a basic prioritization exercise using a three-point scale. Higher scores mean greater risks or greater benefits. Score the risk of the undocumented procedure to the business (e.g. potential effect on data, productivity, goodwill, health and safety, or compliance). Score the benefit to the business of documenting the procedure (e.g. throughput improvements or knowledge transfer).
    4. Different procedures require different formats. Decide on one or more formats that can help you effectively document the procedure:
      • Flowcharts: Depict workflows and decision points. Provide an at-a-glance view that is easy to follow. Can be supported by checklists and diagrams where more detail is required.
      • Checklists: A reminder of what to do, rather than how to do it. Keep instructions brief.
      • Diagrams: Visualize objects, topologies, and connections for reference purposes.
      • Tables: Establish relationships between related categories.
      • Prose: Use full-text instructions where other documentation strategies are insufficient.

    Modify the following Info-Tech templates for larger SOPs

    Support these processes...

    ...with these blueprints...

    ...to create SOPs using these templates.
    An icon for the 'DSS04 DR and Business Continuity' template. Create a Right-Sized Disaster Recovery Plan DRP Summary
    An icon for the 'BAI09 Asset Management' template. Implement IT Asset Management HAM SOP and SAM SOP
    An icon for the 'BAI06 Change Management' template. An icon for the 'BAI07 Release Management' template. Optimize Change Management Change Management SOP
    An icon for the 'DSS02 Service Desk' template. An icon for the 'DSS03 Incident and Problem Management' template. Standardize the Service Desk Service Desk SOP

    Use tabletop planning or whiteboards to draft workflows

    Associated Activity icon 3(b) 30 minutes

    Tabletop planning is a paper-based exercise in which your team walks through a particular process and maps out what happens at each stage.

    OUTPUT: Steps in the current process for one SOP

    Materials: Tabletop, pen, and cue cards

    Participants: Process owners, SMEs

    1. For this exercise, choose one particular process to document.
    2. Document each step of the process on cue cards, which can be arranged on the table in sequence.
    3. Be sure to include task ownership in your steps.
    4. Map out the process as it currently happens – we’ll think about how to improve it later.
    5. Keep focused. Stay on task and on time.

    Example:

    • Step 3: PM reviews new defects daily
    • Step 4: PM assigns defects to tech leads
    • Step 5: Assigned resource updates status – frequency is based on ticket priority

    Info-Tech Insight

    Don’t get weighed down by tools. Relying on software or other technological tools can detract from the exercise. Use simple tools such as cue cards to record steps so that you can easily rearrange steps or insert steps based on input from the group.

    Collaborate to optimize the SOP

    Associated Activity icon 3(c) 30 minutes

    Review the tabletop exercise. What gaps exist in current processes?
    How can the processes be made better? What are the outputs and checkpoints?

    OUTPUT: Identify steps to optimize the SOP

    Materials: Tabletop, pen, and cue cards

    Participants: Process owners, SMEs

    Example:

    • Step 3: PM reviews new defects daily
    • NEW STEP: Schedule 10-minute daily defect reviews with PM and tech leads to evaluate ticket priority
    • Step 4: PM assigns defects to tech leads
    • Step 5: Assigned resource updates status – frequency is based on ticket priority
      • Step 5 Subprocess: Ticket status update
      • Step 5 Output: Ticket status moved to OPEN by assigned resource – acknowledges receipt by assigned resource

    A note on colors: Use white cards to record steps. Record gaps on yellow cards (e.g. a process step not documented) and risks on red cards (e.g. only one person knows how to execute a step) to highlight your gaps/to-dos and risks to be mitigated or accepted.

    If it’s necessary to clarify complex process flows during the exercise, you can also use green cards for decision diamonds, purple for document/report outputs, and blue for subprocesses.

    PHASE 3: Document Effective Procedures

    Step 3.2: Document effective procedures

    This step will walk you through the following activities:

    • Document workflows, checklists, and diagrams
    • Establish a cadence for document review and updates

    This step involves the following participants:

    • Infrastructure Manager
    • Technical Writer

    Results & Insights

    • Results: Improved SOP documentation and document management practices.
    • Insights: It’s possible to keep up with changes if you put the right cues and accountabilities in place. Include document review in project and change management procedures and hold staff accountable for completion.

    Document workflows with flowcharting software

    Suggestions for workflow documentation

    • Whether you draft the workflow on a whiteboard or using cue cards, the first iteration is usually messy. Clean up the flow as you document the results of the exercise.
    • Make the workflow as simple as possible and no simpler. Eliminate any decision points that aren’t strictly necessary to complete the procedure.
    • Use standard flowchart shapes (see next slide).
    • Use links to connect to related documentation.
    • Review the documented workflow with participants.

    Download the following workflow examples:

    Establish flowcharting standards

    If you don’t have existing flowchart standards, then keep it simple and stick to basic flowcharting conventions as described below.

    Basic flowcharting convention: a circle can be used for 'Start, End, and Connector'. Start, End, and Connector: Traditional flowcharting standards reserve this shape for connectors to other flowcharts or other points in the existing flowchart. Unified Modeling Language (UML) also uses the circle for start and end points.
    Basic flowcharting convention: a rounded rectangle can be used for 'Start and End'. Start and End: Traditional flowcharting standards use this for start and end. However, Info-Tech recommends using the circle shape to reduce the number of shapes and avoid confusion with other similar shapes.
    Basic flowcharting convention: a rectangle can be used for 'Process Step'. Process Step: Individual process steps or activities (e.g. create ticket or escalate ticket). If it’s a series of steps, then use the subprocess symbol and flowchart the subprocess separately.
    Basic flowcharting convention: a rectangle with double-line on the ends can be used for 'Subprocess'. Subprocess: A series of steps. For example, a critical incident SOP might reference a recovery process as one of the possible actions. Marking it as a subprocess, rather than listing each step within the critical incident SOP, streamlines the flowchart and avoids overlap with other flowcharts (e.g. the recovery process).
    Basic flowcharting convention: a diamond can be used for 'Decision'. Decision: Represents decision points, typically with Yes/No branches, but you could have other branches depending on the question (e.g. a “Priority?” question could branch into separate streams for Priority 1, 2, 3, 4, and 5 issues).
    Basic flowcharting convention: a rectangle with a wavy bottom can be used for 'Document/Report Output'. Document/Report Output: For example, the output from a backup process might include an error log.

    Support workflows with checklists and diagrams

    Diagrams

    • Diagrams are a visual representation of real-world phenomena and the connections between them.
    • Be sure to use standard shapes. Clearly label elements of the diagram. Use standard practices, including titles, dates, authorship, and versioning.
    • IT systems and interconnections are layered. Include physical, logical, protocol, and data flow connections.

    Examples:

    • XMPL Recovery Workflows
    • Workflow Library

    Checklists

    • Checklists are best used as short-form reminders on how to complete a particular task.
    • Remember the audience. If the process will be carried out by technical staff, there’s technical background material you won’t need to spell out in detail.

    Examples:

    • Employee Termination Process Checklist
    • XMPL Systems Recovery Playbook

    Establish a cadence for documentation review and maintenance

    Lock-in the work with strong document management practices.

    • Identify documentation requirements as part of project planning.
    • Require a manager or supervisor to review and approve SOPs.
    • Check documentation status as part of change management.
    • Hold staff accountable for documentation.

    "It isn’t unusual for us to see infrastructure or operations documentation that is wildly out of date. We’re talking months, even years. Often it was produced as one big effort and then not reliably maintained." (Gary Patterson, Consultant, Quorum Resources)

    Only a quarter of organizations update SOPs as needed

    A bar chart representing how often organizations update SOPs. Each option has two bars, one representing 'North America', the other representing 'Europe and Asia'. 'Never or rarely' is 11% in North America and 3% in Europe and Asia. 'Ad-hoc approach' is 38% in North America and 28% in Europe and Asia. 'For audits/annual reviews' is 33% in North America and 45% in Europe and Asia. 'As needed/via change management' is 18% in North America and 25% in Europe and Asia. Source: Info-Tech Research Group (N=104)

    Info-Tech Best Practice

    Use Info-Tech’s research Create Visual SOP Documents to further evaluate document management practices and toolsets.

    Phase 3: Review accomplishments

    Workflow documentation: Cue cards into flowcharts

    Summary of Accomplishments

    • Identified priority procedures for documentation activities.
    • Created procedure documentation in the appropriate format and level of granularity to support Infra & Ops policies.
    • Published and maintained procedure documentation.

    Research contributors and experts

    Carole Fennelly, Owner
    cFennelly Consulting

    Picture of Carole Fennelly, Owner, cFennelly Consulting.

    Carole Fennelly provides pragmatic cyber security expertise to help organizations bridge the gap between technical and business requirements. She authored the Center for Internet Security (CIS) Solaris and Red Hat benchmarks, which are used globally as configuration standards to secure IT systems. As a consultant, Carole has defined security strategies, and developed policies and procedures to implement them, at numerous Fortune 500 clients. Carole is a Certified Information Security Manager (CISM), Certified Security Compliance Specialist (CSCS), and Certified HIPAA Professional (CHP).

    Marko Diepold, IT Audit Manager
    audit2advise

    Picture of Marko Diepold, IT Audit Manager, audit2advise.

    Marko is an IT Audit Manager at audit2advise, where he delivers audit, risk advisory, and project management services. He has worked as a Security Officer, Quality Manager, and Consultant at some of Germany’s largest companies. He is a CISA and is ITIL v3 Intermediate and ITGCP certified.

    Research contributors and experts

    Martin Andenmatten, Founder & Managing Director
    Glenfis AG

    Picture of Martin Andenmatten, Founder and Managing Director, Glenfis AG.

    Martin is a digital transformation enabler who has been involved in various fields of IT for more than 30 years. At Glenfis, he leads large Governance and Service Management projects for various customers. Since 2002, he has been the course manager for ITIL® Foundation, ITIL® Service Management, and COBIT training. He has published two books on ISO 20000 and ITIL.

    Myles F. Suer, CIO Chat Facilitator
    CIO.com/Dell Boomi

    Picture of Myles F. Suer, CIO Chat Facilitator, CIO.com/Dell Boomi.

    Myles Suer, according to LeadTails, is the number 9 influencer of CIOs. He is also the facilitator for the CIOChat, which has executive-level participants from around the world in such industries as banking, insurance, education, and government. Myles is also the Industry Solutions Marketing Manager at Dell Boomi.

    Research contributors and experts

    Peter Sheingold, Portfolio Manager
    Cybersecurity, Homeland Security Center, The MITRE Corporation

    Picture of Peter Sheingold, Portfolio Manager, Cybersecurity, Homeland Security Center, The MITRE Corporation.

    Peter leads tasks that involve collaboration with the Department of Homeland Security (DHS) sponsors and MITRE colleagues and connect strategy, policy, organization, and technology. He brings a deep background in homeland security and strategic analysis to his work with DHS in the immigration, border security, and cyber mission spaces. Peter came to MITRE in 2005 but has worked with DHS from its inception.

    Robert D. Austin, Professor
    Ivey Business School

    Picture of Robert D. Austin, Professor, Ivey Business School.

    Dr. Austin is a professor of Information Systems at Ivey Business School and an affiliated faculty member at Harvard Medical School. Before his appointment at Ivey, he was a professor of Innovation and Digital Transformation at Copenhagen Business School, and, before that, a professor of Technology and Operations Management at the Harvard Business School.

    Research contributors and experts

    Ron Jones, Director of IT Infrastructure and Service Management
    DATA Communications

    Picture of Ron Jones, Director of IT Infrastructure and Service Management, DATA Communications.

    Ron is a senior IT leader with over 20 years of management experiences from engineering to IT Service Management and operations support. He is known for joining organizations and leading enhanced process efficiency and has improved software, hardware, infrastructure, and operations solution delivery and support. Ron has worked for global and Canadian firms including BlackBerry, DoubleClick, Cogeco, Infusion, Info-Tech Research Group, and Data Communications Management.

    Scott Genung, Executive Director of Networking, Infrastructure, and Service Operations
    University of Chicago

    Picture of Scott Genung, Executive Director of Networking, Infrastructure, and Service Operations, University of Chicago.

    Scott is an accomplished IT executive with 26 years of experience in technical and leadership roles. In his current role, Scott provides strategic leadership, vision, and oversight for an IT portfolio supporting 31,000 users consisting of services utilized by campuses located in North America, Asia, and Europe; oversees the University’s Command Center; and chairs the UC Cyberinfrastructure Alliance (UCCA), a group of research IT providers that collectively deliver services to the campus and partners.

    Research contributors and experts

    Steve Weil, CISSP, CISM, CRISC, Information Security Director, Cybersecurity Principal Consultant
    Point B

    Picture of Steve Weil, CISSP, CISM, CRISC, Information Security Director, Cybersecurity Principal Consultant, Point B.

    Steve has 20 years of experience in information security design, implementation, and assessment. He has provided information security services to a wide variety of organizations, including government agencies, hospitals, universities, small businesses, and large enterprises. With his background as a systems administrator, security consultant, security architect, and information security director, Steve has a strong understanding of both the strategic and tactical aspects of information security. Steve has significant hands-on experience with security controls, operating systems, and applications. Steve has a master's degree in Information Science from the University of Washington.

    Tony J. Read, Senior Program/Project Lead & Interim IT Executive
    Read & Associates

    Picture of Tony J. Read, Senior Program/Project Lead and Interim IT Executive, Read and Associates.

    Tony has over 25 years of international IT leadership experience, within high tech, computing, telecommunications, finance, banking, government, and retail industries. Throughout his career, Tony has led and successfully implemented key corporate initiatives, contributing millions of dollars to the top and bottom line. He established Read & Associates in 2002, an international IT management and program/project delivery consultancy practice whose aim is to provide IT value-based solutions, realizing stakeholder economic value and network advantage. These key concepts are presented in his new book: The IT Value Network: From IT Investment to Stakeholder Value, published by J. Wiley, NJ.

    Related Info-Tech research

    • Develop and Deploy Security Policies
    • Develop an Availability and Capacity Management Plan
    • Improve IT Operations Management
    • Develop an IT Infrastructure Services Playbook
    • Create a Right-Sized Disaster Recovery Plan
    • Develop a Business Continuity Plan
    • Implement IT Asset Management
    • Optimize Change Management
    • Standardize the Service Desk
    • Incident and Problem Management
    • Design & Build a User-Facing Service Catalog

    Bibliography

    “About Controls.” Ohio University, ND. Web. 2 Feb 2018.

    England, Rob. “How to implement ITIL for a client?” The IT Skeptic. Two Hills Ltd, 4 Feb. 2010. Web. 2018.

    “Global Corporate IT Security Risks: 2013.” Kaspersky Lab, May 2013. Web. 2018.

    “Information Security and Technology Policies.” City of Chicago, Department of Innovation and Technology, Oct. 2014. Web. 2018.

    ISACA. COBIT 5: Enabling Processes. International Systems Audit and Control Association. Rolling Meadows, IL.: 2012.

    “IT Policy & Governance.” NYC Information Technology & Telecommunications, ND. Web. 2018.

    King, Paula and Kent Wada. “IT Policy: An Essential Element of IT Infrastructure”. EDUCAUSE Review. May-June 2001. Web. 2018.

    Luebbe, Max. “Simplicity.” Site Reliability Engineering. O’Reilly Media. 2017. Web. 2018.

    Swartout, Shawn. “Risk assessment, acceptance, and exception with a process view.” ISACA Charlotte Chapter September Event, 2013. Web. 2018.

    “User Guide to Writing Policies.” Office of Policy and Efficiency, University of Colorado, ND. Web. 2018.

    “The Value of Policies and Procedures.” New Mexico Municipal League, ND. Web. 2018.

    Slash Spending by Optimizing Your Software Maintenance and Support

    • Buy Link or Shortcode: {j2store}217|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Vendor Management
    • Parent Category Link: /vendor-management
    • Perpetual software maintenance (SW M&S) is an annual budget cost that increases almost yearly. You don’t really know if there is value in it, if its required by the vendor, or if there are opportunities for cost savings.
    • Most organizations never reap the full benefits of software M&S. They blindly send renewal fees to the vendor every year without validating their needs or the value of the maintenance. In addition, your vendor maintenance may be under contract and you aren’t sure what the obligations are for both parties.

    Our Advice

    Critical Insight

    • Analyzing the benefits contained within a vendor’s software M&S will provide the actual cost value of the M&S and whether there are critical support requirements vs. “nice to have” benefits.
    • Understanding the value and your requirement for M&S will allow you to make an informed decision on how best to optimize and reduce your annual software M&S spend.
    • Use a holistic approach when looking to reduce your software M&S spend. Review the entire portfolio for targeted reduction that will result in short- and long-term savings.
    • When targeting vendors to negotiate M&S price or coverage reduction, engaging them three to six months in advance of renewal will provide you with more time to effectively negotiate and not fall to the pressure of time.

    Impact and Result

    • Reduce annual costs for software maintenance and support.
    • Complete a value of investment (VOI) analysis of your software M&S for strategic vendors.
    • Maximize value of the software M&S by using all the benefits being paid for.
    • Right-size support coverage for your requirements.
    • Prioritize software vendors to target for cost reduction and optimization.

    Slash Spending by Optimizing Your Software Maintenance and Support Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out how to prioritize your software vendors and effectively target M&S for reduction, optimization, or elimination.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Evaluate

    Evaluate what software maintenance you are spending money.

    • Slash Spending by Optimizing Your Software Maintenance and Support – Phase 1: Evaluate
    • Software M&S Inventory and Prioritization Tool

    2. Establish

    Establish your software M&S requirements and coverage.

    • Slash Spending by Optimizing Your Software Maintenance and Support – Phase 2: Establish
    • Software Vendor Classification Tool

    3. Optimize

    Optimize your M&S spend, reduce or eliminate, where applicable.

    • Slash Spending by Optimizing Your Software Maintenance and Support – Phase 3: Optimize
    • Software M&S Value of Investment Tool
    • Software M&S Cancellation Decision Guide
    • Software M&S Executive Summary Template
    • Software M&S Cancellation Support Template
    [infographic]

    Build a Reporting and Analytics Strategy

    • Buy Link or Shortcode: {j2store}128|cart{/j2store}
    • member rating overall impact: 9.1/10 Overall Impact
    • member rating average dollars saved: $49,748 Average $ Saved
    • member rating average days saved: 28 Average Days Saved
    • Parent Category Name: Business Intelligence Strategy
    • Parent Category Link: /business-intelligence-strategy
    • In respect to business intelligence (BI) matureness, you can’t expect the whole organization to be at the same place at the same time. Your BI strategy needs to recognize this and should strive to align rather than dictate.
    • Technology is just one aspect of your BI and analytics strategy and is not a quick solution or a guarantee for long-term success.

    Our Advice

    Critical Insight

    • The BI strategy drives data warehouse and integration strategies and the data needed to support business decisions.
    • The solution to better BI often lies in improving the BI practice, not acquiring the latest and greatest tool.

    Impact and Result

    • Align BI with corporate vision, mission, goals, and strategic direction.
    • Understand the needs of business partners.
    • BI & analytics informs data warehouse and integration layers for required content, latency, and quality.

    Build a Reporting and Analytics Strategy Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should create or refresh the BI Strategy and review Info-Tech’s approach to developing a BI strategy that meets business needs.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Understand the business context and BI landscape

    Lay the foundation for the BI strategy by detailing key business information and analyzing current BI usage.

    • Build a Reporting and Analytics Strategy – Phase 1: Understand the Business Context and BI Landscape
    • BI Strategy and Roadmap Template
    • BI End-User Satisfaction Survey Framework

    2. Evaluate the current BI practice

    Assess the maturity level of the current BI practice and envision a future state.

    • Build a Reporting and Analytics Strategy – Phase 2: Evaluate the Current BI Practice
    • BI Practice Assessment Tool

    3. Create a BI roadmap for continuous improvement

    Create BI-focused initiatives to build an improvement roadmap.

    • Build a Reporting and Analytics Strategy – Phase 3: Create a BI Roadmap for Continuous Improvement
    • BI Initiatives and Roadmap Tool
    • BI Strategy and Roadmap Executive Presentation Template
    [infographic]

    Workshop: Build a Reporting and Analytics Strategy

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Establish Business Vision and Understand the Current BI Landscape

    The Purpose

    Document overall business vision, mission, and key objectives; assemble project team.

    Collect in-depth information around current BI usage and BI user perception.

    Create requirements gathering principles and gather requirements for a BI platform.

    Key Benefits Achieved

    Increased IT–business alignment by using the business context as the project starting point

    Identified project sponsor and project team

    Detailed understanding of trends in BI usage and BI perception of consumers

    Refreshed requirements for a BI solution

    Activities

    1.1 Gather key business information (overall mission, goals, objectives, drivers).

    1.2 Establish a high-level ROI.

    1.3 Identify ideal candidates for carrying out a BI project.

    1.4 Undertake BI usage analyses, BI user perception survey, and a BI artifact inventory.

    1.5 Develop requirements gathering principles and approaches.

    1.6 Gather and organize BI requirements

    Outputs

    Articulated business context that will guide BI strategy development

    ROI for refreshing the BI strategy

    BI project team

    Comprehensive summary of current BI usage that has quantitative and qualitative perspectives

    BI requirements are confirmed

    2 Evaluate Current BI Maturity and Identify the BI Patterns for the Future State

    The Purpose

    Define current maturity level of BI practice.

    Envision the future state of your BI practice and identify desired BI patterns.

    Key Benefits Achieved

    Know the correct migration method for Exchange Online.

    Prepare user profiles for the rest of the Office 365 implementation.

    Activities

    2.1 Perform BI SWOT analyses.

    2.2 Assess current state of the BI practice and review results.

    2.3 Create guiding principles for the future BI practice.

    2.4 Identify desired BI patterns and the associated BI functionalities/requirements.

    2.5 Define the future state of the BI practice.

    2.6 Establish the critical success factors for the future BI, identify potential risks, and create a mitigation plan.

    Outputs

    Exchange migration strategy

    Current state of BI practice is documented from multiple perspectives

    Guiding principles for future BI practice are established, along with the desired BI patterns linked to functional requirements

    Future BI practice is defined

    Critical success factors, potential risks, and a risk mitigation plan are defined

    3 Build Improvement Initiatives and Create a BI Development Roadmap

    The Purpose

    Build overall BI improvement initiatives and create a BI improvement roadmap.

    Identify supplementary initiatives for enhancing your BI program.

    Key Benefits Achieved

    Defined roadmap composed of robust improvement initiatives

    Activities

    3.1 Create BI improvement initiatives based on outputs from phase 1 and 2 activities. Build an improvement roadmap.

    3.2 Build an improvement roadmap.

    3.3 Create an Excel governance policy.

    3.4 Create a plan for a BI ambassador network.

    Outputs

    Comprehensive BI initiatives placed on an improvement roadmap

    Excel governance policy is created

    Internal BI ambassadors are identified

    Further reading

    Build a Reporting and Analytics Strategy

    Deliver actionable business insights by creating a business-aligned reporting and analytics strategy.

    Terminology

    As the reporting and analytics space matured over the last decade, software suppliers used different terminology to differentiate their products from others’. This caused a great deal of confusion within the business communities.

    Following are two definitions of the term Business Intelligence:

    Business intelligence (BI) leverages software and services to transform data into actionable insights that inform an organization’s strategic and tactical business decisions. BI tools access and analyze data sets and present analytical findings in reports, summaries, dashboards, graphs, charts, and maps to provide users with detailed intelligence about the state of the business.

    The term business intelligence often also refers to a range of tools that provide quick, easy-to-digest access to insights about an organization's current state, based on available data.

    CIO Magazine

    Business intelligence (BI) comprises the strategies and technologies used by enterprises for the data analysis of business information. BI technologies provide historical, current, and predictive views of business operations.

    Common functions of business intelligence technologies include reporting, online analytical processing, analytics, data mining, process mining, complex event processing, business performance management, benchmarking, text mining, predictive analytics, and prescriptive analytics.

    Wikipedia

    This blueprint will use the terms “BI,” “BI and Analytics,” and “Reporting and Analytics” interchangeably in different contexts, but always in compliance to the above definitions.

    ANALYST PERSPECTIVE

    A fresh analytics & reporting strategy enables new BI opportunities.

    We need data to inform the business of past and current performance and to support strategic decisions. But we can also drown in a flood of data. Without a clear strategy for business intelligence, a promising new solution will produce only noise.

    BI and Analytics teams must provide the right quantitative and qualitative insights for the business to base their decisions on.

    Your Business Intelligence and Analytics strategy must support the organization’s strategy. Your strategy for BI & Analytics provides direction and requirements for data warehousing and data integration, and further paves the way for predictive analytics, big data analytics, market/industry intelligence, and social network analytics.

    Dirk Coetsee,

    Director, Data and Analytics Info-Tech Research Group

    Our understanding of the problem

    This Research is Designed For:

    • A CIO or Business Unit (BU) Leader looking to improve reporting and analytics, reduce time to information, and embrace fact-based decision making with analytics, reporting, and business intelligence (BI).
    • Application Directors experiencing poor results from an initial BI tool deployment who are looking to improve the outcome.

    This Research Will Also Assist:

    • Project Managers and Business Analysts assigned to a BI project team to collect and analyze requirements.
    • Business units that have their own BI platforms and would like to partner with IT to take their BI to an enterprise level.

    This Research Will Help You:

    • Align your reporting and analytics strategy with the business’ strategic objectives before you rebuild or buy your Business Intelligence platform.
    • Identify reporting and analytics objectives to inform the data warehouse and integration requirements gathering process.
    • Avoid common pitfalls that derail BI and analytic deployments and lower their adoption.
    • Identify Business Intelligence gaps prior to deployment and incorporate remedies within your plans.

    This Research Will Help Them:

    • Recruit the right resources for the program.
    • Align BI with corporate vision, mission, goals, and strategic direction.
    • Understand the needs of business partners.
    • Assess BI maturity and plan for target state.
    • Develop a BI strategy and roadmap.
    • Track the success of the BI initiative.

    Executive summary

    Situation:

    BI drives a new reality. Uber is the world’s largest taxi company and they own no vehicles; Alibaba is the world’s most valuable retailer and they have no inventory; Airbnb is the world’s largest accommodation provider and they own no real estate. How did they disrupt their markets and get past business entry barriers? A deep understanding of their market through impeccable business intelligence!

    Complication:

    • In respect to BI matureness, you can’t expect the whole organization to be at the same place at the same time. Your BI strategy needs to recognize this and should strive to align rather than dictate.
    • Technology is just one aspect of your BI and Analytics strategy and is not a quick solution or a guarantee for long term success.

    Resolution:

    • Drive strategy development by establishing the business context upfront in order to align business intelligence providers with the most important needs of their BI consumers and the strategic priorities of the organization.
    • Revamp or create a BI strategy to update your BI program to make it fit for purpose.
    • Understand your existing BI baggage – e.g. your existing BI program, the artifacts generated from the program, and the users it supports. Those will inform the creation of the strategy and roadmap.
    • Assess current BI maturity and determine your future state BI maturity.
    • BI needs governance to ensure consistent planning, communication, and execution of the BI strategy.
    • Create a network of BI ambassadors across the organization to promote BI.
    • Plan for the future to ensure that required data will be available when the organization needs it.

    Info-Tech Insight

    1. Put the “B” back in BI. Don’t have IT doing BI for IT’s sake; ensure the voice and needs of the business are the primary drivers of your strategy.
    2. The BI strategy drives data warehouse and integration strategies and the data needs to support business decisions.
    3. Go beyond the platform. The solution to better BI often lies in improving the BI practice, not acquiring the latest and greatest tool.

    Metrics to track BI & Analytical program progress

    Goals for BI:

    • Understand business context and needs. Identify business processes that can leverage BI.
    • Define the Reporting & Analytics Roadmap. Develop data initiatives, and create a strategy and roadmap for Business Intelligence.
    • Continuous improvements. Your BI program is evolving and improving over time. The program should allow you to have faster, better, and more comprehensive information.

    Info-Tech’s Suggested Metrics for Tracking the BI Program

    Practice Improvement Metrics Data Collection and Calculation Expected Improvement
    Program Level Metrics Efficiency
    • Time to information
    • Self-service penetration
    • Derive from the ticket management system
    • Derive from the BI platform
    • 10% reduction in time to information
    • Achieve 10-15% self-service penetration
    • Effectiveness
    • BI Usage
    • Data quality
    • Derive from the BI platform
    • Data quality perception
    • Majority of the users use BI on a daily basis
    • 15% increase in data quality perception
    Comprehensiveness
    • # of integrated datasets
    • # of strategic decisions made
    • Derive from the data integration platform
    • Decision-making perception
    • Onboard 2-3 new data domains per year
    • 20% increase in decision-making perception

    Intangible Metrics:

    Tap into the results of Info-Tech’s CIO Business Vision diagnostic to monitor the changes in business-user satisfaction as you implement the initiatives in your BI improvement roadmap.

    Your Enterprise BI and Analytics Strategy is driven by your organization’s Vision and Corporate Strategy

    Formulating an Enterprise Reporting and Analytics Strategy requires the business vision and strategies to first be substantiated. Any optimization to the Data Warehouse, Integration and Source layer is in turn driven by the Enterprise Reporting and Analytics Strategy

    Flow chart showing 'Business Vision Strategies'

    The current state of your Integration and Warehouse platforms determine what data can be utilized for BI and Analytics

    Where we are, and how we got here

    How we got here

    • In the beginning was BI 1.0. Business intelligence began as an IT-driven centralized solution that was highly governed. Business users were typically the consumers of reports and dashboards created by IT, an analytics-trained minority, upon request.
    • In the last five to ten years, we have seen a fundamental shift in the business intelligence and analytics market, moving away from such large-scale, centralized IT-driven solutions focused on basic reporting and administration, towards more advanced user-friendly data discovery and visualization platforms. This has come to be known as BI 2.0.
    • Many incumbent market leaders were disrupted by the demand for more user-friendly business intelligence solutions, allowing “pure-play” BI software vendors to carve out a niche and rapidly expand into more enterprise environments.
    • BI-on-the-cloud has established itself as a solid alternative to in-house implementation and operation.

    Where we are now

    • BI 3.0 has arrived. This involves the democratization of data and analytics and a predominantly app-centric approach to BI, identifiable by an anywhere, anytime, and device-or-platform-independent collaborative methodology. Social workgroups and self-guided content creation, delivery, analysis, and management is prominent.
    • Where the need for reporting and dashboards remains, we’re seeing data discovery platforms fulfilling the needs of non-technical business users by providing easy-to-use interactive solutions to increase adoption across enterprises.
    • With more end users demanding access to data and the tools to extract business insights, IT is looking to meet these needs while continuing to maintain governance and administration over a much larger base of users. The race for governed data discovery is heated and will be a market differentiator.
    • The next kid on the block is Artificial Intelligence that put further demands on data quality and availability.

    RICOH Canada used this methodology to develop their BI strategy in consultation with their business stakeholders

    CASE STUDY

    Industry: Manufacturing and Retail

    Source: RICOH

    Ricoh Canada transforms the way people work with breakthrough technologies that help businesses innovate and grow. Its focus has always been to envision what the future will look like so that it can help its customers prepare for success. Ricoh empowers digital workplaces with a broad portfolio of services, solutions, and technologies – helping customers remove obstacles to sustained growth by optimizing the flow of information and automating antiquated processes to increase workplace productivity. In their commitment towards a customer-centric approach, Ricoh Canada recognized that BI and analytics can be used to inform business leaders in making strategic decisions.

    Enterprise BI and analytics Initiative

    Ricoh Canada enrolled in the ITRG Reporting & Analytics strategy workshop with the aim to create a BI strategy that will allow the business to harvest it strengths and build for the future. The workshop acted as a forum for the different business units to communicate, share ideas, and hear from each other what their pains are and what should be done to provide a full customer 360 view.

    Results

    “This workshop allowed us to collectively identify the various stakeholders and their unique requirements. This is a key factor in the development of an effective BI Analytics tool.” David Farrar

    The Customer 360 Initiative included the following components

    The Customer 360 Initiative includes the components shown in the image

    Improve BI Adoption Rates

    Graph showing Product Adoption Rates

    Sisense

    Reasons for low BI adoption

    • Employees that never used BI tools are slow to adopt new technology.
    • Lack of trust in data leads to lack of trust in the insights.
    • Complex data structures deter usage due to long learning curves and contained nuances.
    • Difficult to translate business requirements into tool linguistics due to lack of training or technical ineptness.
    • Business has not taken ownership of data, which affects access to data.

    How to foster BI adoption

    • Senior management proclaim data as a strategic asset and involved in the promotion of BI
    • Role Requirement that any business decision should be backed up by analytics
    • Communication of internal BI use case studies and successes
    • Exceptional data lineage to act as proof for the numbers
    • A Business Data glossary with clearly defined business terms. Use the Business Data Glossary in conjunction with data lineage and semantic layers to ensure that businesses are clearly defined and traced to sources.
    • Training in business to take ownership of data from inception to analytics.

    Why bother with analytics?

    In today’s ever-changing and global environment, organizations of every size need to effectively leverage their data assets to facilitate three key business drivers: customer intimacy, product/service innovation, and operational excellence. Plus, they need to manage their operational risk efficiently.

    Investing in a comprehensive business intelligence strategy allows for a multidimensional view of your organization’s data assets that can be operationalized to create a competitive edge:

    Historical Data

    Without a BI strategy, creating meaningful reports for business users that highlight trends in past performance and draw relationships between different data sources becomes a more complex task. Also, the ever growing need to identify and assess risks in new ways is driving many companies to BI.

    Data Democracy

    The core purpose of BI is to provide the right data, to the right users, at the right time, and in a format that is easily consumable and actionable. In developing a BI strategy, remember the driver for managed cross-functional access to data assets and features such as interactive dashboards, mobile BI, and self-service BI.

    Predictive and Big Data Analytics

    As the volume, variety, and velocity of data increases rapidly, businesses will need a strategy to outline how they plan to consume the new data in a manner that does not overwhelm their current capabilities and aligns with their desired future state. This same strategy further provides a foundation upon which organizations can transition from ad hoc reporting to using data assets in a codified BI platform for decision support.

    Business intelligence serves as the layer that translates data, information, and organizational knowledge into insights

    As executive decision making shifts to more fact-based, data-driven thinking, there is an urgent need for data assets to be organized and presented in a manner that enables immediate action.

    Typically, business decisions are based on a mix of intuition, opinion, emotion, organizational culture, and data. Though business users may be aware of its potential value in driving operational change, data is often viewed as inaccessible.

    Business intelligence bridges the gap between an organization’s data assets and consumable information that facilitates insight generation and informed decision making.

    Most organizations realize that they need a BI strategy; it’s no longer a nice-to-have, it’s a must-have.

    – Albert Hui, Principal, Data Economist

    A triangle grapg depicting the layers of business itelligence

    Business intelligence and business analytics: what is the difference and should you care

    Ask 100 people and you will get 100 answers. We like the prevailing view that BI looks at today and backward for improving who we are, while BA is forward-looking to support change decisions.

    The image depicts a chart flowing from Time Past to Future. Business Intelligence joins with Business Analytics over the Present
    • Business intelligence is concerned with looking at present and historical data.
    • Use this data to create reports/dashboards to inform a wide variety of information consumers of the past and current state of affairs.
    • Almost all organizations, regardless of size and maturity, use some level of BI even if it’s just very basic reporting.
    • Business analytics, on the other hand, is a forward-facing use of data, concerned with the present to the future.
    • Analytics uses data to both describe the present, and more importantly, predict the future, enabling strategic business decisions.
    • Although adoption is rapidly increasing, many organizations still do not utilize any advanced analytics in their environment.

    However, establishing a strong business intelligence program is a necessary precursor to an organization’s development of its business analytics capabilities.

    Organizations that successfully grow their BI capabilities are reaping the rewards

    Evidence is piling up: if planned well, BI contributes to the organization’s bottom line.

    It’s expected that there will be nearly 45 billion connected devices and a 42% increase in data volume each year posing a high business opportunity for the BI market (BERoE, 2020).

    The global business intelligence market size to grow from US$23.1 billion in 2020 to US$33.3 billion by 2025, at a compound annual growth rate (CAGR) of 7.6% (Global News Wire, 2020)

    In the coming years, 69% of companies plan on increasing their cloud business intelligence usage (BARC Research and Eckerson Group Study, 2017).

    Call to Action

    Small organizations of up to 100 employees had the highest rate of business intelligence penetration last year (Forbes, 2018).

    Graph depicting business value from 0 months to more than 24 months

    Source: IBM Business Value, 2015

    For the New England Patriots, establishing a greater level of customer intimacy was driven by a tactical analytics initiative

    CASE STUDY

    Industry: Professional Sports

    Source Target Marketing

    Problem

    Despite continued success as a franchise with a loyal fan base, the New England Patriots experienced one of their lowest season ticket renewal rates in over a decade for the 2009 season. Given the numerous email addresses that potential and current season-ticket holders used to engage with the organization, it was difficult for Kraft Sports Group to define how to effectively reach customers.

    Turning to a Tactical Analytics Approach

    Kraft Sports Group turned to the customer data that it had been collecting since 2007 and chose to leverage analytics in order to glean insight into season ticket holder behavior. By monitoring and reporting on customer activity online and in attendance at games, Kraft Sports Group was able to establish that customer engagement improved when communication from the organization was specifically tailored to customer preferences and historical behavior.

    Results

    By operationalizing their data assets with the help of analytics, the Patriots were able to achieve a record 97% renewal rate for the 2010 season. KSG was able to take their customer engagement to the next level and proactively look for signs of attrition in season-ticket renewals.

    We're very analytically focused and I consider us to be the voice of the customer within the organization… Ultimately, we should know when renewal might not happen and be able to market and communicate to change that behavior.

    – Jessica Gelman,

    VP Customer Marketing and Strategy, Kraft Sports Group

    A large percentage of all BI projects fail to meet the organization’s needs; avoid falling victim to common pitfalls

    Tool Usage Pitfalls

    • Business units are overwhelmed with the amount and type of data presented.
    • Poor data quality erodes trust, resulting in a decline in usage.
    • Analysis performed for the sake of analysis and doesn’t focus on obtaining relevant business-driven insights.

    Selection Pitfalls

    • Inadequate requirements gathering.
    • No business involvement in the selection process.
    • User experience is not considered.
    • Focus is on license fees and not total cost.

