Build Resilience Against Ransomware Attacks

  • Buy Link or Shortcode: {j2store}317|cart{/j2store}
  • member rating overall impact: 9.5/10 Overall Impact
  • member rating average dollars saved: $68,467 Average $ Saved
  • member rating average days saved: 21 Average Days Saved
  • Parent Category Name: Threat Intelligence & Incident Response
  • Parent Category Link: /threat-intelligence-incident-response
  • Sophisticated ransomware attacks are on the rise and evolving quickly.
  • Executives want reassurance but are not ready to write a blank check. We need to provide targeted and justified improvements.
  • Emerging strains can exfiltrate sensitive data, encrypt systems, and destroy backups in hours, which makes recovery a grueling challenge.

Our Advice

Critical Insight

  • Malicious agents design progressive, disruptive attacks to pressure organizations to pay a ransom.
  • Organizations misunderstand ransomware risk scenarios, which obscures the likelihood and impact of an attack.
  • Conventional approaches focus on response and recovery, which do nothing to prevent an attack and are often ineffective against sophisticated attacks.

Impact and Result

  • Conduct a thorough assessment of your current state; identify potential gaps and assess the possible outcomes of an attack.
  • Analyze attack vectors and prioritize controls that prevent ransomware attacks, and implement ransomware protections and detection to reduce your attack surface.
  • Visualize, plan, and practice your response and recovery to reduce the potential impact of an attack.

Build Resilience Against Ransomware Attacks Research & Tools

Besides the small introduction, subscribers and consulting clients within this management domain have access to:

1. Build Resilience Against Ransomware Attacks

Use this step-by-step guide to assess your ransomware readiness and implement controls that will improve your ability to prevent incursions and defend against attacks.

  • Build Resilience Against Ransomware Attacks – Phases 1-4

2. Ransomware Resilience Assessment – Complete the ransomware resilience assessment and establish metrics.

Use this assessment tool to assess existing protection, detection, response, and recovery capabilities and identify potential improvements.

  • Ransomware Resilience Assessment

3. Threat Preparedness Workbook – Improve protection and detection capabilities.

Use this threat preparedness workbook to evaluate the threats and tactics in the ransomware kill chain using the MITRE framework and device appropriate countermeasures.

  • Enterprise Threat Preparedness Workbook

4. Tabletop Planning Exercise and Example Results – Improve response and recovery capabilities with a tabletop exercise for your internal IT team.

Adapt this tabletop planning session template to plan and practice the response of your internal IT team to a ransomware scenario.

  • Tabletop Exercise – Internal (Ransomware Template)
  • Ransomware Tabletop Planning Results – Example (Visio)
  • Ransomware Tabletop Planning Results – Example (PDF)

5. Ransomware Response Runbook and Workflow – Document ransomware response steps and key stakeholders.

Adapt these workflow and runbook templates to coordinate the actions of different stakeholders through each stage of the ransomware incident response process.

  • Ransomware Response Runbook Template
  • Ransomware Response Workflow Template (Visio)
  • Ransomware Response Workflow Template (PDF)

6. Extended Tabletop Exercise and Leadership Guide – Run a tabletop test to plan and practice the response of your leadership team.

Adapt this tabletop planning session template to plan leadership contributions to the ransomware response workflow. This second tabletop planning session will focus on communication strategy, business continuity plan, and deciding whether the organization should pay a ransom.

  • Tabletop Exercise – Extended (Ransomware Template)
  • Leadership Guide for Extended Ransomware

7. Ransomware Resilience Summary Presentation – Summarize status and next steps in an executive presentation.

Summarize your current state and present a prioritized project roadmap to improve ransomware resilience over time.

  • Ransomware Resilience Summary Presentation

Infographic

Workshop: Build Resilience Against Ransomware Attacks

Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

1 Assess Ransomware Resilience

The Purpose

Set workshop goals, review ransomware trends and risk scenarios, and assess the organization’s resilience to ransomware attacks.

Key Benefits Achieved

Develop a solid understanding of the likelihood and impact of a ransomware attack on your organization.

Complete a current state assessment of key security controls in a ransomware context.

Activities

1.1 Review incidents, challenges, and project drivers.

1.2 Diagram critical systems and dependencies and build risk scenario.

1.3 Assess ransomware resilience.

Outputs

Workshop goals

Ransomware Risk Scenario

Ransomware Resilience Assessment

2 Protect and Detect

The Purpose

Improve your capacity to protect your organization from ransomware and detect attacks along common vectors.

Key Benefits Achieved

Identify targeted countermeasures that improve protection and detection capabilities.

Activities

2.1 Assess ransomware threat preparedness.

2.2 Determine the impact of ransomware techniques on your environment.

2.3 Identify countermeasures to improve protection and detection capabilities.

Outputs

Targeted ransomware countermeasures to improve protection and detection capabilities.

Targeted ransomware countermeasures to improve protection and detection capabilities.

Targeted ransomware countermeasures to improve protection and detection capabilities.

3 Respond and Recover

The Purpose

· Improve your organization’s capacity to respond to ransomware attacks and recover effectively.

Key Benefits Achieved

Build response and recovery capabilities that reduce the potential business disruption of successful ransomware attacks.

Activities

3.1 Review the workflow and runbook templates.

3.2 Update/define your threat escalation protocol.

3.3 Define scenarios for a range of incidents.

3.4 Run a tabletop planning exercise (IT).

3.5 Update your ransomware response runbook.

Outputs

Security Incident Response Plan Assessment.

Tabletop Planning Session (IT)

Ransomware Workflow and Runbook.

4 Improve Ransomware Resilience.

The Purpose

Identify prioritized initiatives to improve ransomware resilience.

Key Benefits Achieved

Identify the role of leadership in ransomware response and recovery.

Communicate workshop outcomes and recommend initiatives to improve ransomware resilience.

Activities

4.1 Run a tabletop planning exercise (Leadership).

4.2 Identify initiatives to close gaps and improve resilience.

4.3 Review broader strategies to improve your overall security program.

4.4 Prioritize initiatives based on factors such as effort, cost, and risk.

4.5 Review the dashboard to fine tune your roadmap.

4.6 Summarize status and next steps in an executive presentation.

Outputs

Tabletop Planning Session (Leadership)

Ransomware Resilience Roadmap and Metrics

Ransomware Workflow and Runbook

Further reading

Build Ransomware Resilience

Prevent ransomware incursions and defend against ransomware attacks

EXECUTIVE BRIEF

Executive Summary

Your Challenge

Ransomware is a high-profile threat that demands immediate attention:

  • Sophisticated ransomware attacks are on the rise and evolving quickly.
  • Emerging strains can exfiltrate sensitive data, encrypt systems, and destroy backups in only a few hours, which makes recovery a grueling challenge.
  • Executives want reassurance but aren't ready to write a blank check. Improvements must be targeted and justified.

Common Obstacles

Ransomware is more complex than other security threats:

  • Malicious agents design progressive, disruptive attacks to pressure organizations to pay a ransom.
  • Organizations misunderstand ransomware risk scenarios, which obscures the likelihood and impact of an attack.
  • Conventional approaches focus on response and recovery, which do nothing to prevent an attack and are often ineffective against sophisticated attacks.

Info-Tech's Approach

To prevent a ransomware attack:

  • Conduct a through assessment of your current state, identify potential gaps, and assess the possible outcomes of an attack.
  • Analyze attack vectors and prioritize controls that prevent ransomware attacks, and implement ransomware protection and detection to reduce your attack surface.
  • Visualize, plan, and practice your response and recovery to reduce the potential impact of an attack.

Info-Tech Insight

Resilience is not a trampoline, where you're down one moment and up the next. It's more like climbing a mountain. It takes time, planning, and help from people around you to work through challenges. Focus on what is in your organization's control, and cultivate strengths that allow you to protect assets, detect incursions, respond effectively, and recovery quickly.

Analyst Perspective

Ransomware is an opportunity and a challenge.

As I write, the frequency and impact of ransomware attacks continue to increase, with no end in sight. Most organizations will experience ransomware in the next 24 months, some more than once, and business leaders know it. You will never have a better chance to implement best practice security controls as you do now.

The opportunity comes with important challenges. Hackers need to spend less time in discovery before they deploy an attack, which have become much more effective. You can't afford to rely solely on your ability to respond and recover. You need to build a resilient organization that can withstand a ransomware event and recover quickly.

Resilient organizations are not impervious to attack, but they have tools to protect assets, detect incursions, and respond effectively. Resilience is not a trampoline, where you're down one moment and up the next. It's more like climbing a mountain. It takes time, planning, and help from people around you to overcome challenges and work through problems. But eventually you reach the top and look back at how far you've come.

This is an image of Michael Hébert

Michel Hébert
Research Director, Security and Privacy
Info-Tech Research Group

Ransomware attacks are on the rise and evolving quickly.

Three factors contribute to the threat:

  • The rise of ransomware-as-a-service, which facilitates attacks.
  • The rise of crypto-currency, which facilitates anonymous payment.
  • State sponsorship of cybercrime.

Elementus maps ransomware payments made through bitcoin. Since 2019, victims made at least $2B in payments.

A handful of criminal organizations, many of whom operate out of cybercrime hotbeds in Russia, are responsible for most of the damage. The numbers capture only the ransom paid, not the clean-up cost and economic fallout over attacks during this period.

Total ransom money collected (2015 – 2021): USD 2,592,889,121

This image contains a bubble plot graph showing the total ransom money collected between the years 2015 - 2021.

The frequency and impact of ransomware attacks are increasing

Emerging strains can exfiltrate sensitive data, encrypt systems and destroy backups in only a few hours, which makes recovery a grueling challenge.

Sophos commissioned a vendor agnostic study of the real-world experience of 5,600 IT professionals in mid-sized organizations across 31 countries and 15 industries.

The survey was conducted in Jan – Feb 2022 and asked about the experience of respondents over the previous year.

66%
Hit by ransomware in 2021
(up from 37% in 2020)

90%
Ransomware attack affected their ability to operate

$812,360 USD
Average ransom payment

$4.54M
Average remediation cost (not including ransom)

ONE MONTH
Average recovery time

Meanwhile, organizations continue to put their faith in ineffective ransomware defenses.

Of the respondents whose organizations weren't hit by ransomware in 2021 and don't expect to be hit in the future, 72% cited either backups or cyberinsurance as reasons why they anticipated an attack.

While these elements can help recover from an attack, they don't prevent it in the first place.

Source: Sophos, State of Ransomware (2022)
IBM, Cost of A Data Breach (2022)

The 3-step ransomware attack playbook

  • Get in
  • Spread
  • Profit

At each point of the playbook, malicious agents need to achieve something before they can move to the next step.

Resilient organizations look for opportunities to:

  • Learn from incursions
  • Disrupt the playbook
  • Measure effectiveness

Initial access

Execution

Privilege Escalation

Credential Access

Lateral Movement

Collection

Data Exfiltration

Data encryption

Deliver phishing email designed to avoid spam filter.

Launch malware undetected.

Identify user accounts.

Target an admin account.

Use brute force tactics to crack it.

Move through the network and collect data.

Infect as many critical systems and backups as possible to limit recovery options.

Exfiltrate data to gain leverage.

Encrypt data, which triggers alert.

Deliver ransom note.

Ransomware is more complex than other security threats

Ransomware groups thrive through extortion tactics.

  • Traditionally, ransomware attacks focused on encrypting files as an incentive for organizations to pay up.
  • As organizations improved backup and recovery strategies, gangs began targeting, encrypting, and destroying back ups.
  • Since 2019, gangs have focused on a double-extortion strategy: exfiltrate sensitive or protected data before encrypting systems and threaten to publish them.

Organizations misunderstand ransomware risk scenarios, which obscures the potential impact of an attack.

Ransom is only a small part of the equation. Four process-related activities drive ransomware recovery costs:

  • Detection and Response – Activities that enable detection, containment, eradication and recovery.
  • Notification – Activities that enable reporting to data subjects, regulators, law enforcement, and third parties.
  • Lost Business – Activities that attempt to minimize the loss of customers, business disruption, and revenue.
  • Post Breach Response – Redress activities to victims and regulators, and the implementation of additional controls.

Source: IBM, Cost of a Data Breach (2022)

Disrupt the attack each stage of the attack workflow.

An effective response with strong, available backups will reduce the operational impact of an attack, but it won't spare you from its reputational and regulatory impact.

Put controls in place to disrupt each stage of the attack workflow to protect the organization from intrusion, enhance detection, respond quickly, and recover effectively.

Shortening dwell time requires better protection and detection

Ransomware dwell times and average encryption rates are improving dramatically.

Hackers spend less time in your network before they attack, and their attacks are much more effective.

Avg dwell time
3-5 Days

Avg encryption rate
70 GB/h

Avg detection time
11 Days

What is dwell time and why does it matter?

Dwell time is the time between when a malicious agent gains access to your environment and when they are detected. In a ransomware attack, most organizations don't detect malicious agents until they deploy ransomware, encrypt their files, and lock them out until they pay the ransom.

Effective time is a measure of the effectiveness of the encryption algorithm. Encryption rates vary by ransomware family. Lockbit has the fastest encryption rate, clocking in at 628 GB/h.

Dwell times are dropping, and encryption rates are increasing.

It's more critical than ever to build ransomware resilience. Most organizations do not detect ransomware incursions in time to prevent serious business disruption.

References: Bleeping Computers (2022), VentureBeat, Dark Reading, ZDNet.

Resilience depends in part on response and recovery capabilities

This blueprint will focus on improving your ransomware resilience to:

  • Protect against ransomware.
  • Detect incursions.
  • Respond and recovery effectively.

Response

Recovery

This image depicts the pathway for response and recovery from a ransomware event.

For in-depth assistance with disaster recovery planning, refer to Info-Tech's Create a Right-Sized Disaster Recovery.

Info-Tech's ransomware resilience framework

Disrupt the playbooks of ransomware gangs. Put controls in place to protect, detect, respond and recover effectively.

Prioritize protection

Put controls in place to harden your environment, train savvy end users, and prevent incursions.

Support recovery

Build and test a backup strategy that meets business requirements to accelerate recovery and minimize disruption.

Protect Detect Respond

Recover

Threat preparedness

Review ransomware threat techniques and prioritize detective and mitigation measures for initial and credential access, privilege escalation, and data exfiltration.

Awareness and training

Develop security awareness content and provide cybersecurity and resilience training to employees, contractors and third parties.

Perimeter security

Identify and implement network security solutions including analytics, network and email traffic monitoring, and intrusion detection and prevention.

Respond and recover

Identify disruption scenarios and develop incident response, business continuity, and disaster recovery strategies.

Access management

Review the user access management program, policies and procedures to ensure they are ransomware-ready.

Vulnerability management

Develop proactive vulnerability and patch management programs that mitigate ransomware techniques and tactics.

This image contains the thought map for Info-Tech's Blueprint: Build Resilience Against Ransomware Attacks.

Info-Tech's ransomware resilience methodology

Assess resilience Protect and detect Respond and recover Improve resilience
Phase steps
  1. Build ransomware risk scenario
  2. Conduct resilience assessment
  1. Assess attack vectors
  2. Identify countermeasures
  1. Review Security Incident Management Plan
  2. Run Tabletop Test (IT)
  3. Document Workflow and Runbook
  1. Run Tabletop Test (Leadership)
  2. Prioritize Resilience Initiatives
Phase outcomes
  • Ransomware Resilience Assessment
  • Risk Scenario
  • Targeted ransomware countermeasures to improve protection and detection capabilities
  • Security Incident Response Plan Assessment
  • Tabletop Test (IT)
  • Ransomware Workflow and Runbook
  • Tabletop Test (Leadership)
  • Ransomware Resilience Roadmap & Metrics

Insight Summary

Shift to a ransomware resilience model

Resilience is not a trampoline, where you're down one moment and up the next. It's more like climbing a mountain. It takes time, planning, and help from people around you to work through challenges.

Focus on what is in your organization's control, and cultivate strengths that allow you to protect assets, detect incursions, and respond and recover quickly

Visualize challenges

Build risk scenarios that describe how a ransomware attack would impact organizational goals.

Understand possible outcomes to motivate initiatives, protect your organization, plan your response, and practice recovery.

Prioritize protection

Dwell times and effective times are dropping dramatically. Malicious agents spend less time in your network before they deploy an attack, and their attacks are much more effective. You can't afford to rely on your ability to respond and recover alone.

Seize the moment

The frequency and impact of ransomware attacks continue to increase, and business leaders know it. You will never have a better chance to implement best practice security controls than you do now.

Measure ransomware resilience

The anatomy of ransomware attack is relatively simple: malicious agents get in, spread, and profit. Deploy ransomware protection metrics to measure ransomware resilience at each stage.

Key deliverable

Ransomware resilience roadmap

The resilience roadmap captures the key insights your work will generate, including:

  • An assessment of your current state and a list of initiatives you need to improve your ransomware resilience.
  • The lessons learned from building and testing the ransomware response workflow and runbook.
  • The controls you need to implement to measure and improve your ransomware resilience over time.

Project deliverables

Info-Tech supports project and workshop activities with deliverables to help you accomplish your goals and accelerate your success.

Ransomware Resilience Assessment

Measure ransomware resilience, identify gaps, and draft initiatives.

Enterprise Threat Preparedness Workbook

Analyze common ransomware techniques and develop countermeasures.

Ransomware Response Workflow & Runbook

Capture key process steps for ransomware response and recovery.

Ransomware Tabletop Tests

Run tabletops for your IT team and your leadership team to gather lessons learned.

Ransomware Resilience Roadmap

Capture project insights and measure resilience over time.

Plan now or pay later

Organizations worldwide spent on average USD 4.62M in 2021 to rectify a ransomware attack. These costs include escalation, notification, lost business and response costs, but did not include the cost of the ransom. Malicious ransomware attacks that destroyed data in destructive wiper-style attacks cost an average of USD 4.69M.

Building better now is less expensive than incurring the same costs in addition to the clean-up and regulatory and business disruption costs associated with successful ransomware attacks.

After each Info-Tech experience, we ask our members to quantify the real-time savings, monetary impact, and project improvements our research and advisory services helped them achieve.

Source: IBM, Cost of a Data Breach (2022)

See what members have to say about the ransomware resilience blueprint:

  • Overall Impact: 9.8 / 10
  • Average $ Saved: $98,796
  • Average Days Saved: 17

"Our advisor was well-versed and very polished. While the blueprint alone was a good tool to give us direction, his guidance made it significantly faster and easier to accomplish than if we had tried to tackle it on our own."

CIO, Global Manufacturing Organization

Blueprint benefits

IT benefits

Business benefits

  • Provide a structured approach for your organization to identify gaps, quantify the risk, and communicate status to drive executive buy-in.
  • Create a practical ransomware incident response plan that combines a high-level workflow with a detailed runbook to coordinate response and recovery.
  • Present an executive-friendly project roadmap with resilience metrics that summarizes your plan to address gaps and improve your security posture.
  • Enable leadership to make risk-based, informed decisions on resourcing and investments to improve ransomware readiness.
  • Quantify the potential impact of a ransomware attack on your organization to drive risk awareness.
  • Identify existing gaps so they can be addressed, whether by policy, response plans, technology, or a combination of these.

Info-Tech offers various levels of support to best suit your needs

DIY Toolkit

"Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful."

Guided Implementation

"Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track."

Workshop

"We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place."

Consulting

"Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project."

Diagnostics and consistent frameworks used throughout all four options

Executive brief case study

SOURCE: Interview with CIO of large enterprise

Organizations who "build back better" after a ransomware attack often wish they had used relevant controls sooner.

Challenge

In February 2020, a large organization found a ransomware note on an admin's workstation. They had downloaded a local copy of the organization's identity management database for testing and left a port open on their workstation. Hackers exfiltrated it and encrypted the data on the workstation. They demanded a ransom payment to decrypt the data.

Complication

Because private information was breached, the organization informed the state-level regulator. With 250,000 accounts affected, plans were made to require password changes en masse. A public announcement was made two days after the breach to ensure that everyone affected could be reached.

The organization decided not to pay the ransom because it had a copy on an unaffected server.

Resolution

The organization was praised for its timely and transparent response.

The breach motivated the organization to put more protections in place, including:

  • The implementation of a deny-by-default network.
  • The elimination of remote desktop protocol and secure shell.
  • IT mandating MFA.
  • New endpoint-detection and response systems.

Executive brief case study

SOURCE: Info-Tech Workshop Results
iNDUSTRY: Government

Regional government runs an Info-Tech workshop to fast-track its ransomware incident response planning

The organization was in the middle of developing its security program, rolling out security awareness training for end users, and investing in security solutions to protect the environment and detect incursions. Still, the staff knew they still had holes to fill. They had not yet fully configured and deployed security solutions, key security policies were missing, and they had didn't have a documented ransomware incident response plan.

Workshop results

Info-Tech advisors helped the organization conduct a systematic review of existing processes, policies, and technology, with an eye to identify key gaps in the organization's ransomware readiness. The impact analysis quantified the potential impact of a ransomware attack on critical systems to improve the organizational awareness ransomware risks and improve buy-in for investment in the security program.

Info-Tech's tabletop planning exercise provided a foundation for the organization's actual response plan. The organization used the results to build a ransomware response workflow and the framework for a more detailed runbook. The workshop also helped staff identifies ways to improve the backup strategy and bridge further gaps in their ability to recover.

The net result was a current-state response plan, appropriate capability targets aligned with business requirements, and a project roadmap to achieve the organization's desired state of ransomware readiness.

Guided implementation

What kind of analyst experiences do clients have when working through this blueprint?

Scoping Call Phase 1 Phase 2 Phase 3 Phase 4

Call #1:

Discuss context, identify challenges, and scope project requirements.

Identify ransomware resilience metrics.

Call #2:

Build ransomware risk scenario.

Call #4:

Review common ransomware attack vectors.

Identify and assess mitigation controls.

Call #5:

Document ransomware workflow and runbook.

Call #7:

Run tabletop test with leadership.

Call #3:

Assess ransomware resilience.

Call #6:

Run tabletop test with IT.

Call #8:

Build ransomware roadmap.

Measure ransomware resilience metrics.

A guided implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

A typical GI is 6 to 8 calls over the course of 4 to 6 months.

Workshop overview

Contact your account representative for more information.
workshops@infotech.com 1-888-670-8889

Day 1 Day 2 Day 3 Day 4 Day 5
Activities

Assess ransomware resilience

Protect and detect

Respond and recover

Improve ransomware resilience

Wrap-up (offsite and offline)

1.1 1 Review incidents, challenges, and project drivers.

1.1.2 Diagram critical systems and dependencies.

1.1.3 Build ransomware risk scenario.

2.1 1. Assess ransomware threat preparedness.

2.2 2. Determine the impact of ransomware techniques on your environment.

2.3 3. Identify countermeasures to improve protection and detection capabilities.

3.1.1 Review the workflow and runbook templates.

3.1.2 Update/define your threat escalation protocol.

3.2.1 Define scenarios for a range of incidents.

3.2.2 Run a tabletop planning exercise (IT).

3.3.1 Update your ransomware response workflow.

4.1.1 Run a tabletop planning exercise (leadership).

4.1.2 Identify initiatives to close gaps and improve resilience.

4.1.3 Review broader strategies to improve your overall security program.

4.2.1 Prioritize initiatives based on factors such as effort, cost, and risk.

4.2.2 Review the dashboard to fine tune your roadmap.

4.3.1 Summarize status and next steps in an executive presentation.

5.1 Complete in-progress deliverables from previous four days.

5.2 Set up review time for workshop deliverables and to discuss next steps.

5.3 Revisit ransomware resilience metrics in three months.

Deliverables
  1. Workshop goals
  2. Ransomware Risk Scenario
  3. Ransomware Resilience Assessment
  1. Targeted ransomware countermeasures to improve protection and detection capabilities.
  1. Security Incident Response Plan Assessment
  2. Tabletop Planning Session (IT)
  3. Ransomware Workflow and Runbook
  1. Tabletop Planning Session (Leadership)
  2. Ransomware Resilience Roadmap and Metrics
  3. Ransomware Summary Presentation
  1. Completed Ransomware Resilience Roadmap
  2. Ransomware Resilience Assessment
  3. Ransomware Resilience Summary Presentation

Phase 1

Assess ransomware resilience

Phase 1 Phase 2 Phase 3 Phase 4

1.1 Build ransomware risk scenario

1.2 Conduct resilience assessment

2.1 Assess attack vectors

2.2 Identify countermeasures

3.1 Review Security Incident Management Plan

3.2 Run Tabletop Test (IT)

3.3 Document Workflow and Runbook

4.1 Run Tabletop Test (Leadership)

4.2 Prioritize resilience initiatives

4.3 Measure resilience metrics

This phase will walk you through the following activities:

  • Conducting a maturity assessment.
  • Reviewing selected systems and dependencies.
  • Assessing a ransomware risk scenario.

This phase involves the following participants:

  • Security Incident Response Team (SIRT)
  • System subject-matter experts (SMEs)

Build Ransomware Resilience

Step 1.1

Build ransomware risk scenario

Activities

1.1.1 Review incidents, challenges and project drivers

1.1.2 Diagram critical systems and dependencies

1.1.3 Build ransomware risk scenario

Assess ransomware resilience

This step will guide you through the following activities:

  • Reviewing incidents, challenges, and drivers.
  • Diagraming critical systems and dependencies.
  • Building a ransomware risk scenario.

This step involves the following participants:

  • Security Incident Response Team (SIRT)
  • Subject-Matter Experts

Outcomes of this step

  • Establish a repeatable process to evaluate and improve ransomware readiness across your environment.
  • Build a ransomware risk scenario to assess the likelihood and impact of an attack.

1.1.1 Review incidents, challenges, and project drivers

1 hour

Brainstorm the challenges you need to address in the project. Avoid producing solutions at this stage, but certainly record suggestions for later. Use the categories below to get the brainstorming session started.

Past incidents and other drivers

  • Past incidents (be specific):
    • Past security incidents (ransomware and other)
    • Close calls (e.g. partial breach detected before damage done)
  • Audit findings
  • Events in the news
  • Other?

Security challenges

  • Absent or weak policies
  • Lack of security awareness
  • Budget limitations
  • Other?

Input

  • Understanding of existing security capability and past incidents.

Output

  • Documentation of past incidents and challenges.
  • Level-setting across the team regarding challenges and drivers.

Materials

  • Whiteboard or flip chart (or a shared screen if staff are remote)

Participants

  • Security Incident Response Team (SIRT)

1.1.2 Diagram critical systems and dependencies (1)

1 hour

Brainstorm critical systems and their dependencies to build a ransomware risk scenario. The scenario will help you socialize ransomware risks with key stakeholders and discuss the importance of ransomware resilience.

Focus on a few key critical systems.

  1. On a whiteboard or flip chart paper, make a list of systems to potentially include in scope. Consider:
    1. Key applications that support critical business operations.
    2. Databases that support multiple key applications.
    3. Systems that hold sensitive data (e.g. data with personally identifiable information [PII]).
  2. Select five to ten systems from the list.
    1. Select systems that support different business operations to provide a broader sampling of potential impacts and recovery challenges.
    2. Include one or two non-critical systems to show how the methodology addresses a range of criticality and context.

Input

  • High-level understanding of critical business operations and data sets.

Output

  • Clarify context, dependencies, and security and recovery challenges for some critical systems.

Materials

  • Whiteboard or flip chart (or a shared screen if staff are remote)

Participants

  • Security Incident Response Team (SIRT)
  • System SMEs (if not covered by SIRT members)

1.1.2 Diagram critical systems and dependencies (2)

1 hour

  1. A high-level topology or architectural diagram is an effective way to identify dependencies and communicate risks to stakeholders.

Start with a WAN diagram, then your production data center, and then each critical
system. Use the next three slides as your guide.

Notes:

  • If you have existing diagrams, you can review those instead. However, if they are too detailed, draw a higher-level diagram to provide context. Even a rough sketch is a useful reference tool for participants.
  • Keep the drawings tidy and high level. Visualize the final diagram before you start to draw on the whiteboard to help with spacing and placement.
  • Collaborate with relevant SMEs to identify dependencies.

Input

  • High-level understanding of critical business operations and data sets.

Output

  • Clarify context, dependencies, and security and recovery challenges for some critical systems.

Materials

  • Whiteboard or flip chart (or a shared screen if staff are remote)

Participants

  • Security Incident Response Team (SIRT)
  • System SMEs (if not covered by SIRT members)

For your WAN diagram, focus on data center and business locations

Start with a high-level network diagram like this one, and then dig deeper (see following slides) to provide more context. Below is an example; of course, your sketched diagrams may be rougher.

This image contains a nexample of a High level Network Diagram.

Diagram your production data center to provide context for the systems in scope

Creating a high-level diagram provides context across different IT disciplines involved in creating your DRP. If you have multiple production data centers, focus on the data center(s) relevant to the selected systems. Below is an example.

This image contains a nexample of a high level diagram which focuses on the data centers relevent to the selected system.

Diagram each selected system to identify specific dependencies and redundancies

Diagram the "ecosystem" for each system, identifying server, storage, and network dependencies. There may be overlap with the production data center diagram – but aim to be specific here. Below is an example that illustrates front-end and back-end components.

When you get to this level of detail, use this opportunity to level-set with the team. Consider the following:

  • Existing security (Are these systems protected by your existing security monitoring and threat detection tools?).
  • Security challenges (e.g. public-facing systems).
  • Recovery challenges (e.g. limited or infrequent backups).
This is an example of a diagram of a system ecosystem.

Note the limitations of your security, backup, and DR solutions

Use the diagrams to assess limitations. Gaps you identify here will often apply to other aspects of your environment.

  1. Security limitations
  • Are there any known security vulnerabilities or risks, such as external access (e.g. for a customer portal)? If so, are those risks mitigated? Are existing security solutions being fully used?
  • Backup limitations
    • What steps are taken to ensure the integrity of your backups (e.g. through inline or post-backup scanning, or the use of immutable backups)? Are there multiple restore points to provide more granularity when determining how far back you need to go for a clean backup?
  • Disaster recovery limitations
    • Does your DR solution account for ransomware attacks or is it designed only for one-way failover (i.e. for a smoking hole scenario)?
  • We will review the gaps we identify through the project in phase 4.

    For now, make a note of these gaps and continue with the next step.

    Draft risk scenarios to illustrate ransomware risk

    Risk scenarios help decision-makers understand how adverse events affect business goals.

    • Risk-scenario building is the process of identifying the critical factors that contribute to an adverse event and crafting a narrative that describes the circumstances and consequences if it were to happen.
    • Risk scenarios set up the risk analysis stage of the risk assessment process. They are narratives that describe in detail:
      • The asset at risk.
      • The threat that can act against the asset.
      • Their intent or motivation.
      • The circumstances and threat actor model associated with the threat event.
      • The potential effect on the organization.
      • When or how often the event might occur.

    Risk scenarios are further distilled into a single sentence or risk statement that communicates the essential elements from the scenario.

    Risk identification → Risk scenario → Risk statement

    Well-crafted risk scenarios have four components

    The slides walk through how to build a ransomware risk scenario

    THREAT Exploits an ASSET Using a METHOD Creating an EFFECT.

    An actor capable of harming an asset

    Anything of value that can be affected and results in loss

    Technique an actor uses to affect an asset

    How loss materializes

    Examples: Malicious or untrained employees, cybercriminal groups, malicious state actors

    Examples: Systems, regulated data, intellectual property, people

    Examples: Credential compromise, privilege escalation, data exfiltration

    Examples: Loss of data confidentiality, integrity, or availability; impact on staff health and safety

    Risk scenarios are concise, four to six sentence narratives that describe the core elements of forecasted adverse events.

    Use them to engage stakeholders with the right questions and guide them to make informed decisions about how to address ransomware risks.

    1.1.3 Build ransomware risk scenario (1)

    2 hours

    In a ransomware risk scenario, the threat, their motivations, and their methods are known. Malicious agents are motivated to compromise critical systems, sabotage recovery, and exfiltrate data for financial gain.

    The purpose of building the risk scenario is to highlight the assets at risk and the potential effect of a ransomware attack.

    As a group, consider critical or mission-essential systems identified in step 1.1.2. On a whiteboard, brainstorm the potential adverse effect of a loss of system availability, confidentiality or integrity.

    Consider the impact on:

    • Information systems.
    • Sensitive or regulated data.
    • Staff health and safety.
    • Critical operations and objectives.
    • Organizational finances.
    • Reputation and brand loyalty.

    Input

    • Understanding of critical systems and dependencies.

    Output

    • Ransomware risk scenario to engage guide stakeholders to make informed decisions about addressing risks.

    Materials

    • Whiteboard or flip chart (or a shared screen if staff are remote)

    Participants

    • Security Incident Response Team (SIRT)

    1.1.3 Build ransomware risk scenario (2)

    2 hours

    1. On a whiteboard, brainstorm how threat agents will exploit vulnerabilities in critical assets to reach their goal. Redefine attack vectors to capture what could result from a successful initial attack.
    2. Bring together the critical risk elements into a single risk scenario.
    3. Distill the risk scenario into a single risk statement that captures the threat, the asset it will exploit, the method it will use, and the impact it will have on the organization.
    4. You can find a sample risk scenario and risk statement on the next slide.

    THREAT Exploits an ASSET Using a METHOD Creating an EFFECT.

    Inputs for risk scenario identification

    Risk analysis

    Critical assets

    ERP, CRM, FMS, LMS

    Operational technology

    Sensitive or regulated data

    Threat agents

    Cybercriminals

    Methods

    Compromise end user devices through social engineering attacks,. Compromise networks through external exposures and software vulnerabilities.

    Identify and crack administrative account. Escalate privileges. Move laterally.

    Collect data, destroy backups, exfiltrate data for leverage, encrypt systems,.

    Threaten to publish exfiltrated data and demand ransom.

    Adverse effect

    Serious business disruption

    Financial damage

    Reputational damage

    Potential litigation

    Average downtime: 30 Days

    Average clean-up costs: USD 1.4M

    Sample ransomware risk scenario

    Likelihood: Medium
    Impact: High

    Risk scenario

    Cyber-criminals penetrate the network, exfiltrate critical or sensitive data, encrypt critical systems, and demand a ransom to restore access.

    They threaten to publish sensitive data online to pressure the organization to pay the ransom, and reach out to partners, staff, and students directly to increase the pressure on the organization.

    Network access likely occurs through a phishing attack, credential compromise, or remote desktop protocol session.

    Risk statement

    Cybercriminals penetrate the network, compromise backups, exfiltrate and encrypt data, and disrupt computer systems for financial gain.

    Threat Actor:

    • Cybercriminals

    Assets:

    • Critical systems (ERP, FMS, CRM, LMS)
    • HRIS and payroll
    • Data warehouse
    • Office 365 ecosystem (email, Teams)

    Effect:

    • Loss of system availability
    • Lost of data confidentiality

    Methods:

    • Phishing
    • Credential compromise
    • Compromised remote desktop protocol
    • Privilege escalation
    • Lateral movement
    • Data collection
    • Data exfiltration
    • Data encryption

    Step 1.2

    Conduct resilience assessment

    Activities

    1.2.1 Complete resilience assessment

    1.2.2 Establish resilience metrics

    This step will guide you through the following activities :

    • Completing a ransomware resilience assessment
    • Establishing baseline metrics to measure ransomware resilience.

    This step involves the following participants:

    • Security Incident Response Team (SIRT)
    • Subject-matter experts

    .Outcomes of this step

    • Current maturity, targets, and initial gap analysis

    Maturity levels in this blueprint draw on the CMMI framework

    The maturity levels are based on the Capability Maturity Model Integration framework. We outline our modifications below.

    CMMI Maturity Level – Default Descriptions:

    CMMI Maturity Level – Modified for This Assessment:

    • Level 1 – Initial: Unpredictable and reactive. Work gets completed but is often delayed and over budget.
    • Level 2 – Managed: Managed on the project level. Projects are planned, performed, measured, and controlled.
    • Level 3 – Defined: Proactive rather than reactive. Organization-wide standards provide guidance across projects, programs, and portfolios.
    • Level 4 – Quantitatively managed: Measured and controlled. Organization is data-driven, with quantitative performance improvement objectives that are predictable and align to meet the needs of internal and external stakeholders.
    • Level 5 – Optimizing: Stable and flexible. Organization is focused on continuous improvement and is built to pivot and respond to opportunity and change. The organization's stability provides a platform for agility and innovation.
    • Level 1 – Initial/ad hoc: Not well defined and ad hoc in nature.
    • Level 2 – Developing: Established but inconsistent and incomplete.
    • Level 3 – Defined: Formally established, documented, and repeatable.
    • Level 4 – Managed and measurable: Managed using qualitative and quantitative data to ensure alignment with business requirements.
    • Level 5 – Optimizing: Qualitative and quantitative data is used to continually improve.

    (Source: CMMI Institute, CMMI Levels of Capability and Performance)

    Info-Tech's ransomware resilience framework

    Disrupt the playbooks of ransomware gangs. Put controls in place to protect, detect, respond and recover effectively.

    Prioritize protection

    Put controls in place to harden your environment, train savvy end users, and prevent incursions.

    Support recovery

    Build and test a backup strategy that meets business requirements to accelerate recovery and minimize disruption.

    Protect Detect Respond

    Recover

    Threat preparedness

    Review ransomware threat techniques and prioritize detective and mitigation measures for initial and credential access, privilege escalation, and data exfiltration.

    Awareness and training

    Develop security awareness content and provide cybersecurity and resilience training to employees, contractors and third parties.

    Perimeter security

    Identify and implement network security solutions including analytics, network and email traffic monitoring, and intrusion detection and prevention.

    Respond and recover

    Identify disruption scenarios and develop incident response, business continuity, and disaster recovery strategies.

    Access management

    Review the user access management program, policies and procedures to ensure they are ransomware-ready.

    Vulnerability management

    Develop proactive vulnerability and patch management programs that mitigate ransomware techniques and tactics.

    1.2.1 Complete the resilience assessment

    2-3 hours

    Use the Ransomware Resilience Assessment Tool to assess maturity of existing controls, establish a target state, and identify an initial set of initiatives to improve ransomware resilience.

    Keep the assessment tool on hand to add gap closure initiatives as you proceed through the project.

    Download the Ransomware Resilience Assessment

    Outcomes:

    • Capture baseline resilience metrics to measure progress over time.
      • Low scores are common. Use them to make the case for security investment.
      • Clarify the breadth of security controls.
      • Security controls intersect with a number of key processes and technologies, each of which are critical to ransomware resilience.
    • Key gaps identified.
      • Allocate more time to subsections with lower scores.
      • Repeat the scorecard at least annually to clarify remaining areas to address.

    Input

    • Understanding of current security controls

    Output

    • Current maturity, targets, and gaps

    Materials

    • Ransomware Resilience Assessment Tool

    Participants

    • Security Incident Response Team (SIRT)

    This is an image of the Ransomeware Resilience Assessment Table from Info-Tech's Ransomware Resilience Assessment Blueprint.

    1.2.2 Establish resilience metrics

    Ransomware resilience metrics track your ability to disrupt a ransomware attack at each stage of its workflow.

    Measure metrics at the start of the project to establish a baseline, as the project nears completion to measure progress.

    Attack workflow Process Metric Target trend Current Goal
    GET IN Vulnerability Management % Critical patches applied Higher is better
    Vulnerability Management # of external exposures Fewer is better
    Security Awareness Training % of users tested for phishing Higher is better
    SPREAD Identity and Access Management Adm accounts / 1000 users Lower is better
    Identity and Access Management % of users enrolled for MFA Higher is better
    Security Incident Management Avg time to detect Lower is better
    PROFIT Security Incident Management Avg time to resolve Lower is better
    Backup and Disaster Recovery % critical assets with recovery test Higher is better
    Backup and Disaster Recovery % backup to immutable storage Higher is better

    Phase 2

    Improve protection and detection capabilities

    Phase 1Phase 2Phase 3Phase 4

    1.1 Build ransomware risk scenario

    1.2 Conduct resilience assessment

    2.1 Assess attack vectors

    2.2 Identify countermeasures

    3.1 Review Security Incident Management Plan

    3.2 Run Tabletop Test (IT)

    3.3 Document Workflow and Runbook

    4.1 Run Tabletop Test (Leadership)

    4.2 Prioritize resilience initiatives

    4.3 Measure resilience metrics

    This phase will walk you through the following activities:

    • Assessing common ransomware attack vectors.
    • Identifying countermeasures to improve protection and detection capabilities.

    This phase involves the following participants:

    • Security Incident Response Team (SIRT)
    • System subject-matter experts (SMEs)

    Build Ransomware Resilience

    Step 2.1

    Assess attack vectors

    Activities

    2.1.1 Assess ransomware threat preparedness

    2.1.2 Determine the impact of ransomware techniques on your environment

    This step involves the following activities:

    • Assessing ransomware threat preparedness.
    • Configuring the threat preparedness tool.

    This step involves the following participants:

    • Security Incident Response Team (SIRT)
    • System subject-matter experts (SMEs)

    Outcomes of this step

    Assess risks associated with common ransomware attack vectors.

    Improve protection and detection capabilities

    Use the MITRE attack framework to prepare

    This phase draws on MITRE to improve ransomware protection and detection capabilities

    • The activities in this phase provide guidance on how to use the MITRE attack framework to protect your organizations against common ransomware techniques and tactics, and detect incursions.
    • You will:
      • Review common ransomware tactics and techniques.
      • Assess their impact on your environment.
      • Identify relevant countermeasures.
    • The Enterprise Threat Preparedness Workbook included with the project blueprint will be set up to deal with common ransomware threats and tactics.

    Download the Enterprise Threat Preparedness Workbook

    Review ransomware tactics and techniques

    Ransomware attack workflow

    Deliver phishing email designed to avoid spam filter.

    Launch malware undetected.

    Identify user accounts.

    Target an admin account.

    Use brute force tactics to crack it.

    Move through the network. Collect data.

    Infect critical systems and backups to limit recovery options.

    Exfiltrate data to gain leverage.

    Encrypt data, which triggers alert.

    Deliver ransom note.

    Associated MITRE tactics and techniques

    • Initial access
    • Execution
    • Privilege escalation
    • Credential access
    • Lateral movement
    • Collection
    • Data Exfiltration
    • Data encryption

    Most common ransomware attack vectors

    • Phishing and social engineering
    • Exploitation of software vulnerabilities
    • Unsecured external exposures
      • e.g. remote desktop protocols
    • Malware infections
      • Email attachments
      • Web pages
      • Pop-ups
      • Removable media

    2.1.1 Assess ransomware threat preparedness

    Estimated Time: 1-4 hours

    1. Read through the instructions in the Enterprise Threat Preparedness Workbook.
    2. Select ransomware attack tactics to analyze. Use the workbook to understand:
      1. Risks associated with each attack vector.
      2. Existing controls that can help you protect the organization and detect an incursion.
    3. This initial analysis is meant to help you understand your risk before you apply additional controls.

    Once you're comfortable, follow the instructions on the following pages to configure the MITRE ransomware analysis and identify how to improve your protection and detection capabilities.

    Download the Enterprise Threat Preparedness Workbook

    Input

    • Knowledge about existing infrastructure.
    • Security protocols.
    • Information about ransomware attack tactics, techniques, and mitigation protocols.

    Output

    • Structured understanding of the risks facing the enterprise based on your current preparedness and security protocols.
    • Protective and detective measures to improve ransomware resilience.

    Materials

    • Enterprise Threat Preparedness Workbook

    Participants

    • Security Incident Response Team (SIRT)
    • System subject-matter experts (SMEs)

    2.1.2 Determine the impact of techniques

    Estimated Time: 1-4 hours

    1. The Enterprise Threat Preparedness Workbook included with the project blueprint is set up to deal with common ransomware use cases.

    If you would like to change the set-up, go through the following steps.

    • Review the enterprise matrix. Select the right level of granularity for your analysis. If you are new to threat preparedness exercises, the Technique Level is a good starting point.
    • As you move through each tactic, align each sheet to your chosen technique domain to ensure the granularity of your analysis is consistent.
    • Read the tactics sheet from left to right. Determine the impact of the technique on your environment. For each control, indicate current mitigation levels using the dropdown list.

    The following slides walk you through the process with screenshots from the workbook.

    Download the Enterprise Threat Preparedness Workbook

    Input

    • Knowledge about existing infrastructure.
    • Security protocols.
    • Information about ransomware attack tactics, techniques, and mitigation protocols.

    Output

    • Structured understanding of the risks facing the enterprise based on your current preparedness and security protocols.
    • Protective and detective measures to improve ransomware resilience.

    Materials

    • Enterprise Threat Preparedness Workbook

    Participants

    • Security Incident Response Team (SIRT)
    • System subject-matter experts (SMEs)

    Select the domain for the analysis

    • The Tactics Dashboard is a live feed of your overall preparedness for the potential attack vectors that your organization may face. These 14 tactics correspond to the Enterprise Matrix used by the MITRE ATT&CK® framework.
    • The technique domain on the right side of the sheet is split in two main groups:
    • The Technique Level
      • - High-level techniques that an attacker may use to gain entry to your network.
      • - The Technique Level is a great starting point if you are new to threat preparedness.
    • The Sub-Technique Level
      • - Individual sub-techniques found throughout the MITRE ATT&CK® Framework.
      • - More mature organizations will find the Sub-Technique Level generates a deeper and more precise understanding of their current preparedness.

    Info-Tech Insight

    Dwell times and effective times are dropping dramatically. Malicious agents spend less time in your network before they deploy an attack, and their attacks are much more effective. You can't afford to rely on your ability to respond and recover alone.

    This is the first screenshot from Info-Tech's Tactic Preparedness Assessment Dashboard.

    Keep an eye on the enterprise matrix

    As you fill out the Tactic tabs with your evaluation, the overall reading will display the average of your overall preparedness for that tactic.

    Choosing the Technique Domain level will increase the accuracy of the reporting at the cost of speed.

    The Technique level is faster but provides less specifics for each control and analyzes them as a group.

    The Sub-Technique level is much more granular, but each tactic and technique has several sub-techniques that you will need to account for.

    Check with the dashboard to see the associated risk level for each of the tactics based on the legend. Tactics that appear white have not yet been assessed or are rated as "N/A" (not applicable).

    This is the second screenshot from Info-Tech's Tactic Preparedness Assessment Dashboard.

    When you select your Technique Domain, you cannot change it again. Changing the domain mid-analysis will introduce inaccuracies in your security preparedness.

    Configure the tactics tabs

    • Each tactic has a corresponding tab at the bottom of the Excel workbook.
      Adjusting the Technique Domain level will change the number of controls shown.
    • Next, align the sheet to the domain you selected on Tab 2 before you continue. As shown in the example to the right,
      • Select "1" for Technique Level.
      • Select "2" for Sub-Technique Level.
    • This will collapse the controls to your chosen level of granularity.

    This is a screenshot showing how you can configure the tactics tab of the Ransomware Threat Preparedness Workbook

    Read tactic sheets from left to right

    This is a screenshot of the tactics tab of the Ransomware Threat Preparedness Workbook

    Technique:

    How an attacker will attempt to achieve their goals through a specific action.

    ID:

    The corresponding ID number on the MITRE ATT&CK® Matrix for quick reference.

    Impact of the Technique(s):

    If an attack of this type is successful on your network, how deep does the damage run?

    Current Mitigations:

    What security protocols do you have in place right now that can help prevent an attacker from successfully executing this attack technique? The rating is based on the CMMI scale.

    Determine the impact of the technique

    • For each control, indicate the current mitigation level using the dropdown list.
    • Only use "N/A" if you are confident that the control is not required in your organization.

    Info-Tech Insight

    We highly recommend that you write comments about your current-state security protocols. First, it's great to have documented your thought processes in the event of a threat modeling session. Second, you can speak to deficits clearly, when asked.

    This is the second screenshot from Info-Tech's Reconnaissance Tactic Analysis

    Review technique preparedness

    • If you have chosen the Technique level, the tool should resemble this image:
      • High-level controls are analyzed, and sub-controls hidden.
      • The sub-techniques under the broader technique show how a successful attack from this vector would impact your network.
    • Each sub-technique has a note for additional context:
      • Under Impact, select the overall impact for the listed controls to represent how damaging you believe the controls to be.
      • Next select your current preparedness maturity in terms of preparedness for the same techniques. Ask yourself "What do I have that contributes to blocking this technique?"

    This is the third screenshot from Info-Tech's Reconnaissance Tactic Analysis

    Info-Tech Insight

    You may discover that you have little to no mitigation actions in place to deal with one or many of these techniques. However, look at this discovery as a positive: You've learned more about the potential vectors and can actively work toward remediating them rather than hoping that a breach never happens through one of these avenues.

    Review sub-technique preparedness

    If you have chosen the Sub-Technique level, the tool should resemble this image.

    • The granular controls are being analyzed. However, the grouped controls will still appear. It is important to not fill the grouped sections, to make sure the calculations run properly.
    • The average of your sub-techniques will be calculated to show your overall preparedness level.
    • Look at the sub-techniques under the broader technique and consider how a successful attack from this vector would impact your network.

    Each sub-technique has a note for additional context and understanding about what the techniques are seeking to do and how they may impact your enterprise.

    • Because of the enhanced granularity, the final risk score is more representative of an enterprise's current mitigation capabilities.
    This is the fourth screenshot from Info-Tech's Reconnaissance Tactic Analysis

    Step 2.2

    Identify countermeasures

    Activities

    2.2.1 Identify countermeasures

    This step involves the following activities:

    • Identifying countermeasures

    This step involves the following participants:

    • Security Incident Response Team (SIRT)
    • System subject-matter experts (SMEs)

    Outcomes of this step

    Identification of countermeasures to common ransomware techniques, and tactics to improve protection and detection capabilities.

    Improve Protection and Detection Capabilities

    Review technique countermeasures

    As you work through the tool, your dashboard will prioritize your threat preparedness for each of the various attack techniques to give you an overall impression of your preparedness.

    For each action, the tool includes detection and remediation actions for you to consider either for implementation or as table stakes for your next threat modeling sessions.

    Note: Some sheets will have the same controls. However, the context of the attack technique may change your answers. Be sure to read the tactic and technique that you are on when responding to the controls.

    This is an image of the Privilege Escalation Tactic Analysis Table

    This is an image of the Defense Evasion Tactic Analysis Table

    Prioritize the analysis of ransomware tactics and sub-techniques identified on slide 45. If your initial analysis in Activity 2.2.1 determined that you have robust security protocols for some of the attack vectors, set these domains aside.

    2.2.1 Identify countermeasures

    Estimated Time: 1-4 hours

    1. Review the output of the Enterprise Threat Preparedness Workbook. Remediation efforts are on the right side of the sheet. These are categorized as either detection actions or mitigation actions.
      1. Detection actions:
      • What can you do before an attack occurs, and how can you block attacks? Detection actions may thwart an attack before it ever occurs.
    2. Mitigation actions:
      • If an attacker is successful through one of the attack methods, how do you lessen the impact of the technique? Mitigation actions address this function to slow and hinder the potential spread or damage of a successful attack.
  • Detection and mitigation measures are associated with each technique and sub-technique. Not all techniques will be able to be detected properly or mitigated. However, understanding their relationships can better prepare your defensive protocols.
  • Add relevant control actions to the initiative list in the Ransomware Resilience Assessment.
  • Input

    • Knowledge about existing infrastructure.
    • Security protocols.
    • Information about ransomware attack tactics, techniques, and mitigation protocols.
    • Outputs from the Threat Preparedness Workbook.

    Output

    • Structured understanding of the risks facing the enterprise based on your current preparedness and security protocols.
    • Protective and detective measures to improve ransomware resilience.

    Materials

    • Enterprise Threat Preparedness Workbook
    • Ransomware Resilience Assessment

    Participants

    • Security Incident Response Team (SIRT)
    • System subject-matter experts (SMEs)

    Phase 3

    Improve response and recovery capabilities

    Phase 1Phase 2Phase 3Phase 4

    1.1 Build ransomware risk scenario

    1.2 Conduct resilience assessment

    2.1 Assess attack vectors

    2.2 Identify countermeasures

    3.1 Review Security Incident Management Plan

    3.2 Run Tabletop Test (IT)

    3.3 Document Workflow and Runbook

    4.1 Run Tabletop Test (Leadership)

    4.2 Prioritize resilience initiatives

    4.3 Measure resilience metrics

    This phase will guide you through the following steps:

    • Documenting your threat escalation protocol.
    • Identify response steps and gaps.
    • Update your response workflow and runbook.

    This phase involves the following participants:

    • Security Incident Response Team (SIRT)

    Build Ransomware Resilience

    Step 3.1

    Review security incident management plan

    Activities

    3.1.1 Review the workflow and runbook templates

    3.1.2 Update/define your threat escalation protocol

    This step will walk you through the following activities:

    • Reviewing the example Workflow and Runbook
    • Updating and defining your threat escalation protocol.

    This step involves the following participants:

    • Security Incident Response Team (SIRT)

    Outcomes of this step

    • Clear escalation path for critical incidents.
    • Common understanding of incident severity that will drive escalation.

    Improve response and recovery capabilities

    3.1.1 Review the workflow and runbook templates

    30 minutes

    This blueprint includes sample information in the Ransomware Response Workflow Template and Ransomware Response Runbook Template to use as a starting points for the steps in Phase 3, including documenting your threat escalation protocol.

    • The Ransomware Response Workflow Template contains an example of a high-level security incident management workflow for a ransomware attack. This provides a structure to follow for the tabletop planning exercise and a starting point for your ransomware response workflow.
      The Workflow is aimed at incident commanders and team leads. It provides an at-a-glance view of the high-level steps and interactions between stakeholders to help leaders coordinate response.
    • The Ransomware Response Runbook Template is an example of a security incident management runbook for a ransomware attack. This includes a section for a threat escalation protocol that you can use as a starting point.
      The Runbook is aimed at the teams executing the response. It provides more specific actions that need to be executed at each phase of the incident response.

    Download the Ransomware Response Workflow Template

    Download the Ransomware Response Runbook Template

    Input

    • No Input Required

    Output

    • Visualize the end goal

    Materials

    • Example workflow and runbook in this blueprint

    Participants

    • Security Incident Response Team (SIRT)

    Two overlapping screenshots are depicted, including the table of contents from the Ransomware Response Runbook.

    3.1.2 Update/define your threat escalation protocol

    1-2 hours

    Document the Threat Escalation Protocol sections in the Ransomware Response Workflow Template or review/update your existing runbook. The threat escalation protocol defines which stakeholders to involve in the incident management process, depending on impact and scope. Specifically, you will need to define the following:

    Impact and scope criteria: Impact considers factors such as the criticality of the system/data, whether PII is at risk, and whether public notification is required. Scope considers how many systems or users are impacted.

    Severity assessment: Define the severity levels based on impact and scope criteria.

    Relevant stakeholders: Identify stakeholders to notify for each severity level, which can include external stakeholders.

    If you need additional guidance, see Info-Tech's Develop and Implement a Security Incident Management Program blueprint, which takes a broader look at security incidents.

    Input

    • Current escalation process (formal or informal).

    Output

    • Define criteria for severity levels and relevant stakeholders.

    Materials

    • Ransomware Response Workflow Template

    Participants

    • Security Incident Response Team (SIRT)

    This is an image of the Threat Escalation Protocol Criteria and Stakeholders.

    Step 3.2

    Run Tabletop Test (IT)

    Activities

    3.2.1 Define scenarios for a range of incidents

    3.2.2 Run a tabletop planning exercise

    This step will guide you through the following activities:

    • Defining scenarios for a range of incidents.
    • Running a tabletop planning exercise.

    This step involves the following participants:

    • Security Incident Response Team (SIRT)
    • Other stakeholders (as relevant)

    Outcomes of this step

    • Current-state incident response workflow, including stakeholders, steps, timeline.
    • Process and technology gaps to be addressed.

    Improve response and recovery capabilities

    3.2.1 Define scenarios for a range of incidents

    30 minutes

    As a group, collaborate to define scenarios that enable you to develop incident response details for a wide range of potential incidents. Below are example scenarios:

    • Scenario 1: An isolated attack on one key system. The database for a critical application is compromised. Assume the attack was not detected until files were encrypted, but that you can carry out a repair-in-place by wiping the server and restoring from backups.
    • Scenario 2: A site-wide impact that warrants broader disaster recovery. Several critical systems are compromised. It would take too long to repair in-place, so you need to failover to your DR environment, in addition to executing security response steps. (Note: If you don't have a DRP, see Info-Tech's Create a Right-Sized Disaster Recovery Plan.)
    • Scenario 3: A critical outsourced service or cloud service is compromised. You need to work with the vendor to determine the scope of impact and execute a response. This includes determining if your on-prem systems were also compromised.
    • Scenario 4: One or multiple end-user devices are compromised. Your response to the above scenarios would include assessing end-user devices as a possible source or secondary attack, but this scenario would provide more focus on the containing an attack on end-user devices.

    Note: The above is too much to execute in one 30-minute session, so plan a series of exercises as outlined on the next slide.

    Input

    • No input required

    Output

    • Determine the scope of your tabletop planning exercises

    Materials

    • Whiteboard or flip chart (or a shared screen if staff are remote)

    Participants

    • Security Incident Response Team (SIRT)

    Optimize the time spent by participants by running a series of focused exercises

    Not all stakeholders need to be present at every tabletop planning exercise. First, run an exercise with IT that focuses on the technical response. Run a second tabletop for non-IT stakeholders that focuses on the non-IT response, such as crisis communications, working with external stakeholders (e.g. law enforcement, cyberinsurance).

    Sample schedule:

    • Q1: Hold two sessions that run Scenarios 1 and 2 with relevant IT participants (see Activity 3.2.1). The focus for these sessions will be primarily on the technical response. For example, include notifying leadership and their role in decision making, but don't expand further on the details of their process. Similarly, don't invite non-IT participants to these sessions so you can focus first on understanding the IT response. Invite executives to the Q2 exercise, where they will have more opportunity to be involved.
    • Q2: Hold one session with the SIRT and non-IT stakeholders. Use the results of the Q1 exercises as a starting point and expand on the non-IT response steps (e.g. notifying external parties, executive decisions on response options).
    • Q3 and Q4: Run other sessions (e.g. for Scenarios 3 and 4) with relevant stakeholders. Ensure your ransomware incident response plan covers a wide range of possible scenarios.
    • Run ongoing exercises at least annually. Once you have a solid ransomware incident response plan, incorporate ransomware-based tabletop planning exercises into your overall security incident management testing and maintenance schedule.

    Info-Tech Insight

    Schedule these sessions well in advance to ensure appropriate resources are available. Document this in an annual test plan summary that outlines the scope, participants, and dates and times for the planned sessions.

    3.2.2 Run a tabletop planning exercise

    1-2 hours

    Remember that the goal is a deeper dive into how you would respond to an attack so you can clarify steps and gaps. This is not meant to just be a read-through of your plan. Follow the guidelines below:

    1. Select your scenario and invite relevant participants (see the previous slides).
    2. Guide participants through the incident and capture the steps and gaps along the way. Focus on one stakeholder at a time through each phase but be sure to get input from everyone. For example, focus on the Service Desk's steps for detection, then do the same as relevant to other stakeholders. Move on to analysis and do the same. (Tip: The distinction between phases is not always clear, and that's okay. Similarly, eradication and recovery might be the same set of steps. Focus on capturing the detail; you can clarify the relevant phase later.)
    3. Record the results (e.g. capture it in Visio) for reference purposes. (Tip: You can run the exercise directly in Visio. However, there's a risk that the tool may become a distraction. Enlist a scribe who is proficient with Visio so you don't need to wait for information to be captured and plan to save the detailed formatting and revising for later. )

    Refer to the Ransomware Tabletop Planning Results – Example as a guide for what to capture. Aim for more detail than found in your Ransomware Response Workflow (but not runbook-level detail).

    Download the Ransomware Tabletop Planning Results – Example

    Input

    • Baseline ransomware response workflow

    Output

    • Clarify your response workflow, capabilities, and gaps

    Materials

    • Whiteboard or sticky notes or index cards, or a shared screen

    Participants

    • Security Incident Response Team (SIRT)

    This is an example of a Ransomware Response Tabletop Planning Results Page.

    Step 3.3

    Document Workflow and Runbook

    Activities

    3.3.1 Update your ransomware response workflow

    3.3.2 Update your ransomware response runbook

    This step will guide you through the following activities:

    • Updating your ransomware response workflow.
    • Updating your ransomware response runbook.

    This step involves the following participants:

    • Security Incident Response Team (SIRT)

    Outcomes of this step

    • An updated incident response workflow and runbook based on current capabilities.

    Improve response and recovery capabilities

    3.3.1 Update your ransomware response workflow

    1 hour

    Use the results from your tabletop planning exercises (Activity 3.2.2) to update and clarify your ransomware response workflow. For example:

    • Update stakeholder swim-lanes: Clarify which stakeholders need a swim lane (e.g. where interactions between groups needs to be clarified). For example, consider an SIRT swim-lane that combines the relevant technical response roles, but have separate swim-lanes for other groups that the SIRT interacts with (e.g. Service Desk, the Executive Team).
    • Update workflow steps: Use the detail from the tabletop exercises to clarify and/or add steps, as well as further define the interactions between swim-lanes.(Tip: Your workflow needs to account for a range of scenarios. It typically won't be as specific as the tabletop planning results, which focus on only one scenario.)
    • Clarify the overall the workflow: Look for and correct any remaining areas of confusion and clutter. For example, consider adding "Go To" connectors to minimize lines crossing each other, adding color-coding to highlight key related steps (e.g. any communication steps), and/or resizing swim-lanes to reduce the overall size of the workflow to make it easier to read.
    • Repeat the above after each exercise: Continue to refine the workflow as needed until you reach the stage where you just need to validate that your workflow is still accurate.

    Input

    • Results from tabletop planning exercises (Activity 3.2.2)

    Output

    • Clarify your response workflow

    Materials

    • Ransomware Response Workflow

    Participants

    • Security Incident Response Team (SIRT)

    This is a screenshot from the ransomeware response tabletop planning

    3.3.2 Update your ransomware response runbook

    1 hour

    Use the results from your tabletop planning exercises (Activity 3.2.2) to update your ransomware response runbook. For example:

    • Align stakeholder sections with the workflow: Each stakeholder swim-lane in the workflow needs its own section in the runbook.
    • Update incident response steps: Use the detail from the tabletop exercise to clarify instructions for each stakeholder. This can include outlining specific actions, defining which stakeholders to work with, and referencing relevant documentation (e.g. vendor documentation, step-by-step restore procedures). (Tip: As with the workflow, the runbook needs to account for a range of scenarios, so it will include a list of actions that might need to be taken depending on the incident, as illustrated in the example runbook.)
    • Review and update your threat escalation protocol: It's best to define your threat escalation protocol before the tabletop planning exercise to help identify participants and avoid confusion. Now use the exercise results to validate or update that documentation.
    • Repeat the above after each exercise. Continue to refine your runbook as needed until you reach the stage where you just need to validate that your runbook is still accurate.

    Input

    • Results from tabletop planning exercises (Activity 3.2.2)

    Output

    • Clarified response runbook

    Materials

    • Ransomware Response Workflow

    Participants

    • Security Incident Response Team (SIRT)

    This is a screenshot of the Ransomware Response Runbook

    Phase 4

    Improve ransomware resilience

    Phase 1Phase 2Phase 3Phase 4

    1.1 Build ransomware risk scenario

    1.2 Conduct resilience assessment

    2.1 Assess attack vectors

    2.2 Identify countermeasures

    3.1 Review Security Incident Management Plan

    3.2 Run Tabletop Test (IT)

    3.3 Document Workflow and Runbook

    4.1 Run Tabletop Test (Leadership)

    4.2 Prioritize resilience initiatives

    4.3 Measure resilience metrics

    This phase will guide you through the following steps:

    • Identifying initiatives to improve ransomware resilience.
    • Prioritizing initiatives in a project roadmap.
    • Communicating status and recommendations.

    This phase involves the following participants:

    • Security Incident Response Team (SIRT)

    Build Ransomware Resilience

    Step 4.1

    Run Tabletop Test (leadership)

    Activities

    • 4.1.1 Identify initiatives to close gaps and improve resilience
    • 4.1.2 Review broader strategies to improve your overall security program

    This step will walk you through the following activities:

    • Identifying initiatives to close gaps and improve resilience.
    • Reviewing broader strategies to improve your overall security program.

    This step involves the following participants:

    • Security Incident Response Team (SIRT)

    Outcomes of this step

    • Specific potential initiatives based on a review of the gaps.
    • Broader potential initiatives to improve your overall security program.

    Improve ransomware resilience

    4.1.1 Identify initiatives to close gaps and improve resilience

    1 hour

    1. Use the results from the activities you have completed to identify initiatives to improve your ransomware readiness.
    2. Set up a blank spreadsheet with two columns and label them "Gaps" and "Initiatives." (It will be easier to copy the gaps and initiatives from this spreadsheet to you project roadmap, rather than use the Gap Initiative column in the Ransomware Readiness Maturity Assessment Tool.)
    3. Review your tabletop planning results:
      1. Summarize the gaps in the "Gaps" column in your spreadsheet created for this activity.
      2. For each gap, write down potential initiatives to address the gap.
      3. Where possible, combine similar gaps and initiatives. Similarly, the same initiative might address multiple gaps, so you don't need to identify a distinct initiative for every gap.
    4. Review the results of your maturity assessment completed in Phase 1 to identify additional gaps and initiatives in the spreadsheet created for this activity.

    Input

    • Tabletop planning results
    • Maturity assessment

    Output

    • Identify initiatives to improve ransomware readiness

    Materials

    • Blank spreadsheet

    Participants

    • Security Incident Response Team (SIRT)

    4.1.2 Review broader strategies to improve your overall security program

    1 hour

    1. Review the following considerations as outlined on the next few slides:
      • Implement core elements of an effective security program – strategy, operations, and policies. Leverage the work completed in this blueprint to provide context and address your immediate gaps while developing an overarching security strategy based on business requirements, risk tolerance, and overall security considerations. Security operations and policies are key to executing your overall security strategy and day to day incident management.
      • Update your backup strategy to account for ransomware attacks. Consider what your options would be today if your primary backups were infected? If those options aren't very good, your backup strategy needs a refresh.
      • Consider a zero-trust strategy. Zero trust reduces your reliance on perimeter security and moves controls to where the user accesses resources. However, it takes time to implement. Evaluate your readiness for this approach.
    2. As a team, discuss the merits of these strategies in your organization and identify potential initiatives. Depending on what you already have in place, the project may be to evaluate options (e.g. if you have not already initiated zero trust, assign a project to evaluate your options and readiness).

    Input

    • An understanding of your existing security practices and backup strategy.

    Output

    • Broader initiatives to improve ransomware readiness.

    Materials

    • Whiteboard or flip chart (or a shared screen if staff are remote)

    Participants

    • Security Incident Response Team (SIRT)

    Implement core elements of an effective security program

    There is no silver bullet. Ransomware readiness depends on foundational security best practices. Where budget allows, support that foundation with more advanced AI-based tools that identify abnormal behavior to detect an attack in progress.

    Leverage the following blueprints to implement the foundational elements of an effective security program:

    • Build an Information Security Strategy: Consider the full spectrum of information security, including people, processes, and technologies. Then base your security strategy on the risks facing your organization – not just on best practices – to ensure alignment with business goals and requirements.
    • Develop a Security Operations Strategy: Establish unified security operations that actively monitor security events and threat information, and turn that into appropriate security prevention, detection, analysis, and response processes.
    • Develop and Deploy Security Policies: Improve cybersecurity through effective policies, from acceptable use policies aimed at your end users to system configuration management policies aimed at your IT operations.

    Supplement foundational best practices with AI-based tools to counteract more sophisticated security attacks:

    • The evolution of ransomware gangs and ransomware as a service means the most sophisticated tools designed to bypass perimeter security and endpoint protection are available to a growing number of hackers.
    • Rather than activate the ransomware virus immediately, attackers will traverse the network using legitimate commands to infect as many systems as possible and exfiltrate data without generating alerts, then finally encrypt infected systems.
    • AI-based tools learn what is normal behavior and therefore can recognize unusual traffic (which could be an attack in progress) before it's too late. For example, a "user" accessing a server they've never accessed before.
    • Engage an Info-Tech analyst or consult SoftwareReviews to review products that will add this extra layer of AI-based security.

    Update your backup strategy to account for ransomware attacks

    Apply a defense-in-depth strategy. A daily disk backup that goes offsite once a week isn't good enough.

    In addition to applying your existing security practices to your backup solution (e.g. anti-malware, restricted access), consider:

    • Creating multiple restore points. Your most recent backup might be infected. Frequent backups allow you to be more granular when determining how far you need to roll back.
    • Having offsite backups and using different storage media. Reduce the risk of infected backups by using different storage media (e.g. disk, NAS, tape) and backup locations (e.g. offsite). If you can make the attackers jump through more hoops, you have a greater chance of detecting the attack before all backups are infected.
    • Investing in immutable backups. Most leading backup solutions offer options to ensure backups are immutable (cannot be altered after they are written).
    • Using the BIA you completed in Phase 2 to help decide where to prioritize investments. All the above strategies add to your backup costs and might not be feasible for all data. Use your BIA results to decide which data sets require higher levels of protection.

    This example strategy combines multiple restore points, offsite backup, different storage media, and immutable backups.

    This is an example of a backup strategy to account for ransomware attacks.

    Refer to Info-Tech's Establish an Effective Data Protection Plan blueprint for additional guidance.

    Explore zero-trust initiatives

    Zero trust is a set of principles, not a set of controls.

    Reduces reliance on perimeter security.

    Zero trust is a strategy that reduces reliance on perimeter security and moves controls to where your user accesses resources. It often consolidates security solutions, reduces operating costs, and enables business mobility.

    Zero trust must benefit the business first.

    IT security needs to determine how zero trust initiatives will affect core business processes. It's not a one-size-fits-all approach to IT security. Zero trust is the goal – but some organizations can only get so close to that ideal.

    For more information, see Build a Zero-Trust Roadmap.

    Info-Tech Insight

    A successful zero-trust strategy should evolve. Use an iterative and repeatable process to assess available zero-trust technologies and principles and secure the most relevant protect surfaces. Collaborate with stakeholders to develop a roadmap with targeted solutions and enforceable policies.

    Step 4.2

    Prioritize resilience initiatives

    Activities

    • 4.2.1 Prioritize initiatives based on factors such as effort, cost, and risk
    • 4.2.2 Review the dashboard to fine tune your roadmap

    This step will guide you through the following activities:

    • Prioritizing initiatives based on factors such as effort, cost, and risk.
    • Reviewing the dashboard to fine-tune your roadmap.

    This step involves the following participants:

    • Security Incident Response Team (SIRT)

    Outcomes of this step

    • An executive-friendly project roadmap dashboard summarizing your initiatives.
    • A visual representation of the priority, effort, and timeline required for suggested initiatives.

    Review the Ransomware Resilience Assessment

    Tabs 2 and 3 list initiatives relevant to your ransomware readiness improvement efforts.

    • At this point in the project, the Ransomware Resilience Assessment should contain a number of initiatives to improve ransomware resilience.
    • Tab 2 is prepopulated with examples of gap closure actions to consider, which are categorized into initiatives listed on Tab 3.
    • Follow the instructions in the Ransomware Resilience Assessment to:
      • Categorize gap control actions into initiatives.
      • Prioritize initiatives based on cost, effort, and benefit.
      • Construct a roadmap for consideration.

    Download the Ransomware Resilience Assessment

    4.2.1 Prioritize initiatives based on factors such as effort, cost, and risk

    1 hour

    Prioritize initiatives in the Ransomware Resilience Assessment.

    1. The initiatives listed on Tab 3 Initiative List will be copied automatically on Tab 5 Prioritization.
    2. On Tab 1 Setup:
      1. Review the weight you want to assign to the cost and effort criteria.
      2. Update the default values for FTE and Roadmap Start as needed.
    3. Go back to Tab 5 Prioritization:
      1. Fill in the cost, effort, and benefit evaluation criteria for each initiative. Hide optional columns you don't plan to use, to avoid confusion.
      2. Use the cost and benefit scores to prioritize waves and schedule initiatives on Tab 6 Gantt Chart.

    Input

    • Gaps and initiatives identified in Step 4.1

    Output

    • Project roadmap dashboard

    Materials

    • Ransomware Resilience Assessment

    Participants

    • Security Incident Response Team (SIRT)

    4.2.2 Review the dashboard to fine-tune the roadmap

    1 hour

    Review and update the roadmap dashboard in your Ransomware Resilience Assessment.

    1. Review the Gantt chart to ensure:
      1. The timeline is realistic. Avoid scheduling many high-effort projects at the same time.
      2. Higher-priority items are scheduled sooner than low-priority items.
      3. Short-term projects include quick wins (e.g. high-priority, low-effort items).
      4. It supports the story you wish to communicate (e.g. a plan to address gaps, along with the required effort and timeline).
    2. Update the values on the 5 Prioritization and 6 Gantt Chart tabs based on your review.

    Input

    • Gaps and initiatives identified in Step 4.1

    Output

    • Project roadmap dashboard

    Materials

    • Ransomware Resilience Assessment

    Participants

    • Security Incident Response Team (SIRT)

    This is an image of a sample roadmap for the years 2022-2023

    Step 4.3

    Measure resilience metrics

    Activities

    4.3.1 Summarize status and next steps in an executive presentation

    This step will guide you through the following activities:

    • Summarizing status and next steps in an executive presentation.

    This step involves the following participants:

    • Security Incident Response Team (SIRT)

    Outcomes of this step

    • Gain stakeholder buy-in by communicating the risk of the status quo and achievable next steps to improve your organization's ransomware readiness.

    Improve ransomware resilience

    4.3.1 Summarize status and next steps in an executive presentation

    1 hour

    Gain stakeholder buy-in by communicating the risk of the status quo and recommendations to reduce that risk. Specifically, capture and present the following from this blueprint:

    • Phase 1: Maturity assessment results, indicating your organization's overall readiness as well as specific areas that need to improve.
    • Phase 2: Business impact results, which objectively quantify the potential impact of downtime and data loss.
    • Phase 3: Current incident response capabilities including steps, timeline, and gaps.
    • Phase 4: Recommended projects to close specific gaps and improve overall ransomware readiness.

    Overall key findings and next steps.

    Download the Ransomware Readiness Summary Presentation Template

    Input

    • Results of all activities in Phases 1-4

    Output

    • Executive presentation

    Materials

    • Ransomware Readiness Summary Presentation Template

    Participants

    • Security Incident Response Team (SIRT)

    This is a screenshot of level 2 of the ransomware readiness maturity tool.

    Revisit metrics

    Ransomware resilience metrics track your ability to disrupt a ransomware attack at each stage of its workflow.

    Revisit metrics as the project nears completion and compare them against your baseline to measure progress.

    Attack workflow Process Metric Target trend Current Goal
    GET IN Vulnerability Management % Critical patches applied Higher is better
    Vulnerability Management # of external exposures Fewer is better
    Security Awareness Training % of users tested for phishing Higher is better
    SPREAD Identity and Access Management Adm accounts / 1000 users Lower is better
    Identity and Access Management % of users enrolled for MFA Higher is better
    Security Incident Management Avg time to detect Lower is better
    PROFIT Security Incident Management Avg time to resolve Lower is better
    Backup and Disaster Recovery % critical assets with recovery test Higher is better
    Backup and Disaster Recovery % backup to immutable storage Higher is better

    Summary of accomplishments

    Project overview

    Project deliverables

    This blueprint helped you create a ransomware incident response plan for your organization, as well as identify ransomware prevention strategies and ransomware prevention best practices.

    • Ransomware Resilience Assessment: Measure your current readiness, then identify people, policy, and technology gaps to address.
    • Ransomware Response Workflow: An at-a-glance summary of the key incident response steps across all relevant stakeholders through each phase of incident management.
    • Ransomware Response Runbook: Includes your threat escalation protocol and detailed response steps to be executed by each stakeholder.
    • Ransomware Tabletop Planning : This deep dive into a ransomware scenario will help you develop a more accurate incident management workflow and runbook, as well as identify gaps to address.
    • Ransomware Project Roadmap: This prioritized list of initiatives will address specific gaps and improve overall ransomware readiness.
    • Ransomware Readiness Summary Presentation: Your executive presentation will communicate the risk of the status quo, present recommended next steps, and drive stakeholder buy-in.

    Project phases

    Phase 1: Assess ransomware resilience

    Phase 2: Protect and detect

    Phase 3: Respond and recover

    Phase 4: Improve ransomware resilience

    Related Info-Tech Research

    Tab 3. Initiative List in the Ransomware Resilience Assessment identifies relevant Info-Tech Research to support common ransomware resilience initiatives.

    Related security blueprints:

    Related disaster recovery blueprints:

    Research Contributors and Experts

    This is an image of Jimmy Tom

    Jimmy Tom
    AVP of Information Technology and Infrastructure
    Financial Horizons

    This is an image of Dan Reisig

    Dan Reisig
    Vice President of Technology
    UV&S

    This is an image of Samuel Sutto

    Samuel Sutton
    Computer Scientist (Retired)
    FBI

    This is an image of Ali Dehghantanha

    Ali Dehghantanha
    Canada Research Chair in Cybersecurity and Threat Intelligence,
    University of Guelph

    This is an image of Gary Rietz

    Gary Rietz
    CIO
    Blommer Chocolate Company

    This is an image of Mark Roman

    Mark Roman
    CIO
    Simon Fraser University

    This is an image of Derrick Whalen

    Derrick Whalen
    Director, IT Services
    Halifax Port Authority

    This is an image of Stuart Gaslonde

    Stuart Gaslonde
    Director of IT & Digital Services
    Falmouth-Exeter Plus

    This is an image of Deborah Curtis

    Deborah Curtis
    CISO
    Placer County

    This is an image of Deuce Sapp

    Deuce Sapp
    VP of IT
    ISCO Industries

    This is an image of Trevor Ward

    Trevor Ward
    Information Security Assurance Manager
    Falmouth-Exeter Plus

    This is an image of Brian Murphy

    Brian Murphy
    IT Manager
    Placer County

    This is an image of Arturo Montalvo

    Arturo Montalvo
    CISO
    Texas General Land Office and Veterans Land Board

    No Image Available

    Mduduzi Dlamini
    IT Systems Manager
    Eswatini Railway

    No Image Available

    Mike Hare
    System Administrator
    18th Circuit Florida Courts

    No Image Available

    Linda Barratt
    Director of Enterprise architecture, IT Security, and Data Analytics, Toronto Community Housing Corporation

    This is an image of Josh Lazar

    Josh Lazar
    CIO
    18th Circuit Florida Courts

    This is an image of Douglas Williamson

    Douglas Williamson
    Director of IT
    Jamaica Civil Aviation Authority

    This is an image of Ira Goldstein

    Ira Goldstein
    Chief Operating Officer
    Herjavec Group

    This is an image of Celine Gravelines

    Celine Gravelines
    Senior Cybersecurity Analyst
    Encryptics

    This is an image of Dan Mathieson

    Dan Mathieson
    Mayor
    City of Stratford

    This is an image of Jacopo Fumagalli

    Jacopo Fumagalli
    CISO
    Omya

    This is an image of Matthew Parker

    Matthew Parker
    Program Manager
    Utah Transit Authority

    Two Additional Anonymous Contributors

    Bibliography

    2019-Data-Breach-Investigations-Report.-Verizon,-May-2019.
    2019-Midyear-Security-Roundup:-Evasive-Threats,-Persistent-Effects.-Trend-Micro,-2019.
    Abrams,-Lawrence.-"Ryuk-Ransomware-Uses-Wake-on-Lan-to-Encrypt-Offline-Devices."-Bleeping-Computer,-14-Jan.-2020.
    Abrams,-Lawrence.-"Sodinokibi-Ransomware-Publishes-Stolen-Data-for-the-First-Time."-Bleeping-Computer,-11-Jan.-2020.
    Canadian-Center-for-Cyber-Security,-"Ransomware-Playbook,"-30-November-2021.-Accessed-21-May-2022.-
    Carnegie-Endowment-for-International-Peace.-"Ransomware:-Prevention-and-Protection."-Accessed-May-2022.-
    Cawthra,-Jennifer,-Michael-Ekstrom,-Lauren-Lusty,-Julian-Sexton,-John-Sweetnam.-Special-Publication-1800-26-Data-Integrity:-Detecting-and-Responding-to-Ransomware-and-Other-Destructive-Events.-NIST,-Jan.-2020.
    Cawthra,-Jennifer,-Michael-Ekstrom,-Lauren-Lusty,-Julian-Sexton,-John-Sweetnam.-Special-Publication-1800-25-Data-Integrity:-Identifying-and-Protecting-Assets-Against-Ransomware-and-Other-Destructive-Events.-NIST,-Jan.-2020.-
    Cichonski,-P.,-T.-Millar,-T.-Grance,-and-K.-Scarfone.-"Computer-Security-Incident-Handling-Guide."-SP-800-61-Rev.-2.-NIST,-Aug.-2012.
    Cimpanu,-Catalin.-"Company-shuts-down-because-of-ransomware,-leaves-300-without-jobs-just-before-holidays."-ZDNet,-3-Jan.-2020.
    Cimpanu,-Catalin.-"Ransomware-attack-hits-major-US-data-center-provider."-ZDNet,-5-Dec.-2019.
    CISA,-"Stop-Ransomware,"-Accessed-12-May-2022.
    "CMMI-Levels-of-Capability-and-Performance."-CMMI-Institute.-Accessed-May-2022.-
    Connolly,-Lena-Yuryna,-"An-empirical-study-of-ransomware-attacks-on-organizations:-an-assessment-of-severity-and-salient-factors-affecting-vulnerability."-Journal-of-Cybersecurity,-2020,.-1-18.
    "Definitions:-Backup-vs.-Disaster-Recovery-vs.-High-Availability."-CVM-IT-&-Cloud-Services,-12-Jan.-2017.
    "Don't-Become-a-Ransomware-Target-–-Secure-Your-RDP-Access-Responsibly."-Coveware,-2019.-
    Elementus,-"Rise-of-the-Ransomware-Cartels-"(2022).-YouTube.-Accessed-May-2022.-
    Global-Security-Attitude-Survey.-CrowdStrike,-2019.
    Graham,-Andrew.-"September-Cyberattack-cost-Woodstock-nearly-$670,00:-report."-
    Global-News,-10-Dec.-2019.
    Harris,-K.-"California-2016-Data-Breach-Report."-California-Department-of-Justice,-Feb.-2016.
    Hiscox-Cyber-Readiness-Report-2019.-Hiscox-UK,-2019.
    Cost-of-A-Data-Breach-(2022).-IBM.-Accessed-June-2022.--
    Ikeda,-Scott.-"LifeLabs-Data-Breach,-the-Largest-Ever-in-Canada,-May-Cost-the-Company-Over-$1-Billion-in-Class-Action-Lawsuit."-CPO-Magazine,-2020.
    Kessem,-Limor-and-Mitch-Mayne.-"Definitive-Guide-to-Ransomware."-IBM,-May-2022.
    Krebs,-Brian.-"Ransomware-Gangs-Now-Outing-Victim-Businesses-That-Don't-Pay-Up."-Krebson-Security,-16-Dec.-2019.
    Jaquith,-Andrew-and-Barnaby-Clarke,-"Security-metrics-to-help-protect-against-ransomware."-Panaseer,-July-29,-2021,-Accessed-3-June-2022.
    "LifeLabs-pays-ransom-after-cyberattack-exposes-information-of-15-million-customers-in-B.C.-and-Ontario."-CBC-News,-17-Dec.-2019.
    Matthews,-Lee.-"Louisiana-Suffers-Another-Major-Ransomware-Attack."-Forbes,-20-Nov.-2019.
    NISTIR-8374,-"Ransomware-Risk-Management:-A-Cybersecurity-Framework-Profile."-NIST-Computer-Security-Resource-Center.-February-2022.-Accessed-May-2022.-
    "Ransomware-attack-hits-school-district-twice-in-4-months."-Associated-Press,-10-Sept.-2019.
    "Ransomware-Costs-Double-in-Q4-as-Ryuk,-Sodinokibi-Proliferate."-Coveware,-2019.
    Ransomware-Payments-Rise-as-Public-Sector-is-Targeted,-New-Variants-Enter-the-Market."-Coveware,-2019.
    Rector,-Kevin.-"Baltimore-to-purchase-$20M-in-cyber-insurance-as-it-pays-off-contractors-who-helped-city-recover-from-ransomware."-The-Baltimore-Sun,-16-Oct.-2019.
    "Report:-Average-time-to-detect-and-contain-a-breach-is-287-days."-VentureBeat,-May-25,-2022.-Accessed-June-2022.-
    "Five-Lessons-Learned-from-over-600-Ransomware-Attacks."-Riskrecon.-Mar-2022.-Accessed-May-2022.-
    Rosenberg,-Matthew,-Nicole-Perlroth,-and-David-E.-Sanger.-"-'Chaos-is-the-Point':-Russian-Hackers-and-Trolls-Grow-Stealthier-in-2020."-The-New-York-Times,-10-Jan.-2020.
    Rouse,-Margaret.-"Data-Archiving."-TechTarget,-2018.
    Siegel,-Rachel.-"Florida-city-will-pay-hackers-$600,000-to-get-its-computer-systems-back."-The-Washington-Post,-20-June-2019.
    Sheridan,-Kelly.-"Global-Dwell-Time-Drops-as-Ransomware-Attacks-Accelerate."-DarkReading,-13-April-2021.-Accessed-May-2022.-
    Smith,-Elliot.-"British-Banks-hit-by-hacking-of-foreign-exchange-firm-Travelex."-CNBC,-9-Jan.-2020.
    "The-State-of-Ransomware-2022."-Sophos.-Feb-2022.-Accessed-May-2022.-
    "The-State-of-Ransomware-in-the-U.S.:-2019-Report-for-Q1-to-Q3."-Emsisoft-Malware-Lab,-1-Oct.2019.
    "The-State-of-Ransomware-in-the-U.S.:-Report-and-Statistics-2019."-Emsisoft-Lab,-12-Dec.-2019.
    "The-State-of-Ransomware-in-2020."-Black-Fog,-Dec.-2020.
    Toulas,-Bill.-"Ten-notorious-ransomware-strains-put-to-the-encryption-speed-test."-Bleeping-Computers,-23-Mar-2022.-Accessed-May-2022.
    Tung,-Liam-"This-is-how-long-hackers-will-hide-in-your-network-before-deploying-ransomware-or-being-spotted."-zdnet.-May-19,-2021.-Accessed-June-2022.-

    Mitigate Machine Bias

    • Buy Link or Shortcode: {j2store}343|cart{/j2store}
    • member rating overall impact: 8.8/10 Overall Impact
    • member rating average dollars saved: $9,549 Average $ Saved
    • member rating average days saved: 5 Average Days Saved
    • Parent Category Name: Business Intelligence Strategy
    • Parent Category Link: /business-intelligence-strategy
    • AI is the new electricity. It is fundamentally and radically changing the fabric of our world, from the way we conduct business, to how we work and live, make decisions, and engage with each other, to how we organize our society, and ultimately, to who we are. Organizations are starting to adopt AI to increase efficiency, better engage customers, and make faster, more accurate decisions.
    • Like with any new technology, there is a flip side, a dark side, to AI – machine biases. If unchecked, machine biases replicate, amplify, and systematize societal biases. Biased AI systems may treat some of your customers (or employees) differently, based on their race, gender, identity, age, etc. This is discrimination, and it is against the law. It is also bad for business, including missed opportunities, lost consumer confidence, reputational risk, regulatory sanctions, and lawsuits.

    Our Advice

    Critical Insight

    • Machine biases are not intentional. They reflect the cognitive biases, preconceptions, and judgement of the creators of AI systems and the societal structures encoded in the data sets used for machine learning.
    • Machine biases cannot be prevented or fully eliminated. Early identification and diversity in and by design are key. Like with privacy and security breaches, early identification and intervention – ideally at the ideation phase – is the best strategy. Forewarned is forearmed. Prevention starts with a culture of diversity, inclusivity, openness, and collaboration.
    • Machine bias is enterprise risk. Machine bias is not a technical issue. It is a social, political, and business problem. Integrate it into your enterprise risk management (ERM).

    Impact and Result

    • Just because machine biases are induced by human behavior, which is also captured in data silos, they are not inevitable. By asking the right questions upfront during application design, you can prevent many of them.
    • Biases can be introduced into an AI system at any stage of the development process, from the data you collect, to the way you collect it, to which algorithms are used, to which assumptions are made, etc. Ask your data science team a lot of questions; leave no stone unturned.
    • Don’t wait until “Datasheets for Datasets” and “Model Cards for Model Reporting” (or similar frameworks) become standards. Start creating these documents now to identify and analyze biases in your apps. If using open-source data sets or libraries, you may need to create them yourself for now. If working with partners or using AI/ ML services, demand that they provide such information as part of the engagement. You, not your partners, are ultimately responsible for the AI-powered product or service you deliver to your customers or employees.
    • Build a culture of diversity, transparency, inclusivity, and collaboration – the best mechanism to prevent and address machine biases.
    • Treat machine bias as enterprise risk. Use your ERM to guide all decisions around machine biases and their mitigation.

    Mitigate Machine Bias Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to understand the dark side of AI: algorithmic (machine) biases, how they emerge, why they are dangerous, and how to mitigate them. Review Info-Tech’s methodology and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Understand AI biases

    Learn about machine biases, how and where they arise in AI systems, and how they relate to human cognitive and societal biases.

    • Mitigate Machine Bias – Phase 1: Understand AI Biases

    2. Identify data biases

    Learn about data biases and how to mitigate them.

    • Mitigate Machine Bias – Phase 2: Identify Data Biases
    • Datasheets for Data Sets Template
    • Datasheets for Datasets

    3. Identify model biases

    Learn about model biases and how to mitigate them.

    • Mitigate Machine Bias – Phase 3: Identify Model Biases
    • Model Cards for Model Reporting Template
    • Model Cards For Model Reporting

    4. Mitigate machine biases and risk

    Learn about approaches for proactive and effective bias prevention and mitigation.

    • Mitigate Machine Bias – Phase 4: Mitigate Machine Biases and Risk
    [infographic]

    Workshop: Mitigate Machine Bias

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Prepare

    The Purpose

    Understand your organization’s maturity with respect to data and analytics in order to maximize workshop value.

    Key Benefits Achieved

    Workshop content aligned to your organization’s level of maturity and business objectives.

    Activities

    1.1 Execute Data Culture Diagnostic.

    1.2 Review current analytics strategy.

    1.3 Review organization's business and IT strategy.

    1.4 Review other supporting documentation.

    1.5 Confirm participant list for workshop.

    Outputs

    Data Culture Diagnostic report.

    2 Understand Machine Biases

    The Purpose

    Develop a good understanding of machine biases and how they emerge from human cognitive and societal biases. Learn about the machine learning process and how it relates to machine bias.

    Select an ML/AI project and complete a bias risk assessment.

    Key Benefits Achieved

    A solid understanding of algorithmic biases and the need to mitigate them.

    Increased insight into how new technologies such as ML and AI impact organizational risk.

    Customized bias risk assessment template.

    Completed bias risk assessment for selected project.

    Activities

    2.1 Review primer on AI and machine learning (ML).

    2.2 Review primer on human and machine biases.

    2.3 Understand business context and objective for AI in your organization.

    2.4 Discuss selected AI/ML/data science project or use case.

    2.5 Review and modify bias risk assessment.

    2.6 Complete bias risk assessment for selected project.

    Outputs

    Bias risk assessment template customized for your organization.

    Completed bias risk assessment for selected project.

    3 Identify Data Biases

    The Purpose

    Learn about data biases: what they are and where they originate.

    Learn how to address or mitigate data biases.

    Identify data biases in selected project.

    Key Benefits Achieved

    A solid understanding of data biases and how to mitigate them.

    Customized Datasheets for Data Sets Template.

    Completed datasheet for data sets for selected project.

    Activities

    3.1 Review machine learning process.

    3.2 Review examples of data biases and why and how they happen.

    3.3 Identify possible data biases in selected project.

    3.4 Discuss “Datasheets for Datasets” framework.

    3.5 Modify Datasheets for Data Sets Template for your organization.

    3.6 Complete datasheet for data sets for selected project.

    Outputs

    Datasheets for Data Sets Template customized for your organization.

    Completed datasheet for data sets for selected project.

    4 Identify Model Biases

    The Purpose

    Learn about model biases: what they are and where they originate.

    Learn how to address or mitigate model biases.

    Identify model biases in selected project.

    Key Benefits Achieved

    A solid understanding of model biases and how to mitigate them.

    Customized Model Cards for Model Reporting Template.

    Completed model card for selected project.

    Activities

    4.1 Review machine learning process.

    4.2 Review examples of model biases and why and how they happen.

    4.3 Identify potential model biases in selected project.

    4.4 Discuss Model Cards For Model Reporting framework.

    4.5 Modify Model Cards for Model Reporting Template for your organization.

    4.6 Complete model card for selected project.

    Outputs

    Model Cards for Model Reporting Template customized for your organization.

    Completed model card for selected project.

    5 Create Mitigation Plan

    The Purpose

    Review mitigation approach and best practices to control machine bias.

    Create mitigation plan to address machine biases in selected project. Align with enterprise risk management (ERM).

    Key Benefits Achieved

    A solid understanding of the cultural dimension of algorithmic bias prevention and mitigation and best practices.

    Drafted plan to mitigate machine biases in selected project.

    Activities

    5.1 Review and discuss lessons learned.

    5.2 Create mitigation plan to address machine biases in selected project.

    5.3 Review mitigation approach and best practices to control machine bias.

    5.4 Identify gaps and discuss remediation.

    Outputs

    Summary of challenges and recommendations to systematically identify and mitigate machine biases.

    Plan to mitigate machine biases in selected project.

    Master the Art of Stakeholder Management in Small Enterprise Environments

    • Buy Link or Shortcode: {j2store}572|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Stakeholder Management
    • Parent Category Link: /stakeholder-management
    • IT hasn’t taken into account critical stakeholders and their concerns and preferences as they plan projects or operate on daily business.
    • It is difficult to tailor communication and messaging to all of the different personal and professional styles and motivations of stakeholders.
    • Access to stakeholders and getting an accurate understanding of their needs and concerns regarding IT can be difficult to obtain.

    Our Advice

    Critical Insight

    • Small enterprises have an advantage in stakeholder management. Less people and fewer barriers create opportunities for more productive interactions and stronger relationships.
    • The guiding principles for effective stakeholder management are common concepts, but unfortunately not common practice.
    • By stepping back and taking the time to thoughtfully consider the dynamics and needs of important IT stakeholders, you will be better able to position yourself and your department.

    Impact and Result

    • Info-Tech’s guiding principles provide clear and feasible recommendations for how to incorporate stakeholder management into daily interactions.
    • This blueprint’s guidance will enable IT leaders to tailor communication and interactions that will enable them to build stronger and more meaningful relationships with stakeholders.
    • Following this approach and its guiding principles will make IT projects be more successful by reducing their risk of failure due to issues of buy-in, misunderstanding of priorities, or a lack of support from critical stakeholders.

    Master the Art of Stakeholder Management in Small Enterprise Environments Research & Tools

    Executive Overview

    Use Info-Tech’s approach to stakeholder management to guide you in building stronger and more beneficial relationships, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    • Master the Art of Stakeholder Management in Small Enterprise Environments Storyboard
    • None
    • None

    1. Identify stakeholders

    Determine the stakeholders for an IT department of a singular initiative.

    • Stakeholder Management Analysis Tool

    2. Analyze stakeholders

    Use the guidance of this section to analyze stakeholders on both a professional and personal level.

    3. Manage stakeholders

    Use Info-Tech’s guiding principles of stakeholder management to direct how to best engage key stakeholders.

    4. Review case studies

    Use real-life experiences from Info-Tech’s analysts to understand how to use and apply stakeholder management techniques.

    [infographic]

    Optimize Your SQA Practice Using a Full Lifecycle Approach

    • Buy Link or Shortcode: {j2store}405|cart{/j2store}
    • member rating overall impact: 10.0/10 Overall Impact
    • member rating average dollars saved: After each Info-Tech experience, we ask our members to quantify the real-time savings, monetary impact, and project improvements our research helped them achieve.
    • member rating average days saved: Read what our members are saying
    • Parent Category Name: Testing, Deployment & QA
    • Parent Category Link: /testing-deployment-and-qa
    • Your software quality assurance (SQA) program is using the wrong set of metrics to measure how process improvements influence product quality improvements.
    • Roles & responsibilities and quality assurance initiatives are not well defined and need to be allocated to individuals that can be held responsible for quality-related issues.
    • You are finding it hard to determine a causation between SQA process improvements and an improvement in product quality.

    Our Advice

    Critical Insight

    • Your product is only as good as your process. A robust development and SQA process creates artifacts that are highly testable, easily maintained, and strongly traceable across the development lifecycle, ensuring that the product delivered meets expectations set out by the business.
    • A small issue within your development process can have a ripple effect on the level of product quality. Discover what you don’t know and identify areas within your SQA practice that require attention.

    Impact and Result

    • SQA must be viewed as more than defect analysis and testing. Instead, place greater emphasis on preventative measures to ensure application quality across the entire development lifecycle.
    • IT must create a comprehensive SQA plan that delineates roles and responsibilities as they relate to quality assurance. Ensure tasks and procedures improve process efficiency and quality, and formalize metrics that help to implement a continuous improvement cycle for SQA.
    • Our methodology provides simple-to-follow steps to develop an SQA plan that provides clear insight into your current quality assurance practices.
    • Establish a synchronous relationship between the business and IT to help stakeholders understand the importance and relative value of quality assurance tasks to current costs.

    Optimize Your SQA Practice Using a Full Lifecycle Approach Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should optimize your SQA practice using a full lifecycle approach, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Assess your current SQA capabilities

    Evaluate and understand your current SQA capabilities, as well as the degree to which metric objectives are being met.

    • Optimize Your SQA Practice Using a Full Lifecycle Approach – Phase 1: Assess Your Current SQA Capabilities
    • Software Quality Assurance Current State Assessment Tool
    • Software Quality Assurance Assessment Workbook

    2. Define SQA target state processes

    Identify and define SQA processes and metrics needed to meet quality objectives set by development teams and the business.

    • Optimize Your SQA Practice Using a Full Lifecycle Approach – Phase 2: Define SQA Target State Processes

    3. Determine optimization initiatives for improving your SQA practice

    Build your SQA plan and optimization roadmap.

    • Optimize Your SQA Practice Using a Full Lifecycle Approach – Phase 3: Determine Optimization Initiatives
    • Software Quality Assurance Plan Template
    • Software Quality Assurance Optimization Roadmap Tool
    • Software Quality Assurance Communication Template
    [infographic]

    Workshop: Optimize Your SQA Practice Using a Full Lifecycle Approach

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Assess Your Current SQA Capabilities

    The Purpose

    To help you assess and understand your current SQA capabilities as well as the degree to which metric objectives are being met.

    Key Benefits Achieved

    An analysis of current SQA practices to provide insight into potential inefficiencies, opportunities, and to provide the business with sufficient rationale for improving current quality assurance initiatives.

    Activities

    1.1 Conduct a high-level assessment of where to focus your current state analysis.

    1.2 Document your high-level development process.

    1.3 Create a RACI chart to understand roles and responsibilities.

    1.4 Perform a SIPOC-MC analysis for problem areas identified in your SDLC.

    1.5 Identify the individual control points involved with passing software artifacts through SDLC stages being assessed.

    1.6 Identify problem areas within your SDLC as they relate to SQA.

    Outputs

    Understanding of current overall development process and where it is most weak in the context of quality assurance

    Understanding of assigned roles and responsibilities across development teams, including individuals who are involved with making quality-related decisions for artifact hand-off

    Identification of problem areas within SQA process for further analysis

    2 Define SQA Target State Processes

    The Purpose

    To help you identify and define SQA processes and metrics needed to meet quality objectives set out by development teams and the business.

    Key Benefits Achieved

    A revised list of key SQA tasks along with metrics and associated tolerance limits used universally for all development projects.

    Activities

    2.1 Establish SQA metrics and tolerance limits across your SDLC.

    2.2 Determine your target state for SQA processes within the define/design stage of the SDLC.

    2.3 Determine your target state for SQA processes within the development stage of the SDLC.

    2.4 Determine your target state for SQA processes within the testing stage of the SDLC.

    2.5 Determine your target state for SQA processes within the deploy/release stage of the SDLC.

    Outputs

    Identification of the appropriate metrics and their associated tolerance limits to provide insights into meeting quality goals and objectives during process execution

    Identification of target state SQA processes that are required for ensuring quality across all development projects

    3 Prioritize SQA Optimization Initiatives and Develop Optimization Roadmap

    The Purpose

    Based on discovered inefficiencies, define optimization initiatives required to improve your SQA practice.

    Key Benefits Achieved

    Optimization initiatives and associated tasks required to address gaps and improve SQA capabilities.

    Activities

    3.1 Determine optimization initiatives for improving your SQA process.

    3.2 Gain the full scope of effort required to implement your SQA optimization initiatives.

    3.3 Identify the enablers and blockers of your SQA optimization.

    3.4 Define your SQA optimization roadmap.

    Outputs

    Prioritized list of optimization initiatives for SQA

    Assessment of level of effort for each SQA optimization initiative

    Identification of enablers and blockers for optimization initiatives

    Identification of roadmap timeline for implementing optimization initiatives

    Contact Tymans Group

    We're here to get your IT Operations performant and resilient

    We have the highest respect for your person. We contact you only with responses to your questions. Our company ethics insist on transparency and honesty.

    Continue reading

    Drive Successful Sourcing Outcomes With a Robust RFP Process

    • Buy Link or Shortcode: {j2store}216|cart{/j2store}
    • member rating overall impact: 9.4/10 Overall Impact
    • member rating average dollars saved: $25,860 Average $ Saved
    • member rating average days saved: 14 Average Days Saved
    • Parent Category Name: Vendor Management
    • Parent Category Link: /vendor-management
    • Most IT organizations do not have standard RFP templates and tools.
    • Many RFPs lack sufficient requirements.
    • Most RFP team members are not adequately trained on RFP best practices.
    • Most IT departments underestimate the amount of time that is required to perform an effective RFP.

    Our Advice

    Critical Insight

    • Vendors generally do not like RFPs
      Vendors view RFPs as time consuming and costly to respond to and believe that the decision is already made.
    • Dont ignore the benefits of an RFI
      An RFI is too often overlooked as a tool for collecting information from vendors about their product offerings and services.
    • Leverage a pre-proposal conference to maintain an equal and level playing field
      Pre-proposal conference is a convenient and effective way to respond to vendors’ questions ensuring all vendors have the same information to provide a quality response.

    Impact and Result

    • A bad or incomplete RFP results in confusing and incomplete vendor RFP responses which consume time and resources.
    • Incomplete or misunderstood requirements add cost to your project due to the change orders required to complete the project.

    Drive Successful Sourcing Outcomes With a Robust RFP Process Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Storyboard – Leverage your vendor sourcing process to get better results

    Discover a proven process for your RFPs. Review Info-Tech’s process and understand how you can prevent your organization from leaking negotiation leverage while preventing vendors from taking control of your RFP. Our 7-phase process prevents a bad RFP from taking your time, money, and resources.

    • Drive Successful Sourcing Outcomes With a Robust RFP Process Storyboard

    2. Define your RFP Requirements Tool – A convenient tool to gather your requirements and align them to your negotiation strategy.

    Use this tool to assist you and your team in documenting the requirements for your RFP. Use the results of this tool to populate the requirements section of your RFP.

    • RFP Requirements Worksheet

    3. RFP Development Suite of Tools – Use Info-Tech’s RFP, pricing, and vendor response tools and templates to increase your efficiency in your RFP process.

    Configure this time-saving suite of tools to your organizational culture, needs, and most importantly the desired outcome of your RFP initiative. This suite contains four unique RFP templates. Evaluate which template is appropriate for your RFP. Also included in this suite are a response evaluation guidebook and several evaluation scoring tools along with a template to report the RFP results to stakeholders.

    • RFP Calendar and Key Date Tool
    • Vendor Pricing Tool
    • Lean RFP Template
    • Short-Form RFP Template
    • Long-Form RFP Template
    • Excel Form RFP Tool
    • RFP Evaluation Guidebook
    • RFP Evaluation Tool
    • Vendor TCO Tool
    • Consolidated Vendor RFP Response Evaluation Summary
    • Vendor Recommendation Presentation

    Infographic

    Workshop: Drive Successful Sourcing Outcomes With a Robust RFP Process

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Foundation for Creating Requirements

    The Purpose

    Problem Identification

    Key Benefits Achieved

    Current process mapped and requirements template configured

    Activities

    1.1 Overview and level-setting

    1.2 Identify needs and drivers

    1.3 Define and prioritize requirements

    1.4 Gain business authorization and ensure internal alignment

    Outputs

    Map Your Process With Gap Identification

    Requirements Template

    Map Your Process With Gap Identification

    Requirements Template

    Map Your Process With Gap Identification

    Requirements Template

    Map Your Process With Gap Identification

    Requirements Template

    2 Creating a Sourcing Process

    The Purpose

    Define Success Target

    Key Benefits Achieved

    Baseline RFP and evaluation templates

    Activities

    2.1 Create and issue RFP

    2.2 Evaluate responses/proposals and negotiate the agreement

    2.3 Purchase goods and services

    Outputs

    RFP Calendar Tool

    RFP Evaluation Guidebook

    RFP Respondent Evaluation Tool

    3 Configure Templates

    The Purpose

    Configure Templates

    Key Benefits Achieved

    Configured Templates

    Activities

    3.1 Assess and measure

    3.2 Review templates

    Outputs

    Long-Form RFP Template

    Short-Form RFP Template

    Excel-Based RFP Template

    Further reading

    Drive Successful Sourcing Outcomes With a Robust RFP Process

    Leverage your vendor sourcing process to get better results.

    EXECUTIVE BRIEF

    Drive Successful Sourcing Outcomes with a Robust RFP Process

    Lack of RFP Process Causes...
    • Stress
    • Confusion
    • Frustration
    • Directionless
    • Exhaustion
    • Uncertainty
    • Disappointment
    Solution: RFP Process
    Steps in an RFP Process, 'Identify Need', 'Define Business Requirements', 'Gain Business Authorization', 'Perform RFI/RFP', 'Negotiate Agreement', 'Purchase Good and Services', and 'Assess and Measure Performance'.
    • Best value solutions
    • Right-sized solutions
    • Competitive Negotiations
    • Better requirements that feed negotiations
    • Internal alignment on requirements and solutions
    • Vendor Management Governance Plan
    Requirements
    • Risk
    • Legal
    • Support
    • Security
    • Technical
    • Commercial
    • Operational
    • Vendor Management Governance
    Templates, Tools, Governance
    • RFP Template
    • Your Contracts
    • RFP Procedures
    • Pricing Template
    • Evaluation Guide
    • Evaluation Matrix
    Vendor Management
    • Scorecards
    • Classification
    • Business Review Meetings
    • Key Performance Indicators
    • Contract Management
    • Satisfaction Survey

    Analyst Perspective

    Consequences of a bad RFP

    Photo of Steven Jeffery, Principal Research Director, Vendor Management, Co-Author: The Art of Creating a Quality RFP, Info-Tech Research Group

    “A bad request for proposal (RFP) is the gift that keeps on taking – your time, your resources, your energy, and your ability to accomplish your goal. A bad RFP is ineffective and incomplete, it creates more questions than it answers, and, perhaps most importantly, it does not meet your organization’s expectations.”

    Steven Jeffery
    Principal Research Director, Vendor Management
    Co-Author: The Art of Creating a Quality RFP
    Info-Tech Research Group

    Executive Summary

    Your Challenge

    • Most IT organizations are absent of standard RFP templates, tools, and processes.
    • Many RFPs lack sufficient requirements from across the business (Legal, Finance, Security, Risk, Procurement, VMO).
    • Most RFP team members are not adequately trained on RFP best practices.
    • Most IT departments underestimate the amount of time required to perform an effective RFP.
    • An ad hoc sourcing process is a common recipe for vendor performance failure.

    Common Obstacles

    • Lack of time
    • Lack of resources
    • Right team members not engaged
    • Poorly defined requirements
    • Too difficult to change supplier
    • Lack of a process
    • Lack of adequate tools/processes
    • Lack of a vendor communications plan that includes all business stakeholders.
    • Lack of consensus as to what the ideal result should look like.

    Info-Tech’s Approach

    • Establish a repeatable, consistent RFP process that maintains negotiation leverage and includes all key components.
    • Create reusable templates to expedite the RFP evaluation and selection process.
    • Maximize the competition by creating an equal and level playing field that encourages all the vendors to respond to your RFP.
    • Create a process that is clear and understandable for both the business unit and the vendor to follow.
    • Include Vendor Management concepts in the process.

    Info-Tech Insight

    A well planned and executed sourcing strategy that focuses on solid requirements, evaluation criteria, and vendor management will improve vendor performance.

    Executive Summary

    Your Challenge

    Your challenge is to determine the best sourcing tool to obtain vendor information on capabilities, solution(s), pricing and contracting: RFI, RFP, eRFX.

    Depending on your organization’s knowledge of the market, your available funding, and where you are in the sourcing process, there are several approaches to getting the information you need.

    An additional challenge is to answer the question “What is the purpose of our RFX?”

    If you do not have in-depth knowledge of the market, available solutions, and viable vendors, you may want to perform an RFI to provide available market information to guide your RFP strategy.

    If you have defined requirements, approved funding, and enough time, you can issue a detailed, concise RFP.

    If you have “the basics” about the solution to be acquired and are on a tight timeframe, an “enhanced RFI” may fit your needs.

    This blueprint will provide you with the tools and processes and insights to affect the best possible outcome.

    Executive Summary

    Common Obstacles

    • Lack of process/tools
    • Lack of input from stakeholders
    • Stakeholders circumventing the process to vendors
    • Vendors circumventing the process to key stakeholders
    • Lack of clear, concise, and thoroughly articulated requirements
    • Waiting until the vendor is selected to start contract negotiations
    • Waiting until the RFP responses are back to consider vendor management requirements
    • Lack of clear communication strategy to the vendor community that the team adheres to

    Many organizations underestimate the time commitment for an RFP

    70 Days is the average duration of an IT RFP.

    The average number of evaluators is 5-6

    4 Is the average number of vendor submissions, each requiring an average of two to three hours to review. (Source: Bonfire, 2019. Note: The 2019 Bonfire report on the “State of the RFP” is the most recent published.)

    “IT RFPs take the longest from posting to award and have the most evaluators. This may be because IT is regarded as a complex subject requiring complex evaluation. Certainly, of all categories, IT offers the most alternative solutions. The technology is also changing rapidly, as are the requirements of IT users – the half-life of an IT requirement is less than six months (half the requirements specified now will be invalid six months from now). And when the RFP process takes up two of those months, vendors may be unable to meet changed requirements when the time to implement arrives. This is why IT RFPs should specify the problem to be resolved rather than the solution to be provided. If the problem resolution is the goal, vendors are free to implement the latest technologies to meet that need.” (Bonfire, “2019 State of the RFP”)

    Why Vendors Don’t Like RFPs

    Vendors’ win rate

    44%

    Vendors only win an average of 44% of the RFPs they respond to (Loopio, 2022).
    High cost to respond

    3-5%

    Vendors budget 3-5% of the anticipated contract value to respond (LinkedIn, 2017, Note: LinkedIn source is the latest information available).
    Time spent writing response

    23.8 hours

    Vendors spend on average 23.8 hours to write or respond to your RFP (Marketingprofs, 2021).

    Negative effects on your organization from a lack of RFP process

    Visualization titled 'Lack of RFP Process Causes' with the following seven items listed.

    Stress, because roles and responsibilities aren’t clearly defined and communication is haphazard, resulting in strained relationships.

    Confusion, because you don’t know what the expected or desired results are.

    Directionless, because you don’t know where the team is going.

    Uncertainty, with many questions of your own and many more from other team members.

    Frustration, because of all the questions the vendors ask as a result of unclear or incomplete requirements.

    Exhaustion, because reviewing RFP responses of insufficient quality is tedious.

    Disappointment in the results your company realizes.

    (Source: The Art of Creating a Quality RFP)

    Info-Tech’s approach

    Develop an inclusive and thorough approach to the RFP Process

    Steps in an RFP Process, 'Identify Need', 'Define Business Requirements', 'Gain Business Authorization', 'Perform RFI/RFP', 'Negotiate Agreement', 'Purchase Good and Services', and 'Assess and Measure Performance'.

    The Info-Tech difference:

    1. The secret to managing an RFP is to make it as manageable and as thorough as possible. The RFP process should be like any other aspect of business – by developing a standard process. With a process in place, you are better able to handle whatever comes your way, because you know the steps you need to follow to produce a top-notch RFP.
    2. The business then identifies the need for more information about a product/service or determines that a purchase is required.
    3. A team of stakeholders from each area impacted gather all business, technical, legal, and risk requirements. What are the expectations of the vendor relationship post-RFP? How will the vendors be evaluated?
    4. Based on the predetermined requirements, either an RFI or an RFP is issued to vendors with a predetermined due date.

    Insight Summary

    Overarching insight

    Without a well defined, consistent RFP process, with input from all key stakeholders, the organization will not achieve the best possible results from its sourcing efforts.

    Phase 1 insight

    Vendors are choosing to not respond to RFPs due to their length and lack of complete requirements.

    Phase 2 insight

    Be clear and concise in stating your requirements and include, in addition to IT requirements, procurement, security, legal, and risk requirements.

    Phase 3 insight

    Consider adding vendor management requirements to manage the ongoing relationship post contract.

    Tactical insight

    Consider the RFP Evaluation Process as you draft the RFP, including weighting the RFP components. Don’t underestimate the level of effort required to effectively evaluate responses – write the RFP with this in mind.

    Tactical insight

    Provide strict, prescriptive instructions detailing how the vendor should submit their responses. Controlling vendor responses will increase your team’s efficiency in evaluations while providing ease of reference responses across multiple vendors.

    Key deliverables

    Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:

    Key deliverables:

    Info-Tech provides you with the tools you need to go to market in the most efficient manner possible, with guidance on how to achieve your goals.

    Sample of

    Long-Form RFP Template
    For when you have complete requirements and time to develop a thorough RFP.
    Sample of the Long-Form RFP Template deliverable. Short-Form RFP Template
    When the requirements are not as extensive, time is short, and you are familiar with the market.
    Sample of the Short-Form RFP Template deliverable.
    Lean RFP Template
    When you have limited time and some knowledge of the market and wish to include only a few vendors.
    Sample of the Lean RFP Template deliverable. Excel-Form RFP Template
    When there are many requirements, many options, multiple vendors, and a broad evaluation team.
    Sample of the Excel-Form RFP Template deliverable.

    Blueprint benefits

    IT Benefits
    • Side-by-side comparison of vendor capabilities
    • Pricing alternatives
    • No surprises
    • Competitive solutions to deliver the best results
    Mutual IT and Business Benefits
    • Reduced time to implement
    • Improved alignment between IT /Business
    • Improved vendor performance
    • Improved vendor relations
    Business Benefits
    • Budget alignment, reduced cost
    • Best value
    • Risk mitigation
    • Legal and risk protections

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    Guided Implementation

    Workshop

    Consulting

    "Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful." "Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track." "We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place." "Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project."

    Diagnostics and consistent frameworks used throughout all four options

    Guided Implementation

    A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

    A typical GI is seven to twelve calls over the course of four to six months.

    What does a typical GI on this topic look like?

    Phase 1

    Phase 2

    Phase 3

    Phase 4

    Phase 5

    Phase 6

    Phase 7

    Call #1: Identify the need Call #3: Gain business authorization Call #5: Negotiate agreement strategy Call #7: Assess and measure performance
    Call #2: Define business requirements Call #4: Review and perform the RFX or RFP Call #6: Purchase goods and services

    Workshop Overview

    Contact your account representative for more information.
    workshops@infotech.com1-888-670-8889

    Day 1 Day 2 Day 3
    Activities
    Answer “What problem do we need to solve?”

    1.1 Overview and level-setting

    1.2 Identify needs and drivers

    1.3 Define and prioritize requirements

    1.4 Gain business authorization and ensure internal alignment

    Define what success looks like?

    2.1 Create and issue RFP

    2.2 Evaluate responses/ proposals and negotiate the agreement.

    2.3 Purchase goods and services

    Configure Templates

    3.1 Assess and measure

    3.2 Review tools

    Deliverables
    1. Map your process with gap identification
    2. RFP Requirements Worksheet
    1. RFP Calendar and Key Date Tool
    2. RFP Evaluation Guidebook
    3. RFP Evaluation Tool
    1. Long-form RFP Template
    2. Short-form RFP Template
    3. Excel-based RFP Tool
    4. Lean RFP Template

    Phase 1

    Identify Need

    Steps

    1.1 Establish the need to either purchase goods/services (RFP) or acquire additional information from the market (RFI).

    Steps in an RFP Process with the first step, 'Identify Need', highlighted.

    This phase involves the following participants:

    • Business stakeholders
    • IT
    • Sourcing/Procurement
    • Finance

    Identify the need based on business requirements, changing technology, increasing vendor costs, expiring contracts, and changing regulatory requirements.

    Outcomes of this phase

    Agreement on the need to go to market to make a purchase (RFP) or to acquire additional information (RFI) along with a high-level agreement on requirements, rough schedule (is there time to do a full blown RFP or are you time constrained, which may result in an eRFP) and the RFP team is identified.

    Identify Need
    Phase 1 Phase 2 Phase 3 Phase 4 Phase 5 Phase 6 Phase 7

    Identify the Need for Your RFP

    • An RFP is issued to the market when you are certain that you intend to purchase a product/service and have identified an adequate vendor base from which to choose as a result of:

      • IT Strategy
      • Changes in technology
      • Marketplace assessment
      • Contract expiration/renewal
      • Changes in regulatory requirements
      • Changes in the business’ requirements
    • An RFI is issued to the market when you are uncertain as to available technologies or supplier capabilities and need budgetary costs for planning purposes.
    • Be sure to choose the right RFx tool for your situation!
    Stock photo of a pen circling the word 'needs' on a printed document.

    Phase 2

    Define Your RFP Requirements

    Steps

    2.1 Define and classify the technical, business, financial, legal, and support and security requirements for your business.

    Steps in an RFP Process with the second step, 'Define Business Requirements', highlighted.

    This phase involves the following participants:

    • IT
    • Legal
    • Finance
    • Risk management
    • Sourcing/Procurement
    • Business stakeholders

    Outcomes of this phase

    A detailed list of required business, technical, legal and procurement requirements classified as to absolute need(s), bargaining and concession need(s), and “nice to haves.”

    Define Business Requirements

    Phase 1 Phase 2 Phase 3 Phase 4 Phase 5 Phase 6 Phase 7

    Define RFP Requirements

    Key things to consider when defining requirements

    • Must be inclusive of the needs of all stakeholders: business, technical, financial, and legal
    • Strive for clarity and completeness in each area of consideration.
    • Begin defining your “absolute,” “bargaining,” “concession,” and ‘”dropped/out of scope” requirements to streamline the evaluation process.
    • Keep the requirements identified as “absolute” to a minimum, because vendors that do not meet absolute requirements will be removed from consideration.
    • Do you have a standard contract that can be included or do you want to review the vendor’s contract?
    • Don’t forget Data Security!
    • Begin defining your vendor selection criteria.
    • What do you want the end result to look like?
    • How will you manage the selected vendor after the contract? Include key VM requirements.
    • Defining requirements can’t be rushed or you’ll find yourself answering many questions, which may create confusion.
    • Collect all your current spend and budget considerations regarding the needed product(s) and service(s).

    “Concentrate on the needs of the organization and not the wants of the individuals when creating requirements to avoid scope creep.” (Donna Glidden, ITRG Research Director)

    Leverage the “ABCD” approach found in our Prepare for Negotiations More Effectively blueprint:
    https://tymansgrpup.com/research/ss/prepare-for-negotiations-more-effectively

    2.1 Prioritize your requirements

    1 hr to several days

    Input: List of all requirements from IT and IT Security, Business, Sourcing/Procurement, Risk Management, and Legal

    Output: Prioritized list of RFP requirements approved by the stakeholder team

    Materials: The RFP Requirements Worksheet

    Participants: All stakeholders impacted by the RFP: IT, IT Security, the Business, Sourcing/ Procurement, Risk Management, Legal

    1. Use this tool to assist you and your team in documenting the requirements for your RFP. Leverage it to collect and categorize your requirements in preparation for negotiations. Use the results of this tool to populate the requirements section of your RFP.
    2. As a group, review each of the requirements and determine their priority as they will ultimately relate to the negotiations.
      • Prioritizing your requirements will set up your negotiation strategy and streamline the process.
      • By establishing the priority of each requirement upfront, you will save time and effort in the selection process.
    3. Review RFP requirements with stakeholders for approval.

    Download the RFP Requirements Worksheet

    Phase 3

    Gain Business Authorization

    Steps

    3.1 Obtain business authorization from the business, technology, finance and Sourcing/Procurement

    Steps in an RFP Process with the third step, 'Gain Business Authorization', highlighted.

    This phase involves the following participants:

    • Business stakeholders
    • Technology and finance (depending upon the business)
    • Sourcing/Procurement

    Outcomes of this phase

    Approval by all key stakeholders to proceed with the issuing of the RFP and to make a purchase as a result.

    Gain Business Authorization

    Phase 1 Phase 2 Phase 3 Phase 4 Phase 5 Phase 6 Phase 7

    Gain Business Authorization

    Gain authorization for your RFP from all relevant stakeholders
    • Alignment of stakeholders
    • Agreement on final requirements
    • Financial authorization
    • Commitment of resources
    • Agreement on what constitutes vendor qualification
    • Finalization of selection criteria and their prioritization

    Obtaining cross-function alignment will clear the way for contract, SOW, and budget approvals and not waste any of your and your vendor’s resources in performing an RFP that your organization is not ready to implement or invest financial and human resources in.

    Stock photo of the word 'AUTHORIZED' stamped onto a white background with a much smaller stamp laying beside it.

    Phase 4

    Create and Issue

    Steps

    4.1 Build your RFP

    4.2 Decide RFI or not

    4.3 Create your RFP

    4.4 Receive & answer questions

    4.5 Perform Pre-Proposal Conference

    4.6 Evaluate responses

    Steps in an RFP Process with the fourth step, 'Perform RFI/RFP', highlighted.

    This phase involves the following participants:

    • The RFP owner
    • IT
    • Business SMEs/stakeholders

    Outcomes of this phase

    RFP package is issued to vendors and includes the date of the Pre-Proposal Conference, which should be held shortly after RFP release and includes all parties.

    SME’s/stakeholders participate in providing answers to RFP contact for response to vendors.

    Create and Issue Your RFP/RFI

    Phase 1 Phase 2 Phase 3 Phase 4 Phase 5 Phase 6 Phase 7

    Six Steps to Perform RFI/RFP

    Step 1

    • Build your RFP with evaluation in mind.

    Step 2

    • RFI or no RFI
    • Consider a Lean RFP

    Step 3

    • Create your RFP
    • Establish your RFP dates
    • Decide on RFP template
      • Short
      • Long
      • Excel
    • Create a template for vendors’ response
    • Create your Pricing Template

    Step 4

    • Receive RFP questions from vendors
    • Review and prepare answers to questions for the Pre-Proposal Conference

    Step 5

    • Conduct a Pre-Proposal Conference

    Step 6

    • Receive vendors’ proposals
    • Review for compliance and completion
    • Team evaluates vendors’ proposals.
    • Prepare TCO
    • Draft executive recommendation report

    Build your RFP with evaluation in mind

    Easing evaluation frustrations

    At the beginning of your RFP creation process consider how your requirements will impact the vendor’s response. Concentrate on the instructions you provide the vendors and how you wish to receive their responses. View the RFP through the lens of the vendors and envision how they are going to respond to the proposal.

    Limiting the number of requirements included in the RFP will increase the evaluation team’s speed when reviewing vendors’ responses. This is accomplished by not asking questions for common features and functionality that all vendors provide. Don’t ask multiple questions within a question. Avoid “lifting” vendor-specific language to copy into the RFP as this will signal to vendors who their competition might be and may deter their participation. Concentrate your requirement questions to those areas that are unique to your solution to reduce the amount of time required to evaluate the vendors’ response.

    Things to Consider When Creating Your RFP:

    • Consistency is the foundation for ease of evaluation.
    • Provide templates, such as an Excel worksheet, for the vendor’s pricing submissions and for its responses to close-ended questions.
    • Give detailed instructions on how the vendor should organize their response.
    • Limit the number of open-ended questions requiring a long narrative response to must-have requirements.
    • Organize your requirements and objectives in a numerical outline and have the vendor respond in the same manner, such as the following:
      • 1
      • 1.1
      • 1.1.1

    Increase your response quality

    Inconsistent formatting of vendor responses prevents an apples-to-apples evaluation between vendor responses. Evaluation teams are frequently challenged and are unable to evaluate vendors’ responses equally against each other for the following reasons:

    Challenges
    • Vendor responses are submitted with different and confusing nomenclature
    • Inconsistent format in response
    • Disparate order of sections in the vendors responses
    • Different style of outlining their responses, e.g. 1.1 vs. I.(i)
    • Pricing proposal included throughout their response
    • Responses are comingled with marketing messages
    • Vendor answers to requirements or objectives are not consolidated in a uniform manner
    • Disparate descriptions for response subsections
    Prevention
    • Provide specific instructions as to how the vendor is to organize their response:
      • How to format and outline the response
      • No marketing material
      • No pricing in the body of the response
    • Provide templates for pricing, technical, operational, and legal aspects.

    Six Steps to Perform RFI/RFP

    Step 1

    • Build your RFP with evaluation in mind.

    Step 2

    • RFI or no RFI
    • Consider a Lean RFP

    Step 3

    • Create your RFP
    • Establish your RFP dates
    • Decide on RFP template
      • Short
      • Long
      • Excel
    • Create a template for vendors’ response
    • Create your Pricing Template

    Step 4

    • Receive RFP questions from vendors
    • Review and prepare answers to questions for the Pre-Proposal Conference

    Step 5

    • Conduct a Pre-Proposal Conference

    Step 6

    • Receive vendors’ proposals
    • Review for compliance and completion
    • Team evaluates vendors’ proposals.
    • Prepare TCO
    • Draft executive recommendation report

    Perform Request for Information

    Don’t underestimate the importance of the RFI

    As the name implies, a request for information (RFI) is a tool for collecting information from vendors about the companies, their products, and their services. We find RFIs useful when faced with a lot of vendors that we don’t know much about, when we want to benchmark the marketplace for products and services, including budgetary information, and when we have identified more potential vendors than we care to commit a full RFP to.

    RFIs are simpler and less time-consuming than RFPs to prepare and evaluate, so it can make a lot of sense to start with an RFI. Eliminating unqualified vendors from further consideration will save your team from weeding through RFP responses that do not meet your objectives. For their part, your vendors will appreciate your efforts to determine up-front which of them are the best bets before asking them to spend resources and money producing a costly proposal.

    While many organizations rarely use RFIs, they can be an effective tool in the vendor manager’s toolbox when used at the right time in the right way. RFIs can be deployed in competitive targeted negotiations.

    A Lean RFP is a two-stage strategy that speeds up the typical RFP process. The first stage is like an RFI on steroids, and the second stage is targeted competitive negotiation.

    Don’t rely solely on the internet to qualify vendors; use an RFI to acquire additional information before finalizing an RFP.

    4.2.1 In a hurry? Consider a Lean RFP instead of an RFP

    Several days
    1. Create an RFI with all of the normal and customary components. Next, add a few additional RFP-like requirements (e.g. operational, technical, and legal requirements). Make sure you include a request for budgetary pricing and provide any significant features and functionality requirements so that the vendors have enough information to propose solutions. In addition, allow the vendors to ask questions through your single point of coordination and share answers with all of the vendors. Finally, notify the vendors that you will not be doing an RFP.
    2. Review the vendors’ proposals and evaluate their proposals against your requirements along with their notional or budgetary pricing.
    3. Have the evaluators utilize the Lean RFP Template to record their scores accordingly.
    4. After collecting the scores from the evaluators, consolidate the scores together to discuss which vendors – we recommend two or three – you want to present demos.
    5. Based on the vendors’ demos, the team selects at least two vendors to negotiate contract and pricing terms with intent of selecting the best-value vendor.
    6. The Lean RFP shortens the typical RFP process, maintains leverage for your organization, and works great with low- to medium-spend items (however your organization defines them). You’ll get clarification on vendors’ competencies and capabilities, obtain a fair market price, and meet your internal clients’ aggressive timelines while still taking steps to protect your organization.

    Download the Lean RFP Template

    Download the RFP Evaluation Tool

    4.2.1 In a hurry? Consider a Lean RFP instead of an RFP continued

    Input

    • List of technical, operational, business, and legal requirements
    • Budgetary pricing ask

    Output

    • A Lean RFP document that includes the primary components of an RFP
    • Lean RFP vendors response evaluation

    Materials

    • Lean RFP Template
    • RFP Evaluation Tool
    • Contracting requirements
    • Pricing

    Participants

    • IT
    • Business
    • Finance
    • Sourcing/Procurement

    Case Study

    A Lean RFP saves time
    INDUSTRY: Pharmaceutical
    SOURCE: Guided Implementation
    Challenge
    • The vendor manager (VM) was experiencing pressure to shorten the expected five-month duration to perform an RFP for software that planned, coordinated, and submitted regulatory documents to the US Food and Drug Administration.
    • The VM team was not completely familiar with the qualified vendors and their solutions.
    • The organization wanted to capitalize on this opportunity to enhance its current processes with the intent of improving efficiencies in documentation submissions.
    Solution
    • Leveraging the Lean RFP process, the team reduced the 200+ RFP questionnaire into a more manageable list of 34 significant questions to evaluate vendor responses.
    • The team issued the Lean RFP and requested the vendors’ responses in three weeks instead of the five weeks planned for the RFP process.
    • The team modified the scoring process to utilize a simple weighted-scoring methodology, using a scale of 1-5.
    Results
    • The Lean RFP scaled back the complexity of a large RFP.
    • The customer received three vendor responses ranging from 19 to 43 pages and 60-80% shorter than expected if the RFP had been used. This allowed the team to reduce the evaluation period by three weeks.
    • The duration of the RFx process was reduced by more than two months – from five months to just under three months.

    Six Steps to Perform RFI/RFP

    Step 1

    • Build your RFP with evaluation in mind.

    Step 2

    • RFI or no RFI
    • Consider a Lean RFP

    Step 3

    • Create your RFP
    • Establish your RFP dates
    • Decide on RFP template
      • Short
      • Long
      • Excel
    • Create a template for vendors’ response
    • Create your Pricing Template

    Step 4

    • Receive RFP questions from vendors
    • Review and prepare answers to questions for the Pre-Proposal Conference

    Step 5

    • Conduct a Pre-Proposal Conference

    Step 6

    • Receive vendors’ proposals
    • Review for compliance and completion
    • Team evaluates vendors’ proposals.
    • Prepare TCO
    • Draft executive recommendation report

    4.3.1 RFP Calendar

    1 hour

    Input: List duration in days of key activities, RFP Calendar and Key Date Tool, For all vendor-inclusive meetings, include the dates on your RFP calendar and reference them in the RFP

    Output: A timeline to complete the RFP that has the support of each stakeholder involved in the process and that allows for a complete and thorough vendor response.

    Materials: RFP Calendar and Key Date Tool

    Participants: IT management, Business stakeholder(s), Legal (as required), Risk management (as required), Sourcing/Procurement, Vendor management

    1. As a group, identify the key activities to be accomplished and the amount of time estimated to complete each task:
      1. Identify who is ultimately accountable for the completion of each task
      2. Determine the length of time required to complete each task
    2. Use the RFP Calendar and Key Date Tool to build the calendar specific to your needs.
    3. Include vendor-related dates in the RFP, i.e., Pre-Proposal Conference, deadline for RFP questions as well as response.

    Download the RFP Calendar and Key Date Tool

    Draft your RFP

    Create and issue your RFP, which should contain at least the following:
    • The ability for the vendors to ask clarifying questions (in writing, sent to the predetermined RFP contact)
    • Pre-Proposal/Pre-Bid Conference schedule where vendors can receive the same answer to all clarifying written questions
    • A calendar of events (block the time on stakeholder calendars – see template).
    • Instructions to potential vendors on how they should construct and return their response to enable effective and timely evaluation of each offer.
    • Requirements; for example: Functional, Operational, Technical, and Legal.
    • Specification drawings as if applicable.
    • Consider adding vendor management requirements – how do you want to manage the relationship after the deal is done?
    • A pricing template for vendors to complete that facilitates comparison across multiple vendors.
    • Contract terms required by your legal team (or your standard contract for vendors to redline as part of their response and rated/ranked accordingly).
    • Create your RFP with the evaluation process and team in mind to ensure efficiency and timeliness in the process. Be clear, concise, and complete in the document.
    • Consistency and completeness is the foundation for ease of evaluation.
    • Give vendors detailed instruction on how to structure and organize their response.
    • Limit the number of open-ended questions requiring a long narrative response.
    • Be sure to leverage Info-Tech’s proven and field-tested Short-Form, Long-Form, and Lean RFP Templates provided in this blueprint.

    Create a template for the vendors’ response

    Dictating to the vendors the format of their response will increase your evaluation efficiency
    Narrative Response:

    Create either a Word or Excel document that provides the vendor with an easy vehicle for their response. This template should include the question identifier that ties the response back to the requirement in the RFP. Instruct vendors to include the question number on any ancillary materials they wish to include.

    Pricing Response:

    Create a separate Excel template that the vendors must use to provide their financial offer. This template should include pricing for hardware, software, training, implementation, and professional services, as well as placeholders for any additional fees.

    Always be flexible in accepting alternative proposals after the vendor has responded with the information you requested in the format you require.

    Stock image of a paper checklist in front of a laptop computer's screen.

    4.3.2 Vendor Pricing Tool

    1 hour

    Input: Identify pricing components for hardware, software, training, consulting/services, support, and additional licenses (if needed)

    Output: Vendor Pricing Tool

    Materials: RFP Requirements Worksheet, Pricing template

    Participants: IT, Finance, Business stakeholders, Sourcing/Procurement, Vendor management

    1. Using a good pricing template will prevent vendors from providing pricing offers that create a strategic advantage designed to prevent you from performing an apples-to-apples comparison.
    2. Provide specific instructions as to how the vendor is to organize their pricing response, which should be submitted separate from the RFP response.
    3. Configure and tailor pricing templates that are specific to the product and/or services.
    4. Upon receipt of all the vendor’s responses, simply cut and paste their total response to your base template for an easy side-by-side pricing comparison.
    5. Do not allow vendors to submit financial proposals outside of your template.

    Download the Vendor Pricing Tool

    Three RFP Templates

    Choose the right template for the right sourcing initiative

    • Short-Form
    • Use the Short-Form RFP Template for simple, non-complex solutions that are medium to low dollar amounts that do not require numerous requirements.

    • Long-Form
    • We recommend the Long-Form RFP Template for highly technical and complex solutions that are high dollar and have long implementation duration.

    • Excel-Form
    • Leverage the Excel-Form RFP Tool for requirements that are more specific in nature to evaluate a vendor’s capability for their solution. This template is designed to be complete and inclusive of the RFP process, e.g., requirements, vendor response, and vendor response evaluation scoring.

    Like tools in a carpenters’ tool box or truck, there is no right or wrong template for any job. Take into account your organization culture, resources available, time frame, policies, and procedures to pick the right tool for the job. (Steve Jeffery, Principal Research Director, Vendor Management, Co-Author: The Art of Creating a Quality RFP, Info-Tech Research Group)

    4.3.3 Short-Form RFP Template

    1-2 hours

    Input: List of technical, legal, business, and data security requirements

    Output: Full set of requirements, prioritized, that all participants agree to

    Materials: Short-Form RFP Template, Vendor Pricing Tool, Supporting exhibits

    Participants: IT management, Business stakeholder(s), Legal (as required), Risk management (as required), Sourcing/Procurement, Vendor management

    • This is a less complex RFP that has relatively basic requirements and perhaps a small window in which the vendors can respond. As with the long-form RFP, exhibits are placed at the end of the RFP, an arrangement that saves both your team and the vendors time. Of course, the short-form RFP contains less-specific instructions, guidelines, and rules for vendors’ proposal submissions.
    • We find that short-form RFPs are a good choice when you need to use something more than a request for quote (RFQ) but less than an RFP running 20 or more pages. It’s ideal, for example, when you want to send an RFP to only one vendor or to acquire items such as office supplies, contingent labor, or commodity items that don’t require significant vendor risk assessment.

    Download the Short-Form RFP Template

    4.3.4 Long-Form RFP Template

    1-3 hours

    Input: List of technical, legal, business, and data security requirements

    Output: Full set of requirements, prioritized, that all stakeholders agree to

    Materials: Long-Form RFP Template, Vendor Pricing Tool, Supporting exhibits

    Participants: IT management, Business stakeholder(s), Legal (as required), Risk management (as required), Sourcing/Procurement, Vendor management

    • A long-form or major RFP is an excellent tool for more complex and complicated requirements. This template is for a baseline RFP.
    • It starts with best-in-class RFP terms and conditions that are essential to maintaining your control throughout the RFP process. The specific requirements for the business, functional, technical, legal, and pricing areas should be included in the exhibits at the end of the template. That makes it easier to tailor the RFP for each deal, since you and your team can quickly identify specific areas that need modification. Grouping the exhibits together also makes it convenient for both your team to review and the vendors to respond.
    • You can use this sample RFP as the basis for your template RFP, taking it all as is or picking and choosing the sections that best meet the mission and objectives of the RFP and your organization.

    Download the Long-Form RFP Template

    4.3.5 Excel-Form RFP Tool

    Several weeks

    Input: List of technical, legal, business, and data security requirements

    Output: Full set of requirements, prioritized, that all stakeholders agree to

    Materials: Excel-Form RFP Template, Vendor Pricing Tool, Supporting exhibits

    Participants: IT management, Business stakeholder(s), Legal (as required), Risk management (as required), Sourcing/Procurement, Vendor management

    • The Excel-Form RFP Tool is used as an alternative to the other RFP toolsets if you have multiple requirements and have multiple vendors to choose from.
    • Requirements are written as a “statement” and the vendor can select from five answers as to their ability to meet the requirements, with the ability to provide additional context and materials to augment their answers, as needed.
    • Requirements are listed separately in each tab, for example, Business, Legal, Technical, Security, Support, Professional Services, etc.

    Download the Excel-Form RFP Template

    Six Steps to Perform RFI/RFP

    Step 1

    • Build your RFP with evaluation in mind.

    Step 2

    • RFI or no RFI
    • Consider a Lean RFP

    Step 3

    • Create your RFP
    • Establish your RFP dates
    • Decide on RFP template
      • Short
      • Long
      • Excel
    • Create a template for vendors’ response
    • Create your Pricing Template

    Step 4

    • Receive RFP questions from vendors
    • Review and prepare answers to questions for the Pre-Proposal Conference

    Step 5

    • Conduct a Pre-Proposal Conference

    Step 6

    • Receive vendors’ proposals
    • Review for compliance and completion
    • Team evaluates vendors’ proposals.
    • Prepare TCO
    • Draft executive recommendation report

    Answer Vendor Questions

    Maintaining your equal and level playing field among vendors

    • Provide an adequate amount of time from the RFP issue date to the deadline for vendor questions. There may be multiple vendor staff/departments that need to read the RFP and then discuss their response approach and gather any clarifying questions, so we generally recommend three to five business days.
    • There should be one point of contact for all Q&A, which should be submitted in writing via email only. Be sure to plan for enough time to get the answers back from the RFP stakeholders.
    • After the deadline, collect all Q&A and begin the process of consolidating into one document.
    Large silver question mark.
    • Be sure to anonymize both vendor questions and your responses, so as not to reveal who asked or answered the question.
    • Send the document to all RFP respondents via your sourcing tool or BCC in an email to the point of contact, with read receipt requested. That way, you can track who has received and opened the correspondence.
    • Provide the answers a few days prior to the Pre-Proposal Conference to allow all respondents time to review the document and prepare any additional questions.
    • Begin the preparation for the Pre-Proposal Conference.

    Six Steps to Perform RFI/RFP

    Step 1

    • Build your RFP with evaluation in mind.

    Step 2

    • RFI or no RFI
    • Consider a Lean RFP

    Step 3

    • Create your RFP
    • Establish your RFP dates
    • Decide on RFP template
      • Short
      • Long
      • Excel
    • Create a template for vendors’ response
    • Create your Pricing Template

    Step 4

    • Receive RFP questions from vendors
    • Review and prepare answers to questions for the Pre-Proposal Conference

    Step 5

    • Conduct a Pre-Proposal Conference

    Step 6

    • Receive vendors’ proposals
    • Review for compliance and completion
    • Team evaluates vendors’ proposals.
    • Prepare TCO
    • Draft executive recommendation report

    Conduct Pre-Proposal Conference

    Maintain an equal and level playing field

    • Consolidate all Q&A to be presented to all vendors during the Pre-Proposal Conference.
    • If the Pre-Proposal Conference is conducted via conference call, be sure to record the session and advise all participants at the beginning of the call.
    • Be sure to have key stakeholders present on the call to answer questions.
    • Read each question and answer, after which ask if there are any follow up questions. Be sure to capture them and then add them to the Q&A document.
    • Remind respondents that no further questions will be entertained during the remainder of the RFP response period.
    • Send the updated and completed document to all vendors (even if circumstances prevented their attending the Pre-Proposal Conference). Use the same process as when you sent out the initial answers: via email, blind copy the respondents and request read/receipt.

    “Using a Pre-Proposal Conference allows you to reinforce that there is a level playing field for all of the vendors…that each vendor has an equal chance to earn your business. This encourages and maximizes competition, and when that happens, the customer wins.” (Phil Bode, Principal Research Director, Co-Author: The Art of Creating a Quality RFP, Info-Tech Research Group)

    Pre-Proposal Conference Agenda

    Modify this agenda for your specific organization’s culture
    1. Opening Remarks & Welcome – RFP Manager
      1. Agenda review
      2. Purpose of the Pre-Proposal Conference
    2. Review Agenda
      1. Introduction of your (customer) attendees
    3. Participating Vendor Introduction (company name)
    4. Executive or Sr. Leadership Comments (limit to five minutes)
      1. Importance of the RFP
      2. High-level business objective or definition of success
    5. Review Key Dates in the RFP

    (Source: The Art of Creating a Quality RFP, Jeffery et al., 2019)
    1. Review of any Technical Drawings or Information
      1. Key technical requirements and constraints
      2. Key infrastructure requirements and constraints
    2. Review of any complex RFP Issues
      1. Project scope/out of scope
    3. Question &Answer
      1. Vendors’ questions in alphabetical order
    4. Review of Any Specific Instructions for the Respondents
    5. Conclusion/Closing
      1. Review how to submit additional questions
      2. Remind vendors of the single point of contact

    Allow your executive or leadership sponsor to leave the Pre-Proposal Conference after they provide their comments to allow them to continue their day while demonstrating to the vendors the importance of the project.

    Six Steps to Perform RFI/RFP

    Step 1

    • Build your RFP with evaluation in mind.

    Step 2

    • RFI or no RFI
    • Consider a Lean RFP

    Step 3

    • Create your RFP
    • Establish your RFP dates
    • Decide on RFP template
      • Short
      • Long
      • Excel
    • Create a template for vendors’ response
    • Create your Pricing Template

    Step 4

    • Receive RFP questions from vendors
    • Review and prepare answers to questions for the Pre-Proposal Conference

    Step 5

    • Conduct a Pre-Proposal Conference

    Step 6

    • Receive vendors’ proposals
    • Review for compliance and completion
    • Team evaluates vendors’ proposals.
    • Prepare TCO
    • Draft executive recommendation report

    Evaluate Responses

    Other important information

    • Consider separating the pricing component from the RFP responses before sending them to reviewers to maintain objectivity until after you have received all ratings on the proposals themselves.
    • Each reviewer should set aside focused time to carefully read each vendor’s response
    • Read the entire vendor proposal – they spent a lot time and money responding to your request, so please read everything.
    • Remind reviewers that they should route any questions to the vendor through the RFP manager.
    • Using the predetermined ranking system for each section, rate each section of the response, capturing any notes, questions, or concerns as you proceed through the document(s).
    Stock photo of a 'Rating' meter with values 'Very Bad to 'Excellent'.

    Use a proven evaluation method

    Two proven methods to reviewing vendors’ proposals are by response and by objective

    The first, by response, is when the evaluator reviews each vendor’s response in its entirety.

    The second, reviewing by objective, is when the evaluator reviews each vendor’s response to a single objective before moving on to the next.

    By Response

    Two-way arrow with '+ Pros' in green on the left and 'Cons -' in red on the right.

    By Objective

    Two-way arrow with '+ Pros' in green on the left and 'Cons -' in red on the right.

    • Each response is thoroughly read all the way through.
    • Response inconsistencies are easily noticed.
    • Evaluators obtain a good feel for the vendor's response.
    • Evaluators will lose interest as they move from one response to another.
    • Evaluation will be biased if the beginning of response is subpar, influencing the rest of the evaluation.
    • Deficiencies of the perceived favorite vendor are overlooked.
    • Evaluators concentrate on how each objective is addressed.
    • Evaluators better understand the responses, resulting in identifying the best response for the objective.
    • Evaluators are less susceptible to supplier bias.
    • Electronic format of the response hampers response review per objective.
    • If a hard copy is necessary, converting electronic responses to hard copy is costly and cumbersome.
    • Discipline is required to score each vendor's response as they go.

    Maintain evaluation objectivity by reducing response evaluation biases

    Evaluation teams can be naturally biased during their review of the vendors’ responses.

    You cannot eliminate bias completely – the best you can do is manage it by identifying these biases with the team and mitigating their influence in the evaluation process.

    Vendor

    The evaluator only trusts a certain vendor and is uncomfortable with any other vendor.
    • Evaluate the responses blind of vendor names, if possible.
    Centerpiece for this table, titled 'BIAS' and surrounding by iconized representations of the four types listed.

    Account Representatives

    Relationships extend beyond business, and an evaluator doesn't want to jeopardize them.
    • Craft RFP objectives that are vendor neutral.

    Technical

    A vendor is the only technical solution the evaluator is looking for, and they will not consider anything else.
    • Conduct fair and open solution demonstrations.

    Price

    As humans, we can justify anything at a good price.
    • Evaluate proposals without awareness of price.

    Additional insights when evaluating RFPs

    When your evaluation team includes a member of the C-suite or senior leadership, ensure you give them extra time to sufficiently review the vendor's responses. When your questions require a definitive “Yes”/“True” or “No”/“False” responses, we recommend giving the maximum score for “Yes”/“True” and the minimum score for “No”/“False”.
    Increase your efficiency and speed of evaluation by evaluating the mandatory requirements first. If a vendor's response doesn't meet the minimum requirements, save time by not reviewing the remainder of the response. Group your RFP questions with a high-level qualifying question, then the supporting detailed requirements. The evaluation team can save time by not evaluating a response that does not meet a high-level qualifying requirement.

    Establish your evaluation scoring scale

    Define your ranking scale to ensure consistency in ratings

    Within each section of your RFP are objectives, each of which should be given its own score. Our recommended approach is to award on a scale of 0 to 5. With such a scale, you need to define every level. Below are the recommended definitions for a 0 to 5 scoring scale.

    Score Criteria for Rating
    5 Outstanding – Complete understanding of current and future needs; solution addresses current and future needs
    4 Competent – Complete understanding and adequate solution
    3 Average – Average understanding and adequate solution
    2 Questionable – Average understanding; proposal questionable
    1 Poor – Minimal understanding
    0 Not acceptable – Lacks understanding
    Stock photo of judges holding up their ratings.

    Weigh the sections of your RFP on how important or critical they are to the RFP

    Obtain Alignment on Weighting the Scores of Each Section
    • There are many ways to score responses, ranging from extremely simple to highly complicated. The most important thing is that everyone responsible for completing scorecards is in total agreement about how the scoring system should work. Otherwise, the scorecards will lose their value, since different weighting and scoring templates were used to arrive at their scores.
    • You can start by weighting the scores by section, with all sections adding up to 100%.
    Example RFP Section Weights
    Pie chart of example RFP section weights, 'Operational, 20%', 'Service-Level Agreements, 20%', 'Financial, 20%', 'Legal/Contractual, 15%', 'Technical, 10%' 'Functional, 15%'.
    (Source: The Art of Creating a Quality RFP, Jeffery et al., 2019)

    Protect your negotiation leverage with these best practices

    Protect your organization's reputation within the vendor community with a fair and balanced process.
    • Unless you regularly have the evaluators on your evaluation team, always assume that the team members are not familiar nor experienced with your process and procedures.
    • Do not underestimate the amount of preparations required to ensure that your evaluation team has everything they need to evaluate vendors’ responses without bias.
    • Be very specific about the expectations and time commitment required for the evaluation team to evaluate the responses.
    • Explain to the team members the importance of evaluating responses without conflicts of interest, including the fact that information contained within the responses and all discussions within the team are considered company owned and confidential.
    • Include examples of the evaluation and scoring processes to help the evaluators understand what they should be doing.
    • Finally – don’t forget to the thank the evaluation team and their managers for their time and commitment in contributing to this essential decision.
    Stock photo of a cork board with 'best practice' spelled out by tacked bits of paper, each with a letter in a different font.

    Evaluation teams must balance commercial vs. technical requirements

    Do not alter the evaluation weights after responses are submitted.
    • Evaluation teams are always challenged by weighing the importance of price, budget, and value against the technical requirements of “must-haves” and super cool “nice-to-haves.”
    • Encouraging the evaluation team not to inadvertently convert the nice-to-haves to must-haves will prevent scope creep and budget pressure. The evaluation team must concentrate on the vendors’ responses that drive the best value when balancing both commercial and technical requirements.
    Two blocks labelled 'Commercial Requirements' and 'Technical Requirements' balancing on either end of a flat sheet, which is balancing on a silver ball.

    4.6.1 Evaluation Guidebook

    1 hour

    Input: RFP responses, Weighted Scoring Matrix, Vendor Response Scorecard

    Output: One or two finalists for which negotiations will proceed

    Materials: RFP Evaluation Guidebook

    Participants: IT, Finance, Business stakeholders, Sourcing/Procurement, Vendor management

    1. Info-Tech provides an excellent resource for your evaluation team to better understand the process of evaluating vendor response. The guidebook is designed to be configured to the specifics of your RFP, with guidance and instructions to the team.
    2. Use this guidebook to provide instruction to the evaluation team as to how best to score and rate the RFP responses.
    3. Specific definitions are provided for applying the numerical scores to the RFP objectives will ensure consistency among the appropriate numerical score.