    Implementation Pitfalls

    • Absence of upfront planning
    • Lack of change management to facilitate adoption of the new platform
    • No quick wins that establish the value of the project early on
    • Inadequate initial or ongoing training

    Strategic Pitfalls

    • Poor alignment of BI goals with organization goals
    • Absence of CSFs/KPIs that can measure the qualitative and quantitative success of the project
    • No executive support during or after the project

    BI pitfalls are lurking around every corner, but a comprehensive strategy drafted upfront can help your organization overcome these obstacles. Info-Tech’s approach to BI has involvement from the business units built right into the process from the start and it equips IT to interact with key stakeholders early and often.

    Only 62% of Big Data and AI projects in 2019 provided measurable results.

    Source: NewVantage Partners LLC

    Business and IT have different priorities for a BI tool

    Business executives look for:

    • Ease of use
    • Speed and agility
    • Clear and concise information
    • Sustainability

    IT professionals are concerned about:

    • Solid security
    • Access controls on data
    • Compliance with regulations
    • Ease of integration

    Info-Tech Insight

    Combining these priorities will lead to better tool selection and more synergy.

    Elizabeth Mazenko

    The top-down BI Opportunity Analysis is a tool for senior executives to discover where Business Intelligence can provide value

    The image is of a top-down BI Opportunity Analysis.

    Example: Uncover BI opportunities with an opportunity analysis

    Industry Drivers Private label Rising input prices Retail consolidation
    Company strategies Win at supply chain execution Win at customer service Expand gross margins
    Value disciplines Strategic cost management Operational excellence Customer service
    Core processes Purchasing Inbound logistics Sales, service & distribution
    Enterprise management: Planning, budgeting, control, process improvement, HR
    BI Opportunities Customer service analysis Cost and financial analysis Demand management

    Williams (2016)

    Bridge the gap between business drivers and business intelligence features with a three-tiered framework

    Info-Tech’s approach to formulating a fit-for-purpose BI strategy is focused on making the link between factors that are the most important to the business users and the ways that BI providers can enable those consumers.

    Drivers to Establish Competitive Advantage

    • Operational Excellence
    • Client Intimacy
    • Innovation

    BI and Analytics Spectrum

    • Strategic Analytics
    • Tactical Analytics
    • Operational Analytics

    Info-Tech’s BI Patterns

    • Delivery
    • User Experience
    • Deep Analytics
    • Supporting

    This is the content for Layout H3 Tag

    Though business intelligence is primarily thought of as enabling executives, a comprehensive BI strategy involves a spectrum of analytics that can provide data-driven insight to all levels of an organization.

    Recommended

    Strategic Analytics

    • Typically focused on predictive modeling
    • Leverages data integrated from multiple sources (structured through unstructured)
    • Assists in identifying trends that may shift organizational focus and direction
    • Sample objectives:
      • Drive market share growth
      • Identify new markets, products, services, locations, and acquisitions
      • Build wider and deeper customer relationships earning more wallet share and keeping more customers

    Tactical Analytics

    • Often considered Response Analytics and used to react to situations that arise, or opportunities at a department level.
    • Sample objectives:
      • Staff productivity or cost analysis
      • Heuristics/algorithms for better risk management
      • Product bundling and packaging
      • Customer satisfaction response techniques

    Operational Analytics

    • Analytics that drive business process improvement whether internal, with external partners, or customers.
    • Sample objectives:
      • Process step elimination
      • Best opportunities for automation

    Business Intelligence Terminology

    Styles of BI New age BI New age data Functional Analytics Tools
    Reporting Agile BI Social Media data Performance management analytics Scorecarding dashboarding
    Ad hoc query SaaS BI Unstructured data Financial analytics Query & reporting
    Parameterized queries Pervasive BI Mobile data Supply chain analytics Statistics & data mining
    OLAP Cognitive Business Big data Customer analytics OLAP cubes
    Advanced analytics Self service analytics Sensor data Operations analytics ETL
    Cognitive business techniques Real-time Analytics Machine data HR Analytics Master data management
    Scorecards & dashboards Mobile Reporting & Analytics “fill in the blanks” analytics Data Governance

    Williams (2016)

    "BI can be confusing and overwhelming…"

    – Dirk Coetsee,

    Research Director,

    Info-Tech Research Group

    Business intelligence lies in the Information Dimensions layer of Info-Tech’s Data Management Framework

    The interactions between the information dimensions and overlying data management enablers such as data governance, data architecture, and data quality underscore the importance of building a robust process surrounding the other data practices in order to fully leverage your BI platform.

    Within this framework BI and analytics are grouped as one lens through which data assets at the business information level can be viewed.

    The image is the Information Dimensions layer of Info-Tech’s Data Management Framework

    Use Info-Tech’s three-phase approach to a Reporting & Analytics strategy and roadmap development

    Project Insight

    A BI program is not a static project that is created once and remains unchanged. Your strategy must be treated as a living platform to be revisited and revitalized in order to effectively enable business decision making. Develop a reporting and analytics strategy that propels your organization by building it on business goals and objectives, as well as comprehensive assessments that quantitatively and qualitatively evaluate your current reporting and analytical capabilities.

    Phase 1: Understand the Business Context and BI Landscape Phase 2: Evaluate Your Current BI Practice Phase 3: Create a BI Roadmap for Continuous Improvement
    1.1 Establish the Business Context
    • Business Vision, Goals, Key Drivers
    • Business Case Presentation
    • High-Level ROI
    		 2.1 Assess Your Current BI Maturity
    • BI Practice Assessment
    • Summary of Current State
    		 3.1 Construct a BI Initiative Roadmap
    • BI Improvement Initiatives
    • RACI
    • BI Strategy and Roadmap
    1.2 Assess Existing BI Environment
    • BI Perception Survey Framework
    • Usage Analyses
    • BI Report Inventory
    		 2.2 Envision BI Future State
    • BI Style Requirements
    • BI Practice Assessment
    		 3.2 Plan for Continuous Improvement
    • Excel/Access Governance Policy
    • BI Ambassador Network Draft
    1.3 Develop BI Solution Requirements
    • Requirements Gathering Principles
    • Overall BI Requirements

    Stand on the shoulders of Information Management giants

    As part of our research process, we leveraged the frameworks of COBIT5, Mike 2.0, and DAMA DMBOK2. Contextualizing business intelligence within these frameworks clarifies its importance and role and ensures that our assessment tool is focused on key priority areas.

    The DMBOK2 Data Management framework by the Data Asset Management Association (DAMA) provided a starting point for our classification of the components in our IM framework.

    Mike 2.0 is a data management framework that helped guide the development of our framework through its core solutions and composite solutions.

    The Cobit 5 framework and its business enablers were used as a starting point for assessing the performance capabilities of the different components of information management, including business intelligence.

    Info-Tech has a series of deliverables to facilitate the evolution of your BI strategy

    BI Strategy Roadmap Template

    BI Practice Assessment Tool

    BI Initiatives and Roadmap Tool

    BI Strategy and Roadmap Executive Presentation Template

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit Guided Implementation Workshop Consulting
    “Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.” “Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.” “We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.” “Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”

    Diagnostics and consistent frameworks used throughout all four options

    Build a Reporting and Analytics Strategy – Project Overview

    1. Understand the Business Context and BI Landscape 2. Evaluate the Current BI Practice 3. Create a BI Roadmap for Continuous Improvement
    Best-Practice Toolkit

    1.1 Document overall business vision, mission, industry drivers, and key objectives; assemble a project team

    1.2 Collect in-depth information around current BI usage and BI user perception

    1.3 Create requirements gathering principles and gather requirements for a BI platform

    2.1 Define current maturity level of BI practice

    2.2 Envision the future state of your BI practice and identify desired BI patterns

    3.1 Build overall BI improvement initiatives and create a BI improvement roadmap

    3.2 Identify supplementary initiatives for enhancing your BI program
    Guided Implementations
    • Discuss Info-Tech’s approach for using business information to drive BI strategy formation
    • Review business context and discuss approaches for conducting BI usage and user analyses
    • Discuss strategies for BI requirements gathering
    • Discuss BI maturity model
    • Review practice capability gaps and discuss potential BI patterns for future state
    • Discuss initiative building
    • Review completed roadmap and next steps
    Onsite Workshop Module 1:

    Establish Business Vision and Understand the Current BI Landscape

    		 Module 2:

    Evaluate Current BI Maturity Identify the BI Patterns for the Future State

    		 Module 3:

    Build Improvement Initiatives and Create a BI Development Roadmap
    Phase 1 Outcome:
    • Business context
    • Project team
    • BI usage information, user perception, and new BI requirements
    		 Phase 2 Outcome:
    • Current and future state assessment
    • Identified BI patterns
    		 Phase 3 Outcome:
    • BI improvement strategy and initiative roadmap

    Workshop overview

    Contact your account representative or email Workshops@InfoTech.com for more information.

    Workshop Day 1 Workshop Day 2 Workshop Day 3 Workshop Day 4
    Activities

    Understand Business Context and Structure the Project

    1.1 Make the case for a BI strategy refresh.

    1.2 Understand business context.

    1.3 Determine high-level ROI.

    1.4 Structure the BI strategy refresh project.

    Understand Existing BI and Revisit Requirements

    2.1 Understand the usage of your existing BI.

    2.2 Gather perception of the current BI users.

    2.3 Document existing information artifacts.

    2.4 Develop a requirements gathering framework.

    2.5 Gather requirements.

    Revisit Requirements and Current Practice Assessment

    3.1 Gather requirements.

    3.2 Determine BI Maturity Level.

    3.3 Perform a SWOT for your existing BI program.

    3.4 Develop a current state summary.

    Roadmap Develop and Plan for Continuous Improvements

    5.1 Develop BI strategy.

    5.2 Develop a roadmap for the strategy.

    5.3 Plan for continuous improvement opportunities.

    5.4 Develop a re-strategy plan.

    Deliverables
    1. Business and BI Vision, Goals, Key Drivers
    2. Business Case Presentation
    3. High-Level ROI
    4. Project RACI
    1. BI Perception Survey
    2. BI Requirements Gathering Framework
    3. BI User Stories and Requirements
    1. BI User Stories and Requirements
    2. BI SWOT for your Current BI Program
    3. BI Maturity Level
    4. Current State Summary
    1. BI Strategy
    2. Roadmap accompanying the strategy with timeline
    3. A plan for improving BI
    4. Strategy plan

    Phase 2

    Understand the Business Context and BI Landscape

    Build a Reporting and Analytics Strategy

    Phase 1 overview

    Detailed Overview

    Step 1: Establish the business context in terms of business vision, mission, objectives, industry drivers, and business processes that can leverage Business Intelligence

    Step 2: Understand your BI Landscape

    Step 3: Understand business needs

    Outcomes

    • Clearly articulated high-level mission, vision, and key drivers from the business, as well as objectives related to business intelligence.
    • In-depth documentation regarding your organization’s BI usage, user perception, and outputs.
    • Consolidated list of requirements, existing and desired, that will direct the deployment of your BI solution.

    Benefits

    • Align business context and drivers with IT plans for BI and Analytics improvement.
    • Understand your current BI ecosystem’s performance.

    Understand your business context and BI landscape

    Phase 1 Overarching Insight

    The closer you align your new BI platform to real business interests, the stronger the buy-in, realized value, and groundswell of enthusiastic adoption will be. Get this phase right to realize a high ROI on your investment in the people, processes, and technology that will be your next generation BI platform.

    Understand the Business Context to Rationalize Your BI Landscape Evaluate Your Current BI Practice Create a BI Roadmap for Continuous Improvement
    Establish the Business Context
    • Business Vision, Goals, Key Drivers
    • Business Case Presentation
    • High-Level ROI
    		 Assess Your Current BI Maturity
    • SWOT Analysis
    • BI Practice Assessment
    • Summary of Current State
    		 Construct a BI Initiative Roadmap
    • BI Improvement Initiatives
    • BI Strategy and Roadmap
    Access Existing BI Environment
    • BI Perception Survey Framework
    • Usage Analyses
    • BI Report Inventory
    		 Envision BI Future State
    • BI Patterns
    • BI Practice Assessment
    • List of Functions
    		 Plan for Continuous Improvement
    • Excel Governance Policy
    • BI Ambassador Network Draft
    Undergo Requirements Gathering
    • Requirements Gathering Principles
    • Overall BI Requirements

    Track these metrics to measure your progress through Phase 1

    Goals for Phase 1:

    • Understand the business context. Determine if BI can be used to improve business outcomes by identifying benefits, costs, opportunities, and gaps.
    • Understand your existing BI. Plan your next generation BI based on a solid understanding of your existing BI.
    • Identify business needs. Determine the business processes that can leverage BI and Analytics.

    Info-Tech’s Suggested Metrics for Tracking Phase 1 Goals

    Practice Improvement Metrics Data Collection and Calculation Expected Improvement
    Monetary ROI
    • Quality of the ROI
    • # of user cases, benefits, and costs quantified
    		 Derive the number of the use cases, benefits, and costs in the scoping. Ask business SMEs to verify the quality. High-quality ROI studies are created for at least three use cases
    Response Rate of the BI Perception Survey Sourced from your survey delivery system Aim for 40% response rate
    # of BI Reworks Sourced from your project management system Reduction of 10% in BI reworks

    Intangible Metrics:

    1. Executives’ understanding of the BI program and what BI can do for the organization.
    2. Improved trust between IT and the business by re-opening the dialogue.
    3. Closer alignment with the organization strategy and business plan leading to higher value delivered.
    4. Increased business engagement and input into the Analytics strategy.

    Use advisory support to accelerate your completion of Phase 1 activities

    Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

    Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of two to three advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

    Guided Implementation 1: Understand the Business Context and BI Landscape

    Proposed Time to Completion: 2-4 weeks

    Step 1.0: Assemble Your Project Team

    Start with an analyst kick-off call:

    • Discuss Info-Tech’s viewpoint and definitions of business intelligence.
    • Discuss the project sponsorship, ideal team members and compositions.

    Then complete these activities…

    • Identify a project sponsor and the project team members.

    Step 1.1: Understand Your Business Context

    Start with an analyst kick-off call:

    • Discuss Info-Tech’s approach to BI strategy development around using business information as the key driver.

    Then complete these activities…

    • Detail the business context (vision, mission, goals, objectives, etc.).
    • Establish business–IT alignment for your BI strategy by detailing the business context.

    Step 1.2: Establish the Current BI Landscape

    Review findings with analyst:

    • Review the business context outputs from Step 1.1 activities.
    • Review Info-Tech’s approach for documenting your current BI landscape.
    • Review the findings of your BI landscape.

    Then complete these activities…

    • Gather information on current BI usage and perform a BI artifact inventory.
    • Construct and conduct a user perception survey.

    With these tools & templates:

    BI Strategy and Roadmap Template

    Step 1.0

    Assemble the Project Team

    Select a BI project sponsor

    Info-Tech recommends you select a senior executive with close ties to BI be the sponsor for this project (e.g. CDO, CFO or CMO). To maximize the chance of success, Info-Tech recommends you start with the CDO, CMO, CFO, or a business unit (BU) leader who represents strategic enterprise portfolios.

    Initial Sponsor

    CFO or Chief Risk Officer (CRO)

    • The CFO is responsible for key business metrics and cost control. BI is on the CFO’s radar as it can be used for both cost optimization and elimination of low-value activity costs.
    • The CRO is tasked with the need to identify, address, and when possible, exploit risk for business security and benefit.
    • Both of these roles are good initial sponsors but aren’t ideal for the long term.

    CDO or a Business Unit (BU) Leader

    • The CDO (Chief Data Officer) is responsible for enterprise-wide governance and utilization of information as an asset via data processing, analysis, data mining, information trading, and other means, and is the ideal sponsor.
    • BU leaders who represent a growth engine for a company look for ways to mine BI to help set direction.

    Ultimate Sponsor

    CEO

    • As a the primary driver of enterprise-wide strategy, the CEO is the ideal evangelist and project sponsor for your BI strategy.
    • Establishing a CEO–CIO partnership helps elevate IT to the level of a strategic partner, as opposed to the traditional view that IT’s only job is to “keep the lights on.”
    • An endorsement from the CEO may make other C-level executives more inclined to work with IT and have their business unit be the starting point for growing a BI program organically.

    "In the energy sector, achieving production KPIs are the key to financial success. The CFO is motivated to work with IT to create BI applications that drive higher revenue, identify operational bottlenecks, and maintain gross margin."

    – Yogi Schulz, Partner, Corvelle Consulting

    Select a BI project team

    Create a project team with the right skills, experience, and perspectives to develop a comprehensive strategy aligned to business needs.

    You may need to involve external experts as well as individuals within the organization who have the needed skills.

    A detailed understanding of what to look for in potential candidates is essential before moving forward with your BI project.

    Leverage several of Info-Tech’s Job Description Templates to aid in the process of selecting the right people to involve in constructing your BI strategy.

    Roles to Consider

    Business Stakeholders

    Business Intelligence Specialist

    Business Analyst

    Data Mining Specialist

    Data Warehouse Architect

    Enterprise Data Architect

    Data Steward

    "In developing the ideal BI team, your key person to have is a strong data architect, but you also need buy-in from the highest levels of the organization. Buy-in from different levels of the organization are indicators of success more than anything else."

    – Rob Anderson, Database Administrator and BI Manager, IT Research and Advisory Firm

    Create a RACI matrix to clearly define the roles and responsibilities for the parties involved

    A common project management pitfall for any endeavour is unclear definition of responsibilities amongst the individuals involved.

    As a business intelligence project requires a significant amount of back and forth between business and IT – bridged by the BI Steering Committee – clear guidelines at the project outset with a RACI chart provide a basic framework for assigning tasks and lines of communication for the later stages.

    Responsible Accountable Consulted Informed

    Obtaining Buy-in Project Charter Requirements Design Development Program Creation
    BI Steering Committee A C I I I C
    Project Sponsor - C I I I C
    Project Manager - R A I I C
    VP of BI R I I I I A
    CIO A I I I I R
    Business Analyst I I R C C C
    Solution Architect - - C A C C
    Data Architect - - C A C C
    BI Developer - - C C R C
    Data Steward - - C R C C
    Business SME C C C C C C

    Note: This RACI is an example of how role expectations would be broken down across the different steps of the project. Develop your own RACI based on project scope and participants.

    STEP 1.1

    Understand Your Business Context and Structure the Project

    Establish business–IT alignment for your BI strategy by detailing the business context

    Step Objectives

    • Engage the business units to find out where users need BI enablement.
    • Ideate preliminary points for improvement that will further business goals and calculate their value.

    Step Activities

    1.1.1 Craft the vision and mission statements for the Analytics program using the vision, mission, and strategies of your organization as basis.

    1.1.2 Articulate program goals and objectives

    1.1.3 Determine business differentiators and key drivers

    1.1.4 Brainstorm BI-specific constraints and improvement objectives

    Outcomes

    • Clearly articulated business context that will provide a starting point for formulating a BI strategy
    • High-level improvement objectives and ROI for the overall project
    • Vision, mission, and objectives of the analytics program

    Research Support

    • Info-Tech’s BI Strategy and Roadmap Template

    Proposed Participants in this Step

    • Project Manager
    • Project Team
    • Relevant Business Stakeholders and Subject Matter Experts

    Transform the way the business makes decisions

    Your BI strategy should enable the business to make fast, effective, and comprehensive decisions.

    Fast Effective Comprehensive
    Reduce time spent on decision-making by designing a BI strategy around information needs of key decision makers. Make the right data available to key decision makers. Make strategic high-value, impactful decisions as well as operational decisions.

    "We can improve BI environments in several ways. First, we can improve the speed with which we create BI objects by insisting that the environments are designed with flexibility and adaptability in mind. Second, we can produce higher quality deliverables by ensuring that IT collaborate with the business on every deliverable. Finally, we can reduce the costs of BI by giving access to the environment to knowledgeable business users and encouraging a self-service function."

    – Claudia Imhoff, Founder, Boulder BI Brain Trust, Intelligent Solutions Inc.

    Assess needs of various stakeholders using personas

    User groups/user personas

    Different users have different consumption and usage patterns. Categorize users into user groups and visualize the usage patterns. The user groups are the connection between the BI capabilities and the users.

    User groups Mindset Usage Pattern Requirements
    Front-line workers Get my job done; perform my job quickly. Reports (standard reports, prompted reports, etc.) Examples:
    • Report bursting
    • Prompted reports
    Analysts I have some ideas; I need data to validate and support my ideas. Dashboards, self-service BI, forecasting/budgeting, collaboration Examples:
    • Self-service datasets
    • Data mashup capability
    Management I need a big-picture view and yet I need to play around with the data to find trends to drive my business. Dashboards, scorecards, mobile BI, forecasting/budgeting Examples:
    • Multi-tab dashboards
    • Scorecard capability
    Data scientists I need to combine existing data, as well as external or new, unexplored data sources and types to find nuggets in the data. Data mashup, connections to data sources Examples:
    • Connectivity to big data
    • Social media analyses

    The pains of inadequate BI are felt across the entire organization – and land squarely on the shoulders of the CIO

    Organization:

    • Insufficient information to make decisions.
    • Unable to measure internal performance.
    • Losses incurred from bad decisions or delayed decisions.
    • Canned reports fail to uncover key insights.
    • Multiple versions of information exist in silos.

    IT Department

    • End users are completely dependent on IT for reports.
    • Ad hoc BI requests take time away from core duties.
    • Spreadsheet-driven BI is overly manual.
    • Business losing trust in IT.

    CIO

    • Under great pressure and has a strong desire to improve BI.
    • Ad hoc BI requests are consuming IT resources and funds.
    • My organization finds value in using data and having decision support to make informed decisions.

    The overarching question that needs to be continually asked to create an effective BI strategy is:

    How do I create an environment that makes information accessible and consumable to users, and facilitates a collaborative dialogue between the business and IT?

    Pre-requisites for success

    Prerequisite #1: Secure Executive Sponsorship

    Sponsorship of BI that is outside of IT and at the highest levels of the organization is essential to the success of your BI strategy. Without it, there is a high chance that your BI program will fail. Note that it may not be an epic fail, but it is a subtle drying out in many cases.

    Prerequisite #2: Understand Business Context

    Providing the right tools for business decision making doesn’t need to be a guessing game if the business context is laid as the project foundation and the most pressing decisions serve as starting points. And business is engaged in formulating and executing the strategy.

    Prerequisite #3: Deliver insights that lead to action

    Start with understanding the business processes and where analytics can improve outcomes. “Think business backwards, not data forward.” (McKinsey)

    11 reasons BI projects fail

    Lack of Executive support

    Old Technology

    Lack of business support

    Too many KPIs

    No methodology for gathering requirements

    Overly long project timeframes

    Bad user experience

    Lack of user adoption

    Bad data

    Lack of proper human resources

    No upfront definition of true ROI

    Mico Yuk, 2019

    Make it clear to the business that IT is committed to building and supporting a BI platform that is intimately tied to enabling changing business objectives.

    Leverage Info-Tech’s BI Strategy and Roadmap Template to accelerate BI planning

    How to accelerate BI planning using the template

    1. Prepopulated text that you can use for your strategy formulation:
      2. Prepopulated text that can be used for your strategy formulation
    2. Sample bullet points that you can pick and choose from:
      3. Sample bullet points to pick and choose from

    Document the BI program planning in Info-Tech’s

    BI Strategy and Roadmap Template.

    Activity: Describe your organization’s vision and mission

    1.1.1

    30-40 minutes

    Compelling vision and mission statements will help guide your internal members toward your company’s target state. These will drive your business intelligence strategy.

    1. Your vision clearly represents where your organization aspires to be in the future and aligns the entire organization. Write down a future-looking, inspirational, and realizable vision in one concise statement. Consider:
    • “Five years from now, our business will be _______.”
    • What do we want to do tomorrow? For whom? What is the benefit?
  • Your mission tells why your organization currently exists and clearly expresses how it will achieve your vision for the future. Write down a mission statement in one clear and concise paragraph consisting of, at most, five sentences. Consider:
    • Why does the business exist? What problems does it solve? Who are its customers?
    • How does the business accomplish strategic tasks or reach its target?
  • Reconvene stakeholders to share ideas and develop one concise vision statement and mission statement. Focus on clarity and message over wording.

    • Input

    • Business vision and mission statements

    Output

    • Alignment and understanding on business vision

    Materials

    Participants

    • BI project lead
    • Executive business stakeholders

    Info-Tech Insight

    Adjust your statements until you feel that you can elicit a firm understanding of both your vision and mission in three minutes or less.

    Formulating an Enterprise BI and Analytics Strategy: Top-down BI Opportunity analysis

    Top-down BI Opportunity analysis

    Example of deriving BI opportunities using BI Opportunity Analysis

    Industry Drivers Private label Rising input prices Retail consolidation
    Company strategies Win at supply chain execution Win at customer service Expand gross margins
    Value disciplines Strategic cost management Operational excellence Customer service
    Core processes Purchasing Inbound logistics Sales, service & distribution
    Enterprise management: Planning, budgeting, control, process improvement, HR
    BI Opportunities Customer service analysis Cost and financial analysis Demand management

    Williams 2016

    Get your organization buzzing about BI – leverage Info-Tech’s Executive Brief as an internal marketing tool

    Two key tasks of a project sponsor are to:

    1. Evangelize the realizable benefits of investing in a business intelligence strategy.
    2. Help to shift the corporate culture to one that places emphasis on data-driven insight.

    Arm your project sponsor with our Executive Brief for this blueprint as a quick way to convey the value of this project to potential stakeholders.

    Bolster this presentation by adding use cases and metrics that are most relevant to your organization.

    Develop a business framework

    Identifying organizational goals and how data can support those goals is key to creating a successful BI & Analytical strategy. Rounding out the business model with technology drivers, environmental factors (as described in previous steps), and internal barriers and enablers creates a holistic view of Business Intelligence within the context of the organization as a whole.

    Through business engagement and contribution, the following holistic model can be created to understand the needs of the business.

    business framework holistic model

    Activity: Describe the Industry Drivers and Organization strategy to mitigate the risk

    1.1.2

    30-45 minutes

    Industry drivers are external influencers that has an effect on a business such as economic conditions, competitor actions, trade relations, climate etc. These drivers can differ significantly by industry and even organizations within the same industry.

    1. List the industry drivers that influences your organization:
    • Public sentiment in regards to energy source
    • Rising cost of raw materials due to increase demand
  • List the company strategies, goals, objectives to counteract the external influencers:
    • Change production process to become more energy efficient
    • Win at customer service
  • Identify the value disciplines :
    • Strategic cost management
    • Operational Excellence
  • List the core process that implements the value disciplines :
    • Purchasing
    • Sales
  • Identify the BI Opportunities:
    • Cost and financial analysis
    • Customer service analysis

    Input

    • Industry drivers

    Output

    • BI Opportunities that business can leverage

    Materials

    • Industry driver section in the BI Strategy and Roadmap Template

    Participants

    • BI project lead
    • Executive business stakeholders

    Understand BI and analytics drivers and organizational objectives

    Environmental Factors Organizational Goals Business Needs Technology Drivers
    Definition External considerations are factors taking place outside the organization that are impacting the way business is conducted inside the organization. These are often outside the control of the business. Organizational drivers can be thought of as business-level metrics. These are tangible benefits the business can measure, such as customer retention, operation excellence, and/or financial performance. A requirement that specifies the behavior and the functions of a system. Technology drivers are technological changes that have created the need for a new BI solution. Many organizations turn to technology systems to help them obtain a competitive edge.
    Examples
    • Economy and politics
    • Laws and regulations
    • Competitive influencers
    • Time to market
    • Quality
    • Delivery reliability
    • Audit tracking
    • Authorization levels
    • Business rules
    • Deployment in the cloud
    • Integration
    • Reporting capabilities

    Activity: Discuss BI/Analytics drivers and organizational objectives

    1.1.3

    30-45 minutes

    1. Use the industry drivers and business goals identified in activity 1.1.2 as a starting point.
    2. Understand how the company runs today and what the organization’s future will look like. Try to identify the purpose for becoming an integrated organization. Use a whiteboard and markers to capture key findings.
    3. Take into account External Considerations, Organizational Drivers, Technology Drivers, and Key Functional Requirements.
    External Considerations Organizational Drivers Technology Considerations Functional Requirements
    • Funding Constraints
    • Regulations
    • Compliance
    • Scalability
    • Operational Efficiency
    • Data Accuracy
    • Data Quality
    • Better Reporting
    • Information Availability
    • Integration Between Systems
    • Secure Data

    Identify challenges and barriers to the BI project

    There are several factors that may stifle the success of a BI implementation. Scan the current environment to identify internal barriers and challenges to identify potential challenges so you can meet them head-on.

    Common Internal Barriers

    Management Support
    Organizational Culture
    Organizational Structure
    IT Readiness
    Definition The degree of management understanding and acceptance towards BI solutions. The collective shared values and beliefs. The functional relationships between people and departments in an organization. The degree to which the organization’s people and processes are prepared for a new BI solution.
    Questions
    • Is a BI project recognized as a top priority?
    • Will management commit time to the project?
    • Are employees resistant to change?
    • Is the organization highly individualized?
    • Is the organization centralized?
    • Is the organization highly formalized?
    • Is there strong technical expertise?
    • Is there strong infrastructure?
    Impact
    • Funding
    • Resources
    • Knowledge sharing
    • User acceptance
    • Flow of knowledge
    • Poor implementation
    • Reliance on consultants

    Activity: Discuss BI/Analytics challenges and pain points

    1.1.4

    30-45 minutes

    1. Identify challenges with the process identified in step 1.1.2.
    2. Brainstorm potential barriers to successful BI implementation and adoption. Use a whiteboard and marker to capture key findings.
    3. Consider Functional Gaps, Technical Gaps, Process Gaps, and Barriers to BI Success.
    Functional Gaps Technical Gaps Process Gaps Barriers to Success
    • No online purchase order requisition
    • Inconsistent reporting – data quality concerns
    • Duplication of data
    • Lack of system integration
    • Cultural mindset
    • Resistance to change
    • Lack of training
    • Funding

    Activity: Discuss opportunities and benefits

    1.1.5

    30-45 minutes

    1. Identify opportunities and benefits from an integrated system.
    2. Brainstorm potential enablers for successful BI implementation and adoption. Use a whiteboard and markers to capture key findings.
    3. Consider Business Benefits, IT Benefits, Organizational Benefits, and Enablers of BI success.
    Business Benefits IT Benefits Organizational Benefits Enablers of Success
    • Business-IT alignment
    • Compliance
    • Scalability
    • Operational Efficiency
    • Data Accuracy
    • Data Quality
    • Better Reporting
    • Change management
    • Training
    • Alignment to strategic objectives

    Your organization’s framework for Business Intelligence Strategy

    Blank organization framework for Business Intelligence Strategy

    Example: Business Framework for Data & Analytics Strategy

    The following diagram represents [Client]’s business model for BI and data. This holistic view of [Client]’s current environment serves as the basis for the generation of the business-aligned Data & Analytics Strategy.

    The image is an example of Business Framework for Data & Analytics Strategy.

    Info-Tech recommends balancing a top-down approach with bottom up for building your BI strateg

    Taking a top-down approach will ensure senior management’s involvement and support throughout the project. This ensures that the most critical decisions are supported by the right data/information, aligning the entire organization with the BI strategy. Furthermore, the gains from BI will be much more significant and visible to the rest of the organization.

    Two charts showing the top-down and bottom-up approach.

    Far too often, organizations taking a bottom-up approach to BI will fail to generate sufficient buy-in and awareness from senior management. Not only does a lack of senior involvement result in lower adoption from the tactical and operational levels, but more importantly, it also means that the strategic decision makers aren’t taking advantage of BI.

    Estimate the ROI of your BI and analytics strategy to secure executive support

    The value of creating a new strategy – or revamping an existing one – needs to be conveyed effectively to a high-level stakeholder, ideally a C-level executive. That executive buy-in is more likely to be acquired when effort has been made to determine the return on investment for the overall initiative.

    1. Business Impacts
      New revenue
      Cost savings
      Time to market
      Internal Benefits
      Productivity gain
      Process optimization
      Investment
      People – employees’ time, external resources
      Data – cost for new datasets
      Technology – cost for new technologies
    2. QuantifyCan you put a number or a percentage to the impacts and benefits? QuantifyCan you estimate the investments you need to put in?
    3. TranslateTranslate the quantities into dollar value
    4. The image depicts an equation for ROI estimate

    Example

    One percent increase in revenue; three more employees $225,000/yr, $150,000/yr 50%

    Activity: Establish a high-level ROI as part of an overall use case for developing a fit-for-purpose BI strategy

    1.1.6

    1.5 hours

    Communicating an ROI that is impactful and reasonable is essential for locking in executive-level support for any initiative. Use this activity as an initial touchpoint to bring business and IT perspectives as part of building a robust business case for developing your BI strategy.

    1. Revisit the business context detailed in the previous sections of this phase. Use priority objectives to identify use case(s), ideally where there are easily defined revenue generators/cost reductions (e.g. streamlining the process of mailing physical marketing materials to customers).
    2. Assign research tasks around establishing concrete numbers and dollar values.
    • Have a subject matter expert weigh in to validate your figures.
    • When calculating ROI, consider how you might leverage BI to create opportunities for upsell, cross-sell, or increased customer retention.
  • Reconvene the stakeholder group and discuss your findings.
    • This is the point where expectation management is important. Separate the need-to-haves from the nice-to-haves.

    Emphasize that ROI is not fully realized after the first implementation, but comes as the platform is built upon iteratively and in an integrated fashion to mature capabilities over time.

    Input

    • Vision statement
    • Mission statement

    Output

    • Business differentiators and key drivers

    Materials

    • Benefit Cost Analysis section of the BI Strategy and Roadmap Template

    Participants

    • BI project lead
    • Executive IT & business stakeholders

    An effective BI strategy positions business intelligence in the larger data lifecycle

    In an effort to keep users satisfied, many organizations rush into implementing a BI platform and generating reports for their business users. BI is, first and foremost, a presentation layer; there are several stages in the data lifecycle where the data that BI visualizes can be compromised.

    Without paying the appropriate amount of attention to the underlying data architecture and application integration, even the most sophisticated BI platforms will fall short of providing business users with a holistic view of company information.

    Example

    In moving away from single application-level reporting, a strategy around data integration practices and technology is necessary before the resultant data can be passed to the BI platform for additional analyses and visualization.

    BI doesn’t exist in a vacuum – develop an awareness of other key data management practices

    As business intelligence is primarily a presentation layer that allows business users to visualize data and turn information into actionable decisions, there are a number of data management practices that precede BI in the flow of data.

    Data Warehousing

    The data warehouse structures source data in a manner that is more operationally focused. The Reporting & Analytics Strategy must inform the warehouse strategy on data needs and building a data warehouse to meet those needs.

    Data Integration, MDM & RDM

    The data warehouse is built from different sources that must be integrated and normalized to enable Business Intelligence. The Info-Tech integration and MDM blueprints will guide with their implementation.

    Data Quality

    A major roadblock to building an effective BI solution is a lack of accurate, timely, consistent, and relevant data. Use Info-Tech’s blueprint to refine your approach to data quality management.

    Data quality, poor integration/P2P integration, poor data architecture are the primary barriers to truly leveraging BI, and a lot of companies haven’t gotten better in these areas.

    – Shari Lava, Associate Vice-President, IT Research and Advisory Firm

    Building consensus around data definitions across business units is a critical step in carrying out a BI strategy

    Business intelligence is heavily reliant on the ability of an organization to mesh data from different sources together and create a holistic and accurate source of truth for users.

    Useful analytics cannot be conducted if your business units define key business terms differently.

    Example

    Finance may label customers as those who have transactional records with the organization, but Marketing includes leads who have not yet had any transactions as customers. Neglecting to note these seemingly small discrepancies in data definition will undermine efforts to combine data assets from traditionally siloed functional units.

    In the stages prior to implementing any kind of BI platform, a top priority should be establishing common definitions for key business terms (customers, products, accounts, prospects, contacts, product groups, etc.).

    As a preliminary step, document different definitions for the same business terms so that business users are aware of these differences before attempting to combine data to create custom reports.

    Self-Assessment

    Do you have common definitions of business terms?

    • If not, identify common business terms.
    • At the very least, document different definitions of the same business terms so the corporate can compare and contrast them.

    STEP 1.2

    Assess the Current BI Landscape

    Establish an in-depth understanding of your current BI landscape

    Step Objectives

    • Inventory and assess the state of your current BI landscape
    • Document the artifacts of your BI environment

    Step Activities

    1.2.1 Analyze the usage levels of your current BI programs/platform

    1.2.2 Perform a survey to gather user perception of your current BI environment

    1.2.3 Take an inventory of your current BI artifacts

    Outcomes

    • Summarize the qualitative and quantitative performance of your existing BI environment
    • Understand the outputs coming from your BI sources

    Research Support

    • Info-Tech’s BI Strategy and Roadmap Template

    Project Manager

    Data Architect(s) or Enterprise Architect

    Project Team

    Understand your current BI landscape before you rationalize

    Relying too heavily on technology as the sole way to solve BI problems results in a more complex environment that will ultimately frustrate business users. Take the time to thoroughly assess the current state of your business intelligence landscape using a qualitative (user perception) and quantitative (usage statistics) approach. The insights and gaps identified in this step will serve as building blocks for strategy and roadmap development in later phases.

    Phase 1

    Current State Summary of BI Landscape

    1.2.1 1.2.2 1.2.3 1.2.4
    Usage Insights Perception Insights BI Inventory Insights Requirements Insights

    PHASE 2

    Strategy and Roadmap Formulation

    Gather usage insights to pinpoint the hot spots for BI usage amongst your users

    Usage data reflects the consumption patterns of end users. By reviewing usage data, you can identify aspects of your BI program that are popular and those that are underutilized. It may present some opportunities for trimming some of the underutilized content.

    Benefits of analyzing usage data:

    • Usage is a proxy for popularity and usability of the BI artifacts. The popular content should be kept and improved in your next generation BI.
    • Usage information provides insight on what, when, where, and how much users are consuming BI artifacts.
    • Unlike methods such as user interviews and focus groups, usage information is fact based and is not subject to peer pressure or “toning down.”

    Sample Sources of Usage Data:

    1. Usage reports from your BI platform Many BI platforms have out-of-the-box usage reports that log and summarize usage data. This is your ideal source for usage data.
    2. Administrator console in your BI platformBI platforms usually have an administrator console that allows BI administrators to configure settings and to monitor activities that include usage. You may obtain some usage data in the console. Note that the usage data is usually real-time in nature, and you may not have access to a historical view of the BI usage.

    Info-Tech Insight

    Don’t forget some of the power users. They may perform analytics by accessing datasets directly or with the help of a query tool (even straight SQL statements). Their usage information is important. The next generation BI should provide consumption options for them.

    Accelerate the process of gathering user feedback with Info-Tech’s Application Portfolio Assessment (APA)

    In an environment where multiple BI tools are being used, discovering what works for users and what doesn’t is an important first step to rationalizing the BI landscape.

    Info-Tech’s Application Portfolio Assessment allows you to create a custom survey based on your current applications, generate a custom report that will help you visualize user satisfaction levels, and pinpoint areas for improvement.

    Activity: Review and analyze usage data

    1.2.1

    2 hours

    This activity helps you to locate usage data in your existing environment. It also helps you to review and analyze usage data to come up with a few findings.

    1. Get to the usage source. You may obtain usage data from one of the below options. Usage reports are your ideal choice, followed by some alternative options:

      2. a. Administrator console – limited to real-time or daily usage data. You may need to track usage data over for several days to identify patterns.

      b. Info-Tech’s Application Portfolio Assessment (APA).

      c. Other – be creative. Some may use an IT usage monitoring system or web analytics to track time users spent on the BI portal.

    2. Develop categories for classifying the different sources of usage data in your current BI environment. Use the following table as starting point for creating these groups:

    This is the content for Layout H4 Tag

    By Frequency Real Time Daily Weekly Yearly
    By Presentation Format Report Dashboard Alert Scorecard
    By Delivery Web portal Excel PDF Mobile application

    INPUT

    • Usage reports
    • Usage statistics

    OUTPUT

    • Insights pertaining to usage patterns

    Materials

    • Usage Insights of the BI Strategy and Roadmap Template

    Participants

    • BA
    • BI Administrator
    • PM

    Activity: Review and analyze usage (cont.)

    1.2.1

    2 hours

    3. Sort your collection of BI artifacts by usage. Discuss some of the reasons why some content is popular whereas some has no usage at all.

    Popular BI Artifacts – Discuss improvements, opportunities and new artifacts

    Unpopular BI Artifacts – Discuss retirement, improvements, and realigning information needs

    4. Summarize your findings in the Usage Insights section of the BI Strategy and Roadmap Template.

    INPUT

    • Usage reports
    • Usage statistics

    OUTPUT

    • Insights pertaining to usage patterns

    Materials

    • Usage Insights section of the BI Strategy and Roadmap Template

    Participants

    • BA
    • BI Administrator
    • PM

    Gather perception to understand the existing BI users

    In 1.2.1, we gathered the statistics for BI usage; it’s the hard data telling who uses what. However, it does not tell you the rationale, or the why, behind the usage. Gathering user perception and having conversations with your BI consumers is the key to bridging the gap.

    User Perception Survey

    Helps you to:

    1. Get general insights on user perception
    2. Narrow down to selected areas

    User Interviews

    Perception can be gathered by user interviews and surveys. Conducting user interviews takes time so it is a good practice to get some primary insights via survey before doing in-depth interviews in selected areas.

    – Shari Lava, Associate Vice-President, IT Research and Advisory Firm

    Define problem statements to create proof-of-concept initiatives

    Info-Tech’s Four Column Model of Data Flow

    Find a data-related problem or opportunity

    Ask open-ended discovery questions about stakeholder fears, hopes, and frustrations to identify a data-related problem that is clear, contained, and fixable. This is then to be written as a problem/opportunity statement.

    1. Fear: What is the number one risk you need to alleviate?
    2. Hope: What is the number one opportunity you wish to realize?
    3. Frustration: What is the number one annoying pet peeve you wish to scratch?

      4. Next, gather information to support a problem/opportunity statement:

    4. What are your challenges in performing the activity or process today?
    5. What does amazing look like if we solve this perfectly?
    6. What other business activities/processes will be impacted/improved if we solve this?
    7. What compliance/regulatory/policy concerns do we need to consider in any solution?
    8. What measures of success/change should we use to prove value of the effort (KPIs/ROI)?
    9. What are the steps in the process/activity?
    10. What are the applications/systems used at each step and from step to step?
    11. What data elements are created, used, and/or transformed at each step?

    Leverage Info-Tech’s BI survey framework to initiate a 360° perception survey

    Info-Tech has developed a BI survey framework to help existing BI practices gather user perception via survey. The framework is built upon best practices developed by McLean & Company.

    1. Communicate the survey
    2. Create a survey
    3. Conduct the survey
    4. Collect and clean survey data
    5. Analyze survey data
    6. Conduct follow-up interviews
    7. Identify and prioritize improvement initiatives

    The survey takes a comprehensive approach by examining your existing BI practices through the following lenses:

    360° Perception

    Demographics Who are the users? From which department?
    Usage How is the current BI being used?
    People Web portal
    Process How good is your BI team from a user perspective?
    Data How good is the BI data in terms of quality and usability?
    Technology How good are your existing BI/reporting tools?
    Textual Feedback The sky’s the limit. Tell us your comments and ideas via open-ended questions.

    Use Info-Tech’s BI End-User Satisfaction Survey Framework to develop a comprehensive BI survey tailored to your organization.

    Activity: Develop a plan to gather user perception of your current BI program

    1.2.2

    2 hours

    This activity helps you to plan for a BI perception survey and subsequent interviews.

    1. Proper communication while conducting surveys helps to boost response rate. The project team should have a meeting with business executives to decide:
    • The survey goals
    • Which areas to cover
    • Which trends and hypotheses you want to confirm
    • Which pre-, during, and post-survey communications should be sent out
  • Have the project team create the first draft of the survey for subsequent review by select business stakeholders. Several iterations may be needed before finalizing.
  • In planning for the conclusion of the survey, the project team should engage a data analyst to:
    1. Organize the data in a useful format
    2. Clean up the survey data when there are gaps
    3. Summarize the data into a presentable/distributable format

    Collectively, the project team and the BI consuming departments should review the presentation and discuss these items:

    Misalignment

    Opportunities

    Inefficiencies

    Trends

    Need detailed interviews?

    INPUT

    • Usage information and analyses

    OUTPUT

    • User-perception survey

    Materials

    • Perception Insights section of the BI Strategy and Roadmap Template

    Participants

    • BA
    • BI Administrator
    • PM
    • Business SMEs

    Create a comprehensive inventory of your BI artifacts

    Taking an inventory of your BI artifacts allows you to understand what deliverables have been developed over the years. Inventory taking should go beyond the BI content. You may want to include additional information products such as Excel spreadsheets, reports that are coming out of an Access database, and reports that are generated from front-end applications (e.g. Salesforce).

    1. Existing Reports from BI platform

      2. If you are currently using a BI platform, you have some BI artifacts (reports, scorecards, dashboards) that are developed within the platform itself.

    • BI Usage Reports (refer to step 2.1) – if you are getting a comprehensive BI usage reports for all your BI artifacts, there is your inventory report too.
    • BI Inventory Reports – Your BI platform may provide out-of-the-box inventory reports. You can use them as your inventory.
    • If the above options are not feasible, you may need to manually create the BI inventory. You may build that from some of your existing BI documentations to save time.

  • Excel and Access

    • Work with the business units to identify if Excel and Access are used to generate reports.

  • Application Reports

    • Data applications such as Salesforce, CRM, and ERP often provide reports as an out-of-the-box feature.
    • Those reports only include data within their respective applications. However, this may present opportunities for integrating application data with additional data sources.

    Activity: Inventory your BI artifacts

    1.2.3

    2+ hours

    This activity helps you to inventory your BI information artifacts and other related information artifacts.

    1. Define the scope of your inventory. Work with the project sponsor and CIO to define which sources should be captured in the inventory process. Consider: BI inventory, Excel spreadsheets, Access reports, and application reporting.
    2. Define the depth of your inventory. Work with the project sponsor and CIO to define the level of granularity. In some settings, the artifact name and a short description may be sufficient. In other cases, you may need to document users and business logic of the artifacts.
    3. Review the inventory results. Discuss findings and opportunities around the following areas:

    Interpret your Inventory

    Duplicated reports/ dashboards Similar reports/ dashboards that may be able to merge Excel and Access reports that are using undocumented, unconventional business logics Application reports that need to be enhanced by additional data Classify artifacts by BI Type

    INPUT

    • Current BI artifacts and documents
    • BI Type classification

    OUTPUT

    • Summary of BI artifacts

    Materials

    • BI Inventory Insights section of the BI Strategy and Roadmap Template

    Participants

    • BA
    • Data analyst
    • PM
    • Project sponsor

    Project sponsor

    1.2.4

    2+ hours

    This activity helps you to inventory your BI by report type.

    1. Classify BI artifacts by type. Use the BI Type tool to classify Work with the project sponsor and CIO to define which sources should be captured in the inventory process. Consider: BI inventory, Excel spreadsheets, Access reports, and application reporting.
    2. Define the depth of your inventory. Work with the project sponsor and CIO to define the level of granularity. In some settings, the artifact name and a short description may be sufficient. In other cases, you may need to document users and business logic of the artifacts.
    3. Review the inventory results. Discuss findings and opportunities around the following areas:

    Interpretation of your Inventory

    Duplicated reports/dashboards Similar reports/dashboards that may be able to merge Excel and Access reports that are using undocumented, unconventional business logics Application reports that need to be enhanced by additional data

    INPUT

    • The BI Type as used by different business units
    • Business BI requirements

    OUTPUT

    • Summary of BI type usage across the organization

    Materials

    • BI Inventory Insights section of the BI Strategy and Roadmap Template

    Participants

    • BA
    • Data analyst
    • PM
    • Project sponsor

    STEP 1.3

    Undergo BI Requirements Gathering

    Perform requirements gathering for revamping your BI environment

    Step Objectives

    • Create principles that will direct effective requirements gathering
    • Create a list of existing and desired BI requirements

    Step Activities

    1.3.1 Create requirements gathering principles

    1.3.2 Gather appropriate requirements

    1.3.3 Organize and consolidate the outputs of requirements gathering activities

    Outcomes

    • Requirements gathering principles that are flexible and repeatable
    • List of BI requirements

    Research Support

    • Info-Tech’s BI Strategy and Roadmap Template

    Proposed Participants in this Step

    Project Manager

    Data Architect(s) or Enterprise Architect

    Project Team

    Business Users

    Don’t let your new BI platform become a victim of poor requirements gathering

    The challenges in requirements management often have underlying causes; find and eliminate the root causes rather than focusing on the symptoms.

    Root Causes of Poor Requirements Gathering:

    • Requirements gathering procedures exist but aren’t followed.
    • There isn't enough time allocated to the requirements gathering phase.
    • There isn't enough involvement or investment secured from business partners.
    • There is no senior leadership involvement or mandate to fix requirements gathering.
    • There are inadequate efforts put towards obtaining and enforcing sign off.

    Outcomes of Poor Requirements Gathering:

    • Rework due to poor requirements leads to costly overruns.
    • Final deliverables are of poor quality and are implemented late.
    • Predicted gains from deployed applications are not realized.
    • There are low feature utilization rates by end users.
    • Teams are frustrated within IT and the business.

    Info-Tech Insight

    Requirements gathering is the number one failure point for most development or procurement projects that don’t deliver value. This has been, and continues to be, the case as most organizations still don't get requirements gathering right. Overcoming organizational cynicism can be a major obstacle to clear when it is time to optimize the requirements gathering process.

    Define the attributes of a good requirement to help shape your requirements gathering principles

    A good requirement has the following attributes:

    Verifiable It is stated in a way that can be tested.
    Unambiguous It is free of subjective terms and can only be interpreted in one way.
    Complete It contains all relevant information.
    Consistent It does not conflict with other requirements.
    Achievable It is possible to accomplish given the budgetary and technological constraints.
    Traceable It can be tracked from inception to testing.
    Unitary It addresses only one thing and cannot be deconstructed into multiple requirements.
    Accurate It is based on proven facts and correct information.

    Other Considerations

    Organizations can also track a requirement owner, rationale, priority level (must have vs. nice to have), and current status (approved, tested, etc.).

    Info-Tech Insight

    Requirements must be solution agnostic – they should focus on the underlying need rather than the technology required to satisfy the need.

    Activity: Define requirements gathering principles

    1.3.1

    1 hour

    1. Invite representatives from the project management office, project management team, and BA team, as well as some key business stakeholders.
    2. Use the sample categories and principles in the table below as starting points for creating your own requirements gathering principles.
    3. Document the requirements gathering principles in the BI Strategy and Roadmap Template.
    4. Communicate the requirements gathering principles to the affected BI stakeholders.

    Sample Principles to Start With

    Effectiveness Face-to-face interviews are preferred over phone interviews.
    Alignment Clarify any misalignments, even the tiniest ones.
    Validation Rephrase requirements at the end to validate requirements.
    Ideation Use drawings and charts to explain ideas.
    Demonstration Make use of Joint Application Development (JAD) sessions.

    INPUT

    • Existing requirement principles (if any)

    OUTPUT

    • Requirements gathering principles that can be revisited and reused

    Materials

    • Requirements Insights section of the BI Strategy and Roadmap Template

    Participants

    • BA Team
    • PM
    • Business stakeholders
    • PMO

    Info-Tech Insight

    Turn requirements gathering principles into house rules. The house rules should be available in every single requirements gathering session and the participants should revisit them when there are disagreements, confusion, or silence.

    Right-size your approach to BI requirements management

    Info-Tech suggests four requirements management approaches based on project complexity and business significance. BI projects usually require the Strategic Approach in requirements management.

    Requirements Management Process Explanations

    Approach Definition Recommended Strategy
    Strategic Approach High business significance and high project complexity merits a significant investment of time and resources in requirements gathering. Treat the requirements gathering phase as a project within a project. A large amount of time should be dedicated to elicitation, business process mapping, and solution design.
    Fundamental Approach High business significance and low project complexity merits a heavy emphasis on the elicitation phase to ensure that the project bases are covered and business value is realized. Look to achieve quick wins and try to survey a broad cross-section of stakeholders during elicitation and validation. The elicitation phase should be highly iterative. Do not over-complicate the analysis and validation of a straightforward project.
    Calculated Approach Low business significance and high project complexity merits a heavy emphasis on the analysis and validation phases to ensure that the solution meets the needs of users. Allocate a significant amount of time to business process modeling, requirements categorization, prioritization, and solution modeling.
    Elementary Approach Low business significance and low project complexity does not merit a high amount of rigor for requirements gathering. Do not rush or skip steps, but aim to be efficient. Focus on basic elicitation techniques (e.g. unstructured interviews, open-ended surveys) and consider capturing requirements as user stories. Focus on efficiency to prevent project delays and avoid squandering resources.

    Vary the modes used in eliciting requirements from your user base

    Requirements Gathering Modes

    Info-Tech has identified four effective requirements gathering modes. During the requirements gathering process, you may need to switch between the four gathering modes to establish a thorough understanding of the information needs.

    Dream Mode

    • Mentality: Let users’ imaginations go wild. The sky’s the limit.
    • How it works: Ask users to dream up the ideal future state and ask how analytics can support those dreams.
    • Limitations: Not all dreams can be fulfilled. A variety of constraints (budget, personnel, technical skills) may prevent the dreams from becoming reality.

    Pain Mode

    • Mentality: Users are currently experiencing pains related to information needs.
    • How it works: Vent the pains. Allow end users to share their information pains, ask them how their pains can be relieved, then convert those pains to requirements.
    • Limitations: Users are limited by the current situation and aren’t looking to innovate.

    Decode Mode

    • Mentality: Read the hidden messages from users. Speculate as to what the users really want.
    • How it works: Decode the underlying messages. Be innovative to develop hypotheses and then validate with the users.
    • Limitations: Speculations and hypothesis could be invalid. They may direct the users into some pre-determined directions.

    Profile Mode

    • Mentality: “I think you may want XYZ because you fall into that profile.”
    • How it works: The information user may fall into some existing user group profile or their information needs may be similar to some existing users.
    • Limitations: This mode doesn’t address very specific needs.

    Supplement BI requirements with user stories and prototyping to ensure BI is fit for purpose

    BI is a continually evolving program. BI artifacts that were developed in the past may not be relevant to the business anymore due to changes in the business and information usage. Revamping your BI program entails revisiting some of the BI requirements and/or gathering new BI requirements.

    Three-Step Process for Gathering Requirements

    Requirements User Stories Rapid Prototyping
    Gather requirements. Most importantly, understand the business needs and wants. Leverage user stories to organize and make sense of the requirements. Use a prototype to confirm requirements and show the initial draft to end users.

    Pain Mode: “I can’t access and manipulate data on my own...”

    Decode Mode: Dig deeper: could this hint at a self-service use case?

    Dream Mode: E.g. a sandbox area where I can play around with clean, integrated, well-represented data.

    Profile Mode: E.g. another marketing analyst is currently using something similar.

    ExampleMary has a spreadmart that keeps track of all campaigns. Maintaining and executing that spreadmart is time consuming.

    Mary is asking for a mash-up data set that she can pivot on her own…

    Upon reviewing the data and the prototype, Mary decided to use a heat map and included two more data points – tenure and lifetime value.

    Identify which BI styles best meet user requirements

    A spectrum of Business Intelligence solutions styles are available. Use Info-Tech’s BI Styles Tool to assess which business stakeholder will be best served by which style.

    Style Description Strategic Importance (1-5) Popularity (1-5) Effort (1-5)
    Standards Preformatted reports Standard, preformatted information for backward-looking analysis. 5 5 1
    User-defined analyses Pre-staged information where “pick lists” enable business users to filter (select) the information they wish to analyze, such as sales for a selected region during a selected previous timeframe. 5 4 2
    Ad-hoc analyses Power users write their own queries to extract self-selected pre-staged information and then use the information to perform a user-created analysis. 5 4 3
    Scorecards and dashboards Predefined business performance metrics about performance variables that are important to the organization, presented in a tabular or graphical format that enables business users to see at a glance how the organization is performing. 4 4 3
    Multidimensional analysis (OLAP) Multidimensional analysis (also known as on-line analytical processing): Flexible tool-based, user-defined analysis of business performance and the underlying drivers or root causes of that performance. 4 3 3
    Alerts Predefined analyses of key business performance variables, comparison to a performance standard or range, and communication to designated businesspeople when performance is outside the predefined performance standard or range. 4 3 3
    Advanced Analytics Application of long-established statistical and/or operations research methods to historical business information to look backward and characterize a relevant aspect of business performance, typically by using descriptive statistics. 5 3 4
    Predictive Analytics Application of long-established statistical and/or operations research methods and historical business information to predict, model, or simulate future business and/or economic performance and potentially prescribe a favored course of action for the future. 5 3 5

    Activity: Gather BI requirements

    1.3.2

    2-6 hours

    Using the approaches discussed on previous slides, start a dialogue with business users to confirm existing requirements and develop new ones.

    1. Invite business stakeholders to a requirements gathering session.

      2. For existing BI artifacts – Invite existing users of those artifacts.

      For new BI development – Invite stakeholders at the executive level to understand the business operation and their needs and wants. This is especially important if their department is new to BI.

    2. Discuss the business requirements. Systematically switch between the four requirements gathering modes to get a holistic view of the requirements.
    3. Once requirements are gathered, organize them to tell a story. A story usually has these components:
    The Setting The Characters The Venues The Activities The Future
    Example Customers are asking for a bundle discount. CMO and the marketing analysts want to… …the information should be available in the portal, mobile, and Excel. …information is then used in the bi-weekly pricing meeting to discuss… …bundle information should contain historical data in a graphical format to help executives.

    INPUT

    • Existing documentations on BI artifacts

    OUTPUT

    • Preliminary, uncategorized list of BI requirements

    Materials

    • Requirements Insights section of the BI Strategy and Roadmap Template

    Participants

    • BA team
    • Business stakeholders
    • Business SMEs
    • BI developers

    Clarify consumer needs by categorizing BI requirements

    Requirements are too broad in some situations and too detailed in others. In the previous step we developed user stories to provide context. Now you need to define requirement categories and gather detailed requirements.

    Considerations for Requirement Categories

    Category Subcategory Sample Requirements
    Data Granularity Individual transaction
    Transformation Transform activation date to YYYY-MM format
    Selection Criteria Client type: consumer. Exclude SMB and business clients. US only. Recent three years
    Fields Required Consumer band, Region, Submarket…
    Functionality Filters Filters required on the dashboard: date range filter, region filter…
    Drill Down Path Drill down from a summary report to individual transactions
    Analysis Required Cross-tab, time series, pie chart
    Visual Requirements Mock-up See attached drawing
    Section The dashboard will be presented using three sections
    Conditional Formatting Below-average numbers are highlighted
    Security Mobile The dashboard needs to be accessed from mobile devices
    Role Regional managers will get a subset of the dashboard according to the region
    Users John, Mary, Tom, Bob, and Dave
    Export Dashboard data cannot be exported into PDF, text, or Excel formats
    Performance Speed A BI artifact must be loaded in three seconds
    Latency Two seconds response time when a filter is changed
    Capacity Be able to serve 50 concurrent users with the performance expected
    Control Governance Govern by the corporate BI standards
    Regulations Meet HIPPA requirements
    Compliance Meet ISO requirements

    Prioritize requirements to assist with solution modeling

    Prioritization ensures that the development team focuses on the right requirements.

    The MoSCoW Model of Prioritization

    Must Have Requirements that mustbe implemented for the solution to be considered successful.
    Should Have Requirements that are high priority and should be included in the solution if possible.
    Could Have Requirements that are desirable but not necessary and could be included if resources are available.
    Won't Have Requirements that won’t be in the next release but will be considered for the future releases.

    The MoSCoW model was introduced by Dai Clegg of Oracle UK in 1994.

    Prioritization is the process of ranking each requirement based on its importance to project success. Hold a separate meeting for the domain SMEs, implementation SMEs, project managers, and project sponsors to prioritize the requirements list. At the conclusion of the meeting, each requirement should be assigned a priority level. The implementation SMEs will use these priority levels to ensure that efforts are targeted towards the proper requirements and the plan features available on each release. Use the MoSCoW Model of Prioritization to effectively order requirements.

    Activity: Finalize the list of BI requirements

    1.3.3

    1-4 hours

    Requirement Category Framework

    Category Subcategory
    Data Granularity
    Transformation
    Selection Criteria
    Fields Required
    Functionality Filters
    Drill Down Path
    Analysis Required
    Visual Requirements Mock-up
    Section
    Conditional Formatting
    Security Mobile
    Role
    Users
    Export
    Performance Speed
    Latency
    Capacity
    Control Governance
    Regulations
    Compliance

    Create requirement buckets and classify requirements.

    1. Define requirement categories according to the framework.
    2. Review the user story and requirements you collected in Step 1.3.2. Classify the requirements within requirement categories.
    3. Review the preliminary list of categorized requirements and look for gaps in this detailed view. You may need to gather additional requirements to fill the gaps.
    4. Prioritize the requirements according to the MoSCoW framework.
    5. Document your final list of requirements in the BI Strategy and Roadmap Template.

    INPUT

    • Existing requirements and new requirements from step 1.3.2

    OUTPUT

    • Prioritized and categorized requirements

    Materials

    • Requirements Insights section of the BI Strategy and Roadmap Template

    Participants

    • BA
    • Business stakeholders
    • PMO

    Translate your findings and ideas into actions that will be integrated into the BI Strategy and Roadmap Template

    As you progress through each phase, document findings and ideas as they arise. At phase end, hold a brainstorming session with the project team focused on documenting findings and ideas and substantiating them into improvement actions.

    Translating findings and ideas into actions that will be integrated into the BI Strategy and Roadmap Template

    Ask yourself how BI or analytics can be used to address the gaps and explore opportunities uncovered in each phase. For example, in Phase 1, how do current BI capabilities impede the realization of the business vision?

    Document and prioritize Phase 1 findings, ideas, and action items

    1.3.4

    1-2 hours

    1. Reconvene as a group to review findings, ideas, and actions harvested in Phase 1. Write the findings, ideas, and actions on sticky notes.
    2. Prioritize the sticky notes to yield those with high business value and low implementation effort. View some sample findings below:
      3. High Business Value, Low Effort High Business Value, High Effort
      Low Business Value, High Effort Low Business Value, High Effort

      Phase 1

      Sample Phase 1 Findings Found two business objectives that are not supported by BI/analytics
      Some executives still think BI is reporting
      Some confusion around operational reporting and BI
      Data quality plays a big role in BI
      Many executives are not sure about the BI ROI or asking for one
    3. Select the top findings and document them in the “Other Phase 1 Findings” section of the BI Strategy and Roadmap Template. The findings will be used again in Phase 3.

    INPUT

    • Phase 1 activities
    • Business context (vision, mission, goals, etc.

    OUTPUT

    • Other Phase 1 Findings section of the BI Strategy and Roadmap Template

    Materials

    • Whiteboard
    • Sticky notes

    Participants

    • Project manger
    • Project team
    • Business stakeholders

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech workshop

    Book a workshop with our Info-Tech analysts:

    • To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
    • Info-Tech analysts will join you and your team onsite at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.
    • Contact your account manager (www.infotech.com/account), or email Workshops@InfoTech.com for more information.

    The following are sample activities that will be conducted by Info-Tech analysts with your team:

    1.1.1-1.1.5

    Establish the business context

    To begin the workshop, your project team will be taken through a series of activities to establish the overall business vision, mission, objectives, goals, and key drivers. This information will serve as the foundation for discerning how the revamped BI strategy needs to enable business users.

    1.2.1- 1.2.3

    Create a comprehensive documentation of your current BI environment

    Our analysts will take your project team through a series of activities that will facilitate an assessment of current BI usage and artifacts, and help you design an end-user interview survey to elicit context around BI usage patterns.

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech workshop

    Book a workshop with our Info-tech analysts

    1.3.1-1.3.3

    Establish new BI requirements

    Our analysts will guide your project team through frameworks for eliciting and organizing requirements from business users, and then use those frameworks in exercises to gather some actual requirements from business stakeholders.

    Phase 2

    Evaluate Your Current BI Practice

    Build a Reporting and Analytics Strategy

    Revisit project metrics to track phase progress

    Goals for Phase 2:

    • Assess your current BI practice. Determine the maturity of your current BI practice from different viewpoints.
    • Develop your BI target state. Plan your next generation BI with Info-Tech’s BI patterns and best practices.
    • Safeguard your target state. Avoid BI pitfalls by proactively monitoring BI risks.

    Info-Tech’s Suggested Metrics for Tracking Phase 2 Goals

    Practice Improvement Metrics Data Collection and Calculation Expected Improvement
    # of groups participated in the current state assessment The number of groups joined the current assessment using Info-Tech’s BI Practice Assessment Tool Varies; the tool can accommodate up to five groups
    # of risks mitigated Derive from your risk register At least two to five risks will be identified and mitigated

    Intangible Metrics:

    • Prototyping approach allows the BI group to understand more about business requirements, and in the meantime, allows the business to understand how to partner with the BI group.
    • The BI group and the business have more confidence in the BI program as risks are monitored and mitigated on an ad hoc basis.

    Evaluate your current BI practice

    Phase 2 Overarching Insight

    BI success is not based solely on the technology it runs on; technology cannot mask gaps in capabilities. You must be capable in your environment, and data management, data quality, and related data practices must be strong. Otherwise, the usefulness of the intelligence suffers. The best BI solution does not only provide a technology platform, but also addresses the elements that surround the platform. Look beyond tools and holistically assess the maturity of your BI practice with input from both the BI consumer and provider perspectives.

    Understand the Business Context to Rationalize Your BI Landscape Evaluate Your Current BI Practice Create a BI Roadmap for Continuous Improvement
    Establish the Business Context
    • Business Vision, Goals, Key Drivers
    • Business Case Presentation
    • High-Level ROI
    		 Assess Your Current BI Maturity
    • SWOT Analysis
    • BI Practice Assessment
    • Summary of Current State
    		 Construct a BI Initiative Roadmap
    • BI Improvement Initiatives
    • BI Strategy and Roadmap
    Access Existing BI Environment
    • BI Perception Survey Framework
    • Usage Analyses
    • BI Report Inventory
    		 Envision BI Future State
    • BI Patterns
    • BI Practice Assessment
    • List of Functions
    		 Plan for Continuous Improvement
    • Excel Governance Policy
    • BI Ambassador Network Draft
    Undergo Requirements Gathering
    • Requirements Gathering Principles
    • Overall BI Requirements

    Phase 2 overview

    Detailed Overview

    Step 1: Assess Your Current BI Practice

    Step 2: Envision a Future State for Your BI Practice

    Outcomes

    • A comprehensive assessment of current BI practice maturity and capabilities.
    • Articulation of your future BI practice.
    • Improvement objectives and activities for developing your current BI program.

    Benefits

    • Identification of clear gaps in BI practice maturity.
    • A current state assessment that includes the perspectives of both BI providers and consumers to highlight alignment and/or discrepancies.
    • A future state is defined to provide a benchmark for your BI program.
    • Gaps between the future and current states are identified; recommendations for the gaps are defined.

    Phase 2 outline

    Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

    Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

    Guided Implementation 2: Evaluate Your Current BI Practice

    Proposed Time to Completion: 1-2 weeks

    Step 2.1: Assess Your Current BI Practice

    Start with an analyst kick-off call:

    • Detail the benefits of conducting multidimensional assessments that involve BI providers as well as consumers.
    • Review Info-Tech’s BI Maturity Model.

    Then complete these activities…

    • SWOT analyses
    • Identification of BI maturity level through a current state assessment

    With these tools & templates:

    BI Practice Assessment Tool

    BI Strategy and Roadmap Template

    Step 2.2: Envision a Future State for Your BI Practice

    Review findings with an analyst:

    • Discuss overall maturity gaps and patterns in BI perception amongst different units of your organization.
    • Discuss how to translate activity findings into robust initiatives, defining critical success factors for BI development and risk mitigation.

    Then complete these activities…

    • Identify your desired BI patterns and functionalities.
    • Complete a target state assessment for your BI practice.
    • Review capability practice gaps and phase-level metrics.

    With these tools & templates:

    BI Practice Assessment Tool

    BI Strategy and Roadmap Template

    Phase 2 Results & Insights:

    • A comprehensive assessment of the organization’s current BI practice capabilities and gaps
    • Visualization of BI perception from a variety of business users as well as IT
    • A list of tasks and initiatives for constructing a strategic BI improvement roadmap

    STEP 2.1

    Assess the Current State of Your BI Practice

    Assess your organization’s current BI capabilities

    Step Objectives

    • Understand the definitions and roles of each component of BI.
    • Contextualize BI components to your organization’s environment and current practices.

    Step Activities

    2.1.1 Perform multidimensional SWOT analyses

    2.1.2 Assess current BI and analytical capabilities, Document challenges, constraints, opportunities

    2.1.3 Review the results of your current state assessment

    Outcomes

    • Holistic perspective of current BI strengths and weaknesses according to BI users and providers
    • Current maturity in BI and related data management practices

    Research Support

    • Info-Tech’s Data Management Framework
    • Info-Tech’s BI Practice Assessment Tool
    • Info-Tech’s BI Strategy and Roadmap Template

    Proposed Participants in this Step

    Project Manager

    Data Architect(s) or Enterprise Architect

    Project Team

    Gather multiple BI perspectives with comprehensive SWOT analyses

    SWOT analysis is an effective tool that helps establish a high-level context for where your practice stands, where it can improve, and the factors that will influence development.

    Strengths

    Best practices, what is working well

    		 Weaknesses

    Inefficiencies, errors, gaps, shortcomings
    Opportunities

    Review internal and external drivers

    		 Threats

    Market trends, disruptive forces

    While SWOT is not a new concept, you can add value to SWOT by:

    • Conducting a multi-dimensional SWOT to diversify perspectives – involve the existing BI team, BI management, business executives and other business users.
    • SWOT analyses traditionally provide a retrospective view of your environment. Add a future-looking element by creating improvement tasks/activities at the same time as you detail historical and current performance.

    Info-Tech Insight

    Consider a SWOT with two formats: a private SWOT worksheet and a public SWOT session. Participants will be providing suggestions anonymously while solicited suggestions will be discussed in the public SWOT session to further the discussion.

    Activity: Perform a SWOT analysis in groups to get a holistic view

    2.1.1

    1-2 hours

    This activity will take your project team through a holistic SWOT analysis to gather a variety of stakeholder perception of the current BI practice.

    1. Identify individuals to involve in the SWOT activity. Aim for a diverse pool of participants that are part of the BI practice in different capacities and roles. Solution architects, application managers, business analysts, and business functional unit leaders are a good starting point.
    2. Review the findings summary from Phase 1. You may opt to facilitate this activity with insights from the business context. Each group will be performing the SWOT individually.
    3. The group results will be collected and consolidated to pinpoint common ideas and opinions. Individual group results should be represented by a different color. The core program team will be reviewing the consolidated result as a group.
    4. Document the results of these SWOT activities in the appropriate section of the BI Strategy and Roadmap Template.

    SWOT

    Group 1 Provider Group E.g. The BI Team

    Group 2 Consumer Group E.g. Business End Users

    INPUT

    • IT and business stakeholder perception

    OUTPUT

    • Multi-faceted SWOT analyses
    • Potential BI improvement activities/objectives

    Materials

    • SWOT Analysis section of the BI Strategy and Roadmap Template

    Participants

    • Selected individuals in the enterprise (variable)

    Your organization’s BI maturity is determined by several factors and the degree of immersion into your enterprise

    BI Maturity Level

    A way to categorize your analytics maturity to understand where you are currently and what next steps would be best to increase your BI maturity.

    There are several factors used to determine BI maturity:

    Buy-in and Data Culture

    Determines if there is enterprise-wide buy-in for developing business intelligence and if a data-driven culture exists.

    Business–IT Alignment

    Examines if current BI and analytics operations are appropriately enabling the business objectives.

    Governance Structure

    Focuses on whether or not there is adequate governance in place to provide guidance and structure for BI activities.

    Organization Structure and Talent

    Pertains to how BI operations are distributed across the overall organizational structure and the capabilities of the individuals involved.

    Process

    Reviews analytics-related processes and policies and how they are created and enforced throughout the organization.

    Data

    Deals with analytical data in terms of the level of integration, data quality, and usability.

    Technology

    Explores the opportunities in building a fit-for-purpose analytics platform and consolidation opportunities.

    Evaluate Your Current BI Practice with the CMMI model

    To assess BI, Info-Tech uses the CMMI model for rating capabilities in each of the function areas on a scale of 1-5. (“0” and “0.5” values are used for non-existent or emerging capabilities.)

    The image shows an example of a CMMI model

    Use Info-Tech’s BI Maturity Model as a guide for identifying your current analytics competence

    Leverage a BI strategy to revamp your BI program to strive for a high analytics maturity level. In the future you should be doing more than just traditional BI. You will perform self-service BI, predictive analytics, and data science.

    Ad Hoc Developing Defined Managed Trend Setting
    Questions What’s wrong? What happened? What is happening? What happened, is happening, and will happen? What if? So what?
    Scope One business problem at a time One particular functional area Multiple functional areas Multiple functional areas in an integrated fashion Internal plus internet scale data
    Toolset Excel, Access, primitive query tools Reporting tools or BI BI BI, business analytics tools Plus predictive platforms, data science tools
    Delivery Model IT delivers ad hoc reports IT delivers BI reports IT delivers BI reports and some self-service BI Self-service BI and report creation at the business units Plus predictive models and data science projects
    Mindset Firefighting using data Manage using data Analyze using data; shared tooling Data is an asset, shared data Data driven
    BI Org. Structure Data analysts in IT BI BI program BI CoE Data Innovation CoE

    Leverage Info-Tech’s BI Practice Assessment Tool to define your BI current state

    BI Practice Assessment Tool

    1. Assess Current State
    • Eight BI practice areas to assess maturity.
    • Based on CMMI maturity scale.
  • Visualize Current State Results
    • Determine your BI maturity level.
    • Identify areas with outstanding maturity.
    • Uncover areas with low maturity.
    • Visualize the presence of misalignments.
  • Target State
    • Tackle target state from two views: business and IT.
    • Calculate gaps between target and current state.
  • Visualize Target State and Gaps
    • A heat map diagram to compare the target state and the current state.
    • Show both current and target maturity levels.
    • Detailed charts to show results for each area.
    • Detailed list of recommendations.

    Purposes:

    • Assess your BI maturity.
    • Visualize maturity assessment to quickly spot misalignments, gaps, and opportunities.
    • Provide right-sized recommendations.

    Info-Tech Insight

    Assessing current and target states is only the beginning. The real value comes from the interpretation and analysis of the results. Use visualizations of multiple viewpoints and discuss the results in groups to come up with the most effective ideas for your strategy and roadmap.

    Activity: Conduct a current state assessment of your BI practice maturity

    2.1.2

    2-3 hours

    Use the BI Practice Assessment Tool to establish a baseline for your current BI capabilities and maturity.

    1. Navigate to Tab 2. Current State Assessment in the BI Practice Assessment Tool and complete the current state assessment together or in small groups. If running a series of assessments, do not star or scratch every time. Use the previous group’s results to start the conversation with the users.

      2. Info-Tech suggests the following groups participate in the completion of the assessment to holistically assess BI and to uncover misalignment:

      Providers Consumers
      CIO & BI Management BI Work Groups (developers, analysts, modelers) Business Unit #1 Business Unit #2 Business Unit #3
    2. For each assessment question, answer the current level of maturity in terms of:
      1. Initial/Ad hoc – the starting point for use of a new or undocumented repeat process
      2. Developing – the process is documented such that it is repeatable
      3. Defined – the process is defined/confirmed as a standard business process
      4. Managed and Measurable – the process is quantitatively managed in accordance with agreed-upon metrics.
      5. Optimized – the process includes process optimization/improvement.

    INPUT

    • Observations of current maturity

    OUTPUT

    • Comprehensive current state assessment

    Materials

    • BI Practice Assessment Tool
    • Current State Assessment section of the BI Strategy and Roadmap Template

    Participants

    • Selected individuals as suggested by the assessment tool

    Info-Tech Insight

    Discuss the rationale for your answers as a group. Document the comments and observations as they may be helpful in formulating the final strategy and roadmap.

    Activity: Review and analyze the results of the current state assessment

    2.1.3

    2-3 hours

    1. Navigate to Tab 3. Current State Results in the BI Practice Assessment Tool and review the findings:

    The tool provides a brief synopsis of your current BI state. Review the details of your maturity level and see where this description fits your organization and where there may be some discrepancies. Add additional comments to your current state summary in the BI Strategy and Roadmap Document.

    In addition to reviewing the attributes of your maturity level, consider the following:

    1. What are the knowns – The knowns confirm your understanding on the current landscape.
  • What are the unknowns – The unknowns show you the blind spots. They are very important to give you an alternative view of the your current state. The group should discuss those blind spots and determine what to do with them.

    • Activity: Review and analyze the results of the current state assessment (cont.)