    Download the RFP Evaluation Guidebook

    4.6.2 RFP Vendor Proposal Scoring Tool

    1-4 hours

    Input: Each vendor’s RFP response, A copy of the RFP (less pricing), A list of the weighted criteria incorporated into a vendor response scorecard

    Output: A consolidated ranked and weighted comparison of the vendor responses with pricing

    Materials: Vendor responses, RFP Evaluation Tool

    Participants: Sourcing/Procurement, Vendor management

    1. Using the RFP outline as a base, develop a scorecard to evaluate and rate each section of the vendor response, based on the criteria predetermined by the team.
    2. Provide each stakeholder with the scorecard when you provide the vendor responses for them to review and provide the team with adequate time to review each response thoroughly and completely.
    3. Do not, at this stage, provide the pricing. Allow stakeholders to review the responses based on the technical, business, operational criteria without prejudice as to pricing.
    4. Evaluators should always be reminded that they are evaluating each vendor’s response against the objectives and requirements of the RFP. The evaluators should not be evaluating each vendor’s response against one another.
    5. While the team is reviewing and scoring responses, review and consolidate the vendor pricing submissions into one document for a side-by-side comparison.

    Download the RFP Evaluation Tool

    4.6.3 Total Cost of Owners (TCO)

    1-2 hours

    Input: Consolidated vendor pricing responses, Consolidated vendor RFP responses, Current spend within your organization for the product/service, if available, Budget

    Output: A completed TCO model summarizing the financial results of the RFP showing the anticipated costs over the term of the agreement, taking into consideration the impact of renewals.

    Materials: Vendor TCO Tool, Vendor pricing responses

    Participants: IT, Finance, Business stakeholders, Sourcing/Procurement

    • Use Info-Tech’s Vendor TCO Tool to normalize each vendor’s pricing proposal and account for the lifetime cost of the product.
    • Fill in pricing information (the total of all annual costs) from each vendor's returned Pricing Proposal.
    • The tool will summarize the net present value of the TCO for each vendor proposal.
    • The tool will also provide the rank of each pricing proposal.

    Download the Vendor TCO Tool

    Conduct an evaluation team results meeting

    Follow the checklist below to ensure an effective evaluation results meeting

    • Schedule the evaluation team’s review meeting well in advance to ensure there are no scheduling conflicts.
    • Collect the evaluation team’s scores in advance.
    • Collate scores and provide an initial ranking.
    • Do not reveal the pricing evaluation results until after initial discussions and review of the scoring results.
    • Examine both high and low scores to understand why the team members scored the response as they did.
    • Allow the team to discuss, debate, and arrive at consensus on the ranking.
    • After consensus, reveal the pricing to examine if or how it changes the ranking.
    • Align the team on the next steps with the applicable vendors.

    4.6.4 Consolidated RFP Response Scoring

    1-2 hours

    Input: Vendor Response Scorecard from each stakeholder, Consolidated RFP responses and pricing, Any follow up questions or items requiring further vendor clarification.

    Output: An RFP Response Evaluation Summary that identifies the finalists based on pre-determined criteria.

    Materials: RFP Evaluation Tool from each stakeholder, Consolidated RFP responses and pricing.

    Participants: IT, Finance, Business stakeholders, Sourcing/Procurement, Vendor management

    1. Collect from the evaluation team all scorecards and any associated questions requiring further clarification from the vendor(s). Consolidate the scorecards into one for presentation to the team and key decision makers.
    2. Present the final scores to the team, with the pricing evaluation, to determine, based on your needs, two or three finalists that will move forward to the next steps of negotiations.
    3. Discuss any scores that are have large gaps, e.g., a requirement with a score of one from one evaluator and the same requirement with a score five from different evaluator.
    4. Arrive at a consensus of your top one or two potential vendors.
    5. Determine any required follow-up actions with the vendors and include them in the Evaluation Summary.

    Download the Consolidated Vender RFP Response Evaluation Summary

    4.6.5 Vendor Recommendation Presentation

    1-3 hours
    1. Use the Vendor Recommendation Presentation to present your finalist and obtain final approval to negotiate and execute any agreements.
    2. The Vendor Recommendation Presentation provides leadership with:
      1. An overview of the RFP, its primary goals, and key requirements
      2. A summary of the vendors invited to participate and why
      3. A summary of each component of the RFP
      4. A side-by-side comparison of key vendor responses to each of the key/primary requirements, with ranking/weighting results
      5. A summary of the vendor’s responses to key legal terms
      6. A consolidated summary of the vendors’ pricing, augmented by the TCO calculations for the finalist(s).
      7. The RFP team’s vendor recommendations based on its findings
      8. A summary of next steps with dates
      9. Request approval to proceed to next steps of negotiations with the primary and secondary vendor

    Download the Vendor Recommendation Presentation

    4.6.5 Vendor Recommendation Presentation

    Input

    • Consolidated RFP responses, with a focus on key RFP goals
    • Consolidated pricing responses
    • TCO Model completed, approved by Finance, stakeholders

    Output

    • Presentation deck summarizing the key findings of the RFP results, cost estimates and TCO and the recommendation for approval to move to contract negotiations with the finalists

    Materials

    • Consolidated RFP responses, including legal requirements
    • Consolidated pricing
    • TCO Model
    • Evaluators scoring results

    Participants

    • IT
    • Finance
    • Business stakeholders
    • Legal
    • Sourcing/Procurement

    Caution: Configure templates and tools to align with RFP objectives

    Templates and tools are invaluable assets to any RFP process

    • Leveraging templates and tools saves time and provides consistency to your vendors.
    • Maintain a common repository of your templates and tools with different versions and variations. Include a few sentences with instructions on how to use the template and tools for team members who might not be familiar with them.

    Templates/Tools

    RFP templates and tools are found in a variety of places, such as previous projects, your favorite search engine, or by asking a colleague.

    Sourcing

    Regardless of the source of these documents, you must take great care and consideration to sanitize any reference to another vendor, company, or name of the deal.

    Review

    Then you must carefully examine the components of the deal before creating your final documents.

    Popular RFP templates include:

    • RFP documents
    • Pricing templates
    • Evaluation and scoring templates
    • RFP requirements
    • Info-Tech research

    Phase 5

    Negotiate Agreement(s)

    Steps

    5.1 Perform negotiation process

    Steps in an RFP Process with the fifth step, 'Negotiate Agreement', highlighted.

    This phase involves the following participants:

    • Procurement
    • Vendor management
    • Legal
    • IT stakeholders
    • Finance

    Outcomes of this phase

    A negotiated agreement or agreements that are a result of competitive negotiations.

    Negotiate Agreement(s)

    Phase 1 Phase 2 Phase 3 Phase 4 Phase 5 Phase 6 Phase 7

    Negotiate Agreement

    You should evaluate your RFP responses first to see if they are complete and the vendor followed your instructions.


    Then you should:

    • Plan negotiation(s) with one or more vendors based on your questions and opportunities identified during evaluation.
    • Select finalist(s).
    • Apply selection criteria.
    • Resolve vendors’ exceptions.

    Info-Tech Insight

    Be certain to include any commitments made in the RFP, presentations, and proposals in the agreement – dovetails to underperforming vendor.

    Centerpiece of the table, titled 'Negotiation Process'.

    Leverage Info-Tech's negotiation process research for additional information

    Negotiate before you select your vendor:
    • Negotiating with two or more vendors will maintain your competitive leverage while decreasing the time it takes to negotiate the deal.
    • Perform legal reviews as necessary.
    • Use sound competitive negotiations principles.

    Info-Tech Insight

    Providing contract terms in an RFP can dramatically reduce time for this step by understanding the vendor’s initial contractual position for negotiation.

    Phase 6

    Purchase Goods and Services

    Steps

    6.1 Purchase Goods & Services

    Steps in an RFP Process with the sixth step, 'Purchase Goods and Services', highlighted.

    This phase involves the following participants:

    • Procurement
    • Vendor management
    • IT stakeholders

    Outcomes of this phase

    A purchase order that completes the RFP process.

    The beginning of the vendor management process.

    Purchase Goods and Services

    Phase 1 Phase 2 Phase 3 Phase 4 Phase 5 Phase 6 Phase 7

    Purchase Goods and Services

    Prepare to purchase goods and services

    Prepare to purchase goods and services by completing all items on your organization’s onboarding checklist.
    • Have the vendor complete applicable tax forms.
    • Set up the vendor in accounts payable for electronic payment (ACH) set-up.
    Then transact day-to-day business:
    • Provide purchasing forecasts.
    • Complete applicable purchase requisition and purchase orders. Be sure to reference the agreement in the PO.
    Stock image of a computer monitor with a full grocery cart shown on the screen.

    Info-Tech Insight

    As a customer, honoring your contractual obligations and commitments will ensure that your organization is not only well respected but considered a customer of choice.

    Phase 7

    Assess and Measure Performance

    Steps

    7.1 Assess and measure performance against the agreement

    Steps in an RFP Process with the seventh step, 'Assess and Measure Performance', highlighted.

    This phase involves the following participants:

    • Vendor management
    • Business stakeholders
    • Senior leadership (as needed)
    • IT stakeholders
    • Vendor representatives & senior management

    Outcomes of this phase

    A list of what went well during the period – it’s important to recognize successes

    A list of areas needing improvement that includes:

    • A timeline for each item to be completed
    • The team member(s) responsible

    Purchase Goods and Services

    Phase 1 Phase 2 Phase 3 Phase 4 Phase 5 Phase 6 Phase 7

    Assess and Measure Performance

    Measure to manage: the job doesn’t end when the contract is signed.

    • Classify vendor
    • Assess vendor performance
    • Manage improvement
    • Conduct periodic vendor performance reviews or quarterly business reviews
    • Ensure contract compliance for both the vendor and your organization
    • Build knowledgebase for future
    • Re-evaluate and improve appropriately your RFP processes

    Info-Tech Insight

    To be an objective vendor manager, you should also assess and measure your company’s performance along with the vendor’s performance.

    Summary of Accomplishment

    Problem Solved

    Upon completion of this blueprint, guided implementation, or workshop, your team should have a comprehensive, well-defined end-to-end approach to performing a quality sourcing event. Leverage Info-Tech’s industry-proven tools and templates to provide your organization with an effective approach to maintain your negotiation leverage, improve the ease with which you evaluate vendor proposals, and reduce your risk while obtaining the best market value for your goods and services.

    Additionally, your team will have a foundation to execute your vendor management principles. These principles will assist your organization in ensuring you receive the perceived value from the vendor as a result of your competitive negotiations.

    If you would like additional support, have our analysts guide you through other phases as part of an Info-Tech workshop.

    Contact your account representative for more information.

    workshops@infotech.com 1-888-670-8889

    Final Thoughts: RFP Do’s and Don’ts

    DO

    • Leverage your team’s knowledge
    • Document and explain your RFP process to stakeholders and vendors
    • Include contract terms in your RFP
    • Consider vendor management requirements up front
    • Plan to measure and manage performance after contract award leveraging RFP objectives
    • Seek feedback from the RFP team for process improvements

    DON'T

    • Reveal your budget
    • Do an RFP in a vacuum
    • Send an RFP to a vendor your team is not willing to award the business to
    • Hold separate conversations with candidate vendors during your RFP process
    • Skimp on the requirements definition to speed the process
    • Tell the vendor they are selected before negotiating

    Bibliography

    “2022 RFP Response Trends & Benchmarks.” Loopio, 2022. Web.

    Corrigan, Tony. “How Much Does it Cost to Respond to an RFP?” LinkedIn, March 2017. Accessed 10 Dec. 2019

    “Death by RFP:7 Reasons Not to Respond.” Inc. Magazine, 2013. Web.

    Jeffery, Steven, George Bordon, and Phil Bode. The Art of Creating a Quality RFP, 3rd ed. Info-Tech Research Group, 2019.

    “RFP Benchmarks: How Much Time and Staff Firms Devote to Proposals.” MarketingProfs, 2020. Web.

    “State of the RFP 2019.” Bonfire, 2019. Web.

    “What Vendors Want (in RFPs).” Vendorful, 2020. Web.

    Related Info-Tech Research

    Stock photo of two people looking at a tablet. Prepare for Negotiations More Effectively
    • Negotiations are about allocating risk and money – how much risk is a party willing to accept at what price point?
    • Using a cross-functional/cross-insight team structure for negotiation preparation yields better results.
    • Soft skills aren’t enough and theatrical negotiation tactics aren’t effective.
    Stock photo of two people in suits shaking hands. Understand Common IT Contract Provisions to Negotiate More Effectively
    • Focus on the terms and conditions, not just the price. Too often, organizations focus on the price contained within their contracts, neglecting to address core terms and conditions that can end up costing multiples of the initial price.
    • Lawyers can’t ensure you get the best business deal. Lawyers tend to look at general terms and conditions for legal risk and may not understand IT-specific components and business needs.
    Stock photo of three people gathered around a computer. Jump Start Your Vendor Management Initiative
    • Vendor management must be an IT strategy. Solid vendor management is an imperative – IT organizations must develop capabilities to ensure that services are delivered by vendors according to service-level objectives and that risks are mitigated according to the organization's risk tolerance.
    • Visibility into your IT vendor community. Understand how much you spend with each vendor and rank their criticality and risk to focus on the vendors you should be concentrating on for innovative solutions.

    Develop a Plan to Pilot Enterprise Service Management

    • Buy Link or Shortcode: {j2store}279|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Service Management
    • Parent Category Link: /service-management
    • Many business groups in the organization are siloed and have disjointed services that lead to a less than ideal customer experience.
    • Service management is too often process-driven and is implemented without a holistic view of customer value.
    • Businesses get caught up in the legacy of their old systems and find it difficult to move with the evolving market.

    Our Advice

    Critical Insight

    • Customer experience is the new battleground. Parity between products is creating the need to differentiate via customer experience.
    • Don’t forget your employees! Enterprise service management (ESM) is also about delivering exceptional experiences to your employees so they can deliver exceptional services to your customers.
    • ESM is not driven by tools and processes. Rather, ESM is about pushing exceptional services to customers by pulling from organizational capabilities.

    Impact and Result

    • Understand ESM concepts and how they can improve customer service.
    • Use Info-Tech’s advice and tools to perform an assessment of your organization’s state for ESM, identify the gaps, and create an action plan to move towards an ESM pilot.
    • Increase business and customer satisfaction by delivering services more efficiently.

    Develop a Plan to Pilot Enterprise Service Management Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should move towards ESM, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Understand ESM and get buy-in

    Understand the concepts of ESM, determine the scope of the ESM program, and get buy-in.

    • Develop a Plan to Pilot Enterprise Service Management – Phase 1: Understand ESM and Get Buy-in
    • Enterprise Service Management Executive Buy-in Presentation Template
    • Enterprise Service Management General Communications Presentation Template

    2. Assess the current state for ESM

    Determine the current state for ESM and identify the gaps.

    • Develop a Plan to Pilot Enterprise Service Management – Phase 2: Assess the Current State for ESM
    • Enterprise Service Management Assessment Tool
    • Enterprise Service Management Assessment Tool Action Plan Guide
    • Enterprise Service Management Action Plan Tool

    3. Identify ESM pilot and finalize action plan

    Create customer journey maps, identify an ESM pilot, and finalize the action plan for the pilot.

    • Develop a Plan to Pilot Enterprise Service Management – Phase 3: Identify ESM Pilot and Finalize Action Plan
    • Enterprise Service Management Customer Journey Map Template
    [infographic]

    Workshop: Develop a Plan to Pilot Enterprise Service Management

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Understand ESM and Get Buy-In

    The Purpose

    Understand what ESM is and how it can improve customer service.

    Determine the scope of your ESM initiative and identify who the stakeholders are for this program.

    Key Benefits Achieved

    Understanding of ESM concepts.

    Understanding of the scope and stakeholders for your ESM initiative.

    Plan for getting buy-in for the ESM program.

    Activities

    1.1 Understand the concepts and benefits of ESM.

    1.2 Determine the scope of your ESM program.

    1.3 Identify your stakeholders.

    1.4 Develop an executive buy-in presentation.

    1.5 Develop a general communications presentation.

    Outputs

    Executive buy-in presentation

    General communications presentation

    2 Assess the Current State for ESM

    The Purpose

    Assess your current state with respect to culture, governance, skills, and tools.

    Identify your strengths and weaknesses from the ESM assessment scores.

    Key Benefits Achieved

    Understanding of your organization’s current enablers and constraints for ESM.

    Determination and analysis of data needed to identify strengths or weaknesses in culture, governance, skills, and tools.

    Activities

    2.1 Understand your organization’s mission and vision.

    2.2 Assess your organization’s culture, governance, skills, and tools.

    2.3 Identify the gaps and determine the necessary foundational action items.

    Outputs

    ESM assessment score

    Foundational action items

    3 Define Services and Create Custom Journey Maps

    The Purpose

    Define and choose the top services at the organization.

    Create customer journey maps for the chosen services.

    Key Benefits Achieved

    List of prioritized services.

    Customer journey maps for the prioritized services.

    Activities

    3.1 Make a list of your services.

    3.2 Prioritize your services.

    3.3 Build customer journey maps.

    Outputs

    List of services

    Customer journey maps

    Effectively Acquire Infrastructure Services

    • Buy Link or Shortcode: {j2store}467|cart{/j2store}
    • member rating overall impact: 9.6/10 Overall Impact
    • member rating average dollars saved: $26,627 Average $ Saved
    • member rating average days saved: 12 Average Days Saved
    • Parent Category Name: Data Center & Facilities Optimization
    • Parent Category Link: /data-center-and-facilities-optimization
    • Most organizations are good at procuring IT products, but few are truly good at acquiring infrastructure services.
    • The lack of expertise in acquiring services is problematic – not only is the acquisition process for services more complex, but it also often has high stakes with large deal sizes, long-term contracts, and high switching costs.

    Our Advice

    Critical Insight

    • Don’t treat infrastructure service acquisitions lightly. Not only are failure rates high, but the stakes are high as well.
    • Make sure your RFP strategy aligns with your deal value. Large deals, characterized by high monthly spend, high criticality to the organization, and high switching costs, warrant a more thorough and lengthy planning period and RFP process.
    • Word your RFP carefully and do your due diligence when reviewing SLAs. Make sure your RFP will help you understand what the vendor’s standard offerings are and don’t treat your service level agreements like an open negotiation. The vendor’s standard offerings will be your most reliable options.

    Impact and Result

    • Follow this blueprint to avoid common pitfalls and navigate the tricky business of acquiring infrastructure services.
    • This blueprint will provide step-by-step guidance from assessing your acquisition goals to transitioning your service. Make sure you do the due diligence required to acquire the best service for your needs.

    Effectively Acquire Infrastructure Services Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should follow the blueprint to effectively acquire infrastructure services, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Develop the procurement strategy and process

    Kick off an acquisition by establishing acquisition goals, validating the decision to acquire a service, and structuring an acquisition approach. There are several RFP approaches and strategies – evaluate the options and develop one that aligns with the nature of the acquisition.

    • Effectively Acquire Infrastructure Services – Phase 1: Develop the Procurement Strategy and Process

    2. Assess requirements and build the RFP

    A solid RFP is critical to the success of this project. Assess the current and future requirements, examine the characteristics of an effective RFP, and develop an RFP.

    • Effectively Acquire Infrastructure Services – Phase 2: Assess Requirements and Build the RFP
    • Infrastructure Service RFP Template

    3. Manage vendor questions and select the vendor

    Manage the activities surrounding vendor questions and score the RFP responses to select the best-fit solution.

    • Effectively Acquire Infrastructure Services – Phase 3: Manage Vendor Questions and Select the Vendor
    • Vendor Question Organizer Template
    • Infrastructure Outsourcing RFP Scoring Tool

    4. Manage the contract, transition, and vendor

    Perform due diligence in reviewing the SLAs and contract before signing. Plan to transition the service into the environment and manage the vendor on an ongoing basis for a successful partnership.

    • Effectively Acquire Infrastructure Services – Phase 4: Manage the Contract, Transition, and Vendor
    • Service Acquisition Planning and Tracking Tool
    • Vendor Management Template
    [infographic]

    Workshop: Effectively Acquire Infrastructure Services

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Develop the Procurement Strategy and Process

    The Purpose

    Establish procurement goals and success metrics.

    Develop a projected acquisition timeline.

    Establish the RFP approach and strategy.

    Key Benefits Achieved

    Defined acquisition approach and timeline.

    Activities

    1.1 Establish your acquisition goals.

    1.2 Establish your success metrics.

    1.3 Develop a projected acquisition timeline.

    1.4 Establish your RFP process and refine your RFP timeline.

    Outputs

    Acquisition goals

    Success metrics

    Acquisition timeline

    RFP strategy and approach

    2 Gather Service Requirements

    The Purpose

    Gather requirements for services to build into the RFP.

    Key Benefits Achieved

    Gathered requirements.

    Activities

    2.1 Assess the current state.

    2.2 Evaluate service requirements and targets.

    2.3 Assess the gap and validate the service acquisition.

    2.4 Define requirements to input into the RFP.

    Outputs

    Current State Assessment

    Service requirements

    Validation of services being acquired and key processes that may need to change

    Requirements to input into the RFP

    3 Develop the RFP

    The Purpose

    Build the RFP.

    Key Benefits Achieved

    RFP development.

    Activities

    3.1 Build the RFP requirement section.

    3.2 Develop the rest of the RFP.

    Outputs

    Service requirements input into the RFP

    Completed RFP

    4 Review RFP Responses and Select a Vendor (Off-Site)

    The Purpose

    Review RFP responses to select the best solution for the acquisition.

    Key Benefits Achieved

    Vendor selected.

    Activities

    4.1 Manage vendor questions regarding the RFP.

    4.2 Review RFP responses and shortlist the vendors.

    4.3 Conduct additional due diligence on the vendors.

    4.4 Select a vendor.

    Outputs

    Managed RFP activities

    Imperceptive scoring of RFP responses and ranking of vendors

    Additional due diligence and further questions for the vendor

    Selected vendor

    Make Prudent Decisions When Increasing Your Salesforce Footprint

    • Buy Link or Shortcode: {j2store}134|cart{/j2store}
    • member rating overall impact: 8.9/10 Overall Impact
    • member rating average dollars saved: $55,224 Average $ Saved
    • member rating average days saved: 4 Average Days Saved
    • Parent Category Name: Licensing
    • Parent Category Link: /licensing
    • Too often, organizations fail to achieve economy of scale. They neglect to negotiate price holds, do not negotiate deeper discounts as volume increases, or do not realize there are already existing contracts within the organization.
    • Understand what to negotiate. Organizations do not know what can and cannot be negotiated, which means value gets left on the table.
    • Integrations with other applications must be addressed from the outset. Many users buy the platform only to realize later on that the functionality they wanted does not exist and may be an extra expense with customization.

    Our Advice

    Critical Insight

    • Buying power dissipates when you sign the contract. Get the right product for the right number of users for the right term and get it right the first time.
    • Getting the best price does not assure a great total cost of ownership or ROI. There are many components as part of the purchasing process that if unaccounted for can lead to dramatic and unbudgeted spend.
    • Avoid buyer’s remorse through due diligence before signing the deal. If you need to customize the software or extend it with a third-party add-in, identify your costs and timelines upfront. Plan for successful adoption.

    Impact and Result

    • Centralize purchasing instead of enabling small deals to maximize discount levels by creating a process to derive a cost-effective methodology when subscribing to Sales Cloud, Service Cloud, and Force.com.
    • Educate your organization on Salesforce’s licensing methods and contract types, enabling informed purchasing decisions. Critical components of every agreement that need to be negotiated are a renewal escalation cap, term protection, and license metrics to document what comes with each. Re-bundling protection is also critical in case a product is no longer desired.
    • Proactively addressing integrations and business requirements will enable project success and enable the regular upgrades the come with a multi-tenant cloud services SaaS solution.

    Make Prudent Decisions When Increasing Your Salesforce Footprint Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you need to understand and document your Salesforce licensing strategy, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Establish software requirements

    Begin your journey by understanding whether Salesforce is the right CRM. Also proactively approach Salesforce licensing by understanding which information to gather and assessing the current state and gaps.

    • Make Prudent Decisions When Increasing Your Salesforce Footprint – Phase 1: Establish Software Requirements
    • Salesforce Licensing Purchase Reference Guide
    • RASCI Chart

    2. Evaluate licensing options

    Review current products and licensing models to determine which licensing models will most appropriately fit the organization's environment.

    • Make Prudent Decisions When Increasing Your Salesforce Footprint – Phase 2: Evaluate Licensing Options
    • Salesforce TCO Calculator
    • Salesforce Discount Calculator

    3. Evaluate agreement options

    Review Salesforce’s contract types and assess which best fits the organization’s licensing needs.

    • Make Prudent Decisions When Increasing Your Salesforce Footprint – Phase 3: Evaluate Agreement Options
    • Salesforce Terms and Conditions Evaluation Tool

    4. Purchase and manage licenses

    Conduct negotiations, purchase licensing, finalize a licensing management strategy, and enhance your CRM with a Salesforce partner.

    • Make Prudent Decisions When Increasing Your Salesforce Footprint – Phase 4: Purchase and Manage Licenses
    • Controlled Vendor Communications Letter
    • Vendor Communication Management Plan
    [infographic]

    Workshop: Make Prudent Decisions When Increasing Your Salesforce Footprint

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Establish Software Requirements

    The Purpose

    Assess current state and align goals; review business feedback.

    Interview key stakeholders to define business objectives and drivers.

    Key Benefits Achieved

    Have a baseline for whether Salesforce is the right solution.

    Understand Salesforce as a solution.

    Examine all CRM options.

    Activities

    1.1 Perform requirements gathering to review Salesforce as a potential solution.

    1.2 Gather your documentation before buying or renewing.

    1.3 Confirm or create your Salesforce licensing team.

    1.4 Meet with stakeholders to discuss the licensing options and budget allocation.

    Outputs

    Copy of your Salesforce Master Subscription Agreement

    RASCI Chart

    Salesforce Licensing Purchase Reference Guide

    2 Evaluate Licensing Options

    The Purpose

    Review product editions and licensing options.

    Review add-ons and licensing rules.

    Key Benefits Achieved

    Understand how licensing works.

    Discuss licensing rules and their application to your current environment.

    Determine the product and license mix that is best for your requirements.

    Activities

    2.1 Determine the editions, licenses, and add-ons for your Salesforce CRM solution.

    2.2 Calculate total cost of ownership.

    2.3 Use the Salesforce Discount Calculator to ensure you are getting the discount you deserve.

    2.4 Meet with stakeholders to discuss the licensing options and budget allocation.

    Outputs

    Salesforce CRM Solution

    Salesforce TCO Calculator

    Salesforce Discount Calculator

    Salesforce Licensing Purchase Reference Guide

    3 Evaluate Agreement Options

    The Purpose

    Review terms and conditions of Salesforce contracts.

    Review vendors.

    Key Benefits Achieved

    Determine if MSA or term agreement is best.

    Learn what specific terms to negotiate.

    Activities

    3.1 Perform a T&Cs review and identify key “deal breakers.”

    3.2 Decide on an agreement that nets the maximum benefit.

    Outputs

    Salesforce T&Cs Evaluation Tool

    Salesforce Licensing Purchase Reference Guide

    4 Purchase and Manage Licenses

    The Purpose

    Finalize the contract.

    Discuss negotiation points.

    Discuss license management and future roadmap.

    Discuss Salesforce partner and implementation strategy.

    Key Benefits Achieved

    Discuss negotiation strategies.

    Learn about licensing management best practices.

    Review Salesforce partner options.

    Create an implementation plan.

    Activities

    4.1 Know the what, when, and who to negotiate.

    4.2 Control the flow of communication.

    4.3 Assign the right people to manage the environment.

    4.4 Discuss Salesforce partner options.

    4.5 Discuss implementation strategy.

    4.6 Meet with stakeholders to discuss licensing options and budget allocation.

    Outputs

    Salesforce Negotiation Strategy

    Vendor Communication Management Plan

    RASCI Chart

    Info-Tech’s Core CRM Project Plan

    Salesforce Licensing Purchase Reference Guide

    Enter Into Mobile Development Without Confusion and Frustration

    • Buy Link or Shortcode: {j2store}282|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Mobile Development
    • Parent Category Link: /mobile-development
    • IT managers don’t know where to start when initiating a mobile program.
    • IT has tried mobile development in the past but didn't achieve success.
    • IT must initiate a mobile program quickly based on business priorities and needs a roadmap based on best practices.

    Our Advice

    Critical Insight

    • Form factors and mobile devices won't drive success – business alignment and user experience will. Don't get caught up with the latest features in mobile devices.
    • Software emulation testing is not true testing. Get on the device and run your tests.
    • Cross form-factor testing cannot be optimized to run in parallel. Therefore, anticipate longer testing cycles for cross form-factor testing.

    Impact and Result

    • Prepare your development, testing, and deployment teams for mobile development.
    • Get a realistic assessment of ROI for the launch of a mobile program.

    Enter Into Mobile Development Without Confusion and Frustration Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Make the Case for a Mobile Program

    Understand the current mobile ecosystem. Use this toolkit to help you initiate a mobile development program.

    • Storyboard: Enter Into Mobile Development Without Confusion and Frustration

    2. Assess Your Dev Process for Readiness

    Review and evaluate your current application development process.

    3. Prepare to Execute Your Mobile Program

    Prioritize your mobile program based on your organization’s prioritization profile.

    • Mobile Program Tool

    4. Communicate with Stakeholders

    Summarize the execution of the mobile program.

    • Project Status Communication Worksheet
    [infographic]

    Workshop: Enter Into Mobile Development Without Confusion and Frustration

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Build your Future Mobile Development State

    The Purpose

    Understand the alignment of stakeholder objectives and priorities to mobile dev IT drivers.

    Assess readiness of your organization for mobile dev.

    Understand how to build your ideal mobile dev process.

    Key Benefits Achieved

    Identify and address the gaps in your existing app dev process.

    Build your future mobile dev state.

    Activities

    1.1 Getting started

    1.2 Assess your current state

    1.3 Establish your future state

    Outputs

    List of key stakeholders

    Stakeholder and IT driver mapping and assessment of current app dev process

    List of practices to accommodate mobile dev

    2 Prepare and Execute your Mobile Program

    The Purpose

    Assess the impact of mobile dev on your existing app dev process.

    Prioritize your mobile program.

    Understand the dev practice metrics to gauge success.

    Key Benefits Achieved

    Properly prepare for the execution of your mobile program.

    Calculate the ROI of your mobile program.

    Prioritize your mobile program with dependencies in mind.

    Build a communication plan with stakeholders.

    Activities

    2.1 Conduct an impact analysis

    2.2 Prepare to execute

    2.3 Communicate with stakeholders

    Outputs

    Impact analysis of your mobile program and expected ROI

    Mobile program order of execution and project dependencies mapping

    List of dev practice metrics

    The ESG Imperative and Its Impact on Organizations

    • Buy Link or Shortcode: {j2store}196|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: IT Governance, Risk & Compliance
    • Parent Category Link: /it-governance-risk-and-compliance
    • Global regulatory climate disclosure requirements are still evolving and are not consistent.
    • Sustainability is becoming a corporate imperative, but IT’s role is not fully clear.
    • The environmental, social, and governance (ESG) data challenge is large and continually expanding in scope.
    • Collecting the necessary data and managing ethical issues across supply chains is a daunting task.
    • Communicating long-term value is difficult when customer and employee expectations are shifting.

    Our Advice

    Critical Insight

    • An organization's approach to ESG cannot be static or tactical. It is a moving landscape that requires a flexible, holistic approach across the organization. Cross-functional coordination is essential in order to be ready to respond to changing conditions.
    • Even though the ESG data requirements are large and continually expanding in scope, many organizations have well-established data frameworks and governance practices in place to meet regulatory obligations such as Sarbanes–Oxley that should used as a starting point.

    Impact and Result

    • Organizations will have greater success if they focus their ESG program efforts on the ESG factors that will have a material impact on their company performance and their key stakeholders.
    • Continually evaluating the evolving ESG landscape and its impact on key stakeholders will enable organizations to react quickly to changing conditions.
    • A successful ESG program requires a collaborative and integrated approach across key business stakeholders.
    • Delivering high-quality metrics and performance indicators requires a flexible and digital data approach, where possible, to enable data interoperability.

    The ESG Imperative and Its Impact on Organizations Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. The ESG Imperative and Its Impact on Organizations Deck – Learn why sustainability is becoming a key measurement of corporate performance and how to set your organization up for success.

    Understand the foundational components and drivers of the broader concept of sustainability: environmental, social, and governance (ESG) and IT’s roles within an organization’s ESG program. Learn about the functional business areas involved, the roles they play and how they interact with each other to drive program success.

    • The ESG Imperative and Its Impact on Organizations Storyboard

    Infographic

    Further reading

    The ESG Imperative and Its Impact on Organizations

    Design to enable an active response to changing conditions.

    Analyst Perspective

    Environmental, social, and governance (ESG) is a corporate imperative that is tied to long-term value creation. An organization's social license to operate and future corporate performance depends on managing ESG factors well.

    Central to an ESG program is having a good understanding of the ESG factors that may have a material impact on enterprise value and key internal and external stakeholders. A comprehensive ESG strategy supported by strong governance and risk management is also essential to success.

    Capturing relevant data and applying it within risk models, metrics, and internal and external reports is necessary for sharing your ESG story and measuring your progress toward meeting ESG commitments. Consequently, the data challenges have received a lot of attention, and IT leaders have a role to play as strategic partner and enabler to help address these challenges. However, ESG is more than a data challenge, and IT leaders need to consider the wider implications in managing third parties, selecting tools, developing supporting IT architecture, and ensuring ethical design.

    For many organizations, the ESG program journey has just begun, and collaboration between IT and risk, procurement, and compliance will be critical in shaping program success.

    This is a picture of Donna Bales, Principal Research Director, Info-Tech Research Group

    Donna Bales
    Principal Research Director
    Info-Tech Research Group

    Executive Summary

    Your Challenge

    • Global regulatory climate disclosure requirements are still evolving and are not consistent.
    • Sustainability is becoming a corporate imperative, but IT's role is not fully clear.
    • The ESG data challenge is large and continually expanding in scope.
    • Collecting the necessary data and managing ethical issues across supply chains is a daunting task.
    • Communicating long-term value is difficult when customer and employee expectations are shifting.

    Common Obstacles

    • The data necessary for data-driven insights and accurate disclosure is often hampered by inaccurate and incomplete primary data.
    • Other challenges include:
      • Approaching ESG holistically and embedding it into existing governance, risk, and IT capabilities.
      • Building knowledge and adapting culture throughout all levels of the organization.
      • Monitoring stakeholder sentiment and keeping strategy aligned to expectations.

    Info-Tech's Approach

    • Use this blueprint to educate yourself on ESG factors and the broader concept of sustainability.
    • Learn about Info-Tech's ESG program approach and use it as a framework to begin your ESG program journey.
    • Identify changes that may be needed in your organizational operating model, strategy, governance, and risk management approach.
    • Discover areas of IT that may need to be prioritized and resourced.

    Info-Tech Insight

    An organization's approach to ESG cannot be static or tactical. ESG is a moving landscape that requires a flexible, holistic approach across the organization. It must become part of the way you work and enable an active response to changing conditions.

    This is an image of Info-Tech's thoughtmap for eight steps of the ESG Program Journey

    Putting ESG in context

    ESG has moved beyond the tipping point to corporate table stakes

    • In recent years, ESG issues have moved from voluntary initiatives driven by corporate responsibility teams to an enterprise-wide strategic imperative.
    • Organizations are no longer being measured by financial performance but by how they contribute to a sustainable and equitable future, such as how they support sustainable innovation through their business models and their focus on collaboration and inclusion.
    • A corporation's efforts toward sustainability is measured by three components: environmental, social, and governance.

    Sustainability

    The ability of a corporation and broader society to endure and survive over the long term by managing adverse impacts well and promoting positive opportunities.

    This is an image of the United Nation's 17 sustainable goals.

    Source: United Nations

    Putting "E," "S," and "G" in context

    Corporate sustainability depends on managing ESG factors well

    • Environmental, social, and governance are the component pieces of a sustainability framework that is used to understand and measure how an organization impacts or is affected by society as a whole.
    • Human activities, particularly fossil fuel burning since the mid twentieth century, have increased greenhouse gas concentration, resulting in observable changes to the atmosphere, ocean, cryosphere, and biosphere.
    • The E in ESG relates to the positive and negative impacts an organization may have on the environment, such as the energy it takes in and the waste it discharges.
    • The S in ESG is the most ambiguous component in the framework, as social impact relates not only to risks but also prosocial behaviour. It's the most difficult to measure but can have significant financial and reputational impact on corporations if material and poorly managed.
    • The G in ESG is foundational to the realization of S and E. It encompasses how well an organization integrates these considerations into the business and how well the organization engages with key stakeholders, receives feedback, and is transparent with its intentions.

    Common examples of ESG issues include: Environmental: Climate change, greenhouse gas emissions (CHG), deforestation, biodiversity, pollution, water, waste, extended producer responsibility, etc. Social: Customer relations, employee relations, labor, human rights, occupational health and safety, community relations, supply chains, etc. Governance: Board management practices, succession planning, compensation, diversity, equity and inclusion, regulatory compliance, corruption, fraud, data hygiene and security, etc. Source: Getting started with ESG - Sustainalytics

    Understanding the drivers behind ESG

    $30 trillion is expected to be transferred from the baby boomers to Generation Z and millennials over the next decade
    – Accenture

    Drivers

    • The rapid rise of ESG investing
    • The visibility of climate change is driving governments, society, and corporations to act and to initiate and support net zero goals.
    • A younger demographic that has strong convictions and financial influence
    • A growing trend toward mandatory climate and diversity, equity, and inclusion (DEI) disclosures required by global regulators
    • Recent emphasis by regulators on board accountability and fiduciary duty
    • Greater societal awareness of social issues and sustainability
    • A new generation of corporate leadership that is focused on sustainable innovation

    The evolving regulatory landscape

    Global regulators are mobilizing toward mandatory regulatory climate disclosure

    Canada

    • Canadian Securities Administrators (CSA) NI 51-107 Disclosure of Climate-related Matters

    Europe

    • European Commission, Sustainable Finance Disclosure Regulation (SFDR)
    • European Commission, EU Supply Chain Act
    • Germany – The German Supply Chain Act (GSCA)
    • Financial Conduct Authority UK, Proposal (DP 21/4) Sustainability Disclosure Requirements and investment labels
    • UK Modern Slavery Act, 2015

    United States

    • Securities and Exchange Commission (SEC) 33-11042– The Enhancement and Standardization of Climate-Related Disclosures for Investors
    • SEC 33-11038 Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure
    • Nasdaq Board Diversity Rule (5605(f))

    New Zealand

    • New Zealand, The Financial Sector (Climate-related Disclosures and Other Matters) Amendment Act 2021

    Begin by setting your purpose

    Consider your role as a corporation in society and your impact on key stakeholders

    • The impact of a corporation can no longer be solely measured by financial impact but also its impact on social good. Corporations have become real-world actors that impact and are affected by the environment, people, and society.
    • An ESG program should start with defining your organization's purpose in terms of corporate responsibility, the role it will play, and how it will endure over time through managing adverse impacts and promoting positive impacts.
    • Corporations should look inward and outward to assess the material impact of ESG factors on their organization and key internal and external stakeholders.
    • Once stakeholders are identified, consider how the ESG factors might be perceived by delving into what matters to stakeholders and what drives their behavior.

    Understanding your stakeholder landscape is essential to achieving ESG goals

    Internal Stakeholders: Board; Management; Employees. External Stakeholders: Activists; Regulators; Customers; Lenders; Government; Investors; Stakeholders; Community; Suppliers

    Assess ESG impact

    Materiality assessments help to prioritize your ESG strategy and enable effective reporting

    • The concept of materiality as it relates to ESG is the process of gaining different perspectives on ESG issues and risks that may have significant impact (both positive and negative) on or relevance to company performance.
    • The objective of a materiality assessment is to identify material ESG issues most critical to your organization by looking a broad range of social and environmental factors. Its purpose is to narrow strategic focus and enable an organization to assess the impact of financial and non-financial risks aggregately.
    • It helps to make the case for ESG action and strategy, assess financial impact, get ahead of long-term risks, and inform communication strategies.
    • Organizations can leverage assessment tools from Sustainalytics or SASB Standards to help assess ESG risks or use guidance or benchmarking information from industry associations.

    Info-Tech Insight

    Survey key stakeholders to obtain a more holistic viewpoint of expectations and the industry landscape and gain credibility through the process.

    Use a materiality matrix to understand ESG exposure

    This is an image of a materiality matrix used to understand ESG exposure.

    Example: Beverage Company

    Follow a holistic approach

    To deliver on your purpose, sustainability must be integrated throughout the organization

    • An ESG program cannot be implemented in a silo. It must be anchored on its purpose and supported by a strong governance structure that is intertwined with other functional areas.
    • Effective governance is essential to instill trust, support sound decision making, and manage ESG.
    • Governance extends beyond shareholder rights to include many other factors, such as companies' interactions with competitors, suppliers, and governments. More transparency is sought on:
      • Corporate behavior, executive pay, and oversight of controls.
      • Board diversity, compensation, and skill set.
      • Oversight of risk management, particularly risks related to fraud, product, data, and cybersecurity

    "If ESG is the framework of non-financial risks that may have a material impact on the company's stakeholders, corporate governance is the process by which the company's directors and officers manage those risks."
    – Zurich Insurance

    A pyramid is depicted. The top of the pyramid is labeled Continual Improvement, and the following terms are inside this box. Governance: Strategy; Risk Management; Metrics & Targets. At the bottom of the pyramid is a box with right facing arrows, labeled Transparency and Disclosure. This is Informed by the TCFD Framework

    Governance and organization approach

    There is no one-size-fits-all approach

    47% of companies reported that the full board most commonly oversees climate related risks and opportunities while 20% delegate to an existing board governance committee (EY Research, 2021).

    • The organizational approach to ESG will differ across industry segments and corporations depending on material risks and their upstream and downstream value change. However, the accountability for ESG sits squarely at the CEO and board level.
    • Some organizations have taken the approach of hiring a Chief Sustainability Officer to work alongside the CEO on execution of ESG goals and stakeholder communication, while others use other members of the strategic leadership to drive the desired outcomes.
    Governance Layer Responsibilities
    Board
    • Overall accountability lies with the full board. Some responsibilities may be delegated to newly formed dedicated ESG governance committee.
    Oversight
    Executive leadership
    • Accountable for sustainability program success and will work with CEO to set ESG purpose and goals.
    Oversight and strategic direction
    Management
    • Senior management drives execution; sometimes led by a cross-functional committee.
    Execution

    Strategy alignment

    "74% of finance leaders say that investors increasingly use nonfinancial information in their decision-making."

    – "Aligning nonfinancial reporting..." EY, 2020

    • Like any journey, the ESG journey requires knowing where you are starting from and where you are heading to.
    • Once your purpose is crystalized, identify and surface gaps between where you want to go as an organization (your purpose and goals) and what you need to deliver as an organization to meet the expectations of your internal and external stakeholders (your output).
    • Using the results of the materiality assessment, weigh the risk, opportunities, and financial impact to help prioritize and determine vulnerabilities and where you might excel.
    • Finally, evaluate and make changes to areas of your business that need development to be successful (culture, accountability and board structure, ethics committee, etc.)

    Gap analysis example for delivering reporting requirements

    Organizational Goals

    • Regulatory Disclosure
      • Climate
      • DEI
      • Cyber governance
    • Performance Tracking/Annual Reporting
      • Corporate transparency on ESG performance via social, annual circular
    • Evidence-Based Business Reporting
      • Risk
      • Board
      • Suppliers

    Risk-size your ESG goals

    When integrating ESG risks, stick with a proven approach

    • Managing ESG risks is central to making sound organizational decisions regarding sustainability but also to anticipating future risks.
    • Like any new risk type, ESG risk should be interwoven into your current risk management and control framework via a risk-based approach.
    • Yet ESG presents some new risk challenges, and some risk areas may need new control processes or enhancements.
    NET NEW ENHANCEMENT
    Climate disclosure Data quality management
    Assurance specific to ESG reporting Risk sensing and assessment
    Supply chain transparency tied back to ESG Managing interconnections
    Scenario analysis
    Third-party ratings and monitoring

    Info-Tech Insight

    Integrate ESG risks early, embrace uncertainty by staying flexible, and strive for continual improvement.

    A funnel chart is depicted. The inputs to the funnel are: Strategy - Derive ESG risks from strategy, and Enterprise Risk Appetite. Inside the funnel, are the following terms: ESG; Data; Cyber. The output of the funnel is: Evidence based reporting ESG Insights & Performance metrics

    Managing supplier risks

    Suppliers are a critical input into an organization's ESG footprint

    "The typical consumer company's supply chain ... [accounts] for more than 80% of greenhouse-gas emissions and more than 90% of the impact on air, land, water, biodiversity, and geological resources."
    – McKinsey & Company, 2016

    • Although companies are accustomed to managing third parties via procurement processes, voluntary due-diligence, and contractual provisions, COVID-19 surfaced fragility across global supply chains.
    • The mismanagement of upstream and downstream risks of supply chains can harm the reputation, operations, and financial performance of businesses.
    • To build resiliency to and visibility of supply chain risk, organizations need to adapt current risk management programs, procurement practices, and risk assessment tools and techniques.
    • Procurement departments have an enhanced function, effectively acting as gatekeepers by performing due diligence, evaluating performance, and strengthening the supplier relationship through continual feedback and dialogue.
    • Technologies such as blockchain and IoT are starting to play a more dominant role in supply chain transparency.

    Raw materials are upstream and consumers are downstream.

    "Forty-five percent of survey respondents say that they either have no visibility into their upstream supply chain or that they can see only as far as their first-tier suppliers."
    – "Taking the pulse of shifting supply chains," McKinsey & Company, 2022

    Metrics and targets

    Metrics are key to stakeholder transparency, measuring performance against goals, and surfacing organizational blind spots

    • ESG metrics are qualitative or quantitative insights that measure organizations' performance against ESG goals. Along with traditional business metrics, they assist investors with assessing the long-term performance of companies based on non-financial ESG risks and opportunities.
    • Metrics, key performance indicators (KPIs), and key risk indicators (KRIs) are used to measure how ESG factors affect an organization and how an organization may impact any of the underlying issues related to each ESG factor.
    • There are several reporting standards that offer specific ESG performance metrics, such as the Global Reporting Institute (GRI), Sustainability Accounting Standards Board (SASB), and World Economic Forum (WEF).
    • For climate-related disclosures, global regulators are converging on the Task Force for Climate-related Disclosures (TCFD) and the International Sustainability Standards Board (ISSB).

    Example metrics for ESG factors

    Example metrics for environment include greenhouse gas emissions, water footprint, renewable energy share, and % of recycled material. Example social metrics include rates of injury, proportion of spend on local supplies, and percentage of gender or ethnic groups in management roles. Example governance metrics include annual CEO compensation compared to median, number of PII data breaches, and completed number of supplier assessments.

    The impact of ESG on IT

    IT plays a critical role in achieving ESG goals

    • IT groups have a critical role to play in helping organizations develop strategic plans to meet ESG goals, measure performance, monitor risks, and deliver on disclosure requirements.
    • IT's involvement extends from the CIO providing input at a strategic level to leading the charge within IT to instill new goals and adapt the culture toward one focused on sustainability.
    • To set the tone, CIOs should begin by updating their IT governance structure and setting ESG goals for IT.
    • IT leaders will need to think about resource use and efficiency and incorporate this into their IT strategy.

    Info-Tech Insight

    IT leaders need to work collaboratively with risk management to optimize decision making and continually improve ESG performance and disclosure.

    "A great strategy meeting is a meeting of the minds."
    – Max McKeown

    The data challenge

    The ESG data requirement is large and continually expanding in scope

    • To meet ESG objectives, corporations are challenged with collecting non-financial data from across functional business and geographical locations and from their supplier base and supply chains.
    • One of the biggest impediments to ESG implementation is the lack of high-quality data and of mature processes and tools to support data collection.
    • The data challenge is compounded by the availability and usability of data, immature and fragmented standards that hinder comparability, and workflow integration.

    Info-Tech Insight

    Keep your data model flexible and digital where possible to enable data interoperability.

    A flow chart is depicted. the top box is labeled ESG Program. Below that are Boxes labeled Tactical and Strategic. Below the Tactical Box, is a large X showing a lack of connection to the following points: Duplicative; Inefficient/Costly. Below the box labeled Strategic are the following terms: Data-Driven; Reusable; Digital.

    "You can have data without information, but you cannot have information without data."
    – Daniel Keys Moran

    It's more than a data challenge

    Organizations will rely on IT for execution, and IT leaders will need to be ready

    Data Management: Aggregated Reporting; Supplier Management; Cyber Management; Operational Management; Ethical Design(AI, Blockchain); IT Architecture; Resource Efficiency; Processing & Tooling; Supplier Assessment.

    Top impacts on IT departments

    1. ESG requires corporations to keep track of ESG-related risks of third parties. This will mean more robust assessments and monitoring.
    2. Many areas of ESG are new and will require new processes and tools.
    3. The SEC has upped the ante recently, requiring more rigorous accountability and reporting on cyber incidents.
    4. New IT systems and architecture may be needed to support ESG programs.
    5. Current reporting frameworks may need updating as regulators move to digital.
    6. Ethical design will need to be considered when AI is used to support risk/data management and when it is used as part of product solutions.

    Key takeaways

    • It's critical for organizations to look inward and outward to assess the material impact of ESG factors on their organization and key internal and external stakeholders.
    • ESG requires a flexible, holistic approach across the organization. It must become part of the way you work and enable an active response to changing conditions.
    • ESG introduces new risks that should not be viewed in isolation but interwoven into your current risk management and control framework via a risk-based approach.
    • Identify and integrate risks early, embrace uncertainty by staying flexible, and strive for continual improvement.
    • Metrics are key to telling your ESG story. Place the appropriate importance on the information that will be reported.
    • Recognize that the data challenge is complex and evolving and design your data model to be flexible, interoperable, and digital.
    • IT's role is far reaching, and IT will have a critical part in managing third parties, selecting tools, developing supporting IT architecture, and using ethical design.

    Definitions

    TERM DEFINITON
    Corporate Social Responsibility Management concept whereby organizations integrate social and environmental concerns in their operations and interactions with their stakeholders.
    Chief Sustainability Officer Steers sustainability commitments, helps with compliance, and helps ensure internal commitments are met. Responsibilities may extend to acting as a liaison with government and public affairs, fostering an internal culture, acting as a change agent, and leading delivery.
    ESG An acronym that stands for environment, social, and governance. These are the three components of a sustainability program.
    ESG Standard Contains detailed disclosure criteria including performance measures or metrics. Standards provide clear, consistent criteria and specifications for reporting. Typically created through consultation process.
    ESG Framework A broad contextual model for information that provides guidance and shapes the understanding of a certain topic. It sets direction but does not typically delve into the methodology. Frameworks are often used in conjunction with standards.
    ESG Factors The factors or issues that fall under the three ESG components. Measures the sustainability performance of an organization.
    ESG Rating An aggregated score based on the magnitude of an organization's unmanaged ESG risk. Ratings are provided by third-party rating agencies and are increasingly being used for financing, transparency to investors, etc.
    ESG Questionnaire ESG surveys or questionnaires are administered by third parties and used to assess an organization's sustainability performance. Participation is voluntary.
    Key Risk Indicator (KRI) A measure to indicate the potential presence, level, or trend of a risk.
    Key Performance Indicator (KPI) A measure of deviation from expected outcomes to help a firm see how it is performing.
    Materiality Material topics are topics that have a direct or indirect impact on an organization's ability to create, preserve, or erode economic, environment and social impact for itself and its stakeholder and society as a whole
    Materiality Assessment A materiality assessment is a tool to identify and prioritize the ESG issues most critical to the organization.
    Risk Sensing The range of activities carried out to identify and understand evolving sources of risk that could have a significant impact on the organization (e.g. social listening).
    Sustainability The ability of an organization and broader society to endure and survive over the long term by managing adverse impacts well and promoting positive opportunities.
    Sustainalytics Now part of Morningstar. Sustainalytics provides ESG research, ratings, and data to institutional investors and companies.
    UN Guiding Principles on Business and Human Rights (UNGPs) UN Guiding Principles on Business and Human Rights (UNGPs) provide an essential methodological foundation for how impacts across all dimensions should be assessed.

    Reporting & standard frameworks

    STANDARD DEFINITION AND FOCUS
    CDP CDP has created standards and metrics for comparing sustainability impact. Focuses on environmental data (e.g. carbon, water, and forests) and on data disclosure and benchmarking.
    (Formally Carbon Disclosure Project) Audience: All stakeholders
    Dow Jones Sustainability Indices (DJSI) Heavy on corporate governance and company performance. Equal balance of economic, environmental, and social.
    Audience: All stakeholders
    Global Reporting Initiative (GRI) International standards organization that has a set of standards to help organizations understand and communicate their impacts on climate change and social responsibility. The standard has a strong emphasis on transparency and materiality, especially on social issues.
    Audience: All stakeholders
    International Sustainability Standards Board (ISSB) Standard-setting board that sits within the International Financial Reporting Standards (IFRS) Foundation. The IFRS Foundation is a not-for-profit, public-interest organization established to develop high-quality, understandable, enforceable, and globally accepted accounting and sustainability disclosure standards.
    Audience: Investor-focused
    United Nations Sustainable Development Goals (UNSDG) Global partnership across sectors and industries to achieve sustainable development for all (17 Global Goals)
    Audience: All stakeholders
    Sustainability Accounting Standards Board (SASB) Industry-specific standards to help corporations select topics that may impact their financial performance. Focus on material impacts on financial condition or operating performance.
    Audience: Investor-focused
    Task Force Of Climate-related Disclosures (TCFD; created by the Financial Stability Board) Standards framework focused on the impact of climate risk on financial and operating performance. More broadly the disclosures inform investors of positive and negative measures taken to build climate resilience and make transparent the exposure to climate-related risk.
    Audience: Investors, financial stakeholders

    Bibliography

    Anne-Titia Bove and Steven Swartz, McKinsey, "Starting at the source: Sustainability in supply chains", 11 November 2016

    Accenture, "The Greater Wealth Transfer – Capitalizing on the intergenerational shift in wealth", 2012

    Beth Kaplan, Deloitte, "Preparing for the ESG Landscape, Readiness and reporting ESG strategies through controllership playbook", 15 February 2022

    Bjorn Nilsson et al, McKinsey & Company, "Financial institutions and nonfinancial risk: How corporates build resilience," 28 February 2022

    Bolden, Kyle, Ernst and Young, "Aligning nonfinancial reporting with your ESG strategy to communicate long-term value", 18 Dec. 2020

    Canadian Securities Administrators, "Canadian securities regulators seek comment on climate-related disclosure requirements", 18 October 2021

    Carol A. Adams et al., Global Risk Institute, "The double-materiality concept, Application and issues", May 2021

    Dunstan Allison-Hope et al, BSR, "Impact-Based Materiality, Why Companies Should-Focus Their Assessments on Impacts Rather than Perception", 3 February 2022

    EcoVadis, "The World's Most Trusted Business Sustainability Ratings",

    Ernst and Young, "Four opportunities for enhancing ESG oversight", 29 June 2021

    Federal Ministry of Labour and Social Affairs, The Act on Corporate Due Diligence Obligations in Supply Chains (Gesetz über die unternehmerischen Sorgfaltspflichten in Lieferketten)", Published into Federal Law Gazette, 22, July 2021

    "What Every Company Needs to Know", Sustainalytics

    Global Risk Institute, The GRI Perspective, "The materiality madness: why definitions matter", 22 February 2022

    John P Angkaw "Applying ERM to ESG Risk Management", 1 August 2022

    Hillary Flynn et al., Wellington Management, "A guide to ESG materiality assessments", June 2022

    Katie Kummer and Kyle Lawless, Ernst and Young, "Five priorities to build trust in ESG", 14 July 2022

    Knut Alicke et al., McKinsey & Company, "Taking the pulse of shifting supply chains", 26 August 2022

    Kosmas Papadopoulos and Rodolfo Arauj. The Harvard School Forum on Corporate Governance, "The Seven Sins of ESG Management", 23 September 2020

    KPMG, Sustainable Insight, "The essentials of materiality assessment", 2014

    Lorraine Waters, The Stack, "ESG is not an environmental issue, it's a data one", 20 May 2021

    Marcel Meyer, Deloitte, "What is TCFD and why does it matter? Understanding the various layers and implications of the recommendations",

    Michael W Peregnne et al., "The Harvard Law School Forum on Corporate Governance, The Important Legacy of the Sarbanes Oxley Act," 30 August 2022

    Michael Posner, Forbes, "Business and Human Rights: Looking Ahead To The Challenges Of 2022", 15 December 2021

    Myles Corson and Tony Kilmas, Ernst and Young, "How the CFO can balance competing demands and drive future growth", 3 November 2020

    Novisto, "Navigating Climate Data Disclosure", 2022

    Novisto, "XBRL is coming to corporate sustainability reporting", 17 April 2022

    "Official Journal of the European Union, Regulation (EU) 2019/2088 of the European Parliament and of the Council of 27 November 2019 on sustainability-related disclosures in the financial services sector", 9 December 2019

    Osler, "ESG and the future of sustainability", Podcast, 01 June 2022

    Osler, "The Rapidly Evolving World of ESG Disclosure: ISSB draft standards for sustainability and climate related disclosures", 19 May 2022

    Sarwar Choudhury and Zach Johnston, Ernst and Young "Preparing for Sox-Like ESG Regulation", 7 June 2022

    Securities and Exchange Commission, "The Enhancement and Standardization of Climate-related Disclosures for Investors", 12 May 2022

    "Securities and Exchange Commission, SEC Proposes Rules on Cybersecurity, Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies, 9 May 2022

    Sean Brown and Robin Nuttall, McKinsey & Company, "The role of ESG and purpose", 4 January 2022

    Statement by Chair Gary Gensler, "Statement on ESG Disclosure Proposal", 25 May 2022

    Svetlana Zenkin and Peter Hennig, Forbes, "Managing Supply Chain Risk, Reap ESG Rewards", 22 June 2022

    Task Force on Climate Related Financial Disclosures, "Final Report, Recommendations of the Task Force on Climate-related Financial Disclosures", June 2017

    World Economic Forum, "Why sustainable governance and corporate integrity are crucial for ESG", 29 July 2022

    World Economic Forum (in collaboration with PwC) "How to Set Up Effective Climate Governance on Corporate Boards, Guiding Principles and questions", January 2019

    World Economic Forum, "Defining the "G" in ESG Governance Factors at the Heart of Sustainable Business", June 2022

    World Economic Forum, "The Risk and Role of the Chief Integrity Officer: Leadership Imperatives in and ESG-Driven World", December 2021

    World Economic Forum, "How to Set Up Effective Climate Governance on Corporate Boards Guiding principles and questions", January 2019

    Zurich Insurance, "ESG and the new mandate for corporate governance", 2022

    Prepare and Defend Against a Software Audit

    • Buy Link or Shortcode: {j2store}59|cart{/j2store}
    • member rating overall impact: 10.0/10 Overall Impact
    • member rating average dollars saved: $32,499 Average $ Saved
    • member rating average days saved: 6 Average Days Saved
    • Parent Category Name: Licensing
    • Parent Category Link: /licensing
    • Audit defense starts long before you get audited. Negotiating your vendors’ audit rights and maintaining a documented consolidated licensing position ensure that you are not blindsided by a sudden audit request.
    • Notification of an impending audit can cause panic. Don't panic. While the notification will be full of strong language, your best chance of success is to take control of the situation. Prepare a measured response that buys you enough time to get your house in order before you let the vendor in.
    • If a free software asset review sounds too good to be true, then it probably is. If a vendor or one of its partners offers up a free software asset management engagement, they aren’t doing so out of the goodness of their heart — they expect to recoup their costs (and then some) from identified license discrepancies.

    Our Advice

    Critical Insight

    • The amount of business disruption depends on the scope of the audit, and the size and complexity of the organization coupled with the contractual audit clause in the contract.
    • These highly visible failures can be prevented through effective software asset management practices.
    • As complexity of licensing increases, so do penalties. If the environment is highly complex, prioritize effort by likelihood of audit and spend.
    • Ensure electronic records exist for license documentation to provide fast access for audit and information requests
    • Verify accuracy of discovered data. Ensure all devices on the network are being audited. Without a complete discovery process, data will always be inaccurate.

    Impact and Result

    • Being able to respond quickly with accurate data is critical. When deadlines are tight, and internal resources don’t exist, hire a third party as their experience will allow a faster response.
    • Negotiate terms of the audit such as deadlines, proof of license entitlement, and who will complete the audit.
    • Create a methodology to quickly and efficiently respond to audit requests.
    • Conduct annual internal audits.
    • Have a designated cross-functional IT audit team.
    • Prepare documentation in advance.
    • Manage audit logistics to minimize business disruption.
    • Dispute unwarranted findings.

    Prepare and Defend Against a Software Audit Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should be prepared and ready to defend against a software audit, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Prevent an audit

    Begin your proactive audit management journey and leverage value from your software asset management program.

    • Prepare and Defend Against a Software Audit – Phase 1: Prevent an Audit
    • Audit Defense Maturity Assessment Tool
    • Effective Licensing Position Tool
    • Audit Defence RACI Template

    2. Prepare for an audit

    Prepare for an audit by effectively scoping and consolidating organizational response.

    • Prepare and Defend Against a Software Audit – Phase 2: Prepare for an Audit
    • Software Audit Scoping Email Template
    • Audit Defense Readiness Assessment

    3. Conduct the audit

    Execute the audit in a way that preserves valuable relationships while accounting for vendor specific criteria.

    • Prepare and Defend Against a Software Audit – Phase 3: Conduct an Audit
    • Software Audit Launch Email Template

    4. Manage post-audit activities

    Conduct negotiations, settle on remuneration, and close out the audit.

    • Prepare and Defend Against a Software Audit - Phase 4: Manage Post-Audit Activities
    [infographic]

    Workshop: Prepare and Defend Against a Software Audit

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Prevent an Audit

    The Purpose

    Kick off the project

    Identify challenges and red flags

    Determine maturity and outline internal audit

    Clarify stakeholder responsibilities

    Build and structure audit team

    Key Benefits Achieved

    Leverage value from your audit management program

    Begin your proactive audit management journey

    A documented consolidated licensing position, which ensures that you are not blindsided by a sudden audit request

    Activities

    1.1 Perform a maturity assessment of the current environment

    1.2 Classify licensing contracts/vendors

    1.3 Conduct a software inventory

    1.4 Meter application usage

    1.5 Manual checks

    1.6 Gather software licensing data

    1.7 Reconcile licenses

    1.8 Create your audit team and assign accountability

    Outputs

    Maturity assessment

    Effective license position/license reconciliation

    Audit team RACI chart

    2 Prepare for an Audit

    The Purpose

    Create a strategy for audit response

    Know the types of requests

    Scope the engagement

    Understand scheduling challenges

    Know roles and responsibilities

    Understand common audit pitfalls

    Define audit goals

    Key Benefits Achieved

    Take control of the situation and prepare a measured response

    A dedicated team responsible for all audit-related activities

    A formalized audit plan containing team responsibilities and audit conduct policies

    Activities

    2.1 Use Info-Tech’s readiness assessment template

    2.2 Define the scope of the audit

    Outputs

    Readiness assessment

    Audit scoping email template

    3 Conduct the Audit

    The Purpose

    Overview of process conducted

    Kick-off and self-assessment

    Identify documentation requirements

    Prepare required documentation

    Data validation process

    Provide resources to enable the auditor

    Tailor audit management to vendor compliance position

    Enforce best-practice audit behaviors

    Key Benefits Achieved

    A successful audit with minimal impact on IT resources

    Reduced severity of audit findings

    Activities

    3.1 Communicate audit commencement to staff

    Outputs

    Audit launch email template

    4 Manage Post-Audit Activities

    The Purpose

    Clarify auditor findings and recommendations

    Access severity of audit findings

    Develop a plan for refuting unwarranted findings

    Disclose findings to management

    Analyze opportunities for remediation

    Provide remediation options and present potential solutions

    Key Benefits Achieved

    Ensure your audit was productive and beneficial

    Improve your ability to manage audits

    Come to a consensus on which findings truly necessitate organizational change

    Activities

    4.1 Don't accept the penalties; negotiate with vendors

    4.2 Close the audit and assess the financial impact

    Outputs

    A consensus on which findings truly necessitate organizational change

    Execute an Emergency Remote Work Plan

    • Buy Link or Shortcode: {j2store}421|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: DR and Business Continuity
    • Parent Category Link: /business-continuity
    • Many organizations do not have developed plans for how to turn on-premises employees into remote workers in an emergency.
    • In an emergency situation, such as a pandemic, sending employees home to work remotely without time to prepare presents daunting challenges, such as trying to comprehend and prioritize the myriad of tasks that need accomplishing for human resources, the business, and IT in a VUCA (volatile, uncertain, complex, and ambiguous) world.
    • Security issues may arise from employees not used to working remotely. Indeed, employees sent home to work remotely in an emergency may not have been eligible otherwise. This creates security risks, including the proliferation of shadow IT.

    Our Advice

    Critical Insight

    • The emergency will restructure the business: make sure it’s done right. While your organization may need quick fixes for day one of an emergency remote work plan, these are not viable long-term solutions. The emergency will vividly reinforce to the business side that more resources need to be directed to IT to enable strong business continuity and employee safety. Make sure the right plan is put in place during the crucial first weeks. The next emergency is just around the corner.
    • Prioritize key business processes. Before getting into the details of a work from home policy, identify which crucial business processes need to continue for the company to survive. Build the remote work policy around supporting those workflows.
    • Where the “carrot” is not possible, emergencies may require the “stick.” To ensure secure endpoints and prevent proliferation of shadow IT, you may need to enforce certain rules through policy. However, disenfranchising employees is not a long-term solution: once the emergency subsides, use this basis to explore end-user requirements properly and ensure employee-driven adoption plans. Where possible, for this latter scenario, always use the carrot.

    Impact and Result

    • A prioritized plan for IT processes through Info-Tech’s cascading responsibility checklists for emergency remote work.
    • A codified emergency remote work policy document to better prepare for future emergencies.

    Execute an Emergency Remote Work Plan Research & Tools

    Start here

    Read our concise Executive Brief for why you need prioritized emergency remote work checklists and an accompanying policy document and review Info-Tech’s methodology.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    • Execute an Emergency Remote Work Plan Storyboard

    1. Day one preparations

    Prioritize key action items on day one of sending your employees home to remotely work during an emergency.

    • Emergency Remote Work Plan Checklists
    • Home Office Survey
    • Checklist for Securing Remote Workers
    • None
    • Remote Access Policy
    • Equipment Loan Policy
    • None
    • Develop a Security Awareness and Training Program That Empowers End Users – Phases 1-2
    • Remote Work Assignment Log
    • Wiki Collection for Collaboration Tools
    • Pandemic Preparation: The People Playbook

    2. One-to-two weeks preparations

    Address key action items in the one-to-two weeks following an emergency that forced your employees to work remotely.

    • None

    3. Codify an emergency remote work policy

    Turn your emergency remote work checklists into policy.

    • Emergency Remote Work Policy
    • Execute an Emergency Remote Work Plan Executive Presentation
    [infographic]

    Gain Real Insights with a Social Analytics Program

    • Buy Link or Shortcode: {j2store}561|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Marketing Solutions
    • Parent Category Link: /marketing-solutions
    • Social media is wildly popular with consumers and as a result, many businesses are starting to develop a presence on social media services like Facebook and Twitter. However, many businesses still struggle with understanding how to leverage consumer insights from these services to drive business decisions. They’re intimidated by the sheer volume of social data, and aren’t sure what to do about it.
    • Companies that do have an analytics program are often operating it on an ad-hoc basis rather than making an effort to integrate social insights with existing sourcing of consumer data. In doing this, they’re failing to make holistic decisions and missing out on valuable consumer and competitive insights.

    Our Advice

    Critical Insight

    • Social analytics are indispensable in gaining real-time insights across marketing, sales, and customer service. SMBs can use social analytics to gain valuable consumer insights at a significantly lower expense than traditional forms of market research.
    • The greatest value from social analytics comes when organizations marry social data sources with other forms of customer information, such as point-of-sale data, customer surveys, focus groups, and psychographic profiles.
    • Social analytics must be integrated with your broader BI program for maximum effect. Consider creating a Customer Insights Center of Excellence (CICOE) to serve as a one-stop shop for both traditional and social customer analytics.
    • IT has an invaluable role to play in helping to govern and manage the analytics program. A best-of-breed Social Media Management Platform is the key enabling technology for conducting analytics, and IT must assist with selection, implementation and operation of this solution.
    • Internal social analytics is an emerging field that allows you to gauge the sentiment of your employees, while turbocharging ideation and feedback processes. Social networking analysis is particularly valuable for internal analysis.

    Impact and Result

    • Understand the value of a social analytics program and the various departmental use cases – how social analytics improves decision making and boosts critical KPIs like revenue attainment and customer satisfaction.
    • Determine the different social metrics (such as sentiment and frequency analysis) your business should be tracking and how to turn metrics into deep consumer insights.
    • Follow a step-by-step guide for successfully executing a social analytics program across your organization.
    • Roll out an internal analytics program to gauge the sentiment of your employees, improve engagement, and understand informal influencer networks.

    Gain Real Insights with a Social Analytics Program Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Determine the organization’s use cases

    Decide which functional areas in the organization will benefit the most from using social data, and create use cases accordingly.

    • Storyboard: Gain Real Insights with a Social Analytics Program

    2. Define and interpret metrics

    Identify and evaluate key social analytics metrics and understand the importance of combining multiple metrics to get the most out of the analytics program.

    • Social Analytics Maturity Assessment

    3. Execute the social analytics program

    Leverage a cross-departmental Social Media Steering Committee and evaluate SMMPs and other social analytics tools.

    • Social Analytics Specialist
    • Social Analytics Business Plan

    4. Leverage internal social analytics

    Identify specific uses of internal social analytics: crowd-sourcing ideation, harvesting employee feedback, and rewarding internal brand advocates.

    [infographic]

    Business Continuity

    • Buy Link or Shortcode: {j2store}36|cart{/j2store}
    • Related Products: {j2store}36|crosssells{/j2store}
    • member rating overall impact: 9.2/10
    • member rating average dollars saved: $30,547
    • member rating average days saved: 37
    • Parent Category Name: Security and Risk
    • Parent Category Link: /security-and-risk

    The challenge

    • Recent crises have put business continuity firmly on the radar with executives. The pressures mount to have a proper BCP in place.

    • You may be required to show regulators and oversight bodies proof of having your business continuity processes under control.
    • Your customers want to know that you can continue to function under adverse circumstances and may require proof of your business continuity practices and plans.
    • While your company may put the BCM function in facility management or within the business, it typically falls upon IT leaders to join the core team to set up the business continuity plans.

    Our advice

    Insight

    • Business continuity plans require the cooperation and input from all departments with often conflicting objectives.
    • For most medium-sized companies, BCP activities do not require a full-time position. 
    • While the set up of a BCP is an epic or project, embed the maintenance and exercises in its regular activities.
    • As an IT leader in your company, you have the skillset and organizational overview to lead a BCP set up. It is the business that must own the plans. They know their processes and know where to prioritize.
    • The traditional approach to creating a BCP is a considerable undertaking. Most companies will hire one or more consultants to guide them. If you want to do this in-house, then carve up the work into discrete tasks to make it more manageable. Our blueprint explains to you how to do that.

    Impact and results 

    • You have a structured and straightforward process that you can apply to one business unit or department at a time.
    • Start with a pilot, and use the results to fine-tune your approach, fill the gaps while at the same time slowly reducing your business continuity exposure. Repeat the process for each department or team.
    • Enable the business to own the plans. Develop templates that they can use.
    • Leverage the BCP project's outcome and refine your disaster recovery plans to ensure alignment with the overall BCP.

    The roadmap

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    Get started

    Our concise executive brief shows you why you should develop a sound business continuity practice in your company. We'll show you our methodology and the ways we can help you in completing this.

    Identify your current maturity and document process dependencies.

    Choose a medium-sized department and build a team. Identify that department's processes, dependencies, and alternatives.

    • BCP Maturity Scorecard (xls)
    • BCP Pilot Project Charter Template (doc)
    • BCP Business Process Workflows Example (Visio)
    • BCP Business Process Workflows Example (PDF)

    Conduct a business impact analysis to determine what needs to recover first and how much (if any) data you can afford to lose in a disaster.

    Define an objective impact scoring scale for your company. Have the business estimate the impact of downtime and set your recovery targets.

    • BCP Business Impact Analysis Tool (xls)

    Document the recovery workflow entirely.

    The need for clarity is critical. In times when you need the plans, people will be under much higher stress. Build the workflow for the steps necessary to rebuild. Identify gaps and brainstorm on how to close them. Prioritize solutions that mitigate the remaining risks.

    • BCP Tabletop Planning Template (Visio)
    • BCP Tabletop Planning Template (PDF)
    • BCP Project Roadmap Tool
    • BCP Relocation Checklists

    Report the results of the pilot BCP and implement governance.

    Present the results of the pilot and propose the next steps. Assign BCM teams or people within each department. Update and maintain the overall BCMS documentation.

    • BCP Pilot Results Presentation (ppt)
    • BCP Summary (doc)
    • Business Continuity Teams and Roles Tool (xls)

    Additional business continuity tools and templates

    These can help with the creation of your BCP.

    • BCP Recovery Workflow Example (Visio)
    • BCP Recovery Workflow Example (PDF)
    • BCP Notification, Assessment, and Disaster Declaration Plan (doc)
    • BCP Business Process Workarounds and Recovery Checklists (doc)
    • Business Continuity Management Policy (doc)
    • Business Unit BCP Prioritization Tool (xls)
    • Industry-Specific BIA Guidelines (zip)
    • BCP-DRP Maintenance Checklist (xls)
    • Develop a COVID-19 Pandemic Response Plan Storyboard (ppt)

     

    Security Strategy

    • Buy Link or Shortcode: {j2store}42|cart{/j2store}
    • Related Products: {j2store}42|crosssells{/j2store}
    • member rating overall impact: 9.4/10
    • member rating average dollars saved: $33,431
    • member rating average days saved: 29
    • Parent Category Name: Security and Risk
    • Parent Category Link: /security-and-risk

    The challenge

    You may be experiencing one or more of the following:

    • You may not have sufficient security resources to handle all the challenges.
    • Security threats are prevalent. Yet many businesses struggle to embed systemic security thinking into their culture.
    • The need to move towards strategic planning of your security landscape is evident. How to get there is another matter.

    Our advice

    Insight

    To have a successful information security strategy, take these three factors into account:

    • Holistic: your view must include people, processes, and technology.
    • Risk awareness: Base your strategy on the actual risk profile of your company. And then add the appropriate best practices.
    • Business-aligned: When your strategic security plan demonstrates alignment with the business goals and supports it, embedding will go much more straightforward.

    Impact and results 

    • We have developed a highly effective approach to creating your security strategy. We tested and refined this for more than seven years with hundreds of different organizations.
    • We ensure alignment with business objectives.
    • We assess organizational risk and stakeholder expectations.
    • We enable a comprehensive current state assessment.
    • And we prioritize initiatives and build out a right-sized security roadmap.

     

    The roadmap

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    Get up to speed

    Read up on why you should build your customized information security strategy. Review our methodology and understand the four ways we can support you.

    Assess the security requirements

    It all starts with risk appetite, yes, but security is something you want to get right. Determine your organizations' security pressures and business goals, and then determine your security program's goals.

    • Build an Information Security Strategy – Phase 1: Assess Requirements
    • Information Security Requirements Gathering Tool (xls)
    • Information Security Pressure Analysis Tool (xls)

    Build your gap initiative

    Our best-of-breed security framework makes you perform a gap analysis between where you are and where you want to be (your target state). Once you know that, you can define your goals and duties.

    • Build an Information Security Strategy – Phase 2: Assess Gaps
    • Information Security Program Gap Analysis Tool (xls)

    Plan the implementation of your security strategy 

    With your design at this level, it is time to plan your roadmap.

    • Build an Information Security Strategy – Phase 3: Build the Roadmap

    Let it run and continuously improve. 

    Learn to use our methodology to manage security initiatives as you go. Identify the resources you need to execute the evolving strategy successfully.

    • Build an Information Security Strategy – Phase 4: Execute and Maintain
    • Information Security Strategy Communication Deck (ppt)
    • Information Security Charter (doc)

     

    Drive Efficiency and Agility with a Fit-for-Purpose Quality Management Program

    • Buy Link or Shortcode: {j2store}338|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Performance Measurement
    • Parent Category Link: /performance-measurement
    • According to Info-Tech research, 74% of our clients feel that IT quality management is an important process, however, only 15% said they actually had effective quality management.
    • IT is required to deliver high quality projects and services, but if CIOs are ineffective at quality management, how can IT deliver?
    • Rather than disturb the status quo with holistic quality initiatives, heads of IT leave quality in the hands of process owners, functional areas, and other segmented facets of the department.
    • CIOs are facing greater pressures to be innovative, agile, and cost-effective, but cannot do so without stable operations, an accountable staff base, and business support; all of which are achieved by high IT quality.

    Our Advice

    Critical Insight

    • Quality management needs more attention that it’s typically getting. It’s not going to happen randomly; you must take action to see results.
    • Quality must be holistic. Centralized accountability will align inconsistencies in quality and refocus IT towards a common goal.
    • Accountability is the key to quality. Clearly defined roles and responsibilities will put your staff on the hook for quality outcomes.

    Impact and Result

    • Shift your mindset to the positive implications of high quality. Info-Tech’s quality management methodology will promote innovation, agility, lower costs, and improved operations.
    • We will help you develop a fully functional quality management program in four easy steps:
      • Position your program as a group to encourage buy-in and unite IT around a common quality vision. Enact a center of excellence to build, support, and monitor the program.
      • Build flexible program requirements that will be adapted for a fit-to-purpose solution.
      • Implement the program using change management techniques to alleviate challenges and improve adoption.
      • Operate the program with a focus on continual improvement to ensure that your IT department continues to deliver high quality projects and services as stakeholder needs change.

    Drive Efficiency and Agility with a Fit-for-Purpose Quality Management Program Research & Tools

    Start here – read the Executive Brief

    Understand why Info-Tech’s unique approach to quality management can fix a variety of IT issues and understand the four ways we can support you in building a quality management program designed just for you.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Position the program

    Hold a positioning working session to focus the program around business needs, create solid targets, and create quality champions to get the job done.

    • Drive Efficiency and Agility with a Fit-for-Purpose Quality Management Program – Phase 1: Position the Quality Program
    • Quality Management Program Charter
    • Quality Management Capability Assessment and Planning Tool
    • Quality Management Roadmap

    2. Build the program

    Build program requirements and design standard templates that will unite IT quality.

    • Drive Efficiency and Agility with a Fit-for-Purpose Quality Management Program – Phase 2: Build a Quality Program
    • Quality Management Quality Plan Template
    • Quality Management Review Template
    • Quality Management Dashboard Template

    3. Implement the program

    Evaluate the readiness of the department for change and launch the program at the right time and in the right way to transform IT quality.

    • Drive Efficiency and Agility with a Fit-for-Purpose Quality Management Program – Phase 3: Implement the Quality Program
    • Quality Management Communication Plan Template
    • Quality Management Readiness Assessment Template

    4. Operate the program

    Facilitate the success of key IT practice areas by operating the Center of Excellence to support the key IT practice areas’ quality initiatives.

    • Drive Efficiency and Agility with a Fit-for-Purpose Quality Management Program – Phase 4: Operate the Quality Program
    • Quality Management User Satisfaction Survey
    • Quality Management Practice Area Assessment and Planning Tool
    • Quality Management Capability Improvement Plan
    [infographic]

    Workshop: Drive Efficiency and Agility with a Fit-for-Purpose Quality Management Program

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Position Your Program

    The Purpose

    Create a quality center of excellence to lead and support quality initiatives.

    Position your quality program to meet the needs of your business.

    Develop clear targets and create a roadmap to achieve your vision. 

    Key Benefits Achieved

    Defined Center of Excellence roles & responsibilities.

    A firm vision for your program with clearly outlined targets.

    A plan for improvements to show dedication to the program and create accountability. 

    Activities

    1.1 Identify current quality maturity.

    1.2 Craft vision and mission.

    1.3 Define scope.

    1.4 Determine goals and objectives.

    1.5 Specify metrics and critical success factors.

    1.6 Develop quality principles.

    1.7 Create action plan.

    Outputs

    Completed Maturity Assessment

    Completed Project Charter

    Completed Quality Roadmap

    2 Build Your Program

    The Purpose

    Build the requirements for the quality program, including outputs for quality planning, quality assurance, quality control, and quality improvement.

    Key Benefits Achieved

    Defined standards for the quality program.

    General templates to be used to unify quality throughout IT. 

    Activities

    2.1 Define quality policy, procedures, and guidelines.

    2.2 Define your standard Quality Plan.

    2.3 Define your standard Quality Review Document.

    2.4 Develop your Standard Quality Management Dashboard.

    Outputs

    Quality Policy

    Standard Quality Plan Template

    Standard Quality Review Template

    Standard Quality Dashboard

    3 Implement Your Program

    The Purpose

    Launch the program and begin quality improvement.

    Key Benefits Achieved

    Perform a readiness assessment to ensure your organization is ready to launch its quality program.

    Create a communication plan to ensure constant and consistent communication throughout implementation. 

    Activities

    3.1 Assess organizational readiness.

    3.2 Create a communication plan.

    Outputs

    Completed Readiness Assessment

    Completed Communication Plan

    4 Operate Your Program

    The Purpose

    Have the Center of Excellence facilitate the roll-out of the quality program in your key practice areas.

    Initiate ongoing monitoring and reporting processes to enable continuous improvement.  

    Key Benefits Achieved

    Quality plans for each practice area aligned with the overall quality program.

    Periodic quality reviews to ensure plans are being acted upon.

    Methodology for implementing corrective measures to ensure quality expectations are met.

    Activities

    4.1 Perform a quality management satisfaction survey.

    4.2 Complete a practice area assessment.

    4.3 Facilitate the creation of practice area quality plans.

    4.4 Populate quality dashboards.

    4.5 Perform quality review(s).

    4.6 Address issues with corrective and preventative measures.

    4.7 Devise a plan for improvement.

    4.8 Report on quality outcomes.

    Outputs

    Completed Satisfaction Surveys

    Practice Area Assessments

    Quality Plans (for each practice area)

    Quality Reviews (for each practice area)

    Quality Improvement Plan

    Formalize Your Digital Business Strategy

    • Buy Link or Shortcode: {j2store}101|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Innovation
    • Parent Category Link: /innovation

    Your organization already has a digital strategy, but there is a lack of understanding of what digital means across the enterprise. Digital investments have been made in the past but failed to yield or demonstrate business value. Given the pace of change, the current digital strategy is outdated, and new digital opportunities need to be identified to inform the technology innovation roadmap.

    Our Advice

    Critical Insight

    Turn your digital strategy into a compelling change story that will create a unified vision of how you want to transform your business.

    Impact and Result

    • Identify new digitally enabled growth opportunities.
    • Understand which digital ideas yield the biggest return and the value they generate for the organization.
    • Understand the impact of opportunities on your business capabilities.
    • Map a customer journey to identify opportunities to transform stakeholder experiences.

    Formalize Your Digital Business Strategy Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Formalize Your Digital Business Strategy – a document that walks you through a series of activities to help brainstorm and ideate on possible new digital opportunities as an input into building your business case for a new IT innovation roadmap.

    Knowing which digital opportunities create the greatest business value requires a structured approach to ideate, prioritize, and understand the value they create for the business to help inform the creation of your business case for investment approval.

    • Formalize Your Digital Strategy Storyboard

    Infographic

    Further reading

    Formalize Your Digital Business Strategy

    Stay relevant in an evolving digital economy

    Executive Summary

    Your Challenge

    Common Obstacles

    Solution

    • Since 2020, the environment has been volatile, leading many CIOs to rethink their priorities and strategies.
    • The organization already has a digital strategy, but there is a lack of understanding of what digital means across the enterprise.
    • Digital investments have been made but fail to demonstrate the business value.
    • The current digital strategy was developed in isolation and failed to garner consensus on a common understanding of the digital vision from across the business.
    • CIOs struggle to understand what existing capabilities need to transform or what new digital capabilities are needed to support the digital ambitions.
    • The existing Digital Strategy is synonymous with the IT Strategy.
    • Identify new digitally enabled growth opportunities.
    • Understand which digital ideas yield the biggest return and the value they generate for the organization.
    • Understand the impact of opportunities on your business capabilities.
    • Map the customer journey to identify opportunities to transform the stakeholder experience.

    Info-Tech Insight

    Turn your existing digital strategy into a compelling change story that will create a unified vision of how you want to transform your business.

    Info-Tech’s Digital Transformation Journey

    Your journey: An IT roadmap for your Digital Business Strategy

    The image contains a screenshot of Info-Tech's Digital Transformation Journey.

    By now, you understand your current business context and capabilities

    The image contains a screenshot of the IT roadmap for your Digital Business Strategy.

    By this point you have leveraged industry roundtables to better understand the art of the possible, exploring global trends, shifts in market forces, customer needs, emerging technologies, and economic forecasts to establish your business objectives and innovation goals.

    Now you need to formalize digital business strategy.

    Phase 1: Industry Trends Report

    The image contains a screenshot of phase 1 industry trends report.

    Phase 2: Digital Maturity Assessment

    The image contains a screenshot of phase 2 digital maturity assessment.

    Phase 3: Zero-In on Business Objectives

    The image contains a screenshot of phase 3 Zero-in on business objectives.

    Business and innovation goals are established through stakeholder interviews and a heatmap of your current capabilities for transformation.

    Since 2020, market dynamics have forced organizations to reassess their strategies

    The unprecedented pace of global disruptions has become both a curse and a silver lining for many CIOs. The ability to maximize the value of digital will be vital to remain relevant in the new digital economy.

    The image contains a screenshot of an image that demonstrates how market dynamics force organizations to reassess their strategies.

    Formalize your digital strategy to address industry trends and market dynamics

    The goal of this phase is to ensure the scope of the current digital strategy reflects the right opportunities to allocate capital to resources, assets, and capabilities to drive strategic growth and operational efficiency.

    There are three key activities outlined in this deck that that can be undertaken by industry members to help evolve their current digital business strategy.

    1. Identify New Digitally Enabled Growth Opportunities
      • Host an ideation session to identify new leapfrog ideas
      • Discuss assumptions, value drivers, and risks
      • Translate ideas into opportunities and consolidate
    2. Evaluate New Digital Opportunities and Business Capabilities
      • Build an opportunity profile
      • Identify business capabilities for transformation
    3. Transform Stakeholder Journeys
      • Understand the impact of opportunities on value-chains
      • Identify stakeholder personas
      • Build a stakeholder journey map
      • Compile your new list of digital opportunities
    The image contains a screenshot of Formalize your digital business strategy.

    Info-Tech’s approach

    1. Identify New Digital Opportunities
      • Conduct an ideation session
      • Identify leapfrog ideas from trends
      • Evaluate each leapfrog idea to define opportunity
    2. Evaluate Opportunities and Business Capabilities
      • Build Opportunity Profile
      • Understand the impact of opportunities on business capabilities
    3. Transform Stakeholder Journeys
      • Analyze value chains
      • Map your Stakeholder Journey
      • Breakdown opportunities into initiatives

    Overview of Key Activities

    Formalize your digital business strategy

    Methodology

    Members Engaged

    • CIO
    • Business Executives

    Info-Tech

    • Industry Analyst
    • Executive Advisor

    Phase 1: New Digital Opportunities

    Phase 2: Evaluate Opportunities and Business Capabilities

    Phase 3: Transform Stakeholder Journeys

    Content Leveraged

    • Digital Business Strategy blueprint
    • Client’s Business Architecture
    1. Hold an ideation session with business executives.
      • Review relevant reports on industry trends, market shifts, and emerging technologies.
      • Establish guiding principles for digital transformation.
      • Leverage a trend-analysis approach to determine the most impactful and relevant trends.
      • From tends, elicit leapfrog ideas for growth opportunities.
      • For each idea, engage in discussion on assumptions, value drivers, benefits, and risks.
    1. Create opportunity profiles.
      • Evaluate each opportunity to determine if it is important to turn into initiatives
    2. Evaluate the impact of opportunities on your business capabilities.
      • Leverage a value-chain analysis to assess the impact of the opportunity across value chains in order to understand the impact across your business capabilities.
    1. Map stakeholder journey:
      • Identify stakeholder personas
      • Identify one journey scenario
      • Map stakeholder journey
      • Consolidate opportunities
    2. Breakdown opportunities into actional initiatives
      • Brainstorm priority initiatives against opportunities.

    Deliverable:

    Client’s Digital Business Strategy

    Phase 1: Deliverable

    1. Compiled list of leapfrog ideas for new growth opportunities

    Phase 2: Deliverables

    1. Opportunity Profile
    2. Business Capability Impact

    Phase 3: Deliverables

    1. Opportunity Profile
    2. Business Capability Impact

    Glossary of Terms

    LEAPFROG IDEAS

    The concept was originally developed in the area of industrial organizations and economic growth. Leapfrogging is the notion that organizations can identify opportunities to skip one or several stages ahead of their competitors.

    DIGITAL OPPORTUNITIES

    Opening of new possibilities to transform or change your business model and create operational efficiencies and customer experiences through the adoption of digital platforms, solutions, and capabilities.

    INITIATIVES

    Breakdown of opportunities into actionable initiatives that creates value for organizations through new or changes to business models, operational efficiencies, and customer experiences.

    1. LEAPFROG IDEAS:
      • Precision medicine
    2. DIGITAL OPPORTUNITY:
      • Machine Learning to sniff out pre-cancer cells
    3. INITIATIVES:
      1. Define genomic analytics capabilities and recruit
      2. Data quality and cleansing review
      3. Implement Machine Learning SW

    Identify Digitally Enabled Opportunities

    Host an ideation session to turn trends into growth opportunities with new leapfrog ideas.

    Phase 1Phase 2Phase 3

    Identify New Digitally Enabled Opportunities

    Evaluate Opportunities and Business Capabilities

    Transform Stakeholder Journeys

    Phase 1

    Host an Ideation Session to Identify New Digital Opportunities

    1.1

    IDENTIFY AND ASSEMBLE YOUR KEY STAKEHOLDERS

    Build support and eliminate blind spots

    It is important to make sure the right stakeholders participate in this working group. Designing a digital strategy will require debate, insights, and business decisions from a broad perspective across the enterprise. The focus is on the value to be generated from digital.

    Consider:

    • Who are the decision makers and key influencers?
    • Who will impact the business?
    • Who has a vested interest in the success or failure of the practice? Who has the skills and competencies necessary to help you be successful?

    Avoid:

    • Don’t focus on the organizational structure and hierarchy. Often stakeholder groups don’t fit the traditional structure.
    • Don’t ignore subject matter experts on either the business or IT side. You will need to consider both.
    1.2

    ESTABLISH GUIDING PRINCIPLES

    Define the guardrails to focus your ideas

    All ideas are great until you need one that works. Establish guiding principles that will help you establish the perimeters for turning big ideas into opportunities.

    Consider:

    • Focus on the breadth and alignment to support business objectives
    • This should help narrow conceptual ideas into actionable initiatives

    Avoid:

    • Don’t recreate the corporate guiding principles
    • Focus on what will help define strategic growth opportunities and operational efficiencies
    1.3

    LEVERAGE STRATEGIC FORESIGHT TO IDENTIFY LEAPFROG IDEAS

    Create space to elicit “big ideas”

    Leverage industry roundtables and trend reports imagining how digital solutions can help drive strategic growth and operational efficiency. Brainstorm new opportunities and discuss their viability to create value and better experiences for your stakeholders.

    Consider:

    • Accelerate this exercise by leveraging stakeholder insights from:
      • Your corporate strategy and financial plan
      • Outputs from stakeholder interviews
      • Market research

    Avoid:

    • Don’t simply go with the existing documented strategic objectives for the business. Ensure they are up to date and interview the decision makers to validate their perspectives if needed.

    Host an Ideation Session

    Identify digitally enabled opportunities

    Industry Roundtables and Trend Reports

    Industry Trends Report

    The image contains a screenshot of phase 1 industry trends report.

    Business Documents

    The image contains a screenshot of Business Documents.

    Digital Maturity Assessment

    The image contains a screenshot of phase 2 digital maturity assessment.

    Activity: 2-4 hours

    Members Engaged

    • CIO
    • Business Executives

    Info-Tech

    • Industry Analyst
    • Executive Advisor

    Hold a visioning session with key business executives (e.g., CIO, CEO, CFO, CCO, and COO) and others as needed. Here is a proposed agenda of activities for the ideation session:

    1. Leverage current trend reports and relevant emerging trend reports, market analysis, and customer research to envision future possibilities.
    2. Establish guiding principles for defining your digital strategy and scope.
    3. Leverage insights from trend reports and market analysis to generate leapfrog ideas that can be turned into opportunities.
    4. For each leapfrog idea, engage in a discussion on assumptions, value drivers, benefits, and risks.

    Content Leveraged

    • Digital Trends Report
    • Industry roundtables and trend reports
    • Digital Maturity Assessment
    • Digital Business Strategy v1.0

    Deliverable:

    1. Guiding principles
    2. Strategic growth opportunities

    1.1 Executive Stakeholder Engagement

    Assemble Executive Stakeholders

    Set yourself up for success with these three steps.

    CIOs tasked with designing digital strategies must add value to the business. Given the goal of digital is to transform the business, CIOs will need to ensure they have both the mandate and support from the business executives.

    Designing the digital strategy is more than just writing up a document. It is an integrated set of business decisions to create a competitive advantage and financial returns. Establishing a forum for debates, decisions, and dialogue will increase the likelihood of success and support during execution.

    1. Confirm your role

    2. Identify Stakeholders

    3. Diverse Perspective

    The digital strategy aims to transform the business. Given the scope, validate your role and mandate to lead this work. Identify a business executive to co-sponsor.

    Identify key decision-makers and influencers who can help make rapid decisions as well as garner support across the enterprise.

    Don’t be afraid to include contrarians or naysayers. They will help reduce any blind spots but can also become the greatest allies through participation.

    1.2 Guiding Principles

    Set the Guiding Principles

    Guiding principles help define the parameters of your digital strategy. They act as priori decisions that establish the guardrails to limit the scope of opportunities from the perspective of people, assets, capabilities, and budgets that are aligned with the business objectives. Consider these components when brainstorming guiding principles:

    Consider these three components when brainstorming

    Breadth

    Digital strategy should span people, culture, organizational structure, governance, capabilities, assets, and technology. The guiding principle should cover a 3600 view across the entire organization.

    Planning Horizon

    Timing should anchor stakeholders to look to the long-term with an eye on the foreseeable future i.e., business value realization in one, two, and three years.

    Depth

    Needs to encompass more than the enterprise view of lofty opportunities but establish boundaries to help define actionable initiatives (i.e., individual projects).

    1.2 Guiding Principles

    Examples of Guiding Principles

    IT Principle NameIT Principle Statement
    1.Enterprise value focusWe aim to provide maximum long-term benefits to the enterprise as a whole while optimizing total costs of ownership and risks.
    2.Fit for purposeWe maintain capability levels and create solutions that are fit for purpose without over engineering them.
    3.SimplicityWe choose the simplest solutions and aim to reduce operational complexity of the enterprise.
    4.Reuse > buy > buildWe maximize reuse of existing assets. If we can’t reuse, we procure externally. As a last resort, we build custom solutions.
    5.Managed dataWe handle data creation and modification and use it enterprise-wide in compliance with our data governance policy.
    6.Controlled technical diversityWe control the variety of what technology platforms we use.
    7.Managed securityWe manage security enterprise-wide in compliance with our security governance policy.
    8.Compliance to laws and regulationsWe operate in compliance with all applicable laws and regulations.
    9.InnovationWe seek innovative ways to use technology for business advantage.
    10.Customer centricityWe deliver best experiences to our customers with our services and products.
    11.Digital by default We always put digital solutions at the core of our plans for all viable solutions across the organization.
    12.Customer-centricity by designWe design new products and services with the goal to drive greater engagement and experiences with our customers.

    1.3 Trend-Analysis

    Leverage strategic foresight to identify growth opportunities

    What is Strategic Foresight?

    In times of increasing uncertainty, rapid change, market volatility, and complexity, the development of strategies can be difficult. Strategic foresight offers a solution.
    Strategic foresight refers to an approach that uses a range of methodologies, such as scanning the horizon for emerging changes and signals, analyzing megatrends, and developing multiple scenarios to identify opportunities (source: OECD, 2022). However, it cannot predict the future and is distinct from:

    • Forecasting tools
    • Strategic planning
    • Scenario planning (only)
    • Predictive analyses of the future

    Why is Strategic Foresight useful?

    • Reduce uncertainties about the future
    • Better anticipate changes
    • Future-proof to stress test proposed strategies
    • Explore innovation to reveal new products, services, and approaches

    Explore Info-Tech’s Strategic Foresight Process Tool

    “When situations lack analogies to the past, it’s hard to envision the future.”

    - J. Peter Scoblic, HBR, 2020

    1.3 Trend-Analysis

    Leverage industry roundtables and trend reports to understand the art of the possible

    Uncover important business and industry trends that can inform possibilities for technology innovation.

    Explore trends in areas such as:

    • Machine Learning
    • Citizen Dev 2.0
    • Venture Architecture
    • Autonomous Organizations
    • Self-Sovereign Cloud
    • Digital Sustainability

    Market research is critical in identifying factors external to your organization and identifying technology innovation that will provide a competitive edge. It’s important to evaluate the impact each trend or opportunity will have in your organization and market.

    Visit Info-Tech’s Trends & Priorities Research Center

    Visit Info-Tech’s Industry Coverage Research to get started.

    The image contains screenshots from Info-Tech blueprints.

    Images are from Info-Tech’s Rethinking Higher Education Report and 2023 Tech Trends Report

    1.3 Trend-Analysis

    Scan the Horizon

    Understand how the environment is evolving in your industry

    Scan the horizon to detect early signs of future changes or threats.

    Horizon scanning involves scanning, analyzing, and communicating changes in an organization’s environment to prepare for potential threats and opportunities. Much of what we know about the future is based around the interactions and trajectory of macro trends, trends, and drivers. These form the foundations for future intelligence.

    Macro Trends

    A macro trend captures a large-scale transformative trend on a global scale that could impact your addressable market

    Industry Trend

    An industry trend captures specific use cases of the macro trend in relation to your market and industry. Consider this in terms of shifts in your market dynamics i.e., competitors, size, transaction, international trade, supply/demand, etc.

    Driver(s)

    A driver is an underlying force causing the trend to occur. There can be multiple causal forces, or drivers, that influence a trend, and multiple trends can be influenced by the same causal force.

    Identify signals of change in the present and their potential future impacts.

    1.3 Trend-Analysis

    Identify macro trends

    Macro trends capture a global shift that can change the market and the industry. Here are examples of macro-trends to consider when scanning the horizon for your own organization:

    Talent Availability

    Customer Expectations

    Emerging Technologies

    Regulatory System

    Supply Chain Continuity

    Decentralized workforce

    Hybrid workforce

    Diverse workforce

    Skills gap

    Digital workforce

    Multigenerational workforce

    Personalization

    Digital experience

    Data ownership

    Transparency

    Accessibility

    On-demand

    Mobility

    AI & robotics

    Virtual world

    Ubiquitous connectivity

    Genomics (nano, bio, smart….)

    Big data

    Market control

    Economic shifts

    Digital regulation

    Consumer protection

    Global green

    Resource scarcity

    Sustainability

    Supply chain digitization

    Circular supply chains

    Agility

    Outsource

    1.3 Trend-Analysis

    Determine impact and relevance of trends

    Understand which trends create opportunities or risks for your organization.

    Key Concepts:

    Once an organization has uncovered a set of trends that are of potential importance, a judgment must be made on which of the trends should be prioritized to understand their impact on your market and ultimately, the implications for your business or organization. Consider the following criteria to help you prioritize your trends.

    Impact to Industry: The degree of impact the trend will have on your industry and market to create possibilities or risks for your business. Will this trend create opportunities for the business? Or does it pose a risk that we need to mitigate?

    Relevance to Organization. The relevance of the trend to your organization. Does the trend align with the mission, vision, and business objectives of your organization?

    Activity: 2-4hours

    In order to determine which trends will have an impact on your industry and are relevant to your organization, you need to use a gating approach to short-list those that may create opportunities to capitalize on while you need to manage the ones that pose risk.

    Impact

    What does this trend mean for my industry and market?

    • Degree – how broad or narrow is the impact
    • Likelihood – the reality of disrupting an industry or market
    • Timing – when do we expect disruption?

    Relevance

    What opportunity or risk does it pose to my business/organization?

    • Significance – depth and breadth across the enterprise
    • Duration – how long is the anticipated impact?

    1.3 Trend-Analysis

    Prioritize Trends for Exploration

    The image contains a screenshot of a table to demonstrate the trends.The image contains a graph that demonstrates the trends from the table on a graph to show how to prioritze them based on relevance and impact.

    Info-Tech Insight

    While the scorecard may produce a ranking based on weighted metrics, you need to leverage the group discussion to help contextualize and challenge assumptions when validating the priority. The room for debate is important to truly understand whether a trend is a fad or a fact that needs to be addressed.

    1.3 Trend-Analysis

    Discuss the driver(s) behind the trend

    Determining the root cause(s) of a trend is an important precursor to understanding the how, why, and to what extent a trend will impact your industry and market.

    Trend analysis can be a valuable approach to reduce uncertainties about the future and an opportunity to understand the underlying drivers (forces) that may be contributing to a shift in pattern. Understanding the drivers is important to help determine implication on your organization and potential opportunities.

    The image contains a screenshot of a driver diagram.

    1.3 Trend-Analysis

    Examples of driver(s)

    INDUSTRY

    Healthcare Exemplar

    Macro Trends

    (Transformative change)

    Industry Trend

    (A pattern of change…)

    Drivers

    (“Why”….)

    Accessibility

    Increase in wait times

    Aging population leading to global workforce shortage

    New models of care e.g., diversify scope of practice

    Address capacity issues

    Understanding the drivers is not about predicting the future. Don’t get stuck in “analysis paralysis.” The key objective is to determine what opportunities and risks the trend and its underlying driver pose to your business. This will help elicit leapfrog opportunities that can be funneled into actionable initiatives.

    Other examples…

    Dimensions

    Macro-Trends

    Industry Trend

    Driver

    Social

    Demographic shift

    Global shortage of healthcare workers

    Workforce age

    Customer expectations

    Patients as partners

    Customer demographics

    Technology

    AI and robotics

    Early detection of cancer

    Patient outcomes

    Ubiquitous connectivity

    Virtual health

    Capacity

    Economic

    Recession

    Cost-savings

    Sustainability

    Consumer spending

    Value-for-money

    Prioritization

    Environment

    Climate change

    Shift in manufacturers

    ESG compliant vendors

    Pandemic

    Supply chain disruption

    Local production

    Political

    Regulatory

    Consolidation of professional colleges

    Operational efficiency

    De-regulation

    New models of care

    New service (business) model

    1.3 Trend-Analysis

    Case Study

    Industry

    Healthcare

    Artificial Intelligence (AI) in Precision Medicine (Genomics)

    Precision Medicine has become very popular over the recent years fueled by research but also political and patient demands to focus more on better outcomes vs. profits. A cancer care center in Canada wanted to look at what was driving this popularity but more importantly, what this potentially meant to their current service delivery model and operations and what opportunities and risks they needed to address in the foreseeable future. They determined the following drivers:

    • Improve patient outcomes
    • Earlier detection of cancer
    • Better patient experience
    • Ability to compute vast amounts of data to reduce manual effort and errors
    • Accelerate from research to clinical trials to delivery

    The image contains a screenshot of AI in Genomics.

    1.3 Trend-Analysis

    INDUSTRY

    Healthcare Exemplar

    Category

    Macro-Trends

    Industry Trends

    (Use-Case)

    Drivers

    Impact to Industry

    Impact to Business

    Talent Availability

    Diverse workforce

    Aboriginal health

    Systemic inequities

    Brand and legal

    Policies in place

    Hybrid workforce

    Virtual care

    COVID-19 and infectious disease

    New models of care

    New digital talent

    Customer Expectation

    Personalization

    On-demand care

    Patient experience

    Patients as consumers

    New operating model

    Digital experience

    Patient portals

    Democratization of data

    Privacy and security

    Capacity

    Emerging Technologies

    Internet of Things (IoT)

    Smart glucometers

    Greater mobility

    System redesign

    Shift from hospital to home care

    Quantum computing

    Genomic sequencing

    Accelerate analysis

    Improve quality of data analysis

    Faster to clinical trial and delivery

    Regulatory System

    Consumer protection

    Protect access to sensitive patient data

    HIPPA legislation

    Restrict access to health record

    Electronic health records

    Global green

    Green certification for redev. projects

    Political optics

    Higher costs

    Contract management

    Supply Chain

    Supply chain disruptions

    Surgical strategic sourcing

    Preference cards

    Quality

    Organizational change management

    New pharma entrants

    Telco’s move into healthcare

    Demand/supply

    Funding model

    Resource competition

    Sample Output From Trend Analysis

    1.3 Elicit New Opportunities

    Leapfrog into the future

    Turn trends into growth opportunities.

    To thrive in the digital age, organizations must innovate big, leverage internal creativity, and prepare for flexibility.

    In this digital era, organizations are often playing catch up to a rapidly evolving technological landscape and following a strict linear approach to innovation. However, this linear catch-up approach does not help companies get ahead of competitors. Instead, organizations must identify avenues to skip one or several stages of technological development to leapfrog ahead of their competitors.

    “The best way to predict the future is to invent it.”

    – Alan Kay

    Leapfrogging takes place when an organization introduces disruptive innovation into the market and sidesteps competitors, who are unable to mobilize to respond to the opportunities.

    1.3 Elicit New Opportunities

    Funnel trends into leapfrog ideas

    Go from trend insights into ideas for opportunities

    Brainstorm ways to generate leapfrog ideas from trend insights.

    Dealing with trends is one of the most important tasks for innovation. It provides the basis of developing the future orientation of the organization. However, being aware of a trend is one thing, to develop strategies for response is another.

    To identify the impact the trend has on the organization, consider the four areas of growth for the organization:

    1. New Customers: Leverage the trend to target new customers for existing products or services.
    2. New Business Models: Adjust the business model to capture a change in how the organization delivers value.
    3. New Markets: Enter or create new markets by applying existing products or services to different problems.
    4. New Product or Service Offerings: Introduce new products or services to the existing market.

    1.3 Elicit New Opportunities

    INDUSTRY: Healthcare

    SOURCE: Memorial Sloan Kettering Cancer Center

    Case Study

    Machine Learning Sensor to Sniff Out Cancer

    Challenge

    Solution

    Results

    Timely access to diagnostic services is a key indicator of a cancer patient’s prognosis i.e., outcome. Early detection of cancer means the difference between life and death for cancer patients.

    Typically, cancer biomarkers need to be present to detect cancer. Often the presence of these biomarkers is late in the disease state when the cancer cells have likely spread, resulting in suspicions of cancer only when the patient does not feel well or suspects something is wrong.

    Researchers in partnership with IBM Watson at Memorial Sloan Kettering Cancer Center (MSK) have created a tool that can sniff for and identify cancer in a blood sample using machine learning.

    Originally, MSK worked with IBM Watson to identify machine learning as an emerging technology that could drive early cancer detection without the use of cancer biomarkers. But they needed to find specific use cases. After a series of concept prototypes, they were able to use machine learning to detect patterns in blood cells vs. cancer biomarkers to detect cancer disease.

    Machine learning was an emerging trend that researchers at MSK felt held great promise. They needed to turn the trend into tangible opportunities by identifying some key use cases that could be prototyped.

    Computational tools in oncology have the ability to greatly reduce clinician labor, improve the consistency of variant classification, and help accelerate the analytics of vast amounts of clinical data that would be prone to errors and delays when done manually.

    From trends to leapfrog ideas

    Additional Examples in the Appendix

    Example of leapfrog ideas that can generate opportunities for consideration

    Trend

    New Customer

    New Market

    New Business or Operating Model

    New Service Offering

    What trend(s) pose a significant impact on your business?

    New stakeholder segment

    Enter or create new markets

    Adjust the business or operating model to capture change in how the business creates and delivers value

    Introduce new digital products, services and experiences

    Virtualize Registration

    Empower patients as consumers of healthcare partners

    Direct B2C to close gap between providers and patients by removing middle administrative overhead.

    24/7 On-Demand Patient Portal

    Leverage AI to develop chatbots and on-demand

    Phase 1: Deliverable

    Phase 1 Deliverable

    Example of output from phase 1 ideation session

    Business Objectives

    New Customers

    (Customer Experience)

    New Markets

    (Health Outcomes)

    New Business or

    Operating Models

    (Operational Excellence)

    New Service Offering

    (Value for Money)

    Description:

    Focus on improving experiences for patients and providers

    Improve quality and standards of care to continually drive better health outcomes

    Deliver care better, faster, and more efficiently

    Reduce cost per capital of delivery care and increase value for services

    Trends:

    • Global workforce shortage due to ageing demographics
    • Clinicians are burnt-out and unable to practice at the top of their profession
    • On-demand care/mobile/wearables
    • Virtual care
    • Faster access to quality service
    • Help navigating complex medical ecosystem from primary to acute to community
    • Standardize care across regions
    • New models of care to expand capacity
    • Improve medication errors
    • Opportunities to use genomics to design personalized medicine
    • Automate tasks
    • Leverage AI and robotics more effectively
    • Regulatory colleges consolidation mandate
    • Use data and analytics to forecast capacity and health outcomes
    • Upskill vs. virtualize workforce
    • Payment reform i.e., move to value-based care vs. fee-for-service
    • Consolidation of back-office functions like HR, supply chain, IT, etc. to reduce cost i.e., shared services model

    Digital Opportunities:

    1. Virtual health command center
    2. Self-scheduling patient portal
    3. Patient way-finder
    4. Smart glucometer for diabetes
    1. Machine learning for early detection of cancer
    2. Visualization tools for capacity planning and forecasting
    3. Contact tracing apps for public health
    1. Build advanced analytics capabilities with new skills and business intelligence tools
    2. Pharmacy robotics
    3. Automate registration
    1. Automate provider billing solution
    2. Payment gateways – supplier portal in the cloud

    Phase 2

    Evaluate Opportunities and Business Capabilities

    Build a better understanding of the opportunities and their impact on your business.

    Phase 1Phase 2Phase 3

    Identify New Digitally Enabled Opportunities

    Evaluate Opportunities and Business Capabilities

    Transform Stakeholder Journeys

    Phase 2

    Evaluate Opportunities and Business Capabilities

    2.1

    CREATE OPPORTUNITY PROFILES

    Evaluate each opportunity

    Some opportunities will have an immediate and significant impact on your business. Some may have a significant impact but on a longer time scale or some may be unlikely to have a significant impact at all. Understanding these trends is an important context for your digital business strategy.

    Consider:

    • Does this opportunity conform with your guiding principles?
    • Can this opportunity feasibly deliver the anticipated benefits?
    • Is this opportunity desired by your stakeholders?

    Avoid:

    • Overly vague language. Opportunities need to be specific enough to evaluate what impact they will have.
    • Simply following what competitors are doing. Be ambitious and tailor your digital strategy to your organizational values, goals, and priorities.
    2.2

    UNDERSTAND THE IMPACT OF OPPORTUNITIES ON BUSINESS CAPABILITIES

    Understand the impact across your value chains

    Each opportunity has the potential to impact multiple areas of your business. Prioritize where to start acting on new opportunities based on your business objectives and capabilities. You need to assess their impacts across value chains. Does the opportunity impact existing value chain(s) or create a new value chain?

    Consider:

    • How well does this opportunity align with your digital vision, mission, and goals?
    • What will be the overall impact of this opportunity?
    • How urgently must you act?

    Avoid:

    • Guessing. Validate assumptions and use clear, unbiased information to make decisions. Info-Tech has extensive resources to assist in evaluating trends, opportunities, and solutions.
    • Making everything a high priority. Most organizations can only prioritize one to two initiatives at a time.

    2.1 Build an opportunity profile

    Evaluate each opportunity

    Discussion Framework:

    In your discussion, evaluate each opportunity to assess assumptions, value drivers, and benefits.

    Ideas matter, but not all ideas are created equal. Now that you have elicited opportunities, discuss the assumptions, risks, and benefits associated with each new digital opportunity.

    Design Thinking

    Leverage the guiding principles as the guardrails to limit the scope of your new digital opportunities. You may want to consider taking a design-thinking approach to innovation by discussing the merits of each opportunity based on:

    • DesirabilityDesirability: People want it. Does the solution enable the organization to meet the expectations of stakeholders?
    • Feasibility
    • Feasibility: Able to Execute. Do we have the capabilities to deliver e.g., the right skills, partners, technology, and leadership?

    • Viability
    • Viability: Delivers Value. Will this idea meet business goals e.g., cost, revenue, and benefits?

    Source: Adapted from IDEO

    Transform the Business

    Must Prioritize

    Should Plan

    Drive Digital Experiences

    Build Digital Capabilities

    High Value/Low Complexity

    • stakeholders want it
    • easy to implement
    • capabilities exist to deliver
    • creates significant value
    • strategic growth = competitive advantage

    High Value/High Complexity

    • customers want it
    • not easy to implement without carefully planning
    • need to invest in developing capabilities
    • Competitive differentiator

    Low Value/Low Complexity

    • stakeholders don’t want it
    • easy to implement but takes resources away from priority
    • some capabilities exist
    • creates marginal value
    • minimal growth

    Low Value/High Complexity

    • stakeholders don’t want it
    • difficult to implement
    • need to invest in developing capabilities
    • no real strategic growth

    Could Have

    Don’t Need

    Transform Operations

    IMPACT

    COMPLEXITY

    Source: Adapted from MoSCoW prioritization model

    Exemplar: Opportunity Profile

    Example:

    An example of a template to capture the output of discussion.

    Automate the Registration Process Around Admission, Discharge, and Transfer (ADT)

    Description of Opportunity:

    ADT is a critical function of registration that triggers patient identification to support services and billing. Currently, ADT is a heavily manual process with a high degree of errors as a result of human intervention. There is an opportunity to leverage intelligent automation by using RPA and AI.

    Alignment With Business Objectives

    Improve patient outcome

    Drive operational efficiency and effectiveness

    Better experiences for patients

    Business Architecture

    This opportunity may impact the following business capabilities:

    • Referral evaluation
    • Admission, discharge, and transfer management
    • Scheduling management
    • Patient registry management
    • Provider registry management
    • Patient billing
    • Provider billing
    • Finance management
    • EHR/EMR integration management
    • Enterprise data warehouse for reporting
    • Provincial/state quality reporting

    Benefits & Outcomes

    • Reduce errors by manual registration
    • Improve turnaround time for registration
    • Create a consistent customer experience
    • Improve capacity
    • Virtualize low-value work

    Key Risks & Assumptions

    • Need to add skills & knowledge to maintain systems
    • Perception of job loss or change by unions
    • assume documentation of standard work for automation vs. non-standard

    Opportunity Owner

    VP, Health Information Management (HIM)

    Incremental Value

    Reduce errors in patient identity

    • Next Steps
    • Investigate use cases for RPA and AI in registration
    • Build business case for funding

    2.2 Business capabilities impact

    Understand the impact on your business capabilities

    Each opportunity has the potential to impact multiple areas of your business. Prioritize where to start acting on new opportunities based on your business objectives and capabilities.

    You will need:

    Industry Reference Architecture.Industry Reference Architecture

    Activity: 1-2 hours

    1. Using your industry reference architecture, highlight the business capabilities that may be impacted by the opportunity. Use a value chain analysis approach to help with this exercise.
    2. Referring to your Prioritized Opportunities for Transformation, prioritize areas to transform. Priority should be given to low maturity areas that are highly or urgently relevant to your overall strategic goals.
    +
    Prioritized Opportunities for Transformation.Prioritized Opportunities for TransformationPrioritized Business Capability Map.

    2.2 Business capabilities impact

    Start with a value chain analysis

    This will help identify the impact on your business capabilities.

    As we identify and prioritize the opportunities available to us, we need to assess impacts on value chains. Does the opportunity directly impact an existing value chain? Or does it open us to the creation of a new value chain?

    The image contains a screenshot of the value chain analysis.

    The value chain perspective allows an organization to identify how to best minimize or enhance impacts and generate value.

    As we move from opportunity to impact, it is important to break down opportunities into the relevant pieces so we can see a holistic picture of the sources of differentiation.

    Exemplar: Prioritized Business Capability Map

    The image contains a screenshot of the exemplar prioritized business capability map.

    In this example, intelligent automation for referral and admission would create opportunity to virtualize repeatable tasks.

    Phase 3

    ETransform Stakeholder Journeys

    Understand the impact of opportunities across the value chain and possibilities of new or better stakeholder experiences.

    Phase 1Phase 2Phase 3

    Identify New Digitally Enabled Opportunities

    Evaluate Opportunities and Business Capabilities

    Transform Stakeholder Journeys

    Phase 3

    Identify opportunities to transform stakeholder experiences

    3.1 IDENTIFY STAKEHOLDER PERSONA

    Understand WHO gains value from the value chain

    To define a stakeholder scenario, you need to understand whom we are mapping for. Developing stakeholder personas is a great way to understand their needs through a lens of empathy.

    Consider:

    • Keep your stakeholder persona groupings to the core clusters typical of your industry.
    • See it from their perspective not the business’s.

    Avoid:

    • Don’t create a multitude of personas based on discrete nuances.
    3.2 BUILD A STAKEHOLDER JOURNEY

    Identify opportunities to transform the stakeholder experience

    A stakeholder or customer journey helps teams visualize the impact of a given opportunity through a value chain. This exercise uncovers the specific initiatives and features that should be considered in the evolution of the digital strategy.

    Consider:

    • Which stakeholders may be most affected by this opportunity?
    • How might stakeholders feel about a given solution as they move through the journey? What pain points can be solved?

    Avoid:

    • Simply listing steps in a process. Put yourself in the shoes of whoever’s journey you are mapping. What do they care about?
    • Choosing a stakeholder with limited involvement in the process.
    3.3 BREAKDOWN OPPORTUNITIES INTO INITIATIVES ALIGNED TO BUSINESS OBJECTIVES

    Unlock key initiatives to deliver value

    Opportunities need to be broken down into actionable initiatives that can be turned into business cases with clear goals, benefits realization, scope, work plans, and investment ask.

    Consider:

    • Multiple initiatives can be grouped into one opportunity that is similar or in phases.
    • Ensure the initiatives support and enable the business goals.

    Avoid:

    • Creating a laundry list of initiatives.
    • Initiatives that don’t align with business goals.

    Map Stakeholder Journey

    Conduct a journey mapping exercise to further refine and identify value streams to transform.

    Stakeholder Journey Mapping

    Digital Business Strategy Blueprint

    Activity: 4-6 hours

    Our analysts can guide and support you, where needed.

    1. First download the Define Your Digital Business Strategy blueprint to review the Stakeholder Journey Mapping exercise.
    2. Identify a stakeholder persona and a one-journey scenario.
    3. Map a stakeholder journey using a single persona across one-journey scenarios to identify pain points and opportunities to improve experiences and generate value.
    4. Consolidate a list of opportunities for business case prioritization.

    Key Concepts:

    Value Stream: a set of activities to create and capture value for and from the end consumer.

    Value Chain: a string of end-to-end processes that creates value for the consumer.

    Journey Scenario: a specific use case across a value chain (s).

    Members Engaged

    • CIO
    • Business Executives

    Info-Tech

    • Industry Analyst
    • Executive Advisor

    Stakeholder Persona.Stakeholder Persona

    1-Journey Use Case.1-Journey Use Case

    Map Stakeholder Journey 
Map Stakeholder Journey

    Content Leveraged

    • Stakeholder Persona
    • Journey Use Case
    • Map Stakeholder Journey

    Deliverable:

    1. Guiding principles
    2. Strategic growth opportunities

    Download the Define Your Digital Business Strategy blueprint for Customer Journey Mapping Activities

    3.1 Persona identification

    Identify a stakeholder persona and journey scenario

    From value chain to journey scenario.

    Stakeholder personas and scenarios help us build empathy towards our customers. It helps put us into the shoes of a stakeholder and relate to their experience to solve problems or understand how they experience the steps or processes required to accomplish a goal. A user persona is a valuable basis for stakeholder journey mapping.

    A stakeholder persona is a fictitious profile to represent a customer or a user segment. Creating this persona helps us understand who your customers really are and why they are using your service or product.

    A stakeholder scenario describes the situation the journey map addresses. Scenarios can be real (for existing products and services) or anticipated.

    Learn more about applying design thinking methodologies

    3.1 Persona identification

    Identify a stakeholder persona

    Who are you transforming for?

    To define a stakeholder scenario, we need to understand who we are mapping for. In each value chain, we identified a stakeholder who gains value from that value chain. We now need to develop a stakeholder persona: a representation of the end user to gain a strong understanding of who they are, what they need, and their pains and gains.

    One of the best ways to flesh out your stakeholder persona is to engage with the stakeholders directly or to gather the input of those who may engage with them within the organization.

    For example, if we want to define a journey map for a student, we might want to gather the input of students or teaching faculty that have firsthand encounters with different student types and are able to define a common student type.

    Info-Tech Insight

    Run a survey to understand your end users and develop a stronger picture of who they are and what they are seeking to gain from your organization.

    3.1 Persona identification

    Identify stakeholder scenarios to map

    For your digital strategy, leverage the existing and opportunity value chains identified in phases 1 and 2 for journey mapping.

    Identify two existing value chains to be transformed.

    In section 1, we identified existing value chains to be transformed. For example, your stakeholder persona is a registration clerk who is part of the Health Information Management team responsible for registering and adjudicating patient identity.

    The image contains a screenshot example of two existing value chains to be transformed.

    Identify one new value chain.

    In section 2, we identified a new value chain. However, for a new opportunity, the scenario is more complex as it may capture many different areas of a value chain. Subsequently, a journey map for a new opportunity may require mapping all parts of the value chain.

    The image contains a screenshot of one value chain.

    3.1 Persona identification

    Example Stakeholder Persona

    Stakeholder demographics

    Name: Anne

    Age: 35

    Occupation: HIM Clerk

    Location: Unity Hospital System

    Pains

    What are their frustrations, fears, and anxieties?

    • Volume of patients to schedule
    • Too many applications to access
    • Data quality is an error
    • Extensive manual entry of data prone to errors
    • Disruptions with calls from patients, doctors, and FOI requests

    What do they need to do?

    What do they want to get done? How will they know they are successful?

    • Automate some non-valuable tasks that can also reduce human errors. Allow patients to self-schedule online or answer FAQs via a chatbox. Would love to have a virtual triage to alleviate volume of calls and redirects.

    Gains

    What are their wants, needs, hopes, and dreams?

    • Reduce errors in data entry for patient identity (reduce manual look-ups).
    • Have standard requests go through a chatbot.
    • Have physicians automate billing through front-end speech recognition software.

    3.1 Persona identification

    Define a journey statement for mapping

    Now that we understand who we are mapping for, we need to define a journey statement to capture the stakeholder journey.

    Leverage the following format to define the journey statement.

    “As a [stakeholder], I need to [prioritized value chain task], so that I can [desired result or overall goal].”

    The image contains a screenshot of a journey statement for mapping.

    3.2 Stakeholder Journey-Map

    Leverage customer journey mapping to capture value chains to be transformed

    Conduct a journey mapping exercise to identify opportunities for innovation or automation.

    A journey-based approach helps an organization understand how a stakeholder moves through a process and interacts with the organization in the form of touch points, channels, and supporting characters. By identifying pain points in the journey and the activity types, we can identify opportunities for innovation and automation along the journey.

    The image contains a screenshot of an example of journey mapping.

    Embrace design-thinking methodologies to elevate the stakeholder journey and build a competitive advantage for your organization.

    3.2 Stakeholder Journey-Map

    Key Concepts

    0. Name: Annie Smith

    Age: 35

    Occupation: HIM Registration Clerk for Unity Hospital System

    Key Concepts.0.Stakeholder Persona

    A fictitious profile of a representative stakeholder group that shares a common yet discrete set of characteristics that embodies how they think, feel, and act.

    1. Journey (Value Chain)

    Describes the end-to-end steps or processes that a customer takes across the value chain that groups a set of activities, interactions, touch-points, and experiences.

    2. Persona’s Goals

    Exemplifies what the persona is thinking and wanting across each specific step of their journey.

    3. Nature of Activity (see detailed definition in this section)

    This section captures two key components: 1) the description of the action or interaction between the personas to achieve their goals, and 2) the classification of the activity to determine the feasibility for automation. The type is based on four main characteristics: 1) routine cognitive, 2) non-routine cognitive , 3) routine manual, and 4) non-routine manual.

    4. Type of Touch-Point

    The channel by which a persona interacts or touches products, services, the organization, or information.

    5. Key Moments & Pain Points

    Captures the emotional experience and value of the persona across each step and interaction.

    6. Metrics

    This section captures the KPIs used to measure the experience, process or activity today. Future KPIs will need to be developed to measure the opportunities.

    7. Opportunities refer to both the possible initiatives to address the persona’s pain points, and the ability to enable business goals.

    3.2 Stakeholder Journey-Map

    Opportunities for Automation: Nature of Activity

    Example
    We identified opportunities for automation

    Categorize the activity type to identify opportunities for automation. While there is no perfect framework for automation, this 4x4 matrix provides a general guide to identifying automation opportunities for consideration.

    Automation example list.Automation Quadrant Analysis

    Info-Tech Insight

    Automation is more than a 1:1 relationship between the defined task or job and automation. When considering automation, look for opportunities to: 1) streamline across multiple processes, 2) utilize artificial intelligence to augment or virtualize manual tasks, and 3) create more structured data to allow for improved data quality over the long-term.

    3.2 Stakeholder Journey-Map

    Example of stakeholder journey output: Healthcare

    Stakeholder: HIM Clerks

    Journey: Follow-up visit of 80-year-old diabetes patient at diabetic clinic outpatient

    Journey

    (Value Chain)

    AppointmentRegistrationIdentity ReconciliationEligibility VerificationTreatment Consult

    Persona’s Goals

    • Confirm appointment
    • Verify referral through provider registry
    • Request medical insurance or care card
    • Enroll patient into CIS
    • Patient registry validation
    • Secondary identification request
    • Verify eligibility through the patient registry
    • Schedule follow referrals & appointments
    • Coding for billing

    Nature of Activity

    Priority

    Priority

    Investigate – ROI

    Investigate – ROI

    Defer

    Type of Touchpoint

    • Telephone (land/mobile)
    • Email
    • CIS Application
    • Verbal
    • Patient registry system
    • Telephone
    • Patient and provider registry
    • CIS
    • Email, call, verbal
    • Physician billing
    • Hospital ERP
    • CIS
    • Paper appointments

    Pain Points & Gains

    • Volume of calls
    • Manual scheduling
    • Too many applications
    • Data entry errors
    • Limited languages
    • Too many applications
    • Data entry errors
    • Too many applications
    • Limited languages
    • Ask patients to repeat info
    • Data entry errors
    • Too many applications
    • Limited languages
    • Ask patients to repeat info
    • Patient identity not linked to physician billing
    • Manual coding entry

    Metrics

    Time to appointment

    Time to enrollment

    Patient mis-match

    Provider mis-match

    Percentage of errors in billing codes

    Opportunities

    • Patient scheduling portal (24/7)
    • Use of AI and chatbots
    • Automate patient matching index digitalization and integration
    • Automate provider matching index digitalization and integration
    • Natural language processing using front-end speech recognition software for billing

    Break opportunities into a series of initiatives aligned to business objectives

    Opportunity 1

    Virtual Registration

    »

    Business Goals

    Initiatives

    Health Outcomes

    Stakeholder Experience

    New Models of Care

    Operational Efficiency

    • Enterprise master patient index integration with patient registry
    • Intelligent automation for outpatient department
    • Customer service chat box for triage FOI1
    • Front-end speech recognition for billing (FESR)

    Opportunity 2

    Machine Learning Pre-Cancer Diagnosis

    »

    Business Goals

    Initiatives

    Health Outcomes

    Stakeholder Experience

    New Models of Care

    Operational Efficiency

    • Enterprise Datawarehouse architecture (build data lake)
    • Build genomics analytics capabilities e.g., recruitment, data-quality review
    • Implementation of machine learning software
    • Supply chain integration with ERP for medical and research supplies
    FOI = Freedom of Information

    Info-Tech Insight

    Evaluate if an opportunity will require a series of discrete activities to execute and/or if they can be a stand-alone initiative.

    Now you are ready to select and prioritize digital initiatives for business case development

    After completing all three phases of activities in this blueprint, you will have compiled a list of new and planned digital initiatives for prioritization and business case development in the next phase.

    Consolidated List of Digital Initiatives.

    Example: Consolidated List of Digital Initiatives

    The next step will focus on prioritizing and building a business case for your top digital initiatives.

    IT Roadmap for your Digital Business Strategy.

    Appendix: Additional Examples

    From trend to leapfrog ideas

    Every idea is a good one, unless you need one that works.

    Additional Examples
    Examples of leapfrog ideas that can generate opportunities for consideration

    Example 1 Finance

    Trend

    New Customer

    New Market

    New Business or Operating Model

    New Service Offering

    What trend(s) pose a significant impact on your business?

    New customer segments

    Enter or create new markets

    Adjust the business or operating model to capture change in how the business creates and delivers value

    Introduce new digital products, services, and experiences

    Open banking

    Account integrators (AISPs)

    Payment integrators
    (PISPs)

    Data monetization

    Social payments

    Example 2: Retail

    Trend

    New Customer

    New Market

    New Business or Operating Model

    New Service Offering

    What trend(s) pose a significant impact on your business?

    New customer segments

    Enter or create new markets

    Adjust the business or operating model to capture change in how the business creates and delivers value

    Introduce new digital products, services, and experiences

    Virtual cashier

    (RFID Enablement)

    Big-box retailers

    Brick & mortar stores

    Automated stores driving new customer experiences

    Digital cart

    From trend to leapfrog ideas

    Every idea is a good one, unless you need one that works.

    Additional Exemplars in Appendix

    Examples of leapfrog ideas that can generate opportunities for consideration

    Example 3:

    Manufacturing

    Trend

    New Customer

    New Market

    New Business or

    Operating Model

    New Service Offering

    What trend(s) pose a significant impact on your business?

    New customer segments

    Enter or create new markets

    Adjust the business or operating model to capture change in how the business creates and delivers value

    Introduce new digital products, services, and experiences

    IT/OT convergence

    Value-added resellers

    New geographies

    Train quality-control algorithms and sell as a service to other manufacturers

    Quality control as a service

    Case Study: International Airport

    Persona Journey Map: International/Domestic Departure

    Persona: Super Traveler

    Name: Annie Smith

    Age: 35

    Occupation: Engineer, Global Consultant

    Journey Activity Name: Inspired to Travel

    Persona’s Goals

    What Am I Thinking?

    • I am planning on traveling to Copenhagen, Denmark for work.
    • It’s my first time and I need to gather information about the destination, accommodation, costs, departure information, bag weight, etc..

    Nature of Activity

    What Am I Doing?

    • Logging onto airline website
    • Confirming departure gates

    Type of Touchpoint

    • Airport rewards program
    • Airport Website
    • Online hotel eCommerce
    • Social media
    • Transportation services on mobile

    Key moments & pain points

    How Am I Feeling?

    • Frustrated because the airport website is difficult to navigate to get information
    • Annoyed because there is no FAQ online and I have to call; there’s a long wait to speak to someone.
    • Stress & uncertainty (cancellation, logistics, insurance, etc..)

    Metrics

    • Travel dates
    • Trip price & budget

    Opportunities

    • Tailored communication based on search history
    • Specific messaging (e.g., alerts for COVID-19, changes in events, etc.)
    • Interactive VR experience that guides customers through the airport as a navigator

    Related Info-Tech Research

    Tech Trends and Priorities Research Center

    • Access Info-Tech’s Tech Trends reports and research center to learn about current industry trends, shifts in markets, and disruptions that are impacting your industry and sector. This is a great starting place to gain insights into how the ecosystem is changing your business and the impact of these changes on IT.

    Digital Business Strategy

    • Leverage Info-Tech’s Digital Business Strategy to identify opportunities to transform the customer experience.

    Industry Reference Architecture

    • Access Info-Tech’s Industry coverage to accelerate your understanding of your business capabilities and opportunities for automation.

    Contact Your Account Manager

    Research Contributors and Experts

    Joanne Lee

    Joanne Lee

    Principal, Research Director, CIO Strategy

    Info-Tech Research Group

    Kim Osborne-Rodgriguez

    Kim Osborne-Rodgriguez

    Research Director, CIO Strategy

    Info-Tech Research Group

    Joanne is an executive with over 25 years of in digital technology and management consulting across both public and private entities from solution delivery to organizational redesign across Canada and globally.

    Prior to joining Info-Tech Research Group, Joanne was a management consultant within KPMG’s CIO management consulting services and the Western Canada Digital Health Practice lead. She has held several executive roles in the industry with the most recent position as Chief Program Officer for a large $450M EHR implementation. Her expertise spans cloud strategy, organizational design, data and analytics, governance, process redesign, transformation, and PPM. She is passionate about connecting people, concepts, and capital.

    Joanne holds a Master’s in Business and Health Policy from the University of Toronto and a Bachelor of Science (Nursing) from the University of British Columbia.

    Kim is a professional engineer and Registered Communications Distribution Designer (RCDD) with over a decade of experience in management and engineering consulting spanning healthcare, higher education, and commercial sectors. She has worked on some of the largest hospital construction projects in Canada, from early visioning and IT strategy through to design, specifications, and construction administration. She brings a practical and evidence-based approach to digital transformation, with a track record of supporting successful implementations.

    Kim holds a Bachelor’s degree in Mechatronics Engineering from University of Waterloo.

    Research Contributors and Experts

    Jack Hakimian

    Jack Hakimian

    Vice President, Research

    Info-Tech Research Group

    Charl Lombard.

    Charl Lombard

    President, Digital Transformation Consulting

    Info-Tech Research Group

    Jack has more than 25 years of technology and management consulting experience. He has served multi-billion dollar organizations in multiple industries including Financial Services and Telecommunications. Jack also served a number of large public sector institutions.

    Prior to joining the Info-Tech Research Group, he worked for leading consulting players such as Accenture, Deloitte, EY, and IBM.

    Jack led digital business strategy engagements as well as corporate strategy and M&A advisory services for clients across North America, Europe, the Middle East, and Africa. He is a seasoned technology consultant who has developed IT strategies and technology roadmaps, led large business transformations, established data governance programs, and managed the deployment of mission-critical CRM and ERP applications.

    He is a frequent speaker and panelist at technology and innovation conferences and events and holds a Master’s degree in Computer Engineering as well as an MBA from the ESCP-EAP European School of Management.

    Charl has more than 20 years of professional services experience, “majoring” in digital transformation and strategic topics. He has led multiple successful Digital Transformation programs across a range of industries like Information technology, hospitality, Advanced Industries, High Tech, Entertainment, Travel and Transport, Insurance & Financial Services, Metals & Mining, Electric Power, Renewable Energy, Telecoms, Manufacturing) across different geographics (i.e., North America, EU, Africa) in both private and public sectors.

    Prior to joining Info-Tech Research Group, Charl was the Vice President of Global Product Management and Strategy (Saber Hospitality Solution), Associate President, McKinsey Transformation Practice, e-Business Practice for PwC, and tech start-up founder and investor.

    Charl is a frequent speaker at innovation and digital transformation conferences and holds an MBA from the University of Cape Town Graduate School of Business, and a bachelor’s degree from the University of Pretoria, South Africa.

    Research Contributors and Experts

    Mike Tweedie

    Mike Tweedie

    Practice Lead, CIO Strategy

    Info-Tech Research Group

    Michael Alemany

    Michael Alemany

    Vice President, Digital Transformation Consulting

    Info-Tech Research Group

    Mike Tweedie brings over 25 years of experience as a technology executive. He’s led several large transformation projects across core infrastructure, application, and IT services as the head of Technology at ADP Canada. He was also the Head of Engineering and Service Offerings for a large French IT services firm, focused on cloud adoption and complex ERP deployment and management.

    Mike holds a Bachelor’s degree in Architecture from Ryerson University.

    Michael is a leader in Info-Tech’s digital transformation consulting practice. He brings over 10 years of experience working with companies across a range of industries. His work experience includes ~4.5 years at McKinsey & Company where he led large-scale transformations for fortune 500 companies. Prior to joining Info-Tech, he worked for Sabre Corp., an SaaS platform provider for the travel and hospitality sector, leading Product Strategy & Operations. Michael holds an MBA from the Tuck School of Business at Dartmouth and a B.S in Business Strategy from Brigham Young University.

    Research Contributors and Experts

    Duane Cooney

    Duane Cooney

    Executive Counselor, Healthcare

    Info-Tech Research Group

    Denis Goulet

    Denis Goulet

    Senior Workshop Director

    Info-Tech Research Group

    Duane brings over 30 years of experiences a healthcare IT leader with a passion for the transformation of people, processes, and technology. He has led large-scale health technology transformation and operations across the enterprise. Before joining Info-Tech, Duane served as the Deputy CIO, Senior Information Technology Director, and Enterprise Architect for both public not-for-profit and private sectors. He has a Bachelors in Computer Science and is a graduate of EDS Operations. He holds certifications in EHR, LEAN/Agile, ITIL, and PMP.

    Denis is an IAF Certified Professional Facilitator who has helped organizations and technology executives develop IT strategies for small to large global enterprises. He firmly believes in a collaborative value-driven approach. Prior to joining Info-Tech Research Group, Denis held several industry positions as CIO, Chief Administrative Office (City Manager), General Manager, and Vice President of Engineering. Denis holds an MBA from Queen’s University and a Diploma in Technology Engineering and Executive Municipal Management.

    Jay Cappis.

    Jay Cappis

    Executive Advisor, Real-Estate

    Info-Tech Research Group

    Christine Brick.

    Christine Brick

    Executive Advisor, Financial Services
    Info-Tech Research Group

    Jay brings over 30 years of experience in management and technology across small and medium enterprises to large global enterprises including Exxon and Xerox. His cross-industry experience includes professional services, commercial real estate, oil and gas, digital start-ups, insurance, and aerospace. Jay has led business process improvements and change management and has expertise in software development lifecycle management and DevOps practices.

    Christine brings over 20 years in IT transformation across DevOps, infrastructure, operations, supply chain, IT Strategy, modernization, cost optimization, data management, and operational risk. She brings expertise in business transformation, mergers and acquisitions, vendor selection, and contract management.

    Bibliography

    Bhatia, AD. “Transforming through disruptions: A conversation with Dan Antonelli. Transformation Insights.” McKinsey & Company. January 31, 2022. Web
    Bertoletti, Antonella and Peter Eeles. “Use an IT Maturity Model.” IBM Garage Methodology. Web. accessed May 30, 2022.
    Catlin, Tanguy, Jay Scanlan, and Paul Willmott. “Raising your Digital Quotient.” McKinsey Quarterly. June 1, 2015. Article
    Custers, Heidi. “Digital Blueprint. Reference Architecture. Deloitte Digital.Accessed May 15, 2022.
    Coundouris, Anthony. “Reviewed: The Top 5 Digital Transformation Frameworks in 2020.” Run-frictionless Blog. Accessed May 15, 2022. Web.
    Daub, Matthias and Anna Wiesinger. “Acquiring the Capabilities you need to go digital.” Business Technology Office – McKinsey and Company. March 2015. Web.
    De La Boutetiere, Alberto Montagner and Angelika Reich. “Unlocking success in digital transformations.” McKinsey and Company. October 2018. Web.
    “Design Thinking Defined.” IDEO.com. November 21, 2022. Web.
    Dorner, Karle and David Edelman. “What ‘Digital’ really means.” McKinsey Digital. July 2015. Web
    “Everything Changed. Or Did it? Harvey Nash KPMG CIO Survey 2020.” KPMG, 2020
    Kane, Gerald C., Doug Palmer, Ahn Nguyen Phillips, David Kiron, Natasha Buckley. “Aligning the organization for its digital future.” Findings from the 2016 Digital Business Global Executive Study and Research Project. MIT Sloan Management Review. July 26, 2016. Web
    LaBerge, Laura, et al. “How COVID-19 has pushed companies over the technology tipping point—and transformed business forever.” McKinsey, 5 Oct. 2020. Accessed 14 June 2021
    Mindtools Content Team. “Cause and Effect Analysis.” Mindtools.com. November 21, 2022. Web.
    “Strategic Foresight.” OECD.org. November 21, 2022, Web
    Sall, Sherman, Dan Lichtenfeld. “The Digital ME Method. Turning digital opportunities into customer engagement and business growth.” Sygnific. 2017. Web.
    Scoblic, J. Peter. “Learning from the Future. How to make robust strategy in times of deep uncertainty.” Harvard Business Review, August 2020.
    Silva, Bernardo and Schoenwaelder, Tom. ‘Why Good Strategies fail. Addressing the three critical strategic tensions.” Deloitte Monitor Group. 2019.

    Considerations for a Hub and Spoke Model When Deploying Infrastructure in the Cloud

    • Buy Link or Shortcode: {j2store}472|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Cloud Strategy
    • Parent Category Link: /cloud-strategy
    • The organization is planning to move resources to cloud or devise a networking strategy for their existing cloud infrastructure to harness value from cloud.
    • The right topology needs to be selected to deploy network level isolation, design the cloud for management efficiencies and provide access to shared services on cloud.
    • A perennial challenge for infrastructure on cloud is planning for governance vs flexibility which is often overlooked.

    Our Advice

    Critical Insight

    Don’t wait until the necessity arises to evaluate your networking in the cloud. Get ahead of the curve and choose the topology that optimizes benefits and supports organizational needs in the present and the future.

    Impact and Result

    • Define organizational needs and understand the pros and cons of cloud network topologies to strategize for the networking design.
    • Consider the layered complexities of addressing the governance vs. flexibility spectrum for your domains when designing your networks.

    Considerations for a Hub and Spoke Model When Deploying Infrastructure in the Cloud Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Considerations for a Hub and Spoke Model When Deploying Infrastructure in the Cloud Deck – A document to guide you through designing your network in the cloud.

    What cloud networking topology should you use? How do you provide access to shared resources in the cloud or hybrid infrastructure? What sits in the hub and what sits in the spoke?

    • Considerations for a Hub and Spoke Model When Deploying Infrastructure in the Cloud Storyboard
    [infographic]

    Further reading

    Considerations for a Hub and Spoke Model When Deploying Infrastructure in the Cloud

    Don't revolve around a legacy design; choose a network design that evolves with the organization.

    Analyst Perspective

    Cloud adoption among organizations increases gradually across both the number of services used and the amount those services are used. However, network builders tend to overlook the vulnerabilities of network topologies, which leads to complications down the road, especially since the structures of cloud network topologies are not all of the same quality. A network design that suits current needs may not be the best solution for the future state of the organization.

    Even if on-prem network strategies were retained for ease of migration, it is important to evaluate and identify the cloud network topology that can not only elevate the performance of your infrastructure in the cloud, but also that can make it easier to manage and provision resources.

    An "as the need arises" strategy will not work efficiently since changing network designs will change the way data travels within your network, which will then need to be adopted to existing application architectures. This becomes more complicated as the number of services hosted in the cloud grows.

    Keep a network strategy in place early on and start designing your infrastructure accordingly. This gives you more control over your networks and eliminates the need for huge changes to your infrastructure down the road.

    This is a picture of Nitin Mukesh

    Nitin Mukesh
    Senior Research Analyst, Infrastructure and Operations
    Info-Tech Research Group

    Executive Summary

    Your Challenge

    The organization is planning to move resources to the cloud or devise a networking strategy for their existing cloud infrastructure to harness value from the cloud.

    The right topology needs to be selected to deploy network level isolation, design the cloud for management efficiencies, and provide access to shared services in the cloud.

    A perennial challenge for infrastructure in the cloud is planning for governance vs. flexibility, which is often overlooked.

    Common Obstacles

    The choice of migration method may result in retaining existing networking patterns and only making changes when the need arises.

    Networking in the cloud is still new, and organizations new to the cloud may not be aware of the cloud network designs they can consider for their business needs.

    Info-Tech's Approach

    Define organizational needs and understand the pros and cons of cloud network topologies to strategize for the networking design.

    Consider the layered complexities of addressing the governance vs. flexibility spectrum for your domains when designing your networks.

    Insight Summary

    Don't wait until the necessity arises to evaluate your networking in the cloud. Get ahead of the curve and choose the topology that optimizes benefits and supports organizational needs in the present and future.

    Your challenge

    Selecting the right topology: Many organizations migrate to the cloud retaining a mesh networking topology from their on-prem design, or they choose to implement the mesh design leveraging peering technologies in the cloud without a strategy in place for when business needs change. While there may be many network topologies for on-prem infrastructure, the network design team may not be aware of the best approach in cloud platforms for their requirements, or a cloud networking strategy may even go overlooked during the migration.

    Finding the right cloud networking infrastructure for:

    • Management efficiencies
    • Network-level isolation of resources
    • Access to shared services

    Deciding between governance and flexibility in networking design: In the hub and spoke model, if a domain is in the hub, the greater the governance over it, and if it sits in the spoke, the higher the flexibility. Having a strategy for the most important domains is key. For example, some security belongs in the hub and some security belongs in the spoke. The tradeoff here is if it sits completely in the spoke, you give it a lot of freedom, but it becomes harder to standardize across the organization.

    Mesh network topology

    A mesh is a design where virtual private clouds (VPCs) are connected to each other individually creating a mesh network. The network traffic is fast and can be redirected since the nodes in the network are interconnected. There is no hierarchical relationship between the networks, and any two networks can connect with each other directly.

    In the cloud, this design can be implemented by setting up peering connections between any two VPCs. These VPCs can also be set up to communicate with each other internally through the cloud service provider's network without having to route the traffic via the internet.

    While this topology offers high redundancy, the number of connections grows tremendously as more networks are added, making it harder to scale a network using a mesh topology.

    Mesh Network on AWS

    This is an image of a Mesh Network on AWS

    Source: AWS, 2018

    Constraints

    The disadvantages of peering VPCs into a mesh quickly arise with:

    • Transitive connections: Transitive connections are not supported in the cloud, unlike with on-prem networking. This means that if there are two networks that need to communicate, a single peering link can be set up between them. However, if there are more than two networks and they all need to communicate, they should all be connected to each other with separate individual connections.
    • Cost of operation: The lack of transitive routing requires many connections to be set up, which adds up to a more expensive topology to operate as the number of networks grows. Cloud providers also usually limit the number of peering networks that can be set up, and this limit can be hit with as few as 100 networks.
    • Management: Mesh tends to be very complicated to set up, owing to the large number of different peering links that need to be established. While this may be manageable for small organizations with small operations, for larger organizations with robust cybersecurity practices that require multiple VPCs to be deployed and interconnected for communications, mesh opens you up to multiple points of failure.
    • Redundancy: With multiple points of failure already being a major drawback of this design, you also cannot have more than one peered connection between any two networks at the same time. This makes designing your networking systems for redundancy that much more challenging.
    Number of virtual networks 10 20 50 100
    Peering links required
    [(n-1)*n]/2
    45 190 1225 4950

    Proportional relationship of virtual networks to required peering links in a mesh topology

    Case study

    INDUSTRY: Blockchain
    SOURCE: Microsoft

    An organization with four members wants to deploy a blockchain in the cloud, with each member running their own virtual network. With only four members on the team, a mesh network can be created in the cloud with each of their networks being connected to each other, adding up to a total of 12 peering connections (four members with three connections each). While the members may all be using different cloud accounts, setting up connections between them will still be possible.

    The organization wants to expand to 15 members within the next year, with each new member being connected with their separate virtual networks. Once grown, the organization will have a total of 210 peering connections since each of the virtual networks will then need 14 peering connections. While this may still be possible to deploy, the number of connections makes it harder to manage and would be that much more difficult to deploy if the organization grows to even 30 or 40 members. The new scale of virtual connections calls for an alternative networking strategy that cloud providers offer – the hub and spoke topology.

    This is an image of the connections involved in a mesh network with four participants.

    Source: Microsoft, 2017

    Hub and spoke network topology

    In hub and spoke network design, each network is connected to a central network that facilitates intercommunication between the networks. The central network, also called the hub, can be used by multiple workloads/servers/services for hosting services and for managing external connectivity. Other networks connected to the hub through network peering are called spokes and host workloads.

    Communications between the workloads/servers/services on spokes pass in or out of the hub where they are inspected and routed. The spokes can also be centrally managed from the hub with IT rules and processes.

    A hub and spoke design enable a larger number of virtual networks to be interconnected as each network only needs one peered connection (to the hub) to be able to communicate with any other network in the system.

    Hub and Spoke Network on AWS

    This is an image of the Hub and Spoke Network on AWS

    What hub and spoke networks do better

    1. Ease of connectivity: Hub and spoke decreases the liabilities of scale that come from a growing business by providing a consistent connection that can be scaled easily. As more networks are added to an organization, each will only need to be connected once – to the hub. The number of connections is considerably lower than in a mesh topology and makes it easier to maintain and manage.
    2. Business agility and scalability: It is easier to increase the number of networks than in mesh, making it easier to grow your business into new channels with less time, investment, and risk.
    3. Data collection: With a hub and spoke design, all data flows through the hub – depending on the design, this includes all ingress and egress to and from the system. This makes it an excellent central network to collect all business data.
    4. Network-level isolation: Hub and spoke enables separation of workloads and tiers into different networks. This is particularly useful to ensure an issue affecting a network or a workload does not affect the rest.
    5. Network changes: Changes to a separated network are much easier to carry out knowing the changes made will not affect all the other connected networks. This reduces work-hours significantly when systems or applications need to be altered.
    6. Compliance: Compliance requirements such as SOC 1 and SOC 2 require separate environments for production, development, and testing, which can be done in a hub and spoke model without having to re-create security controls for all networks.

    Hub and spoke constraints

    While there are plenty of benefits to using this topology, there are still a few notable disadvantages with the design.

    Point-to-point peering

    The total number of total peered connections required might be lower than mesh, but the cost of running independent projects is cheaper on mesh as point-to-point data transfers are cheaper.