    2.1.3

    2-3 hours

    2. Tab 3 will also visualize a breakdown of your maturity by BI practice dimension. Use this graphic as a preliminary method to identify where your organization is excelling and where it may need improvement.

    Better Practices

    Consider: What have you done in the areas where you perform well?

    Candidates for Improvement

    Consider: What can you do to improve these areas? What are potential barriers to improvement?

    STEP 2.2

    Envision a Future State for Your Organization’s BI Practice

    Detail the capabilities of your next generation BI practice

    Step Objectives

    • Create guiding principles that will shape your organization’s ideal BI program.
    • Pinpoint where your organization needs to improve across several BI practice dimensions.
    • Develop approaches to remedy current impediments to BI evolution.

      • Step Activities

      2.2.1 Define guiding principles for the future state

      2.2.2 Define the target state of your BI practice

      2.2.3 Confirm requirements for BI Styles by management group

      2.2.4 Analyze gaps in your BI practice and generate improvement activities and objectives

      2.2.5 Define the critical success factors for future BI

      2.2.6 Identify potential risks for your future state and create a mitigation plan

    Outcomes

    • Defined landscape for future BI capabilities, including desired BI functionalities.
    • Identification of crucial gaps and improvement points to include in a BI roadmap.
    • Updated BI Styles Usage sheet.

    Research Support

    • Info-Tech’s Data Management Framework
    • Info-Tech’s BI Practice Assessment Tool
    • Info-Tech’s BI Strategy and Roadmap Template

    Proposed Participants in this Step

    Project Manager

    Data Architect(s) or Enterprise Architect

    Project Team

    Define guiding principles to drive your future state envisioning

    Envisioning a BI future state is essentially architecting the future for your BI program. It is very similar to enterprise architecture (EA). Guiding principles are widely used in enterprise architecture. This best practice should also be used in BI envisioning.

    Benefits of Guiding Principles in a BI Context

    • BI planning involves a number of business units. Defining high-level future state principles helps to establish a common ground for those different business units.
    • Ensure the next generation BI aligns with the corporate enterprise architecture and data architecture principles.
    • Provide high-level guidance without depicting detailed solutioning by leaving room for innovation.

    Sample Principles for BI Future State

    1. BI should be fit for purpose. BI is a business technology that helps business users.
    2. Business–IT collaboration should be encouraged to ensure deliverables are relevant to the business.
    3. Focus on continuous improvement on data quality.
    4. Explore opportunities to onboard and integrate new datasets to create a holistic view of your data.
    5. Organize and present data in an easy-to-consume, easy-to-digest fashion.
    6. BI should be accessible to everything, as soon as they have a business case.
    7. Do not train just on using the platform. Train on the underlying data and business model as well.
    8. Develop a training platform where trainees can play around with the data without worrying about messing it up.

    Activity: Define future state guiding principles for your BI practice

    2.2.1

    1-2 hours

    Guiding principles are broad statements that are fundamental to how your organization will go about its activities. Use this as an opportunity to gather relevant stakeholders and solidify how your BI practice should perform moving forward.

    1. To ensure holistic and comprehensive future state principles, invite participants from the business, the data management team, and the enterprise architecture team. If you do not have an enterprise architecture practice, invite people that are involved in building the enterprise architecture. Five to ten people is ideal.

      2. BI Future State

      Awareness Buy-in Business-IT Alignment Governance Org. Structure; People Process; Policies; Standards Data Technology
    2. Once the group has some high-level ideas on what the future state looks like, brainstorm guiding principles that will facilitate the achievement of the future state (see above).
    3. Document the future state principles in the Future State Principles for BI section of the BI Strategy and Roadmap Template

    INPUT

    • Existing enterprise architecture guiding principles
    • High-level concept of future state BI

    OUTPUT

    • Guiding principles for prospective BI practice

    Materials

    • Future State Principles section of the BI Strategy and Roadmap Template

    Participants

    • Business representatives
    • IT representatives
    • The EA group

    Leverage prototypes to facilitate a continuous dialogue with end users en route to creating the final deliverable

    At the end of the day, BI makes data and information available to the business communities. It has to be fit for purpose and relevant to the business. Prototypes are an effective way to ensure relevant deliverables are provided to the necessary users. Prototyping makes your future state a lot closer and a lot more business friendly.

    Simple Prototypes

    • Simple paper-based, whiteboard-based prototypes with same notes.
    • The most basic communication tool that facilitates the exchange of ideas.
    • Often used in Joint Application Development (JAD) sessions.
    • Improve business and IT collaboration.
    • Can be used to amend requirements documents.

    Discussion Possibilities

    • Initial ideation at the beginning
    • Align everyone on the same page
    • Explain complex ideas/layouts
    • Improve collaboration

    Elaborated Prototypes

    • Demonstrates the possibilities of BI in a risk-free environment.
    • Creates initial business value with your new BI platform.
    • Validates the benefits of BI to the organization.
    • Generates interest and support for BI from senior management.
    • Prepares BI team for the eventual enterprise-wide deployment.

    Discussion Possibilities

    • Validate and refine requirements
    • Fail fast, succeed fast
    • Acts as checkpoints
    • Proxy for the final working deliverable

    Leverage Info-Tech’s BI Practice Assessment Tool to define your BI target state and visualize capability gaps

    BI Practice Assessment Tool

    1. Assess Current State
    • Eight BI practice areas to assess maturity.
    • Based on CMMI maturity scale.
  • Visualize Current State Results
    • Determine your BI maturity level.
    • Identify areas with outstanding maturity.
    • Uncover areas with low maturity.
    • Visualize the presence of misalignments.
  • Target State
    • Tackle target state from two views: business and IT.
    • Calculate gaps between target and current state.
  • Visualize Target State and Gaps
    • A heat map diagram to compare the target state and the current state.
    • Show both current and target maturity levels.
    • Detailed charts to show results for each area.
    • Detailed list of recommendations.

    Purposes:

    • Assess your BI maturity.
    • Visualize maturity assessment to quickly spot misalignments, gaps, and opportunities.
    • Provide right-sized recommendations.

    Document essential findings in Info-Tech’s BI Strategy and Roadmap Template.

    Info-Tech Insight

    Assessing current and target states is only the beginning. The real value comes from the interpretation and analyses of the results. Use visualizations of multiple viewpoints and discuss the results in groups to come up with the most effective ideas for your strategy and roadmap.

    Activity: Define the target state for your BI practice

    2.2.2

    2 hours

    This exercise takes your team through establishing the future maturity of your BI practice across several dimensions.

    1. Envisioning of the future state will involve input from the business side as well as the IT department.

      2. The business and IT groups should get together separately and determine the target state maturity of each of the BI practice components:

    The image is a screenshot of Tab 4: Target State Evaluation of the BI Practice Assessment Tool

    INPUT

    • Desired future practice capabilities

    OUTPUT

    • Target state assessment

    Materials

    • Tab 4 of the BI Practice Assessment Tool

    Participants

    • Business representatives
    • IT representatives

    Activity: Define the target state for your BI practice (cont.)

    2.2.2

    2 hours

    2. The target state levels from the two groups will be averaged in the column “Target State Level.” The assessment tool will automatically calculate the gaps between future state value and the current state maturity determined in Step 2.1. Significant gaps in practice maturity will be highlighted in red; smaller or non-existent gaps will appear green.

    The image is a screenshot of Tab 4: Target State Evaluation of the BI Practice Assessment Tool with Gap highlighted.

    INPUT

    • Desired future practice capabilities

    OUTPUT

    • Target state assessment

    Materials

    • Tab 4 of the BI Practice Assessment Tool

    Participants

    • Business representatives
    • IT representatives

    Activity: Revisit the BI Style Analysis sheet to define new report and analytical requirements by C-Level

    2.2.3

    1-2 hours

    The information needs for each executive is unique to their requirements and management style. During this exercise you will determine the reporting and analytical needs for an executive in regards to content, presentation and cadence and then select the BI style that suite them best.

    1. To ensure a holistic and comprehensive need assessment, invite participants from the business and BI team. Discuss what data the executive currently use to base decisions on and explore how the different BI styles may assist. Sample reports or mock-ups can be used for this purpose.
    2. Document the type of report and required content using the BI Style Tool.
    3. The BI Style Tool will then guide the BI team in the type of reporting to develop and the level of Self-Service BI that is required. The tool can also be used for product selection.

    INPUT

    • Information requirements for C-Level Executives

    OUTPUT

    • BI style(s) that are appropriate for an executive’s needs

    Materials

    • BI Style Usage sheet from BI Strategy and Roadmap Template
    • Sample Reports

    Participants

    • Business representatives
    • BI representatives

    Visualization tools facilitate a more comprehensive understanding of gaps in your existing BI practice

    Having completed both current and target state assessments, the BI Practice Assessment Tool allows you to compare the results from multiple angles.

    At a higher level, you can look at your maturity level:

    At a detailed level, you can drill down to the dimensional level and item level.

    The image is a screenshots from Tab 4: Target State Evaluation of the BI Practice Assessment Tool

    At a detailed level, you can drill down to the dimensional level and item level.

    Activity: Analyze gaps in BI practice capabilities and generate improvement objectives/activities

    2.2.4

    2 hours

    This interpretation exercise helps you to make sense of the BI practice assessment results to provide valuable inputs for subsequent strategy and roadmap formulation.

    1. IT management and the BI team should be involved in this exercise. Business SMEs should be consulted frequently to obtain clarifications on what their ideal future state entails.

      2. Begin this exercise by reviewing the heat map and identifying:

    • Areas with very large gaps
    • Areas with small gaps

    Areas with large gaps

    Consider: Is the target state feasible and achievable? What are ways we can improve incrementally in this area? What is the priority for addressing this gap?

    Areas with small/no gaps

    Consider: Can we learn from those areas? Are we setting the bar too low for our capabilities?

    INPUT

    • Current and target state visualizations

    OUTPUT

    • Gap analysis (Tab 5)

    Materials

    • Tab 5 of the BI Practice Assessment Tool
    • Future State Assessment Results section of the BI Strategy and Roadmap Template

    Participants

    • Business representatives
    • IT representatives

    Activity: Analyze gaps in BI practice capabilities and generate improvement objectives/activities (cont.)

    2.2.4

    2 hours

    2. Discuss the differences in the current and target state maturity level descriptions. Questions to ask include:

    • What are the prerequisites before we can begin to build the future state?
    • Is the organization ready for that future state? If not, how do we set expectations and vision for the future state?
    • Do we have the necessary competencies, time, and support to achieve our BI vision?

    INPUT

    • Current and target state visualizations

    OUTPUT

    • Gap analysis (Tab 5)

    Materials

    • Tab 5 of the BI Practice Assessment Tool
    • Future State Assessment Results section of the BI Strategy and Roadmap Template

    Participants

    • Business representatives
    • IT representatives

    Activity: Analyze gaps in BI practice capabilities and generate improvement objectives/activities (cont.)

    2.2.4

    2 hours

    3. Have the same group members reconvene and discuss the recommendations at the BI practice dimension level on Tab 5. of the BI Practice Assessment Tool. These recommendations can be used as improvement actions or translated into objectives for building your BI capabilities.

    Example

    The heat map displayed the largest gap between target state and current state in the technology dimension. The detailed drill-down chart will further illustrate which aspect(s) of the technology dimension is/are showing the most room for improvement in order to better direct your objective and initiative creation.

    The image is of an example and recommendations.

    Considerations:

    • What dimension parameters have the largest gaps? And why?
    • Is there a different set of expectations for the future state?

    Define critical success factors to direct your future state

    Critical success factors (CSFs) are the essential factors or elements required for ensuring the success of your BI program. They are used to inform organizations with things they should focus on to be successful.

    Common Provider (IT Department) CSFs

    • BI governance structure and organization is created.
    • Training is provided for the BI users and the BI team.
    • BI standards are in place.
    • BI artifacts rely on quality data.
    • Data is organized and presented in a usable fashion.
    • A hybrid BI delivery model is established.
    • BI on BI; a measuring plan has to be in place.

    Common Consumer (Business) CSFs

    • Measurable business results have been improved.
    • Business targets met/exceeded.
    • Growth plans accelerated.
    • World-class training to empower BI users.
    • Continuous promotion of a data-driven culture.
    • IT–business partnership is established.
    • Collaborative requirements gathering processes.
    • Different BI use cases are supported.

    …a data culture is essential to the success of analytics. Being involved in a lot of Bay Area start-ups has shown me that those entrepreneurs that are born with the data DNA, adopt the data culture and BI naturally. Other companies should learn from these start-ups and grow the data culture to ensure BI adoption.

    – Cameran Hetrick, Senior Director of Data Science & Analytics, thredUP

    Activity: Define provider and consumer critical success factors for your future BI capabilities

    2.2.5

    2 hours

    Create critical success factors that are important to both BI providers and BI consumers.

    1. Divide relevant stakeholders into two groups:
      2. BI Provider (aka IT) BI Consumer (aka Business)
    2. Write two headings on the board: Objective and Critical Success Factors. Write down each of the objectives created in Phase 1.
    3. Divide the group into small teams and assign each team an objective. For each objective, ask the following question:

      4. What needs to be put in place to ensure that this objective is achieved?

      The answer to the question is your candidate CSF. Write CSFs on sticky notes and stick them by the relevant objective.

    4. Rationalize and consolidate CSFs. Evaluate the list of candidate CSFs to find the essential elements for achieving success.
    5. For each CSF, identify at least one key performance indicator that will serve as an appropriate metric for tracking achievement.

    As you evaluate candidate CSFs, you may uncover new objectives for achieving your future state BI.

    INPUT

    • Business objectives

    OUTPUT

    • A list of critical success factors mapped to business objectives

    Materials

    • Whiteboard and colored sticky notes
    • CSFs for the Future State section of the BI Strategy and Roadmap Template

    Participants

    • Business and IT representatives
    • CIO
    • Head of BI

    Round out your strategy for BI growth by evaluating risks and developing mitigation plans

    A risk matrix is a useful tool that allows you to track risks on two dimensions: probability and impact. Use this matrix to help organize and prioritize risk, as well as develop mitigation strategies and contingency plans appropriately.

    Example of a risk matrix using colour coding

    Info-Tech Insight

    Tackling risk mitigation is essentially purchasing insurance. You cannot insure everything – focus your investments on mitigating risks with a reasonably high impact and high probability.

    Be aware of some common barriers that arise in the process of implementing a BI strategy

    These are some of the most common BI risks based on Info-Tech’s research:

    Low Impact Medium Impact High Impact
    High Probability
    • Users revert back to Microsoft Excel to analyze data.
    • BI solution does not satisfy the business need.
    • BI tools become out of sync with new strategic direction.
    • Poor documentation creates confusion and reduces user adoption.
    • Fail to address data issues: quality, integration, definition.
    • Inadequate communication with stakeholders throughout the project.
    • Users find the BI tool interface too confusing.
    Medium Probability
    • Fail to define and monitor KPIs.
    • Poor training results in low user adoption.
    • Organization culture is resistant to the change.
    • Lack of support from the sponsors.
    • No governance over BI.
    • Poor training results in misinformed users.
    Low Probability
    • Business units independently invest in BI as silos.

    Activity: Identify potential risks for your future state and create a mitigation plan

    2.2.6

    1 hour

    As part of developing your improvement actions, use this activity to brainstorm some high-level plans for mitigating risks associated with those actions.

    Example:

    Users find the BI tool interface too confusing.

    1. Use the probability-impact matrix to identify risks systematically. Collectively vote on the probability and impact for each risk.
    2. Risk mitigation. Risk can be mitigated by three approaches:

      3. A. Reducing its probability

      B. Reducing its impact

      C. Reducing both

      Option A: Brainstorm ways to reduce risk probability

      E.g. The probability of the above risk may be reduced by user training. With training, the probability of confused end users will be reduced.

      Option B: Brainstorm ways to reduce risk impact

      E.g. The impact can be reduced by ensuring having two end users validate each other’s reports before making a major decision.

    3. Document your high-level mitigation strategies in the BI Strategy and Roadmap Template.

    INPUT

    • Step 2.2 outputs

    OUTPUT

    • High-level risk mitigation plans

    Materials

    • Risks and Mitigation section of the BI Strategy and Roadmap Template

    Participants

    • BI sponsor
    • CIO
    • Head of BI

    Translate your findings and ideas into actions that will be integrated into the BI strategy and roadmap

    As you progress through each phase, document findings and ideas as they arise. By phase end, hold a brainstorming session with the project team focused on documenting findings and ideas and substantiating them into improvement actions.

    Translated findings and ideas into actions that will be integrated into the BI strategy and roadmap.

    Ask yourself how BI or analytics can be used to address the gaps and explore opportunities uncovered in each phase. For example, in Phase 1, how do current BI capabilities impede the realization of the business vision?

    Document and prioritize Phase 2 findings, ideas, and action items

    2.2.7

    1-2 hours

    1. Reconvene as a group to review the findings, ideas, and actions harvested in Phase 2. Write the findings, ideas, and actions on sticky notes.
    2. Prioritize the sticky notes to yield those with high business value and low implementation effort. View some sample findings below:
      3. High Business Value, Low Effort High Business Value, High Effort
      Low Business Value, High Effort Low Business Value, High Effort

      Phase 2

      Sample Phase 2 Findings Found a gap between the business expectation and the existing BI content they are getting.
      Our current maturity level is “Level 2 – Operational.” Almost everyone thinks we should be at least “Level 3 – Tactical” with some level 4 elements.
      Found an error in a sales report. A quick fix is identified.
      The current BI program is not able to keep up with the demand.
    3. Select the top items and document the findings in the BI Strategy Roadmap Template. The findings will be used to build a Roadmap in Phase 3.

    INPUT

    • Phase 2 activities

    OUTPUT

    • Other Phase 2 Findings section of the BI Strategy and Roadmap Template

    Materials

    • Whiteboard
    • Sticky notes

    Participants

    • Project manger
    • Project team
    • Business stakeholders

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech workshop

    Book a workshop with our Info-Tech analysts:

    • To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
    • Info-Tech analysts will join you and your team onsite at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.
    • Contact your account manager (www.infotech.com/account), or email Workshops@InfoTech.com for more information.

    The following are sample activities that will be conducted by Info-Tech analysts with your team:

    2.1.1

    Determine your current BI maturity level

    The analyst will take your project team through Info-Tech’s BI Practice Assessment Tool, which collects perspectives from BI consumer and provider groups on multiple facets of your BI practice in order to establish a current maturity level.

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech workshop

    Book a workshop with our Info-Tech analysts

    2.2.1

    Define guiding principles for your target BI state

    Using enterprise architecture principles as a starting point, our analyst will facilitate exercises to help your team establish high-level standards for your future BI practice.

    2.2.2-2.2.3

    Establish your desired BI patterns and matching functionalities

    In developing your BI practice, your project team will have to decide what BI-specific capabilities are most important to your organization. Our analyst will take your team through several BI patterns that Info-Tech has identified and discuss how to bridge the gap between these patterns, linking them to specific functional requirements in a BI solution.

    2.2.4-2.2.5

    Analyze the gaps in your BI practice capabilities

    Our analyst will guide your project team through a number of visualizations and explanations produced by our assessment tool in order to pinpoint the problem areas and generate improvement ideas.

    Phase 3

    Create a BI Roadmap for Continuous Improvement

    Build a Reporting and Analytics Strategy

    Create a BI roadmap for continuous improvement

    Phase 3 Overarching Insight

    The benefit of creating a comprehensive and actionable roadmap is twofold: not only does it keep BI providers accountable and focused on creating incremental improvement, but a roadmap helps to build momentum around the overall project, provides a continuous delivery of success stories, and garners grassroots-level support throughout the organization for BI as a key strategic imperative.

    Understand the Business Context to Rationalize Your BI Landscape Evaluate Your Current BI Practice Create a BI Roadmap for Continuous Improvement
    Establish the Business Context
    • Business Vision, Goals, Key Drivers
    • Business Case Presentation
    • High-Level ROI
    		Assess Your Current BI Maturity
    • SWOT Analysis
    • BI Practice Assessment
    • Summary of Current State
    		Construct a BI Initiative Roadmap
    • BI Improvement Initiatives
    • BI Strategy and Roadmap
    Access Existing BI Environment
    • BI Perception Survey Framework
    • Usage Analyses
    • BI Report Inventory
    		Envision BI Future State
    • BI Patterns
    • BI Practice Assessment
    • List of Functions
    		Plan for Continuous Improvement
    • Excel Governance Policy
    • BI Ambassador Network Draft
    Undergo Requirements Gathering
    • Requirements Gathering Principles
    • Overall BI Requirements

    Phase 3 overview

    Detailed Overview

    Step 1: Establish Your BI Initiative Roadmap

    Step 2: Identify Opportunities to Enhance Your BI Practice

    Step 3: Create Analytics Strategy

    Step 4: Define CSF and metrics to monitor success of BI and analytics

    Outcomes

    • Consolidate business intelligence improvement objectives into robust initiatives.
    • Prioritize improvement initiatives by cost, effort, and urgency.
    • Create a one-year, two-year, or three-year timeline for completion of your BI improvement initiatives.
    • Identify supplementary programs that will facilitate the smooth execution of road-mapped initiatives.

    Benefits

    • Clear characterization of comprehensive initiatives with a detailed timeline to keep team members accountable.

    Revisit project metrics to track phase progress

    Goals for Phase 3:

    • Put everything together. Findings and observations from Phase 1 and 2 are rationalized in this phase to develop data initiatives and create a strategy and roadmap for BI.
    • Continuous improvements. Your BI program is evolving and improving over time. The program should allow you to have faster, better, and more comprehensive information.

    Info-Tech’s Suggested Metrics for Tracking Phase 3 Goals

    Practice Improvement Metrics Data Collection and Calculation Expected Improvement
    Program Level Metrics Efficiency
    • Time to information
    • Self-service penetration
    • Derive from the ticket management system
    • Derive from the BI platform
    • 10% reduction in time to information
    • Achieve 10-15% self-service penetration
    • Effectiveness
    • BI Usage
    • Data quality
    • Derive from the BI platform
    • Data quality perception
    • Majority of the users use BI on a daily basis
    • 15% increase in data quality perception
    Comprehensiveness
    • # of integrated datasets
    • # of strategic decisions made
    • Derive from the data integration platform
    • Decision-making perception
    • Onboard 2-3 new data domains per year
    • 20% increase in decision-making perception

    Learn more about the CIO Business Vision program.

    Intangible Metrics:

    Tap into the results of Info-Tech’s CIO Business Vision diagnostic to monitor the changes in business-user satisfaction as you implement the initiatives in your BI improvement roadmap.

    Phase 3 outline

    Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

    Complete these steps on your own or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that helps you execute each phase of a project. They are included in most advisory memberships.

    Guided Implementation 3: Create a BI Roadmap for Continuous Improvement

    Proposed Time to Completion: 1-2 weeks

    Step 3.1: Construct a BI Improvement Initiative Roadmap

    Start with an analyst kick off call:

    • Review findings and insights from completion of activities pertaining to current and future state assessments
    • Discuss challenges around consolidating activities into initiatives

    Then complete these activities…

    • Collect improvement objectives/tasks from previous phases
    • Develop comprehensive improvement initiatives
    • Leverage value-effort matrix activities to prioritize these initiatives and place them along an improvement roadmap

    With these tools & templates:

    BI Initiatives and Roadmap Tool

    BI Strategy and Roadmap Template

    Step 3.2: Continuous Improvement Opportunities for BI

    Review findings with analyst:

    • Review completed BI improvement initiatives and roadmap
    • Discuss guidelines presenting a finalized improvement to the relevant committee or stakeholders
    • Discuss additional policies and programs that can serve to enhance your established BI improvement roadmap

    Then complete these activities…

    • Present BI improvement roadmap to relevant stakeholders
    • Develop Info-Tech’s recommended supplementary policies and programs for BI

    With these tools & templates:

    BI Strategy and Roadmap Executive Presentation Template

    Phase 3 Results & Insights:

    • Comprehensive initiatives with associated tasks/activities consolidated and prioritized in an improvement roadmap

    STEP 3.1

    Construct a BI Improvement Initiative Roadmap

    Build an improvement initiative roadmap to solidify your revamped BI strategy

    Step Objectives

    • Bring together activities and objectives for BI improvement to form initiatives
    • Develop a fit-for-purpose roadmap aligned with your BI strategy

    Step Activities

    3.1.1 Characterize individual improvement objectives and activities ideated in previous phases.

    3.1.2 Synthesize and detail overall BI improvement initiatives.

    3.1.3 Create a plan of action by placing initiatives on a roadmap.

    Outcomes

    • Detailed BI improvement initiatives, prioritized by value and effort
    • Defined roadmap for completion of tasks associated with each initiative and accountability

    Research Support

    • Info-Tech’s BI Initiatives and Roadmap Tool

    Proposed Participants in this Step

    Project Manager

    Project Team

    Create detailed BI strategy initiatives by bringing together the objectives listed in the previous phases

    When developing initiatives, all components of the initiative need to be considered, from its objectives and goals to its benefits, risks, costs, effort required, and relevant stakeholders.

    Use outputs from previous project steps as inputs to the initiative and roadmap building:

    The image shows the previous project steps as inputs to the initiative and roadmap building, with arrow pointing from one to the next.

    Determining the dependencies that exist between objectives will enable the creation of unique initiatives with associated to-do items or tasks.

    • Group objectives into similar buckets with dependencies
    • Select one overarching initiative
    • Adapt remaining objectives into tasks of the main initiative
    • Add any additional tasks

    Leverage Info-Tech’s BI Initiatives and Roadmap Tool to build a fit-for-purpose improvement roadmap

    BI Initiatives and Roadmap Tool

    Overview

    Use the BI Initiatives and Roadmap Tool to develop comprehensive improvement initiatives and add them to a BI strategy improvement roadmap.

    Recommended Participants

    • BI project team

    Tool Guideline

    Tab 1. Instructions Use this tab to get an understanding as to how the tool works.
    Tab 2. Inputs Use this tab to customize the inputs used in the tool.
    Tab 3. Activities Repository Use this tab to list and prioritize activities, to determine dependencies between them, and build comprehensive initiatives with them.
    Tab 4. Improvement Initiatives Use this tab to develop detailed improvement initiatives that will form the basis of the roadmap. Map these initiatives to activities from Tab 3.
    Tab 5. Improvement Roadmap Use this tab to create your BI strategy improvement roadmap, assigning timelines and accountability to initiatives and tasks, and to monitor your project performance over time.

    Activity: Consolidate BI activities into the tool and assign dependencies and priorities

    3.1.1

  • 2 hours
    1. Have one person from the BI project team populate Tab 3. Activities Repository with the BI strategy activities that were compiled in Phases 1 and 2. Use drop-downs to indicate in which phase the objective was originally ideated.
    2. With BI project team executives, discuss and assign dependencies between activities in the Dependencies columns. A dependency exists if:
    • An activity requires consideration of another activity.
    • An activity requires the completion of another activity.
    • Two activities should be part of the same initiative.
    • Two activities are very similar in nature.
  • Then discuss and assign priorities to each activity in the Priority column using input from previous Phases. For example, if an activity was previously indicated as critical to the business, if a similar activity appears multiple times, or if an activity has several dependencies, it should be higher priority.

    • Inputs

    • BI improvement activities created in Phases 1 and 2

    Output

    • Activities with dependencies and priorities

    Materials

    • BI Initiatives and Roadmap Tool

    Participants

    • BI project team

    Activity: Consolidate BI activities into the tool and assign dependencies and priorities (cont’d.)

    3.1.1

    2 hours

    Screenshot of Tab 3. BI Activities Repository, with samples improvement activities, dependencies, statuses, and priorities

    The image is of a screenshot of Tab 3. BI Activities Repository, with samples improvement activities, dependencies, statuses, and priorities.

    Revisit the outputs of your current state assessment and note which activities have already been completed in the “Status” column, to avoid duplication of your efforts.

    When classifying the status of items in your activity repository, distinguish between broader activities (potential initiatives) and granular activities (tasks).

    Activity: Customize project inputs and build out detailed improvement initiatives

    3.1.2

    1.5 hours

    1. Follow instructions on Tab 2. Inputs to customize inputs you would like to use for your project.
    2. Review the activities repository and select up to 12 overarching initiatives based on the activities with extreme or highest priority and your own considerations.
    • Rewording where necessary, transfer the names of your initiatives in the banners provided on Tab 4. Improvement Initiatives.
    • On Tab 3, indicate these activities as “Selected (initiatives)” in the Status column.
  • In Tab 4, develop detailed improvement initiatives by indicating the owner, taxonomy, start and end periods, cost and effort estimates, goal, benefit/value, and risks of each initiative.
  • Use drop-downs to list “Related activities,” which will become tasks under each initiative.
    • activities with dependency to the initiative
    • activities that lead to the same goal or benefit/value of the main initiative

    Screenshot of the Improvement Initiative template, to be used for developing comprehensive initiatives

    <p data-verified=The image is a screenshot of the Improvement Initiative template, to be used for developing comprehensive initiatives.">

    Inputs

    • Tab 3. Activities Repository

    Output

    • Unique and detailed improvement initiatives

    Materials

    • BI Initiatives and Roadmap Tool
    • BI Initiatives section of the BI Strategy and Roadmap Template

    Participants

    • BI project team

    Visual representations of your initiative landscape can aid in prioritizing tasks and executing the roadmap

    Building a comprehensive BI program will be a gradual process involving a variety of stakeholders. Different initiatives in your roadmap will either be completed sequentially or in parallel to one another, given dependencies and available resources. The improvement roadmap should capture and represent this information.

    To determine the order in which main initiatives should be completed, exercises such as a value–effort map can be very useful.

    Example: Value–Effort Map for a BI Project

    Initiatives that are high value–low effort are found in the upper left quadrant and are bolded; These may be your four primary initiatives. In addition, initiative five is valuable to the business and critical to the project’s success, so it too is a priority despite requiring high effort. Note that you need to consider dependencies to prioritize these key initiatives.

    Value–Effort Map for a BI Project
    1. Data profiling techniques training
    2. Improve usage metrics
    3. Communication plan for BI
    4. Staff competency evaluation
    5. Formalize practice capabilities
    6. Competency improvement plan program
    7. Metadata architecture improvements
    8. EDW capability improvements
    9. Formalize oversight for data manipulation

    This exercise is best performed using a white board and sticky notes, and axes can be customized to fit your needs (E.g. cost, risk, time, etc.).

    Activity: Build an overall BI strategy improvement roadmap for the entire project

    3.1.3

    45 minutes

    The BI Strategy Improvement Roadmap (Tab 5 of the BI Initiatives and Roadmap Tool) has been populated with your primary initiatives and related tasks. Read the instructions provided at the top of Tab 5.

    1. Use drop-downs to assign a Start Period and End Period to each initiative (already known) and each task (determined here). As you do so, the roadmap will automatically fill itself in. This is where the value–effort map or other prioritization exercises may help.
    2. Assign Task Owners reporting Managers.
    3. Update the Status and Notes columns on an ongoing basis. Hold meetings with task owners and managers about blocked or overdue items.
    • Updating status should also be an ongoing maintenance requirement for Tab 3 in order to stay up to date on which activities have been selected as initiatives or tasks, are completed, or are not yet acted upon.

    Screenshot of the BI Improvement Roadmap (Gantt chart) showing an example initiative with tasks, and assigned timeframes, owners, and status updates.

    INPUTS

    • Tab 3. Activities Repository
    • Tab 4. Improvement Initiatives

    OUTPUT

    • BI roadmap

    Materials

    • BI Initiatives and Roadmap Tool
    • Roadmap section of the BI Strategy and Roadmap Template

    Participants

    • BI project team

    Obtain approval for your BI strategy roadmap by organizing and presenting project findings

    Use a proprietary presentation template

    Recommended Participants

    • Project sponsor
    • Relevant IT & business executives
    • CIO
    • BI project team

    Materials & Requirements

    Develop your proprietary presentation template with:

    • Results from Phases 1 and 2 and Step 3.1
    • Information from:
      • Info-Tech’s Build a Reporting and Analytics Strategy
    • Screen shots of outputs from the:
      • BI Practice Assessment Tool
      • BI Initiatives and Roadmap Tool

    Next Steps

    Following the approval of your roadmap, begin to plan the implementation of your first initiatives.

    Overall Guidelines

    • Invite recommended participants to an approval meeting.
    • Present your project’s findings with the goal of gaining key stakeholder support for implementing the roadmap.
    1. Set the scene using BI vision & objectives.
    2. Present the results and roadmap next.
    3. Dig deeper into specific issues by touching on the important components of this blueprint to generate a succinct and cohesive presentation.
  • Make the necessary changes and updates stemming from discussion notes during this meeting.
  • Submit a formal summary of findings and roadmap to your governing body for review and approval (e.g. BI steering committee, BI CoE).

    • Info-Tech Insight

    At this point, it is likely that you already have the support to implement a data quality improvement roadmap. This meeting is about the specifics and the ROI.

    Maximize support by articulating the value of the data quality improvement strategy for the organization’s greater information management capabilities. Emphasize the business requirements and objectives that will be enhanced as a result of tackling the recommended initiatives, and note any additional ramifications of not doing so.

    Leverage Info-Tech’s presentation template to present your BI strategy to the executives

    Use the BI Strategy and Roadmap Executive Presentation Template to present your most important findings and brilliant ideas to the business executives and ensure your BI program is endorsed. Business executives can also learn about how the BI strategy empowers them and how they can help in the BI journey.

    Important Messages to Convey

    • Executive summary of the presentation
    • Current challenges faced by the business
    • BI benefits and associated opportunities
    • SWOT analyses of the current BI
    • BI end-user satisfaction survey
    • BI vision, mission, and goals
    • BI initiatives that take you to the future state
    • (Updated) Analytical Strategy
    • Roadmap that depicts the timeline

    STEP 3.2

    Continuous Improvement Opportunities for BI

    Create supplementary policies and programs to augment your BI strategy

    Step Objectives

    • Develop a plan for encouraging users to continue to use Excel, but in a way that does not compromise overall BI effectiveness.
    • Take steps to establish a positive organizational culture around BI.

    Step Activities

    3.2.1 Construct a concrete policy to integrate Excel use with your new BI strategy.

    3.2.2 Map out the foundation for a BI Ambassador network.

    Outcomes

    • Business user understanding of where Excel manipulation should and should not occur
    • Foundation for recognizing exceptional BI users and encouraging development of enterprise-wide business intelligence

    Research Support

    • Info-Tech’s BI Initiatives and Roadmap Tool
    • Info-Tech’s BI Strategy and Roadmap Template

    Proposed Participants in this Step

    Project Manager

    Project Team

    Additional Business Users

    Establish Excel governance to better serve Excel users while making sure they comply with policies

    Excel is the number one BI tool

    • BI applications are developed to support information needs.
    • The reality is that you will never migrate all Excel users to BI. Some Excel users will continue to use it. The key is to support them while imposing governance.
    • The goal is to direct them to use the data in BI or in the data warehouse instead of extracting their own data from various source systems.

    The Tactic: Centralize data extraction and customize delivery

    • Excel users formerly extracted data directly from the production system, cleaned up the data, manipulated the data by including their own business logic, and presented the data in graphs and pivot tables.
    • With BI, the Excel users can still use Excel to look at the information. The only difference is that BI or data warehouse will be the data source of their Excel workbook.

    Top-Down Approach

    • An Excel policy should be created at the enterprise level to outline which Excel use cases are allowed, and which are not.
    • Excel use cases that involve extracting data from source systems and transforming that data using undisclosed business rules should be banned.
    • Excel should be a tool for manipulating, filtering, and presenting data, not a tool for extracting data and running business rules.

    Excel

    Bottom-Up Approach

    • Show empathy to your users. They just want information to get their work done.
    • A sub-optimal information landscape is the root cause, and they are the victims. Excel spreadmarts are the by-products.
    • Make the Excel users aware of the risks associated with Excel, train them in BI, and provide them with better information in the BI platform.

    Activity: Create an Excel governance policy

    3.2.1

    4 hours

    Construct a policy around Excel use to ensure that Excel documents are created and shared in a manner that does not compromise the integrity of your overall BI program.

    1. Review the information artifact list harvested from Step 2.1 and identify all existing Excel-related use cases.
    2. Categorize the Excel use cases into “allowed,” “not allowed,” and “not sure.” For each category define:
      3. Category To Do: Policy Context
      Allowed Discuss what makes these use cases ideal for BI. Document use cases, scenarios, examples, and reasons that allow Excel as an information artifact.
      Not Allowed Discuss why these cases should be avoided. Document forbidden use cases, scenarios, examples, and reasons that use Excel to generate information artifacts.
      Not Sure Discuss the confusions; clarify the gray area. Document clarifications and advise how end users can get help in those “gray area” cases.
    3. Document the findings in the BI Strategy and Roadmap Template in the Manage and Sustain BI Strategy section, or a proprietary template. You may also need to create a separate Excel policy to communicate the Dos and Don’ts.

    Inputs

    • Step 2.1 – A list of information artifacts

    Output

    • Excel-for-BI Use Policy

    Materials

    • BI Strategy Roadmap and Template, or proprietary document

    Participants

    • Business executives
    • CIO
    • Head of BI
    • BI team

    Build a network of ambassadors to promote BI and report to IT with end-user feedback and requests

    The Building of an Insider Network: The BI Ambassador Network

    BI ambassadors are influential individuals in the organization that may be proficient at using BI tools but are passionate about analytics. The network of ambassadors will be IT’s eyes, ears, and even mouth on the frontline with users. Ambassadors will promote BI, communicate any messages IT may have, and keep tabs on user satisfaction.

    Ideal candidate:

    • A good relationship with IT.
    • A large breadth of experience with BI, not just one dashboard.
    • Approachable and well-respected amongst peers.
    • Has a passion for driving organizational change using BI and continually looking for opportunities to innovate.

    Push

    • Key BI Messages
    • Best Practices
    • Training Materials

    Pull

    • Feedback
    • Complaints
    • Thoughts and New Ideas

    Motivate BI ambassadors with perks

    You need to motivate ambassadors to take on this additional responsibility. Make sure the BI ambassadors are recognized in their business units when they go above and beyond in promoting BI.

    Reward Approach Reward Type Description
    Privileges High Priority Requests Given their high usage and high visibility, ambassadors’ BI information requests should be given a higher priority.
    First Look at New BI Development Share the latest BI updates with ambassadors before introducing them to the organization. Ambassadors may even be excited to test out new functionality.
    Recognition Featured in Communications BI ambassadors’ use cases and testimonials can be featured in BI communications. Be sure to create a formal announcement introducing the ambassadors to the organization.
    BI Ambassador Certificate A certificate is a formal way to recognize their efforts. They can also publicly display the certificate in their workspace.
    Rewards Appointed by Senior Executives Have the initial request to be a BI ambassador come from a senior executive to flatter the ambassador and position the role as a reward or an opportunity for success.
    BI Ambassador Awards Award an outstanding BI ambassador for the year. The award should be given by the CEO in a major corporate event.

    Activity: Plan for a BI ambassador network

    3.2.2

    2 hours

    Identify individuals within your organization to act as ambassadors for BI and a bridge between IT and business users.

    1. Obtain a copy of your latest organizational chart. Review your most up-to-date organizational chart and identify key BI consumers across a variety of functional units. In selecting potential BI ambassadors, reflect on the following questions:
    • Does this individual have a good relationship with IT?
    • What is the depth of their experience with developing/consuming business intelligence?
    • Is this individual respected and influential amongst their respective business units?
    • Has this individual shown a passion for innovating within their role?
  • Create a mandate and collateral detailing the roles and responsibilities for the ambassador role, e.g.:
    • Promote BI to members of your group
    • Represent the “voice of the data consumers”
  • Approach the ambassador candidates and explain the responsibilities and perks of the role, with the goal of enlisting about 10-15 ambassadors

    • Inputs

    • An updated organizational chart
    • A list of BI users

    Output

    • Draft framework for BI ambassador network

    Materials

    • BI Strategy and Roadmap Template or proprietary document

    Participants

    • Business executives
    • CIO
    • Head of BI
    • BI team

    Keeping tabs on metadata is essential to creating a data democracy with BI

    A next generation BI not only provides a platform that mirrors business requirements, but also creates a flexible environment that empowers business users to explore data assets without having to go back and forth with IT to complete queries.

    Business users are generally not interested in the underlying architecture or the exact data lineages; they want access to the data that matters most for decision-making purposes.

    Metadata is data about data

    It comes in the form of structural metadata (information about the spaces that contain data) and descriptive metadata (information pertaining to the data elements themselves), in order to answer questions such as:

    • What is the intended purpose of this data?
    • How up-to-date is this information?
    • Who owns this data?
    • Where is this data coming from?
    • How have these data elements been transformed?

    By creating effective metadata, business users are able to make connections between and bring together data sources from multiple areas, creating the opportunity for holistic insight generation.

    Like BI, metadata lies in the Information Dimension layer of our data management framework.

    The metadata needs to be understood before building anything. You need to identify fundamentals of the data, who owns not only that data, but also its metadata. You need to understand where the consolidation is happening and who owns it. Metadata is the core driver and cost saver for building warehouses and requirements gathering.

    – Albert Hui, Principal, Data Economist

    Deliver timely, high quality, and affordable information to enable fast and effective business decisions

    In order to maximize your ROI on business intelligence, it needs to be treated less like a one-time endeavor and more like a practice to be continually improved upon.

    Though the BI strategy provides the overall direction, the BI operating model – which encompasses organization structure, processes, people, and application functionality – is the primary determinant of efficacy with respect to information delivery. The alterations made to the operating model occur in the short term to improve the final deliverables for business users.

    An optimal BI operating model satisfies three core requirements:

    Timeliness

    Effectiveness

  • Affordability

    • Bring tangible benefits of your revamped BI strategy to business users by critically assessing how your organization delivers business intelligence and identifying opportunities for increased operational efficiency.

    Assess and Optimize BI Operations

    Focus on delivering timely, quality, and affordable information to enable fast and effective business decisions

    Implement a fit-for-purpose BI and analytics solution to augment your next generation BI strategy

    Organizations new to business intelligence or with immature BI capabilities are under the impression that simply getting the latest-and-greatest tool will provide the insights business users are looking for.

    BI technology can only be as effective as the processes surrounding it and the people leveraging it. Organizations need to take the time to select and implement a BI suite that aligns with business goals and fosters end-user adoption.

    As an increasing number of companies turn to business intelligence technology, vendors are responding by providing BI and analytics platforms with more and more features.

    Our vendor landscape will simplify the process of selecting a BI and analytics solution by:

    Differentiating between the platforms and features vendors are offering.

    Detailing a robust framework for requirements gathering to pinpoint your organization’s needs.

    Developing a high-level plan for implementation.

    Select and Implement a Business Intelligence and Analytics Solution

    Find the diamond in your data-rough using the right BI & Analytics solution

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech workshop

    Book a workshop with our Info-tech analysts:

    • To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
    • Info-Tech analysts will join you and your team onsite at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.
    • Contact your account manager (www.infotech.com/account), or email Workshops@InfoTech.com for more information.

    The following are sample activities that will be conducted by Info-tech analysts with your team:

    3.1.1-3.1.3

    Construct a BI improvement initiative roadmap

    During these activities, your team will consolidate the list of BI initiatives generated from the assessments conducted in previous phases, assign timelines to each action, prioritize them using a value–effort matrix, and finally produce a roadmap for implementing your organization’s BI improvement strategy.

    3.2

    Identify continuous improvement opportunities for BI

    Our analyst team will work with your organization to ideate supplementary programs to support your BI strategy. Defining Excel use cases that are permitted and prohibited in conjunction with your BI strategy, as well as structuring an internal BI ambassador network, are a few extra initiatives that can enhance your BI improvement plans.

    Insight breakdown

    Your BI platform is not a one-and-done initiative.

    A BI program is not a static project that is created once and remains unchanged. Your strategy must be treated as a living platform to be revisited and revitalized in order to provide effective enablement of business decision making. Develop a BI strategy that propels your organization by building it on business goals and objectives, as well as comprehensive assessments that quantitatively and qualitatively evaluate your current BI capabilities.

    Put the “B” back in “BI.”

    The closer you align your new BI platform to real business interests, the stronger will be the buy-in, realized value, and groundswell of enthusiastic adoption. Ultimately, getting this phase right sets the stage to best realize a strong ROI for your investment in the people, processes, and technology that will be your next generation BI platform.

    Go beyond the platform.

    BI success is not based solely on the technology it runs on; technology cannot mask gaps in capabilities. You must be capable in your environment – data management, data quality, and related data practices must be strong, otherwise the usefulness of the intelligence suffers. The best BI solution does not only provide a technology platform, but also addresses the elements that surround the platform. Look beyond tools and holistically assess the maturity of your BI practice with input from both the BI consumer and provider perspectives.

    Appendix

    Detailed list of BI Types

    Style Description Strategic Importance (1-5) Popularity (1-5) Effort (1-5)
    Standards Preformatted reports Standard, preformatted information for backward-looking analysis. 5 5 1
    User-defined analyses Pre-staged information where “pick lists” enable business users to filter (select) the information they wish to analyze, such as sales for a selected region during a selected previous timeframe. 5 4 2
    Ad-hoc analyses Power users write their own queries to extract self-selected pre-staged information and then use the information to perform a user-created analysis. 5 4 3
    Scorecards and dashboards Predefined business performance metrics about performance variables that are important to the organization, presented in a tabular or graphical format that enables business users to see at a glance how the organization is performing. 4 4 3
    Multidimensional analysis (OLAP) Multidimensional analysis (also known as On-line analytical processing): Flexible tool-based user-defined analysis of business performance and the underlying drivers or root causes of that performance. 4 3 3
    Alerts Predefined analyses of key business performance variables, comparison to a performance standard or range, and communication to designated businesspeople when performance is outside the predefined performance standard or range. 4 3 3
    Advanced Analytics Application of long-established statistical and/or operations research methods to historical business information to look backward and characterize a relevant aspect of business performance, typically by using descriptive statistics 5 3 4
    Predictive Analytics Application of long-established statistical and/or operations research methods to historical business information to predict, model, or simulate future business and/or economic performance and potentially prescribe a favored course of action for the future 5 3 5

    Our BI strategy approach follows Info-Tech’s popular IT Strategy Framework

    A comprehensive BI strategy needs to be developed under the umbrella of an overall IT strategy. Specifically, creating a BI strategy is contributing to helping IT mature from a firefighter to a strategic partner that has close ties with business units.

    1. Determine mandate and scope 2. Assess drivers and constraints 3. Evaluate current state of IT 4. Develop a target state vision 5. Analyze gaps and define initiatives 6. Build a roadmap 8. Revamp 7. Execute
    Mandate Business drivers Holistic assessments Vision and mission Initiatives Business-driven priorities
    Scope External drivers Focus-area specific assessments Guiding principles Risks
    Project charter Opportunities to innovate Target state vision Execution schedule
    Implications Objectives and measures

    This BI strategy blueprint is rooted in our road-tested and proven IT strategy framework as a systematic method of tackling strategy development.

    Research contributors

    Internal Contributors

    • Andy Woyzbun, Executive Advisor
    • Natalia Nygren Modjeska, Director, Data & Analytics
    • Crystal Singh, Director, Data & Analytic
    • Andrea Malick, Director, Data & Analytics
    • Raj Parab, Director, Data & Analytics
    • Igor Ikonnikov, Director, Data & Analytics
    • Andy Neill, Practice Lead, Data & Analytics
    • Rob Anderson, Manager Sales Operations
    • Shari Lava, Associate Vice-President, Vendor Advisory Practice

    External Contributors

    • Albert Hui, Principal, DataEconomist
    • Cameran Hetrick, Senior Director of Data Science & Analytics, thredUP
    • David Farrar, Director – Marketing Planning & Operations, Ricoh Canada Inc
    • Emilie Harrington, Manager of Analytics Operations Development, Lowe’s
    • Sharon Blanton, VP and CIO, The College of New Jersey
    • Raul Vomisescu, Independent Consultant

    Research contributors and experts

    Albert Hui

    Consultant, Data Economist

    Albert Hui is a cofounder of Data Economist, a data-consulting firm based in Toronto, Canada. His current assignment is to redesign Scotiabank’s Asset Liability Management for its Basel III liquidity compliance using Big Data technology. Passionate about technology and problem solving, Albert is an entrepreneur and result-oriented IT technology leader with 18 years of experience in consulting and software industry. His area of focus is on data management, specializing in Big Data, business intelligence, and data warehousing. Beside his day job, he also contributes to the IT community by writing blogs and whitepapers, book editing, and speaking at technology conferences. His recent research and speaking engagement is on machine learning on Big Data.

    Albert holds an MBA from the University of Toronto and a master’s degree in Industrial Engineering. He has twin boys and enjoys camping and cycling with them in his spare time.

    Albert Hui Consultant, Data Economist

    Cameran Hetrick

    Senior Director of Analytics and Data Science, thredUP

    Cameran is the Senior Director of Analytics and Data Science at thredUP, a startup inspiring a new generation to think second hand first. There she helps drives top line growth through advanced and predictive analytics. Previously, she served as the Director of Data Science at VMware where she built and led the data team for End User Computing. Before moving to the tech industry, she spent five years at The Disneyland Resort setting ticket and hotel prices and building models to forecast attendance. Cameran holds an undergraduate degree in Economics/Mathematics from UC Santa Barbara and graduated with honors from UC Irvine's MBA program.

    Cameran Hetrick Senior Director of Analytics and Data Science, thredUP

    Bibliography

    Bange, Carsten and Wayne Eckerson. “BI and Data Management in the Cloud: Issues and Trends.” BARC and Eckerson Group, January 2017. Web.

    Business Intelligence: The Strategy Imperative for CIOs. Tech. Information Builders. 2007. Web. 1 Dec. 2015.

    COBIT 5: Enabling Information. Rolling Meadows, IL: ISACA, 2013. Web.

    Dag, Naslund, Emma Sikander, and Sofia Oberg. "Business Intelligence - a Maturity Model Covering Common Challenges." Lund University Publications. Lund University, 2014. Web. 23 Oct. 2015.

    “DAMA Guide to the Data Management Body of Knowledge (DAMA-DMBOK Guide).” First Edition. DAMA International. 2009. Digital. April 2014.

    Davenport, Thomas H. and Bean, Randy. “Big Data and AI Executive Survey 2019.” NewVantage Partners LLC. 2019. Web.

    "Debunking the Business of Analytics." Experian Data Quality. Sept. 2013. Web.

    Bibliography

    Drouin, Sue. "Value Chain." SAP Analytics. February 27, 2015.

    Farrar, David. “BI & Data analytics workshop feedback.” Ricoh Canada. Sept. 2019.

    Fletcher, Heather. "New England Patriots Use Analytics & Trigger Emails to Retain Season Ticket Holders." Target Marketing. 1 Dec. 2011. Web.

    Gonçalves, Alex. "Social Media Analytics Strategy - Using Data to Optimize Business Performance.” Apress. 2017.

    Imhoff, Claudia, and Colin White. "Self Service Business Intelligence: Empowering Users to Generate Insights." SAS Resource Page. The Data Warehouse Institute, 2011. Web.

    Khamassi, Ahmed. "Building An Analytical Roadmap : A Real Life Example." Wipro. 2014.

    Kuntz, Jerry, Pierre Haren, and Rebecca Shockley. IBM Insight 2015 Teleconference Series. Proc. of Analytics: The Upside of Disruption. IBM Institute for Business Value, 19 Oct. 2015. Web.

    Kwan, Anne , Maximillian Schroeck, Jon Kawamura. “Architecting and operating model, A platform for accelerating digital transformation.” Part of a Deliotte Series on Digital Industrial Transformation, 2019. Web.

    Bibliography

    Lebied, Mona. "11 Steps on Your BI Roadmap To Implement A Successful Business Intelligence Strategy." Business Intelligence. July 20, 2018. Web.

    Light, Rob. “Make Business Intelligence a Necessity: How to Drive User Adoption.” Sisense Blog. 30 July 2018.

    Mazenko, Elizabeth. “Avoid the Pitfalls: 3 Reasons 80% of BI Projects Fail.” BetterBuys. October 2015.

    Marr, Bernard. "Why Every Business Needs A Data And Analytics Strategy.” Bernard Marr & Co. 2019.

    Mohr, Niko and Hürtgen, Holger. “Achieving Business Impact with Data.” McKinsey. April 2018.

    MIT Sloan Management

    Quinn, Kevin R. "Worst Practices in Business Intelligence: Why BI Applications Succeed Where BI Tools Fail." (2007): 1-19. BeyeNetwork. Information Builders, 2007. Web. 1 Dec. 2015.

    Ringdal, Kristen. "Learning multilevel Analysis." European social Survey. 2019.

    Bibliography

    Schaefer, Dave, Ajay Chandramouly, Burt Carmak, and Kireeti Kesavamurthy. "Delivering Self-Service BI, Data Visualization, and Big Data Analytics." IT@Intel White Paper (2013): 1-11. June 2013. Web. 30 Nov. 2015.

    Schultz, Yogi. “About.” Corvelle Consulting. 2019.

    "The Current State of Analytics: Where Do We Go From Here?" SAS Resource Page. SAS & Bloomberg Businessweek, 2011. Web.

    "The Four Steps to Defining a Customer Analytics Strategy." CCG Analytics Solutions & Services. Nov 10,2017.

    Traore, Moulaye. "Without a strategic plan, your analytics initiatives are risky." Advisor. March 12, 2018. web.

    Wells, Dave. "Ten Mistakes to Avoid When Gathering BI Requirements." Engineering for Industry. The Data Warehouse Institute, 2008. Web.

    “What is a Business Intelligence Strategy and do you need one?” Hydra. Sept 2019. Web.

    Williams, Steve. “Business Intelligence Strategy and Big Data Analytics.” Morgan Kaufman. 2016.

    Wolpe, Toby. "Case Study: How One Firm Used BI Analytics to Track Staff Performance | ZDNet." ZDNet. 3 May 2013. Web.

    Yuk, Mico. “11 Reasons Why Most Business Intelligence Projects Fail.” Innovative enterprise Channels. May 2019.

    Implement Risk-Based Vulnerability Management

    • Buy Link or Shortcode: {j2store}296|cart{/j2store}
    • member rating overall impact: 9.2/10 Overall Impact
    • member rating average dollars saved: $122,947 Average $ Saved
    • member rating average days saved: 34 Average Days Saved
    • Parent Category Name: Threat Intelligence & Incident Response
    • Parent Category Link: /threat-intelligence-incident-response
    • Vulnerability scanners, industry alerts, and penetration tests are revealing more and more vulnerabilities, and it is unclear how to manage them.
    • Organizations are struggling to prioritize the vulnerabilities for remediation, as there are many factors to consider, including the threat of the vulnerability and the potential remediation option itself.

    Our Advice

    Critical Insight

    • Patches are often considered the only answer to vulnerabilities, but these are not always the most suitable solution.
    • Vulnerability management does not equal patch management. It includes identifying and assessing the risk of the vulnerability, and then selecting a remediation option which goes beyond just patching alone.
    • There is more than one way to tackle the problem. Leverage your existing security controls to protect the organization.

    Impact and Result

    • After this blueprint, you will have created a full vulnerability management program that allows you to take a risk-based approach to vulnerability remediation.
    • Assessing a vulnerability’s risk will enable you to properly determine the true urgency of a vulnerability within the context of your organization; this ensures you are not just blindly following what the tool is reporting.
    • The risk-based approach allows you to prioritize your discovered vulnerabilities and take immediate action on critical and high vulnerabilities, while allowing your standard remediation cycle to address the medium to low vulnerabilities.
    • With your program defined and developed, you now need to configure your vulnerability scanning tool, or acquire one if you don’t already have a tool in place.
    • Lastly, while vulnerability management will help address your systems and applications, how do you know if you are secure from external malicious actors? Penetration testing will offer visibility, allowing you to plug those holes and attain an environment with a smaller risk surface.

    Implement Risk-Based Vulnerability Management Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should design and implement a vulnerability management program, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    • Implement Risk-Based Vulnerability Management – Phases 1-4

    1. Identify vulnerability sources

    Begin the project by creating a vulnerability management team and determine how vulnerabilities will be identified through scanners, penetration tests, third-party sources, and incidents.

    • Vulnerability Management SOP Template

    2. Triage vulnerabilities and assign priorities

    Determine how vulnerabilities will be triaged and evaluated based on intrinsic qualities and how they may compromise business functions and data sensitivity.

    • Vulnerability Tracking Tool
    • Vulnerability Management Risk Assessment Tool
    • Vulnerability Management Workflow (Visio)
    • Vulnerability Management Workflow (PDF)

    3. Remediate vulnerabilities

    Address the vulnerabilities based on their level of risk. Patching isn't the only risk mitigation action; some systems simply cannot be patched, but other options are available. Reduce the risk down to medium/low levels and engage your regular operational processes to deal with the latter.

     

    4. Measure and formalize

    Evolve the program continually by developing metrics and formalizing a policy.

    • Vulnerability Management Policy Template
    • Vulnerability Scanning Tool RFP Template
    • Penetration Test RFP Template

    Infographic

    Workshop: Implement Risk-Based Vulnerability Management

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Identify Vulnerability Sources

    The Purpose

    Establish a common understanding of vulnerability management, and define the roles, scope, and information sources of vulnerability detection.

    Key Benefits Achieved

    Attain visibility on all of the vulnerability information sources, and a common understanding of vulnerability management and its scope.

    Activities

    1.1 Define the scope & boundary of your organization’s security program.

    1.2 Assign responsibility for vulnerability identification and remediation.

    1.3 Develop a monitoring and review process of third-party vulnerability sources.

    1.4 Review incident management and vulnerability management

    Outputs

    Defined scope and boundaries of the IT security program

    Roles and responsibilities defined for member groups

    Process for review of third-party vulnerability sources

    Alignment of vulnerability management program with existing incident management processes

    2 Triage and Prioritize

    The Purpose

    We will examine the elements that you will use to triage and analyze vulnerabilities, prioritizing using a risk-based approach and prepare for remediation options.

    Key Benefits Achieved

    A consistent, documented process for the evaluation of vulnerabilities in your environment.

    Activities

    2.1 Evaluate your identified vulnerabilities.

    2.2 Determine high-level business criticality.

    2.3 Determine your high-level data classifications.

    2.4 Document your defense-in-depth controls.

    2.5 Build a classification scheme to consistently assess impact.

    2.6 Build a classification scheme to consistently assess likelihood.

    Outputs

    Adjusted workflow to reflect your current processes

    List of business operations and their criticality and impact to the business

    Adjusted workflow to reflect your current processes

    List of defense-in-depth controls

    Vulnerability Management Risk Assessment tool formatted to your organization

    Vulnerability Management Risk Assessment tool formatted to your organization

    3 Remediate Vulnerabilities

    The Purpose

    Identifying potential remediation options.

    Developing criteria for each option in regard to when to use and when to avoid.

    Establishing exception procedure for testing and remediation.

    Documenting the implementation of remediation and verification.

    Key Benefits Achieved

    Identifying and selecting the remediation option to be used

    Determining what to do when a patch or update is not available

    Scheduling and executing the remediation activity

    Planning continuous improvement

    Activities

    3.1 Develop risk and remediation action.

    Outputs

    List of remediation options sorted into “when to use” and “when to avoid” lists

    4 Measure and Formalize

    The Purpose

    You will determine what ought to be measured to track the success of your vulnerability management program.

    If you lack a scanning tool this phase will help you determine tool selection.

    Lastly, penetration testing is a good next step to consider once you have your vulnerability management program well underway.

    Key Benefits Achieved

    Outline of metrics that you can then configure your vulnerability scanning tool to report on.

    Development of an inaugural policy covering vulnerability management.

    The provisions needed for you to create and deploy an RFP for a vulnerability management tool.

    An understanding of penetration testing, and guidance on how to get started if there is interest to do so.

    Activities

    4.1 Measure your program with metrics, KPIs, and CSFs.

    4.2 Update the vulnerability management policy.

    4.3 Create an RFP for vulnerability scanning tools.

    4.4 Create an RFP for penetration tests.

    Outputs

    List of relevant metrics to track, and the KPIs, CSFs, and business goals for.

    Completed Vulnerability Management Policy

    Completed Request for Proposal (RFP) document that can be distributed to vendor proponents

    Completed Request for Proposal (RFP) document that can be distributed to vendor proponents

    Further reading

    Implement Risk-Based Vulnerability Management

    Get off the patching merry-go-round and start mitigating risk!

    Table of Contents

    4 Analyst Perspective

    5 Executive Summary

    6 Common Obstacles

    8 Risk-based approach to vulnerability management

    16 Step 1.1: Vulnerability management defined

    24 Step 1.2: Defining scope and roles

    34 Step 1.3: Cloud considerations for vulnerability management

    33 Step 1.4: Vulnerability detection

    46 Step 2.1: Triage vulnerabilities

    51 Step 2.2: Determine high-level business criticality

    56 Step 2.3: Consider current security posture

    61 Step 2.4: Risk assessment of vulnerabilities

    71 Step 3.1: Assessing remediation options

    Table of Contents

    80 Step 3.2: Scheduling and executing remediation

    85 Step 3.3: Continuous improvement

    89 Step 4.1: Metrics, KPIs, and CSFs

    94 Step 4.2: Vulnerability management policy

    97 Step 4.3: Select & implement a scanning tool

    107 Step 4.4: Penetration testing

    118 Summary of accomplishment

    119 Additional Support

    120 Bibliography

    Analyst Perspective

    Vulnerabilities will always be present. Know the unknowns!

    In this age of discovery, technology changes at such a rapid pace. New things are discovered, both in new technology and in old. The pace of change can often be very confusing as to where to start and what to do.

    The ever-changing nature of technology means that vulnerabilities will always be present. Taking measures to address these completely will consume all your department’s time and resources. That, and your efforts will quickly become stale as new vulnerabilities are uncovered. Besides, what about the systems that simply can’t be patched? The key is to understand the vulnerabilities and the levels of risk they pose to your organization, to prioritize effectively and to look beyond patching.

    A risk-based approach to vulnerability management will ensure you are prioritizing appropriately and protecting the business. Reduce the risk surface!

    Vulnerability management is more than just systems and application patching. It is a full process that includes patching, compensating controls, segmentation, segregation, and heightened diligence in security monitoring.

    Jimmy Tom, Research Advisor – Security, Privacy, Risk, and Compliance, Info-Tech Research Group. Jimmy Tom
    Research Advisor – Security, Privacy, Risk, and Compliance
    Info-Tech Research Group

    Executive Summary

    Your Challenge

    Vulnerability scanners, industry alerts, and penetration tests are revealing more and more vulnerabilities, and it is unclear how to manage them.

    Organizations are struggling to prioritize the vulnerabilities for remediation, as there are many factors to consider, including the threat of the vulnerability and the potential remediation option.

    		 Common Obstacles

    Patches are often seen as the answer to vulnerabilities, but these are not always the most suitable solution.

    Some systems deemed vulnerable simply cannot be patched or easily replaced.

    Companies are unaware of the risk implications that come from leaving the vulnerability open and from the remediation option itself.

    		 Info-Tech’s Approach

    Design and implement a vulnerability management program that identifies, prioritizes, and remediates vulnerabilities.

    Understand what needs to be considered when implementing remediation options, including patches, configuration changes, and defense-in-depth controls.

    Build a process that is easy to understand and allows vulnerabilities to be remediated proactively, instead of in an ad hoc fashion.

    Info-Tech Insight

    Vulnerability management does not always equal patch management. There is more than one way to tackle the problem, particularly if a system cannot be easily patched or replaced. If a vulnerability cannot be completely remediated, steps to reduce the risk to a tolerable level must be taken.

    Common obstacles

    These barriers make vulnerability management difficult to address for many organizations:
    • The value of vulnerability management is not well articulated in many organizations. As a result, investment in vulnerability scanning technology is often insufficient.
    • Many organizations feel that a “patch everything” approach is the most effective path.
    • Vulnerability management is commonly misunderstood as being a process that only supports patch management.
    • There is often misalignment between SecOps and ITOps in remediation action and priority, affecting the timeliness of remediation.
    		 CVSS Score Distribution From the National Vulnerability Database: Pie Charts presenting the CVSS Core Distribution for the National Vulnerability Database. The left circle represents 'V3' and the right 'V2', where V3 has an extra option for 'Critical', above 'High', 'Medium', and 'Low', and V2 does not.
    (Source: NIST National Vulnerability Database Dashboard)

    Leverage risk to sort, triage, and prioritize vulnerabilities

    Reduce your risk surface to avoid cost to your business; everything else is table stakes.

    Reduce the critical and high vulnerabilities below the risk threshold and operationalize the remediation of medium/low vulnerabilities by following your effective vulnerability management program cycles.

    Identify vulnerability sources

    An inventory of your scanning tool and vulnerability threat intelligence data sources will help you determine a viable strategy for addressing vulnerabilities. Defining roles and responsibilities ahead of time will ensure you are not left scrambling when dealing with vulnerabilities.

    Triage and prioritize

    Bring the vulnerabilities into context by assessing vulnerabilities based on your security posture and mechanisms and not just what your data sources report. This will allow you to gauge the true urgency of the vulnerabilities based on risk and determine an effective mitigation plan.

    Remediate vulnerabilities

    Address the vulnerabilities based on their level of risk. Patching isn't the only risk mitigation action; some systems simply cannot be patched, but other options are available.

    Reduce the risk down to medium/low levels and engage your regular operational processes to deal with the latter.

    Measure and formalize

    Upon implementation of the program, measure with metrics to ensure that the program is successful. Improve the program with each iteration of vulnerability mitigation to ensure continuous improvement.

    Tactical Insight 1

    All actions to address vulnerabilities should be based on risk and the organization’s established risk tolerance.

    Tactical Insight 2

    Reduce the risk surface down below the risk threshold.

    The industry has shifted to a risk-based approach

    Traditional vulnerability management is no longer viable.

    “For those of us in the vulnerability management space, ensuring that money, resources, and time are strategically spent is both imperative and difficult. Resources are dwindling fast, but the vulnerability problem sure isn’t.” (Kenna Security)

    “Using vulnerability scanners to identify unpatched software is no longer enough. Keeping devices, networks, and digital assets safe takes a much broader, risk-based vulnerability management strategy – one that includes vulnerability assessment and mitigation actions that touch the entire ecosystem.” (Balbix)

    “Unlike legacy vulnerability management, risk-based vulnerability management goes beyond just discovering vulnerabilities. It helps you understand vulnerability risks with threat context and insight into potential business impact.” (Tenable)

    “A common mistake when prioritizing patching is equating a vulnerability’s Common Vulnerability Scoring System (CVSS) score with risk. Although CVSS scores can provide useful insight into the anatomy of a vulnerability and how it might behave if weaponized, they are standardized and thus don’t reflect either of the highly situational variables — namely, weaponization likelihood and potential impact — that factor into the risk the vulnerability poses to an organization.” (SecurityWeek)

    Why a take risk-based approach?

    Vulnerabilities, by the numbers

    60% — In 2019, 60% of breaches were due to unpatched vulnerabilities.

    74% — In the same survey, 74% of survey responses said they cannot take down critical applications and systems to patch them quickly. (Source: SecurityBoulevard, 2019)

    Info-Tech Insight

    Taking a risk-based approach will allow you to focus on mitigating risk, rather than “just patching” your environment.

    The average cost of a breach in 2020 is $3.86 million, and “…the price tag was much less for mature companies and industries and far higher for firms that had lackluster security automation and incident response processes.” (Dark Reading)

    Vulnerability Management

    A risk-based approach

    Reduce the risk surface to avoid cost to your business, everything else is table stakes

    		 Logo for Info-Tech.
    Logo for #iTRG.

    1

    Identify

    4

    Address
      Mitigate the risk surface by reducing the time across the phases › Mitigate the risk by implementing:
    • patch systems & apps
    • compensating controls
    • systems and apps hardening
    • systems segregation
    Chart presenting an example of 'Risk Surface' with the axes 'Risk Level' and 'Time' with lines created by individual risks. The highlighted line begins in 'Critical' and eventually drops to low. The area between the line and your organization's risk tolerance is labelled 'Risk Surface'.

    Objective: reduce risk surface by reducing time to address

    Your organization's risk tolerance threshold
      Identify vulnerability management scanning tools & external threat intel sources (Mitre CVE, US-CERT, vendor alerts, etc.) Vulnerability information feeds:
    • scanning tool
    • external threat intel
    • internal threat intel

    2

    Analyze
      Assign actual risk (impact x urgency) to the organization based on current security posture

    Triage based on risk ›

    Your organization's risk tolerance threshold

    		 Risk tolerance threshold map with axes 'Impact' and 'Likelihood'. High levels of one and low levels of the other, or medium levels of both, is 'Medium', High level of one and Medium levels of the other is 'High', and High levels of both is 'Critical'.

    3

    Assess
      Plan risk mitigation strategy › Consider:
    • risk tolerance
    • compensating controls
    • business impact

    Info-Tech’s vulnerability management methodology

    Focus on developing the most efficient processes.

    Vulnerability management isn’t “old school.”

    The vulnerability management market is relatively mature; however, vulnerability management remains a very relevant and challenging topic.

    Security practitioners are inundated with the advice they need to prioritize their vulnerabilities. Every vulnerability scanning vendor will proclaim their ability to prioritize the identified vulnerabilities.

    Third-party prioritization methodology can’t be effectively applied across all organizations. Each organization is too unique with different constraints. No tool or service can account for these variables.

    Equation to find 'Vulnerability Priority'.

    When patching is not possible, other options exist: configuration changes (hardening), defense-in-depth, compensating controls, and even elevated security monitoring are possible options.

    Info-Tech Insight

    Vulnerability management is not only patch management. Patching is only one aspect.

    Blueprint deliverables

    Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:

    Key deliverable:

    Vulnerability Management SOP

    The Standard operating procedure (SOP) will comprise the end-to-end description of the program: roles & responsibilities, data flow, and expected outcomes of the program.

    Sample of the key deliverable, Vulnerability Management SOP.    		 Vulnerability Management Policy

    Template for your vulnerability management policy.

    		 Sample of the Vulnerability Management Policy blueprint. Vulnerability Tracking Tool

    This tool offers a template to track vulnerabilities and how they are remedied.

    		 Sample of the Vulnerability Tracking Tool blueprint.
    Vulnerability Scanning RFP Template

    Request for proposal template for the selection of a vulnerability scanning tool.

    		 Sample of the Vulnerability Scanning RFP Template blueprint. Vulnerability Risk Assessment Tool

    Methodology to assess vulnerability risk by determining impact and likelihood.

    		 Sample of the Vulnerability Risk Assessment Tool blueprint.

    Blueprint benefits

    IT Benefits

    • A standardized, consistent methodology to assess, prioritize, and remediate vulnerabilities.
    • A risk-based approach that aligns with what’s important to the business.
    • A way of dealing with the high volumes of vulnerabilities that your scanning tool is reporting.
    • Identification of “where to start” in terms of vulnerability management.
    • Ability to not lose yourself in the patch madness but rather take a sound approach to scheduling and prioritizing patches and updates.
    • Knowledge of what to do when patching is simply not possible or feasible.

    Business Benefits

    • Alignment with IT in ensuring that business processes are only interrupted when absolutely necessary while maintaining a regular cadence of vulnerability remediation.
    • A consistent program that the business can plan around and predict when interruptions will occur.
    • IT’s new approach being integrated with existing IT operations processes, offering the most efficient yet expedient method of dealing with vulnerabilities.

    Info-Tech’s process can save significant financial resources

    Phase Measured Value
    Phase 1: Identify vulnerability sources
      Define the process, scope, roles, vulnerability sources, and current state
      • Consultant at $100 an hour for 16 hours = $1,600
    Phase 2: Triage vulnerabilities and assign urgencies
      Establish triaging and vulnerability evaluation process
      • Consultant at $100 an hour for 16 hours = $1,600
      Determine high-level business criticality and data classifications
      • Consultant at $100 an hour for 40 hours = $4,000
      Assign urgencies to vulnerabilities
      • Consultant at $100 an hour for 8 hours = $800
    Phase 3: Remediate vulnerabilities
      Prepare documentation for the vulnerability process
      • Consultant at $100 an hour for 8 hours = $800
      Establish defense-in-depth modelling
      • Consultant at $100 an hour for 24 hours = $2,400
      Identify remediation options and establish criteria for use
      • Consultant at $100 an hour for 40 hours = $4,000
      Formalize backup and testing procedures, including exceptions
      • Consultant at $100 an hour for 8 hours = $800
      Remediate vulnerabilities and verify
      • Consultant at $100 an hour for 24 hours = $2,400
    Phase 4: Continually improve the vulnerability management process
      Establish a metrics program for vulnerability management
      • Consultant at $100 an hour for 16 hours = $1,600
      Update vulnerability management policy
      • Consultant at $100 an hour for 8 hours = $800
      Develop a vulnerability scanning tool RFP
      • Consultant at $100 an hour for 40 hours = $4,000
      Develop a penetration test RFP
      • Consultant at $100 an hour for 40 hours = $4,000
    Potential financial savings from using Info-Tech resources Phase 1 ($1,600) + Phase 2 ($6,400) + Phase 3 ($10,400) + Phase 4 ($10,400) = $28,800

    Guided Implementation

    A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

    A typical GI is between 8 to 12 calls over the course of 4 to 6 months.

    What does a typical GI on this topic look like?

    Phase 1

    Phase 2

    Phase 3

    Phase 4
    Call #1: Scope requirements, objectives, and your specific challenges.

    Call #2: Discuss current state and vulnerability sources.

    		 Call #3: Identify triage methods and business criticality.

    Call #4:Review current defense-in-depth and discuss risk assessment.

    		 Call #5: Discuss remediation options and scheduling.

    Call #6: Review release and change management and continuous improvement.

    		 Call #7: Identify metrics, KPIs, and CSFs.

    Call #8: Review vulnerability management policy.

    Workshop Overview

    Contact your account representative for more information.
    workshops@infotech.com 1-888-670-8889

      Day 1 Day 2 Day 3 Day 4 Day 5
    Activities
    Identify vulnerability sources

    1.1 What is vulnerability management?

    1.2 Define scope and roles

    1.3 Cloud considerations for vulnerability management

    1.4 Vulnerability detection
    Triage and prioritize

    2.1 Triage vulnerabilities

    2.2 Determine high-level business criticality

    2.3 Consider current security posture

    2.4 Risk assessment of vulnerabilities
    Remediate vulnerabilities

    3.1 Assess remediation options

    3.2 Schedule and execute remediation

    3.3 Drive continuous improvement
    Measure and formalize

    4.1 Metrics, KPIs & CSFs

    4.2 Vulnerability Management Policy

    4.3 Select & implement a scanning tool

    4.4 Penetration testing
    Next Steps and Wrap-Up (offsite)

    5.1 Complete in-progress deliverables from previous four days

    5.2 Set up review time for workshop deliverables and to discuss next steps
    Deliverables
    1. Scope and boundary definition of vulnerability management program
    2. Responsibility assignment for vulnerability identification and remediation
    3. Monitoring and review process of third-party vulnerability sources
    4. Incident management and vulnerability convergence
    1. Methodology for evaluating identified vulnerabilities
    2. Identification of high-level business criticality
    3. Defined high-level data classifications
    4. Documented defense-in-depth controls
    5. Risk assessment criteria for impact and likelihood
    1. Documented risk assessment methodology and remediation options
    1. Defined metrics, key performance indicators (KPIs), and critical success factors (CSFs)
    2. Initial draft of vulnerability management policy
    3. Scanning tool selection criteria
    4. Introduction to penetration testing
    1. Completed vulnerability management standard operating procedure
    2. Defined vulnerability management risk assessment criteria
    3. Vulnerability management policy draft

    Implement Risk-Based Vulnerability Management

    Phase 1

    Identify Vulnerability Sources

    Phase 1

    1.1 What is vulnerability management?
    1.2 Define scope and roles
    1.3 Cloud considerations for vulnerability management
    1.4 Vulnerability detection

    		  

    Phase 2

    2.1 Triage vulnerabilities
    2.2 Determine high-level business criticality
    2.3 Consider current security posture
    2.4 Risk assessment of vulnerabilities
     

    Phase 3

    3.1 Assessing remediation options
    3.2 Scheduling and executing remediation
    3.3 Continuous improvement

    		  

    Phase 4

    4.1 Metrics, KPIs & CSFs
    4.2 Vulnerability management policy
    4.3 Select and implement a scanning tool
    4.4 Penetration testing

    This phase will walk you through the following activities:

    Establish a common understanding of vulnerability management, define the roles, scope, and information sources of vulnerability detection.

    This phase involves the following participants:

    • Security operations team
    • IT Security Manager
    • IT Director
    • CISO

    Step 1.1

    Vulnerability Management Defined

    Activities

    None for this section

    This step will walk you through the following activities:

    Establish a common understanding of vulnerability management and its place in the IT organization.