    Global access speeds with a monolithic design

    With global organizations, implementing a single monolithic hub network for network ingress and egress will slow down access to cloud services that users will require. A distributed network will ramp up the speeds for its users to access these services.

    Costs for a resilient design

    Connectivity between the spokes can fail if the hub site dies or faces major disruptions. While there are redundancy plans for cloud networks, it will be an additional cost to plan and build an environment for it.

    Leverage the hub and spoke strategy for:

    Providing access to shared services: Hub and spoke can be used to give workloads that are deployed on different networks access to shared services by placing the shared service in the hub. For example, DNS servers can be placed in the hub network, and production or host networks can be connected to the hub to access it, or if the central network is set up to host Active Directory services, then servers in other networks can act as spokes and have full access to the central VPC to send requests. This is also a great way to separate workloads that do not need to communicate with each other but all need access to the same services.

    Adding new locations: An expanding organization that needs to add additional global or domestic locations can leverage hub and spoke to connect new network locations to the main system without the need for multiple connections.

    Cost savings: Apart from having fewer connections than mesh that can save costs in the cloud, hub and spoke can also be used to centralize services such as DNS and NAT to be managed in one location rather than having to individually deploy in each network. This can bring down management efforts and costs considerably.

    Centralized security: Enterprises can deploy a center of excellence on the hub for security, and the spokes connected to it can leverage a higher level of security and increase resilience. It will also be easier to control and manage network policies and networking resources from the hub.

    Network management: Since each spoke is peered only once to the hub, detecting connectivity problems or other network issues is made simpler in hub and spoke than on mesh. A network manager deployed on the cloud can give access to network problems faster than on other topologies.

    Hub and spoke – mesh hybrid

    The advantages of using a hub and spoke model far exceed those of using a mesh topology in the cloud and go to show why most organizations ultimately end up using the hub and spoke as their networking strategy.

    However, organizations, especially large ones, are complex entities, and choosing only one model may not serve all business needs. In such cases, a hybrid approach may be the best strategy. The following slides will demonstrate the advantages and use cases for mesh, however limited they might be.

    Where it can be useful:

    An organization can have multiple network topologies where system X is a mesh and system Y is a hub and spoke. A shared system Z can be a part of both systems depending on the needs.

    An organization can have multiple networks interconnected in a mesh and some of the networks in the mesh can be a hub for a hub-spoke network. For example, a business unit that works on data analysis can deploy their services in a spoke that is connected to a central hub that can host shared services such as Active Directory or NAT. The central hub can then be connected to a regional on-prem network where data and other shared services can be hosted.

    Hub and spoke – mesh hybrid network on AWS

    This is an image of the Hub and spoke – mesh hybrid network on AWS

    Why mesh can still be useful

    Benefits Of Mesh

    Use Cases For Mesh

    Security: Setting up a peering connection between two VPCs comes with the benefit of improving security since the connection can be private between the networks and can isolate public traffic from the internet. The traffic between the networks never has to leave the cloud provider's network, which helps reduce a class of risks.

    Reduced network costs: Since the peered networks communicate internally through the cloud's internal networks, the data transfer costs are typically cheaper than over the public internet.

    Communication speed: Improved network latency is a key benefit from using mesh because the peered traffic does not have to go over the public internet but rather the internal network. The network traffic between the connections can also be quickly redirected as needed.

    Higher flexibility for backend services: Mesh networks can be desirable for back-end services if egress traffic needs to be blocked to the public internet from the deployed services/servers. This also helps avoid having to set up public IP or network address translation (NAT) configurations.

    Connecting two or more networks for full access to resources: For example, consider an organization that has separate networks for each department, which don't all need to communicate with each other. Here, a peering network can be set up only between the networks that need to communicate with full or partial access to each other such as finance to HR or accounting to IT.

    Specific security or compliance need: Mesh or VPC peering can also come in handy to serve specific security needs or logging needs that require using a network to connect to other networks directly and in private. For example, global organizations that face regulatory requirements of storing or transferring data domestically with private connections.

    Systems with very few networks that do not need internet access: Workloads deployed in networks that need to communicate with each other but do not require internet access or network address translation (NAT) can be connected using mesh especially when there are security reasons to keep them from being connected to the main system, e.g. backend services such as testing environments, labs, or sandboxes can leverage this design.

    Designing for governance vs. flexibility in hub and spoke

    Governance and flexibility in managing resources in the cloud are inversely proportional: The higher the governance, the less freedom you have to innovate.

    The complexities of designing an organization's networks grow with the organization as it becomes global and takes on more services and lines of business. Organizations that choose to deploy the hub and spoke model face a dilemma in choosing between governance and flexibility for their networks. Organizations need to find that sweet spot to find the right balance between how much they want to govern their systems, mainly for security- and cost-monitoring, and how much flexibility they want to provide for innovation and other operations, since the two usually tend to have an inverse relationship.

    This decision in hub and spoke usually means that the domains chosen for higher governance must be placed in the hub network, and the domains that need more flexibility in a spoke. The key variables in the following slide will help determine the placement of the domain and will depend entirely on the organization's context.

    The two networking patterns in the cloud have layered complexities that need to be systematically addressed.

    Designing for governance vs. flexibility in hub and spoke

    If a network has more flexibility in all or most of these domains, it may be a good candidate for a spoke-heavy design; otherwise, it may be better designed in a hub-centric pattern.

    • Function: The function the domain network is assigned to and the autonomy the function needs to be successful. For example, software R&D usually requires high flexibility to be successful.
    • Regulations: The extent of independence from both internal and external regulatory constraints the domain has. For example, a treasury reporting domain typically has high internal and external regulations to adhere to.
    • Human resources: The freedom a domain has to hire and manage its resources to perform its function. For example, production facilities in a huge organization have the freedom to manage their own resources.
    • Operations: The freedom a domain has to control its operations and manage its own spending to perform its functions. For example, governments usually have different departments and agencies, each with its own budget to perform its functions.
    • Technology: The independence and the ability a domain has to manage its selection and implementation of technology resources in the cloud. For example, you may not want a software testing team to have complete autonomy to deploy resources.

    Optimal placement of services between the hub and spoke

    Shared services and vendor management

    Resources that are shared between multiple projects or departments or even by the entire organization should be hosted on the hub network to simplify sharing these services. For example, e-learning applications that may be used by multiple business units to train their teams, Active Directory accessed by most teams, or even SAAS platforms such as O365 and Salesforce can leverage buying power and drive down the costs for the organization. Shared services should also be standardized across the organization and for that, it needs to have high governance.

    Services that are an individual need for a network and have no preexisting relationship with other networks or buying power and scale can be hosted in a spoke network. For example, specialized accounting software used exclusively by the accounting team or design software used by a single team. Although the services are still a part of the wider network, it helps separate duties from the shared services network and provides flexibility to the teams to customize and manage their services to suit their individual needs.

    Network egress and interaction

    Network connections, be they in the cloud or hybrid-cloud, are used by everyone to either connect to the internet, access cloud services, or access the organization's data center. Since this is a shared service, a centralized networking account must be placed in the hub for greater governance. Interactions between the spokes in a hub and spoke model happens through the hub, and providing internet access to the spokes through the hub can help leverage cost benefits in the cloud. The network account will perform routing duties between the spokes, on-prem assets, and egress out to the internet.

    For example, NAT gateways in the cloud that are managed services are usually charged by the hour, and deploying NAT on each spoke can be harder to manage and expensive to maintain. A NAT gateway deployed in a central networking hub can be accessed by all spokes, so centralizing it is a great option.

    Note that, in some cases, when using edge locations for data transfers, it may be cost effective to deploy a NAT in the spoke, but such cases usually do not apply to most organizational units.

    A centralized network hub can also be useful to configure network policies and network resources while organizational departments can configure non-network resources, which helps separate responsibilities for all the spokes in the system. For example, subnets and routes can be controlled from the central network hub to ensure standardized network policies across the network.

    Security

    While there needs to be security in the hub and the spokes individually, finding the balance of operation can make the systems more robust. Hub and spoke design can be an effective tool for security when a principal security hub is hosted in the hub network. The central security hub can collect data from the spokes as well as non-spoke sources such as regulatory bodies and threat intelligence providers, and then share the information with the spokes.

    Threat information sharing is a major benefit of using this design, and the hub can take actions to analyze and enrich the data before sharing it with spokes. Shared services such as threat intelligence platforms (TIP) can also benefit from being centralized when stationed in the hub. A collective defense approach between the hub and spoke can be very successful in addressing sophisticated threats.

    Compliance and regulatory requirements such as HIPAA can also be placed in the hub, and the spokes connected to it can make use of it instead of having to deploy it in each spoke individually.

    Cloud metering

    The governance vs. flexibility paradigm usually decides the placement of cloud metering, i.e. if the organization wants higher control over cloud costs, it should be in the central hub, whereas if it prioritizes innovation, the spokes should be allowed to control it. Regardless of the placement of the domain, the costs can be monitored from the central hub using cloud-native monitoring tools such as Azure Monitor or any third-party software deployed in the hub.

    For ease of governance and since resources are usually shared at a project level, most cloud service providers suggest that an individual metering service be placed in the spokes. The centralized billing system of the organization, however, can make use of scale and reserved instances to drive down the costs that the spokes can take advantage of. For example, billing and access control resources are placed in the lower levels in GCP to enable users to set up projects and perform their tasks. These billing systems in the lower levels are then controlled by a centralized billing system to decide who pays for the resources provisioned.

    Don't get stuck with your on-prem network design. Design for the cloud.

    1. Peering VPCs into a mesh design can be an easy way to get onto the cloud, but it should not be your networking strategy for the long run.
    2. Hub and spoke network design offers more benefits than any other network strategy to be adopted only when the need arises. Plan for the design early on and keep a strategy in place to deploy it as early as possible.
    3. Hybrid of mesh and hub and spoke will be very useful in connecting multiple large networks especially when they need to access the same resources without having to route the traffic over the internet.
    4. Governance vs. flexibility should be a key consideration when designing for hub and spoke to leverage the best out of your infrastructure.
    5. Distribute domains across the hub or spokes to leverage costs, security, data collection, and economies of scale, and to foster secure interactions between networks.

    Cloud network design strategy

    This is an image of the framework for developing a Cloud Network Design Strategy.

    Bibliography

    Borschel, Brett. "Azure Hub Spoke Virtual Network Design Best Practices." Acendri Solutions, 13 Jan. 2022. Web.
    Singh, Garvit. "Amazon Virtual Private Cloud Connectivity Options." AWS, January 2018. Web.
    "What Is the Hub and Spoke Information Sharing Model?" Cyware, 16 Aug. 2021. Web.
    Youseff, Lamia. "Mesh and Hub-and-Spoke Networks on Azure." Microsoft, Dec. 2017. Web.

    Create a Customized Big Data Architecture and Implementation Plan

    • Buy Link or Shortcode: {j2store}388|cart{/j2store}
    • member rating overall impact: 10.0/10 Overall Impact
    • member rating average dollars saved: After each Info-Tech experience, we ask our members to quantify the real-time savings, monetary impact, and project improvements our research helped them achieve.
    • member rating average days saved: Read what our members are saying
    • Parent Category Name: Data Management
    • Parent Category Link: /data-management
    • Big data architecture is different from traditional data for several key reasons, including:
      • Big data architecture starts with the data itself, taking a bottom-up approach. Decisions about data influence decisions about components that use data.
      • Big data introduces new data sources such as social media content and streaming data.
      • The enterprise data warehouse (EDW) becomes a source for big data.
      • Master data management (MDM) is used as an index to content in big data about the people, places, and things the organization cares about.
      • The variety of big data and unstructured data requires a new type of persistence.
    • Many data architects have no experience with big data and feel overwhelmed by the number of options available to them (including vendor options, storage options, etc.). They often have little to no comfort with new big data management technologies.
    • If organizations do not architect for big data, there are a couple of main risks:
      • The existing data architecture is unable to handle big data, which will eventually result in a failure that could compromise the entire data environment.
      • Solutions will be selected in an ad hoc manner, which can cause incompatibility issues down the road.

    Our Advice

    Critical Insight

    • Before beginning to make technology decisions regarding the big data architecture, make sure a strategy is in place to document architecture principles and guidelines, the organization’s big data business pattern, and high-level functional and quality of service requirements.
    • The big data business pattern can be used to determine what data sources should be used in your architecture, which will then dictate the data integration capabilities required. By documenting current technologies, and determining what technologies are required, you can uncover gaps to be addressed in an implementation plan.
    • Once you have identified and filled technology gaps, perform an architectural walkthrough to pull decisions and gaps together and provide a fuller picture. After the architectural walkthrough, fill in any uncovered gaps. A proof-of-technology project can be started as soon as you have evaluation copies (or OSS) products and at least one person who understands the technology.

    Impact and Result

    • Save time and energy trying to fix incompatibilities between technology and data.
    • Allow the Data Architect to respond to big data requests from the business more quickly.
    • Provide the organization with valuable insights through the analytics and visualization technologies that are integrated with the other building blocks.

    Create a Customized Big Data Architecture and Implementation Plan Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Recognize the importance of big data architecture

    Big data is centered on the volume, variety, velocity, veracity, and value of data. Achieve a data architecture that can support big data.

    • Storyboard: Create a Customized Big Data Architecture and Implementation Plan

    2. Define architectural principles and guidelines while taking into consideration maturity

    Understand the importance of a big data architecture strategy. Assess big data maturity to assist with creation of your architectural principles.

    • Big Data Maturity Assessment Tool
    • Big Data Architecture Principles & Guidelines Template

    3. Build the big data architecture

    Come to accurate big data architecture decisions.

    • Big Data Architecture Decision Making Tool

    4. Determine common services needs

    What are common services?

    5. Plan a big data architecture implementation

    Gain business satisfaction with big data requests. Determine what steps need to be taken to achieve your big data architecture.

    • Big Data Architecture Initiative Definition Tool
    • Big Data Architecture Initiative Planning Tool

    Infographic

    Workshop: Create a Customized Big Data Architecture and Implementation Plan

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Recognize the Importance of Big Data Architecture

    The Purpose

    Set expectations for the workshop.

    Recognize the importance of doing big data architecture when dealing with big data.

    Key Benefits Achieved

    Big data defined.

    Understanding of why big data architecture is necessary.

    Activities

    1.1 Define the corporate strategy.

    1.2 Define big data and what it means to the organization.

    1.3 Understand why doing big data architecture is necessary.

    1.4 Examine Info-Tech’s Big Data Reference Architecture.

    Outputs

    Defined Corporate Strategy

    Defined Big Data

    Reference Architecture

    2 Design a Big Data Architecture Strategy

    The Purpose

    Identification of architectural principles and guidelines to assist with decisions.

    Identification of big data business pattern to choose required data sources.

    Definition of high-level functional and quality of service requirements to adhere architecture to.

    Key Benefits Achieved

    Key Architectural Principles and Guidelines defined.

    Big data business pattern determined.

    High-level requirements documented.

    Activities

    2.1 Discuss how maturity will influence architectural principles.

    2.2 Determine which solution type is best suited to the organization.

    2.3 Define the business pattern driving big data.

    2.4 Define high-level requirements.

    Outputs

    Architectural Principles & Guidelines

    Big Data Business Pattern

    High-Level Functional and Quality of Service Requirements Exercise

    3 Build a Big Data Architecture

    The Purpose

    Establishment of existing and required data sources to uncover any gaps.

    Identification of necessary data integration requirements to uncover gaps.

    Determination of the best suited data persistence model to the organization’s needs.

    Key Benefits Achieved

    Defined gaps for Data Sources

    Defined gaps for Data Integration capabilities

    Optimal Data Persistence technology determined

    Activities

    3.1 Establish required data sources.

    3.2 Determine data integration requirements.

    3.3 Learn which data persistence model is best suited.

    3.4 Discuss analytics requirements.

    Outputs

    Data Sources Exercise

    Data Integration Exercise

    Data Persistence Decision Making Tool

    4 Plan a Big Data Architecture Implementation

    The Purpose

    Identification of common service needs and how they differ for big data.

    Performance of an architectural walkthrough to test decisions made.

    Group gaps to form initiatives to develop an Initiative Roadmap.

    Key Benefits Achieved

    Common service needs identified.

    Architectural walkthrough completed.

    Initiative Roadmap completed.

    Activities

    4.1 Identify common service needs.

    4.2 Conduct an architectural walkthrough.

    4.3 Group gaps together into initiatives.

    4.4 Document initiatives on an initiative roadmap.

    Outputs

    Architectural Walkthrough

    Initiative Roadmap

    Get the Most Out of Your CRM

    • Buy Link or Shortcode: {j2store}537|cart{/j2store}
    • member rating overall impact: 9.7/10 Overall Impact
    • member rating average dollars saved: $31,749 Average $ Saved
    • member rating average days saved: 22 Average Days Saved
    • Parent Category Name: Customer Relationship Management
    • Parent Category Link: /customer-relationship-management
    • Application optimization is essential to stay competitive and productive in today’s digital environment.
    • Enterprise applications often involve large capital outlay, unquantified benefits, and high risk of failure.
    • Customer relationship management (CRM) application portfolios are often messy with multiple integration points, distributed data, and limited ongoing end-user training.
    • User dissatisfaction is common.

    Our Advice

    Critical Insight

    A properly optimized CRM ecosystem will reduce costs and increase productivity.

    Impact and Result

    • Build an ongoing optimization team to conduct application improvements.
    • Assess your CRM application(s) and the environment in which they exist. Take a business-first strategy to prioritize optimization efforts.
    • Validate CRM capabilities, user satisfaction, issues around data, vendor management, and costs to build out an optimization strategy.
    • Pull this all together to develop a prioritized optimization roadmap.

    Get the Most Out of Your CRM Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should optimize your CRM, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Map current-state capabilities

    Gather information around the application:

    • Get the Most Out of Your CRM Workbook

    2. Assess your current state

    Assess CRM and related environment. Perform CRM process assessment. Assess user satisfaction across key processes, applications, and data. Understand vendor satisfaction

    • CRM Application Inventory Tool

    3. Build your optimization roadmap

    Build your optimization roadmap: process improvements, software capability improvements, vendor relationships, and data improvement initiatives.

    Infographic

    Workshop: Get the Most Out of Your CRM

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Define Your CRM Application Vision

    The Purpose

    Define your CRM application vision.

    Key Benefits Achieved

    Develop an ongoing application optimization team.

    Realign CRM and business goals.

    Understand your current system state capabilities.

    Explore CRM and related costs.

    Activities

    1.1 Determine your CRM optimization team.

    1.2 Align organizational goals.

    1.3 Inventory applications and interactions.

    1.4 Define business capabilities.

    1.5 Explore CRM-related costs (optional).

    Outputs

    CRM optimization team

    CRM business model

    CRM optimization goals

    CRM system inventory and data flow

    CRM process list

    CRM and related costs

    2 Map Current-State Capabilities

    The Purpose

    Map current-state capabilities.

    Key Benefits Achieved

    Complete a CRM process gap analysis to understand where the CRM is underperforming.

    Review the CRM application portfolio assessment to understand user satisfaction and data concerns.

    Undertake a software review survey to understand your satisfaction with the vendor and product.

    Activities

    2.1 Conduct gap analysis for CRM processes.

    2.2 Perform an application portfolio assessment.

    2.3 Review vendor satisfaction.

    Outputs

    CRM process gap analysis

    CRM application portfolio assessment

    CRM software reviews survey

    3 Assess CRM

    The Purpose

    Assess CRM.

    Key Benefits Achieved

    Learn which processes you need to focus on.

    Uncover underlying user satisfaction issues to address these areas.

    Understand where data issues are occurring so that you can mitigate this.

    Investigate your relationship with the vendor and product, including that relative to others.

    Identify any areas for cost optimization (optional).

    Activities

    3.1 Explore process gaps.

    3.2 Analyze user satisfaction.

    3.3 Assess data quality.

    3.4 Understand product satisfaction and vendor management.

    3.5 Look for CRM cost optimization opportunities (optional).

    Outputs

    CRM process optimization priorities

    CRM vendor optimization opportunities

    CRM cost optimization

    4 Build the Optimization Roadmap

    The Purpose

    Build the optimization roadmap.

    Key Benefits Achieved

    Understanding where you need to improve is the first step, now understand where to focus your optimization efforts.

    Activities

    4.1 Identify key optimization areas.

    4.2 Build your CRM optimization roadmap and next steps.

    Outputs

    CRM optimization roadmap

    Further reading

    Get the Most Out of Your CRM

    In today’s connected world, continuous optimization of enterprise applications to realize your digital strategy is key.

    Get the Most Out of Your CRM

    In today’s connected world, continuous optimization of enterprise applications to realize your digital strategy is key.

    EXECUTIVE BRIEF

    Analyst Perspective

    Focus optimization on organizational value delivery.

    Customer relationship management (CRM) systems are at the core of a customer-centric strategy to drive business results. They are critical to supporting marketing, sales, and customer service efforts.

    CRM systems are expensive, their benefits are difficult to quantify, and they often suffer from poor user satisfaction. Post implementation, technology evolves, organizational goals change, and the health of the system is not monitored. This is complicated in today’s digital landscape with multiple integration points, siloed data, and competing priorities.

    Too often organizations jump into the selection of replacement systems without understanding the health of their current systems. IT leaders need to stop reacting and take a proactive approach to continually monitor and optimize their enterprise applications. Strategically realign business goals, identify business application capabilities, complete a process assessment, evaluate user adoption, and create an optimization roadmap that will drive a cohesive technology strategy that delivers results.

    This is a picture of Lisa Highfield

    Lisa Highfield
    Research Director,
    Enterprise Applications
    Info-Tech Research Group

    Executive Summary

    Your Challenge

    In today’s connected world, continuous optimization of enterprise applications to realize your digital strategy is key.

    Enterprise applications often involve large capital outlay and unquantified benefits.

    CRM application portfolios are often messy. Add to that poor processes, distributed data, and lack of training – business results and user dissatisfaction is common.

    Technology owners are often distributed across the business. Consolidation of optimization efforts is key.

    Common Obstacles

    Enterprise applications involve large numbers of processes and users. Without a clear focus on organizational needs, decisions about what and how to optimize can become complicated.

    Competing and conflicting priorities may undermine optimization value by focusing on the approaches that would only benefit one line of business rather than the entire organization.

    Teams do not have a framework to illustrate, communicate, and justify the optimization effort in the language your stakeholders understand.

    Info-Tech’s Approach

    Build an ongoing optimization team to conduct application improvements.

    Assess your CRM application(s) and the environment in which they exist. Take a business-first strategy to prioritize optimization efforts.

    Validate CRM capabilities, user satisfaction, issues around data, vendor management, and costs to build out an optimization strategy

    Pull this all together to develop a prioritized optimization roadmap.

    Info-Tech Insight

    CRM implementation should not be a one-and-done exercise. A properly optimized CRM ecosystem will reduce costs and increase productivity.

    This is an image of the thought model: Get the Most Out of Your CRM

    Insight Summary

    Continuous assessment and optimization of customer relationship management (CRM) systems is critical to their success.

    • Applications and the environments in which they live are constantly evolving.
    • Get the Most Out of Your CRM provides business and application managers a method to complete a health assessment on their CRM systems to identify areas for improvement and optimization.
    • Put optimization practices into effect by:
      • Aligning and prioritizing key business and technology drivers.
      • Identifying CRM process classification, and performing a gap analysis.
      • Measuring user satisfaction across key departments.
      • Evaluating vendor relations.
      • Understanding how data fits.
      • Pulling it all together into an optimization roadmap.

    CRM platforms are the applications that provide functional capabilities and data management around the customer experience (CX).

    Marketing, sales, and customer service are enabled through CRM technology.

    CRM technologies facilitate an organization’s relationships with customers, service users, employees, and suppliers.

    CRM technology is critical to managing the lifecycle of these relationships, from lead generation, to sales opportunities, to ongoing support and nurturing of these relationships.

    Customer experience management (CXM)

    CRM platforms sit at the core of a well-rounded customer experience management ecosystem.

    Customer Relationship Management

    • Web Experience Management Platform
    • E-Commerce & Point-of-Sale Solutions
    • Social Media Management Platform
    • Customer Intelligence Platform
    • Customer Service Management Tools
    • Marketing Management Suite

    Customer relationship management suites are one piece of the overall customer experience management ecosystem, alongside tools such as customer intelligence platforms and adjacent point solutions for sales, marketing, and customer service. Review Info-Tech’s CXM blueprint to build a complete, end-to-end customer interaction solution portfolio that encompasses CRM alongside other critical components. The CXM blueprint also allows you to develop strategic requirements for CRM based on customer personas and external market analysis.

    CRM by the numbers

    1/3

    Statistical analysis of CRM projects indicate failures vary from 18% to 69%. Taking an average of those analyst reports, about one-third of CRM projects are considered a failure.
    Source: CIO Magazine, 2017

    85%

    Companies that apply the principles of behavioral economics outperform their peers by 85% in sales growth and more than 25% in gross margin.
    Source: Gallup, 2012

    40%

    In 2019, 40% of executives name customer experience the top priority for their digital transformation.
    Source: CRM Magazine, 2019

    CRM dissatisfaction

    Drivers of Dissatisfaction

    Business Data People and Teams Technology
    • Misaligned objectives
    • Product fit
    • Changing priorities
    • Lack of metrics
    • Access to data
    • Data hygiene
    • Data literacy
    • One view of the customer
    • User adoption
    • Lack of IT support
    • Training (use of data and system)
    • Vendor relations
    • Systems integration
    • Multichannel complexity
    • Capability shortfall
    • Lack of product support

    Info-Tech Insight

    While technology is the key enabler of building strong customer experiences, there are many other drivers of dissatisfaction. IT must stand shoulder to shoulder with the business to develop a technology framework for customer relationship management.

    Marketing, Sales, and Customer Service, along with IT, can only optimize CRM with the full support of each other. The cooperation of the departments is crucial when trying to improve CRM technology capabilities and customer interaction.

    Application optimization is risky without a plan

    Avoid the common pitfalls.

    • Not considering application optimization as a business and IT partnership that requires continuous formal engagement of all participants.
    • Not having a good understanding of current state, including integration points and data.
    • Not adequately accommodating feedback and changes after digital applications are deployed and employed.
    • Not treating digital applications as a motivator for potential future IT optimization effort, and not incorporating digital assets in strategic business planning.
    • Not involving department leads, management, and other subject matter experts to facilitate the organizational change digital applications bring.

    “A successful application optimization strategy starts with the business need in mind and not from a technological point of view. No matter from which angle you look at it, modernizing a legacy application is a considerable undertaking that can’t be taken lightly. Your best approach is to begin the journey with baby steps.”
    – Ernese Norelus, Sreeni Pamidala, and Oliver Senti
    Medium, 2020

    Info-Tech’s methodology for Get the Most Out of Your CRM

    1. Map Current-State Capabilities 2. Assess Your Current State 3. Build Your Optimization Roadmap
    Phase Steps
    1. Identify stakeholders and build your CRM optimization team
    2. Build a CRM strategy model
    3. Inventory current system state
    4. Define business capabilities
    1. Conduct a gap analysis for CRM processes
    2. Assess user satisfaction
    3. Review your satisfaction with the vendor and product
    1. Identify key optimization areas
    2. Compile optimization assessment results
    Phase Outcomes
    1. Stakeholder map
    2. CRM optimization team
    3. CRM business model
    4. Strategy alignment
    5. Systems inventory and diagram
    6. Business capabilities map
    7. Key CRM processes list
    1. Gap analysis for CRM-related processes
    2. Understanding of user satisfaction across applications and processes
    3. Insight into CRM data quality
    4. Quantified satisfaction with the vendor and product
    1. Application optimization plan

    Get the Most Out of Your CRM Workbook

    Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals.

    Key deliverable:

    CRM Optimization Roadmap (Tab 8)

    This image contains a screenshot from Tab 9 of the Get the most out of your CRM WorkshopThis image contains a screenshot from Tab 9 of the Get the most out of your CRM Workshop

    Complete an assessment of processes, user satisfaction, data quality, and vendor management using the Workbook or the APA diagnostic.

    CRM Business Model (Tab 2)

    This image contains a screenshot from Tab 2 of the Get the most out of your CRM Workshop

    Align your business and technology goals and objectives in the current environment.

    Prioritized CRM Optimization Goals (Tab 3)

    This image contains a screenshot from Tab 3 of the Get the most out of your CRM Workshop

    Identify and prioritize your CRM optimization goals.

    Application Portfolio Assessment (APA)

    This image contains a screenshot of the Application Portfolio Assessment

    Assess IT-enabled user satisfaction across your CRM portfolio.

    Prioritized Process Assessment (Tab 5)

    This image contains a screenshot from Tab 5 of the Get the most out of your CRM Workshop

    Understand areas for improvement.

    Case Study

    Align strategy and technology to meet consumer demand.

    INDUSTRY - Entertainment
    SOURCE - Forbes, 2017

    Challenge

    Beginning as a mail-out service, Netflix offered subscribers a catalog of videos to select from and have mailed to them directly. Customers no longer had to go to a retail store to rent a video. However, the lack of immediacy of direct mail as the distribution channel resulted in slow adoption.

    Blockbuster was the industry leader in video retail but was lagging in its response to industry, consumer, and technology trends around customer experience

    Solution

    In response to the increasing presence of tech-savvy consumers on the internet, Netflix invested in developing its online platform as its primary distribution channel. The benefit of doing so was two-fold: passive brand advertising (by being present on the internet) and meeting customer demands for immediacy and convenience. Netflix also recognized the rising demand for personalized service and created an unprecedented, tailored customer experience.

    Results

    Netflix’s disruptive innovation is built on the foundation of great customer experience management. Netflix is now a $28-billion company, which is tenfold what Blockbuster was worth.

    Netflix used disruptive technologies to innovatively build a customer experience that put it ahead of the long-time, video rental industry leader, Blockbuster.

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    “Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.”

    Guided Implementation

    “Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.”

    Workshop

    “We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.”

    Consulting

    “Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”

    Diagnostics and consistent frameworks used throughout all four options

    Guided Implementation

    What does a typical GI on this topic look like?

    Phase 1 Phase 2 Phase 3

    Call #1: Scope requirements, objectives, and your specific challenges.

    Call #2:

    Build the CRM team.

    Align organizational goals.

    Call #4:

    Conduct gap analysis for CRM processes.

    Prepare application portfolio assessment.

    Call #5:

    Understand product satisfaction and vendor management.

    Look for CRM cost optimization opportunities (optional).

    Call #7:

    Identify key optimization areas.

    Build out optimization roadmap and next steps.

    Call #3:

    Map current state.

    Inventory CRM processes.

    Explore CRM-related costs.

    Call #6:

    Review APA results.

    A Guided Implementation (GI) is series of calls with an Info-Tech analyst to help implement our best practices in your organization.

    A typical GI is between 8 to 12 calls over the course of 4 to 6 months.

    Workshop Overview

    Contact your account representative for more information.
    workshops@infotech.com 1-888-670-8889

    Day 1 Day 2 Day 3 Day 4 Day 5
    Define Your CRM Application Vision Map Current-State Capabilities Assess CRM Build the Optimization Roadmap Next Steps and Wrap-Up (offsite)

    Activities

    1.1 Determine your CRM optimization team

    1.2 Align organizational goals

    1.3 Inventory applications and interactions

    1.4 Define business capabilities

    1.5 Explore CRM-related costs

    2.1 Conduct gap analysis for CRM processes

    2.2 Perform an application portfolio assessment

    2.3 Review vendor satisfaction

    3.1 Explore process gaps

    3.2 Analyze user satisfaction

    3.3 Assess data quality

    3.4 Understand product satisfaction and vendor management

    3.5 Look for CRM cost optimization opportunities (optional)

    4.1 Identify key optimization areas

    4.2 Build your CRM optimization roadmap and next steps

    5.1 Complete in-progress deliverables from previous four days

    5.2 Set up review time for workshop deliverables and to discuss next steps

    Deliverables
    1. CRM optimization team
    2. CRM business model
    3. CRM optimization goals
    4. CRM system inventory and data flow
    5. CRM process list
    6. CRM and related costs
    1. CRM process gap analysis
    2. CRM application portfolio assessment
    3. CRM software reviews survey
    1. CRM process optimization priorities
    2. CRM vendor optimization opportunities
    3. CRM cost optimization
    1. CRM optimization roadmap

    Phase 1

    Map Current-State Capabilities

    • 1.1 Identify Stakeholders and Build Your Optimization Team
    • 1.2 Build a CRM Strategy Model
    • 1.3 Inventory Current System State
    • 1.4 Define Business Capabilities
    • 1.5 Understand CRM Costs

    Get the Most Out of Your CRM

    This phase will walk you through the following activities:

    • Align your organizational goals
    • Gain a firm understanding of your current state
    • Inventory CRM and related applications
    • Confirm the organization’s capabilities

    This phase involves the following participants:

    • Product Owners
    • CMO
    • Departmental leads – Sales, Marketing, Customer Service, or other
    • Applications Director
    • Senior Business Analyst
    • Senior Developer
    • Procurement Analysts

    Inventory of CRM and related systems

    Develop an integration map to specify which applications will interface with each other.

    This is an image of an integration map, integrating the following Terms to CRM: Telephony Systems; Directory Services; Email; Content Management; Point Solutions; ERP

    Integration is paramount: your CRM application often integrates with other applications within the organization. Create an integration map to reflect a system of record and the exchange of data. To increase customer engagement, channel integration is a must (i.e. with robust links to unified communications solutions, email, and VoIP telephony systems).

    CRM plays a key role in the more holistic customer experience framework. However, it is heavily influenced by and often interacts with many other platforms.

    Data is one key consideration that needs to be considered here. If customer information is fragmented, it will be nearly impossible to build a cohesive view of the customer. Points of integration (POIs) are the junctions between the CRM(s) and other applications where data is flowing to and from. They are essential to creating value, particularly in customer insight-focused and omnichannel-focused deployments.

    Customer expectations are on the rise

    CRM strategy is a critical component of customer experience (CX).

    CUSTOMER EXPERIENCE

    1. Thoughtfulness is in
      Connect with customers on a personal level
    2. Service over products
      The experience is more important than the product
    3. Culture is now number one
      Culture is the most overlooked piece of customer experience strategy
    4. Engineering and service finally join forces
      Companies are combining their technology and service efforts to create
      strong feedback loops
    5. The B2B world is inefficiently served
      B2B needs to step up with more tools and a greater emphasis placed on
      customer experience

    Source: Forbes, 2019

    Build a cohesive CRM strategy that aligns business goals with CRM capabilities.

    Info-Tech Insight

    Customers expect to interact with organizations through the channels of their choice. Now more than ever, you must enable your organization to provide tailored customer experiences.

    IT is critical to the success of your CRM strategy

    Today’s shared digital landscape of the CIO and CMO

    CIO

    • IT Operations
    • Service Delivery and Management
    • IT Support
    • IT Systems and Application
    • IT Strategy and Governance
    • Cybersecurity

    Collaboration and Partnership

    • Digital Strategy = Transformation
      Business Goals | Innovation | Leadership | Rationalization
    • Customer Experience
      Architecture | Design | Omnichannel Delivery | Management
    • Insight (Market Facing)
      Analytics | Business Intelligence | Machine Learning | AI
    • Marketing Integration + Operating Model
      Apps | Channels | Experiences | Data | Command Center
    • Master Data
      Customer | Audience | Industry | Digital Marketing Assets

    CMO

    • PEO Media
    • Brand Management
    • Campaign Management
    • Marketing Tech
    • Marketing Ops
    • Privacy, Trust, and Regulatory Requirements

    Info-Tech Insight

    Technology is the key enabler of building strong customer experiences: IT must stand shoulder to shoulder with the business to develop a technology framework for customer relationship management.

    Step 1.1

    Identify Stakeholders and Build Your Optimization Team

    Activities

    1.1.1 Identify the stakeholders whose support will be critical to success

    1.1.2 Select your CRM optimization team

    Map Current-State Capabilities

    This step will walk you through the following activities:

    • Identify CRM drivers and objectives.
    • Explore CRM challenges and pain points.
    • Discover CRM benefits and opportunities.
    • Align the CRM foundation with the corporate strategy.

    This step involves the following participants:

    • Stakeholders
    • Project sponsors and leaders

    Outcomes of this step

    • Stakeholder map
    • CRM optimization team composition

    CRM optimization stakeholders

    Understand the roles necessary to get the most out of your CRM.

    Understand the role of each player within your optimization initiative. Look for listed participants on the activity slides to determine when each player should be involved.

    Info-Tech Insight

    Do not limit input or participation. Include subject matter experts and internal stakeholders at stages within the optimization initiative. Such inputs can be solicited on a one-off basis as needed. This ensures you take a holistic approach to creating your CRM optimization strategy.

    Title

    Roles Within CRM Optimization Initiative

    Optimization Sponsor

    • Owns the project at the management/C-suite level
    • Responsible for breaking down barriers and ensuring alignment with organizational strategy
    • CMO, VP od Marketing, VP of Sales, VP of Customer Care, or similar

    Optimization Initiative Manager

    • Typically IT individual(s) that oversee day-to-day operations
    • Responsible for preparing and managing the project plan and monitoring the project team’s progress
    • Applications Manager or other IT Manager, Business Analyst, Business Process Owner, or similar

    Business Leads/
    Product Owners

    • Works alongside the Optimization Initiative Manager to ensure that the strategy is aligned with business needs
    • In this case, likely to be a marketing, sales, or customer service lead
    • Product Owners
    • Sales Director, Marketing Director, Customer Care Director, or similar

    CRM Optimization Team

    • Comprised of individuals whose knowledge and skills are crucial to optimization success
    • Responsible for driving day-to-day activities, coordinating communication, and making process and design decisions
    • Project Manager, Business Lead, CRM Manager, Integration Manager, Application SMEs, Developers, Business Process Architects, and/or similar SMEs

    Steering Committee

    • Comprised of C-suite/management level individuals that act as the CRM optimization decision makers.
    • Responsible for validating goals and priorities, defining the optimization scope, enabling adequate resourcing, and managing change
    • Project Sponsor, Project Manager, Business Lead, CMO, Business Unit SMEs, or similar

    1.1.1 Identify stakeholders critical to success

    1 hour

    1. Hold a meeting to identify the stakeholders that should be included in the project’s steering committee.
    2. Finalize selection of steering committee members.
    3. Contact members to ensure their willingness to participate.
    4. Document the steering committee members and the milestone/presentation expectations for reporting project progress and results.

    Input

    • Stakeholder interviews
    • Business process owners list

    Output

    • CRM optimization stakeholders
    • Steering committee members

    Materials

    • N/A

    Participants

    • Product Owners
    • CMO
    • Departmental Leads – Sales, Marketing, Customer Service (and others)
    • Applications Director
    • Senior Business Analyst
    • Senior Developer
    • Procurement Analyst

    The CRM optimization team

    Consider the core team functions when composing the CRM optimization team. Form a cross-functional team (i.e. across IT, Marketing, Sales, Service, Operations) to create a well-aligned CRM optimization strategy.

    Don’t let your core team become too large when trying to include all relevant stakeholders. Carefully limiting the size of the optimization team will enable effective decision making while still including functional business units such as Marketing, Sales, Service, and Customer Service.

    Required Skills/Knowledge

    Suggested Optimization Team Members

    Business

    • Understanding of the customer
    • Departmental processes
    • Sales Manager
    • Marketing Manager
    • Customer Service Manager

    IT

    • Product Owner
    • Application developers
    • Enterprise architects
    • CRM Application Manager
    • Business Process Manager
    • Data Stewards
    Other
    • Operations
    • Administrative
    • Change management
    • Operations Manager
    • CFO
    • Change Management Manager

    1.1.2 Select your CRM optimization team

    30 minutes

    1. Have the CMO and other key stakeholders discuss and determine who will be involved in the CRM optimization project.
      • Depending on the initiative and the size of the organization the size of the team will vary.
      • Key business leaders in key areas – Sales, Marketing, Customer Service, and IT – should be involved.
    2. Document the members of your optimization team in the Get the Most Out of Your CRM Workbook, tab “1. Optimization Team.”
      • Depending on your initiative and size of your organization, the size of this team will vary.

    Get the Most Out of Your CRM Workbook

    Input

    • Stakeholders

    Output

    • List of CRM Optimization Team members

    Materials

    • Get the Most Out of Your CRM Workbook

    Participants

    • Product Owners
    • CMO
    • Departmental Leads – Sales, Marketing, Customer Service
    • Applications Director
    • Senior Business Analyst
    • Senior Developer
    • Procurement Analyst

    Step 1.2

    Build a CRM Strategy Model

    Activities

    • 1.2.1 Explore environmental factors and technology drivers
    • 1.2.2 Discuss challenges and pain points
    • 1.2.3 Discuss opportunities and benefits
    • 1.2.4 Align CRM strategy with organizational goals

    Map Current-State Capabilities

    This step will walk you through the following activities:

    • Identify CRM drivers and objectives.
    • Explore CRM challenges and pain points.
    • Discover the CRM benefits and opportunities.
    • Align the CRM foundation with the corporate strategy.

    This step involves the following participants:

    • CRM Optimization Team

    Outcomes of this step

    • CRM business model
    • Strategy alignment

    Align the CRM strategy with the corporate strategy

    Corporate Strategy

    Your corporate strategy:

    • Conveys the current state of the organization and the path it wants to take.
    • Identifies future goals and business aspirations.
    • Communicates the initiatives that are critical for getting the organization from its current state to the future state.

    Unified Strategy

    • The CRM optimization can be and should be linked, with metrics, to the corporate strategy and ultimate business objectives.

    CRM Strategy

    Your CRM Strategy:

    • Communicates the organization’s budget and spending on CRM.
    • Identifies IT initiatives that will support the business and key CRM objectives.
    • Outlines staffing and resourcing for CRM initiatives.

    CRM projects are more successful when the management team understands the strategic importance and the criticality of alignment. Time needs to be spent upfront aligning business strategies with CRM capabilities. Effective alignment between Sales, Marketing, Customer Service, Operations, IT, and the business should happen daily. Alignment doesn’t just need to occur at the executive level but at each level of the organization.

    Sample CRM objectives

    Increase Revenue

    Enable lead scoring

    Deploy sales collateral management tools

    Improve average cost per lead via a marketing automation tool

    Enhance Market Share

    Enhance targeting effectiveness with a CRM

    Increase social media presence via an SMMP

    Architect customer intelligence analysis

    Improve Customer Satisfaction

    Reduce time-to-resolution via better routing

    Increase accessibility to customer service with live chat

    Improve first contact resolution with customer KB

    Increase Customer Retention

    Use a loyalty management application

    Improve channel options for existing customers

    Use customer analytics to drive targeted offers

    Create Customer-Centric Culture

    Ensure strong training and user adoption programs

    Use CRM to provide 360-degree view of all customer interactions

    Incorporate the voice of the customer into product development

    Identifying organizational objectives of high priority will assist in breaking down business needs and CRM objectives. This exercise will better align the CRM systems with the overall corporate strategy and achieve buy-in from key stakeholders.

    CRM business model Template

    This image contains a screenshot of the CRM business model template

    Understand objectives for creating a strong CRM strategy

    Business Needs

    Business Drivers

    Technology Drivers

    Environmental Factors

    Definition A business need is a requirement associated with a particular business process. Business drivers can be thought of as business-level goals. These are tangible benefits the business can measure such as employee retention, operation excellence, and financial performance. Technology drivers are technological changes that have created the need for a new CRM enablement strategy. Many organizations turn to technology systems to help them obtain a competitive edge. External considerations are factors taking place outside of the organization that are impacting the way business is conducted inside the organization. These are often outside the control of the business.

    Examples

    • Audit tracking
    • Authorization levels
    • Business rules
    • Data quality
    • Employee engagement
    • Productivity
    • Operational efficiency
    • Deployment model (i.e. SaaS)
    • Integration
    • Reporting capabilities
    • Fragmented technologies
    • Economic and political factors, the labor market
    • Competitive influencers
    • Compliance regulations

    Info-Tech Insight

    One of the biggest drivers for CRM adoption is the ability to make decisions through consolidated data. This driver is a result of external considerations. Many industries today are highly competitive, uncertain, and rapidly changing. To succeed under these pressures, there needs to be timely information and visibility into all components of the organization.

    1.2.1 Explore environmental factors and technology drivers

    30 minutes

    1. Identify business drivers that are contributing to the organization’s need for CRM.
    2. Understand how the company is running today and what the organization’s future will look like. Try to identify the purpose for becoming an integrated organization. Use a whiteboard and markers to capture key findings.
    3. Consider environmental factors: external considerations, organizational drivers, technology drivers, and key functional requirements.
    4. Use the Get the Most Out of Your CRM Workbook, tab “2. Business Model,” to complete this exercise.

    Get the Most Out of Your CRM Workbook

    This is a screenshot of the CRM Business Model the following boxes highlighted in purple boxes.  CRM business Needs; Environmental Factors; Technology Drivers

    External Considerations

    Organizational Drivers

    Technology Considerations

    Functional Requirements

    • Funding Constraints
    • Regulations
    • Compliance
    • Scalability
    • Operational Efficiency
    • Data Accuracy
    • Data Quality
    • Better Reporting
    • Information Availability
    • Integration Between Systems
    • Secure Data

    Create a realistic CRM foundation by identifying the challenges and barriers to the project

    There are several different factors that may stifle the success of an CRM portfolio. Organizations creating an CRM foundation must scan their current environment to identify internal barriers and challenges.

    Common Internal Barriers

    Management Support

    Organizational Culture

    Organizational Structure

    IT Readiness

    Definition The degree of understanding and acceptance towards CRM technology and systems. The collective shared values and beliefs. The functional relationships between people and departments in an organization. The degree to which the organization’s people and processes are prepared for new CRM system(s.)

    Questions

    • Is a CRM project recognized as a top priority?
    • Will management commit time to the project?
    • Are employees resistant to change?
    • Is the organization highly individualized?
    • Is the organization centralized?
    • Is the organization highly formalized?
    • Is there strong technical expertise?
    • Is there strong infrastructure?
    Impact
    • Funding
    • Resources
    • Knowledge sharing
    • User acceptance
    • Flow of knowledge
    • Poor implementation
    • Need for reliance on consultants

    1.2.2 Discuss challenges and pain points

    30 minutes

    1. Identify challenges with current systems and processes.
    2. Brainstorm potential barriers to success. Use a whiteboard and markers to capture key findings.
    3. Consider the project barriers: functional gaps, technical gaps, process gaps, and barriers to CRM success.
    4. Use the Get the Most Out of Your CRM Workbook, tab “2. Business Model,” to complete this exercise.

    Get the Most Out of Your CRM Workbook

    This is a screenshot of the CRM Business Model the following boxes highlighted in purple boxes.  Barriers

    Functional Gaps

    Technical Gaps

    Process Gaps

    Barriers to Success

    • No sales tracking within core CRM
    • Inconsistent reporting – data quality concerns
    • Duplication of data
    • Lack of system integration
    • Cultural mindset
    • Resistance to change
    • Lack of training
    • Funding

    1.2.3 Discuss opportunities and benefits

    30 minutes

    1. Identify opportunities and benefits from an integrated system.
    2. Brainstorm potential enablers for successful CRM enablement and the ideal portfolio.
    3. Consider the project enablers: business benefits, IT benefits, organizational benefits, and enablers of CRM success.
    4. Use the Get the Most Out of Your CRM Workbook, tab “2. Business Model,” to complete this exercise.
    This is a screenshot of the CRM Business Model the following boxes highlighted in purple boxes.  Enablers

    Business Benefits

    IT Benefits

    Organizational Benefits

    Enablers of Success

    • Business-IT alignment
    • Compliance
    • Scalability
    • Operational Efficiency
    • Data Accuracy
    • Data Quality
    • Better Reporting
    • Change Management
    • Training
    • Alignment to Strategic Objectives

    1.2.4 Align CRM strategy with organizational goals

    1 hour

    1. Discuss your corporate objectives (organizational goals). Choose three to five corporate objectives that are a priority for the organization in the current year.
    2. Break into groups and assign each group one corporate objective.
    3. For each objective, produce several ways an optimized CRM system will meet the given objective.
    4. Think about the modules and CRM functions that will help you realize these benefits.
    5. Use the Get the Most Out of Your CRM Workbook, tab “2. Business Model,” to complete this exercise.
    Increase Revenue

    CRM Benefits

    • Increase sales by 5%
    • Expand to new markets
    • Offer new product
    • Identify geographies underperforming
    • Build out global customer strategy
    • Allow for customer segmentation
    • Create targeted marketing campaigns

    Input

    • Organizational goals
    • CRM strategy model

    Output

    • Optimization benefits map

    Materials

    • Get the Most Out of Your CRM Workbook

    Participants

    • Product Owners
    • CMO
    • Departmental Leads – Sales, Marketing, Customer Service
    • Applications Director
    • Senior Business Analyst
    • Senior Developer
    • Procurement Analyst

    Download the Get the Most Out of Your CRM Workbook

    Step 1.3

    Inventory Current System State

    Activities

    1.3.1 Inventory applications and interactions

    Map Current-State Capabilities

    This step will walk you through the following activities:

    • Inventory applications
    • Map interactions between systems

    This step involves the following participants:

    • CRM Optimization Team
    • Enterprise Architect
    • Data Architect

    Outcomes of this step

    • Systems inventory
    • Systems diagram

    1.3.1 Inventory applications and interactions

    1-3 hours

    1. Individually list all electronic systems involved in the organization. This includes anything related to customer information and interactions, such as CRM, ERP, e-commerce, finance, email marketing, and social media, etc.
    2. Document data flows into and out of each system to the ERP. Refer to the example on the next slide (CRM data flow).
    3. Review the processes in place (e.g. reporting, marketing, data moving into and out of systems). Document manual processes. Identify integration points. If flowcharts exist for these processes, it may be useful to provide these to the participants.
    4. If possible, diagram the system. Include information direction flow. Use the sample CRM map, if needed.

    This image contains an example of a CRM Data Flow

    CRM data flow

    This image contains an example of a CRM Data Flow

    Be sure to include enterprise applications that are not included in the CRM application portfolio. Popular systems to consider for POIs include billing, directory services, content management, and collaboration tools.

    When assessing the current application portfolio that supports CRM, the tendency will be to focus on the applications under the CRM umbrella, relating mostly to Marketing, Sales, and Customer Service. Be sure to include systems that act as input to, or benefit due to outputs from, the CRM or similar applications.

    Sample CRM map

    This image contains an example of a CRM map

    Step 1.4

    Define Business Capabilities

    Activities

    1.4.1 Define business capabilities

    1.4.2 List your key CRM processes

    Map Current-State Capabilities

    This step will walk you through the following activities:

    • Define your business capabilities
    • List your key CRM processes

    This step involves the following participants:

    • CRM Optimization Team
    • Business Architect

    Outcomes of this step

    • Business capabilities map
    • Key CRM processes list

    Business capability map (Level 0)

    This image contains a screenshot of a business capability map.  an Arrow labeled CRM points to the Revenue Generation section. Revenue Generation: Marketing; Sales; Customer Service.

    In business architecture, the primary view of an organization is known as a business capability map.

    A business capability defines what a business does to enable value creation, rather than how.

    Business capabilities:

    • Represent stable business functions.
    • Are unique and independent of each other.
    • Typically will have a defined business outcome.

    A business capability map provides details that help the business architecture practitioner direct attention to a specific area of the business for further assessment.

    Capability vs. process vs. feature

    Understanding the difference

    When examining CRM optimization, it is important we approach this from the appropriate layer.

    Capability:

    • The ability of an entity (e.g. organization or department) to achieve its objectives (APQC, 2017).
    • An ability that an organization, person, or system possesses. Typically expressed in general and high-level terms and typically require a combination of organization, people, processes, and technology to achieve (TOGAF).

    Process:

    • Can be manual or technology enabled. A process is a series of interrelated activities that convert inputs into results (outputs). Processes consume resources, require standards for repeatable performance, and respond to control systems that direct the quality, rate, and cost of performance. The same process can be highly effective in one circumstance and poorly effective in another with different systems, tools, knowledge, and people (APQC, 2017).

    Feature:

    • Is a distinguishing characteristic of a software item (e.g. performance, portability, or functionality) (IEEE, 2005).

    In today’s complex organizations, it can be difficult to understand where inefficiencies stem from and how performance can be enhanced.
    To fix problems and maximize efficiencies business capabilities and processes need to be examined to determine gaps and areas of lagging performance.

    Info-Tech’s CRM framework and industry tools such as the APQC’s Process Classification Framework can help make sense of this.

    1.4.1 Define business capabilities

    1-3 hours

    1. Look at the major functions or processes within the scope of CRM.
    2. Compile an inventory of current systems that interact with the chosen processes. In its simplest form, document your application inventory in a spreadsheet (see tab 3 of the CRM Application Inventory Tool). For large organizations, interview representatives of business domains to help create your list of applications.
    3. Make sure to include any processes that are manual versus automated.
    4. Use your current state drawing from activity 1.3.1 to link processes to applications for further effect.

    CRM Application Inventory Tool

    Input

    • Current systems
    • Key processes
    • APQC Framework
    • Organizational process map

    Output

    • List of key business processes

    Materials

    • CRM Application Inventory Tool
    • CRM APQC Framework
    • Whiteboard, PowerPoint, or flip charts
    • Pens/markers

    Participants

    • CRM Optimization Team

    CRM process mapping

    This image contains two screenshots.  one is of the business capability map seen earlier in this blueprint, and the other includes the following operating model: Objectives; Value Streams; Capabilities; Processes

    The operating model

    An operating model is a framework that drives operating decisions. It helps to set the parameters for the scope of CRM and the processes that will be supported. The operating model will serve to group core operational processes. These groupings represent a set of interrelated, consecutive processes aimed at generating a common output.

    The Value Stream

    Value Stream Defined

    Value Streams

    Design Product

    Produce Product

    Sell Product

    Customer Service

    • Manufacturers work proactively to design products and services that will meet consumer demand.
    • Products are driven by consumer demand and governmental regulations.
    • Production processes and labor costs are constantly analyzed for efficiencies and accuracies.
    • Quality of product and services are highly regulated through all levels of the supply chain.
    • Sales networks and sales staff deliver the product from the organization to the end consumer.
    • Marketing plays a key role throughout the value stream connecting consumers wants and needs to the product and services offered.
    • Relationships with consumers continue after the sale of a product and services.
    • Continued customer support and mining is important to revenue streams.

    Value streams connect business goals to the organization’s value realization activities in the marketplace. Those activities are dependent on the specific industry segment in which an organization operates.

    There are two types of value streams: core value streams and support value streams.

    • Core value streams are mostly externally facing. They deliver value to either an external or internal customer and they tie to the customer perspective of the strategy map.
    • Support value streams are internally facing and provide the foundational support for an organization to operate.

    An effective method for ensuring all value streams have been considered is to understand that there can be different end-value receivers.

    APQC Framework

    Help define your inventory of sales, marketing, and customer services processes.

    Operating Processes

    1. Develop Vision and Strategy
    2. Develop and Manage Products and Services
    3. Market and Sell Products and Services
    4. Deliver Physical Products
    5. Deliver Services

    Management and Support Processes

    1. Manage Customer Service
    2. Develop and Manage Human Capital
    3. Manage Information Technology (IT)
    4. Manage Financial Resources
    5. Acquire, Construct, and Manage Assets
    6. Manage Enterprise Risk, Compliance, Remediation, and Resiliency
    7. Manage External Relationships
    8. Develop and Manage Business Capabilities

    Source: APQC, 2020

    If you do not have a documented process model, you can use the APQC Framework to help define your inventory of sales business processes.

    APQC’s Process Classification Framework is a taxonomy of cross-functional business processes intended to allow the objective comparison of organizational performance within and among organizations.

    Go to this link

    Process mapping hierarchy

    This image includes explanations for the following PCF levels:  Level 1 - Category; Level 2 - Process Group; Level 3 - Process; Level 4 - Activity; Level 5 - Task

    APQC provides a process classification framework. It allows organizations to effectively define their processes and manage them appropriately.

    THE APQC PROCESS CLASSIFICATION FRAMEWORK (PCF)® was developed by non-profit APQC, a global resource for benchmarking and best practices, and its member companies as an open standard to facilitate improvement through process management and benchmarking, regardless of industry, size, or geography. The PCF organizes operating and management processes into 12 enterprise level categories, including process groups and over 1,000 processes and associated activities. To download the full PCF or industry-specific versions of the PCF as well as associated measures and benchmarking, visit www.apqc.org/pcf.

    Cross-industry classification framework

    Level 1 Level Level 3 Level 4

    Market and sell products and services

    Understand markets, customers, and capabilities Perform customer and market intelligence analysis Conduct customer and market research

    Market and sell products and services

    Develop sales strategy Develop sales forecast Gather current and historic order information

    Deliver services

    Manage service delivery resources Manage service delivery resource demand Develop baseline forecasts
    ? ? ? ?

    Info-Tech Insight

    Focus your initial assessment on the level 1 processes that matter to your organization. This allows you to target your scant resources on the areas of optimization that matter most to the organization and minimize the effort required from your business partners.

    You may need to iterate the assessment as challenges are identified. This allows you to be adaptive and deal with emerging issues more readily and become a more responsive partner to the business.

    1.4.2 List your key CRM processes

    1-3 hours

    1. Reflect on your organization’s CRM capabilities and processes.
    2. Refer to tab 4, “Process Importance,” in your Get the Most Out of Your CRM Workbook. You can use your own processes if you prefer. Consult tab 10. “Framework (Reference)” in the Workbook to explore additional capabilities.
    3. Use your CRM goals as a guide.

    Get the Most Out of Your CRM Workbook

    This is a screenshot from the APQC Cross-Industry Process Classification Framework, adapted to list key CRM processes

    *Adapted from the APQC Cross-Industry Process Classification Framework, 2019.

    Step 1.5

    Understand CRM Costs

    Activities

    1.5.1 List CRM-related costs (optional)

    Map Current-State Capabilities

    This step will walk you through the following activities:

    • Define your business capabilities
    • List your key CRM processes

    This step involves the following participants:

    • Finance Representatives
    • CRM Optimization Team

    Outcomes of this step

    • Current CRM and related operating costs

    1.5.1 List CRM-related costs (optional)

    3+ hours

    Before you can make changes and optimization decisions, you need to understand the high-level costs associated with your current application architecture. This activity will help you identify the types of technology and people costs associated with your current systems.

    1. Identify the types of technology costs associated with each current system:
      1. System Maintenance
      2. Annual Renewal
      3. Licensing
    2. Identify the cost of people associated with each current system:
      1. Full-Time Employees
      2. Application Support Staff
      3. Help Desk Tickets
    3. Use the Get the Most Out of Your CRM Workbook, tab “9. Costs (Optional),” to complete this exercise.

    This is a screenshot of an example of a table which lays out CRM and Associated Costs.

    Get the Most Out of Your CRM Workbook

    Phase 2

    Assess Your Current State

    • 2.1 Conduct a Gap Analysis for CRM Processes
    • 2.2 Assess User Satisfaction
    • 2.3 Review Your Satisfaction With the Vendor and Product

    Get the Most Out of Your CRM

    This phase will guide you through the following activities:

    • Determine process relevance
    • Perform a gap analysis
    • Perform a user satisfaction survey
    • Assess software and vendor satisfaction

    This phase involves the following participants:

    • CRM optimization team
    • Users across functional areas of your CRM and related technologies

    Step 2.1

    Conduct a Gap Analysis for CRM Processes

    Activities

    • 2.1.1 Determine process relevance
    • 2.1.2 Perform process gap analysis

    Assess Your Current State

    This step will walk you through the following activities:

    • Determine process relevance
    • Perform a gap analysis

    This step involves the following participants:

    • CRM optimization team

    Outcomes of this step

    • Gap analysis for CRM-related processes (current vs. desired state)

    2.1.1 Determine process relevance

    1-3 hours

    1. Open tab “4. Process Importance,” in the Get the Most Out of Your CRM Workbook.
    2. Rate each process for level of importance to your organization on the following scale:
      • Crucial
      • Important
      • Secondary
      • Unimportant
      • Not applicable

    This image contains a screenshot of tab 4 of the Get the most out of your CRM Workbook.

    Get the Most Out of Your CRM Workbook

    2.1.2 Perform process gap analysis

    1-3 hours

    1. Open tab “5. Process Assessment,” in the Get the Most Out of Your CRM Workbook.
    2. For each line item, identify your current state and your desired state on the following scale:
      • Not important
      • Poor
      • Moderate
      • Good
      • Excellent

    This is a screenshot of Tab 5 of the Get the Most Out of your CRM Workshop

    Get the Most Out of Your CRM Workbook

    Step 2.2

    Assess User Satisfaction

    Activities

    • 2.2.1 Prepare and complete a user satisfaction survey
    • 2.2.2 Enter user satisfaction

    Assess Your Current State

    This step will walk you through the following activities:

    • Preparation and completion of an application portfolio assessment (APA)
    • Entry of the user satisfaction scores into the workbook

    This step involves the following participants:

    • CRM optimization team
    • Users across functional areas of CRM and related technologies

    Outcomes of this step

    • Understanding of user satisfaction across applications and processes
    • Insight into CRM data quality

    Benefits of the Application Portfolio Assessment

    This is a screenshot of the application  Overview tab

    Assess the health of the application portfolio

    • Get a full 360-degree view of the effectiveness, criticality, and prevalence of all relevant applications to get a comprehensive view of the health of the applications portfolio.
    • Identify opportunities to drive more value from effective applications, retire nonessential applications, and immediately address at-risk applications that are not meeting expectations.

    This is a screenshot of the Finance Overview tab

    Provide targeted department feedback

    • Share end-user satisfaction and importance ratings for core IT services, IT communications, and business enablement to focus on the right end-user groups or lines of business, and ramp up satisfaction and productivity.

    This is a screenshot of the application  Overview tab

    Insight into the state of data quality

    • Data quality is one of the key issues causing poor CRM user satisfaction and business results. This can include the relevance, accuracy, timeliness, or usability of the organization’s data.
    • Targeted, open-ended feedback around data quality will provide insight into where optimization efforts should be focused.

    2.2.1 Prepare and complete a user satisfaction survey

    1 hour

    Option 1: Use Info-Tech’s Application Portfolio Assessment to generate your user satisfaction score. This tool not only measures application satisfaction but also elicits great feedback from users regarding support they receive from the IT team.

    1. Download the CRM Application Inventory Tool.
    2. Complete the “Demographics” tab (tab 2).
    3. Complete the “Inventory” tab (tab 3).
      1. Complete the inventory by treating each process within the organization as a separate row. Use the processes identified in the process gap analysis as a reference.
      2. Treat every department as a separate column in the department section. Feel free to add, remove, or modify department names to match your organization.
      3. Include data quality for all applications applicable.

    Option 2: Use the method of choice to elicit current user satisfaction for each of the processes identified as important to the organization.

    1. List processes identified as important (from the Get the Most Out of Your CRM Workbook, tab 4, “Process Importance”).
    2. Gather user contact information by department.
    3. Ask users to rate satisfaction: Extremely Satisfied, Satisfied, Neutral, Dissatisfied, and Extremely Dissatisfied (on Get the Most Out of Your CRM Workbook, tab 5. “Process Assessment”).

    This image contains a screenshot of the CRM Application Inventory Tool Tab

    Understand user satisfaction across capabilities and departments within your organization.

    Download the CRM Application Inventory Tool

    2.2.2 Enter user satisfaction

    20 minutes

    Using the results from the Application Portfolio Assessment or your own user survey:

    1. Open your Get the Most Out of Your CRM Workbook, tab “5. Process Assessment.”
    2. For each process, record up to three different department responses.
    3. Enter the answers to the survey for each line item using the drop-down options:
      • Extremely Satisfied
      • Satisfied
      • Neutral
      • Dissatisfied
      • Extremely Dissatisfied

    This is a screenshot of Tab 5 of the Get the most out of your CRM Workbook

    Understand user satisfaction across capabilities and departments within your organization.

    Get the Most Out of Your CRM Workbook

    Step 2.3

    Review Your Satisfaction With the Vendor and Product

    Activities

    2.3.1 Rate your vendor and product satisfaction

    2.3.2 Enter SoftwareReviews scores from your CRM Product Scorecard (optional)

    Assess Your Current State

    This step will walk you through the following activities:

    • Rate your vendor and product satisfaction
    • Compare with survey data from SoftwareReviews

    This step involves the following participants:

    • CRM Owner(s)
    • Procurement Representative
    • Vendor Contracts Manager

    Outcomes of this step

    • Quantified satisfaction with vendor and product

    Use a SoftwareReviews Product Scorecard to evaluate your satisfaction compared to other organizations.

    This is a screenshot of the SoftwareReviews Product Scorecard

    Source: SoftwareReviews, March 2019

    Where effective IT leaders spend their time

    This image contains two lists.  One list is where CIOs with  data-verified=80% satisfaction score, and the other list is CIOs with <80% satisfaction score.">

    Info-Tech Insight

    The data shows that effective IT leaders invest a significant amount of time (8%) on vendor management initiatives.

    Be proactive in managing you calendar and block time for these important tasks.

    CIOs who prioritize vendor management see improved results

    Analysis of CIOs’ calendars revealed that how CIOs spend their time has a correlation to both stakeholder IT satisfaction and CEO-CIO alignment.

    Those CIOs that prioritized vendor management were more likely to have a business satisfaction score greater than 80%.

    This image demonstrates that CIOs who spend time with the team members of their direct reports delegate management responsibilities to direct reports and spend less time micromanaging, and CIOs who spend time on vendor management align rapidly changing business needs with updated vendor offerings.

    2.3.1 Rate your vendor and product satisfaction

    30 minutes

    Use Info-Tech’s vendor satisfaction survey to identify optimization areas with your CRM product(s) and vendor(s).

    Option 1 (recommended): Conduct a satisfaction survey using SoftwareReviews. This option allows you to see your results in the context of the vendor landscape.

    Download the Get the Most Out of Your CRM Workbook

    Option 2: Use your Get the Most Out of Your CRM Workbook, tab “6. Vendor Optimization,” to review your satisfaction with your software.

    SoftwareReviews’ Customer Relationship Management

    This is a screenshot of tab 6 of the Get the most out of your CRM Workbook.

    2.3.2 Enter SoftwareReviews scores (optional)

    30 minutes

    1. Download the scorecard for your CRM product from the SoftwareReviews website. (Note: Not all products are represented or have sufficient data, so a scorecard may not be available.)
    2. Use your Get the Most Out of Your CRM Workbook, tab “6. Vendor Optimization,” to record the scorecard results.
    3. Use your Get the Most Out of Your CRM Workbook, tab “6. Vendor Optimization,” to flag areas where your score may be lower than the product scorecard. Brainstorm ideas for optimization.

    Download the Get the Most Out of Your CRM Workbook

    SoftwareReviews’ Customer Relationship Management

    This is a screenshot of the optional vendor optimization scorecard

    Phase 3

    Build Your Optimization Roadmap

    • 3.1 Identify Key Optimization Areas
    • 3.2 Compile Optimization Assessment Results

    Get the Most Out of Your CRM

    This phase will walk you through the following activities:

    • Identify key optimization areas
    • Create an optimization roadmap

    This phase involves the following participants:

    • CRM Optimization Team

    Build your optimization roadmap

    Address process gaps

    • CRM and related technologies are invaluable to sales, marketing, and customer service enablement, but they must have supported processes driven by business goals.
    • Identify areas where capabilities need to be improved and work towards.

    Support user satisfaction

    • The best technology in the world won’t deliver business results if it is not working for the users who need it.
    • Understand concerns, communicate improvements, and support users in all roles.

    Improve data quality

    • Data quality is unique to each business unit and requires tolerance, not perfection.
    • Implement a set of data quality initiatives that are aligned with overall business objectives and aimed at addressing data practices and the data itself.

    Proactively manage vendors

    • Vendor management is a critical component of technology enablement and IT satisfaction.
    • Assess your current satisfaction against those of your peers and work towards building a process that is best fit for your organization.

    Info-Tech Insight

    Enabling a high-performing, customer-centric sales, marketing, and customer service operations program requires excellent management practices and continuous optimization efforts.

    Technology portfolio and architecture is important, but we must go deeper. Taking a holistic view of CRM technologies in the environments in which they operate allows for the inclusion of people and process improvements – this is key to maximizing business results.

    Using a formal CRM optimization initiative will drive business-IT alignment, identify IT automation priorities, and dig deep into continuous process improvement.

    Step 3.1

    Identify Key Optimization Areas

    Activities

    • 3.1.1 Explore process gaps
    • 3.1.2 Analyze user satisfaction
    • 3.1.3 Assess data quality
    • 3.1.4 Analyze product satisfaction and vendor management

    Build Your Optimization Roadmap

    This step will guide you through the following activities:

    • Explore existing process gaps
    • Identify the impact of processes on user satisfaction
    • Identify the impact of data quality on user satisfaction
    • Review your overall product satisfaction and vendor management

    This step involves the following participants:

    • CRM Optimization Team

    Outcomes of this step

    • Application optimization plan

    3.1.1 Explore process gaps

    1 hour

    1. Review the compiled CRM Process Assessment in the Get the Most Out of Your CRM Workbook, tab “7. Process Prioritization.”
    2. These are processes you should prioritize.
    • The activities in the rest of Step 3.1 help you create optimization strategies for the different areas of improvement these processes relate to: user satisfaction, data quality, product satisfaction, and vendor management.
  • Consolidate your optimization strategies in the Get the Most Out of Your CRM Workbook, tab “8. Optimization Roadmap.” (See next slide for screenshot.)
  • This image consists of the CRM Process Importance Rankings

    Get the Most Out of Your CRM Workbook

    Plan your product optimization strategy for each area of improvement

    This is a screenshot from the Get the most out of your CRM Workbook, with the Areas of Improvement column  highlighted in a red box.

    3.1.2 Analyze user satisfaction

    1 hour

    1. Use the APA survey results from activity 2.2.1 (or your own internal survey) to identify areas where the organization is performing low in user satisfaction across the CRM portfolio.
      1. Understand application portfolio and IT service satisfaction.
      2. Identify cost savings opportunities from unused or unimportant apps.
      3. Build a roadmap for improving user IT services.
      4. Manage needs by department and seniority.
    2. Consolidate your optimization strategies in the Get the Most Out of Your CRM Workbook, tab “8. Optimization Roadmap.” (See next slide for screenshot.)

    this is an image of the Business & IT Communications Overview Tab from the Get the Most Out of Your CRM Workbook

    Get the Most Out of Your CRM Workbook

    Plan your user satisfaction optimization strategy

    This is a screenshot from the Get the most out of your CRM Workbook, with the Optimization Strategies column  highlighted in a red box.

    Next steps in improving your data quality

    Data Quality Management Effective Data Governance Data-Centric Integration Strategy Extensible Data Warehousing
    • Prevention is ten times cheaper than remediation. Stop fixing data quality with band-aid solutions and start fixing it by healing it at the source of the problem.
    • Data governance enables data-driven insight. Think of governance as a structure for making better use of data.
    • Every enterprise application involves data integration. Any change in the application and database ecosystem requires you to solve a data integration problem.
    • A data warehouse is a project; but successful data warehousing is a program. An effective data warehouse requires planning beyond the technology implementation.
    • Data quality is unique to each business unit and requires tolerance, not perfection. If the data allows the business to operate at the desired level, don’t waste time fixing data that may not need to be fixed.
    • Collaboration is critical. The business may own the data, but IT understands the data. Data governance will not work unless the business and IT work together.
    • Data integration is becoming more and more critical for downstream functions of data management and for business operations to be successful. Poor integration holds back these critical functions.
    • Governance, not technology, needs to be the core support system for enabling a data warehouse program.
    • Implement a set of data quality initiatives that are aligned with overall business objectives and aimed at addressing data practices and the data itself.
    • Data governance powers the organization up the data value chain through policies and procedures, master data management, data quality, and data architecture.
    • Build your data integration practice with a firm foundation in governance and reference architecture. Ensure your process is scalable and sustainable.
    • Leverage an approach that focuses on constructing a data warehouse foundation that can address a combination of operational, tactical, and ad hoc business needs.
    • Develop a prioritized data quality improvement project roadmap and long-term improvement strategy.
    • Create a roadmap to prioritize initiatives and delineate responsibilities among data stewards, data owners, and members of the data governance steering committee.
    • Support the flow of data through the organization and meet the organization’s requirements for data latency, availability, and relevancy.
    • Invest time and effort to put together pre-project governance to inform and provide guidance to your data warehouse implementation.
    • Build related practices with more confidence and less risk after achieving an appropriate level of data quality.
    • Ensure buy-in from the business and IT stakeholders. Communicate initiatives to end users and executives to reduce resistance.
    • Data availability must be frequently reviewed and repositioned to continue to grow with the business.
    • Select the most suitable architecture pattern to ensure the data warehouse is “built right” at the very beginning.

    Build Your Data Quality Program

    Establish Data Governance

    Build a Data Integration Strategy

    Build an Extensible Data Warehouse Foundation

    3.1.3 Assess data quality

    1 hour

    1. Use your APA survey results (if available) to identify areas where the organization is performing low in data quality initiatives. Common areas for improvement include:
      • Overall data quality management
      • Effective data governance
      • Poor data integration
      • The need to implement extensible data warehousing
    2. Consolidate your optimization strategies in the Get the Most Out of Your CRM Workbook, tab “8. Optimization Roadmap.” (See next slide for screenshot.)

    This is an image of the Business & IT Communications Overview tab from the Get the most out of your CRM Workbook

    Get the Most Out of Your CRM Workbook

    Plan your data quality optimization strategy

    This is a screenshot from the Get the most out of your CRM Workbook, with the Optimization Strategies column  highlighted in a red box.

    Use Info-Tech’s vendor management initiative (VMI)

    Create a right-size, right-fit strategy for managing the vendors relevant to your organization.

    A crowd chart is depicted, with quadrants for strategic value, and Vendor spend/switching cost.

    Info-Tech Insight

    A VMI is a formalized process within an organization, responsible for evaluating, selecting, managing, and optimizing third-party providers of goods and services.

    The amount of resources you assign to managing vendors depends on the number and value of your organization’s relationships. Before optimizing your vendor management program around the best practices presented in this blueprint, assess your current maturity and build the process around a model that reflects the needs of your organization.

    Info-Tech uses VMI interchangeably with the terms “vendor management office (VMO),” “vendor management function,” “vendor management process,” and “vendor management program.”

    Jump Start Your Vendor Management Initiative

    3.1.4 Analyze product satisfaction and vendor management

    1 hour

    1. Use the Get the Most Out of Your CRM Workbook, tab “6. Vendor Optimization.”
    2. Download the SoftwareReviews Vendor Scorecard.
    3. Using the scorecards, compare your results with those of your peers.
    4. Consolidate areas of improvement and optimization strategies in the Get the Most Out of Your CRM Workbook, tab “8. Optimization Roadmap.” (See next slide for screenshot.)

    See previous slide for help around implementing a vendor management initiative.

    This is a screenshot from the Get the most out of your CRM Workbook, with the Areas for Optimization column  highlighted in a red box.

    Get the Most Out of Your CRM Workbook

    Plan your vendor management optimization strategy

    This is a screenshot from the Get the most out of your CRM Workbook, with the Optimization Strategies column  highlighted in a red box.

    Step 3.2

    Compile Optimization Assessment Results

    Activities

    • 3.2.1 Identify key optimization areas

    Build Your Optimization Roadmap

    This step will guide you through the following activities:

    • Use your work from previous activities and prioritization to build your list of optimization activities and lay them out on a roadmap

    This step involves the following participants:

    • CRM Optimization Team

    Outcomes of this step

    • Application optimization plan

    3.2.1 Identify key optimization areas

    1-3 hours

    Before you can make changes and optimization decisions, you need to understand the high-level costs associated with your current application architecture. This activity will help you identify the types of technology and people costs associated with your current systems.

    1. Consolidate your findings and identify optimization priorities (Step 3.1).
    2. Prioritize those most critical to the organization, easiest to change, and whose impact will be highest.
    3. Use the information gathered from exercise 1.5.1 on Get the Most Out of Your CRM Workbook, tab “9. Costs (Optional).”
    4. These costs could affect the priority or timeline of the initiatives. Consolidate your thoughts on your Get the Most Out of Your CRM Workbook, tab 8, “Optimization Roadmap.” Note: There is no column specific to costs on tab 8.

    This is meant as a high-level roadmap. For formal, ongoing optimization project management, refer to “Build a Better Backlog” (Phase 2 of the Info-Tech blueprint Deliver on Your Digital Product Vision).

    This is a screenshot from the Get the most out of your CRM Workbook, with the Priority; Owner; and Timeline columns highlighted in a red box.

    Next steps: Manage your technical debt

    Use a holistic assessment of the “interest” paid on technical debt to quantify and prioritize risk and enable the business make better decisions.

    • Technical debt is an IT risk, which in turn is a category of business risk.
    • The business must decide how to manage business risk.
    • At the same time, business decision makers may not be aware of technical debt or be able to translate technical challenges into business risk. IT must help the business make decisions around IT risk by describing the risk of technical debt in business terms and by outlining the options available to address risk.
    • Measure the ongoing business impact (the “interest” paid on technical debt) to establish the business risk of technical debt. Consider a range of possible impacts including direct costs, lost goodwill, lost flexibility and resilience, and health, safety, and compliance impacts.
    • When weighing these impacts, the business may choose to accept the risk of technical debt if the cost of addressing the debt outweighs the benefit. But it’s critically important that the business accepts that risk – not IT.

    Manage Your Technical Debt

    Take it a step further…

    Deliver on Your Digital Product Vision

    Phase 2: Build a Better Product Backlog

    Build a structure for your backlog that supports your product vision.

    Deliver on Your Digital Product Vision

    Build a better backlog

    An ongoing CRM optimization effort is best facilitated through a continuous Agile process. Use info-Tech’s developed tools to build out your backlog.

    The key to a better backlog is a common structure and guiding principles that product owners and product teams can align to.

    Info-Tech Insight

    Exceptional customer value begins with a clearly defined backlog focused on items that will create the greatest human and business benefits.

    Activity Participants

    Backlog Activity

    Quality Filter

    Product Manager

    Product Owner

    Dev Team

    Scrum Master

    Business

    Architects

    Sprint

    Sprint Planning

    “Accepted”

    Ready

    Refine

    “Ready”

    Qualified

    Analysis

    “Qualified”

    Ideas

    Intake

    “Backlogged”

    A product owner and the product backlog are critical to realize the benefits of Agile development

    A product owner is accountable for defining and prioritizing the work that will be of the greatest value to the organization and its customers. The backlog is the key to facilitating this process and accomplishing the most fundamental goals of delivery.

    For more information on the role of a product owner, see Build a Better Product Owner.

    Highly effective Agile teams spend 28% of their time on product backlog management and roadmapping (Quantitative Software Management, 2015).

    1. Manage Stakeholders

    • Stakeholders need to be kept up to speed on what the future holds for a product, or at least they should be heard. This task falls to the product owner.

    2. Inform and Protect the Team

    • The product owner is a servant leader of the team. They need to protect the team from all the noise and give them the time they need to focus on what they do best: develop.

    3. Maximize Value to the Product

    • Sifting through all of these voices and determining what is valuable, or what is most valuable, falls to the product owner.

    A backlog stores and organizes PBIs at various stages of readiness.

    Your backlog must give you a holistic understanding of demand for change in the product

    A well-formed backlog can be thought of as a DEEP backlog:

    Detailed Appropriately: PBIs are broken down and refined as necessary.

    Emergent: The backlog grows and evolves over time as PBIs are added and removed.

    Estimated: The effort a PBI requires is estimated at each tier.

    Prioritized: The PBI’s value and priority are determined at each tier.

    Ideas; Qualified; Ready

    3 - IDEAS

    Composed of raw, vague, and potentially large ideas that have yet to go through any formal valuation.

    2 - QUALIFIED

    Researched and qualified PBIs awaiting refinement.

    1 - READY

    Discrete, refined PBIs that are ready to be placed in your development teams’ sprint plans.

    Summary of Accomplishment

    Get the Most Out of Your CRM

    CRM technology is critical to facilitate an organization’s relationships with customers, service users, employees, and suppliers. CRM implementation should not be a one-and-done exercise. There needs to be an ongoing optimization to enable business processes and optimal organizational results.

    Get the Most Out of Your CRM allows organizations to proactively implement continuous assessment and optimization of a customer relationship management system. This includes:

    • Alignment and prioritization of key business and technology drivers
    • Identification of CRM processes including classification and gap analysis
    • Measurement of user satisfaction across key departments
    • Improved vendor relations
    • Data quality initiatives

    This formal CRM optimization initiative will drive business-IT alignment, identify IT automation priorities, and dig deep into continuous process-improvement.

    If you would like additional support, have our analysts guide you through other phases as part of an Info-Tech Workshop.

    Contact your account representative for more information

    workshops@infotech.com
    1-866-670-8889

    Research Contributors

    Ben Dickie

    Ben Dickie
    Research Practice Lead
    Info-Tech Research Group

    Ben Dickie is a Research Practice Lead at Info-Tech Research Group. His areas of expertise include customer experience management, CRM platforms, and digital marketing. He has also led projects pertaining to enterprise collaboration and unified communications.

    Scott Bickley

    Scott Bickley
    Practice Lead & Principal Research Director
    Info-Tech Research Group

    Scott Bickley is a Practice Lead & Principal Research Director at Info-Tech Research Group focused on vendor management and contract review. He also has experience in the areas of IT asset management (ITAM), software asset management (SAM), and technology procurement, along with a deep background in operations, engineering, and quality systems management.

    Andy Neil

    Andy Neil
    Practice Lead, Applications
    Info-Tech Research Group

    Andy is Senior Research Director, Data Management and BI, at Info-Tech Research Group. He has over 15 years of experience in managing technical teams, information architecture, data modeling, and enterprise data strategy. He is an expert in enterprise data architecture, data integration, data standards, data strategy, big data, and the development of industry-standard data models.

    Bibliography

    Armel, Kate. “Data-driven Estimation, Management Lead to High Quality.” Quantitative Software Management Inc. 2015. Web.

    Chappuis, Bertil, and Brian Selby. “Looking beyond Technology to Drive Sales Operations.” McKinsey & Company, 24 June 2016. Web.

    Cross-Industry Process Classification Framework (PCF) Version 7.2.1. APQC, 26 Sept. 2019. Web.

    Fleming, John, and Hater, James. “The Next Discipline: Applying Behavioral Economics to Drive Growth and Profitability.” Gallup, 22 Sept. 2012. Accessed 6 Oct. 2020.

    Hinchcliffe, Dion. “The evolving role of the CIO and CMO in customer experience.” ZDNet, 22 Jan. 2020. Web.

    Karlsson, Johan. “Backlog Grooming: Must-Know Tips for High-Value Products.” Perforce. 18 May 2018. Web. Feb. 2019.

    Klie, L. “CRM Still Faces Challenges, Most Speakers Agree: CRM systems have been around for decades, but interoperability and data siloes still have to be overcome.” CRM Magazine, vol. 23, no. 5, 2019, pp. 13-14.

    Kumar, Sanjib, et al. “Improvement of CRM Using Data Mining: A Case Study at Corporate Telecom Sector.” International Journal of Computer Applications, vol. 178, no. 53, 2019, pp. 12-20, doi:10.5120/ijca2019919413.

    Morgan, Blake. “50 Stats That Prove The Value Of Customer Experience.” Forbes, 24 Sept. 2019. Web.

    Norelus, Ernese, et al. “An Approach to Application Modernization: Discovery and Assessment Phase.” IBM Garage, Medium, 24 Feb 2020. Accessed 4 Mar. 2020.

    “Process Frameworks.” APQC, 4 Nov. 2020. Web.

    “Process vs. Capability: Understanding the Difference.” APCQ, 2017. Web.

    Rubin, Kenneth S. "Essential Scrum: A Practical Guide to the Most Popular Agile Process." Pearson Education, 2012.

    Savolainen, Juha, et al. “Transitioning from Product Line Requirements to Product Line Architecture.” 29th Annual International Computer Software and Applications Conference (COMPSAC'05), IEEE, vol. 1, 2005, pp. 186-195, doi: 10.1109/COMPSAC.2005.160

    Smith, Anthony. “How To Create A Customer-Obsessed Company Like Netflix.” Forbes, 12 Dec. 2017. Web.

    “SOA Reference Architecture – Capabilities and the SOA RA.” The Open Group, TOGAF. Web.

    Taber, David. “What to Do When Your CRM Project Fails.” CIO Magazine, 18 Sept. 2017. Web.

    “Taudata Case Study.” Maximizer CRM Software, 17 Jan. 2020. Web.

    Switching Software Vendors Overwhelmingly Drives Increased Satisfaction

    • Buy Link or Shortcode: {j2store}612|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Selection & Implementation
    • Parent Category Link: /selection-and-implementation

    Organizations risk being locked in a circular trap of inertia from auto-renewing their software. With inertia comes complacency, leading to a decrease in overall satisfaction. Indeed, organizations are uniformly choosing to renew their software – even if they don’t like the vendor!

    Our Advice

    Critical Insight

    Renewal is an opportunity cost. Switching poorly performing software substantially drives increased satisfaction, and it potentially lowers vendor costs in the process. To realize maximum gains, it’s essential to have a repeatable process in place.

    Impact and Result

    Realize the benefits of switching by using Info-Tech’s five action steps to optimize your vendor switching processes:

    1. Identify switch opportunities.
    2. Evaluate your software.
    3. Build the business case.
    4. Optimize selection method.
    5. Plan implementation.

    Switching Software Vendors Overwhelmingly Drives Increased Satisfaction Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Why you should consider switching software vendors

    Use this outline of key statistics to help make the business case for switching poorly performing software.

    • Switching Existing Software Vendors Overwhelmingly Drives Increased Satisfaction Storyboard

    2. How to optimize your software vendor switching process

    Optimize your software vendor switching processes with five action steps.

    [infographic]

    Manage Poor Performance While Working From Home

    • Buy Link or Shortcode: {j2store}599|cart{/j2store}
    • member rating overall impact: 9.0/10 Overall Impact
    • member rating average dollars saved: $1,600 Average $ Saved
    • member rating average days saved: 18 Average Days Saved
    • Parent Category Name: Manage & Coach
    • Parent Category Link: /manage-coach
    • For many, emergency WFH comes with several new challenges such as additional childcare responsibilities, sudden changes in role expectations, and negative impacts on wellbeing. These new challenges, coupled with previously existing ones, can result in poor performance. Owing to the lack of physical presence and cues, managers may struggle to identify that an employee’s performance is suffering. Even after identifying poor performance, it can be difficult to address remotely when such conversations would ideally be held in person.

    Our Advice

    Critical Insight

    • Poor performance must be managed, despite the pandemic. Evaluating root causes of performance issues is more important than ever now that personal factors such as lack of childcare and eldercare for those working from home are complicating the issue.

    Impact and Result

    • Organizations need to have a clear process for improving performance for employees working remotely during the COVID-19 pandemic. Provide managers with resources to help them identify performance issues and uncover their root causes as part of addressing overall performance. This will allow managers to connect employees with the required support while working with them to improve performance.

    Manage Poor Performance While Working From Home Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Follow the remote performance improvement process

    Determine how managers can identify poor performance remotely and help them navigate the performance improvement process while working from home.

    • Manage Poor Performance While Working From Home Storyboard
    • Manage Poor Performance While Working From Home: Manager Guide
    • Manage Poor Performance While Working From Home: Infographic

    2. Clarify roles and leverage resources

    Clarify roles and responsibilities in the performance improvement process and tailor relevant resources.

    • Wellness and Working From Home
    [infographic]

    Further reading

    Manage Poor Performance While Working From Home

    Assess and improve remote work performance with our ready-to-use tools.

    Executive Summary

    McLean & Company Insight

    Poor performance must be managed, despite the pandemic. Evaluating root causes of performance issues is more important than ever now that personal factors such as lack of childcare and eldercare for those working from home are complicating the issue.

    Situation

    COVID-19 has led to a sudden shift to working from home (WFH), resulting in a 72% decline in in-office work (Ranosa, 2020). While these uncertain times have disrupted traditional work routines, employee performance remains critical, as it plays a role in determining how organizations recover. Managers must not turn a blind eye to performance issues but rather must act quickly to support employees who may be struggling.

    Complication

    For many, emergency WFH comes with several new challenges such as additional childcare responsibilities, sudden changes in role expectations, and negative impacts on wellbeing. These new challenges, coupled with previously existing ones, can result in poor performance. Owing to the lack of physical presence and cues, managers may struggle to identify that an employee’s performance is suffering. Even after identifying poor performance, it can be difficult to address remotely when such conversations would ideally be held in person.

    Solution

    Organizations need to have a clear process for improving performance for employees working remotely during the COVID-19 pandemic. Provide managers with resources to help them identify performance issues and uncover their root causes as part of addressing overall performance. This will allow managers to connect employees with the required support while working with them to improve performance.

    Manage Poor Performance While Working From Home is made up of the following resources:

    1

    Identify

    2

    Initiate

    3

    Deploy

    4

    a) Follow Up
    b) Decide
    Storyboard

    This storyboard is organized by the four steps of the performance improvement process: identify, initiate, deploy, and follow up/decide. These will appear on the left-hand side of the slides as a roadmap.

    The focus is on how HR can design the process for managing poor performance remotely and support managers through it while emergency WFH measures are in place. Key responsibilities, email templates, and relevant resources are included at the end.

    Adapt the process as necessary for your organization.

    Manager Guide

    The manager guide contains detailed advice for managers on navigating the process and focuses on the content of remote performance discussions.

    It consists of the following sections:

    • Identifying poor performance.
    • Conducting performance improvement discussions.
    • Uncovering and addressing root causes of poor performance.
    Manager Infographic

    The manager infographic illustrates the high-level steps of the performance improvement process for managers in a visually appealing and easily digestible manner.

    This can be used to easily outline the process, providing managers with a resource to quickly reference as they navigate the process with their direct reports.

    In this blueprint, “WFH” and “remote working” are used interchangeably.

    This blueprint will not cover the performance management framework; it is solely focused on managing performance issues.

    For information on adjusting the regular performance management process during the pandemic, see Performance Management for Emergency Work-From-Home.

    Identify how low performance is normally addressed

    A process for performance improvement is not akin to outlining the steps of a performance improvement plan (PIP). The PIP is a development tool used within a larger process for performance improvement. Guidance on how to structure and use a PIP will be provided later in this blueprint.

    Evaluate how low performance is usually brought to the attention of HR in a non-remote situation:
    • Do managers approach HR for an employee transfer or PIP without having prior performance conversations with the employee?
    • Do managers come to HR when they need support in developing an employee in order to meet expectations?
    • Do managers proactively reach out to HR to discuss appropriate L&D for staff who are struggling?
    • Do some departments engage with the process while others do not?
    Poor performance does not signal the immediate need to terminate an employee. Instead, managers should focus on helping the struggling employee to develop so that they may succeed.
    Evaluate how poor performance is determined:
    • Do managers use performance data or concrete examples?
    • Is it based on a subjective assessment by the manager?
    Keep in mind that “poor performance” now might look different than it did before the pandemic. Employees must be aware of the current expectations placed on them before they can be labeled as underperforming – and the performance expectations must be assessed to ensure they are realistic.

    For information on adjusting performance expectations during the pandemic, see Performance Management for Emergency Work-From-Home.

    The process for non-union and union employees will likely differ. Make sure your process for unionized employees aligns with collective agreements.

    Determine how managers can identify poor performance of staff working remotely

    1

    Identify

    2

    Initiate

    3

    Deploy

    4

    a) Follow Up
    b) Decide
    Identify: Determine how managers can identify poor performance.
    In person, it can be easy to see when an employee is struggling by glancing over at their desk and observing body language. In a remote situation, this can be more difficult, as it is easy to put on a brave face for the half-hour to one-hour check-in. Advise managers on how important frequent one-one-ones and open communication are in helping identify issues when they arise rather than when it’s too late.

    Managers must clearly document and communicate instances where employees aren’t meeting role expectations or are showing other key signs that they are not performing at the level expected of them.

    What to look for:
    • PM data/performance-related assessments
    • Continual absences
    • Decreased quality or quantity of output
    • Frequent excuses (e.g. repeated internet outages)
    • Lack of effort or follow-through
    • Missed deadlines
    • Poor communication or lack of responsiveness
    • Failure to improve
    It’s crucial to acknowledge an employee might have an “off week” or need time to adjust to working from home, which can be addressed with performance management techniques. Managers should move into the process for performance improvement when:
    • Performance fluctuates frequently or significantly.
    • Performance has dropped for an extended period of time.
    • Expectations are consistently not being met.

    While it’s important for managers to keep an eye out for decreased performance, discourage them from over-monitoring employees, as this can lead to a damaging environment of distrust.

    Support managers in initiating performance conversations and uncovering root causes

    1

    Identify

    2

    Initiate

    3

    Deploy

    4

    a) Follow Up
    b) Decide
    Initiate: Require that managers have several conversations about low performance with the employee.
    Before using more formal measures, ensure managers take responsibility for connecting with the employee to have an initial performance conversation where they will make the performance issue known and try to diagnose the root cause of the issue.

    Coach managers to recognize behaviors associated with the following performance inhibitors:

    Personal Factors

    Personal factors, usually outside the workplace, can affect an employee’s performance.

    Lack of clarity

    Employees must be clear on performance expectations before they can be labeled as a poor performer.

    Low motivation

    Lack of motivation to complete work can impact the quality of output and/or amount of work an employee is completing.

    Inability

    Resourcing, technology, organizational change, or lack of skills to do the job can all result in the inability of an employee to perform at their best.

    Poor people skills

    Problematic people skills, externally with clients or internally with colleagues, can affect an employee’s performance or the team’s engagement.

    Personal factors are a common performance inhibitor due to emergency WFH measures. The decreased divide between work and home life and the additional stresses of the pandemic can bring up new cases of poor performance or exacerbate existing ones. Remind managers that all potential root causes should still be investigated rather than assuming personal factors are the problem and emphasize that there can be more than one cause.

    Ensure managers continue to conduct frequent performance conversations

    Once an informal conversation has been initiated, the manager should schedule frequent one-on-one performance conversations (above and beyond performance management check-ins).

    1

    Identify

    2

    Initiate

    3

    Deploy

    4

    a) Follow Up
    b) Decide
    Explain to managers the purpose of these discussions is to:
    • Continue to probe for root causes.
    • Reinforce role expectations and performance targets.
    • Follow up on any improvements.
    • Address the performance issue and share relevant resources (e.g. HR or employee assistance program [EAP]).
    Given these conversations will be remote, require managers to:
    • Use video whenever possible to read physical cues and body language.
    • Bookend the conversation. Starting each meeting by setting the context for the discussion and finishing with the employee reiterating the key takeaways back will ensure there are no misunderstandings.
    • Document the conversation and share with HR. This provides evidence of the conversations and helps hold managers accountable.
    What is HR’s role? HR should ensure that the manager has had multiple conversations with the employee before moving to the next step. Furthermore, HR is responsible for ensuring manages are equipped to have the conversations through coaching, role-playing, etc.

    For more information on the content of these conversations or for material to leverage for training purposes, see Manage Poor Performance While Working From Home: Manager Guide.

    McLean & Company Insight

    Managers are there to be coaches, not therapists. Uncovering the root cause of poor performance will allow managers to pinpoint supports needed, either within their expertise (e.g. coaching, training, providing flexible hours) or by directing the employee to proper external resources such as an EAP.

    Help managers use formal performance improvement tools with remote workers

    1

    Identify

    2

    Initiate

    3

    Deploy

    4

    a) Follow Up
    b) Decide
    Deploy: Use performance improvement tools.
    If initial performance conversations were unsuccessful and performance does not improve, refer managers to performance improvement tools:
    • Suggest any other available support and resources they have not yet recommended (e.g. EAP).
    • Explore options for co-creation of a development plan to increase employee buy-in. If the manager has been diligent about clarifying role expectations, invite the employee to put together their own action plan for meeting performance goals. This can then be reviewed and finalized with the manager.
    • Have the manager use a formal PIP for development and to get the employee back on track. Review the development plan or PIP with the manager before they share it with the employee to ensure it is clear and has time bound, realistic goals for improvement.
    Using a PIP solely to avoid legal trouble and terminate employees isn’t true to its intended purpose. This is what progressive discipline is for.In the case of significant behavior problems, like breaking company rules or safety violations, the manager will likely need to move to progressive discipline. HR should advise managers on the appropriate process.

    When does the issue warrant progressive discipline? If the action needs to stop immediately, (e.g. threatening or inappropriate behavior) and/or as outlined in the collective agreement.

    Clarify remote PIP stages and best practices

    1

    Identify

    2

    Initiate

    3

    Deploy

    4

    a) Follow Up
    b) Decide
    Sample Stages:
    1. Written PIP
    • HR reviews and signs off on PIP
    • Manager holds meeting to provide employee with PIP
    • Employee reviews the PIP
    • Manager and employee provide e-signatures
    • Signed PIP is given to HR
    2. Possible Extension
    3. Final Notice
    • Manager provides employee with final notice if there has been no improvement in agreed time frame
    • Copy of signed final notice letter given to HR

    Who is involved?

    The manager runs the meeting with the employee. HR should act as a support by:

    • Ensuring the PIP is clear, aligned with the performance issue, and focused on development, prior to the meeting.
    • Pointing to resources and making themselves available prior to, during, and after the meeting.
      • When should HR be involved? HR should be present in the meeting if the manager has requested it or if the employee has approached HR beforehand with concerns about the manager. Keep in mind that if the employee sees HR has been unexpectedly invited to the video call, it could add extra stress for them.
    • Reviewing documentation and ensuring expectations and the action plan are reasonable and realistic.

    Determine the length of the PIP

    • The length of the initial PIP will often depend on the complexity of the employee’s role and how long it will reasonably take to see improvements. The minimum (before a potential extension) should be 30-60 days.
    • Ensure the action plan takes sustainment into account. Employees must be able to demonstrate improvement and sustain improved performance in order to successfully complete a PIP.

    Timing of delivery

    Help the manager determine when the PIP meeting will occur (what day, time of day). Take into account the schedule of the employee they will be meeting with (e.g. avoid scheduling right before an important client call).

    1

    Identify

    2

    Initiate

    3

    Deploy

    4

    a) Follow Up
    b) Decide

    Follow up: If the process escalated to step 3 and is successful.

    What does success look like? Performance improvement must be sustained after the PIP is completed. It’s not enough to simply meet performance improvement goals and expectations; the employee must continue to perform.

    Have the manager schedule a final PIP review with the employee. Use video, as this enables the employee and manager to read body language and minimize miscommunication/misinterpretation.

    • If performance expectations have been met, instruct managers to document this in the PIP, inform the employee they are off the PIP, and provide it to HR.

    The manager should also continue check-ins with the employee to ensure sustainment and as part of continued performance management.

    • Set a specific timeline, e.g. every two weeks or every month. Choose a cadence that works best for the manager and employee.

    OR

    Decide: Determine action steps if the process is unsuccessful.

    If at the end of step 3 performance has not sufficiently improved, the organization (HR and the manager) should either determine if the employee could/should be temporarily redeployed while the emergency WFH is still in place, if a permanent transfer to a role that is a better fit is an option, or if the employee should be let go.

    See the Complete Manual for COVID-19 Layoffs blueprint for information on layoffs in remote environments.

    Managers, HR, and employees all have a role to play in performance improvement

    Managers
    • Identify the outcomes the organization is looking for and clearly outline and communicate the expectations for the employee’s performance.
    • Diagnose root cause(s) of the performance issue.
    • Support employee through frequent conversations and feedback.
    • Coach for improved performance.
    • Visibly recognize and broadcast employee achievements.
    Employees
    • Have open and honest conversations with their manager, acknowledge their accountability, and be receptive to feedback.
    • Set performance goals to meet expectations of the role.
    • Prepare for frequent check-ins regarding improvement.
    • Seek support from HR as required.
    HR
    • Provide managers with a process, training, and support to improve employee performance.
    • Coach managers to ensure employees have been made aware of their role expectations and current performance and given specific recommendations on how to improve.
    • Reinforce the process for improving employee performance to ensure that adequate coaching conversations have taken place before the formal PIP.
    • Coach employees on how to approach their manager to discuss challenges in meeting expectations.

    HR should conduct checkpoints with both managers and employees in cases where a formal PIP was initiated to ensure the process for performance improvement is being followed and to support both parties in improving performance.

    Email templates

    Use the templates found on the next slides to draft communications to employees who are underperforming while working from home.

    Customize all templates with relevant information and use them as a guide to further tailor your communication to a specific employee.

    Customization Recommendations

    Review all slides and adjust the language or content as needed to suit the needs of the employee, the complexity of their role, and the performance issue.

    • The pencil icon to the left denotes slides requiring customization of the text. Customize text in grey font and be sure to convert all font to black when you are done.

    Included Templates

    1. Performance Discussion Follow-Up
    2. PIP Cover Letter

    This template is not a substitute for legal advice. Ensure you consult with your legal counsel, labor relations representative, and union representative to align with collective agreements and relevant legislation.

    Sample Performance Discussion Follow-Up

    Hello [name],

    Thank you for the commitment and eagerness in our meeting yesterday.

    I wanted to recap the conversation and expectations for the month of [insert month].

    As discussed, you have been advised about your recent [behavior, performance, attendance, policy, etc.] where you have demonstrated [state specific issue with detail of behavior/performance of concern]. As per our conversation, we’ll be working on improvement in this area in order to meet expectations set out for our employees.

    It is expected that employees [state expectations]. Please do not hesitate to reach out to me if there is further clarification needed or you if you have any questions or concerns. The management team and I are committed to helping you achieve these goals.

    We will do a formal check-in on your progress every [insert day] from [insert time] to review your progress. I will also be available for daily check-ins to support you on the right track. Additionally, you can book me in for desk-side coaching outside of my regular desk-side check-ins. If there is anything else I can do to help support you in hitting these goals, please let me know. Other resources we discussed that may be helpful in meeting these objectives are [summarize available support and resources]. By working together through this process, I have no doubt that you can be successful. I am here to provide support and assist you through this.

    If you’re unable to show improvements set out in our discussion by [date], we will proceed to a formal performance measure that will include a performance improvement plan. Please let me know if you have any questions or concerns; I am here to help.

    Please acknowledge this email and let me know if you have any questions.

    Thank you,

    PIP Cover Letter

    Hello [name] ,

    This is to confirm our meeting on [date] in which we discussed your performance to date and areas that need improvement. Please find the attached performance improvement plan, which contains a detailed action plan that we have agreed upon to help you meet role expectations over the next [XX days]. The aim of this plan is to provide you with a detailed outline of our performance expectations and provide you the opportunity to improve your performance, with our support.

    We will check in every [XX days] to review your progress. At the end of the [XX]-day period, we will review your performance against the role expectations set out in this performance improvement plan. If you don’t meet the performance requirements in the time allotted, further action and consequences will follow.

    Should you have any questions about the performance improvement plan or the process outlined in this document, please do not hesitate to discuss them with me.

    [Employee name], it is my personal objective to help you be a fully productive member of our team. By working together through this performance improvement plan, I have no doubt that you can be successful. I am here to provide support and assist you through the process. At this time, I would also like to remind you about the [additional resources available at your organization, for example, employee assistance program or HR].

    Please acknowledge this email and let me know if you have any questions.

    Thank you,

    Prepare and customize manager guide and resources

    Sample of Manage Poor Performance While Working From Home: Manager Guide. Manage Poor Performance While Working From Home: Manager Guide

    This tool for managers provides advice on navigating the process and focuses on the content of remote performance discussions.

    Sample of Set Meaningful Employee Performance Measures. Set Meaningful Employee Performance Measures

    See this blueprint for information on setting holistic measures to inspire employee performance.

    Sample of Manage Poor Performance While Working From Home: Infographic. Manage Poor Performance While Working From Home: Infographic

    This tool illustrates the high-level steps of the performance improvement process.

    Sample of Wellness and Working From Home: Infographic. Wellness and Working From Home: Infographic

    This tool highlights tips to manage physical and mental health while working from home.

    Sample of Build a Better Manager: Team Essentials. Build a Better Manager: Team Essentials

    See this solution set for more information on kick-starting the effectiveness of first-time IT managers with essential management skills.

    Sample of Leverage Agile Goal Setting for Improved Employee Engagement & Performance. Leverage Agile Goal Setting for Improved Employee Engagement & Performance

    See this blueprint for information on dodging the micromanaging foul and scoring with agile short-term goal setting.

    Bibliography

    Arringdale, Chris. “6 Tips For Managers Trying to Overcome Performance Appraisal Anxiety.” TLNT. 18 September 2015. Accessed 2018.

    Borysenko, Karlyn. “What Was Management Thinking? The High Cost of Employee Turnover.” Talent Management and HR. 22 April 2015. Accessed 2018.

    Cook, Ian. “Curbing Employee Turnover Contagion in the Workplace.” Visier. 20 February 2018. Accessed 2018.

    Cornerstone OnDemand. Toxic Employees in the Workplace. Santa Monica, California: Cornerstone OnDemand, 2015. Web.

    Dewar, Carolyn and Reed Doucette. “6 elements to create a high-performing culture.” McKinsey & Company. 9 April 2018. Accessed 2018.

    Eagle Hill. Eagle Hill National Attrition Survey. Washington, D.C.: Eagle Hill, 2015. Web.

    ERC. “Performance Improvement Plan Checklist.” ERC. 21 June 2017. Accessed 2018.

    Foster, James. “The Impact of Managers on Workplace Engagement and Productivity.” Interact. 16 March 2017. Accessed 2018.

    Godwins Solicitors LLP. “Employment Tribunal Statistics for 2015/2016.” Godwins Solicitors LLP. 8 February 2017. Accessed 2018.

    Mankins, Michael. “How to Manage a Team of All-Stars.” Harvard Business Review. 6 June 2017. Accessed 2018.

    Maxfield, David, et al. The Value of Stress-Free Productivity. Provo, Utah: VitalSmarts, 2017. Web.

    Murphy, Mark. “Skip Your Low Performers When Starting Performance Appraisals.” Forbes. 21 January 2015. Accessed 2018.

    Quint. “Transforming into a High Performance Organization.” Quint Wellington Redwood. 16 November 2017. Accessed 2018.

    Ranosa, Rachel. "COVID -19: Canadian Productivity Booms Despite Social Distancing." Human Resources Director, 14 April 2020. Accessed 2020.

    Reinforce End-User Security Awareness During Your COVID-19 Response

    • Buy Link or Shortcode: {j2store}311|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Endpoint Security
    • Parent Category Link: /endpoint-security

    Without the control over the areas in which employees are working, businesses are opening themselves up to a greater degree of risk during the pandemic. How does a business raise awareness for employees who are going to be working remotely?

    Our Advice

    Critical Insight

    • An expanding remote workforce requires training efforts to evolve to include the unique security threats that face remote end users.
    • By presenting security as a personal and individualized issue, you can make this new personal focus a driver for your organizational security awareness and training program.

    Impact and Result

    • Teach remote end users how to recognize current cyberattacks before they fall victim and turn them into active barriers against cyberattacks.
    • Use Info-Tech’s blueprint and materials to build a customized training program that uses best practices.

    Reinforce End-User Security Awareness During Your COVID-19 Response Research & Tools

    Start here

    COVID-19 is forcing many businesses to expand their remote working capabilities further than before. Using this blueprint, see how to augment your existing training or start from scratch during a remote work situation.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    • Reinforce End-User Security Awareness During Your COVID-19 Response Storyboard
    • Security Awareness and Training Program Development Tool
    • Security Awareness and Training Metrics Tool
    • End-User Security Knowledge Test Template

    1. Training Materials

    Use Info-Tech’s training materials to get you started on remote training and awareness.

    • Training Materials – Phishing
    • Training Materials – Incident Response
    • Training Materials – Cyber Attacks
    • Training Materials – Web Usage
    • Training Materials – Physical Computer Security
    • Training Materials – Mobile Security
    • Training Materials – Passwords
    • Training Materials – Social Engineering
    • Security Training Email Templates
    [infographic]

    The Small Enterprise Guide to People and Resource Management

    • Buy Link or Shortcode: {j2store}602|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Train & Develop
    • Parent Category Link: /train-and-develop
    • 52% of small business owners agree that labor quality is their most important problem, and 76% of executives expect the talent market to get even more challenging.
    • The problem? You can't compete on salary, training budgets are slim, you need people skilled in all areas, and even one resignation represents a large part of your workforce.

    Our Advice

    Critical Insight

    • The usual, reactive approach to workforce management is risky:
      • Optimizing tactics helps you hire faster, train more, and negotiate better contracts.
      • But fulfilling needs as they arise costs more, has greater risk of failure, and leaves you unprepared for future needs.
    • In a small enterprise where every resource counts, in which one hire represents 10% of your workforce, it is essential to get it right.

    Impact and Result

    • Workforce planning helps you anticipate future needs.
    • More lead time means better decisions at lower cost.
    • Small Enterprises benefit most, since every resource counts.

    The Small Enterprise Guide to People and Resource Management Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. The Small Enterprise Guide to People and Resource Management Deck – Find out why workforce planning is critical for small enterprises.

    Use this storyboard to lay the foundation of people and resources management practices in your small enterprise IT department.

    • The Small Enterprise Guide to People and Resource Management – Phases 1-3

    2. Workforce Planning Workbook – Use the tool to successfully complete all of the activities required to define and estimate your workforce needs for the future.

    Use these concise exercises to analyze your department’s talent current and future needs and create a skill sourcing strategy to fill the gaps.

    • Workforce Planning Workbook for Small Enterprises

    3. Knowledge Transfer Tools – Use these templates to identify knowledge to be transferred.

    Work through an activity to discover key knowledge held by an employee and create a plan to transfer that knowledge to a successor.

    • IT Knowledge Identification Interview Guide Template
    • IT Knowledge Transfer Plan Template

    4. Development Planning Tools – Use these tools to determine priority development competencies.

    Assess employees’ development needs and draft a development plan that fits with key organizational priorities.

    • IT Competency Library
    • Leadership Competencies Workbook
    • IT Employee Career Development Workbook
    • Individual Competency Development Plan
    • Learning Methods Catalog for IT Employees

    Infographic

    Workshop: The Small Enterprise Guide to People and Resource Management

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Lay Your Foundations

    The Purpose

    Set project direction and analyze workforce needs.

    Key Benefits Achieved

    Planful needs analysis ensures future workforce supports organizational goals.

    Activities

    1.1 Set workforce planning goals and success metrics.

    1.2 Identify key roles and competency gaps.

    1.3 Conduct a risk analysis to identify future needs.

    1.4 Determine readiness of internal successors.

    Outputs

    Work with the leadership team to:

    Extract key business priorities.

    Set your goals.

    Assess workforce needs.

    2 Create Your Workforce Plan

    The Purpose

    Conduct a skill sourcing analysis, and determine competencies to develop internally.

    Key Benefits Achieved

    A careful analysis ensures skills are being sourced in the most efficient way, and internal development is highly aligned with organizational objectives.

    Activities

    2.1 Determine your skill sourcing route.

    2.2 Determine priority competencies for development.

    Outputs

    Create a workforce plan.

    2.Determine guidelines for employee development.

    3 Plan Knowledge Transfer

    The Purpose

    Discover knowledge to be transferred, and build a transfer plan.

    Key Benefits Achieved

    Ensure key knowledge is not lost in the event of a departure.

    Activities

    3.1 Discover knowledge to be transferred.

    3.2 Identify the optimal knowledge transfer methods.

    3.3 Create a knowledge transfer plan.

    Outputs

    Discover tacit and explicit knowledge.

    Create a knowledge transfer roadmap.

    4 Plan Employee Development

    The Purpose

    Create a development plan for all staff.

    Key Benefits Achieved

    A well-structured development plan helps engage and retain employees while driving organizational objectives.

    Activities

    4.1 Identify target competencies & draft development goals

    4.2 Select development activities and schedule check-ins.

    4.3 Build manager coaching skills.

    Outputs

    Assess employees.

    Prioritize development objectives.

    Plan development activities.

    Build management skills.

    Further reading

    The Small Enterprise Guide to People and Resource Management

    Quickly start getting the right people, with the right skills, at the right time

    Is this research right for you?

    Research Navigation

    Managing the people in your department is essential, whether you have three employees or 300. Depending on your available time, resources, and current workforce management maturity, you may choose to focus on the overall essentials, or dive deep into particular areas of talent management. Use the questions below to help guide you to the right Info-Tech resources that best align with your current needs.

    Question If you answered "no" If you answered "yes"

    Does your IT department have fewer than 15 employees, and is your organization's revenue less than $25 million (USD)?

    Review Info-Tech's archive of research for mid-sized and large enterprise clients.

    Follow the guidance in this blueprint.

    Does your organization require a more rigorous and customizable approach to workforce management?

    Follow the guidance in this blueprint.

    Review Info-Tech's archive of research for mid-sized and large enterprise clients.

    Analyst Perspective

    Workforce planning is even more important for small enterprises than large organizations.

    It can be tempting to think of workforce planning as a bureaucratic exercise reserved for the largest and most formal of organizations. But workforce planning is never more important than in small enterprises, where every individual accounts for a significant portion of your overall productivity.

    Without workforce planning, organizations find themselves in reactive mode, hiring new staff as the need arises. They often pay a premium for having to fill a position quickly or suffer productivity losses when a critical role goes unexpectedly vacant.

    A workforce plan helps you anticipate these challenges, come up with solutions to mitigate them, and allocate resources for the most impact, which means a greater return on your workforce investment in the long run.

    This blueprint will help you accomplish this quickly and efficiently. It will also provide you with the essential development and knowledge transfer tools to put your plan into action.

    This is a picture of Jane Kouptsova

    Jane Kouptsova
    Senior Research Analyst, CIO Advisory
    Info-Tech Research Group

    Executive Summary

    Your Challenge

    52% of small business owners agree that labor quality is their most important problem.1

    Almost half of all small businesses face difficulty due to staff turnover.

    76% of executives expect the talent market to get even more challenging.2

    Common Obstacles

    76% of executives expect workforce planning to become a top strategic priority for their organization.2

    But…

    30% of small businesses do not have a formal HR function.3

    Small business leaders are often left at a disadvantage for hiring and retaining the best talent, and they face even more difficulty due to a lack of support from HR.

    Small enterprises must solve the strategic workforce planning problem, but they cannot invest the same time or resources that large enterprises have at their disposal.

    Info-Tech's Approach

    A modular, lightweight approach to workforce planning and talent management, tailored to small enterprises

    Clear activities that guide your team to decisive action

    Founded on your IT strategy, ensuring you have not just good people, but the right people

    Concise yet comprehensive, covering the entire workforce lifecycle from competency planning to development to succession planning and reskilling

    Info-Tech Insight

    Every resource counts. When one hire represents 10% of your workforce, it is essential to get it right.

    1CNBC & SurveyMonkey. 2ADP. 3Clutch.

    Labor quality is small enterprise's biggest challenge

    The key to solving it is strategic workforce planning

    Strategic workforce planning (SWP) is a systematic process designed to identify and address gaps in today's workforce, including pinpointing the human capital needs of the future.

    Linking workforce planning with strategic planning ensures that you have the right people in the right positions, in the right places, at the right time, with the knowledge, skills, and attributes to deliver on strategic business goals.

    SWP helps you understand the makeup of your current workforce and how well prepared it is or isn't (as the case may be) to meet future IT requirements. By identifying capability gaps early, CIOs can prepare to train or develop current staff and minimize the need for severance payouts and hiring costs, while providing clear career paths to retain high performers.

    52%

    of small business owners agree that labor quality is their most important problem.1

    30%

    30% of small businesses have no formal HR function.2

    76%

    of senior leaders expect workforce planning to become the top strategic challenge for their organization.3

    1CNBC & SurveyMonkey. 2Clutch. 3ADP.

    Workforce planning matters more for small enterprises

    You know that staffing mistakes can cost your department dearly. But did you know the costs are greater for small enterprises?

    The price of losing an individual goes beyond the cost of hiring a replacement, which can range from 0.5 to 2 times that employee's salary (Gallup, 2019). Additional costs include loss of productivity, business knowledge, and team morale.

    This is a major challenge for large organizations, but the threat is even greater for small enterprises, where a single individual accounts for a large proportion of IT's productivity. Losing one of a team of 10 means 10% of your total output. If that individual was solely responsible for a critical function, your department now faces a significant gap in its capabilities. And the effect on morale is much greater when everyone is on the same close-knit team.

    And the threat continues when the staffing error causes you not to lose a valuable employee, but to hire the wrong one instead. When a single individual makes up a large percentage of your workforce, as happens on small teams, the effects of talent management errors are magnified.

    A group of 100 triangles is shown above a group of 10 triangles. In each group, one triangle is colored orange, and the rest are colored blue.

    Info-Tech Insight

    One bad hire on a team of 100 is a problem. One bad hire on a team of 10 is a disaster.

    This is an image of Info-Tech's small enterprise guide o people and resource management.

    Blueprint pre-step: Determine your starting point

    People and Resource management is essential for any organization. But depending on your needs, you may want to start at different stages of the process. Use this slide as a quick reference for how the activities in this blueprint fit together, how they relate to other workforce management resources, and the best starting point for you.

    Your IT strategy is an essential input to your workforce plan. It defines your destination, while your workforce is the vessel that carries you there. Ensure you have at least an informal strategy for your department before making major workforce changes, or review Info-Tech's guidance on IT strategy.

    This blueprint covers the parts of workforce management that occur to some extent in every organization:

    • Workforce planning
    • Knowledge transfer
    • Development planning

    You may additionally want to seek guidance on contract and vendor management, if you outsource some part of your workload outside your core IT staff.

    Track metrics

    Consider these example metrics for tracking people and resource management success

    Project Outcome Metric Baseline Target
    Reduced training costs Average cost of training (including facilitation, materials, facilities, equipment, etc.) per IT employee
    Reduced number of overtime hours worked Average hours billed at overtime rate per IT employee
    Reduced length of hiring period Average number of days between job ad posting and new hire start date
    Reduced number of project cancellations due to lack of capacity Total of number of projects cancelled per year
    Increased number of projects completed per year (project throughput) Total number of project completions per year
    Greater net recruitment rate Number of new recruits/Number of terminations and departures
    Reduced turnover and replacement costs Total costs associated with replacing an employee, including position coverage cost, training costs, and productivity loss
    Reduced voluntary turnover rate Number of voluntary departures/Total number of employees
    Reduced productivity loss following a departure or termination Team or role performance metrics (varies by role) vs. one year ago

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    “Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.”

    Guided Implementation

    “Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.”

    Workshop

    “We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.”

    Consulting

    “Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”

    Diagnostics and consistent frameworks used throughout all four options

    Guided Implementation

    What does a typical GI on this topic look like?

    Phase 1 Phase 2 Phase 3

    Call #1:

    Scope requirements, objectives, and your specific challenges.

    Call #2: Assess current workforce needs.

    Call #4: Determine skill sourcing route.

    Call #6:

    Identify knowledge to be transferred.

    Call #8: Draft development goals and select activities.

    Call #3: Explore internal successor readiness.

    Call #5:Set priority development competencies.

    Call #7: Create a knowledge transfer plan.

    Call #9: Build managers' coaching & feedback skills.

    A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

    A typical GI is between 4 to 6 calls over the course of 3 to 4 months.

    Workshop Overview

    Contact your account representative for more information.
    workshops@infotech.com 1-888-670-8889

    Day 1

    Day 2

    Day 3

    Day 4

    Day 5

    1.Lay Your Foundations 2. Create Your Workforce Plan 3. Plan Knowledge Transfer 3. Plan Employee Development Next Steps and Wrap-Up (offsite)
    Activities

    1.1 Set workforce planning goals and success metrics

    1.2 Identify key roles and competency gaps

    1.3 Conduct a risk analysis to identify future needs

    1.4 Determine readiness of internal successors

    1.5 Determine your skill sourcing route

    1.6 Determine priority competencies for development

    3.1 Discover knowledge to be transferred

    3.2 Identify the optimal knowledge transfer methods

    3.3 Create a knowledge transfer plan

    4.1 Identify target competencies & draft development goals

    4.2 Select development activities and schedule check-ins

    4.3 Build manager coaching skills

    Outcomes

    Work with the leadership team to:

    1. Extract key business priorities
    2. Set your goals
    3. Assess workforce needs

    Work with the leadership team to:

    1. Create a workforce plan
    2. Determine guidelines for employee development

    Work with staff and managers to:

    1. Discover tacit and explicit knowledge
    2. Create a knowledge transfer roadmap

    Work with staff and managers to:

    1. Assess employees
    2. Prioritize development objectives
    3. Plan development activities
    4. Build management skills

    Info-Tech analysts complete:

    1. Workshop report
    2. Workforce plan record
    3. Action plan

    Workshop Overview

    Contact your account representative for more information.
    workshops@infotech.com 1-888-670-8889

    Each onsite day is structured with group working sessions from 9-11 a.m. and 1:30-3:30 p.m. and includes Open Analyst Timeslots, where our facilitators are available to expand on scheduled activities, capture and compile workshop results, or review additional components from our comprehensive approach.

    This is a calendar showing days 1-4, and times from 8am-5pm

    Phase 1

    Workforce Planning

    Workforce Planning

    Knowledge Transfer

    Development Planning

    Identify needs, goals, metrics, and skill gaps.

    Select a skill sourcing strategy.

    Discover critical knowledge.

    Select knowledge transfer methods.

    Identify priority competencies.

    Assess employees.

    Draft development goals.

    Provide coaching & feedback.

    The Small Enterprise Guide to People and Resource Management

    Phase Participants

    • Leadership team
    • Managers
    • Human resource partner (if applicable)

    Additional Resources

    Workforce Planning Workbook for Small Enterprises

    Phase pre-step: Gather resources and participants

    1. Ensure you have an up-to-date IT strategy. If you don't have a formal strategy in place, ensure you are aware of the main organizational objectives for the next 3-5 years. Connect with executive stakeholders if necessary to confirm this information.
      If you are not sure of the organizational direction for this time frame, we recommend you consult Info-Tech's material on IT strategy first, to ensure your workforce plan is fully positioned to deliver value to the organization.
    2. Consult with your IT team and gather any documentation pertaining to current roles and skills. Examples include an org chart, job descriptions, a list of current tasks performed/required, a list of company competencies, and a list of outsourced projects.
    3. Gather the right participants. Most of the decisions in this section will be made by senior leadership, but you will also need input from front-line managers. Ensure they are available on an as-needed basis. If your organization has an HR partner, it can also be helpful to involve them in your workforce planning process.

    Formal workforce planning benefits even small teams

    Strategic workforce planning (SWP) is a systematic process designed to identify and address gaps in your workforce today and plan for the human capital needs of the future.

    Your workforce plan is an extension of your IT strategy, ensuring that you have the right people in the right positions, in the right places, at the right time, with the knowledge, skills, and attributes to deliver on strategic business goals.

    SWP helps you understand the makeup of your current workforce and how well prepared it is or isn't (as the case may be) to meet future IT requirements. By identifying capability gaps early, CIOs can prepare to train or develop current staff and minimize the need for severance payouts and hiring costs, while providing clear career paths to retain high performers.

    The smaller the business, the more impact each individual's performance has on the overall success of the organization. When a given role is occupied by a single individual, the organization's performance in that function is determined wholly by one employee. Creating a workforce plan for a small team may seem excessive, but it ensures your organization is not unexpectedly hit with a critical competency gap.

    Right-size your workforce planning process to the size of your enterprise

    Small organizations are 2.2 times more likely to have effective workforce planning processes.1 Be mindful of the opportunities and risks for organizations of your size as you execute the project. How you build your workforce plan will not change drastically based on the size of your organization; however, the scope of your initiative, the size of your team, and the tactics you employ may vary.

    Small Organization

    Medium Organization

    Large Organization

    Project Opportunities

    • Project scope is much more manageable.
    • Communication and planning can be more manageable.
    • Fewer roles can clarify prioritization needs and promotability.
    • Project scope is more manageable.
    • Moderate budget for workforce planning initiatives is needed.
    • Communication and enforcement is easier.
    • Larger candidate pool to pull from.
    • Greater career path options for staff.
    • In-house expertise may be available

    Project Risks

    • Limited resources and time to execute the project.
    • In-house expertise is unlikely.
    • Competencies may be informal and not documented.
    • Limited overlap in responsibilities, resulting in fewer redundancies.
    • Limited staff with experience for the project.
    • Workforce planning may be a lower priority and difficult to generate buy-in for.
    • Requires more staff to manage workforce plan and execute initiatives.
    • Less collective knowledge on staff strengths may make career planning difficult.
    • Geographically dispersed business units make collaboration and communication difficult.

    1 McLean & Company Trends Report 2014

    1.1 Set project outcomes and success metrics

    1-3 hours

    1. As a group, brainstorm key pain points that the IT department experiences due to the lack of a workforce plan. Ask them to consider turnover, retention, training, and talent acquisition.
    2. Discuss any key themes that arise and brainstorm your desired project outcomes. Keep a record of these for future reference and to aid in stakeholder communication.
    3. Break into smaller groups (or if too small, continue as a single group):
      1. For each desired outcome, consider what metrics you could use to track progress. Keep your initial list of pain points in mind as you brainstorm metrics.
      2. Write each of the metric suggestions on a whiteboard and agree to track 3-5 metrics. Set targets for each metric. Consider the effort required to obtain and track the metric, as well as its reliability.
      3. Assign one individual for tracking the selected metrics. Following the meeting, that individual will be responsible for identifying the baseline and targets, and reporting on metrics progress.

    Input

    Output

    • List of workforce data available
    • List of workforce metrics to track the workforce plan's impact

    Materials

    Participants

    • Whiteboard/flip charts
    • Leadership team
    • Human resource partner (if applicable)

    1.2 Identify key roles and competency gaps

    1-3 hours

    1. As a group, identify all strategic, core, and supporting roles by reviewing the organizational chart:
      1. Strategic: What are the roles that must be filled by top performers and cannot be left vacant in order to meet strategic objectives?
      2. Core: What roles are important to drive operational excellence?
      3. Supporting: What roles are required for day-to-day work, but are low risk if the role is vacant for a period of time?
    2. Working individually or in small groups, have managers for each identified role define the level of competence required for the job. Consider factors such as:
      1. The difficulty or criticality of the tasks being performed
      2. The impact on job outcomes
      3. The impact on the performance of other employees
      4. The consequence of errors if the competency is not present
      5. How frequently the competency is used on the job
      6. Whether the competency is required when the job starts or can be learned or acquired on the job within the first six months
    3. Continue working individually and rate the level of proficiency of the current incumbent.
    4. As a group, review the assessment and make any adjustments.

    Record this information in the Workforce Planning Workbook for Small Enterprises.

    Download the Workforce Planning Workbook for Small Enterprises

    1.2 Identify key roles and competency gaps

    Input Output
    • Org chart, job descriptions, list of current tasks performed/required, list of company competencies
    • List of competency gaps for key roles
    Materials Participants
    • Leadership team
    • Managers

    Conduct a risk-of-departure analysis

    A risk-of-departure analysis helps you plan for future talent needs by identifying which employees are most likely to leave the organization (or their current role).

    A risk analysis takes into account two factors: an employee's risk for departure and the impact of departure:

    Employees are high risk for departure if they:

    • Have specialized or in-demand skills (tenured employees are more likely to have this than recent hires)
    • Are nearing retirement
    • Have expressed career aspirations that extend outside your organization
    • Have hit a career development ceiling at your organization
    • Are disengaged
    • Are actively job searching
    • Are facing performance issues or dismissal OR promotion into a new role

    Employees are low risk for departure if they:

    • Are a new hire or new to their role
    • Are highly engaged
    • Have high potential
    • Are 5-10 years out from retirement

    If you are not sure where an employee stands with respect to leaving the organization, consider having a development conversation with them. In the meantime, consider them at medium risk for departure.

    To estimate the impact of departure, consider:

    • The effect of losing the employee in the near- and medium-term, including:
      • Impact on the organization, department, unit/team and projects
      • The cost (in time, resources, and productivity loss) to replace the individual
      • The readiness of internal successors for the role

    1.3 Conduct a risk analysis to identify future needs

    1-3 hours

    Preparation: Your estimation of whether key employees are at risk of leaving the organization will depend on what you know of them objectively (skills, age), as well as what you learn from development conversations. Ensure you collect all relevant information prior to conducting this activity. You may need to speak with employees' direct managers beforehand or include them in the discussion.

    • As a group, list all your current employees, and using the previous slide for guidance, rank them on two parameters: risk of departure and impact of departure, on a scale of low to high. Record your conclusions in a chart like the one on the right. (For a more in-depth risk assessment, use the "Risk Assessment Results" tab of the Key Roles Succession Planning Tool.)
    • Employees that fall in the "Mitigate" quadrant represent key at-risk roles with at least moderate risk and moderate impact. These are your succession planning priorities. Add these roles to your list of key roles and competency gaps, and include them in your workforce planning analysis.
    • Employees that fall in the "Manage" quadrants represent secondary priorities, which should be looked at if there is capacity after considering the "Mitigate" roles.

    Record this information in the Workforce Planning Workbook for Small Enterprises.

    This is an image of the Risk analysis for risk of departure to importance of departure.

    Info-Tech Insight

    Don't be afraid to rank most or all your staff as "high impact of departure." In a small enterprise, every player counts, and you must plan accordingly.

    1.3 Conduct a risk analysis to identify future needs

    Input Output
    • Employee data on competencies, skills, certifications, and performance. Input from managers from informal development conversations.
    • A list of first- and second-priority at-risk roles to carry forward into a succession planning analysis
    Materials Participants
    • Leadership team
    • Managers

    Determine your skill sourcing route

    The characteristics of need steer hiring managers to a preferred choice, while the marketplace analysis will tell you the feasibility of each option.

    Sourcing Options

    Preferred Options

    Final Choice

    four blue circles

    A right facing arrow

    Two blue circles A right facing arrow One blue circle
    State of the Marketplace

    State of the Marketplace

    Urgency: How soon do we need this skill? What is the required time-to-value?

    Criticality: How critical, i.e. core to business goals, are the services or systems that this skill will support?

    Novelty: Is this skill brand new to our workforce?

    Availability: How often, and at what hours, will the skill be needed?

    Durability: For how long will this skill be needed? Just once, or indefinitely for regular operations?

    Scarcity: How popular or desirable is this skill? Do we have a large enough talent pool to draw from? What competition are we facing for top talent?

    Cost: How much will it cost to hire vs. contract vs. outsource vs. train this skill?

    Preparedness: Do we have internal resources available to cultivate this skill in house?

    1.4 Determine your skill sourcing route

    1-3 hours

    1. Identify the preferred sourcing method as a group, starting with the most critical or urgent skill need on your list. Use the characteristics of need to guide your discussion. If more than one option seems adequate, carry several over to the next step.
    2. Consider the marketplace factors applicable to the skill in question and use these to narrow down to one final sourcing decision.
      1. If it is not clear whether a suitable internal candidate is available or ready, refer to the next activity for a readiness assessment.
    3. Be sure to document the rationale supporting your decision. This will ensure the decision can be clearly communicated to any stakeholders, and that you can review on your decision-making process down the line.

    Record this information in the Workforce Planning Workbook for Small Enterprises.

    Info-Tech Insight

    Consider developing a pool of successors instead of pinning your hopes on just one person. A single pool of successors can be developed for either one key role that has specialized requirements or even multiple key roles that have generic requirements.

    Input

    Output

    • List of current and upcoming skill gaps
    • A sourcing decision for each skill

    Materials

    Participants

    • Leadership team
    • Human resource partner (if applicable)

    1.5 Determine readiness of internal successors

    1-3 hours

    1. As a group, and ensuring you include the candidates' direct managers, identify potential successors for the first role on your list.
    2. Ask how effectively the potential successor would serve in the role today. Review the competencies for the key role in terms of:
      1. Relationship-building skills
      2. Business skills
      3. Technical skills
      4. Industry-specific skills or knowledge
    3. Determine what competencies the succession candidate currently has and what must be learned. Be sure you know whether the candidate is open to a career change. Don't assume – if this is not clear, have a development conversation to ensure everyone is on the same page.
    4. Finally, determine how difficult it will be for the successor to acquire missing skills or knowledge, whether the resources are available to provide the required development, and how long it will take to provide it.
    5. As a group, decide whether training an internal successor is a viable option for the role in question, considering the successor's readiness and the characteristics of need for the role. If a clear successor is not readily apparent, consider:
      1. If the development of the successor can be fast-tracked, or if some requirements can be deprioritized and the successor provided with temporary support from other employees.
      2. If the role in question is being discussed because the current incumbent is preparing to leave, consider negotiating an arrangement that extends the incumbent's employment tenure.
    6. Record the decision and repeat for the next role on your list.

    Info-Tech Insight

    A readiness assessment helps to define not just development needs, but also any risks around the organization's ability to fill a key role.

    Input

    Output

    • List of roles for which you are considering training internally
    • Job descriptions and competency requirements for the roles
    • List of roles for which internal successors are a viable option

    Materials

    Participants

    • Leadership team
    • Candidates' direct managers, if applicable

    Use alternative work arrangements to gain time to prepare successors

    Alternative work arrangements are critical tools that employers can use to achieve a mutually beneficial solution that mitigates the risk of loss associated with key roles.

    Alternative work arrangements not only support employees who want to keep working, but more importantly, they allow the business to retain employees that are needed in key roles who are departure risks due to retirement.

    Viewing retirement as a gradual process can help you slow down skill loss in your organization and ensure you have sufficient time to train successors. Retiring workers are becoming increasingly open to alternative work arrangements. Among employed workers aged 50-75, more than half planned to continue working part-time after retirement.
    Source: Statistics Canada.

    Flexible work options are the most used form of alternative work arrangement

    A bar graph showing the percent of organizations who implemented alternate work arrangement, for Flexible work options; Contract based work; Part time roles; Graduated retirement programs; Part year jobs or job sharing; Increased PTO for employees over a certain age.

    Source: McLean & Company, N=44

    Choose the alternative work arrangement that works best for you and the employee

    Alternative Work Arrangement Description Ideal Use Caveats
    Flexible work options Employees work the same number of hours but have flexibility in when and where they work (e.g. from home, evenings). Employees who work fairly independently with no or few direct reports. Employee may become isolated or disconnected, impeding knowledge transfer methods that require interaction or one-on-one time.
    Contract-based work Working for a defined period of time on a specific project on a non-salaried or non-wage basis. Project-oriented work that requires specialized knowledge or skills. Available work may be sporadic or specific projects more intensive than the employee wants. Knowledge transfer must be built into the contractual arrangement.
    Part-time roles Half days or a certain number of days per week; indefinite with no end date in mind. Employees whose roles can be readily narrowed and upon whom people and critical processes are not dependent. It may be difficult to break a traditionally full-time job down into a part-time role given the size and nature of associated tasks.
    Graduated retirement Retiring employee has a set retirement date, gradually reducing hours worked per week over time. Roles where a successor has been identified and is available to work alongside the incumbent in an overlapping capacity while he or she learns. The role may only require a single FTE, and the organization may not be able to afford the amount of redundancy inherent in this arrangement.

    Choose the alternative work arrangement that works best for you and the employee

    Alternative Work Arrangement Description Ideal Use Caveats
    Part-year jobs or job sharing Working part of the year and having the rest of the year off, unpaid. Project-oriented work where ongoing external relationships do not need to be maintained. The employee is unavailable for knowledge transfer activities for a large portion of the year. Another risk is that the employee may opt not to return at the end of the extended time off with little notice.
    Increased paid time off Additional vacation days upon reaching a certain age. Best used as recognition or reward for long-term service. This may be a particularly useful retention incentive in organizations that do not offer pension plans. The company may not be able to financially afford to pay for such extensive time off. If the role incumbent is the only one in the role, this may mean crucial work is not being done.
    Altered roles Concentration of a job description on fewer tasks that allows the employee to focus on his or her specific expertise. Roles where a successor has been identified and is available to work alongside the incumbent, with the incumbent's new role highly focused on mentoring. The role may only require a single FTE, and the organization may not be able to afford the amount of redundancy inherent in this arrangement.

    Phase 2

    Knowledge Transfer

    Workforce Planning

    Knowledge Transfer

    Development Planning

    Identify needs, goals, metrics, and skill gaps.

    Select a skill sourcing strategy.

    Discover critical knowledge.

    Select knowledge transfer methods.

    Identify priority competencies.

    Assess employees.

    Draft development goals.

    Provide coaching & feedback.

    The Small Enterprise Guide to People and Resource Management

    Phase Participants

    • Leadership/management team
    • Incumbent & successor

    Additional Resources

    IT Knowledge Identification Interview Guide Template

    Knowledge Transfer Plan Template

    Determine your skill sourcing route

    Knowledge transfer plans have three key components that you need to complete for each knowledge source:

    Define what knowledge needs to be transferred

    Each knowledge source has unique information which needs to be transferred. Chances are you don't know what you don't know. The first step is therefore to interview knowledge sources to find out.

    Identify the knowledge receiver

    Depending on who the information is going to, the knowledge transfer tactic you employ will differ. Before deciding on the knowledge receiver and tactic, consider three key factors:

    • How will this knowledge be used in the future?
    • What is the next career step for the knowledge receiver?
    • Are the receiver and the source going to be in the same location?

    Identify which knowledge transfer tactics you will use for each knowledge asset

    Not all tactics are good in every situation. Always keep the "knowledge type" (information, process, skills, and expertise), knowledge sources' engagement level, and the knowledge receiver in mind as you select tactics.

    Don't miss tacit knowledge

    There are two basic types of knowledge: "explicit" and "tacit." Ensure you capture both to get a well-rounded overview of the role.

    Explicit Tacit
    • "What knowledge" – knowledge can be articulated, codified, and easily communicated.
    • Easily explained and captured – documents, memos, speeches, books, manuals, process diagrams, facts, etc.
    • Learn through reading or being told.
    • "How knowledge" – intangible knowledge from an individual's experience that is more from the process of learning, understanding, and applying information (insights, judgments, and intuition).
    • Hard to verbalize, and difficult to capture and quantify.
    • Learn through observation, imitation, and practice.

    Types of explicit knowledge

    Types of tacit knowledge

    Information Process Skills Expertise

    Specialized technical knowledge.

    Unique design capabilities/methods/models.

    Legacy systems, details, passwords.

    Special formulas/algorithms/ techniques/contacts.

    • Specialized research & development processes.
    • Proprietary production processes.
    • Decision-making processes.
    • Legacy systems.
    • Variations from documented processes.
    • Techniques for executing on processes.
    • Relationship management.
    • Competencies built through deliberate practice enabling someone to act effectively.
    • Company history and values.
    • Relationships with key stakeholders.
    • Tips and tricks.
    • Competitor history and differentiators.

    e.g. Knowing the lyrics to a song, building a bike, knowing the alphabet, watching a YouTube video on karate.

    e.g. Playing the piano, riding a bike, reading or speaking a language, earning a black belt in karate.

    Embed your knowledge transfer methods into day-to-day practice

    Multiple methods should be used to transfer as much of a person's knowledge as possible, and mentoring should always be one of them. Select your method according to the following criteria:

    Info-Tech Insight

    The more integrated knowledge transfer is in day-to-day activities, the more likely it is to be successful, and the lower the time cost. This is because real learning is happening at the same time real work is being accomplished.

    Type of Knowledge

    • Tacit knowledge transfer methods are often informal and interactive:
      • Mentoring
      • Multi-generational work teams
      • Networks and communities
      • Job shadowing
    • Explicit knowledge transfer methods tend to be more formal and one way:
      • Formal documentation of processes and best practices
      • Self-published knowledge bases
      • Formal training sessions
      • Formal interviews

    Incumbent's Preference/Successor's Preference

    Ensure you consult the employees, and their direct manager, on the way they are best prepared to teach and learn. Some examples of preferences include:

    1. Prefer traditional classroom learning, augmented with participation, critical reflection, and feedback.
    2. May get bored during formal training sessions and retain more during job shadowing.
    3. Prefer to be self-directed or self-paced, and highly receptive to e-learning and media.
    4. Prefer informal, incidental learning, tend to go immediately to technology or direct access to people. May have a short attention span and be motivated by instant results.
    5. May be uncomfortable with blogs and wikis, but comfortable with SharePoint.

    Cost

    Consider costs beyond the monetary. Some methods require an investment in time (e.g. mentoring), while others require an investment in technology (e.g. knowledge bases).

    The good news is that many supporting technologies may already exist in your organization or can be acquired for free.

    Methods that cost time may be difficult to get underway since employees may feel they don't have the time or must change the way they work.

    2.1 Create a knowledge transfer plan

    1-3 hours

    1. Working together with the current incumbent, brainstorm the key information pertaining to the role that you want to pass on to the successor. Use the IT Knowledge Identification Interview Guide Template to ensure you don't miss anything.
      • Consider key knowledge areas, including:
        • Specialized technical knowledge.
        • Specialized research and development processes.
        • Unique design capabilities/methods/models.
        • Special formulas/algorithms/techniques.
        • Proprietary production processes.
        • Decision-making criteria.
        • Innovative sales methods.
        • Knowledge about key customers.
        • Relationships with key stakeholders.
        • Company history and values.
      • Ask questions of both sources and receivers of knowledge to help determine the best knowledge transfer methods to use.
        • What is the nature of the knowledge? Explicit or tacit?
        • Why is it important to transfer?
        • How will the knowledge be used?
        • What knowledge is critical for success?
        • How will the users find and access it?
        • How will it be maintained and remain relevant and usable?
        • What are the existing knowledge pathways or networks connecting sources to recipients?
    2. Once the knowledge has been identified, use the information on the following slides to decide on the most appropriate methods. Be sure to consult the incumbent and successor on their preferences.
    3. Prioritize your list of knowledge transfer activities. It's important not to try to do too much too quickly. Focus on some quick wins and leverage the success of these initiatives to drive the project forward. Follow these steps as a guide:
      1. Take an inventory of all the tactics and techniques which you plan to employ. Eliminate redundancies where possible.
      2. Start your implementation with your highest risk role or knowledge item, using explicit knowledge transfer tactics. Interviews, use cases, and process mapping will give you some quick wins and will help gain momentum for the project.
      3. Then move forward to other tactics, the majority of which will require training and process design. Pick 1-2 other key tactics you would like to employ and build those out. For tactics that require resources or monetary investment, start with those that can be reused for multiple roles.

    Record your plan in the IT Knowledge Transfer Plan Template.

    Download the IT Knowledge Identification Interview Guide Template

    Download the Knowledge Transfer Plan Template

    Info-Tech Insight

    Wherever possible, ask employees about their personal learning styles. It's likely that a collaborative compromise will have to be struck for knowledge transfer to work well.

    2.1 Create a knowledge transfer plan

    Input

    Output

    • List of roles for which you need to transfer knowledge
    • Prioritized list of knowledge items and chosen transfer method

    Materials

    Participants

    • Leadership team
    • Incumbent
    • Successor

    Not every transfer method is effective for every type of knowledge

    Knowledge Type
    Tactic Explicit Tacit
    Information Process Skills Expertise
    Interviews Very Strong Strong Strong Strong
    Process Mapping Medium Very Strong Very Weak Very Weak
    Use Cases Medium Very Strong Very Weak Very Weak
    Job Shadow Very Weak Medium Very Strong Very Strong
    Peer Assist Strong Medium Very Strong Very Strong
    Action Review Medium Medium Strong Strong
    Mentoring Weak Weak Strong Very Strong
    Transition Workshop Strong Strong Strong Weak
    Storytelling Weak Weak Strong Very Strong
    Job Share Weak Weak Very Strong Very Strong
    Communities of Practice Strong Weak Very Strong Very Strong

    This table shows the relative strengths and weaknesses of each knowledge transfer tactic compared against four different knowledge types.

    Not all techniques are effective for all types of knowledge; it is important to use a healthy mixture of techniques to optimize effectiveness.

    Employees' engagement can impact knowledge transfer effectiveness

    Level of Engagement
    Tactic Disengaged/ Indifferent Almost Engaged - Engaged
    Interviews Yes Yes
    Process Mapping Yes Yes
    Use Cases Yes Yes
    Job Shadow No Yes
    Peer Assist Yes Yes
    Action Review Yes Yes
    Mentoring No Yes
    Transition Workshop Yes Yes
    Storytelling No Yes
    Job Share Maybe Yes
    Communities of Practice Maybe Yes

    When considering which tactics to employ, it's important to consider the knowledge holder's level of engagement. Employees who you would identify as being disengaged may not make good candidates for job shadowing, mentoring, or other tactics where they are required to do additional work or are asked to influence others.

    Knowledge transfer can be controversial for all employees as it can cause feelings of job insecurity. It's essential that motivations for knowledge transfer are communicated effectively.

    Pay particular attention to your communication style with disengaged and indifferent employees, communicate frequently, and tie communication back to what's in it for them.

    Putting disengaged employees in a position where they are mentoring others can be a risk, as their negativity could influence others not to participate, or it could negate the work you're doing to create a positive knowledge sharing culture.

    Employees' engagement can impact knowledge transfer effectiveness

    Effort by Stakeholder

    Tactic

    Business Analyst

    IT Manager

    Knowledge Holder

    Knowledge Receiver

    Interviews

    These tactics require the least amount of effort, especially for organizations that are already using these tactics for a traditional requirements gathering process.

    Medium

    N/A

    Low

    Low

    Process Mapping

    Medium

    N/A

    Low

    Low

    Use Cases

    Medium

    N/A

    Low

    Low

    Job Shadow

    Medium

    Medium

    Medium

    Medium

    Peer Assist

    Medium

    Medium

    Medium

    Medium

    Action Review

    These tactics generally require more involvement from IT management and the BA in tandem for preparation. They will also require ongoing effort for all stakeholders. It's important to gain stakeholder buy-in as it is key for success.

    Low

    Medium

    Medium

    Low

    Mentoring

    Medium

    High

    High

    Medium

    Transition Workshop

    Medium

    Low

    Medium

    Low

    Storytelling

    Medium

    Medium

    Low

    Low

    Job Share

    Medium

    High

    Medium

    Medium

    Communities of Practice

    High

    Medium

    Medium

    Medium

    Phase 3

    Development Planning

    Workforce Planning

    Knowledge Transfer

    Development Planning

    Identify needs, goals, metrics, and skill gaps.

    Select a skill sourcing strategy.

    Discover critical knowledge.

    Select knowledge transfer methods.

    Identify priority competencies.

    Assess employees.

    Draft development goals.

    Provide coaching & feedback.

    The Small Enterprise Guide to People and Resource Management

    Phase Participants

    • Leadership team
    • Managers
    • Employees

    Additional Resources

    Effective development planning hinges on robust performance management

    Your performance management framework is rooted in organizational goals and defines what it means to do any given role well.

    Your organization's priority competencies are the knowledge, skills and attributes that enable an employee to do the job well.

    Each individual's development goals are then aimed at building these priority competencies.

    Mission Statement

    To be the world's leading manufacturer and distributor of widgets.

    Business Goal

    To increase annual revenue by 10%.

    IT Department Objective

    To ensure reliable communications infrastructure and efficient support for our sales and development teams.

    Individual Role Objective

    To decrease time to resolution of support requests by 10% while maintaining quality.

    Info-Tech Insight

    Without a performance management framework, your employees cannot align their development with the organization's goals. For detailed guidance, see Info-Tech's blueprint Setting Meaningful Employee Performance Measures.

    What is a competency?

    The term "competency" refers to the collection of knowledge, skills, and attributes an employee requires to do a job well.

    Often organizations have competency frameworks that consist of core, leadership, and functional competencies.

    Core competencies apply to every role in the organization. Typically, they are tied to organizational values and business mission and/or vision.

    Functional competencies are at the department, work group, or job role levels. They are a direct reflection of the function or type of work carried out.

    Leadership competencies generally apply only to people managers in the organization. Typically, they are tied to strategic goals in the short to medium term

    Generic Functional
    • Core
    • Leadership
    • IT
    • Finance
    • Sales
    • HR

    Use the SMART model to make sure goals are reasonable and attainable

    S

    Specific: Be specific about what you want to accomplish. Think about who needs to be involved, what you're trying to accomplish, and when the goal should be met.

    M

    Measurable: Set metrics that will help to determine whether the goal has been reached.

    A

    Achievable: Ensure that you have both the organizational resources and employee capability to accomplish the goal.

    R

    Relevant: Goals must align with broader business, department, and development goals in order to be meaningful.

    T

    Time-bound: Provide a target date to ensure the goal is achievable and provide motivation.

    Example goal:

    "Learn Excel this summer."

    Problems:

    Not specific enough, not measurable enough, nor time bound.

    Alternate SMART goal:

    "Consult with our Excel expert and take the lead on creating an Excel tool in August."

    3.2 Identify target competencies & draft development goals

    1 hour

    Pre-work: Employees should come to the career conversation having done some self-reflection. Use Info-Tech's IT Employee Career Development Workbook to help employees identify their career goals.

    1. Pre-work: Managers should gather any data they have on the employee's current proficiency at key competencies. Potential sources include task-based assessments, performance ratings, supervisor or peer feedback, and informal conversation.

      Prioritize competencies. Using your list of priority organizational competencies, work with your employees to help them identify two to four competencies to focus on developing now and in the future. Use the Individual Competency Development Plan template to document your assessment and prioritize competencies for development. Consider the following questions for guidance:
      1. Which competencies are needed in my current role that I do not have full proficiency in?
      2. Which competencies are related to both my career interests and the organization's priorities?
      3. Which competencies are related to each other and could be developed together or simultaneously?
    2. Draft goals. Ask your employee to create a list of multiple simple goals to develop the competencies they have selected to work on developing over the next year. Identifying multiple goals helps to break development down into manageable chunks. Ensure goals are concrete, for example, if the competency is "communication skills," your development goals could be "presentation skills" and "business writing."
    3. Review goals:
      1. Ask why these areas are important to the employee.
      2. Share your ideas and why it is important that the employee develop in the areas identified.
      3. Ensure that the goals are realistic. They should be stretch goals, but they must be achievable. Use the SMART framework on the previous slide for guidance.

    Info-Tech Insight

    Lack of career development is the top reason employees leave organizations. Development activities need to work for both the organization and the employee's own development, and clearly link to advancing employees' careers either at the organization or beyond.

    Download the IT Employee Career Development Workbook

    Download the Individual Competency Development Plan

    3.2 Identify target competencies & draft development goals

    Input

    Output

    • Employee's career aspirations
    • List of priority organizational competencies
    • Assessment of employee's current proficiency
    • A list of concrete development goals

    Materials

    Participants

    • Employee
    • Direct manager

    Apply a blend of learning methods

    • Info-Tech recommends the 70-20-10 principle for learning and development, which places the greatest emphasis on learning by doing. This experiential learning is then supported by feedback from mentoring, training, and self-reflection.
    • Use the 70-20-10 principle as a guideline – the actual breakdown of your learning methods will need to be tailored to best suit your organization and the employee's goals.

    Spend development time and effort wisely:

    70%

    On providing challenging on-the-job opportunities

    20%

    On establishing opportunities for people to develop learning relationships with others, such as coaching and mentoring

    10%

    On formal learning and training programs

    Internal initiatives are a cost-effective development aid

    Internal Initiative

    What Is It?

    When to Use It

    Special Project

    Assignment outside of the scope of the day-to-day job (e.g. work with another team on a short-term initiative).

    As an opportunity to increase exposure and to expand skills beyond those required for the current job.

    Stretch Assignment

    The same projects that would normally be assigned, but in a shorter time frame or with a more challenging component.

    Employee is consistently meeting targets and you need to see what they're capable of.

    Training Others

    Training new or more junior employees on their position or a specific process.

    Employee wants to expand their role and responsibility and is proficient and positive.

    Team Lead On an Assignment

    Team lead for part of a project or new initiative.

    To prepare an employee for future leadership roles by increasing responsibility and developing basic managerial skills.

    Job Rotation

    A planned placement of employees across various roles in a department or organization for a set period of time.

    Employee is successfully meeting and/or exceeding job expectations in their current role.

    Incorporating a development objective into daily tasks

    What do we mean by incorporating into daily tasks?

    The next time you assign a project to an employee, you should also ask the employee to think about a development goal for the project. Try to link it back to their existing goals or have them document a new goal in their development plan.

    For example: A team of employees always divides their work in the same way. Their goal for their next project could be to change up the division of responsibility so they can learn each other's roles.

    Another example:

    "I'd like you to develop your ability to explain technical terms to a non-technical audience. I'd like you to sit down with the new employee who starts tomorrow and explain how to use all our software, getting them up and running."

    Info-Tech Insight

    Employees often don't realize that they are being developed. They either think they are being recognized for good work or they are resentful of the additional workload.

    You need to tell your employees that the activity you are asking them to do is intended to further their development.

    However, be careful not to sell mundane tasks as development opportunities – this is offensive and detrimental to engagement.

    Establish manager and employee accountability for following up

    Ensure that the employee makes progress in developing prioritized competencies by defining accountabilities:

    Tracking Progress

    Checking In

    Development Meetings

    Coaching & Feedback

    Employee accountability:

    • Employees need to keep track of what they learn.
    • Employees should take the time to reflect on their progress.

    Manager accountability:

    • Managers need to make the time for employees to reflect.

    Employee accountability:

    • Employees need to provide managers with updates and ask for help.

    Manager accountability:

    • Managers need to check in with employees to see if they need additional resources.

    Employee accountability:

    • Employees need to complete assessments again to determine whether they have made progress.

    Manager accountability:

    • Managers should schedule monthly meetings to discuss progress and identify next steps.

    Employee accountability:

    • Employees should ask their manager and colleagues for feedback after development activities.

    Manager accountability:

    • Managers can use both scheduled meetings and informal conversations to provide coaching and feedback to employees.

    3.3 Select development activities and schedule check-ins

    1-3 hours

    Pre-work: Employees should research potential development activities and come prepared with a range of suggestions.

    Pre-work: Managers should investigate options for employee development, such as internal training/practice opportunities for the employee's selected competencies and availability of training budget.

    1. Communicate your findings about internal opportunities and external training allowance to the employee. This can also be done prior to the meeting, to help guide the employee's own research. Address any questions or concerns.
    2. Review the employee's proposed list of activities, and identify priority ones based on:
      1. How effectively they support the development of priority competencies.
      2. How closely they match the employee's original goals.
      3. The learning methods they employ, and whether the chosen activities support a mix of different methods.
      4. The degree to which the employee will have a chance to practice new skills hands-on.
      5. The amount of time the activities require, balanced against the employee's work obligations.
    3. Guide the employee in selecting activities for the short and medium term. Establish an understanding that this list is tentative and subject to ongoing revision during future check-ins.
      1. If in doubt about whether the employee is over-committing, err on the side of fewer activities to start.
    4. Schedule a check-in for one month out to review progress and roadblocks, and to reaffirm priorities.
    5. Check-ins should be repeated regularly, typically once a month.

    Download the Learning Methods Catalog

    Info-Tech Insight

    Adopt a blended learning approach using a variety of techniques to effectively develop competencies. This will reinforce learning and accommodate different learning styles. See Info-Tech's Learning Methods Catalog for a description of popular experiential, relational, and formal learning methods.

    3.3 Select development activities and schedule check-ins

    Input

    Output

    • List of potential development activities (from employee)
    • List of organizational resources (from manager)
    • A selection of feasible development activities
    • Next check-in scheduled

    Materials

    Participants

    • Employee
    • Direct manager

    Tips for tricky conversations about development

    What to do if…

    Employees aren't interested in development:

    • They may have low aspiration for advancement.
    • Remind them about the importance of staying current in their role given increasing job requirements.
    • Explain that skill development will make their job easier and make them more successful at it; sell development as a quick and effective way to learn the skill.
    • Indicate your support and respond to concerns.

    Employees have greater aspiration than capability:

    • Explain that there are a number of skills and capabilities that they need to improve in order to move to the next level. If the specific skills were not discussed during the performance appraisal, do not hesitate to explain the improvements that you require.
    • Inform the employee that you want them to succeed and that by pushing too far and too fast they risk failure, which would not be beneficial to anyone.
    • Reinforce that they need to do their current job well before they can be considered for promotion.

    Employees are offended by your suggestions:

    • Try to understand why they are offended. Before moving forward, clarify whether they disagree with the need for development or the method by which you are recommending they be developed.
    • If it is because you told them they had development needs, then reiterate that this is about helping them to become better and that everyone has areas to develop.
    • If it is about the development method, discuss the different options, including the pros and cons of each.

    Coaching and feedback skills help managers guide employee development

    Coaching and providing feedback are often confused. Managers often believe they are coaching when they are just giving feedback. Learn the difference and apply the right approach for the right situation.

    What is coaching?

    A conversation in which a manager asks questions to guide employees to solve problems themselves.

    Coaching is:

    • Future-focused
    • Collaborative
    • Geared toward growth and development

    What is feedback?

    Information conveyed from the manager to the employee about their performance.

    Feedback is:

    • Past-focused
    • Prescriptive
    • Geared toward behavior and performance

    Info-Tech Insight

    Don't forget to develop your managers! Ensure coaching, feedback, and management skills are part of your management team's development plan.

    Understand the foundations of coaching to provide effective development coaching:

    Knowledge Mindset Relationship
    • Understand what coaching is and how to apply it:
    • Identify when to use coaching, feedback, or other people management practices, and how to switch between them.
    • Know what coaching can and cannot accomplish.
    • When focusing on performance, guide an employee to solve problems related to their work. When focusing on development, guide an employee to reach their own development goals.
    • Adopt a coaching mindset by subscribing to the following beliefs:
    • Employees want to achieve higher performance and have the potential to do so.
    • Employees have a unique and valuable perspective to share of the challenges they face as well as the possible solutions.
    • Employees should be empowered to realize solutions themselves to motivate them in achieving goals.
    • Develop a relationship of trust between managers and employees:
    • Create an environment of psychological safety where employees feel safe to be open and honest.
    • Involve employees in decision making and inform employees often.
    • Invest in employees' success.
    • Give and expect candor.
    • Embrace failure.

    Apply the "4A" behavior-focused coaching model

    Using a model allows every manager, even those with little experience, to apply coaching best practices effectively.

    Actively Listen

    Ask

    Action Plan

    Adapt

    Engage with employees and their message, rather than just hearing their message.

    Key active listening behaviors:

    • Provide your undivided attention.
    • Observe both spoken words and body language.
    • Genuinely try to understand what the employee is saying.
    • Listen to what is being said, then paraphrase back what you heard.

    Ask thoughtful, powerful questions to learn more information and guide employees to uncover opportunities and/or solutions.

    Key asking behaviors:

    • Ask open-ended questions.
    • Ask questions to learn something you didn't already know.
    • Ask for reasoning (the why).
    • Ask "what else?"

    Hold employees and managers accountable for progress and results.

    During check-ins, review each development goal to ensure employees are meeting their targets.

    Key action planning behaviors:

    Adapt to individual employees and situations.

    Key adapting behaviors:

    • Recognize employees' unique characteristics.
    • Appreciate the situation at hand and change your behavior and communication in order to best support the individual employee.

    Use the following questions to have meaningful coaching conversations

    Opening Questions

    • What's on your mind?
    • Do you feel you've had a good week/month?
    • What is the ideal situation?
    • What else?

    Problem-Identifying Questions

    • What is most important here?
    • What is the challenge here for you?
    • What is the real challenge here for you?
    • What is getting in the way of you achieving your goal?

    Problem-Solving Questions

    • What are some of the options available?
    • What have you already tried to solve this problem? What worked? What didn't work?
    • Have you considered all the possibilities?
    • How can I help?

    Next-Steps Questions

    • What do you need to do, and when, to achieve your goal?
    • What resources are there to help you achieve your goal? This includes people, tools, or even resources outside our organization.
    • How will you know when you have achieved your goal? What does success look like?

    The purpose of asking questions is to guide the conversation and learn something you didn't already know. Choose the questions you ask based on the flow of the conversation and on what information you would like to uncover. Approach the answers you get with an open mind.

    Info-Tech Insight

    Avoid the trap of "hidden agenda" questions, whose real purpose is to offer your own advice.

    Use the following approach to give effective feedback

    Provide the feedback in a timely manner

    • Plan the message you want to convey.
    • Provide feedback "just-in-time."
    • Ensure recipient is not preoccupied.
    • Try to balance the feedback; refer to successful as well as unsuccessful behavior.

    Communicate clearly, using specific examples and alternative behaviors

    • Feedback must be honest and helpful.
    • Be specific and give a recent example.
    • Be descriptive, not evaluative.
    • Relate feedback to behaviors that can be changed.
    • Give an alternative positive behavior.

    Confirm their agreement and understanding

    • Solicit their thoughts on the feedback.
    • Clarify if not understood; try another example.
    • Confirm recipient understands and accepts the feedback.

    Manager skill is crucial to employee development

    Development is a two-way street. This means that while employees are responsible for putting in the work, managers must enable their development with support and guidance. The latter is a skill, which managers must consciously cultivate.

    For more in-depth management skills development, see the Info-Tech "Build a Better Manager" training resources:

    Bibliography

    Anderson, Kelsie. "Is Your IT Department Prepared for the 4 Biggest Challenges of 2017?" 14 June 2017.
    Atkinson, Carol, and Peter Sandiford. "An Exploration of Older Worker Flexible Working Arrangements in Smaller Firms." Human Resource Management Journal, vol. 26, no. 1, 2016, pp. 12–28. Wiley Online Library.
    BasuMallick, Chiradeep. "Top 8 Best Practices for Employee Cross-Training." Spiceworks, 15 June 2020.
    Birol, Andy. "4 Ways You Can Succeed With a Staff That 'Wears Multiple Hats.'" The Business Journals, 26 Nov. 2013.
    Bleich, Corey. "6 Major Benefits To Cross-Training Employees." EdgePoint Learning, 5 Dec. 2018.
    Cancialosi, Chris. "Cross-Training: Your Best Defense Against Indispensable Employees." Forbes, 15 Sept. 2014.
    Cappelli, Peter, and Anna Tavis. "HR Goes Agile." Harvard Business Review, Mar. 2018.
    Chung, Kai Li, and Norma D'Annunzio-Green. "Talent Management Practices of SMEs in the Hospitality Sector: An Entrepreneurial Owner-Manager Perspective." Worldwide Hospitality and Tourism Themes, vol. 10, no. 4, Jan. 2018.
    Clarkson, Mary. Developing IT Staff: A Practical Approach. Springer Science & Business Media, 2012.
    "CNBC and SurveyMonkey Release Latest Small Business Survey Results." Momentive, 2019. Press Release. Accessed 6 Aug. 2020.
    Cselényi, Noémi. "Why Is It Important for Small Business Owners to Focus on Talent Management?" Jumpstart:HR | HR Outsourcing and Consulting for Small Businesses and Startups, 25 Mar. 2013.
    dsparks. "Top 10 IT Concerns for Small Businesses." Stratosphere Networks IT Support Blog - Chicago IT Support Technical Support, 16 May 2017.
    Duff, Jimi. "Why Small to Mid-Sized Businesses Need a System for Talent Management | Talent Management Blog | Saba Software." Saba, 17 Dec. 2018.
    Employment and Social Development Canada. "Age-Friendly Workplaces: Promoting Older Worker Participation." Government of Canada, 3 Oct. 2016.
    Exploring Workforce Planning. Accenture, 23 May 2017.
    "Five Major IT Challenges Facing Small and Medium-Sized Businesses." Advanced Network Systems. Accessed 25 June 2020.
    Harris, Evan. "IT Problems That Small Businesses Face." InhouseIT, 17 Aug. 2016.
    Heathfield, Susan. "What Every Manager Needs to Know About Succession Planning." Liveabout, 8 June 2020.
    ---. "Why Talent Management Is an Important Business Strategy." Liveabout, 29 Dec. 2019.
    Herbert, Chris. "The Top 5 Challenges Facing IT Departments in Mid-Sized Companies." ExpertIP, 25 June 2012.
    How Smaller Organizations Can Use Talent Management to Accelerate Growth. Avilar. Accessed 25 June 2020.
    Krishnan, TN, and Hugh Scullion. "Talent Management and Dynamic View of Talent in Small and Medium Enterprises." Human Resource Management Review, vol. 27, no. 3, Sept. 2017, pp. 431–41.
    Mann Jackson, Nancy. "Strategic Workforce Planning for Midsized Businesses." ADP, 6 Feb. 2017.
    McCandless, Karen. "A Beginner's Guide to Strategic Talent Management (2020)." The Blueprint, 26 Feb. 2020.
    McFeely, Shane, and Ben Wigert. "This Fixable Problem Costs U.S. Businesses $1 Trillion." Gallup.com, 13 Mar. 2019.
    Mihelič, Katarina Katja. Global Talent Management Best Practices for SMEs. Jan. 2020.
    Mohsin, Maryam. 10 Small Business Statistics You Need to Know in 2020 [May 2020]. 4 May 2020.
    Ramadan, Wael H., and B. Eng. The Influence of Talent Management on Sustainable Competitive Advantage of Small and Medium Sized Establishments. 2012, p. 15.
    Ready, Douglas A., et al. "Building a Game-Changing Talent Strategy." Harvard Business Review, no. January–February 2014, Jan. 2014.
    Reh, John. "Cross-Training Employees Strengthens Engagement and Performance." Liveabout, May 2019.
    Rennie, Michael, et al. McKinsey on Organization: Agility and Organization Design. McKinsey, May 2016.
    Roddy, Seamus. "The State of Small Business Employee Benefits in 2019." Clutch, 18 Apr. 2019.
    SHRM. "Developing Employee Career Paths and Ladders." SHRM, 28 Feb. 2020.
    Strandberg, Coro. Sustainability Talent Management: The New Business Imperative. Strandberg Consulting, Apr. 2015.
    Talent Management for Small & Medium-Size Businesses. Success Factors. Accessed 25 June 2020.
    "Top 10 IT Challenges Facing Small Business in 2019." Your IT Department, 8 Jan. 2019.
    "Why You Need Workforce Planning." Workforce.com, 24 Oct. 2022.

    In Case Of Emergency...

    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    1. Get people to safety efficiently by following the floor warden's information and get out if needed
      If there are no floor wardens, YOU take the initiative and alert people. Vacate the premises if you suspect danger.
      Err on the side of caution. Nobody ever got fired over keeping people safe.
    2. Get people to safety (yes! double check this)
    3. Check what is happening
    4. Stop the bleeding
    5. Check what you broke while stopping the bleeding
    6. Check if you need to go into DR mode
    7. Go into DR mode if that is the fastest way to restore the service
    8. Only now start to look deeper

    Notice what is missing in this list?

    • WHY did this happen?
    • WHO did what

    During the first reactions to an event, stick to the facts of what is happening and the symptoms. If the symptoms are bad, attend to people first, no matter the financial losses occurring.
    Remember that financial losses are typically insured. Human life is not. Only loss of income and ability to pay is insured! Not the person's life.

    The WHY, HOW, WHO and other root cause questions are asked in the aftermath of the incident and after you have stabilized the situation.
    In ITIL terms, those are Problem Management and Root Cause Analysis stage questions.

     

     

     

    Management, incident, reaction, emergency

    Satisfy Customer Requirements for Information Security

    • Buy Link or Shortcode: {j2store}259|cart{/j2store}
    • member rating overall impact: 9.0/10 Overall Impact
    • member rating average dollars saved: $247 Average $ Saved
    • member rating average days saved: 3 Average Days Saved
    • Parent Category Name: Governance, Risk & Compliance
    • Parent Category Link: /governance-risk-compliance
    • Your customers and potential customers are increasingly demanding assurance that you will meet their information security requirements.
    • Responding to these assurance demands requires ever more effort from the security team, which distracts them from their primary mission of protecting the organization.
    • Every customer seems to have their own custom security questionnaire they want you to complete, increasing the effort you have to expend to respond to them.

    Our Advice

    Critical Insight

    • Your security program can be a differentiator and help win and retain customers.
    • Value rank your customers to right-size the level of effort your security team dedicates to responding to questionnaires.
    • SOC 2 or ISO 27001 certification can be an important part of your security marketing, but only if you make the right business case.

    Impact and Result

    • CISOs need to develop a marketing strategy for their information security program.
    • Ensure that your security team dedicates the appropriate amount of effort to sales by value ranking your potential customers and aligning efforts to value.
    • Develop a business case for SOC 2 or ISO 27001 to determine if certification makes sense for your organization, and to gain support from key stakeholders.

    Satisfy Customer Requirements for Information Security Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should proactively satisfy customer requirements for information security, review Info-Tech’s methodology, and understand the ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Manage customer expectations for information security

    Identify your customers’ expectations for security and privacy, value rank your customers to right-size your efforts, and learn how to impress them with your information security program.

    • Satisfy Customer Requirements for Information Security – Phase 1: Manage Customer Expectations for Information Security

    2. Select a certification path

    Decide whether to obtain SOC 2 or ISO 27001 certification, and build a business case for certification.

    • Satisfy Customer Requirements for Information Security – Phase 2: Select a Certification Path
    • Security Certification Selection Tool
    • Security Certification Business Case Tool

    3. Obtain and maintain certification

    Develop your certification scope, prepare for the audit, and learn how to maintain your certification over time.

    • Satisfy Customer Requirements for Information Security – Phase 3: Obtain and Maintain Certification
    [infographic]

    2020 CIO Priorities Report

    • Buy Link or Shortcode: {j2store}97|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Innovation
    • Parent Category Link: /innovation
    • The velocity and magnitude of technology changes today has increased dramatically compared to anything that has come before.
    • The velocity and magnitude of advancements in technology has always seemed unprecedented in every wave of technology change we have experienced over the past 40 years. With each new wave of innovation, “unprecedented” is redefined to a new level, and so it remains true that today’s CIO is faced with unprecedented levels of change as a direct result of emerging technologies.
    • What is different today is that we are at the point where the emerging technology itself is now capable of accelerating the pace of change even more through artificial intelligence capabilities.
    • If we are to realize the business value through the adoption of emerging technologies, CIOs must address significant challenges. We believe addressing these challenges lies in the CIO priorities for 2020.

    Our Advice

    Critical Insight

    • First there was IT/business alignment, then there was IT/business integration – both states characterized as IT “getting on the same page” as the business. In the context of emerging technologies, the CIO should no longer be focused on getting on the same page as the CEO.
    • Today it is about the CEO and the CIO collaborating to write a new book about convergence of all things: technology (infrastructure and applications), people (including vendors), process, and data.
    • Digital transformation and adoption of emerging technologies is not a goal, it is a journey – a means to the end, not the end unto itself.

    Impact and Result

    • Use Info-Tech's 2020 CIO Priorities Report to ascertain, based on our research, what areas of focus for 2020 are critical for success in adopting emerging technologies.
    • Adopting these technologies requires careful planning and consideration for what is critical to your business customers.
    • This report provides focus on the business benefits of the technology and not just the capabilities themselves. It puts the CIO in a position to better understand the true value proposition of any of today’s technology advancements.

    2020 CIO Priorities Report Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to understand the top five priorities for CIOs in 2020 and why these are so critical to success.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Refine and adapt processes

    Learn about how processes can make or break your adoption of emerging technologies.

    • 2020 CIO Priorities Report – Priority 1: Refine and Adapt Processes

    2. Re-invent IT as collaboration engine

    Learn about how IT can transform its role within the organization to optimize business value.

    • 2020 CIO Priorities Report – Priority 2: Re-Invent IT as Collaboration Engine

    3. Acquire and retain talent for roles in emerging technologies

    Learn about how IT can attract and keep employees with the skills and knowledge needed to adopt these technologies for the business.

    • 2020 CIO Priorities Report – Priority 3: Acquire and Retain Talent for Roles in Emerging Technologies

    4. Define and manage cybersecurity and cyber resilience requirements related to emerging technologies

    Understand how the adoption of emerging technologies has created new levels of risk and how cybersecurity and resilience can keep pace.

    • 2020 CIO Priorities Report – Priority 4: Define and Manage Cybersecurity and Cyber Resilience Requirements Related to Emerging Technologies

    5. Leverage emerging technology to create Wow! customer experiences

    Learn how IT can leverage emerging technology for its own customers and those of its business partners.

    • 2020 CIO Priorities Report – Priority 5: Leverage Emerging Technology to Create Wow! Customer Experiences
    [infographic]

    Excel Through COVID-19 With a Focused Business Architecture

    • Buy Link or Shortcode: {j2store}604|cart{/j2store}
    • member rating overall impact: 10.0/10 Overall Impact
    • member rating average dollars saved: After each Info-Tech experience, we ask our members to quantify the real-time savings, monetary impact, and project improvements our research helped them achieve.
    • member rating average days saved: Read what our members are saying
    • Parent Category Name: Strategy & Operating Model
    • Parent Category Link: /strategy-and-operating-model
    • Business architecture, including value stream and business capability models, is the tool you need to reposition your organization for post-COVID-19 success.
    • Your business architecture model represents your strategic business components. It guides the development of all other architectures to enable new and improved business function.
    • Evaluating your current business architecture, or indeed rebuilding it, creates a foundation for facilitated discussions and target state alignment between IT and the senior C-suite.
    • New projects and initiatives during COVID-19 must evolve business architecture so that your front-line workers and your customers are supported through the resolution of the pandemic. Specifically, your projects and initiatives must be directly traced to evolving your architecture.
    • Business architecture anchors downstream architectural iterations and initiatives. Measure business capability enablement results directly from projects and initiatives using a business architecture model.

    Our Advice

    Critical Insight

    • Focus on your most disruptive, game-changing innovations that have been on the backburner for some time. Here you will find the ingredients for post-pandemic success.

    Impact and Result

    • Craft your business architecture model, aligned to the current climate, to refocus on your highest priority goals and increase your chances of post-COVID-19 excellence.

    Excel Through COVID-19 With a Focused Business Architecture Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Create minimum viable business architecture

    Create your minimum viable business architecture.

    • Excel Through COVID-19 With a Focused Business Architecture Storyboard
    • Excel Through COVID-19 With a Focused Business Architecture – Healthcare
    • Excel Through COVID-19 With a Focused Business Architecture – Higher Education
    • Excel Through COVID-19 With a Focused Business Architecture – Manufacturing
    • Business Capability Modeling

    2. Identify COVID-19 critical capabilities for your industry

    If there are a handful of capabilities that your business needs to focus on right now, what are they?

    3. Brainstorm COVID-19 business opportunities

    Identify business opportunities.

    4. Enrich capability model with COVID-19 opportunities

    Enrich your capability model.

    [infographic]

    Safety as a secondary consideration

    • Large vertical image:
    • member rating overall impact: Very High
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A

    This is a story that should make you perk up.

    I know of a department that was eager to launch their new product. The strain was severe. The board was breathing down their necks. Rivals were catching up (or so they thought).

    What did they do?

    "Let's get this thing live, prove the market wants it, then we'll circle back and handle all the security and stability backlog items." For the product owner, at the time, that seemed the right thing to do.

    They were hacked 48 hours after going live.

    Customer information was stolen. The brand's reputation suffered. The decision led to a months-long legal nightmare. And they still had to completely rebuild the system. Making stability and security bolt-on items is never a good idea.

    The true price of "fix it later"

    See, I understand. When the product owner is pressing for user experience enhancements and you're running out of time for launch, it's easy to overlook those "non-functional requirements." Yet, we should avoid blaming the product owner. The PO is under pressure from many stakeholders, and a delayed launch may also come with significant costs.

    Load balancing isn't visible to customers, after all. Penetration testing doesn't excite them. Failure mechanisms don't matter to them. This statement is true until a malfunction impacts a client. Then it suddenly becomes the most important thing in the world.

    However, I know that ignoring non-functional requirements (NFRs) can lead to failed businesses (or business lines). This elevates these issues beyond mere technical inconveniences. NFRs are designed with the client in mind.

    Look at it this way. When your system crashes during periods of high traffic, how does the user experience change? How satisfied are customers when their personal information is stolen? When it takes 30 seconds for your website to load, how does that conversion rate look?

    Let me expose you to some consultant figures. The average cost of IT outages is $5,600 per minute, according to a 2014 Gartner study. That figure can rise to $300,000 per hour for larger businesses. The reality is that in your department, you will rarely reach these numbers. When we look at current (2020-2025) and expected (2026) trends, the typical operational loss numbers in international commercial banking or insurance are closer to 100K for high-impact incidents that are handled within 2–3 hours.

    Obviously, your numbers will vary. And if you don't know what your costs are, now would be a good time to discover that. This does not imply that you should simply accept the risks associated with such situations. You must fix or mitigate such opportunities for hackers to get in. Do so at the appropriate cost for your business.

    Data breaches are a unique phenomenon. According to IBM's Cost of a Data Breach Report 2025, a data breach typically costs $4.44 million, and detecting and containing it takes an average of 241 days. Some preview data from the 2025 report include that 97% of organizations that reported on the study indicated that they lacked access controls for their AI systems. That means that many companies don't even have the basics in order. And AI-related breaches are just going to accelerate. AI security defenses will help lower the cost of such breaches.

    Despite the decreasing cost of these breaches, I anticipate an increase in their frequency in the upcoming years.

    This means that non-functional requirements in terms of security and resilience should take a more prominent place in the prioritizations. Your client depends on your systems being safe, resilient, and performant.

    The blind spot in leadership

    And yet, this is where some leaders make mistakes. I have the impression they believe that client-focused design means more functionality and elegant interfaces. They prioritize user experience enhancements over system reliability.

    I want to share a key fact that distinguishes successful businesses: customers desire more than just a good product. It must always function for them. And that means following certain procedures. They are not there to hamper you; they are there to retain customers.

    88% of online shoppers are less likely to visit a website again after a negative experience, according to research from Forrester. Amazon found that they lose 1% of sales for every 100 ms of latency. That 100 milliseconds adds up to millions of lost profits when billions of dollars are at stake.

    You run the risk of more than just technical difficulties when you deprioritize safety. Customer trust, revenue stability, competitive advantage, adherence to the law, costs, and team morale are all at stake.

    The "happy flow" trap is costing you revenue.

    Allow me to illustrate what I see happening during development cycles.

    The team tests the happy flow. The user successfully logs in. The user navigates with ease. The user makes the purchase without any problems. The user logs off without incident.

    "Excellent! Publish it!"

    However, what occurs if 1000 users attempt to log in at once? What occurs if an attempt is made to insert malicious code into your contact form? During a transaction, what happens if your database connection fails?

    These are not extreme situations. These are real-life occurrences.

    Fifty percent of data center managers and operators reported having an impactful outage in the previous three years, according to the Uptime Institute's 2025 Global Data Center Survey. Note that this is at the infra level. The biggest contributor is power outages. What role does power play in ensuring a smooth flow? Power will not always flow as you want it, so plan for lack of power and for spikes.

    With regard to software failures, the spread of possible causes widens. AI is a big contributor. AI is typically brought in to accelerate development and assist in coding. But it tends to introduce subtle bugs and vulnerabilities that a seasoned developer has to review and solve.

    Another upcoming article will discuss how faster release cycles often lead to a rush in testing. This should not be the case; by spending some time automating your (non-)regression test bank, you will gain speed. But you have to invest time in building the test suite.

    Can your system handle success? This question should keep every executive awake at night.

    I've witnessed businesses invest millions in advertising campaigns to drive traffic to systems that fail due to their success. Consider describing to your board how your greatest marketing victory became your worst operational mishap.

    Managing traffic spikes is only one aspect of load balancing. It is about ensuring that your business can handle opportunities without being overwhelmed.

    The mindset that transforms everything

    Let's now address the most pressing issue: security.

    The majority of leaders consider security to be like insurance, something you hope you never need. The fact that security is more than just protection, however, will alter the way you approach every project. It's approval to develop.

    According to the Ponemon Institute's 2025 Cost of Insider Threats Global Report, the average annualized cost of insider threats, defined as employee negligence, criminal insiders, and credential thieves, has risen to $17.4 million per incident, up from $15.4 million in 2022. The number of discovered and analyzed incidents increased from 3,269 in 2018 to 7,868 in 2025 research studies. 

    Cybersecurity Ventures predicts that cybercrime will cost the global economy $10.5 trillion annually by 2025.

    The most fascinating thing, though, is that companies that invest in proactive security see measurable outcomes. Organizations that allocate over 10% of their IT budget to cybersecurity have a 2.5-fold higher chance of experiencing no security incidents than those that allocate less than 1%, per Deloitte's Future of Cyber Survey.

    By hardening your systems against common attack vectors, you can scale quickly without worrying about the future. You can handle sensitive data with confidence, enter new markets without fear, establish partnerships that require trust, and focus on innovation instead of crisis management.

    The non-functional needs that genuinely generate income

    Allow me to explain this in a way that will satisfy your CFO.

    Retention is equal to reliability. Customers return when a system functions reliably (given you sell items they want). The Harvard Business Review claims that a 5% increase in customer retention rates boosts profits by 25% to 95%. It is five to twenty-five times less expensive to retain customers than to acquire new ones.

    Scalability is equal to security. Secure systems can handle larger client volumes, more sensitive data, and higher-value transactions. 69% of board members and C-suite executives think that privacy and cyber risks could affect their company's ability to grow, according to PwC.

    Profit is equal to performance. You lose conversions for every second of load time. Google discovered that the likelihood of a bounce rises by 32% as page load time increases from 1 to 3 seconds. It increases by 90% from 1 second to 5 seconds. Walmart discovered that every second improvement in page load time led to a 2% increase in conversions.

    Reputation is equal to resilience. Guess which company benefits when your system works while your competitors' systems fail? Failures reduce trust. 71% of consumers will actively advocate against companies they don't trust, and 67% of consumers will stop purchasing from them, according to Edelman's 2023 Trust Barometer. While the 2025 report does not present comparative numbers, distrust impacting consumer behavior is likely to be even more prevalent. 

    The structure that reverses the script

    Reframe this discussion with your executives and team

    • The question we should not ask is, "Can we afford to build this right?" but rather, "Can we afford not to?" This consideration is crucial because we risk losing customers at every obstacle they encounter. 
    • Non-functional requirements should be viewed as competitive advantages rather than obstructions. If it suddenly does not work, the customer walks away.
    • Consider viewing system reliability as a profit center instead of a cost center. When a customer knows it will work, they will order again and refer a friend.

    The numbers support this point. Businesses that invest in operational resilience see three times higher profit margins and 2.5 times higher revenue growth than their counterparts, according to McKinsey's 2023 State of Organizations report. In 2025 we see a focus on AI, but the point remains.

    These metrics will grab the attention when you're presenting them.

    Although the average cost of downtime varies by industry, it is always high. 

    The impact of a security breach on customer lifetime value is equally uncomfortable. Following a data breach, 78% of consumers will cease interacting with a brand online, and 36% will never do so again, according to Ping Identity's 2023 Consumer Identity Breach Report.

    Every second that the system is unavailable results in a rapidly mounting loss of money. That's about $3,170 per minute of full downtime for a business that makes $100 million a year. We're talking about $31,700 per minute for billion-dollar businesses. Again, your experience may differ, but it's important to note that this cost is often unseen yet undeniable. If you want to calculate this more granularly, then I have a calculation method for you that is easy to implement.

    There is a discernible trend in the cost of rebuilding versus building correctly the first time. Resolving a problem in production can cost four to five times as much as fixing it during design, and it can cost up to 100 times as much as fixing it during the requirements and design phase, according to IBM's Systems Sciences Institute.

    The plan of action that truly works

    This is what you should do right away.

    Please begin by reviewing your current primary systems. When they're under stress, what happens? What occurs if they are attacked? What occurs if they don't work? 40% of businesses that suffer a significant system failure never reopen, although only 23% of organizations have tested their disaster recovery plans in the previous year, according to Gartner. Companies we work with test their systems at least once per year. If the results are unsatisfactory, we conduct a retest to ensure they meet our standards.

    Next, please determine the actual cost of addressing issues at a later stage. Add in the costs of customer attrition, security breaches, downtime, and reconstruction. To lend credibility to your calculations, try to work out exact numbers for your company. Industry standards (like in this article) will give you indicators, but you need to know your figures.

    Third, recast your non-functional needs as business needs. Consider focusing on strategies for managing success rather than solely discussing load balancing. Instead of discussing security testing, focus on revenue protection.

    Fourth, consider safety when defining "done." Until a feature is dependable, secure, and scalable, it isn't considered complete. Projects that incorporate non-functional requirements from the outset have a threefold higher chance of success, per the Standish Group's 2023 Chaos Report.

    Fifth, use system dependability as a differentiator in the marketplace. You're up when your rivals are down. You're safe when they're compromised.

    The bottom line

    I understand that resilience isn't sexy. I am aware that UI enhancements are more exciting than infrastructure resilience.

    And yet, I know that businesses that prioritize safety will survive and lead after seeing others thrive and fail based on this one choice. Customers trust them. They are capable of scaling without breaking. Because they are confident that their systems can manage whatever comes next, they are the ones who get a good night's sleep.

    Resilient organizations are twice as likely to surpass customer satisfaction goals and are 2.5 times more likely to achieve revenue growth of 10% or more.

    Resilience represents the most significant competitive advantage. You have a choice. Just keep in mind that your clients are depending on you to do the job correctly.

    Always happy to engage in a conversation.

    Leadership, Culture and Values

    • Buy Link or Shortcode: {j2store}34|cart{/j2store}
    • Related Products: {j2store}34|crosssells{/j2store}
    • member rating overall impact: 9.4/10
    • member rating average dollars saved: $912
    • member rating average days saved: 7
    • Parent Category Name: People and Resources
    • Parent Category Link: /people-and-resources

    The challenge

    • Your talent pool determines IT performance and stakeholder satisfaction. You need to retain talent and continually motivate them to go the extra mile.
    • The market for IT talent is growing, in the sense that talent has many more options these days. Turnover is a serious threat to IT's ability to deliver top-notch service to your company.
    • Engagement is more than HR's responsibility. IT leadership is accountable for the retention of top talent and the overall productivity of IT employees.

    Our advice

    Insight

    • Engagement goes both ways. Your initiatives must address a real need, and employees must actively seek the outcomes. Engagement is not a management edict.
    • Engagement is not about access to the latest perks and gadgets. You must address the right and challenging issues. Use a systematic approach to find what lives among the employees and address these.
    • Your impact on your employees is many times bigger than HR's. Leverage your power to lead your team to success and peak performance.

    Impact and results 

    • Our engagement diagnostic and other tools will help get to the root of disengagement in your team.
    • Our guidance helps you to avoid common errors and engagement program pitfalls. They allow you to take control of your own team's engagement.

    The roadmap

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    Get started

    Our concise executive brief shows you why engagement is critical to IT performance in your company. We'll show you our methodology and the ways we can help you in handling this.

    Measure your employee engagement

    You can use our full engagement surveys.

    • Improve Employee Engagement to Drive IT Performance – Phase 1: Measure Employee Engagement (ppt)
    • Engagement Strategy Record (doc)
    • Engagement Communication Template (doc)

    Analyze the results and brainstorm solutions

    Understand your employees' engagement drivers. Involve your team in brainstorming engagement initiatives.

    • Improve Employee Engagement to Drive IT Performance – Phase 2: Analyze Results and Ideate Solutions (ppt)
    • Engagement Survey Results Interpretation Guide (ppt)
    • Full Engagement Survey Focus Group Facilitation Guide (ppt)
    • Pulse Engagement Survey Focus Group Facilitation Guide (ppt)
    • Focus Group Facilitation Guide Driver Definitions (doc)
    • One-on-One Manager Meeting Worksheet (doc)

    Select and implement engagement initiatives

    Choose those initiatives that show the most promise with the most significant impact. Create your action plan and establish transparent and open, and ongoing communication with your team.

    • IT Knowledge Transfer Plan Template (xls)
    • IT Knowledge Identification Interview Guide Template (doc)

    Build your knowledge transfer roadmap

    Knowledge transfer is an ongoing effort. Prioritize and define your initiatives.

    • Improve Employee Engagement to Drive IT Performance – Phase 3: Select and Implement Engagement Initiatives (ppt)
    • Summary of Interdepartmental Engagement Initiatives (doc)
    • Engagement Progress One-Pager (ppt)

     

    Build a Reporting and Analytics Strategy

    • Buy Link or Shortcode: {j2store}128|cart{/j2store}
    • member rating overall impact: 9.1/10 Overall Impact
    • member rating average dollars saved: $49,748 Average $ Saved
    • member rating average days saved: 28 Average Days Saved
    • Parent Category Name: Business Intelligence Strategy
    • Parent Category Link: /business-intelligence-strategy
    • In respect to business intelligence (BI) matureness, you can’t expect the whole organization to be at the same place at the same time. Your BI strategy needs to recognize this and should strive to align rather than dictate.
    • Technology is just one aspect of your BI and analytics strategy and is not a quick solution or a guarantee for long-term success.

    Our Advice

    Critical Insight

    • The BI strategy drives data warehouse and integration strategies and the data needed to support business decisions.
    • The solution to better BI often lies in improving the BI practice, not acquiring the latest and greatest tool.

    Impact and Result

    • Align BI with corporate vision, mission, goals, and strategic direction.
    • Understand the needs of business partners.
    • BI & analytics informs data warehouse and integration layers for required content, latency, and quality.

    Build a Reporting and Analytics Strategy Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should create or refresh the BI Strategy and review Info-Tech’s approach to developing a BI strategy that meets business needs.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Understand the business context and BI landscape

    Lay the foundation for the BI strategy by detailing key business information and analyzing current BI usage.

    • Build a Reporting and Analytics Strategy – Phase 1: Understand the Business Context and BI Landscape
    • BI Strategy and Roadmap Template
    • BI End-User Satisfaction Survey Framework

    2. Evaluate the current BI practice

    Assess the maturity level of the current BI practice and envision a future state.

    • Build a Reporting and Analytics Strategy – Phase 2: Evaluate the Current BI Practice
    • BI Practice Assessment Tool

    3. Create a BI roadmap for continuous improvement

    Create BI-focused initiatives to build an improvement roadmap.

    • Build a Reporting and Analytics Strategy – Phase 3: Create a BI Roadmap for Continuous Improvement
    • BI Initiatives and Roadmap Tool
    • BI Strategy and Roadmap Executive Presentation Template
    [infographic]

    Workshop: Build a Reporting and Analytics Strategy

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Establish Business Vision and Understand the Current BI Landscape

    The Purpose

    Document overall business vision, mission, and key objectives; assemble project team.

    Collect in-depth information around current BI usage and BI user perception.

    Create requirements gathering principles and gather requirements for a BI platform.

    Key Benefits Achieved

    Increased IT–business alignment by using the business context as the project starting point

    Identified project sponsor and project team

    Detailed understanding of trends in BI usage and BI perception of consumers

    Refreshed requirements for a BI solution

    Activities

    1.1 Gather key business information (overall mission, goals, objectives, drivers).

    1.2 Establish a high-level ROI.

    1.3 Identify ideal candidates for carrying out a BI project.

    1.4 Undertake BI usage analyses, BI user perception survey, and a BI artifact inventory.

    1.5 Develop requirements gathering principles and approaches.

    1.6 Gather and organize BI requirements

    Outputs

    Articulated business context that will guide BI strategy development

    ROI for refreshing the BI strategy

    BI project team

    Comprehensive summary of current BI usage that has quantitative and qualitative perspectives

    BI requirements are confirmed

    2 Evaluate Current BI Maturity and Identify the BI Patterns for the Future State

    The Purpose

    Define current maturity level of BI practice.

    Envision the future state of your BI practice and identify desired BI patterns.

    Key Benefits Achieved

    Know the correct migration method for Exchange Online.

    Prepare user profiles for the rest of the Office 365 implementation.

    Activities

    2.1 Perform BI SWOT analyses.

    2.2 Assess current state of the BI practice and review results.

    2.3 Create guiding principles for the future BI practice.

    2.4 Identify desired BI patterns and the associated BI functionalities/requirements.

    2.5 Define the future state of the BI practice.

    2.6 Establish the critical success factors for the future BI, identify potential risks, and create a mitigation plan.

    Outputs

    Exchange migration strategy

    Current state of BI practice is documented from multiple perspectives

    Guiding principles for future BI practice are established, along with the desired BI patterns linked to functional requirements

    Future BI practice is defined

    Critical success factors, potential risks, and a risk mitigation plan are defined

    3 Build Improvement Initiatives and Create a BI Development Roadmap

    The Purpose

    Build overall BI improvement initiatives and create a BI improvement roadmap.

    Identify supplementary initiatives for enhancing your BI program.

    Key Benefits Achieved

    Defined roadmap composed of robust improvement initiatives

    Activities

    3.1 Create BI improvement initiatives based on outputs from phase 1 and 2 activities. Build an improvement roadmap.

    3.2 Build an improvement roadmap.

    3.3 Create an Excel governance policy.

    3.4 Create a plan for a BI ambassador network.

    Outputs

    Comprehensive BI initiatives placed on an improvement roadmap

    Excel governance policy is created

    Internal BI ambassadors are identified

    Further reading

    Build a Reporting and Analytics Strategy

    Deliver actionable business insights by creating a business-aligned reporting and analytics strategy.

    Terminology

    As the reporting and analytics space matured over the last decade, software suppliers used different terminology to differentiate their products from others’. This caused a great deal of confusion within the business communities.

    Following are two definitions of the term Business Intelligence:

    Business intelligence (BI) leverages software and services to transform data into actionable insights that inform an organization’s strategic and tactical business decisions. BI tools access and analyze data sets and present analytical findings in reports, summaries, dashboards, graphs, charts, and maps to provide users with detailed intelligence about the state of the business.

    The term business intelligence often also refers to a range of tools that provide quick, easy-to-digest access to insights about an organization's current state, based on available data.

    CIO Magazine

    Business intelligence (BI) comprises the strategies and technologies used by enterprises for the data analysis of business information. BI technologies provide historical, current, and predictive views of business operations.

    Common functions of business intelligence technologies include reporting, online analytical processing, analytics, data mining, process mining, complex event processing, business performance management, benchmarking, text mining, predictive analytics, and prescriptive analytics.

    Wikipedia

    This blueprint will use the terms “BI,” “BI and Analytics,” and “Reporting and Analytics” interchangeably in different contexts, but always in compliance to the above definitions.

    ANALYST PERSPECTIVE

    A fresh analytics & reporting strategy enables new BI opportunities.

    We need data to inform the business of past and current performance and to support strategic decisions. But we can also drown in a flood of data. Without a clear strategy for business intelligence, a promising new solution will produce only noise.

    BI and Analytics teams must provide the right quantitative and qualitative insights for the business to base their decisions on.

    Your Business Intelligence and Analytics strategy must support the organization’s strategy. Your strategy for BI & Analytics provides direction and requirements for data warehousing and data integration, and further paves the way for predictive analytics, big data analytics, market/industry intelligence, and social network analytics.

    Dirk Coetsee,

    Director, Data and Analytics Info-Tech Research Group

    Our understanding of the problem

    This Research is Designed For:

    • A CIO or Business Unit (BU) Leader looking to improve reporting and analytics, reduce time to information, and embrace fact-based decision making with analytics, reporting, and business intelligence (BI).
    • Application Directors experiencing poor results from an initial BI tool deployment who are looking to improve the outcome.

    This Research Will Also Assist:

    • Project Managers and Business Analysts assigned to a BI project team to collect and analyze requirements.
    • Business units that have their own BI platforms and would like to partner with IT to take their BI to an enterprise level.

    This Research Will Help You:

    • Align your reporting and analytics strategy with the business’ strategic objectives before you rebuild or buy your Business Intelligence platform.
    • Identify reporting and analytics objectives to inform the data warehouse and integration requirements gathering process.
    • Avoid common pitfalls that derail BI and analytic deployments and lower their adoption.
    • Identify Business Intelligence gaps prior to deployment and incorporate remedies within your plans.

    This Research Will Help Them:

    • Recruit the right resources for the program.
    • Align BI with corporate vision, mission, goals, and strategic direction.
    • Understand the needs of business partners.
    • Assess BI maturity and plan for target state.
    • Develop a BI strategy and roadmap.
    • Track the success of the BI initiative.

    Executive summary

    Situation:

    BI drives a new reality. Uber is the world’s largest taxi company and they own no vehicles; Alibaba is the world’s most valuable retailer and they have no inventory; Airbnb is the world’s largest accommodation provider and they own no real estate. How did they disrupt their markets and get past business entry barriers? A deep understanding of their market through impeccable business intelligence!

    Complication:

    • In respect to BI matureness, you can’t expect the whole organization to be at the same place at the same time. Your BI strategy needs to recognize this and should strive to align rather than dictate.
    • Technology is just one aspect of your BI and Analytics strategy and is not a quick solution or a guarantee for long term success.

    Resolution:

    • Drive strategy development by establishing the business context upfront in order to align business intelligence providers with the most important needs of their BI consumers and the strategic priorities of the organization.
    • Revamp or create a BI strategy to update your BI program to make it fit for purpose.
    • Understand your existing BI baggage – e.g. your existing BI program, the artifacts generated from the program, and the users it supports. Those will inform the creation of the strategy and roadmap.
    • Assess current BI maturity and determine your future state BI maturity.
    • BI needs governance to ensure consistent planning, communication, and execution of the BI strategy.
    • Create a network of BI ambassadors across the organization to promote BI.
    • Plan for the future to ensure that required data will be available when the organization needs it.

    Info-Tech Insight

    1. Put the “B” back in BI. Don’t have IT doing BI for IT’s sake; ensure the voice and needs of the business are the primary drivers of your strategy.
    2. The BI strategy drives data warehouse and integration strategies and the data needs to support business decisions.
    3. Go beyond the platform. The solution to better BI often lies in improving the BI practice, not acquiring the latest and greatest tool.

    Metrics to track BI & Analytical program progress

    Goals for BI:

    • Understand business context and needs. Identify business processes that can leverage BI.
    • Define the Reporting & Analytics Roadmap. Develop data initiatives, and create a strategy and roadmap for Business Intelligence.
    • Continuous improvements. Your BI program is evolving and improving over time. The program should allow you to have faster, better, and more comprehensive information.

    Info-Tech’s Suggested Metrics for Tracking the BI Program

    Practice Improvement Metrics Data Collection and Calculation Expected Improvement
    Program Level Metrics Efficiency
    • Time to information
    • Self-service penetration
    • Derive from the ticket management system
    • Derive from the BI platform
    • 10% reduction in time to information
    • Achieve 10-15% self-service penetration
    • Effectiveness
    • BI Usage
    • Data quality
    • Derive from the BI platform
    • Data quality perception
    • Majority of the users use BI on a daily basis
    • 15% increase in data quality perception
    Comprehensiveness
    • # of integrated datasets
    • # of strategic decisions made
    • Derive from the data integration platform
    • Decision-making perception
    • Onboard 2-3 new data domains per year
    • 20% increase in decision-making perception

    Intangible Metrics:

    Tap into the results of Info-Tech’s CIO Business Vision diagnostic to monitor the changes in business-user satisfaction as you implement the initiatives in your BI improvement roadmap.

    Your Enterprise BI and Analytics Strategy is driven by your organization’s Vision and Corporate Strategy

    Formulating an Enterprise Reporting and Analytics Strategy requires the business vision and strategies to first be substantiated. Any optimization to the Data Warehouse, Integration and Source layer is in turn driven by the Enterprise Reporting and Analytics Strategy

    Flow chart showing 'Business Vision Strategies'

    The current state of your Integration and Warehouse platforms determine what data can be utilized for BI and Analytics

    Where we are, and how we got here

    How we got here

    • In the beginning was BI 1.0. Business intelligence began as an IT-driven centralized solution that was highly governed. Business users were typically the consumers of reports and dashboards created by IT, an analytics-trained minority, upon request.
    • In the last five to ten years, we have seen a fundamental shift in the business intelligence and analytics market, moving away from such large-scale, centralized IT-driven solutions focused on basic reporting and administration, towards more advanced user-friendly data discovery and visualization platforms. This has come to be known as BI 2.0.
    • Many incumbent market leaders were disrupted by the demand for more user-friendly business intelligence solutions, allowing “pure-play” BI software vendors to carve out a niche and rapidly expand into more enterprise environments.
    • BI-on-the-cloud has established itself as a solid alternative to in-house implementation and operation.

    Where we are now

    • BI 3.0 has arrived. This involves the democratization of data and analytics and a predominantly app-centric approach to BI, identifiable by an anywhere, anytime, and device-or-platform-independent collaborative methodology. Social workgroups and self-guided content creation, delivery, analysis, and management is prominent.
    • Where the need for reporting and dashboards remains, we’re seeing data discovery platforms fulfilling the needs of non-technical business users by providing easy-to-use interactive solutions to increase adoption across enterprises.
    • With more end users demanding access to data and the tools to extract business insights, IT is looking to meet these needs while continuing to maintain governance and administration over a much larger base of users. The race for governed data discovery is heated and will be a market differentiator.
    • The next kid on the block is Artificial Intelligence that put further demands on data quality and availability.

    RICOH Canada used this methodology to develop their BI strategy in consultation with their business stakeholders

    CASE STUDY

    Industry: Manufacturing and Retail

    Source: RICOH

    Ricoh Canada transforms the way people work with breakthrough technologies that help businesses innovate and grow. Its focus has always been to envision what the future will look like so that it can help its customers prepare for success. Ricoh empowers digital workplaces with a broad portfolio of services, solutions, and technologies – helping customers remove obstacles to sustained growth by optimizing the flow of information and automating antiquated processes to increase workplace productivity. In their commitment towards a customer-centric approach, Ricoh Canada recognized that BI and analytics can be used to inform business leaders in making strategic decisions.

    Enterprise BI and analytics Initiative

    Ricoh Canada enrolled in the ITRG Reporting & Analytics strategy workshop with the aim to create a BI strategy that will allow the business to harvest it strengths and build for the future. The workshop acted as a forum for the different business units to communicate, share ideas, and hear from each other what their pains are and what should be done to provide a full customer 360 view.

    Results

    “This workshop allowed us to collectively identify the various stakeholders and their unique requirements. This is a key factor in the development of an effective BI Analytics tool.” David Farrar

    The Customer 360 Initiative included the following components

    The Customer 360 Initiative includes the components shown in the image

    Improve BI Adoption Rates

    Graph showing Product Adoption Rates

    Sisense

    Reasons for low BI adoption

    • Employees that never used BI tools are slow to adopt new technology.
    • Lack of trust in data leads to lack of trust in the insights.
    • Complex data structures deter usage due to long learning curves and contained nuances.
    • Difficult to translate business requirements into tool linguistics due to lack of training or technical ineptness.
    • Business has not taken ownership of data, which affects access to data.

    How to foster BI adoption

    • Senior management proclaim data as a strategic asset and involved in the promotion of BI
    • Role Requirement that any business decision should be backed up by analytics
    • Communication of internal BI use case studies and successes
    • Exceptional data lineage to act as proof for the numbers
    • A Business Data glossary with clearly defined business terms. Use the Business Data Glossary in conjunction with data lineage and semantic layers to ensure that businesses are clearly defined and traced to sources.
    • Training in business to take ownership of data from inception to analytics.

    Why bother with analytics?

    In today’s ever-changing and global environment, organizations of every size need to effectively leverage their data assets to facilitate three key business drivers: customer intimacy, product/service innovation, and operational excellence. Plus, they need to manage their operational risk efficiently.

    Investing in a comprehensive business intelligence strategy allows for a multidimensional view of your organization’s data assets that can be operationalized to create a competitive edge:

    Historical Data

    Without a BI strategy, creating meaningful reports for business users that highlight trends in past performance and draw relationships between different data sources becomes a more complex task. Also, the ever growing need to identify and assess risks in new ways is driving many companies to BI.

    Data Democracy

    The core purpose of BI is to provide the right data, to the right users, at the right time, and in a format that is easily consumable and actionable. In developing a BI strategy, remember the driver for managed cross-functional access to data assets and features such as interactive dashboards, mobile BI, and self-service BI.

    Predictive and Big Data Analytics

    As the volume, variety, and velocity of data increases rapidly, businesses will need a strategy to outline how they plan to consume the new data in a manner that does not overwhelm their current capabilities and aligns with their desired future state. This same strategy further provides a foundation upon which organizations can transition from ad hoc reporting to using data assets in a codified BI platform for decision support.

    Business intelligence serves as the layer that translates data, information, and organizational knowledge into insights

    As executive decision making shifts to more fact-based, data-driven thinking, there is an urgent need for data assets to be organized and presented in a manner that enables immediate action.

    Typically, business decisions are based on a mix of intuition, opinion, emotion, organizational culture, and data. Though business users may be aware of its potential value in driving operational change, data is often viewed as inaccessible.

    Business intelligence bridges the gap between an organization’s data assets and consumable information that facilitates insight generation and informed decision making.

    Most organizations realize that they need a BI strategy; it’s no longer a nice-to-have, it’s a must-have.

    – Albert Hui, Principal, Data Economist

    A triangle grapg depicting the layers of business itelligence

    Business intelligence and business analytics: what is the difference and should you care

    Ask 100 people and you will get 100 answers. We like the prevailing view that BI looks at today and backward for improving who we are, while BA is forward-looking to support change decisions.

    The image depicts a chart flowing from Time Past to Future. Business Intelligence joins with Business Analytics over the Present
    • Business intelligence is concerned with looking at present and historical data.
    • Use this data to create reports/dashboards to inform a wide variety of information consumers of the past and current state of affairs.
    • Almost all organizations, regardless of size and maturity, use some level of BI even if it’s just very basic reporting.
    • Business analytics, on the other hand, is a forward-facing use of data, concerned with the present to the future.
    • Analytics uses data to both describe the present, and more importantly, predict the future, enabling strategic business decisions.
    • Although adoption is rapidly increasing, many organizations still do not utilize any advanced analytics in their environment.

    However, establishing a strong business intelligence program is a necessary precursor to an organization’s development of its business analytics capabilities.

    Organizations that successfully grow their BI capabilities are reaping the rewards

    Evidence is piling up: if planned well, BI contributes to the organization’s bottom line.

    It’s expected that there will be nearly 45 billion connected devices and a 42% increase in data volume each year posing a high business opportunity for the BI market (BERoE, 2020).

    The global business intelligence market size to grow from US$23.1 billion in 2020 to US$33.3 billion by 2025, at a compound annual growth rate (CAGR) of 7.6% (Global News Wire, 2020)

    In the coming years, 69% of companies plan on increasing their cloud business intelligence usage (BARC Research and Eckerson Group Study, 2017).

    Call to Action

    Small organizations of up to 100 employees had the highest rate of business intelligence penetration last year (Forbes, 2018).

    Graph depicting business value from 0 months to more than 24 months

    Source: IBM Business Value, 2015

    For the New England Patriots, establishing a greater level of customer intimacy was driven by a tactical analytics initiative

    CASE STUDY

    Industry: Professional Sports

    Source Target Marketing

    Problem

    Despite continued success as a franchise with a loyal fan base, the New England Patriots experienced one of their lowest season ticket renewal rates in over a decade for the 2009 season. Given the numerous email addresses that potential and current season-ticket holders used to engage with the organization, it was difficult for Kraft Sports Group to define how to effectively reach customers.

    Turning to a Tactical Analytics Approach

    Kraft Sports Group turned to the customer data that it had been collecting since 2007 and chose to leverage analytics in order to glean insight into season ticket holder behavior. By monitoring and reporting on customer activity online and in attendance at games, Kraft Sports Group was able to establish that customer engagement improved when communication from the organization was specifically tailored to customer preferences and historical behavior.

    Results

    By operationalizing their data assets with the help of analytics, the Patriots were able to achieve a record 97% renewal rate for the 2010 season. KSG was able to take their customer engagement to the next level and proactively look for signs of attrition in season-ticket renewals.

    We're very analytically focused and I consider us to be the voice of the customer within the organization… Ultimately, we should know when renewal might not happen and be able to market and communicate to change that behavior.

    – Jessica Gelman,

    VP Customer Marketing and Strategy, Kraft Sports Group

    A large percentage of all BI projects fail to meet the organization’s needs; avoid falling victim to common pitfalls

    Tool Usage Pitfalls

    • Business units are overwhelmed with the amount and type of data presented.
    • Poor data quality erodes trust, resulting in a decline in usage.
    • Analysis performed for the sake of analysis and doesn’t focus on obtaining relevant business-driven insights.

    Selection Pitfalls

    • Inadequate requirements gathering.
    • No business involvement in the selection process.
    • User experience is not considered.
    • Focus is on license fees and not total cost.

    Implementation Pitfalls

    • Absence of upfront planning
    • Lack of change management to facilitate adoption of the new platform
    • No quick wins that establish the value of the project early on
    • Inadequate initial or ongoing training

    Strategic Pitfalls

    • Poor alignment of BI goals with organization goals
    • Absence of CSFs/KPIs that can measure the qualitative and quantitative success of the project
    • No executive support during or after the project

    BI pitfalls are lurking around every corner, but a comprehensive strategy drafted upfront can help your organization overcome these obstacles. Info-Tech’s approach to BI has involvement from the business units built right into the process from the start and it equips IT to interact with key stakeholders early and often.

    Only 62% of Big Data and AI projects in 2019 provided measurable results.

    Source: NewVantage Partners LLC

    Business and IT have different priorities for a BI tool

    Business executives look for:

    • Ease of use
    • Speed and agility
    • Clear and concise information
    • Sustainability

    IT professionals are concerned about:

    • Solid security
    • Access controls on data
    • Compliance with regulations
    • Ease of integration

    Info-Tech Insight

    Combining these priorities will lead to better tool selection and more synergy.

    Elizabeth Mazenko

    The top-down BI Opportunity Analysis is a tool for senior executives to discover where Business Intelligence can provide value

    The image is of a top-down BI Opportunity Analysis.

    Example: Uncover BI opportunities with an opportunity analysis

    Industry Drivers Private label Rising input prices Retail consolidation
    Company strategies Win at supply chain execution Win at customer service Expand gross margins
    Value disciplines Strategic cost management Operational excellence Customer service
    Core processes Purchasing Inbound logistics Sales, service & distribution
    Enterprise management: Planning, budgeting, control, process improvement, HR
    BI Opportunities Customer service analysis Cost and financial analysis Demand management

    Williams (2016)

    Bridge the gap between business drivers and business intelligence features with a three-tiered framework

    Info-Tech’s approach to formulating a fit-for-purpose BI strategy is focused on making the link between factors that are the most important to the business users and the ways that BI providers can enable those consumers.

    Drivers to Establish Competitive Advantage

    • Operational Excellence
    • Client Intimacy
    • Innovation

    BI and Analytics Spectrum

    • Strategic Analytics
    • Tactical Analytics
    • Operational Analytics

    Info-Tech’s BI Patterns

    • Delivery
    • User Experience
    • Deep Analytics
    • Supporting

    This is the content for Layout H3 Tag

    Though business intelligence is primarily thought of as enabling executives, a comprehensive BI strategy involves a spectrum of analytics that can provide data-driven insight to all levels of an organization.

    Recommended

    Strategic Analytics

    • Typically focused on predictive modeling
    • Leverages data integrated from multiple sources (structured through unstructured)
    • Assists in identifying trends that may shift organizational focus and direction
    • Sample objectives:
      • Drive market share growth
      • Identify new markets, products, services, locations, and acquisitions
      • Build wider and deeper customer relationships earning more wallet share and keeping more customers

    Tactical Analytics

    • Often considered Response Analytics and used to react to situations that arise, or opportunities at a department level.
    • Sample objectives:
      • Staff productivity or cost analysis
      • Heuristics/algorithms for better risk management
      • Product bundling and packaging
      • Customer satisfaction response techniques

    Operational Analytics

    • Analytics that drive business process improvement whether internal, with external partners, or customers.
    • Sample objectives:
      • Process step elimination
      • Best opportunities for automation

    Business Intelligence Terminology

    Styles of BI New age BI New age data Functional Analytics Tools
    Reporting Agile BI Social Media data Performance management analytics Scorecarding dashboarding
    Ad hoc query SaaS BI Unstructured data Financial analytics Query & reporting
    Parameterized queries Pervasive BI Mobile data Supply chain analytics Statistics & data mining
    OLAP Cognitive Business Big data Customer analytics OLAP cubes
    Advanced analytics Self service analytics Sensor data Operations analytics ETL
    Cognitive business techniques Real-time Analytics Machine data HR Analytics Master data management
    Scorecards & dashboards Mobile Reporting & Analytics “fill in the blanks” analytics Data Governance

    Williams (2016)

    "BI can be confusing and overwhelming…"

    – Dirk Coetsee,

    Research Director,

    Info-Tech Research Group

    Business intelligence lies in the Information Dimensions layer of Info-Tech’s Data Management Framework

    The interactions between the information dimensions and overlying data management enablers such as data governance, data architecture, and data quality underscore the importance of building a robust process surrounding the other data practices in order to fully leverage your BI platform.

    Within this framework BI and analytics are grouped as one lens through which data assets at the business information level can be viewed.

    The image is the Information Dimensions layer of Info-Tech’s Data Management Framework

    Use Info-Tech’s three-phase approach to a Reporting & Analytics strategy and roadmap development

    Project Insight

    A BI program is not a static project that is created once and remains unchanged. Your strategy must be treated as a living platform to be revisited and revitalized in order to effectively enable business decision making. Develop a reporting and analytics strategy that propels your organization by building it on business goals and objectives, as well as comprehensive assessments that quantitatively and qualitatively evaluate your current reporting and analytical capabilities.

    Phase 1: Understand the Business Context and BI Landscape Phase 2: Evaluate Your Current BI Practice Phase 3: Create a BI Roadmap for Continuous Improvement
    1.1 Establish the Business Context
    • Business Vision, Goals, Key Drivers
    • Business Case Presentation
    • High-Level ROI
    2.1 Assess Your Current BI Maturity
    • BI Practice Assessment
    • Summary of Current State
    3.1 Construct a BI Initiative Roadmap
    • BI Improvement Initiatives
    • RACI
    • BI Strategy and Roadmap
    1.2 Assess Existing BI Environment
    • BI Perception Survey Framework
    • Usage Analyses
    • BI Report Inventory
    2.2 Envision BI Future State
    • BI Style Requirements
    • BI Practice Assessment
    3.2 Plan for Continuous Improvement
    • Excel/Access Governance Policy
    • BI Ambassador Network Draft
    1.3 Develop BI Solution Requirements
    • Requirements Gathering Principles
    • Overall BI Requirements

    Stand on the shoulders of Information Management giants

    As part of our research process, we leveraged the frameworks of COBIT5, Mike 2.0, and DAMA DMBOK2. Contextualizing business intelligence within these frameworks clarifies its importance and role and ensures that our assessment tool is focused on key priority areas.

    The DMBOK2 Data Management framework by the Data Asset Management Association (DAMA) provided a starting point for our classification of the components in our IM framework.

    Mike 2.0 is a data management framework that helped guide the development of our framework through its core solutions and composite solutions.

    The Cobit 5 framework and its business enablers were used as a starting point for assessing the performance capabilities of the different components of information management, including business intelligence.

    Info-Tech has a series of deliverables to facilitate the evolution of your BI strategy

    BI Strategy Roadmap Template

    BI Practice Assessment Tool

    BI Initiatives and Roadmap Tool

    BI Strategy and Roadmap Executive Presentation Template

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit Guided Implementation Workshop Consulting
    “Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.” “Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.” “We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.” “Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”

    Diagnostics and consistent frameworks used throughout all four options

    Build a Reporting and Analytics Strategy – Project Overview

    1. Understand the Business Context and BI Landscape 2. Evaluate the Current BI Practice 3. Create a BI Roadmap for Continuous Improvement
    Best-Practice Toolkit

    1.1 Document overall business vision, mission, industry drivers, and key objectives; assemble a project team

    1.2 Collect in-depth information around current BI usage and BI user perception

    1.3 Create requirements gathering principles and gather requirements for a BI platform

    2.1 Define current maturity level of BI practice

    2.2 Envision the future state of your BI practice and identify desired BI patterns

    3.1 Build overall BI improvement initiatives and create a BI improvement roadmap

    3.2 Identify supplementary initiatives for enhancing your BI program

    Guided Implementations
    • Discuss Info-Tech’s approach for using business information to drive BI strategy formation
    • Review business context and discuss approaches for conducting BI usage and user analyses
    • Discuss strategies for BI requirements gathering
    • Discuss BI maturity model
    • Review practice capability gaps and discuss potential BI patterns for future state
    • Discuss initiative building
    • Review completed roadmap and next steps
    Onsite Workshop Module 1:

    Establish Business Vision and Understand the Current BI Landscape

    Module 2:

    Evaluate Current BI Maturity Identify the BI Patterns for the Future State

    Module 3:

    Build Improvement Initiatives and Create a BI Development Roadmap

    Phase 1 Outcome:
    • Business context
    • Project team
    • BI usage information, user perception, and new BI requirements
    Phase 2 Outcome:
    • Current and future state assessment
    • Identified BI patterns
    Phase 3 Outcome:
    • BI improvement strategy and initiative roadmap

    Workshop overview

    Contact your account representative or email Workshops@InfoTech.com for more information.

    Workshop Day 1 Workshop Day 2 Workshop Day 3 Workshop Day 4
    Activities

    Understand Business Context and Structure the Project

    1.1 Make the case for a BI strategy refresh.

    1.2 Understand business context.

    1.3 Determine high-level ROI.

    1.4 Structure the BI strategy refresh project.

    Understand Existing BI and Revisit Requirements

    2.1 Understand the usage of your existing BI.

    2.2 Gather perception of the current BI users.

    2.3 Document existing information artifacts.

    2.4 Develop a requirements gathering framework.

    2.5 Gather requirements.

    Revisit Requirements and Current Practice Assessment

    3.1 Gather requirements.

    3.2 Determine BI Maturity Level.

    3.3 Perform a SWOT for your existing BI program.

    3.4 Develop a current state summary.

    Roadmap Develop and Plan for Continuous Improvements

    5.1 Develop BI strategy.

    5.2 Develop a roadmap for the strategy.

    5.3 Plan for continuous improvement opportunities.

    5.4 Develop a re-strategy plan.

    Deliverables
    1. Business and BI Vision, Goals, Key Drivers
    2. Business Case Presentation
    3. High-Level ROI
    4. Project RACI
    1. BI Perception Survey
    2. BI Requirements Gathering Framework
    3. BI User Stories and Requirements
    1. BI User Stories and Requirements
    2. BI SWOT for your Current BI Program
    3. BI Maturity Level
    4. Current State Summary
    1. BI Strategy
    2. Roadmap accompanying the strategy with timeline
    3. A plan for improving BI
    4. Strategy plan

    Phase 2

    Understand the Business Context and BI Landscape

    Build a Reporting and Analytics Strategy

    Phase 1 overview

    Detailed Overview

    Step 1: Establish the business context in terms of business vision, mission, objectives, industry drivers, and business processes that can leverage Business Intelligence

    Step 2: Understand your BI Landscape

    Step 3: Understand business needs

    Outcomes

    • Clearly articulated high-level mission, vision, and key drivers from the business, as well as objectives related to business intelligence.
    • In-depth documentation regarding your organization’s BI usage, user perception, and outputs.
    • Consolidated list of requirements, existing and desired, that will direct the deployment of your BI solution.

    Benefits

    • Align business context and drivers with IT plans for BI and Analytics improvement.
    • Understand your current BI ecosystem’s performance.

    Understand your business context and BI landscape

    Phase 1 Overarching Insight

    The closer you align your new BI platform to real business interests, the stronger the buy-in, realized value, and groundswell of enthusiastic adoption will be. Get this phase right to realize a high ROI on your investment in the people, processes, and technology that will be your next generation BI platform.

    Understand the Business Context to Rationalize Your BI Landscape Evaluate Your Current BI Practice Create a BI Roadmap for Continuous Improvement
    Establish the Business Context
    • Business Vision, Goals, Key Drivers
    • Business Case Presentation
    • High-Level ROI
    Assess Your Current BI Maturity
    • SWOT Analysis
    • BI Practice Assessment
    • Summary of Current State
    Construct a BI Initiative Roadmap
    • BI Improvement Initiatives
    • BI Strategy and Roadmap
    Access Existing BI Environment
    • BI Perception Survey Framework
    • Usage Analyses
    • BI Report Inventory
    Envision BI Future State
    • BI Patterns
    • BI Practice Assessment
    • List of Functions
    Plan for Continuous Improvement
    • Excel Governance Policy
    • BI Ambassador Network Draft
    Undergo Requirements Gathering
    • Requirements Gathering Principles
    • Overall BI Requirements

    Track these metrics to measure your progress through Phase 1

    Goals for Phase 1:

    • Understand the business context. Determine if BI can be used to improve business outcomes by identifying benefits, costs, opportunities, and gaps.
    • Understand your existing BI. Plan your next generation BI based on a solid understanding of your existing BI.
    • Identify business needs. Determine the business processes that can leverage BI and Analytics.

    Info-Tech’s Suggested Metrics for Tracking Phase 1 Goals

    Practice Improvement Metrics Data Collection and Calculation Expected Improvement
    Monetary ROI
    • Quality of the ROI
    • # of user cases, benefits, and costs quantified
    Derive the number of the use cases, benefits, and costs in the scoping. Ask business SMEs to verify the quality. High-quality ROI studies are created for at least three use cases
    Response Rate of the BI Perception Survey Sourced from your survey delivery system Aim for 40% response rate
    # of BI Reworks Sourced from your project management system Reduction of 10% in BI reworks

    Intangible Metrics:

    1. Executives’ understanding of the BI program and what BI can do for the organization.
    2. Improved trust between IT and the business by re-opening the dialogue.
    3. Closer alignment with the organization strategy and business plan leading to higher value delivered.
    4. Increased business engagement and input into the Analytics strategy.

    Use advisory support to accelerate your completion of Phase 1 activities

    Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

    Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of two to three advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

    Guided Implementation 1: Understand the Business Context and BI Landscape

    Proposed Time to Completion: 2-4 weeks

    Step 1.0: Assemble Your Project Team

    Start with an analyst kick-off call:

    • Discuss Info-Tech’s viewpoint and definitions of business intelligence.
    • Discuss the project sponsorship, ideal team members and compositions.

    Then complete these activities…

    • Identify a project sponsor and the project team members.

    Step 1.1: Understand Your Business Context

    Start with an analyst kick-off call:

    • Discuss Info-Tech’s approach to BI strategy development around using business information as the key driver.

    Then complete these activities…

    • Detail the business context (vision, mission, goals, objectives, etc.).
    • Establish business–IT alignment for your BI strategy by detailing the business context.

    Step 1.2: Establish the Current BI Landscape

    Review findings with analyst:

    • Review the business context outputs from Step 1.1 activities.
    • Review Info-Tech’s approach for documenting your current BI landscape.
    • Review the findings of your BI landscape.

    Then complete these activities…

    • Gather information on current BI usage and perform a BI artifact inventory.
    • Construct and conduct a user perception survey.

    With these tools & templates:

    BI Strategy and Roadmap Template

    Step 1.0

    Assemble the Project Team

    Select a BI project sponsor

    Info-Tech recommends you select a senior executive with close ties to BI be the sponsor for this project (e.g. CDO, CFO or CMO). To maximize the chance of success, Info-Tech recommends you start with the CDO, CMO, CFO, or a business unit (BU) leader who represents strategic enterprise portfolios.

    Initial Sponsor

    CFO or Chief Risk Officer (CRO)

    • The CFO is responsible for key business metrics and cost control. BI is on the CFO’s radar as it can be used for both cost optimization and elimination of low-value activity costs.
    • The CRO is tasked with the need to identify, address, and when possible, exploit risk for business security and benefit.
    • Both of these roles are good initial sponsors but aren’t ideal for the long term.

    CDO or a Business Unit (BU) Leader

    • The CDO (Chief Data Officer) is responsible for enterprise-wide governance and utilization of information as an asset via data processing, analysis, data mining, information trading, and other means, and is the ideal sponsor.
    • BU leaders who represent a growth engine for a company look for ways to mine BI to help set direction.

    Ultimate Sponsor

    CEO

    • As a the primary driver of enterprise-wide strategy, the CEO is the ideal evangelist and project sponsor for your BI strategy.
    • Establishing a CEO–CIO partnership helps elevate IT to the level of a strategic partner, as opposed to the traditional view that IT’s only job is to “keep the lights on.”
    • An endorsement from the CEO may make other C-level executives more inclined to work with IT and have their business unit be the starting point for growing a BI program organically.

    "In the energy sector, achieving production KPIs are the key to financial success. The CFO is motivated to work with IT to create BI applications that drive higher revenue, identify operational bottlenecks, and maintain gross margin."

    – Yogi Schulz, Partner, Corvelle Consulting

    Select a BI project team

    Create a project team with the right skills, experience, and perspectives to develop a comprehensive strategy aligned to business needs.

    You may need to involve external experts as well as individuals within the organization who have the needed skills.

    A detailed understanding of what to look for in potential candidates is essential before moving forward with your BI project.

    Leverage several of Info-Tech’s Job Description Templates to aid in the process of selecting the right people to involve in constructing your BI strategy.

    Roles to Consider

    Business Stakeholders

    Business Intelligence Specialist

    Business Analyst

    Data Mining Specialist

    Data Warehouse Architect

    Enterprise Data Architect

    Data Steward

    "In developing the ideal BI team, your key person to have is a strong data architect, but you also need buy-in from the highest levels of the organization. Buy-in from different levels of the organization are indicators of success more than anything else."

    – Rob Anderson, Database Administrator and BI Manager, IT Research and Advisory Firm

    Create a RACI matrix to clearly define the roles and responsibilities for the parties involved

    A common project management pitfall for any endeavour is unclear definition of responsibilities amongst the individuals involved.

    As a business intelligence project requires a significant amount of back and forth between business and IT – bridged by the BI Steering Committee – clear guidelines at the project outset with a RACI chart provide a basic framework for assigning tasks and lines of communication for the later stages.

    Responsible Accountable Consulted Informed

    Obtaining Buy-in Project Charter Requirements Design Development Program Creation
    BI Steering Committee A C I I I C
    Project Sponsor - C I I I C
    Project Manager - R A I I C
    VP of BI R I I I I A
    CIO A I I I I R
    Business Analyst I I R C C C
    Solution Architect - - C A C C
    Data Architect - - C A C C
    BI Developer - - C C R C
    Data Steward - - C R C C
    Business SME C C C C C C

    Note: This RACI is an example of how role expectations would be broken down across the different steps of the project. Develop your own RACI based on project scope and participants.

    STEP 1.1

    Understand Your Business Context and Structure the Project

    Establish business–IT alignment for your BI strategy by detailing the business context

    Step Objectives

    • Engage the business units to find out where users need BI enablement.
    • Ideate preliminary points for improvement that will further business goals and calculate their value.

    Step Activities

    1.1.1 Craft the vision and mission statements for the Analytics program using the vision, mission, and strategies of your organization as basis.

    1.1.2 Articulate program goals and objectives

    1.1.3 Determine business differentiators and key drivers

    1.1.4 Brainstorm BI-specific constraints and improvement objectives

    Outcomes

    • Clearly articulated business context that will provide a starting point for formulating a BI strategy
    • High-level improvement objectives and ROI for the overall project
    • Vision, mission, and objectives of the analytics program

    Research Support

    • Info-Tech’s BI Strategy and Roadmap Template

    Proposed Participants in this Step

    • Project Manager
    • Project Team
    • Relevant Business Stakeholders and Subject Matter Experts

    Transform the way the business makes decisions

    Your BI strategy should enable the business to make fast, effective, and comprehensive decisions.

    Fast Effective Comprehensive
    Reduce time spent on decision-making by designing a BI strategy around information needs of key decision makers. Make the right data available to key decision makers. Make strategic high-value, impactful decisions as well as operational decisions.

    "We can improve BI environments in several ways. First, we can improve the speed with which we create BI objects by insisting that the environments are designed with flexibility and adaptability in mind. Second, we can produce higher quality deliverables by ensuring that IT collaborate with the business on every deliverable. Finally, we can reduce the costs of BI by giving access to the environment to knowledgeable business users and encouraging a self-service function."

    – Claudia Imhoff, Founder, Boulder BI Brain Trust, Intelligent Solutions Inc.

    Assess needs of various stakeholders using personas

    User groups/user personas

    Different users have different consumption and usage patterns. Categorize users into user groups and visualize the usage patterns. The user groups are the connection between the BI capabilities and the users.

    User groups Mindset Usage Pattern Requirements
    Front-line workers Get my job done; perform my job quickly. Reports (standard reports, prompted reports, etc.) Examples:
    • Report bursting
    • Prompted reports
    Analysts I have some ideas; I need data to validate and support my ideas. Dashboards, self-service BI, forecasting/budgeting, collaboration Examples:
    • Self-service datasets
    • Data mashup capability
    Management I need a big-picture view and yet I need to play around with the data to find trends to drive my business. Dashboards, scorecards, mobile BI, forecasting/budgeting Examples:
    • Multi-tab dashboards
    • Scorecard capability
    Data scientists I need to combine existing data, as well as external or new, unexplored data sources and types to find nuggets in the data. Data mashup, connections to data sources Examples:
    • Connectivity to big data
    • Social media analyses

    The pains of inadequate BI are felt across the entire organization – and land squarely on the shoulders of the CIO

    Organization:

    • Insufficient information to make decisions.
    • Unable to measure internal performance.
    • Losses incurred from bad decisions or delayed decisions.
    • Canned reports fail to uncover key insights.
    • Multiple versions of information exist in silos.

    IT Department

    • End users are completely dependent on IT for reports.
    • Ad hoc BI requests take time away from core duties.
    • Spreadsheet-driven BI is overly manual.
    • Business losing trust in IT.

    CIO

    • Under great pressure and has a strong desire to improve BI.
    • Ad hoc BI requests are consuming IT resources and funds.
    • My organization finds value in using data and having decision support to make informed decisions.

    The overarching question that needs to be continually asked to create an effective BI strategy is:

    How do I create an environment that makes information accessible and consumable to users, and facilitates a collaborative dialogue between the business and IT?

    Pre-requisites for success

    Prerequisite #1: Secure Executive Sponsorship

    Sponsorship of BI that is outside of IT and at the highest levels of the organization is essential to the success of your BI strategy. Without it, there is a high chance that your BI program will fail. Note that it may not be an epic fail, but it is a subtle drying out in many cases.

    Prerequisite #2: Understand Business Context

    Providing the right tools for business decision making doesn’t need to be a guessing game if the business context is laid as the project foundation and the most pressing decisions serve as starting points. And business is engaged in formulating and executing the strategy.

    Prerequisite #3: Deliver insights that lead to action

    Start with understanding the business processes and where analytics can improve outcomes. “Think business backwards, not data forward.” (McKinsey)

    11 reasons BI projects fail

    Lack of Executive support

    Old Technology

    Lack of business support

    Too many KPIs

    No methodology for gathering requirements

    Overly long project timeframes

    Bad user experience

    Lack of user adoption

    Bad data

    Lack of proper human resources

    No upfront definition of true ROI

    Mico Yuk, 2019

    Make it clear to the business that IT is committed to building and supporting a BI platform that is intimately tied to enabling changing business objectives.

    Leverage Info-Tech’s BI Strategy and Roadmap Template to accelerate BI planning

    How to accelerate BI planning using the template

    1. Prepopulated text that you can use for your strategy formulation:
    2. Prepopulated text that can be used for your strategy formulation
    3. Sample bullet points that you can pick and choose from:
    4. Sample bullet points to pick and choose from

    Document the BI program planning in Info-Tech’s

    BI Strategy and Roadmap Template.

    Activity: Describe your organization’s vision and mission

    1.1.1

    30-40 minutes

    Compelling vision and mission statements will help guide your internal members toward your company’s target state. These will drive your business intelligence strategy.

    1. Your vision clearly represents where your organization aspires to be in the future and aligns the entire organization. Write down a future-looking, inspirational, and realizable vision in one concise statement. Consider:
    • “Five years from now, our business will be _______.”
    • What do we want to do tomorrow? For whom? What is the benefit?
  • Your mission tells why your organization currently exists and clearly expresses how it will achieve your vision for the future. Write down a mission statement in one clear and concise paragraph consisting of, at most, five sentences. Consider:
    • Why does the business exist? What problems does it solve? Who are its customers?
    • How does the business accomplish strategic tasks or reach its target?
  • Reconvene stakeholders to share ideas and develop one concise vision statement and mission statement. Focus on clarity and message over wording.
  • Input

    • Business vision and mission statements

    Output

    • Alignment and understanding on business vision

    Materials

    Participants

    • BI project lead
    • Executive business stakeholders

    Info-Tech Insight

    Adjust your statements until you feel that you can elicit a firm understanding of both your vision and mission in three minutes or less.

    Formulating an Enterprise BI and Analytics Strategy: Top-down BI Opportunity analysis

    Top-down BI Opportunity analysis

    Example of deriving BI opportunities using BI Opportunity Analysis

    Industry Drivers Private label Rising input prices Retail consolidation
    Company strategies Win at supply chain execution Win at customer service Expand gross margins
    Value disciplines Strategic cost management Operational excellence Customer service
    Core processes Purchasing Inbound logistics Sales, service & distribution
    Enterprise management: Planning, budgeting, control, process improvement, HR
    BI Opportunities Customer service analysis Cost and financial analysis Demand management

    Williams 2016

    Get your organization buzzing about BI – leverage Info-Tech’s Executive Brief as an internal marketing tool

    Two key tasks of a project sponsor are to:

    1. Evangelize the realizable benefits of investing in a business intelligence strategy.
    2. Help to shift the corporate culture to one that places emphasis on data-driven insight.

    Arm your project sponsor with our Executive Brief for this blueprint as a quick way to convey the value of this project to potential stakeholders.

    Bolster this presentation by adding use cases and metrics that are most relevant to your organization.

    Develop a business framework

    Identifying organizational goals and how data can support those goals is key to creating a successful BI & Analytical strategy. Rounding out the business model with technology drivers, environmental factors (as described in previous steps), and internal barriers and enablers creates a holistic view of Business Intelligence within the context of the organization as a whole.

    Through business engagement and contribution, the following holistic model can be created to understand the needs of the business.

    business framework holistic model

    Activity: Describe the Industry Drivers and Organization strategy to mitigate the risk

    1.1.2

    30-45 minutes

    Industry drivers are external influencers that has an effect on a business such as economic conditions, competitor actions, trade relations, climate etc. These drivers can differ significantly by industry and even organizations within the same industry.

    1. List the industry drivers that influences your organization:
    • Public sentiment in regards to energy source
    • Rising cost of raw materials due to increase demand
  • List the company strategies, goals, objectives to counteract the external influencers:
    • Change production process to become more energy efficient
    • Win at customer service
  • Identify the value disciplines :
    • Strategic cost management
    • Operational Excellence
  • List the core process that implements the value disciplines :
    • Purchasing
    • Sales
  • Identify the BI Opportunities:
    • Cost and financial analysis
    • Customer service analysis

    Input

    • Industry drivers

    Output

    • BI Opportunities that business can leverage

    Materials

    • Industry driver section in the BI Strategy and Roadmap Template

    Participants

    • BI project lead
    • Executive business stakeholders

    Understand BI and analytics drivers and organizational objectives

    Environmental Factors Organizational Goals Business Needs Technology Drivers
    Definition External considerations are factors taking place outside the organization that are impacting the way business is conducted inside the organization. These are often outside the control of the business. Organizational drivers can be thought of as business-level metrics. These are tangible benefits the business can measure, such as customer retention, operation excellence, and/or financial performance. A requirement that specifies the behavior and the functions of a system. Technology drivers are technological changes that have created the need for a new BI solution. Many organizations turn to technology systems to help them obtain a competitive edge.
    Examples
    • Economy and politics
    • Laws and regulations
    • Competitive influencers
    • Time to market
    • Quality
    • Delivery reliability
    • Audit tracking
    • Authorization levels
    • Business rules
    • Deployment in the cloud
    • Integration
    • Reporting capabilities

    Activity: Discuss BI/Analytics drivers and organizational objectives

    1.1.3

    30-45 minutes

    1. Use the industry drivers and business goals identified in activity 1.1.2 as a starting point.
    2. Understand how the company runs today and what the organization’s future will look like. Try to identify the purpose for becoming an integrated organization. Use a whiteboard and markers to capture key findings.
    3. Take into account External Considerations, Organizational Drivers, Technology Drivers, and Key Functional Requirements.
    External Considerations Organizational Drivers Technology Considerations Functional Requirements
    • Funding Constraints
    • Regulations
    • Compliance
    • Scalability
    • Operational Efficiency
    • Data Accuracy
    • Data Quality
    • Better Reporting
    • Information Availability
    • Integration Between Systems
    • Secure Data

    Identify challenges and barriers to the BI project

    There are several factors that may stifle the success of a BI implementation. Scan the current environment to identify internal barriers and challenges to identify potential challenges so you can meet them head-on.

    Common Internal Barriers

    Management Support
    Organizational Culture
    Organizational Structure
    IT Readiness
    Definition The degree of management understanding and acceptance towards BI solutions. The collective shared values and beliefs. The functional relationships between people and departments in an organization. The degree to which the organization’s people and processes are prepared for a new BI solution.
    Questions
    • Is a BI project recognized as a top priority?
    • Will management commit time to the project?
    • Are employees resistant to change?
    • Is the organization highly individualized?
    • Is the organization centralized?
    • Is the organization highly formalized?
    • Is there strong technical expertise?
    • Is there strong infrastructure?
    Impact
    • Funding
    • Resources
    • Knowledge sharing
    • User acceptance
    • Flow of knowledge
    • Poor implementation
    • Reliance on consultants

    Activity: Discuss BI/Analytics challenges and pain points

    1.1.4

    30-45 minutes

    1. Identify challenges with the process identified in step 1.1.2.
    2. Brainstorm potential barriers to successful BI implementation and adoption. Use a whiteboard and marker to capture key findings.
    3. Consider Functional Gaps, Technical Gaps, Process Gaps, and Barriers to BI Success.
    Functional Gaps Technical Gaps Process Gaps Barriers to Success
    • No online purchase order requisition
    • Inconsistent reporting – data quality concerns
    • Duplication of data
    • Lack of system integration
    • Cultural mindset
    • Resistance to change
    • Lack of training
    • Funding

    Activity: Discuss opportunities and benefits

    1.1.5

    30-45 minutes

    1. Identify opportunities and benefits from an integrated system.
    2. Brainstorm potential enablers for successful BI implementation and adoption. Use a whiteboard and markers to capture key findings.
    3. Consider Business Benefits, IT Benefits, Organizational Benefits, and Enablers of BI success.
    Business Benefits IT Benefits Organizational Benefits Enablers of Success
    • Business-IT alignment
    • Compliance
    • Scalability
    • Operational Efficiency
    • Data Accuracy
    • Data Quality
    • Better Reporting
    • Change management
    • Training
    • Alignment to strategic objectives

    Your organization’s framework for Business Intelligence Strategy

    Blank organization framework for Business Intelligence Strategy

    Example: Business Framework for Data & Analytics Strategy

    The following diagram represents [Client]’s business model for BI and data. This holistic view of [Client]’s current environment serves as the basis for the generation of the business-aligned Data & Analytics Strategy.

    The image is an example of Business Framework for Data & Analytics Strategy.

    Info-Tech recommends balancing a top-down approach with bottom up for building your BI strateg

    Taking a top-down approach will ensure senior management’s involvement and support throughout the project. This ensures that the most critical decisions are supported by the right data/information, aligning the entire organization with the BI strategy. Furthermore, the gains from BI will be much more significant and visible to the rest of the organization.

    Two charts showing the top-down and bottom-up approach.

    Far too often, organizations taking a bottom-up approach to BI will fail to generate sufficient buy-in and awareness from senior management. Not only does a lack of senior involvement result in lower adoption from the tactical and operational levels, but more importantly, it also means that the strategic decision makers aren’t taking advantage of BI.

    Estimate the ROI of your BI and analytics strategy to secure executive support

    The value of creating a new strategy – or revamping an existing one – needs to be conveyed effectively to a high-level stakeholder, ideally a C-level executive. That executive buy-in is more likely to be acquired when effort has been made to determine the return on investment for the overall initiative.

    1. Business Impacts
      New revenue
      Cost savings
      Time to market
      Internal Benefits
      Productivity gain
      Process optimization
      Investment
      People – employees’ time, external resources
      Data – cost for new datasets
      Technology – cost for new technologies
    2. QuantifyCan you put a number or a percentage to the impacts and benefits? QuantifyCan you estimate the investments you need to put in?
    3. TranslateTranslate the quantities into dollar value
    4. The image depicts an equation for ROI estimate

    Example

    One percent increase in revenue; three more employees $225,000/yr, $150,000/yr 50%

    Activity: Establish a high-level ROI as part of an overall use case for developing a fit-for-purpose BI strategy

    1.1.6

    1.5 hours

    Communicating an ROI that is impactful and reasonable is essential for locking in executive-level support for any initiative. Use this activity as an initial touchpoint to bring business and IT perspectives as part of building a robust business case for developing your BI strategy.

    1. Revisit the business context detailed in the previous sections of this phase. Use priority objectives to identify use case(s), ideally where there are easily defined revenue generators/cost reductions (e.g. streamlining the process of mailing physical marketing materials to customers).
    2. Assign research tasks around establishing concrete numbers and dollar values.
    • Have a subject matter expert weigh in to validate your figures.
    • When calculating ROI, consider how you might leverage BI to create opportunities for upsell, cross-sell, or increased customer retention.
  • Reconvene the stakeholder group and discuss your findings.
    • This is the point where expectation management is important. Separate the need-to-haves from the nice-to-haves.

    Emphasize that ROI is not fully realized after the first implementation, but comes as the platform is built upon iteratively and in an integrated fashion to mature capabilities over time.

    Input

    • Vision statement
    • Mission statement

    Output

    • Business differentiators and key drivers

    Materials

    • Benefit Cost Analysis section of the BI Strategy and Roadmap Template

    Participants

    • BI project lead
    • Executive IT & business stakeholders

    An effective BI strategy positions business intelligence in the larger data lifecycle

    In an effort to keep users satisfied, many organizations rush into implementing a BI platform and generating reports for their business users. BI is, first and foremost, a presentation layer; there are several stages in the data lifecycle where the data that BI visualizes can be compromised.

    Without paying the appropriate amount of attention to the underlying data architecture and application integration, even the most sophisticated BI platforms will fall short of providing business users with a holistic view of company information.

    Example

    In moving away from single application-level reporting, a strategy around data integration practices and technology is necessary before the resultant data can be passed to the BI platform for additional analyses and visualization.

    BI doesn’t exist in a vacuum – develop an awareness of other key data management practices

    As business intelligence is primarily a presentation layer that allows business users to visualize data and turn information into actionable decisions, there are a number of data management practices that precede BI in the flow of data.

    Data Warehousing

    The data warehouse structures source data in a manner that is more operationally focused. The Reporting & Analytics Strategy must inform the warehouse strategy on data needs and building a data warehouse to meet those needs.

    Data Integration, MDM & RDM

    The data warehouse is built from different sources that must be integrated and normalized to enable Business Intelligence. The Info-Tech integration and MDM blueprints will guide with their implementation.

    Data Quality

    A major roadblock to building an effective BI solution is a lack of accurate, timely, consistent, and relevant data. Use Info-Tech’s blueprint to refine your approach to data quality management.

    Data quality, poor integration/P2P integration, poor data architecture are the primary barriers to truly leveraging BI, and a lot of companies haven’t gotten better in these areas.

    – Shari Lava, Associate Vice-President, IT Research and Advisory Firm

    Building consensus around data definitions across business units is a critical step in carrying out a BI strategy

    Business intelligence is heavily reliant on the ability of an organization to mesh data from different sources together and create a holistic and accurate source of truth for users.

    Useful analytics cannot be conducted if your business units define key business terms differently.

    Example

    Finance may label customers as those who have transactional records with the organization, but Marketing includes leads who have not yet had any transactions as customers. Neglecting to note these seemingly small discrepancies in data definition will undermine efforts to combine data assets from traditionally siloed functional units.

    In the stages prior to implementing any kind of BI platform, a top priority should be establishing common definitions for key business terms (customers, products, accounts, prospects, contacts, product groups, etc.).

    As a preliminary step, document different definitions for the same business terms so that business users are aware of these differences before attempting to combine data to create custom reports.

    Self-Assessment

    Do you have common definitions of business terms?

    • If not, identify common business terms.
    • At the very least, document different definitions of the same business terms so the corporate can compare and contrast them.

    STEP 1.2

    Assess the Current BI Landscape

    Establish an in-depth understanding of your current BI landscape

    Step Objectives

    • Inventory and assess the state of your current BI landscape
    • Document the artifacts of your BI environment

    Step Activities

    1.2.1 Analyze the usage levels of your current BI programs/platform

    1.2.2 Perform a survey to gather user perception of your current BI environment

    1.2.3 Take an inventory of your current BI artifacts

    Outcomes

    • Summarize the qualitative and quantitative performance of your existing BI environment
    • Understand the outputs coming from your BI sources

    Research Support

    • Info-Tech’s BI Strategy and Roadmap Template

    Project Manager

    Data Architect(s) or Enterprise Architect

    Project Team

    Understand your current BI landscape before you rationalize

    Relying too heavily on technology as the sole way to solve BI problems results in a more complex environment that will ultimately frustrate business users. Take the time to thoroughly assess the current state of your business intelligence landscape using a qualitative (user perception) and quantitative (usage statistics) approach. The insights and gaps identified in this step will serve as building blocks for strategy and roadmap development in later phases.

    Phase 1

    Current State Summary of BI Landscape

    1.2.1 1.2.2 1.2.3 1.2.4
    Usage Insights Perception Insights BI Inventory Insights Requirements Insights

    PHASE 2

    Strategy and Roadmap Formulation

    Gather usage insights to pinpoint the hot spots for BI usage amongst your users

    Usage data reflects the consumption patterns of end users. By reviewing usage data, you can identify aspects of your BI program that are popular and those that are underutilized. It may present some opportunities for trimming some of the underutilized content.

    Benefits of analyzing usage data:

    • Usage is a proxy for popularity and usability of the BI artifacts. The popular content should be kept and improved in your next generation BI.
    • Usage information provides insight on what, when, where, and how much users are consuming BI artifacts.
    • Unlike methods such as user interviews and focus groups, usage information is fact based and is not subject to peer pressure or “toning down.”

    Sample Sources of Usage Data:

    1. Usage reports from your BI platform Many BI platforms have out-of-the-box usage reports that log and summarize usage data. This is your ideal source for usage data.
    2. Administrator console in your BI platformBI platforms usually have an administrator console that allows BI administrators to configure settings and to monitor activities that include usage. You may obtain some usage data in the console. Note that the usage data is usually real-time in nature, and you may not have access to a historical view of the BI usage.

    Info-Tech Insight

    Don’t forget some of the power users. They may perform analytics by accessing datasets directly or with the help of a query tool (even straight SQL statements). Their usage information is important. The next generation BI should provide consumption options for them.

    Accelerate the process of gathering user feedback with Info-Tech’s Application Portfolio Assessment (APA)

    In an environment where multiple BI tools are being used, discovering what works for users and what doesn’t is an important first step to rationalizing the BI landscape.

    Info-Tech’s Application Portfolio Assessment allows you to create a custom survey based on your current applications, generate a custom report that will help you visualize user satisfaction levels, and pinpoint areas for improvement.

    Activity: Review and analyze usage data

    1.2.1

    2 hours

    This activity helps you to locate usage data in your existing environment. It also helps you to review and analyze usage data to come up with a few findings.

    1. Get to the usage source. You may obtain usage data from one of the below options. Usage reports are your ideal choice, followed by some alternative options:
    2. a. Administrator console – limited to real-time or daily usage data. You may need to track usage data over for several days to identify patterns.

      b. Info-Tech’s Application Portfolio Assessment (APA).

      c. Other – be creative. Some may use an IT usage monitoring system or web analytics to track time users spent on the BI portal.

    3. Develop categories for classifying the different sources of usage data in your current BI environment. Use the following table as starting point for creating these groups:

    This is the content for Layout H4 Tag

    By Frequency Real Time Daily Weekly Yearly
    By Presentation Format Report Dashboard Alert Scorecard
    By Delivery Web portal Excel PDF Mobile application

    INPUT

    • Usage reports
    • Usage statistics

    OUTPUT

    • Insights pertaining to usage patterns

    Materials

    • Usage Insights of the BI Strategy and Roadmap Template

    Participants

    • BA
    • BI Administrator
    • PM

    Activity: Review and analyze usage (cont.)

    1.2.1

    2 hours

    3. Sort your collection of BI artifacts by usage. Discuss some of the reasons why some content is popular whereas some has no usage at all.

    Popular BI Artifacts – Discuss improvements, opportunities and new artifacts

    Unpopular BI Artifacts – Discuss retirement, improvements, and realigning information needs

    4. Summarize your findings in the Usage Insights section of the BI Strategy and Roadmap Template.

    INPUT

    • Usage reports
    • Usage statistics

    OUTPUT

    • Insights pertaining to usage patterns

    Materials

    • Usage Insights section of the BI Strategy and Roadmap Template

    Participants

    • BA
    • BI Administrator
    • PM

    Gather perception to understand the existing BI users

    In 1.2.1, we gathered the statistics for BI usage; it’s the hard data telling who uses what. However, it does not tell you the rationale, or the why, behind the usage. Gathering user perception and having conversations with your BI consumers is the key to bridging the gap.

    User Perception Survey

    Helps you to:

    1. Get general insights on user perception
    2. Narrow down to selected areas

    User Interviews

    Perception can be gathered by user interviews and surveys. Conducting user interviews takes time so it is a good practice to get some primary insights via survey before doing in-depth interviews in selected areas.

    – Shari Lava, Associate Vice-President, IT Research and Advisory Firm

    Define problem statements to create proof-of-concept initiatives

    Info-Tech’s Four Column Model of Data Flow

    Find a data-related problem or opportunity

    Ask open-ended discovery questions about stakeholder fears, hopes, and frustrations to identify a data-related problem that is clear, contained, and fixable. This is then to be written as a problem/opportunity statement.

    1. Fear: What is the number one risk you need to alleviate?
    2. Hope: What is the number one opportunity you wish to realize?
    3. Frustration: What is the number one annoying pet peeve you wish to scratch?
    4. Next, gather information to support a problem/opportunity statement:

    5. What are your challenges in performing the activity or process today?
    6. What does amazing look like if we solve this perfectly?
    7. What other business activities/processes will be impacted/improved if we solve this?
    8. What compliance/regulatory/policy concerns do we need to consider in any solution?
    9. What measures of success/change should we use to prove value of the effort (KPIs/ROI)?
    10. What are the steps in the process/activity?
    11. What are the applications/systems used at each step and from step to step?
    12. What data elements are created, used, and/or transformed at each step?

    Leverage Info-Tech’s BI survey framework to initiate a 360° perception survey

    Info-Tech has developed a BI survey framework to help existing BI practices gather user perception via survey. The framework is built upon best practices developed by McLean & Company.

    1. Communicate the survey
    2. Create a survey
    3. Conduct the survey
    4. Collect and clean survey data
    5. Analyze survey data
    6. Conduct follow-up interviews
    7. Identify and prioritize improvement initiatives

    The survey takes a comprehensive approach by examining your existing BI practices through the following lenses:

    360° Perception

    Demographics Who are the users? From which department?
    Usage How is the current BI being used?
    People Web portal
    Process How good is your BI team from a user perspective?
    Data How good is the BI data in terms of quality and usability?
    Technology How good are your existing BI/reporting tools?
    Textual Feedback The sky’s the limit. Tell us your comments and ideas via open-ended questions.

    Use Info-Tech’s BI End-User Satisfaction Survey Framework to develop a comprehensive BI survey tailored to your organization.

    Activity: Develop a plan to gather user perception of your current BI program

    1.2.2

    2 hours

    This activity helps you to plan for a BI perception survey and subsequent interviews.

    1. Proper communication while conducting surveys helps to boost response rate. The project team should have a meeting with business executives to decide:
    • The survey goals
    • Which areas to cover
    • Which trends and hypotheses you want to confirm
    • Which pre-, during, and post-survey communications should be sent out
  • Have the project team create the first draft of the survey for subsequent review by select business stakeholders. Several iterations may be needed before finalizing.
  • In planning for the conclusion of the survey, the project team should engage a data analyst to:
    1. Organize the data in a useful format
    2. Clean up the survey data when there are gaps
    3. Summarize the data into a presentable/distributable format

    Collectively, the project team and the BI consuming departments should review the presentation and discuss these items:

    Misalignment

    Opportunities

    Inefficiencies

    Trends

    Need detailed interviews?

    INPUT

    • Usage information and analyses

    OUTPUT

    • User-perception survey

    Materials

    • Perception Insights section of the BI Strategy and Roadmap Template

    Participants

    • BA
    • BI Administrator
    • PM
    • Business SMEs

    Create a comprehensive inventory of your BI artifacts

    Taking an inventory of your BI artifacts allows you to understand what deliverables have been developed over the years. Inventory taking should go beyond the BI content. You may want to include additional information products such as Excel spreadsheets, reports that are coming out of an Access database, and reports that are generated from front-end applications (e.g. Salesforce).

    1. Existing Reports from BI platform

    2. If you are currently using a BI platform, you have some BI artifacts (reports, scorecards, dashboards) that are developed within the platform itself.

    • BI Usage Reports (refer to step 2.1) – if you are getting a comprehensive BI usage reports for all your BI artifacts, there is your inventory report too.
    • BI Inventory Reports – Your BI platform may provide out-of-the-box inventory reports. You can use them as your inventory.
    • If the above options are not feasible, you may need to manually create the BI inventory. You may build that from some of your existing BI documentations to save time.
  • Excel and Access

    • Work with the business units to identify if Excel and Access are used to generate reports.
  • Application Reports

    • Data applications such as Salesforce, CRM, and ERP often provide reports as an out-of-the-box feature.
    • Those reports only include data within their respective applications. However, this may present opportunities for integrating application data with additional data sources.

    Activity: Inventory your BI artifacts

    1.2.3

    2+ hours

    This activity helps you to inventory your BI information artifacts and other related information artifacts.

    1. Define the scope of your inventory. Work with the project sponsor and CIO to define which sources should be captured in the inventory process. Consider: BI inventory, Excel spreadsheets, Access reports, and application reporting.
    2. Define the depth of your inventory. Work with the project sponsor and CIO to define the level of granularity. In some settings, the artifact name and a short description may be sufficient. In other cases, you may need to document users and business logic of the artifacts.
    3. Review the inventory results. Discuss findings and opportunities around the following areas:

    Interpret your Inventory

    Duplicated reports/ dashboards Similar reports/ dashboards that may be able to merge Excel and Access reports that are using undocumented, unconventional business logics Application reports that need to be enhanced by additional data Classify artifacts by BI Type

    INPUT

    • Current BI artifacts and documents
    • BI Type classification

    OUTPUT

    • Summary of BI artifacts

    Materials

    • BI Inventory Insights section of the BI Strategy and Roadmap Template

    Participants

    • BA
    • Data analyst
    • PM
    • Project sponsor

    Project sponsor

    1.2.4

    2+ hours

    This activity helps you to inventory your BI by report type.

    1. Classify BI artifacts by type. Use the BI Type tool to classify Work with the project sponsor and CIO to define which sources should be captured in the inventory process. Consider: BI inventory, Excel spreadsheets, Access reports, and application reporting.
    2. Define the depth of your inventory. Work with the project sponsor and CIO to define the level of granularity. In some settings, the artifact name and a short description may be sufficient. In other cases, you may need to document users and business logic of the artifacts.
    3. Review the inventory results. Discuss findings and opportunities around the following areas:

    Interpretation of your Inventory

    Duplicated reports/dashboards Similar reports/dashboards that may be able to merge Excel and Access reports that are using undocumented, unconventional business logics Application reports that need to be enhanced by additional data

    INPUT

    • The BI Type as used by different business units
    • Business BI requirements

    OUTPUT

    • Summary of BI type usage across the organization

    Materials

    • BI Inventory Insights section of the BI Strategy and Roadmap Template

    Participants

    • BA
    • Data analyst
    • PM
    • Project sponsor

    STEP 1.3

    Undergo BI Requirements Gathering

    Perform requirements gathering for revamping your BI environment

    Step Objectives

    • Create principles that will direct effective requirements gathering
    • Create a list of existing and desired BI requirements

    Step Activities

    1.3.1 Create requirements gathering principles

    1.3.2 Gather appropriate requirements

    1.3.3 Organize and consolidate the outputs of requirements gathering activities

    Outcomes

    • Requirements gathering principles that are flexible and repeatable
    • List of BI requirements

    Research Support

    • Info-Tech’s BI Strategy and Roadmap Template

    Proposed Participants in this Step

    Project Manager

    Data Architect(s) or Enterprise Architect

    Project Team

    Business Users

    Don’t let your new BI platform become a victim of poor requirements gathering

    The challenges in requirements management often have underlying causes; find and eliminate the root causes rather than focusing on the symptoms.

    Root Causes of Poor Requirements Gathering:

    • Requirements gathering procedures exist but aren’t followed.
    • There isn't enough time allocated to the requirements gathering phase.
    • There isn't enough involvement or investment secured from business partners.
    • There is no senior leadership involvement or mandate to fix requirements gathering.
    • There are inadequate efforts put towards obtaining and enforcing sign off.

    Outcomes of Poor Requirements Gathering:

    • Rework due to poor requirements leads to costly overruns.
    • Final deliverables are of poor quality and are implemented late.
    • Predicted gains from deployed applications are not realized.
    • There are low feature utilization rates by end users.
    • Teams are frustrated within IT and the business.

    Info-Tech Insight

    Requirements gathering is the number one failure point for most development or procurement projects that don’t deliver value. This has been, and continues to be, the case as most organizations still don't get requirements gathering right. Overcoming organizational cynicism can be a major obstacle to clear when it is time to optimize the requirements gathering process.

    Define the attributes of a good requirement to help shape your requirements gathering principles

    A good requirement has the following attributes:

    Verifiable It is stated in a way that can be tested.
    Unambiguous It is free of subjective terms and can only be interpreted in one way.
    Complete It contains all relevant information.
    Consistent It does not conflict with other requirements.
    Achievable It is possible to accomplish given the budgetary and technological constraints.
    Traceable It can be tracked from inception to testing.
    Unitary It addresses only one thing and cannot be deconstructed into multiple requirements.
    Accurate It is based on proven facts and correct information.

    Other Considerations

    Organizations can also track a requirement owner, rationale, priority level (must have vs. nice to have), and current status (approved, tested, etc.).

    Info-Tech Insight

    Requirements must be solution agnostic – they should focus on the underlying need rather than the technology required to satisfy the need.

    Activity: Define requirements gathering principles

    1.3.1

    1 hour

    1. Invite representatives from the project management office, project management team, and BA team, as well as some key business stakeholders.
    2. Use the sample categories and principles in the table below as starting points for creating your own requirements gathering principles.
    3. Document the requirements gathering principles in the BI Strategy and Roadmap Template.
    4. Communicate the requirements gathering principles to the affected BI stakeholders.

    Sample Principles to Start With

    Effectiveness Face-to-face interviews are preferred over phone interviews.
    Alignment Clarify any misalignments, even the tiniest ones.
    Validation Rephrase requirements at the end to validate requirements.
    Ideation Use drawings and charts to explain ideas.
    Demonstration Make use of Joint Application Development (JAD) sessions.

    INPUT

    • Existing requirement principles (if any)

    OUTPUT

    • Requirements gathering principles that can be revisited and reused

    Materials

    • Requirements Insights section of the BI Strategy and Roadmap Template

    Participants

    • BA Team
    • PM
    • Business stakeholders
    • PMO

    Info-Tech Insight

    Turn requirements gathering principles into house rules. The house rules should be available in every single requirements gathering session and the participants should revisit them when there are disagreements, confusion, or silence.

    Right-size your approach to BI requirements management

    Info-Tech suggests four requirements management approaches based on project complexity and business significance. BI projects usually require the Strategic Approach in requirements management.

    Requirements Management Process Explanations

    Approach Definition Recommended Strategy
    Strategic Approach High business significance and high project complexity merits a significant investment of time and resources in requirements gathering. Treat the requirements gathering phase as a project within a project. A large amount of time should be dedicated to elicitation, business process mapping, and solution design.
    Fundamental Approach High business significance and low project complexity merits a heavy emphasis on the elicitation phase to ensure that the project bases are covered and business value is realized. Look to achieve quick wins and try to survey a broad cross-section of stakeholders during elicitation and validation. The elicitation phase should be highly iterative. Do not over-complicate the analysis and validation of a straightforward project.
    Calculated Approach Low business significance and high project complexity merits a heavy emphasis on the analysis and validation phases to ensure that the solution meets the needs of users. Allocate a significant amount of time to business process modeling, requirements categorization, prioritization, and solution modeling.
    Elementary Approach Low business significance and low project complexity does not merit a high amount of rigor for requirements gathering. Do not rush or skip steps, but aim to be efficient. Focus on basic elicitation techniques (e.g. unstructured interviews, open-ended surveys) and consider capturing requirements as user stories. Focus on efficiency to prevent project delays and avoid squandering resources.

    Vary the modes used in eliciting requirements from your user base

    Requirements Gathering Modes

    Info-Tech has identified four effective requirements gathering modes. During the requirements gathering process, you may need to switch between the four gathering modes to establish a thorough understanding of the information needs.

    Dream Mode

    • Mentality: Let users’ imaginations go wild. The sky’s the limit.
    • How it works: Ask users to dream up the ideal future state and ask how analytics can support those dreams.
    • Limitations: Not all dreams can be fulfilled. A variety of constraints (budget, personnel, technical skills) may prevent the dreams from becoming reality.

    Pain Mode

    • Mentality: Users are currently experiencing pains related to information needs.
    • How it works: Vent the pains. Allow end users to share their information pains, ask them how their pains can be relieved, then convert those pains to requirements.
    • Limitations: Users are limited by the current situation and aren’t looking to innovate.

    Decode Mode

    • Mentality: Read the hidden messages from users. Speculate as to what the users really want.
    • How it works: Decode the underlying messages. Be innovative to develop hypotheses and then validate with the users.
    • Limitations: Speculations and hypothesis could be invalid. They may direct the users into some pre-determined directions.

    Profile Mode

    • Mentality: “I think you may want XYZ because you fall into that profile.”
    • How it works: The information user may fall into some existing user group profile or their information needs may be similar to some existing users.
    • Limitations: This mode doesn’t address very specific needs.

    Supplement BI requirements with user stories and prototyping to ensure BI is fit for purpose

    BI is a continually evolving program. BI artifacts that were developed in the past may not be relevant to the business anymore due to changes in the business and information usage. Revamping your BI program entails revisiting some of the BI requirements and/or gathering new BI requirements.

    Three-Step Process for Gathering Requirements

    Requirements User Stories Rapid Prototyping
    Gather requirements. Most importantly, understand the business needs and wants. Leverage user stories to organize and make sense of the requirements. Use a prototype to confirm requirements and show the initial draft to end users.

    Pain Mode: “I can’t access and manipulate data on my own...”

    Decode Mode: Dig deeper: could this hint at a self-service use case?

    Dream Mode: E.g. a sandbox area where I can play around with clean, integrated, well-represented data.

    Profile Mode: E.g. another marketing analyst is currently using something similar.

    ExampleMary has a spreadmart that keeps track of all campaigns. Maintaining and executing that spreadmart is time consuming.

    Mary is asking for a mash-up data set that she can pivot on her own…

    Upon reviewing the data and the prototype, Mary decided to use a heat map and included two more data points – tenure and lifetime value.

    Identify which BI styles best meet user requirements

    A spectrum of Business Intelligence solutions styles are available. Use Info-Tech’s BI Styles Tool to assess which business stakeholder will be best served by which style.

    Style Description Strategic Importance (1-5) Popularity (1-5) Effort (1-5)
    Standards Preformatted reports Standard, preformatted information for backward-looking analysis. 5 5 1
    User-defined analyses Pre-staged information where “pick lists” enable business users to filter (select) the information they wish to analyze, such as sales for a selected region during a selected previous timeframe. 5 4 2
    Ad-hoc analyses Power users write their own queries to extract self-selected pre-staged information and then use the information to perform a user-created analysis. 5 4 3
    Scorecards and dashboards Predefined business performance metrics about performance variables that are important to the organization, presented in a tabular or graphical format that enables business users to see at a glance how the organization is performing. 4 4 3
    Multidimensional analysis (OLAP) Multidimensional analysis (also known as on-line analytical processing): Flexible tool-based, user-defined analysis of business performance and the underlying drivers or root causes of that performance. 4 3 3
    Alerts Predefined analyses of key business performance variables, comparison to a performance standard or range, and communication to designated businesspeople when performance is outside the predefined performance standard or range. 4 3 3
    Advanced Analytics Application of long-established statistical and/or operations research methods to historical business information to look backward and characterize a relevant aspect of business performance, typically by using descriptive statistics. 5 3 4
    Predictive Analytics Application of long-established statistical and/or operations research methods and historical business information to predict, model, or simulate future business and/or economic performance and potentially prescribe a favored course of action for the future. 5 3 5

    Activity: Gather BI requirements

    1.3.2

    2-6 hours

    Using the approaches discussed on previous slides, start a dialogue with business users to confirm existing requirements and develop new ones.

    1. Invite business stakeholders to a requirements gathering session.
    2. For existing BI artifacts – Invite existing users of those artifacts.

      For new BI development – Invite stakeholders at the executive level to understand the business operation and their needs and wants. This is especially important if their department is new to BI.

    3. Discuss the business requirements. Systematically switch between the four requirements gathering modes to get a holistic view of the requirements.
    4. Once requirements are gathered, organize them to tell a story. A story usually has these components:
    The Setting The Characters The Venues The Activities The Future
    Example Customers are asking for a bundle discount. CMO and the marketing analysts want to… …the information should be available in the portal, mobile, and Excel. …information is then used in the bi-weekly pricing meeting to discuss… …bundle information should contain historical data in a graphical format to help executives.

    INPUT

    • Existing documentations on BI artifacts

    OUTPUT

    • Preliminary, uncategorized list of BI requirements

    Materials

    • Requirements Insights section of the BI Strategy and Roadmap Template

    Participants

    • BA team
    • Business stakeholders
    • Business SMEs
    • BI developers

    Clarify consumer needs by categorizing BI requirements

    Requirements are too broad in some situations and too detailed in others. In the previous step we developed user stories to provide context. Now you need to define requirement categories and gather detailed requirements.

    Considerations for Requirement Categories

    Category Subcategory Sample Requirements
    Data Granularity Individual transaction
    Transformation Transform activation date to YYYY-MM format
    Selection Criteria Client type: consumer. Exclude SMB and business clients. US only. Recent three years
    Fields Required Consumer band, Region, Submarket…
    Functionality Filters Filters required on the dashboard: date range filter, region filter…
    Drill Down Path Drill down from a summary report to individual transactions
    Analysis Required Cross-tab, time series, pie chart
    Visual Requirements Mock-up See attached drawing
    Section The dashboard will be presented using three sections
    Conditional Formatting Below-average numbers are highlighted
    Security Mobile The dashboard needs to be accessed from mobile devices
    Role Regional managers will get a subset of the dashboard according to the region
    Users John, Mary, Tom, Bob, and Dave
    Export Dashboard data cannot be exported into PDF, text, or Excel formats
    Performance Speed A BI artifact must be loaded in three seconds
    Latency Two seconds response time when a filter is changed
    Capacity Be able to serve 50 concurrent users with the performance expected
    Control Governance Govern by the corporate BI standards
    Regulations Meet HIPPA requirements
    Compliance Meet ISO requirements

    Prioritize requirements to assist with solution modeling

    Prioritization ensures that the development team focuses on the right requirements.

    The MoSCoW Model of Prioritization

    Must Have Requirements that mustbe implemented for the solution to be considered successful.
    Should Have Requirements that are high priority and should be included in the solution if possible.
    Could Have Requirements that are desirable but not necessary and could be included if resources are available.
    Won't Have Requirements that won’t be in the next release but will be considered for the future releases.

    The MoSCoW model was introduced by Dai Clegg of Oracle UK in 1994.

    Prioritization is the process of ranking each requirement based on its importance to project success. Hold a separate meeting for the domain SMEs, implementation SMEs, project managers, and project sponsors to prioritize the requirements list. At the conclusion of the meeting, each requirement should be assigned a priority level. The implementation SMEs will use these priority levels to ensure that efforts are targeted towards the proper requirements and the plan features available on each release. Use the MoSCoW Model of Prioritization to effectively order requirements.

    Activity: Finalize the list of BI requirements

    1.3.3

    1-4 hours

    Requirement Category Framework

    Category Subcategory
    Data Granularity
    Transformation
    Selection Criteria
    Fields Required
    Functionality Filters
    Drill Down Path
    Analysis Required
    Visual Requirements Mock-up
    Section
    Conditional Formatting
    Security Mobile
    Role
    Users
    Export
    Performance Speed
    Latency
    Capacity
    Control Governance
    Regulations
    Compliance

    Create requirement buckets and classify requirements.

    1. Define requirement categories according to the framework.
    2. Review the user story and requirements you collected in Step 1.3.2. Classify the requirements within requirement categories.
    3. Review the preliminary list of categorized requirements and look for gaps in this detailed view. You may need to gather additional requirements to fill the gaps.
    4. Prioritize the requirements according to the MoSCoW framework.
    5. Document your final list of requirements in the BI Strategy and Roadmap Template.

    INPUT

    • Existing requirements and new requirements from step 1.3.2

    OUTPUT

    • Prioritized and categorized requirements

    Materials

    • Requirements Insights section of the BI Strategy and Roadmap Template

    Participants

    • BA
    • Business stakeholders
    • PMO

    Translate your findings and ideas into actions that will be integrated into the BI Strategy and Roadmap Template

    As you progress through each phase, document findings and ideas as they arise. At phase end, hold a brainstorming session with the project team focused on documenting findings and ideas and substantiating them into improvement actions.

    Translating findings and ideas into actions that will be integrated into the BI Strategy and Roadmap Template

    Ask yourself how BI or analytics can be used to address the gaps and explore opportunities uncovered in each phase. For example, in Phase 1, how do current BI capabilities impede the realization of the business vision?

    Document and prioritize Phase 1 findings, ideas, and action items

    1.3.4

    1-2 hours

    1. Reconvene as a group to review findings, ideas, and actions harvested in Phase 1. Write the findings, ideas, and actions on sticky notes.
    2. Prioritize the sticky notes to yield those with high business value and low implementation effort. View some sample findings below:
    3. High Business Value, Low Effort High Business Value, High Effort
      Low Business Value, High Effort Low Business Value, High Effort

      Phase 1

      Sample Phase 1 Findings Found two business objectives that are not supported by BI/analytics
      Some executives still think BI is reporting
      Some confusion around operational reporting and BI
      Data quality plays a big role in BI
      Many executives are not sure about the BI ROI or asking for one
    4. Select the top findings and document them in the “Other Phase 1 Findings” section of the BI Strategy and Roadmap Template. The findings will be used again in Phase 3.

    INPUT

    • Phase 1 activities
    • Business context (vision, mission, goals, etc.

    OUTPUT

    • Other Phase 1 Findings section of the BI Strategy and Roadmap Template

    Materials

    • Whiteboard
    • Sticky notes

    Participants

    • Project manger
    • Project team
    • Business stakeholders

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech workshop

    Book a workshop with our Info-Tech analysts:

    • To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
    • Info-Tech analysts will join you and your team onsite at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.
    • Contact your account manager (www.infotech.com/account), or email Workshops@InfoTech.com for more information.

    The following are sample activities that will be conducted by Info-Tech analysts with your team:

    1.1.1-1.1.5

    Establish the business context

    To begin the workshop, your project team will be taken through a series of activities to establish the overall business vision, mission, objectives, goals, and key drivers. This information will serve as the foundation for discerning how the revamped BI strategy needs to enable business users.

    1.2.1- 1.2.3

    Create a comprehensive documentation of your current BI environment

    Our analysts will take your project team through a series of activities that will facilitate an assessment of current BI usage and artifacts, and help you design an end-user interview survey to elicit context around BI usage patterns.

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech workshop

    Book a workshop with our Info-tech analysts

    1.3.1-1.3.3

    Establish new BI requirements

    Our analysts will guide your project team through frameworks for eliciting and organizing requirements from business users, and then use those frameworks in exercises to gather some actual requirements from business stakeholders.

    Phase 2

    Evaluate Your Current BI Practice

    Build a Reporting and Analytics Strategy

    Revisit project metrics to track phase progress

    Goals for Phase 2:

    • Assess your current BI practice. Determine the maturity of your current BI practice from different viewpoints.
    • Develop your BI target state. Plan your next generation BI with Info-Tech’s BI patterns and best practices.
    • Safeguard your target state. Avoid BI pitfalls by proactively monitoring BI risks.

    Info-Tech’s Suggested Metrics for Tracking Phase 2 Goals

    Practice Improvement Metrics Data Collection and Calculation Expected Improvement
    # of groups participated in the current state assessment The number of groups joined the current assessment using Info-Tech’s BI Practice Assessment Tool Varies; the tool can accommodate up to five groups
    # of risks mitigated Derive from your risk register At least two to five risks will be identified and mitigated

    Intangible Metrics:

    • Prototyping approach allows the BI group to understand more about business requirements, and in the meantime, allows the business to understand how to partner with the BI group.
    • The BI group and the business have more confidence in the BI program as risks are monitored and mitigated on an ad hoc basis.

    Evaluate your current BI practice

    Phase 2 Overarching Insight

    BI success is not based solely on the technology it runs on; technology cannot mask gaps in capabilities. You must be capable in your environment, and data management, data quality, and related data practices must be strong. Otherwise, the usefulness of the intelligence suffers. The best BI solution does not only provide a technology platform, but also addresses the elements that surround the platform. Look beyond tools and holistically assess the maturity of your BI practice with input from both the BI consumer and provider perspectives.

    Understand the Business Context to Rationalize Your BI Landscape Evaluate Your Current BI Practice Create a BI Roadmap for Continuous Improvement
    Establish the Business Context
    • Business Vision, Goals, Key Drivers
    • Business Case Presentation
    • High-Level ROI
    Assess Your Current BI Maturity
    • SWOT Analysis
    • BI Practice Assessment
    • Summary of Current State
    Construct a BI Initiative Roadmap
    • BI Improvement Initiatives
    • BI Strategy and Roadmap
    Access Existing BI Environment
    • BI Perception Survey Framework
    • Usage Analyses
    • BI Report Inventory
    Envision BI Future State
    • BI Patterns
    • BI Practice Assessment
    • List of Functions
    Plan for Continuous Improvement
    • Excel Governance Policy
    • BI Ambassador Network Draft
    Undergo Requirements Gathering
    • Requirements Gathering Principles
    • Overall BI Requirements

    Phase 2 overview

    Detailed Overview

    Step 1: Assess Your Current BI Practice

    Step 2: Envision a Future State for Your BI Practice

    Outcomes

    • A comprehensive assessment of current BI practice maturity and capabilities.
    • Articulation of your future BI practice.
    • Improvement objectives and activities for developing your current BI program.

    Benefits

    • Identification of clear gaps in BI practice maturity.
    • A current state assessment that includes the perspectives of both BI providers and consumers to highlight alignment and/or discrepancies.
    • A future state is defined to provide a benchmark for your BI program.
    • Gaps between the future and current states are identified; recommendations for the gaps are defined.

    Phase 2 outline

    Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

    Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

    Guided Implementation 2: Evaluate Your Current BI Practice

    Proposed Time to Completion: 1-2 weeks

    Step 2.1: Assess Your Current BI Practice

    Start with an analyst kick-off call:

    • Detail the benefits of conducting multidimensional assessments that involve BI providers as well as consumers.
    • Review Info-Tech’s BI Maturity Model.

    Then complete these activities…

    • SWOT analyses
    • Identification of BI maturity level through a current state assessment

    With these tools & templates:

    BI Practice Assessment Tool

    BI Strategy and Roadmap Template

    Step 2.2: Envision a Future State for Your BI Practice

    Review findings with an analyst:

    • Discuss overall maturity gaps and patterns in BI perception amongst different units of your organization.
    • Discuss how to translate activity findings into robust initiatives, defining critical success factors for BI development and risk mitigation.

    Then complete these activities…

    • Identify your desired BI patterns and functionalities.
    • Complete a target state assessment for your BI practice.
    • Review capability practice gaps and phase-level metrics.

    With these tools & templates:

    BI Practice Assessment Tool

    BI Strategy and Roadmap Template

    Phase 2 Results & Insights:

    • A comprehensive assessment of the organization’s current BI practice capabilities and gaps
    • Visualization of BI perception from a variety of business users as well as IT
    • A list of tasks and initiatives for constructing a strategic BI improvement roadmap

    STEP 2.1

    Assess the Current State of Your BI Practice

    Assess your organization’s current BI capabilities

    Step Objectives

    • Understand the definitions and roles of each component of BI.
    • Contextualize BI components to your organization’s environment and current practices.

    Step Activities

    2.1.1 Perform multidimensional SWOT analyses

    2.1.2 Assess current BI and analytical capabilities, Document challenges, constraints, opportunities

    2.1.3 Review the results of your current state assessment

    Outcomes

    • Holistic perspective of current BI strengths and weaknesses according to BI users and providers
    • Current maturity in BI and related data management practices

    Research Support

    • Info-Tech’s Data Management Framework
    • Info-Tech’s BI Practice Assessment Tool
    • Info-Tech’s BI Strategy and Roadmap Template

    Proposed Participants in this Step

    Project Manager

    Data Architect(s) or Enterprise Architect

    Project Team

    Gather multiple BI perspectives with comprehensive SWOT analyses

    SWOT analysis is an effective tool that helps establish a high-level context for where your practice stands, where it can improve, and the factors that will influence development.

    Strengths

    Best practices, what is working well

    Weaknesses

    Inefficiencies, errors, gaps, shortcomings

    Opportunities

    Review internal and external drivers

    Threats

    Market trends, disruptive forces

    While SWOT is not a new concept, you can add value to SWOT by:

    • Conducting a multi-dimensional SWOT to diversify perspectives – involve the existing BI team, BI management, business executives and other business users.
    • SWOT analyses traditionally provide a retrospective view of your environment. Add a future-looking element by creating improvement tasks/activities at the same time as you detail historical and current performance.

    Info-Tech Insight

    Consider a SWOT with two formats: a private SWOT worksheet and a public SWOT session. Participants will be providing suggestions anonymously while solicited suggestions will be discussed in the public SWOT session to further the discussion.

    Activity: Perform a SWOT analysis in groups to get a holistic view

    2.1.1

    1-2 hours

    This activity will take your project team through a holistic SWOT analysis to gather a variety of stakeholder perception of the current BI practice.

    1. Identify individuals to involve in the SWOT activity. Aim for a diverse pool of participants that are part of the BI practice in different capacities and roles. Solution architects, application managers, business analysts, and business functional unit leaders are a good starting point.
    2. Review the findings summary from Phase 1. You may opt to facilitate this activity with insights from the business context. Each group will be performing the SWOT individually.
    3. The group results will be collected and consolidated to pinpoint common ideas and opinions. Individual group results should be represented by a different color. The core program team will be reviewing the consolidated result as a group.
    4. Document the results of these SWOT activities in the appropriate section of the BI Strategy and Roadmap Template.

    SWOT

    Group 1 Provider Group E.g. The BI Team

    Group 2 Consumer Group E.g. Business End Users

    INPUT

    • IT and business stakeholder perception

    OUTPUT

    • Multi-faceted SWOT analyses
    • Potential BI improvement activities/objectives

    Materials

    • SWOT Analysis section of the BI Strategy and Roadmap Template

    Participants

    • Selected individuals in the enterprise (variable)

    Your organization’s BI maturity is determined by several factors and the degree of immersion into your enterprise

    BI Maturity Level

    A way to categorize your analytics maturity to understand where you are currently and what next steps would be best to increase your BI maturity.

    There are several factors used to determine BI maturity:

    Buy-in and Data Culture

    Determines if there is enterprise-wide buy-in for developing business intelligence and if a data-driven culture exists.

    Business–IT Alignment

    Examines if current BI and analytics operations are appropriately enabling the business objectives.

    Governance Structure

    Focuses on whether or not there is adequate governance in place to provide guidance and structure for BI activities.

    Organization Structure and Talent

    Pertains to how BI operations are distributed across the overall organizational structure and the capabilities of the individuals involved.

    Process

    Reviews analytics-related processes and policies and how they are created and enforced throughout the organization.

    Data

    Deals with analytical data in terms of the level of integration, data quality, and usability.

    Technology

    Explores the opportunities in building a fit-for-purpose analytics platform and consolidation opportunities.

    Evaluate Your Current BI Practice with the CMMI model

    To assess BI, Info-Tech uses the CMMI model for rating capabilities in each of the function areas on a scale of 1-5. (“0” and “0.5” values are used for non-existent or emerging capabilities.)

    The image shows an example of a CMMI model

    Use Info-Tech’s BI Maturity Model as a guide for identifying your current analytics competence

    Leverage a BI strategy to revamp your BI program to strive for a high analytics maturity level. In the future you should be doing more than just traditional BI. You will perform self-service BI, predictive analytics, and data science.

    Ad Hoc Developing Defined Managed Trend Setting
    Questions What’s wrong? What happened? What is happening? What happened, is happening, and will happen? What if? So what?
    Scope One business problem at a time One particular functional area Multiple functional areas Multiple functional areas in an integrated fashion Internal plus internet scale data
    Toolset Excel, Access, primitive query tools Reporting tools or BI BI BI, business analytics tools Plus predictive platforms, data science tools
    Delivery Model IT delivers ad hoc reports IT delivers BI reports IT delivers BI reports and some self-service BI Self-service BI and report creation at the business units Plus predictive models and data science projects
    Mindset Firefighting using data Manage using data Analyze using data; shared tooling Data is an asset, shared data Data driven
    BI Org. Structure Data analysts in IT BI BI program BI CoE Data Innovation CoE

    Leverage Info-Tech’s BI Practice Assessment Tool to define your BI current state

    BI Practice Assessment Tool

    1. Assess Current State
    • Eight BI practice areas to assess maturity.
    • Based on CMMI maturity scale.
  • Visualize Current State Results
    • Determine your BI maturity level.
    • Identify areas with outstanding maturity.
    • Uncover areas with low maturity.
    • Visualize the presence of misalignments.
  • Target State
    • Tackle target state from two views: business and IT.
    • Calculate gaps between target and current state.
  • Visualize Target State and Gaps
    • A heat map diagram to compare the target state and the current state.
    • Show both current and target maturity levels.
    • Detailed charts to show results for each area.
    • Detailed list of recommendations.

    Purposes:

    • Assess your BI maturity.
    • Visualize maturity assessment to quickly spot misalignments, gaps, and opportunities.
    • Provide right-sized recommendations.

    Info-Tech Insight

    Assessing current and target states is only the beginning. The real value comes from the interpretation and analysis of the results. Use visualizations of multiple viewpoints and discuss the results in groups to come up with the most effective ideas for your strategy and roadmap.

    Activity: Conduct a current state assessment of your BI practice maturity

    2.1.2

    2-3 hours

    Use the BI Practice Assessment Tool to establish a baseline for your current BI capabilities and maturity.

    1. Navigate to Tab 2. Current State Assessment in the BI Practice Assessment Tool and complete the current state assessment together or in small groups. If running a series of assessments, do not star or scratch every time. Use the previous group’s results to start the conversation with the users.
    2. Info-Tech suggests the following groups participate in the completion of the assessment to holistically assess BI and to uncover misalignment:

      Providers Consumers
      CIO & BI Management BI Work Groups (developers, analysts, modelers) Business Unit #1 Business Unit #2 Business Unit #3
    3. For each assessment question, answer the current level of maturity in terms of:
      1. Initial/Ad hoc – the starting point for use of a new or undocumented repeat process
      2. Developing – the process is documented such that it is repeatable
      3. Defined – the process is defined/confirmed as a standard business process
      4. Managed and Measurable – the process is quantitatively managed in accordance with agreed-upon metrics.
      5. Optimized – the process includes process optimization/improvement.

    INPUT

    • Observations of current maturity

    OUTPUT

    • Comprehensive current state assessment

    Materials

    • BI Practice Assessment Tool
    • Current State Assessment section of the BI Strategy and Roadmap Template

    Participants

    • Selected individuals as suggested by the assessment tool

    Info-Tech Insight

    Discuss the rationale for your answers as a group. Document the comments and observations as they may be helpful in formulating the final strategy and roadmap.

    Activity: Review and analyze the results of the current state assessment

    2.1.3

    2-3 hours

    1. Navigate to Tab 3. Current State Results in the BI Practice Assessment Tool and review the findings:

    The tool provides a brief synopsis of your current BI state. Review the details of your maturity level and see where this description fits your organization and where there may be some discrepancies. Add additional comments to your current state summary in the BI Strategy and Roadmap Document.

    In addition to reviewing the attributes of your maturity level, consider the following:

    1. What are the knowns – The knowns confirm your understanding on the current landscape.
  • What are the unknowns – The unknowns show you the blind spots. They are very important to give you an alternative view of the your current state. The group should discuss those blind spots and determine what to do with them.
  • Activity: Review and analyze the results of the current state assessment (cont.)

    2.1.3

    2-3 hours

    2. Tab 3 will also visualize a breakdown of your maturity by BI practice dimension. Use this graphic as a preliminary method to identify where your organization is excelling and where it may need improvement.

    Better Practices

    Consider: What have you done in the areas where you perform well?

    Candidates for Improvement

    Consider: What can you do to improve these areas? What are potential barriers to improvement?

    STEP 2.2

    Envision a Future State for Your Organization’s BI Practice

    Detail the capabilities of your next generation BI practice

    Step Objectives

    • Create guiding principles that will shape your organization’s ideal BI program.
    • Pinpoint where your organization needs to improve across several BI practice dimensions.
    • Develop approaches to remedy current impediments to BI evolution.
    • Step Activities

      2.2.1 Define guiding principles for the future state

      2.2.2 Define the target state of your BI practice

      2.2.3 Confirm requirements for BI Styles by management group

      2.2.4 Analyze gaps in your BI practice and generate improvement activities and objectives

      2.2.5 Define the critical success factors for future BI

      2.2.6 Identify potential risks for your future state and create a mitigation plan

    Outcomes

    • Defined landscape for future BI capabilities, including desired BI functionalities.
    • Identification of crucial gaps and improvement points to include in a BI roadmap.
    • Updated BI Styles Usage sheet.

    Research Support

    • Info-Tech’s Data Management Framework
    • Info-Tech’s BI Practice Assessment Tool
    • Info-Tech’s BI Strategy and Roadmap Template

    Proposed Participants in this Step

    Project Manager

    Data Architect(s) or Enterprise Architect

    Project Team

    Define guiding principles to drive your future state envisioning

    Envisioning a BI future state is essentially architecting the future for your BI program. It is very similar to enterprise architecture (EA). Guiding principles are widely used in enterprise architecture. This best practice should also be used in BI envisioning.

    Benefits of Guiding Principles in a BI Context

    • BI planning involves a number of business units. Defining high-level future state principles helps to establish a common ground for those different business units.
    • Ensure the next generation BI aligns with the corporate enterprise architecture and data architecture principles.
    • Provide high-level guidance without depicting detailed solutioning by leaving room for innovation.

    Sample Principles for BI Future State

    1. BI should be fit for purpose. BI is a business technology that helps business users.
    2. Business–IT collaboration should be encouraged to ensure deliverables are relevant to the business.
    3. Focus on continuous improvement on data quality.
    4. Explore opportunities to onboard and integrate new datasets to create a holistic view of your data.
    5. Organize and present data in an easy-to-consume, easy-to-digest fashion.
    6. BI should be accessible to everything, as soon as they have a business case.
    7. Do not train just on using the platform. Train on the underlying data and business model as well.
    8. Develop a training platform where trainees can play around with the data without worrying about messing it up.

    Activity: Define future state guiding principles for your BI practice

    2.2.1

    1-2 hours

    Guiding principles are broad statements that are fundamental to how your organization will go about its activities. Use this as an opportunity to gather relevant stakeholders and solidify how your BI practice should perform moving forward.

    1. To ensure holistic and comprehensive future state principles, invite participants from the business, the data management team, and the enterprise architecture team. If you do not have an enterprise architecture practice, invite people that are involved in building the enterprise architecture. Five to ten people is ideal.
    2. BI Future State

      Awareness Buy-in Business-IT Alignment Governance Org. Structure; People Process; Policies; Standards Data Technology
    3. Once the group has some high-level ideas on what the future state looks like, brainstorm guiding principles that will facilitate the achievement of the future state (see above).
    4. Document the future state principles in the Future State Principles for BI section of the BI Strategy and Roadmap Template

    INPUT

    • Existing enterprise architecture guiding principles
    • High-level concept of future state BI

    OUTPUT

    • Guiding principles for prospective BI practice

    Materials

    • Future State Principles section of the BI Strategy and Roadmap Template

    Participants

    • Business representatives
    • IT representatives
    • The EA group

    Leverage prototypes to facilitate a continuous dialogue with end users en route to creating the final deliverable

    At the end of the day, BI makes data and information available to the business communities. It has to be fit for purpose and relevant to the business. Prototypes are an effective way to ensure relevant deliverables are provided to the necessary users. Prototyping makes your future state a lot closer and a lot more business friendly.

    Simple Prototypes

    • Simple paper-based, whiteboard-based prototypes with same notes.
    • The most basic communication tool that facilitates the exchange of ideas.
    • Often used in Joint Application Development (JAD) sessions.
    • Improve business and IT collaboration.
    • Can be used to amend requirements documents.

    Discussion Possibilities

    • Initial ideation at the beginning
    • Align everyone on the same page
    • Explain complex ideas/layouts
    • Improve collaboration

    Elaborated Prototypes

    • Demonstrates the possibilities of BI in a risk-free environment.
    • Creates initial business value with your new BI platform.
    • Validates the benefits of BI to the organization.
    • Generates interest and support for BI from senior management.
    • Prepares BI team for the eventual enterprise-wide deployment.

    Discussion Possibilities

    • Validate and refine requirements
    • Fail fast, succeed fast
    • Acts as checkpoints
    • Proxy for the final working deliverable

    Leverage Info-Tech’s BI Practice Assessment Tool to define your BI target state and visualize capability gaps

    BI Practice Assessment Tool

    1. Assess Current State
    • Eight BI practice areas to assess maturity.
    • Based on CMMI maturity scale.
  • Visualize Current State Results
    • Determine your BI maturity level.
    • Identify areas with outstanding maturity.
    • Uncover areas with low maturity.
    • Visualize the presence of misalignments.
  • Target State
    • Tackle target state from two views: business and IT.
    • Calculate gaps between target and current state.
  • Visualize Target State and Gaps
    • A heat map diagram to compare the target state and the current state.
    • Show both current and target maturity levels.
    • Detailed charts to show results for each area.
    • Detailed list of recommendations.

    Purposes:

    • Assess your BI maturity.
    • Visualize maturity assessment to quickly spot misalignments, gaps, and opportunities.
    • Provide right-sized recommendations.

    Document essential findings in Info-Tech’s BI Strategy and Roadmap Template.

    Info-Tech Insight

    Assessing current and target states is only the beginning. The real value comes from the interpretation and analyses of the results. Use visualizations of multiple viewpoints and discuss the results in groups to come up with the most effective ideas for your strategy and roadmap.

    Activity: Define the target state for your BI practice

    2.2.2

    2 hours

    This exercise takes your team through establishing the future maturity of your BI practice across several dimensions.

    1. Envisioning of the future state will involve input from the business side as well as the IT department.
    2. The business and IT groups should get together separately and determine the target state maturity of each of the BI practice components:

    The image is a screenshot of Tab 4: Target State Evaluation of the BI Practice Assessment Tool

    INPUT

    • Desired future practice capabilities

    OUTPUT

    • Target state assessment

    Materials

    • Tab 4 of the BI Practice Assessment Tool

    Participants

    • Business representatives
    • IT representatives

    Activity: Define the target state for your BI practice (cont.)

    2.2.2

    2 hours

    2. The target state levels from the two groups will be averaged in the column “Target State Level.” The assessment tool will automatically calculate the gaps between future state value and the current state maturity determined in Step 2.1. Significant gaps in practice maturity will be highlighted in red; smaller or non-existent gaps will appear green.

    The image is a screenshot of Tab 4: Target State Evaluation of the BI Practice Assessment Tool with Gap highlighted.

    INPUT

    • Desired future practice capabilities

    OUTPUT

    • Target state assessment

    Materials

    • Tab 4 of the BI Practice Assessment Tool

    Participants

    • Business representatives
    • IT representatives

    Activity: Revisit the BI Style Analysis sheet to define new report and analytical requirements by C-Level

    2.2.3

    1-2 hours

    The information needs for each executive is unique to their requirements and management style. During this exercise you will determine the reporting and analytical needs for an executive in regards to content, presentation and cadence and then select the BI style that suite them best.

    1. To ensure a holistic and comprehensive need assessment, invite participants from the business and BI team. Discuss what data the executive currently use to base decisions on and explore how the different BI styles may assist. Sample reports or mock-ups can be used for this purpose.
    2. Document the type of report and required content using the BI Style Tool.
    3. The BI Style Tool will then guide the BI team in the type of reporting to develop and the level of Self-Service BI that is required. The tool can also be used for product selection.

    INPUT

    • Information requirements for C-Level Executives

    OUTPUT

    • BI style(s) that are appropriate for an executive’s needs

    Materials

    • BI Style Usage sheet from BI Strategy and Roadmap Template
    • Sample Reports

    Participants

    • Business representatives
    • BI representatives

    Visualization tools facilitate a more comprehensive understanding of gaps in your existing BI practice

    Having completed both current and target state assessments, the BI Practice Assessment Tool allows you to compare the results from multiple angles.

    At a higher level, you can look at your maturity level:

    At a detailed level, you can drill down to the dimensional level and item level.

    The image is a screenshots from Tab 4: Target State Evaluation of the BI Practice Assessment Tool

    At a detailed level, you can drill down to the dimensional level and item level.

    Activity: Analyze gaps in BI practice capabilities and generate improvement objectives/activities

    2.2.4

    2 hours

    This interpretation exercise helps you to make sense of the BI practice assessment results to provide valuable inputs for subsequent strategy and roadmap formulation.

    1. IT management and the BI team should be involved in this exercise. Business SMEs should be consulted frequently to obtain clarifications on what their ideal future state entails.
    2. Begin this exercise by reviewing the heat map and identifying:

    • Areas with very large gaps
    • Areas with small gaps

    Areas with large gaps

    Consider: Is the target state feasible and achievable? What are ways we can improve incrementally in this area? What is the priority for addressing this gap?

    Areas with small/no gaps

    Consider: Can we learn from those areas? Are we setting the bar too low for our capabilities?

    INPUT

    • Current and target state visualizations

    OUTPUT

    • Gap analysis (Tab 5)

    Materials

    • Tab 5 of the BI Practice Assessment Tool
    • Future State Assessment Results section of the BI Strategy and Roadmap Template

    Participants

    • Business representatives
    • IT representatives

    Activity: Analyze gaps in BI practice capabilities and generate improvement objectives/activities (cont.)

    2.2.4

    2 hours

    2. Discuss the differences in the current and target state maturity level descriptions. Questions to ask include:

    • What are the prerequisites before we can begin to build the future state?
    • Is the organization ready for that future state? If not, how do we set expectations and vision for the future state?
    • Do we have the necessary competencies, time, and support to achieve our BI vision?

    INPUT

    • Current and target state visualizations

    OUTPUT

    • Gap analysis (Tab 5)

    Materials

    • Tab 5 of the BI Practice Assessment Tool
    • Future State Assessment Results section of the BI Strategy and Roadmap Template

    Participants

    • Business representatives
    • IT representatives

    Activity: Analyze gaps in BI practice capabilities and generate improvement objectives/activities (cont.)

    2.2.4

    2 hours

    3. Have the same group members reconvene and discuss the recommendations at the BI practice dimension level on Tab 5. of the BI Practice Assessment Tool. These recommendations can be used as improvement actions or translated into objectives for building your BI capabilities.

    Example

    The heat map displayed the largest gap between target state and current state in the technology dimension. The detailed drill-down chart will further illustrate which aspect(s) of the technology dimension is/are showing the most room for improvement in order to better direct your objective and initiative creation.

    The image is of an example and recommendations.

    Considerations:

    • What dimension parameters have the largest gaps? And why?
    • Is there a different set of expectations for the future state?

    Define critical success factors to direct your future state

    Critical success factors (CSFs) are the essential factors or elements required for ensuring the success of your BI program. They are used to inform organizations with things they should focus on to be successful.

    Common Provider (IT Department) CSFs

    • BI governance structure and organization is created.
    • Training is provided for the BI users and the BI team.
    • BI standards are in place.
    • BI artifacts rely on quality data.
    • Data is organized and presented in a usable fashion.
    • A hybrid BI delivery model is established.
    • BI on BI; a measuring plan has to be in place.

    Common Consumer (Business) CSFs

    • Measurable business results have been improved.
    • Business targets met/exceeded.
    • Growth plans accelerated.
    • World-class training to empower BI users.
    • Continuous promotion of a data-driven culture.
    • IT–business partnership is established.
    • Collaborative requirements gathering processes.
    • Different BI use cases are supported.

    …a data culture is essential to the success of analytics. Being involved in a lot of Bay Area start-ups has shown me that those entrepreneurs that are born with the data DNA, adopt the data culture and BI naturally. Other companies should learn from these start-ups and grow the data culture to ensure BI adoption.

    – Cameran Hetrick, Senior Director of Data Science & Analytics, thredUP

    Activity: Define provider and consumer critical success factors for your future BI capabilities

    2.2.5

    2 hours

    Create critical success factors that are important to both BI providers and BI consumers.

    1. Divide relevant stakeholders into two groups:
    2. BI Provider (aka IT) BI Consumer (aka Business)
    3. Write two headings on the board: Objective and Critical Success Factors. Write down each of the objectives created in Phase 1.
    4. Divide the group into small teams and assign each team an objective. For each objective, ask the following question:
    5. What needs to be put in place to ensure that this objective is achieved?

      The answer to the question is your candidate CSF. Write CSFs on sticky notes and stick them by the relevant objective.

    6. Rationalize and consolidate CSFs. Evaluate the list of candidate CSFs to find the essential elements for achieving success.
    7. For each CSF, identify at least one key performance indicator that will serve as an appropriate metric for tracking achievement.

    As you evaluate candidate CSFs, you may uncover new objectives for achieving your future state BI.

    INPUT

    • Business objectives

    OUTPUT

    • A list of critical success factors mapped to business objectives

    Materials

    • Whiteboard and colored sticky notes
    • CSFs for the Future State section of the BI Strategy and Roadmap Template

    Participants

    • Business and IT representatives
    • CIO
    • Head of BI

    Round out your strategy for BI growth by evaluating risks and developing mitigation plans

    A risk matrix is a useful tool that allows you to track risks on two dimensions: probability and impact. Use this matrix to help organize and prioritize risk, as well as develop mitigation strategies and contingency plans appropriately.

    Example of a risk matrix using colour coding

    Info-Tech Insight

    Tackling risk mitigation is essentially purchasing insurance. You cannot insure everything – focus your investments on mitigating risks with a reasonably high impact and high probability.

    Be aware of some common barriers that arise in the process of implementing a BI strategy

    These are some of the most common BI risks based on Info-Tech’s research:

    Low Impact Medium Impact High Impact
    High Probability
    • Users revert back to Microsoft Excel to analyze data.
    • BI solution does not satisfy the business need.
    • BI tools become out of sync with new strategic direction.
    • Poor documentation creates confusion and reduces user adoption.
    • Fail to address data issues: quality, integration, definition.
    • Inadequate communication with stakeholders throughout the project.
    • Users find the BI tool interface too confusing.
    Medium Probability
    • Fail to define and monitor KPIs.
    • Poor training results in low user adoption.
    • Organization culture is resistant to the change.
    • Lack of support from the sponsors.
    • No governance over BI.
    • Poor training results in misinformed users.
    Low Probability
    • Business units independently invest in BI as silos.

    Activity: Identify potential risks for your future state and create a mitigation plan

    2.2.6

    1 hour

    As part of developing your improvement actions, use this activity to brainstorm some high-level plans for mitigating risks associated with those actions.

    Example:

    Users find the BI tool interface too confusing.

    1. Use the probability-impact matrix to identify risks systematically. Collectively vote on the probability and impact for each risk.
    2. Risk mitigation. Risk can be mitigated by three approaches:
    3. A. Reducing its probability

      B. Reducing its impact

      C. Reducing both

      Option A: Brainstorm ways to reduce risk probability

      E.g. The probability of the above risk may be reduced by user training. With training, the probability of confused end users will be reduced.

      Option B: Brainstorm ways to reduce risk impact

      E.g. The impact can be reduced by ensuring having two end users validate each other’s reports before making a major decision.

    4. Document your high-level mitigation strategies in the BI Strategy and Roadmap Template.

    INPUT

    • Step 2.2 outputs

    OUTPUT

    • High-level risk mitigation plans

    Materials

    • Risks and Mitigation section of the BI Strategy and Roadmap Template

    Participants

    • BI sponsor
    • CIO
    • Head of BI

    Translate your findings and ideas into actions that will be integrated into the BI strategy and roadmap

    As you progress through each phase, document findings and ideas as they arise. By phase end, hold a brainstorming session with the project team focused on documenting findings and ideas and substantiating them into improvement actions.