    This step involves the following participants:

    • Security operations team
    • IT Security Manager
    • IT Director
    • CISO

    Outcomes of this step

    Foundational knowledge of vulnerability management in your organization.

    Identify vulnerability sources
    Step 1.1 Step 1.2 Step 1.3 Step 1.4

    What is vulnerability management?

    It’s more than just patching.

    • Vulnerability management is the regular and ongoing practice of scanning an operating environment to uncover vulnerabilities. These vulnerabilities can be outdated applications, unpatched operating systems and software, open ports, obsolete hardware, or any combination of these.
    • The scanning and detection of vulnerabilities is the first step. Planning and executing of remediation is next, along with the approach, prioritized sequence of events, and timing.
    • A vendor-supplied software patch or firmware update is often the easy answer, however, this is not always a viable solution. What if you can’t patch in a timely fashion? What if patching is not possible as it will break the application and bring down operations? What if no patch exists due to the age of the application or operating platform?

    “Most organizations do not have a formal process for vulnerability management.” (Morey Haber, VP of Technology, BeyondTrust, 2016)

    Effective vulnerability management

    It’s not easy, but it’s much harder without a process in place.
    • Effective vulnerability management requires a formal process for organizations to follow; without one, vulnerabilities are dealt with in an ad hoc fashion.
    • Patching isn’t the only solution, but it’s the one that often draws focus.
    • Responsibilities for the different aspects of vulnerability management are often unclear, such as for testing, remediation, and implementation.
    • Identifying new threats without proper vulnerability scanning tools can be a near-impossible task.
    • Determining which vulnerabilities are most urgent can be an inconsistent process, increasing the organizational risk.
    • Measuring the effectiveness of your vulnerability remediation activities can help you better manage resources in SecOps and ITOps. Your staff will be spending the appropriate effort on vulnerabilities that warrant that level of attention.

    You’re not just doing this for yourself. It’s also for your auditors.

    Many compliance and regulatory obligations require organizations to have thorough documentation of their vulnerability management practices.

    Vulnerability management revolves around your asset security services

    Diagram with 'Asset Security Services' at the center. On either side are 'Network Security Services' and 'Identity Security Services', all three of which flow up into 'Security Analytics | Security Incident Response', and all four share a symbiotic flow with 'Management' below and contribute to 'Mega Trend Mapping' above. Management is supported by 'Governance'. Vulnerabilities can be found primarily within your assets but also connect to your information risk management. These must be effectively managed as part of a holistic security program.

    Without management, vulnerabilities left unattended can be easy for attackers to exploit. It becomes difficult to identify the correct remediation option to mitigate against the vulnerabilities.

    Vulnerability management works in tandem with SecOps and ITOps

    Vulnerability Management Process Inputs/Outputs:
    'Vulnerability Management (Process and Tool)' outputs are 'Incident Management', 'Release Management', 'Change Management', 'IT Asset Management', 'Application Security Testing', 'Threat Intelligence', and 'Security Risk Management'; inputs are 'Vulnerability Disclosure', 'Threat Intelligence', and 'Security Risk Management'.

    Arrows denote direction of information feed

    		 Vulnerability management serves as the input into a number of processes for remediation, including:
    • Incident management, to deal with issues
    • Release management, for patch management
    • Change management, for change control
    • IT asset management, to track version information, e.g. for patching
    • Application security testing, for the verification of vulnerabilities

    A two-way data flow exists between vulnerability management and:

    • Security risk management, for the overall risk posture of the organization
    • Threat intelligence, as vulnerability management reveals only one of several threat vectors

    For additional information please refer to Info-Tech’s research for each area:

    • Vulnerability management can leverage your existing processes to gain an operational element for the program.
    • As you strive to mature each of the processes on their own, vulnerability management will benefit accordingly.
    • Review our research for each of these areas and speak to one of our analysts if you wish to improve any of the listed processes.

    Info-Tech’s Information Security Program Framework

    Vulnerability management is a component of the Infrastructure Security section of Security Management

    Information Security Framework with Level 1 and Level 2 capabilities in two main sections, 'Management' and 'Governance'. Level 2 capabilities are grouped within Level 1 capabilities. For more information, review our Build an Information Security Strategy blueprint, or speak to one of our analysts.

    Info-Tech Insight

    Vulnerability management is but one piece of the information security puzzle. Ensure that you have all the pieces!

    Case Study

    		 Logo for Cimpress.
    INDUSTRY: Manufacturing
    SOURCE: Cimpress, 2016

    One organization is seeing immediate benefits by formalizing its vulnerability management program.

    Challenge

    Cimpress was dealing with many challenges in regards to vulnerability management. Vulnerability scanning tools were used, but the reports that were generated often gave multiple vulnerabilities that were seen as critical or high and required many resources to help address them. Scanning was done primarily in an attempt to adhere to PCI compliance rather than to effectively enable security. After re-running some scans, Cimpress saw that some vulnerabilities had existed for an extended time period but were deemed acceptable.

    		 Solution

    The Director of Information Security realized that there was a need to greatly improve this current process. Guidelines and policies were formalized that communicated when scans should occur and what the expectations for remediations should be. Cimpress also built a tiered approach to prioritize vulnerabilities for remediation that is specific to Cimpress instead of relying on scanning tool reports.

    		 Results

    Cimpress found better management of the vulnerabilities within its system. There was no pushback to the adoption of the policies, and across the worldwide offices, business units have been proactively trying to understand if there are vulnerabilities. Vulnerability management has been expanded to vendors and is taken into consideration when doing any mergers and acquisitions. Cimpress continues to expand its program for vulnerability management to include application development and vulnerabilities within any existing legacy systems.

    Step 1.2

    Defining the scope and roles

    Activities
    • 1.2.1 Define the scope and boundary of your organization’s security program
    • 1.2.2 Assign responsibility for vulnerability identification and remediation

    This step will walk you through the following activities:

    Define and understand the scope and boundary of the security program. For example, does it include OT? Define roles and responsibilities for vulnerability identification and remediation

    This step involves the following participants:

    • Security operations team
    • IT Security Manager
    • IT Director
    • CISO

    Outcomes of this step

    Understand how far vulnerability management extends and what role each person in IT plays in the remediation of vulnerabilities

    Identify vulnerability sources
    Step 1.1 Step 1.2 Step 1.3 Step 1.4

    Determine the scope of your security program

    This will help you adjust the depth and breadth of your vulnerability management program.
    • Determining the scope will help you decide how much organizational risk the vulnerability management program will oversee.
    • Scope can be defined along four aspects:
      • Data Scope – What data elements in your organization does your security program cover? How is data classified?
      • Physical Scope – What physical scope, such as geographies, does the security program cover?
      • Organizational Scope – How are business units engaged with security initiatives? Does the scope cover all subsidiary organizations?
      • IT Scope – What parts of the organization does IT cover? Does their coverage include operational technology (OT) and industrial control systems (ICS)?
    		 Stock image of figures standing in connected circles.

    1.2.1 Define the scope and boundary of your organization’s security program

    60 minutes

    Input: List of Data Scope, Physical Scope, Organization Scope, and IT Scope

    Output: Defined scope and boundaries of the IT security program

    Materials: Whiteboard/Flip Charts, Sticky Notes, Markers, Vulnerability Management SOP Template

    Participants: Business stakeholders, IT leaders, Security team members

    1. On a whiteboard, write the headers: Data Scope, Physical Scope, Organizational Scope, and IT Scope.
    2. Give each group member a handful of sticky notes. Ask them to write down as many items as possible for the organization that could fall under one of the four scope buckets.
    3. In a group, discuss the sticky notes and the rationale for including them. Discuss your security-related locations, data, people, and technologies, and define their scope and boundaries.

    The goal is to identify what your vulnerability management program is responsible for and document it.

    Consider the following:

    How is data being categorized and classified? How are business units engaged with security initiatives? How are IT systems connected to each other? How are physical locations functioning in terms of information security management?

    Download the Vulnerability Management SOP Template

    Assets are part of the scope definition

    An inventory of IT assets is necessary if there is to be effective vulnerability management.

    • Organizations need an up-to-date and comprehensive asset inventory for vulnerability management. This is due to multiple reasons:
      • When vulnerabilities are announced, they will need to be compared to an inventory to determine if the organization has any relevant systems or versions.
      • It indicates where all IT assets can be found both physically and logically.
      • Asset inventories typically have owners assigned to the assets and systems whose responsibility it is to carry out remediations for vulnerabilities.
    • Furthermore, asset inventories can provide insight into where data can be found within the organization. This is extremely useful within a formal data classification program, which plays a large factor in vulnerability management.
    		 If you need assistance building your asset inventory, review Info-Tech’s Implement Hardware Asset Management and Implement Software Asset Management blueprints.

    Info-Tech Insight

    Create a formal IT asset inventory before continuing with the rest of this project. Otherwise, you risk being at the mercy of a weak vulnerability management program.

    Assign responsibility for vulnerability identification and remediation

    Determine who is critical to effectively detecting and managing vulnerabilities.
    • Some of the remediation steps will involve members of IT management to identify the true organizational risk of a vulnerability.
    • Vulnerability remediation comes in different shapes and sizes. In addition to patching, this can include implementing compensating controls, server and application hardening, or the segregating of vulnerable systems.
      • Who carries out each of these activities? Who coordinates the activities and tracks them to ensure completion?
    • The people involved may be members outside of the security team, such as members from IT operations, infrastructure, and applications. The specific roles that each of these groups play should be clearly identified.
    		 Stock image of many connected profile photos in a cloud network.

    1.2.2 Assign responsibility for vulnerability identification and remediation

    60 minutes

    Input: Sample list of vulnerabilities and requisite actions from each group, High-level organizational chart with area functions

    Output: Defined set of roles and responsibilities for member groups

    Materials: Vulnerability Management SOP Template

    Participants: CIO, CISO, IT Management representatives for each area of IT

    1. Display the table of responsibilities that need to be assigned.
    2. List all the positions within the IT security team.
    3. Map these to the positions that require IT security team members.
    4. List all positions that are part of the IT team.
    5. Map these to the positions that require IT team members.

    If your organization does not have a dedicated IT security team, you can perform this exercise by mapping the relevant IT staff to the different positions shown on the right.

    Download the Vulnerability Management SOP Template Sample of the Roles and Responsibilities table from the Vulnerability Management SOP Template.

    Step 1.3

    Cloud considerations for vulnerability management

    Activities

    None for this section.

    This step will walk you through the following activities:

    Review cloud considerations for vulnerability management

    This step involves the following participants:

    • Security operations team
    • IT Security Manager
    • IT Director
    • CISO

    Outcomes of this step

    Understand the various types of cloud offerings and the implications (and limitations) of vulnerability management in a cloud environment.

    Identify vulnerability sources
    Step 1.1 Step 1.2 Step 1.3 Step 1.4

    Cloud considerations

    Cloud will change your approach to vulnerability management.
    • There will be a heavy dependence on the cloud service provider to ensure that vulnerabilities in their foundational technologies have been addressed.
    • Depending on the level of “as-a-Service,” customers will have varying degrees of control and visibility into the underlying operations.
    • With vendor acquiescence, you can set your tool to scan a given cloud environment, depending on how much visibility you have into their environment based on the service you have purchased.
    • Due to compliance obligations of their customers, there is a growing trend among cloud providers to allow more scanning of cloud environments.
    • In the absence of customer scanning capability, vendors may offer attestation of vulnerability management and remediation.
    		 Table outlining who has control, between the 'Organization' and the 'Vendor', of different cloud capabilities in different cloud strategies.

    For more information, see Info-Tech Research Group’s Document Your Cloud Strategy blueprint.

    Cloud environment scanning

    Cloud scanning is becoming a more common necessity but still requires special consideration.

    An organization’s cloud environment is just an extension of its own environment. As such, cloud environments need to be scanned for vulnerabilities.

    Private Cloud
    If your organization owns a private cloud, these environments can be tested normally.
    Public Cloud
    Performing vulnerability testing against public, third-party cloud environments is an area experiencing rapid growth and general acceptance, although customer visibility will still be limited.

    In many cases, a customer must rely on the vendor’s assurance that vulnerabilities are being addressed in a sufficient manner.

    Security standards’ compliance requirements are driving the need for cloud suppliers to validate and assure that they are appropriately scanning for and remediating vulnerabilities.

    		 Infrastructure- or Platform-as-a-Service (IaaS or PaaS) Environments
    • There is a general trend for PaaS and IaaS vendors to allow testing if given due notice.
    • Your contract with the cloud vendor or the vendor’s terms and conditions will outline the permissibility of customer vulnerability scanning. In some cases, a cloud vendor will deny the ability to do vulnerability scanning if they already provide a solution as part of their service.
    • Always ensure that the vendor is aware of your vulnerability scanning activity so that false positives aren’t triggering their security measures as possible denial-of-service (DoS) attacks.
    Software-as-a-Service (SaaS) Environments
    • SaaS offers very limited visibility to the services behind the software that the customer sees. You therefore cannot test for patch levels or vulnerabilities.
    • SaaS customers must rely exclusively on the provider for the regular scanning and remediation of vulnerabilities in the back-end technologies supporting the SaaS application.
    • You can only test the connection points to SaaS environments. This involves trying to figure out what you can see, e.g. looking for encrypted traffic.

    Certain testing (e.g. DoS or load testing) will be very limited by your cloud vendor. Cloud vendors won’t open themselves to testing that would possibly impact their operations.

    Step 1.4

    Vulnerability detection

    Activities
    • 1.4.1 Develop a monitoring and review process of third-party vulnerability sources
    • 1.4.2 Incident management and vulnerability management

    This step will walk you through the following activities:

    Create an inventory of your vulnerability monitoring capability and third-party vulnerability information sources.

    Determine how incident management and vulnerability management interoperate.

    This step involves the following participants:

    • Security operations team
    • IT Security Manager
    • IT Director
    • CISO

    Outcomes of this step

    Catalog of vulnerability information data sources. Understanding of the intersection of incident management and vulnerability management.

    Identify vulnerability sources
    Step 1.1 Step 1.2 Step 1.3 Step 1.4

    Vulnerability detection

    Vulnerabilities can be identified through numerous mediums.

    Info-Tech has determined the following to be the four most common ways to identify vulnerabilities.

    Vulnerability Assessment and Scanning Tools
    • Computer programs that function to identify and assess security vulnerabilities and weaknesses within computers, computer systems, applications, or networks.
    • Using a known vulnerability database, the tool scans targeted hosts or systems to identify flaws and generate reports and recommendations based on the results.
    • There are four main types of tools under this category: network and operating system vulnerability scanners, application scanning and testing tools, web application scanners, and exploitation tools.
    		 Penetration Tests
    • The act of identifying vulnerabilities on computers, computer systems, applications, or networks followed by testing of the vulnerability to validate the findings.
    • Penetration tests are considered a service that is offered by third-parties in which a variety of products, tools, and methods are used to exploit systems and gain access to data.
    Open Source Monitoring
    • New vulnerabilities are detected daily with each vulnerability’s information being uploaded to an information-sharing platform to enable other organizations to be able to identify the same vulnerability on their systems.
    • Open source platforms are used to alert and distribute information on newly discovered vulnerabilities to security professionals.
    		 Security Incidents
    • Any time an incident response plan is called into action to mitigate an incident, there should be formal communication with the vulnerability management team.
    • Any IT incident an organization experiences should provide a feed for analysis into your vulnerability management program.

    Automate with a vulnerability scanning tool

    Vulnerabilities are too numerous for manual scanning and detection.
    • Vulnerability management is not only the awareness of the existence of vulnerabilities but that they are actively present in your environment.
    • A vulnerability scanner will usually report dozens, if not hundreds, of vulnerabilities on a regular and recurring basis. Typical IT environments have several dozen, if not hundreds, of servers. We haven’t even considered the amount of network equipment or the hundreds of user workstations in an environment.
    • This tool will give you information of the presence of a vulnerability in your environment and the host on which the vulnerability exists. This includes information on the version of software that contains a vulnerability and whether you are running that version. The tool will also report on the criticality of the vulnerability based on industry criticality ratings.
    • The tools are continually updated by the vendor with the latest definition updates for the latest vulnerabilities out there. This ensures you are always scanning for the greatest number of potential vulnerabilities.
    		 Automation requires oversight.
    1. Vulnerability scanners bring great automation to the task of scanning and detecting vulnerabilities in high numbers.
    2. Vulnerability scanners, however, do not have your level of intelligence. Any compensating controls, network segregation, or other risk mitigation features that you have in place will not be known by the tool.
    3. Determining the risk and urgency of a vulnerability within the context of your specific environment will still require internal review by you or your SecOps team.

    For guidance on tool selection

    Refer to section 4.3 Selecting and Implement a Scanning Tool in this blueprint.

    Vulnerability scanning tool considerations

    Select a vulnerability scanning tool with the features you need to be effective.
    • Vulnerability scanning tool selection can be an exciting and confusing process. You will need to consider what features you desire in a tool and whether you want the tool to go beyond just scanning and reporting.
    • In addition to vulnerability scanning, some tools will integrate with your IT service management (service desk ticketing system) tool and asset, configuration, and change management modules. This can facilitate the necessary workflow that the remediation process follows once a vulnerability is discovered.
    • A number of vulnerability scanning tool vendors have started offering remediation as part of their software features. This includes the automation and orchestration functionality and configuration and asset management to track its remediation activities.
    • A side benefit of the asset discovery feature in vulnerability scanning tools is that it can help enhance an organization’s asset inventory and license compliance, particularly in cases where end users are able to install software on their workstations.
    		 Stock photo of a smartphone scanning a barcode.

    For guidance on tool vendors

    Visit SoftwareReviews for information on vulnerability management tools and vendors.

    Vulnerability scanning tool best practices

    How often should scans be performed?

    One-off scans provide snapshots in time. Repeated scans over time provide tracking for how systems are changing and how well patches are being applied and software is being updated.

    The results of a scan (asset inventory, configuration data, and vulnerability data) are basic information needed to understand your security posture. This data needs to be as up to date as possible.

    ANALYST PERSPECTIVE: Organizations should look for continuous scanning

    Continuous scanning is the concept of providing continual scanning of your systems so any asset, configuration, or vulnerability information is up to date. Most vendors will advertise continuous scanning but you need to be skeptical of how this feature is met.

    Continuous Scanning Methods

    Continuous agent scanning

    Real-time scanning that is completed through agent-based scanning. Provides real-time understanding of system changes.

    		 On-demand scanning

    Cyclical scanning is the method where once you’re done scanning an area, you start it again. This is usually done because doing some scans on some areas of your network take time. How long the scan takes depends on the scan itself. How often you perform a scan depends on how long a scan takes. For example, if a scan takes a day, you perform a daily scan.

    		 Cloud-based scanning

    Cloud-scanning-as-a-Service can provide hands-free continuous monitoring of your systems. This is usually priced as a subscription model.

    Vulnerability scanning tool best practices

    Where to perform a scan.

    What should be scanned How to point a scanner
    The general idea is that you want to scan pretty much everything. Here are considerations for three environments:
    Mobile Devices

    You need to scan mobile devices for vulnerabilities, but the problem is these can be hard to scan and often come and go on your network. There are always going to be some devices that aren’t on the network when scanning occurs.

    Several ways to scan mobile devices:

    • Intercept the device when it remotes into your network using a VPN. You catch the device with a remote scan. This can only be done if a VPN is required.
    • An agent-based approach can be used for mobile devices. Locally installed software gives the information needed to evaluate the security posture of a device. Discernibly, concerns around device processing, memory, and network bandwidth come into play. Ease of installation becomes key for agents.
    Virtualization
    • In a virtual environment, you will have servers being dynamically spun up. Ensure your tool is able to scan these new servers automatically.
    • Often, vulnerability scanning tool providers will restrict scanning to preapproved scanners. Look for tools that are preapproved by the VM vendors.
    Cloud Environments
    • You can set your tool to scan a given cloud environment. The main concern here is who owns the cloud. If it is a private cloud, there is little concern.
    • If it is a third-party cloud (AWS, Azure, etc.) you need to confirm with the cloud service provider that scanning of your cloud environment can occur.
    • There is a trend to allow more scanning of cloud environments.
    • You need to tell the scanner an IP address, a group of IP addresses, an asset group, or a combination of those.
    • You can categorize by functional classifications – internet-facing servers, workstations, network devices, etc., or by organizational structure – Finance, HR, Legal, etc.
    • If you have a strong change management system, you can better hone when and where to perform a scan based on actual changes.
    • You can set the number of concurrent outbound TCP connections that are being made. For example, set the tool so it sends out to 10 ports at a time, rather than pinging at 64k ports on a machine, which would flood the NIC.
    • Side Note: Flooding a host with pings from a scanning tool can be done to find out DoS thresholds on a machine. There are no bandwidth concerns for a network DoS, however, because the packets are so small.

    Vulnerability scanning tool best practices

    Communication and measurement

    Pre-Scan Communication With Users

    • It is always important to inform owners and users of systems that a scan will be happening.
    • Although it is unlikely any performance issues will arise, it is important to notify end users of potential impact.
    • Local admins or system owners may have controls in place that stop vulnerability scans and you need to inform the owners so that they can safelist the scanner you will be using.
    Vulnerability Scanning Tool Tracking Metrics
    • Vulnerability score by operating system, application, or organization division.
      • This provides a look at the widely accepted severity of the vulnerability as it relates across the organization’s systems.
    • Most vulnerable applications and application version.
      • This provides insight into how outdated applications are creating risk exposure for an organization.
      • This will also provide metrics on the effectiveness of your patching program.
    • Number of assets scanned within the last number of days.
      • This provides visibility into how often your assets are being scanned and thus protected.
    • Number of unowned devices or unapproved applications.
      • This metric will track how many unowned devices or unapproved applications may be on your network. Unowned devices may be rogue devices or just consultant/contractor devices.

    Third-party vulnerability information sources

    IT security forums and mailing lists are another source of vulnerability information.

    Proactively identify new vulnerabilities as they are announced.

    By monitoring for vulnerabilities as they are announced through industry alerts and open-source mechanisms, it is possible to identify vulnerabilities beyond your scanning tool’s penetration tests.

    Common sources:
    • Vendor websites and mailing lists
      • Vendors are the trusted sources for vulnerability and patch information on their products, particularly with new industry vulnerability disclosure requirements. Vendors are the most familiar with their products, downloads are most likely malware free, and additional information is often included.
      • There are some issues: vendors won’t announce a vulnerability until a patch is created, which creates a potential unknown risk exposure; numerous vendor sites will have to be monitored continually.
    • Third-party websites
      • A non-vendor site providing information on vulnerabilities. They often will cover a specific technology or an industry section, becoming a potential “one-stop shop” for some. They will often provide vulnerability information that is augmented with different remediation recommendations faster than vendors.
      • However, it’s more likely that malicious code could be downloaded and it will often not be comprehensive information on patching.
    • Third-party mailing lists, newsgroups, live paid subscriptions, and live open-source feeds
      • These are alerting and notification services for the detection and dissemination of vulnerability information. They provide information on the latest and most critical vulnerabilities, e.g. US-CERT Cybersecurity Alerts.
    • Vulnerability databases
      • These usually consist of dedicated databases on vulnerabilities. They perform the hard work of identifying and aggregating vulnerability and patch information into a central repository for end-user consumption. The commentary features on these databases provide excellent insight for practitioners, e.g. National Vulnerability Database (NVD).
    		 Stock photo of a student checking a bulletin board.

    Third-party vulnerability information sources

    IT security forums and mailing lists are another source of vulnerability information.

    Third-party sources for vulnerabilities

    • Open Source Vulnerability Database (OSVDB)
      • An open-source database that is run independently of any vendors.
    • Common Vulnerabilities and Exposures (CVE)
      • Free, international dictionary of publicly known information security vulnerabilities and exposures.
    • National Vulnerability Database (NVD)
      • Through NIST, the NVD is the US government’s repository of vulnerabilities and includes product names, flaws, and any impact metrics.
      • The National Checklist Repository Program (NCRP), also provided by NIST, provides security checklists for configurations of operating systems and applications.
      • The Center for Internet Security, a separate entity unrelated to NIST, provides configuration benchmarks that are often referenced by the NCRP.
    • Open Web Application Security Project (OWASP)
      • OWASP is another free project helping to expose vulnerabilities within software.
    • US-CERT National Cyber Alert System (US-CERT Alerts)
      • Cybersecurity Alerts – Provide timely information about current security issues, vulnerabilities, and exploits.
      • Cybersecurity Tips – Provide advice about common security issues for the general public.
      • Cybersecurity Bulletins – Provide weekly summaries of new vulnerabilities. Patch information is provided when available.
    • US-CERT Vulnerability Notes Database (US-CERT Vulnerability Notes)
      • Database of searchable security vulnerabilities that were deemed not critical enough to be covered under US-CERT Alerts. Note that the NVD covers both US-CERT Alerts and US-CERT Notes.
    • Open Vulnerability Assessment Language (OVAL)
      • Coding language for security professionals to discuss vulnerability checking and configuration issues. Vulnerabilities are identified using tests that are disseminated in OVAL definitions (XML executables that can be used by end users).

    1.4.1 Develop a monitoring and review process for third-party vulnerability sources

    60 minutes

    Input: Third-party resources list

    Output: Process for review of third-party vulnerability sources

    Materials: Whiteboard, Whiteboard markers, Vulnerability Management SOP Template

    Participants: IT Security Manager, SecOps team members, ITOps team members, CISO

    1. Identify what third-party resources are useful and relevant.
    2. Shortlist your third-party sources.
    3. Identify what is the best way to receive information from a third party.
    4. Document the method to receive or check information from the third-party source.
    5. Identify who is responsible for maintaining third-party vulnerability information sources
    6. Capture this information in the Vulnerability Management SOP Template.
    Download the Vulnerability Management SOP Template Sample of the Third Party Vulnerability Monitoring tables from the Vulnerability Management SOP Template.

    Incidents and vulnerability management

    Incidents can also be a sources of vulnerabilities.

    When any incident occurs, for example:

    • A security incident, such as malware detected on a machine
    • An IT incident, such as an application becomes unresponsive
    • A crisis occurs, like a worker accident

    There can be underlying vulnerabilities that need to be processed.

    Three Types of IT Incidents exist:
    1. Information Security Incident
    2. IT Incident and/or Problem
    3. Crisis

    Note: You need to have developed your various incident response plans to develop information feeds to the vulnerability mitigation process.
    If you are missing an incident response plan, take a look at Info-Tech’s Related Resources.

    		 Info-Tech Related Resources:
    If you do not have a formalized information security incident management program, take a look at Info-Tech’s blueprint Develop and Implement a Security Incident Management Program.

    If you do not have a formalized problem management process, take a look at Info-Tech’s blueprint Incident and Problem Management.

    		 If you do not have a formalized IT incident management process, take a look at Info-Tech’s blueprint Develop and Implement a Security Incident Management Program.

    If you do not have formalized crisis management, take a look at Info-Tech’s blueprint Implement Crisis Management Best Practices.

    1.4.2 Incident management and vulnerability management

    60 minutes

    Input: Existing incident response processes, Existing crisis communications plans

    Output: Alignment of vulnerability management program with existing incident management processes

    Materials: Whiteboard, Whiteboard markers, Vulnerability Management SOP Template

    Participants: IT Security Manager, SecOps team members, ITOps team members, including tiers 1, 2, and 3, CISO, CIO

    1. Inventory what incident response plans the organization has. These include:
      1. Information Security Incident Response Plan
      2. IT Incident Plan
      3. Problem Management Plan
      4. Crisis Management Plan
    2. Identify what part of those plans contains the post-response recap or final analysis.
    3. Formalize a communication process between the incident response plan and the vulnerability mitigation process.

    Note: Most incident processes will cover some sort of root cause analysis and investigation of the incident. If a vulnerability of any kind is detected within this analysis it needs to be reported on and treated as a detected vulnerability, thus warranting the full vulnerability mitigation process.

    Download the Vulnerability Management SOP Template

    Implement Risk-Based Vulnerability Management

    Phase 2

    Triage & prioritize

    Phase 1

    1.1 What is vulnerability management?
    1.2 Define scope and roles
    1.3 Cloud considerations for vulnerability management
    1.4 Vulnerability detection

    		  

    Phase 2

    2.1 Triage vulnerabilities
    2.2 Determine high-level business criticality
    2.3 Consider current security posture
    2.4 Risk assessment of vulnerabilities
     

    Phase 3

    3.1 Assessing remediation options
    3.2 Scheduling and executing remediation
    3.3 Continuous improvement

    		  

    Phase 4

    4.1 Metrics, KPIs & CSFs
    4.2 Vulnerability management policy
    4.3 Select and implement a scanning tool
    4.4 Penetration testing

    This phase will walk you through the following activities:

    Examine the elements that you will use to triage and analyze vulnerabilities, prioritizing using a risk-based approach, and prepare for remediation options.

    This phase involves the following participants:

    • IT Security Manager
    • SecOps team members
    • ITOps team members, including tiers 1, 2, and 3
    • CISO
    • CIO

    Step 2.1

    Triage vulnerabilities

    Activities
    • 2.1.1 Evaluate your identified vulnerabilities

    This step will walk you through the following activities:

    Review your vulnerability information sources and determine a methodology that will be used to consistently evaluate vulnerabilities as your scanning tool alerts you to them.

    This step involves the following participants:

    • IT Security Manager
    • SecOps team members
    • ITOps team members, including tiers 1, 2, and 3
    • CISO
    • CIO

    Outcomes of this step

    A consistent, documented process for the evaluation of vulnerabilities in your environment.

    Triage & prioritize
    Step 2.1 Step 2.2 Step 2.3 Step 2.4

    Triaging vulnerabilities

    Use Info-Tech’s methodology to allocate urgencies to your vulnerabilities to assign the appropriate resources to each one.

    When evaluating numerous vulnerabilities, use the following three factors to help determine the urgency of vulnerabilities:

    • The intrinsic qualities of the vulnerability
    • The business criticality of the affected asset
    • The sensitivity of the data stored on the affected asset

    Intrinsic qualities of the vulnerability — Vulnerabilities need to be examined for the inherent risk they pose specifically to the organization, which includes if an exploit has been identified or if the industry views this as a serious and likely threat.

    Business criticality of the affected asset — Assets with vulnerabilities need to be assessed for their criticality to the business. Vulnerabilities on systems that are critical to business operations or customer interactions are usually top of mind.

    Sensitivity of the data of the affected asset — Beyond just the criticality of the business, there must be consideration of the sensitivity of the data that may be compromised or modified as a result of any vulnerabilities.

    Info-Tech Insight

    This methodology allows you to determine urgency of vulnerabilities, but your remediation approach needs to be risk-based, within the context of your organization.

    Triage your vulnerabilities, filter out the noise

    Triaging enables your vulnerability management program to focus on what it should focus on.

    Use the Info-Tech Vulnerability Mitigation Process Template to define how to triage vulnerabilities as they first appear.

    Triaging is an important step in vulnerability management, whether you are facing ten to tens of thousands of vulnerability notifications.
    Many scanning tools already provide the capability to compare known vulnerabilities against existing assets through integration with the asset inventory.

    There are two major use cases for this process:
    1. For organizations that have identified vulnerabilities but do not know their own systems well enough. This can be due to a lack of a formal asset inventory.
    2. For proactive organizations that are regularly staying up to date with industry announcements regarding vulnerabilities. Once an alert has been made publicly, this process can assist in confirming if the vulnerability is relevant to the organization.
    		 The Info-Tech methodology for initial triaging of vulnerabilities:
    Flowchart of the Info-Tech methodology for initial triaging of vulnerabilities, beginning with 'Vulnerability has been identified' and ending with either 'Vulnerability has been triaged' or 'No action needed'.

    Even if neither of these use cases apply to your organization, triaging still addresses the issues of false positives. Triaging provides a quick way to determine if vulnerabilities are relevant.

    After eliminating the noise, evaluate your vulnerabilities to determine urgency

    Consider the intrinsic risk to the organization.

    Is there an associated, verified exploit?
    • For a vulnerability to become a true threat to the organization, it must be exploited to cause damage. In today’s threat landscape, exploit kits are sold online that allow individuals with low technical knowledge to exploit a vulnerability.
    • Not all vulnerabilities have an associated exploit, but this does not mean that these vulnerabilities can be left alone. In many cases, it is just a matter of time before an exploit is created.
    • Another point to consider is that while exploits can exist theoretically, they may not be verified. Vulnerabilities always pose some level of risk, but if there are no known verified exploits, there is less risk attached.
    Is there a CVSS base score of 7.0 or higher?
    • Common Vulnerability Scoring System (CVSS) is an open-source industry scoring method to assess the potential severity of vulnerabilities.
    • CVSS takes into account: attack vector, complexity, privileges required, user interaction, scope, confidentiality impact, integrity impact, and availability impact.
    • Vulnerabilities that have a score of 4.0 or lower are classified as low vulnerabilities, while scores between 4.0 and 6.9 are put in the medium category. Scores of 7 or higher are in the high and critical categories. As we will review in the Risk Assessment section, you will want to immediately deal with high and critical vulnerabilities.
    Is there potential for significant lateral movement?
    • Even though a vulnerability may appear to be part of an inconsequential asset, it is important to consider whether it can be leveraged to gain access to other areas of the network or system by an attacker.
    • Another consideration should be whether the vulnerability can be exploited by remote or local access. Remote exploits pose a greater risk as this can mean that attackers can perform an exploit from any location. Local exploits carry less risk, although the risk of insider threats should be considered here as well.

    2.1.1 Evaluate your identified vulnerabilities

    60 minutes

    Input: Visio workflow of Info-Tech’s vulnerability management process

    Output: Adjusted workflow to reflect your current processes, Vulnerability Tracking Tool

    Materials: Whiteboard, Whiteboard markers, Vulnerability Management SOP Template

    Participants: IT Security Manager, SecOps team members, ITOps team members, including tiers 1, 2, and 3, CISO, CIO

    Using the criteria from the previous slide, Info-Tech has created a methodology to evaluate your vulnerabilities by examining their intrinsic qualities.

    The methodology categorizes the vulnerabilities into high, medium, and low risk importance categorizations, before assigning final urgency scores in the later steps.

    1. Review the evaluation process in the Vulnerability Management Workflow library.
    2. Determine if this process makes sense for the organization; otherwise, change the flow to include any other considerations of process flows.
    3. As this process is used to evaluate vulnerabilities, document vulnerabilities to an importance category. This can be done in the Vulnerability Tracking Tool or using a similar internal vulnerability tracking document, if one exists.

    Download the Vulnerability Management SOP Template

    Step 2.2

    Determine high-level business criticality

    Activities
    • 2.2.1 Determine high-level business criticality
    • 2.2.2 Determine your high-level data classifications

    This step will walk you through the following activities:

    Determining high-level business criticality and data classifications will help ensure that IT security is aligned with what is critical to the business. This will be very important when decisions are made around vulnerability risk and the urgency of remediation action.

    This step involves the following participants:

    • IT Security Manager
    • SecOps team members
    • CISO

    Outcomes of this step

    Understanding and consistency in how business criticality and business data is assessed by IT in the vulnerability management process.

    Triage & prioritize
    Step 2.1 Step 2.2 Step 2.3 Step 2.4

    Understanding business criticality is key to determining vulnerability urgency

    Prioritize operations that are truly critical to the operation of the business, and understand how they would be impacted by an exploited vulnerability.

    Use the questions below to help assess which operations are critical for the business to continue functioning.

    For example, email is often thought of as a business-critical operation when this is not always the case. It is important to the business, but as regular operations can continue for some time without it, it would not be considered extremely business critical.

    Questions to ask Description
    Is there a hard-dollar impact from downtime? This refers to when revenue or profits are directly impacted by a business disruption. For example, when an online ordering system is compromised and shut down, it impacts sales, and therefore, revenue.
    Is there an impact on goodwill/ customer trust? If downtime means delays in service delivery or otherwise impacts goodwill, there is an intangible impact on revenue that may make the associated systems mission critical.
    Is regulatory compliance a factor? Depending on the circumstances of the vulnerabilities, it can be a violation of regulatory compliance and would cause significant fines.
    Is there a health or safety risk? Some operations are critical to health and safety. For example, medical organizations have operations that are necessary to ensure that individuals’ health and safety are maintained. An exploited vulnerability that prevents these operations can directly impact the lives of these individuals.
    		Don’t start from scratch – your disaster recovery plan (DRP) may have a business impact analysis (BIA) that can provide insight into which applications and operations are considered business critical.

    Analyst Perspective

    When assessing the criticality of business operations, most core business applications may be deemed business critical over the long term.

    Consider instead what the impact is over the first 24 or 48 hours of downtime.

    2.2.1 Determine high-level business criticality

    120 minutes; less time if a Disaster recovery plan business impact analysis exists

    Input: List of business operations, Insight into business operations impacts to the business

    Output: List of business operations and their criticality and impact to the business

    Materials: Vulnerability Management SOP Template

    Participants: Participants from the business, IT Security Manager, CISO, CIO

    1. List your core business operations at a high level.
    2. Use a High, Medium, or Low ranking to prioritize the business operations based on mission-critical criteria and the impact of the vulnerability.
    3. When using the process flow, consider if the vulnerability directly affects any of these business operations and move through the process flow based on the corresponding High, Medium, or Low ranking.
    Example prioritization of business operations for a manufacturing company: Questions to ask:
    1. Is there a hard-dollar impact from downtime?
    2. Is there impact on goodwill or customer trust?
    3. Is regulatory compliance a factor?
    4. Is there a health or safety risk?

    Download the Vulnerability Management SOP Template

    Determine vulnerability urgency by its data classification

    Consider how to classify your data based on if the Confidentiality, Integrity, or Availability (CIA) is compromised.

    To properly classify your data, consider how the confidentiality, integrity, and availability of that data would be affected if it were to be exploited by a vulnerability. Review the table below for an explanation for each objective.
    Confidentiality

    Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.

    		 Integrity

    Guarding against improper information modification or destruction, and ensuring information non-repudiation and authenticity.

    		 Availability

    Ensuring timely and reliable access to and use of information.
    Each piece of data should be ranked as High, medium, or low across confidentiality, integrity, and availability based on adverse effect. Arrow pointing right. Low — Limited adverse effect

    Moderate — Serious adverse effect

    High — Severe or catastrophic adverse effect

    If you wish to build a whole data classification methodology, refer to our Discover and Classify Your Data blueprint.

    		 How to determine data classification when CIA differs:

    The overall ranking of the data will be impacted by the highest objective’s ranking.

    For example, if confidentiality and availability are low, but integrity is high, the overall impact is high.

    This process was developed in part by Federal Information Processing Standards Publication 199.