    Translated findings and ideas into actions that will be integrated into the BI strategy and roadmap.

    Ask yourself how BI or analytics can be used to address the gaps and explore opportunities uncovered in each phase. For example, in Phase 1, how do current BI capabilities impede the realization of the business vision?

    Document and prioritize Phase 2 findings, ideas, and action items

    2.2.7

    1-2 hours

    1. Reconvene as a group to review the findings, ideas, and actions harvested in Phase 2. Write the findings, ideas, and actions on sticky notes.
    2. Prioritize the sticky notes to yield those with high business value and low implementation effort. View some sample findings below:
    3. High Business Value, Low Effort High Business Value, High Effort
      Low Business Value, High Effort Low Business Value, High Effort

      Phase 2

      Sample Phase 2 Findings Found a gap between the business expectation and the existing BI content they are getting.
      Our current maturity level is “Level 2 – Operational.” Almost everyone thinks we should be at least “Level 3 – Tactical” with some level 4 elements.
      Found an error in a sales report. A quick fix is identified.
      The current BI program is not able to keep up with the demand.
    4. Select the top items and document the findings in the BI Strategy Roadmap Template. The findings will be used to build a Roadmap in Phase 3.

    INPUT

    • Phase 2 activities

    OUTPUT

    • Other Phase 2 Findings section of the BI Strategy and Roadmap Template

    Materials

    • Whiteboard
    • Sticky notes

    Participants

    • Project manger
    • Project team
    • Business stakeholders

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech workshop

    Book a workshop with our Info-Tech analysts:

    • To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
    • Info-Tech analysts will join you and your team onsite at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.
    • Contact your account manager (www.infotech.com/account), or email Workshops@InfoTech.com for more information.

    The following are sample activities that will be conducted by Info-Tech analysts with your team:

    2.1.1

    Determine your current BI maturity level

    The analyst will take your project team through Info-Tech’s BI Practice Assessment Tool, which collects perspectives from BI consumer and provider groups on multiple facets of your BI practice in order to establish a current maturity level.

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech workshop

    Book a workshop with our Info-Tech analysts

    2.2.1

    Define guiding principles for your target BI state

    Using enterprise architecture principles as a starting point, our analyst will facilitate exercises to help your team establish high-level standards for your future BI practice.

    2.2.2-2.2.3

    Establish your desired BI patterns and matching functionalities

    In developing your BI practice, your project team will have to decide what BI-specific capabilities are most important to your organization. Our analyst will take your team through several BI patterns that Info-Tech has identified and discuss how to bridge the gap between these patterns, linking them to specific functional requirements in a BI solution.

    2.2.4-2.2.5

    Analyze the gaps in your BI practice capabilities

    Our analyst will guide your project team through a number of visualizations and explanations produced by our assessment tool in order to pinpoint the problem areas and generate improvement ideas.

    Phase 3

    Create a BI Roadmap for Continuous Improvement

    Build a Reporting and Analytics Strategy

    Create a BI roadmap for continuous improvement

    Phase 3 Overarching Insight

    The benefit of creating a comprehensive and actionable roadmap is twofold: not only does it keep BI providers accountable and focused on creating incremental improvement, but a roadmap helps to build momentum around the overall project, provides a continuous delivery of success stories, and garners grassroots-level support throughout the organization for BI as a key strategic imperative.

    Understand the Business Context to Rationalize Your BI Landscape Evaluate Your Current BI Practice Create a BI Roadmap for Continuous Improvement
    Establish the Business Context
    • Business Vision, Goals, Key Drivers
    • Business Case Presentation
    • High-Level ROI
    Assess Your Current BI Maturity
    • SWOT Analysis
    • BI Practice Assessment
    • Summary of Current State
    Construct a BI Initiative Roadmap
    • BI Improvement Initiatives
    • BI Strategy and Roadmap
    Access Existing BI Environment
    • BI Perception Survey Framework
    • Usage Analyses
    • BI Report Inventory
    Envision BI Future State
    • BI Patterns
    • BI Practice Assessment
    • List of Functions
    Plan for Continuous Improvement
    • Excel Governance Policy
    • BI Ambassador Network Draft
    Undergo Requirements Gathering
    • Requirements Gathering Principles
    • Overall BI Requirements

    Phase 3 overview

    Detailed Overview

    Step 1: Establish Your BI Initiative Roadmap

    Step 2: Identify Opportunities to Enhance Your BI Practice

    Step 3: Create Analytics Strategy

    Step 4: Define CSF and metrics to monitor success of BI and analytics

    Outcomes

    • Consolidate business intelligence improvement objectives into robust initiatives.
    • Prioritize improvement initiatives by cost, effort, and urgency.
    • Create a one-year, two-year, or three-year timeline for completion of your BI improvement initiatives.
    • Identify supplementary programs that will facilitate the smooth execution of road-mapped initiatives.

    Benefits

    • Clear characterization of comprehensive initiatives with a detailed timeline to keep team members accountable.

    Revisit project metrics to track phase progress

    Goals for Phase 3:

    • Put everything together. Findings and observations from Phase 1 and 2 are rationalized in this phase to develop data initiatives and create a strategy and roadmap for BI.
    • Continuous improvements. Your BI program is evolving and improving over time. The program should allow you to have faster, better, and more comprehensive information.

    Info-Tech’s Suggested Metrics for Tracking Phase 3 Goals

    Practice Improvement Metrics Data Collection and Calculation Expected Improvement
    Program Level Metrics Efficiency
    • Time to information
    • Self-service penetration
    • Derive from the ticket management system
    • Derive from the BI platform
    • 10% reduction in time to information
    • Achieve 10-15% self-service penetration
    • Effectiveness
    • BI Usage
    • Data quality
    • Derive from the BI platform
    • Data quality perception
    • Majority of the users use BI on a daily basis
    • 15% increase in data quality perception
    Comprehensiveness
    • # of integrated datasets
    • # of strategic decisions made
    • Derive from the data integration platform
    • Decision-making perception
    • Onboard 2-3 new data domains per year
    • 20% increase in decision-making perception

    Learn more about the CIO Business Vision program.

    Intangible Metrics:

    Tap into the results of Info-Tech’s CIO Business Vision diagnostic to monitor the changes in business-user satisfaction as you implement the initiatives in your BI improvement roadmap.

    Phase 3 outline

    Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

    Complete these steps on your own or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that helps you execute each phase of a project. They are included in most advisory memberships.

    Guided Implementation 3: Create a BI Roadmap for Continuous Improvement

    Proposed Time to Completion: 1-2 weeks

    Step 3.1: Construct a BI Improvement Initiative Roadmap

    Start with an analyst kick off call:

    • Review findings and insights from completion of activities pertaining to current and future state assessments
    • Discuss challenges around consolidating activities into initiatives

    Then complete these activities…

    • Collect improvement objectives/tasks from previous phases
    • Develop comprehensive improvement initiatives
    • Leverage value-effort matrix activities to prioritize these initiatives and place them along an improvement roadmap

    With these tools & templates:

    BI Initiatives and Roadmap Tool

    BI Strategy and Roadmap Template

    Step 3.2: Continuous Improvement Opportunities for BI

    Review findings with analyst:

    • Review completed BI improvement initiatives and roadmap
    • Discuss guidelines presenting a finalized improvement to the relevant committee or stakeholders
    • Discuss additional policies and programs that can serve to enhance your established BI improvement roadmap

    Then complete these activities…

    • Present BI improvement roadmap to relevant stakeholders
    • Develop Info-Tech’s recommended supplementary policies and programs for BI

    With these tools & templates:

    BI Strategy and Roadmap Executive Presentation Template

    Phase 3 Results & Insights:

    • Comprehensive initiatives with associated tasks/activities consolidated and prioritized in an improvement roadmap

    STEP 3.1

    Construct a BI Improvement Initiative Roadmap

    Build an improvement initiative roadmap to solidify your revamped BI strategy

    Step Objectives

    • Bring together activities and objectives for BI improvement to form initiatives
    • Develop a fit-for-purpose roadmap aligned with your BI strategy

    Step Activities

    3.1.1 Characterize individual improvement objectives and activities ideated in previous phases.

    3.1.2 Synthesize and detail overall BI improvement initiatives.

    3.1.3 Create a plan of action by placing initiatives on a roadmap.

    Outcomes

    • Detailed BI improvement initiatives, prioritized by value and effort
    • Defined roadmap for completion of tasks associated with each initiative and accountability

    Research Support

    • Info-Tech’s BI Initiatives and Roadmap Tool

    Proposed Participants in this Step

    Project Manager

    Project Team

    Create detailed BI strategy initiatives by bringing together the objectives listed in the previous phases

    When developing initiatives, all components of the initiative need to be considered, from its objectives and goals to its benefits, risks, costs, effort required, and relevant stakeholders.

    Use outputs from previous project steps as inputs to the initiative and roadmap building:

    The image shows the previous project steps as inputs to the initiative and roadmap building, with arrow pointing from one to the next.

    Determining the dependencies that exist between objectives will enable the creation of unique initiatives with associated to-do items or tasks.

    • Group objectives into similar buckets with dependencies
    • Select one overarching initiative
    • Adapt remaining objectives into tasks of the main initiative
    • Add any additional tasks

    Leverage Info-Tech’s BI Initiatives and Roadmap Tool to build a fit-for-purpose improvement roadmap

    BI Initiatives and Roadmap Tool

    Overview

    Use the BI Initiatives and Roadmap Tool to develop comprehensive improvement initiatives and add them to a BI strategy improvement roadmap.

    Recommended Participants

    • BI project team

    Tool Guideline

    Tab 1. Instructions Use this tab to get an understanding as to how the tool works.
    Tab 2. Inputs Use this tab to customize the inputs used in the tool.
    Tab 3. Activities Repository Use this tab to list and prioritize activities, to determine dependencies between them, and build comprehensive initiatives with them.
    Tab 4. Improvement Initiatives Use this tab to develop detailed improvement initiatives that will form the basis of the roadmap. Map these initiatives to activities from Tab 3.
    Tab 5. Improvement Roadmap Use this tab to create your BI strategy improvement roadmap, assigning timelines and accountability to initiatives and tasks, and to monitor your project performance over time.

    Activity: Consolidate BI activities into the tool and assign dependencies and priorities

    3.1.1

  • 2 hours
    1. Have one person from the BI project team populate Tab 3. Activities Repository with the BI strategy activities that were compiled in Phases 1 and 2. Use drop-downs to indicate in which phase the objective was originally ideated.
    2. With BI project team executives, discuss and assign dependencies between activities in the Dependencies columns. A dependency exists if:
    • An activity requires consideration of another activity.
    • An activity requires the completion of another activity.
    • Two activities should be part of the same initiative.
    • Two activities are very similar in nature.
  • Then discuss and assign priorities to each activity in the Priority column using input from previous Phases. For example, if an activity was previously indicated as critical to the business, if a similar activity appears multiple times, or if an activity has several dependencies, it should be higher priority.
  • Inputs

    • BI improvement activities created in Phases 1 and 2

    Output

    • Activities with dependencies and priorities

    Materials

    • BI Initiatives and Roadmap Tool

    Participants

    • BI project team

    Activity: Consolidate BI activities into the tool and assign dependencies and priorities (cont’d.)

    3.1.1

    2 hours

    Screenshot of Tab 3. BI Activities Repository, with samples improvement activities, dependencies, statuses, and priorities

    The image is of a screenshot of Tab 3. BI Activities Repository, with samples improvement activities, dependencies, statuses, and priorities.

    Revisit the outputs of your current state assessment and note which activities have already been completed in the “Status” column, to avoid duplication of your efforts.

    When classifying the status of items in your activity repository, distinguish between broader activities (potential initiatives) and granular activities (tasks).

    Activity: Customize project inputs and build out detailed improvement initiatives

    3.1.2

    1.5 hours

    1. Follow instructions on Tab 2. Inputs to customize inputs you would like to use for your project.
    2. Review the activities repository and select up to 12 overarching initiatives based on the activities with extreme or highest priority and your own considerations.
    • Rewording where necessary, transfer the names of your initiatives in the banners provided on Tab 4. Improvement Initiatives.
    • On Tab 3, indicate these activities as “Selected (initiatives)” in the Status column.
  • In Tab 4, develop detailed improvement initiatives by indicating the owner, taxonomy, start and end periods, cost and effort estimates, goal, benefit/value, and risks of each initiative.
  • Use drop-downs to list “Related activities,” which will become tasks under each initiative.
    • activities with dependency to the initiative
    • activities that lead to the same goal or benefit/value of the main initiative

    Screenshot of the Improvement Initiative template, to be used for developing comprehensive initiatives

    <p data-verified=The image is a screenshot of the Improvement Initiative template, to be used for developing comprehensive initiatives.">

    Inputs

    • Tab 3. Activities Repository

    Output

    • Unique and detailed improvement initiatives

    Materials

    • BI Initiatives and Roadmap Tool
    • BI Initiatives section of the BI Strategy and Roadmap Template

    Participants

    • BI project team

    Visual representations of your initiative landscape can aid in prioritizing tasks and executing the roadmap

    Building a comprehensive BI program will be a gradual process involving a variety of stakeholders. Different initiatives in your roadmap will either be completed sequentially or in parallel to one another, given dependencies and available resources. The improvement roadmap should capture and represent this information.

    To determine the order in which main initiatives should be completed, exercises such as a value–effort map can be very useful.

    Example: Value–Effort Map for a BI Project

    Initiatives that are high value–low effort are found in the upper left quadrant and are bolded; These may be your four primary initiatives. In addition, initiative five is valuable to the business and critical to the project’s success, so it too is a priority despite requiring high effort. Note that you need to consider dependencies to prioritize these key initiatives.

    Value–Effort Map for a BI Project
    1. Data profiling techniques training
    2. Improve usage metrics
    3. Communication plan for BI
    4. Staff competency evaluation
    5. Formalize practice capabilities
    6. Competency improvement plan program
    7. Metadata architecture improvements
    8. EDW capability improvements
    9. Formalize oversight for data manipulation

    This exercise is best performed using a white board and sticky notes, and axes can be customized to fit your needs (E.g. cost, risk, time, etc.).

    Activity: Build an overall BI strategy improvement roadmap for the entire project

    3.1.3

    45 minutes

    The BI Strategy Improvement Roadmap (Tab 5 of the BI Initiatives and Roadmap Tool) has been populated with your primary initiatives and related tasks. Read the instructions provided at the top of Tab 5.

    1. Use drop-downs to assign a Start Period and End Period to each initiative (already known) and each task (determined here). As you do so, the roadmap will automatically fill itself in. This is where the value–effort map or other prioritization exercises may help.
    2. Assign Task Owners reporting Managers.
    3. Update the Status and Notes columns on an ongoing basis. Hold meetings with task owners and managers about blocked or overdue items.
    • Updating status should also be an ongoing maintenance requirement for Tab 3 in order to stay up to date on which activities have been selected as initiatives or tasks, are completed, or are not yet acted upon.

    Screenshot of the BI Improvement Roadmap (Gantt chart) showing an example initiative with tasks, and assigned timeframes, owners, and status updates.

    INPUTS

    • Tab 3. Activities Repository
    • Tab 4. Improvement Initiatives

    OUTPUT

    • BI roadmap

    Materials

    • BI Initiatives and Roadmap Tool
    • Roadmap section of the BI Strategy and Roadmap Template

    Participants

    • BI project team

    Obtain approval for your BI strategy roadmap by organizing and presenting project findings

    Use a proprietary presentation template

    Recommended Participants

    • Project sponsor
    • Relevant IT & business executives
    • CIO
    • BI project team

    Materials & Requirements

    Develop your proprietary presentation template with:

    • Results from Phases 1 and 2 and Step 3.1
    • Information from:
      • Info-Tech’s Build a Reporting and Analytics Strategy
    • Screen shots of outputs from the:
      • BI Practice Assessment Tool
      • BI Initiatives and Roadmap Tool

    Next Steps

    Following the approval of your roadmap, begin to plan the implementation of your first initiatives.

    Overall Guidelines

    • Invite recommended participants to an approval meeting.
    • Present your project’s findings with the goal of gaining key stakeholder support for implementing the roadmap.
    1. Set the scene using BI vision & objectives.
    2. Present the results and roadmap next.
    3. Dig deeper into specific issues by touching on the important components of this blueprint to generate a succinct and cohesive presentation.
  • Make the necessary changes and updates stemming from discussion notes during this meeting.
  • Submit a formal summary of findings and roadmap to your governing body for review and approval (e.g. BI steering committee, BI CoE).
  • Info-Tech Insight

    At this point, it is likely that you already have the support to implement a data quality improvement roadmap. This meeting is about the specifics and the ROI.

    Maximize support by articulating the value of the data quality improvement strategy for the organization’s greater information management capabilities. Emphasize the business requirements and objectives that will be enhanced as a result of tackling the recommended initiatives, and note any additional ramifications of not doing so.

    Leverage Info-Tech’s presentation template to present your BI strategy to the executives

    Use the BI Strategy and Roadmap Executive Presentation Template to present your most important findings and brilliant ideas to the business executives and ensure your BI program is endorsed. Business executives can also learn about how the BI strategy empowers them and how they can help in the BI journey.

    Important Messages to Convey

    • Executive summary of the presentation
    • Current challenges faced by the business
    • BI benefits and associated opportunities
    • SWOT analyses of the current BI
    • BI end-user satisfaction survey
    • BI vision, mission, and goals
    • BI initiatives that take you to the future state
    • (Updated) Analytical Strategy
    • Roadmap that depicts the timeline

    STEP 3.2

    Continuous Improvement Opportunities for BI

    Create supplementary policies and programs to augment your BI strategy

    Step Objectives

    • Develop a plan for encouraging users to continue to use Excel, but in a way that does not compromise overall BI effectiveness.
    • Take steps to establish a positive organizational culture around BI.

    Step Activities

    3.2.1 Construct a concrete policy to integrate Excel use with your new BI strategy.

    3.2.2 Map out the foundation for a BI Ambassador network.

    Outcomes

    • Business user understanding of where Excel manipulation should and should not occur
    • Foundation for recognizing exceptional BI users and encouraging development of enterprise-wide business intelligence

    Research Support

    • Info-Tech’s BI Initiatives and Roadmap Tool
    • Info-Tech’s BI Strategy and Roadmap Template

    Proposed Participants in this Step

    Project Manager

    Project Team

    Additional Business Users

    Establish Excel governance to better serve Excel users while making sure they comply with policies

    Excel is the number one BI tool

    • BI applications are developed to support information needs.
    • The reality is that you will never migrate all Excel users to BI. Some Excel users will continue to use it. The key is to support them while imposing governance.
    • The goal is to direct them to use the data in BI or in the data warehouse instead of extracting their own data from various source systems.

    The Tactic: Centralize data extraction and customize delivery

    • Excel users formerly extracted data directly from the production system, cleaned up the data, manipulated the data by including their own business logic, and presented the data in graphs and pivot tables.
    • With BI, the Excel users can still use Excel to look at the information. The only difference is that BI or data warehouse will be the data source of their Excel workbook.

    Top-Down Approach

    • An Excel policy should be created at the enterprise level to outline which Excel use cases are allowed, and which are not.
    • Excel use cases that involve extracting data from source systems and transforming that data using undisclosed business rules should be banned.
    • Excel should be a tool for manipulating, filtering, and presenting data, not a tool for extracting data and running business rules.

    Excel

    Bottom-Up Approach

    • Show empathy to your users. They just want information to get their work done.
    • A sub-optimal information landscape is the root cause, and they are the victims. Excel spreadmarts are the by-products.
    • Make the Excel users aware of the risks associated with Excel, train them in BI, and provide them with better information in the BI platform.

    Activity: Create an Excel governance policy

    3.2.1

    4 hours

    Construct a policy around Excel use to ensure that Excel documents are created and shared in a manner that does not compromise the integrity of your overall BI program.

    1. Review the information artifact list harvested from Step 2.1 and identify all existing Excel-related use cases.
    2. Categorize the Excel use cases into “allowed,” “not allowed,” and “not sure.” For each category define:
    3. Category To Do: Policy Context
      Allowed Discuss what makes these use cases ideal for BI. Document use cases, scenarios, examples, and reasons that allow Excel as an information artifact.
      Not Allowed Discuss why these cases should be avoided. Document forbidden use cases, scenarios, examples, and reasons that use Excel to generate information artifacts.
      Not Sure Discuss the confusions; clarify the gray area. Document clarifications and advise how end users can get help in those “gray area” cases.
    4. Document the findings in the BI Strategy and Roadmap Template in the Manage and Sustain BI Strategy section, or a proprietary template. You may also need to create a separate Excel policy to communicate the Dos and Don’ts.

    Inputs

    • Step 2.1 – A list of information artifacts

    Output

    • Excel-for-BI Use Policy

    Materials

    • BI Strategy Roadmap and Template, or proprietary document

    Participants

    • Business executives
    • CIO
    • Head of BI
    • BI team

    Build a network of ambassadors to promote BI and report to IT with end-user feedback and requests

    The Building of an Insider Network: The BI Ambassador Network

    BI ambassadors are influential individuals in the organization that may be proficient at using BI tools but are passionate about analytics. The network of ambassadors will be IT’s eyes, ears, and even mouth on the frontline with users. Ambassadors will promote BI, communicate any messages IT may have, and keep tabs on user satisfaction.

    Ideal candidate:

    • A good relationship with IT.
    • A large breadth of experience with BI, not just one dashboard.
    • Approachable and well-respected amongst peers.
    • Has a passion for driving organizational change using BI and continually looking for opportunities to innovate.

    Push

    • Key BI Messages
    • Best Practices
    • Training Materials

    Pull

    • Feedback
    • Complaints
    • Thoughts and New Ideas

    Motivate BI ambassadors with perks

    You need to motivate ambassadors to take on this additional responsibility. Make sure the BI ambassadors are recognized in their business units when they go above and beyond in promoting BI.

    Reward Approach Reward Type Description
    Privileges High Priority Requests Given their high usage and high visibility, ambassadors’ BI information requests should be given a higher priority.
    First Look at New BI Development Share the latest BI updates with ambassadors before introducing them to the organization. Ambassadors may even be excited to test out new functionality.
    Recognition Featured in Communications BI ambassadors’ use cases and testimonials can be featured in BI communications. Be sure to create a formal announcement introducing the ambassadors to the organization.
    BI Ambassador Certificate A certificate is a formal way to recognize their efforts. They can also publicly display the certificate in their workspace.
    Rewards Appointed by Senior Executives Have the initial request to be a BI ambassador come from a senior executive to flatter the ambassador and position the role as a reward or an opportunity for success.
    BI Ambassador Awards Award an outstanding BI ambassador for the year. The award should be given by the CEO in a major corporate event.

    Activity: Plan for a BI ambassador network

    3.2.2

    2 hours

    Identify individuals within your organization to act as ambassadors for BI and a bridge between IT and business users.

    1. Obtain a copy of your latest organizational chart. Review your most up-to-date organizational chart and identify key BI consumers across a variety of functional units. In selecting potential BI ambassadors, reflect on the following questions:
    • Does this individual have a good relationship with IT?
    • What is the depth of their experience with developing/consuming business intelligence?
    • Is this individual respected and influential amongst their respective business units?
    • Has this individual shown a passion for innovating within their role?
  • Create a mandate and collateral detailing the roles and responsibilities for the ambassador role, e.g.:
    • Promote BI to members of your group
    • Represent the “voice of the data consumers”
  • Approach the ambassador candidates and explain the responsibilities and perks of the role, with the goal of enlisting about 10-15 ambassadors
  • Inputs

    • An updated organizational chart
    • A list of BI users

    Output

    • Draft framework for BI ambassador network

    Materials

    • BI Strategy and Roadmap Template or proprietary document

    Participants

    • Business executives
    • CIO
    • Head of BI
    • BI team

    Keeping tabs on metadata is essential to creating a data democracy with BI

    A next generation BI not only provides a platform that mirrors business requirements, but also creates a flexible environment that empowers business users to explore data assets without having to go back and forth with IT to complete queries.

    Business users are generally not interested in the underlying architecture or the exact data lineages; they want access to the data that matters most for decision-making purposes.

    Metadata is data about data

    It comes in the form of structural metadata (information about the spaces that contain data) and descriptive metadata (information pertaining to the data elements themselves), in order to answer questions such as:

    • What is the intended purpose of this data?
    • How up-to-date is this information?
    • Who owns this data?
    • Where is this data coming from?
    • How have these data elements been transformed?

    By creating effective metadata, business users are able to make connections between and bring together data sources from multiple areas, creating the opportunity for holistic insight generation.

    Like BI, metadata lies in the Information Dimension layer of our data management framework.

    The metadata needs to be understood before building anything. You need to identify fundamentals of the data, who owns not only that data, but also its metadata. You need to understand where the consolidation is happening and who owns it. Metadata is the core driver and cost saver for building warehouses and requirements gathering.

    – Albert Hui, Principal, Data Economist

    Deliver timely, high quality, and affordable information to enable fast and effective business decisions

    In order to maximize your ROI on business intelligence, it needs to be treated less like a one-time endeavor and more like a practice to be continually improved upon.

    Though the BI strategy provides the overall direction, the BI operating model – which encompasses organization structure, processes, people, and application functionality – is the primary determinant of efficacy with respect to information delivery. The alterations made to the operating model occur in the short term to improve the final deliverables for business users.

    An optimal BI operating model satisfies three core requirements:

    Timeliness

    Effectiveness

  • Affordability
  • Bring tangible benefits of your revamped BI strategy to business users by critically assessing how your organization delivers business intelligence and identifying opportunities for increased operational efficiency.

    Assess and Optimize BI Operations

    Focus on delivering timely, quality, and affordable information to enable fast and effective business decisions

    Implement a fit-for-purpose BI and analytics solution to augment your next generation BI strategy

    Organizations new to business intelligence or with immature BI capabilities are under the impression that simply getting the latest-and-greatest tool will provide the insights business users are looking for.

    BI technology can only be as effective as the processes surrounding it and the people leveraging it. Organizations need to take the time to select and implement a BI suite that aligns with business goals and fosters end-user adoption.

    As an increasing number of companies turn to business intelligence technology, vendors are responding by providing BI and analytics platforms with more and more features.

    Our vendor landscape will simplify the process of selecting a BI and analytics solution by:

    Differentiating between the platforms and features vendors are offering.

    Detailing a robust framework for requirements gathering to pinpoint your organization’s needs.

    Developing a high-level plan for implementation.

    Select and Implement a Business Intelligence and Analytics Solution

    Find the diamond in your data-rough using the right BI & Analytics solution

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech workshop

    Book a workshop with our Info-tech analysts:

    • To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
    • Info-Tech analysts will join you and your team onsite at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.
    • Contact your account manager (www.infotech.com/account), or email Workshops@InfoTech.com for more information.

    The following are sample activities that will be conducted by Info-tech analysts with your team:

    3.1.1-3.1.3

    Construct a BI improvement initiative roadmap

    During these activities, your team will consolidate the list of BI initiatives generated from the assessments conducted in previous phases, assign timelines to each action, prioritize them using a value–effort matrix, and finally produce a roadmap for implementing your organization’s BI improvement strategy.

    3.2

    Identify continuous improvement opportunities for BI

    Our analyst team will work with your organization to ideate supplementary programs to support your BI strategy. Defining Excel use cases that are permitted and prohibited in conjunction with your BI strategy, as well as structuring an internal BI ambassador network, are a few extra initiatives that can enhance your BI improvement plans.

    Insight breakdown

    Your BI platform is not a one-and-done initiative.

    A BI program is not a static project that is created once and remains unchanged. Your strategy must be treated as a living platform to be revisited and revitalized in order to provide effective enablement of business decision making. Develop a BI strategy that propels your organization by building it on business goals and objectives, as well as comprehensive assessments that quantitatively and qualitatively evaluate your current BI capabilities.

    Put the “B” back in “BI.”

    The closer you align your new BI platform to real business interests, the stronger will be the buy-in, realized value, and groundswell of enthusiastic adoption. Ultimately, getting this phase right sets the stage to best realize a strong ROI for your investment in the people, processes, and technology that will be your next generation BI platform.

    Go beyond the platform.

    BI success is not based solely on the technology it runs on; technology cannot mask gaps in capabilities. You must be capable in your environment – data management, data quality, and related data practices must be strong, otherwise the usefulness of the intelligence suffers. The best BI solution does not only provide a technology platform, but also addresses the elements that surround the platform. Look beyond tools and holistically assess the maturity of your BI practice with input from both the BI consumer and provider perspectives.

    Appendix

    Detailed list of BI Types

    Style Description Strategic Importance (1-5) Popularity (1-5) Effort (1-5)
    Standards Preformatted reports Standard, preformatted information for backward-looking analysis. 5 5 1
    User-defined analyses Pre-staged information where “pick lists” enable business users to filter (select) the information they wish to analyze, such as sales for a selected region during a selected previous timeframe. 5 4 2
    Ad-hoc analyses Power users write their own queries to extract self-selected pre-staged information and then use the information to perform a user-created analysis. 5 4 3
    Scorecards and dashboards Predefined business performance metrics about performance variables that are important to the organization, presented in a tabular or graphical format that enables business users to see at a glance how the organization is performing. 4 4 3
    Multidimensional analysis (OLAP) Multidimensional analysis (also known as On-line analytical processing): Flexible tool-based user-defined analysis of business performance and the underlying drivers or root causes of that performance. 4 3 3
    Alerts Predefined analyses of key business performance variables, comparison to a performance standard or range, and communication to designated businesspeople when performance is outside the predefined performance standard or range. 4 3 3
    Advanced Analytics Application of long-established statistical and/or operations research methods to historical business information to look backward and characterize a relevant aspect of business performance, typically by using descriptive statistics 5 3 4
    Predictive Analytics Application of long-established statistical and/or operations research methods to historical business information to predict, model, or simulate future business and/or economic performance and potentially prescribe a favored course of action for the future 5 3 5

    Our BI strategy approach follows Info-Tech’s popular IT Strategy Framework

    A comprehensive BI strategy needs to be developed under the umbrella of an overall IT strategy. Specifically, creating a BI strategy is contributing to helping IT mature from a firefighter to a strategic partner that has close ties with business units.

    1. Determine mandate and scope 2. Assess drivers and constraints 3. Evaluate current state of IT 4. Develop a target state vision 5. Analyze gaps and define initiatives 6. Build a roadmap 8. Revamp 7. Execute
    Mandate Business drivers Holistic assessments Vision and mission Initiatives Business-driven priorities
    Scope External drivers Focus-area specific assessments Guiding principles Risks
    Project charter Opportunities to innovate Target state vision Execution schedule
    Implications Objectives and measures

    This BI strategy blueprint is rooted in our road-tested and proven IT strategy framework as a systematic method of tackling strategy development.

    Research contributors

    Internal Contributors

    • Andy Woyzbun, Executive Advisor
    • Natalia Nygren Modjeska, Director, Data & Analytics
    • Crystal Singh, Director, Data & Analytic
    • Andrea Malick, Director, Data & Analytics
    • Raj Parab, Director, Data & Analytics
    • Igor Ikonnikov, Director, Data & Analytics
    • Andy Neill, Practice Lead, Data & Analytics
    • Rob Anderson, Manager Sales Operations
    • Shari Lava, Associate Vice-President, Vendor Advisory Practice

    External Contributors

    • Albert Hui, Principal, DataEconomist
    • Cameran Hetrick, Senior Director of Data Science & Analytics, thredUP
    • David Farrar, Director – Marketing Planning & Operations, Ricoh Canada Inc
    • Emilie Harrington, Manager of Analytics Operations Development, Lowe’s
    • Sharon Blanton, VP and CIO, The College of New Jersey
    • Raul Vomisescu, Independent Consultant

    Research contributors and experts

    Albert Hui

    Consultant, Data Economist

    Albert Hui is a cofounder of Data Economist, a data-consulting firm based in Toronto, Canada. His current assignment is to redesign Scotiabank’s Asset Liability Management for its Basel III liquidity compliance using Big Data technology. Passionate about technology and problem solving, Albert is an entrepreneur and result-oriented IT technology leader with 18 years of experience in consulting and software industry. His area of focus is on data management, specializing in Big Data, business intelligence, and data warehousing. Beside his day job, he also contributes to the IT community by writing blogs and whitepapers, book editing, and speaking at technology conferences. His recent research and speaking engagement is on machine learning on Big Data.

    Albert holds an MBA from the University of Toronto and a master’s degree in Industrial Engineering. He has twin boys and enjoys camping and cycling with them in his spare time.

    Albert Hui Consultant, Data Economist

    Cameran Hetrick

    Senior Director of Analytics and Data Science, thredUP

    Cameran is the Senior Director of Analytics and Data Science at thredUP, a startup inspiring a new generation to think second hand first. There she helps drives top line growth through advanced and predictive analytics. Previously, she served as the Director of Data Science at VMware where she built and led the data team for End User Computing. Before moving to the tech industry, she spent five years at The Disneyland Resort setting ticket and hotel prices and building models to forecast attendance. Cameran holds an undergraduate degree in Economics/Mathematics from UC Santa Barbara and graduated with honors from UC Irvine's MBA program.

    Cameran Hetrick Senior Director of Analytics and Data Science, thredUP

    Bibliography

    Bange, Carsten and Wayne Eckerson. “BI and Data Management in the Cloud: Issues and Trends.” BARC and Eckerson Group, January 2017. Web.

    Business Intelligence: The Strategy Imperative for CIOs. Tech. Information Builders. 2007. Web. 1 Dec. 2015.

    COBIT 5: Enabling Information. Rolling Meadows, IL: ISACA, 2013. Web.

    Dag, Naslund, Emma Sikander, and Sofia Oberg. "Business Intelligence - a Maturity Model Covering Common Challenges." Lund University Publications. Lund University, 2014. Web. 23 Oct. 2015.

    “DAMA Guide to the Data Management Body of Knowledge (DAMA-DMBOK Guide).” First Edition. DAMA International. 2009. Digital. April 2014.

    Davenport, Thomas H. and Bean, Randy. “Big Data and AI Executive Survey 2019.” NewVantage Partners LLC. 2019. Web.

    "Debunking the Business of Analytics." Experian Data Quality. Sept. 2013. Web.

    Bibliography

    Drouin, Sue. "Value Chain." SAP Analytics. February 27, 2015.

    Farrar, David. “BI & Data analytics workshop feedback.” Ricoh Canada. Sept. 2019.

    Fletcher, Heather. "New England Patriots Use Analytics & Trigger Emails to Retain Season Ticket Holders." Target Marketing. 1 Dec. 2011. Web.

    Gonçalves, Alex. "Social Media Analytics Strategy - Using Data to Optimize Business Performance.” Apress. 2017.

    Imhoff, Claudia, and Colin White. "Self Service Business Intelligence: Empowering Users to Generate Insights." SAS Resource Page. The Data Warehouse Institute, 2011. Web.

    Khamassi, Ahmed. "Building An Analytical Roadmap : A Real Life Example." Wipro. 2014.

    Kuntz, Jerry, Pierre Haren, and Rebecca Shockley. IBM Insight 2015 Teleconference Series. Proc. of Analytics: The Upside of Disruption. IBM Institute for Business Value, 19 Oct. 2015. Web.

    Kwan, Anne , Maximillian Schroeck, Jon Kawamura. “Architecting and operating model, A platform for accelerating digital transformation.” Part of a Deliotte Series on Digital Industrial Transformation, 2019. Web.

    Bibliography

    Lebied, Mona. "11 Steps on Your BI Roadmap To Implement A Successful Business Intelligence Strategy." Business Intelligence. July 20, 2018. Web.

    Light, Rob. “Make Business Intelligence a Necessity: How to Drive User Adoption.” Sisense Blog. 30 July 2018.

    Mazenko, Elizabeth. “Avoid the Pitfalls: 3 Reasons 80% of BI Projects Fail.” BetterBuys. October 2015.

    Marr, Bernard. "Why Every Business Needs A Data And Analytics Strategy.” Bernard Marr & Co. 2019.

    Mohr, Niko and Hürtgen, Holger. “Achieving Business Impact with Data.” McKinsey. April 2018.

    MIT Sloan Management

    Quinn, Kevin R. "Worst Practices in Business Intelligence: Why BI Applications Succeed Where BI Tools Fail." (2007): 1-19. BeyeNetwork. Information Builders, 2007. Web. 1 Dec. 2015.

    Ringdal, Kristen. "Learning multilevel Analysis." European social Survey. 2019.

    Bibliography

    Schaefer, Dave, Ajay Chandramouly, Burt Carmak, and Kireeti Kesavamurthy. "Delivering Self-Service BI, Data Visualization, and Big Data Analytics." IT@Intel White Paper (2013): 1-11. June 2013. Web. 30 Nov. 2015.

    Schultz, Yogi. “About.” Corvelle Consulting. 2019.

    "The Current State of Analytics: Where Do We Go From Here?" SAS Resource Page. SAS & Bloomberg Businessweek, 2011. Web.

    "The Four Steps to Defining a Customer Analytics Strategy." CCG Analytics Solutions & Services. Nov 10,2017.

    Traore, Moulaye. "Without a strategic plan, your analytics initiatives are risky." Advisor. March 12, 2018. web.

    Wells, Dave. "Ten Mistakes to Avoid When Gathering BI Requirements." Engineering for Industry. The Data Warehouse Institute, 2008. Web.

    “What is a Business Intelligence Strategy and do you need one?” Hydra. Sept 2019. Web.

    Williams, Steve. “Business Intelligence Strategy and Big Data Analytics.” Morgan Kaufman. 2016.

    Wolpe, Toby. "Case Study: How One Firm Used BI Analytics to Track Staff Performance | ZDNet." ZDNet. 3 May 2013. Web.

    Yuk, Mico. “11 Reasons Why Most Business Intelligence Projects Fail.” Innovative enterprise Channels. May 2019.

    Manage Exponential Value Relationships

    • Buy Link or Shortcode: {j2store}210|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Vendor Management
    • Parent Category Link: /vendor-management

    Implementing exponential IT will require businesses to work with external vendors to facilitate the rapid adoption of cutting-edge technologies such as generative artificial intelligence. IT leaders must:

    These challenges require new skills which build trust and collaboration among vendors.

    Our Advice

    Critical Insight

    Outcome-based relationships require a higher degree of trust than traditional vendor relationships. Build trust by sharing risks and rewards.

    Impact and Result

    • Assess your readiness to take on the new types of vendor relationships that will help you succeed.
    • Identify where you need to build your capabilities in order to successfully manage relationships.
    • Successfully manage outcomes, financials, risk, and relationships in complex vendor relationships.

    Manage Exponential Value Relationships Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Manage Exponential Value Relationships Storyboard – Learn about the new era of exponential vendor relationships and the capabilities needed to succeed.

    This research walks you through how to assess your capabilities to undertake a new model of vendor relationships and drive exponential IT.

    • Manage Exponential Value Relationships Storyboard

    2. Exponential Relationships Readiness Assessment – Assess your readiness to engage in exponential vendor partnerships.

    This tool will facilitate your readiness assessment.

    • Exponential Relationships Readiness Assessment
    [infographic]

    Further reading

    Manage Exponential Value Relationships

    Are you ready to manage outcome-based agreements?

    Analyst Perspective

    Outcome-based agreements require a higher degree of mutual trust.

    Kim Osborne Rodriguez

    Exponential IT brings with it an exciting new world of cutting-edge technology and increasingly accelerated growth of business and IT. But adopting and driving change through this paradigm requires new capabilities to grow impactful and meaningful partnerships with external vendors who can help implement technologies like artificial intelligence and virtual reality.

    Building outcome-based partnerships involves working very closely with vendors who, in many cases, will have just as much to lose as the organizations implementing these new technologies. This requires a greater degree of trust between parties than a standard vendor relationship. It also drastically increases the risks to both organizations; as each loses some control over data and outcomes, they must trust that the other organization will follow through on commitments and obligations.

    Outcome-based partnerships build upon traditional vendor management practices and create the potential for organizations to embrace emerging technology in new ways.

    Kim Osborne Rodriguez
    Research Director, CIO Advisory
    Info-Tech Research Group

    Executive Summary

    Exponential IT drives change

    Vendor relationships must evolve

    To deliver exponential value

    Implementing exponential IT will require businesses to work with external vendors to facilitate the rapid adoption of cutting-edge technologies such as generative artificial intelligence. IT leaders must:

    • Build strategic relationships with external entities to support the autonomization of the enterprise.
    • Procure, operate, and manage contracts and performance in outcome-based relationships.
    • Build relationships with new vendors.

    These challenges require new skills which build trust and collaboration with vendors.

    Traditional vendor management approaches are still important for organizations to develop and maintain. But exponential relationships bring new challenges:

    • A shift from managing technology service agreements to managing business capability agreements
    • Increased vendor access to intellectual property, confidential information, and customers

    IT leaders must adapt traditional vendor management capabilities to successfully lead this change.

    Outcome-based relationships should not be undertaken lightly as they can significantly impact the risk profile of the organization. Use this research to:

    • Assess your foundational vendor management capabilities as well as the transformative capabilities you need to manage outcome-based relationships.
    • Identify where you need to build your capabilities in order to successfully manage relationships.
    • Successfully manage outcomes, financials, risk, and relationships in complex vendor partnerships.

    Exponential value relationships will help drive exponential IT and autonomization of the enterprise.

    Info-Tech Insight

    Outcome-based partnerships require a higher degree of trust than traditional vendor relationships. Build trust by sharing risks and rewards.

    Vendor relationships can be worth billions of dollars

    Positive vendor relationships directly impact the bottom line, sometimes to the tune of billions of dollars annually.

    • Organizations typically spend 40% to 80% of their total budget on external suppliers.
    • Greater supplier trust translates directly to greater business profits, even in traditional vendor relationships.1
    • Based on over a decade of data from vehicle manufacturers, greater supplier relationships nearly doubled the unit profit margin on vehicles, contributing over $20 billion to Toyota’s annual profits based on typical sales volume.2
    • Having positive vendor relationships can be instrumental in times of crisis – when scarcity looms, vendors often choose to support their best customers.3,4 For example, Toyota protected itself from the losses many original equipment manufacturers (OEMs) faced in 2020 and showed improved profitability that year due to increased demand for vehicles which it was able to supply as a result of top-ranked vendor relationships.
    1 PR Newswire, 2022.
    2 Based on 10 years of data comparing Toyota and Nissan, every 1-point increase in the company’s Working Relations Index was correlated with a $15.77 net profit increase per unit. Impact on Toyota annual profits is based on 10.5 million units sold in 2021 and 2022.
    3 Interview with Renee Stanley, University of Texas at Arlington. Conducted 17 May 2023.
    4 Plante Moran, 2020.

    Supplier Trust Impacts OEM Profitability

    Sources: Macrotrends, Plante Moran 2022, Nissan 2022 and 2023, and Toyota 2022. Profit per car is based on total annual profit divided by total annual sales volume.

    Outcome-based relationships are a new paradigm

    In a new model where organizations are procuring autonomous capabilities, outcomes will govern vendor relationships.

    An outcome-based relationship requires a higher level of mutual trust than traditional vendor relationships. This requires shared reward and shared risk.

    Don’t forget about traditional vendor management relationships! Not all vendor relationships can (or should) be outcome-based.

    Managing Exponential Value Relationships.

    Case study

    INDUSTRY: Technology

    SOURCE: Press Release

    Microsoft and OpenAI partner on Azure, Teams, and Microsoft Office suite

    In January 2023, Microsoft announced a $10 billion investment in OpenAI, allowing OpenAI to continue scaling its flagship large language model, ChatGPT, and giving Microsoft first access to deploy OpenAI’s products in services like GitHub, Microsoft Office, and Microsoft Teams.

    Shared risk

    Issues with OpenAI’s platforms could have a debilitating effect on Microsoft’s own reputation – much like Google’s $100 billion stock loss following a blunder by its AI platform Bard – not to mention the financial loss if the platform does not live up to the hype.

    Shared reward

    This was a particularly important strategic move by Microsoft, as its main competitors develop their own AI models in a race to the top. This investment also gave OpenAI the resources to continue scaling and evolving its services much faster than it would be capable of on its own. If OpenAI’s products succeed, there is a significant upside for both companies.

    The image contains a graph that demonstrates time to reach 1 million users.

    Adapt your approach to vendor relationships

    Both traditional vendors and exponential relationships are important.

    Traditional

    procurement

    Vendor

    management

    Exponential vendor relationships

    • Ideal for procuring a product or service
    • Typically evaluates vendors based on their capabilities and track record of success
    • Focuses on metrics, KPIs, and contracts to deliver success to the organization purchasing the product or service
    • Vendors typically only have access to company data showing what is required to deliver their product or service
    • Ideal for managing vendors supplying products or services
    • Typically evaluates vendors based on the value and the criticality of a vendor to drive VM-resource allocation
    • External vendors do not generally participate in sharing of risks or rewards outside of payment for services or incentives/penalties
    • Vendors typically have limited access to company data
    • Ideal for procuring an autonomous capability
    • Typically evaluated based on the total possible value creation for both parties
    • External vendors share in substantial portions of the risks and rewards of the relationship
    • Vendors typically have significant access to company data, including proprietary methods, intellectual property, and customer lists

    Use this research to successfully
    manage outcome-based relationships.

    Use Info-Tech’s research to Jump Start Your Vendor Management Initiative.

    Common obstacles

    Exponential relationships require new approaches to vendor management as businesses autonomize:

    • Autonomization refers to the shift toward autonomous business capabilities which leverage technologies such as AI and quantum computing to operate independently of human interaction.
    • The speed and complexity of technology advancement requires that businesses move quickly and confidently to develop strong relationships and deliver value.
    • We are seeing businesses shift from procuring products and services to procuring autonomous business capabilities (sometimes called “as a service,” or aaS). This shift can drive exponential value but also increases complexity and risk.
    • Exponential IT requires a shift in emphasis toward more mature relationship and risk management strategies, compared to traditional vendor management.

    The shift from technology service agreements to business capability agreements needs a new approach

    Eighty-seven percent of organizations are currently experiencing talent shortages or expect to within a few years.

    Source: McKinsey, “Mind the [skills] gap”, 2021.

    Sixty-three percent of IT leaders plan to implement AI in their organizations by the end of 2023.

    Source: Info-Tech Research Group survey, 2022

    Insight summary

    Build trust

    Successfully managing exponential relationships requires increased trust and the ability to share both risks and rewards. Outcome-based vendors typically have greater access to intellectual property, customer data, and proprietary methods, which can pose a risk to the organization if this information is used to benefit competitors. Build mutual trust by sharing both risks and rewards.

    Manage risk

    Outcome-based relationships with external vendors can drastically affect an organization’s risk profile. Carefully consider third-party risk and shared risk, including ESG risk, as well as the business risk of losing control over capabilities and assets. Qualified risk specialists (such as legal, regulatory, contract, intellectual property law) should be consulted before entering outcome-based relationships.

    Drive outcomes

    Fostering strategic relationships can be instrumental in times of crisis, when being the customer of choice for key vendors can push your organization up the line from the vendor’s side – but be careful about relying on this too much. Vendor objectives may not align with yours, and in the end, everyone needs to protect themselves.

    Assess your readiness for exponential value relationships

    Key deliverable:

    Exponential Relationships Readiness Assessment

    Determine your readiness to build exponential value relationships.

    Measure the value of this blueprint

    Save thousands of dollars by leveraging this research to assess your readiness, before you lose millions from a relationship gone bad.

    Our research indicates that most organizations would take months to prepare this type of assessment without using our research. That’s over 80 person-hours spent researching and gathering data to support due diligence, for a total cost of thousands of dollars. Doesn’t your staff have better things to do?

    Start by answering a few brief questions, then return to this slide at the end to see how much your answers have changed.

    Establish Baseline Metrics

    Use Info-Tech’s research to Exponential Relationships Readiness Assessment.

    Estimated time commitment without Info-Tech’s research (person-hours)

    Establish a baseline

    Gauge the effectiveness of this research by asking yourself the following questions before and after completing your readiness assessment:

    Questions

    Before

    After

    To what extent are you satisfied with your current vendor management approach?

    How many of your current vendors would you describe as being of strategic importance?

    How much do you spend on vendors annually?

    How much value do you derive from your vendor relationships annually?

    Do you have a vendor management strategy?

    What outcomes are you looking to achieve through your vendor relationships?

    How well do you understand the core capabilities needed to drive successful vendor management?

    How well do you understand your current readiness to engage in outcome-based vendor relationships?

    Do you feel comfortable managing the risks when working with organizations to implement artificial intelligence and other autonomous capabilities?

    How to use this research

    Five tips to get the most out of your readiness assessment.

    1. Each category consists of five competencies, with a maximum of five points each. The maximum score on this assessment is 100 points.
    2. Effectiveness levels range from basic (level 1) to advanced (level 5). Level 1 is generally considered the baseline for most effectively operating organizations. If your organization is struggling with level 1 competencies, it is recommended to improve maturity in those areas before pursuing exponential relationships.
    3. This assessment is qualitative; complete the assessment to the best of your ability, based on the scoring rubric provided. If you fall between levels, use the lower one in your assessment.
    4. The scoring rubric may not perfectly fit the processes and practices within every organization. Consider the spirit of the description and score accordingly.
    5. Other industry- and region-specific competencies may be required to succeed at exponential relationships. The competencies in this assessment are a starting point, and internal validation and assessments should be conducted to uncover additional competencies and skills.

    Financial management

    Manage your budget and spending to stay on track throughout your relationship.

    “Most organizations underestimate the amount of time, money, and skill required to build and maintain a successful relationship with another organization. The investment in exponential relationships is exponential in itself – as are the returns.”

    – Jennifer Perrier, Principal Research Director,
    Info-Tech Research Group

    This step involves the following participants:

    • Executive leadership team, including CIO
    • CFO
    • Vendor management leader
    • Other internal stakeholders of vendor relationships

    Activities:

    • Assess your ability to manage scope and budget in exponential IT relationships.

    Successfully manage complex finances

    Stay on track and keep your relationship running smoothly.

    Why is this important?

    • Finance is at the core of most business – it drives decision making, acts as a constraint for innovation and optimization, and plays a key role in assessing options (such as return on investment or payback period).
    • Effectively managing finances is a critical success factor in developing strong relationships. Each organization must be able to manage their own budget and spending in order to balance the risk and reward in the relationship. Often, these risks and rewards will come in the form of profit and loss or revenue and spend.

    Build it into your practice:

    1. Ensure your financial decision-making practices are aligned with the organizational and relationship strategy. Do metrics and criteria reflect the organization’s goals?
    2. Develop strong accounting and financial analysis practices – this includes the ability to conduct financial due diligence on potential vendors.
    3. Develop consistent methodology to track and report on the desired outcomes on a regular basis.

    Build your ability to manage finances

    The five competencies needed to manage finances in exponential value relationships are:

    Budget procedures

    Financial alignment

    Adaptability

    Financial analysis

    Reporting & compliance

    Clearly articulate and communicate budgets, with proactive analysis and reporting.

    There is a strong, direct alignment between financial outcomes and organizational strategy and goals.

    Financial structures can manage many different types of relationships and structures without major overhaul.

    Proactive financial analysis is conducted regularly, with actionable insights.

    This exceeds legal requirements and includes proactive and actionable reporting.

    Relationship management

    Drive exponential value by becoming a customer of choice.

    “The more complex the business environment becomes — for instance, as new technologies emerge or as innovation cycles get faster — the more such relationships make sense. And the better companies get at managing individual relationships, the more likely it is that they will become “partners of choice” and be able to build entire portfolios of practical and value-creating partnerships.”

    (“Improving the management of complex business partnerships.” McKinsey, 2019)

    This step involves the following participants:

    • Executive leadership team, including CIO
    • Vendor management leader
    • Other internal stakeholders of vendor relationships

    Activities:

    • Assess your ability to manage relationships in exponential IT relationships.

    Take your relationships to the next level

    Maintaining positive relationships is key to building trust.

    Why is this important?

    • All relationships will experience challenges, and the ability to resolve these issues will rely heavily on the relationship management skills and soft skills of the leadership within each organization.
    • Based on a 20-year study of vendor relationships in the automotive sector, business-to-business trust is a function of reasonable demands, follow-through, and information sharing.
    (Source: Plante Moran, 2020)

    Build it into your practice:

    1. Develop the soft skills necessary to promote psychological safety, growth mindset, and strong and open communication channels.
    2. Be smart about sharing information – you don’t need to share everything, but being open about relevant information will enhance trust.
    3. Both parties need to work hard to develop trust necessary to build a true relationship. This will require increased access to decision-makers, clearly defined guardrails, and the ability for unsatisfied parties to leave.

    Build your ability to manage relationships

    The five competencies needed to manage relationships in exponential partnerships are:

    Strategic alignment

    Follow-through

    Information sharing

    Shared risk & rewards

    Communication

    Work with vendors to create roadmaps and strategies to drive mutual success.

    Ensure demands are reasonable and consistently follow through on commitments.

    Proactively and freely share relevant information between parties.

    Equitably share responsibility for outcomes and benefits from success.

    Ensure clear, proactive, and frequent communication occurs between parties.

    Performance management

    Outcomes management focuses on results, not methods.

    According to Jennifer Robinson, senior editor at Gallup, “This approach focuses people and teams on a concrete result, not the process required to achieve it. Leaders define outcomes and, along with managers, set parameters and guidelines. Employees, then, have a high degree of autonomy to use their own unique talents to reach goals their own way.” (Forbes, 2023)

    In the context of exponential relationships, vendors can be given a high degree of autonomy provided they meet their objectives.

    This step involves the following participants:

    • Executive leadership team, including CIO
    • Vendor management leader
    • Other internal stakeholders of vendor relationships

    Activities:

    • Assess your ability to manage outcomes in exponential IT relationships.

    Manage outcomes to drive mutual success

    Build trust by achieving shared objectives.

    Why is this important?

    • Relationships are based on shared risk and shared reward for all parties. In order to effectively communicate the shared rewards, you must first understand and communicate your objectives for the relationship, then measure outcomes to ensure all parties are benefiting.
    • Effectively managing outcomes reduces the risk that one party will choose to leave based on a perception of benefits not being achieved. Parties may still leave the agreement, but decisions should be based on shared facts and issues should be communicated and addressed early.

    Build it into your practice:

    1. Clearly articulate what you hope to achieve by entering an outcome-based relationship. Each party should outline and agree to the goals, objectives, and desired outcomes from the relationship.
    2. Document how rewards will be shared among parties. What type of rewards are anticipated? Who will benefit and how?
    3. Develop consistent methodology to track and report on the desired outcomes on a regular basis. This might consist of a vendor scorecard or a monthly meeting.

    Build your ability to manage outcomes

    The five competencies needed to manage outcomes in exponential value relationships are:

    Goal setting

    Negotiation

    Performance tracking

    Issue
    resolution

    Scope management

    Set specific, measurable and actionable goals, and communicate them with stakeholders.

    Clearly articulate and agree upon measurable outcomes between all parties.

    Proactively track progress toward goals/outcomes and discuss results with vendors regularly.

    Openly discuss potential issues and challenges on a regular basis. Find collaborative solutions to problems.

    Proactively manage scope and discuss with vendors on a regular basis.

    Risk management

    Exponential IT means exponential risk – and exponential rewards.

    One of the key differentiators between traditional vendor relationships and exponential relationships is the degree to which risk is shared between parties. This is not possible in all industries, which may limit companies’ ability to participate in this type of exponential relationship.

    This step involves the following participants:

    • Executive leadership team, including CIO
    • Vendor management leader
    • Risk management leader
    • Other internal stakeholders of vendor relationships

    Activities:

    • Assess your ability to manage risk in exponential IT relationships.

    Relationships come with a lot of hidden risks

    Successfully managing complex risks can be the difference between a spectacular success and company-ending failure.

    Why is this important?

    • Relationships inherently involve a loss of control. You are relying on another party to fulfill their part of the agreement, and you depend on the success of the outcome. Loss of control comes with significant risks.
    • Sharing in risk is what differentiates an outcome-based relationship from a traditional vendor relationship; vendors must have skin in the game.
    • Organizations must consider many different types of risk when considering a relationship with a vendor: fraud, security, human rights, labor relations, ESG, and operational risks. Remember that risk is not inherently bad; some risk is necessary.

    Build it into your practice:

    1. Build or hire the necessary risk expertise needed to properly assess and evaluate the risks of potential vendor relationships. This includes intellectual property, ESG, legal/regulatory, cybersecurity, data security, and more.
    2. Develop processes and procedures which clearly communicate and report on risk on a regular basis.

    Info-Tech Insight

    Some highly regulated industries (such as finance) are prevented from transferring certain types of risk. In these industries, it may be much more difficult to form vendor relationships.

    Don’t forget about third-party ESG risk

    Customers care about ESG. You should too.

    Protect yourself against third-party ESG risks by considering the environmental and social impacts of your vendors.

    Third-party ESG risks can include the following:

    • Environmental risk: Vendors with unsustainable practices such as carbon emissions or waste generation of natural resource depletion can negatively impact the organization’s environmental goals.
    • Social risk: Unsafe or illegal labor practices, human rights violations, and supply chain management issues can reflect negatively on organizations that choose to work with vendors who engage in such practices.
    • Governance risk: Vendors who engage in illegal or unethical behaviors, including bribery and corruption or data and privacy breaches can impact downstream customers.

    Working with vendors that have a poor record of ESG carries a very real reputational risk for organizations who do not undertake appropriate due diligence.

    A global survey of nearly 14,000 customers revealed that…

    Source: EY Future Consumer Index, 2021

    Seventy-seven percent of customers believe companies have a responsibility to manufacture sustainably.

    Sixty-eight percent of customers believe businesses should ensure their suppliers meet high social and environmental standards.

    Fifty-five percent of customers consider the environmental impact of production in their purchasing decisions.

    Build your ability to manage risk

    The five competencies needed to manage risk in exponential value relationships are:

    Third-party risk

    Value chain

    Data management

    Regulatory & compliance

    Monitoring & reporting

    Understand and assess third-party risk, including ESG risk, in potential relationships.

    Assess risk throughout the value chain for all parties and balance risk among parties.

    Proactively assess and manage potential data risks, including intellectual property and strategic data.

    Manage regulatory and compliance risks, including understanding risk transfer and ultimate risk holder.

    Proactive and open monitoring and reporting of risks, including regular communication among stakeholders.

    Contract management

    Contract management is a critical part of vendor management.

    Well-managed contracts include clearly defined pricing, performance-based outcomes, clear roles and responsibilities, and appropriate remedies for failure to meet requirements. In outcome-based relationships, contracts are generally used as a secondary method of enforcing performance, with relationship management being the primary method of addressing challenges and ensuring performance.

    This step involves the following participants:

    • Executive leadership team, including CIO
    • Vendor management leader
    • Risk management leader
    • Other internal stakeholders of vendor relationships

    Activities:

    • Assess your ability to manage risk in exponential IT relationships.

    Build your ability to manage contracts

    The five competencies needed to manage contracts in exponential value relationships are:

    Pricing

    Performance outcomes

    Roles and responsibilities

    Remedies

    Payment

    Pricing is clearly defined in contracts so that the total cost is understood including all fees, optional pricing, and set caps on increases.

    Contracts are performance-based whenever possible, including deliverables, milestones, service levels, due dates, and outcomes.

    Each party's roles and responsibilities are clearly defined in the contract documents with adequate detail.

    Contracts contain appropriate remedies for a vendor's failure to meet SLAs, due dates, and other obligations.

    Payment is made after performance targets are met, approved, or accepted.

    Activity 1: Assess your readiness for exponential relationships

    1-3 hours

    1. Gather key stakeholders from across your organization to participate in the readiness assessment exercise.
    2. As a group, review the core competencies from the previous four sections and determine where your organization’s effectiveness lies for each competency. Record your responses in the Exponential Relationships Readiness Assessment tool.

    Download the Exponential Relationships Readiness Assessment tool.

    Input Output
    • Core competencies
    • Knowledge of internal processes and capabilities
    • Readiness assessment
    Materials Participants
    • Exponential
      Relationships Readiness Assessment
      tool
    • Whiteboard/flip charts
    • Executive leadership team, including CIO
    • Vendor management leader
    • Other internal stakeholders of vendor relationships

    Understand your assessment

    This step involves the following participants:

    • Executive leadership team, including CIO
    • Vendor management leader
    • Other internal stakeholders of vendor relationships

    Activities:

    • Create an action plan.

    Understand the results of your assessment

    Consider the following recommendations based on your readiness assessment scores:

    • The chart to the right shows sample results. The bars indicate the recommended scores, and the line indicates the readiness score.
    • Three or more categories below the recommended scores, or any categories more than five points below the recommendation: outcome-based relationships are not recommended at this time.
    • Two or more categories below the recommended scores: Proceed with caution and limit outcome-based relationships to low-risk areas. Continue to mature capabilities.
    • One category below the recommended scores: Evaluate the risks and benefits before engaging in higher-risk vendor relationships. Continue to mature capabilities.
    • All categories at or above the recommended scores: You have many of the core capabilities needed to succeed at exponential relationships! Continue to evaluate and refine your vendor relationships strategy, and identify any additional competencies needed based on your industry or region.

    Acme Corp Exponential Relationships Readiness.

    Activity 2: Create an action plan

    1 hour

    1. Gather the stakeholders who participated in the readiness assessment exercise.
    2. As a group, review the results of the readiness assessment. Where there any surprise? Do the results reflect your understanding of the organization’s maturity?
    3. Determine which areas are likely to limit the organization’s relationship capability, based on lowest scoring areas and relative importance to the organization.
    4. Break out into groups and have each group identify three actions the organization could take to mature the lowest scoring areas.
    5. Bring the group back together and prioritize the actions. Note who will be accountable for each next step.
    InputOutput
    • Readiness assessment
    • Action plan to improve maturity of capabilities
    MaterialsParticipants
    • Exponential
      Relationship Readiness Assessment
      tool
    • Whiteboard/flip charts
    • Executive leadership team, including CIO
    • Vendor management leader
    • Other internal stakeholders of vendor relationships

    Related Info-Tech Research

    Jump Start Your Vendor Management Initiative
    Create and implement a vendor management framework to begin obtaining measurable results in 90 days.

    Elevate Your Vendor Management Initiative
    Transform your VMI from tactical to strategic to maximize its impact and value

    Evaluate Your Vendor Account Team to Optimize Vendor Relations
    Understand the value of knowing your account team’s influence in the organization, and your influence, to drive results.

    Related Info-Tech Research

    Build an IT Risk Management Program
    Mitigate the IT risks that could negatively impact your organization.

    Build an IT Budget
    Effective IT budgets are more than a spreadsheet. They tell a story.

    Adopt an Exponential IT Mindset
    Thrive through the next paradigm shift..

    Author

    Kim Osborne Rodriguez

    Kim Osborne Rodriguez
    Research Director, CIO Advisory
    Info-Tech Research Group

    Kim is a professional engineer and Registered Communications Distribution Designer (RCDD) with over a decade of experience in management and engineering consulting spanning healthcare, higher education, and commercial sectors. She has worked on some of the largest hospital construction projects in Canada, from early visioning and IT strategy through to design, specifications, and construction administration. She brings a practical and evidence-based approach, with a track record of supporting successful projects.

    Kim holds a Bachelor’s degree in Honours Mechatronics Engineering and an option in Management Sciences from the University of Waterloo.

    Research Contributors and Experts

    Jack Hakimian

    Jack Hakimian
    Senior Vice President
    Info-Tech Research Group

    Jack has more than 25 years of technology and management consulting experience. He has served multibillion-dollar organizations in multiple industries including financial services and telecommunications. Jack also served several large public sector institutions.

    He is a frequent speaker and panelist at technology and innovation conferences and events and holds a Master’s degree in Computer Engineering as well as an MBA from the ESCP-EAP European School of Management.

    Michael Tweedie

    Michael Tweedie
    Practice Lead, CIO Strategy
    Info-Tech Research Group

    Mike Tweedie brings over 25 years as a technology executive. He’s led several large transformation projects across core infrastructure, application and IT services as the head of Technology at ADP Canada. He was also the Head of Engineering and Service Offerings for a large French IT services firm, focused on cloud adoption and complex ERP deployment and management.

    Mike holds a Bachelor’s degree in Architecture from Ryerson University.

    Scott Bickley

    Scott Bickley
    Practice Lead, VCCO
    Info-Tech Research Group

    Scott Bickley is a Practice Lead & Principal Research Director at Info-Tech Research Group, focused on Vendor Management and Contract Review. He also has experience in the areas of IT Asset Management (ITAM), Software Asset Management (SAM), and technology procurement along with a deep background in operations, engineering, and quality systems management.

    Scott holds a B.S. in Justice Studies from Frostburg State University. He also holds active IAITAM certification designations of CSAM and CMAM and is a Certified Scrum Master (SCM).

    Donna Bales

    Donna Bales
    Principal Research Director
    Info-Tech Research Group

    Donna Bales is a Principal Research Director in the CIO Practice at Info-Tech Research Group, specializing in research and advisory services in IT risk, governance, and compliance. She brings over 25 years of experience in strategic consulting and product development and has a history of success in leading complex, multistakeholder industry initiatives.

    Donna has a bachelor’s degree in economics from the University of Western Ontario.

    Research Contributors and Experts

    Jennifer Perrier

    Jennifer Perrier
    Principal Research Director
    Info-Tech Research Group

    Jennifer has 25 years of experience in the information technology and human resources research space, joining Info-Tech in 1998 as the first research analyst with the company. Over the years, she has served as a research analyst and research manager, as well as in a range of roles leading the development and delivery of offerings across Info-Tech’s product and service portfolio, including workshops and the launch of industry roundtables and benchmarking. She was also Research Lead for McLean & Company, the HR advisory division of Info-Tech, during its start-up years.

    Jennifer’s research expertise spans the areas of IT strategic planning, governance, policy and process management, people management, leadership, organizational change management, performance benchmarking, and cross-industry IT comparative analysis. She has produced and overseen the development of hundreds of publications across the full breadth of both the IT and HR domains in multiple industries. In 2022, Jennifer joined Info-Tech’s IT Financial Management Practice with a focus on developing financial transparency to foster meaningful dialogue between IT and its stakeholders and drive better technology investment decisions.

    Phil Bode

    Phil Bode
    Principal Research Director
    Info-Tech Research Group

    Phil has 30+ years of experience with IT procurement-related topics: contract drafting and review, negotiations, RFXs, procurement processes, and vendor management. Phil has been a frequent speaker at conferences, a contributor to magazine articles in CIO Magazine and ComputerWorld, and quoted in many other magazines. He is a co-author of the book The Art of Creating a Quality RFP.

    Phil has a Bachelor of Science in Business Administration with a double major of Finance and Entrepreneurship and a Bachelor of Science in Business Administration with a major of Accounting, both from the University of Arizona.

    Research Contributors

    Erin Morgan

    Erin Morgan
    Assistant Vice President, IT Administration
    University of Texas at Arlington

    Renee Stanley

    Renee Stanley
    Assistant Director IT Procurement and Vendor Management
    University of Texas at Arlington

    Note: Additional contributors did not wish to be identified.

    Bibliography

    Andrea, Dave. “Plante Moran’s 2022 Working Relations Index® (WRI) Study shows supplier relations can improve amid industry crisis.” Plante Moran, 25 Aug 2022. Accessed 18 May 2023.
    Andrea, Dave. “Trust between suppliers and OEMs can better prepare you for the next crisis.” Plante Moran, 9 Sept 2020. Accessed 17 May 2023.
    Cleary, Shannon, and Carolan McLarney. “Organizational Benefits of an Effective Vendor Management Strategy.” IUP Journal of Supply Chain Management, Vol. 16, Issue 4, Dec 2019.
    De Backer, Ruth, and Eileen Kelly Rinaudo. “Improving the management of complex business partnerships.” McKinsey, 21 March 2019. Accessed 9 May 2023 .
    Dennean, Kevin et al. “Let's chat about ChatGPT.” UBS, 22 Feb 2023. Accessed 26 May 2023.
    F&I Tools. “Nissan Worldwide Vehicle Sales Report.” Factory Warranty List, 2022. Accessed 18 May 2023.
    Gomez, Robin. “Adopting ChatGPT and Generative AI in Retail Customer Service.” Radial, 235, April 2023. Accessed 10 May 2023.
    Harms, Thomas and Kristina Rogers. “How collaboration can drive value for you, your partners and the planet.” EY, 26 Oct 2021. Accessed 10 May 2023.
    Hedge & Co. “Toyota, Honda finish 1-2; General Motors finishes at 3rd in annual Supplier Working Relations Study.” PR Newswire, 23 May 2022. Accessed 17 May 2023.
    Henke Jr, John W., and T. Thomas. "Lost supplier trust, lost profits." Supply Chain Management Review, May 2014. Accessed 17 May 2023.
    Information Services Group, Inc. “Global Demand for IT and Business Services Continues Upward Surge in Q2, ISG Index™ Finds.” BusinessWire, 7 July 2021. Accessed 8 May 2023.
    Kasanoff, Bruce. “New Study Reveals Costs Of Bad Supplier Relationships.” Forbes, 6 Aug 2014. Accessed 17 May 2023.
    Macrotrends. “Nissan Motor Gross Profit 2010-2022.” Macrotrends. Accessed 18 May 2023.
    Macrotrends. “Toyota Gross Profit 2010-2022.” Macrotrends. Accessed 18 May 2023.
    McKinsey. “Mind the [skills] gap.” McKinsey, 27 Jan 2021. Accessed 18 May 2023.
    Morgan, Blake. “7 Examples of How Digital Transformation Impacted Business Performance.” Forbes, 21 Jul 2019. Accessed 10 May 2023.
    Nissan Motor Corporation. “Nissan reports strong financial results for fiscal year 2022.” Nissan Global Newsroom, 11 May 2023. Accessed 18 May 2023.

    Bibliography

    “OpenAI and Microsoft extend partnership.” Open AI, 23 Jan 2023. Accessed 26 May 2023.
    Pearson, Bryan. “The Apple Of Its Aisles: How Best Buy Lured One Of The Biggest Brands.“ Forbes, 23 Apr 2015. Accessed 23 May 2023.
    Perifanis, Nikolaos-Alexandros and Fotis Kitsios. “Investigating the Influence of Artificial Intelligence on Business Value in the Digital Era of Strategy: A Literature Review.” Information, 2 Feb 2023. Accessed 10 May 2023.
    Scott, Tim and Nathan Spitse. “Third-party risk is becoming a first priority challenge.” Deloitte. Accessed 18 May 2023.
    Stanley, Renee. Interview by Kim Osborne Rodriguez, 17 May 2023.
    Statista. “Toyota's retail vehicle sales from 2017 to 2021.” Statista, 27 Jul 2022. Accessed 18 May 2023.
    Tlili, Ahmed, et al. “What if the devil is my guardian angel: ChatGPT as a case study of using chatbots in education.” Smart Learning Environments, 22 Feb 2023. Accessed 9 May 2023.
    Vitasek, Kate. “Outcome-Based Management: What It Is, Why It Matters And How To Make It Happen.” Forbes, 12 Jan 2023. Accessed 9 May 2023.

    Manage Service Catalogs

    • Buy Link or Shortcode: {j2store}44|cart{/j2store}
    • Related Products: {j2store}44|crosssells{/j2store}
    • member rating overall impact: 9.0/10
    • member rating average dollars saved: $3,956
    • member rating average days saved: 24
    • Parent Category Name: Service Planning and Architecture
    • Parent Category Link: /service-planning-and-architecture

    The challenge

    • Your business users may not be aware of the full scope of your services.
    • Typically service information is written in technical jargon. For business users, this means that the information will be tough to understand.
    • Without a service catalog, you have no agreement o what is available, so business will assume that everything is.

    Our advice

    Insight

    • Define your services from a user's or customer perspective.
      • When your service catalog contains too much information that does not apply to most users, they will not use it.
    • Separate the line-of-business services from enterprise services. It simplifies your documentation process and makes the service catalog more comfortable to use.

    Impact and results 

    • Our approach helps you organize your service catalog in a business-friendly way while keeping it manageable for IT.
    • And manageable also means that your service catalog remains a living document. You can update your service records easily.
    • Your service catalog forms a visible bridge between IT and the business. Improve IT's perception by communicating the benefits of the service catalog.

    The roadmap

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    Get started

    Our concise executive brief shows you why building a service catalog is a good idea for your company. We'll show you our methodology and the ways we can help you in handling this.

    Minimize the risks from attrition through an effective knowledge transfer process.

    Launch the initiative

    Our launch phase will walk you through the charter template, build help a balanced team, create your change message and communication plan to obtain buy-in from all your organization's stakeholders.

    • Design & Build a User-Facing Service Catalog – Phase 1: Launch the Project (ppt)
    • Service Catalog Project Charter (doc)

    Identify and define the enterprise services

    Group enterprise services which you offer to everyone in the company, logically together.

    • Design & Build a User-Facing Service Catalog – Phase 2: Identify and Define Enterprise Services (ppt)
    • Sample Enterprise Services (ppt)

    Identify and define your line-of-business (LOB) services

    These services apply only to one business line. Other business users should not see them in the catalog.

    • Design & Build a User-Facing Service Catalog – Phase 3: Identify and Define Line of Business Services (ppt)
    • Sample LOB Services – Industry Specific (ppt)
    • Sample LOB Services – Functional Group (ppt)

    Complete your services definition chart

    Complete this chart to allow the business to pick what services to include in the service catalog. It also allows you to extend the catalog with technical services by including IT-facing services. Of course, separated-out only for IT.

    • Design & Build a User-Facing Service Catalog – Phase 4: Complete Service Definitions (ppt)
    • Services Definition Chart (xls)

    Master the Public Cloud IaaS Acquisition Models

    • Buy Link or Shortcode: {j2store}228|cart{/j2store}
    • member rating overall impact: 10.0/10 Overall Impact
    • member rating average dollars saved: $3,820 Average $ Saved
    • member rating average days saved: 2 Average Days Saved
    • Parent Category Name: Vendor Management
    • Parent Category Link: /vendor-management

    Understanding the differences in IaaS platform agreements, purchasing options, associated value, and risks. What are your options for:

    • Upfront or monthly payments
    • Commitment discounts
    • Support options
    • Migration planning and support

    Our Advice

    Critical Insight

    IaaS platforms offer similar technical features, but they vary widely on their procurement model. By fully understanding the procurement differences and options, you will be able to purchase wisely, save money both long and short term, and mitigate investment risk.

    Most vendors have similar processes and options to buy. Finding a transparent explanation and summary of each platform in a side-by-side review is difficult.

    • Are vendor reps being straight forward?
    • What are the licensing requirements?
    • What discounts or incentives can I negotiate?
    • How much do I have to commit to and for how long?

    Impact and Result

    This project will provide several benefits for both IT and the business. It includes:

    • Best IaaS platform to support current and future procurement requirements.
    • Right-sized cloud commitment tailored to the organization’s budget.
    • Predictable and controllable spend model.
    • Flexible and reliable IT infrastructure that supports the lines of business.
    • Reduced financial and legal risk.

    Master the Public Cloud IaaS Acquisition Models Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to learn how the public cloud IaaS procurement models compare. Review Info-Tech’s methodology and understand the top three platforms, features, and benefits to support and inform the IaaS vendor choice.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Educate

    Learn the IaaS basics, terminologies, purchasing options, licensing requirements, hybrid options, support, and organization requirements through a checklist process.

    • Master the Public Cloud IaaS Acquisition Models – Phase 1: Educate
    • Public Cloud Procurement Checklist
    • Microsoft Public Cloud Licensing Guide

    2. Evaluate

    Review and understand the features, downsides, and differences between the big three players.

    • Master the Public Cloud IaaS Acquisition Models – Phase 2: Evaluate
    • Public Cloud Procurement Comparison Summary

    3. Execute

    Decide on a primary vendor that meets requirements, engage with a reseller, negotiate pricing incentives, migration costs, review, and execute the agreement.

    • Master the Public Cloud IaaS Acquisition Models – Phase 3: Execute
    • Public Cloud Acquisition Executive Summary Template

    Infographic

    Skills Development on the Mainframe Platform

    • Buy Link or Shortcode: {j2store}336|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Strategy and Organizational Design
    • Parent Category Link: /strategy-and-organizational-design

    Mainframes remain a critical part of an organization’s infrastructure and will need to support these platforms for the foreseeable future. Despite the importance, it can be a challenge for organizations to find qualified resources to support them. Meanwhile, companies are unsure of where to find help to train and develop their teams on mainframe technologies and are at risk of a skills gap within their teams.

    Our Advice

    Critical Insight

    • Mainframes continue to have wide usage, particularly in enterprise organizations. The complexity of moving or replatforming many of these applications means these platforms will be around for a long time still.
    • Companies need to be proactive about developing their teams to support their mainframe systems.

    Impact and Result

    • Companies can protect their assets by cultivating a pipeline of qualified resources to support their mainframe infrastructure.
    • There is a robust training ecosystem headed by large, reputable organizations to help develop and support companies' resources. You don’t have to do it alone.

    Skills Development on the Mainframe Platform Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Skills Development on the Mainframe Platform Storyboard – An overview of the solutions available to support your mainframe training and skills development needs.

    Your mainframes are not going to disappear overnight. These systems often support the most critical operations in your organization. You need to ensure you have the right qualified resources to support your platforms.

    • Skills Development on the Mainframe Platform Storyboard
    [infographic]

    Position IT to Support and Be a Leader in Open Data Initiatives

    • Buy Link or Shortcode: {j2store}326|cart{/j2store}
    • member rating overall impact: 10.0/10 Overall Impact
    • member rating average dollars saved: After each Info-Tech experience, we ask our members to quantify the real-time savings, monetary impact, and project improvements our research helped them achieve.
    • member rating average days saved: Read what our members are saying
    • Parent Category Name: Innovation
    • Parent Category Link: /innovation
    • Open data programs are often seen as unimportant or not worth taking up space in the budget in local government.
    • Open data programs are typically owned by a single open data evangelist who works on it as a side-of-desk project.
    • Having a single resource spend a portion of their time on open data doesn’t allow the open data program to mature to the point that local governments are realizing benefits from it.
    • It is difficult to gain buy-in for open data as it is hard to track the benefits of an open data program.

    Our Advice

    Critical Insight

    • Local government can help push the world towards being more open, unlocking economic benefits for the wider economy.
    • Cities don’t know the solutions to all of their problems often they don’t know all of the problems they have. Release data as a platform to crowdsource solutions and engage your community.
    • Build your open data policies in collaboration with the community. It’s their data, let them shape the way it’s used!

    Impact and Result

    • Level-set expectations for your open data program. Every local government is different in terms of the benefits they can achieve with open data; ensure the business understands what is realistic to achieve.
    • Create a team of open data champions from departments outside of IT. Identify potential champions for the team and use this group to help gain greater business buy-in and gather feedback on the program’s direction.
    • Follow the open data maturity model in order to assess your current state, identify a target state, and assess capability gaps that need to be improved upon.
    • Use industry best practices to develop an open data policy and processes to help improve maturity of the open data program and reach your desired target state.
    • Identify metrics that you can use to track, and communicate the success of, the open data program.

    Position IT to Support and Be a Leader in Open Data Initiatives Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should develop your open data program, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Set the foundation for the success of your open data program

    Identify your open data program's current state maturity, and gain buy-in from the business for the program.

    • Position IT to Support and Be a Leader in Open Data Initiatives – Phase 1: Set the Foundation for the Success of Your Open Data Program
    • Open Data Maturity Assessment
    • Open Data Program – IT Stakeholder Powermap Template
    • Open Data in Our City Stakeholder Presentation Template

    2. Grow the maturity of your open data program

    Identify a target state maturity and reach it through building a policy and processes and the use of metrics.

    • Position IT to Support and Be a Leader in Open Data Initiatives – Phase 2: Grow the Maturity of Your Open Data Program
    • Open Data Policy Template
    • Open Data Process Template
    • Open Data Process Descriptions Template
    • Open Data Process Visio Templates (Visio)
    • Open Data Process Visio Templates (PDF)
    • Open Data Metrics Template
    [infographic]

    Workshop: Position IT to Support and Be a Leader in Open Data Initiatives

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Define Business Drivers for Open Data Program

    The Purpose

    Ensure that the open data program is being driven out from the business in order to gain business support.

    Key Benefits Achieved

    Identify drivers for the open data program that are coming directly from the business.

    Activities

    1.1 Understand constraints for the open data program.

    1.2 Conduct interviews with the business to gain input on business drivers and level-set expectations.

    1.3 Develop list of business drivers for open data.

    Outputs

    Defined list of business drivers for the open data program

    2 Assess Current State and Define Target State of the Open Data Program

    The Purpose

    Understand the gaps between where your program currently is and where you want it to be.

    Key Benefits Achieved

    Identify top processes for improvement in order to bring the open data program to the desired target state maturity.

    Activities

    2.1 Perform current state maturity assessment.

    2.2 Define desired target state with business input.

    2.3 Highlight gaps between current and target state.

    Outputs

    Defined current state maturity

    Identified target state maturity

    List of top processes to improve in order to reach target state maturity

    3 Develop an Open Data Policy

    The Purpose

    Develop a draft open data policy that will give you a starting point when building your policy with the community.

    Key Benefits Achieved

    A draft open data policy will be developed that is based on best-practice standards.

    Activities

    3.1 Define the purpose of the open data policy.

    3.2 Establish principles for the open data program.

    3.3 Develop a rough governance outline.

    3.4 Create a draft open data policy document based on industry best-practice examples.

    Outputs

    Initial draft of open data policy

    4 Develop Open Processes and Identify Metrics

    The Purpose

    Build open data processes and identify metrics for the program in order to track benefits realization.

    Key Benefits Achieved

    Formalize processes to set in place to improve the maturity of the open data program.

    Identify metrics that can track the success of the open data program.

    Activities

    4.1 Develop the roles that will make up the open data program.

    4.2 Create processes for new dataset requests, updates of existing datasets, and the retiring of datasets.

    4.3 Identify metrics that will be used for measuring the success of the open data program.

    Outputs

    Initial draft of open data processes

    Established metrics for the open data program

    Performance Measurement

    • Buy Link or Shortcode: {j2store}24|cart{/j2store}
    • Related Products: {j2store}24|crosssells{/j2store}
    • member rating overall impact: 9.0/10
    • member rating average dollars saved: $19,436
    • member rating average days saved: 23
    • Parent Category Name: Strategy and Governance
    • Parent Category Link: /strategy-and-governance
    Reinforce service orientation in your IT organization through IT metrics that make value-driven behavior happen..

    Manage Requirements in an Agile Environment

    • Buy Link or Shortcode: {j2store}522|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Requirements & Design
    • Parent Category Link: /requirements-and-design

    The process of navigating from waterfall to Agile can be incredibly challenging. Even more problematic; how do you operate your requirements management practices once there? There traditionally isn’t a role for a business analyst, the traditional keeper of requirements. It isn’t like switching on a light.

    You likely find yourself struggling to deliver high quality solutions and requirements in Agile. This is a challenge for many organizations, regardless of how long they’ve leveraged Agile.

    But you aren’t here for assurances. You’re here for answers and help.

    Our Advice

    Critical Insight

    Agile and requirements management are complementary, not competitors.

    Impact and Result

    Info-Tech’s advice? Why choose? Why have to pick between traditional waterfall and Agile delivery? If Agile without analysis is a recipe for disaster, Agile with analysis is the solution. How can you leverage the Info-Tech approach to align your Agile and requirements management efforts into a powerful combination?

    Manage Requirements in an Agile Environment is your guide.

    Use the contents and exercises of this blueprint to gain a shared understanding of the two disciplines, to find your balance in your approach, to define your thresholds, and ultimately, to prepare for new ways of working.

    Manage Requirements in an Agile Environment Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Manage Requirements in an Agile Environment Blueprint – Agile and Requirements Management are complementary, not competitors

    Provides support and guidance for organizations struggling with their requirements management practices in Agile environments.

    • Manage Requirements in an Agile Environment Storyboard

    2. Agile Requirements Playbook – A practical playbook for aligning your teams, and articulating the guidelines for managing your requirements in Agile.

    The Agile Requirements Playbook becomes THE artifact for your Agile requirements practices. Great for onboarding, reviewing progress, and ensuring a shared understanding of your ways of working.

    • Agile Requirements Playbook

    3. Documentation Calculator – A tool for determining the right level of documentation for your organization, and whether you’re spending too much, or even not enough, on Agile Requirements documentation.

    The Documentation Calculator can inform your documentation decison making, ensuring you're investing just the right amount of time, money, and effort.

    • Documentation Calculator

    4. Agile Requirements Workbook – Supporting tools and templates in advancing your Agile Requirements practice, to be used in conjunction with the Agile Requirements Blueprint, and the Playbook.

    This workbook is designed to capture the results of your exercises in the Manage Requirements in an Agile Environment Storyboard. Each worksheet corresponds to an exercise in the storyboard. This is a tool for you, so customize the content and layout to best suit your product. The workbook is also a living artifact that should be updated periodically as the needs of your team and organization change.

    • Agile Requirements Workbook

    5. Agile Requirements Assessment – Establishes your current Agile requirements maturity, defines your target maturity, and supports planning to get there.

    The Agile Requirements Assessment is a great tool for determining your current capabilities and maturity in Agile and Business Analysis. You can also articulate your target state, which enables the identification of capability gaps, the creation of improvement goals, and a roadmap for maturing your Agile Requirements practice.

    • Agile Requirements Assessment

    Infographic

    Workshop: Manage Requirements in an Agile Environment

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Framing Agile and Business Analysis

    The Purpose

    Sets the context for the organization, to ensure a shared understanding of the benefits of both Agile and business analysis/requirements management.

    Key Benefits Achieved

    Have a shared definition of Agile and business analysis / requirements.

    Understand the current state of Agile and business analysis in your organization.

    Activities

    1.1 Define what Agile and business analysis mean in your organization.

    1.2 Agile requirements assessment.

    Outputs

    Alignment on Agile and business analysis / requirements in your organization.

    A current and target state assessment of Agile and business analysis in your organization.

    2 Tailoring Your Approach

    The Purpose

    Confirm you’re going the right way for effective solution delivery.

    Key Benefits Achieved

    Confirm the appropriate delivery methodology.

    Activities

    2.1 Confirm your selected methodology.

    Outputs

    Confidence in your selected project delivery methodology.

    3 Defining Your Requirements Thresholds

    The Purpose

    Provides the guardrails for your Agile requirements practice, to define a high-level process, roles and responsibilities, governance and decision-making, and how to deal with change.

    Key Benefits Achieved

    Clearly defined interactions between the BA and their partners

    Define a plan for management and governance at the project team level

    Activities

    3.1 Define your agile requirements process.

    3.2 Define your agile requirements RACI.

    3.3 Define your governance.

    3.4 Define your change and backlog refinement plan.

    Outputs

    Agile requirements process.

    Agile requirements RACI.

    A governance and documentation plan.

    A change and backlog refinement approach.

    4 Planning Your Next Steps

    The Purpose

    Provides the action plan to achieve your target state maturity

    Key Benefits Achieved

    Recognize and prepare for the new ways of working for communication, stakeholder engagement, within the team, and across the organization.

    Establish a roadmap for next steps to mature your Agile requirements practice.

    Activities

    4.1 Define your stakeholder communication plan.

    4.2 Identify your capability gaps.

    4.3 Plan your agile requirements roadmap.

    Outputs

    A stakeholder communication plan.

    A list of capability gaps to achieve your desired target state.

    A prioritized roadmap to achieve the target state.

    5 Agile Requirements Techniques (Optional)

    The Purpose

    To provide practical guidance on technique usage, which can enable an improved experience with technical elements of the blueprint.

    Key Benefits Achieved

    An opportunity to learn new tools to support your Agile requirements practice.

    Activities

    5.1 Managing requirements' traceability.

    5.2 Creating and managing user stories.

    5.3 Managing your requirements backlog.

    5.4 Maintaining a requirements library.

    Outputs

    Support and advice for leveraging a given tool or technique.

    Support and advice for leveraging a given tool or technique.

    Support and advice for leveraging a given tool or technique.

    Support and advice for leveraging a given tool or technique.

    Further reading

    Manage Requirements in an Agile Environment

    Agile and requirements management are complementary, not competitors

    Analyst's Perspective

    The temptation when moving to Agile is to deemphasize good requirements practices in favor of perceived speed. If you're not delivering on the needs of the business then you have failed, regardless of how fast you've gone.

    Delivery in Agile doesn't mean you stop needing solid business analysis. In fact, it's even more critical, to ensure your products and projects are adding value. With the rise of Agile, the role of the business analyst has been misunderstood.

    As a result, we often throw out the analysis with the bathwater, thinking we'll be just fine without analysis, documentation, and deliberate action, as the speed and dexterity of Agile is enough.

    Consequently, what we get is wasted time, money, and effort, with solutions that fail to deliver value, or need to be re-worked to get it right.

    The best organizations find balance between these two forces, to align, and gain the benefits of both Agile and business analysis, working in tandem to manage requirements that bring solutions that are "just right".

    This is a picture of Vincent Mirabelli

    Vincent Mirabelli
    Principal Research Director, Applications Delivery and Management
    Info-Tech Research Group

    EXECUTIVE BRIEF

    Executive Summary

    Your Challenge

    The process of navigating from waterfall to Agile can be incredibly challenging. And even more problematic; how do you operate your requirements management practices once there? Since there traditionally isn't a role for a business analyst; the traditional keeper of requirements. it isn't like switching on a light.

    You likely find yourself struggling to deliver high quality solutions and requirements in Agile. This is a challenge for many organizations, regardless of how long they've leveraged Agile.

    But you aren't here for assurances. You're here for answers and help.

    Common Obstacles

    many organizations and teams face is that there are so busy doing Agile that they fail to be Agile.

    Agile was supposed to be the saving grace of project delivery but is misguided in taking the short-term view of "going quickly" at the expense of important elements, such as team formation and interaction, stakeholder engagement and communication, the timing and sequencing of analysis work, decision-making, documentation, and dealing with change.

    The idea that good requirements just happen because you have user stories is wrong. So, requirements remain superficial, as you "can iterate later"…but sometimes later never comes, or doesn't come fast enough.

    Organizations need to be very deliberate when aligning their Agile and requirements management practices. The work is the same. How the work is done is what changes.

    Info-Tech's Approach

    Infotech's advice? Why choose? Why have to pick between traditional waterfall and Agile delivery? If Agile without analysis is a recipe for disaster, Agile with analysis is the solution. And how can you leverage the Info-Tech approach to align your Agile and requirements management efforts into a powerful combination?

    Manage Requirements in an Agile Environment is your guide.

    Use the contents and exercises of this blueprint to gain a shared understanding of the two disciplines, to find your balance in your approach, to define your thresholds, and ultimately, to prepare for new ways of working.

    Info-Tech Insight

    Agile and requirements management are complementary, not competitors.

    The temptation when moving to Agile is to deemphasize good requirements practices in favor of perceived speed. If you're not delivering on the needs of the business, then you have failed, regardless of how fast you've gone.

    Insight summary

    Overarching insight

    Agile and requirements management are complementary, not competitors.

    The temptation when moving to Agile is to deemphasize good requirements practices in favor of perceived speed. If you're not delivering on the needs of the business, then you have failed, regardless of how fast you've gone

    Phase 1 insight

    • The purpose of requirements in waterfall is for approval. The purpose in Agile is for knowledge management, as Agile has no memory.
    • When it comes to the Agile manifesto, "over" does not mean "instead of".
    • In Agile, the what of business analysis does doesn't change. What does change is the how and when that work happens.

    Phase 2 insight

    • Understand your uncertainties; it's a great way to decide what level of Agile (if any) is needed.
    • Finding your "Goldilocks" zone will take time. Be patient.

    Phase 3 insight

    • Right-size your governance, based on team dynamics and project complexity. A good referee knows when to step in, and when to let the game flow.
    • Agile creates a social contract amongst the team, and with their leaders and organization.
    • Documentation needs to be valuable. Do what is acceptable and necessary to move work to future steps. Not documenting also comes with a cost, but one you pay in the future. And that bill will come due, with interest (aka, technical debt, operational inefficiencies, etc.).
    • A lack of acceptable documentation makes it more difficult to have agility. You're constantly revalidating your current state (processes, practices and structure) and re-arguing decisions already made. This slows you down more than maintaining documentation ever would.

    Phase 4 insight

    • Making Agile predictable is hard, because people are not predictable; people are prone to chaos.

    There have been many challenges with waterfall delivery

    It turns out waterfall is not that great at reducing risk and ensuring value delivery after all

    • Lack of flexibility
    • Difficulty in measuring progress
    • Difficulties with scope creep
    • Limited stakeholder involvement
    • Long feedback loops

    48%
    Had project deadlines more than double

    85%
    Exceeded their original budget by at least 20%

    25%
    At least doubled their original budget

    This is an image of the waterfall project results

    Source: PPM Express.

    Agile was meant to address the shortcomings of waterfall

    The wait for solutions was too long for our business partners. The idea of investing significant time, money, and resources upfront, building an exhaustive and complete vision of the desired state, and then waiting months or even years to get that solution, became unpalatable for them. And rightfully so. Once we cast a light on the pains, it became difficult to stay with the status quo. Given that organizations evolve at a rapid pace, what was a pain at the beginning of an initiative may not be so even 6 months later.

    Agile became the answer.

    Since its' first appearance nearly 20 years ago, Agile has become the methodology of choice for a many of organizations. According to the 15th Annual State of Agile report, Agile adoption within software development teams increased from 37% in 2020 to 86% in 2021.

    Adopting Agile led to challenges with requirements

    Requirements analysis, design maturity, and management are critical for a successful Agile transformation.

    "One of the largest sources of failure we have seen on large projects is an immature Agile implementation in the context of poorly defined requirements."
    – "Large Scale IT Projects – From Nightmare to Value Creation"

    "Requirements maturity is more important to project outcomes than methodology."
    – "Business Analysis Benchmark: Full Report"

    "Mature Agile practices spend 28% of their time on analysis and design."
    – "Quantitative Analysis of Agile Methods Study (2017): Twelve Major Findings"

    "There exists a Requirements Premium… organizations using poor practices spent 62% more on similarly sized projects than organizations using the best requirements practices."
    – "The Business Case for Agile Business Analysis" - Requirements Engineering Magazine

    Strong stakeholder satisfaction with requirements results in higher satisfaction in other areas

    This is an image of a bar graph comparing the percentage of respondents with high stakeholder satisfaction, to the percentage of respondents with low stakeholder satisfaction for four different categories.  these include: Availability of IT Capacity to Complete Projects; Overall IT Projects; IT Projects Meet Business Needs; Overall IT Satisfaction

    N= 324 small organizations from Info-Tech Research Group's CIO Business Vision diagnostic.

    Note: High satisfaction was classified as organizations with a score greater or equal to eight and low satisfaction was every organization that scored below eight on the same questions.

    Info-Tech's Agile requirements framework

    This is an image of Info-Tech's Agile requirements framework.  The three main categories are: Sprint N(-1); Sprint N; Sprint N(+1)

    Agile requirements are a balancing act

    Collaboration

    Many subject matter experts are necessary to create accurate requirements, but their time is limited too.

    Communication

    Stakeholders should be kept informed throughout the requirements gathering process, but you need to get the right information to the right people.

    Documentation

    Recording, organizing, and presenting requirements are essential, but excessive documentation will slow time to delivery.

    Control

    Establishing control points in your requirements gathering process can help confirm, verify, and approve requirements accurately, but stage gates limit delivery.

    What changes for the business analyst?

    In Agile, the what of business analysis does not change.

    What does change is the how and when that work happens.

    Business analysts need to focus on six key elements when managing requirements in Agile.

    • Team formation and interaction
    • Stakeholder engagement and communication
    • The timing and sequencing of their work
    • Decision-making
    • Documentation
    • Dealing with change

    Where does the business analysis function fit on an Agile team?

    Team formation is key, as Agile is a team sport

    A business analyst in an Agile team typically interacts with several different roles, including:

    • The product owner,
    • The Sponsor or Executive
    • The development team,
    • Other stakeholders such as customers, end-users, and subject matter experts
    • The Design team,
    • Security,
    • Testing,
    • Deployment.

    This is an image the roles who typically interact with a Business Analyst.

    How we do our requirements work will change

    • Team formation and interaction
    • Stakeholder engagement and communication
    • The timing and sequencing of their work
    • Decision-making
    • Documentation
    • Dealing with change

    As a result, you'll need to focus on;

    • Emphasizing flexibility
    • Enabling continuous delivery
    • Enhancing collaboration and communication
    • Developing a user-centered approach

    Get stakeholders on board with Agile requirements

    1. Stakeholder feedback and management support are key components of a successful Agile Requirements.
    2. Stakeholders can see a project's progression and provide critical feedback about its success at critical milestones.
    3. Management helps teams succeed by trusting them to complete projects with business value at top of mind and by removing impediments that are inhibiting their productivity.
    4. Agile will bring a new mindset and significant numbers of people, process, and technology changes that stakeholders and management may not be accustomed to. Working through these issues in requirements management enables a smoother rollout.
    5. Management will play a key role in ensuring long-term Agile requirements success and ultimately rolling it out to the rest of the organization.
    6. The value of leadership involvement has not changed even though responsibilities will. The day-to-day involvement in projects will change but continual feedback will ultimately dictate the success or failure of a project.

    Measuring your success

    Tracking metrics and measuring your progress

    As you implement the actions from this Blueprint, you should see measurable improvements in;

    • Team and stakeholder satisfaction
    • Requirements quality
    • Documentation cost

    Without sacrificing time to delivery

    Metric Description and motivation
    Team satisfaction (%) Expect team satisfaction to increase as a result of clearer role delineation and value contribution.
    Stakeholder satisfaction (%) Expect Stakeholder satisfaction to similarly increase, as requirements quality increases, bringing increased value
    Requirements rework Measures the quality of requirements from your Agile Projects. Expect that the Requirements Rework will decrease, in terms of volume/frequency.
    Cost of documentation Quantifies the cost of documentation, including Elicitation, Analysis, Validation, Presentation, and Management
    Time to delivery Balancing Metric. We don't want improvements in other at the expense of time to delivery

    Info-Tech's methodology for Agile requirements

    1. Framing Agile and Business Analysis

    2. Tailoring Your Approach

    3. Defining Your Requirements Thresholds

    4. Planning Your Next Steps

    Phase Activities

    1.1 Understand the benefits and limitations of Agile and business analysis

    1.2 Align Agile and business analysis within your organization

    2.1 Decide the best-fit approach for delivery

    2.2 Manage your requirements backlog

    3.1 Define project roles and responsibilities

    3.2 Define your level of acceptable documentation

    3.3 Manage requirements as an asset

    3.4 Define your requirements change management plan

    4.1 Preparing new ways of working

    4.2 Develop a roadmap for next steps

    Phase Outcomes

    Recognize the benefits and detriments of both Agile and BA.

    Understand the current state of Agile and business analysis in your organization.

    Confirm the appropriate delivery methodology.

    Manage your requirements backlog.

    Connect the business need to user story.

    Clearly defined interactions between the BA and their partners.

    Define a plan for management and governance at the project team level.

    Documentation and tactics that are right-sized for the need.

    Recognize and prepare for the new ways of working for communication, stakeholder engagement, within the team, and across the organization.

    Establish a roadmap for next steps to mature your Agile requirements practice.

    Blueprint tools and templates

    Key deliverable:

    This is a screenshot from the Agile Requirements Playbook

    Agile Requirements Playbook

    A practical playbook for aligning your teams and articulating the guidelines for managing your requirements in Agile

    Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:

    This is a screenshot from the Documentation Calculator

    Documentation Calculator

    A tool to help you answer the question: What is the right level of Agile requirements documentation for my organization?

    This is a screenshot from the Agile Requirements Assessment

    Agile Requirements Assessment

    Establishes your current maturity level, defines your target state, and supports planning to get there.

    This is a screenshot from the Agile Requirements Workbook

    Agile Requirements Workbook

    Supporting tools and templates in advancing your Agile requirements practice, to be used with the Agile Requirements Blueprint and Playbook.

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    "Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful."

    Guided Implementation

    "Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track."

    Workshop

    "We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place."

    Consulting

    "Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project."

    Diagnostics and consistent frameworks used throughout all four options

    Workshop Overview

    Contact your account representative for more information.
    workshops@infotech.com 1-888-670-8889

    Day 1 Day 2 Day 3 Day 4 Day 5
    1. Framing Agile and Business Analysis / 2. Tailoring Your Approach 3. Defining Your Requirements
    Thresholds
    3. Defining Your Requirements Thresholds / 4. Planning Your Next Steps (OPTIONAL) Agile Requirements Techniques (a la carte) Next Steps and Wrap-Up (Offsite)

    Activities

    What does Agile mean in your organization? What do requirements mean in your organization?

    Agile Requirements Assessment

    Confirm your selected methodology

    Define your Agile requirements process

    Define your Agile requirements RACI (Optional)

    Define your Agile requirements governance

    Defining your change management plan

    Define your

    communication plan

    Capability gap list

    Planning your Agile requirements roadmap

    Managing requirements traceability

    Creating and managing user stories

    Managing your requirements backlog

    Maintaining a requirements library

    Develop Agile Requirements Playbook

    Complete in-progress deliverables from previous four days.

    Set up review time for workshop deliverables and next steps

    Outcomes

    Shared definition of Agile and business analysis / requirements

    Understand the current state of Agile and business analysis in your organization

    Agile requirements process

    Agile requirements RACI (Optional)

    Defined Agile requirements governance and documentation plan

    Change and backlog refinement plan

    Stakeholder communication plan

    Action plan and roadmap for maturing your Agile requirements practice

    Practical knowledge and practice about various tactics and techniques in support of your Agile requirements efforts

    Completed Agile Requirements Playbook

    Guided Implementation

    Phase 1 Phase 2 Phase 3 Phase 4

    Call #1: Scope objectives, and your specific challenges.

    Call #4: Define your approach to project delivery.

    Call #6: Define your Agile requirements process.

    Call #9: Identify gaps from current to target state maturity.

    Call #2: Assess current maturity.

    Call #5: Managing your requirements backlog.

    Call #7: Define roles and responsibilities.

    Call #10: Pprioritize next steps to mature your Agile requirements practice.

    Call #3: Identify target-state capabilities.

    Call #8: Define your change and backlog refinement approach.

    A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

    A typical GI is 10 calls over the course of 4 to 6 months.

    Framing Agile and Business Analysis

    Phase 1

    Framing Agile and Business Analysis

    Phase 1Phase 2Phase 3Phase 4

    1.1 Understand the benefits and limitations of Agile and business analysis

    1.2 Align Agile and business analysis within your organization

    2.1 Confirm the best-fit approach for delivery

    2.2 manage your requirements backlog

    3.1 Define project roles and responsibilities

    3.2 define your level of acceptable documentation

    3.3 Manage requirements as an asset

    3.4 Define your requirements change management plan

    4.1 Preparing new ways of working

    4.2 Develop a roadmap for next steps

    This phase will walk you through the following activities:

    • EXERCISE: What do Agile and requirements mean in your organization?
    • ASSESSMENT: Agile requirements assessment
    • KEY DELIVERABLE: Agile Requirements Playbook

    This phase involves the following participants:

    • Business analyst and project team
    • Stakeholders
    • Sponsor/Executive

    Managing Requirements in an Agile Environment

    Step 1.1

    Understand the benefits and limitations of Agile and business analysis

    Activities

    1.1.1 Define what Agile and business analysis mean in your organization

    This step involves the following participants:

    • Business analyst and project team
    • Sponsor/Executive

    Outcomes of this step

    • Recognize the benefits and detriments of both Agile and business analysis

    Framing Agile and Business Analysis

    There have been many challenges with waterfall delivery

    It turns out waterfall is not that great at reducing risk and ensuring value delivery after all

    • Lack of flexibility
    • Difficulty in measuring progress
    • Difficulties with scope creep
    • Limited stakeholder involvement
    • Long feedback loops

    48%
    Had project deadlines more than double

    85%
    Exceeded their original budget by at least 20%

    25%
    At least doubled their original budget

    This is an image of the Waterfall Project Results

    Source: PPM Express.

    Business analysis had a clear home in waterfall

    Business analysts had historically been aligned to specific lines of business, in support of their partners in their respective domains. Somewhere along the way, the function was moved to IT. Conceptually this made sense, in that it allowed BAs to provide technical solutions to complex business problems. This had the unintended result of lost domain knowledge, and connection to the business.

    It all starts with the business. IT enables business goals. The closer you can get to the business, the better.

    Business analysts were the main drivers of helping to define the business requirements, or needs, and then decompose those into solution requirements, to develop the best option to solve those problems, or address those needs. And the case for good analysis was clear. The later a poor requirement was caught, the more expensive it was to fix. And if requirements were poor, there was no way to know until much later in the project lifecycle, when the cost to correct them was exponentially higher, to the tune of 10-100x the initial cost.

    This is an image of a graph showing the cost multiplier for Formulating Requirements, Architecture Design, Development, Testing and, Operations

    Adapted from PPM Express. "Why Projects Fail: Business Analysis is the Key".

    Agile was meant to address the shortcomings of waterfall

    The wait for solutions was too long for our business partners. The idea of investing significant time, money, and resources upfront, building an exhaustive and complete vision of the desired state, and then waiting months or even years to get that solution became unpalatable for them. And rightfully so. Once we cast a light on the pains, it became difficult to stand pat in the current state. And besides, organizations evolve at a rapid pace. What was a pain at the beginning of an initiative may not be so even six months later.

    Agile became the answer.

    Since its first appearance nearly 20 years ago, Agile has become the methodology of choice for a huge swathe of organizations. According to the 15th Annual State of Agile report, Agile adoption within software development teams increased from 37% in 2020 to 86% in 2021.

    To say that's significant is an understatement.

    The four core values of Agile helped shift focus

    According to the Agile manifesto, "We value. . ."

    This is an image of what is valued according to the Agile Manifesto.

    "…while there is value in the items on the right, we value the items on the left more."

    Source: Agilemanifesto, 2001

    Agile has made significant inroads in IT and beyond

    94% of respondents report using Agile practices in their organization

    according to Digital.AI's "The 15th State of Agile Report"

    That same report notes a steady expansion of Agile outside of IT, as other areas of the organization seek to benefit from increased agility and responsiveness, including Human Resources, Finance and Marketing.

    While it addressed some problems…

    This is an image of the Waterfall Project Results, compared to Agile Product Results.

    "Agile projects are 37% faster to market than [the] industry average"

    (Requirements Engineering Magazine, 2017)

    • Business requirements documents are massive and unreadable
    • Waterfall erects barriers and bottlenecks between the business and the development team
    • It's hard to define the solution at the outset of a project
    • There's a long turnaround between requirements work and solution delivery
    • Locking in requirements dictates an often-inflexible solution. And the costs to make changes tend to add up.

    …Implementing Agile led to other challenges

    This is an image of a series of thought bubbles, each containing a unique challenge resulting from implementing Agile.

    Adopting Agile led to challenges with requirements

    Requirements analysis, design maturity, and management are critical for a successful Agile transformation.

    "One of the largest sources of failure we have seen on large projects is an immature Agile implementation in the context of poorly defined requirements."
    – BCG, 2015

    "Requirements maturity is more important to project outcomes than methodology."
    – IAG Consulting, 2009.

    "Mature Agile practices spend 28% of their time on analysis and design."
    – InfoQ, 2017."

    "There exists a Requirements Premium… organizations using poor practices spent 62% more on similarly sized projects than organizations using the best requirements practices."
    – Requirements Engineering Magazine, 2017

    Strong stakeholder satisfaction with requirements results in higher satisfaction in other areas

    This is an image of a bar graph comparing the percentage of respondents with high stakeholder satisfaction, to the percentage of respondents with low stakeholder satisfaction for four different categories.  these include: Availability of IT Capacity to Complete Projects; Overall IT Projects; IT Projects Meet Business Needs; Overall IT Satisfaction

    N= 324 small organizations from Info-Tech Research Group's CIO Business Vision diagnostic.

    Note: High satisfaction was classified as organizations with a score greater or equal to eight and low satisfaction was every organization that scored below eight on the same questions.

    Agile is being misinterpreted as an opportunity to bypass planning and analysis activities

    Agile is a highly effective tool.

    This isn't about discarding Agile. It is being used for things completely outside of what was originally intended. When developing products or code, it is in its element. However, outside of that realm, its being used to bypass business analysis activities, which help define the true customer and business need.

    Business analysts were forced to adapt and shift focus. Overnight they morphed into product owners, or no longer had a place on the team. Requirements and analysis took a backseat.

    The result?

    Increased rework, decreased stakeholder satisfaction, and a lot of wasted money and effort.

    "Too often, the process of two-week sprints becomes the thing, and the team never gets the time and space to step back and obsess over what is truly needed to delight customers."
    Harvard Business Review, 9 April 2021.

    Info-Tech Insight

    Requirements in Agile are the same, but the purpose of requirements changes.

    • The purpose of requirements in waterfall is for stakeholder approval.
    • The purpose of requirements in Agile is knowledge management; to maintain a record of the current state.

    Many have misinterpreted the spirit of Agile and waterfall

    The stated principles of waterfall say nothing of how work is to be linear.

    This is an image of a comparison between using Agile and Being Prescriptive.This is an image of Royce's 5 principles for success.

    Source: Royce, Dr. Winston W., 1970.

    For more on Agile methodology, check out Info-Tech's Agile Research Centre

    How did the pendulum swing so far?

    Shorter cycles of work made requirements management more difficult. But the answer isn't to stop doing it.

    Organizations went from engaging business stakeholders up front, and then not until solution delivery, to forcing those partners to give up their resources to the project. From taking years to deliver a massive solution (which may or may not even still fit the need) to delivering in rapid cycles called sprints.

    This tug-of-war is costing organizations significant time, money, and effort.

    Your approach to requirements management needs to be centered. We can start to make that shift by better aligning our Agile and business analysis practices. Outside of the product space, Agile needs to be combined with other disciplines (Harvard Business Review, 2021) to be effective.

    Agility is important. Though it is not a replacement for approach or strategy (RCG Global Services, 2022). In Agile, team constraints are leveraged because of time. There is a failure to develop new capabilities to address the business needs Harvard Business Review, 2021).

    Agility needs analysis.

    Agile requirements are a balancing act

    Collaboration

    Many subject matter experts are necessary to create accurate requirements, but their time is limited too.

    Communication

    Stakeholders should be kept informed throughout the requirements gathering process, but you need to get the right information to the right people.

    Documentation

    Recording, organizing, and presenting requirements are essential, but excessive documentation will slow time to delivery.

    Control

    Establishing control points in your requirements gathering process can help confirm, verify, and approve requirements accurately, but stage gates limit delivery.

    Start by defining what the terms mean in your organization

    We do this because there isn't even agreement by the experts on what the terms "Agile" and "business analysis" mean, so let's establish a definition within the context of your organization.

    1.1.1 What do Agile and business analysis mean in your organization?

    Estimated time: 30 Minutes

    1. Explore the motivations behind the need for aligning Agile with business analysis. Are there any current challenges related to outputs, outcomes, quality? How can the team and organization align the two more effectively for the purposes of requirements management?
    2. Gather the appropriate stakeholders to discuss their definition of the terms "Agile" and "business analysis" It can be related to their experience, practice, or things they've read or heard.
    3. Brainstorm and document all shared thoughts and perspectives.
    4. Synthesize those thoughts and perspectives into a shared definition of each term, of a sentence or two.
    5. Revisit this definition as needed, and as your Agile requirements efforts evolve.

    Input

    • Challenges and experiences/perspectives related to Agile and business requirements

    Output

    • A shared definition of Agile and business analysis, to help guide alignment on Agile requirements management

    Materials

    • Agile Requirements Workbook

    Participants

    • Business Analyst(s)
    • Project Team
    • Sponsor/Executive
    • Relevant Stakeholders

    Build your Agile Requirements Playbook

    Keep the outcomes of this blueprint in a single document

    Share at the beginning of a new project, as part of team member onboarding, and revisit as your practice matures.

    This is a series of three screenshots from the Agile Requirements Playbook.

    Your Agile Requirements Playbook will include

    • Your shared definition of Agile and business analysis for your organization
    • The Agile Requirements Maturity Assessment
    • A Methodology Selection Matrix
    • Agile requirements RACI
    • A defined Agile requirements process
    • Documentation Calculator
    • Your Requirements Repository Information
    • Capability Gap List (from current to target state)
    • Target State Improvement Roadmap and Action Plan

    Step 1.2

    Align Agile and Business Analysis Within Your Organization

    Activities

    1.2.1 Assess your Agile requirements maturity

    This step involves the following participants:

    • Business Analyst and Project Team
    • Stakeholders
    • Sponsor/Executive

    Outcomes of this step

    • Complete the Agile Requirements Maturity Assessment to establish your current and target states

    Framing Agile and Business Analysis

    Consider the question: "Why Agile?"

    What is the driving force behind that decision?

    There are many reasons to leverage the power of Agile within your organization, and specifically as part of your requirements management efforts. And it shouldn't just be to improve productivity. That's only one aspect.
    Begin by asking, "Why Agile?" Are you looking to improve:

    • Time to market
    • Team engagement
    • Product quality
    • Customer satisfaction
    • Stakeholder engagement
    • Employee satisfaction
    • Consistency in delivery of value
    • Predictably of your releases

    Or a combination of the above?

    Info-Tech Insight

    Project delivery methodologies aren't either/or. You don't have to be 100% waterfall or 100% Agile. Select the right approach for your project, product, or service.

    In the end, your business partners don't want projects delivered faster, they want value faster!

    For more on understanding Agile, check out the Implement Agile Practices That Work Blueprint

    Responses to a 2019 KPMG survey:

    13% said that their top management fully supports Agile transformation.

    76% of organizations did not agree that their organization supports Agile culture.

    62% of top management believe Agile has no implications for them.

    What changes for the business analyst?

    Business analysts need to focus on six key elements when managing requirements in Agile.

    • Team formation and interaction
    • Stakeholder engagement and communication
    • The timing and sequencing of their work
    • Decision-making
    • Documentation
    • Dealing with change

    In Agile, the what of business analysis does not change.

    What does change is the how and when that work happens.

    1.2.1 Assess your Agile requirements maturity

    This is a series of screenshots from the Agile Requirements Maturity Assessment.

    1.2.1 Assess your Agile requirements maturity

    Estimated time: 30 Minutes

      1. Using the Agile Requirements Maturity Assessment, gather all appropriate stakeholders, and discuss and score the current state of your practice. Scoring can be done by:
        1. Consensus: Generally better with a smaller group, where the group agrees the score and documents the result
        2. Average: Have everyone score individually, and aggregate the results into an average, which is then entered.
        3. Weighted Average: As above, but weight the individual scores by individual or line of business to get a weighted average.
      2. When current state is complete, revisit to establish target state (or hold as a separate session) using the same scoring approach as in current state.
        1. Recognize that there is a cost to maturity, so don't default to the highest score by default.
        2. Resist the urge at this early stage to generate ideas to navigate from current to target state. We will re-visit this exercise in Phase 4, once we've defined other pieces of our process and practice.

    Input

    • Participant knowledge and experience

    Output

    • A current and target state assessment of your Agile requirements practice

    Materials

    • Agile Requirements Maturity Assessment

    Participants

    • Business Analyst(s)
    • Project Team
    • Sponsor/Executive
    • Relevant Stakeholders

    Tailoring Your Approach

    Phase 2

    Phase 1Phase 2Phase 3Phase 4

    1.1 Understand the benefits and limitations of Agile and business analysis

    1.2 Align Agile and business analysis within your organization

    2.1 Confirm the best-fit approach for delivery

    2.2 manage your requirements backlog

    3.1 Define project roles and responsibilities

    3.2 define your level of acceptable documentation

    3.3 Manage requirements as an asset

    3.4 Define your requirements change management plan

    4.1 Preparing new ways of working

    4.2 Develop a roadmap for next steps

    This phase will walk you through the following activities:

    • Selecting the appropriate delivery methodology
    • Managing your requirements backlog
    • Tracing from business need to user story

    This phase involves the following participants:

    • Business Analyst(s)
    • Project Team
    • Sponsor/Executive
    • Relevant Stakeholders

    Managing Requirements in an Agile Environment

    Step 2.1

    Confirm the Best-fit Approach for Delivery

    Activities

    2.1.1 Confirm your methodology

    This step involves the following participants:

    • Business Analyst(s)
    • Project Team
    • Sponsor/Executive
    • Relevant Stakeholders

    Outcomes of this step

    • A review of potential delivery methodologies to select the appropriate, best-fit approach to your projects

    Confirming you're using the best approach doesn't have be tricky

    Selecting the right approach (or confirming you're on the right track) is easier when you assess two key inputs to your project; your level of certainty about the solution, and the level of complexity among the different variables and inputs to your project, such as team experience and training, the number of impacted stakeholders or context. lines of business, and the organizational

    Solution certainty refers to the level of understanding of the problem and the solution at the start of the project. In projects with high solution certainty, the requirements and solutions are well defined, and the project scope is clear. In contrast, projects with low solution certainty have vague or changing requirements, and the solutions are not well understood.

    Project complexity refers to the level of complexity of the project, including the number of stakeholders, the number of deliverables, and the level of technical complexity. In projects with high complexity, there are many stakeholders with different priorities, many deliverables, and high technical complexity. In contrast, projects with low complexity have fewer stakeholders, fewer deliverables, and lower technical complexity.

    "Agile is a fantastic approach when you have no clue how you're going to solve a problem"

    • Ryan Folster, Consulting Services Manager, Business Analysis, Dimension Data

    Use Info-Tech's methodology selection matrix

    Waterfall methodology is best suited for projects with high solution certainty and high complexity. This is because the waterfall model follows a linear and sequential approach, where each phase of the project is completed before moving on to the next. This makes it ideal for projects where the requirements and solutions are well-defined, and the project scope is clear.

    On the other hand, Agile methodology is best suited for projects with low solution certainty. Agile follows an iterative and incremental approach, where the requirements and solutions are detailed and refined throughout the project. This makes it ideal for projects where the requirements and solutions are vague or changing.

    Note that there are other models that exist for determining which path to take, should this approach not fit within your organization.

    Use info-tech's-methodology-selection-matrix

    This is an image of Info-Tech’s methodology selection matrix

    Adapted from The Chaos Report, 2015 (The Standish Group)

    Download the Agile Requirements Workbook

    2.1.1 Confirm your methodology

    Estimated time: 30 Minutes

    1. Using the Agile Requirements Workbook, find the tab labelled "Methodology Assessment" and answer the questions to establish your complexity and certainty scores, where;

    1 = Strongly disagree
    2 = Disagree
    3 = Neutral
    4 = Agree
    5 = Strongly agree.

    1. In the same workbook, plot the results in the grid on the tab labelled "Methodology Matrix".
    2. Projects falling into Green are good fits for Agile. Yellow are viable. And Red may not be a great fit for Agile.
    3. Note: Ultimately, the choice of methodology is yours. Recognize there may be additional challenges when a project is too complex, or uncertainty is high.

    Input

    • Current project complexity and solution certainty

    Output

    • A clear choice of delivery methodology

    Materials

    • Agile Requirements Workbook

    Participants

    • Business Analyst(s)
    • Project Team
    • Sponsor/Executive
    • Relevant Stakeholders

    Step 2.2

    Manage Your Requirements Backlog

    Activities

    2.2.1 Create your user stories

    This step involves the following participants:

    • Business Analyst(s)
    • Project Team
    • Sponsor/Executive
    • Relevant Stakeholders

    Outcomes of this step

    • Understand how to convert requirements into user stories, which populate the Requirements Backlog.

    Tailoring Your Approach

    There is a hierarchy to requirements

    This is a pyramid, with the base being: Solution Requirements; The middle being: Stakeholder Requirements; and the Apex being: Business Requirements.
    • Higher-level statements of the goals, objectives, or needs of the enterprise.
    • Business requirements focus on the needs of the organization, and not the stakeholders within it.

    Defines

    Intended benefits and outcomes

    • Statements of the needs of a particular stakeholder or class of stakeholders, and how that stakeholder will interact with a solution.

    Why it is needed, and by who

    • Describes the characteristics of a solution that meets business requirements and stakeholder requirements. Functional describes the behavior and information that the solution will manage. They describe capabilities the system will be able to perform in terms of behaviors or operations. Non-functional represents constraints on the ultimate solution and tends to be less negotiable.

    What is needed, and how its going to be achieved

    Connect the dots with a traceability matrix

    Business requirements describe what a company needs in order to achieve its goals and objectives. Solution requirements describe how those needs will be met. User stories are a way to express the functionality that a solution will provide from the perspective of an end user.

    A traceability matrix helps clearly connect and maintain your requirements.

    To connect business requirements to solution requirements, you can start by identifying the specific needs that the business has and then determining how those needs can be met through technology or other solutions; or what the solution needs to do to meet the business need. So, if the business requirement is to increase online sales, a solution requirement might include implementing a shopping cart feature on your company website.

    Once you have identified the solution requirements, you can then use those to create user stories. A user story describes a specific piece of functionality that the solution will provide from the perspective of a user.

    For example, "As a customer, I want to be able to add items to my shopping cart so that I can purchase them." This user story is directly tied to the solution requirement of implementing a shopping cart feature.

    Tracing from User Story back up to Business Requirement is essential in ensuring your solutions support your organization's strategic vison and objectives.

    This is an image of a traceability matrix for Business Requirements.

    Download the Info-Tech Requirements Traceability Matrix

    Improve the quality of your solution requirements

    A solution requirement is a statement that clearly outlines the functional capability that the business needs from a system or application.

    There are several attributes to look for in requirements:

    Verifiable

    Unambiguous

    Complete

    Consistent

    Achievable

    Traceable

    Unitary

    Agnostic

    Stated in a way that can be easily tested

    Free of subjective terms and can only be interpreted in one way

    Contains all relevant information

    Does not conflict with other requirements

    Possible to accomplish with budgetary and technological constraints

    Trackable from inception through to testing

    Addresses only one thing and cannot be decomposed into multiple requirements

    Doesn't pre-suppose a specific vendor or product

    For more on developing high quality requirements, check out the Improve Requirements Gathering Blueprint

    Prioritize your requirements

    When everything is a priority, nothing is a priority.

    Prioritization is the process of ranking each requirement based on its importance to project success. Each requirement should be assigned a priority level. The delivery team will use these priority levels to ensure efforts are targeted toward the proper requirements as well as to plan features available on each release. Use the MoSCoW Model of Prioritization to effectively order your requirements.

    The MoSCoW Model of Prioritization

    This is an image of The MoSCoW Model of Prioritization

    The MoSCoW model was introduced by Dai Clegg of Oracle UK in 1994

    (Source: ProductPlan).

    Base your prioritization on the right set of criteria

    Criteria Description
    Regulatory and legal compliance These requirements will be considered mandatory.
    Policy compliance Unless an internal policy can be altered or an exception can be made, these requirements will be considered mandatory.
    Business value significance Give a higher priority to high-value requirements.
    Business risk Any requirement with the potential to jeopardize the entire project should be given a high priority and implemented early.
    Likelihood of success Especially in proof-of-concept projects, it is recommended that requirements have good odds.
    Implementation complexity Give a higher priority to low implementation difficulty requirements.
    Alignment with strategy Give a higher priority to requirements that enable the corporate strategy.
    Urgency Prioritize requirements based on time sensitivity.
    Dependencies A requirement on its own may be low priority, but if it supports a high-priority requirement, then its priority must match it.

    Info-Tech Insight

    It is easier to prioritize requirements if they have already been collapsed, resolved, and rewritten. There is no point in prioritizing every requirement that is elicited up front when some of them will eventually be eliminated.

    Manage solution requirements in a Product backlog

    What is a backlog?

    Agile teams are familiar with the use of a Sprint Backlog, but in Requirements Management, a Product Backlog is a more appropriate choice.

    A product backlog and a Sprint backlog are similar in that they are both lists of items that need to be completed in order to deliver a product or project, but there are some key differences between the two.

    A product backlog is a list of all the features, user stories, and requirements that are needed for a product or project. It is typically created and maintained by the business analyst or product owner and is used to prioritize and guide the development of the product.

    A Sprint backlog, on the other hand, is a list of items specifically for an upcoming sprint, which is an iteration of work in Scrum. The Sprint backlog is created by the development team and is used to plan and guide the work that will be done during the sprint. The items in the Sprint backlog are typically taken from the product backlog and are prioritized based on their importance and readiness.

    For more on building effective product backlogs, visit Deliver on Your Digital Product Vision

    A backlog stores and organizes requirements at various stages

    Your backlog must give you a holistic understanding of demand for change in the product.

    A well-formed backlog can be thought of as a DEEP backlog

    Detailed appropriately: Requirements are broken down and refined as necessary

    Emergent: The backlog grows and evolves over time as requirements are added and removed.

    Estimated: The effort to deliver a requirement is estimated at each tier.

    Prioritized: A requirement's value and priority are determined at each tier.

    This is an image of an inverted funnel, with the top being labeled: Ideas; The middle being labeled: Qualified; and the bottom being labeled: Ready.

    Adapted from Essential Scrum

    Ensure requests and requirements are ready for development

    Clearly define what it means for a requirement, change, or maintenance request to be ready for development.

    This will help ensure the value and scope of each functionality and change are clear and well understood by both developers and stakeholders before the start of the sprint. The definition of ready should be two-fold: ready for the backlog, and ready for coding.

    1. Create a checklist that indicates when a requirement or request is ready for the development backlog. Consider the following questions:
      1. Is the requirement or request in the correct format?
      2. Does the desired functionality or change have significant business value?
      3. Can the requirement or request be reasonably completed within defined release timelines under the current context?
      4. Does the development team agree with the budget and points estimates?
      5. Is there an understanding of what the requirement or request means from the stakeholder or user perspective?
    2. Create a checklist that indicates when a requirement or request is ready for development. Consider the following questions:
      1. Have the requirements and requests been prioritized in the backlog?
      2. Has the team sufficiently collaborated on how the desired functionality or change can be completed?
      3. Do the tasks in each requirement or request contain sufficient detail and direction to begin development?
      4. Can the requirement or request be broken down into smaller pieces?

    Converting solution requirements into user stories

    Define the user

    Who will be interacting with the product or feature being developed? This will help to focus the user story on the user's needs and goals.

    Create the story

    Create the user story using the following template: "As a [user], I want [feature] so that [benefit]."
    This helps articulate the user's need and the value that the requirement will provide.

    Decompose

    User stories are typically too large to be implemented in a single sprint, so they should be broken down into smaller, more manageable tasks.

    Prioritize

    User stories are typically too large to be implemented in a single sprint, so they should be broken down into smaller, more manageable tasks.

    2.2.1 Create your user stories

    Estimated time: 60 Minutes

    1. Gather the project team and relevant stakeholders. Have access to your current list of solution requirements.
    2. Leverage the approach on previous slide "Converting Solution Requirements into User Stories" to generate a collection of user stories.

    NOTE: There is not a 1:1 relationship between requirements and user stories.
    It is possible that a single requirement will have multiple user stories, and similarly, that a single user story will apply to multiple solution requirements.

    Input

    • Requirements
    • Use Case Template

    Output

    • A collection of user stories

    Materials

    • Current Requirements

    Participants

    • Business Analyst(s)
    • Project Team
    • Relevant Stakeholders

    Use the INVEST model to create good user stories

    At this point your requirements should be high-level stories. The goal is to refine your backlog items, so they are . . .

    A vertical image of the Acronym: INVEST, taken from the first letter of each bolded word in the column to the right of the image.

    Independent: Ideally your user stories can be built in any order (i.e. independent from each other). This allows you to prioritize based on value and not get caught up in sequencing and prerequisites.
    Negotiable: As per the Agile principle, collaboration over contracts. Your user stories are meant to facilitate collaboration between the developer and the business. Therefore, they should be built to allow negotiation between all parties.
    Valuable: A user story needs to state the value so it can be effectively prioritized, but also so developers know what they are building.
    Estimable: As opposed to higher-level approximation given to epics, user stories need more accuracy in their estimates in order to, again, be effectively prioritized, but also so teams can know what can fit into a sprint or release plans.
    Small: User stories should be small enough for a number of them to fit into a sprint. However, team size and velocity will impact how many can be completed. A general guideline is that your teams should be able to deliver multiple stories in a sprint.
    Testable: Your stories need to be testable, which means they must have defined acceptance criteria and any related test cases as defined in your product quality standards.
    Source: Agile For All

    Defining Your Requirements Thresholds

    Phase 3

    Defining Your Requirements Thresholds

    Phase 1Phase 2Phase 3Phase 4

    1.1 Understand the benefits and limitations of Agile and business analysis

    1.2 Align Agile and business analysis within your organization

    2.1 Confirm the best-fit approach for delivery

    2.2 manage your requirements backlog

    3.1 Define project roles and responsibilities

    3.2 define your level of acceptable documentation

    3.3 Manage requirements as an asset

    3.4 Define your requirements change management plan

    4.1 Preparing new ways of working

    4.2 Develop a roadmap for next steps

    This phase will walk you through the following activities:

    • Assigning roles and responsibilities optional (Tool: RACI)
    • Define your Agile requirements process
    • Calculate the cost of your documentation (Tool: Documentation Calculator)
    • Define your backlog refinement plan

    This phase involves the following participants:

    • Business Analyst(s)
    • Project Team
    • Sponsor/Executive
    • Relevant Stakeholders

    Managing Requirements in an Agile Environment

    Step 3.1

    Define Project Roles and Responsibilities

    Activities

    3.1.1 Define your Agile requirements RACI (optional)

    3.1.2 Define your Agile requirements process

    Defining Your Requirements Thresholds

    This step involves the following participants:

    • Business Analyst(s)
    • Project Team
    • Sponsor/Executive
    • Relevant Stakeholders

    Outcomes of this step

    • A defined register of roles and responsibilities, along with a defined process for how Agile requirements work is to be done.

    Defining Your Requirements Thresholds

    Where does the BA function fit on an Agile team?

    Team formation is key, as Agile is a team sport

    A business analyst in an Agile team typically interacts with several different roles, including the product owner, development team, and many other stakeholders throughout the organization.

    This is an image the roles who typically interact with a Business Analyst.

    • The product owner, to set the priorities and direction of the project, and to gather requirements and ensure they are being met. Often, but not always, the BA and product owner are the same individual.
    • The development team, to provide clear and concise requirements that they can use to build and test the product.
    • Other stakeholders, such as customers, end-users, and subject matter experts to gather their requirements, feedback and validate the solution.
      • Design, to ensure that the product meets user needs. They may provide feedback and ensure that the design is aligned with requirements.
      • Security, to ensure that the solution meets all necessary security requirements and to identify potential risks and appropriate use of controls.
      • Testing, to ensure that the solution is thoroughly tested before it is deployed. They may create test cases or user scenarios that validate that everything is working as intended.
      • Deployment, to ensure that the necessary preparations have been made, including testing, security, and user acceptance.

    Additionally, during the sprint retrospectives, the team will review their performance and find ways to improve for the next sprint. As a team member, the business analyst helps to identify areas where the team could improve how they are working with requirements and understand how the team can improve communication with stakeholders.

    3.1.1 (Optional) Define Your Agile Requirements RACI

    Estimated Time: 60 Minutes

    1. Identify the project deliverables: The first step is to understand the project deliverables and the tasks that are required to complete them. This will help you to identify the different roles and responsibilities that need to be assigned.
    2. Define the roles and responsibilities: Identify the different roles that will be involved in the project and their associated responsibilities. These roles may include project manager, product owner, development team, stakeholders, and any other relevant parties.
    3. Assign RACI roles: Assign a RACI role to each of the identified tasks. The RACI roles are:
      1. Responsible: the person or team who is responsible for completing the task
      2. Accountable: the person who is accountable for the task being completed on time and to the required standard
      3. Consulted: the people or teams who need to be consulted to ensure the task is completed successfully
      4. Informed: the people or teams who need to be informed of the task's progress and outcome
    4. Create the RACI chart: Use the information gathered in the previous steps to create a matrix or chart that shows the tasks, the roles, and the RACI roles assigned to each task.
    5. Review and refine: Review the RACI chart with the project team and stakeholders to ensure that it accurately reflects the roles and responsibilities of everyone involved. Make any necessary revisions and ensure that all parties understand their roles and responsibilities.
    6. Communicate and implement: Communicate the RACI chart to all relevant parties and ensure that it is used as a reference throughout the project. This will help to ensure that everyone understands their role and that tasks are completed on time and to the required standard.

    Input

    • A list of required tasks and activities
    • A list of stakeholders

    Output

    • A list of defined roles and responsibilities for your project

    Materials

    • Agile Requirements Workbook

    Participants

    • Business Analyst(s)
    • Project Team
    • Sponsor/Executive
    • Relevant Stakeholders

    A Case Study in Team Formation

    Industry: Anonymous Organization in the Energy sector
    Source: Interview

    Challenge

    Agile teams were struggling to deliver within a defined sprint, as there were consistent delays in requirements meeting the definition of ready for development. As such, sprints were often delayed, or key requirements were descoped and deferred to a future sprint.

    During a given two-week sprint cycle, the business analyst assigned to the team would be working along multiple horizons, completing elicitation, analysis, and validation, while concurrently supporting the sprint and dealing with stakeholder changes.

    Solution

    As a part of addressing this ongoing pain, a pilot program was run to add a second business analyst to the team.

    The intent was, as one is engaged preparing requirements through elicitation, analysis, and validation for a future sprint, the second is supporting the current sprint cycle, and gaining insights from stakeholders to refine the requirements backlog.

    Essentially, these two were leap-frogging each other in time. At all times, one BA was focused on the present, and one on the future.

    Result

    A happier team, more satisfied stakeholders, and consistent delivery of features and functions by the Agile teams. The pilot team outperformed all other Agile teams in the organization, and the "2 BA" approach was made the new standard.

    Understanding the Agile requirements process

    Shorter cycles make effective requirements management more necessary, not less

    Short development cycles can make requirements management more difficult because they often result in a higher rate of change to the requirements. In a shorter timeframe, there is less time to gather and verify requirements, leading to a higher likelihood of poor or incomplete requirements. Additionally, there may be more pressure to make decisions quickly, which can lead to less thorough analysis and validation of requirements. This can make it more challenging to ensure that the final solution meets the needs of the stakeholders.
    When planning your requirements cycles, it's important to consider;

    • Your sprint logistics (how long?)
    • Your release plan (at the end of every sprint, monthly, quarterly?)
    • How the backlog will be managed (as tickets, on a visual medium, such as a Kanban board?)
    • How will you manage communication?
    • How will you monitor progress?
    • How will future sprint planning happen?

    Info-Tech's Agile requirements framework

    Sprint N(-1)

    Sprint N

    Sprint N(+1)

    An image of Sprint N(-1) An image of Sprint N An image of Sprint N(+1)

    Changes from waterfall to Agile

    Gathering and documenting requirements: Requirements are discovered and refined throughout the project, rather than being gathered and documented up front. This can be difficult for business analysts who are used to working in a waterfall environment where all requirements are gathered and documented before development begins.
    Prioritization of requirements: Requirements are prioritized based on their value to the customer and the team's ability to deliver them. This can be difficult for business analysts who are used to prioritizing requirements based on the client's needs or their own understanding of what is important.

    Defining acceptance criteria: Acceptance criteria are defined for each user story to ensure that the team understands what needs to be delivered. Business analysts need to understand how to write effective acceptance criteria and how to use them to ensure that the team delivers what the customer needs.
    Supporting Testing and QA: The business analyst plays a role in ensuring that testing (and test cases) are completed and of proper quality, as defined in the requirements.

    Managing changing requirements: It is expected that requirements will change throughout the project. Business analysts need to be able to adapt quickly to changing requirements and ensure that the team is aware of the changes and how they will impact the project.
    Collaboration with stakeholders: Requirements are gathered from a variety of stakeholders, including customers, users, and team members. Business analysts need to be able to work effectively with all stakeholders to gather and refine requirements and ensure that the team is building the right product.

    3.1.2 Define your Agile requirements process

    Estimated time: 60 Minutes

    1. Gather all relevant stakeholders to discuss and define your process for requirements management.
    2. Have a team member facilitate the session to define the process. The sample in the Agile Requirements Workbook can be used optionally as a starting point. You can also use any existing processes and procedures as a baseline.
    3. Gain agreement on the process from all involved stakeholders.
    4. Revisit the process periodically to review its performance and make adjustments as needed.

    NOTE: The process is intended to be at a high enough level to leave space and flexibility for team members to adapt and adjust, but at a sufficient depth that everyone understands the process and workflows. In other words, the process will be both flexible and rigid, and the two are not mutually exclusive.

    Input

    • Project team and RACI
    • Existing Process (if available)

    Output

    • A process for Agile requirements that is flexible yet rigid

    Materials

    • Agile Requirements Workbook

    Participants

    • Business Analyst(s)
    • Project Team
    • Sponsor/Executive
    • Relevant Stakeholders

    Establish the right level of governance and decision-making

    Establishing the right level of governance and decision making is important in Agile requirements because there is a cost to decision making, as time plays an important factor. Even the failure to decide can have significant impacts.

    Good governance and decision-making practices can help to minimize risks, ensure that requirements are well understood and managed, and that project progress is tracked and reported effectively.

    In Agile environments, this often involves establishing clear roles and responsibilities, implementing effective communication and collaboration practices, and ensuring that decision-making processes are efficient and effective.

    Good requirements management practices can help to ensure that projects are aligned with organizational goals and strategy, that stakeholders' needs are understood and addressed, and that deliverables are of high quality and meet the needs of the business.

    By ensuring that governance and decision-making is effective, organizations can improve the chances of project success, and deliver value to the business. Risks and costs can be mitigated by staying small and nimble.

    Check out Make Your IT Governance Adaptable

    Develop an adaptive governance process

    A pyramid, with the number 4 at the apex, and the number 1 at the base.  In order from base-apex, the following titles are found to the right of the pyramid: Ad-Hoc governance; Controlled Governance; Agile Governance; Embedded/Automated governance.

    Maturing governance is a journey

    Organizations should look to progress in their governance stages. Ad-hoc and controlled governance tends to be slow, expensive, and a poor fit for modern practices.

    The goal as you progress through your stages is to delegate governance and empower teams to make optimal decisions in real-time, knowing that they are aligned with the understood best interests of the organization.

    Automate governance for optimal velocity, while mitigating risks and driving value.

    This puts your organization in the best position to be adaptive and able to react effectively to volatility and uncertainty.

    A graph charting Trust and empowerment on the x-axis, and Progress Integration on the Y axis.

    Five key principles for building an adaptive governance framework

    Delegate and empower

    Decision making must be delegated down within the organization, and all resources must be empowered and supported to make effective decisions.

    Define outcomes

    Outcomes and goals must be clearly articulated and understood across the organization to ensure decisions are in line and stay within reasonable boundaries.

    Make risk- informed decisions

    Integrated risk information must be available with sufficient data to support decision making and design approaches at all levels of the organization.

    Embed / automate

    Governance standards and activities need to be embedded in processes and practices. Optimal governance reduces its manual footprint while remaining viable. This also allows for more dynamic adaptation.

    Establish standards and behavior

    Standards and policies need to be defined as the foundation for embedding governance practices organizationally. These guardrails will create boundaries to reinforce delegated decision making.

    Sufficient decision-making power should be given to your Agile teams

    Push the decision-making process down to your pilot teams.

    • Bring your business stakeholders and subject matter experts together to identify the potential high-level risks.
    • Bring your business stakeholders and subject matter experts together to identify the potential high-level risks.
    • Discuss with the business the level of risk they are willing to accept.
    • Define the level of authority project teams have in making critical decisions.

    "Push the decision making down as far as possible, down to the point where sprint teams completely coordinate all the integration, development, and design. What I push up the management chain is risk taking. [Management] decides what level of risk they are willing to take and [they] demonstrate that by the amount of decision making you push down."
    – Senior Manager, Canadian P&C Insurance Company, Info-Tech Interview

    Step 3.2

    Define Your Level of Acceptable Documentation

    Activities

    3.2.1 Calculate the cost of documentation

    This step involves the following participants:

    • Business Analyst(s)
    • Project Team
    • Relevant Stakeholders

    Outcomes of this step

    • Quantified cost of documentation produced for your Agile project.

    Defining Your Requirements Thresholds

    Right-size Your Documentation

    Why do we need it, and what purpose does it serve?

    Before creating any documentation, consider why; why are you creating documentation, and what purpose is it expected to serve?
    Is it:

    • … to gain approval?
    • … to facilitate decision-making?
    • .. to allow the team to think through a challenge or compare solution options?

    Next, consider what level of documentation would be acceptable and 'enough' for your stakeholders. Recognize that 'enough' will depend on your stakeholder's personal definition and perspective.
    There may also be considerations for maintaining documentation for the purposes of compliance, and auditability in some contexts and industries.
    The point is not to eliminate all documentation, but rather, to question why we're producing it, so that we can create just enough to deliver value.

    "What does the next person need to do their work well, to gain or create a shared understanding?"
    - Filip Hendrickx, Innovating BA and Founder, altershape

    Documentation comes at a cost

    We need to quantify the cost of documentation, against the expected benefit

    All things take time, and that would imply that all things have an inherent cost. We often don't think in these terms, as it's just the work we do, and costs are only associated with activities requiring additional capital expenditure. Documentation of requirements can come at a cost in terms of time and resources. Creating and maintaining detailed documentation requires effort from project team members, which could be spent on other aspects of the project such as development or testing. Additionally, there may be costs associated with storing and distributing the documentation.

    When creating documentation, we are making a decision. There is an opportunity cost of investing time to create, and concurrently, not working on other activities. Documentation of requirements can come at a cost in terms of time and resources. Creating and maintaining detailed documentation requires effort from project team members, which could be spent on other aspects of the project such as development or testing. Additionally, there may be costs associated with storing and distributing the documentation.

    In order to make better informed decisions about the types, quantity and even quality of the documentation we are producing, we need to capture that data. To ensure we are receiving good value for our documentation, we should compare the expected costs to the expected benefits of a sprint or project.

    3.2.1 Calculate the cost of documentation

    Estimated time: as needed

    1. Use this tool to quantify the cost of creating and maintaining current state documentation for your Agile requirements team. It provides an indication, via the Documentation Cost Index, of when your project is documenting excessively, relative to the expected benefits of the sprint or project.
    2. In Step 1, enter the hourly rate for the person (or persons) completing the business analysis function for your Agile team. NB: This does not have to be a person with the title of business analyst. If there are multiple people fulfilling this role, enter the average rate (if their rates are same or similar) or a weighted average (if there is a significant range in the hourly rate)
    3. In Step 2, enter the expected benefit (in $) for the sprint or project.
    4. In Step 3, enter the total number of hours spent on each task/activity during the sprint or project. Use blank spaces as needed to add tasks and activities not listed.
    5. In Step 4, you'll find the Documentation Cost Index, which compares your total documentation cost to the expected benefits. The cell will show green when the value is < 0.8, yellow between 0.8 and 1, and red when >1.
    6. Use the information to plan future sprints and documentation needs, identify opportunities for improvement in your requirements practice, and find balance in "just enough" documentation.

    Input

    • Project team and RACI
    • Existing Process (if available)

    Output

    • A process for Agile requirements that is flexible yet rigid

    Materials

    • Agile Requirements Workbook

    Participants

    • Business Analyst(s)
    • Project Team
    • Sponsor/Executive
    • Relevant Stakeholders

    Lack of documentation also comes at a cost

    Lack of documentation can bring costs to Agile projects in a few different ways.

    • Onboarding new team members
    • Improving efficiency
    • Knowledge management
    • Auditing and compliance
    • Project visibility
    • Maintaining code

    Info-Tech Insight

    Re-using deliverables (documentation, process, product, etc.) is important in maintaining the velocity of work. If you find yourself constantly recreating your current state documentation at the start of a project, it's hard to deliver with agility.

    Step 3.3

    Manage Requirements as an Asset

    Activities

    3.3.1 Discuss your current perspectives on requirements as assets

    This step involves the following participants:

    • Business Analyst(s)
    • Project Team
    • Relevant Stakeholders

    Outcomes of this step

    • Awareness of the value in, and tactics for enabling effective management of requirements as assets

    Defining Your Requirements Thresholds

    What do we mean by "assets"?

    And when do requirements become assets?

    In order to delivery with agility, you need to maximize the re-usability of artifacts. These artifacts could take the form of current state documentation, user stories, test cases, and yes, even requirements for re-use.
    Think of it like a library for understanding where your organization is today. Understanding the people, processes, and technology, in one convenient location. These artifacts become assets when we choose to retain them, rather than discard them at the end of a project, when we think they'll no longer be needed.
    And just like finding a single book in a vast library, we need to ensure our assets can be found when we need them. And this means making them searchable.
    We can do this by establishing criteria for requirements and artifact reuse;

    • What business need and benefit is it aligned to?
    • What metadata needs to be attached, related to source, status, subject, author, permissions, type, etc.?
    • Where will it be stored for ease of retrieval?

    Info-Tech Insight

    When writing requirements for products or services, write them for the need first, and not simply for what is changing.

    The benefits of managing requirements as assets

    Retention of knowledge in a knowledge base that allows the team to retain current business requirements, process documentation, business rules, and any other relevant information.
    A clearly defined scope to reduce stakeholder, business, and compliance conflicts.
    Impact analysis of changes to the current organizational assets.

    Source: Requirement Engineering Magazine, 2017.

    A case study in creating an asset repository

    Industry: Anonymous Organization in the Government sector
    Source: Interview

    Challenge

    A large government organization faced a challenge with managing requirements, processes, and project artifacts with any consistency.

    Historically, their documentation was lacking, with multiple versions existing in email sent folders and manila folders no one could find. Confirming the current state at any given time meant the heavy lift of re-documenting and validating, so that effort was avoided for an excessive period.

    Then there was a request for audit and compliance, to review their existing documentation practices. With nothing concrete to show, drastic recommendations were made to ensure this practice would end.

    Solution

    A small but effective team was created to compile and (if not available) document all existing project and product documentation, including processes, requirements, artifacts, business cases, etc.

    A single repository was built and demonstrated to key stakeholders to ensure it would satisfy the needs of the audit and compliance group.

    Result

    A single source of truth for the organization, which was;

    • Accessible (view access to the entire organization).
    • Transparent (anyone could see and understand the process and requirements as intended).
    • A baseline for continuous improvement, as it was clear what the one defined "best way" was.
    • Current, where no one retained current documentation outside of this library.

    3.3.1 Discuss your current perspectives on requirements as assets

    Estimated time: 30 Minutes

    1. Gather all relevant stakeholder to share perspectives on the use of requirements as assets, historically in the organization.
    2. Have a team member facilitate the session. It is optional to document the findings.
    3. After looking at the historical use of requirements as assets, discuss the potential uses, benefits, and drawbacks of managing as assets in the target state.

    Input

    • Participant knowledge and experience

    Output

    • A shared perspective and history on requirements as assets

    Materials

    • A method for data capture (optional)

    Participants

    • Business Analyst(s)
    • Project Team
    • Sponsor/Executive
    • Relevant Stakeholders

    Apply changes to baseline documentation

    Baseline + Release Changes = New Baseline

    • Start from baseline documentation dramatically to reduce cost and risk
    • Treat all scope as changes to baseline requirements
    • Sum of changes in the release scope
    • Sum of changes and original baseline becomes the new baseline
    • May take additional time and effort to maintain accurate baseline

    What is the right tool?

    While an Excel spreadsheet is great to start off, its limitations will become apparent as your product delivery process becomes more complex. Look at these solutions to continue your journey in managing your Agile requirements:

    Step 3.4

    Define Your Requirements Change Management Plan

    Activities

    3.4.1 Triage your requirements

    This step involves the following participants:

    • Business Analyst(s)
    • Project Team
    • Relevant Stakeholders

    Outcomes of this step

    • An approach for determining the appropriate level of governance over changes to requirements.

    Expect and embrace change

    In Agile development, change is expected and embraced. Instead of trying to rigidly follow a plan that may become outdated, Agile teams focus on regularly reassessing their priorities and adapting their plans accordingly. This means that the requirements can change often, and it's important for the team to have a process in place for managing these changes.

    A common approach to managing change in Agile is to use a technique called "backlog refinement." Where previously we populated our backlog with requirements to get them ready for development and deployment, this involves regularly reviewing and updating the list of work to be done. The team will prioritize the items on the evolving backlog, and the prioritized items will be worked on during the next sprint. This allows the team to quickly respond to changes in requirements and stay focused on the most important work.

    Another key aspect of managing change in Agile is effective communication. The team should have regular meetings, such as daily stand-up meetings or weekly sprint planning meetings, to discuss any changes in requirements and ensure that everyone is on the same page.

    Best practices in change and backlog refinement

    Communicate

    Clearly communicate your change process, criteria, and any techniques, tools, and templates that are part of your approach.

    Understand impacts/risks

    Maintain consistent control and communication and ensure that an impact assessment is completed. This is key to managing risks.

    Leverage tools

    Leverage tools when you have them available. This could be a Requirements Management system, a defect/change log, or even by turning on "track changes" in your documents.

    Cross-reference

    For every change, define the source of the change, the reason for the change, key dates for decisions, and any supporting documentation.

    Communicate the reason, and stay on message throughout the change

    Leaders of successful change spend considerable time developing a powerful change message: a compelling narrative that articulates the desired end state and makes the change concrete and meaningful to staff. They create the change vision with staff to build ownership and commitment.

    • The change message should:
    • Explain why the change is needed.
    • Summarize the things that will stay the same.
    • Highlight the things that will be left behind.
    • Emphasize the things that are being changed.
    • Explain how the change will be implemented.
    • Address how the change will affect the various roles in the organization.
    • Discuss staff's role in making the change successful.

    The five elements of communicating the reason for the change:

    An image of a cycle, including the five elements for communicating the reason for change.  these include: What will the role be for each department and individual?; What is the change?; Why are we doing it?; How are we going to go about it?; How long will it take us?

    How to make the management of changes more effective

    Key decisions and considerations

    How will changes to requirements be codified?
    How will intake happen?

    • What is the submission process?
    • Who has approval to submit?
    • What information is needed to submit a request?

    How will potential changes be triaged and evaluated?

    • What criteria will be used to assess the impact and urgency of the potential change?
    • How will you treat material and non-material changes?

    What is the review and approval process?

    • How will acceptance or rejection status be communicated to the submitter?

    3.4.1 Triage Your requirements

    An image of an inverted triangle, with the top being labeled: No Material Impact, the middle being labeled: Material impact; and the bottom being labeled: Governance Impact.  To the right of the image, are text boxes elaborating on each heading.

    If there's no material impact, update and move on

    An image of an inverted triangle, with the top being labeled: No Material Impact, the middle being labeled: Material impact; and the bottom being labeled: Governance Impact. To the right of the image, is a cycle including the following terms: Validate change; Update requirements; Track change (log); Package and communicate

    Material changes require oversight and approval

    An image of an inverted triangle, with the top being labeled: No Material Impact, the middle being labeled: Material impact; and the bottom being labeled: Governance Impact. To the right of the image, is a cycle including the following terms: Define impact; Revise; Change control needed?; Implement change.

    Planning Your Next Steps

    Phase 4

    Planning Your Next Steps

    Phase 1Phase 2Phase 3Phase 4

    1.1 Understand the benefits and limitations of Agile and business analysis

    1.2 Align Agile and business analysis within your organization

    2.1 Confirm the best-fit approach for delivery

    2.2 manage your requirements backlog

    3.1 Define project roles and responsibilities

    3.2 define your level of acceptable documentation

    3.3 Manage requirements as an asset

    3.4 Define your requirements change management plan

    4.1 Preparing new ways of working

    4.2 Develop a roadmap for next steps

    This phase will walk you through the following activities:

    • Completing Your Agile Requirements Playbook
    • EXERCISE: Capability Gap List

    This phase involves the following participants:

    • Business Analyst(s)
    • Project Team
    • Sponsor/Executive
    • Relevant Stakeholders

    Managing Requirements in an Agile Environment

    Step 4.1

    Preparing New Ways of Working

    Activities

    4.1.1 Define your communication plan

    Planning Your Next Steps

    This step involves the following participants:

    • Business Analyst(s)
    • Project Team
    • Sponsor/Executive
    • Relevant Stakeholders

    Outcomes of this step

    • Recognize the changes required on the team and within the broader organization, to bring stakeholders on board.

    How we do requirements work will change

    • Team formation and interaction
    • Stakeholder engagement and communication
    • The timing and sequencing of their work
    • Decision-making
    • Documentation
    • Dealing with change

    As a result, you'll need to focus on;

    Emphasizing flexibility: In Agile organizations, there is a greater emphasis on flexibility and the ability to adapt to change. This means that requirements may evolve over time and may not be fully defined at the beginning of the project.
    Enabling continuous delivery: Agile organizations often use continuous delivery methods, which means that new features and functionality are delivered to users on a regular basis. This requires a more iterative approach to requirements management, as new requirements may be identified and prioritized during the delivery process.
    Enhancing collaboration and communication: Agile organizations place a greater emphasis on collaboration and communication between team members, stakeholders, and customers.
    Developing a user-centered approach: Agile organizations often take a user-centered approach to requirements gathering, which means that the needs and goals of the end-user are prioritized.

    Change within the team, and in the broader organization

    How to build an effective blend Agile and requirements management

    Within the team

    • Meetings should happen as needed
    • Handoffs should be clear and concise
    • Interactions should add value
    • Stand-ups should similarly add value, and shouldn't be for status updates

    Within the organization

    • PMO inclusion, to ensure alignment across the organization
    • Business/Operating areas, to recognize what they are committing to for time, resources, etc.
    • Finance, for how your project or product is funded
    • Governance and oversight, to ensure velocity is maintained

    "Whether in an Agile environment or not, collaboration and relationships are still required and important…how you collaborate, communicate, and how you build relationships are key."
    - Paula Bell, CEO, Paula A. Bell Consulting

    Get stakeholders on board with Agile requirements

    1. Stakeholder feedback and management support are key components of successful Agile requirements.
    2. Stakeholders can see a project's progression and provide critical feedback about its success at critical milestones.
    3. Management helps teams succeed by trusting them to complete projects with business value at top of mind and by removing impediments that are inhibiting their productivity.
    4. Agile will bring a new mindset and significant amounts of people, process, and technology changes that stakeholders and management may not be accustomed to. Working through these issues in requirements management enables a smoother rollout.
    5. Management will play a key role in ensuring long-term Agile requirements success and ultimately rolling it out to the rest of the organization.
    6. The value of leadership involvement has not changed even though responsibilities will. The day-to-day involvement in projects will change but continual feedback will ultimately dictate the success or failure of a project.

    4.1.1 Define your communication plan

    Estimated time: 60 Minutes

      1. Gather all relevant stakeholder to create a communication plan for project or product stakeholders.
      2. Have a team member facilitate the session.
      3. Identify
      4. ;
        1. Each stakeholder
        2. The nature of information they are interested in
        3. The channel or medium best to communicate with them
        4. The frequency of communication
      5. (Optional) Consider validating the results with the stakeholders, if not present.
      6. Document the results in the Agile Requirements Workbook and include in Agile Requirements Playbook.
      7. Revisit as needed, whether at the beginning of a new initiative, or over time, to ensure the content is still valid.

    Input

    • Participant knowledge and experience

    Output

    • A plan for communicating with stakeholders

    Materials

    • Agile Requirements Workbook

    Participants

    • Business Analyst(s)
    • Project Team

    Step 4.2

    Develop a Roadmap for Next Steps

    Activities

    4.2.1 Develop your Agile requirements action plan

    4.2.2 Prioritize with now, next, later

    This step involves the following participants:

    • Business Analyst(s)
    • Project Team
    • Sponsor/Executive
    • Relevant Stakeholders

    Outcomes of this step

    • A comprehensive and prioritized list of opportunities and improvements to be made to mature the Agile requirements practice.

    Planning Your Next Steps

    Identify opportunities to improve and close gaps

    Maturing at multiple levels

    With a mindset of continuous improvement, there is always some way we can get better.

    As you mature your Agile requirements practice, recognize that those gaps for improvement can come from multiple levels, from the organizational down to the individual.

    Each level will bring challenges and opportunities.

    The organization

    • Organizational culture
    • Organizational behavior
    • Political will
    • Unsupportive stakeholders

    The team

    • Current ways of working
    • Team standards, norms and values

    The individual

    • Practitioner skills
    • Practitioner experience
    • Level of training received

    Make sure your organization is ready to transition to Agile requirements management

    A cycle is depicted, with the following Terms: Learning; Automation; Integrated teams; Metrics and governance; Culture.

    Learning:

    Agile is a radical change in how people work
    and think. Structured, facilitated learning is required throughout the transformation to
    help leaders and practitioners go from

    doing Agile to being Agile.

    Automation:

    While Agile is tool-agnostic at its roots, Agile work management tools and DevOps inspired SDLC tools that have become a key part of Agile practices.

    Integrated Teams:


    While temporary project teams can get some benefits from Agile, standing, self-organizing teams that cross business, delivery, and operations are essential to gain the full benefits of Agile.

    Metrics and Governance:

    Successful Agile implementations
    require the disciplined use

    of delivery and operations
    metrics that support governance focused on developing better teams.

    Culture:

    Agile teams believe that value is best created by standing, self-organizing cross-functional teams who deliver sustainably in frequent,
    short increments supported by leaders
    who coach them through challenges.

    Info-Tech Insight

    Agile gaps may only have a short-term, perceived benefit. For example, coding without a team mindset can allow for maximum speed to market for a seasoned developer. Post-deployment maintenance initiatives, however, often lock the single developer as no one else understands the rationale for the decisions that were made.

    4.2.1 Develop your Agile requirements action plan

    Estimated time: 60 Minutes

    1. Gather all relevant stakeholder to create a road map and action plan for requirements management.
    2. Have a team member facilitate the session using the results of the Agile Requirements Maturity Assessment.
    3. Identify gaps from current to future state and brainstorm possible actions that can be taken to address those gaps. Resist the urge to analyze or discuss the feasibility of each idea at this stage. The intent is idea generation.
    4. When the group has exhausted all ideas, the facilitator should group like ideas together, with support from participants. Discuss any ideas that are unclear or ambiguous.
    5. Document the results in the Agile Requirements Workbook.

    Note: the feasibility and timing of the ideas will happen in the following "Now, Next, Later" exercise.

    Prioritize your roadmap

    Taking steps to mature your Agile requirements practice.

    An image of the Now; Next; Later technique.

    The "Now, Next, Later" technique is a method for prioritizing and planning improvements or tasks. This involves breaking down a list of tasks or improvements into three categories:

    • "Now" tasks are those that must be completed immediately. These tasks are usually urgent or critical, and they must be completed to keep the project or organization running smoothly.
    • "Next" tasks are those that should be completed soon. These tasks are not as critical as "now" tasks, but they are still important and should be tackled relatively soon.
    • "Later" tasks are those that can be completed later. These tasks are less critical and can be deferred without causing major problems.

    By using this technique, you can prioritize and plan the most important tasks first, while also allowing for flexibility and the ability to adjust plans as necessary.
    This process also helps you get a clear picture on what needs to be done first and what can be done later. This way you can work on the most important things first, and keep track of what you need to do next, for keeping the development/improvement process smooth and efficient.

    Monitor your progress

    Monitoring progress is important in achieving your target state. Be deliberate with your actions, to continue to mature your Agile requirements practice.

    As you navigate toward your target state, continue to monitor your progress, your successes, and your challenges. As your Agile requirements practice matures, you should see improvements in the stated metrics below.

    Establish a cadence to review these metrics, as well as how you are progressing on your roadmap, against the plan.

    This is not about adding work, but rather, about ensuring you're heading in the right direction; finding the balance in your Agile requirements practice.

    Metric
    Team satisfaction (%) Expect team satisfaction to increase as a result of clearer role delineation and value contribution.
    Stakeholder satisfaction (%) Expect stakeholder satisfaction to similarly increase, as requirements quality increases, bringing increased value.
    Requirements rework Measures the quality of requirements from your Agile projects. Expect that the requirements rework will decrease, in terms of volume/frequency.
    Cost of documentation Quantifies the cost of documentation, including elicitation, analysis, validation, presentation, and management.
    Time to delivery Balancing metric. We don't want improvements in other at the expense of time to delivery.

    Appendix

    Research Contributors and Experts

    This is a picture of Emal Bariali

    Emal Bariali
    Business Architect & Business Analyst
    Bariali Consulting

    Emal Bariali is a Senior Business Analyst and Business Architect with 17 years of experience, executing nearly 20 projects. He has experience in both waterfall and Agile methodologies and has delivered solutions in a variety of forms, including custom builds and turnkey projects. He holds a Master's degree in Information Systems from the University of Toronto, a Bachelor's degree in Information Technology from York University, and a post-diploma in Software & Database Development from Seneca College.

    This is a picture of Paula Bell

    Paula Bell
    Paula A. Bell Consulting, LLC

    Paula Bell is the CEO of Paula A Bell Consulting, LLC. She is a Business Analyst, Leadership and Career Development coach, consultant, speaker, and author with 21+ years of experience in corporate America in project roles including business analyst, requirements manager, business initiatives manager, business process quality manager, technical writer, project manager, developer, test lead, and implementation lead. Paula has experience in a variety of industries including media, courts, manufacturing, and financial. Paula has led multiple highly-visible multi-million-dollar technology and business projects to create solutions to transform businesses as either a consultant, senior business analyst, or manager.

    Currently she is Director of Operations for Bridging the Gap, where she oversees the entire operation and their main flagship certification program.

    This is a picture of Ryan Folster

    Ryan Folster
    Consulting Services Manager, Business Analysis
    Dimension Data

    Ryan Folster is a Business Analyst Lead and Product Professional from Johannesburg, South Africa. His strong focus on innovation and his involvement in the business analysis community have seen Ryan develop professionally from a small company, serving a small number of users, to large multi-national organizations. Having merged into business analysis through the business domain, Ryan has developed a firm grounding and provides context to the methodologies applied to clients and projects he is working on. Ryan has gained exposure to the Human Resources, Asset Management, and Financial Services sectors, working on projects that span from Enterprise Line of Business Software to BI and Compliance.

    Ryan is also heavily involved in the local chapter of IIBA®; having previously served as the chapter president, he currently serves as a non-executive board member. Ryan is passionate about the role a Business Analyst plays within an organization and is a firm believer that the role will develop further in the future and become a crucial aspect of any successful business.

    This is a picture of Filip Hendrickx

    Filip Hendrickx
    Innovating BA, Visiting Professor @ VUB
    altershape

    Filip loves bridging business analysis and innovation and mixes both in his work as speaker, trainer, coach, and consultant.

    As co-founder of the BA & Beyond Conference and IIBA Brussels Chapter president, Filip helps support the BA profession and grow the BA community in and around Belgium. For these activities, Filip received the 2022 IIBA® EMEA Region Volunteer of the Year Award.

    Together with Ian Richards, Filip is the author ofBrainy Glue, a business novel on business analysis, innovation and change. Filip is also co-author of the BCS book Digital Product Management and Cycles, a book, method and toolkit enabling faster innovation.

    This is a picture of Fabricio Laguna

    Fabricio Laguna
    Professional Speaker, Consultant, and Trainer
    TheBrazilianBA.com

    Fabrício Laguna, aka The Brazilian BA, is the main reference on business analysis in Brazil. Author and producer of videos, articles, classes, lectures, and playful content, he can explain complex things in a simple and easy-to-understand way. IIBA Brazil Chapter president between 2012-2022. CBAP, AAC, CPOA, PMP, MBA. Consultant and instructor for more than 25 years working with business analysis, methodology, solution development, systems analysis, project management, business architecture, and systems architecture. His online courses are approved by students from 65 countries.

    This is a picture of Ryland Leyton

    Ryland Leyton
    Business Analyst and Agile Coach
    Independent Consultant

    Ryland Leyton, CBAP, PMP, CSM, is an avid Agile advocate and coach, business analyst, author, speaker, and educator. He has worked in the technology sector since 1998, starting off with database and web programming, gradually moving through project management and finding his passion in the BA and Agile fields. He has been a core team member of the IIBA Extension to the BABOK and the IIBA Agile Analysis Certification. Ryland has written popular books on agility, business analysis, and career. He can be reached at www.RylandLeyton.com.

    This is a picture of Steve Jones

    Steve Jones
    Supervisor, Market Support Business Analysis
    ISO New England

    Steve is a passionate analyst and BA manager with more than 20 years of experience in improving processes, services and software, working across all areas of software development lifecycle, business change and business analysis. He rejoices in solving complex business problems and increasing process reproducibility and compliance through the application of business analysis tools and techniques.

    Steve is currently serving as VP of Education for IIBA Hartford. He is a CBAP, certified SAFe Product Owner/Product Manager, Six Sigma Green Belt, and holds an MS in Information Management and Communications.

    This is a picture of Angela Wick

    Angela Wick
    Founder
    BA-Squared and BA-Cube

    Founder of BA-Squared and BA-Cube.com, Angela is passionate about teaching practical, modern product ownership and BA skills. With over 20 years' experience she takes BA skills to the next level and into the future!
    Angela is also a LinkedIn Learning instructor on Agile product ownership and business analysis, an IC-Agile Authorized Trainer, Product Owner and BA highly-rated trainer, highly-rated speaker, sought-after workshop facilitator, and contributor to many industry publications, including:

    • IIBA BABOK v3 Core Team, leading author on the BABOK v3
    • Expert Reviewer, IIBA Agile Extension to the BABOK
    • PMI BA Practice Guide – Expert Reviewer
    • PMI Requirements Management Practice Guide – Expert Reviewer
    • IIBA Competency Model – Lead Author and Team Lead, V1, V2, and V3.

    This is a picture of Rachael Wilterdink

    Rachael Wilterdink
    Principal Consultant
    Infotech Enterprises

    Rachael Wilterdink is a Principal Consultant with Infotech Enterprises. With over 25 years of IT experience, she holds multiple business analysis and Agile certifications. As a consultant, Rachael has served clients in the financial, retail, manufacturing, healthcare, government, non-profit, and insurance industries. Giving back to the professional community, Ms. Wilterdink served on the boards of her local IIBA® and PMI® chapters. As a passionate public speaker, Rachael presents various topics at conferences and user groups across the country and the world. Rachael is also the author of the popular eBook "40 Agile Transformation Pain Points (and how to avoid or manage them)."

    Bibliography

    "2021 Business Agility Report: Rising to the Challenge." Business Agility, 2021. Accessed 13 June 2022.
    Axure. "The Pitfalls of Agile and How We Got Here". Axure. Accessed 14 November 2022.
    Beck, Kent, et al. "Manifesto for Agile Software Development." Agilemanifesto. 2001.
    Brock, Jon, et al. "Large-Scale IT Projects: From Nightmare to Value Creation." BCG, 25 May 2015.
    Bryar, Colin and Bill Carr. "Have We Taken Agile Too Far?" Harvard Business Review, 9 April 2021. Accessed 11 November, 2022.
    Clarke, Thomas. "When Agile Isn't Responsive to Business Goals" RCG Global Services, Accessed 14 November 2022.
    Digital.ai "The 15th State of Agile Report". Digital.ai. Accessed 21 November 2022.
    Hackshall, Robin. "Product Backlog Refinement." Scrum Alliance. 9 Oct. 2014.
    Hartman, Bob. "New to Agile? INVEST in good user stories." Agile For All.
    IAG Consulting. "Business Analysis Benchmark: Full Report." IAG Consulting, 2009.
    Karlsson, Johan. "Backlog Grooming: Must-Know Tips for High-Value Products." Perforce. 18 May 2018
    KPMG. Agile Transformation (2019 Survey on Agility). KPMG. Accessed November 29.
    Laguna, Fabricio "REQM guidance matrix: A framework to drive requirements management", Requirements Engineering Magazine. 12 September 2017. Accessed 10 November 2022.
    Miller, G. J. (2013). Agile problems, challenges, & failures. Paper presented at PMI® Global Congress 2013—North America, New Orleans, LA. Newtown Square, PA: Project Management Institute.
    Product Management: MoSCoW Prioritization." ProductPlan, n.d. Web.
    Podeswa, Howard "The Business Case for Agile Business Analysis" Requirements Engineering Magazine. 21 February 2017. Accessed 7 November 2022.
    PPM Express. "Why Projects Fail: Business Analysis is the Key". PPM Express. Accessed 16 November 2022.
    Reifer, Donald J. "Quantitative Analysis of Agile Methods Study: Twelve Major Findings." InfoQ, 6 February, 2017.
    Royce, Dr. Winston W. "Managing the Development of Large Software Systems." Scf.usc.edu. 1970. (royce1970.pdf (usc.edu))
    Rubin, Kenneth S. Essential Scrum: A Practical Guide to the Most Popular Agile Process. Pearson Education. 2012.
    Singer, Michael. "15+ Surprising Agile Statistics: Everything You Need To Know About Agile Management". Enterprise Apps Today. 22 August 2022.
    The Standish Group. The Chaos Report, 2015. The Standish Group.

    Where do I go next?

    Improve Requirements Gathering

    Back to basics: great products are built on great requirements.

    Make the Case for Product Delivery

    Align your organization on the practices to deliver what matters most.

    Requirements for Small and Medium Enterprises

    Right-size the guidelines of your requirements gathering process.

    Implement Agile Practices that Work

    Improve collaboration and transparency with the business to minimize project failure.

    Create an Agile-Friendly Gating and Governance Model

    Use Info-Tech's Agile Gating Framework as a guide to gating your Agile projects following a "trust but verify" approach.

    Make Your IT Governance Adaptable

    Governance isn't optional, so keep it simple and make it flexible.

    Deliver on Your Digital Product Vision

    Build a product vision your organization can take from strategy through execution.

    Terms and Conditions for consulting to businesses

    By signing an agreement with Gert Taeymans bvba, Client declares that he agrees with the Terms and Conditions referred to hereafter. Terms and conditions on Client's order form or any other similar document shall not be binding upon Gert Taeymans bvba.

    The prices, quantities and delivery time stated in any quotation are not binding upon Gert Taeymans bvba. They are commercial estimates only which Gert Taeymans bvba will make reasonable efforts to achieve. Prices quoted in final offers will be valid only for 30 days. All prices are VAT excluded and do not cover expenses, unless otherwise agreed in writing. Gert Taeymans bvba reserves the right to increase a quoted fee in the event that Client requests a variation to the work agreed.

    The delivery times stated in any quotation are of an indicative nature and not binding upon Gert Taeymans bvba, unless otherwise agreed in writing. Delivery times will be formulated in working days. In no event shall any delay in delivery be neither cause for cancellation of an order nor entitle Client to any damages.

    Amendments or variations of the initial agreement between Client and Gert Taeymans bvba will only be valid when accepted by both parties in writing.

    Any complaints concerning the performance of services must be addressed to Gert Taeymans bvba in writing and by registered mail within 7 working days of the date of the performance of the services.

    In no event shall any complaint be just cause for non-payment or deferred payment of invoices. Any invoice and the services described therein will be deemed irrevocably accepted by Client if no official protest of non-payment has been sent by Client within 7 working days from the date of the mailing of the invoice.

    Client shall pay all invoices of Gert Taeymans bvba within thirty (30) calendar days of the date of invoice unless otherwise agreed in writing by Gert Taeymans bvba. In the event of late payment, Gert Taeymans bvba may charge a monthly interest on the amount outstanding at the rate of two (2) percent with no prior notice of default being required, in which case each commenced month will count as a full month. Any late payment will entitle Gert Taeymans bvba to charge Client a fixed handling fee of 300 EUR. All costs related to the legal enforcement of the payment obligation, including lawyer fees, will be charged to Client.

    In no event will Gert Taeymans bvba be liable for damages of any kind, including without limitation, direct, incidental or consequential damages (including, but not limited to, damages for lost profits, business interruption and loss of programs or information) arising out of the use of Gert Taeymans bvba services.

    Gert Taeymans bvba collects personal data from Client for the performance of its services and the execution of its contracts. Such personal data can also be used for direct marketing, allowing Gert Taeymans bvba to inform Client of its activities on a regular basis. If Client objects to the employment of its personal data for direct marketing, Client must inform Gert Taeymans bvba on the following address: gert@gerttaeymans.consulting.

    Client can consult, correct or amend its personal data by addressing such request to Gert Taeymans bvba by registered mail. Personal data shall in no event be sold, rented or made available to other firms or third parties where not needed for the execution of the contract. Gert Taeymans bvba reserves the right to update and amend its privacy policy from time to time to remain consistent with applicable privacy legislation.

    The logo of the Client will be displayed on the Gert Taeymans bvba website, together with a short description of the project/services.

    Any changes to Client’s contact information such as addresses, phone numbers or e-mail addresses must be communicated to Gert Taeymans bvba as soon as possible during the project.

    Both parties shall maintain strict confidence and shall not disclose to any third party any information or material relating to the other or the other's business, which comes into that party's possession and shall not use such information and material. This provision shall not, however, apply to information or material, which is or becomes public knowledge other than by breach by a party of this clause.

    Gert Taeymans bvba has the right at any time to change or modify these terms and conditions at any time without notice.

    The agreement shall be exclusively governed by and construed in accordance with the laws of Belgium. The competent courts of Antwerp, Belgium will finally settle any dispute about the validity, the interpretation or the execution of this agreement.

    These Terms and Conditions are the only terms and conditions applicable to both parties.

    If any provision or provisions of these Terms and Conditions shall be held to be invalid, illegal or unenforceable, such provision shall be enforced to the fullest extent permitted by applicable law, and the validity, legality and enforceability of the remaining provisions shall not in any way be affected or impaired thereby.

    Embed Privacy and Security Culture Within Your Organization

    • Buy Link or Shortcode: {j2store}379|cart{/j2store}
    • member rating overall impact: 10.0/10 Overall Impact
    • member rating average dollars saved: 10 Average Days Saved
    • member rating average days saved: After each Info-Tech experience, we ask our members to quantify the real-time savings, monetary impact, and project improvements our research helped them achieve.
    • Parent Category Name: Governance, Risk & Compliance
    • Parent Category Link: /governance-risk-compliance

    Engagement with privacy and security within organizations has not kept pace with the increasing demands from regulations. As a result, organizations often find themselves saying they support privacy and security engagement but struggling to create behavioral changes in their staff.

    However, with new privacy and security requirements proliferating globally, we can’t help but wonder how much longer we can carry on with this approach.

    Our Advice

    Critical Insight

    To truly take hold, privacy and security engagement must be supported by senior leadership, aligned with business objectives, and embedded within each of the organization’s operating groups and teams.

    Impact and Result

    • Develop a defined structure for privacy and security in the context of your organization, your obligations, and your objectives.
    • Align your business goals and strategy with privacy and security to obtain support from your senior leadership team.
    • Identify and implement a set of metrics to monitor the success of each of the six engagement enablers amongst your team.

    Embed Privacy and Security Culture Within Your Organization Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should develop a culture of privacy and security at your organization, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Define privacy and security in the context of the organization

    Use the charter template to document the primary outcomes and objectives for the privacy and security engagement program within the organization and map the organizational structure to each of the respective roles to help develop a culture of privacy and security.

    • Privacy and Security Engagement Charter

    2. Map your privacy and security enablers

    This tool maps business objectives and key strategic goals to privacy and security objectives and attributes identified as a part of the overall engagement program. Leverage the alignment tool to ensure your organizational groups are mapped to their corresponding enablers and supporting metrics.

    • Privacy and Security Business Alignment Tool

    3. Identify and track your engagement indicators

    This document maps out the organization’s continued efforts in ensuring employees are engaged with privacy and security principles, promoting a strong culture of privacy and security. Use the playbook to document and present the organization’s custom plan for privacy and security culture.

    • Privacy and Security Engagement Playbook

    Infographic

    Workshop: Embed Privacy and Security Culture Within Your Organization

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Determine Drivers and Engagement Objectives

    The Purpose

    Understand the current privacy and security landscape in the organization.

    Key Benefits Achieved

    Targeted set of drivers from both a privacy and security perspective

    Activities

    1.1 Discuss key drivers for a privacy and security engagement program.

    1.2 Identify privacy requirements and objectives.

    1.3 Identify security requirements and objectives.

    1.4 Review the business context.

    Outputs

    Understanding of the role and requirements of privacy and security in the organization

    Privacy drivers and objectives

    Security drivers and objectives

    Privacy and security engagement program objectives

    2 Align Privacy and Security With the Business

    The Purpose

    Ensure that your privacy and security engagement program is positioned to obtain the buy-in it needs through business alignment.

    Key Benefits Achieved

    Direct mappings between a culture of privacy and security and the organization’s strategic and business objectives

    Activities

    2.1 Review the IT/InfoSec strategy with IT and the InfoSec team and map to business objectives.

    2.2 Review the privacy program and privacy strategic direction with the Privacy/Legal/Compliance team and map to business objectives.

    2.3 Define the four organizational groupings and map to the organization’s structure.

    Outputs

    Privacy and security objectives mapped to business strategic goals

    Mapped organizational structure to Info-Tech’s organizational groups

    Framework for privacy and security engagement program

    Initial mapping assessment within Privacy and Security Business Alignment Tool

    3 Map Privacy and Security Enablers to Organizational Groups

    The Purpose

    Make your engagement plan tactical with a set of enablers mapped to each of the organizational groups and privacy and security objectives.

    Key Benefits Achieved

    Measurable indicators through the use of targeted enablers that customize the organization’s approach to privacy and security culture

    Activities

    3.1 Define the privacy enablers.

    3.2 Define the security enablers.

    3.3 Map the privacy and security enablers to organizational structure.

    3.4 Revise and complete Privacy and Security Business Alignment Tool inputs.

    Outputs

    Completed Privacy and Security Engagement Charter.

    Completed Privacy and Security Business Alignment Tool.

    4 Identify and Select KPIs and Metrics

    The Purpose

    Ensure that metrics are established to report on what the business wants to see and what security and privacy teams have planned for.

    Key Benefits Achieved

    End-to-end, comprehensive program that ensures continued employee engagement with privacy and security at all levels of the organization.

    Activities

    4.1 Segment KPIs and metrics based on categories or business, technical, and behavioral.

    4.2 Select KPIs and metrics for tracking privacy and security engagement.

    4.3 Assign ownership over KPI and metric tracking and monitoring.

    4.4 Determine reporting cadence and monitoring.

    Outputs

    KPIs and metrics identified at a business, technical, and behavioral level for employees for continued growth

    Completed Privacy and Security Engagement Playbook

    Develop Infrastructure & Operations Policies and Procedures

    • Buy Link or Shortcode: {j2store}452|cart{/j2store}
    • member rating overall impact: 9.5/10 Overall Impact
    • member rating average dollars saved: $46,324 Average $ Saved
    • member rating average days saved: 42 Average Days Saved
    • Parent Category Name: Operations Management
    • Parent Category Link: /i-and-o-process-management
    • Time and money are wasted dealing with mistakes or missteps that should have been addressed by procedures or policies.
    • Standard operating procedures are less effective without a policy to provide a clear mandate and direction.
    • Adhering to policies is rarely a priority, as compliance often feels like an impediment to getting work done.
    • Processes aren’t measured or audited to assess policy compliance, which makes enforcing the policies next to impossible.

    Our Advice

    Critical Insight

    • Document what you need to document and forget the rest. Always check to see if you can use a previously approved policy before you create a new one. You may only need to create new guidelines or standards rather than approve a new policy.

    Impact and Result

    • Start with a comprehensive policy framework to help you identify policy gaps. Prioritize and address those policy gaps.
    • Create effective policies that are reasonable, measurable, auditable, and enforceable.
    • Create and document procedures to support policy changes.

    Develop Infrastructure & Operations Policies and Procedures Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should change your approach to developing Infrastructure & Operations policies and procedures, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Identify policy and procedure gaps

    Create a prioritized action plan for documentation based on business need.

    • Develop Infrastructure & Operations Policies and Procedures – Phase 1: Identify Policy and Procedure Gaps

    2. Develop policies

    Adapt policy templates to meet your business requirements.

    • Develop Infrastructure & Operations Policies and Procedures – Phase 2: Develop Policies
    • Availability and Capacity Management Policy
    • Business Continuity Management Policy
    • Change Control – Freezes & Risk Evaluation Policy
    • Change Management Policy
    • Configuration Management Policy
    • Firewall Policy
    • Hardware Asset Management Policy
    • IT Triage and Support Policy
    • Release Management Policy
    • Software Asset Management Policy
    • System Maintenance Policy – NIST
    • Internet Acceptable Use Policy

    3. Document effective procedures

    Improve policy adherence and service effectiveness through procedure standardization and documentation.

    • Develop Infrastructure & Operations Policies and Procedures – Phase 3: Document Effective Procedures
    • Capacity Plan Template
    • Change Management Standard Operating Procedure
    • Configuration Management Standard Operation Procedures
    • Incident Management and Service Desk SOP
    • DRP Summary Template
    • Service Desk Standard Operating Procedure
    • HAM Standard Operating Procedures
    • SAM Standard Operating Procedures
    [infographic]

    Further reading

    Develop Infrastructure & Operations Policies and Procedures

    Document what you need to document and forget the rest.

    Table of contents

    Project Rationale

    Project Outlines

    • Phase 1: Identify Policy and Procedure Gaps
    • Phase 2: Develop Policies
    • Phase 3: Document Effective Procedures

    Bibliography

    ANALYST PERSPECTIVE

    Document what you need to document now and forget the rest.

    "Most IT organizations struggle to create and maintain effective policies and procedures, despite known improvements to consistency, compliance, knowledge transfer, and transparency.

    The numbers are staggering. Fully three-quarters of IT professionals believe their policies need improvement, and the same proportion of organizations don’t update procedures as required.

    At the same time, organizations that over-document and under-document perform equally poorly on key measures such as policy quality and policy adherence. Take a practical, step-by-step approach that prioritizes the documentation you need now. Leave the rest for later."

    (Andrew Sharp, Research Manager, Infrastructure & Operations Practice, Info-Tech Research Group)

    Our understanding of the problem

    This Research Is Designed For:

    • Infrastructure Managers
    • Chief Technology Officers
    • IT Security Managers

    This Research Will Help You:

    • Address policy gaps
    • Develop effective procedures and procedure documentation to support policy compliance

    This Research Will Also Assist:

    • Chief Information Officers
    • Enterprise Risk and Compliance Officers
    • Chief Human Resources Officers
    • Systems Administrators and Engineers

    This Research Will Help Them:

    • Understand the importance of a coherent approach to policy development
    • Understand the importance of Infrastructure & Operations policies
    • Support Infrastructure & Operations policy development and enforcement

    Info-Tech Best Practice

    This blueprint supports templates for key policies and procedures that help Infrastructure & Operations teams to govern and manage internal operations. For security policies, see the NIST SP 800-171 aligned Info-Tech blueprint, Develop and Deploy Security Policies.

    Executive Summary

    Situation

    • Time and money are wasted dealing with mistakes or missteps that should have been addressed by procedures or policies.
    • Standard operating procedures are less effective without a policy to provide a clear mandate and direction.

    Complication

    • Existing policies were written, approved, signed – and forgotten for years because no one has time to maintain them.
    • Adhering to policies is rarely a priority, as compliance often feels like an impediment to getting work done.
    • Processes aren’t measured or audited to assess policy compliance, which makes enforcing the policies next to impossible.

    Resolution

    • Start with a comprehensive policy framework to help you identify policy gaps. Prioritize and address those policy gaps.
    • Create effective policies that are reasonable, measurable, auditable, and enforceable.
    • Create and document procedures to support policy changes.

    Info-Tech Insight

    1. Document what you need to document and forget the rest.
      Always check if a previously approved policy exists before you create a new one. You may only need to create new guidelines or standards rather than approve a new policy.
    2. Support policies with documented procedures.
      Build procedures that embed policy adherence in daily operations. Find opportunities to automate policy adherence (e.g. removing local admin rights from user computers).

    What are policies, procedures, and processes?

    A policy is a governing document that states the long-term goals of the organization and in broad strokes outlines how they will be achieved (e.g. a Data Protection Policy).

    In the context of policies, a procedure is composed of the steps required to complete a task (e.g. a Backup and Restore Procedure). Procedures are informed by required standards and recommended guidelines. Processes, guidelines, and standards are three pillars that support the achievement of policy goals.

    A process is higher level than a procedure – a set of tasks that deliver on an organizational goal.

    Better policies and procedures reduce organizational risk and, by strengthening the ability to execute processes, enhance the organization’s ability to execute on its goals.

    Visualization of policies, procedures, and processes using pillars. Two separate structures, 'Policy A' and 'Policy B', are each held up by three pillars labelled 'Standards', 'Procedures', and 'Guidelines'. Two lines pass through the pillars of both structures and are each labelled 'Value-creating process'.

    Document to improve governance and operational processes

    Deliver value

    Build, deliver, and support Infrastructure assets in a consistent way, which ultimately reduces costs associated with downtime, errors, and rework. A good manual process is the foundation for a good automated process.

    Simplify Training

    Use documentation for knowledge transfer. Routine tasks can be delegated to less-experienced staff.

    Maintain compliance

    Comply with laws and regulations. Policies are often required for compliance, and formally documented and enforced policies help the organization maintain compliance by mandating required due diligence, risk reduction, and reporting activities.

    Provide transparency

    Build an open kitchen. Other areas of the organization may not understand how Infra & Ops works. Your documentation can provide the answer to the perennial question: “Why does that take so long?”

    Info-Tech Best Practice

    Governance goals must be supported with effective, well-aligned procedures and processes. Use Info-Tech’s research to support the key Infrastructure & Operations processes that enable your business to create value.

    Document what you need to document – and forget the rest

    Half of all organizations believe their policy suite is insufficient. (Info-Tech myPolicies Survey Data (N=59))

    Pie chart with three sections labelled 'Too Many Policies and Procedures 14%', 'Adequate Policies and Procedures 37%', 'Insufficient Policies and Procedures 49%'

    Too much documentation and a lack of documentation are both ineffective. (Info-Tech myPolicies Survey Data (N=59))

    Two bar charts labelled 'Policy Adherence' and 'Policy Quality' each with three bars representing 'Too Many Policies and Procedures', 'Insufficient Policies and Procedures', and 'Adequate Policies and Procedures'. The values shown are an average score out of 5. For Policy Adherence: Too Many is 2.4, Insufficient is 2.1, and Adequate is 3.2. For Policy Quality: Too Many is 2.9, Insufficient is 2.6, and Adequate is 4.1.

    77% of IT professionals believe their policies require improvement. (Kaspersky Lab)

    Presenting: A COBIT-aligned policy suite

    We’ve developed a suite of effective policy templates for every Infra & Ops manager based on Info-Tech’s IT Management & Governance Framework.

    Policy templates and the related aspects of Info-Tech's IT Management & Governance Framework

    Info-Tech Best Practice

    Look for these symbols as you work through the deck. Prioritize and focus on the policies you work on first based on the value of the policy to the enterprise and the existing gaps in your governance structure.

    Project outline

    Phases

    1. Identify policy and procedure gaps 2. Develop policies 3. Document effective procedures

    Steps

    • Review and right-size the existing policy set
    • Create an action plan to address policy gaps
    • Modify policy templates and gather feedback
    • Implement, enforce, measure, and maintain new policies
    • Scope and outline procedures
    • Document and maintain procedures

    Outcomes

    Action list of policy and procedure gaps New or updated Infrastructure & Operations policies Procedure documentation

    Use these icons to help direct you as you navigate this research

    Use these icons to help guide you through each step of the blueprint and direct you to content related to the recommended activities.

    A small monochrome icon of a wrench and screwdriver creating an X.

    This icon denotes a slide where a supporting Info-Tech tool or template will help you perform the activity or step associated with the slide. Refer to the supporting tool or template to get the best results and proceed to the next step of the project.

    A small monochrome icon depicting a person in front of a blank slide.

    This icon denotes a slide with an associated activity. The activity can be performed either as part of your project or with the support of Info-Tech team members, who will come onsite to facilitate a workshop for your organization.

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    Guided Implementation

    Workshop

    Consulting

    "Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful." "Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track." "We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place." "Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project."

    Diagnostics and consistent frameworks used throughout all four options

    Accelerate policy development with a Guided Implementation

    Your trusted advisor is just a call away.

    • Identify Policy and Procedure Gaps (Calls 1-2)
      Assess current policies, operational challenges, and gaps. Mitigate significant risks first.
    • Create and Review Policies (Calls 2-4)
      Modify and review policy templates with an Info-Tech analyst.
    • Create and Review Procedures (Calls 4-6)
      Workflow procedures, using templates wherever possible. Review documentation best practices.

    Contact Info-Tech to set up a Guided Implementation with a dedicated advisor who will walk you through every stage of your policy development project.

    Develop Infrastructure & Operations Policies and Procedures

    Phase 1

    Identify Policy and Procedure Gaps

    PHASE 1: Identify Policy and Procedure Gaps

    Step 1.1: Review and right-size the existing policy set

    This step will walk you through the following activities:

    • Identify gaps in your existing policy suite
    • Document challenges to core Infrastructure & Operations processes
    • Identify documentation that can close gaps
    • Prioritize your documentation effort

    This step involves the following participants:

    • Infrastructure & Operations Manager
    • Infrastructure Supervisors

    Results & Insights

    • Results: A review of the existing policy suite and identification of opportunities for improvement.
    • Insights: Not all gaps necessarily require a fresh policy. Repurpose, refresh, or supplement existing documentation wherever appropriate.

    Conduct a policy review

    Associated Activity icon 1(a) 30 minutes per policy

    You’ve got time to review your policy suite. Make the most of it.

    1. Start with organizational requirements.
      • What initiatives are on the go? What policies or procedures do you have a mandate to create?
    2. Weed out expired and dated policies.
      • Gather your existing policies. Identify when each one was published or last reviewed.
      • Decide whether to retire, merge, or update expired or obviously dated policy.
    3. Review policy statements.
      • Check that the organization is adequately supporting policy statements with SOPs, standards, and guidelines. Ensure role-related information is up to date.
    4. Document and bring any gaps forward to the next activity. If no action is required, indicate that you have completed a review and submit the findings for approval.

    But they just want one policy...

    A review of your policy suite is good practice, especially when it hasn’t been done for a while. Why?
    • Existing policies may address what you’re trying to do with a new policy. Using or modifying an existing policy avoids overlap and contradiction and saves you the effort required to create, communicate, approve, and maintain a new policy.
    • Review the suite to validate that you’re addressing the most important challenges first.

    Brainstorm improvements for core Infrastructure & Operations processes

    Associated Activity icon 1(b) 1 hour

    Supplement the list of gaps from your policy review with process challenges.

    1. Write out key Infra & Ops–related processes – one piece of flipchart paper per process. You can work through all of these processes or cherry-pick the processes you want to improve first.
    2. With participants, write out in point form how you currently execute on these processes (e.g. for Asset Management, you might be tagging hardware, tracking licenses, etc.)
    3. Work through a “Start – Stop – Continue” exercise. Ask participants: What should we start doing? What must we stop doing? What do we do currently that’s valuable and must continue? Write ideas on sticky notes.
    4. Once you’ve worked through the “Start – Stop – Continue” exercise for all processes, group similar suggestions for improvements.

    Asset Management: Manage hardware and software assets across their lifecycle to protect assets and manage costs.

    Availability and Capacity Management: Balance current and future availability, capacity, and performance needs with cost-to-serve.

    Business Continuity Management: Continue operation of critical business processes and IT services.

    Change Management: Deliver technical changes in a controlled manner.

    Configuration Management: Define and maintain relationships between technical components.

    Problem Management: Identify incident root cause.

    Operations Management: Coordinate operations.

    Release and Patch Management: Deliver updates and manage vulnerabilities in a controlled manner.

    Service Desk: Respond to user requests and all incidents.

    PHASE 1: Identify Policy and Procedure Gaps

    Step 1.2: Create an action plan to address policy gaps

    This step will walk you through the following activities:

    • Identify challenges and gaps that can be addressed via documentation
    • Prioritize high-value, high-risk gaps

    This step involves the following participants:

    • Infrastructure & Operations Manager
    • Infrastructure Supervisors

    Results & Insights

    • Results: An action plan to tackle policy and procedures gaps, aligned with business requirements and business value.
    • Insights: Not all documentation is equally valuable. Prioritize documentation that delivers value and mitigates risk.

    Support policies with procedures, standards, and guidelines

    Use a working definition for each type of document.

    Policy: Directives, rules, and mandates that support the overarching, long-term goals of the organization.

    • Standards: Prescriptive, uniform requirements.
    • Procedures: Specific, detailed, step-by-step instructions for completing a task.
    • Guidelines: Non-enforceable, recommended best practices.

    Info-Tech Best Practice

    Take advantage of your Info-Tech advisory membership by scheduling review sessions with an analyst. We provide high-level feedback to ensure your documentation is clear, concise, and consistent and aligns with the governance objectives you’ve identified.

    Answer the following questions to decide if governance documentation can help close gaps

    Associated Activity icon 1(c) 30 minutes

    Documentation supports knowledge sharing, process consistency, compliance, and transparency. Ask the following questions:

    1. What is the purpose of the documentation?
      Procedures support task completion. Policies set direction and manage organizational risk.
    2. Should it be enforceable?
      Policies and standards are enforceable; guidelines are not. Procedures are enforceable in that they should support policy enforcement.
    3. What is the scope?
      To document a task, create a procedure. Set overarching rules with policies. Use standards and guidelines to set detailed rules and best practices.
    4. What’s the expected cadence for updates?
      Policies should be revisited and revised less frequently than procedures.

    Info-Tech Best Practice

    Reinvent the wheel? I don’t think so!

    Always check to see if a gap can be addressed with existing tools before drafting a new policy

    • Is there an existing policy that could be supported with new or updated procedures, technical standards, or guidelines?
    • Is there a technical control you can deploy that would enforce the terms of an existing, approved policy?
    • It may be simpler to amend an existing policy instead of creating a new one.

    Some problems can’t be solved by better documentation (or by documentation alone). Consider additional strategies that address people, process, and technology.

    Tackle high-value, high-risk gaps first

    Associated Activity icon 1(d) 30 minutes

    Prioritize your documentation effort.

    1. List each proposed piece of documentation on the board.
    2. Assign a score to the risk posed to the business by the lack of documentation and to the expected benefit of completing the documentation. Use a scoring scale between 1 and 3 such as the one on the right.
    3. Prioritize documentation that mitigates risks and maximizes benefits.
    4. If you need to break ties, consider effort required to develop, implement, and enforce policies or procedures.

    Example Scoring Scale

    Score Business risk of missing documentation Business benefit of value of documentation

    1

    Low: Affects ad hoc activities or non-critical data. Low: Minimal impact.

    2

    Moderate: Impacts productivity or internal goodwill. Moderate: Required periodically; some cross-training opportunities.

    3

    High: Impacts revenue, safety, or external goodwill. High: Save time for common or ongoing processes; extensive improvement to training/knowledge transfer.

    Info-Tech Insight

    Documentation pulls resources away from other important programs and projects, so ultimately it must be a demonstrably higher priority than other work. This exercise is designed to align documentation efforts with business goals.

    Phase 1: Review accomplishments

    Policy pillars: Standards, Procedures, Guidelines

    Summary of Accomplishments

    • Identified gaps in the existing policy suite and identified pain points in existing Infra & Ops processes.
    • Developed a list of policies and procedures that can address existing gaps and prioritized the documentation effort.

    Develop Infrastructure & Operations Policies and Procedures

    Phase 2

    Develop Policies

    PHASE 2: Develop Policies

    Step 2.1: Modify policy templates and gather feedback

    This step will walk you through the following activities:

    • Modify policy templates

    This step involves the following participants:

    • Infrastructure & Operations Manager
    • Technical Writer

    Results & Insights

    • Results: Your own COBIT-aligned policies built by modifying Info-Tech templates.
    • Insights: Effective policies are easy to read and navigate.

    Write Good-er: Be Clear, Consistent, and Concise

    Effective policies adhere to the three Cs of documentation.

    1. Be clear. Make it as easy as possible for a user to learn how to comply with your policy.
    2. Be consistent. Write policies that complement each other, not contradict each other.
    3. Be concise. Make it as quick and easy as possible to read and understand your policy.

    Info-Tech Best Practice

    To download the full suite of templates all at once, click the “Download Research” button on the research landing page on the website.

    Use the three Cs: Be Clear

    Understanding makes compliance possible. Create policy with the goal of making compliance as easy as possible. Use positive, simple language to convey your intentions and rationale to your audience. Staff will make an effort adhere to your policy when they understand the need and are able to comply with the terms.

    1. Choose a skilled writer. Select a writer who can write clearly and succinctly.
    2. Default to simple language and define key terms. Define scope and key terms upfront. Avoid using technical terms outside of technical documentation; if they’re necessary be sure to define them as well.
    3. Use active, positive language. Where possible, tell people what they can do, not what they can’t.
    4. Keep the structure simple. Complicated documents are less likely to be understood and read. Use short sentences and paragraphs. Lists are a helpful way to summarize important information. Guide your reader through the document with appropriately named section headers, tables of contents, and numeration.
    5. Add a process for handling exceptions. Refer to procedures, standards, and guidelines documentation. Try to keep these links as static as possible. Also, refer to a process for handling exceptions.
    6. Manage the integrity of electronic documents. When published electronically, the policy should have restricted editing access or should be published in a non-editable format. Access to the procedure and policy storage database for employees should be read-only.

    Info-Tech Insight

    Highly effective policies are easy to navigate. Your policies should be “skimmable.” Very few people will fully read a policy before accepting it. Make it easy to navigate so the reader can easily find the policy statements that apply to them.

    Use the three Cs: Be Consistent

    Ensure that policies are aligned with other organizational policies and procedures. It detracts from compliance if different policies prescribe different behavior in the same situation. Moreover, your policies should reflect the corporate culture and other company standards. Use your policies to communicate rules and get employees aligned with how your company works.

    1. Use standard sentences and paragraphs. Policies are usually expressed in short, standard sentences. Lists should also be used when necessary or appropriate.
    2. Remember the three Ws. When writing a policy, always be sure to clearly state what the rule is, when it should be applied, and who needs to follow it. Policies should clearly define their scope of application and whether directives are mandatory or recommended.
    3. Use an outline format. Using a numbered or outline format will make a document easier to read and will make content easier to look up when referring back to the document at a later time.
    4. Avoid amendments. Avoid the use of information that is quickly outdated and requires regular amendment (e.g. names of people).
    5. Reference a set of supplementary documents. Codify your tactics outside of the policy document, but make reference to them within the text. This makes it easier to ensure consistency in the behavior prescribed by your policies.

    "One of the issues is the perception that policies are rules and regulations. Instead, your policies should be used to say ‘this is the way we do things around here.’" (Mike Hughes CISA CGEIT CRISC, Principal Director, Haines-Watts GRC)

    Use the three Cs: Be Concise

    Reading and understanding policies shouldn’t be challenging, and it shouldn’t significantly detract from productive time. Long policies are more difficult to read and understand, increasing the work required for employees to comply with them. Put it this way: How often do you read the Terms and Conditions of software you’ve installed before accepting them?

    1. Be direct. The quicker you get to the point, the easier it is for the reader to interpret and comply with your policy.
    2. Your policy is a rule, not a recipe. Your policy should outline what needs to be accomplished and why – your standards, guidelines, and SOPs address the how.
    3. Keep policies short. Nobody wants to read a huge policy book, so keep your policies short.
    4. Use additional documentation where needed. In addition to making consistency easier, this shortens the length of your policies, making them easier to read.
    5. Policy still too large? Modularize it. If you have an extremely large policy, it’s likely that it’s too widely scoped or that you’re including statements that should be part of procedure documentation. Consider breaking your policy into smaller, focused, more digestible documents.

    "If the policy’s too large, people aren’t going to read it. Why read something that doesn’t apply to me?" (Carole Fennelly, Owner and Principal, cFennelly Consulting)

    "I always try to strike a good balance between length and prescriptiveness when writing policy. Your policies … should be short and describe the problem and your approach to solving it. Below policies, you write standards, guidelines, and SOPs." (Michael Deskin, Policy and Technical Writer, Canadian Nuclear Safety Commission)

    Customize policy documents

    Associated Activity icon 2(a) 1-2 hours per policy

    Use the policies templates to support key Infrastructure & Operations programs.

    INPUT: List of prioritized policies

    OUTPUT: Written policy drafts ready for review

    Materials: Policy templates

    Participants: Policy writer, Signing authority

    No policy template will be a perfect fit for your organization. Use Info-Tech’s research to develop your organization’s program requirements. Customize the policy templates to support those requirements.

    1. Work through policies from highest to lowest priority as defined in Phase 1.
    2. Follow the instructions written in grey text to customize the policy. Follow the three Cs when you write your policy.
    3. When your draft is finished, prepare to request signoff from your signing authority by reviewing the draft with an Info-Tech analyst.
    4. Complete the highest ranked three or four draft policies. Review all these policies with relevant stakeholders and include all relevant signing authorities in the signoff process.
    5. Rinse and repeat. Iterate until all relevant polices are complete.

    Request, Incident, and Problem Management

    An effective, timely service desk correlates with higher overall end-user satisfaction across all other IT services. (Info-Tech Research Group, 2016 (N=25,998))

    An icon for the 'DSS02 Service Desk' template. An icon for the 'DSS03 Incident and Problem Management' template.

    Use the following template to create a policy that outlines the goals and mandate for your service and support organization:

    • IT Triage and Support Policy

    Support the program and associated policy statements using Info-Tech’s research:

    • Standardize the Service Desk
    • Incident and Problem Management
    • Design & Build a User-Facing Service Catalog

    Embrace Standardization

    • Outline the support and service mandate with the policy. Support the policy with the methodology in Info-Tech’s research.
    • Over time, organizations without standardized processes face confusion, redundancies, and cost overruns. Standardization avoids wasting energy and effort building new solutions to solved issues.
    • Standard processes for IT services define repeatable approaches to work and sandbox creative activities.
    • Create tickets for every task and categorize them using a standard classification system. Use the resulting data to support root-cause analysis and long-term trend management.
    • Create a single point of contact for users for all incidents and requests. Escalate and resolve tickets faster.
    • Empower end users and technicians with knowledge bases that help them solve problems without intervention.

    Change, Release, and Patch Management

    Slow turnaround, unauthorized changes, and change-related incidents are all too familiar to many managers.

    An icon for the 'BAI06 Change Management' template. An icon for the 'BAI07 Release Management' template.

    Use the following templates to create policies that define effective patch, release, and change management:

    • Change Management Policy
    • Release and Patch Management Policy
    • Change Control – Freezes & Risk Evaluation Policy

    Ensure the policy is supported by using the following Info-Tech research:

    • Optimize Change Management

    Embrace Change

    • IT system owners resist change management when they see it as slow and bureaucratic.
    • At the same time, an increasingly interlinked technical environment may cause issues to appear in unexpected places. Configuration management systems are often not kept up to date, so preventable conflicts get missed.
    • No process exists to support the identification and deployment of critical security patches. Tracking down users to find a maintenance window takes significant, dedicated effort and intervention from the management team.
    • Create a unified change management process that reduces risk and is balanced in its approach toward deploying changes, while also maintaining throughput of patches, fixes, enhancements, and innovation.

    IT Asset Management (ITAM)

    A proactive, dynamic ITAM program will pay dividends in support, contract management, appropriate provisioning, and more.

    An icon for the 'BAI09 Asset Management' template.

    Start by outlining the requirements for effective asset management:

    • Hardware Asset Management Policy
    • Software Asset Management Policy

    Support ITAM policies with the following Info-Tech research:

    • Implement IT Asset Management

    Leverage Asset Data

    • Create effective, directional policies for your asset management program that provide a mandate for action. Support the policies with robust procedures, capable staff, and right-fit technology solutions.
    • Poor management of assets generally leads to higher costs due to duplicated purchases, early replacement, loss, and so on.
    • Visibility into asset location and ownership improves security and accountability.
    • A centralized repository of asset data supports request fulfilment and incident management.
    • Asset management is an ongoing program, not a one-off project, and must be resourced accordingly. Organizations often implement an asset management program and let it stagnate.

    "Many of the large data breaches you hear about… nobody told the sysadmin the client data was on that server. So they weren’t protecting and monitoring it." (Carole Fennelly, Owner and Principal, cFennelly Consulting)

    Business Continuity Management (BCM)

    Streamline the traditional approach to make BCM practical and repeatable.

    An icon for the 'DSS04 DR and Business Continuity' template.

    Set the direction and requirements for effective BCM:

    • Business Continuity Management Policy

    Support the BCM policy with the following Info-Tech research:

    • Create a Right-Sized Disaster Recovery Plan
    • Develop a Business Continuity Plan

    Build Organizational Resilience

    • Evidence of disaster recovery and business continuity planning is increasingly required to comply with regulations, mitigate business risk, and meet customer demands.
    • IT leaders are often asked to take the lead on business continuity, but overall accountability for business continuity rests with the board of directors, and each business unit must create and maintain its business continuity plan.
    • Set an organizational mandate for BCM with the policy.
    • Divide the business continuity mandate into manageable parcels of work. Follow Info-Tech’s practical methodology to tackle key disaster recovery and business continuity planning activities one at a time.

    Info-Tech Best Practice

    Governance goals must be supported with effective, well-aligned procedures and processes. Use Info-Tech’s research to support the key Infrastructure & Operations processes that enable your business to create value.

    Availability, Capacity, and Operations Management

    What was old is new again. Use time-tested techniques to manage and plan cloud capacity and costs.

    An icon for the 'BAI04 Availability and Capacity Management' template. An icon for the 'DSS01 Operations Management' template. An icon for the 'BAI10 Configuration Management' template.

    Set the direction and requirements for effective availability and capacity management:

    • Availability and Capacity Management Policy
    • System Maintenance Policy – NIST

    Support the policy with the following Info-Tech research:

    • Develop an Availability and Capacity Management Plan
    • Improve IT Operations Management
    • Develop an IT Infrastructure Services Playbook

    Mature Service Delivery

    • Hybrid IT deployments – managing multiple locations, delivery models, and service providers – are the future of IT. Hybrid deployments significantly complicate capacity planning and operations management.
    • Effective operations management practices develop structured processes to automate activities and increase process consistency across the IT organization, ultimately improving IT efficiency.
    • Trying to add mature service delivery can feel like playing whack-a-mole. Systematically improve your service capabilities using the tactical, iterative approach outlined in Improve IT Operations Management.

    Enhance your overall security posture with a defensible, prescriptive policy suite

    Align your security policy suite with NIST Special Publication 800-171.

    Security policies support the organization’s larger security program. We’ve created a dedicated research blueprint and a set of templates that will help you build security policies around a robust framework.

    • Start with a security charter that aligns the security program with organizational objectives.
    • Prioritize security policies that address significant risks.
    • Work with technical and business stakeholders to adapt Info-Tech’s NIST SP 800-171–aligned policy templates (at right) to reflect your organizational objectives.

    A diagram listing all the different elements in a 'Security Charter': 'Access Control', 'Audit & Acc.', 'Awareness and Training', 'Config. Mgmt.', 'Identification and Auth.', 'Incident Response', 'Maintenance', 'Media Protection', 'Personnel Security', 'Physical Protection', 'Risk Assessment', 'Security Assessment', 'System and Comm. Protection', and 'System and Information Integrity'.

    Review and download Info-Tech's blueprint Develop and Deploy Security Policies.

    Info-Tech Best Practice

    Customize Info-Tech’s policy framework to align your policy suite to NIST SP 800-171. Given NIST’s requirements for the control of confidential information, organizations that align their policies to NIST standards will be in a strong governance position.

    PHASE 2: Develop Policies

    Step 2.2: Implement, enforce, measure, and maintain new policies

    This step will walk you through the following activities:

    • Gather stakeholder feedback
    • Identify preventive and detective controls
    • Identify required supports
    • Seek policy approval
    • Establish roles and responsibilities for policy maintenance

    This step involves the following participants:

    • Infrastructure & Operations Manager
    • Infrastructure Supervisors
    • Technical Writer
    • Policy Stakeholders

    Results & Insights

    • Results: Well-supported policies that have received signoff.
    • Insights: If you’re not prepared to enforce the policy, you might not actually need a policy. Use the policy statements as guidelines or standards, create and implement procedures, and build a culture of compliance. Once you can confidently execute on required controls, seek signoff.

    Gather feedback from users to assess the feasibility of the new policies

    Associated Activity icon 2(b) Review period: 1-2 weeks

    Once the policies are drafted, roundtable the drafts with stakeholders.

    INPUT: Draft policies

    OUTPUT: Reviewed policy drafts ready for approval

    Materials: Policy drafts

    Participants: Policy stakeholders

    1. Form a test group of users who will be affected by the policy in different ways. Keep the group to around five staff.
    2. Present new policies to the testers. Allow them to read the documents and attempt to comply with the new policies in their daily routines.
    3. Collect feedback from the group.
      • Consider using interviews, email surveys, chat channels, or group discussions.
      • Solicit ideas on how policy statements could be improved or streamlined.
    4. Make reasonable changes to the first draft of the policies before submitting them for approval. Policies will only be followed if they’re realistic and user friendly.

    Info-Tech Best Practice

    Allow staff the opportunity to provide input on policy development. Giving employees a say in policy development helps avoid obstacles down the road. This is especially true if you’re trying to change behavior rather than lock it in.

    Develop mechanisms for monitoring and enforcement

    Associated Activity icon 2(c) 20 minutes per policy

    Brainstorm preventive and detective controls.

    INPUT: Draft policies

    OUTPUT: Reviewed policy drafts ready for approval

    Materials: Policy drafts

    Participants: Policy stakeholders

    Preventive controls are designed to discourage or pre-empt policy breaches before they occur. Training, approvals processes, and segregation of duties are examples of preventive controls. (Ohio University)

    Detective controls help enforce the policy by identifying breaches after they occur. Forensic analysis and event log auditing are examples of detective controls. (Ohio University)

    Not all policies require the same level of enforcement. Policies that are required by law or regulation generally require stricter enforcement than policies that outline best practices or organizational values.

    Identify controls and enforcement mechanisms that are in line with policy requirements. Build control and enforcement into procedure documentation as needed.

    Suggestions:

    1. Have staff sign off on policies. Disclose any monitoring/surveillance.
    2. Ensure consequences match the severity of the infraction. Document infractions and ensure that enforcement is applied consistently across all infractions.
    3. Automatic controls shouldn’t get in the way of people’s ability to do their jobs. Test controls with users before you roll them out widely.

    Support the policy before seeking approval

    A policy is only as strong as its supporting pillars.

    Create Standards

    Standards are requirements that support policy adherence. Server builds and images, purchase approval criteria, and vulnerability severity definitions can all be examples of standards that improve policy adherence.

    Where reasonable, use automated controls to enforce standards. If you automate the control, consider how you’ll handle exceptions.

    Create Guidelines

    If no standards exist – or best practices can’t be monitored and enforced, as standards require – write guidelines to help users remain in compliance with the policy.

    Create Procedures: We’ll cover procedure development and documentation in Phase 3.

    Info-Tech Insight

    In general, failing to follow or strictly enforce a policy creates a risk for the business. If you’re not confident a policy will be followed or enforced, consider using policy statements as guidelines or standards as an interim measure as you update procedures and communicate and roll out changes that support adherence and enforcement.

    Seek approval and communicate the policy

    Policies ultimately need to be accepted by the business.

    • Once the drafts are completed, identify who is in charge of approving the policies.
    • Ensure all stakeholders understand the importance, context, and repercussions of the policies.
    • The approvals process is about appropriate oversight of the drafted policies. For example:
      • Do the policies satisfy compliance and regulatory requirements?
      • Do the policies work with the corporate culture?
      • Do the policies address the underlying need?

    If the draft is rejected:

    • Acquire feedback and make revisions.
    • Resubmit for approval.

    If the draft is approved:

    • Set the effective date and a review date.
    • Begin communication, training, and implementation.
    • Employees must know that there are new policies and understand the steps they must take to comply with the policies in their work.
    • Employees must be able to interpret, understand, and know how to act upon the information they find in the policies.
    • Employees must be informed on where to get help or ask questions and from whom to request policy exceptions.

    "A lot of board members and executive management teams… don’t understand the technology and the risks posed by it." (Carole Fennelly, Owner and Principal, cFennelly Consulting)

    Identify policy management roles and responsibilities

    Associated Activity icon 2(d) 30 minutes

    Discuss and assign roles and responsibilities for ongoing policy management.

    Role

    Responsibilities

    Executive sponsor

  • Supports the program at the highest levels of the business, as needed
  • Program lead

  • Leads the Infrastructure & Operations policy management program
  • Identifies and communicates status updates to the executive sponsor and the project team
  • Coordinates business demands and interviews and organizes stakeholders to identify requirements
  • Manages the work team and coordinates policy rollout
  • Policy writer

  • Authors and updates policies based on requirements
  • Coordinates with outsourced editor for completion of written documents
  • IT infrastructure SMEs

  • Provide technical insight into capabilities and limitations of infrastructure systems
  • Provide advice on possible controls that can aid policy rollout, monitoring, and enforcement
  • Legal expert

  • Provides legal advice on the policy’s legal terms and enforceability
  • "Whether at the level of a government, a department, or a sub-organization: technology and policy expertise complement one another and must be part of the conversation." (Peter Sheingold, Portfolio Manager, Cybersecurity, MITRE Corporation)

    Phase 2: Review accomplishments

    Effective Policies: Clear, Consistent, and Concise

    An icon for the 'DSS02 Service Desk' template.

    An icon for the 'DSS03 Incident and Problem Management' template.

    An icon for the 'BAI06 Change Management' template.

    An icon for the 'BAI07 Release Management' template.

    An icon for the 'BAI09 Asset Management' template.

    An icon for the 'DSS04 DR and Business Continuity' template.

    An icon for the 'BAI04 Availability and Capacity Management' template.

    An icon for the 'DSS01 Operations Management' template.

    An icon for the 'BAI10 Configuration Management' template.

    Summary of Accomplishments

    • Built priority policies based on templates aligned with the IT Management & Governance Framework and COBIT 5.
    • Reviewed controls and policy supports.
    • Assigned roles and responsibilities for ongoing policy maintenance.

    Develop Infrastructure & Operations Policies and Procedures

    Phase 3

    Document Effective Procedures

    PHASE 3: Document Effective Procedures

    Step 3.1: Scope and outline procedures

    This step will walk you through the following activities:

    • Prioritize SOP documentation
    • Draft workflows using a tabletop exercise
    • Modify templates, as applicable

    This step involves the following participants:

    • Infrastructure & Operations Manager
    • Technical Writer
    • Infrastructure Supervisors

    Results & Insights

    • Results: An action plan for SOP documentation and an outline of procedure workflows.
    • Insights: Don’t let tools get in the way of documentation – low-tech solutions are often the most effective way to build and analyze workflows.

    Prioritize your SOP documentation effort

    Associated Activity icon 3(a) 1-2 hours

    Build SOP documentation that gets used and doesn’t just check a box.

    1. Review the list of procedure gaps from Phase 1. Are any other procedures needed? Are some of the procedures now redundant?
    2. Establish the scope of the proposed procedures. Who are the stakeholders? What policies do they support?
    3. Run a basic prioritization exercise using a three-point scale. Higher scores mean greater risks or greater benefits. Score the risk of the undocumented procedure to the business (e.g. potential effect on data, productivity, goodwill, health and safety, or compliance). Score the benefit to the business of documenting the procedure (e.g. throughput improvements or knowledge transfer).
    4. Different procedures require different formats. Decide on one or more formats that can help you effectively document the procedure:
      • Flowcharts: Depict workflows and decision points. Provide an at-a-glance view that is easy to follow. Can be supported by checklists and diagrams where more detail is required.
      • Checklists: A reminder of what to do, rather than how to do it. Keep instructions brief.
      • Diagrams: Visualize objects, topologies, and connections for reference purposes.
      • Tables: Establish relationships between related categories.
      • Prose: Use full-text instructions where other documentation strategies are insufficient.

    Modify the following Info-Tech templates for larger SOPs

    Support these processes...

    ...with these blueprints...

    ...to create SOPs using these templates.

    An icon for the 'DSS04 DR and Business Continuity' template. Create a Right-Sized Disaster Recovery Plan DRP Summary
    An icon for the 'BAI09 Asset Management' template. Implement IT Asset Management HAM SOP and SAM SOP
    An icon for the 'BAI06 Change Management' template. An icon for the 'BAI07 Release Management' template. Optimize Change Management Change Management SOP
    An icon for the 'DSS02 Service Desk' template. An icon for the 'DSS03 Incident and Problem Management' template. Standardize the Service Desk Service Desk SOP

    Use tabletop planning or whiteboards to draft workflows

    Associated Activity icon 3(b) 30 minutes

    Tabletop planning is a paper-based exercise in which your team walks through a particular process and maps out what happens at each stage.

    OUTPUT: Steps in the current process for one SOP

    Materials: Tabletop, pen, and cue cards

    Participants: Process owners, SMEs

    1. For this exercise, choose one particular process to document.
    2. Document each step of the process on cue cards, which can be arranged on the table in sequence.
    3. Be sure to include task ownership in your steps.
    4. Map out the process as it currently happens – we’ll think about how to improve it later.
    5. Keep focused. Stay on task and on time.

    Example:

    • Step 3: PM reviews new defects daily
    • Step 4: PM assigns defects to tech leads
    • Step 5: Assigned resource updates status – frequency is based on ticket priority

    Info-Tech Insight

    Don’t get weighed down by tools. Relying on software or other technological tools can detract from the exercise. Use simple tools such as cue cards to record steps so that you can easily rearrange steps or insert steps based on input from the group.

    Collaborate to optimize the SOP

    Associated Activity icon 3(c) 30 minutes

    Review the tabletop exercise. What gaps exist in current processes?
    How can the processes be made better? What are the outputs and checkpoints?

    OUTPUT: Identify steps to optimize the SOP

    Materials: Tabletop, pen, and cue cards

    Participants: Process owners, SMEs

    Example:

    • Step 3: PM reviews new defects daily
    • NEW STEP: Schedule 10-minute daily defect reviews with PM and tech leads to evaluate ticket priority
    • Step 4: PM assigns defects to tech leads
    • Step 5: Assigned resource updates status – frequency is based on ticket priority
      • Step 5 Subprocess: Ticket status update
      • Step 5 Output: Ticket status moved to OPEN by assigned resource – acknowledges receipt by assigned resource

    A note on colors: Use white cards to record steps. Record gaps on yellow cards (e.g. a process step not documented) and risks on red cards (e.g. only one person knows how to execute a step) to highlight your gaps/to-dos and risks to be mitigated or accepted.

    If it’s necessary to clarify complex process flows during the exercise, you can also use green cards for decision diamonds, purple for document/report outputs, and blue for subprocesses.

    PHASE 3: Document Effective Procedures

    Step 3.2: Document effective procedures

    This step will walk you through the following activities:

    • Document workflows, checklists, and diagrams
    • Establish a cadence for document review and updates

    This step involves the following participants:

    • Infrastructure Manager
    • Technical Writer

    Results & Insights

    • Results: Improved SOP documentation and document management practices.
    • Insights: It’s possible to keep up with changes if you put the right cues and accountabilities in place. Include document review in project and change management procedures and hold staff accountable for completion.

    Document workflows with flowcharting software

    Suggestions for workflow documentation

    • Whether you draft the workflow on a whiteboard or using cue cards, the first iteration is usually messy. Clean up the flow as you document the results of the exercise.
    • Make the workflow as simple as possible and no simpler. Eliminate any decision points that aren’t strictly necessary to complete the procedure.
    • Use standard flowchart shapes (see next slide).
    • Use links to connect to related documentation.
    • Review the documented workflow with participants.

    Download the following workflow examples:

    Establish flowcharting standards

    If you don’t have existing flowchart standards, then keep it simple and stick to basic flowcharting conventions as described below.

    Basic flowcharting convention: a circle can be used for 'Start, End, and Connector'. Start, End, and Connector: Traditional flowcharting standards reserve this shape for connectors to other flowcharts or other points in the existing flowchart. Unified Modeling Language (UML) also uses the circle for start and end points.
    Basic flowcharting convention: a rounded rectangle can be used for 'Start and End'. Start and End: Traditional flowcharting standards use this for start and end. However, Info-Tech recommends using the circle shape to reduce the number of shapes and avoid confusion with other similar shapes.
    Basic flowcharting convention: a rectangle can be used for 'Process Step'. Process Step: Individual process steps or activities (e.g. create ticket or escalate ticket). If it’s a series of steps, then use the subprocess symbol and flowchart the subprocess separately.
    Basic flowcharting convention: a rectangle with double-line on the ends can be used for 'Subprocess'. Subprocess: A series of steps. For example, a critical incident SOP might reference a recovery process as one of the possible actions. Marking it as a subprocess, rather than listing each step within the critical incident SOP, streamlines the flowchart and avoids overlap with other flowcharts (e.g. the recovery process).
    Basic flowcharting convention: a diamond can be used for 'Decision'. Decision: Represents decision points, typically with Yes/No branches, but you could have other branches depending on the question (e.g. a “Priority?” question could branch into separate streams for Priority 1, 2, 3, 4, and 5 issues).
    Basic flowcharting convention: a rectangle with a wavy bottom can be used for 'Document/Report Output'. Document/Report Output: For example, the output from a backup process might include an error log.

    Support workflows with checklists and diagrams

    Diagrams

    • Diagrams are a visual representation of real-world phenomena and the connections between them.
    • Be sure to use standard shapes. Clearly label elements of the diagram. Use standard practices, including titles, dates, authorship, and versioning.
    • IT systems and interconnections are layered. Include physical, logical, protocol, and data flow connections.

    Examples:

    • XMPL Recovery Workflows
    • Workflow Library

    Checklists

    • Checklists are best used as short-form reminders on how to complete a particular task.
    • Remember the audience. If the process will be carried out by technical staff, there’s technical background material you won’t need to spell out in detail.

    Examples:

    • Employee Termination Process Checklist
    • XMPL Systems Recovery Playbook

    Establish a cadence for documentation review and maintenance

    Lock-in the work with strong document management practices.

    • Identify documentation requirements as part of project planning.
    • Require a manager or supervisor to review and approve SOPs.
    • Check documentation status as part of change management.
    • Hold staff accountable for documentation.

    "It isn’t unusual for us to see infrastructure or operations documentation that is wildly out of date. We’re talking months, even years. Often it was produced as one big effort and then not reliably maintained." (Gary Patterson, Consultant, Quorum Resources)

    Only a quarter of organizations update SOPs as needed

    A bar chart representing how often organizations update SOPs. Each option has two bars, one representing 'North America', the other representing 'Europe and Asia'. 'Never or rarely' is 11% in North America and 3% in Europe and Asia. 'Ad-hoc approach' is 38% in North America and 28% in Europe and Asia. 'For audits/annual reviews' is 33% in North America and 45% in Europe and Asia. 'As needed/via change management' is 18% in North America and 25% in Europe and Asia. Source: Info-Tech Research Group (N=104)

    Info-Tech Best Practice

    Use Info-Tech’s research Create Visual SOP Documents to further evaluate document management practices and toolsets.

    Phase 3: Review accomplishments

    Workflow documentation: Cue cards into flowcharts

    Summary of Accomplishments

    • Identified priority procedures for documentation activities.
    • Created procedure documentation in the appropriate format and level of granularity to support Infra & Ops policies.
    • Published and maintained procedure documentation.

    Research contributors and experts

    Carole Fennelly, Owner
    cFennelly Consulting

    Picture of Carole Fennelly, Owner, cFennelly Consulting.

    Carole Fennelly provides pragmatic cyber security expertise to help organizations bridge the gap between technical and business requirements. She authored the Center for Internet Security (CIS) Solaris and Red Hat benchmarks, which are used globally as configuration standards to secure IT systems. As a consultant, Carole has defined security strategies, and developed policies and procedures to implement them, at numerous Fortune 500 clients. Carole is a Certified Information Security Manager (CISM), Certified Security Compliance Specialist (CSCS), and Certified HIPAA Professional (CHP).

    Marko Diepold, IT Audit Manager
    audit2advise

    Picture of Marko Diepold, IT Audit Manager, audit2advise.

    Marko is an IT Audit Manager at audit2advise, where he delivers audit, risk advisory, and project management services. He has worked as a Security Officer, Quality Manager, and Consultant at some of Germany’s largest companies. He is a CISA and is ITIL v3 Intermediate and ITGCP certified.

    Research contributors and experts

    Martin Andenmatten, Founder & Managing Director
    Glenfis AG

    Picture of Martin Andenmatten, Founder and Managing Director, Glenfis AG.

    Martin is a digital transformation enabler who has been involved in various fields of IT for more than 30 years. At Glenfis, he leads large Governance and Service Management projects for various customers. Since 2002, he has been the course manager for ITIL® Foundation, ITIL® Service Management, and COBIT training. He has published two books on ISO 20000 and ITIL.

    Myles F. Suer, CIO Chat Facilitator
    CIO.com/Dell Boomi

    Picture of Myles F. Suer, CIO Chat Facilitator, CIO.com/Dell Boomi.

    Myles Suer, according to LeadTails, is the number 9 influencer of CIOs. He is also the facilitator for the CIOChat, which has executive-level participants from around the world in such industries as banking, insurance, education, and government. Myles is also the Industry Solutions Marketing Manager at Dell Boomi.

    Research contributors and experts

    Peter Sheingold, Portfolio Manager
    Cybersecurity, Homeland Security Center, The MITRE Corporation

    Picture of Peter Sheingold, Portfolio Manager, Cybersecurity, Homeland Security Center, The MITRE Corporation.

    Peter leads tasks that involve collaboration with the Department of Homeland Security (DHS) sponsors and MITRE colleagues and connect strategy, policy, organization, and technology. He brings a deep background in homeland security and strategic analysis to his work with DHS in the immigration, border security, and cyber mission spaces. Peter came to MITRE in 2005 but has worked with DHS from its inception.

    Robert D. Austin, Professor
    Ivey Business School

    Picture of Robert D. Austin, Professor, Ivey Business School.

    Dr. Austin is a professor of Information Systems at Ivey Business School and an affiliated faculty member at Harvard Medical School. Before his appointment at Ivey, he was a professor of Innovation and Digital Transformation at Copenhagen Business School, and, before that, a professor of Technology and Operations Management at the Harvard Business School.

    Research contributors and experts

    Ron Jones, Director of IT Infrastructure and Service Management
    DATA Communications

    Picture of Ron Jones, Director of IT Infrastructure and Service Management, DATA Communications.

    Ron is a senior IT leader with over 20 years of management experiences from engineering to IT Service Management and operations support. He is known for joining organizations and leading enhanced process efficiency and has improved software, hardware, infrastructure, and operations solution delivery and support. Ron has worked for global and Canadian firms including BlackBerry, DoubleClick, Cogeco, Infusion, Info-Tech Research Group, and Data Communications Management.

    Scott Genung, Executive Director of Networking, Infrastructure, and Service Operations
    University of Chicago

    Picture of Scott Genung, Executive Director of Networking, Infrastructure, and Service Operations, University of Chicago.

    Scott is an accomplished IT executive with 26 years of experience in technical and leadership roles. In his current role, Scott provides strategic leadership, vision, and oversight for an IT portfolio supporting 31,000 users consisting of services utilized by campuses located in North America, Asia, and Europe; oversees the University’s Command Center; and chairs the UC Cyberinfrastructure Alliance (UCCA), a group of research IT providers that collectively deliver services to the campus and partners.

    Research contributors and experts

    Steve Weil, CISSP, CISM, CRISC, Information Security Director, Cybersecurity Principal Consultant
    Point B

    Picture of Steve Weil, CISSP, CISM, CRISC, Information Security Director, Cybersecurity Principal Consultant, Point B.

    Steve has 20 years of experience in information security design, implementation, and assessment. He has provided information security services to a wide variety of organizations, including government agencies, hospitals, universities, small businesses, and large enterprises. With his background as a systems administrator, security consultant, security architect, and information security director, Steve has a strong understanding of both the strategic and tactical aspects of information security. Steve has significant hands-on experience with security controls, operating systems, and applications. Steve has a master's degree in Information Science from the University of Washington.

    Tony J. Read, Senior Program/Project Lead & Interim IT Executive
    Read & Associates

    Picture of Tony J. Read, Senior Program/Project Lead and Interim IT Executive, Read and Associates.

    Tony has over 25 years of international IT leadership experience, within high tech, computing, telecommunications, finance, banking, government, and retail industries. Throughout his career, Tony has led and successfully implemented key corporate initiatives, contributing millions of dollars to the top and bottom line. He established Read & Associates in 2002, an international IT management and program/project delivery consultancy practice whose aim is to provide IT value-based solutions, realizing stakeholder economic value and network advantage. These key concepts are presented in his new book: The IT Value Network: From IT Investment to Stakeholder Value, published by J. Wiley, NJ.

    Related Info-Tech research

    • Develop and Deploy Security Policies
    • Develop an Availability and Capacity Management Plan
    • Improve IT Operations Management
    • Develop an IT Infrastructure Services Playbook
    • Create a Right-Sized Disaster Recovery Plan
    • Develop a Business Continuity Plan
    • Implement IT Asset Management
    • Optimize Change Management
    • Standardize the Service Desk
    • Incident and Problem Management
    • Design & Build a User-Facing Service Catalog

    Bibliography

    “About Controls.” Ohio University, ND. Web. 2 Feb 2018.

    England, Rob. “How to implement ITIL for a client?” The IT Skeptic. Two Hills Ltd, 4 Feb. 2010. Web. 2018.

    “Global Corporate IT Security Risks: 2013.” Kaspersky Lab, May 2013. Web. 2018.

    “Information Security and Technology Policies.” City of Chicago, Department of Innovation and Technology, Oct. 2014. Web. 2018.

    ISACA. COBIT 5: Enabling Processes. International Systems Audit and Control Association. Rolling Meadows, IL.: 2012.

    “IT Policy & Governance.” NYC Information Technology & Telecommunications, ND. Web. 2018.

    King, Paula and Kent Wada. “IT Policy: An Essential Element of IT Infrastructure”. EDUCAUSE Review. May-June 2001. Web. 2018.

    Luebbe, Max. “Simplicity.” Site Reliability Engineering. O’Reilly Media. 2017. Web. 2018.

    Swartout, Shawn. “Risk assessment, acceptance, and exception with a process view.” ISACA Charlotte Chapter September Event, 2013. Web. 2018.

    “User Guide to Writing Policies.” Office of Policy and Efficiency, University of Colorado, ND. Web. 2018.

    “The Value of Policies and Procedures.” New Mexico Municipal League, ND. Web. 2018.

    Implement and Optimize Application Integration Governance

    • Buy Link or Shortcode: {j2store}361|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Enterprise Integration
    • Parent Category Link: /enterprise-integration
    • Enterprises begin integrating their applications without recognizing the need for a managed and documented governance model.
    • Application Integration (AI) is an inherently complex concept, involving the communication among multiple applications, groups, and even organizations; thus developing a governance model can be overwhelming.
    • The options for AI Governance are numerous and will vary depending on the size, type, and maturity of the organization, adding yet another layer of complexity.

    Our Advice

    Critical Insight

    • Governance is essential with integrated applications. If you are planning to integrate your applications, you should already be considering a governance model.
    • Proper governance requires oversight into chains of responsibility, policy, control mechanisms, measurement, and communication.
    • People and process are key. Technology options to aid in governance of integrated apps exist, but will not greatly contribute to the success of AI.

    Impact and Result

    • Assess your capabilities and determine which area of governance requires the most attention to achieve success in AI.
    • Form an Integration Center of Competency to oversee AI governance to ensure compliance and increase success.
    • Conduct ongoing training with your personnel to ensure up-to-date skills and end user understanding.
    • Frequently revisit your AI governance strategy to ensure alignment with business goals.

    Implement and Optimize Application Integration Governance Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Implement and optimize Application Integration Governance

    Know where to start and where to focus your attention in the implementation of an AI governance strategy.

    • Storyboard: Implement and Optimize Application Integration Governance

    2. Assess the organization's capabilities in AI Governance

    Assess your current and target states in AI Governance.

    • Application Integration Governance Gap Analysis Tool

    3. Create an Integration Center of Competency

    Have a governing body to oversee AI Governance.

    • Integration Center of Competency Charter Template

    4. Establish AI Governance principles and guidelines

    Create a basis for the organization’s AI governance model.

    • Application Integration Policy and Principles Template

    5. Create an AI service catalog

    Keep record of services and interfaces to reduce waste.

    • Integration Service Catalog Template
    [infographic]

    2020 Applications Priorities Report

    • Buy Link or Shortcode: {j2store}159|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Optimization
    • Parent Category Link: /optimization
    • Although IT may have time to look at trends, it does not have the capacity to analyze the trends and turn them into initiatives.
    • IT does not have time to parse trends for initiatives that are relevant to them.
    • The business complains that if IT does not pursue trends the organization will get left behind by cutting-edge competitors. At the same time, when IT pursues trends, the business feels that IT is unable to deal with the basic issues.

    Our Advice

    Critical Insight

    • Take advantage of a trend by first understanding why it is happening and how it is actionable. Build momentum now. Breaking a trend into bite-sized initiatives and building them into your IT foundations enables the organization to maintain pace with competitors and make the technological leap.
    • The concepts of shadow IT and governance are critical. As it becomes easier for the business to purchase its own applications, it will be essential for IT to embrace this form of user empowerment. With a diminished focus on vendor selection, IT will drive the most value by directing its energy toward data and integration governance.

    Impact and Result

    • Determine how to explore, adopt, and optimize the technology and practice initiatives in this report by understanding which core objective(s) each initiative serves:
      • Optimize the effectiveness of the IT organization.
      • Boost the productivity of the enterprise.
      • Enable business growth through technology.

    2020 Applications Priorities Report Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief for a summary of the priorities and themes that an IT organization should focus on this year.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Read the 2020 Applications Priorities Report

    Use Info-Tech's 2020 Applications Priorities Report to learn about the five initiatives that IT should prioritize for the coming year.

    • 2020 Applications Priorities Report Storyboard
    [infographic]

    Get Started With Artificial Intelligence

    • Buy Link or Shortcode: {j2store}345|cart{/j2store}
    • member rating overall impact: 9.4/10 Overall Impact
    • member rating average dollars saved: $24,469 Average $ Saved
    • member rating average days saved: 18 Average Days Saved
    • Parent Category Name: Business Intelligence Strategy
    • Parent Category Link: /business-intelligence-strategy
    • It is hard to not hear about how AI is revolutionizing the world. Across all industries, new applications for AI are changing the way humans work and how we interact with technologies that are used in modern organizations.
    • It can be difficult to see the specific applications of AI for your business. With all of the talk about the AI revolution, it can be hard to tie the rapidly changing and growing field of AI to your industry and organization and to determine which technologies are worth serious time and investment, and which ones are too early and not worth your time.

    Our Advice

    Critical Insight

    • AI is not a magic bullet. Instead, it is a tool for speeding up data-driven decision making. A more appropriate term for current AI technology is data-enabled, automated, adaptive decision support. Use when appropriate.
    • Garbage in, garbage out still applies to AI ‒ and it is even more relevant! AI technology has its foundations in data. Lots of it. Relevant, accurate, and timely data is essential to the effective use of AI.
    • AI is a rapidly evolving field – and this means that you can learn from others more effectively. Using a use case-based approach, you can learn from the successes and failures of others to more rapidly narrow down how AI can show value for you.

    Impact and Result

    • Understand what AI really means in practice.
    • Learn what others are doing in your industry to leverage AI technologies for competitive advantage.
    • Determine the use cases that best apply to your situation for maximum value from AI in your environment.
    • Define your first AI proof-of-concept (PoC) project to start exploring what AI can do for you.
    • Separate the signal from the noise when wading through the masses of marketing material around AI.

    Get Started With Artificial Intelligence Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to get up to speed with the rapid changes in AI technologies taking over the world today, review Info-Tech’s methodology, and understand the four ways we can support you on your AI journey.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Explore the possibilities

    Understand what AI really is in the modern world and how AI technologies impact the business functions.

    • Get Started With Artificial Intelligence – Phase 1: Explore the Possibilities

    2. Learn from your peers and give your AI a purpose

    Develop a good understanding of where AI is delivering value in your industry and other verticals. Determine the top three business goals to get value from your AI and give your AI a purpose.

    • Get Started With Artificial Intelligence – Phase 2: Learn From Your Peers and Give Your AI a Purpose

    3. Select your first AI PoC

    Brainstorm your AI PoC projects, prioritize and sequence your AI ideas, select your first AI PoC, and create a minimum viable business case for this use case.

    • Get Started With Artificial Intelligence – Phase 3: Select Your First AI PoC
    • Idea Reservoir Tool
    • Minimum Viable Business Case Document
    • Prototyping Workbook
    [infographic]

    2024 Tech Trends

    • Buy Link or Shortcode: {j2store}289|cart{/j2store}
    • member rating overall impact: 10
    • Parent Category Name: Innovation
    • Parent Category Link: /improve-your-core-processes/strategy-and-governance/innovation

    AI has revolutionized the landscape, placing the spotlight firmly on the generative enterprise.

    The far-reaching impact of generative AI across various sectors presents fresh prospects for organizations to capitalize on and novel challenges to address as they chart their path for the future. AI is more than just a fancy auto-complete. At this point it may look like that, but do not underestimate the evolutive power.

    In this year's Tech Trends report, we explore three key developments to capitalize on these opportunities and three strategies to minimize potential risks.

    Generative AI will take the lead.

    As AI transforms industries and business processes, IT and business leaders must adopt a deliberate and strategic approach across six key domains to ensure their success.

    Seize Opportunities:

    • Business models driven by AI
    • Automation of back-office functions
    • Advancements in spatial computing

    Mitigate Risks:

    • Ethical and responsible AI practices
    • Incorporating security from the outset
    • Ensuring digital sovereignty

    Implement a Transformative IVR Experience That Empowers Your Customers

    • Buy Link or Shortcode: {j2store}68|cart{/j2store}
    • member rating overall impact: 8.5/10 Overall Impact
    • member rating average dollars saved: $6,499 Average $ Saved
    • member rating average days saved: 15 Average Days Saved
    • Parent Category Name: Development
    • Parent Category Link: /development
    • Today’s customers expect a top-tier experience when interacting with businesses.
    • The advancements in IVR technology mean that IT departments are managing added complexity in drafting a strategy for a top-tier IVR approach.
    • Implementing best practices and the right enabling technology stack is critical to supporting world-class customer experience through IVR.

    Our Advice

    Critical Insight

    • Don’t assume that contact centers and IVR systems are relics of the past. Customers still look to phone calls as being the most effective way to get a fast answer.
    • Tailor your IVR system for your customers. There is no “one-size-fits-all” approach – understand your key customer demographics and support their experience by implementing the most effective strategies for them.
    • Don’t buy best of breed, buy best for you. Base your enabling technology selection on your requirements and use cases, not on the latest industry trends and developments.

    Impact and Result

    • Before selecting and deploying technology solutions, create a database of common customer pain points and FAQs to act as an outline for the call flow tree.
    • Understand and apply operational best practices, such as ensuring proper call menu organization and using self-service applications, to improve IVR metrics and, ultimately, the customer experience.
    • Understand emerging technologies and evolving trends in the IVR space, including natural language processing and integrating your IVR with other essential enterprise applications (e.g. customer relationship management platforms).

    Implement a Transformative IVR Experience That Empowers Your Customers Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Transformative IVR Experience Deck – A deck outlining the best strategies and enabling technologies to implement in your IVR approach to improve your customer experience.

    This storyboard offers insight into impactful strategies and beneficial enabling technologies to implement in your IVR approach to improve your customers’ experience and to reduce the load on your support staff. This deck outlines IT’s role in the IVR development process, offering insight into how to develop an effective IVR call flow and providing details on relevant enabling technologies to consider implementing to further improve your offering.

    • Implement a Transformative IVR Experience That Empowers Your Customers – Phases 1-4

    2. IVR Call Flow Template – A template designed to help you build an effective call flow tree by providing further insight into how to better understand your customers.

    This template demonstrates an ideal IVR approach, outlining a sample call flow for a telecommunications company designed to meet the needs of a curated customer persona. Use this template to gain a better understanding of your own key customers and to construct your own call flow tree.

    • Create an IVR Call Flow That Empowers Your Customers
    [infographic]

    Further reading

    Implement a Transformative IVR Experience That Empowers Your Customers

    Learn the strategies that will allow you to develop an effective interactive voice response (IVR) framework that supports self-service and improves customer experience.

    Stop! Are you ready for this project?

    This Research Is Designed For:

    • Business analysts, application directors/managers, and customer service leaders tasked with developing and executing a technology enablement strategy for optimizing their contact center approach.
    • Any organization aiming to improve its customer experience by implementing a customer-centric approach to over-the-phone service via an IVR system.

    This Research Will Help You:

    • Adopt the best strategies for outlining an effective IVR approach and for transforming an existing IVR system.
    • Improve customer experience and ultimately customer satisfaction by enabling you to create a more efficient IVR call flow tree.
    • Select the proper IVR strategies to focus on based on the maturity level of your organization's call center.
    • Review the "art of the possible" and learn of the latest developments in successful IVR execution.
    • Learn IT's role in developing a successful IVR system and in developing a technology strategy that optimizes your IVR approach.

    Executive Summary

    Your Challenge

    • Today's customers expect a top-tier experience when interacting with businesses.
    • The advancements in IVR technology mean that IT departments are managing added complexity in drafting a strategy for a top-tier IVR approach.
    • Implementing best practices and the right enabling technology stack is critical to supporting world-class customer experience through IVR.

    Common Obstacles

    • Many organizations do not have a clear understanding of customers' drivers for contacting their IVR.
    • As many contact centers look to improve the customer experience, the need for an impactful IVR system has markedly increased. The proliferation of recommendations for IVR best practices and related technologies has made it difficult to identify and implement the right approach.
    • With a growing number of IVR-related requests, IT must be prepared to speak intelligently about requirements and the "art of the possible."

    Info-Tech's Approach

    • Before selecting and deploying technology solutions, create a database of common customer call drivers to act as an outline for the call flow tree.
    • Understand and apply operational best practices, such as ensuring proper call menu organization and using self-service applications, to improve IVR metrics and, ultimately, the customer experience.
    • Understand evolving trends and emerging technologies in the IVR space, including offering personalized service and using natural language processing/conversational AI.

    Info-Tech Insight

    Tailor your IVR system specifically for your customers. There is no one-size-fits-all approach. Understand your key customers and support their experience by implementing the most effective strategies for them.

    Voice is still the dominant way in which customers choose to receive support

    Despite the contrary beliefs that the preference for phone support and IVR systems is declining, studies have consistently shown that consumers still prefer receiving customer service over the phone.

    76%

    of customers prefer the "traditional" medium of phone calls to reach customer support agents.

    50%

    of customers across all age groups generally use the phone to contact customer support, making it the most-used customer service channel.

    Your IVR approach can make or break your customers' experience

    The feelings that customers are left with after interacting with contact centers and support lines has a major impact on their future purchase decisions

    Effective IVR systems provide customers with positive experiences, keeping them happy and satisfied. Poorly executed IVR systems leave customers feeling frustrated and contribute to an overall negative experience. Negative experiences with your IVR system could lead to your customers taking their business elsewhere.

    In fact, research by Haptik shows that an average of $262 per customer is lost each year due to poor IVR experiences ("7 Conversational IVR Trends for 2021 and Beyond," Haptik, 2021).

    50%

    of customers have abandoned their business transactions while dealing with an IVR system.

    Source: Vonage, 2020

    45%

    of customers will abandon a business altogether due to a poor IVR experience.

    Source: "7 Remarkable IVR Trends For the Year 2022 And Beyond," Haptik, 2021

    IVR systems only improve your customers' experience when done properly

    There are many common mistakes that organizations make when implementing their own IVR strategies:

    1. Offering too many menu options. IVR systems are supposed to allow customers to resolve their inquiries quickly, so it is integral that you organize your menu effectively. Less is more when it comes to your IVR call flow tree.
    2. A lack of self-service capabilities. IVR systems are meant to maximize customer service and improve the customer experience by offering self-service functionality. If resolutions for common issues can't be found through IVR, your return on investment (ROI) is limited.
    3. Having callers get stuck in an "IVR loop." Customers caught hearing the same information repeatedly will often abandon their call. Don't allow customers to get "tangled" in your call flow tree; always make human contact an option.
    4. Not offering personalized service. The inability to identify customers by their number or other identifying features leads to poor personalization and time wasted repeating information, contributing to an overall negative experience.
    5. Not updating the IVR system. By not taking advantage of new developments in IVR technology and by not using customer and employee feedback to upgrade your offering, you are missing out on the potential to improve your customers' experience. Complacency kills, and your organization will be at a competitive disadvantage because of it.

    Implement a transformative IVR approach that empowers your customers

    Call flow trees don't grow overnight; they require commitment, nurturing, and care

    1. Focus on the Roots of Your Call Flow Tree
      • Your call flow tree will only grow as strong as the roots allow it; begin beneath the surface by understanding the needs of your customers and the goals of your organization first, before building your initial IVR menu.
    2. Allow Customers the Opportunity to Branch Out
      • Empower your customers by directing your call flow tree to self-service applications where possible and to live agents when necessary.
    3. Let Your Call Flow Tree Flourish
      • Integrate your IVR with other relevant business applications and apply technological developments that align with the needs of your customers and the goals of your organization.
    4. Keep Watering Your Call Flow Tree
      • Don't let your call flow tree die! Elicit feedback from relevant stakeholders and develop an iterative review cycle to identify and implement necessary changes to your call flow tree, ensuring continued growth.

    IT plays an integral role in supporting the IVR approach

    IT is responsible for providing technology enablement of the IVR strategy

    While IT may not be involved in organizing the call flow tree itself, their impact on an organization's IVR approach is undeniable. Not only will IT assist with the implementation and integration of your IVR system, they will also be responsible for maintaining the technology on an ongoing basis. As such, IT should be a part of your organization's software selection team, following Info-Tech's methodology for optimizing your software selection process.

    • With an understanding of the organization's customer experience management strategy and business goals, IT should be looked toward to:
    • Provide insight into the "art of the possible" with IVR systems.
    • Recommend enabling technologies relative to your call center's maturity (e.g. agent assist and natural language processing).
    • Outline integration capabilities with your existing application portfolio.
    • Highlight any security concerns.
    • Assist with vendor engagement.
    • Take part in stakeholder feedback groups, consulting with agents about their pain points and attempting to solve their problems.

    Guided Implementation

    What does a typical GI on this topic look like?

    Focus on the Roots of Your Call Flow Tree

    Allow Customers the Opportunity to Branch Out Let Your IVR Call Flow Tree Flourish Keep Watering Your Call Flow Tree

    Call #1: Introduce the project, scoping customer call drivers and defining metrics of success.

    Call #3: Discuss the importance of promoting self-service and how to improve call routing processes, assessing the final tiers of the IVR.

    Call #4: Discuss the benefits of integrating your IVR within your existing business architecture and using relevant enabling technologies.

    Call #5: Discuss how to elicit feedback from relevant stakeholders and develop an iterative IVR review cycle, wrapping up the project.

    Call #2: Begin assessing initial IVR structure.

    A Guided Implementation (GI) is a series

    of calls with an Info-Tech analyst to help implement our best practices in your organization.

    A typical GI is 5 to 7 calls over the course of 4 to 6 months.

    Phase 1

    Focus on the Roots of Your Call Flow Tree

    Phase 1

    Phase 2

    Phase 3

    Phase 4

    1.1 Understand your customers

    1.2 Develop goals for your IVR

    1.3 Align goals with KPIs

    1.4 Build your initial IVR menu

    2.1 Build the second tier of your IVR menu

    2.2 Build the third tier of your IVR menu

    3.1 Learn the benefits of a personalized IVR

    3.2 Review new technology to apply to your IVR

    4.1 Gather insights on your IVR's performance

    4.2 Create an agile review method

    This phase will walk you through the following activities:

    • Building a database of your customers' call drivers
    • Developing IVR-related goals and connecting them with your key performance indicators (KPIs)
    • Developing the first tier of your IVR menu

    This phase involves the following participants:

    • Business stakeholders (business analysts, application director/manager, customer service leaders)
    • IT project team

    Implement a Transformative IVR Approach That Empowers Your Customers

    Step 1.1

    Understand Your Customers

    This step will walk you through the following activity:

    1.1.1 Build a database of the reasons why your customers call your contact center

    Focus on the Roots of Your Call Flow Tree

    This step involves the following participants:

    • Business stakeholders (business analysts, application director/manager, customer service leaders)
    • IT project team

    Outcomes of this step

    • List of your customers' call drivers

    Help your customers get to where they need to go

    Understand which questions customers need answered the most and organize your IVR menu accordingly

    • With any IVR system, your primary focus should be creating a simple, easily navigated call flow. You not only want your customers to be able to find the solutions that they are looking for, but you want them to be able to do so easily and quickly.
    • In order to direct customers more efficiently, you need to understand why they're motivated to call your contact center. This will be different for every organization, so it requires a deeper understanding of your customers.
    • After understanding the motivators behind your customers' reasons for calling, you'll be able to organize your call flow tree effectively.
    • Assign the most popular reasons that customers call first in your IVR call flow. Organizing your call flow in such a way will ensure a quicker turn around time for customer inquiries, providing callers with the immediate resolution that they are seeking.

    "Call flows are the structure of a call center's interactive voice response (IVR). They define the path a caller takes to reach a resolution. The more efficient the flow, the quicker a resolution can be – thereby delivering a better caller experience."

    Thomas Randall, Ph.D.
    Senior Research Analyst
    Info-Tech Research Group

    1.1.1 Activity: Build a list of the most common reasons that your key customers call your contact center

    30 minutes

    1. As a group, review the reasons that customers call your contact center. This includes reviewing which questions are asked most frequently, what services are most often inquired about, and what pain points and complaints live agents hear most regularly.
    2. Organize each call driver from most to least popular based on how often they are heard.
    3. Record your findings.
    Input Output
    • List of common customer questions
    • List of common customer pain points/complaints
    • Database of customer call drivers
    Materials Participants
    • Whiteboard
    • Markers
    • Project team
    • Customer service leaders/live agents

    Info-Tech Insight

    To understand why your customers are calling, first you need to know who your customers are. Improve your caller understanding by creating customer personas.

    1.1.1 Activity: Build a list of the most common reasons that your key customers call your contact center

    Example

    Customer Call Drivers
    Need to pay a bill
    Complaints about an outage to their service
    Inquiry about new plans
    Need to update account information
    Complaints about their last bill

    Step 1.2

    Develop Goals for Your IVR

    This step will walk you through the following activity:

    1.2.1 Outline IVR-related goals relevant to your organization.

    Focus on the Roots of Your Call Flow Tree

    This step involves the following participants:

    • Business stakeholders (business analysts, application director/manager, customer service leaders)
    • IT project team

    Outcomes of this step

    • Goals for your organizational IVR

    Create IVR-related goals you wish for your organization to achieve

    Organizations across different industries will measure success in a multitude of ways; develop goals that are relevant to your needs and desires

    Based on your customer experience strategy and what industry you're in, the goals that you aim to accomplish will look different. A doctor's office will be more concerned with an accurate diagnosis and high first call resolution rate than low average talk time!

    Setting business goals relevant to your organization is only half of the battle; it's just as important to hold your organization accountable to those goals and measure your continued progress toward meeting them.

    1.2.1 Activity: Brainstorm a list of goals that you would like your organization to achieve when optimizing your IVR approach

    30 minutes

    1. In two to three groups, brainstorm goals related to your IVR that are relevant to your organization.
    2. Classify these goals as being either quick wins or part of a longer-term engagement based on the time they would take to accomplish.
    3. Introduce your goals to the entire group, coming to an agreement on the top goals that the organization should aim to achieve through implementing a new/transformed IVR approach.
    InputOutput
    • Customer experience strategy
    • Desired IVR-related achievements
    • Organizational IVR goals
    MaterialsParticipants
    • Whiteboard
    • Markers
    • Project team

    1.2.1 Activity: Brainstorm a list of goals that you would like your organization to achieve when optimizing your IVR approach

    Example

    Goal Designation
    Lower the average queue time Quick win
    Lower call abandonment rate Quick win
    Lower customer attrition Long-term
    Lower employee attrition Long-term
    Increase average speed of answer Quick win

    Step 1.3

    Align Your Goals With Your KPIs

    This step will walk you through the following activity:

    1.3.1 Review your organizational IVR goals and connect them with your key performance indicators (KPIs)

    Focus on the Roots of Your Call Flow Tree

    This step involves the following participants:

    • Business stakeholders (business analysts, application director/manager, customer service leaders)
    • IT project team

    Outcomes of this step

    • Metrics used to measure organizational success related to your IVR

    Ensure you are using the proper metrics for measuring the success of your call flow tree

    You won't know if your IVR is operating successfully if you don't know what success looks like for you. It is important to align your contact center KPIs with your business goals so you can hold your IVR system accountable.

    Example

    Metric Description Current Score Target Score [Date/Year]
    First call resolution
    Average abandonment rate
    Customer attrition
    Employee attrition
    Average queue time
    Service level
    Average speed of answer
    Average handle time
    Average call transfer rate
    Average talk time
    Customer self-service resolution
    Agent satisfaction
    Customer satisfaction

    1.3.1 Activity: Develop KPIs for your contact center and connect them to your organization's business goals

    30 minutes

    1. As a group, establish the metrics or KPIs that will be used to measure your progress against the organizational IVR goals created in Activity 1.2.1.
    2. Take note of your current score for each of your organizational goals and determine your target score.
    3. Attach a deadline or target date by which you would like to reach your target score. Target dates can vary based on whether your goal is classified as a quick win or part of a longer-term engagement.
    InputOutput
    • Organizational IVR goals
    • KPIs
    MaterialsParticipants
    • Whiteboard
    • Markers
    • Project team

    Step 1.4

    Build Your Initial IVR Menu

    This step will walk you through the following activity:

    1.4.1 Develop the first tier of your IVR menu, determining the initial selections that customers will have to choose from

    Focus on the Roots of Your Call Flow Tree

    This step involves the following participants:

    • Business stakeholders (business analysts, application director/manager, customer service leaders)
    • IT project team

    Outcomes of this step

    • Tier one of your IVR call flow tree

    Keep your IVR concise – minimize the length of your voice prompts and limit the depth of your menus

    You don't want to overload your customers with information. Providing your callers with overly detailed prompts and too many menu options will only lead to frustration, ultimately diminishing both the efficiency and the effectiveness of your IVR. Limiting the length of your voice prompts and the depth of your menus will lay out a clear path for your callers, increasing the likelihood that they are able to navigate your IVR accurately.

    Each of your IVR menus should provide your customers with no more than five selections.

    Your IVR should offer a maximum of three menu tiers.

    Each of your selection "descriptions" or voice prompts should be no longer than four seconds in length.

    Info-Tech Insight

    According to a study by Telzio (2020), introductory IVR messages that greet your customers and identify your company should be under 7.9 seconds in length. Longer introductions will only bore, frustrate, and overload the customer before the call really even begins.

    When developing your voice prompts, it is integral to speak clearly using simple and easily understood language

    • Speak clearly and stay away from industry-specific jargon to ensure that your voice prompts are widely understood by your customer base. This will allow callers to digest the information relayed through your IVR more accurately.
    • Part of increasing the retention of information communicated through your IVR is also ensuring that sufficient pauses are taken between each of your voice prompts. Just as you want to avoid overloading your customers with voice prompts that are too long and too detailed, you also want to give your callers adequate time to process the information that is being relayed to them.
    • Improving the ease of listening to your IVR will reduce the risk of overwhelming your callers and will increase the likelihood that they are able to follow along appropriately, directing themselves down the proper call flow.

    Info-Tech Insight

    Securing voice talent and be expensive and cumbersome. Consider using an automated voice through a text-to-speech solution for your prompts. This will ensure that all your prompts are consistent throughout your menus, and it also makes it significantly easier to provide crucial updates within your IVR system.

    When sufficient pauses are taken between menu options, input errors can be reduced by over…

    Source: Ansafone Contact Centers, 2019

    1.4.1 Activity: Begin building your call flow tree by developing the initial selections that customers will choose from when dialing into your IVR

    30 minutes

    1. Review the database of customer call drivers completed in Activity 1.1.1 to create the opening menu of your IVR call flow tree.
    2. Limit your selections/prompts to a maximum of five by grouping related questions, services, and complaints/pain points into broad categories.
    3. Organize your selections/prompts according to how often customers call in relating to that topic.

    Info-Tech Insight

    Remember: You don't need five selections! That is the maximum recommended number of prompts to use and will most likely be reserved for more complex call flows. More isn't always better. If you can limit your initial menu to fewer selections, then do so.

    InputOutput
    • Database of customer call drivers
    • Initial IVR menu
    MaterialsParticipants
    • Whiteboard
    • Markers
    • Project team

    1.4.1 Activity: Begin building your call flow tree by developing the initial selections that customers will choose from when dialing into your IVR

    Example

    IVR Initial Greeting

    1. For Billing and Payments

    2. To Report an Outage

    3. To Make Changes to Your Plan or Account

    Phase 2

    Allow Customers the Opportunity to Branch Out

    Phase 1

    Phase 2

    Phase 3

    Phase 4

    1.1 Understand your customers

    1.2 Develop goals for your IVR

    1.3 Align goals with KPIs

    1.4 Build your initial IVR menu

    2.1 Build the second tier of your IVR menu

    2.2 Build the third tier of your IVR menu

    3.1 Learn the benefits of a personalized IVR

    3.2 Review new technology to apply to your IVR

    4.1 Gather insights on your IVR's performance

    4.2 Create an agile review method

    This phase will walk you through the following activities:

    • Completing the second tier of your call flow tree
    • Completing the third and final tier of your call flow tree

    This phase involves the following participants:

    • Business stakeholders (business analysts, application director/manager, customer service leaders)
    • IT project team

    Implement a Transformative IVR Approach That Empowers Your Customers

    Step 2.1

    Build the Second Tier of Your IVR Menu

    This step will walk you through the following activity:

    • 2.1.1 Complete the second tier of your call flow tree, branching out from your initial menu

    Allow Customers the Opportunity to Branch Out

    This step involves the following participants:

    • Business stakeholders (business analysts, application director/manager, customer service leaders)
    • IT project team

    Outcomes of this step

    • Tier 2 of your IVR call flow tree

    An IVR system should empower your customers to solve problems on their own

    Integrate business applications into your IVR menus to enable self-service capabilities and automate processes where possible

    • An IVR system should assist your customer service team while also empowering your customers. This can be accomplished through offering self-service and using automated messaging via a broadcast messaging system.
    • Some common self-service practices include providing callers with the ability to check credit card statements, pay bills, and track shipments.
    • Automated messaging can be used to address common customer questions. For instance, if a company-wide issue exists, an automated message can outline the issue and highlight the approximate time for resolution, providing customers with the answer they were seeking while eliminating the need to speak to a live agent. This technique is commonly practiced by internet providers during outages.
    • Providing callers with the opportunity to find a resolution for themselves through self-service and automated messaging not only improves the customer experience but also frees up your customer service team for more pressing matters.

    73%

    of customers want to be provided with the ability to solve issues on their own.

    67%

    of customers prefer to use self-service options over speaking with a customer service representative.

    Source: Raffle, 2020

    2.1.1 Activity: Grow your call flow tree! Begin branching out from your initial menu options and develop the second tier of your IVR system

    30 minutes

    1. Branch out from your initial IVR menu created in Activity 1.4.1. Get more specific in your prompts, branching out from the general groupings you have created.
    2. Consult with your database of customer call drivers created in Activity 1.1.1 to organize your subgroupings, again prioritizing the services most sought and the questions, complaints, and pain points most frequently heard.
    3. Limit each subsection to a maximum of five prompts.

    Info-Tech Insight

    Always provide your callers with the option to go back to a previous menu or to have menu options repeated.

    InputOutput
    • Database of customer call drivers
    • Initial IVR menu
    • Second IVR menu
    MaterialsParticipants
    • Whiteboard
    • Markers
    • Project team

    2.1.1 Activity: Grow your call flow tree! Begin branching out from your initial menu options and develop the second tier of your IVR system

    Example

    This is an image of the sample flow tree from Activity 2.1.1


    Step 2.2

    Build the Third Tier of Your IVR Menu

    This step will walk you through the following activity:

    2.2.1 Complete your call flow tree by branching out your third and final tier of menu options.

    Allow Customers the Opportunity to Branch Out

    This step involves the following participants:

    • Business stakeholders (business analysts, application director/manager, customer service leaders)
    • IT project team

    Outcomes of this step

    • Third and final tier of your IVR call flow tree

    Provide your callers with the option to speak to a live agent – but not too soon

    While promoting self-service and automating certain processes will improve the functionality of your IVR, it is also important to realize that some issues will ultimately require human intervention. An effective IVR system harmonizes these concepts by making human contact an option, but not too early in the process. You need to find the right balance!

    When organizing your IVR call flow tree, you need to be conscious of sending clients in an endless "IVR loop." You should never have your IVR continually repeat its menu options. Customers will abandon an IVR if they are stuck in an IVR loop, being forced to listen to the same information repeatedly without having a way to reach an agent.

    If a problem cannot be solved within three steps or by the third tier of your IVR menus, callers should be provided with the option to speak to a live agent, if not automatically routed to one. By providing your callers with the option to speak to a live agent on the third tier of your IVR, you are still offering ample time for customers to discover an avenue to solve their issue on their own through self-service, without frustrating them by losing them in an endless loop of IVR options.

    30%

    of customers say that not being able to reach a human agent is the most frustrating aspect of a poor customer service experience.

    Source: ProProfs Chat, 2022

    Info-Tech Insight

    Consider routing callers to a live agent not only on the third tier of your IVR menus but also after three input errors. Multiple input errors can show an eagerness to speak to a representative or a strong misunderstanding of the IVR offering.

    How you direct a customer to a live agent can make all the difference

    Don't think that just offering your customers the option to speak to a live agent is enough. When aiming to significantly improve your customers' experience, how you direct calls to your live agents plays a major role. When a call is being directed to a live agent, be sure to:

    • Optimize your call routing and minimize call transfers. Use skills-based routing to direct your incoming client calls to the most suitable agent to resolve their issue. Inaccurately routing callers through your IVR leads to having to transfer the customer to another agent, which is a major contributor to a negative customer experience.
    • Include wait-time expectations and call-back functionality. There is no denying it: Waiting on hold can be a real pain. If a customer needs to go on hold, inform them of where they are in the queue and what the approximate wait time is. A little transparency can go a long way. You should also provide customers with the option to have a representative call them back. This greatly improves the customer experience, particularly when wait times are long.
    • Play useful on-hold messages. If a customer does decide to wait on the line to speak to a representative, ensure your on-hold messaging doesn't negatively impact their experience. Always have multiple songs and messages available to cycle through to limit customer annoyance. For on-hold messages, consider mentioning self-service capabilities available on other channels or providing company news and information on special promotions. Know your key customer demographics and plan your on-hold messaging accordingly.

    72%

    of customers view having to talk to multiple agents as poor customer service.

    Source: ProProfs Chat, 2022

    33%

    of customers highlight waiting on hold as being their biggest frustration.

    Source: EmailAnalytics, 2022

    2.2.1 Activity: Complete your call flow tree!

    30 minutes

    1. Branch out from the second tier of your IVR call flow tree created in Activity 2.1.1, connecting relevant prompts with self-service applications and automated responses. Keep in mind, most of your frequently asked questions can and should be directed toward an automated response.
    2. Direct all remaining prompts to a live agent, ensuring each selection from your second-tier menu is capped off appropriately.

    Info-Tech Insight

    Remember: Your IVR system doesn't live in isolation. The information offered by your IVR, particularly from automated messages, should be consistent with information found within other resources (e.g. online knowledge bases).

    InputOutput
    • Tier 1 and 2 of your IVR menus
    • Completed IVR call flow
    MaterialsParticipants
    • Whiteboard
    • Markers
    • Project team

    2.2.1 Activity: Complete your call flow tree!

    Example

    This is an image of the sample flow tree from Activity 2.2.1

    Phase 3

    Let Your IVR Call Flow Tree Flourish

    Phase 1

    Phase 2

    Phase 3

    Phase 4

    1.1 Understand your customers

    1.2 Develop goals for your IVR

    1.3 Align goals with KPIs

    1.4 Build your initial IVR menu

    2.1 Build the second tier of your IVR menu

    2.2 Build the third tier of your IVR menu

    3.1 Learn the benefits of a personalized IVR

    3.2 Review new technology to apply to your IVR

    4.1 Gather insights on your IVR's performance

    4.2 Create an agile review method

    This phase will walk you through the following activities:

    • Reviewing the benefits of offering personalized service
    • Reviewing new technologies offered in the IVR space

    This phase involves the following participants:

    • Business stakeholders (business analysts, application director/manager, customer service leaders)
    • IT project team

    Implement a Transformative IVR Approach That Empowers Your Customers

    Step 3.1

    Learn the Benefits of a Personalized IVR

    This step will walk you through the following activity:

    3.1.1 Review the benefits of offering personalized service, namely by connecting your IVR system with your customer knowledge base

    Let Your IVR Call Flow Tree Flourish

    This step involves the following participants:

    • Business stakeholders (business analysts, application director/manager, customer service leaders)
    • IT project team

    Outcomes of this step

    • Understanding the importance of offering personalized service

    Personalizing service is integral for improving your customer experience

    Integrate your IVR system with your customer relationship management (CRM) system or customer knowledge base of choice to provide support to your customers on a personal level.

    The integration of your IVR system with your CRM or other applicable knowledge base allows for customer data (e.g. customer history and previous interactions) to be accessible to your staff during calls. Access to this data allows for a deeper understanding of your customers and for personalization of service. This provides immediate benefits to your contact center that will improve your customer experience.

    When you inevitably do need to transfer a customer to another agent, they won't have to repeat their issue to a new representative, as all their information will now be easily accessible. Being forced to repeat themselves to multiple agents is a major cause of frustration for customers. This integration would also allow you to route callers to the previous agent that they dealt with whenever possible for the purpose of continuity, and it would enable you to implement other beneficial technologies as well.

    One such example is "agent assist." Agent assist is an AI bot that listens in on calls, learning customer context and automatically searching knowledge bases to help resolve queries without the agent having to put the caller on hold to manually perform that work themselves. Not only does agent assist improve customer resolution times, but it also ramps up onboarding time, allowing for new agents to enter the workforce and perform with confidence earlier.

    76%

    of consumers expect personalized experiences.

    71%

    of customers expect internal collaboration so that they don't have to repeat themselves.

    Source: Zendesk, 2019

    Personalization can empower your IVR in many ways

    Personalizing your IVR does much more than just provide your customer service representatives with conversational context. Personalization enables your IVR to recognize callers by their phone number, or even by voice via biometric authentication technologies.

    This advanced level of recognition allows your IVR to greet your callers by name, speak to them in their preferred language, send follow-up correspondence to their preferred method of communication (i.e. email or SMS), and even provide them with contact numbers and addresses for your organization's physical locations that are closest to them.

    An example of a more advanced functionality is having your IVR call flow personalized for each customer based on their call history. As customers call in, their data is collected, ultimately improving your IVR's ability to predict and understand caller intent. This makes personalized call flows possible. If customers typically call in to make payments, your IVR can logically deduce that their next call will be for the same reason, and it will alter the call menu to direct them to that functionality more efficiently.

    Step 3.2

    Review New Technology to Apply to Your IVR

    This step will walk you through the following activity:

    3.2.1 Review new technologies offered in the IVR space and understand their impact

    Let Your IVR Call Flow Tree Flourish

    This step involves the following participants:

    • Business stakeholders (business analysts, application director/manager, customer service leaders)
    • IT project team

    Outcomes of this step

    • Understanding of key technologies

    Let your customers tell you exactly what they need

    Use natural language processing and conversational AI to further advance your IVR offering

    Instead of making your customers work their way through your call flow tree to find out what they need, why not just ask them? Conversational IVR, also known as an "intuitive IVR system," makes this possible.

    Think Google Assistant, Siri, and Alexa. Your customers can simply tell you what they need and your conversational IVR, using the advancements in natural language processing and conversational AI, will take it from there, directing callers to the resources needed to resolve their issues.

    Powerful enough to understand full sentences and not just select words or phrases, the increased intelligence of a conversational IVR system allows it to handle complex customer inquiries. Leveraging machine learning capabilities, the system will only continue to improve its ability to understand caller intent, ultimately leading to increased call routing accuracy as it fields more and more calls.

    Info-Tech Insight

    Remember: Your customers want fast and easy, not overwhelming and confusing. Some customers who are greeted with an open-ended question from a conversational IVR may not be sure how to respond.

    Understand your key customer demographics and act accordingly. It may be beneficial to provide your callers with guidelines of what to say. Outlining appropriate responses that will guide your customers to their desired department quicker will boost their experience with your conversational IVR.

    There are a lot of benefits to implementing a conversational IVR

    • Putting your callers in control and offering a more humanized approach, conversational IVRs are the preferred first point of contact for customers.
    • Conversational IVRs reduce the time required to reach resolution and can handle more calls than a standard IVR.
    • Conversational IVRs allow for the collection of more relevant data. By not limiting callers to predetermined menu options, you can track the reasons behind customers' calls with more accuracy, using this data to drive future IVR developments.
    • Conversational IVRs are more cost-effective than standard IVRs. According to a report by IBM, companies world-wide spend over $1.3 trillion to address 256 billion customer calls annually. This means that each call a live agent addresses costs an average of $30 (Cognigy, 2020). With a conversational IVR, that cost can be reduced to one-eighth (ETCIO.com, 2020).
    • Conversational IVRs can be handle calls in multiple languages, offering improved scalability for companies operating multi-nationally.

    60%

    of callers will bypass the pre-recorded messages in a standard IVR to reach a human voice.

    Source: Cognigy, 2020

    66%

    of requests can be resolved faster by a conversational IVR than by a live agent.

    Source: Cognigy, 2020

    Despite this, only...

    28%

    of IVR systems contacted use voice response as their primary input method.

    Source: Telzio, 2020

    How do you know if a conversational IVR is right for your organization?

    Large, enterprise-level organizations that field a high volume of customer calls are more likely to receive the benefits and higher ROI from implementing a conversational IVR

    Instead of updating the entire IVR system and implementing a conversational IVR, smaller and mid-level organizations should consider attaching a natural language processing front-end to their existing IVR. Through this, you will be able to reap a lot of the same benefits you would if you were to upgrade to a conversational IVR.

    You can attach a natural language processing front-end to your existing IVR in two ways.

    1. Use an API to recognize your customer's voice prompts. Greet your customers with a question, such as "what is your reason for calling," as your initial IVR menu, and when your customer answers, their response will be sent to your selected API (Amazon Lex, IBM Watson, Google Dialogflow, etc.). The API will then process the customer's input and direct the caller to the appropriate branch of your call flow tree.
    2. Use a conversational AI platform to field your calls. Implement a conversational AI platform to be the first point of contact for your customers. After receiving and analyzing the input from your customers, the platform would then route your callers to your current IVR system and to the appropriate menu, whether that be to an automated message, a self-service application, or a live agent.

    Phase 4

    Keep Watering Your IVR Call Flow Tree

    Phase 1

    Phase 2

    Phase 3

    Phase 4

    1.1 Understand your customers

    1.2 Develop goals for your IVR

    1.3 Align goals with KPIs

    1.4 Build your initial IVR menu

    2.1 Build the second tier of your IVR menu

    2.2 Build the third tier of your IVR menu

    3.1 Learn the benefits of a personalized IVR

    3.2 Review new technology to apply to your IVR

    4.1 Gather insights on your IVR's performance

    4.2 Create an agile review method

    This phase will walk you through the following activities:

    • Understanding the importance of receiving feedback from relevant stakeholders and the best practices for obtaining feedback
    • Understanding the best practices for developing an ongoing review cycle

    This phase involves the following participants:

    • Business stakeholders (business analysts, application director/manager, customer service leaders)
    • IT project team

    Implement a Transformative IVR Approach That Empowers Your Customers

    Step 4.1

    Gather Insights on Your IVR's Performance

    This step will walk you through the following activity:

    4.1.1 Understand the importance of receiving feedback and review the best methods for obtaining it from your clients.

    Keep Watering Your IVR Call Flow Tree

    This step involves the following participants:

    • Business stakeholders (business analysts, application director/manager, customer service leaders)
    • IT project team

    Outcomes of this step

    • Understanding of the importance of receiving feedback and how to obtain it from customers

    Elicit feedback from your employees and from your customers

    Your live agents are on the proverbial front lines, fielding calls from customers daily. As such, they are the prime stakeholders for knowing what kinds of calls the organization receives and how often. Their input on the most frequent reasons that customers call, whether it be to address common pain points or to have FAQs answered, is invaluable. Ask them regularly for their feedback on how the IVR system is performing and which updates should be implemented.

    While improving the agent experience is a driver behind adopting an IVR system, the focus should always be improving your customer experience. So why wouldn't you ask your customers for their feedback on your IVR offering? Most customers don't only want to be asked to provide feedback, they expect to be asked. Have your agents ask your customers directly about their experience with your IVR or use the functions of your IVR to offer automated end-of-call surveys.

    Info-Tech Insight

    Many IVR systems are capable of recording calls. Listening back on previous calls is another great way to further understand how your IVR is performing, and it also can provide a glimpse into your customers' experience.

    Surveys provide great insight into your customers' level of satisfaction – not only with your IVR but also with your live agents

    Customer satisfaction score (CSAT) is a great way to determine how happy callers are with their experiences with your organization. CSAT surveys ask your clients outright how satisfied they are with their recent interaction and have them rate your service on a scale. While straightforward, the feedback received from CSAT surveys is more general and can lack depth.

    For more detailed responses, consider asking your clients an open-ended question as opposed to using a rating scale. This will provide you with a more specific understanding of your customers' experience. For this, an IVR system that supports voice transcription is best. Automated speech-to-text functionality will ensure rapid results.

    Another option is to offer a survey that includes skip logic. These multi-tiered surveys, much like an IVR call flow tree, direct your callers to different follow-up questions based on their previous answers. While capable of providing more insight into the customer experience, these surveys are only recommended for more complex service offerings.

    Customer feedback is vitally important

    Asking for feedback makes your callers feel valued, and it also provides your organization with extremely useful information – including an understanding of what you may need to change within your IVR

    90%

    of consumers believe that organizations should provide them with the opportunity to give customer feedback.

    Source: SmallBizGenius, 2022

    41%

    of customer support professionals say that CSAT is their team's most important KPI.

    Source: Hiver, 2022

    Step 4.2

    Create an Agile Review Method

    This step will walk you through the following activity:

    4.2.1 Understand the best practices for developing an ongoing review cycle for your IVR approach

    Keep Watering Your IVR Call Flow Tree

    This step involves the following participants:

    • Business stakeholders (business analysts, application director/manager, customer service leaders)
    • IT project team

    Outcomes of this step

    • Understanding of the importance of IVR maintenance and of the development of an iterative review cycle

    Create an agile review method to continually enhance your call flows

    • Track items
      • Elicit feedback from your key stakeholders (i.e. live agents) as part of a regular review – every month, two months, six months, or year – of your call flow tree's efficiency. Delve into the feedback elicited from your customers at the same intervals. Look for patterns and trends and record items accordingly.
    • Manage backlog
      • Store and organize your recorded items into a backlog, prioritizing items to implement in order of importance. This could be structured by way of identifying which items are a quick win vs. which items are part of a more strategic and long-term implementation.
    • Perform iteration
      • Record key metric scores and communicate the changes you have planned to stakeholders before you implement items. Then, make the change.
    • Be retrospective
      • Examine the success of the implementation by comparing your metric scores from before and after the change. Record instances where performing similar changes could be carried out better in future iterations.

    Summary of Accomplishment

    • Knowledge Gained
      • Benefits of enabling personalized service
      • IVR-enabling technologies
      • Methods of eliciting feedback
    • Processes Optimized
      • IVR voice prompt creation
      • IVR voice prompt organization
      • IVR review cycles
    • Deliverables Completed
      • Database of customer call drivers
      • Organizational IVR goals and KPIs
      • IVR call flow tree

    Related Info-Tech Research

    This is a picture of a hand holding a cellular phone

    Choose a Right-Sized Contact Center Solution

    • IT needs a method to pinpoint which contact center solution best aligns with business objectives, adapting to a post-COVID-19 world of remote work, flexibility, and scalability.
    This image contains a screenshot from Info-tech's Build a Strong Technology Foundation for Customer Experience Management.

    Build a Strong Technology Foundation for Customer Experience Management

    • Customer expectations around personalization, channel preferences, and speed-to-resolution are at an all-time high. Your customers are willing to pay more for high-value experiences, and having a strong customer experience management (CXM) strategy is a proven path to creating sustainable value for the organization.
    This image contains a screenshot from Info-tech's IT Strategy Research Center

    IT Strategy Research Center

    • Create an IT strategy based on business needs, not just intuition.
    This image contains a screenshot from Info-tech's SoftwareReviews blueprint.

    SoftwareReviews

    • Accelerate and improve your software selection process with enterprise software reviews. Focus on available resources for communications platform as a service providers and conversational intelligence software.

    Bibliography

    "7 Conversational IVR Trends for 2021 and Beyond." Haptik, 25 March 2021. Accessed 16 June 2022.
    "7 Remarkable IVR Trends For the Year 2022 And Beyond." Haptik, 30 Dec. 2021. Accessed 27 April 2022.
    "8 IVR Strategies that Keep Customers Happy." Ansafone Contact Centers, 31 May 2019. Accessed 25 April 2022.
    "Agent Assist." Speakeasy AI, 19 April 2022. Accessed 27 April 2022.
    "AI chatbot that's easy to use." IBM, n.d. Accessed 21 June 2022.
    "IVR Trends to Watch in 2020 and Beyond: Inside CX." Intrado, 1 May 2020. Accessed 27 April 2022.
    "RIP IVR: 1980-2020." Vonage, 2 June 2020. Accessed 16 June 2022.
    Andrea. "What do Customers Want? – 37 Customer Service Statistics." SmallBizGenius, 17 March 2022. Accessed 24 May 2022.
    Anthony, James. "106 Customer Service Statistics You Must See: 2021/2022 Data & Analysis." FinancesOnline, 14 Jan. 2022. Accessed 27 April 2022.
    Brown, James. "14 stats that prove the importance of self-service in customer service." raffle, 13 Oct. 2020. Accessed 17 June 2022.
    Buesing, Eric, et al. "Getting the best customer service from your IVR: Fresh eyes on an old problem." McKinsey & Company, 1 Feb. 2019. Accessed 25 April 2022.
    Callari, Ron. "IVR Menus and Best Practices." Telzio, 4 Sep. 2020. Accessed 27 April 2022.
    Cornell, Jared. "104 Customer Service Statistics & Facts of 2022." ProProfs Chat, 6 April 2022. Accessed 16 June 2022.
    DeCarlo, Matthew. "18 Common IVR Mistakes & How To Configure Effective IVR." GetVoIP, 13 June 2019. Accessed 27 April 2022.
    DeMers, Jayson. "77 Customer Service Statistics to Know." EmailAnalytics, 23 March 2022. Accessed 27 April 2022.
    Frants, Valeriy. Interview. Conducted by Austin Wagar, 22 June 2022.
    Grieve, Patrick. "Personalized customer service: what it is and how to provide it." Zendesk, 28 June 2019. Accessed 27 April 2022.
    "How Natural Language Processing Can Help Your Interactive Voice Response System Meet Best Practice." Hostcomm, 15 July 2019. Accessed 25 April 2022.
    "IVR and customer experience: get the best UX for your clients." Kaleyra, 14 Dec. 2020. Accessed 25 April 2022.
    Irvine, Bill. "Selecting an IVR System for Customer Satisfaction Surveys." IVR Technology Group, 14 April 2020. Accessed 22 June 2022.
    Kulbyte, Toma. "Key Customer Experience Statistics to Know." SuperOffice, 24 June 2021. Accessed 24 May 2022.
    Leite, Thiago. "What's the Difference Between Standard & Conversational IVR?" Cognigy, 27 Oct. 2020. Accessed 24 May 2022.
    Maza, Cristina. "What is IVR? The ultimate guide." Zendesk, 30 Sep. 2020. Accessed 25 April 2022.
    McCraw, Corey. "What is IVR Call Flow? Benefits, Features, Metrics & More." GetVoIP, 30 April 2020. Accessed 25 April 2022.
    Mircevski, Bruno. "Smart IVR Introduction – What Is It and Why You Should Use It." Ideta, 7 March 2022. Accessed 28 April 2022.
    Oriel, Astha. "Artificial Intelligence in IVR: A Step Towards Faster Customer Services." Analytics Insight, 19 Aug. 2020. Accessed 24 May 2022.
    Perzynska, Kasia. "What is CSAT & How to Measure Customer Satisfaction?" Survicate, 9 March 2022. Accessed 22 June 2022.
    Pratt, Mary K. "How to set business goals, step by step." TechTarget, 27 April 2022. Accessed 21 June 2022.
    Robinson, Kerry. "Insight of the Week: Make Your IVR More Like Alexa." Waterfield Tech, 20 April 2022. Accessed 25 April 2022.
    Sehgal, Karishma. "Exclusive Research – 76% of customer service teams offer support outside of business hours." Hiver, 4 May 2022. Accessed 22 June 2022.
    Smith, Mercer. "111 Customer Service Statistics and Facts You Shouldn't Ignore." Help Scout, 23 May 2022. Accessed 24 June 2022.
    Thompson, Adrian. "A Guide to Conversational IVR." The Bot Forge, 27 Jan. 2021. Accessed 21 June 2022.
    Tolksdorf, Juergen. " 5 Ways to Leverage AI and Agent-Assist to Improve Customer Experience." Genesys, 19 May 2020. Accessed 27 April 2022.
    Vaish, Aakrit. "5 ways conversational IVR is helping businesses revolutionize customer service." ETCIO.com, 20 March 2020. Web.
    Westfall, Leah. "Improving customer experience with the right IVR strategy." RingCentral, 23 July 2021. Accessed 25 April 2022.

    Create a Post-Implementation Plan for Microsoft 365

    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: End-User Computing Applications
    • Parent Category Link: /end-user-computing-applications

    M365 projects are fraught with obstacles. Common mistakes organizations make include:

    • Not having a post-migration plan in place.
    • Treating user training as an afterthought.
    • Inadequate communication to end users.

    Our Advice

    Critical Insight

    There are three primary areas where organizations fail in a successful implementation of M365: training, adoption, and information governance. While it is not up to IT to ensure every user is well trained, it is their initial responsibility to find champions, SMEs, and business-based trainers and manage information governance from the backup, retention, and security aspects of data management.

    Impact and Result

    Migrating to M365 is a disruptive move for most organizations. It poses risk to untrained IT staff, including admins, help desk, and security teams. The aim for organizations, especially in this new hybrid workspace, is to maintain efficiencies through collaboration, share information in a secure environment, and work from anywhere, any time.

    Create a Post-Implementation Plan for Microsoft 365 Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Create a Post-Implementation Plan for Microsoft 365 Storyboard – A deck that guides you through the important considerations that will help you avoid common pitfalls and make the most of your investment.

    There are three primary goals when deploying Microsoft 365: productivity, security and compliance, and collaborative functionality. On top of these you need to meet the business KPIs and IT’s drive for adoption and usage. This research will guide you through the important considerations that are often overlooked as this powerful suite of tools is rolled out to the organization.

    [infographic]

    Further reading

    Create a Post-Implementation Plan for Microsoft 365

    You’ve deployed M365. Now what? Look at your business goals and match your M365 KPIs to meet those objectives.

    Analyst perspective

    You’ve deployed M365. Now what?

    John Donovan

    There are three primary objectives when deploying Microsoft 365: from a business perspective, the expectations are based on productivity; from an IT perspective, the expectations are based on IT efficiencies, security, and compliance; and from an organizational perspective, they are based on a digital employee experience and collaborative functionality.

    Of course, all these expectations are based on one primary objective, and that is user adoption of Teams, OneDrive, and SharePoint Online. A mass adoption, along with a high usage rate and a change in the way users work, is required for your investment in M365 to be considered successful.

    So, adoption is your first step, and that can be tracked and analyzed through analytics in M365 or other tools. But what else needs to be considered once you have released M365 on your organization? What about backup? What about security? What about sharing data outside your business? What about self-service? What about ongoing training? M365 is a powerful suite of tools, and taking advantage of all that it entails should be IT’s primary goal. How to accomplish that, efficiently and securely, is up to you!

    John Donovan
    Principal Research Director, I&O
    Info-Tech Research Group

    Insight summary

    Collaboration, efficiencies, and cost savings need to be earned

    Migrating to M365 is a disruptive move for most organizations. Additionally, it poses risk to untrained IT staff, including admins, help desk, and security teams. The aim for organizations, especially in this new hybrid workspace, is to maintain efficiencies through collaboration, share information in a secure environment, and work from anywhere, any time. However, organizations need to manage their licensing and storage costs and build this new way of working through post-deployment planning. By reducing their hardware and software footprint they can ensure they have earned these savings and efficiencies.

    Understand any shortcomings in M365 or pay the price

    Failing to understand any shortcomings M365 poses for your organization can ruin your chances at a successful implementation. Commonly overlooked expenses include backup and archiving, especially for regulated organizations; spending on risk mitigation through third-party tools for security; and paying a premium to Microsoft to use its Azure offerings with Microsoft Sentinel, Microsoft Defender, or any security add-on that comes at a price above your E5 license, which is expensive in itself.

    Spend time with users to understand how they will use M365

    Understanding business processes is key to anticipating how your end users will adopt M365. By spending time with the staff and understanding their day-to-day activities and interactions, you can build better training scenarios to suit their needs and help them understand how the apps in M365 can help them do their job. On top of this you need to meet the business KPIs and IT’s drive for adoption and usage. Encourage early adopters to become trainers and champions. Success will soon follow.

    Executive summary

    Your Challenge

    Common Obstacles

    Info-Tech’s Approach

    M365 is a full suite of tools for collaboration, communication, and productivity, but organizations find the platform is not used to its full advantage and fail to get full value from their license subscription.

    Many users are unsure which tool to use when: Do you use Teams or Viva Engage, MS Project or Planner? When do you use SharePoint versus OneDrive?

    From an IT perspective, finding time to help users at the outset is difficult – it’s quite the task to set up governance, security, and backup. Yet training staff must be a priority if the implementation is to succeed.

    M365 projects are fraught with obstacles. Common mistakes organizations make include:

    • No post-migration plan in place.
    • User training is an afterthought.
    • Lack of communication to end users.
    • No C-suite promotion and sponsorship.
    • Absence of a vision and KPIs to meet that vision.

    To define your post-migration tasks and projects:

    • List all projects in a spreadsheet and rank them according to difficulty and impact.
    • Look for quick wins with easy tasks that have high impact and low difficulty.
    • Build a timeline to execute your plans and communicate clearly how these plans will impact the business and meet that vision.

    Failure to take meaningful action will not bode well for your M365 journey.

    Info-Tech Insight

    There are three primary areas where organizations fail in a successful implementation of M365: training, adoption, and information governance. While it is not up to IT to ensure every user is well trained, it is their initial responsibility to find champions, SMEs, and business-based trainers and to manage information governance from backup, retention, and security aspects of data management.

    Business priorities

    What priorities is IT focusing on with M365 adoption?

    What IT teams are saying

    • In a 2019 SoftwareONE survey, the biggest reason IT decision makers gave for adopting M365 was to achieve a “more collaborative working style.”
    • Organizations must plan and execute a strategy for mass adoption and training to ensure processes match business goals.
    • Cost savings can only be achieved through rightsizing license subscriptions, retiring legacy apps, and building efficiencies within the IT organization.
    • With increased mobility comes with increased cybersecurity risk. Make sure you take care of your security before prioritizing mobility. Multifactor authentication (MFA), conditional access (CA), and additional identity management will maintain a safe work-from-anywhere environment.

    Top IT reasons for adopting M365

    61% More collaborative working style

    54% Cost savings

    51% Improved cybersecurity

    49% Greater mobility

    Source: SoftwareONE, 2019; N=200 IT decision makers across multiple industries and organization sizes

    Define & organize post-implementation projects

    Key areas to success

    • Using Microsoft’s M365 adoption guide, we can prioritize and focus on solutions that will bring about better use of the M365 suite.
    • Most of your planning and prioritizing should be done before implementation. Many organizations, however, adopted M365 – and especially Teams, SharePoint Online, and OneDrive – in an ad hoc manner in response to the pandemic measures that forced users to work from home.
    • Use a Power BI Pro license to set up dashboards for M365 usage analytics. Install GitHub from AppSource and use the templates that will give you good insight and the ability to create business reports to show adoption and usage rates on the platform.
    • Reimagine your working behavior. Remember, you want to bring about a more collective and open framework for work. Take advantage of a champion SME to show the way. Every organization is different, so make sure your training is aligned to your business processes.
    The image contains a screenshot of the M365 post-implementation tasks.

    Process steps

    Define Vision

    Build Team

    Plan Projects

    Execute

    Define your vision and what your priorities are for M365. Understand how to reach your vision.

    Ensure you have an executive sponsor, develop champions, and build a team of SMEs.

    List all projects in a to-be scenario. Rank and prioritize projects to understand impact and difficulty.

    Build your roadmap, create timelines, and ensure you have enough resources and time to execute and deliver to the business.

    Info-Tech’s approach

    Use the out-of-the-box tools and take advantage of your subscription.

    The image contains a screenshot of the various tools and services Microsoft provides.

    Info-Tech Insight

    A clear understanding of the business purpose and processes, along with insight into the organizational culture, will help you align the right apps with the right tasks. This approach will bring about better adoption and collaboration and cancel out the shadow IT products we see in every business silo.

    Leverage built-in usage analytics

    Adoption of services in M365

    To give organizations insight into the adoption of services in M365, Microsoft provides built-in usage analytics in Power BI, with templates for visualization and custom reports. There are third-party tools out there, but why pay more? However, the template app is not free; you do need a Power BI Pro license.

    Usage Analytics pulls data from ActiveDirectory, including location, department, and organization, giving you deeper insight into how users are behaving. It can collect up to 12 months of data to analyze.

    Reports that can be created include Adoption, Usage, Communication, Collaboration (how OneDrive and SharePoint are being used), Storage (cloud storage for mailboxes, OneDrive, and SharePoint), and Mobility (which clients and devices are used to connect to Teams, email, Yammer, etc.).

    Source: Microsoft 365 usage analytics

    Understand admin roles

    Prevent intentional or unintentional internal breaches

    Admin Roles

    Best Practices

    • Global admin: Assign this role only to users who need the most access to management features and data across your tenant. Only global admins can modify an admin role.
    • Exchange admin: Assign this role to users who need to view and manage user mailboxes, M365 groups, and Exchange Online and handle Microsoft support requests.
    • Groups admin: These users can create, edit, delete, and restore M365 groups as well as create expiration and naming policies.
    • Helpdesk admin: These users can resets passwords, force user sign-out, manage Microsoft support requests, and monitor service health.
    • Teams/SharePoint Online admin: Assign these roles for users who manage the Teams and SharePoint Admin Center.
    • User admin: These users can assign licenses, add users and groups, manage user properties, and create and manage user views.

    Only assign two to four global admins, depending on the size of the organization. Too many admins increases security risk. In larger organizations, segment admin roles using role-based access control.

    Because admins have access to sensitive data, you’ll want to assign the least permissive role so they can access only the tools and data they need to do their job.

    Enable MFA for all admins except one break-glass account that is stored in the cloud and not synced. Ensure a complex password, stored securely, and use only in the event of an MFA outage.

    Due to the large number of admin roles available and the challenges that brings with it, Microsoft has a built-in tool to compare roles in the admin portal. This can help you determine which role should be used for specific tasks.

    Secure your M365 tenant

    A checklist to ensure basic security coverage post M365

    • Multifactor Authentication: MFA is part of your M365 tenant, so using it should be a practical identity security. If you want additional conditional access (CA), you will require an Azure AD (AAD) Premium P1+ license. This will ensure adequate identity security protecting the business.
    • Password Protection: Use the AAD portal to set this up under Security > Authentication Methods. Microsoft provides a list of over 2,000 known bad passwords and variants to block.
    • Legacy Authentication: Disable legacy protocols; check to see if your legacy apps/workflows/scripts use them in the AAD portal. Once identified, update them and turn the protocols off. Use CA policies.
    • Self-Service Password Reset: Enable self-service to lower the helpdesk load for password resets. Users will have to initially register and set security questions. Hybrid AD businesses must write back to AD from AAD once changes are made.
    • Security Defaults: For small businesses, turn on default settings. To enable additional security settings, such as break- glass accounts, go into Manage Security Defaults in your AAD properties.
    • Conditional Access (CA) Policies: Use CA policies if strong identity security and zero trust are required. To create policies in AAD go to Security > Conditional Access > New Policies.

    Identity Checklist

    • Enable MFA for Admins
    • Enable MFA for Users
    • Disable App Passwords
    • Configure Trusted IPs
    • Disable Text/Phone MFA
    • Remember MFA on Trusted Devices for 90 Days
    • Train Staff in Using MFA Correctly
    • Integrate Apps Into Azure AD

    Training guidelines

    Identify business scenarios and training adoption KPIs

    • Customize your training to meet your organizational goals, align with your business culture, and define how users will work inside the world of M365.
    • Create scenario templates that align to your current day-to-day operations in each department. These can be created by individual business unit champions.
    • Make sure you have covered must-have capabilities and services within M365 that need to be rolled out post-pilot.
    • Phase in large transitions rather than multiple small ones to ensure collaboration between departments meets business scenarios.
    • Ensure your success metrics are being measured and continue to communicate and train after deployment using tools available in M365. See Microsoft’s adoption guidelines and template for training.

    Determine your training needs and align with your business processes. Choose training modalities that will give users the best chance of success. Consider one or many training methods, such as:

    • Online training
    • In-person classroom
    • Business scenario use cases
    • Mentoring
    • Department champion/Early adopter
    • Weekly bulletin fun facts

    Don’t forget backup!

    Providing 99% uptime and availability is not enough

    Why is M365 backup so important?

    Accidental Data Deletion.

    If a user is deleted, that deletion gets replicated across the network. Backup can save you here by restoring that user.

    Internal and External Security Threats.

    Malicious internal deletion of data and external threats including viruses, ransomware, and malware can severely damage a business and its reputation. A clean backup can easily restore the business’ uninfected data.

    Legal and Compliance Requirements.

    While e-discovery and legal hold are available to retain sensitive data, a third-party backup solution can easily search and restore all data to meet regulatory requirements – without depending on someone to ensure a policy was set.

    Retention Policy Gaps.

    Retention policies are not a substitute for backup. While they can be used to retain or delete content, they are difficult to keep track of and manage. Backups offer greater latitude in retention and better security for that data.

    Retire your legacy apps to gain adoption

    Identify like for like and retire your legacy apps

    Legacy

    Microsoft 365

    SharePoint 2016/19

    SharePoint Online

    Microsoft Exchange Server

    Microsoft Exchange in Azure

    Skype for Business Server

    Teams

    Trello

    Planner 2022

    System Center Configuration Manager (SCCM)

    Endpoint Manager, Intune, Autopilot

    File servers

    OneDrive

    Access

    Power Apps

    To meet the objectives of cost reduction and rationalization, look at synergies that M365 brings to the table. Determine what you are currently using to meet collaboration, storage, and security needs and plan to use the equivalent in your Microsoft entitlement.

    Managing M365’s hidden costs

    Licenses and storage limits TCO

    • Email security. Ninety-one percent of all cyberattacks come from phishing on email. Microsoft Defender for M365 is a bolt-on, so it is an additional cost.
    • Backup. This will bring additional cost to M365. Plan to spend more to ensure data is backed up and stored.
    • Email archiving. Archiving is different than backup. See our research on the subject. Archiving is needed for compliance purposes. Email archiving solutions are available through third-party software, which is an added cost.
    • Email end-to-end encryption. This is a requirement for all organizations that are serious about security. The enterprise products from Microsoft come at an additional cost.
    • Cybersecurity training. IT needs to ramp up on training, another expense.
    • Microsoft 365 Power Platform Licencing. From low-code and no-code developer tools (Power Apps), workflow tools (Power Automate), and business intelligence (Power BI) – while the E5 license gives you Power BI Pro, there are limitations and costs. Power BI Pro has limitations for data volume, data refresh, and query response time, so your premium license comes at a considerably marked up cost.

    M365 is not standalone

    • While Microsoft 365 is a platform that is ”just good enough,” it is actually not good enough in today’s cyberthreat environment. Microsoft provides add-ons with Defender for 365, Purview, and Sentinel, which pose additional costs, just like a third-party solution would. See the Threat Intelligence & Incident Response research in our Security practice.
    • The lack of data archiving, backup, and encryption means additional costs that may not have been budgeted for at the outset. Microsoft provides 30-60-90-day recovery, but anything else is additional cost. For more information see Understand the Difference between Backups and Archiving.

    Compliance and regulations

    Security and compliance features out of the box

    There are plenty of preconfigured security features contained in M365, but what’s available to you depends on your license. For example, Microsoft Defender, which has many preset policies, is built-in for E5 licenses, but if you have E3 licenses Defender is an add-on.

    Three elements in security policies are profiles, policies, and policy settings.

    • Preset Profiles come in the shape of:
      • Standard – baseline protection for most users
      • Strict – aggressive protection for profiles that may be high-value targets
      • Built-in Protection – turned on by default; it is not recommended to make exceptions based on users, groups, or domains
    • Preset Security Policies
      • Exchange Online Protection Policies – anti-spam, -malware, and -phishing policies
      • Microsoft Defender Policies – safe links and safe attachments policies
    • Policy Settings
      • User impersonation protection for internal and external domains
      • Select priorities from strict, standard, custom, and built-in

    Info-Tech Insight

    Check your license entitlement before you start purchasing add-ons or third-party solutions. Security and compliance are not optional in today’s cybersecurity risk world. With many organizations offering hybrid and remote work arrangements and bring-your-own-device (BYOD) policies, it is necessary to protect your data at the tenant level. Defender for Microsoft 365 is a tool that can protect both your exchange and collaboration environments.

    More information: Microsoft 365 Defender

    Use Intune and Autopilot

    Meet the needs of your hybrid workforce

    • Using the tools available in M365 can help you develop your hybrid or remote work strategy.
    • This strategy will help you maintain security controls for mobile and BYOD.
    • Migrating to Intune and Autopilot will give rise to the opportunity to migrate off SCCM and further reduce your on-premises infrastructure.

    NOTE: You must have Azure AD Premium and Windows 10 V1703 or later as well as Intune or other MDM service to use Autopilot. There is a monthly usage fee based on volume of data transmitted. These fees can add up over time.

    For more details visit the following Microsoft Learn pages:

    Intune /Autopilot Overview

    The image contains a screenshot of the Intune/Autopilot Overview.

    Info-Tech’s research on zero-touch provisioning goes into more detail on Intune and Autopilot:
    Simplify Remote Deployment With Zero-Touch Provisioning

    M365 long-term strategies

    Manage your costs in an inflationary world

    • Recent inflation globally, whether caused by supply chain woes or political uncertainty, will impact IT and cloud services along with everything else. Be prepared to pay more for your existing services and budget accordingly.
    • Your long-term strategies must include ongoing cost management, data management, security risks, and license and storage costs.
    • Continually investigate efficiencies, overlaps, and new tools in M365 that can get the job done for the business. Use as many of the applications as you can to ensure you are getting the best bang for your buck.
    • Watch for upgrades in the M365 suite of tools. As Microsoft continues to improve and deliver on most business applications well after their first release, you may find that something that was previously inefficient could work in your environment today and replace a tool you currently use.

    Ongoing Activities You Need to Maintain

    • Be aware of increased license costs and higher storage costs.
    • Keep an eye on Teams sprawl.
    • Understand your total cost of ownership.
    • Continue to look at legacy apps and get rid of your infrastructure debt.

    Activity

    Build your own M365 post-migration plan

    1. Using slide 6 as your guideline, create your own project list using impact and difficulty as your weighting factors.
    2. Do this exercise as a whiteboard sticky note exercise to agree on impact and difficulty as a team.
    3. Identify easy wins that have high impact.
    4. Place the projects into a project plan with time lines.
    5. Agree on start and completion dates.
    6. Ensure you have the right resources to execute.

    The image contains a screenshot of the activity described in the above text.

    Related Info-Tech Research

    Govern Office 365

    • Office 365 is as difficult to wrangle as it is valuable. Leverage best practices to produce governance outcomes aligned with your goals.

    Drive Ongoing Adoption With an M365 Center of Excellence

    • Accelerate business processes change and get more value from your subscription by building and sharing, thanks to an effective center of excellence.

    Simplify Remote Deployment With Zero-Touch Provisioning

    • Adopt zero-touch provisioning to provide better services to your end users.
    • Save time and resources during device deployment while providing a high-quality experience to remote end users.