    2.2.2 Determine your high-level data classifications

    120 minutes, less time if data classification already exists

    Input: Knowledge of data use and sensitivity

    Output: Adjusted workflow to reflect your current processes, Vulnerability Tracking Tool

    Materials: Whiteboard, Whiteboard markers, Vulnerability Management SOP Template

    Participants: IT Security Manager, CISO, CIO

    If your organization has formal data classification in place, it should be leveraged to determine the high, medium, and low rankings necessary for the process flows. However, if there is no formal data classification in place, the process below can be followed:

    1. List common assets or applications that are prone to vulnerabilities.
    2. Consider the data that is on these devices and provide a high (severe or catastrophic adverse effect), medium (serious adverse effect), or low (limited adverse effect) ranking based on confidentiality, availability, and integrity.
      1. Use the table on the previous slide to assist in providing the ranking.
      2. Remember that it is the highest ranking that dictates the overall ranking of the data.
    3. Document which data belongs in each of the categories to provide contextual evidence.

    Download the Vulnerability Management SOP Template

    This process should be part of your larger data classification program. If you need assistance in building this out, review the Info-Tech research, Discover and Classify Your Data.

    Step 2.3

    Consider current security posture

    Activities
    • 2.3.1 Document your defense-in-depth controls

    This step will walk you through the following activities:

    Your defense-in-depth controls are the existing layers of security technology that protects your environment. These are relevant when considering the urgency and risk of vulnerabilities in your environment, as they will mitigate some of the risk.

    This step involves the following participants:

    • IT Security Manager
    • SecOps team members
    • ITOps team members, including tiers 1, 2, and 3
    • CISO
    • CIO

    Outcomes of this step

    Understanding and documentation of your current defense-in-depth controls.

    Triage & prioritize
    Step 2.1 Step 2.2 Step 2.3 Step 2.4

    Review your current security posture

    What you have today matters.
    • In most cases, your vulnerability scanning tool alone will not have the context of your security posture in the results of its scans. This can skew the true urgency of detected vulnerabilities in your environment.
    • What you have in place today is what comprises your organization’s overall security posture. This bears high relevance to the determination of the risk that a vulnerability poses to your environment.
    • Elements such as enterprise architecture and defense in depth mechanisms should be factored into determining the risk of a vulnerability and what kind of immediacy is warranted to address it.
    • Details of your current security posture will also contribute to the assessment and selection of remediation options.
    		 Stock image of toy soldiers split into two colours, facing eachother down.

    Enterprise architecture considerations

    What does your network look like?
    • Most organizations have a network topology that has been put in place with operational needs in mind. These includes specific vLANs or subnets, broadcast domains, or other methods of traffic segregation.
    • The firewall and network ACLs (access control lists) will manage traffic and the routes that data packets follow to traverse a network.
    • Organizations may physically separate data network types, for example, a network for IT services and one for operational technology (OT)(OT is often known as ICS (industrial control systems) or SCADA (supervisory control and data acquisition)) or other types of production technology.
    • The deployment of distribution and access switches across an enterprise can also be a factor, where a flatter network will have fewer network devices within the topology.
    • In a directory services environment such as Windows Active Directory, servers and applications can be segregated by domains and trust relationships, organizational units, and security groups.
    		 What’s the relevance to vulnerability management?

    For a vulnerability to be exploited, a malicious actor must find a way to access the vulnerable system to make use of the vulnerability in question.

    Any enterprise architecture characteristics that you have in place may lessen the probability of a successful vulnerability exploit.

    This may potentially “buy time” for SecOps to address and remediate the vulnerability.

    Defense-in-depth

    Defense-in-depth provides extra layers of protection to the organization.

    • Defense-in-depth refers to the coordination of security controls to add layers of security to the organization.
      • This means that even if attackers are able to get past one control or layer, they are hindered by additional security.
    • Defense-in-depth is distinct from the previous section on enterprise architecture as these are security controls put in place with the purpose of being lines of defense within your security posture.
    • This can be extremely useful in managing vulnerabilities; thus, it is important to establish the existing defense-in-depth controls. By establishing the base model for your defense-in-depth, it will allow you to leverage these controls to manage vulnerabilities.
    • Controls are typically distributed across endpoints, network infrastructure, servers, and physical security.

    Note: Defense-in-depth controls do not entirely mitigate vulnerability risk. They provide a way in which the vulnerability cannot be exploited, but it continues to exist on the application. This must be kept in mind as the controls or applications themselves change, as it can re-open the vulnerability and cause potential problems.

    		 Examples of defense-in-depth controls can consist of any of the following:
    • Antivirus software
    • Authentication security
    • Multi-factor authentication
    • Firewalls
    • Demilitarized zones (DMZ)
    • Sandboxing
    • Network zoning
    • Application whitelisting
    • Access control lists
    • Intrusion detection & prevention systems
    • Airgapping
    • User security awareness training

    2.3.1 Document your defense-in-depth controls

    2 hours, less time if a security services catalog exists

    Input: List of technologies within your environment, List of IT security controls that are in place

    Output: List of defense-in-depth controls

    Materials: Whiteboard/flip charts, Vulnerability Management SOP Template

    Participants: IT Security Manager, Infrastructure Manager, IT Director, CISO

    1. Document the existing defense-in-depth controls within your system.
    2. Review the initial list that has been provided and see if these are controls that currently exist.
    3. Indicate any other controls that are being used by the organization. This may already exist if you have a security services catalog.
    4. Indicate who the owners of the different controls are.
    5. Track the information in the Vulnerability Management SOP Template.

    Download the Vulnerability Management SOP Template

    		 Sample table of security controls within a Defense-in-depth model with column headers 'Defense-in-depth control', 'Description', 'Workflow', and 'Control Owner'.

    Step 2.4

    Risk assessment of vulnerabilities

    Activities
    • 2.4.1 Build a classification scheme to consistently assess impact
    • 2.4.2 Build a classification scheme to consistently assess likelihood

    This step will walk you through the following activities:

    Assessing risk will be the cornerstone of how you evaluate vulnerabilities and what priority you place on remediation. This is actual risk to the organization and not simply what the tool reports without the context of your defense-in-depth controls.

    This step involves the following participants:

    • IT Security Manager
    • IT Operations Management
    • CISO
    • CIO

    Outcomes of this step

    A risk matrix tailored to your organization, based on impact and likelihood. This will provide a consistent, unambiguous way to assess risk across the vulnerability types that is reported by your scanning tool.

    Triage & prioritize
    Step 2.1 Step 2.2 Step 2.3 Step 2.4

    Vulnerabilities and risk

    Vulnerabilities must be addressed to mitigate risk to the business.
    • Vulnerabilities are a concern because they are potential threats to the business. Vulnerabilities that are not addressed can turn from potential threats into actual threats; it is only a matter of time and opportunity.
    • Your organization will already be familiar with risk management, as every decision carries a business risk component. There may even be a senior manager assigned as corporate risk officer to manage organizational risk.
    • The organization likely has a risk tolerance level that defines the organization’s risk appetite. This may be measured in dollars, non-productivity time, or other units of inefficiency.
    • The risk of a vulnerability can be calculated using impact and likelihood. Impact is the effect that the vulnerability will have if it is exploited by a malicious actor. Likelihood is the degree to which a vulnerability exploit can possibly occur.
    		 Stock image of a cartoon character in a tie hanging on the needle of a 'RISK' meter as it sits at 'LOW'.

    Info-Tech Insight

    Risk to the organization is business language that everyone can understand. This is particularly true when the risk is to productivity or to the company’s bottom line.

    A risk-based approach to vulnerability management

    CVSS scores are just the starting point!

    Vulnerabilities are constant.
    • There will always be vulnerabilities in the environment, many of which won’t be reported as they are currently unknown.
    • Don’t focus on trying to resolve all vulnerabilities in your environment. You are neither resourced for it nor can the business tolerate the downtime needed to remediate every single vulnerability.
      • The constant follow of new vulnerabilities will quickly render your efforts useless and it will become a game of “whack-a-mole.”
    • Being able to prioritize which vulnerabilities require appropriate levels of response is crucial to ensuring that an organization stays ahead of the continual flow.
    • Your vulnerability scanning tool will report the severity of a vulnerability, often using an industry Common Vulnerability Scoring System (CVSS) system ranging from 0 to 10. It will then scan your environment for the presence of the vulnerability and report accordingly.
      • Your vulnerability scanning tool will not be aware of any mitigation components in your environment, such as compensating controls, network segregation, server/application hardening, or any other measures that can reduce the risk. That is why determining actual risk is a crucial step.

    Stock image of a whack-a-mole game.

    Info-Tech Insight

    Vulnerability scanning is a valuable function, but it does not tell the full picture. You must determine how urgent a vulnerability truly is, based on your specific environment.

    Prioritize remediation by levels of risk

    Address critical and high risk with high immediacy.

    • Addressing the critical and high-risk vulnerabilities with urgency will ensure that you are addressing a more manageable number of vulnerabilities.
    • An optimized vulnerability management process will address the medium and low risk vulnerabilities within the regular cycle.
    • This may be very similar to what you do today in an ad hoc fashion:
      • Zero-day vulnerabilities tend to warrant a stop in operations and are dealt with immediately (or as soon as a vendor has a fix).
      • The standard remediation process (patching/updating, change of configuration, etc.) happens within a regular controlled time cycle.
    • Formalizing this process will ensure that appropriate attention is given to vulnerabilities that warrant it and that the remaining vulnerabilities are dealt with as a regular, recurring activity.

    Mitigate the risk surface by reducing the time across the phases

    Chart titled 'Mitigate the risk surface by reducing the time across the phases' with the axes 'Risk Level' and 'Time' with lines created by individual risks. The highlighted line begins in 'Critical' and eventually drops to low. A note on the line reads 'Objective: Reduce risk surface by reducing time to address'. The area between the line and your organization's risk tolerance is labelled 'Risk Surface, to be addressed with high priority'. A bracket around Risk levels 'High' and 'Critical' reads 'Priority focus zone (risk surface)'. Risk lines within levels 'Low' and 'Medium' read 'Follow standard vulnerability management cycles'.

    Risk matrix

    Risk = Impact x Likelihood
    • Info-Tech’s Vulnerability Management Risk Assessment Tool provides a method of calculating the risk of a vulnerability. The risk rating is assigned using the impact of the risk and the likelihood or probability that the event may occur.
    • The tool puts the vulnerability into your organization’s context: How many people will be affected? What service types are vulnerable and how does that impact the business? Is there an anticipated update from the vendor of the system being affected?
    • Urgency of remediation should be based on the business consequences if the vulnerability were to be exploited, relative to the business’ risk tolerance.

    Info-Tech Insight

    Risk determination should be done within the context of your current environment and not simply based on what your vulnerability tool is reporting.

    		 A risk matrix is useful in calculating a risk rating for vulnerabilities. Risk matrix with axes 'Impact' and 'Time' and individual vulnerabilities mapped onto it via their risk rating. The example 'Organizational Risk Tolerance Threshold' line runs diagonally through the 'Medium' squares.

    2.4.1 Build a classification scheme to consistently assess impact

    60 minutes

    Input: Knowledge of IT environment, Knowledge of business impact for each IT component or service

    Output: Vulnerability Management Risk Assessment Tool formatted to your organization

    Materials: Vulnerability Management Risk Assessment Tool

    Participants: Functional Area Managers, IT Security Manager, CISO

    Risk always has a negative impact, but the size of the impact can vary considerably in terms of cost, number of people or sites affected, and the severity of the impact. Impact questions tend to be more objective and quantifiable than likelihood questions.

    1. Define a set of questions to measure risk impact or edit existing questions in the tool.
    2. For each question, assign a weight that should be placed on that factor.
    3. Define criteria for each question that would categorize the risk. The drop-down box content can be modified in the hidden Labels tab.

    Note that you are looking to baseline vulnerability types, rather than categorizing every single vulnerability your scanning tool reports. The volume of vulnerabilities will be high, but vulnerabilities can be categorized into types on a regular basis.

    Download the Vulnerability Management Risk Assessment Tool

    		 Screenshot of table from Info-Tech's Vulnerability Management Risk Assessment Tool for assessing Impact. Column headers are 'Weight', 'Question', 'OS vulnerability', 'Application vulnerability', 'Network vulnerability', and 'Vendor patch release'.

    2.4.2 Build a classification scheme to consistently assess likelihood

    60 minutes

    Input: Knowledge of IT environment, Knowledge of business impact for each IT component or service

    Output: Vulnerability Management Risk Assessment Tool formatted to your organization

    Materials: Vulnerability Management Risk Assessment Tool

    Participants: Functional Area Managers, IT Security Manager, CISO

    Risk always has a negative impact, but the size of the impact can vary considerably in terms of cost, number of people or sites affected, and the severity of the impact. Impact questions tend to be more objective and quantifiable than likelihood questions.

    1. Define a set of questions to measure risk impact or edit existing questions in the tool.
    2. For each question, assign a weight that should be placed on that factor.
    3. Define criteria for each question that would categorize the risk. The drop-down box content can be modified in the hidden Labels tab.

    Note that you are looking to baseline vulnerability types, rather than categorizing every single vulnerability that your scanning tool reports. The volume of vulnerabilities will be high, but vulnerabilities can be categorized into types on a regular basis.

    Download the Vulnerability Management Risk Assessment Tool

    		 Screenshot of table from Info-Tech's Vulnerability Management Risk Assessment Tool for assessing Likelihood. Column headers are 'Weight', 'Question', 'OS vulnerability', 'Application vulnerability', and 'Network vulnerability'.

    Prioritize based on risk

    Select the best remediation option to minimize risk.

    Through the combination of the identified risk and remediation steps in this phase, the prioritization for vulnerabilities will become clear. Vulnerabilities will be assigned a priority once their intrinsic qualities and threat potential to business function and data have been identified.

    • Remediation options will be identified for the higher urgency vulnerabilities.
    • Options will be assessed for whether they are appropriate.
    • They will be further tested to determine if they can be used adequately prior to full implementation.
    • Based on the assessments, the remediation will be implemented or another option will be considered.
    		 Prioritization
    1. Assignment of risk
    2. Identification of remediation options
    3. Assessment of options
    4. Implementation

    Remediation plays an incredibly important role in the entire program. It plays a large part in wider risk management when you must consider the risk of the vulnerability, the risk of the remediation option, and the risk associated with the overall process.

    Implement Risk-Based Vulnerability Management

    Phase 3

    Remediate vulnerabilities

    Phase 1

    1.1 What is vulnerability management?
    1.2 Define scope and roles
    1.3 Cloud considerations for vulnerability management
    1.4 Vulnerability detection

    		  

    Phase 2

    2.1 Triage vulnerabilities
    2.2 Determine high-level business criticality
    2.3 Consider current security posture
    2.4 Risk assessment of vulnerabilities
     

    Phase 3

    3.1 Assessing remediation options
    3.2 Scheduling and executing remediation
    3.3 Continuous improvement

    		  

    Phase 4

    4.1 Metrics, KPIs & CSFs
    4.2 Vulnerability management policy
    4.3 Select and implement a scanning tool
    4.4 Penetration testing

    This phase will walk you through the following activities:

    • Identifying potential remediation options.
    • Developing criteria for each option with regards to when to use and when to avoid.
    • Establishing exception procedure for testing and remediation.
    • Documenting the implementation of remediations and verification.

    This phase involves the following participants:

    • CISO, or equivalent
    • Security Manager/Analyst
    • Network, Administrator, System, Database Manager
    • Other members of the vulnerability management team
    • Risk managers for the risk-related steps

    Determining how to remediate

    Patching is only one option.

    This phase will allow organizations to build out the specific processes for remediating vulnerabilities. The overall process will be the same but what will be critical is the identification of the correct material. This includes building the processes around:
    • Identifying and selecting the remediation option to be used.
    • Determining what to do when a patch or update is not available.
    • Scheduling and executing the remediation activity.
    • Continuous improvement.

    Each remediation option carries a different level of risk that the organization needs to consider and accept by building out this program.

    It is necessary to be prepared to do this in real time. Careful documentation is needed when dealing with vulnerabilities. Use the Vulnerability Tracking Tool to assist with documentation in real time. This is separate from using the process template but can assist in the documentation of vulnerabilities.

    Step 3.1

    Assessing remediation options

    Activities
    • 3.1.1 Develop risk and remediation action

    This step will walk you through the following activities:

    With the risk assessment from the previous activity, we can now examine remediation options and make a decision. This activity will guide us through that.

    This step involves the following participants:

    • IT Security Manager
    • SecOps team members
    • ITOps team members, including tiers 1, 2, and 3
    • CISO
    • CIO

    Outcomes of this step

    List of remediation options and criteria on when to consider each.

    Remediate vulnerabilities
    Step 3.1 Step 3.2 Step 3.3

    Identify remediation options

    There are four options when it comes to vulnerability remediation.

    Patches and Updates

    Patches are software or pieces of code that are meant to close vulnerabilities or provide fixes to any bugs within existing software. These are typically provided by the vendor to ensure that any deployed software is properly protected after vulnerabilities have been detected.

    		 Configuration Changes

    Configuration changes involve administrators making significant changes to the system or network to remediate against the vulnerability. This can include disabling the vulnerable application or specific element and can even extend to removing the application altogether.

    Remediation
    Compensating Controls

    By leveraging security controls, such as your IDS/IPS, firewalls, or access control, organizations can have an added layer of protection against vulnerabilities beyond the typical patches and configuration changes. This can be used as a measure while waiting to implement another option (if one exists) to reduce the risk of the vulnerability in the short or long term.

    		 Risk Acceptance

    Whenever a vulnerability is not remediated, either indefinitely or for a short period of time, the organization is accepting the associated risk. Segregation of the vulnerable system can occur in this instance. This can occur in cases where a system or application cannot be updated without detrimental effect to the business.

    Patches and updates

    Patches are often the easiest and most common method of remediation.

    Patches are usually the most desirable remediation solution when it comes to vulnerability management. They are typically provided by the vendor of the vulnerable application or system and are meant to eliminate the existing vulnerability.

    When to use

    • When adequate testing can be performed on the patch to be implemented.
    • When there is a change window approaching for the affected systems.
    • When there is standardization across the IT assets to allow for easier installation of patches.

    When to avoid

    • When the patch cannot be adequately tested.
    • When a patch has been tested, but it caused an unfavorable consequence such as a system or application failure.
    • When there is no near change window in which to install the patches, which is often the case for critical systems.
    When to consider other remediation options
    • For critical systems, it can be difficult to implement a patch as they often require the system to be rebooted or go through some downtime. There must be consideration towards whether there is a change window approaching if a patch is to be implemented on a business-critical system.
      • If there is no opportunity to implement the patch, or no approaching change window, it is wise to leverage another remediation option.
    • When patches are not currently available from the vendor or they are in production, other remediation options are needed.
    • Other remediation options can be used in tandem with the patch. For example, if a patch is being deferred until the change window, it would be wise to use alternate remediation options to close the vulnerability.

    Compensating controls

    Compensating controls can decrease the risk of vulnerabilities that cannot be (immediately) remediated.

    • Compensating controls are measures put in place when direct remediation measures are impractical or non-existent.
    • Similar to the payment card industry’s PCI DSS 1.0 provision of compensating controls, these are meant to meet the intent or rigor of the original requirement; unlike PCI DSS, these measures are to mitigate risk rather than meet compliance.
    • The compensating control should be viewed as only a temporary measure for dealing with a vulnerability, although circumstances may dictate a degree of permanence in the application of the compensating control.
    • Examples where compensating controls may be needed are:
      • The software vendor is developing an update or patch to address a vulnerability.
      • Through your testing process, a patch will adversely affect the performance or operation of the target system and be detrimental to the business.
      • A critical application will only run on a legacy operating system, the latter of which is no longer supported by the vendor.
      • A legacy application is no longer being supported but is critical to your operations. A replacement, if one exists, will take time to implement.
    		 Examples of compensating controls
    • Segregating a vulnerable server or application on the network, physically or logically.
    • Hardening the operating system or application.
    • Restricting user logins to the system or application.
    • Implementing access controls on the network route to the system.
    • Instituting application whitelisting.

    Configuration changes

    Configuration changes involve making changes directly to the application or system in which there is a vulnerability. This can vary from disabling or removing the vulnerable element or, in the case of applications built in-house, changing the coding of the application itself. These are commonly used in network vulnerabilities such as open ports.

    When to use

    • A patch is not available.
    • The vulnerable element can be significantly changed, or even disabled, without significantly disrupting the business.
    • The application is built in-house, as the vulnerability must be closed internally.
    • There is adequate testing to ensure that the configuration change does not affect the business.
    • A configuration change in your network or system can affect numerous endpoints or systems, reducing endpoint patching or use of defense-in-depth controls.

    When to avoid

    • When a suitable patch is available.
    • When the vulnerability is on a business-critical element with no nearby change window or it cannot be disabled.
    • When there is no opportunity in which to perform testing to ensure that there are no unintended consequences.
    When to consider other remediation options
    • Configuration changes require careful documentation as changes are occurring to the system and applications. If there is a need to perform a back-out process and return to the original configuration, this can be extremely difficult without clear documentation of what occurred.
    • If business systems are too critical or important to the regular business function to perform any changes, it is necessary to consider other options.

    Info-Tech Insight

    Remember your existing processes: configuration changes may need to be approved and orchestrated through your organization’s configuration and change management processes.

    Case Study

    Remediation options do not have to be used separately. Use the Shellshock 2014 case as an example.

    		  
    INDUSTRY: All
    SOURCE: Public Domain
    Challenge

    Bashdoor, more commonly known as Shellshock, was announced on September 24, 2014.

    This bug involved the Bash shell, which normally executes user commands, but this vulnerability meant that malicious attackers could exploit it.

    This was rated a 10/10 by CVSS – the highest possible score.

    Within hours of the announcement, hackers began to exploit this vulnerability across many organizations.

    		 Solution

    Organizations had to react quickly and multiple remediation options were identified:

    • Configuration changes – Companies were recommended to use other shells instead of the Bash shell.
    • Defense-in-depth controls – Using HTTP server logs, it could be possible to identify if the vulnerability had been exploited.
    • Patches – Many vendors released patches to close this vulnerability including Debian, Ubuntu, and Red Hat.
    		 Results

    Companies began to protect themselves against these vulnerabilities.

    While many organizations installed patches as quickly as possible, some also wished to test the patch and leveraged defense-in-depth controls in the interim.

    However, even today, many still have the Shellshock vulnerability and exploits continue to occur.

    Accept the risk and do nothing

    By choosing not to remediate vulnerabilities, you must accept the associated risk. This should be your very last option.

    Every time that a vulnerability is not remediated, it continues to pose a risk to the organization. While it may seem that every vulnerability needs to be remediated, this is simply not possible due to limited resources. Further, it can take away resources from other security initiatives as opposed to low-priority vulnerabilities that are extremely unlikely to be exploited.

    Common criteria for vulnerabilities that are not remediated:
    • Affected systems are of extremely low criticality.
    • Affected systems are deemed too critical to take offline to perform adequate remediation.
    • Low urgency is assigned to those vulnerabilities.
    • Cost and time required for the remediation are too high.
    • No adequate solutions exist – the vendor has not released a patch, there are weak defense-in-depth controls, and it is not possible to perform a configuration change.

    Risk acceptance is not uncommon…

    • With an ever-increasing number of vulnerabilities, organizations are struggling to keep up and often, intentionally or unintentionally, accept the risk associated.
    • In the end, non-remediation means full acceptance of the risk and any consequences.

    Enterprise risk management
    Arrow pointing up.
    Risk acceptance of vulnerabilities

    While these are common criteria, they must be aligned to the enterprise risk management framework and approved by management.

    Don’t forget the variables that were assessed in Phase 2. This includes the risk from potential lateral movement or if there is an existing exploit.

    Risk considerations

    When determining if risk acceptance is appropriate, consider the cost of not mitigating vulnerabilities.

    Don’t accept the risk because it seems easy. Consider the financial impact of leaving vulnerabilities open.

    With risk acceptance, it is important to review the financial impact of a security incident resulting from that vulnerability. There is always the possibility of exploitation for vulnerabilities. A simple metric taken from NIST SP800-40 to use for this is:

    Cost not to mitigate = W * T * R

    Where (W) is the number of work stations, (T) is the time spent fixing systems or lost in productivity, and (R) is the hourly rate of the time spent.
    As an example provided by NIST SP800-40 Version 2.0, Creating a Patch and Vulnerability Management Program:

    “For an organization where there are 1,000 computers to be fixed, each taking an average of 8 hours of down time (4 hours for one worker to rebuild a system, plus 4 hours the computer owner is without a computer to do work) at a rate of $70/hour for wages and benefits:

    1,000 computers * 8 hours * $70/hour = $560,000”

    Info-Tech Insight

    Always consider the financial impact that can occur from an exploited vulnerability that was not remediated.

    3.1.1 Develop risk and remediation action

    90 minutes

    Input: List of remediation options

    Output: List of remediation options sorted into “when to use” and “when to avoid” lists

    Materials: Whiteboard/flip charts, Vulnerability Management SOP Template

    Participants: IT Security Manager, IT Infrastructure Manager, IT Operations Manager, Corporate Risk Officer, CISO

    It is important to define and document your organization-specific criteria for when a remediation option is appropriate and inappropriate.

    1. List each remediation option on a flip chart and create two headings: “When to use” and “When to avoid.”
    2. Each person will list “when to use” criteria on a green sticky note and “when to avoid” criteria on a red one for each option; these will be placed on the appropriate flip chart.
    3. Discuss as a group which criteria are appropriate and which should be removed.
    4. Move on to the next remediation option when completed.
      • Ensure to include when there are remediation options that will be connected. For example, the risk may be accepted until the next available change window, or a defense-in-depth control is used before a patch can be fully installed.
    5. Once the criteria has been established, document this in the Vulnerability Management SOP Template.
    When to use:
    • When adequate testing can be performed on the patch to be implemented.
    • When there is a change window approaching, especially for critical systems.
    • When there is standardization across the IT assets to allow for easier installation of patches.
    		 When to avoid:
    • When the patch cannot be adequately tested.
    • When a patch has been tested, but it has caused an unfavorable consequence such as a system or application failure.
    • When there is no near change window in which to install the patches.
    (Example from the Vulnerability Management SOP Template for Patches.)

    Download the Vulnerability Management SOP Template

    Step 3.2

    Scheduling and executing remediation

    Activities

    None for this section.

    This step will walk you through the following activities:

    Although there are no specific activities for this section, it will walk you through your existing processes configuration and change management to ensure that you are leveraging those activities in your vulnerability remediation actions.

    This step involves the following participants:

    • IT Security Manager
    • SecOps team members
    • ITOps team members, including tiers 1, 2, and 3
    • CISO
    • CIO

    Outcomes of this step

    Gained understanding of how IT operations processes configuration and change management can be leveraged for the vulnerability remediation process. Don’t reinvent the wheel!

    Remediate vulnerabilities
    Step 3.1 Step 3.2 Step 3.3

    Implementing the remediation

    Vulnerability management converges with your IT operations functions.
    • Once a remediation strategy has been formulated, you can leverage your release and change management processes to orchestrate the testing, version tracking, scheduling, approval, and implementation activities.
    • Each of these processes should exist in your environment in some form. Leveraging these will engage the IT operations team to carry out their tasks in the remediation process.
    • There can be a partial or full handoff to these processes, however, the owner of the vulnerability management program is responsible for verifying the application of the remediation measure and that the overall risk has been reduced.
    • Although full blueprints exist that cover each of these processes in great detail, the following slides provide an overview of each of these IT operations processes and how they intersect with vulnerability management.
    		 Stock image of a person on a laptop overlaid by an icon with gears indicating settings.

    Release Management

    Control the quality of deployments and releases of software updates.

    • The release management process exists to ensure that new software releases (such as patches and updates) are properly tested and documented with version control prior to their implementation into the production environment.
    • The process should map out the logistics of the deployment process to ensure that it is consistent and controlled.
    • Testing is an important part of release management and the urgency of a vulnerability remediation operation can expedite this process to ensure minimal delays. Once testing has been completed successfully, the update is then “promoted” to production-ready status and submitted into the change management process.
    • Often a separate release team may not exist, however, release management still occurs.

    For guidance on implementing or improving your release management process, refer to Info-Tech’s Stabilize Release and Deployment Management blueprint or speak to one of our experts.

    Info-Tech Insight

    Many organizations don’t have a separate release team. Rather, whomever is doing the deployment will submit a change request and the testing details are vetted through the organization’s change management process.

    For guidance on the change management process review our Optimize Change Management blueprint.

    Change Management

    Leverage change control, interruption management, approval, and scheduling.
    • Change management likely exists in some shape or form in your organization. There is usually someone or a committee, such as a change advisory board (CAB), that gives approval for a change.
    • Leveraging the change management process will ensure that your vulnerability remediation has undergone the proper review and approval before implementation. There will usually be business sign-off as part of a change management approval process.
    • Communication will also be integrated in the change management process, so the change manager will ensure that appropriate, timely communications are sent to the proper key stakeholders.
    • The change management process will link to release management and configuration management processes if they exist.

    For further guidance on implementing or improving your change management process, refer to Info-Tech’s Optimize Change Management blueprint or speak to one of our experts.

    		 “With no controls in place, IT gets the blame for embarrassing outages. Too much control, and IT is seen as a roadblock to innovation.” (VP IT, Federal Credit Union)

    Post-implementation activities

    Vulnerability remediation isn’t a “set it and forget it” activity.
    • Once vulnerability remediation has occurred, it is imperative that the results are reported back to the vulnerability management program manager. This ensures that the loop is closed and the tracking of the remediation activity is done properly.
      • Organizations that are subject to audit by external entities will understand the importance of such documentation.
    • The results of post-implementation review from the change management process will be of great interest, particularly if there was any deviation from the planned activities.
    • Although change execution will usually undergo some form of testing during the maintenance window, there is always the possibility that something has broken as a result of the software update. Be quick to respond to these types of incidents!
      • One example of an issue that is near impossible to test during a maintenance window is one that manifests only when the system or software comes under load. This is what makes for busy Monday mornings after a weekend change window.
    		 A scan with your vulnerability management software after remediation can be a way to verify that the overall risk has been reduced, if remediation was done by way of patching/updates.

    Info-Tech Insight

    After every change completion, whether due to vulnerability remediation or not, it is a good idea to ensure that your infrastructure team increases its monitoring diligence and that your service desk is ready for any sudden influx of end-user calls.

    Step 3.3

    Continuous improvement

    Activities

    None for this section.

    This step will walk you through the following activities:

    Although this section has no activities, it will review the process by which you may continually improve vulnerability management.

    This step involves the following participants:

    • IT Security Manager
    • SecOps team members
    • ITOps team members, including tiers 1, 2, and 3
    • CISO
    • CIO

    Outcomes of this step

    An understanding of the importance of ongoing improvements to the vulnerability management program.

    Remediate vulnerabilities
    Step 3.1 Step 3.2 Step 3.3

    Drive continuous improvement

    • Also known as “Continual Improvement” within the ITIL best practice framework.
    • Your vulnerability management program will not be perfect on first launch. In fact, due to the ever-changing nature of vulnerabilities and the technology designed to detect and combat vulnerabilities, the processes within your vulnerability management program will need to be tweaked from time to time.
    • Continuous improvement is a sustained, proactive approach to process improvement. The practice allows for all process participants to observe and suggest incremental improvements that can help improve the overall process.
    • In many cases, continuous improvement can be triggered by changes in the environment. This makes perfect sense for vulnerability management process improvement as a change in the environment will require vulnerability scanning to ensure that such changes have not introduced new vulnerabilities into the environment, increasing your risk surface.
    • One key method to tracking continuous improvement is through the effective use of metrics, covered in Section 4.1 of this blueprint.
    		 “The success rate for continual improvement efforts is less than 60 percent. A major – if not the biggest – factor affecting the deployment of long-term continual improvement initiatives today is the fundamental change taking place in the way companies manage and execute work.” (Industry analyst at a consulting firm, 2014)

    Continuous Improvement

    Continuously re-evaluate the vulnerability management process.

    As your systems and assets change, your vulnerability management program may need updates in two ways.

    When new assets and systems are introduced:

    • When new systems and assets are introduced, it is important for organizations to recognize how these can affect vulnerability management.
    • It will be necessary to identify the business criticality of the new assets and systems and the sensitivity of the data that can be found on them.
    • Without doing so, these will be considered rogue systems or assets – there is no clear process for assigning urgencies.
    • This will only cause problems as actions may be taken that are not aligned with the organization’s risk management framework.

    Effective systems and asset management are needed to track this. Review Info-Tech’s Implement Systems Management to Improve Availability and Visibility blueprint for more help.

    Document any changes to the vulnerability management program in the Vulnerability Management SOP Template.

    When defense-in-depth capabilities are modified:

    • As you build an effective security program, more controls will be added that can be used to protect the organization.
    • These should be documented and evaluated based on ability to mitigate against vulnerabilities.
    • The defense-in-depth model that was previously established should be updated to include the new capabilities that can be used.
    • Defense-in-depth models are continually evolving as the security landscape evolves, and organizations must be ready for this.

    To assist in building a defense-in-depth model, review Build an Information Security Strategy.

    Implement Risk-Based Vulnerability Management

    Phase 4

    Measure and formalize

    Phase 1

    1.1 What is vulnerability management?
    1.2 Define scope and roles
    1.3 Cloud considerations for vulnerability management
    1.4 Vulnerability detection

    		  

    Phase 2

    2.1 Triage vulnerabilities
    2.2 Determine high-level business criticality
    2.3 Consider current security posture
    2.4 Risk assessment of vulnerabilities
     

    Phase 3

    3.1 Assessing remediation options
    3.2 Scheduling and executing remediation
    3.3 Continuous improvement

    		  

    Phase 4

    4.1 Metrics, KPIs & CSFs
    4.2 Vulnerability management policy
    4.3 Select and implement a scanning tool
    4.4 Penetration testing

    This phase will walk you through the following activities:

    • You will determine what ought to be measured to track the success of your vulnerability management program.
    • If you lack a scanning tool this phase will help you determine tool selection.
    • Lastly, penetration testing is a good next step to consider once you have your vulnerability management program well underway.

    This phase involves the following participants:

    • IT Security Manager
    • SecOps team members
    • Procurement representatives
    • CISO
    • CIO

    Step 4.1

    Metrics, Key Performance Indicators (KPIs), and Critical Success Factors (CSFs)

    Activities
    • 4.1.1 Measure your program with metrics, KPIs, and CSFs

    This step will walk you through the following activities:

    After a review of the differences between raw metrics, key performance indicators (KPI), and critical success factors (CSF), compile a list of what metrics you will be tracking, why, and the business goals for each.

    This step involves the following participants:

    • IT Security Manager
    • SecOps team members
    • CISO
    • CIO

    Outcomes of this step

    Outline of metrics you can configure your vulnerability scanning tool to report on.

    Measure and formalize
    Step 4.1 Step 4.2 Step 4.3 Step 4.4

    You can’t manage what you can’t measure

    Metrics provides visibility.

    • Management consultant Peter Drucker introduced the concept of metrics tied to key performance indicators (KPIs), and the concept holds true: without metrics, you lack the visibility to manage or improve a process.
    • Metrics aren’t just a collection of statistics, they have to be meaningful, they have to tell the story, and most importantly, they have to answer the “so what?” question. What is the significance of a metric – do they illustrate a trend or an anomaly? What actions should be carried out when a metric hits a certain threshold?
    • It would be prudent to track several metrics that can be combined to tell the full story. For example, tracking the number of critical vulnerabilities alone does not give a sense of the overall risk to the organization, nor does it offer any information on how quickly they have been remediated or what amount of effort was invested.
    		 Stock image of measuring tape.

    Metrics, KPIs, and CSFs

    Tracking the right information and making the information relevant.
    • There is often confusion between raw metrics, key performance indicators, and critical success factors.
    • Raw metrics are what is trackable from your systems and processes as a set of measurements without any context. Raw metrics in themselves are useful in telling the story of “what are we doing?”
    • KPIs are the specific metric or combination of metrics that help you track or gauge performance. KPIs tell the story of “how are we doing?” or “how well are we doing?”
    • CSFs are the specific KPIs that track the activities that are absolutely critical to accomplish for the business or business unit to be successful.
    		 The activity tracker on your wrist is a wealth of metrics, KPIs, and CSFs.

    If you wear an activity tracker, you are likely already familiar with the differences between metrics, key performance indicators, and critical success factors:

    • The raw metrics are your heart rate, step count, hours of sleep, caloric intake, etc.
    • KPIs are the individual goals that you have set: maintain a heart rate within the appropriate range for your age/activity level, achieve a step count goal per day, get x hours of sleep per night, consume a calorie range of y per day, etc.
    • CSFs are your overall goal: increase your cardiovascular capacity, lose weight, feel more energetic, etc.

    Your security systems can be similarly measured and tracked – transfer this skill!

    Tracking relevant information

    Tell the story in the numbers.

    Below are a number of suggested metrics to track, and why.

    Business Goal

    Critical Success Factor

    Key Performance Indicator

    Metric to track
    Minimize overall risk exposure Reduction of overall risk due to vulnerabilities Decrease in vulnerabilities Track the number of vulnerabilities year after year.
    Appropriate allocation of time and resources Proper prioritization of vulnerability mitigation activities Decrease of critical and high vulnerabilities Track the number of high-urgency vulnerabilities.
    Consistent timely remediation of threats to the business Minimize risk when vulnerabilities are detected Remediate vulnerabilities more quickly Mean time to detect: track the average time between the identification to remediation.
    Track effectiveness of scanning tool Minimize the ratio, indicating that the tool sees everything Ratio between known assets and what the scanner tracks Scanner coverage compared to known assets in the organization.
    Having effective tools to track and address Accuracy of the scanning tool Difference or ratio between reported vulnerabilities and verified ones Number of critical or high vulnerabilities verified, between the scanning tool’s criticality rating and actual criticality.
    Reduction of exceptions to ensure minimal exposure Visibility into persistent vulnerabilities and risk mitigation measures Number of exceptions granted Number of vulnerabilities in which little or no remediation action was taken.

    4.1.1 Measure your program with metrics, KPIs, and CSFs

    60 minutes

    Input: List of metrics current being measured by the vulnerability management tool

    Output: List of relevant metrics to track, and the KPIs, CSFs, and business goals related to the metric

    Materials: Whiteboard/flip charts, Vulnerability Management SOP Template

    Participants: IT Security Manager, IT operations management, CISO

    Metrics can offer a way to view how the organization is dealing with vulnerabilities and if there is improvement.