    Bibliography

    “5 Reasons Why Microsoft Office 365 Backup Is Important.” Apps 4Rent, Dec 2021, Accessed Oct 2022 .
    Chandrasekhar, Aishwarya. “Office 365 Migration Best Practices & Challenges 2022.” Saketa, 31 Mar 2022. Accessed Oct. 2022.
    Chronlund, Daniel. “The Fundamental Checklist – Secure your Microsoft 365 Tenant”. Daniel Chronlund Cloud Tech Blog,1 Feb 2019. Accessed 1 Oct 2022.
    Davies, Joe. “The Microsoft 365 Enterprise Deployment Guide.” Tech Community, Microsoft, 19 Sept 2018. Accessed 2 Oct 2022.
    Dillaway, Kevin. “I Upgraded to Microsoft 365 E5, Now What?!.” SpyGlassMTG, 10 Jan 2022. Accessed 4 Oct. 2022.
    Hartsel, Joe. “How to Make Your Office 365 Implementation Project a Success.” Centric, 20 Dec 2021. Accessed 2 Oct. 2022.
    Jha, Mohit. “The Ultimate Microsoft Office 365 Migration Checklist for Pre & Post Migration.” Office365 Tips.Org, 24 June 2022. Accessed Sept. 2022.
    Lang, John. “Why organizations don't realize the full value of Microsoft 365.“Business IT, 29 Nov 202I. Accessed 10 Oct 2022.
    Mason, Quinn. “How to increase Office 365 / Microsoft 365 user adoption.” Sharegate, 19 Sept 2019. Accessed 3 Oct 2022.
    McDermott, Matt. “6-Point Office 365 Post-Migration Checklist.” Spanning , 12 July 2019 . Accessed 4 Oct 2022.
    “Microsoft 365 usage analytics.” Microsoft 365, Microsoft, 25 Oct 2022. Web.
    Sharma, Megha. “Office 365 Pre & Post Migration Checklist.’” Kernel Data Recovery, 26 July 2022. Accessed 30 Sept. 2022.
    Sivertsen, Per. “How to avoid a failed M365 implementation? Infotechtion, 19 Dec 2021. Accessed 2 Oct. 2022.
    St. Hilaire, Dan. “Most Common Mistakes with Office 365 Deployment (and How to Avoid Them).“ KnowledgeWave, 4Mar 2019. Accessed Oct. 2022.
    “Under the Hood of Microsoft 365 and Office 365 Adoption.” SoftwareONE, 2019. Web.

    Improve Service Desk Ticket Queue Management

    • Buy Link or Shortcode: {j2store}492|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Service Desk
    • Parent Category Link: /service-desk
    • Service desk tickets pile up in the queue, get lost or buried, jump between queues without progress, leading to slow response and resolution times, a seemingly insurmountable backlog and breached SLAs.
    • There are no defined rules or processes for how tickets should be assigned and routed and technicians don’t know how to prioritize their assigned work, meaning tickets take too long to get to the right place and aren’t always resolved in the correct or most efficient order.
    • Nobody has authority or accountability for queue management, meaning everyone has eyes only on their own tickets while others fall through the cracks.

    Our Advice

    Critical Insight

    If everybody is managing the queue, then nobody is. Without clear ownership and accountability over each and every queue, then it becomes too easy for everyone to assume someone else is handling or monitoring a ticket when in fact nobody is. Assign a Queue Manager to each queue and ensure someone is responsible for monitoring ticket movement across all the queues.

    Impact and Result

    • Clearly define your queue structure, organize the queues by content, then assign resources to relevant queues depending on their role and expertise.
    • Define and document queue management processes, from initial triage to how to prioritize work on assigned tickets. Once processes have been defined, identify opportunities to build in automation to improve efficiency.
    • Ensure everyone who handles tickets is clear on their responsibilities and establish clear ownership and accountability for queue management.

    Improve Service Desk Ticket Queue Management Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Ticket Queue Management Deck – A guide to service desk ticket queue management best practices and advice

    This storyboard reviews the top ten pieces of advice for improving ticket queue management at the service desk.

    • Improve Service Desk Ticket Queue Management Storyboard

    2. Service Desk Queue Structure Template – A template to help you map out and optimize your service desk ticket queues

    This template includes several examples of service desk queue structures, followed by space to build your own model of your optimal service desk queue structure and document who is assigned to each queue and responsible for managing each queue.

    • Service Desk Queue Structure Template
    [infographic]

    Further reading

    Improve Service Desk Ticket Queue Management

    Strong queue management is the foundation to good customer service

    Analyst Perspective

    Secure your foundation before you start renovating.

    Service Desk and IT leaders who are struggling with low efficiency, high backlogs, missed SLAs, and poor service desk metrics often think they need to hire more resources or get a new ITSM tool with better automation and AI capabilities. However, more often than not, the root cause of their challenges goes back to the fundamentals.

    Strong ticket queue management processes are critical to the success of all other service desk processes. You can’t resolve incidents and fulfill service requests in time to meet SLAs without first getting the ticket to the right place efficiently and then managing all tickets in the queue effectively. It sounds simple, but we see a lot of struggles around queue management, from new tickets sitting too long before being assigned, to in-progress tickets getting buried in favor of easier or higher-priority tickets, to tickets jumping from queue to queue without progress, to a seemingly insurmountable backlog.

    Once you have taken the time to clearly structure your queues, assign resources, and define your processes for routing tickets to and from queues and resolving tickets in the queue, you will start to see response and resolution time decrease along with the ticket backlog. However, accountability for queue management is often overlooked and is really key to success.
    This is an image of Dr. Natalie Sansone, Senior Research Analyst at Info-Tech Research Group

    Natalie Sansone, PhD
    Senior Research Analyst, Infrastructure & Operations
    Info-Tech Research Group

    Executive Summary

    Your Challenge

    • Tickets come into the service desk via multiple channels (email, phone, chat, portal) and aren’t consolidated into a single queue, making it difficult to know what to prioritize.
    • New tickets sit in the queue for too long before being assigned while assigned tickets sit for too long without progress or in the wrong queue, leading to slow response and resolution times.
    • Tickets quickly pile up in the queues, get lost or buried, or jump between queues without finding the right home, leading to a seemingly insurmountable backlog and breached SLAs.

    Common Obstacles

    • All tickets pile into the same queue, making it difficult to view, manage, or know who’s working on what.
    • There are no defined rules or processes for how tickets should be assigned and routed, meaning they often take too long to get to the right place.
    • Technicians have no guidelines as to how to prioritize their work, and no easy way to organize their tickets or queue to know what to work on next.
    • Nobody has authority or accountability for queue management, meaning everyone has eyes only on their own tickets while others fall through the cracks.

    Info-Tech’s Approach

    • Clearly define your queue structure, organize the queues by content, then assign resources to relevant queues depending on their role and expertise.
    • Define and document queue management processes, from initial triage to how to prioritize work on assigned tickets. Ensure everyone who handles tickets is clear on their responsibilities.
    • Establish clear ownership and accountability for queue management.
    • Once processes have been defined, identify opportunities to build in automation to improve efficiency.

    Info-Tech Insight

    If everybody is managing the queue, then nobody is. Without clear ownership and accountability over each and every queue it becomes too easy for everyone to assume someone else is handling or monitoring a ticket when in fact nobody is. Assign a Queue Manager to each queue and ensure someone is responsible for monitoring ticket movement across all the queues.

    Timeliness is essential to customer satisfaction

    And timeliness can’t be achieved without good queue management practices.

    As soon as that ticket comes in, the clock starts ticking…

    A host of different factors influence service desk response time and resolution time, including process optimization and documentation, workflow automation, clearly defined prioritization and escalation rules, and a comprehensive and easily accessible knowledgebase.

    However, the root cause of poor response and resolution time often comes down to the basics like ticket queue management. Without clearly defined processes and ownership for assigning and actioning tickets from the queue in the most effective order and manner, customer satisfaction will suffer.

    For every 12-hour delay in response time*, CSAT drops by 9.6%.

    *to email and web support tickets
    Source: Freshdesk, 2021

    A Freshworks analysis of 107 million service desk interactions found the relationship between CSAT and response time is stronger than resolution time - when customers receive prompt responses and regular updates, they place less value on actual resolution time.

    A queue is simply a line of people (or tickets) waiting to be helped

    When customers reach out to the service desk for help, their messages are converted into tickets that are stored in a queue, waiting to be actioned appropriately.

    Ticket Queue

    Email/web
    Ideally, the majority of tickets come into the ticket queue through email or a self-service portal, allowing for appropriate categorization, prioritization, and assignment.

    Phone
    For IT teams with a high volume of support requests coming in through the phone, reducing wait time in queue may be a priority.

    Chat
    Live chat is growing in popularity as an intake method and may require routing and distribution rules to prevent long or multiple queues.

    Queue Management

    Queue management is a set of processes and tools to direct and monitor tickets or manage ticket flow. It involves the following activities:

    • Review incoming tickets
    • Categorize and prioritize tickets
    • Route or assign appropriately
    • View or update ticket status
    • Monitor resource workload
    • Ensure tickets are being actioned in time
    • Proactively identify SLA breaches

    Ineffective queue management can bury you in backlog

    Ticket backlog with poor queue management

    Without a clear and efficient process or accountability for moving incoming tickets to the right place, tickets will be worked on randomly, older tickets will get buried, the backlog will grow, and SLAs will be missed.

    Ticket backlog with good queue management

    With effective queue management and ownership, tickets are quickly assigned to the right resource, worked on within the appropriate SLO/SLA, and actively monitored, leading to a more manageable backlog and good response and resolution times.

    A growing backlog will quickly lead to dissatisfied end users and staff

    Failing to efficiently move tickets from the queue or monitor tickets in the queue can quickly lead to tickets being buried and support staff feeling buried in tickets.

    Common challenges with queue management include:

    • Tickets come in through multiple channels and aren’t consolidated into a single queue
    • New tickets sit unassigned for too long, resulting in long response times
    • Tickets move around between multiple queues with no clear ownership
    • Assigned tickets sit too long in a queue without progress and breach SLA
    • No accountability for queue ownership and monitoring
    • Technicians cherry pick the easiest tickets from the queue
    • Technicians have no easy way to organize their queue to know what to work on next

    This leads to:

    • Long response times
    • Long resolution times
    • Poor workload distribution and efficiency
    • High backlog
    • Disengaged, frustrated staff
    • Dissatisfied end users

    Info-Tech Insight

    A growing backlog will quickly lead to frustrated and dissatisfied customers, causing them to avoid the service desk and seek alternate methods to get what they need, whether going directly to their favorite technician or their peers (otherwise known as shadow IT).

    Dig yourself out with strong queue management

    Strong queue management is the foundation to good customer service.

    Build a mature ticket queue management process that allows your team to properly prioritize, assign, and work on tickets to maximize response and resolution times.

    A mature queue management process will:

    • Reduce response time to address tickets.
    • Effectively prioritize tickets and ensure everyone knows what to work on next.
    • Ensure tickets get assigned and routed to the right queue and/or resource efficiently.
    • Reduce overall resolution time to resolve tickets.
    • Enable greater accountability for queue management and monitoring of tickets.
    • Improve customer and employee satisfaction.

    As queue management maturity increases:
    Response time decreases
    Resolution time decreases
    Backlog decreases
    End-user satisfaction increases

    Ten Tips to Effectively Manage Your Queue

    The remaining slides in this deck will review these ten pieces of advice for designing and managing your ticket queues effectively and efficiently.

    1. Define your optimal queue structure
    2. Design and assign resources to relevant queues
    3. Define and document queue management processes
    4. Clearly define queue management responsibilities for every team member
    5. Establish clear ownership & accountability over all queues
    6. Always keep ticket status and documentation up to date
    7. Shift left to reduce queue volume
    8. Build-in automation to improve efficiency
    9. Configure your ITSM tool to support and optimize queue management processes
    10. Don’t lose visibility of the backlog

    #1: Define your optimal queue structure

    There is no one right way to do queue management; choose the approach that will result in the highest value for your customers and IT staff.

    Sample queue structures

    This is an image of a sample Queue structure, where Incoming Tickets from all channels pass through auto or manual Queue assignment, to a numbered queue position.

    *Queues may be defined by skillset, role, ticket category, priority, or a hybrid.

    Triage and Assign

    • All incoming tickets are assigned to an appropriate queue based on predefined criteria.
    • Queue assignment may be done through automated workflows based on specific fields within the ticket, or manually by a
    • Queue Manager, dedicated coordinator, or Tier 1 staff.
    • Queues may be defined based on:
      • Skillset/team (e.g. Infrastructure, Security, Apps, etc.)
      • Ticket category (e.g. Network, Office365, Hardware, etc.)
      • Priority (e.g. P1, P2, P3, P4, P5)
    • Resources may be assigned to multiple queues.

    Define your optimal queue structure (cont.)

    Tiered generalist model

    • All incidents and service requests are routed to Tier 1 first, who prioritize and, if appropriate, conduct initial triage, troubleshooting, and resolution on a wide range of issues.
    • More complex or high-priority tickets are escalated to resources at Tier 2 and/or Tier 3, who are specialists working on projects in addition to support tickets.
    This is an image of the Tiered Generalist Model

    Unassigned queue

    • Very small teams may work from an unassigned queue if there are processes in place to monitor tickets and workload balance.
    • Typically, these teams work by resolving the oldest tickets first regardless of complexity (also known as First In, First Out or FIFO). However, this doesn’t allow for much flexibility in terms of priority of the request or customer.
    This is an image of an unassigned queue model

    #2: Design and assign resources to relevant queues

    Once you’ve defined your overall structure, define the content of each queue.

    This image depicts a sample queue organization structure. The bin titles are: Workgroup; Customer Group; Problem Type; and Hybrid

    Info-Tech Insight

    Start small; don’t create a queue for every possible ticket type. Remember that someone needs to be accountable for each of these queues, so only build what you can monitor.

    #3 Define and document queue management processes

    A clear, comprehensive, easily digestible SOP or workflow outlining the steps for handling new tickets and working tickets from the queue will help agents deliver a consistent experience.

    PROCESS INCLUDES:

    DEFINE THE FOLLOWING:

    TRIAGING INCOMING TICKETS

    • Ensure a ticket is created for every issue coming from every channel (e.g. phone, email, chat, walk-in, portal).
    • Assign a priority to each ticket.
    • Categorize ticket and add any necessary documentation
    • Update ticket status.
    • Delete spam, merge duplicate tickets, clean up inbox.
    • Assign tickets to appropriate queue or resource, escalate when necessary.
    • How should tickets be prioritized?
    • How should tickets from each channel be prioritized and routed? (e.g. are phone calls resolved right away? Are chats responded to immediately?)
    • Criteria that determine where a ticket should be sent or assigned (i.e. ticket category, priority, customer type).
    • How should VIP tickets be handled?
    • When should tickets be automatically escalated?
    • Which tickets require hierarchical escalation (i.e. to management)?

    WORKING ON ASSIGNED TICKETS

    • Continually update ticket status and documentation.
    • Assess which tickets should be worked on or completed ahead of others.
    • Troubleshoot, resolve, or escalate tickets.
    • In what order should tickets be worked on (e.g. by priority, by age, by effort, by time to breach)?
    • How long should a ticket be worked on without progress before it should be escalated to a different tier or queue?
    • Exceptions to the rule (e.g. in which circumstances should a lower priority ticket be worked on over a higher priority ticket).

    Process recommendations

    As you define queue management processes, keep the following advice in mind:

    Rotate triage role

    The triage role is critical but difficult. Consider rotating your Tier 1 resources through this role, or your service desk team if you’re a very small group.

    Limit and prioritize channels

    You decide which channels to enable and prioritize, not your users. Phone and chat are very interrupt-driven and should be reserved for high-priority issues if used. Your users may not understand that but can learn over time with training and reinforcement.

    Prioritize first

    Priority matrixes are necessary for consistency but there are always circumstances that require judgment calls. Think about risk and expected outcome rather than simply type of issue alone. And if the impact is bigger than the initial classification, change it.

    Define VIP treatment

    In some organizations, the same issue can be more critical if it happens to a certain user role (e.g. client facing, c-suite). Identify and flag VIP users and clearly define how their tickets should be prioritized.

    Consider time zone

    If users are in different time zones, take their current business hours into account when choosing which ticket to work on.

    Info-Tech Insight

    Think of your service desk as an emergency room. Patients come in with different symptoms, and the triage nurse must quickly assess these symptoms to decide who the patient should see and how soon. Some urgent cases will need to see the doctor immediately, while others can wait in another queue (the waiting room) for a while before being dealt with. Some cases who come in through a priority channel (e.g. ambulance) may jump the queue. Checklists and criteria can help with this decision making, but some degree of judgement is also required and that comes with experience. The triage role is sometimes seen as a junior-level role, but it actually requires expertise to be done well.

    For more detailed process guidance, see Standardize the Service Desk

    Info-Tech’s blueprint Standardize the Service Desk will help you standardize and document core service desk processes and functions, including:

    • Service desk structure, roles, and responsibilities
    • Metrics and reporting
    • Ticket handling and ticket quality
    • Incident and critical incident management
    • Ticket categorization
    • Prioritization and escalation
    • Service request fulfillment
    • Self-service considerations
    • Building a knowledgebase
    this image contains three screenshots from Info-Tech's Standardize the Service Desk Blueprint

    #4 Clearly define queue management responsibilities for every team member

    This may be one of the most critical yet overlooked keys to queue management success. Define the following:

    Who will have overall accountability?

    Someone must be responsible for monitoring all incoming and open tickets as well as assigned tickets in every queue to ensure they are routed and fulfilled appropriately. This person must have authority to view and coordinate all queues and Queue Managers.

    Who will manage each queue?

    Someone must be responsible for managing each queue, including assigning resources, balancing workload, and ensuring SLOs are met for the tickets within their queue. For example, the Apps Manager may be the Queue Manager for all tickets assigned to the Apps team queue.

    Who is responsible for assigning tickets?

    Will you have a triage team who monitors and assigns all incoming tickets? What are their specific responsibilities (e.g. prioritize, categorize, attempt troubleshooting, assign or escalate)? If not, who is responsible for assigning new tickets and how is this done? Will the triage role be a rotating role, and if so, what will the schedule be?

    What are everyone’s responsibilities?

    Everyone who is assigned tickets should understand the ticket handling process and their specific responsibilities when it comes to queue management.

    #5 Establish clear ownership & accountability over all queues

    If everyone is accountable, then no one is accountable. Ownership for each queue and all queues must be clearly designated.

    You may have multiple queue manager roles: one for each queue, and one who has visibility over all the queues. Typically, these roles make up only part of an individual’s job. Clearly define the responsibilities of the Queue Manager role; sample responsibilities are on the right.

    Info-Tech Insight

    Lack of authority over queues – especially those outside Tier 1 of the service desk – is one of the biggest pitfalls we see causing aging tickets and missed SLAs. Every queue needs clear ownership and accountability with everyone committed to meeting the same SLOs.

    The Queue Manager or Coordinator is accountable for ensuring tickets are routed to the correct resources service level objectives or agreements are met.

    Specific responsibilities may include:

    • Monitors queues daily
    • Ensures new tickets are assigned to appropriate resources for resolution
    • Verifies tickets have been routed and assigned correctly and reroutes if necessary
    • Reallocates tickets if assigned resource is suddenly unavailable or away
    • Ensures ticket handling process is met, ticket status is up to date and correct, and ticket documentation is complete
    • Escalates tickets that are aging or about to breach
    • Ensures service level objectives or agreements are met
    • Facilitates resource allocation based on workload
    • Coordinates tickets that require collaboration across workgroups to ensure resolution is achieved within SLA
    • Associates child and parent tickets
    • Prepares reports on ticket status and volume by queues
    • Regularly reviews reports to identify and act on issues and make improvements or changes where needed
    • Identifies opportunities for improvement

    #6 Always keep ticket status and documentation up to date

    Anyone should be able to quickly understand the status and progress on a ticket without needing to ask the technician working on it. This means both the ticket status and documentation must be continually and accurately updated.

    Ticket Documentation
    Ticket descriptions and documentation must be kept accurate and up to date. This ensures that if the ticket is escalated or assigned to a new person, or the Queue Manager or Service Desk Manager needs to know what progress has been made on a ticket, that person doesn’t need to waste time with back-and-forth communication with the technician or end user.

    Ticket Status
    The ticket status field should change as the ticket moves toward resolution, and must be updated every time the status changes. This ensures that anyone looking at the ticket queue can quickly learn and communicate the status of a ticket, tickets don’t get lost or neglected, metrics are accurate (such as time to resolve), and SLAs are not impacted if a ticket is on hold.

    Common ticket statuses include:

    • New/open
    • Assigned
    • In progress
    • Declined
    • Canceled
    • Pending/on hold
    • Resolved
    • Closed
    • Reopened

    For more guidance on ticket handling and documentation, download Info-Tech’s blueprint: Standardize the Service Desk.

    • For ticket handling and documentation, see Step 1.4
    • For ticket status fields, see Step 2.2.

    #7 Shift left to reduce queue volume

    Enable processes such as knowledge management, self-service, and problem management to prevent tickets from even coming into the queue.

    Shift left means enabling fulfilment of repeatable tasks and requests via faster, lower-cost delivery channels, self-help tools, and automation.

    This image contains a graph, where the Y axis is labeled Cost, and the X axis is labeled Time to Resolve.  On the graph are depicted service desk levels 0, 1, 2, and 3.

    Shift to Level 1

    • Identify tickets that are often escalated beyond Tier 1 but could be resolved by Level 1 if they were given the tools, training, resources, or access they need to do so.
    • Provide tools to succeed at resolving those defined tasks (e.g. knowledge article, documentation, remote tools).
    • Embed knowledge management in resolution workflows.

    Shift to End User

    • Build a centralized, easily accessible self-service portal where users can search for solutions to resolve their issues without having to submit a ticket.
    • Communicate and train users on how to use the portal regularly update and improve it.

    Automate & Eliminate

    • Identify processes or tasks that could be automated to eliminate work.
    • Invest in problem management and event management to fix the root problem of recurring issues and prevent a problem from occurring in the first place, thereby preventing future tickets.

    #8 Build in automation to improve efficiency

    Manually routing every ticket can be time-consuming and prone to errors. Once you’ve established the process, automate wherever possible.

    Automation rules can be used to ensure tickets are assigned to the right person or queue, to alert necessary parties when a ticket is about to breach or has breached SLA, or to remind technicians when a ticket has sat in a queue or at a particular status for too long.

    This can improve efficiency, reduce error, and bring greater visibility to both high-priority tickets and aging tickets in the backlog.

    However, your processes, queues, and responsibilities must be clearly defined before you can build in automation.

    For more guidance on implementing automation and AI within your service desk, see these blueprints:

    https://tymansgrpup.com/research/ss/accelerate-your-automation-processes https://tymansgrpup.com/research/ss/improve-it-operations-with-ai-and-ml

    For examples of rules, triggers, and fields you can automate to improve the efficiency of your queue management processes, see the next slide.

    Sample automation rules

    Criteria or triggers you can automate actions based on:

    • Ticket type
    • Specific field in a ticket web form
    • Ticket form that was used (e.g. specific service request form from the portal)
    • Ticket category
    • Ticket priority
    • Keyword in an email subject line
    • Keywords or string in a chat
    • Requester name or email
    • Requester location
    • Requester/ticket language
    • Requester VIP status
    • Channel ticket was received through
    • SLAs or time-based automations
    • Agent skill
    • Agent status or capacity

    Fields or actions those triggers can automate

    • Priority
    • Category
    • Ticket routing
    • Assigned agent
    • Assigned queue
    • SLA/due date
    • Notifications/communication

    Sample Automation Rules

    • When ticket is about to breach, send alert to Queue Manager and Service Desk Manager.
    • When ticket comes from VIP user, set urgency to high.
    • When ticket status has been set to “open” for ten hours, send an alert to Queue Manager.
    • When ticket status has been set to “on hold” for five days, send a reminder to assignee.
    • When ticket is categorized as “Software-ERP,” send to ERP queue.
    • When ticket is prioritized as P1/critical, send alert to emergency response team.
    • When ticket is prioritized as P1 and hasn’t been updated for one hour, send an alert to Incident Manager.
    • When an in-progress ticket is reassigned to a new queue, alert Queue Manager.
    • When ticket has not been resolved within seven days, flag as aging ticket.

    #9 Configure your ITSM tool to support and optimize queue management processes

    Configure your tool to support your needs; don’t adjust your processes to match the tool.

    • Most ITSM tools have default queues out of the box and the option to create as many custom queues, filters, and views as you need. Custom queues should allow you to name the queue, decide which tickets will be sent to the queue, and what columns or information are displayed in the queue.
    • Before you configure your queues and dashboards, sit down with your team to decide what you need and what will best enable each agent to manage their workload.
    • Decide which queues each role should have access to – most should only need to see their own queue and their team’s queue.
    • Configure which queues or views new tickets will be sent to.
    • Configure automation rules defined earlier (e.g. automate sending certain tickets to specific queues or sending notifications to specific parties when certain conditions are met).
    • Configure dashboards and reports on queue volume and ticket status data relevant to each team to help them manage their workload, increase visibility, and identify issues or actions.

    Info-Tech Insight

    It can be overwhelming to support agents when their view is a long and never-ending queue. Set the default dashboard view to show only those tickets assigned to the viewer to make it appear more manageable and easier to organize.

    Configure queues to maximize productivity

    Info-Tech Insight

    The queue should quickly give your team all the information they need to prioritize their work, including ticket status, priority, category, due date, and updated timestamps. Configuration is important - if it’s confusing, clunky, or difficult to filter or sort, it will impact response and resolution times and can lead to missed tickets. Give your team input into configuration and use visuals such as color coding to help agents prioritize their work – for example, VIP tickets may be clearly flagged, critical or high priority tickets may be highlighted, tickets about to breach may be red.

    this image contains a sample queue organization which demonstrates how to maximize productivity

    #10 Don’t lose visibility of the backlog

    Be careful not to focus so much on assigning new tickets that you forget to update aging tickets, leading to an overwhelming backlog and dissatisfied users.

    Track metrics that give visibility into how quickly tickets are being resolved and how many aging tickets you have. Metrics may include:

    • Ticket resolution time by priority, by workgroup
    • Ticket volume by status (i.e. open, in progress, on hold, resolved)
    • Ticket volume by age
    • Ticket volume by queue and assignee

    Regularly review reports on these metrics with the team.

    Make it an agenda item to review aging tickets, on hold tickets, and tickets about to breach or past breach with the team.

    Take action on aging tickets to ensure progress is being made.

    Set rules to close tickets after a certain number of attempts to reach unresponsive users (and change ticket status appropriately).

    Schedule times for your team to tackle aged tickets or tickets in the backlog.

    Info-Tech Insight

    It can be easy for high priority work to constantly push down low priority work, leaving the lower priority tickets to constantly be ignored and users to be frustrated. If you’re struggling with aging tickets, backlog, and tickets breaching SLA, experiment with your team and queue structure to figure out the best resource distribution to handle your workload. This could mean rotating people through the triage role to allow them time to work through the backlog, reducing the number of people doing triage during slower volume periods, or giving technicians dedicated time to work through tickets. For help with forecasting demand and optimizing resources, see Staff the Service Desk to Meet Demand.

    Activity 1.1: Define ticket queues

    1 hour

    Map out your optimal ticket queue structure using the Service Desk Queue Structure Template. Follow the instructions in the template to complete it as a team.

    The template includes several examples of service desk queue structures followed by space to build your own model of an optimal service desk queue structure and to document who is assigned to each queue and responsible for managing each queue.

    Note:

    The template is not meant to map out your entire service desk structure (e.g. tiers, escalation paths) or ticket resolution process, but simply the ticket queues and how a ticket moves between queues. For help documenting more detailed process workflows or service desk structure, see the blueprint Standardize the Service Desk.

    this image contains screenshot from Info-Tech's blueprint: Service Desk Queue structure Template

    Input

    • Current queue structure and roles

    Output

    • Defined service desk ticket queues and assigned responsibilities

    Materials

    • Org chart
    • ITSM tool for reference, if needed

    Participants

    • Service Desk Manager
    • IT Director
    • Queue Managers

    Document in the Service Desk Queue Structure Template.

    Related Info-Tech Research

    Standardize the Service Desk

    This project will help you build and improve essential service desk processes including incident management, request fulfillment, and knowledge management to create a sustainable service desk.

    Optimize the Service Desk With a Shift-Left Strategy

    This project will help you build a strategy to shift service support left to optimize your service desk operations and increase end-user satisfaction.

    Improve Service Desk Ticket Intake

    This project will help you streamline your ticket intake process and identify improvements to your intake channels.

    Staff the Service Desk to Meet Demand

    This project will help you determine your optimal service desk structure and staffing levels based on your unique environment, workload, and trends.

    Works Cited

    “What your Customers Really Want.” Freshdesk, 31 May 2021. Accessed May 2022.

    Leverage Big Data by Starting Small

    • Buy Link or Shortcode: {j2store}201|cart{/j2store}
    • member rating overall impact: 7.0/10 Overall Impact
    • member rating average dollars saved: 3 Average Days Saved
    • member rating average days saved: After each Info-Tech experience, we ask our members to quantify the real-time savings, monetary impact, and project improvements our research helped them achieve.
    • Parent Category Name: Big Data
    • Parent Category Link: /big-data
    • The desire for rapid decision making is increasing and the complexity of data sources is growing; business users want access to several new data sources, but in a way that is controlled and easily consumable.
    • Organizations may understand the transformative potential of a big data initiative, but struggle to make the transition from the awareness of its importance to identifying a concrete use case for a pilot project.
    • The big data ecosystem is crowded and confusing, and a lack of understanding of that ecosystem may cause a paralysis for organizations.

    Our Advice

    Critical Insight

    • Big data is simply data. With technological advances, what was once considered big data is now more approachable for all organizations irrespective of size.
    • The variety element is the key to unlocking big data value. Drill down into your specific use cases more effectively by focusing on what kind of data you should use.
    • Big data is about deep analytics. Deep doesn’t mean difficult. Visualization of data, integrating new data, and understanding associations are ways to deepen your analytics.

    Impact and Result

    • Establish a foundational understanding of what big data entails and what the implications of its different elements are for your organization.
    • Confirm your current maturity for taking on a big data initiative, and make considerations for core data management practices in the context of incorporating big data.
    • Avoid boiling the ocean by pinpointing use cases by industry and functional unit, followed by identifying the most essential data sources and elements that will enable the initiative.
    • Leverage a repeatable pilot project framework to build out a successful first initiative and implement future projects en-route to evolving a big data program.

    Leverage Big Data by Starting Small Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should leverage big data, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Undergo big data education

    Build a foundational understanding of the current big data landscape.

    • Leverage Big Data by Starting Small – Phase 1: Undergo Big Data Education

    2. Assess big data readiness

    Appraise current capabilities for handling a big data initiative and revisit the key data management practices that will enable big data success.

    • Leverage Big Data by Starting Small – Phase 2: Assess Big Data Readiness
    • Big Data Maturity Assessment Tool

    3. Pinpoint a killer big data use case

    Armed with Info-Tech’s variety dimension framework, identify the top use cases and the data sources/elements that will power the initiative.

    • Leverage Big Data by Starting Small – Phase 3: Pinpoint a Killer Big Data Use Case
    • Big Data Use-Case Suggestion Tool

    4. Structure a big data proof-of-concept project

    Leverage a repeatable framework to detail the core components of the pilot project.

    • Leverage Big Data by Starting Small – Phase 4: Structure a Big Data Proof-of-Concept Project
    • Big Data Work Breakdown Structure Template
    • Data Scientist
    • Big Data Cost/Benefit Tool
    • Big Data Stakeholder Presentation Template
    • Big Data Communication Tracking Template
    [infographic]

    Workshop: Leverage Big Data by Starting Small

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Undergo Big Data Education

    The Purpose

    Understand the basic elements of big data and its relationship to traditional business intelligence.

    Key Benefits Achieved

    Common, foundational knowledge of what big data entails.

    Activities

    1.1 Determine which of the four Vs is most important to your organization.

    1.2 Explore new data through a social lens.

    1.3 Brainstorm new opportunities for enhancing current reporting assets with big data sources.

    Outputs

    Relative importance of the four Vs from IT and business perspectives

    High-level improvement ideas to report artifacts using new data sources

    2 Assess Your Big Data Readiness

    The Purpose

    Establish an understanding of current maturity for taking on big data, as well as revisiting essential data management practices.

    Key Benefits Achieved

    Concrete idea of current capabilities.

    Recommended actions for developing big data maturity.

    Activities

    2.1 Determine your organization’s current big data maturity level.

    2.2 Plan for big data management.

    Outputs

    Established current state maturity

    Foundational understanding of data management practices in the context of a big data initiative

    3 Pinpoint Your Killer Big Data Use Case

    The Purpose

    Explore a plethora of potential use cases at the industry and business unit level, followed by using the variety element of big data to identify the highest value initiative(s) within your organization.

    Key Benefits Achieved

    In-depth characterization of a pilot big data initiative that is thoroughly informed by the business context.

    Activities

    3.1 Identify big data use cases at the industry and/or departmental levels.

    3.2 Conduct big data brainstorming sessions in collaboration with business stakeholders to refine use cases.

    3.3 Revisit the variety dimension framework to scope your big data initiative in further detail.

    3.4 Create an organizational 4-column data flow model with your big data sources/elements.

    3.5 Evaluate data sources by considering business value and risk.

    3.6 Perform a value-effort assessment to prioritize your initiatives.

    Outputs

    Potential big data use cases

    Potential initiatives rooted in the business context and identification of valuable data sources

    Identification of specific data sources and data elements

    Characterization of data sources/elements by value and risk

    Prioritization of big data use cases

    4 Structure a Big Data Proof-of-Concept Project

    The Purpose

    Put together the core components of the pilot project and set the stage for enterprise-wide support.

    Key Benefits Achieved

    A repeatable framework for implementing subsequent big data initiatives.

    Activities

    4.1 Construct a work breakdown structure for the pilot project.

    4.2 Determine your project’s need for a data scientist.

    4.3 Establish the staffing model for your pilot project.

    4.4 Perform a detailed cost/benefit analysis.

    4.5 Make architectural considerations for supporting the big data initiative.

    Outputs

    Comprehensive list of tasks for implementing the pilot project

    Decision on whether or not a data scientist is needed, and where data science capabilities will be sourced

    RACI chart for the project

    Big data pilot cost/benefit summary

    Customized, high-level architectural model that incorporates technologies that support big data

    Transform Your Field Technical Support Services

    • Buy Link or Shortcode: {j2store}112|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Strategy and Organizational Design
    • Parent Category Link: /strategy-and-organizational-design
    • Redefine the role of deskside or field technicians as demand for service evolves and service teams are restructured.
    • Redefine the role of onsite technicians when the help desk is outsourced.
    • Define requirements when supplementing with outsourced field services teams.
    • Identify barriers to streamlining processes.
    • Look for opportunities to streamline processes and better use technical teams.
    • Communicate and manage change to support roles.

    Our Advice

    Critical Insight

    • Service needs to be defined in a way that considers the organizational need for local, hands-on technicians, the need for customer service, and the need to make the best use of resources that you have.
    • Service level agreements will need to be refined and metrics will need to be analyzed for capacity and skilled planning.
    • Organizational change management will be key to persuade users to engage with the technical team in a way that supports the new structure.

    Impact and Result

    • Many IT teams are struggling to keep up with demand while trying to refocus on customer service. With more remote workers than ever, organizations who have traditionally provided desktop and field services have been revaluating the role of the field service technicians. Add in the price of fuel, and there is even more reason to assess the support model.
    • Often changes to the way IT does support, especially if moving centralized support to an outsourcer, is met with resistance by end users who don’t see the value of phoning someone else when their local technician is still available to problem solve. This speaks to the need to ensure the central group is providing value to end users as well as the technical team.
    • With the challenges of finding the right number of technicians with the right skills, it’s time to rethink remote support and how that can be used to train and upskill the people you have. And it’s time to think about how to use field services tools to make the best use of your technician’s time.

    Transform Your Field Technical Support Services Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Transform Field Services Guide – A brief deck that outlines key migration steps to improve our remote client support services.

    This blueprint will help you:

    • Transform Your Field Technical Services Storyboard

    2. Transform Field Services Template – A template to create a transformation proposal.

    This template will help you to build your proposal to transform your field services.

    • Proposal to Transform Field Technical Services Template
    [infographic]

    Further reading

    Transform Your Field Technical Support Services

    Improve service and reduce costs through digital transformation.

    Analyst Perspective

    Improve staffing challenges through digital transformation.

    Many IT teams are struggling to keep up with demand while trying to refocus on customer service. With more remote workers than ever, organizations who have traditionally provided desktop and field services have been revaluating the role of the field service technicians. Add in the price of fuel, and there is even more reason to assess the support model. Often changes to the way IT does support, especially if moving centralized support to an outsourcer, is met with resistance by end users who don’t see the value of phoning someone else when their local technician is still available to problem solve. This speaks to the need to ensure the central group is providing value to end users as well as the technical team. With the challenges of finding the right number of technicians with the right skills, it’s time to rethink remote support and how that can be used to train and upskill the people you have. And it’s time to think about how to use field services tools to make the best use of your technician’s time.

    The image contains a picture of Sandi Conrad.

    Sandi Conrad

    Principal Research Director

    Infrastructure & Operations Practice

    Info-Tech Research Group

    Executive Summary

    Your Challenge

    With remote work becoming a normal employee offering for many organizations, self-serve/self-solve becoming more prominent, and a common call out to improve customer service, there is a need to re-examine the way many organizations are supplying onsite support. For organizations with a small number of offices, a central desk with remote tools may be enough or can be combined with a concierge service or technical center, but for organizations with multiple offices it becomes difficult to provide a consistent level of service for all customers unless there is a team onsite for each location. This may not be financially possible if there isn’t enough work to keep a technical team busy full-time.

    Common Obstacles

    Where people have a choice between calling a central phone number or talking to the technician down the hall, the in-person experience often wins out. End users may resist changes to in-person support as work is rerouted to a centralized group by choosing to wait for their favorite technician to show up onsite rather than reporting issues centrally. This can make the job of the onsite technician more challenging as they need to schedule time in every visit for unplanned work. And where technicians need to support multiple locations, travel needs to be calculated into lost technician time and costs.

    Info-Tech’s Approach

    • Service needs to be defined in a way that considers the organizational need for local, hands-on technicians, the need for customer service, and the need to make the best use of resources that you have.
    • Service-level agreements will need to be refined and metrics will need to be analyzed for capacity and skilled planning.
    • Organizational change management will be key to persuade users to engage with the technical team in a way that supports the new structure.

    Info-Tech Insight

    Improving process will be helpful for smaller teams, but as teams expand or work gets more complicated, investment in appropriate tools to support field services technicians will enable them to be more efficient, reduce costs, and improve outcomes when visits are warranted.

    Your challenge

    This research is designed to help organizations who are looking to:

    • Redefine the role of deskside or field technicians as demand for service evolves and service teams are restructured.
    • Redefine the role of onsite technicians when the help desk is outsourced.
    • Define requirements when supplementing with outsourced field services teams.
    • Identify barriers to streamlining processes.
    • Look for opportunities to streamline processes and better use technical teams.
    • Communicate and manage change to support roles.

    With many companies having new work arrangements for users, where remote work may be a permanent offering or if your digital transformation is well underway, this provides an opportunity to rethink how field support needs to be done.

    What is field services?

    Field services is in-person support delivered onsite at one or more locations. Management of field service technicians may include queue management, scheduling service and maintenance requests, triaging incidents, dispatching technicians, ordering parts, tracking job status, and billing.

    The image contains a diagram to demonstrate what may be supported by field services and what should be supported by field services.

    What challenges are you trying to solve within your field services offering?

    Focus on the reasons for the change to ensure the outcome can be met. Common goals include improved customer service, better technician utilization, and increased response time and stability.

    • Discuss specific challenges the team feels are contributing to less-than-ideal customer service.
    • Does the team have the skills, knowledge, and tools they need to be successful? Technicians may be solving issues with the customer looking over their shoulder. Having quick access to knowledge articles or to subject matter experts who can provide deeper expertise remotely may be the difference between a single visit to resolve or multiple or extended visits.
    • What percentage of tickets would benefit from triage and troubleshooting done remotely before sending a technician onsite? Where there are a high number of no-fault-found visits, this may be imperative to improving technician availability.
    • Review method for distribution of tickets, including batching criteria and dispatching of technicians. Are tickets being dispatched efficiently? By location and/or priority? Is there an attempt to solve more tickets centrally? Should there be? What SLA adjustment is reasonable for onsite visits?
    • Has the support value been defined?
    The image contains a graph to demonstrate Case Casuals in Field Services, where the highest at 55% is break/fix.

    Field services will see the biggest improvements through technology updates

    Customer Intake

    Provide tools for scheduling technicians, self-serve and self- or assisted-solve through ITSM or CRM-based portal and visual remote tools.

    The image contains a picture to demonstrate the different field services.

    Triage and Troubleshoot

    Upgrade remote tools to visual remote solutions to troubleshoot equipment as well as software. Eliminate no-fault-found visits and improve first-time fix rate by visually inspecting equipment before technician deployments.

    Improve Communications

    FSM GPS and SMS updates can be set to notify customers when a technician is close by and can be used for customer sign-off to immediately update service records and launch survey or customer billing where applicable.

    Schedule Technicians

    Field service management (FSM) ITSM modules will allow skills-based scheduling for remote technicians and determine best route for multi-site visits.

    Enable Work From Anywhere

    FSM mobile applications can provide technicians with daily schedules, turn-by-turn directions, access to inventory, knowledge articles, maintenance, and warranty and asset records. Visual remote captures service records and enables access to SMEs.

    Manage Expectations

    Know where technicians are for routing to emergency calls and managing workload using field service management solutions with GPS.

    Digital transformation can dramatically improve customer and technician experience

    The image contains an arrown that dips and rises dramatically to demonstrate how digital transformation can dramatically increase customer and technician experience.
    Sources: 1 - TechSee, 2019; 2 - Glartek; 3 - Geoforce; 4 - TechSee, 2020

    Improve technician utilization and scheduling with field services management software

    Field services management (FSM) software is designed to improve scheduling of technicians by skills and location while reducing travel time and mileage. When integrated with ITSM software, the service record is transferred to the field technician for continuity and to prepare for the job. FSM mobile apps will enable technicians to receive schedule updates through the day and through GPS update the dispatcher as technicians move from site to site.

    FSM solutions are designed to manage large teams of technicians, providing automated dispatch recommendations based on skills matching and proximity.

    Routes can be mapped to reduce travel time and mileage and adjusted to respond to emergency requests by technician skills or proximity. Automation will provide suggestions for work allocation.

    Spare parts management may be part of a field services solution, enabling technicians to easily identify parts needed and update real-time inventory as parts are deployed.

    Push notifications in real-time streamline communications from the field to the office, and enable technicians to close service records while in the field.

    Dispatchers can easily view availability, assign work orders, attach notes to work orders, and immediately receive updates if technicians acknowledge or reject a job.

    Maintenance work can be built into online checklists and forms to provide a technician with step-by-step instructions and to ensure a complete review.

    Skills and location-based routing allow dispatchers to be able to see closest tech for emergency deployments.

    Improve time to resolve while cutting costs by using visual remote support tools

    Visual remote support tools enable live video sessions to clearly see what the client or field service technician sees, enabling the experts to provide real-time assistance where the experts will provide guidance to the onsite person. Getting a view of the technology will reduce issues with getting the right parts, tools, and technicians onsite and dramatically reduce second visits.

    Visual remote tools can provide secure connections through any smartphone, with no need for the client to install an application.

    The technicians can take control of the camera to zoom in, turn on the flashlight for extra lighting, take photos, and save video directly to the tickets.

    Optical character recognition allows automatic text capture to streamline process to check warranty, recalls, and asset history.

    Visual, interactive workflows enhance break/fix and inspections, providing step-by-step guidance visual evidence and using AI and augmented reality to assess the images, and can provide next steps by connecting to a visual knowledgebase.

    Integration with field service management tools will allow information to easily be captured and uploaded immediately into the service record.

    Self-serve is available through many of these tools, providing step-by-step instructions using visual cues. These solutions are designed to work in low-bandwidth environments, using Wi-Fi or cellular service, and sessions can be started with a simple link sent through SMS.

    Advisory Call Outline: Software Selection Engagement

    • Buy Link or Shortcode: {j2store}609|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Selection & Implementation
    • Parent Category Link: /selection-and-implementation
    • Selection takes forever. Traditional software selection drags on for years, sometimes in perpetuity.
    • IT is viewed as a bottleneck and the business has taken control of software selection.
    • “Gut feel” decisions rule the day. Intuition, not hard data, guides selection, leading to poor outcomes.
    • Negotiations are a losing battle. Money is left on the table by inexperienced negotiators.
    • Overall: Poor selection processes lead to wasted time, wasted effort, and applications that continually disappoint.

    Our Advice

    Critical Insight

    • Adopt a formal methodology to accelerate and improve software selection results.
    • Improve business satisfaction by including the right stakeholders and delivering new applications on a truly timely basis.
    • Kill the “sacred cow” requirements that only exist because “it’s how we’ve always done it.”
    • Forget about “RFP” overload and hone in on the features that matter to your organization.
    • Skip the guesswork and validate decisions with real data.
    • Take control of vendor “dog and pony shows” with single-day, high-value, low-effort, rapid-fire investigative interviews.
    • Master vendor negotiations and never leave money on the table.

    Impact and Result

    • Improving software selection is a critical project that will deliver huge value.
    • Hit a home run with your business stakeholders: use a data-driven approach to select the right application vendor for their needs – fast.
    • Shatter stakeholder expectations with truly rapid application selections.
    • Boost collaboration and crush the broken telephone with concise and effective stakeholder meetings.
    • Lock in hard savings and do not pay list price by using data-driven tactics.

    Advisory Call Outline: Software Selection Engagement Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Advisory Call Outline

    Info-Tech's expert analyst guidance will help you save money, align stakeholders, and speed up the application selection process.

    • Advisory Call Outline: Software Selection Engagement Deck

    2. Workshop Overview

    Info-Tech's workshop will help you implement a repeatable, data-driven approach that accelerates software selection efforts.

    • Rapid Software Selection Workshop Overview
    [infographic]

    Break Open Your DAM With Intuitive Metadata

    • Buy Link or Shortcode: {j2store}389|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Data Management
    • Parent Category Link: /data-management
    • Organizations are facing challenges from explosive information growth in both volume and complexity, as well as the need to use more new sources of information for social media just to remain in business.
    • A lot of content can be created quickly, but managing those digital assets properly through metadata tagging that will be used consistently and effectively requires processes to be in place to create standardized and informational metadata at the source of content creation.
    • Putting these processes in place changes the way the organization handles its information, which may generate pushback, and requires socialization and proper management of the metadata strategy.

    Our Advice

    Critical Insight

    • Metadata is an imperative part of the organizations broader information management strategy. Some may believe that metadata is not needed anymore; Google search is not a magic act – it relies on information tagging that reflects cultural sentiment.
    • Metadata should be pliable. It needs to grow with the changing cultural and corporate vernacular and knowledge, and adapt to changing needs.
    • Build a map for your metadata before you dig for buried treasure. Implement metadata standards and processes for current digital assets before chasing after your treasure troves of existing artifacts.

    Impact and Result

    • Create a sustainable and effective digital asset management (DAM) program by understanding Info-Tech’s DAM framework and how the framework fits within your organization for better management of key digital assets.
    • Create an enterprise-wide metadata design principles handbook to keep track of metadata schemas and standards, as well as communicate the standards to the entire organization.
    • Gather requirements for your DAM program, as well as the DAM system and roles, by interviewing key stakeholders and identifying prevalent pains and opportunities. Understand where digital assets are created, used, and stored throughout the enterprise to gain a high-level perspective of DAM requirements.
    • Identify the organization’s current state of metadata management along with the target state, identify the gaps, and then define solutions to fill those gaps. Ensure business initiatives are woven into the mix.
    • Create a comprehensive roadmap to prioritize initiatives and delineate responsibilities.

    Break Open Your DAM With Intuitive Metadata Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should develop a digital asset management program focused on metadata, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Build a foundation for your DAM project

    Gain an in-depth understanding of what digital asset management is as well as how it is supported by Info-Tech’s DAM framework.

    • Break Open Your DAM With Intuitive Metadata – Phase 1: Build a Foundation for Your DAM Project
    • DAM Design Principles Handbook
    • Where in the World Is My Digital Asset? Tool
    • Digital Asset Inventory Tool
    • DAM Requirements Gathering Tool

    2. Dive into the DAM strategy

    Create a metadata program execution strategy and assess current and target states for the organization’s DAM.

    • Break Open Your DAM With Intuitive Metadata – Phase 2: Dive Into the DAM Strategy
    • DAM Roadmap Tool
    • DAM Metadata Execution Strategy Document

    3. Create intuitive metadata for your DAM

    Design a governance plan for ongoing DAM and metadata management.

    • Break Open Your DAM With Intuitive Metadata – Phase 3: Create Intuitive Metadata for Your Digital Assets
    • Metadata Manager Tool
    [infographic]

    Workshop: Break Open Your DAM With Intuitive Metadata

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Structure the Metadata Project

    The Purpose

    Develop a foundation of knowledge regarding DAM and metadata, as well as the best practices for organizing the organization’s information and digital assets for ideal findability.

    Key Benefits Achieved

    Design standardized processes for metadata creation and digital asset management to help to improve findability of key assets.

    Gain knowledge of how DAM can benefit both IT and the business.

    Activities

    1.1 Build a DAM and metadata knowledge foundation.

    1.2 Kick-start creation of the organization’s DAM design principles handbook.

    1.3 Interview key business units to understand drivers for the program.

    1.4 Develop a DAM framework.

    Outputs

    DAM Design Principles Handbook

    DAM Execution Strategy Document

    2 Assess Requirements for the DAM Program

    The Purpose

    Inventory the organization’s key digital assets and their repositories.

    Gather the organization’s requirements for a full-time digital asset librarian, as well as the DAM system.  

    Key Benefits Achieved

    Determine clear and specific requirements for the organization from the DAM system and the people involved.

    Activities

    2.1 Conduct a digital asset inventory to identify key assets to include in DAM.

    2.2 Prioritize digital assets to determine their risk and value to ensure appropriate support through the information lifecycle.

    2.3 Determine the requirements of the business and IT for the DAM system and its metadata.

    Outputs

    Digital Asset Inventory Tool

    DAM Requirements Gathering Tool

    3 Design Roadmap and Plan Implementation

    The Purpose

    Determine strategic initiatives and create a roadmap outlining key steps required to get the organization to start enabling data-driven insights.

    Determine timing of the initiatives. 

    Key Benefits Achieved

    Establish a clear direction for the DAM program.

    Build a step-by-step outline of how to create effective metadata with true business-IT collaboration.

    Have prioritized initiatives with dependencies mapped out.

    Activities

    3.1 Assess current and target states of DAM in the organization.

    3.2 Brainstorm and document practical initiatives to close the gap.

    3.3 Discuss strategies rooted in business requirements to execute the metadata management program to improve findability of digital assets.

    Outputs

    DAM Roadmap Tool

    4 Establish Metadata Governance

    The Purpose

    Identify the roles required for effective DAM and metadata management.

    Create sample metadata according to established guiding principles and implement a feedback method to create intuitive metadata in the organization. 

    Key Benefits Achieved

    Metadata management is an ongoing project. Implementing it requires user input and feedback, which governance will help to support.

    By integrating metadata governance with larger information or data governance bodies, DAM and metadata management will gain sustainability. 

    Activities

    4.1 Discuss and assign roles and responsibilities for initiatives identified in the roadmap.

    4.2 Review policy requirements for the information assets in the organization and strategies to address enforcement.

    4.3 Integrate the governance of metadata into larger governance committees.

    Outputs

    DAM Execution Strategy

    Negotiate SaaS Agreements That Are Built to Last

    • Buy Link or Shortcode: {j2store}137|cart{/j2store}
    • member rating overall impact: 9.4/10 Overall Impact
    • member rating average dollars saved: $72,298 Average $ Saved
    • member rating average days saved: 10 Average Days Saved
    • Parent Category Name: Vendor Management
    • Parent Category Link: /vendor-management
    • Internal stakeholders usually have different – and often conflicting – needs and expectations that require careful facilitation and management.
    • SaaS solutions bring forth a unique form of “switching costs” that can make a decision to migrate solutions financially, technically, and politically painful.

    Our Advice

    Critical Insight

    • Conservatively, it’s possible to save 5% of the overall IT budget through comprehensive software and SaaS contract review.
    • Focus on the terms and conditions, not just the price.
    • Learning to negotiate is crucial.

    Impact and Result

    • Take control of your SaaS contract negotiations from the beginning.
    • Look at your contract holistically to find cost savings.
    • Guide communication between vendors and your organization for the duration of contract negotiations.
    • Redline the terms and conditions of your SaaS contract.
    • Prioritize crucial terms and conditions to negotiate.

    Negotiate SaaS Agreements That Are Built to Last Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out how to redline and negotiate a SaaS agreement, review Info-Tech’s methodology, and understand the different ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Gather requirements

    Build and manage the stakeholder team, and then document the business use case.

    • Negotiate SaaS Agreements That Are Built to Last – Phase 1: Gather Requirements
    • RASCI Chart
    • Vendor Communication Management Plan
    • Software Business Use Case Template
    • SaaS TCO Calculator

    2. Redline contract

    Redline the proposed SaaS contract.

    • Negotiate SaaS Agreements That Are Built to Last – Phase 2: Redline Contract
    • SaaS Terms and Conditions Evaluation Tool

    3. Negotiate contract

    Create a thorough negotiation plan.

    • Negotiate SaaS Agreements That Are Built to Last – Phase 3: Negotiate Contract
    • SaaS Contract Negotiation Terms Prioritization Checklist
    • Controlled Vendor Communications Letter
    • Key Vendor Fiscal Year End Calendar
    • Contract Negotiation Tactics Playbook
    [infographic]

    Workshop: Negotiate SaaS Agreements That Are Built to Last

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Collect and Review Data

    The Purpose

    Assemble documentation.

    Key Benefits Achieved

    Understand current position before going forward.

    Activities

    1.1 Assemble existing contracts.

    1.2 Document their strategic and tactical objectives.

    1.3 Identify current status of the vendor relationship and any historical context.

    1.4 Clarify goals for ideal future state.

    Outputs

    Business Use Case.

    2 Define the Business Use Case and Build a Stakeholder Team

    The Purpose

    Define the business use case and build a stakeholder team.

    Key Benefits Achieved

    Create a business use case to document functional and non-functional requirements.

    Build an internal cross-functional stakeholder team to negotiate the contract.

    Activities

    2.1 Establish a negotiation team and define roles.

    2.2 Write a communication plan.

    2.3 Complete a business use case.

    Outputs

    RASCI Matrix

    Communications Plan

    SaaS TCO Calculator

    Business Use Case

    3 Redline the Contract

    The Purpose

    Examine terms and conditions and prioritize for negotiation.

    Key Benefits Achieved

    Discover cost savings.

    Improve agreement terms.

    Prioritize terms for negotiation.

    Activities

    3.1 Review general terms and conditions.

    3.2 Review license and application specific terms and conditions.

    3.3 Match to business and technical requirements.

    3.4 Redline the agreement.

    Outputs

    SaaS Terms and Conditions Evaluation Tool

    SaaS Contract Negotiation Terms Prioritization Checklist

    4 Build a Negotiation Strategy

    The Purpose

    Create a negotiation strategy.

    Key Benefits Achieved

    Controlled communication established.

    Negotiation tactics chosen.

    Negotiation timeline plotted.

    Activities

    4.1 Review vendor and application specific negotiation tactics.

    4.2 Build negotiation strategy.

    Outputs

    Contract Negotiation Tactics Playbook

    Controlled Vendor Communications Letter

    Key Vendor Fiscal Year End Calendar

    Build a Strategic IT Workforce Plan

    • Buy Link or Shortcode: {j2store}390|cart{/j2store}
    • member rating overall impact: 9.6/10 Overall Impact
    • member rating average dollars saved: $180,171 Average $ Saved
    • member rating average days saved: 19 Average Days Saved
    • Parent Category Name: Organizational Design
    • Parent Category Link: /organizational-design
    • Talent has become a competitive differentiator. To 46% of business leaders, workforce planning is a top priority – yet only 13% do it effectively.
    • CIOs aren’t sure what they need to give the organization a competitive edge or how current staffing line-ups fall short.

    Our Advice

    Critical Insight

    • A well defined strategic workforce plan (SWP) isn’t just a nice-to-have, it’s a must-have.
    • Integrate as much data as possible into your workforce plan to best prepare you for the future. Without knowledge of your future initiatives, you are filling hypothetical holes.
    • To be successful, you need to understand your strategic initiatives, workforce landscape, and external and internal trends.

    Impact and Result

    The workforce planning process does not need to be onerous, especially with help from Info-Tech’s solid planning tools. With the right people involved and enough time invested, developing an SWP will be easier than first thought and time well spent. Leverage Info-Tech’s client-tested 5-step process to build a strategic workforce plan:

    1. Build a project charter
    2. Assess workforce competency needs
    3. Identify impact of internal and external trends
    4. Identify the impact of strategic initiatives on roles
    5. Build and monitor the workforce plan

    Build a Strategic IT Workforce Plan Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should build a strategic workforce plan for IT, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Initiate the project

    Assess the value of a strategic workforce plan and the IT department’s fit for developing one, and then structure the workforce planning project.

    • Build a Strategic Workforce Plan – Phase 1: Initiate the Project
    • IT Strategic Workforce Planning Project Charter Template
    • IT Strategic Workforce Planning Project Plan Template

    2. Analyze workforce needs

    Gather and analyze workforce needs based on an understanding of the relevant internal and external trends, and then produce a prioritized plan of action.

    • Build a Strategic Workforce Plan – Phase 2: Analyze Workforce Needs
    • Workforce Planning Workbook

    3. Build the workforce plan

    Evaluate workforce priorities, plan specific projects to address them, and formalize and integrate strategic workforce planning into regular planning processes.

    • Build a Strategic Workforce Plan – Phase 3: Build and Monitor the SWP
    [infographic]

    Workshop: Build a Strategic IT Workforce Plan

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Identify Project Goals, Metrics, and Current State

    The Purpose

    Develop a shared understanding of the challenges your organization is facing with regards to talent and workforce planning.

    Key Benefits Achieved

    An informed understanding of whether or not you need to develop a strategic workforce plan for IT.

    Activities

    1.1 Identify goals, metrics, and opportunities

    1.2 Segment current roles

    1.3 Identify organizational culture

    1.4 Assign job competencies

    1.5 Assess current talent

    Outputs

    Identified goals, metrics, and opportunities

    Documented organizational culture

    Aligned competencies to roles

    Identified current talent competency levels

    2 Assess Workforce and Analyze Trends

    The Purpose

    Perform an in-depth analysis of how internal and external trends are impacting the workforce.

    Key Benefits Achieved

    An enhanced understanding of the current talent occupying the workforce.

    Activities

    2.1 Assess environmental trends

    2.2 Identify impact on workforce requirements

    2.3 Identify how trends are impacting critical roles

    2.4 Explore viable options

    Outputs

    Complete internal trends analysis

    Complete external trends analysis

    Identified internal and external trends on specific IT roles

    3 Perform Gap Analysis

    The Purpose

    Identify the changing competencies and workforce needs of the future IT organization, including shortages and surpluses.

    Key Benefits Achieved

    Determined impact of strategic initiatives on workforce needs.

    Identification of roles required in the future organization, including surpluses and shortages.

    Identified projects to fill workforce gaps.

    Activities

    3.1 Identify strategic initiatives

    3.2 Identify impact of strategic initiatives on roles

    3.3 Determine workforce estimates

    3.4 Determine projects to address gaps

    Outputs

    Identified workforce estimates for the future

    List of potential projects to address workforce gaps

    4 Prioritize and Plan

    The Purpose

    Prepare an action plan to address the critical gaps identified.

    Key Benefits Achieved

    A prioritized plan of action that will fill gaps and secure better workforce outcomes for the organization.

    Activities

    4.1 Determine and prioritize action items

    4.2 Determine a schedule for review of initiatives

    4.3 Integrate workforce planning into regular planning processes

    Outputs

    Prioritized list of projects

    Completed workforce plan

    Identified opportunities for integration

    Select and Use SDLC Metrics Effectively

    • Buy Link or Shortcode: {j2store}150|cart{/j2store}
    • member rating overall impact: 9.4/10 Overall Impact
    • member rating average dollars saved: $2,991 Average $ Saved
    • member rating average days saved: 32 Average Days Saved
    • Parent Category Name: Development
    • Parent Category Link: /development
    • Your organization wants to implement (or revamp existing) software delivery metrics to monitor performance as well as achieve its goals.
    • You know that metrics can be a powerful tool for managing team behavior.
    • You also know that all metrics are prone to misuse and mismanagement, which can lead to unintended consequences that will harm your organization.
    • You need an approach for selecting and using effective software development lifecycle (SDLC) metrics that will help your organization to achieve its goals while minimizing the risk of unintended consequences.

    Our Advice

    Critical Insight

    • Metrics are powerful, dangerous, and often mismanaged, particularly when they are tied to reward or punishment. To use SDLC metrics effectively, know the dangers, understand good practices, and then follow Info-Tech‘s TAG (team-oriented, adaptive, and goal-focused) approach to minimize risk and maximize impact.

    Impact and Result

    • Begin by understanding the risks of metrics.
    • Then understand good practices associated with metrics use.
    • Lastly, follow Info-Tech’s TAG approach to select and use SDLC metrics effectively.

    Select and Use SDLC Metrics Effectively Research & Tools

    Start here – read the Executive Brief

    Understand both the dangers and good practices related to metrics, along with Info-Tech’s TAG approach to the selection and use of SDLC metrics.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Understand the dangers of metrics

    Explore the significant risks associated with metrics selection so that you can avoid them.

    • Select and Use SDLC Metrics Effectively – Phase 1: Understand the Risks of Metrics

    2. Know good practices related to metrics

    Learn about good practices related to metrics and how to apply them in your organization, then identify your team’s business-aligned goals to be used in SDLC metric selection.

    • Select and Use SDLC Metrics Effectively – Phase 2: Know Good Practices Related to Metrics
    • SDLC Metrics Evaluation and Selection Tool

    3. Rank and select effective SDLC metrics for your team

    Follow Info-Tech’s TAG approach to selecting effective SDLC metrics for your team, create a communication deck to inform your organization about your selected SDLC metrics, and plan to review and revise these metrics over time.

    • Select and Use SDLC Metrics Effectively – Phase 3: Rank and Select Effective SDLC Metrics for Your Team
    • SDLC Metrics Rollout and Communication Deck
    [infographic]

    Workshop: Select and Use SDLC Metrics Effectively

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Understand the Dangers of Metrics

    The Purpose

    Learn that metrics are often misused and mismanaged.

    Understand the four risk areas associated with metrics: Productivity loss Gaming behavior Ambivalence Unintended consequences

    Productivity loss

    Gaming behavior

    Ambivalence

    Unintended consequences

    Key Benefits Achieved

    An appreciation of the dangers associated with metrics.

    An understanding of the need to select and manage SDLC metrics carefully to avoid the associated risks.

    Development of critical thinking skills related to metric selection and use.

    Activities

    1.1 Examine the dangers associated with metric use.

    1.2 Share real-life examples of poor metrics and their impact.

    1.3 Practice identifying and mitigating metrics-related risk.

    Outputs

    Establish understanding and appreciation of metrics-related risks.

    Solidify understanding of metrics-related risks and their impact on an organization.

    Develop the skills needed to critically analyze a potential metric and reduce associated risk.

    2 Understand Good Practices Related to Metrics

    The Purpose

    Develop an understanding of good practices related to metric selection and use.

    Introduce Info-Tech’s TAG approach to metric selection and use.

    Identify your team’s business-aligned goals for SDLC metrics.

    Key Benefits Achieved

    Understanding of good practices for metric selection and use.

    Document your team’s prioritized business-aligned goals.

    Activities

    2.1 Examine good practices and introduce Info-Tech’s TAG approach.

    2.2 Identify and prioritize your team’s business-aligned goals.

    Outputs

    Understanding of Info-Tech’s TAG approach.

    Prioritized team goals (aligned to the business) that will inform your SDLC metric selection.

    3 Rank and Select Your SDLC Metrics

    The Purpose

    Apply Info-Tech’s TAG approach to rank and select your team’s SDLC metrics.

    Key Benefits Achieved

    Identification of potential SDLC metrics for use by your team.

    Collaborative scoring/ranking of potential SDLC metrics based on their specific pros and cons.

    Finalize list of SDLC metrics that will support goals and minimize risk while maximizing impact.

    Activities

    3.1 Select your list of potential SDLC metrics.

    3.2 Score each potential metric’s pros and cons against objectives using a five-point scale.

    3.3 Collaboratively select your team’s first set of SDLC metrics.

    Outputs

    A list of potential SDLC metrics to be scored.

    A ranked list of potential SDLC metrics.

    Your team’s first set of goal-aligned SDLC metrics.

    4 Create a Communication and Rollout Plan

    The Purpose

    Develop a rollout plan for your SDLC metrics.

    Develop a communication plan.

    Key Benefits Achieved

    SDLC metrics.

    A plan to review and adjust your SDLC metrics periodically in the future.

    Communication material to be shared with the organization.

    Activities

    4.1 Identify rollout dates and responsible individuals for each SDLC metric.

    4.2 Identify your next SDLC metric review cycle.

    4.3 Create a communication deck.

    Outputs

    SDLC metrics rollout plan

    SDLC metrics review plan

    SDLC metrics communication deck

    Stabilize Release and Deployment Management

    • Buy Link or Shortcode: {j2store}453|cart{/j2store}
    • member rating overall impact: 9.6/10 Overall Impact
    • member rating average dollars saved: $38,699 Average $ Saved
    • member rating average days saved: 37 Average Days Saved
    • Parent Category Name: Operations Management
    • Parent Category Link: /i-and-o-process-management

    Lack of control over the release process, poor collaboration between teams, and manual deployments lead to poor quality releases at a cost to the business.

    Our Advice

    Critical Insight

    • Manage risk. Release management should stabilize the IT environment. A poorly designed release can take down the whole business. Rushing releases out the door leads to increased risk for the business.
    • Quality processes are key. Standardized process will enable your release and deployment management teams to have a framework to deploy new releases with minimal chance of costly downtime further down the production chain.
    • Business must own the process. Release managers need oversight of the business to remain good stewards of the release management process.

    Impact and Result

    • Be prepared with a release management policy. With vulnerabilities discovered and published at an alarming pace, organizations have to build a plan to address and fix them quickly. A detailed release and patch policy should map out all the logistics of the deployment in advance, so that when necessary, teams can handle rollouts like a well-oiled machine.
    • Automate your software deployment and patch management strategy. Replace tedious and time-consuming manual processes with the use of automated release and patch management tools. Some organizations have a variety of release tools for various tasks and processes to ensure all or most of the required processes are covered across a diverse development environment.
    • Test deployments and monitor your releases. Larger organizations may have the luxury of a test environment prior to deployment, but that may be cost prohibitive for smaller organizations. If resources are a constraint, roll out the patch gradually and closely monitor performance to be able to quickly revert in the event of an issue.

    Stabilize Release and Deployment Management Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should control and stabilize your release and deployment management practice while improving the quality of releases and deployments, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Analyze current state

    Begin improving release management by assessing the current state and gaining a solid understanding of how core operational processes are actually functioning within the organization.

    • Stabilize Release and Deployment Management – Phase 1: Analyze Current State
    • Release Management Maturity Assessment
    • Release Management Project Roadmap Tool
    • Release Management Workflow Library (Visio)
    • Release Management Workflow Library (PDF)
    • Release Management Standard Operating Procedure
    • Patch Management Policy
    • Release Management Policy
    • Release Management Deployment Tracker
    • Release Management Build Procedure Template

    2. Plan releases and deployments

    Plan releases to gather all the pieces in one place and define what, why, when, and how a release will happen.

    • Stabilize Release and Deployment Management – Phase 2: Release and Deployment Planning

    3. Build, test, deploy

    Take a holistic and comprehensive approach to effectively designing and building releases. Get everything right the first time.

    • Stabilize Release and Deployment Management – Phase 3: Build, Test, Deploy

    4. Measure, manage, improve

    Determine desired goals for release management to ensure both IT and the business see the benefits of implementation.

    • Stabilize Release and Deployment Management – Phase 4: Measure, Manage, Improve
    [infographic]

    Workshop: Stabilize Release and Deployment Management

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Analyze Current State

    The Purpose

    Release management improvement begins with assessment of the current state.

    Key Benefits Achieved

    A solid understanding of how core operational processes are actually functioning within the organization.

    Activities

    1.1 Evaluate process maturity.

    1.2 Assess release management challenges.

    1.3 Define roles and responsibilities.

    1.4 Review and rightsize existing policy suite.

    Outputs

    Maturity Assessment

    Release Management Policy

    Release Management Standard Operating Procedure

    Patch Management Policy

    2 Release Management Planning

    The Purpose

    In simple terms, release planning puts all the pertinent pieces in one place.

    Key Benefits Achieved

    It defines the what, why, when, and how a release will happen.

    Activities

    2.1 Design target state release planning process.

    2.2 Define, bundle, and categorize releases.

    2.3 Standardize deployment plans and models.

    Outputs

    Release Planning Workflow

    Categorization and prioritization schemes

    Deployment models aligned to release types

    3 Build, Test, and Deploy

    The Purpose

    Take a holistic and comprehensive approach to effectively designing and building releases.

    Key Benefits Achieved

    Standardize build and test procedures to begin to drive consistency.

    Activities

    3.1 Standardize build procedures for deployments.

    3.2 Standardize test plans aligned to release types.

    Outputs

    Build procedure for hardware and software releases

    Test models aligned to deployment models

    4 Measure, Manage, and Improve

    The Purpose

    Determine and define the desired goals for release management as a whole.

    Key Benefits Achieved

    Agree to key metrics and success criteria to start tracking progress and establish a post-deployment review process to promote continual improvement.

    Activities

    4.1 Determine key metrics to track progress.

    4.2 Establish a post-deployment review process.

    4.3 Understand and define continual improvement drivers.

    Outputs

    List of metrics and goals

    Post-deployment validation checklist

    Project roadmap

    Application Portfolio Management

    • Buy Link or Shortcode: {j2store}28|cart{/j2store}
    • Related Products: {j2store}28|crosssells{/j2store}
    • member rating overall impact: 9.1/10
    • member rating average dollars saved: $81,275
    • member rating average days saved: 20
    • Parent Category Name: Applications
    • Parent Category Link: /applications

    The challenge

    • The chances are that you, too, have too many or far too many applications in your organization. You will not be alone. Almost 60% of companies report the same issue. 
    • That is due to poorly managed portfolios.
    • Your application managers now need to support too many non-critical applications, and they spend insufficient time on the vital applications.
    • You can rarely find the required pieces to rationalize your portfolio in one place. You will need to find the resources and build a team.
    • The lack of standard practices to define the value that each application in a portfolio provides to the company causes misalignments.

    Our advice

    Insight

    • There is no silver bullet solution. Going too rigid in your approach causes delays in value realization through application portfolio management. It may even prevent this altogether. Define flexible inputs to your portfolio and align closely with your business goals.

    Impact and results 

    • Define the outputs of your application rationalization effort, with clear roles and responsibilities.
    • Tailor the application rationalization framework (ARF) to your company's motivations, goals, and limitations.
    • Apply various application assessments to build a clear picture of your portfolio.
    • Build an application portfolio roadmap that shows your target state based on your rationalization decisions.

    The roadmap

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    Get started

    Our concise executive brief shows you why you should rationalize your application portfolio using a tailored framework for your company. We'll show you our methodology and the ways we can help you in handling this.

    Lay the foundations

    Define why you want to rationalize your application portfolio. Define the end state and scope. Build your action plan.

    • Build an Application Rationalization Framework – Phase 1: Lay Your Foundations (ppt)
    • Application Rationalization Tool (xls)

    Plan the application rationalization framework

    Understand what the core assessments are that you perform in these rationalizations. Define your framework and how rigorous you want to apply the reviews based on your business context.

    • Build an Application Rationalization Framework – Phase 2: Plan Your Application Rationalization Framework (ppt)

    Test and adapt your application rationalization framework (ARF)

    Our tool allows you to test the elements of your ARF. Then do a retrospective and adapt based on your experience and desired outcomes. 

    • Build an Application Rationalization Framework – Phase 3: Test and Adapt Your Application Rationalization Framework (ppt)
    • Application TCO Calculator (xls)
    • Value Calculator (xls)

    Initiate your roadmap

    Review your dispositions to ensure they align with your goals. 

    • Build an Application Rationalization Framework – Phase 4: Initiate Your Roadmap (ppt)
    • Disposition Prioritization Tool (xls)

     

    Build Your BizDevOps Playbook

    • Buy Link or Shortcode: {j2store}177|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Architecture & Strategy
    • Parent Category Link: /architecture-and-strategy
    • Today’s rapidly scaling and increasingly complex products create mounting pressure on delivery teams to release new features and changes quickly and with sufficient quality.
    • Many organizations see BizDevOps as a solution to help meet this demand. However, they often lack the critical cross-functional collaboration and team-sport culture that are critical for success.
    • The industry provides little consensus and guidance on how to prepare for the transition to BizDevOps.

    Our Advice

    Critical Insight

    • BizDevOps is cultural, not driven by tools. It is about delivering high-quality and valuable releases to stakeholders through collective ownership, continuous collaboration, and team-first behaviors supported by tools.
    • BizDevOps begins with a strong foundation in five key areas. The crux of successful BizDevOps is centered on the strategic adoption and optimization of building great requirements, collaborative practices, iterative delivery, application management, and high-fidelity environments.
    • Teams take STOCK of what it takes to collaborate effectively. Teams and stakeholders must show up, trust the delivery method and people, orchestrate facilitated activities, clearly communicate and knowledge share every time they collaborate.

    Impact and Result

    • Bring the right people to the table. BizDevOps brings significant organizational, process and technology changes to improve delivery effectiveness. Include the key roles in the definition and validation of your BizDevOps vision and practices.
    • Focus on the areas that matter. Review your current circumstances and incorporate the right practices that addresses your key challenges and blockers to becoming BizDevOps.
    • Build your BizDevOps playbook. Gain a broad understanding of the key plays and practices that makes a successful BizDevOps organization. Verify and validate these practices in order to tailor them to your context. Keep your playbook live.

    Build Your BizDevOps Playbook Research & Tools

    Start here – read the Executive Brief

    Find out why you should implement BizDevOps, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Get started with BizDevOps

    Set the right expectations with your stakeholders and define the context of your BizDevOps implementation.

    • Build Your BizDevOps Playbook – Phase 1: Get Started With BizDevOps
    • BizDevOps Playbook

    2. Tailor your BizDevOps playbook

    Tailor the plays in your BizDevOps playbook to your circumstances and vision.

    • Build Your BizDevOps Playbook – Phase 2: Tailor Your BizDevOps Playbook
    [infographic]

    Workshop: Build Your BizDevOps Playbook

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Set Your Expectations

    The Purpose

    Discuss the goals of your BizDevOps playbook.

    Identify the various perspectives who should be included in the BizDevOps discussion.

    Level set expectations of your BizDevOps implementation.

    Key Benefits Achieved

    Identification of the key roles who should be included in the BizDevOps discussion.

    Learning of key practices to support your BizDevOps vision and goals.

    Your vision of BizDevOps in your organization.

    Activities

    1.1 Define BizDevOps.

    1.2 Understand your key stakeholders.

    1.3 Define your objectives.

    Outputs

    Your BizDevOps definition

    List of BizDevOps stakeholders

    BizDevOps vision and objectives

    2 Set the Context

    The Purpose

    Understand the various methods to initiate the structuring of facilitated collaboration.

    Share a common way of thinking and behaving with a set of principles.

    Focus BizDevOps adoption on key areas of software product delivery.

    Key Benefits Achieved

    A chosen collaboration method (Scrum, Kanban, Scrumban) to facilitate collaboration

    A mutually understanding and beneficial set of guiding principles

    Areas where BizDevOps will see the most benefit

    Activities

    2.1 Select your foundation method.

    2.2 Define your guiding principles.

    2.3 Focus on the areas that matter.

    Outputs

    Chosen collaboration model

    List of guiding principles

    High-level assessment of delivery practices and its fit for BizDevOps

    3 Tailor Your BizDevOps Playbook

    The Purpose

    Review the good practices within Info-Tech’s BizDevOps Playbook.

    Tailor your playbook to reflect your circumstances.

    Key Benefits Achieved

    Understanding of the key plays involved in product delivery

    Product delivery plays that reflect the challenges and opportunities of your organization and support your BizDevOps vision

    Activities

    3.1 Review and tailor the plays in your playbook

    Outputs

    High-level discussion of key product delivery plays and its optimization to support BizDevOps

    Create a Service Management Roadmap

    • Buy Link or Shortcode: {j2store}394|cart{/j2store}
    • member rating overall impact: 8.9/10 Overall Impact
    • member rating average dollars saved: $71,003 Average $ Saved
    • member rating average days saved: 24 Average Days Saved
    • Parent Category Name: Service Management
    • Parent Category Link: /service-management
    • Inconsistent adoption of holistic practices has led to a chaotic service delivery model that results in poor customer satisfaction.
    • There is little structure, formalization, or standardization in the way IT services are designed and managed, leading to diminishing service quality and low business satisfaction.

    Our Advice

    Critical Insight

    • Having effective service management practices in place will allow you to pursue activities, such as innovation, and drive the business forward.
    • Addressing foundational elements like business alignment and management practices will enable you to build effective core practices that deliver business value.
    • Providing consistent leadership support and engagement is essential to allow practitioners to focus on delivering expected outcomes.

    Impact and Result

    • Understand the foundational and core elements that allow you to build a successful service management practice focused on outcomes.
    • Use Info-Tech’s advice and tools to perform an assessment of your organization’s current state, identify the gaps, and create a roadmap for success.
    • Increase business and customer satisfaction by delivering services focused on creating business value.

    Create a Service Management Roadmap Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why many service management maturity projects fail to address foundational and core elements, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Launch the project

    Kick-off the project and complete the project charter.

    • Create a Service Management Roadmap – Phase 1: Launch Project
    • Service Management Roadmap Project Charter

    2. Assess the current state

    Determine the current state for service management practices.

    • Create a Service Management Roadmap – Phase 2: Assess the Current State
    • Service Management Maturity Assessment Tool
    • Organizational Change Management Capability Assessment Tool
    • Service Management Roadmap Presentation Template

    3. Build the roadmap

    Build your roadmap with identified initiatives.

    • Create a Service Management Roadmap – Phase 3: Identify the Target State

    4. Build the communication slide

    Create the communication slide that demonstrates how things will change, both short and long term.

    • Create a Service Management Roadmap – Phase 4: Build the Roadmap
    [infographic]

    Workshop: Create a Service Management Roadmap

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Understand Service Management

    The Purpose

    Understand service management.

    Key Benefits Achieved

    Gain a common understanding of service management, the forces that impact your roadmap, and the Info-Tech Service Management Maturity Model.

    Activities

    1.1 Understand service management.

    1.2 Build a compelling vision and mission.

    Outputs

    Constraints and enablers chart

    Service management vision, mission, and values

    2 Assess the Current State of Service Management

    The Purpose

    Assess the organization’s current service management capabilities.

    Key Benefits Achieved

    Understand attitudes, behaviors, and culture.

    Understand governance and process ownership needs.

    Understand strengths, weaknesses, opportunities, and threats.

    Defined desired state.

    Activities

    2.1 Assess cultural ABCs.

    2.2 Assess governance needs.

    2.3 Perform SWOT analysis.

    2.4 Define desired state.

    Outputs

    Cultural improvements action items

    Governance action items

    SWOT analysis action items

    Defined desired state

    3 Continue Current-State Assessment

    The Purpose

    Assess the organization’s current service management capabilities.

    Key Benefits Achieved

    Understand the current maturity of service management processes.

    Understand organizational change management capabilities.

    Activities

    3.1 Perform service management process maturity assessment.

    3.2 Complete OCM capability assessment.

    3.3 Identify roadmap themes.

    Outputs

    Service management process maturity activities

    OCM action items

    Roadmap themes

    4 Build Roadmap and Communication Tool

    The Purpose

    Use outputs from previous steps to build your roadmap and communication one-pagers.

    Key Benefits Achieved

    Easy-to-understand roadmap one-pager

    Communication one-pager

    Activities

    4.1 Build roadmap one-pager.

    4.2 Build communication one-pager.

    Outputs

    Service management roadmap

    Service management roadmap – Brought to Life communication slide

    Further reading

    Create a Service Management Roadmap

    Implement service management in an order that makes sense.

    ANALYST PERSPECTIVE

    "More than 80% of the larger enterprises we’ve worked with start out wanting to develop advanced service management practices without having the cultural and organizational basics or foundational practices fully in place. Although you wouldn’t think this would be the case in large enterprises, again and again IT leaders are underestimating the importance of cultural and foundational aspects such as governance, management practices, and understanding business value. You must have these fundamentals right before moving on."

    Tony Denford,

    Research Director – CIO

    Info-Tech Research Group

    Our understanding of the problem

    This Research Is Designed For:

    • CIO
    • Senior IT Management

    This Research Will Help You:

    • Create or maintain service management (SM) practices to ensure user-facing services are delivered seamlessly to business users with minimum interruption.
    • Increase the level of reliability and availability of the services provided to the business and improve the relationship and communication between IT and the business.

    This Research Will Also Assist

    • Service Management Process Owners

    This Research Will Help Them:

    • Formalize, standardize, and improve the maturity of service management practices.
    • Identify new service management initiatives to move IT to the next level of service management maturity.

    Executive summary

    Situation

    • Inconsistent adoption of holistic practices has led to a chaotic service delivery model that results in poor customer satisfaction.
    • There is little structure, formalization, or standardization in the way IT services are designed and managed, leading to diminishing service quality and low business satisfaction.

    Complication

    • IT organizations want to be seen as strategic partners, but they fail to address the cultural and organizational constraints.
    • Without alignment with the business goals, services often fail to provide the expected value.
    • Traditional service management approaches are not adaptable for new ways of working.

    Resolution

    • Follow Info-Tech’s methodology to create a service management roadmap that will help guide the optimization of your IT services and improve IT’s value to the business.
    • The blueprint will help you right-size your roadmap to best suit your specific needs and goals and will provide structure, ownership, and direction for service management.
    • This blueprint allows you to accurately identify the current state of service management at your organization. Customize the roadmap and create a plan to achieve your target service management state.

    Info-Tech Insight

    Having effective service management practices in place will allow you to pursue activities such as innovation and drive the business forward. Addressing foundational elements like business alignment and management practices will enable you to build effective core practices that deliver business value. Consistent leadership support and engagement is essential to allow practitioners to focus on delivering expected outcomes.

    Poor service management manifests in many different pains across the organization

    Immaturity in service management will not result in one pain – rather, it will create a chaotic environment for the entire organization, crippling IT’s ability to deliver and perform.

    Low Service Management Maturity

    These are some of the pains that can be attributed to poor service management practices.

    • Frequent service-impacting incidents
    • Low satisfaction with the service desk
    • High % of failed deployments
    • Frequent change-related incidents
    • Frequent recurring incidents
    • Inability to find root cause
    • No communication with the business
    • Frequent capacity-related incidents

    And there are many more…

    Mature service management practices are a necessity, not a nice-to-have

    Immature service management practices are one of the biggest hurdles preventing IT from reaching its true potential.

    In 2004, PwC published a report titled “IT Moves from Cost Center to Business Contributor.” However, the 2014-2015 CSC Global CIO Survey showed that a high percentage of IT is still considered a cost center.

    And low maturity of service management practices is inhibiting activities such as agility, DevOps, digitalization, and innovation.

    A pie chart is shown that is titled: Where does IT sit? The chart has 3 sections. One section represents IT and the business have a collaborative partnership 28%. The next section represents at 33% where IT has a formal client/service provider relationship with the business. The last section has 39% where IT is considered as a cost center.
    Source: CSC Global CIO Survey: 2014-2015 “CIOs Emerge as Disruptive Innovators”

    39%: Resources are primarily focused on managing existing IT workloads and keeping the lights on.

    31%: Too much time and too many resources are used to handle urgent incidents and problems.

    There are many misconceptions about what service management is

    Misconception #1: “Service management is a process”

    Effective service management is a journey that encompasses a series of initiatives that improves the value of services delivered.

    Misconception #2: “Service Management = Service Desk”

    Service desk is the foundation, since it is the main end-user touch point, but service management is a set of people and processes required to deliver business-facing services.

    Misconception #3: “Service management is about the ITSM tool”

    The tool is part of the overall service management program, but the people and processes must be in place before implementing.

    Misconception #4: “Service management development is one big initiative”

    Service management development is a series of initiatives that takes into account an organization’s current state, maturity, capacities, and objectives.

    Misconception #5: “Service management processes can be deployed in any order, assuming good planning and design”

    A successful service management program takes into account the dependencies of processes.

    Misconception #6: “Service management is resolving incidents and deploying changes”

    Service management is about delivering high-value and high-quality services.

    Misconception #7: “Service management is not the key determinant of success”

    As an organization progresses on the service management journey, its ability to deliver high-value and high-quality services increases.

    Misconception #8: “Resolving Incidents = Success”

    Preventing incidents is the name of the game.

    Misconception #9: “Service Management = Good Firefighter”

    Service management is about understanding what’s going on with user-facing services and proactively improving service quality.

    Misconception #10: “Service management is about IT and technical services (e.g. servers, network, database)”

    Service management is about business/user-facing services and the value the services provide to the business.

    Service management projects often don’t succeed because they are focused on process rather than outcomes

    Service management projects tend to focus on implementing process without ensuring foundational elements of culture and management practices are strong enough to support the change.

    1. Aligning your service management goals with your organizational objectives leads to better understanding of the expected outcomes.
    2. Understand your customers and what they value, and design your practices to deliver this value.

    3. IT does not know what order is best when implementing new practices or process improvements.
    4. Don't run before you can walk. Fundamental practices must reach the maturity threshold before developing advanced practices. Implement continuous improvement on your existing processes so they continue to support new practices.

    5. IT does not follow best practices when implementing a practice.
    6. Our best-practice research is based on extensive experience working with clients through advisory calls and workshops.

    Info-Tech can help you create a customized, low-effort, and high-value service management roadmap that will shore up any gaps, prove IT’s value, and achieve business satisfaction.

    Info-Tech’s methodology will help you customize your roadmap so the journey is right for you

    With Info-Tech, you will find out where you are, where you want to go, and how you will get there.

    With our methodology, you can expect the following:

    • Eliminate or reduce rework due to poor execution.
    • Identify dependencies/prerequisites and ensure practices are deployed in the correct order, at the correct time, and by the right people.
    • Engage all necessary resources to design and implement required processes.
    • Assess current maturity and capabilities and design the roadmap with these factors in mind.

    Doing it right the first time around

    You will see these benefits at the end

      ✓ Increase the quality of services IT provides to the business.

      ✓ Increase business satisfaction through higher alignment of IT services.

      ✓ Lower cost to design, implement, and manage services.

      ✓ Better resource utilization, including staff, tools, and budget.

    Focus on a strong foundation to build higher value service management practices

    Info-Tech Insight

    Focus on behaviors and expected outcomes before processes.

    Foundational elements

    • Operating model facilitates service management goals
    • Culture of service delivery
    • Governance discipline to evaluate, direct, and monitor
    • Management discipline to deliver

    Stabilize

    • Deliver stable, reliable IT services to the business
    • Respond to user requests quickly and efficiently
    • Resolve user issues in a timely manner
    • Deploy changes smoothly and successfully

    Proactive

    • Avoid/prevent service disruptions
    • Improve quality of service (performance, availability, reliability)

    Service Provider

    • Understand business needs
    • Ensure services are available
    • Measure service performance, based on business-oriented metrics

    Strategic Partner

    • Fully aligned with business
    • Drive innovation
    • Drive measurable value

    Info-Tech Insight

    Continued leadership support of the foundational elements will allow delivery teams to provide value to the business. Set the expectation of the desired maturity level and allow teams to innovate.

    Follow our model and get to your target state

    A model is depicted that shows the various target states. There are 6 levels showing in the example, and the example is made to look like a tree with a character watering it. In the roots, the level is labelled foundational. The trunk is labelled the core. The lowest hanging branches of the tree is the stabilize section. Above it is the proactive section. Nearing the top of the tree is the service provider. The canopy of the tree are labelled strategic partner.

    Before moving to advanced service management practices, you must ensure that the foundational and core elements are robust enough to support them. Leadership must nurture these practices to ensure they are sustainable and can support higher value, more mature practices.

    Each step along the way, Info-Tech has the tools to help you

    Phase 1: Launch the Project

    Assemble a team with the right talent and vision to increase the chances of project success.

    Phase 2: Assess Current State

    Understand where you are currently on the service management journey using the maturity assessment tool.

    Phase 3: Build Roadmap

    Based on the assessments, build a roadmap to address areas for improvement.

    Phase 4: Build Communication slide

    Based on the roadmap, define the current state, short- and long-term visions for each major improvement area.

    Info-Tech Deliverables:

    • Project Charter
    • Assessment Tools
    • Roadmap Template
    • Communication Template

    CIO call to action

    Improving the maturity of the organization’s service management practice is a big commitment, and the project can only succeed with active support from senior leadership.

    Ideally, the CIO should be the project sponsor, even the project leader. At a minimum, the CIO needs to perform the following activities:

    1. Walk the talk – demonstrate personal commitment to the project and communicate the benefits of the service management journey to IT and the steering committee.
    2. Improving or adopting any new practice is difficult, especially for a project of this size. Thus, the CIO needs to show visible support for this project through internal communication and dedicated resources to help complete this project.

    3. Select a senior, capable, and results-driven project leader.
    4. Most likely, the implementation of this project will be lengthy and technical in some nature. Therefore, the project leader must have a good understanding of the current IT structure, senior standing within the organization, and the relationship and power in place to propel people into action.

    5. Help to define the target future state of IT’s service management.
    6. Determine a realistic target state for the organization based on current capability and resource/budget restraints.

    7. Conduct periodic follow-up meetings to keep track of progress.
    8. Reinforce or re-emphasize the importance of this project to the organization through various communication channels if needed.

    Stabilizing your environment is a must before establishing any more-mature processes

    CASE STUDY

    Industry: Manufacturing

    Source: Engagement

    Challenge

    • The business landscape was rapidly changing for this manufacturer and they wanted to leverage potential cost savings from cloud-first initiatives and consolidate multiple, self-run service delivery teams that were geographically dispersed.

    Solution

    Original Plan

    • Consolidate multiple service delivery teams worldwide and implement service portfolio management.

    Revised Plan with Service Management Roadmap:

    • Markets around the world had very different needs and there was little understanding of what customers value.
    • There was also no understanding of what services were currently being offered within each geography.

    Results

    • Plan was adjusted to understand customer value and services offered.
    • Services were then stabilized and standardized before consolidation.
    • Team also focused on problem maturity and drove a continuous improvement culture and increasing transparency.

    MORAL OF THE STORY:

    Understanding the value of each service allowed the organization to focus effort on high-return activities rather than continuous fire fighting.

    Understand the processes involved in the proactive phase

    CASE STUDY

    Industry: Manufacturing

    Source: Engagement

    Challenge

    • Services were fairly stable, but there were significant recurring issues for certain services.
    • The business was not satisfied with the service quality for certain services, due to periodic availability and reliability issues.
    • Customer feedback for the service desk was generally good.

    Solution

    Original Plan

    • Review all service desk and incident management processes to ensure that service issues were handled in an effective manner.

    Revised Plan with Service Management Roadmap:

    • Design and deploy a rigorous problem management process to determine the root cause of recurring issues.
    • Monitor key services for events that may lead to a service outage.

    Results

    • Root cause of recurring issues was determined and fixes were deployed to resolve the underlying cause of the issues.
    • Service quality improved dramatically, resulting in high customer satisfaction.

    MORAL OF THE STORY:

    Make sure that you understand which processes need to be reviewed in order to determine the cause for service instability. Focusing on the proactive processes was the right answer for this company.

    Have the right culture and structure in place before you become a service provider

    CASE STUDY

    Industry: Healthcare

    Source:Journal of American Medical Informatics Association

    Challenge

    • The IT organization wanted to build a service catalog to demonstrate the value of IT to the business.
    • IT was organized in technology silos and focused on applications, not business services.
    • IT services were not aligned with business activities.
    • Relationships with the business were not well established.

    Solution

    Original Plan

    • Create and publish a service catalog.

    Revised Plan: with Service Management Roadmap:

    • Establish relationships with key stakeholders in the business units.
    • Understand how business activities interface with IT services.
    • Lay the groundwork for the service catalog by defining services from the business perspective.

    Results

    • Strong relationships with the business units.
    • Deep understanding of how business activities map to IT services.
    • Service definitions that reflect how the business uses IT services.

    MORAL OF THE STORY:

    Before you build and publish a service catalog, make sure that you understand how the business is using the IT services that you provide.

    Calculate the benefits of using Info-Tech’s methodology

    To measure the value of developing your roadmap using the Info-Tech tools and methodology, you must calculate the effort saved by not having to develop the methods.

    A. How much time will it take to develop an industry-best roadmap using Info-Tech methodology and tools?

    Using Info-Tech’s tools and methodology you can accurately estimate the effort to develop a roadmap using industry-leading research into best practice.

    B. What would be the effort to develop the insight, assess your team, and develop the roadmap?

    This metric represents the time your team would take to be able to effectively assess themselves and develop a roadmap that will lead to service management excellence.

    C. Cost & time saving through Info-Tech’s methodology

    Measured Value

    Step 1: Assess current state

    Cost to assess current state:

    • 5 Directors + 10 Managers x 10 hours at $X an hour = $A

    Step 2: Build the roadmap

    Cost to create service management roadmap:

    • 5 Directors + 10 Managers x 8 hours at $X an hour = $B

    Step 3: Develop the communication slide

    Cost to create roadmaps for phases:

    • 5 Directors + 10 Managers x 6 hours at $X an hour = $C

    Potential financial savings from using Info-Tech resources:

    Estimated cost to do “B” – (Step 1 ($A) + Step 2 ($B) + Step 3 ($C)) = $Total Saving

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    "Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful."

    Guided Implementation

    "Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keeps us on track."

    Workshop

    "We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place."

    Consulting

    "Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project."

    Diagnostics and consistent frameworks are used throughout all four options.

    Create a Service Management Roadmap – project overview


    Launch the project

    Assess the current state

    Build the roadmap

    Build communication slide

    Best-Practice Toolkit

    1.1 Create a powerful, succinct mission statement

    1.2 Assemble a project team with representatives from all major IT teams

    1.3 Determine project stakeholders and create a communication plan

    1.4 Establish metrics to track the success of the project

    2.1 Assess impacting forces

    2.2 Build service management vision, mission, and values

    2.3 Assess attitudes, behaviors, and culture

    2.4 Assess governance

    2.5 Perform SWOT analysis

    2.6 Identify desired state

    2.7 Assess SM maturity

    2.8 Assess OCM capabilities

    3.1 Document overall themes

    3.2 List individual initiatives

    4.1 Document current state

    4.2 List future vision

    Guided Implementations

    • Kick-off the project
    • Build the project team
    • Complete the charter
    • Understand current state
    • Determine target state
    • Build the roadmap based on current and target state
    • Build short- and long-term visions and initiative list

    Onsite Workshop

    Module 1: Launch the project

    Module 2: Assess current service management maturity

    Module 3: Complete the roadmap

    Module 4: Complete the communication slide

    Workshop overview

    Contact your account representative or email Workshops@InfoTech.com for more information

    Workshop Day 1

    Workshop Day 2

    Workshop Day 3

    Workshop Day 4

    Activities

    Understand Service Management

    1.1 Understand the concepts and benefits of service management.

    1.2 Understand the changing impacting forces that affect your ability to deliver services.

    1.3 Build a compelling vision and mission for your service management program.

    Assess the Current State of Your Service Management Practice

    2.1 Understand attitudes, behaviors, and culture.

    2.2 Assess governance and process ownership needs.

    2.3 Perform SWOT analysis.

    2.4 Define the desired state.

    Complete Current-State Assessment

    3.1 Conduct service management process maturity assessment.

    3.2 Identify organizational change management capabilities.

    3.3 Identify themes for roadmap.

    Build Roadmap and Communication Tool

    4.1 Build roadmap one-pager.

    4.2 Build roadmap communication one-pager.

    Deliverables

    1. Constraints and enablers chart
    2. Service management vision, mission, and values
    1. Action items for cultural improvements
    2. Action items for governance
    3. Identified improvements from SWOT
    4. Defined desired state
    1. Service Management Process Maturity Assessment
    2. Organizational Change Management Assessment
    1. Service management roadmap
    2. Roadmap Communication Tool in the Service Management Roadmap Presentation Template

    PHASE 1

    Launch the Project

    Launch the project

    This step will walk you through the following activities:

    • Create a powerful, succinct mission statement based on your organization’s goals and objectives.
    • Assemble a project team with representatives from all major IT teams.
    • Determine project stakeholders and create a plan to convey the benefits of this project.
    • Establish metrics to track the success of the project.

    Step Insights

    • The project leader should have a strong relationship with IT and business leaders to maximize the benefit of each initiative in the service management journey.
    • The service management roadmap initiative will touch almost every part of the organization; therefore, it is important to have representation from all impacted stakeholders.
    • The communication slide needs to include the organizational change impact of the roadmap initiatives.

    Phase 1 outline

    Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

    Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

    Guided Implementation 1: Launch the Project

    Step 1.1 – Kick-off the Project

    Start with an analyst kick-off call:

    • Identify current organization pain points relating to poor service management practices
    • Determine high-level objectives
    • Create a mission statement

    Then complete these activities…

    • Identify potential team members who could actively contribute to the project
    • Identify stakeholders who have a vested interest in the completion of this project

    With these tools & templates:

    • Service Management Roadmap Project Charter

    Step 1.2 – Complete the Charter

    Review findings with analyst:

    • Create the project team; ensure all major IT teams are represented
    • Review stakeholder list and identify communication messages

    Then complete these activities…

    • Establish metrics to complete project planning
    • Complete the project charter

    With these tools & templates:

    • Service Management Roadmap Project Charter

    Use Info-Tech’s project charter to begin your initiative

    1.1 Service Management Roadmap Project Charter

    The Service Management Roadmap Project Charter is used to govern the initiative throughout the project. It provides the foundation for project communication and monitoring.

    The template has been pre-populated with sample information appropriate for this project. Please review this sample text and change, add, or delete information as required.

    The charter includes the following sections:

    • Mission Statement
    • Goals & Objectives
    • Project Team
    • Project Stakeholders
    • Current State (from phases 2 & 3)
    • Target State (from phases 2 & 3)
    • Target State
    • Metrics
    • Sponsorship Signature
    A screenshot of Info-Tech's Service Management Roadmap Project Charter is shown.

    Use Info-Tech’s ready-to-use deliverable to customize your mission statement

    Adapt and personalize Info-Tech’s Service Management Roadmap Mission Statement and Goals & Objectives below to suit your organization’s needs.

    Goals & Objectives

    • Create a plan for implementing service management initiatives that align with the overall goals/objectives for service management.
    • Identify service management initiatives that must be implemented/improved in the short term before deploying more advanced initiatives.
    • Determine the target state for each initiative based on current maturity and level of investment available.
    • Identify service management initiatives and understand dependencies, prerequisites, and level of effort required to implement.
    • Determine the sequence in which initiatives should be deployed.
    • Create a detailed rollout plan that specifies initiatives, time frames, and owners.
    • Engage the right teams and obtain their commitment throughout both the planning and assessment of roadmap initiatives.
    • both the planning and assessment of roadmap initiatives. Obtain support for the completed roadmap from executive stakeholders.

    Example Mission Statement

    To help [Organization Name] develop a set of service management practices that will better address the overarching goals of the IT department.

    To create a roadmap that sequences initiatives in a way that incorporates best practices and takes into consideration dependencies and prerequisites between service management practices.

    To garner support from the right people and obtain executive buy-in for the roadmap.

    Create a well-balanced project team

    The project leader should be a member of your IT department’s senior executive team with goals and objectives that will be impacted by service management implementation. The project leader should possess the following characteristics:

    Leader

    • Influence and impact
    • Comprehensive knowledge of IT and the organization
    • Relationship with senior IT management
    • Ability to get things done

    Team Members

    Identify

    The project team members are the IT managers and directors whose day-to-day lives will be impacted by the service management roadmap and its implementation. The service management initiative will touch almost every IT staff member in the organization; therefore, it is important to have representatives from every single group, including those that are not mentioned. Some examples of individuals you should consider for your team:

    • Service Delivery Managers
    • Director/Manager of Applications
    • Director/Manager of Infrastructure
    • Director/Manager of Service Desk
    • Business Relationship Managers
    • Project Management Office

    Engage & Communicate

    You want to engage your project participants in the planning process as much as possible. They should be involved in the current-state assessment, the establishment of goals and objectives, and the development of your target state.

    To sell this project, identify and articulate how this project and/or process will improve the quality of their job. For example, a formal incident management process will benefit people working at the service desk or on the applications or infrastructure teams. Helping them understand the gains will help to secure their support throughout the long implementation process by giving them a sense of ownership.

    The project stakeholders should also be project team members

    When managing stakeholders, it is important to help them understand their stake in the project as well as their own personal gain that will come out of this project.

    For many of the stakeholders, they also play a critical role in the development of this project.

    Role & Benefits

    • CIO
    • The CIO should be actively involved in the planning stage to help determine current and target stage.

      The CIO also needs to promote and sell the project to the IT team so they can understand that higher maturity of service management practices will allow IT to be seen as a partner to the business, giving IT a seat at the table during decision making.

    • Service Delivery Managers/Process Owners
    • Service Delivery Managers are directly responsible for the quality and value of services provided to the business owners. Thus, the Service Delivery Managers have a very high stake in the project and should be considered for the role of project leader.

      Service Delivery Managers need to work closely with the process owners of each service management process to ensure clear objectives are established and there is a common understanding of what needs to be achieved.

    • IT Steering Committee
    • The Committee should be informed and periodically updated about the progress of the project.

    • Manager/Director – Service Desk
    • The Manager of the Service Desk should participate closely in the development of fundamental service management processes, such as service desk, incident management, and problem management.

      Having a more established process in place will create structure, governance, and reduce service desk staff headaches so they can handle requests or incidents more efficiently.

    • Manager/Director –Applications & Infrastructure
    • The Manager of Applications and Infrastructure should be heavily relied on for their knowledge of how technology ties into the organization. They should be consulted regularly for each of the processes.

      This project will also benefit them directly, such as improving the process to deploy a fix into the environment or manage the capacity of the infrastructure.

    • Business Relationship Manager
    • As the IT organization moves up the maturity ladder, the Business Relationship Manager will play a fundamental role in the more advanced processes, such as business relationship management, demand management, and portfolio management.

      This project will be an great opportunity for the Business Relationship Manager to demonstrate their value and their knowledge of how to align IT objectives with business vision.

    Ensure you get the entire IT organization on board for the project with a well-practiced change message

    Getting the IT team on board will greatly maximize the project’s chance of success.

    One of the top challenges for organizations embarking on a service management journey is to manage the magnitude of the project. To ensure the message is not lost, communicate this roadmap in two steps.

    1. Communicate the roadmap initiative

    The most important message to send to the IT organization is that this project will benefit them directly. Articulate the pains that IT is currently experiencing and explain that through more mature service management, these pains can be greatly reduced and IT can start to earn a place at the table with the business.

    2. Communicate the implementation of each process separately

    The communication of process implementation should be done separately and at the beginning of each implementation. This is to ensure that IT staff do not feel overwhelmed or overloaded. It also helps to keep the project more manageable for the project team.

    Continuously monitor feedback and address concerns throughout the entire process

    • Host lunch and learns to provide updates on the service management initiative to the entire IT team.
    • Understand if there are any major roadblocks and facilitate discussions on how to overcome them.

    Articulate the service management initiative to the IT organization

    Spread the word and bring attention to your change message through effective mediums and organizational changes.

    Key aspects of a communication plan

    The methods of communication (e.g. newsletters, email broadcast, news of the day, automated messages) notify users of implementation.

    In addition, it is important to know who will deliver the message (delivery strategy). You need IT executives to deliver the message – work hard on obtaining their support as they are the ones communicating to their staff and should be your project champions.

    Anticipate organizational changes

    The implementation of the service management roadmap will most likely lead to organizational changes in terms of structure, roles, and responsibilities. Therefore, the team should be prepared to communicate the value that these changes will bring.

    Communicating Change

    • What is the change?
    • Why are we doing it?
    • How are we going to go about it?
    • What are we trying to achieve?
    • How often will we be updated?

    The Qualities of Leadership: Leading Change

    Create a project communication plan for your stakeholders

    This project cannot be successfully completed without the support of senior IT management.

    1. After the CIO has introduced this project through management meetings or informal conversation, find out how each IT leader feels about this project. You need to make sure the directors and managers of each IT team, especially the directors of application and infrastructure, are on board.
    2. After the meeting, the project leader should seek out the major stakeholders (particularly the heads of applications and infrastructure) and validate their level of support through formal or informal meetings. Create a list documenting the major stakeholders, their level of support, and how the project team will work to gain their approval.
    3. For each identified stakeholder, create a custom communication plan based on their role. For example, if the director of infrastructure is not a supporter, demonstrate how this project will enable them to better understand how to improve service quality. Provide periodic reporting or meetings to update the director on project progress.

    INPUT

    • A collaborative discussion between team members

    OUTPUT

    • Thorough briefing for project launch
    • A committed team

    Materials

    • Communication message and plan
    • Metric tracking

    Participants

    • Project leader
    • Core project team

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech workshop

    Book a workshop with our Info-Tech analysts:

    Photo of an Info-Tech analyst is shown.
    • To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
    • Info-Tech analysts will join you and your team onsite at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.
    • Contact your account manager (www.infotech.com/account), or email Workshops@InfoTech.com for more information.

    The following are sample activities that will be conducted by Info-Tech analysts with your team:

    1.1

    A screenshot of activity 1.1 is shown.

    Create a powerful, succinct mission statement

    Using Info-Tech’s sample mission statement as a guide, build your mission statement based on the objectives of this project and the benefits that this project will achieve. Keep the mission statement short and clear.

    1.2

    A screenshot of activity 1.2 is shown.

    Assemble the project team

    Create a project team with representatives from all major IT teams. Engage and communicate to the project team early and proactively.

    1.3

    A screenshot of activity 1.3 is shown.

    Identify project stakeholders and create a communication plan

    Info-Tech will help you identify key stakeholders who have a vested interest in the success of the project. Determine the communication message that will best gain their support.

    1.4

    A screenshot of activity 1.4 is shown.

    Use metrics to track the success of the project

    The onsite analyst will help the project team determine the appropriate metrics to measure the success of this project.

    PHASE 2

    Assess Your Current Service Management State

    Assess your current state

    This step will walk you through the following activities:

    • Use Info-Tech’s Service Management Maturity Assessment Tool to determine your overall practice maturity level.
    • Understand your level of completeness for each individual practice.
    • Understand the three major phases involved in the service management journey; know the symptoms of each phase and how they affect your target state selection.

    Step Insights

    • To determine the real maturity of your service management practices, you should focus on the results and output of the practice, rather than the activities performed for each process.
    • Focus on phase-level maturity as opposed to the level of completeness for each individual process.

    Phase 2 outline

    Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

    Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

    Guided Implementation 2: Determine Your Service Management Current State

    Step 2.1 – Assess Impacting Forces

    Start with an analyst kick-off call:

    • Discuss the impacting forces that can affect the success of your service management program
    • Identify internal and external constraints and enablers
    • Review and interpret how to leverage or mitigate these elements

    Then complete these activities…

    • Present the findings of the organizational context
    • Facilitate a discussion and create consensus amongst the project team members on where the organization should start

    With these tools & templates:

    Service Management Roadmap Presentation Template

    Step 2.2 – Build Vision, Mission, and Values

    Review findings with analyst:

    • Review your service management vision and mission statement and discuss the values

    Then complete these activities…

    • Socialize the vision, mission, and values to ensure they are aligned with overall organizational vision. Then, set the expectations for behavior aligned with the vision, mission, and values

    With these tools & templates:

    Service Management Roadmap Presentation Template

    Step 2.3 – Assess Attitudes, Behaviors, and Culture

    Review findings with analyst:

    • Discuss tactics for addressing negative attitudes, behaviors, or culture identified

    Then complete these activities…

    • Add items to be addressed to roadmap

    With these tools & templates:

    Service Management Roadmap Presentation Template

    Step 2.4 – Assess Governance Needs

    Review findings with analyst:

    • Understand the typical types of governance structure and the differences between management and governance
    • Choose the management structure required for your organization

    Then complete these activities…

    • Determine actions required to establish an effective governance structure and add items to be addressed to roadmap

    With these tools & templates:

    Service Management Roadmap Presentation Template

    Step 2.5 – Perform SWOT Analysis

    Review findings with analyst:

    • Discuss SWOT analysis results and tactics for addressing within the roadmap

    Then complete these activities…

    • Add items to be addressed to roadmap

    With these tools & templates:

    Service Management Roadmap Presentation Template

    Step 2.6 – Identify Desired State

    Review findings with analyst:

    • Discuss desired state and commitment needed to achieve aspects of the desired state

    Then complete these activities…

    • Use the desired state to critically assess the current state of your service management practices and whether they are achieving the desired outcomes
    • Prep for the SM maturity assessment

    With these tools & templates:

    Service Management Roadmap Presentation Template

    Step 2.7 – Perform SM Maturity Assessment

    Review findings with analyst:

    • Review and interpret the output from your service management maturity assessment

    Then complete these activities…

    • Add items to be addressed to roadmap

    With these tools & templates:

    Service Management Roadmap Presentation Template

    Service Management Maturity Assessment

    Step 2.8 – Review OCM Capabilities

    Review findings with analyst:

    • Review and interpret the output from your organizational change management maturity assessment

    Then complete these activities…

    • Add items to be addressed to roadmap

    With these tools & templates:

    Service Management Roadmap Presentation Template

    Organizational Change Management Assessment

    Understand and assess impacting forces – constraints and enablers

    Constraints and enablers are organizational and behavioral triggers that directly impact your ability and approach to establishing Service Management practices.

    A model is shown to demonstrate the possibe constraints and enablers on your service management program. It incorporates available resources, the environment, management practices, and available technologies.

    Effective service management requires a mix of different approaches and practices that best fit your organization. There’s not a one-size-fits-all solution. Consider the resources, environment, emerging technologies, and management practices facing your organization. What items can you leverage or use to mitigate to move your service management program forward?

    Use Info-Tech’s “Organizational Context” template to list the constraints and enablers affecting your service management

    The Service Management Roadmap Presentation Template will help you understand the business environment you need to consider as you build out your roadmap.

    Discuss and document constraints and enablers related to the business environment, available resources, management practices, and emerging technologies. Any constraints will need to be addressed within your roadmap and enablers should be leveraged to maximize your results.


    Screenshot of Info-Tech's Service Management Roadmap Presentation Template is shown.

    Document constraints and enablers

    1. Discuss and document the constrains and enablers for each aspect of the management mesh: environment, resources, management practices, or technology.
    2. Use this as a thought provoker in later exercises.

    INPUT

    • A collaborative discussion

    OUTPUT

    • Organizational context constraints and enablers

    Materials

    • Whiteboards or flip charts

    Participants

    • All stakeholders

    Build compelling vision and mission statements to set the direction of your service management program

    While you are articulating the vision and mission, think about the values you want the team to display. Being explicit can be a powerful tool to create alignment.

    A vision statement describes the intended state of your service management organization, expressed in the present tense.

    A mission statement describes why your service management organization exists.

    Your organizational values state how you will deliver services.

    Use Info-Tech’s “Vision, Mission, and Values” template to set the aspiration & purpose of your service management practice

    The Service Management Roadmap Presentation Template will help you document your vision for service management, the purpose of the program, and the values you want to see demonstrated.

    If the team cannot gain agreement on their reason for being, it will be difficult to make traction on the roadmap items. A concise and compelling statement can set the direction for desired behavior and help team members align with the vision when trying to make ground-level decisions. It can also be used to hold each other accountable when undesirable behavior emerges. It should be revised from time to time, when the environment changes, but a well-written statement should stand the test of time.

    A screenshot of the Service Management Roadmap Presentation Temaplate is shown. Specifically it is showing the section on the vision, mission, and values results.

    Document your organization’s vision, mission , and values

    1. Vision: Identify your desired target state, consider the details of that target state, and create a vision statement.
    2. Mission: Consider the fundamental purpose of your SM program and craft a statement of purpose.
    3. Values: As you work through the vision and mission, identify values that your organization prides itself in or has the aspiration for.
    4. Discuss common themes and then develop a concise vision statement and mission statement that incorporates the group’s ideas.

    INPUT

    • A collaborative discussion

    OUTPUT

    • Vision statement
    • Mission statement
    • Organizational values

    Materials

    • Whiteboards or flip charts
    • Sample vision and mission statements

    Participants

    • All stakeholders
    • Senior leadership

    Understanding attitude, behavior, and culture

    Attitude

    • What people think and feel. It can be seen in their demeanor and how they react to change initiatives, colleagues, and users.

    Any form of organizational change involves adjusting people’s attitudes, creating buy-in and commitment. You need to identify and address attitudes that can lead to negative behaviors and actions or that are counter-productive. It must be made visible and related to your desired behavior.

    Behaviour

    • What people do. This is influenced by attitude and the culture of the organization.

    To implement change within IT, especially at a tactical level, both IT and organizational behavior needs to change. This is relevant because people don’t like to change and will resist in an active or passive way unless you can sell the need, value, and benefit of changing their behavior.

    Culture

    • The accepted and understood ways of working in an organization. The values and standards that people find normal and what would be tacitly identified to new resources.

    The organizational or corporate “attitude,” the impact on employee behavior and attitude is often not fully understood. Culture is an invisible element, which makes it difficult to identify, but it has a strong impact and must be addressed to successfully embed any organizational change or strategy.

    Culture is a critical and under-addressed success factor

    43% of CIOs cited resistance to change as the top impediment to a successful digital strategy.

    CIO.com

    75% of organizations cannot identify or articulate their culture or its impact.

    Info-Tech

    “Shortcomings in organizational culture are one of the main barriers to company success in the digital age.”

    McKinsey – “Culture for a digital age”

    Examples of how they apply

    Attitude

    • “I’ll believe that when I see it”
    • Positive outlook on new ideas and changes

    Behaviour

    • Saying you’ll follow a new process but not doing so
    • Choosing not to document a resolution approach or updating a knowledge article, despite being asked

    Culture

    • Hero culture (knowledge is power)
    • Blame culture (finger pointing)
    • Collaborative culture (people rally and work together)

    Why have we failed to address attitude, behavior, and culture?

      ✓ While there is attention and better understanding of these areas, very little effort is made to actually solve these challenges.

      ✓ The impact is not well understood.

      ✓ The lack of tangible and visible factors makes it difficult to identify.

      ✓ There is a lack of proper guidance, leadership skills, and governance to address these in the right places.

      ✓ Addressing these issues has to be done proactively, with intent, rigor, and discipline, in order to be successful.

      ✓ We ignore it (head in the sand and hoping it will fix itself).

    Avoidance has been a common strategy for addressing behavior and culture in organizations.

    Use Info-Tech’s “Culture and Environment” template to identify cultural constraints that should be addressed in roadmap

    The Service Management Roadmap Presentation Template will help you document attitude, behavior, and culture constraints.

    Discuss as a team attitudes, behaviors, and cultural aspects that can either hinder or be leveraged to support your vision for the service management program. Capture all items that need to be addressed in the roadmap.

    A screenshot of the Service Management Roadmap Presentation Template is shown. Specifically showing the culture and environment slide.

    Document your organization’s attitudes, behaviors, and culture

    1. Discuss and document positive and negative aspects of attitude, behavior, or culture within your organization.
    2. Identify the items that need to be addressed as part of your roadmap.

    INPUT

    • A collaborative discussion

    OUTPUT

    • Culture and environment worksheet

    Materials

    • Whiteboards or flip charts

    Participants

    • All stakeholders

    The relationship to governance

    Attitude, behavior, and culture are still underestimated as core success factors in governance and management.

    Behavior is a key enabler of good governance. Leading by example and modeling behavior has a cascading impact on shifting culture, reinforcing the importance of change through adherence.

    Executive leadership and governing bodies must lead and support cultural change.

    Key Points

    • Less than 25% of organizations have formal IT governance in place (ITSM Tools).
    • Governance tends to focus on risk and compliance (controls), but forgets the impact of value and performance.

    Lack of oversight often limits the value of service management implementations

    Organizations often fail to move beyond risk mitigation, losing focus of the goals of their service management practices and the capabilities required to produce value.

    Risk Mitigation

    • Stabilize IT
    • Service Desk
    • Incident Management
    • Change Management

    Gap

    • Organizational alignment through governance
    • Disciplined focus on goals of SM

    Value Production

    • Value that meets business and consumer needs

    This creates a situation where service management activities and roadmaps focus on adjusting and tweaking process areas that no longer support how the organization needs to work.

    How does establishing governance for service management provide value?

    Governance of service management is a gap in most organizations, which leads to much of the failure and lack of value from service management processes and activities.

    Once in place, effective governance enables success for organizations by:

    1. Ensuring service management processes improve business value
    2. Measuring and confirming the value of the service management investment
    3. Driving a focus on outcome and impact instead of simply process adherence
    4. Looking at the integrated impact of service management in order to ensure focused prioritization of work
    5. Driving customer-experience focus within organizations
    6. Ensuring quality is achieved and addressing quality impacts and dependencies between processes

    Four common service management process ownership models

    Your ownership structure largely defines how processes will need to be implemented, maintained, and improved. It has a strong impact on their ability to integrate and how other teams perceive their involvement.

    An organizational structure is shown. In the image is an arrow, with the tip facing in the right direction. The left side of the arrow is labelled: Traditional, and the right side is labelled: Complex. The four models are noted along the arrow. Starting on the left side and going to the right are: Distributed Process Ownership, Centralized Process Ownership, Federated Process Ownership, and Service Management Office.

    Most organizations are somewhere within this spectrum of four core ownership models, usually having some combination of shared traits between the two models that are closest to them on the scale.

    Info-Tech Insight

    The organizational structure that is best for you depends on your needs, and one is not necessarily better than another. The next four slides describe when each ownership level is most appropriate.

    Distributed process ownership

    Distributed process ownership is usually evident when organizations initially establish their service management practices. The processes are assigned to a specific group, who assumes some level of ownership over its execution.

    The distributed process ownership model is shown. CIO is listed at the top with four branches leading out from below it. The four branches are labelled: Service Desk, Operations, Applications, and Security.

    Info-Tech Insight

    This model is often a suitable approach for initial implementations or where it may be difficult to move out of siloes within the organization’s structure or culture.

    Centralized process ownership

    Centralized process ownership usually becomes necessary for organizations as they move into a more functional structure. It starts to drive management of processes horizontally across the organization while still retaining functional management control.

    A centralized process ownership model is shown. The CIO is at the top and the following are branches below it: Service Manager, Support, Middleware, Development, and Infrastructure.

    Info-Tech Insight

    This model is often suitable for maturing organizations that are starting to look at process integration and shared service outcomes and accountability.

    Federated process ownership

    Federated process ownership allows for global control and regional variation, and it supports product orientation and Agile/DevOps principles

    A federated process ownership model is shown. The Sponsor/CIO is at the top, with the ITSM Executive below it. Below that level is the: Process Owner, Process Manager, and Process Manager.

    Info-Tech Insight

    Federated process ownership is usually evident in organizations that have an international or multi-regional presence.

    Service management office (SMO)

    SMO structures tend to occur in highly mature organizations, where service management responsibility is seen as an enterprise accountability.

    A service management office model is shown. The CIO is at the top with the following branches below it: SMO, End-User Services, Infra., Apps., and Architecture.

    Info-Tech Insight

    SMOs are suitable for organizations with a defined IT and organizational strategy. A SMO supports integration with other enterprise practices like enterprise architecture and the PMO.

    Determine which process ownership and governance model works best for your organization

    The Service Management Roadmap Presentation Template will help you document process ownership and governance model

    Example:

    Key Goals:

      ☐ Own accountability for changes to core processes

      ☐ Understand systemic nature and dependencies related to processes and services

      ☐ Approve and prioritize improvement and CSI initiatives related to processes and services

      ☐ Evaluate success of initiative outcomes based on defined benefits and expectations

      ☐ Own Service Management and Governance processes and policies

      ☐ Report into ITSM executive or equivalent body

    Membership:

      ☐ Process Owners, SM Owner, Tool Owner/Liaison, Audit

    Discuss as a team which process ownership model works for your organization. Determine who will govern the service management practice. Determine items that should be identified in your roadmap to address governance and process ownership gaps.

    Use Info-Tech’s “SWOT” template to identify strengths, weaknesses, opportunities & threats that should be addressed

    The Service Management Roadmap Presentation Template will help you document items from your SWOT analysis.

    A screenshot of the Service Management Roadmap Presentation Template is shown. Specifically the SWOT section is shown.

    Brainstorm the strengths, weaknesses, opportunities, and threats related to resources, environment, technology, and management practices. Add items that need to be addressed to your roadmap.

    Perform a SWOT analysis

    1. Brainstorm each aspect of the SWOT with an emphasis on:
    • Resources
    • Environment
    • Technologies
    • Management Practices
  • Record your ideas on a flip chart or whiteboard.
  • Add items to be addressed to the roadmap.
  • INPUT

    • A collaborative discussion

    OUTPUT

    • SWOT analysis
    • Priority items identified

    Materials

    • Whiteboards or flip charts

    Participants

    • All stakeholders

    Indicate desired maturity level for your service management program to be successful

    Discuss the various maturity levels and choose a desired level that would meet business needs.

    The desired maturity model is depicted.

    INPUT

    • A collaborative discussion

    OUTPUT

    • Desired state of service management maturity

    Materials

    • None

    Participants

    • All stakeholders

    Use Info-Tech’s Service Management Process Maturity Assessment Tool to understand your current state

    The Service Management Process Maturity Assessment Tool will help you understand the true state of your service management.

    A screenshot of Info-Tech's Service Management Process Assessment Tool is shown.

    Part 1, Part 2, and Part 3 tabs

    These three worksheets contain questions that will determine the overall maturity of your service management processes. There are multiple sections of questions focused on different processes. It is very important that you start from Part 1 and continue the questions sequentially.

    Results tab

    The Results tab will display the current state of your service management processes as well as the percentage of completion for each individual process.

    Complete the service management process maturity assessment

    The current-state assessment will be the foundation of building your roadmap, so pay close attention to the questions and answer them truthfully.

    1. Start with tab 1 in the Service Management Process Maturity Assessment Tool. Remember to read the questions carefully and always use the feedback obtained through the end-user survey to help you determine the answer.
    2. In the “Degree of Process Completeness” column, use the drop-down menu to input the results solicited from the goals and objectives meeting you held with your project participants.
    3. A screenshot of Info-Tech's Service Management Process Assessment Tool is shown. Tab 1 is shown.
    4. Host a meeting with all participants following completion of the survey and have them bring their results. Discuss in a round-table setting, keeping a master sheet of agreed upon results.

    INPUT

    • Service Management Process Maturity Assessment Tool questions

    OUTPUT

    • Determination of current state

    Materials

    • Service Management Process Maturity Assessment Tool

    Participants

    • Project team members

    Review the results of your current-state assessment

    At the end of the assessment, the Results tab will have action items you could perform to close the gaps identified by the process assessment tool.

    A screenshot of Info-Tech's Service Management Process Maturity Assessment Results is shown.

    INPUT

    • Maturity assessment results

    OUTPUT

    • Determination of overall and individual practice maturity

    Materials

    • Service Management Maturity Assessment Tool

    Participants

    • Project team members

    Use Info-Tech’s OCM Capability Assessment tool to understand your current state

    The Organizational Change Management Capabilities Assessment tool will help you understand the true state of your organizational change management capabilities.

    A screenshot of Info-Tech's Organizational Change Management Capabilities Assessment

    Complete the Capabilities tab to capture the current state for organizational change management. Review the Results tab for interpretation of the capabilities. Review the Recommendations tab for actions to address low areas of maturity.

    Complete the OCM capability assessment

    1. Open Organizational Change Management Capabilities Assessment tool.
    2. Come to consensus on the most appropriate answer for each question. Use the 80/20 rule.
    3. Review result charts and discuss findings.
    4. Identify roadmap items based on maturity assessment.

    INPUT

    • A collaborative discussion

    OUTPUT

    • OCM Assessment tool
    • OCM assessment results

    Materials

    • OCM Capabilities Assessment tool

    Participants

    • All stakeholders

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech workshop

    Book a workshop with our Info-Tech analysts:

    Photo of an Info-Tech analyst is shown.

    • To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
    • Info-Tech analysts will join you and your team onsite at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.
    • Contact your account manager (www.infotech.com/account), or email Workshops@InfoTech.com for more information.

    The following are sample activities that will be conducted by Info-Tech analysts with your team:

    2.1

    A screenshot of activity 2.1 is shown.

    Create a powerful, succinct mission statement

    Using Info-Tech’s sample mission statement as a guide, build your mission statement based on the objectives of this project and the benefits that this project will achieve. Keep the mission statement short and clear.

    2.2

    A screenshot of activity 2.2 is shown.

    Complete the assessment

    With the project team in the room, go through all three parts of the assessment with consideration of the feedback received from the business.

    2.3

    A screenshot of activity 2.3 is shown.

    Interpret the results of the assessment

    The Info-Tech onsite analyst will facilitate a discussion on the overall maturity of your service management practices and individual process maturity. Are there any surprises? Are the results reflective of current service delivery maturity?

    PHASE 3

    Build Your Service Management Roadmap

    Build Roadmap

    This step will walk you through the following activities:

    • Document your vision and mission on the roadmap one-pager.
    • Using the inputs from the current-state assessments, identify the key themes required by your organization.
    • Identify individual initiatives needed to address key themes.

    Step Insights

    • Using the Info-Tech thought model, address foundational gaps early in your roadmap and establish the management methods to continuously make them more robust.
    • If any of the core practices are not meeting the vision for your service management program, be sure to address these items before moving on to more advanced service management practices or processes.
    • Make sure the story you are telling with your roadmap is aligned to the overall organizational goals.

    Phase 3 outline

    Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

    Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

    Guided Implementation 3: Determine Your Service Management Target State

    Step 3.1 – Document the Overall Themes

    Start with an analyst kick-off call:

    • Review the outputs from your current-state assessments to identify themes for areas that need to be included in your roadmap

    Then complete these activities…

    • Ensure foundational elements are solid by adding any gaps to the roadmap
    • Identify any changes needed to management practices to ensure continuous improvement

    With these tools & templates:

    Service Management Roadmap Presentation Template

    Step 3.2 – Determine Individual Initiatives

    Review findings with analyst:

    • Determine the individual initiatives needed to close the gaps between the current state and the vision

    Then complete these activities…

    • Finalize and document roadmap for executive socialization

    With these tools & templates:

    Service Management Roadmap Presentation Template

    Focus on a strong foundation to build higher value service management practices

    Info-Tech Insight

    Focus on behaviors and expected outcomes before processes.

    Foundational elements

    • Operating model facilitates service management goals
    • Culture of service delivery
    • Governance discipline to evaluate, direct, and monitor
    • Management discipline to deliver

    Stabilize

    • Deliver stable, reliable IT services to the business
    • Respond to user requests quickly and efficiently
    • Resolve user issues in a timely manner
    • Deploy changes smoothly and successfully

    Proactive

    • Avoid/prevent service disruptions
    • Improve quality of service (performance, availability, reliability)

    Service Provider

    • Understand business needs
    • Ensure services are available
    • Measure service performance, based on business-oriented metrics

    Strategic Partner

    • Fully aligned with business
    • Drive innovation
    • Drive measurable value

    Info-Tech Insight

    Continued leadership support of the foundational elements will allow delivery teams to provide value to the business. Set the expectation of the desired maturity level and allow teams to innovate.

    Identify themes that can help you build a strong foundation before moving to higher level practices

    A model is depicted that shows the various target states. There are 6 levels showing in the example, and the example is made to look like a tree with a character watering it. In the roots, the level is labelled foundational. The trunk is labelled the core. The lowest hanging branches of the tree is the stabilize section. Above it is the proactive section. Nearing the top of the tree is the service provider. The top most branches of the tree is labelled strategic partner.

    Before moving to advanced service management practices, you must ensure that the foundational and core elements are robust enough to support them. Leadership must nurture these practices to ensure they are sustainable and can support higher value, more mature practices.

    Use Info-Tech’s “Service Management Roadmap” template to document your vision, themes and initiatives

    The Service Management Roadmap Presentation Template contains a roadmap template to help communicate your vision, themes to be addressed, and initiatives

    A screenshot of Info-Tech's Service Management Roadmap template is shown.

    Working from the lower maturity items to the higher value practices, identify logical groupings of initiatives into themes. This will aid in communicating the reasons for the needed changes. List the individual initiatives below the themes. Adding the service management vision and mission statements can help readers understand the roadmap.

    Document your service management roadmap

    1. Document the service management vision and mission on the roadmap template.
    2. Identify, from the assessments, areas that need to be improved or implemented.
    3. Group the individual initiatives into logical themes that can ease communication of what needs to happen.
    4. Document the individual initiatives.
    5. Document in terms that business partners and executive sponsors can understand.

    INPUT

    • Current-state assessment outputs
    • Maturity model

    OUTPUT

    • Service management roadmap

    Materials

    • Whiteboard
    • Roadmap template

    Participants

    • All stakeholders

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech workshop

    Book a workshop with our Info-Tech analysts:

    Photo of an Info-Tech analyst is shown.

    • To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
    • Info-Tech analysts will join you and your team onsite at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.
    • Contact your account manager (www.infotech.com/account), or email Workshops@InfoTech.com for more information.

    The following are sample activities that will be conducted by Info-Tech analysts with your team:

    3.1

    A screenshot of activity 3.1 is shown.

    Identify themes to address items from the foundational level up to higher value service management practices

    Identify easily understood themes that will help others understand the expected outcomes within your organization.

    A screenshot of activity 3.2 is shown.

    Document individual initiatives that contribute to the themes

    Identify specific activities that will close gaps identified in the assessments.

    PHASE 2

    Build Communication Slide

    Complete your service management roadmap

    This step will walk you through the following activities:

    • Use the current-state assessment exercises to document the state of your service management practices. Document examples of the behaviors that are currently seen.
    • Document the expected short-term gains. Describe how you want the behaviors to change.
    • Document the long-term vision for each item and describe the benefits you expect to see from addressing each theme.

    Step Insights

    • Use the communication template to acknowledge the areas that need to be improved and paint the short- and long-term vision for the improvements to be made through executing the roadmap.
    • Write it in business terms so that it can be used widely to gain acceptance of the upcoming changes that need to occur.
    • Include specific areas that need to be fixed to make it more tangible.
    • Adding the values from the vision, mission, and values exercise can also help you set expectations about how the team will behave as they move towards the longer-term vision.

    Phase 4 Outline

    Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

    Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

    Guided Implementation 4: Build the Service Management Roadmap

    Step 4.1: Document the Current State

    Start with an analyst kick-off call:

    • Review the pain points identified from the current state analysis
    • Discuss tactics to address specific pain points

    Then complete these activities…

    • Socialize the pain points within the service delivery teams to ensure nothing is being misrepresented
    • Gather ideas for the future state

    With these tools & templates:

    Service Management Roadmap Presentation Template

    Step 4.2: List the Future Vision

    Review findings with analyst:

    • Review short- and long-term vision for improvements for the pain points identified in the current state analysis

    Then complete these activities…

    • Prepare to socialize the roadmap
    • Ensure long-term vision is aligned with organizational objectives

    With these tools & templates:

    Service Management Roadmap Presentation Template

    Use Info-Tech’s “Service Management Roadmap – Brought to Life” template to paint a picture of the future state

    The Service Management Roadmap Presentation Template contains a communication template to help communicate your vision of the future state

    A screenshot of Info-Tech's Service Management Roadmap - Brought to Life template

    Use this template to demonstrate how existing pain points to delivering services will improve over time by painting a near- and long-term picture of how things will change. Also list specific initiatives that will be launched to affect the changes. Listing the values identified in the vision, mission, and values exercise will also demonstrate the team’s commitment to changing behavior to create better outcomes.

    Document your current state and list initiatives to address them

    1. Use the previous assessments and feedback from business or customers to identify current behaviors that need addressing.
    2. Focus on high-impact items for this document, not an extensive list.
    3. An example of step 1 and 2 are shown.
    4. List the initiatives or actions that will be used to address the specific pain points.

    An example of areas for improvement.

    INPUT

    • Current-state assessment outputs
    • Feedback from business

    OUTPUT

    • Service Management Roadmap Communication Tool, in the Service Management Roadmap Presentation

    Materials

    • Whiteboard
    • Roadmap template

    Participants

    • All stakeholders

    Document your future state

    An example of document your furture state is shown.

    1. For each pain point document the expected behaviors, both short term and longer term.
    2. Write in terms that allow readers to understand what to expect from your service management practice.

    INPUT

    • Current-state assessment outputs
    • Feedback from business

    OUTPUT

    • Service Management Roadmap Communication Tool, in the Service Management Roadmap Presentation Template

    Materials

    • Whiteboard
    • Roadmap template

    Participants

    • All stakeholders

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech workshop

    Book a workshop with our Info-Tech analysts:

    Photo of an Info-Tech analyst is shown.

    • To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
    • Info-Tech analysts will join you and your team onsite at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.
    • Contact your account manager (www.infotech.com/account), or email Workshops@InfoTech.com for more information.

    The following are sample activities that will be conducted by Info-Tech analysts with your team:

    4.1

    A screenshot of activity 4.1 is shown.

    Identify the pain points and initiatives to address them

    Identify items that the business can relate to and initiatives or actions to address them.

    4.2

    A screenshot of activity 4.2 is shown.

    Identify short- and long-term expectations for service management

    Communicate the benefits of executing the roadmap both short- and long-term gains.

    Research contributors and experts

    Photo of Valence Howden

    Valence Howden, Principal Research Director, CIO Practice

    Info-Tech Research Group

    Valence helps organizations be successful through optimizing how they govern, design, and execute strategies, and how they drive service excellence in all work. With 30 years of IT experience in the public and private sectors, he has developed experience in many information management and technology domains, with focus in service management, enterprise and IT governance, development and execution of strategy, risk management, metrics design and process design, and implementation and improvement.

    Photo of Graham Price

    Graham Price, Research Director, CIO Practice

    Info-Tech Research Group

    Graham has an extensive background in IT service management across various industries with over 25 years of experience. He was a principal consultant for 17 years, partnering with Fortune 500 clients throughout North America, leveraging and integrating industry best practices in IT service management, service catalog, business relationship management, IT strategy, governance, and Lean IT and Agile.

    Photo of Sharon Foltz

    Sharon Foltz, Senior Workshop Director

    Info-Tech Research Group

    Sharon is a Senior Workshop Director at Info-Tech Research Group. She focuses on bringing high value to members via leveraging Info-Tech’s blueprints and other resources enhanced with her breadth and depth of skills and expertise. Sharon has spent over 15 years in various IT roles in leading companies within the United States. She has strong experience in organizational change management, program and project management, service management, product management, team leadership, strategic planning, and CRM across various global organizations.

    Related Info-Tech Research

    Build a Roadmap for Service Management Agility

    Extend the Service Desk to the Enterprise

    Bibliography

    • “CIOs Emerge as Disruptive Innovators.” CSC Global CIO Survey: 2014-2015. Web.
    • “Digital Transformation: How Is Your Organization Adapting?” CIO.com, 2018. Web.
    • Goran, Julie, Laura LaBerge, and Ramesh Srinivasan. “Culture for a digital age.” McKinsey, July 2017. Web.
    • The Qualities of Leadership: Leading Change. Cornelius & Associates, 14 April 2012.
    • Wilkinson, Paul. “Culture, Ethics, and Behavior – Why Are We Still Struggling?” ITSM Tools, 5 July 2018. Web.

    Right-Size the Service Desk for Small Enterprise

    • Buy Link or Shortcode: {j2store}487|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Service Desk
    • Parent Category Link: /service-desk

    The service desk is a major function within IT. Small enterprises with constrained resources need to look at designing a service desk that enables consistency in supporting the business and finds the right balance of documentation.

    Determining the right level of documentation to provide backup and getting the right level of data for good reporting may seem like a waste of time when the team is small, but this is key to knowing when to invest in more people, upgraded technology, and whether your efforts to improve service are successful.

    Our Advice

    Critical Insight

    It’s easy to lose sight of the client experience when working as a small team supporting a variety of end users. Changing from a help desk to a service desk requires a focus on what it means to be a customer centric service desk and a change to the way the technicians think about providing support.

    • Make the best use of the team. Clearly define roles and responsibilities and monitor those wearing multiple hats to make sure they don’t burn out.
    • Build cross training and documentation into your culture to preserve service levels while giving team members time off to recharge.
    • Don’t discount the benefit of good tools. As volume increases, so does the likelihood of issues and requests getting missed. Look for tools that will help to keep a customer focus.

    Impact and Result

    • Improved workload distribution for technicians and enable prioritization based on work type, urgency, and impact.
    • Improved communications methods and messaging will help the technicians to set expectations appropriately and reduce friction between each other and their supported end users.
    • Best practices and use of industry standard tools will reduce administrative overhead while improving workload management.

    Right-Size the Service Desk for Small Enterprise Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Right-Size the Service Desk for Small Enterprise Storyboard – A step-by-step guide to help you identify and prioritize initiatives to become more customer centric.

    This blueprint provides a framework to quickly identify a plan for service desk improvements. It also provides references to build out additional skills and functionality as a continual improvement initiative.

    • Right-Size the Service Desk for Small Enterprise Storyboard

    2. Maturity Assessment – An assessment to determine baseline maturity.

    The maturity assessment will provide a baseline and identify areas of focus based on level of current and target maturity.

    • IT Service Desk Maturity Assessment for Small Enterprise

    3. Standard Operating Procedure – A template to build out a clear, concise SOP right-sized for a small enterprise.

    The SOP provides an excellent guide to quickly inform new team members or contractors of your support approach.

    • Incident Management and Service Desk SOP for Small Enterprise

    4. Categorization Scheme – A template to build out an effective categorization scheme.

    The categorization scheme template provides examples of asset-based categories, resolution codes and status.

    • Service Desk Asset-Based Categories Template

    5. Improvement Plan – A template to present the improvement plan to stakeholders.

    This template provides a starting point for building your communications on planned improvements.

    • Service Desk Improvement Initiative
    [infographic]

    Further reading

    Right-Size the Service Desk for Small Enterprise

    Turn your help desk into a customer-centric service desk.

    Analyst Perspective

    Small enterprises have many of the same issues as large ones, but with far fewer resources. Focus on the most important aspects to improve customer service.

    The service desk is a major function within IT. Small enterprises with constrained resources need to look at designing a service desk that enables consistency in supporting the business and finds the right balance of documentation.

    Evaluate documentation to ensure there is always redundancy built in to cover absences. Determining coverage will be an important factor, especially if vendors will be brought into the organization to assist during shortages. They will not have the same level of knowledge as teammates and may have different requirements for documentation.

    It is important to be customer centric, thinking about how services are delivered and communicated with a focus on providing self-serve at the appropriate level for your users and determining what information the business needs for expectation-setting and service level agreements, as well as communications on incidents and changes.

    And finally, don’t discount the value of good reporting. There are many reasons to document issues besides just knowing the volume of workload and may become more important as the organization evolves or grows. Stakeholder reporting, regulatory reporting, trend spotting, and staff increases are all good reasons to ensure minimum documentation standards are defined and in use.

    Photo of Sandi Conrad, Principal Research Director, Info-Tech Research Group. Sandi Conrad
    Principal Research Director
    Info-Tech Research Group

    Table of Contents

    Title Page Title Page
    Blueprint benefits 6 Incident management 25
    Start / Stop / Continue exercise 10 Prioritization scheme 27
    Complete a maturity assessment 11 Define SLAs 29
    Select an ITSM tool 13 Communications 30
    Define roles & responsibilities 15 Reporting 32
    Queue management 17 What can you do to improve? 33
    Ticket handling best practices 18 Staffing 34
    Customer satisfaction surveys 19 Knowledge base & self-serve 35
    Categorization 20 Customer service 36
    Separate ticket types 22 Ticket analysis 37
    Service requests 23 Problem management 38
    Roadmap 39

    Insight summary

    Help desk to service desk

    It’s easy to lose sight of the client experience when working as a small team supporting a variety of end users. Changing from a help desk to a service desk requires a focus on what it means to be a customer-centric service desk and a change to the way the technicians think about providing support.

    Make the best use of the team

    • Clearly define primary roles and responsibilities, and identify when and where escalations should occur.
    • Divide the work in a way that makes the most sense based on intake patterns and categories of incidents or service requests.
    • Recognize who is wearing multiple hats, and monitor to make sure they don’t burn out or struggle to keep up.
    • Determine the most appropriate areas to outsource based on work type and skills required.

    Build cross-training into your culture

    • Primary role holders need time off and need to know the day-to-day work won’t be waiting for them when they come back.
    • The knowledge base is your first line of defense to make sure incidents don’t have to wait for resolution and to avoid having technicians remote in on their day off.
    • When volumes spike for incidents and service requests, everyone needs to be prepared to pitch in. Train the team to recognize and step up to the call to action.

    Don’t discount the benefit of good tools

    • When volume increases, so does the likelihood of missing issues and requests.
    • Designate a single solution to manage the workload, so there is one place to go for work orders, incident reporting, asset data, and more.
    • Set up self-serve for users so they have access to how-to articles and can check the status of tickets themselves.
    • Create a service catalog to make it easy for them to request the most frequent items easily.

    Blueprint deliverables

    Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:

    Standard Operating Procedures

    Sample of the Standard Operating Procedures deliverable.

    Maturity Assessment

    Sample of the Maturity Assessment deliverable.

    Categorization scheme

    Sample of the Categorization scheme deliverable.

    Improvement Initiative

    Sample of the Improvement Initiative deliverable.
    Create a standard operating procedure to ensure the support team has a consistent understanding of how they need to engage with the business.

    Blueprint benefits

    IT benefits

    • Improve workload distribution for technicians and enable prioritization based on work type, urgency, and impact.
    • Improved communications methods and messaging will help the technicians set expectations appropriately and reduce friction between each other and their supported end users.
    • Best practices and use of industry-standard tools will reduce administrative overhead while improving workload management.

    Business benefits

    • IT taking a customer-centric approach will improve access to support and reduce interruptions to the way they do business.
    • Expectation setting and improved communications will allow the business to better plan their work around new requests and will have a better understanding of service level agreements.

    Guided Implementation

    A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

    A typical GI is six to ten calls over the course of three to four months.

    The current state discussion will determine the path.

    What does a typical GI on this topic look like?

    Current State & Vision

    Best Practices

    Service Requests & Incidents

    Communications

    Next Steps & Roadmap

    Call #1: Discuss current state & create a vision

    Call #2: Document roles & responsibilities

    Call #3:Review and define best practices for ticket handling Call #4: Review categorization

    Call #5: Discuss service requests & self-serve

    Call #6: Assess incident management processes
    Call #7: Assess and document reporting and metrics

    Call #8: Discuss communications methods

    Call #9: Review next steps

    Call #10: Build roadmap for updates

    For a workshop on this topic, see the blueprint Standardize the Service Desk

    Executive Brief Case Study

    Southwest CARE Center
    Logo for Southwest Care.
    INDUSTRY
    Healthcare

    Service Desk Project

    After relying on a managed service provider (MSP) for a number of years, the business hired Kevin to repatriate IT. As part of that mandate, his first strategic initiative was to build a service desk. SCC engaged Info-Tech Research Group to select and build a structure; assign roles and responsibilities; implement incident management, request fulfilment, and knowledge management processes; and integrate a recently purchased ITSM tool.

    Over the course of a four-day onsite engagement, SCC’s IT team worked with two Info-Tech analysts to create and document workflows, establish ticket handling guidelines, and review their technological requirements.

    Results

    The team developed a service desk standard operating procedure and an implementation roadmap with clear service level agreements.

    Southwest CARE Center (SCC) is a leading specialty healthcare provider in New Mexico. They offer a variety of high-quality services with a focus on compassionate, patient-centered healthcare.

    “Info-Tech helped me to successfully rebrand from an MSP help desk to an IT service desk. Sandi and Michel provided me with a customized service desk framework and SOP that quickly built trust within the organization. By not having to tweak and recalibrate my service desk processes through trial and error, I was able to save a year’s worth of work, resulting in cost savings of $30,000 to $40,000.” (Kevin Vigil, Director of Information Technology, Southwest CARE Center)

    The service desk is the cornerstone for customer satisfaction

    Bar charts comparing 'Dissatisfied' vs 'Satisfied End Users' in both 'Service Desk Effectiveness' and 'Timeliness'.
    N=63, small enterprise organizations from the End-User Satisfaction Diagnostic, at December 2021
    Dissatisfied was classified as those organizations with an average score less than 7.
    Satisfied was classified as those organizations with an average score greater or equal to 8.
    • End users who were satisfied with service desk effectiveness rated all other IT processes 36% higher than dissatisfied end users.
    • End users who were satisfied with service desk timeliness rated all other IT processes 34% higher than dissatisfied end-users.

    Improve the service desk with a Start, Stop, Continue assessment

    Use this exercise as an opportunity to discuss what’s working and what isn’t with your current help desk. Use this to define your goals for the improvement project, with a plan to return to the results and rerun the exercise on a regular basis.

    STOP

    • What service desk processes are counterproductive?
    • What service blockers exist that consistently undermine good results?
    • Are end-user relationships with individual team members negatively impacting satisfaction?
    • Make notes on initial ideas for improvement.

    START

    • What service process improvements could be implemented immediately?
    • What technical qualifications do individual staff members need to improve?
    • What opportunities exist to improve service desk communications with end users?
    • How can escalation and triage be more efficient?

    CONTINUE

    • What aspects of your current service desk are positive?
    • What processes are efficient and can be emulated elsewhere?
    • Where can you identify high levels of end-user satisfaction?

    Complete a maturity assessment to create a baseline and areas of focus

    The Service Desk Maturity Assessment tool helps organizations assess their service desk process maturity and focus the project on the activities that matter most.

    The tool will help guide improvement efforts and measure your progress.

    • The second tab of the tool walks through a qualitative assessment of your service desk practices. Questions will prompt you to evaluate how you are executing key activities. Select the answer in the drop-down menus that most closely aligns with your current state.
    • The third tab displays your rate of process completeness and maturity. You will receive a score for each phase, an overall score, and advice based on your performance.
    • Document the results of the efficiency assessment in the Service Desk Improvement Initiative.
    • The tool is intended for periodic use. Review your answers each year and devise initiatives to improve the process performance where you need it most.
    Sample of the Service Desk Maturity Assessment.

    Define your vision for the support structure

    Use this vision for communicating with the business and your IT team

    Consider service improvements and how those changes can be perceived by the organization. For example, offering multiple platforms, such as adding Macs to end-user devices, could translate to “Providing the right IT solutions for the way our employees want to work.”

    To support new platforms, you might need to look at the following steps to get there:
    • Evaluate skills needed – can you upskill generalists quickly, or will specialists be required? Determine training needs for support staff on new platforms.
    • Estimate uptake of the new platform and adjusting budgets – will these mostly be role-based decisions?
    • Determine what applications will work on the new platform and which will have a parity offering, which will require a solution like Parallels or VirtualBox, and which might need substitute applications.
    • What utilities will be needed to secure your solutions such as for encryption, antivirus, and firewalls?
    • What changes in the way you deploy and patch machines?
    • What level of support do you need to provide – just platform, or applications as well? What self-serve training can be made available?
    If you need to change the way you deploy equipment, you may want to review the blueprint Simplify Remote Deployment With Zero-Touch Provisioning

    Info-Tech Insight

    Identify some high-level opportunities and plan out how these changes will impact the way you provide support today. Document steps you’ll need to follow to make it happen. This may include new offerings and product sourcing, training, and research.

    Facilitate service desk operations with an ITSM tool

    You don’t need to spend a fortune. Many solutions are free or low-cost for a small number of users, and you don’t necessarily have to give up functionality to save money.

    Encourage users to submit requests through email or self-serve to keep organized. Ensure that reporting will provide you with the basics without effort, but ensure report creation is easy enough if you need to add more.

    Consider tools that do more than just store tickets. ITSM tools for small enterprises can also assist with:
    • Equipment and software license management
    • Self-serve for password reset and improving the experience for end users to submit tickets
    • Software deployment
    • Onboarding and offboarding workflows
    • Integration with monitoring tools
    Info-Tech Insight Buying rather than building allows you the greatest flexibility and can provide enterprise-level functionality at small-enterprise pricing. Use Info-Tech’s IT Service Management Selection Guide to create a business case and list of requirements for your ITSM purchase.
    Logo for Spiceworks.
    Logo for ZenDesk. Logo for SysAid.
    Logo for ManageEngine.
    Logo for Vector Networks.
    Logo for Freshworks.
    Logo for Squadcast.
    Logo for Jira Software.
    Logos contain links

    ITSM implementations are the perfect time to fix processes

    Consider engaging a partner for the installation and setup as they will have the expertise to troubleshoot and get you to value quickly.

    Even with a partner, don’t rely on them to set up categories, prioritizations, and workflows. If you have unique requirements, you will need to bring your design work to the table to avoid getting a “standard install” that will need to be modified later.

    When we look at what makes a strong and happy product launch, it boils down to a few key elements:
    • Improving customer service, or at least avoiding a decline
    • Improving access to information for technical team and end users
    • Successfully taking advantage of workflows, templates, and other features designed to improve the technician and user experience
    • Using existing processes with the new tools, without having to completely reengineer how things are done
    For a complete installation guide, visit the blueprint Build an ITSM Implementation Plan
    To prepare for a quick time to value in setting up the new ITSM tool, prioritize in this order:
    1. Categorization and status codes
    2. Prioritization
    3. Divide tickets into incidents and service requests
    4. Create workflows for onboarding and offboarding (automate where you can)
    5. Track escalations to vendors
    6. Reporting
    7. Self-serve
    8. Equipment inventory (leading to hardware asset management)

    Define roles looking to balance between customer service and getting things done

    The team will need to provide backfill for each other with high volume, vacations, and leave, but also need to proactively manage interruptions appropriately as they work on projects.
    Icon of a bullseye. First contact – customer service, general knowledge
    Answers phones, chats, responds to email, troubleshooting, creates knowledge articles for end users.
    Icon of a pie chart. Analyst – experienced troubleshooter, general knowledge
    Answers phone when FC isn’t available, responds to email, troubleshooting, creates knowledge articles for first contact, escalates to other technicians or vendors.
    Icon of a lightbulb. Analyst – experienced troubleshooter, specialist
    Answers phones only when necessary, troubleshooting, creates knowledge articles for anyone in IT, consults with peers, escalates to vendors.
    Icon of gear on a folder. Engineer – deep expertise, specialist
    Answers phones only when necessary, troubleshooting, creates knowledge articles for anyone in IT, consults with peers, escalates to vendors.
    Icon of a handshake. Vendor, Managed Service Providers
    Escalation point per contract terms, must meet SLAs, communicate regularly with analysts and management as appropriate. Who escalates and who manages them?
    Row of colorful people.