    1. Determine the high-level vulnerability management goals for the organization.
    2. Even with a formal process in place, the organization should be considering ways it can improve.
    3. Determine metrics that can help quantify those goals and how they can be measured.
    4. Metrics should always be easy to measure. If it’s a complex process to find the information required, it means that it is not a metric that should be used.
    5. Document your list of metrics in the Vulnerability Management SOP Template.

    Download the Vulnerability Management SOP Template

    Step 4.2

    Vulnerability Management Policy

    Activities
    • 4.2.1 Update the vulnerability management program policy

    This step will walk you through the following activities:

    If you have a vulnerability management policy, this activity may help augment it. Otherwise, if you don’t have one, this would be a great starting point.

    This step involves the following participants:

    • IT Security Manager
    • CISO
    • CIO
    • Human resources representative

    Outcomes of this step

    An inaugural policy covering vulnerability management

    Measure and formalize
    Step 4.1 Step 4.2 Step 4.3 Step 4.4

    Vulnerability Management Program Policy

    Policies provide governance and enforcement of processes.
    • Policies offer formal guidance on the “rules” of a program, describing its purpose, scope, detailed program description, and consequences of non-compliance. Often they will have a employee sign-off acknowledging understanding.
    • In many organizations, policies are endorsed by senior executives, which gives the policy its “teeth” across the company. The human resources department will always have input due to the implications of the non-compliance aspect.
    • Policies are written to ensure an outcome of consistent expected behavior and are often written to protect the company from liability.
    • Policies should be easy to understand and unambiguous, reflect the current state, and be enforceable. Enforceability can come in the form of audit, technology, or any other means of determining compliance and enforcing behavior.
    		 Stock image of a judge's gavel.

    4.2.1 Update the vulnerability management policy

    60 minutes

    Input: Vulnerability Management SOP, HR guidance on policy creation and approval

    Output: Completed Vulnerability Management Policy

    Materials: Vulnerability Management SOP, Vulnerability Management Policy Template

    Participants: IT Security Manager, IT operations management, CISO, Human resources representative

    After having built your entire process in this project, formalize it into a vulnerability management policy. This will set the standards and expectations for vulnerability management in the organization, while the process will be around the specific actions that need to be taken around vulnerability management.

    This is separate and distinct from the Vulnerability Management SOP Template, which is a process and procedure document.
    1. Review Info-Tech’s Vulnerability Management Policy and customize it to your organization’s specifications.
    2. Use your Vulnerability Management SOP as a resource when specifying some of the details within the policy.
    		 Sample of Info-Tech's Vulnerability Management Policy Template

    Download the Vulnerability Management Policy Template

    Step 4.3

    Select and implement a scanning tool

    Activities
    • 4.3.1 Create an RFP for vulnerability scanning tools

    This step will walk you through the following activities:

    If you need to select a new vulnerability scanning tool, or replace your existing one, this activity will help set up a request for proposal (RFP).

    This step involves the following participants:

    • IT Security Manager
    • SecOps team members
    • CISO

    Outcomes of this step

    The provisions needed for you to create and deploy an RFP for a vulnerability management tool.

    Measure and formalize
    Step 4.1 Step 4.2 Step 4.3 Step 4.4

    Vulnerability management and penetration testing

    Similar in nature, yet provide different security functions.

    Vulnerability Scanning Tools

    Scanning tools focus on the network and operating systems. These tools look for items such as missing patches or open ports. They won’t detect specific application vulnerabilities.

    		 Exploitation Tools

    These tools will look to exploit a detected vulnerability to validate it.

    		 Penetration Tests

    A penetration test simulates the actions of an external or internal cyber attacker that aims to breach the information security of the organization. (Formal definition of penetration test)
    ‹————— What’s the difference again? —————›
    Vulnerability scanning tools are just one type of tool. When you add an exploitation tool to the mix, you move down the spectrum. Penetration tests will use scanning tools, exploitation tools, and people.

    What is the value of each?

    • For vulnerability scans, the person performing the scan provides the value – value comes from the organization itself.
    • For exploitation tools on their own, the value comes from the tool itself being used in a safe environment.
    • For penetration tests, the tester is providing the value. They are the value add.

    What’s the implication for me?

    Info-Tech Recommends:
    • A combination of vulnerability scanning and penetration testing. This will improve your security posture through systematic risk reduction and improve your security program through the testing of prevention, detection, and response capabilities with unique recommendations being generated.
    • Start with as much vulnerability scanning as possible to identify gaps to fix and then move onto a penetration test to do a more robust and validated assessment.
    • For penetration tests, start with a transparent box test first, then move to an opaque box. Ideally, this is done with different third parties.

    Vulnerability scanning software

    All organizations can benefit from having one.

    Scanning tools will benefit areas beyond just vulnerability management

    • Network security: It improves the accuracy and granularity of your network security technologies such as WAFs, NGFWs, IDPS, and SIEM.
    • Asset management: Vulnerability scanning can identify new or unknown assets and provide current status information on assets.
    • System management: Information from a vulnerability scan supports baselining activities and determination of high-value and high-risk assets.

    Vulnerability Detection Use Case

    Most organizations use scanners to identify and assess system vulnerabilities and prioritize efforts.

    Compliance Use Case

    Others will use scanners just for compliance, auditing, or larger GRC reasons.

    Asset Discovery Use Case

    Many organizations will use scanners to perform active host and application identification.

    Scanning Tool Market Trends

    Vulnerability scanning tools have expanded value from conventional checking for vulnerabilities to supporting configuration checking, asset discovery, inventory management, patch management, SSL certificate validation, and malware detection.

    Expect to see network and system vulnerability scanners develop larger vulnerability management functions and develop exploitation tool functionality. This will become a table stakes option enabling organizations to provide higher levels of validation of detected vulnerabilities. Some tools already possess these capabilities:

    • Core Impact is an exploitation tool with vulnerability scanning aspects.
    • Metasploit is an exploitation tool with some new vulnerability scanning aspects.
    • Nessus is mainly a vulnerability scanning tool but has some exploitation aspects.

    Device proliferation (BYOD, IoT, etc.) is increasing the need for stronger vulnerability management and scanners. This is driving the need for numerous device types and platform support and the development of baseline and configuration norms to support system management.

    Increased regulatory or compliance controls are also stipulating the need for vulnerability scanning, especially by a trusted third party.

    Organizations are outsourcing security functions or moving to cloud-based deployment options for any security technology they can. Expect to see massive growth of vulnerability scanning as a service.

    Vulnerability scanning market

    There are several technology types or functional differentiators that divide the market up.

    Vulnerability Exploitation Tools

    • These will actually test defences and better emulate real life than just scanning. These tools include packet manipulation tools (such as hping) and password cracking tools (such as John the Ripper or Cain and Abel).
    • These tools will provide much more granular information on your network, operations systems, and applications.
    • The main limitation of these tools is how to use them. If you do not have development or test environments that mimic your real production environments to run the exploit tools, these tools may not be appropriate. It may work if you can find some downtime on production systems, but only in very specific and careful instances.
    • Lower maturity security programs usually just do network and application vulnerability scanning. Higher maturity programs will also use penetration testing, application testing, and vulnerability exploitation tools.
    • Network vulnerability scanning tools should always be used. Once you identify any servers or ports running web applications, then you run a web application vulnerability scanner.
    • Exploitation tools and application testing tools are used in more specific use cases that are often related to more-demanding security programs.

    Scanning Tool Market Trends

    • These are considered baseline tools and are near commoditization.
    • Vulnerability scanning tools are not granular enough to detect application-level vulnerabilities (thus the need for application scanners and testing tools) and they don’t validate the exploitability of the vulnerability (thus the need for exploit tools).

    Web Application Scanning Tools

    These tools perform dynamic application security testing (DAST) and static application security testing (SAST).

    Application Scanning and Testing Tools

    • These perform a detailed scan against an application to detect any problematic or malicious code and try to break the application using known vulnerabilities.
    • These tools will identify if something is vulnerable to an exploit but won’t actually run the exploit.
    • These tools are evaluated based on their ability to detect application-specific issues and validate them.

    Vulnerability scanning tool features

    Evaluate vulnerability scanning tools on specific features or functions that are the best differentiators.

    Differentiator

    Description
    Deployment Options Do you want a traditional on-premises, cloud-based, or managed service?
    Vulnerability Database Coverage Scanners use a library of known vulnerabilities to test for. Evaluate based on the amount of exploits/vulnerabilities the tool can scan for.
    Scanning Method Evaluate if you want agent-based, authenticated active, unauthenticated active, passive, or some combination of those scanning methods.
    Integration What is the breadth of other security and non-security technologies the tool can integrate with?
    Remediation How detailed are the recommended remediation actions? The more granular, the better.
    		 

    Differentiator

    Description
    Prioritization Does the tool evaluate vulnerabilities based on commonly accepted methods or through a custom-designed prioritization methodology?
    Platform Support What is the breadth of environment, application, and device support in the tool? Consider your need for virtual support, cloud support, device support, and application-specific support. Also consider how often new scanning modules are supported (e.g. how quickly Windows 10 was supported).
    Pricing As with many security controls that have been around for a long time and are commonly used, pricing becomes a main consideration, especially when there are so many open-source options available.

    Common areas people mistake as tool differentiators:

    • Accuracy – Scanning tools are evaluated more on efficiency than effectiveness. Evaluate on the ability to detect, remediate, and manage vulnerabilities rather than real vulnerability detection and the number of false positives. To reduce false positives, you need to use exploitation tools.
    • Performance – Scanning tools have such a small footprint in an environment and the actual scanning itself is such a small impact that evaluation on performance doesn’t matter.

    For more information on vulnerability scanning tools and how they rate, review the Vulnerability Management category on SoftwareReviews.

    Vulnerability scanning deployment options

    Understand the different deployment options to identify which is best for your security program.

    Option

    Description

    Pros

    Cons

    Use Cases
    On-Premises Either an on-premises appliance or an on-premises virtualized machine that performs external and internal scanning.
    • Small resource need, so limited network impact.
    • Strong internal scanning.
    • Easier integration with other technologies.
    • Network footprint and resource usage.
    • Maintenance and support costs.
    • Most common deployment option.
    • Appropriate if you have cloud concerns or strong internal network scanning, or if you require strong integration with other systems.
    Cloud Either hosted on a public cloud infrastructure or hosted by a third party and offered “as a service.”
    • Small network footprint.
    • On-demand scanning as needed.
    • Optimal external scanning capabilities.
    • Can only do edge-related scanning unless authenticated or agent based.
    • No internal network scanning with passive or unauthenticated active scanning methods.
    • Very limited network resources.
    • Compliance obligations that dictate external vulnerability scanning.
    Managed A third party is contracted to manage and maintain your vulnerability scanner so you can dedicate resources elsewhere.
    • Expert management of environment scanning, optimizing tool usage.
    • Most scanning work time is report customization and tuning and remediation efforts; thus, managed doesn’t provide sizable resource alleviation.
    • Third party has and owns the vulnerability information.
    • Limited staff resources or expertise to maintain and manage scanner.

    Vulnerability scanning methods

    Understand the different scanning methods to identify which tool best supports your needs.

    Method

    Description

    Pros

    Cons

    Use Cases
    Agent-Based Scanning Locally installed software gives the information needed to evaluate the security posture of a device.
    • Provides information that can’t be discovered remotely such as installed applications that aren’t running at a given time.
    • Device processing, memory, and network bandwidth impact.
    • Asset without an agent is not scanned.
    • Need for continuous scanning.
    • Organization has strong asset management
    Authenticated Active Scanning Tool uses authenticated credentials to log in to a device or application to perform scanning.
    • Provides information that can’t be discovered remotely such as installed applications that aren’t running at a given time.
    • Best accuracy for vulnerability detection across a network.
    • Aggregation and centralization of authenticated credentials creates a major risk.
    • All use cases.
    Unauthenticated Active Scanning Scanning of devices without any authentication.
    • Emulates realistic scan by an attacker.
    • Provides limited scope of scanning.
    • Some compliance use cases.
    • Perform after either agent or authenticated scanning.
    Passive Scanning Scanning of network traffic.
    • Lowest resource impact.
    • Not enough information can be provided for true prioritization and remediation.
    • Augmenting scanning technique to agent or authenticated scanning.

    IP Management and IPv6

    IP management and the ability to manage IPv6 is a new area for scanning tool evaluation.

    Scanning on IPv4

    Scanning tools create databases of systems and devices with IP addresses.
    Info-Tech Recommends:

    • It is easier to do discovery by directing the scanner at a set IP address or range of IP addresses; thus, it’s useful to organize your database by IPs.
    • Do discovery by phases: Start with internet-facing systems. Your perimeter usually is well-defined by IP addresses and system owners and is most open to attack.
    • Stipulate a list of your known IP addresses through the DHCP registration and perform a scan on that.
    • Depending on your IP address space, another option is to scan your entire IP address space.

    Current Problem With IP Addresses

    IP addresses are becoming no longer manageable or even owned by organizations. They are often provided by ISPs or other third parties.

    Even if it is your range, chances are you don't do static IP ranges today.

    Info-Tech Recommends:

    • Agent-based scanning or MAC address-based scanning
    • Use your DHCP for scanning

    Scanning on IPv6

    First, you need to know if your organization is moving to IPv6. IPv6 is not strategically routed yet for most organizations.

    If you are moving to IPv6, Info-Tech recommends the following:

    • Because you cannot point a scanner at an IPv6 IP range, any scanning tool needs to have a strategy around how to handle IPv6 and properly scan based on IP ranges.
    • You need to know IPv4 to IPv6 translations.
    • Evaluate vulnerability scanning tools on whether any IPv6 features are on par with IPv4 features.

    If you are already on IPv6, Info-Tech recommends the following:

    • If you are on an IPv6 native network, it is nearly impossible to scan the network. You have to always scan your known addresses from your DHCP.

    4.3.1 Create an RFP for vulnerability scanning tools

    2 hours

    Input: List of key feature requirements for the new tool, List of intersect points with current software, Network topology and layout of servers and applications

    Output: Completed RFP document that can be distributed to vendor proponents

    Materials: Whiteboard/flip charts, Vulnerability Scanning Tool RFP Template

    Participants: IT Security Manager, IT operations managers, CISO, Procurement department representative

    Use a request for proposal (RFP) template to convey your desired scanning tool requirements to vendors and outline the proposal and procurement steps set by your organization.

    1. Determine what kind of requirements will be needed for your scanning tool RFP, based on people, process, and technology requirements.
    2. Consider items such as the desired capabilities and the scope of the scanning.
    3. Conduct interviews with relevant stakeholders to determine the exact requirements needed.
    4. Use Info-Tech’s Vulnerability Scanning Tool RFP Template. It lists many requirements but can be customized to your organization’s specific needs.

    Download the Vulnerability Scanning Tool RFP Template

    4.3.1 Create an RFP for vulnerability scanning tools (continued)

    Things to Consider:
    • Ensure there is adequate resource dedication to support and maintenance for vulnerability scanning.
    • Consider if you will benefit from an RFP. If there is a more appropriate option for your need and your organization, consider that instead.
    • If you don’t know the product you want, then perform an RFI.
    • In the RFP, you need to express your driving needs for the tool so the vendor can best understand your use case.
    • Identify who should participate in the RFP creation and evaluation. Make sure they have time available and it does not conflict with other items.
    • Determine if you want to send it to a select few or if you want to send it to a lot of vendors.
    • Determine a response date so you can know who is soliciting your business.
    • You need to have a process to handle questions from vendors.
    		 Info-Tech RFP Table of Contents:
    1. Statement of Work
    2. General Information
    3. Proposal Preparation Instructions
    4. Scope of Work, Specifications, and Requirements
    5. Vendor Qualifications and References
    6. Budget and Estimated Pricing
    7. Vendor Certification

    Download the Vulnerability Scanning Tool RFP Template

    Step 4.4

    Penetration testing

    Activities
    • 4.1.1 Create an RFP for penetration tests

    This step will walk you through the following activities:

    We will review penetration testing, its distinction from vulnerability management, and why you may want to engage a penetration testing service.

    We provide a request for proposal (RFP) template that we can review if this is an area of interest.

    This step involves the following participants:

    • IT Security Manager
    • SecOps team members
    • CISO
    • CIO

    Outcomes of this step

    An understanding of penetration testing, and guidance on how to get started if there is interest to do so.

    Measure and formalize
    Step 4.1 Step 4.2 Step 4.3 Step 4.4

    Penetration testing

    Penetration tests are critical parts of any strong security program.

    Penetration testing will emulate the methods an attacker would use in the real world to circumvent your security controls and gain access to systems and data.

    Penetration testing is much more than just running a scanner or other automated tools and then generating a report. Penetration testing performs critical exploit validation to create certainty around your vulnerability.

    The primary objective of a penetration test is to identify and validate security weaknesses in an organization’s security systems.

    Reasons to Test:

    • Assess current security control effectiveness
    • Develop an action plan of items
    • Build a business case for a better security program
    • Increased security budget through vulnerability validation
    • Third-party, unbiased validation
    • Adhere to compliance or regulatory requirements
    • Raise security awareness
    • Demonstrate how an attacker can escalate privileges
    • Effective way to test incident response

    Regulatory Considerations:

    • There is a lot of regulatory wording saying that organizations can’t get a system that is managed, integrated, and supported by one vendor and then have it tested by the same vendor.
    • There is the need for separate third-party testing.
    • Penetration testing is required for PCI, cloud providers, and federal entities.

    How and where is the value being generated?

    Penetration testing is a service provided by trained and tested professionals with years of experience. The person behind the test is the most important part of the test. The person is able to emulate a real-life attacker better than any computer. It is just a vulnerability scan if you use tools or executables alone.

    “A penetration test is an audit with validation.” (Joel Shapiro, Vice President Sales, Digital Boundary Group)

    Start by considering the spectrum of penetration tests

    Network Penetration Tests

    Conventional testing of network defences.

    Testing vectors include:

    • Perimeter infrastructure
    • Wireless, WEP/WPA cracking
    • Cloud penetration testing
    • Telephony systems or VoIP
    Types of tests:
    • Denial-of-service testing
    • Out-of-band attacks
    • War dialing
    • Wireless network testing/war driving
    • Spoofing
    • Trojan attacks
    • Brute force attacks
    • Watering hole attacks
    • Honeypots
    • Cloud-penetration testing
    		 Application Penetration Tests

    Core business functions are now being provided through web applications, either to external customers or to internal end users.

    Types: Web apps, non-web apps, mobile apps

    Application penetration and security testing encompasses:

    • Code review – analyzing the application code for sensitive information of vulnerabilities in the code.
    • Authorization testing – testing systems responsible for user session management to see if unauthorized access can be permitted.
    • Authentication process for user testing.
    • Functionality testing – test the application functionality itself.
    • Website pen testing – active analysis of weaknesses or vulnerabilities.
    • Encryption testing – testing things like randomness or key strength.
    • User-session integrity testing.
    		 Human-Centric Testing
    • Penetration testing is developing a people aspect as opposed to just being technology focused.
    • End users and their susceptibility to social engineering attacks (spear phishing, phone calls, physical site testing, etc.) is now a common area to test.
    • Social engineering penetration testing is not only about identifying your human vulnerabilities, but also about proactively training your end users. As well as discovering and fixing potential vulnerabilities, social engineering penetration testing will help to raise security awareness within an organization.

    Info-Tech Insight

    Your pen test should use multiple methods. Demonstrating weakness in one area is good but easy to identify. When you blend techniques, you get better success at breaching and it becomes more life-like. Think about prevention, detection, and response testing to provide full insight into your security defenses.

    Penetration testing types

    Evaluate four variables to determine which type of penetration test is most appropriate for your organization.

    Evaluate these dimensions to determine relevant penetration testing.

    Network, Application, or Human

    Evaluate your need to perform different types of penetration testing.

    Some level of network and application testing is most likely appropriate.

    The more common decision point is to consider to what degree your organization requires human-centric penetration testing.

    External or Internal

    External: Attacking an organization’s perimeter and internet-facing systems. For these, you generally provide some level of information to the tester. The test will begin with publicly available information gathering followed by some kind of network scanning or probing against externally visible servers or devices (DNS server, email server, web server, firewall, etc.)

    Internal: Carried out within the organization’s network. This emulates an attack originating from an internal point (disgruntled employee, authorized user, etc.). The idea is to see what could happen if the perimeter is breached.

    Transparent, Semi-Transparent, or Opaque Box

    Opaque Box: The penetration tester is not provided any information. This emulates a real-life attack. Test team uses publicly available information (corporate website, DNS, USENET, etc.) to start the test. These tests are more time consuming and expensive. They often result in exploitation of the easiest vulnerability.
    Use cases: emulating a real-life attack; testing detection and response capabilities; limited network segmentation.

    Transparent Box: Tester is provided full disclosure of information. The tester will have access to everything they need: building floor plans, data flow designs, network topology, etc. This represents what a credentialed and knowledgeable insider would do.
    Use cases: full assessment of security controls; testing of attacker traversal capabilities.

    Aggressiveness of the Test

    Not Aggressive: Very slow and careful penetration testing. Usually spread out in terms of packets being sent and number of calls to individuals. It attempts to not set off any alarm bells.

    Aggressive: A full DoS attack or something similar. These would be DoS attacks that take down systems or full SQL injection attacks all at once versus small injections over time. Testing options cover anything including physical tests, network tests, social engineering, and data extraction and exfiltration. This is more costly and time consuming.

    Assessing Aggressiveness: How aggressive the test should be is based on the threats you are concerned with. Assess who you are concerned with: random individuals on the internet, state-sponsored attacks, criminals, hacktivists, etc. Who you are concerned with will determine the appropriate aggressiveness of the test.

    Penetration testing scope

    Establish the scope of your penetration test before engaging vendors.

    Determining the scope of what is being tested is the most important part of a penetration test. Organizations need to be as specific as possible so the vendor can actually respond or ask questions.

    Organizations need to define boundaries, objectives, and key success factors.

    For scope:
    • If you go too narrow, the realism of the test suffers.
    • If you go too broad, it is more costly and there’s a possible increase in false positives.
    • Balance scope vs. budget.
    		 Boundaries to scope before a test:
    • IP addresses
    • URLs
    • Applications
    • Who is in scope for social engineering
    • Physical access from roof to dumpsters defined
    • Scope prioritized for high-value assets
    		 Objectives and key success factors to scope:
    • When is the test complete? Is it at the point of validated exploitation?
    • Are you looking for as many holes as possible, or are you looking for how many ways each hole can be exploited?

    What would be out of scope?

    • Are there systems, IP addresses, or other things you want out of scope? These are things you don’t explicitly want any penetration tester to touch.
    • Are there third-party connections to your environment that you don’t want to be tested? These are instances such as cloud providers, supply chain connections, and various services.
    • Are there things that would be awkward to test? For example, determine if you include high-level people in a social engineering test. Do you conduct social engineering for the CEO? If you get their credentials, it could be an awkward moment.

    Ways to break up a penetration test:

    • Location – This is the most common way to break up a penetration test.
    • Division – Self-contained business units are often done as separate tests so you can see how each unit does.
    • IT systems – For example, you put certain security controls in a firewall and want to test its effectiveness.
    • Applications – For example, you are launching a new website or a new portal and you want to test it.

    Penetration testing appropriateness

    Determine your penetration testing appropriateness.

    Usual instances to conduct a penetration test:
    • Setting up a new physical office. Penetration testing will not only test security capabilities but also resource availability and map out network flows.
    • New infrastructure hardware implemented. All new infrastructure needs to be tested.
    • Changes or upgrades to existing infrastructure. Need for testing varies depending on the size of the change.
    • New application deployment. Need to test before being pushed to production environments.
    • Changes or upgrades to existing applications. When fundamental functional changes occur, perform testing:
      • Before upgrades or patching
      • After upgrades or patching
    • Periodic testing. It is a best practice to periodically test your security control effectiveness. Consider at least an annual test.

    Specific timing considerations: Testing should be completed during non-production times of day. Testing should be completed after a backup has been performed.

    		 Assess your threats to determine your appropriate test type:

    Penetration testing is about what threats you are concerned about. Understand your risk profile, risk tolerance level, and specific threats to see how relevant penetration tests are.

    • Are external attackers concerning to you? Are you distressed about how an attacker can use brute force to enter your network? If so, focus on ingress points, such as FWs, routers, and DMZ.
    • Is social engineering a concern for you (i.e. phone-based or email-based)? Then you are concerned about a credentialed hacker.
    • Is it an insider threat, a disgruntled employee, etc.? This also includes an internal system that is under command and control (C&C).

    ANALYST PERSPECTIVE: Do a test only after you take a first pass.
    If you have not done some level of vulnerability assessment on your own (performing a scan, checking third-party sources, etc.) don’t waste your money on a penetration test. Only perform a penetration test after you have done a first pass and identified and remediated all the low-hanging fruit.

    4.4.1 Create an RFP for penetration tests

    2 hours

    Input: List of criteria and scope for the penetration test, Systems and application information if white box

    Output: Completed RFP document that can be distributed to vendor proponents

    Materials: Whiteboard/flip charts, Penetration Test RFP Template

    Participants: IT Security Manager, IT operations managers, CISO, Procurement department representative

    Use an RFP template to convey your desired penetration test requirements to vendors and outline the proposal and procurement steps set by your organization.

    1. Determine what kind of requirements will be needed for your penetration test RFP based on people, process, and technology requirements.
      • Consider items such as your technology environment and the scope of the penetration tests.
    2. Conduct an interview with relevant stakeholders to determine the exact requirements needed.
    3. Use Info-Tech’s Penetration Test RFP Template, which lists many requirements but can be customized to your organization’s specific needs.

    Download the Penetration Test RFP Template

    4.4.1 Create an RFP for penetration tests (continued)

    Steps of a penetration test:
    1. Determine scope
    2. Gather targeted intelligence
    3. Review exploit attempts, such as access and escalation
    4. Test the collection of sensitive data
    5. Run reporting
    		 Info-Tech RFP Table of Contents:
    1. Statement of Work
    2. General Information
    3. Proposal Preparation Instructions
    4. Scope of Work, Specifications, and Requirements
    5. Vendor Qualifications and References
    6. Budget and Estimated Pricing
    7. Vendor Certification

    Download the Penetration Test RFP Template

    Penetration testing considerations – service providers

    Consider what type of penetration testing service provider is best for your organization

    Professional Service Providers

    Professional Services Firms. These firms will often provide a myriad of professional services across auditing, financial, and consulting services. If they offer security-related consulting services, they will most likely offer some level of penetration testing.

    Security Service Firms. These are dedicated security consulting or advisory firms that will offer a wide spectrum of security-related services. Penetration testing may be one aspect of larger security assessments and strategy development services.

    Dedicated Penetration Testing Firms. These are service providers that will often offer the full gamut of penetration testing services.

    Integrators

    Managed Security Service Providers. These providers will offer penetration testing. For example, Dell SecureWorks offers numerous services including penetration testing. For organizations like this, you need to be skeptical of ulterior motives. For example, expect recommendations around outsourcing from Dell SecureWorks.

    Regional or Small Integrators. These are service providers that provide security services of some kind. For example, they would help in the implementation of a firewall and offer penetration testing services as well.

    Info-Tech Recommends:

    • Always be conscientious of who is conducting the testing and what else they offer. Even if you get another party to test rather than your technology provider, they will try to obtain you as a client. Remember that for larger technology vendors, security testing is a small revenue stream for them and it’s a way to find technology clients. They may offer penetration testing for free to obtain other business.
    • Most of the penetration testers were systems administrators (for network testing) or application developers (for application testing) at some point before becoming penetration testers. Remember this when evaluating providers and evaluating remediation recommendations.
    • Evaluate what kind of open-source tools, commercial tools, and proprietary tools are being used. In general, you don’t want to rely on an open-source scanner. For open source, they will have more outdated vulnerability databases, system identification can also be limited compared to commercial, and reporting is often lacking.
    • Above all else, ensure your testers are legally capable, experienced, and abide by non-disclosure agreements.

    Penetration testing best practices – communications

    Communication With Service Provider

    • During testing there should be designated points of contact between the service provider and the client.
    • There needs to be secure channels for communication of information between the tester and the client both during the test and for any results.
    • Results should always be explained to the client by the tester, regardless of the content or audience.
    • There should be a formal debrief with the results report.
    Immediate reporting of issues
    • Before any testing commences, immediate reporting conditions need to be defined. These are instances when you would want immediate notification of something occurring.
    • Stipulate certain systems or data types that if broken into or compromised, you would want to be notified right away.
    • Example:
      • If you are conducting social engineering, require notification for all account credentials that are compromised. Once credentials are compromised, it destroys all accountability for those credentials and the actions associated with those credentials by any user.
      • Require immediate reporting of specific high-critical systems that are compromised or if access is even found.
      • Require immediate reporting when regulated data is discovered or compromised in any way.

    Communication With Internal Staff

    Do you tell your internal staff that this is happening?

    This is sometimes called a “double blind test” when you don’t let your IT team know of the test occurring.

    Pros to notifying:
    • This tests the organization’s security monitoring, incident detection, and response capabilities.
    • Letting the team know they are going to see some activity will make sure they don’t get too worried about it.
    • There may be systems you can’t jeopardize but still need to test so notification beforehand is essential (e.g. you wouldn’t allow ERP testing with notification).
    Cons:
    • It does not give you a real-life example of how you respond if something happens.
    • Potential element of disrespect to IT people.

    Penetration testing best practices – results and remediation

    What to expect from penetration test results report:

    A final results report will state all findings including what was done by the testers, what vulnerabilities or exploitations were detected, how they were compromised, the related risk, and related remediation recommendations.

    Expect four major sections:
    • Introduction. An overview of the penetration test methodology including rating methodology of vulnerabilities.
    • Executive Summary. A management-level description of the test, often including a summary of any recommendations.
    • Technical Review. An overview of each item that was looked at and touched. This area breaks down what was done, how it was done, what was found, and any related remediation recommendations. Expect graphs and visuals in this section.
    • Detailed Findings. An in-depth breakdown of all testing methods used and results. Each vulnerability will be explained regarding how it was detected, what the risk is, and what the remediation recommendation is.
    Two areas that will vary by service provider:

    Prioritization

    • Most providers will boast their unique prioritization methodology.
    • A high, medium, and low rating scale based on some combination of variables (e.g. ease of exploitation, breadth of hole, information accessed resulting in further exploitation).
    • The prioritization won’t take into account asset value or criticality.
    • Keep in mind the penetration test is not an input into ultimate vulnerability prioritization, but it can help determine your urgency.

    Remediation

    • Remediation recommendations will vary across providers.
    • Generally, fairly generic recommendations are provided (e.g. remove your old telnet and input up-to-date SSH).
    • Most of the time, it is along the lines of “we found a hole; close the hole.”

    Summary of Accomplishment

    Problem Solved

    At the conclusion of this blueprint, you will have created a full vulnerability management program that will allow you to take a risk-based approach to vulnerability remediation.

    Assessing a vulnerability’s risk will enable you to properly determine the true urgency of a vulnerability within the context of your organization; this ensures you are not just blindly following what the tool is reporting.

    The risk-based approach will allow you to prioritize your discovered vulnerabilities and take immediate action on critical and high vulnerabilities while allowing your standard remediation cycle to address the medium to low vulnerabilities.

    With your program defined and developed, you now need to configure your vulnerability scanning tool or acquire one if you don’t already have a tool in place.

    Lastly, while vulnerability management will help address your systems and applications, how do you know if you are secure from external malicious actors? Penetration testing will offer visibility, allowing you to plug those holes and attain an environment with a smaller risk surface.

    If you would like additional support, have our analysts guide you through other phases as part of an Info-Tech workshop.

    Contact your account representative for more information.

    workshops@infotech.com 1-888-670-8889

    Additional Support

    If you would like additional support, have our analysts guide you through other phases as part of an Info-Tech workshop.

    Photo of Jimmy Tom.

    Contact your account representative for more information.

    workshops@infotech.com 1-888-670-8889

    To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.

    Info-Tech analysts will join you and your team at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.

    The following are sample activities that will be conducted by Info-Tech analysts with your team:

    Sample of the Implement Vulnerability Management storyboard.
    Review of the Implement Vulnerability Management storyboard    		 Sample of the Vulnerability Mitigation SOP template.
    Build your vulnerability management SOP

    Contributors

    Contributors from 2016 version of this project:

    • Morey Haber, Vice President of Technology, BeyondTrust
    • Richard Barretto, Manager, Information Privacy and Security, Cimpress
    • Joel Shapiro, Vice President Sales, Digital Boundary Group

    Contributors from current version of this project:

    • 2 anonymous contributors from the manufacturing sector
    • 1 anonymous contributor from a US government agency
    • 2 anonymous contributors from the financial sector
    • 1 anonymous contributor from the medical technology industry
    • 2 anonymous contributors from higher education
    • 1 anonymous contributor from a Canadian government agency
    • 7 anonymous others; information gathered from advisory calls

    Bibliography

    Arya. “COVID-19 Impact: Vulnerability Management Solution Market | Strategic Industry Evolutionary Analysis Focus on Leading Key Players and Revenue Growth Analysis by Forecast To 2028 – FireMon, Digital Shadows, AlienVault.” Bulletin Line, 6 Aug. 2020. Accessed 6 Aug. 2020.

    Campagna, Rich. “The Lean, Mean Vulnerability Management Machine.” Security Boulevard, 31 Mar. 2020. Accessed 15 Aug. 2020.

    Constantin, Lucian. “What are vulnerability scanners and how do they work?” CSO Online, 10 Apr. 2020. Accessed 1 Sept. 2020.

    “CVE security vulnerabilities published in 2019.” CVE Details. Accessed 22 Sept. 2020.

    Garden, Paul, et al. “2019 Year End Report – Vulnerability QuickView.” Risk Based Security, 2020. Accessed 22 Sept. 2020.

    Keary, Eoin. “2019 Vulnerability Statistics Report.” Edgescan, Feb. 2019. Accessed 22 Sept. 2020.

    Lefkowitz, Josh. ““Risk-Based Vulnerability Management is a Must for Security & Compliance.” SecurityWeek, 1 July 2019. Accessed 1 Nov. 2020.

    Mell, Peter, Tiffany Bergeron, and David Henning. “Creating a Patch and Vulnerability Management Program.” Creating a Patch and Vulnerability Management Program. NIST, Nov. 2005. Web.

    “National Vulnerability Database.” NIST. Accessed 18 Oct. 2020.

    “OpenVAS – Open Vulnerability Assessment Scanner.” OpenVAS. Accessed 14 Sept. 2020.

    “OVAL.” OVAL. Accessed 21 Oct. 2020.

    Paganini, Pierluigi. “Exploiting and Verifying Shellshock: CVE-2014-6271.” INFOSEC, 27 Sept. 2014. Web.

    Pritha. “Top 10 Metrics for your Vulnerability Management Program.” CISO Platform, 28 Nov. 2019. Accessed 25 Oct. 2020.

    “Risk-Based Vulnerability Management: Understanding Vulnerability Risk With Threat Context And Business Impact.” Tenable. Accessed 21 Oct. 2020.

    Stone, Mark. “Shellshock In-Depth: Why This Old Vulnerability Won’t Go Away.” SecurityIntelligence, 6 Aug. 2020. Web.

    “The Role of Threat Intelligence in Vulnerability Management.” NOPSEC, 18 Sept. 2014. Accessed 18 Aug. 2020.

    “Top 15 Paid and Free Vulnerability Scanner Tools in 2020.” DNSstuff, 6 Jan. 2020. Accessed 15 Sept. 2020.

    Truta, Filip. “60% of Breaches in 2019 Involved Unpatched Vulnerabilities.” Security Boulevard, 31 Oct. 2019. Accessed 2 Nov. 2020.

    “Vulnerability Management Program.” Core Security. Accessed 15 Sept. 2020.

    “What is Risk-Based Vulnerability Management?” Balbix. Accessed 15 Sept. 2020.

    White, Monica. “The Cost Savings of Effective Vulnerability Management (Part 1).” Kenna Security, 23 April 2020. Accessed 20 Sept. 2020.

    Wilczek, Marc. “Average Cost of a Data Breach in 2020: $3.86M.” Dark Reading, 24 Aug. 2020. Accessed 5 Nov 2020.

    Implement a Social Media Program

    • Buy Link or Shortcode: {j2store}560|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Marketing Solutions
    • Parent Category Link: /marketing-solutions
    • IT is being caught in the middle of various business units, all separately attempting to create, staff, implement, and instrument a social media program.
    • Requests for procuring social media tools and integrating with CRM systems are coming from all directions, with no central authority governing a social media program or coordinating business goals.
    • Public Relations and Corporate Communications groups have been acting as the first level of response to social media channels since the company’s first Twitter account went live, but the volume of inquiries received through social channels has become too great for these groups to continue in a first responder role.

    Our Advice

    Critical Insight

    • Social media immaturity is an opportunity for IT leadership. As with so many of the “next new things,” IT has an opportunity to help the business understand social media technologies, trends, and risks, and coordinate efforts to approach social media as a united company.
    • Social media maturity must reach the Social Media Steering Committee stage before major investments in technology can proceed. As with all business initiatives, technology automation decisions cannot be made without respect to organizational and process maturity. Social media strategy stakeholders must join together and form a steering committee to create policies and procedures, govern strategy, develop workflows, and facilitate technology selection processes. IT not only belongs on such a steering committee, but it can also be instrumental in the formation of it.
    • Info-Tech’s research repeatedly indicates that the greatest return from social media investments is in the customer service domain, by reacting to incoming social inquiries and proactively listening to social conversations for product and service inquiry opportunities. This means CRM integration is essential to long-term social media program success.

    Impact and Result

    • Assess your organization’s social maturity to know where to begin and where to go in implementation of a social media program.
    • Form a social media steering committee to bring order to chaos among different business units.
    • Develop comprehensive workflows to categorize and prioritize inquiries, and then route them to the appropriate part of the business for resolution.
    • Consider creating one or more physical social media command centers to process large volumes of social inquiries more efficiently and monitor real-time social media metrics to improve critical response times.

    Implement a Social Media Program Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Assess your organization's social maturity

    Know where to begin and where to go in implementation of a social media program.

    • Storyboard: Implement a Social Media Program
    • Social Media Maturity Assessment Tool

    2. Form a social media steering committee

    Bring order to chaos among different business units.

    • Social Media Steering Committee Charter Template
    • Social Media Acceptable Use Policy
    • Blogging and Microblogging Guidelines Template

    3. Consider creating one or more physical social media command centers

    Process large volumes of social inquiries more efficiently, and monitor real-time social media metrics to improve critical response times.

    • Social Media Representative
    • Social Media Manager
    [infographic]

    More Articles …