    Note roles in the Incident Management and Service Desk – Standard Operating Procedure Template

    Keep customers happy and technicians calm by properly managing your queue

    If ticket volume is too high or too dispersed to effectively have teams self-select tickets, assign a queue manager to review tickets throughout the day to ensure they’re assigned and on the technician’s schedule. This is particularly important for technicians who don’t regularly work out of the ticketing system. Follow up on approaching or missed SLAs.

    • Separate incidents (break fix) and service requests: Prioritize incidents over service requests to focus on getting users doing business as soon as possible. Schedule service requests for slower times or assign to technicians who are not working the front lines.
    • First in/first out…mostly: We typically look to prioritize incidents over service requests and only prioritize incidents if there are multiple people or VIPs affected. Where everything is equal, deal with the oldest first. Pause occasionally to deal with quick wins such as password resets.
    • Update ticket status and notes: Knowing what tickets are in progress and which ones are waiting on information or parts is important for anyone looking to pick up the next ticket. Make sure everyone is aware of the benefits of keeping this information up to date, so technicians know what to work on next without duplicating each other’s work.
    • Implement solutions quickly by using knowledge articles: Continue to build out the knowledge base to be able to resolve end-user issues quickly, check to see if additional information is needed before escalating tickets to other technicians.
    • Encourage end users to create tickets through the portal: Issues called in are automatically moved to the front of the queue, regardless of urgency. Make it easy for users to report issues using the portal and save the phone for urgent issues to allow appropriate prioritization of tickets.
    • Create a process to add additional resources on a regular basis to keep control of the backlog: A few extra hours once a week may be enough if the team is focused without interruptions.
    • Determine what backlog is acceptable to your users: Set that as a maximum time to resolve. Ideally, set up automated escalations for tickets that are approaching target SLAs, and build flexibility into schedules to have an “all hands on deck” option if the volume gets too high.

    Info-Tech Insight

    Make sure your queue manager has an accurate escalation list and has the authority to assign tickets and engage with the technical team to manage SLAs; otherwise, SLAs will never be consistently managed.

    Best practices for ticket handling

    Accurate data leads to good decisions. If working toward adding staff members, reducing recurring incidents, gaining access to better tools, or demonstrating value to the business, tickets will enable reporting and dashboards to manage your day-to-day business and provide reports to stakeholders.
    • Provide an easy way for end users to electronically submit tickets and encourage them to do so. This doesn’t mean you shouldn’t still accept phone calls, but that should be encouraged for time sensitive issues.
    • Create and update tickets, but not at the expense of good customer service. Agents can start the ticket but shouldn’t spend five minutes creating the ticket when they should be troubleshooting the problem.
    • Update the ticket when the issue is resolved or needs to be escalated. If agents are escalating, they should make sure all relevant information is passed along to the next technician.
    • Update user of ETA if issue cannot be resolved quickly.
    • Update categories to reflect the actual issue and resolution.
    • Reference or link to the knowledge base article as the documented steps taken to resolve the incident.
    • Validate incident is resolved with client. Automate this process with ticket closure after a certain time.
    • Close or resolve the ticket on time.
    Ticket templates (or quick tickets) for common incidents can lead to fast creation, data input, and categorizations. Templates can reduce the time it takes to create tickets from two minutes to 30 seconds.
    Sample ticket template.

    Create a right-sized self-service portal

    Review tickets and talk to the team to find out the most frequent requests and the most frequent incidents that could be solved by the end user if there were clear instructions. Check with your user community to see what they would like to see in the portal.

    A portal is only as attractive as it is useful. Enabling ticket creation and review is the bare minimum and may not entice users to the portal if email is just as easy to use for ticket creation.

    Consider opening the portal to groups other than IT. HR, finance, and others may have information they want to share or forms to fill in or download where an employee portal rather than an IT portal could be helpful. Work with other departments to see if they would find value. Make sure your solution is easy to use when adding content. Low-code options are useful for this.

    Portals could be built in the ITSM solution or SharePoint/Teams and should include:

    • Easy ways to create and see status on all tickets
    • Manuals, how-to articles, links to training
    • Answers to common questions, could be a wiki or Q&A for users to help each other as well as IT
    • Could have a chatbot to help people find documents or to create a ticket

    Info-Tech Insight

    Consider using video capture software to create short how-to videos for common questions. Vendors such as TechSmith Snagit , Vimeo Screen Recorder, Screencast-O-Matic Video Recording, and Movavi Screen Recording may be quick and easy to learn.

    49%

    49% of employees have trouble finding information at work

    35%

    Employees can cut time spent looking for information by 35% with quality intranet

    (Source: Liferay)

    Use customer satisfaction surveys to monitor service levels

    Transactional surveys are tied to specific interactions and provide a means of communication to help users communicate satisfaction or dissatisfaction with single interactions.
    • Keep it simple: One question to rate the service with opportunity to add a comment is enough to understand the sentiment and potential issues, and it will be more likely that the user will fill it out.
    • Follow up: Feedback will only be provided if customers think it’s being read and actioned. Set an alert to receive notification of any negative feedback and follow up within one or two business days to show you’re listening.

    A simple customer feedback form with smiley face scale.

    Relationship surveys can be run annually to obtain feedback on the overall customer experience.

    Inform yourself of how well you are doing or where you need improvement in the broad services provided.

    Provide a high-level perspective on the relationship between the business and IT.

    Help with strategic improvement decisions.

    Should be sent over a duration of time and to the entire customer base after they’ve had time to experience all the services provided by the service desk. This can be done on an annual basis.

    For example: Info-Tech’s End User Satisfaction Diagnostic. Included in your membership.

    Keep categorizations simple

    Asset categorization provides reports that are straightforward and useful for IT and that are typically used where the business isn’t demanding complex reports.

    Too many options can cause confusion; too few options provide little value. Try to avoid using “miscellaneous” – it’s not useful information. Test your tickets against your new scheme to make sure it works for you. Effective classification schemes are concise, easy to use correctly, and easy to maintain.

    Build out the categories with these questions:
    • What kind of asset am I working on? (type)
    • What general asset group am I working on? (category)
    • What particular asset am I working on? (sub-category)

    Create resolution codes to further modify the data for deeper reporting. This is typically a separate field, as you could use the same code for many categories. Keep it simple, but make sure it’s descriptive enough to understand the type of work happening in IT.

    Create and define simple status fields to quickly review tickets and know what needs to be actioned. Don’t stop the clock for any status changes unless you’re waiting on users. The elapsed time is important to measure from a customer satisfaction perspective.

    Info-Tech Insight

    Think about how you will use the data to determine which components need to be included in reports. If components won’t be used for reporting, routing, or warranty, reporting down to the component level adds little value.

    Example table of categorizations.


    Need to make quick progress? Use Info-Tech Research Group’s Service Desk Asset-Based Categories template.

    1.1 Build or review your categories

    1-3 hours

    Input: Existing tickets

    Output: Categorization scheme

    Materials: Whiteboard/Flip charts, Markers, Sample categorization scheme

    Participants: CIO, Service desk manager, Technicians

    Discuss:

    • How can you use categories and resolution information to enhance reporting?
    • What level of detail do you need to be able to understand the data and take action? What level of detail is too much?
    • Are current status fields allowing you to accurately assess pending work at a glance?

    Draft:

    1. Start with existing categories and review, identifying duplicates and areas of inconsistency.
    2. Write out proposed resolution codes and status fields and critically assess their value.
    3. Test categories and resolution codes against a few recent tickets.
    4. Record the ticket categorization scheme in the Incident Management and Service Desk – Standard Operating Procedure.

    Download the Incident Management and Service Desk – Standard Operating Procedure Template

    Separate tickets into service requests and incidents

    Tickets should be separated into different ticket types to be able to see briefly what needs to be prioritized. This may seem like a non-issue if you have a small team, but if you ever need to report how quickly you’re solving break-fix issues or whether you’re doing root cause analysis, this will save on future efforts. Separating ticket types may make it easier to route tickets automatically or to a new provider in the future.

    INCIDENTS

    SERVICE REQUESTS

    Icon of a bullseye.

    PRIORITIZATION

    Incidents will be prioritized based on urgency and impact to the organization. Service requests will be scheduled and only increase in prioritization if there is an issue with the request process (e.g. new hire start).
    Icon of a handshake.

    SLAs

    Did incidents get resolved according to prioritization rules? REPONSE & RESOLUTION Did service requests get completed on time? SCHEDULING & FULFILMENT
    Icon of a lightbulb.

    TRIAGE & ROOT CAUSE ANALYSIS

    Incidents will typically need triage at the service desk unless something is set up to go directly to a specialist. Service requests don’t need triage and can be routed automatically for approvals and fulfillment.

    “For me, the first key question is, is this keeping you from doing business? Is this a service request? Is it actually something that's broken? Well, okay. Now let's have the conversation about what's broken and keeping you from doing business.” (Anonymous CIO)

    Determine how service requests will be fulfilled

    Process steps for service requests: 'Request, Approve, Schedule, Fulfill, Notify requester, Close ticket'.

    • Identify standard requests, meaning any product approved for use and deployment in the organization.
    • Determine whether this should be published and how. Consider a service catalog with the ability to create tickets right from the request page. If there is an opportunity to automate fulfillment, build that into your workflow and project plans.
    • Create workflows for complicated requests such as onboarding, and build them into a template in the service desk tool. This will allow you to reduce the administrative work to deploy tasks.
    • Who will fulfill requests? There may be a need for more than one technician to be able to fulfill if volume dictates, but it’s important to determine what will be done by each level to quickly assign those tickets for scheduling. Define what will be done by each group of technicians.
    • Determine reasonable SLAs for most service requests. Identify which ones will not meet “normal” SLAs. As you build out a service catalog or automate fulfillment, SLAs can be refined.

    Info-Tech Insight

    Service requests are not as urgent as incidents and should be scheduled.

    Set the SLA based on time to fulfill, plus a buffer to schedule around more urgent service requests.

    1.2 Identify service requests and routing needs

    2-3 hours

    Input: Ticket data, Existing workflow diagrams

    Output: Workflow diagrams

    Materials: Whiteboard/Flip charts, Markers, Visio

    Participants: CIO, Service desk manager, Technicians

    Identify:

    1. Create your list of typical service requests and identify the best person to fulfill, based on complexity, documentation, specialty, access rights.
    2. Review service requests which include multiple people or departments, such as onboarding and offboarding
    3. Draw existing processes.
    4. Discuss challenges and critique existing process.
    5. Document proposed changes and steps that will need to be taken to improve the process.

    Download the Incident Management and Service Desk – Standard Operating Procedure Template

    Incident management

    Critical incidents and normal incidents

    Even with a small team, it’s important to define a priority for response and resolution time for SLA and uptime reporting and extracting insights for continual improvement efforts.

    • Mission-critical systems or problems that affect many people should always come first (i.e. Severity Level 1).
    • The bulk of reported problems, however, are often individual problems with desktop PCs (i.e. Severity Level 3 or 4).
    • Some questions to consider when deciding on problem severity include:
      • How is productivity affected?
      • How many users are affected?
      • How many systems are affected?
      • How critical are the affected systems to the organization?
    • Decide how many severity levels the organization needs the service desk to have. Four levels of severity is ideal for most organizations.
    Go to incident management for SE

    Super-specialization of knowledge is also a common factor in smaller teams and is caused by complex architectures. While helpful, if that knowledge isn’t documented, it can walk out the door with the resource and the rest of the team is left scrambling.

    Lessons learned may be gathered for critical incidents but often are not propagated, which impacts the ability to solve recurring incidents.

    Over time, repeated incidents can have a negative impact on the customer’s perception that the service desk is a credible and essential service to the business.

    Cover image for 'Incident Management for Small Enterprise'.
    Click picture for a link to the blueprint

    1.3 Activity: Identify critical systems

    1 hour

    Input: Ticket data, Business continuity plan

    Output: Service desk SOP

    Materials: Whiteboard/Flip charts, Markers

    Participants: CIO, Service desk manager, Technicians

    Discuss and document:

    1. Create a list of the most critical systems, and identify and document the escalation path.
    2. Review inventory of support documents for critical systems and identify any that require runbooks to ensure quick resolution in the event of an outage or major performance issue. Refer to the blueprint Incident Management for Small Enterprise to prioritize and document runbooks as needed.
    3. Review vendor agreements to determine if SLAs are appropriate to support needs. If there is a need for adjustments, determine options for modifying or renegotiating SLAs.

    Download the Incident Runbook Prioritization Tool

    Prioritization scheme

    Keep the priority scheme simple and meaningful, using this framework to communicate and report to stakeholders and set SLAs for response and resolution.
    1. Focus primarily on incidents. Service requests should always be medium urgency, unless there is a valid reason to move one to high level.
    2. Separate major outages from all other tickets as these are a major factor in business impact.
    3. Decide how many levels of severity are appropriate for your organization.
    4. Build a prioritization matrix, breaking down priority levels by impact and urgency.
    5. Build out the definitions of “impact” and “urgency” to complete the prioritization matrix.
    6. Run through examples of each priority level to make sure everyone is on the same page.
    A matrix of prioritization with rows as levels of 'IMPACT' and columns as levels of 'URGENCY'. Ratings range from 'Critical' at 'Extensive/Critical' to 'Low' at 'Low Impact/Low'.

    Document escalation rules and contacts

    Depending on the size of the team, escalations may be mostly to internal technical colleagues or could be primarily to vendors.

    • Ensure the list of escalation rules and contacts is accurate and available, adding expected SLAs for quick reference
    • If tickets are being escalated but shouldn’t be, ensure knowledge articles and training materials are up to date
    • Follow up on all external escalations, ensuring SLAs are respected
    • Publish an escalation path for clients if service is not meeting their needs (for internal and external providers) and automate escalations for tickets breaching SLAs
    Escalation rules strung together.
    User doesn’t know who will fix the issue but expects to see it done in a reasonable time. If issue cannot be resolved right away, set expectations for resolution time.
    • Document information so next technician doesn’t need to ask the same questions.
    • Escalate to the right technician the first time.
    • Check notes to catch up on the issue.
    • Run tests if necessary.
    • Contact user to troubleshoot and fix.
    • Meet SLAs or update client on new ETA.
    • Provide complete information to vendor.
    • Monitor resolution.
    • Follow up with vendor if delays.
    • Update client as needed.
    • Vendor will provide support according to agreement.
    • Encourage vendor to provide regular updates to IT.
    • Review vendor performance regularly.
    • IT will validate issue is resolved and close ticket.
    Validate user is happy with the experience

    Define, measure, and report on service level agreements

    Improving communications is the most effective way to improve customer service
    1. Set goals for time to respond and time to resolve for different incident levels, communicate to the technical team, and test ability to meet these goals.
    2. Set goals for time to fulfil for most service requests, document exceptions (e.g. onboarding).
    3. Create reports to measure against goals and determine what information will be most effective for reporting to the business.
    4. Management: Communicate expectations to the business leaders and end users.
    5. Management: Set regular cadence to meet with stakeholders to discuss expectations and review relevant metrics.
    6. Management: Determine how metrics will be tracked and reviewed to manage technical partners.
    Keep messaging simple
    • Be prepared with detailed reporting if needed, but focus on a few key metrics to inform stakeholders of progress against goals.
    • Use trending to tell a story, especially when presenting success stories.
    • Use appropriate media for each type of message. For example: SLAs can be listed on automated ticket responses or in a banner on the portal.

    Determine what communications are most important and who will do them

    Icon of a bperson ascending a staircase.

    PROACTIVE, PLANNED CHANGES

    From: Service Desk

    Messaging provided by engineer or director, sent to all employees; proactive planning with business unit leaders.

    Icon of a bullseye.

    OUTAGES & UPDATES

    From: Service Desk

    Use templates to send out concise messaging and updates hourly, with input from technical team working on restoring services to all; director to liaise with business stakeholders.

    Icon of a lightbulb.

    UPDATES TO SERVICES, SELF-SERVE

    From: Director

    Send announcements no more than monthly about new services and processes.

    Icon of a handshake.

    REGULAR STAKEHOLDER COMMUNICATIONS

    From: Director

    Monthly reporting to business and IT stakeholders on strategic and project goals, manage escalations.

    1.4 Create communications plan

    2 hours

    Input: Sample past communications

    Output: Communications templates

    Materials: Whiteboard/flip charts, Markers

    Participants: CIO, Service desk manager, Technicians

    Determine where templates are needed to ensure quick and consistent communications. Review sample templates and modify to suit your needs:

    1. Proactive, planned changes
    2. Outages and updates
    3. Updates to services, self-serve
    4. Regular stakeholder communications

    Download the communications templates

    Create reports that are useful and actionable

    Reporting serves two purposes:

    1. Accountability to stakeholders
    2. Identification of items that need action

    To determine what reports are needed, ask yourself:

    • What are your goals?
    • What story are you trying to tell?
    • What do you need to manage day to day?
    • What do you need to report to get funding?
    • What do you need to report to your stakeholders for service updates?

    Determine which metrics will be most useful to suit your strategic and operational goals

    STRATEGIC GOAL (stakeholders): Improve customer service evidenced by:

    TIME

    • Aged backlog
    • Service requests solved within SLA (could also look for quick ones, e.g. tickets solved in one day, % solved within one hour)
    • Volume of incidents and time to solve each type
    • Critical incidents solved in 4 hours
    • Incidents solved same day

    QUALITY

    • Percentage of tickets solved at first contact
    • SLAs missed
    • Percentage of services available to request through catalog
    • Percentage of tickets created through portal (speaks to quality of experience)
    • Customer satisfaction survey results – transactional and annual

    RESOURCES

    • Knowledge articles used by technicians
    • Knowledge articles used by end users
    • Tickets resolved at each technician level (volume)
    • Non-standard requests evaluated and fulfilled by volume & time served
    • Volume of recurring incidents
    OPERATIONAL GOALS: Report to director & technicians

    What else can you do to improve service?

    Review the next few pages to see if you need additional blueprints to help you:
    • Evaluate staffing and training needs to ensure the right number of resources are available and they have the skills they need for your environment.
    • Create self-service for end users to get quick answers and create tickets.
    • Create a knowledge base to ensure backup for technical expertise.
    • Develop customer service skills through training.
    • Perform ticket analysis to better understand your technical environment.

    Be agile in your approach to service

    It’s easy for small teams to get overwhelmed when covering for vacations, illness, or leave. Determine where priorities may be adjusted during busy or short-staffed times.

    • Have a plan to cross-train technicians and create comprehensive knowledge articles for coverage during vacations and unexpected absences.
    • Know where it makes sense to bring in vendors, such as for managed print services, or to cover for extended absences.
    • Look for opportunities to automate functions or reduce administrative overhead through workflows.
    • Identify any risks and determine how to mitigate, such as managing or changing administrative passwords.
    • Create self-serve to enable ticket creation and self-solve for those users who wish to use it.

    Staff the service desk to meet demand

    • With increasing complexity of support and demand on service desks, staff are often left feeling overwhelmed and struggling to keep up with ticket volume, resulting in long resolution times and frustrated end users.
    • However, it’s not as simple as hiring more staff to keep up with ticket volume. IT managers must have the data to support their case for increasing resources or even maintaining their current resources in an environment where many executives are looking to reduce headcount.
    • Without changing resources to match demand, IT managers will need to determine how to maximize the use of their resources to deliver better service.

    Cover image for 'Staff the Service Desk to Meet Demand'.
    Click picture for a link to the blueprint

    Create and manage a knowledge base

    With a small team, it may seem redundant to create a knowledge base, but without key system and process workflows and runbooks, an organization is still at risk of bottlenecks and knowledge failure.

    • Use a knowledge base to document pre-escalation troubleshooting steps, known errors and workarounds, and runbook solutions.
    • Where incidents may have many root causes, document which are the most frequent solutions and where variations are typically used.
    • Start with an inventory of personal documents, compare and consolidate into the knowledge base, and ensure they are accurate and up to date.
    • Assign someone to review articles on a regular basis and flag for editing and archiving as the technical environment changes.
    • Supplement with vendor-provided or purchased content. Two options for purchased content include RightAnswers or Netformx.

    Info-Tech Insight

    Appeal to a broad audience. Use non-technical language whenever possible to help less technical readers. Identify error messages and use screenshots where it makes sense. Take advantage of social features like voting buttons to increase use.

    Optimize the service desk with a shift-left strategy

    • “Shift left” is a strategy which moves appropriate technical work to users through knowledge articles, automation and service catalogs, freeing up time for technicians to work on more complex issues.
    • Many organizations have built a great knowledge base but fail to see the value of it over time as it becomes overburdened with overlapping and out-of-date information. Knowledge capture, updating, and review must be embedded into your processes if you want to keep the knowledge base useful.
    • Similarly, the self-service portal is often deployed out of the box with little input from end users and fails to deliver its intended benefits. The portal needs to be designed from the end user’s point of view with the goal of self-resolution if it will serve its purpose of deflecting tickets.

    Cover image for 'Optimize the Service Desk With a Shift-Left Strategy'.
    Click picture for a link to the blueprint

    Customer service isn’t just about friendliness

    Your team will all need to deal with end users at some point, and that may occur in times of high stress. Ensure the team has the skills they need to actively listen, stay positive, and de-escalate.

    Info-Tech’s customer service program is a modular approach to improve skills one area at a time. Delivering good customer service means being effective in these areas:
    • Customer focus – Focus on the customer and use a positive, caring, and helpful attitude.
    • Listening and verbal communication skills – Demonstrate empathy and patience, actively listen, and speak in user-friendly ways to help get your point across.
    • Written communication skills – Use appropriate tone, language, and terms in writing (whether via chat, email, or other).
    • Manage difficult situations – Remain calm and in control when dealing with difficult customers and situations.
    • Go the extra mile – Go beyond simply resolving the request to make each interaction positive and memorable.

    Deliver a customer service training program to your IT department

    • There’s a common misconception that customer service skills can’t be taught, so no effort is made to improve those skills.
    • Even when there is a desire to improve customer service, it’s hard for IT teams to make time for training and improvement when they’re too busy trying to keep up with tickets.
    • A talented service desk agent with both great technical and customer service skills doesn’t have to be a rare unicorn, and an agent without innate customer service skills isn’t a lost cause. Relevant and impactful customer service habits, techniques, and skills can be taught through practical, role-based training.
    • IT leaders can make time for this training through targeted, short modules along with continual on-the-job coaching and development.

    Cover image for 'Deliver Customer Service Training Program to Your IT Department'.
    Click picture for a link to the blueprint

    Improve your ticket analysis

    Once you’ve got great data coming into the ticketing system, it’s important to rethink your metrics and determine if there are more insights to be found.

    Analyzing ticket data involves:
    • Collecting ticket data and keeping it clean. Based on the metrics you’re analyzing, define ticket expectations and keep the data up to date.
    • Showing the value of the service desk. SLAs are meaningless if they are not met consistently. The prerequisite to implementing proper SLAs is fully understanding the proper workload of the service desk.
    • Understanding – and improving – the user experience. You cannot improve the user experience without meaningful metrics that allow you to understand the user experience. Different user groups will have different needs and different expectations of the level of service. Your metrics should reflect those needs and expectations.

    Analyze your service desk ticket data

    Properly analyzing ticket data is challenging for the following reasons:
    • Poor ticket hygiene and unclear ticket handling
    • Service desk personnel are not sure where to start with analysis
    • Too many metrics are tracked to parse actionable data from the noise
    Ticket data won’t give you a silver bullet, but it can help point you in the right direction.

    Cover image for 'Analyze Your Service Desk Ticket Data'.
    Click picture for a link to the blueprint

    Start doing problem management

    Proactively focusing on root cause analysis will reduce the most disruptive incidents to the organization.

    • A focus on elimination of critical incidents and the more disruptive recurring incidents will reduce future workloads for the team and improve customer satisfaction.
    • This can be challenging when the team is already struggling with workload; however, setting a regular cadence to review tickets, looking for trends, and identifying at least one focus area a month can be a positive outcome for everyone.
    • Focus on the most impactful ticket or service first. The initial goal should be to reduce or eliminate critical and high-impact incidents. Once the high-stress situations are reduced, proactively scheduling the smaller but still time-consuming repeatable incidents can be done.
    • Where you have vendors involved, work with them to determine when root cause analysis must happen and where they’ll need to coordinate with your team or other supporting vendors.

    Problem management

    Problem management can be challenging because it requires skills and knowledge to go deep into a problem and troubleshoot the root cause of an issue, but it also requires uninterrupted time.
    • Problem management, however, can be taught, and the issue isn’t always hard to spot if you have time to look.
    • Using tried and true methods for walking through an issue step by step will enable the team to improve their investigative and troubleshooting skills.
    • Reduction of one or two major incidents and recurring incidents per month will pay off quickly in reducing reactive ticket volume and improve customer satisfaction.

    Cover image for 'Problem Management'.
    Click picture for a link to the blueprint

    Create your roadmap with high-level requirements

    Determine what tasks and projects need to be completed to meet your improvement goals. Create a high-level project plan and balance with existing resources.

    Roadmap of high-level requirements with 'Goals' as row headers and their timelines mapped out across fiscal quarters.

    Bibliography

    Taylor, Sharon and Ivor Macfarlane. ITIL Small Scale Implementation. Office of Government Commerce, 2005.

    “Share, Collaborate, and Communicate on One Consistent Platform.” Liferay, n.d. Accessed 19 July 2022.

    Rodela, Jimmy. “A Beginner’s Guide to Customer Self-Service.” The Ascent, 18 May 2022. Web.

    Passwordless Authentication

    • Buy Link or Shortcode: {j2store}466|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: End-User Computing
    • Parent Category Link: /end-user-computing
    • Stakeholders believe that passwords are still good enough.
    • You don’t know how the vendor products match to the capabilities you need to offer.
    • What do you need to test when you prototype these new technologies?
    • What associated processes/IT domains will be impacted or need to be considered?

    Our Advice

    Critical Insight

    Passwordless is the right direction even if it’s not your final destination.

    Impact and Result

    • Be able to handle objections from those who believe passwords are still “fine.”
    • Prioritize the capabilities you need to offer the enterprise, and match them to products/features you can buy from vendors.
    • Integrate passwordless initiatives with other key functions (cloud, IDaM, app rationalization, etc.).

    Passwordless Authentication Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Passwordless Authentication – Know when you’ve been beaten!

    Back in 2004 we were promised "the end of passwords" – why, then, are we still struggling with them today?

    • Passwordless Authentication Storyboard
    [infographic]

    Further reading

    Passwordless Authentication

    Know when you've been beaten!

    Executive Summary

    Your Challenge

    • The IT world is an increasingly dangerous place.
    • Every year literally billions of credentials are compromised and exposed on the internet.
    • The average employee has between 27 and 191 passwords to manage.
    • The line between business persona and personal persona has been blurred into irrelevancy.
    • You need a method of authenticating users that is up to these challenges

    Common Obstacles

    • Legacy systems aside (wouldn't that be nice) this still won't be easy.
    • Social inertia – passwords worked before, so surely, they can still work today! Besides, users don't want to change.
    • Analysis paralysis – I don't want to get this wrong! How do I choose something that is going to be at the core of my infrastructure for the next 10 years?
    • Identity management – how can you fix authentication when people have multiple usernames?

    Info-Tech's Approach

    • Inaction is not an option.
    • Most commercial, off-the-shelf apps are moving to a SaaS model, so start your efforts with them.
    • Your existing vendors already have technologies you are underusing or ignoring – stop that!
    • Your users want this change – they just might not know it yet…
    • Much like zero trust network access, the journey is more important than the destination. Incremental steps on the path toward passwordless authentication will still yield significant benefits.

    Info-Tech Insight

    Users have been burdened with unrealistic expectations when it comes to their part in maintaining enterprise security. Given the massive rise in the threat landscape, it is time for Infrastructure to adopt a user-experience-based approach if we want to move the needle on improving security posture.

    Password Security Fallacy

    "If you buy the premise…you buy the bit."
    Johnny Carson

    We've had plenty of time to see this coming.

    Why haven't we done something?

    • Passwords are a 1970s construct.
    • End-users are complexity averse.
    • Credentials are leaked all the time.
    • New technologies will defeat even the most complex passwords.

    Build the case, both to business stakeholders and end users, that "password" is not a synonym for "security."

    Be ready for some objection handling!

    This is an image of Bill Gates and Gavin Jancke at the 2004 RSA Conference in San Francisco, CA

    Image courtesy of Microsoft

    RSA Conference, 2004
    San Francisco, CA

    "There is no doubt that over time, people are going to rely less and less on passwords. People use the same password on different systems, they write them down and they just don't meet the challenge for anything you really want to secure."
    Bill Gates

    What about "strong" passwords?

    There has been a password arms race going on since 1988

    A massive worm attack against ARPANET prompted the initial research into password strength

    Password strength can be expressed as a function of randomness or entropy. The greater the entropy the harder for an attacker to guess the password.

    This is an image of Table 1 from Google Cloud Solutions Architects.  it shows the number of bits of entropy for a number of Charsets.

    Table: Modern password security for users
    Ian Maddox and Kyle Moschetto, Google Cloud Solutions Architects

    From this research, increasing password complexity (length, special characters, etc.) became the "best practice" to secure critical systems.

    How many passwords??

    XKCD Comic #936 (published in 2011)

    This is an image of XKCD Comic # 936.

    Image courtesy of Randall Munroe XKCD Comics (CC BY-NC 2.5)

    It turns out that humans however are really bad at remembering complex passwords.

    An Intel study (2016) suggested that the average enterprise employee needed to remember 27 passwords. A more recent study from LastPass puts that number closer to 191.

    PEBKAC
    Problem Exists Between Keyboard and Chair

    Increasing entropy is the wrong way to fight this battle – which is good because we'd lose anyway.

    Over the course of a single year, researchers at the University of California, Berkeley identified and tracked nearly 2 billion compromised credentials.

    3.8 million were obtained via social engineering, another 788K from keyloggers. That's approx. 250,000 clear text credentials harvested every week!

    The entirety of the password ecosystem has significant vulnerabilities in multiple areas:

    • Unencrypted server- and client-side storage
    • Sharing
    • Reuse
    • Phishing
    • Keylogging
    • Question-based resets

    Even the 36M encrypted credentials compromised every week are just going to be stored and cracked later.

    Source: Google, University of California, Berkeley, International Computer Science Institute

     data-verified=22B hash/s">

    Image courtesy of NVIDIA, NVIDIA Grace

    • Current GPUs (2021) have 200+ times more cracking power than CPU systems.

    <8h 2040-bit RSA Key

    Image: IBM Quantum System One (CES 2020) by IBM Research is licensed under CC BY-ND 2.0

    • Quantum computing can smash current encryption methods.
    • Google engineers have demonstrated techniques that reduce the number of qubits required from 1B to a mere 20 million

    Enabling Technologies

    "Give me a place to stand, and a lever long enough, and I will move the world."
    Archimedes

    Technology gives us (too many) options

    The time to prototype is NOW!

    Chances are you are already paying for one or more of these technologies from a current vendor:

    • SSO, password managers
    • Conditional access
    • Multifactor
    • Hardware tokens
    • Biometrics
    • PINs

    Address all three factors of authentication

    • Something the user knows
    • Something the user has
    • Something the user is

    Global Market of $12.8B
    ~16.7% CAGR
    Source: Report Linker, 2022.

    Focus your prototype efforts in four key testing areas

    • Deployment
    • User adoption/training
    • Architecture (points of failure)
    • Disaster recovery

    Three factors for positive identification

    Passwordless technologies focus on alternate authentication factors to supplement or replace shared secrets.

    Knows: A secret shared between the user and the system; Has: A token possessed by the user and identifiable as unique by the system; Is: A distinctive and repeatable attribute of the user sampled by the system

    Something you know

    Shared secrets have well-known significant modern-day problems, but only when used in isolation. For end users, consider time-limited single use options, password managers, rate-limited login attempts, and reset rather than retrieval requests. On the system side, never forget strong cryptographic hashing along with a side of salt and pepper when storing passwords.

    Something you have

    A token (now known as a cryptographic identification device) such as a pass card, fob, smartphone, or USB key that is expected to be physically under the control of the user and is uniquely identifiable by the system. Easily decoupled in the event the token is lost, but potentially expensive and time-consuming to reprovision.

    Something you are or do

    Commonly referred to as biometrics, there are two primary classes. The first is measurable physical characteristics of the user such as a fingerprint, facial image, or retinal scan. The second class is a series of behavioral traits such as expected location, time of day, or device. These traits can be linked together in a conditional access policy.

    Unlike other authentication factors, biometrics DO NOT provide for exact matches and instead rely on a confidence interval. A balance must be struck against the user experience of false negatives and the security risk of a false positive.

    Prototype testing criteria

    Deployment

    Does the solution support the full variety of end-user devices you have in use?

    Can the solution be configured with your existing single sign-on or central identity broker?

    User Experience

    Users already want a better experience than passwords.

    What new behavior are you expecting (compelling) from the user?

    How often and under what conditions will that behavior occur?

    Architecture

    Where are the points of failure in the solution?

    Consider technical elements like session thresholds for reauthorization, but also elements like automation and self-service.

    Disaster Recovery

    Understand the exact responsibilities Infra&Ops have in the event of a system or user failure.

    As many solutions are based in the public cloud, manage stakeholder expectations accordingly.

    Next Steps

    "Move the goalposts…and declare victory."
    Informal Fallacy (yet very effective…)

    It is more a direction than a destination…

    Get the easy wins in the bank and then lay the groundwork for the long campaign ahead.

    You're not going to get to a passwordless world overnight. You might not even get there for many years. But an agile approach to the journey ensures you will realize value every step of the way:

    • Start in the cloud:
    • Choose a single sign-on platform such as Azure Active Directory, Okta, Auth0, AWS IAM, TruSONA, HYPR, or others. Document Your Cloud Strategy.
    • Integrate the SaaS applications from your portfolio with your chosen platform.
    • Establish visibility and rationalize identity management:
      • Accounts with elevated privileges present the most risk – evaluate your authentication factors for these accounts first.
      • There is elegance (and deployment success) in Simplifying Identity & Access Management.
    • Pay your tech debt:

    Fast IDentity Online (2) is now part of the web's DNA and is critical for digital transformation

    • IoT
    • Anywhere remote work
    • Government identity services
    • Digital wallets

    Bibliography

    "Backup Vs. Archiving: Know the Difference." Open-E. Accessed 05 Mar 2022.Web.
    G, Denis. "How to Build Retention Policy." MSP360, Jan 3, 2020. Accessed 10 Mar 2022.
    Ipsen, Adam. "Archive Vs. Backup: What's the Difference? A Definition Guide." BackupAssist, 28 Mar 2017. Accessed 04 Mar 2022.
    Kang, Soo. "Mitigating the Expense of E-Discovery; Recognizing the Difference Between Back-Ups and Archived Data." Zasio Enterprises, 08 Oct 2015. Accessed 3 Mar 2022.
    Mayer, Alex. "The 3-2-1 Backup Rule – An Efficient Data Protection Strategy." Naviko. Accessed 12 Mar 2022.
    Steel, Amber. "LastPass Reveals 8 Truths about Passwords in the New Password Exposé." LastPass Blog, 1 Nov. 2017. Web.
    "The Global Passwordless Authentication Market Size Is Estimated to Be USD 12.79 Billion in 2021 and Is Predicted to Reach USD 53.64 Billion by 2030 With a CAGR of 16.7% From 2022-2030." Report Linker, 9 June 2022. Web.
    "What Is Data-Archiving?" Proofpoint. Accessed 07 Mar 2022.

    Create and Implement an IoT Strategy

    • Buy Link or Shortcode: {j2store}57|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Disruptive & Emerging Technologies
    • Parent Category Link: /disruptive-emerging-technologies

    While the Internet of Things (IoT) or smart devices have the potential to transform businesses, they have to be implemented strategically to drive value. The business often engages directly with vendors, and many IoT solutions are implemented as point solutions with IT being brought in very late in the process.

    This leads to challenges with integration, communication, and data aggregation and storage. IT is often also left grappling with many new devices that need to be inventoried, added to lifecycle management practices, and secured.

    Unlock the true potential of IoT with early IT involvement

    As IoT solutions become more common, IT leaders must work closely with business stakeholders early in the process to ensure that IoT solutions make the most of opportunities and mitigate risks.

    1. Ensure that IoT solutions meet business needs: Assess IoT solutions to ensure that they meet business requirements and align with business strategy.
    2. Make integration and management smooth: Build and execute plans so IoT devices integrate with existing infrastructure and multiple devices can be managed efficiently.
    3. Ensure privacy and security: IoT solutions should meet clearly outlined privacy and security requirements and comply with regulations such as GDPR and CCPA.
    4. Collect and store data systematically: Manage what data will be collected and aggregated and how it will be stored so that the business can recognize value from the data with minimal risk.

    Create and Implement an IoT Strategy Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Create and Implement an IoT Strategy Deck – A framework to assess and onboard IoT devices into your environment.

    The storyboard will help to create a steering committee and a playbook to quickly assess IoT ideas to determine the best way to support these ideas, test them in Proof of concepts, when appropriate, and give the business the confidence they need to get the right solution for the job and to know that IT can support them long term.

    • Create and Implement an IoT Strategy – Phases 1-3

    2. Steering Committee Charter Template – Improve governance starting with a steering committee charter to help you clearly define the role of the steering committee to improve outcomes.

    Create a steering committee to improve success of IoT implementations.

    • IoT Steering Committee Charter Template

    3. IoT Solution Playbook – Create an IoT playbook to define a framework to quickly assess new solutions and determine the best time and method for onboarding into your operational environment.

    Create a framework to quickly evaluate IoT solutions to mitigate risks and increase success.

    • IoT Solution Playbook

    Infographic

    Further reading

    Create and Implement an IoT Strategy

    Gain control of your IoT environment

    Create and Implement an IoT Strategy

    Gain control of your IoT environment

    EXECUTIVE BRIEF

    Table of Contents

    Page Contents Page Contents
    4 Analyst Perspective 27 Phase 2: Define the intake & assessment process
    5 Executive Summary 29 Define requirements for requesting new IoT solutions
    7 Common Obstacles 32 Define procedures for reviewing proposals and projects – BA/BRM
    8 Framework 38 Define criteria for assessing proposals and projects – data specialists
    9 Insight Summary 43 Define criteria for assessing proposals & projects – Privacy & Security
    10 Blueprint deliverables 47 Define criteria for assessing proposals & projects – Infrastructure & Operations
    11 Blueprint benefits 48 Define service objectives & evaluation process
    13 Measure the value of IoT 49 Phase 3: Prepare for a proof of value
    15 Guided Implementation 58 Create a template for designing a proof of value
    16 Phase 1: Define your governance process 59 Communications
    21 Define the committee’s roles & responsibilities 60 Research contributors and experts
    23 Define the IoT steering committee’s vision statement and mandate 61 Related InfoTech Research
    26 Define procedures for reviewing proposals and projects

    Analyst perspective

    IoT is an extremely efficient automated data collection system which produces millions of pieces of data. Many organizations will purchase point solutions to help with their primary business function to increase efficiency, increase profitability, and most importantly provide scalable services that cannot exist without automated data collection and analytical tools.

    Most of the solutions available are designed to perform a specific function within the parameters of the devices and applications designed by vendors. As these specific use cases proliferate within any organization, the data collected can end up housed in many places, owned by each specific business unit and used only for the originally designed purpose. Imagine though, if you could take the health information of many patients, anonymize it, and compare overall health of specific regions, rather than focusing only on the patient record as a correlated point; or many data points within cities to look at pedestrian, bike, and vehicle traffic to better plan infrastructure changes, improve city plans, and monitor pollution, then compared to other cities for additional modeling.

    In order to make these dramatic shifts to using many IoT solutions, it’s time to look at creating an IoT strategy that will ensure all systems meet strategic goals and will enable disparate data to be aggregated for greater insights. The act of aggregation of systems and data will require additional scrutiny to mitigate the potential perils for privacy, management, security, and auditability

    The strategy identifies who stewards use of the data, who manages devices, and how IT enables broader use of this technology. But with the increased volume of devices and data, operational efficiency as part of the strategy will also be critical to success.

    This project takes you through the process of defining vision and governance, creating a process for evaluating proposed solutions for proof of value, and implementing operational effectiveness.

    Photo of Sandi Conrad, Principal Research Director, Info-Tech Research Group.

    Sandi Conrad
    Principal Research Director
    Info-Tech Research Group

    Executive Summary

    Your Challenge

    The business needs to move quickly to adopt new ways to collect and analyze data or automate actions. IoT may be the right answer, but it can be complex and create new challenges for IT teams.

    Many of these solutions are implemented by vendors as point solutions, but more organizations are recognizing they need to bring the data in-house to start driving insights.

    As IoT solutions become more prolific, the need to get more involved in securing and managing these solutions has become evident.

    Common Obstacles

    The business is often engaging directly with the vendors to better understand how they can benefit from these solutions, and IT is often brought in when the solution is ready to go live.

    When IT isn’t involved early, there may be challenges around integrations, communications, and getting access to data.

    Management becomes challenging as many devices are suddenly entering the environment, which need to be inventoried, added to lifecycle management practices, and secured.

    Info-Tech’s Approach

    Info-Tech’s approach starts with assessing the proposed solutions to:

    • Ensure they will meet the business need.
    • Understand data structure for integration to central data store.
    • Ensure privacy and security needs can be met.
    • Determine effort and technical requirements for integration into the infrastructure and appropriate onboarding into operations.

    Early intervention will improve results. IoT is one of the biggest challenges for IT departments to manage today. The large volume of devices and lack of insight into vendor solutions is making it significantly harder to plan for upgrades and contract renewals, and to guarantee security protocols are being met. Create a multistep onboarding process, starting with an initial assessment process to increase success for the business, then look to derive additional benefits to the business and mitigate risks.

    Your challenge

    Scaling up and out from an IoT point solution is complicated and requires collaboration from stakeholders that may not have worked well together before
    • Point solutions may be installed and configured with support outsourced to vendors, where integrations may be light or non-existent.
    • Each point solution will be owned by the business, with data used for a specific purpose, and may only require infrastructure support from the internal IT department.
    • Operational needs must be met to protect the business’ investment, and without involving IT early, agreements may be signed that don’t meet long-term goals of high value at reasonable prices.
    • To fully realize value from multiple disparate systems, a cohesive strategy to bring together data will be required, but with that comes a need to improve technology, determine data ownership, and improve oversight with strengthened security, privacy, and communications.
    • Where IoT is becoming a major source of data, taking a piecemeal approach will no longer be enough to be successful.

    IoT solutions may be chosen by the business, but to be successful and meet their requirements, a partnership with IT will ensure better communications with the service provider for a less stressful implementation with governance over security needs and protection of the organization’s data, and it will ensure that continual value is enabled through effective operations.

    Pie chart titled 'IoT project success' with '12% Fully successful', '30% Mostly successful', '40% Mostly unsuccessful', and 'Not at all successful'.
    (Source: Beecham Research qtd. in Software AG)

    Common obstacles

    These barriers make IoT challenging to implement for many organizations:
    • Solutions managed outside of IT, whether through an operational technology team or an outsourced vender, will require a comprehensive approach that encourages collaboration, common understandings of risk, and the ability to embrace change.
    • Technical expertise required will be broad and deep for a multi-solution implementation. Many types of devices, with varied connections and communications methods, will need to be architected with flexibility to accommodate changing technology and scalability needs.
    • Understanding the myriad options available and where it makes sense to deploy cutting-edge vs. proven technologies, as well as edge computing and digital twins.
    • External consultants specializing in IoT may need to be engaged to make these complex solutions successful, and they also need to be skilled in facilitating discussions within teams to bring them to a common understanding.
    • Analysis skills and a data strategy will be key to successfully correlating data from multiple sources, and AI will be key to making sense of vast amounts of data available and be able to use it for predictive work. According to the Microsoft IoT Signals report of October 2020, “79% of organizations adopt AI as part of their IoT solution, and those who do perceive IoT to be more critical to their company’s success (95% vs. 82%) and are more satisfied with IoT (96% vs. 87%).“
    Pie chart with two tiers titled 'Challenges to using IT'. The inner circle are challenge categories like 'Security', 'Lack of budget/staff', and the outer circle are the more specific challenges within them, such as 'Concerned about consumer privacy' and 'No human resources to implement & manage'.
    (Source: Microsoft IoT Signals, Edition 2, October 2020 n=3,000)

    Internet of Things Framework

    Interoperability of multiple IoT systems and data will be required to maximize value.

    GOVERNANCE

    What should I build? What are my concerns?
    Where should I build it? Why does it need to be built?

    DATA MODEL ——› BUSINESS OPERATING MODEL
    Data quality
    Metadata
    Persistence
    Lifecycle
    Sales, marketing
    Product manufacturing
    Service delivery
    Operations

    |—›

    BUSINESS USE CASE

    ‹—|
    Customer facing Internal facing ROI
    ˆ
    |
    ETHICS
    Deliberate misuse
    Unintentional consequences
    Right to informed consent
    Active vs. passive consent
    Bias
    Profit vs. common good
    Acceptable/fair use
    Responsibility assignment
    Autonomous action
    Transparency
    Vendor ethical implications
    ˆ
    |
    TECHNICAL OPERATIONAL MODEL
    Personal data
    Customer data
    Non-customer data
    Public data
    Third-party business data
    Data rights/proprietary data
    Identification
    Vendor data
    Profiling (Sharing/linkage of data sets)

    CONTROLS

    How do I operate and maintain it?

    1. SECURITY
      • Risk identification and assessment
      • Threat modeling – ineffective because of scale
      • Dumb, cheap endpoints without users
      • Massive attack surface
      • Data/system availability
      • Physical access to devices
      • Response to anonymized individuals
    2. COMPLIANCE
      • Internal
      • External
        NIST, SOC, ISO
        Profession/industry
      • Ethics
      • Regulatory
        PII, GDPR, PIPEDA
        Audit process
    1. OPERATIONAL STANDARDS
      • Industry best practices
      • Open standards vs. proprietary ones
      • Standardization
      • Automation
      • Vendor management
    2. TECHNICAL OPERATIONAL MODEL
      • Platforms
      • Insourcing/outsourcing
      • Acquisition
      • Asset management
      • Patching
      • Data protection
      • Source image control
      • Software development lifecycle
      • Vendor management
      • Disposition/disposal

    BRIDGING THE PHYSICAL WORLD AND THE VIRTUAL WORLD

    How should it be built?

    Diagram with 'Physical World' 'Internet of Things Devices' on the left, connected to 'Virtual World' 'Central Compute (Cloud/Data Center)', 'Edge Computing', and 'Business Systems and Applications' via 'Data - data-verified= Data Normalization' from physical to virtual and 'Instructions' from virtual to physical.">

    Insight summary

    Real value to the business will come from insights derived from data

    Many point solutions will solve many business issues and produce many data sets. Ensure your strategy includes plans on how to leverage data to further your organizational goals. A data specialist will make a significant difference in helping you determine how best to aggregate and analyze data to meet those needs.

    Provide the right level of oversight to help the business adopt IoT

    Regardless of who is initiating the request or installing the solution, it’s critical to have a framework that protects the organization and their data and a plan for managing the devices.

    The business doesn’t always know what questions to ask, so it’s important for IT to enable them if moving to a business-led innovation model, and it’s critical to helping them achieve business value early.

    Do a pre-implementation assessment to engage early and at the right level

    Many IoT solutions are business- and vendor-led and are hosted outside of the organization or managed inside the business unit.

    Having IT engage early allows the business to determine what level of support is appropriate for them, allows IT to ensure data integrity, and allows IT to ensure that security, privacy, and long-term operational needs are managed appropriately.

    Blueprint deliverables

    IoT Steering Committee Charter

    Create a steering committee to improve success of IoT implementations

    Sample of the IoT Steering Committee Charter.

    IoT Solution Playbook

    Create a framework to quickly evaluate IoT solutions to mitigate risks and increase success

    Sample of the IoT Solution Playbook.

    Blueprint benefits

    IT Benefits

    • Aggregation of processes and data may have compelling implications for increasing effectiveness of the business, but this may also increase risk. A framework will help to drive value while putting in appropriate guardrails.
    • IoT use cases may be varied within many industries, and the use of many types of sensors and devices complicates management and maintenance. A common understanding of how devices will be tracked, managed, and maintained is imperative to IT securing their systems and data.
    • A pilot program to evaluate effectiveness and either reject or move forward with a plan to onboard the solution as quickly as possible will ensure quick time to value and enable immediate implementation of controls to meet operational and security requirements.

    Business Benefits

    • Aggregation of many disparate groups of data can provide new insights into the way an organization interacts with its clients and how clients are using products and services.
    • As organizations innovate and new IoT solutions are introduced to the environment, solutions need to be evaluated quickly to determine if they’re going to meet the business case and then determine what needs to be put in place for technology, process, and policy to ensure success.
    • As new solutions are introduced, anyone who may be impacted through this new data-collection process will need to be informed and feel secure in the way information is analyzed and managed. This project will provide the framework to quickly assess the risks and develop a communications plan.

    Evaluate digital transformation opportunities with these guiding principles for smart solutions

    Problem & opportunity focus
    • Search for real problems to solve, with visible improvement possibilities
    • Don’t choose technology for technology’s sake
    • Keep an eye to the future
    • Strategic foresight
    Piece by piece
    • Avoid the “Big Bang” approach
    • Test technologies in multiple conditions
    • Run inexpensive pilots
    • Increase flexibility
    • Technology ecosystem
    User buy-in
    • Collaborate with the community
    • Gain and sustain support
    • Increase uptake of city technology
    • Crowdsource community ideas
    Recommendations:
    Focus on real problems • Be a fast follower • Build a technology ecosystem

    Info-Tech Insight

    When looking for a quick win, consider customer journey mapping exercises to find out what it takes to do the work today, for example, map the journey to apply for a building permit, renew a license, or register a patient.

    Measure the value of IoT

    There is a broad range of solutions for IoT all designed to collect information and execute actions in a way designed to increase profitability and/or improve services. McKinsey estimates value created through interoperability will account for 40% to 60% of the potential value of IoT applications.

    Revenue Generating
    • Production increases and efficiency
    • Reliability as data quality increases
    • New product development opportunities through better understanding of how your products are used
    • New product offerings with automated data collection and analysis of aggregated data
    Improved outcomes
    • Improved wellness programs for employees and patients through proactive health management
      • Reduction in health care/insurance costs
      • Reduction in time off for illness
    • Reduction in human error
    • Improved safety – fewer equipment malfunction incidents
    • Sustainability – reduction in emissions
    Increased access to data, especially if aggregating with other data sources, will increase opportunities for data analysis leading to more informed decision making.
    Cost Avoidance
    • Cost efficiency – lower energy consumption, less waste, improved product consumption
    • Reliability – reduced downtime of equipment due to condition-based maintenance
    • Security – decrease in malware attacks
    Operational Metrics
    • # supported devices
    • % of projects using IoT
    • % of managed systems
    • % of increase in equipment optimization

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    Guided Implementation

    Workshop

    Consulting

    "Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful." "Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track." "We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place." "Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project."

    Diagnostics and consistent frameworks used throughout all four options

    Guided Implementation

    A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

    A typical GI is between 4 to 8 calls over the course of 2 to 4 months.

    What does a typical GI on this topic look like?

    Phase 1 Phase 2 Phase 3
    Call #1: Determine steering committee members and mandates.

    Call #2: Define process for meeting and assessing requests.

    Call #3: Define the intake process.

    Call #4: Define the role of the BRM & assessment criteria.

    Call #5: Define the process to secure funding.

    Call #6: Define assessment requirements for other IT groups.

    Call #7: Define proof of value process.

    Create and Implement an IoT Strategy

    Phase 1

    Define your governance process

    Steering Committee

    1.1 Define the committee’s roles and responsibilities in the IoT Steering Committee Charter

    1.2 Define the IoT steering committee’s vision statement and mandates

    1.3 Define procedures for reviewing proposals and roles and responsibilities

    Intake Process

    2.1 Define requirements for requesting new IoT solutions

    2.2 Define procedures for reviewing proposals and projects – BA/BRM

    2.3 Define procedures for reviewing proposals and projects – Data specialists

    2.4 Define procedures for reviewing proposals and projects – Privacy & Security

    2.5 Define procedures for reviewing proposals and projects – Infrastructure & Operations

    2.6 Define service objectives and evaluation process

    Proof of Value

    3.1 Determine the criteria for running a proof of value

    3.2 Define the template and process for running a proof of value

    This phase will provide the following activities

    • Create the steering committee project charter
    If a steering committee exists, it may be appropriate to define IoT governance under their mandate. If a committee doesn’t already exist or their mandate will not include IoT, consider creating a committee to set standards and processes and quickly evaluate solutions for feasibility and implementation.

    Create an IoT steering committee to ensure value will be realized and operational needs will be met

    The goals of the steering committee should be:

    • To align IoT initiatives with organizational goals. 
    • To effectively evaluate, approve, and prioritize IoT initiatives.
    • To approve IoT strategy & evaluation criteria.
    • To reinforce and define risk evaluation criteria as they relate to IoT technology.
    • To review pilot results and confirm the value achievement of approved IoT initiatives.
    • To ensure the investment in IoT technology can be integrated and managed using defined parameters.

    Assemble the right team to ensure the success of your IoT ecosystem

    Business stakeholders will provide clarity for their strategy and provide input into how they envision IoT solutions furthering those goals and how they may gain relevant insights from secondary data.

    As IoT solutions move beyond their primary goals, it will be critical to evaluate the continually increasing data to mitigate risks of unintended consequences as new data sets converge. The security team will need to evaluate solutions and enforce standards.

    CDO and analysts will assess opportunities for data convergence to create new insights into how your services are used.

    Lightbulb with the word 'Value' surrounded by categories relative to the adjacent paragraph, 'Data Scientists', 'Security and Privacy', 'Business Leaders', 'IT Executives', 'Operations', and 'Infrastructure & Enterprise Architects'. IT stakeholders will be driving these projects forward and ensuring all necessary resources are available and funded.

    Operational plans will include asset management, monitoring, and support to meet functional goals and manage throughout the asset lifecycle.

    Each solution added to the environment will need to be chosen and architected to meet primary functions and secondary data collection.

    Identify IoT steering committee participants to ensure broad assessment capabilities are available

    • The committee should include team members experienced enough to provide an effective assessment of IoT projects, and to provide input and oversight regarding business value, privacy, security, operational support, infrastructure, and architectural support.
    • A data specialist will be critical for evaluating opportunities to expand use of data and ensure data can be effectively validated and aggregated. Additional oversight will be needed to review aggregated data to protect against the unintended consequences of having data combined and creating personas that will identify individuals.
    • Additional experts may be invited to committee meetings as appropriate, and ideas should be discussed and clarified with the business unit bringing the ideas forward or that may be impacted by solutions.
    • Invite appropriate IT and business leaders to the initial meeting to gain agreement and form the governance model.

    Determine responsibilities of the committee to gain consensus and universal understanding

    Icon of binoculars. STRATEGIC
    ALIGNMENT
    • Define the IoT vision in alignment with the organizational strategy and mission.
    • Define strategy, policies and communication requirements for IoT projects.
    • Assess and bring forward proposals to utilize IoT to further organizational strategy.
    Icon of a person walking up an ascending bar graph. VALUE
    DELIVERY
    • Define criteria for evaluating and prioritizing proposals and projects.
    • Validate the IoT proposals to ensure value drivers are understood and achievable.
    • Identify opportunities to combine data sets for secondary analysis and insights.
    Icon of a lightbulb. RISK
    OPTIMIZATION
    • Evaluate data and combined data sets to avoid unintended consequences.
    • Ensure security standards are adhered to when integrating new solutions.
    • Reinforce privacy regulations, policy, and communications requirements.
    Icon of an arrow in a bullseye. RESOURCE
    OPTIMIZATION
    • Identify and validate investment and resource requirements.
    • Evaluate technical requirements and capabilities.
    • Align IoT management requirements to operations goals within IT.
    Icon of a handshake. PERFORMANCE
    MANAGEMENT
    • Assess validity of pilot project plan, including success criteria.
    • Identify corner cases to assess functionality and potential risks beyond core features.
    • Monitor progress, evaluate results, and ensure organizational needs will be met.
    • Evaluate pilot to determine if it will be moved into full production, reworked, or rejected.

    1.1 Exercise:
    Define the committee’s roles & responsibilities in the IoT steering committee charter

    1-3 hours

    Input: Current policies and assessment tools for security and privacy, Current IT strategy for introducing new solutions and setting standards

    Output: List of roles and responsibilities, High-level discussion points

    Materials: Whiteboard/flip charts, Steering committee workbook

    Participants: IT executive, Privacy & Security senior staff, Infrastructure & Operations senior staff, Senior data specialist, Senior business executive(s)

    1. Identify and document core and auxiliary members of the committee, ensuring all important facets of the IoT environment can be assessed.
    2. Identify and document the committee chair.
    3. Gain consensus on responsibilities of the steering committee.

    Download the IoT Steering Committee Charter

    Define the vision statement for the IoT committee to clarify mandate and communicate to stakeholders

    The vision statement will define what you’re trying to achieve and how. You may have the statement already solidified, but if not, start with brainstorming several outcomes and narrow to less than 5 focus areas.

    A vision statement should be concise and should be in support of the overall IT strategy and organizational mission. The vision statement will be used as a high-level guide for defining and assessing proposed solutions and evaluating potential outcomes. It can be used as a limiter to quickly weed out ideas that don’t fit within the mandate, but it can also inspire new ideas.

    • Support innovation
    • Enable the business
    • Enable operations for continual value

    New York City has a broad plan for implementing IoT to meet several aspects of their overall strategy and subsequently their IT strategy. Their strategic plan includes several focus areas that will benefit from IoT:
    • A vibrant democracy
    • An inclusive economy
    • Thriving neighborhoods
    • Healthy lives
    • Equity and excellence in education
    • A livable climate
    • Efficient mobility
    • Modern infrastructure
    Their overall mission is: “OneNYC 2050 is a strategy to secure our city’s future against the challenges of today and tomorrow. With bold actions to confront our climate crisis, achieve equity, and strengthen our democracy, we are building a strong and fair city. Join us.”

    In order to accomplish this overall mission, they’ve created a specific IT vision statement: “Improve digital infrastructure to meet the needs of the 21st century.”

    This may seem broad, and it includes not just IoT, but also the need to upgrade infrastructure to be able to enable IoT as a tool to meet the needs to collect data, take action, and better understand how people move and live within the city. You can read more of their strategy at this
    link: http://onenyc.cityofnewyork.us/about/

    1.2 Exercise:
    Define the IoT steering committee’s vision statement and mandate

    1 hour

    Input: Organizational vision and IT strategy

    Output: Vision statement

    Materials: Whiteboard/flip charts, Steering committee workbook

    Participants: Steering committee, which may include: IT executive, Privacy & Security senior staff, Infrastructure & Operations senior staff, Senior data specialist, Senior business executive(s)

    1. Starting with the organizational mission statement, brainstorm areas of focus with the steering committee and narrow down the statement.
    2. Make sure it’s broad enough to encompass your goals, but succinct enough to allow you to identify projects that don’t meet the vision.
    3. Test with a few existing ideas.
    4. Document in your steering committee charter.

    Download the IoT Steering Committee Charter

    Use the COPIS methodology to define your project review process

    COPIS is a customer-focused methodology used to focus on the areas around the process, ensuring a holistic view starting with who the customer is and what they need, then building out the process and defining what will be required to be successful and who will be involved in fulfilling the work.

    Customer

    • Executive leadership
    • Business leaders

    Outputs

    • Risk assessment
    • Approvals to proceed
    • Pilot plan
    • Assessment to approve for production or reject

    Process

    • Review proposals
    • Ask questions and discuss with proposer & committee
    • Review pilot & testing plan
    • Engage with IT Team to define requirements

    Inputs

    • Request form including:
    • New idea
    • Business value defined
    • Data collected
    • Initial risk assessment
    • Implementation plan
    • Definition of success

    Suppliers

    • IT operations team
    • Device and software vendors
    • IT leaders
    • Risk committee
    Agenda & process flow



    Determine where people will access request form Ending point
    Sequence of right-facing arrows labelled 'Agenda & process flow'. Text in each arrow from left to right reads 'Confirm attendees required are in attendance', 'Review open action items', 'Assess new items', 'Assess prioritization', 'Review metrics & pilots in progress', 'Decisions & recommendations'.

    Create a committee charter to ensure roles are clarified and mandates can be met

    The purpose of the committee is to quickly assess and protect organizational interests while furthering the needs of the business

    The committee needs to be seen as an enabler to the business, not as a gatekeeper, so it must be thorough but responsive.

    The charter should include:
    • The vision to ensure clarity of purpose.
    • IoT mandates to focus the committee on assessment criteria.
    • Roles, responsibilities, and assignments to engage the right people who will provide the kind of guidance needed to ensure success.
    • Procedures to make the best use of each committee member’s time.
    • Process flow to guide evaluations to avoid unnecessary delays while reducing organizational risks.
    Stock image of someone reading on a tablet.

    1.3 Exercise:
    Define procedures for reviewing proposals and projects

    2-3 hours

    Input: Schedules of committee members, Process documentation for evaluating new technology

    Output: Procedures for reviewing proposals, Reference documentation for evaluating proposals

    Materials: Whiteboard/flip charts, Steering committee workbook

    Participants: Steering committee, which may include: IT executive, Privacy & Security senior staff, Infrastructure & Operations senior staff, Senior data specialist, Senior business executive(s)

    1. Discuss as a group how often you will meet for reviews and project updates. Which roles will have veto rights on project approvals?
    2. Define the intake process and requirements for scheduling based on average lead time to get the group together and preview documentation.
    3. Identify where process documentation already exists to use for evaluation of proposals and projects, and what needs to be created to quickly move from evaluation to action phases.
    4. Define basic rules of engagement.
    5. Define process flow using COPIS methodology as a framework. Note the different stages that may be part of the intake flow. Some business partners may bring solutions to IT, and others may just have an idea that needs to be solutioned.

    Download the IoT Steering Committee Charter

    Create and Implement an IoT Strategy

    Phase 2

    Define the intake and assessment process

    Steering Committee

    1.1 Define the committee’s roles and responsibilities in the IoT Steering Committee Charter

    1.2 Define the IoT steering committee’s vision statement and mandates

    1.3 Define procedures for reviewing proposals and roles and responsibilities

    Intake Process

    2.1 Define requirements for requesting new IoT solutions

    2.2 Define procedures for reviewing proposals and projects – BA/BRM

    2.3 Define procedures for reviewing proposals and projects – Data specialists

    2.4 Define procedures for reviewing proposals and projects – Privacy & Security

    2.5 Define procedures for reviewing proposals and projects – Infrastructure & Operations

    2.6 Define service objectives and evaluation process

    Proof of Value

    3.1 Determine the criteria for running a proof of value

    3.2 Define the template and process for running a proof of value

    This phase will provide the following activities

    • Define requirements for requesting new IoT solutions
    • Define procedures for review proposals and projects
    • Define service objectives and evaluation process for reviewing proposals and projects

    Determine what information is necessary to start the intake process

    To encourage your business leaders to engage IT in evaluating and appropriately supporting the solution, start with an intake process that is simple and easily populated with business information.
    • Review intake forms from the PMO or build your own from the IoT Solution Playbook:
    • Start by asking for a clear picture of the solution. Ensure the requester can clearly articulate the business benefit to the solution, including what issues are being resolved and what success looks like.
    • Requesters may not be expected to seek out all relevant information to make the decision.
      • Consider providing a business analyst (BA) to assist with data gathering for further assessment and to launch the review process.
      • Review may require additional steps if it is not clear the proposed solution will perform as expected and could include conversations with the vendor or a determination that a full requirements-gathering process may need to be done.
    • Typically, a BA will launch the review process to have appropriate experts assess the feasibility of the solution; assess regulatory, privacy, and security concerns; and determine the level of involvement needed by IT and the project managers.
    • Have options for different starting points. Some requesters may be further along in their research as they know exactly what they want, while others will be early in the idea stage. Don’t discourage innovation by creating more work than they’re able to execute.

    Business goals and benefits are important to ensure the completed solution meets the intended purpose and enables appropriate collection, analysis, and use of data in the larger business context.

    Ongoing operational support and service need to be considered to ensure ongoing value, and adherence to security and privacy policies is critical.

    2.1 Exercise:
    Define requirements for requesting new IoT solutions

    1 hour

    Input: Business requirements for requesting IT solutions

    Output: Request form for business users, Section 1 of the IoT Solution Playbook

    Materials: Whiteboard/flip charts, IoT Solution Playbook

    Participants: Steering committee, which may include: IT executive, Privacy & Security senior staff, Infrastructure & Operations senior staff, Senior data specialist, Senior business executive(s)

    1. Review template for the IoT Solution Playbook to ensure it meets your needs; modify as necessary.
    2. Determine requirements for initiating an assessment.
      1. Will a business case be necessary to start, or can the assessment feed into the business case?
      2. How can you best access the work already done by the requester to not start over?
      3. Determine the right questions to understand how they will define success to ensure this solution will do what they need.
      4. Do you need a breakdown of the way they do the job today?
      5. What level of authorization needs to be on the request to move forward?
    3. Try to balance the effort of the requester against their role. Don’t expect them to investigate solutions beyond the business value.
    4. Provide them with a means to provide you any information they have gathered, especially if they have already spoken to vendors.

    Download the IoT Solution Playbook

    Define what role the BA or BRM will play to support the request process

    Identify questions that will need to be answered in order to assess if the solution will be fit for purpose, to help build out business cases, and to enable the appropriate assessments and engagement with project managers and technical teams.
    • Project sponsorship is key to moving the project ahead. Ensure the project sponsor and business owner will be in alignment on the solution and business needs.
    • Note any information that will help to prioritize this project among all other requests. This will feed into implementation timing and the project management needs, resourcing, and vendor engagement required.
    • Determine if a proof of value would be an asset. A proof of value can be time consuming, but it can mitigate the risks of large-scale failures.
    • Ask about data collection and data type, which will be a major part of the assessment for the data team and for security, privacy, infrastructure, and operational assessments.
    • Determine if any actions will need to be taken, which might include data transfer, notifications and alerts, or others. This may require additional discussions on actuators, RPA, data stores, and integrations.
    • Determine if any automation will be part of the solution, as this will help to inform future discussions on power, connectivity, security, and privacy.

    Download the blueprint Embed Business Relationship Management in IT if you need help to support the business in a more strategic manner.

    Info-Tech Insight

    Understanding the business issue more deeply can help the business analyst determine if the solution needs a review of business process as well as helping to build out the requirements well enough to improve chances of success.

    The BA should be able to determine initial workload and involvement of project managers and evaluators.

    Clearly articulate the business benefits to secure funding and resources

    If the business users need to build a business case, the information being collected will help to define the value, estimate costs, and evaluate risk

    IoT point solutions can be straightforward to articulate the business benefits as they will have very specific benefits which will likely fit into one of these categories:
    • Financial – to increase profitability or reduce costs through predictive maintenance and efficiency.
    • Business Development – innovation for new products, services, and methodologies
    • Improve specific outcomes – typically these will be industry specific, such as improved patient health care, reduced traffic congestion or use of city resources, improved billing, or fire prevention for utility companies.

    As you start to look at the bigger picture of how these different systems can bring together disparate data sets, the benefits will be harder to define, and the costs to implement this next level of data analysis can be daunting and expensive.

    This doesn’t necessitate a complete alignment of data collection purposes; there may be benefits to improving operations in secondary areas such as updating HVAC systems to reduce energy costs in a hospital, though the updated systems may also include sensors to monitor air quality and further improve patient outcomes.

    In these cases, there may be future opportunities to use this data in unexpected ways, but even where there aren’t, applying the same standards for security, privacy, and operations should apply.

    Table titled 'Increasing productivity through efficiency and yield are the top benefits organizations expect to see from IoT implementations' with three columns, one for type of benefit (ie efficiency, yield, quality, etc), one for different IoT implementations and one for percent increase.
    (Microsoft IoT Signals Report 2020, n= 3,000 IT Professionals)

    2.2 Exercise – BA/BRM: Define procedures for reviewing proposals and projects

    1 hour

    Input: Process documentation for evaluating new technology, Business case requirements

    Output: Interview questions and assessment criteria for BA/BRM

    Materials: Whiteboard/flip charts, IoT Solution Playbook

    Participants: Steering committee, which may include: Business analyst or business relationship manager, IT executive(s), Senior data specialist, Senior business executive(s)

    1. Review template for the IoT Solution Playbook to ensure it meets your needs; modify as necessary.
    2. Identify the questions that will need to be asked of the business to determine whether the request will be fit for purpose.
    3. Additional questions may help to:
      1. Identify project sponsors to determine if requirements are defined or need to be, and who will champion this project through to implementation.
      2. Identify what additional work will be needed for you to shepherd the project through the various stage gates.
      3. Identify any prioritization criteria including business-specific milestones and outcomes.
    4. Document when a formal business case needs to be created.

    Download the IoT Solution Playbook

    Assess the vendor’s solution for accessibility to ensure data will be available and useable

    Data governance, including stewardship and ownership; lineage; and the ability to scale, deduplicate, normalize, validate, and aggregate disparate data will be critical to being able to analyze data to execute on strategic goals.

    If your organization isn’t poised to manage and make the best use of the data, see Info-Tech’s related blueprints:

    Relevant Research: Diagnostic:
    Data ownership is important to establish early on, as the owner(s) will be accountable for how data is used and accessed. Data needs to be owned by the organization (not the vendor) and needs to be accessible for:
    • Regulatory compliance.
    • Data quality and validation.
    • Data normalization.
    • Data aggregation and analysis.
    Vendor assessments need to investigate how data will be accessed, where data is normalized and how data will be validated.
    Data validation will have different levels of importance depending on the use case. Where data validation is critical, there may be a need to double up sensors in key areas, validate against adjacent sensors, better understand how and where data will be collected.
    • Infrared sensors may include intelligence to count people or objects.
    • Cameras might require manual counts but may provide better images.
    • Good quality images may require technology to distort faces for privacy.
    If data validation will include non-sensor data, such as validation against a security access database or visitor log, access to the data for validation may be required in near real time.

    Determine how often you need to access and download data

    Requirements will vary depending on whether sensors are collecting data for later analysis or if they are actuators that need to process data at the source.

    Determine where the data will reside and how it will be structured. If it will be open and controlled within your own environment, confer with your data team to ensure the solution is integrated into your data systems. If, however, the solution is a point solution which will be hosted by the vendor, understand who will be normalizing the data and how frequently you can export or transfer it into your own data repository. If APIs will need to be installed to enable data transfer, work with the vendor to test them.

    Self-contained or closed solutions may be quick to install and configure and may require minimal technical support from within your own IT team, but they will not provide visibility to the inner workings of the solution. This may create issues around integration and interoperability which could limit the functionality and usability beyond the point solution.

    If the solution chosen is a closed system, determine how you will need to interact with the vendor to gain access to the data. Interoperability may not be an option, so work with the vendor to set up a regular cadence for accessing the data.

    Questions for the vendor could include:

    1. How often can we access the data? Will the vendor push it on a regular basis? Is it on demand?
    2. Or will we need to pull the data? Is there an API?
    3. Will the data be normalized?
    4. Will the data be transferred, or will the vendor keep a historical record?
    5. Are there additional fees for archiving or for data extraction?
    Stock image of a large key inserted into the screen of a laptop.

    Identify whether digital twins are needed

    Create a virtual world to safely test and fail without impacting the real-world applications.

    As actuators are processing information and executing actions, there may be a benefit to assess the effectiveness and impact of various scenarios in a safe environment. Digital twins enable the creation of a virtual world to test these new use cases using real world scenarios.

    These virtual replicas will not be necessary for every IoT application as many solutions will be very straightforward in their application. But for those complex systems, such as smart buildings, smart cities and mechanically complex projects, digital twins can be created to run multiple simulations to aid in business continuity planning, performance assessments, R&D and more.

    Due to the expense and complexity of creating a full digital twin, carefully weighing the benefits, and identifying how it will be used, can help to build the business case to invest in the technology. Without the skills in house, reliance on a vendor to create the model and test scenarios will likely be part of the overall solution.

    The assessment will also include understanding what data will be transferred into the model, how often it will be updated, how it will be protected and who will need to be involved in the modeling process.

    Download the blueprint: Double Your Organization’s Effectiveness With a Digital Twin. if you need more information on how to leverage digital twin technology.

    Stock image of a twin mirroring the original person's action.

    To fully realize value in IoT, think beyond single use case solutions to leverage the data collected

    Expertise in data analysis will be key to moving forward with an enterprise approach to IoT and the data it produces.
    • A single IoT solution can add hundreds of sensors, collecting a wide variety of data for specific purposes. If multiple solutions are in place, there may be divergent data sets that may never be seen by anyone other than their specific data stewards.
    • Many organizations have started out with one or two solutions that support their primary business and may include some more mature offerings such as HVAC systems, which have used sensors for years. However, not all data is used today. In many cases, data is used for anomaly detection to improve operations, and only the non-standard information is used for alerting. McKinsey estimates less than 1% of data is used in these applications, with the remaining data stored or deleted, rather than used for optimization and predictive analysis.
    • Thinking beyond the initial use cases, there may be opportunities to create new services, improve services for existing products, or improve insights through analysis of juxtaposed data.
    • McKinsey reports up to $11.1 trillion a year in economic value may be possible by 2025 through the linking of the physical and digital worlds. Personal devices and all industries are potential growth areas – though factories and anywhere that could use predictive maintenance, cities, retail, and transportation will see the largest probable increases. Interoperability was identified as being required to maximize value, accounting for 40% to 60% of the potential value of IT applications.
    • Where data is used to correct and control anomalies, very little data is retained and used for optimization or predictive analysis. By taking a deliberate approach to normalize, correlate, and analyze data, organizations can gain insight into the way their products are used, benefit from predictive maintenance, improve health care, reduce costs, and more.
    (Source: McKinsey, 2015)

    By 2025 an estimated data volume of 79.4 zettabytes will be attributed to connected IoT devices. (Statistia)

    Build data governance and analysis into your strategy to find new insights from correlating new and existing data

    As a point solution, IoT provides a means to collect large amounts of data quickly and act. When determining the use case for IoT and best fit solutions, it’s important to think about what data needs to be collected and what actions will need to be coordinated. As the need for more than just a few IoT solutions surfaces, the complexity and potential usefulness of data increases. This can lead to significant changes to the scope of data collection, storage, and analysis and may lead to unintended consequences.
    • Some industries, such as governments looking to build smart cities, will have a very broad range of opportunities for IoT devices, as well as high levels of difficulty managing very disparate systems; other industries, such as healthcare, will have very focused prospects for data collection and analysis.
    • In any case, the introduction of new IoT solutions can create very large amounts of data quickly, and if used only for a single purpose, there may be lost opportunity for expanding use of data to better understand your product, customers, or environment.
    • Don’t limit analysis to only IoT-collected data, as this can be consolidated with other sources for validation, enhancement, and insights. For example, fleet transponders can be connected to travel logs and dispatch records for validation and evaluation of fuel and resource consumption.
    • Determine the best time and methods for consolidation and normalization; consider using data consolidation vendors if the expertise is not available in-house.
    • As data combines, there may be unintended consequences of unique anonymous identifiers combining to identify employees or customers, and the potential for privacy breeches will need to be evaluated as all new systems come on-line.

    “We find very little IoT data in real life flows through analytics solutions, regardless of customer size. Even in the large organizations, they tend to build at-purpose applications, rather than creating those analytical scenarios or think of consolidating the IoT data in a data lake like environment.” (Rajesh Parab, Info-Tech Research Group)

    2.3 Exercise – data specialists: Define criteria for assessing proposals and projects

    1-2 hours

    Input: Process documentation for evaluating new technology, Data governance documents

    Output: Interview questions and assessment criteria for data specialists

    Materials: Whiteboard/flip charts, IoT Solution Playbook

    Participants: Steering committee, which may include: Business analyst or business relationship manager, IT executive, Senior data specialist, Senior business executive(s), Privacy & Security senior staff, Infrastructure & Operations senior staff

    1. Review template for the IoT Solution Playbook to ensure it meets your needs; modify as necessary.
    2. Identify the questions that will need to be asked of the solution to ensure data governance and accessibility needs will be met.
    3. Additional questions may help to:
      1. Identify data owners or stewards to determine who will have authority over data and ensure their needs will be met.
      2. Identify what additional work will be needed for the data team to access, validate, normalize, and centralize data.
      3. Identify any concerns that will identify the solution as unviable.
      4. Identify any risks to data accessibility which will require mitigation.

    This initial review is designed to identify risks to data ownership or integrity and ensure data is available for additional uses as deemed appropriate to the organizational goals. This assessment is designed to find major flaws and to mitigate and integrate should the project be approved as viable.

    Download the IoT Solution Playbook

    Security assessments will need to include risk reviews specific to IoT

    The increase of data collectors and actuators creates a large attack surface that could easily provide an entry point for hackers to connect into an organization’s network. Assess existing protocols and risk registry to ensure all IoT systems are reviewed for security threats.

    The significant increase in devices and applications will require a review of security practices related to IoT to understand and mitigate risks. Even if the data collected is not considered integral to the business, such as with automated HVAC systems or an aquarium monitoring system, the devices can provide an entry point to access the network.

    IoT and ICS devices are functionally diverse and may include more mature solutions that have been acquired many times over. There are a wide variety of protocols that may not be recognized by vulnerability scanners as safe to operate in your environment. Many of these solutions will be agentless and may not be picked up by scanners on the network. Without knowing these devices exist or understanding the data traffic patterns, protecting the devices, data, and systems they’re attached to becomes challenging.

    Discovery and vulnerability scanners tuned specifically for IoT to look for and allow unusual protocols and traffic patterns will enable these devices to operate as designed without being shut down by vulnerability scanners protecting more traditional devices and traffic on an IT network. Orphaned devices can be found and removed. Solutions that will provide detailed asset inventories and network topologies will improve vulnerability detection.

    Systems that are air gapped or completely segregated may provide a layer of protection between IoT devices and the corporate network, but this may create additional difficulties in vulnerability assessment, identifying and responding to active threats, or managing the operational side. Additionally, if there are still functional connections between these systems for traffic to flow back to central repositories, operational systems, or remote connections, there are still potential threats.

    If security controls are not yet documented, see Info-Tech’s related blueprints:

    Relevant Research: Diagnostic:

    Align risk assessments to your existing risk registry, to quickly approve low-risk solutions and mitigate high risk

    Work with the business owner to understand how these systems are designed to work. Tracking normal patterns of behavior and traffic flow may be key to fine-tuning security settings to accommodate these solutions and prevent false positive shutdowns, especially if using automated remediation. Is the business owner identified, and will they be accessible throughout the lifecycle of the solution?

    Physical security: Will these systems be accessible to the public, and can they be secured in a way to minimize theft and vandalism? Will they require additional housing or waterproofing? Could access be completely secured? For example, could anyone access and install malware on a disconnected camera’s SD card?

    Security settings: For ease of service and installation, a vendor may use default security settings and passwords. This can create easy access for hackers to access the network and access sensitive data. Is there a possibility of IP theft though access by sensors? Determine who will have remote access to the system, and if the vendor will be supporting the system, will they be using least privilege or zero trust models? Determine their adherence to your security policy.

    Internet and network access and monitoring: Review connectivity and data transmission requirements and whether these can be accommodated in a way that balances security with operational needs. Will there be a need for air gapping, firewalls, or secure tunnelling, and will these solutions allow for discovery and monitoring? Can the vendor guarantee there are no back doors built into the code? Will the system be monitored for unauthorized access and activity, and what is the response process? Can it be integrated into your security operations center?

    Failover state: IoT devices with actuators or that may impact health and safety will need to be examined. Can you ensure actions in event of a failure will not be negatively impactful? For example, a door that locks on failover and cannot be opened from the inside will create safety risks; however, a door that opens on failover could result in theft of property or IP. Who controls and can access these settings?

    Firmware updates: Assess the history of updates released by the vendor and determine how these updates are sent to the devices and validated. Ensure the product has been developed using trusted platforms with security lifecycle models. Many devices will have embedded security solutions. Ensure these can be integrated into organizational security solutions and risk mitigation strategies.

    Enterprise IoT strategy will require a focus on privacy and risk

    Data aggregation creates new privacy concerns as data may be used outside of the original project parameters. The change of scope will need to be evaluated to determine personally identifiable information and what new issues it can create for the program, organization, and your audience.

    As a point solution, IoT provides a means to collect large amounts of data and, if actuators are completing tasks, act quickly. When determining the use case for IoT and best fit solutions, it’s important to think about what data needs to be collected and what actions will need to be coordinated.

    As the need for more than just a few IoT solutions surfaces, the complexity and potential usefulness of data increases. This can lead to significant changes to the scope of data collection, storage, and analysis, and may lead to unintended consequences.

    Questions to ask your vendors:
    1. Where may there be physical access to sensors and a possibility of theft, and can the data be encrypted?
    2. What type of information is captured by sensors and stored in the solution?
    3. Where is personally identifiable information captured, and where is it stored? How will you meet regulatory requirements such as GDPR? Where does the data fit within existing retention policies, and how long should it be kept?
    4. Will there be a need to post signage or update privacy statements in response to the information being collected?

    If data classification, privacy, and security controls are not yet documented, see Info-Tech’s related blueprints:

    Relevant Research:

    Don’t make assumptions about the type of data gathered with devices – ask the vendor to clearly state how and what is collected

    Carefully review how this information can be used by machine learning, in combination with other solutions, and if there is a possibility of unintended consequences that will create issues for your customers and therefore your own data sets.

    Look for ways of capturing information that will meet your business requirements while mitigating risk of capturing personally identifiable information. Examples would be LiDAR to capture movement instead of video, or AI to blur faces or license plate numbers at time of image capture.

    This chart identifies data collected by smartphone accelerometers which could be used to identify and profile an individual and understand their behaviors.

    Mobile device accelerometer data

    Table of Mobile device accelerometer data with columns 'Detection of sound vibrations', 'Body movements', and 'Motion trajectory of the device', and a key for color-coding labelling purple items as 'Health', yellow items as 'Personality traits, moods & emotions', and green items 'Identification'.
    Overview of sensitive inferences that can be drawn from accelerometer data. (Source: Association for Computing Machinery, 2019.)

    2.4 Exercise – Privacy & Security specialists: Define criteria for assessing proposals and projects

    1-2 hours

    Input: Process documentation for evaluating new technology, Data governance documents

    Output: Interview questions and assessment criteria for Privacy & Security specialists

    Materials: Whiteboard/flip charts, IoT Solution Playbook

    Participants: Steering committee, which may include: Business analyst or business relationship manager, IT executive, Senior data specialist, Senior business executive(s), Privacy & Security senior staff, Infrastructure & Operations senior staff

    1. Review template for the IoT Solution Playbook to ensure it meets your needs; modify as necessary.
    2. Identify the questions that will need to be asked of the solution to ensure security and privacy needs will be met.
    3. Additional questions may help to:
      1. Identify biggest risks created by a large influx of sensors and additional vendors.
      2. Identify options for mitigating risks for privacy and regulatory requirements.

    This initial review is designed to identify risks to data ownership or integrity and ensure data is available for additional uses as deemed appropriate to the organizational goals. This assessment is designed to find major flaws and to mitigate and integrate should the project be approved as viable.

    Download the IoT Solution Playbook

    Review infrastructure requirements to proactively engage with vendors

    A modernized architecture will provide needed flexibility for onboarding new IoT solutions as well as providing the structure to collect, transport, and house data; however, not everything will be on the network. Knowing requirements for integrations, communications, and support will eliminate surprises during implementation.

    The supporting applications will be collecting and analyzing data for each of these solutions, with most being hosted on public clouds or privately by the vendor. Access to the applications for data collection may require APIs or other middleware to transfer data outside of their application. Data transfer may be unimportant if the data collected will stand alone and never be integrated to other systems, but it will be critical if IoT plans include retrieving, aggregating, and analyzing data from most systems. If these systems are closed, determine the process to get this information, whether it’s through scheduled exports or batch transfers.

    Determine if data will be backed up by the vendor or if backups are the responsibility of your team. Work with the business owner to better understand business continuity requirements to plan appropriately for data transmission, storage, and archiving.

    Network and communications will vary dramatically depending on where sensors and actuators are located. On-premises solutions may rely on Wi-Fi on your network or may require an air-gapped or segregated network. External sensors may rely on public Wi-Fi, cellular, or satellite, and this may impact reliability and serviceability. If manual data collection is required, such as collecting SD cards on trail cams, who will be responsible, and will they have the tools and data repository they need to upload data manually? Are you able to work with the vendor to estimate traffic on these networks, and how will that impact costs for cellular or satellite service?

    Investigate power requirements. On-premises solutions may require additional wiring, but if using wind or solar, what is the backup? If using batteries, what is the expected lifespan? Who will be monitoring, and who will be changing the batteries?

    Determine monitoring requirements. Who should be responsible for performance monitoring, outages, data transmission, and validation? Is this a vendor premium service or a process to manage in-house? If managed by the vendor, discuss required SLAs and their ability to meet them.

    If your organization is dealing with technical debt and older architecture which could prevent progress, see Info-Tech’s related blueprints to build out the foundation.

    Relevant Research:

    Determine operational readiness to support and secure IoT solutions

    Availability and capacity planning, business continuity planning, and management of all operational and support requirements will need to be put in place. Execution of controls, maintenance plans, and operational support will be required to mitigate risks and reduce value of the solutions.

    One of the biggest challenges organizations that have already adopted IoT face is management of these systems. Without an accurate inventory, it’s impossible to know how secure the IoT systems are. Abandoned sensors, stolen cameras, and old and unpatched firmware all contribute to security risks.

    Existing asset management solutions may provide the right solution, but they are limited in many cases by the discovery tools in place. Many discovery tools are designed to scan the network and may not have access to segregated or air-gapped networks or a means to access anything in the cloud or requiring remote access. Evaluate the effectiveness of current tools, and if they prove to be inadequate, look for solutions that are geared specifically to IoT as they may provide additional useful management capabilities.

    IoT management tools will provide more than just inventory. They can discover IoT devices in a variety of environments, possibly adding micro-agents to access device attributes such as name, type, and date of build, and allowing metadata and tags to be added. Additionally, these solutions will provide the means to deploy firmware updates, change configuration settings, send notifications if devices are taken offline, and run vulnerability assessments. Some may even have diagnostics tools for troubleshooting and remediation.

    If operational processes aren’t in place, see Info-Tech’s related blueprints to build out the foundation.

    Relevant Research: Diagnostic:

    Identify what needs to happen to onboard these solutions into your support portfolio

    Evaluate support options to determine the best way to support the business. Even if support is completely outsourced, a support plan will be critical for holding vendors to account, bringing support in-house if support doesn’t meet your needs, and understanding dependencies while navigating through incidents and problem- and change-enablement processes.

    Regular maintenance for your team may include battery swaps, troubleshooting camera outages or intermittent sensors, or deploying patches. Understand the support requirements for the product lifecycle and who will be responsible for that work. If the vendor will be applying patches and upgrading firmware, get clarity on how often and how they’ll be deployed and validated. Ask the vendor about support documentation and offerings.

    Determine the best ways of collecting inventory on the solution. Determine what the solution offers to help with this process; however, if the project plan requires specific location details to add sensors, the project list may be the best way to initially onboard the sensors into inventory.

    Determine if warranty offerings are an appropriate solution for devices in each project, to schedule and record appropriate maintenance details and plan replacements as sensors reach end of life. Document dependencies for future planning.

    Stock image of an electrical worker fixing a security camera.

    2.5 Exercise – Infrastructure & Operations specialists: Define criteria for assessing proposals and projects

    1-2 hours

    Input: Process documentation for evaluating new technology, Data governance documents

    Output: Interview questions and assessment criteria for Infrastructure & Operations specialists

    Materials: Whiteboard/flip charts, IoT Solution Playbook

    Participants: Steering committee, which may include: Business analyst or business relationship manager, IT executive, Senior data specialist, Senior business executive(s), Privacy & Security senior staff, Infrastructure & Operations senior staff

    1. Review template for the IoT Solution Playbook to ensure it meets your needs; modify as necessary.
    2. Identify the questions that will need to be asked of the solutions to ensure the solutions can be integrated into the existing environment and operational processes.
    3. Additional questions may help to:
      1. Reduce risks and project failures from solutions that will be difficult to integrate or secure.
      2. Improve project planning for projects that are often driven by the vendor and the business.
      3. Reduce operational risks due to lack of integration with asset and operational processes.

    This initial review is designed to identify risks to data ownership or integrity and ensure data is available for additional uses as deemed appropriate to the organizational goals. This assessment is designed to find major flaws and to mitigate and integrate should the project be approved as viable.

    Download the IoT Solution Playbook

    2.6 Exercise: Define service objectives and evaluation process

    1 hour

    Input: List of criteria in the playbook, Understanding of resource availability of solution evaluators

    Output: Steering committee criteria for progressing projects through the process

    Materials: Whiteboard/flip charts, IoT Steering Committee Charter workbook

    Participants: Steering committee, which may include: Business analyst or business relationship manager, IT executive, Senior data specialist, Senior business executive(s), Privacy & Security senior staff, Infrastructure & Operations senior staff

    Now that you’ve defined the initial review requirements, meet as a group once more to finalize the process for reviewing requests. Look for ways to speed the process, including asynchronous communications and reviews. Consider meeting as a group for any solutions that may be deemed high risk or highly complex.

    1. Agree on what can be identified as a reasonable SLA to respond to the business on these requests.
    2. Agree on methods of communication between committee members and the business.
    3. Determine the criteria for determining when a proof of value should be initiated, and who will lead the process.

    Download the IoT Steering Committee Charter

    Create and Implement an IoT Strategy

    Phase 3

    Prepare for a Proof of Value

    Steering Committee

    1.1 Define the committee’s roles and responsibilities in the IoT Steering Committee Charter

    1.2 Define the IoT steering committee’s vision statement and mandates

    1.3 Define procedures for reviewing proposals and roles and responsibilities

    Intake Process

    2.1 Define requirements for requesting new IoT solutions

    2.2 Define procedures for reviewing proposals and projects – BA/BRM

    2.3 Define procedures for reviewing proposals and projects – Data specialists

    2.4 Define procedures for reviewing proposals and projects – Privacy & Security

    2.5 Define procedures for reviewing proposals and projects – Infrastructure & Operations

    2.6 Define service objectives and evaluation process

    Proof of Value

    3.1 Determine the criteria for running a proof of value

    3.2 Define the template and process for running a proof of value

    This phase will provide the following activities

    • Create proof of value criteria
    • Create proof of value template

    A proof of value can quickly help you prove value or fail fast

    Investing a small amount of time and money up front will validate the possibility of your proposed solution.

    A proof of value will require a vision and definition of your criteria for success, which will be necessary to determine if the project should go ahead. It should take no longer than three months and may be as short as a week.

    When should you run a proof of value?

    • When it is difficult to confirm that the solution is fit for purpose.
    • When the value of the solution is indeterminate.
    • When the solution is early in its lifecycle and not widely proven in the marketplace.
    • When scalability is questionable or unproven.
    • When the solution requires customization or configuration.

    Info-Tech Insight
    Where a solution is well known in the market, requires minimal customization, and is proven to be fit for purpose, a shorter evaluation or conversations with reference clients or partners may be all that is necessary.

    Table titled 'Reasons IoT proof of value projects fail'. There is a column for type of project (ie Scaling, Business, etc), one for reasons, and one for percentages.
    (Microsoft IoT Signals Report 2020, n= 3,000 IT Professionals)

    3.1 Exercise: Define the criteria for running a proof of value

    1 hour

    Input: Agreement of steering committee members to create a process to mitigate risk for complex solutions.

    Output: Proof of value template for use as appropriate to evaluate IoT solutions.

    Materials: IoT Solution Playbook

    Participants: Steering committee, which may include: Business analyst or business relationship manager, IT executive, Senior data specialist, Senior business executive(s), Privacy & Security senior staff, Infrastructure & Operations senior staff

    1. As a group, review the circumstances for when to run a proof of value.
    2. Determine who will help to build the proof of value plan.
    3. Determine requirements for participation in the proof of value process. Consider project size, complexity and risk and visibility.

    Download IoT Solution Playbook

    Design your proof of value to test the viability of the solution

    Engage the right stakeholders early to gather feedback and analysis and determine suitability

    Determine the proof of value methodology to ensure plan allows for fast testing
    • Go back to the original request: What are the goals for implementing this solution? Has this been clearly defined with criteria for success?
    • Define the technical team that will configure the solution, including vendors and technicians. Ensure the vendor fully understands your use cases and goals. Identify the level of support you’ll need to be implement and assess the solution.
    • Define the testing team, including technical and business users. Complete a journey map if needed to define the use case(s) at the right level of detail.
    • Ensure the test use case(s) have been defined and they all agree on the definition of success.
    • Make sure the team is available to do the testing and provide feedback, as high adoption will improve feedback which will be critical to successfully implementing the full solution.
    • Determine how to evaluate scalability with process, resources, and capacity.
    • Evaluate the risks and obstacles to reject the solution or mitigate and prevent scope creep.
    • Evaluate the vendor’s roadmap, training materials, and technical support options.

    Info-Tech Insight

    Additional information on building out a process for testing new technology can be found in the blueprint: Exploit Disruptive Infrastructure Technology.

    “Although scope creep is not the only nemesis a project can have, it does tend to have the farthest reach. Without a properly defined project and/or allowing numerous changes along the way, a project can easily go over budget, miss the deadline, and wreak havoc on project success.” (University Alliance, Villanova University)

    Define your objectives for the proof of value

    Referencing documents submitted to the committee, continue to refine the problem statement.

    Objectives are a key first step to show the solution will meet your needs.
    • Every technology is designed to solve a problem faced by somebody somewhere. For each technology that your team has decided to move forward with, identify and clearly state the problem it would solve.
    • A clear problem statement is a crucial part of a new technology’s business case. It is impossible to earn buy-in from the rest of the organization without demonstrating the necessity of a solution.
    • Perfection is impossible to achieve, especially during a proof of value (POV). However, knowing the pain points of the way things are done without this technology, and noting a reduction in pain and increase in efficiency and accuracy of data gathering will help in the initial feedback of the tests. Ensure the proof of value includes data validation to test accuracy.

    Info-Tech Insight

    Know your metrics going into the proof of value. Document performance, quality, and time to do the work and compare to metrics in the proof of value. Agree on what success looks like, to ensure that improvements are substantial enough to justify the expense and effort of implementing the solution.

    Questions to consider:
    • What are the project’s goals?
    • What is the desired future state?
    • What problems must be solved to call the POV a viable solution?
    • Where will the project be rolled out? Are there any concerns about communications and power that may need to be addressed?
    • Are there any risks to watch for?

    Info-Tech Insight

    Be sure to avoid scope creep! Remember: the goal of the proof of value project is to produce a minimum case for viability in a carefully defined area. Reserve a detailed accounting of costs and benefits for after the proof of value stage.

    Define use cases to test against current methods

    Outline the solution to the problem

    Determine how the solution should perform in completing tasks. Be careful not to focus too heavily on how things are done today: You’re looking for dramatic improvements, not going back to existing workarounds.
    • The use case will help to define the scope of the project, define adjacent use cases or tasks that will be out of scope, and to contain the test to a reasonable effort and time frame, while still testing core functionality.
    • Map processes based on expectations of how the solution should work, and compare these to the way things are done today. Identify if there are obvious improvements to the existing processes that if done, would change the existing results significantly. Take this into account when reviewing results. (This will also be useful if the project isn’t approved or is delayed.)
    • Identify where tasks and data collection will be automated and where they will need to stay manual or require additional integrations or solutions such as RPA. These other solutions may not factor into the proof of value but will need to be identified on the solution roadmap if it goes ahead.

    Blocks with arrows in between them, like an example of a step progression.

    Define steps to reach these goals today:
    • Discuss steps to completion
    • Effort to collect data
    • Effort to validate and correct data
    • Effort and ability to use the data for decision making, understanding your customers, and process improvements
    • Quality of data available with current methods compared to quality and volume of data using an IoT solution

    Determine the appropriate project team

    Bring in team members from the business and technical sides to test for those functions that matter most to each team. This effort will enable them to quickly identify risks and mitigate them as part of the product rollout or start the process to look at alternative solutions.
    • Stakeholders: Anyone who is impacted by the new technology and who will end up using, approving, or implementing it. Identify team members who will be willing and able to test the systems for data quality, collection, and workflow improvements.
    • Data analysts: Include someone who can validate the usefulness of data to meet the needs of the organization.
    • Security & Privacy: Include these team members to validate their expectations of how privacy and security needs can be met.
    • Infrastructure & Operations: These team members can test integrations, data collections, traffic flow, etc.
    • Vendor: Discuss what part the vendor can play in setting up the solution for running the proof of value.
    • Other business units: Identify business units that could benefit or be impacted by this solution. Invite them to participate in the roof of value, but remember to contain scope.
    Leverage the insights of the diverse working group
    • Processes are designed to transform inputs into outputs. All business activities can be mapped into processes.
    • A process map illustrates the sequence of actions and decisions that transform an input into an output.
    • Effective mapping gives managers an “aerial” view of the company’s processes, making it easier to identify inefficiencies, reduce waste, and ultimately streamline operations.
    • To identify business processes, have group members familiar with the affected business units identify how jobs are typically accomplished within those units.
    • Ensure they have the time to test the solution and provide valid feedback.

    Estimate the resources required for the pilot

    Time, money, technology, resources

    The benefit of running a proof of value is to make a decision on viability of a solution without the expense of implementing a full solution. This isn’t necessary for low-risk, highly proven solutions, which could be validated with references instead.

    Estimate

    Estimate the number of hours needed to implement the proof of value.

    Estimate

    Estimate the hours needed for business users to test.

    Estimate

    Estimate the costs of technology. If the solution can be run in a vendor sandbox or in a test/dev instance in the cloud, you may be able to keep these costs very low.

    Determine

    Determine the appropriate number of devices to test in multiple locations and environments; work with the vendor to see if they have evaluation devices or discounts for proof of value purposes.

    Conduct a post-proof of value review to finalize the decision to move forward

    Gather evaluators together to ensure the pilot team completed their assessments. A common failure of pilots is making assumptions around the level of participation that has taken place.
    • The core working group is responsible for producing a vision of the future and outlining new technology’s disruptive potential. The actual implementation of the proof of value (purchasing the hardware, negotiating the SLA with the vendor) is beyond the committee’s responsibilities.
    • If the proof of value goes ahead, the facilitator should block some time to evaluate the completed project against the key performance indicators identified in the initial plan.
    • Use the Proof of Value Template section of the IoT Solution Playbook to document POV requirements as well as finalizing the feedback loop.
    • Determine ratings for the proof of value to identify which solutions are not viable and which levels of viability are worth moving forward. Some viable solutions may need a different vendor, and some may need customization or multiple integrations. This is important for the project team to move ahead with the implementation.
    • Encourage everyone to provide enough feedback on the various processes to be confident in their declarations of worthiness and to confirm the proof of value was thorough.
    • Communicate your working group’s findings and success to a wide audience to gain interest in IoT solutions as well as to encourage the business to work with the committee to integrate solutions into the governance and operational structure.

    3.2 Exercise: Create a template for designing a proof of value

    1-3 hours

    Input: Agreement of steering committee members to create a process to mitigate risk for complex solutions

    Output: Proof of value template for use as appropriate to evaluate IoT solutions

    Materials: Whiteboard/flip charts, IoT Solution Playbook

    Participants: Steering committee, which may include: Business analyst or business relationship manager, IT executive, Senior data specialist, Senior business executive(s), Privacy & Security senior staff, Infrastructure & Operations senior staff

    1. As a group, review the Proof of Value Template section of the IoT Solution Playbook to determine if it will meet the needs of your business and technical groups.
    2. Determine who will work with the business to create the proof of value plan.
    3. Modify the template to suit your needs, keeping in mind a need for clarity of purpose, communications throughout the POV, and clearly stated goals and definitions of success.
    4. Set a target timeframe to run the POV, preferably no longer than 90 days.
    5. Determine appropriate steps to take for POVs that do not garner the expected participation to qualify a solution to move forward.
    6. Determine appropriate reporting for the evaluation process.

    Download IoT Solution Playbook

    Communications

    As with any new product, marketing and communications will be an important first step in letting the business know how to engage IT in its assessments of IoT innovations. As these solutions prove themselves, or even as you help the business to find better solutions, share your successes with the rest of the organization.

    Business units are already being courted by the vendors, so it’s up to IT to insert themselves in the process in a way that helps improve the success of the business team while still meeting IT’s objectives.

    Your customers will not willingly engage in highly bureaucratic processes and need to see a reason to engage.

    1. Keep the intake process simple.
    2. Provide support to answer the tough questions.
    3. Be clear on the benefits to the organization and the business unit by engaging with your group, and be clear about how you will help within a reasonable time frame.
      • IT will help navigate the vendor prerequisites, contracts, and product setup.
      • IT will assume some of the responsibility for the solution, especially around security and privacy.
      • The business unit will reap the rewards of the solution with minimal operational effort.

    Info-Tech Insight

    Consider building your playbook into your service catalog to make it easy for business users to start the request process. From there, you can create workflows and notifications, track progress, set and meet SLAs, and enable efficient asynchronous communications.

    Research Contributors and Experts

    Photo of John Burwash, Senior Director, Executive Services, Info-Tech Research Group.

    John Burwash
    Senior Director, Executive Services
    Info-Tech Research Group

    INFO~TECH RESEARCH GROUP

    Info-Tech Research Group is an IT research and advisory firm with over 23 years of experience helping enterprises around the world with managing and improving core IT processes. They write highly relevant and unbiased research to help leaders make strategic, timely, and well-informed decisions.

    External contributors
    4 external contributors have asked to remain anonymous.

    Photo of Jennifer Jones, Senior Research Advisor, Industry, Info-Tech Research Group.

    Jennifer Jones
    Senior Research Advisor, Industry
    Info-Tech Research Group

    Photo of Aaron Shum, Vice President, Security, Privacy & Risk, Info-Tech Research Group.

    Aaron Shum
    Vice President, Security, Privacy & Risk
    Info-Tech Research Group

    Photo of Rajesh Parab, Research Director, Applications, Data & Analytics, Info-Tech Research Group.

    Rajesh Parab
    Research Director, Applications, Data & Analytics
    Info-Tech Research Group

    Photo of Frank Sargent, Senior Director Practice Lead, Security, Privacy & Risk, Info-Tech Research Group.

    Frank Sargent
    Senior Director Practice Lead, Security, Privacy & Risk
    Info-Tech Research Group

    Photo of Scott Young, Principal Research Advisor, Infrastructure, Info-Tech Research Group.

    Scott Young
    Principal Research Advisor, Infrastructure
    Info-Tech Research Group

    Photo of Rocco Rao, Director, Research Advisor, Industry, Info-Tech Research Group.

    Rocco Rao
    Director, Research Advisor, Industry
    Info-Tech Research Group

    Bibliography

    Ayyaswamy, Regu, et al. “IoT Is Enabling Enterprise Strategies for New Beginnings.” Tata Consulting Services, 2020. Web.

    “Data Volume of Internet of Things (IoT) Connections Worldwide in 2019 and 2025.” Statistia, 2020.

    Dos Santos, Daniel, et al. “Cybersecurity in Building Automation Systems (BAS).” Forescout, 2020. Web.

    Earle, Nick. “Overcoming the Barriers to Global IoT Connectivity: How Regional Operators Can Reap Rewards From IoT.” IoTNow, 30 June 2021. Web.

    Faludi, Rob. “How Do IoT Devices Communicate?” Digi, 26 Mar. 2021. Web.

    Halper, Fern, and Philip Russom. “TDWI IoT Data Readiness Guide, Interpreting Your Assessment Score.” Cloudera, 2018. Web.

    Horwitz, Lauren. “IoT Enterprise Deployments Continue Apace, Despite COVID-19.” IoT World Today, 22 Apr. 2021.

    “How Does IoT Data Collection Work?” Digiteum, 13 Feb. 2020. Web.

    “IoT Data: How to Collect, Process, and Analyze Them.” Spiceworks, 26 Mar. 2019. Web.

    IoT Signals Report: Edition 2, Hypothesis Group for Microsoft, Oct. 2020. Web.

    King, Stacey. “4 Key Considerations for Consistent IoT Manageability and Security.” Forescout, 22 Aug. 2019. Web.

    Krämer, Jurgen. “Why IoT Projects Fail and How to Beat the Odds.” Software AG, 2020. Web.

    Kröger, Jacob Leon, et al. “Privacy Implications of Accelerometer Data: A Review of Possible Inferences” ICCSP, Jan. 2019, pp. 81-7. Web.

    Manyika, James, et al. “Unlocking the Potential of the Internet of Things.” McKinsey Global Institute, 1 June 2015. Web.

    Ricco, Emily. “How To Run a Successful Proof of Concept – Lessons From Hubspot.” Filtered. Web.

    Rodela, Jimmy. “The Blueprint, Your Complete Guide to Proof of Concept.” Motley Fool, 2 Jan 2021. Web.

    Sánchez, Julia, et al. “An Integral Pedagogical Strategy for Teaching and Learning IoT Cybersecurity.” Sensors, vol. 20, no. 14, July 2020, p. 3970.

    The IoT Generation of Vulnerabilities. SC Media, 2020. E-book.

    Woods, James P., Jr. “How Consumer IoT Devices Can Break Your Security.” HPE, 2 Nov. 2021.

    Security Priorities 2023

    • Buy Link or Shortcode: {j2store}254|cart{/j2store}
    • member rating overall impact: 9.0/10 Overall Impact
    • member rating average dollars saved: $909 Average $ Saved
    • member rating average days saved: 1 Average Days Saved
    • Parent Category Name: Security Strategy & Budgeting
    • Parent Category Link: /security-strategy-and-budgeting
    • Most people still want a hybrid work model but there is a shortage in security workforce to maintain secure remote work, which impacts confidence in the security practice.
    • Pressure of operational excellence drives organizational modernization with the consequence of higher risks of security attacks that impact not only cyber but also physical systems.
    • The number of regulations with stricter requirements and reporting is increasing, along with high sanctions for violations.
    • Accurate assessment of readiness and benefits to adopt next-gen cybersecurity technologies can be difficult. Additionally, regulation often faces challenges to keep up with next-gen cybersecurity technologies implications and risks of adoption, which may not always be explicit.
    • Software is usually produced as part of a supply chain instead in a silo. Thus, a vulnerability in any part of the supply chain can become a threat surface.

    Our Advice

    Critical Insight

    • Secure remote work still needs to be maintained to facilitate the hybrid work model post pandemic.
    • Despite all the cybersecurity risks, organizations continue modernization plans due to the long-term overall benefits. Hence, we need to secure organization modernization.
    • Organizations should use regulatory changes to improve security practices, instead of treating them as a compliance burden.
    • Next-gen cybersecurity technologies alone are not the silver bullet. A combination of technologies with skilled talent, useful data, and best practices will give a competitive advantage.

    Impact and Result

    • Use this report to help decide your 2023 security priorities by:
      • Collecting and analyzing your own related data, such as your organization 2022 incident reports. Use Info-Tech’s Security Priorities 2023 material for guidance.
      • Identifying your needs and analyzing your capabilities. Use Info-Tech's template to explain the priorities you need to your stakeholders.
      • Determining the next steps. Refer to Info-Tech's recommendations and related research.

    Security Priorities 2023 Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Security Priorities 2023 Report – A report to help decide your 2023 security priorities.

    Each organization is different, so a generic list of security priorities will not be applicable to every organization. Thus, you need to:

  • Collect and analyze your own related data such as your organization 2022 incident reports. Use Info-Tech’s Security Priorities 2023 material for guidance.
  • Identify your needs and analyze your capabilities. Use Info-Tech's template to explain the priorities you need to your stakeholders.
  • Refer to Info-Tech's recommendations and related research for guidance on the next steps.
    • Security Priorities 2023 Report

    Infographic

    Further reading

    Security Priorities 2023

    How we live post pandemic

    Each organization is different, so a generic list of priorities will not be applicable to every organization.

    During 2022, ransomware campaigns declined from quarter to quarter due to the collapse of experienced groups. Several smaller groups are developing to recapture the lost ransomware market. However, ransomware is still the most worrying cyber threat.

    Also in 2022, people returned to normal activities such as traveling and attending sports or music events but not yet to the office. The reasons behind this trend can be many fold, such as employees perceive that work from home (WFH) has positive productivity effects and time flexibility for employees, especially for those with families with younger children. On the other side of the spectrum, some employers perceive that WFH has negative productivity effects and thus are urging employees to return to the office. However, employers also understand the competition to retain skilled workers is harder. Thus, the trend is to have hybrid work where eligible employees can WFH for a certain portion of their work week.

    Besides ransomware and the hybrid work model, in 2022, we saw an evolving threat landscape, regulatory changes, and the potential for a recession by the end of 2023, which can impact how we prioritize cybersecurity this year. Furthermore, organizations are still facing the ongoing issues of insufficient cybersecurity resources and organization modernization.

    This report will explore important security trends, the security priorities that stem from these trends, and how to customize these priorities for your organization.

    In Q2 2022, the median ransom payment was $36,360 (-51% from Q1 2022), a continuation of a downward trend since Q4 2021 when the ransom payment median was $117,116.
    Source: Coveware, 2022

    From January until October 2022, hybrid work grew in almost all industries in Canada especially finance, insurance, real estate, rental and leasing (+14.7%), public administration and professional services (+11.8%), and scientific and technical services (+10.8%).
    Source: Statistics Canada, Labour Force Survey, October 2022; N=3,701

    Hybrid work changes processes and infrastructure

    Investment on remote work due to changes in processes and infrastructure

    As part of our research process for the 2023 Security Priorities Report, we used the results from our State of Hybrid Work in IT Survey, which collected responses between July 10 and July 29, 2022 (total N=745, with n=518 completed surveys). This survey details what changes in processes and IT infrastructure are likely due to hybrid work.

    Process changes to support hybrid work

    A bar graph is depicted with the following dataset: None of the above - 12%; Change management - 29%; Asset management - 34%; Service request support - 41%; Incident management - 42%

    Survey respondents (n=518) were asked what processes had the highest degree of change in response to supporting hybrid work. Incident management is the #1 result and service request support is #2. This is unsurprising considering that remote work changed how people communicate, how they access company assets, and how they connect to the company network and infrastructure.

    Infrastructure changes to support hybrid work

    A bar graph is depicted with the following dataset: Changed queue management and ticketing system(s) - 11%; Changed incident and service request processes - 23%; Addition of chatbots as part of the Service Desk intake process - 29%; Reduced the need for recovery office spaces and alternative work mitigations - 40%; Structure & day-to-day operation of Service Desk - 41%; Updated network architecture - 44%

    For 2023, we believe that hybrid work will remain. The first driver is that employees still prefer to work remotely for certain days of the week. The second driver is the investment from employers on enabling WFH during the pandemic, such as updated network architecture (44%) and the infrastructure and day-to-day operations (41%) as shown on our survey.

    Top cybersecurity concerns and organizational preparedness for them

    Concerns may correspond to readiness.

    In the Info-Tech Research Group 2023 Trends and Priorities Survey of IT professionals, we asked about cybersecurity concerns and the perception about readiness to meet current and future government legislation regarding cybersecurity requirements.

    Cybersecurity issues

    A bar graph is depicted with the following dataset: Cyber risks are not on the radar of the executive leaders or board of directors - 3.19; Organization is not prepared to respond to a cyber attack - 3.08; Supply chain risks related to cyber threats - 3.18; Talent shortages leading to capacity constraints in cyber security - 3.51; New government or industry-imposed regulations - 3.15

    Survey respondents were asked how concerned they are about certain cybersecurity issues from 1 (not concerned at all) to 5 (very concerned). The #1 concern was talent shortages. Other issues with similar concerns included cyber risks not on leadership's radar, supply chain risks, and new regulations (n=507).

    Cybersecurity legislation readiness

    A bar graph is depicted with the following dataset: 1 (Not confident at all) - 2.4%; 2 - 11.2%; 3 - 39.7%; 4 - 33.3%; 5 (Very confident) - 13.4%

    When asked about how confident organizations are about being prepared to meet current and future government legislation regarding cybersecurity requirements, from 1 (not confident at all) to 5 (very confident), the #1 response was 3 (n=499).

    Unsurprisingly, the ever-changing government legislation environment in a world emerging from a pandemic and ongoing wars may not give us the highest confidence.

    We know the concerns and readiness…

    But what is the overall security maturity?

    As part of our research process for the 2023 Security Priorities Report, we reviewed results of completed Info-Tech Research Group Security Governance and Management Benchmark diagnostics (N=912). This report details what we see in our clients' security governance maturity. Setting aside the perception on readiness – what are their actual security maturity levels?

    A bar graph is depicted with the following dataset: Security Culture - 47%; Policy and Process Governance - 47%; Event and Incident Management - 58%; Vulnerability - 57%; Auditing - 52%; Compliance Management - 58%; Risk Analysis - 52%

    Overall, assessed organizations are still scoring low (47%) on Security Culture and Policy and Process Governance. This justifies why most security incidents are still due to gaps in foundational security and security awareness, not lack of advanced controls such as event and incident management (58%).

    And how will the potential recession impact security?

    Organizations are preparing for recession, but opportunities for growth during recession should be well planned too.

    As part of our research process for the 2023 Security Priorities Report, we reviewed the results of the Info-Tech Research Group 2023 Trends and Priorities Survey of IT professionals, which collected responses between August 9 and September 9, 2022 (total N=813 with n=521 completed surveys).

    Expected organizational spending on cybersecurity compared to the previous fiscal year

    A bar graph is depicted with the following dataset: A decrease of more than 10% - 2.2%; A decrease of between 1-10% - 2.6%; About the same - 41.4%; An increase of between 1-10% - 39.6%; An increase of more than 10% - 14.3%

    Keeping the same spending is the #1 result and #2 is increasing spending up to 10%. This is a surprising finding considering the survey was conducted after the middle of 2022 and a recession has been predicted since early 2022 (n=489).

    An infographic titled Cloudy with a Chance of Recession

    Source: Statista, 2022, CC BY-ND

    US recession forecast

    Contingency planning for recessions normally includes tight budgeting; however, it can also include opportunities for growth such as hiring talent who have been laid off by competitors and are difficult to acquire in normal conditions. This can support our previous findings on increasing cybersecurity spending.

    Five Security Priorities for 2023

    This image describes the Five Security Priorities for 2023.

    Maintain Secure Hybrid Work

    PRIORITY 01

    • HOW TO STRATEGICALLY ACQUIRE, RETAIN, OR UPSKILL TALENT TO MAINTAIN SECURE SYSTEMS.

    Executive summary

    Background

    If anything can be learned from COVID-19 pandemic, it is that humans are resilient. We swiftly changed to remote workplaces and adjusted people, processes, and technologies accordingly. We had some hiccups along the way, but overall, we demonstrated that our ability to adjust is amazing.

    The pandemic changed how people work and how and where they choose to work, and most people still want a hybrid work model. However, the number of days for hybrid work itself varies. For example, from our survey in July 2022 (n=516), 55.8% of employees have the option of 2-3 days per week to work offsite, 21.0% for 1 day per week, and 17.8% for 4 days per week.

    Furthermore, the investment (e.g. on infrastructure and networks) to initiate remote work was huge, and the cost doesn't end there, as we need to maintain the secure remote work infrastructure to facilitate the hybrid work model.

    Current situation

    Remote work: A 2022 survey by WFH Research (N=16,451) reports that ~14% of full-time employees are fully remote and ~29% are in a hybrid arrangement as of Summer-Fall 2022.

    Security workforce shortage: A 2022 survey by Bridewell (N=521) reports that 68% of leaders say it has become harder to recruit the right people, impacting organizational ability to secure and monitor systems.

    Confidence in the security practice: A 2022 diagnostic survey by Info-Tech Research Group (N=55) reports that importance may not correspond to confidence; for example, the most important selected cybersecurity area, namely Data Access/Integrity (93.7%), surprisingly has the lowest confidence of the practice (80.5%).

    "WFH doubled every 15 years pre-pandemic. The increase in WFH during the pandemic was equal to 30 years of pre-pandemic growth."

    Source: National Bureau of Economic Research, 2021

    Leaders must do more to increase confidence in the security practice

    Importance may not correspond to confidence

    As part of our research process for the 2023 Security Priorities Report, we analyzed results from the Info-Tech Research Group diagnostics. This report details what we see in our clients' perceived importance of security and their confidence in existing security practices.

    Cybersecurity importance

    A bar graph is depicted with the following dataset: Importance to the Organization - 94.3%; Importance to My Department	92.2%

    Cybersecurity importance areas

    A bar graph is depicted with the following dataset: Mobility (Remote & Mobile Access) - 90.2%; Regulatory Compliance - 90.1%; Desktop Computing - 90.9%; Data Access / Integrity - 93.7%

    Confidence in cybersecurity practice

    A bar graph is depicted with the following dataset: Confidence in the Organization's Overall Security - 79.4%; Confidence in Security for My Department - 79.8%

    Confidence in cybersecurity practice areas

    A bar graph is depicted with the following dataset: Mobility (Remote & Mobile Access) - 75.8%; Regulatory Compliance - 81.5%; Desktop Computing - 80.9%; Data Access / Integrity - 80.5%

    Diagnostics respondents (N=55) were asked about how important security is to their organization or department. Importance to the overall organization is 2.1 percentage points (pp) higher, but confidence in the organization's overall security is slightly lower (-0.4 pp).

    If we break down to security areas, we can see that the most important area, Data Access/Integrity (93.7%), surprisingly has the lowest confidence of the practice: 80.5%. From this data we can conclude that leaders must build a strong cybersecurity workforce to increase confidence in the security practice.

    Use this template to explain the priorities you need your stakeholders to know about.

    Maintain secure hybrid work plan

    Provide a brief value statement for the initiative.

    Build a strong cybersecurity workforce to increase confidence in the security practice to facilitate hybrid work.

    Initiative Description:

    • Description must include what organization will undertake to complete the initiative.
    • Review your security strategy for hybrid work.
    • Identify skills gaps that hinder the successful execution of the hybrid work security strategy.
    • Use the identified skill gaps to define the technical skill requirements for current and future work roles.
    • Conduct a skills assessment on your current workforce to identify employee skill gaps.
    • Decide whether to train, hire, contract, or outsource each skill gap.

    Drivers:

    List initiative drivers.

    • Employees still prefer to WFH for certain days of the week.
    • The investment on WFH during pandemic such as updated network architecture and infrastructure and day-to-day operations.
    • Tech companies' huge layoffs, e.g. Meta laid off more than 11,000 employees.

    Risks:

    List initiative risks and impacts.

    • Unskilled workers lacking certificates or years of experience who are trained and become skilled workers then quit or are hijacked by competitors.
    • Organizational and cultural changes cause friction with work-life balance.
    • Increased attack surface of remote/hybrid workforce.

    Benefits:

    List initiative benefits and align to business benefits or benefits for the stakeholder groups that it impacts.

    • Increase perceived productivity by employees and increase retention.
    • Increase job satisfaction and work-life balance.
    • Hiring talent that has been laid off who are difficult to acquire in normal conditions.

    Related Info-Tech Research:

    Recommended Actions

    1. Identify skill requirements to maintain secure hybrid work

    Review your security strategy for hybrid work.

    Determine the skill needs of your security strategy.

    2. Identify skill gaps

    Identify skills gaps that hinder the successful execution of the hybrid work security strategy.

    Use the identified skill gaps to define the technical skill requirements for work roles.

    3. Decide whether to build or buy skills

    Conduct a skills assessment on your current workforce to identify employee skill gaps.

    Decide whether to train, hire, contract, or outsource each skill gap.

    Source: Close the InfoSec Skills Gap: Develop a Technical Skills Sourcing Plan, Info-Tech

    Secure Organization Modernization

    PRIORITY 02

    • TRENDS SUGGEST MODERNIZATION SUCH AS DIGITAL
      TRANSFORMATION TO THE CLOUD, OPERATIONAL TECHNOLOGY (OT),
      AND THE INTERNET OF THINGS (IOT) IS RISING; ADDRESSING THE RISK
      OF CONVERGING ENVIRONMENTS CAN NO LONGER BE DEFERRED.

    Executive summary

    From computerized milk-handling systems in Wisconsin farms, to automated railway systems in Europe, to Ausgrid's Distribution Network Management System (DNMS) in Australia, to smart cities and beyond; system modernization poses unique challenges to cybersecurity.

    The threats can be safety, such as the trains stopped in Denmark during the last weekend of October 2022 for several hours due to an attack on a third-party IT service provider; economics, such as a cream cheese production shutdown that occurred at the peak of cream cheese demand in October 2021 due to hackers compromising a large cheese manufacturer's plants and distribution centers; and reliability, such as the significant loss of communication for the Ukrainian military, which relied on Viasat's services.

    Despite all the cybersecurity risks, organizations continue modernization plans due to the long-term overall benefits.

    Current situation

    • Pressure of operational excellence: Competitive markets cannot keep pace with demand without modernization. For example, in automated milking systems, the labor time saved from milking can be used to focus on other essential tasks such as the decision-making process.
    • Technology offerings: Technologies are available and affordable such as automated equipment, versatile communication systems, high-performance human machine interaction (HMI), IIoT/Edge integration, and big data analytics.
    • Higher risks of cyberattacks: Modernization enlarges attack surfaces, which are not only cyber but also physical systems. Most incidents indicate that attackers gained access through the IT network, which was followed by infiltration into OT networks.

    IIoT market size is USD 323.62 billion in 2022 and projected to be around USD 1 trillion in 2028.

    Source: Statista,
    March 2022

    Modernization brings new opportunities and new threats

    Higher risks of cyberattacks on Industrial Control System (ICS)

    Target: Australian sewage plant.

    Method: Insider attack. Impact: 265,000 gallons of untreated sewage released.

    Target: Middle East energy companies.

    Method: Shamoon.

    Impact: Overwritten Windows-based systems files.

    Target: German Steel Mill

    Method: Spear-phishing

    Impact: Blast furnace control shutdown failure.

    Target: Middle East Safety Instrumented System (SIS).

    Method: TRISIS/TRITON.

    Impact: Modified safety system ladder logic.

    Target: Viasat's KA-SAT Network.

    Method: AcidRain.

    Impact: Significant loss of communication for the Ukrainian military, which relied on Viasat's services.

    A timeline displaying the years 1903; 2000; 2010; 2012; 2013; 2014; 2018; 2019; 2021; 2022 is displayed.

    Target: Marconi wireless telegraphs presentation. Method: Morse code.

    Impact: Fake message sent "Rats, rats, rats, rats. There was a young fellow of Italy, Who diddled the public quite prettily."

    Target: Iranian uranium enrichment plant.

    Method: Stuxnet.

    Impact: Compromised programmable logic controllers (PLCs).

    Target: ICS supply chain.

    Method: Havex.

    Impact: Remote Access Trojan (RAT) collected information and uploaded data to command-and-control (C&C) servers.

    Target: Ukraine power grid.

    Method: BlackEnergy.

    Impact: Manipulation of HMI View causing 1-6 hour power outages for 230,000 consumers.

    Target: Colonial Pipeline.

    Method: DarkSide ransomware.

    Impact: Compromised billing infrastructure halted the pipeline operation.

    Sources:

    • DOE, 2018
    • CSIS, 2022
    • MIT Technology Review, 2022

    Info-Tech Insight

    Most OT incidents start with attacks against IT networks and then move laterally into the OT environment. Therefore, converging IT and OT security will help protect the entire organization.

    Use this template to explain the priorities you need your stakeholders to know about.

    Secure organization modernization

    Provide a brief value statement for the initiative.

    The systems (OT, IT, IIoT) are evolving now – ensure your security plan has you covered.

    Initiative Description:

    • Description must include what organization will undertake to complete the initiative.
    • Identify the drivers to align with your organization's business objectives.
    • Build your case by leveraging a cost-benefit analysis and update your security strategy.
    • Identify people, process, and technology gaps that hinder the modernization security strategy.
    • Use the identified skill gaps to update risks, policies and procedures, IR, DR, and BCP.
    • Evaluate and enable modernization technology top focus areas and refine security processes.
    • Decide whether to train, hire, contract, or outsource to fill the security workforce gap.

    Drivers:

    List initiative drivers.

    • Pressure of operational excellence
    • Technology offerings
    • Higher risks of cyberattacks

    Risks:

    List initiative risks and impacts.

    • Complex systems with many components to implement and manage require diligent change management.
    • Organizational and cultural changes cause friction between humans and machines.
    • Increased attack surface of cyber and physical systems.

    Benefits:

    List initiative benefits and align to business benefits or benefits for the stakeholder groups that it impacts.

    • Improve service reliability through continuous and real-time operation.
    • Enhance efficiency through operations visibility and transparency.
    • Gain cost savings and efficiency to automate operations of complex and large equipment and instrumentations.

    Related Info-Tech Research:

    Recommended Actions

    1. Identify modernization business cases to secure

    Identify the drivers to align with your organization's business objectives.

    Build your case by leveraging a cost-benefit analysis, and update your security strategy.

    2. Identify gaps

    Identify people, process, and technology gaps that hinder the modernization
    security strategy.

    Use the identified skill gaps to update risks, policies and procedures, IR, DR, and BCP.

    3. Decide whether to build or buy capabilities

    Evaluate and enable modernization technology top focus areas and refine
    security processes.

    Decide whether to train, hire, contract, or outsource to fill the security workforce gap.

    Sources:

    Industrial Control System (ICS) Modernization: Unlock the Value of Automation in Utilities, Info-Tech

    Secure IT-OT Convergence, Info-Tech

    Develop a cost-benefit analysis

    Identify a modernization business case for security.

    Benefits

    Metrics

    Operational Efficiency and Cost Savings

    • Reduction in truck rolls and staff time of manual operations of equipment or instrumentation.
    • Cost reduction in energy usage such as substation power voltage level or water treatment chemical level.

    Improve Reliability and Resilience

    • Reduction in field crew time to identify the outage locations by remotely accessing field equipment to narrow down the
      fault areas.
    • Reduction in outage time impacting customers and avoiding financial penalty in service quality metrics.
    • Improve operating reliability through continuous and real-time trend analysis of equipment performance.

    Energy & Capacity Savings

    • Optimize energy usage of operation to reduce overall operating cost and contribution to organizational net-zero targets.

    Customers & Society Benefits

    • Improve customer safety for essential services such as drinkable water consumption.
    • Improve reliability of services and address service equity issues based on data.

    Cost

    Metrics

    Equipment and Infrastructure

    Upgrade existing security equipment or instrumentation or deploy new, e.g. IPS on Enterprise DMZ and Operations DMZ.

    Implement communication network equipment and labor to install and configure.

    Upgrade or construct server room including cooling/heating, power backup, and server and rack hardware.

    Software and Commission

    The SCADA/HMI software and maintenance fee as well as lifecycle upgrade implementation project cost.

    Labor cost of field commissioning and troubleshooting.

    Integration with security systems, e.g. log management and continuous monitoring.

    Support and Resources

    Cost to hire/outsource security FTEs for ongoing managing and operating security devices, e.g. SOC.

    Cost to hire/outsource IT/OT FTEs to support and troubleshoot systems and its integrations with security systems, e.g. MSSP.

    An example of a cost-benefit analysis for ICS modernization

    Sources:

    Industrial Control System (ICS) Modernization: Unlock the Value of Automation in Utilities, Info-Tech

    Lawrence Berkeley National Laboratory, 2021

    IT-OT convergence demands new security approach and solutions

    Identify gaps

    Attack Vectors

    IT

    • User's compromised credentials
    • User's access device, e.g. laptop, smartphone
    • Access method, e.g. denial-of-service to modem, session hijacking, bad data injection

    OT

    • Site operations, e.g. SCADA server, engineering workstation, historian
    • Controls, e.g. SCADA Client, HMI, PLCs, RTUs
    • Process devices, e.g. sensors, actuators, field devices

    Defense Strategies

    • Limit exposure of system information
    • Identify and secure remote access points
    • Restrict tools and scripts
    • Conduct regular security audits
    • Implement a dynamic network environment

    (Control System Defense: Know the Opponent, CISA)

    An example of a high-level architecture of an electric utility's control system and its interaction with IT systems.

    An example of a high-level architecture of an electric utility's control system and its interaction with IT systems.

    Source: ISA-99, 2007

    RESPOND TO REGULATORY CHANGES

    PRIORITY 03

    • GOVERNMENT-ENACTED POLICY CHANGES AND INDUSTRY REGULATORY CHANGES COULD BE A COMPLIANCE BURDEN … OR PREVENT YOUR NEXT SECURITY INCIDENT.

    Executive summary

    Background

    Government-enacted regulatory changes are occurring at an ever-increasing rate these days. As one example, on November 10, 2022, the EU Parliament introduced two EU cybersecurity laws: the Network and Information Security (NIS2) Directive (applicable to organizations located within the EU and organizations outside the EU that are essential within an EU country) and the Digital Operational Resilience Act (DORA). There are also industry regulatory changes such as PCI DSS v4.0 for the payment sector and the North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) for Bulk Electric Systems (BES).

    Organizations should use regulatory changes as a means to improve security practices, instead of treating them as a compliance burden. As said by lead member of EU Parliament Bart Groothuis on NIS2, "This European directive is going to help around 160,000 entities tighten their grip on security […] It will also enable information sharing with the private sector and partners around the world. If we are being attacked on an industrial scale, we need to respond on an industrial scale."

    Current situation

    Stricter requirements and reporting: Regulations such as NIS2 include provisions for incident response, supply chain security, and encryption and vulnerability disclosure and set tighter cybersecurity obligations for risk management reporting obligations.

    Broader sectors: For example, the original NIS directive covers 19 sectors such as Healthcare, Digital Infrastructure, Transport, and Energy. Meanwhile, the new NIS2 directive increases to 35 sectors by adding other sectors such as providers of public electronic communications networks or services, manufacturing of certain critical products (e.g. pharmaceuticals), food, and digital services.

    High sanctions for violations: For example, Digital Services Act (DSA) includes fines of up to 6% of global turnover and a ban on operating in the EU single market in case of repeated serious breaches.

    Approximately 100 cross-border data flow regulations exist in 2022.

    Source: McKinsey, 2022

    Stricter requirements for payments

    Obligation changes to keep up with emerging threats and technologies

    64 New requirements were added
    A total of 64 requirements have been added to version 4.0 of the PCI DSS.

    13 New requirements become effective March 31, 2024
    The other 51 new requirements are considered best practice until March 31, 2025, at which point they will become effective.

    11 New requirements only for service providers
    11 of the new requirements are applicable only to entities that provide third-party services to merchants.

    Defined roles must be assigned for requirements.

    Focus on periodically assessing and documenting scope.

    Entities may choose a defined approach or a customized approach to requirements.

    An example of new requirements for PCI DSS v4.0

    Source: Prepare for PCI DSS v4.0, Info-Tech

    Use this template to explain the priorities you need your stakeholders to know about.

    Respond to regulatory changes

    Provide a brief value statement for the initiative.

    The compliance obligations are evolving – ensure your security plan has you covered.

    Initiative Description:

    Description must include what organization will undertake to complete the initiative.

    • Identify relevant security and privacy compliance and conformance levels.
    • Identify gaps for updated obligations, and map obligations into control framework.
    • Review, update, and implement policies and strategy.
    • Develop compliance exception process and forms.
    • Develop test scripts.
    • Track status and exceptions

    Drivers:

    List initiative drivers.

    • Pressure of new regulations
    • Governance, risk & compliance (GRC) tool offerings
    • High administrative or criminal penalties of non-compliance

    Risks:

    List initiative risks and impacts.

    • Complex structures and a great number of compliance requirements
    • Restricted budget and lack of skilled workforce for organizations such as local municipalities and small or medium organizations compared to private counterparts
    • Personal liability for some regulations for non-compliance

    Benefits:

    List initiative benefits and align to business benefits or benefits for the stakeholder groups that it impacts.

    • Reduces compliance risk.
    • Reduces complexity within the control environment by using a single framework to align multiple compliance regimes.
    • Reduces costs and efforts related to managing IT audits through planning and preparation.

    Related Info-Tech Research:

    Recommended Actions

    1. Identify compliance obligations

    Identify relevant security and privacy obligations and conformance levels.

    Identify gaps for updated obligations, and map obligations into control framework.

    2. Implement compliance strategy

    Review, update, and implement policies and strategy.

    Develop compliance exception process.

    3. Track and report

    Develop test scripts to check your remediations to ensure they are effective.

    Track and report status and exceptions.

    Sources: Build a Security Compliance Program and Prepare for PCI DSS v4.0, Info-Tech

    Identify relevant security and privacy compliance obligations

    Identify obligations

    # Security Jurisdiction
    1 Network and Information Security (NIS2) Directive European Union (EU) and organizations outside the EU that are essential within an EU country
    2 North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) North American electrical utilities
    3 Executive Order (EO) 14028: Improving the Nation's Cybersecurity, The White House, 2021 United States

    #

    Privacy Jurisdiction
    1 General Data Protection Regulation (GDPR) EU and EU citizens
    2 Personal Information Protection and Electronic Documents Act (PIPEDA) Canada
    3 California Consumer Privacy Act (CCPA) California, USA
    4 Personal Information Protection Law of the People’s Republic of China (PIPL) China

    An example of security and privacy compliance obligations

    How much does it cost to become compliant?

    • It is important to understand the various frameworks and to adhere to the appropriate compliance obligations.
    • Many factors influence the cost of compliance, such as the size of organization, the size of network, and current security readiness.
    • To manage compliance obligations, it is important to use a platform that not only performs internal and external monitoring but also provides third-party vendors (if applicable) with visibility into potential threats in their organization.

    Adopt Next-Generation Cybersecurity Technologies

    PRIORITY 04

    • GOVERNMENTS AND HACKERS ARE RECOGNIZING THE IMPORTANCE OF EMERGING TECHNOLOGIES, SUCH AS ZERO TRUST ARCHITECTURE AND AI-BASED CYBERSECURITY. SO SHOULD YOUR ORGANIZATION.

    Executive summary

    Background

    The cat and mouse game between threat actors and defenders is continuing. The looming question "can defenders do better?" has been answered with rapid development of technology. This includes the automation of threat analysis (signature-based, specification-based, anomaly-based, flow-based, content-based, sandboxing) not only on IT but also on other relevant environments, e.g. IoT, IIoT, and OT based on AI/ML.

    More fundamental approaches such as post-quantum cryptography and zero trust (ZT) are also emerging.
    ZT is a principle, a model, and also an architecture focused on resource protection by always verifying transactions using the least privilege principle. Hopefully in 2023, ZT will be more practical and not just a vendor marketing buzzword.

    Next-gen cybersecurity technologies alone are not a silver bullet. A combination of skilled talent, useful data, and best practices will give a competitive advantage. The key concepts are explainable, transparent, and trustworthy. Furthermore, regulation often faces challenges to keep up with next-gen cybersecurity technologies, especially with the implications and risks of adoption, which may not always be explicit.

    Current situation

    ZT: Performing an accurate assessment of readiness and benefits to adopt ZT can be difficult due to ZT's many components. Thus, an organization needs to develop a ZT roadmap that aligns with organizational goals and focuses on access to data, assets, applications, and services; don't select solutions or vendors too early.

    Post-quantum cryptography: Current cryptographic applications, such as RSA for PKI, rely on factorization. However, algorithms such as Shor's show quantum speedup for factorization, which can break current crypto when sufficient quantum computing devices are available. Thus, threat actors can intercept current encrypted information and store it to decrypt in the future.

    AI-based threat management: AI helps in analyzing and correlating data extremely fast compared to humans. Millions of telemetries, malware samples, raw events, and vulnerability data feed into the AI system, which humans cannot process manually. Furthermore, AI does not get tired in processing this big data, thus avoiding human error and negligence.

    Data breach mitigation cost without AI: USD 6.20 million; and with AI: USD 3.15 million

    Source: IBM, 2022

    Traditional security is not working

    Alert Fatigue

    Too many false alarms and too many events to process. Evolving threat landscapes waste your analysts' valuable time on mundane tasks, such as evidence collection. Meanwhile, only limited time is spared for decisions and conclusions, which results in the fear of missing an incident and alert fatigue.

    Lack of Insight

    To report progress, clear metrics are needed. However, cybersecurity still lacks in this area as the system itself is complex and some systems work in silos. Furthermore, lessons learned are not yet distilled into insights for improving future accuracy.

    Lack of Visibility

    System integration is required to create consistent workflows across the organization and to ensure complete visibility of the threat landscape, risks, and assets. Also, the convergence of OT, IoT, and IT enhances this challenge.

    Source: IBM Security Intelligence, 2020

    A business case for AI-based cybersecurity

    Threat management

    Prevention

    Risk scores are generated by machine learning based on variables such as behavioral patterns and geolocation. Zero trust architecture is combined with machine learning. Asset management leverages visibility using machine learning. Comply with regulations by improving discovery, classification, and protection of data using machine learning. Data security and data privacy services use machine learning for data discovery.

    Detection

    AI, advanced machine learning, and static approaches, such as code file analysis, combine to automatically detect and analyze threats and prevent threats from spreading, assisted by threat intelligence.

    Response

    AI helps in orchestrating security technologies for organizations to reduce the number of security agents installed, which may not talk to each other or, worse, may conflict with each other.

    Recovery

    AI continuously tunes based on lessons learned, such as creating security policies for improving future accuracy. AI also does not get fatigue, and it assists humans in a faster recovery.

    Prevention; Detection; Response; Recovery

    AI has been around since the 1940s, but why is it only gaining traction now? Because supporting technologies are only now available, including faster GPUs for complex computations and cheaper storage for massive volumes of data.

    Use this template to explain the priorities you need your stakeholders to know about.

    Adopt next-gen cybersecurity technologies

    Use this template to explain the priorities you need your stakeholders to know about.

    Develop a practical roadmap that shows the business value of next-gen cybersecurity technologies investment.

    Initiative Description:

    Description must include what organization will undertake to complete the initiative.

    • Identify the stakeholders who will be affected by the next-gen cybersecurity technologies implementation and define responsibilities based on skillsets and the degree of support.
    • Adopt well-established data governance practices for cross-functional teams.
    • Conduct a maturity assessment of key processes and highlight interdependencies.
    • Develop a baseline and periodically review risks, policies and procedures, and business plan.
    • Develop a roadmap and deploy next-gen cybersecurity architecture and controls step by step, working with trusted technology partners.
    • Monitor metrics on effectiveness and efficiency.

    Drivers:

    List initiative drivers.

    • Pressure of attacks by sophisticated threat actors
    • Next-gen cybersecurity technologies tool offerings
    • High cost of traditional security, e.g. longer breach lifecycle

    Risks:

    List initiative risks and impacts.

    • Lack of transparency of the model or bias, leading to non-compliance with policies/regulations
    • Risks related with data quality and inadequate data for model training
    • Adversarial attacks, including, but not limited to, adversarial input and model extraction

    Benefits:

    List initiative benefits and align to business benefits or benefits for the stakeholder groups that it impacts.

    • Reduces the number of alerts, thus reduces alert fatigue.
    • Increases the identification of unknown threats.
    • Leads to faster detection and response.
    • Closes skills gap and increases productivity.

    Related Info-Tech Research:

    Recommended Actions

    1. People

    Identify the stakeholders who will be affected by the next-gen cybersecurity technologies implementation and define responsibilities based on skillsets and the degree of support.

    Adopt well-established data governance practices for cross-functional teams.

    2. Process

    Conduct a maturity assessment of key processes and highlight interdependencies.

    Develop a baseline and periodically review risks, policies and procedures, and business plan.

    3. Technology

    Develop a roadmap and deploy next-gen cybersecurity architecture and controls step by step, working with trusted technology partners.

    Monitor metrics on effectiveness and efficiency.

    Source: Leverage AI in Threat Management (keynote presentation), Info-Tech

    Secure Services and Applications

    PRIORITY 05

    • APIS ARE STILL THE #1 THREAT TO APPLICATION SECURITY.

    Executive summary

    Background

    Software is usually produced as part of a supply chain instead of in silos. A vulnerability in any part of the supply chain can become a threat surface. We have learned this from recent incidents such as Log4j, SolarWinds, and Kaseya where attackers compromised a Virtual System Administrator tool used by managed service providers to attack around 1,500 organizations.

    DevSecOps is a culture and philosophy that unifies development, security, and operations to answer this challenge. DevSecOps shifts security left by automating, as much as possible, development and testing. DevSecOps provides many benefits such as rapid development of secure software and assurance that, prior to formal release and delivery, tests are reliably performed and passed.

    DevSecOps practices can apply to IT, OT, IoT, and other technology environments, for example, by integrating a Secure Software Development Framework (SSDF).

    Current situation

    Secure Software Supply Chain: Logging is a fundamental feature of most software, and recently the use of software components, especially open source, are based on trust. From the Log4j incident we learned that more could be done to improve the supply chain by adopting ZT to identify related components and data flows between systems and to apply the least privilege principle.

    DevSecOps: A software error wiped out wireless services for thousands of Rogers customers across Canada in 2021. Emergency services were also impacted, even though outgoing 911 calls were always accessible. Losing such services could have been avoided, if tests were reliably performed and passed prior to release.

    OT insecure-by-design: In OT, insecurity-by-design is still a norm, which causes many vulnerabilities such as insecure protocols implementation, weak authentication schemes, or insecure firmware updates. Additional challenges are the lack of CVEs or CVE duplication, the lack of Software Bill of Materials (SBOM), and product supply chains issues such as vulnerable products that are certified because of the scoping limitation and emphasis on functional testing.

    Technical causes of cybersecurity incidents in EU critical service providers in 2019-2021 shows: software bug (12%) and faulty software changes/update (9%).

    Source: CIRAS Incident reporting, ENISA (N=1,239)

    Software development keeps evolving

    DOD Maturation of Software Development Best Practices

    Best Practices 30 Years Ago 15 Years Ago Present Day
    Lifecycle Years or Months Months or Weeks Weeks or Days
    Development Process Waterfall Agile DevSecOps
    Architecture Monolithic N-Tier Microservices
    Deployment & Packaging Physical Virtual Container
    Hosting Infrastructure Server Data Center Cloud
    Cybersecurity Posture Firewall + SIEM + Zero Trust

    Best practices in software development are evolving as shown on the diagram to the left. For example, 30 years ago the lifecycle was "Years or Months," while in the present day it is "Weeks or Days."

    These changes also impact security such as the software architecture, which is no longer "Monolithic" but "Microservices" normally built within the supply chain.

    The software supply chain has known integrity attacks that can happen on each part of it. Starting from bad code submitted by a developer, to compromised source control platform (e.g. PHP git server compromised), to compromised build platform (e.g. malicious behavior injected on SolarWinds build), to a compromised package repository where users are deceived into using the bad package by the similarity between the malicious and the original package name.

    Therefore, we must secure each part of the link to avoid attacks on the weakest link.

    Software supply chain guidance

    Secure each part of the link to avoid attacks on the weakest link.

    Guide for Developers

    Guide for Suppliers

    Guide for Customers

    Secure product criteria and management, develop secure code, verify third-party components, harden build environment, and deliver code.

    Define criteria for software security checks, protect software, produce well-secured software, and respond to vulnerabilities.

    Secure procurement and acquisition, secure deployment, and secure software operations.

    Source: "Securing the Software Supply Chain" series, Enduring Security Framework (ESF), 2022

    "Most software today relies on one or more third-party components, yet organizations often have little or no visibility into and understanding of how these software components are developed, integrated, and deployed, as well as the practices used to ensure the components' security."

    Source: NIST – NCCoE, 2022

    Use this template to explain the priorities you need your stakeholders to know about.

    Secure services and applications

    Provide a brief value statement for the initiative.

    Adopt recommended practices for securing the software supply chain.

    Initiative Description:

    Description must include what organization will undertake to complete the initiative.

    • Define and keep security requirements and risk assessments up to date.
    • Require visibility into provenance of product, and require suppliers' self-attestation of security hygiene.
    • Verify distribution infrastructure, product and individual components integrity, and SBOM.
    • Use multi-layered defenses, e.g. ZT for integration and control configuration.
    • Train users on how to detect and report anomalies and when to apply updates to a system.
    • Ensure updates from authorized and authenticated sources and verify the integrity of the updated SBOM.

    Drivers:

    List initiative drivers.

    • Cyberattacks exploit the vulnerabilities of weak software supply chain
    • Increased need to enhance software supply chain security, e.g. under the White House Executive Order (EO) 14028
    • OT insecure-by-design hinders OT modernization

    Risks:

    List initiative risks and impacts.

    Only a few developers and suppliers explicitly address software security in detail.

    Time pressure to deliver functionality over security.

    Lack of security awareness and lack of trained workforce.

    Benefits:

    List initiative benefits and align to business benefits or benefits for the stakeholder groups that it impacts.

    Customers (acquiring organizations) achieve secure acquisition, deployment, and operation of software.

    Developers and suppliers provide software security with minimal vulnerabilities in its releases.

    Automated processes such as automated testing avoid error-prone and labor-intensive manual test cases.

    Related Info-Tech Research:

    Recommended Actions

    1. Procurement and Acquisition

    Define and keep security requirements and risk assessments up to date.

    Perform analysis on current market and supplier solutions and acquire security evaluation.

    Require visibility into provenance of product, and require suppliers' self-attestation of security hygiene

    2. Deployment

    Verify distribution infrastructure, product and individual components integrity, and SBOM.

    Save and store the tests and test environment and review and verify the
    self-attestation mechanism.

    Use multi-layered defenses, e.g. ZT for integration and control configuration.

    3. Software Operations

    Train users on how to detect and report anomalies and when to apply updates to a system.

    Ensure updates from authorized and authenticated sources and verify the integrity of the updated SBOM.

    Apply supply chain risk management (SCRM) operations.

    Source: "Securing the Software Supply Chain" series, Enduring Security Framework (ESF), 2022

    Bibliography

    Aksoy, Cevat Giray, Jose Maria Barrero, Nicholas Bloom, Steven J. Davis, Mathias Dolls, and Pablo Zarate. "Working from Home Around the World." Brookings Papers on Economic Activity, 2022.
    Barrero, Jose Maria, Nicholas Bloom, and Steven J. Davis. "Why working from home will stick." WFH Research, National Bureau of Economic Research, Working Paper 28731, 2021.
    Boehm, Jim, Dennis Dias, Charlie Lewis, Kathleen Li, and Daniel Wallance. "Cybersecurity trends: Looking over the horizon." McKinsey & Company, March 2022. Accessed
    31 Oct. 2022.
    "China: TC260 issues list of national standards supporting implementation of PIPL." OneTrust, 8 Nov. 2022. Accessed 17 Nov. 2022.
    Chmielewski, Stéphane. "What is the potential of artificial intelligence to improve cybersecurity posture?" before.ai blog, 7 Aug. 2022. Accessed 15 Aug. 2022.
    Conerly, Bill. "The Recession Will Begin Late 2023 Or Early 2024." Forbes, 1 Nov. 2022. Accessed 8 Nov. 2022.
    "Control System Defense: Know the Opponent." CISA, 22 Sep. 2022. Accessed 17 Nov. 2022.
    "Cost of a Data Breach Report 2022." IBM, 2022.
    "Cybersecurity: Parliament adopts new law to strengthen EU-wide resilience." European Parliament News, 10 Nov. 2022. Press Release.
    "Cyber Security in Critical National Infrastructure Organisations: 2022." Bridewell, 2022. Accessed 7 Nov. 2022.
    Davis, Steven. "The Big Shift to Working from Home." NBER Macro Annual Session On
    "The Future of Work," 1 April 2022.
    "Digital Services Act: EU's landmark rules for online platforms enter into force."
    EU Commission, 16 Nov. 2022. Accessed 16 Nov. 2022.
    "DoD Enterprise DevSecOps Fundamentals." DoD CIO, 12 May 2022. Accessed 21 Nov. 2022.
    Elkin, Elizabeth, and Deena Shanker. "That Cream Cheese Shortage You Heard About? Cyberattacks Played a Part." Bloomberg, 09 Dec. 2021. Accessed 27 Oct. 2022.
    Evan, Pete. "What happened at Rogers? Day-long outage is over, but questions remain." CBC News, 21 April 2022. Accessed 15 Nov. 2022.
    "Fewer Ransomware Victims Pay, as Median Ransom Falls in Q2 2022." Coveware,
    28 July 2022. Accessed 18 Nov. 2022.
    "Fighting cybercrime: new EU cybersecurity laws explained." EU Commission, 10 Nov. 2022. Accessed 16 Nov. 2022.
    "Guide to PCI compliance cost." Vanta. Accessed 18 Nov. 2022.
    Hammond, Susannah, and Mike Cowan. "Cost of Compliance 2022: Competing priorities." Thomson Reuters, 2022. Accessed 18 Nov. 2022.
    Hemsley, Kevin, and Ronald Fisher. "History of Industrial Control System Cyber Incidents." Department of Energy (DOE), 2018. Accessed 29 Aug. 2022.
    Hofmann, Sarah. "What Is The NIS2 And How Will It Impact Your Organisation?" CyberPilot,
    5 Aug. 2022. Accessed 16 Nov. 2022.
    "Incident reporting." CIRAS Incident Reporting, ENISA. Accessed 21 Nov. 2022.
    "Introducing SLSA, an End-to-End Framework for Supply Chain Integrity." Google,
    16 June 2021. Accessed 25 Nov. 2022.
    Kovacs, Eduard. "Trains Vulnerable to Hacker Attacks: Researchers." SecurityWeek, 29 Dec. 2015. Accessed 15 Nov. 2022.
    "Labour Force Survey, October 2022." Statistics Canada, 4 Nov. 2022. Accessed 7 Nov. 2022.
    Malacco, Victor. "Promises and potential of automated milking systems." Michigan State University Extension, 28 Feb. 2022. Accessed 15 Nov. 2022.
    Maxim, Merritt, et al. "Planning Guide 2023: Security & Risk." Forrester, 23 Aug. 2022. Accessed 31 Oct. 2022.
    "National Cyber Threat Assessment 2023-2024." Canadian Centre for Cyber Security, 2022. Accessed 18 Nov. 2022.
    Nicaise, Vincent. "EU NIS2 Directive: what's changing?" Stormshield, 20 Oct. 2022. Accessed
    17 Nov. 2022.
    O'Neill, Patrick. "Russia hacked an American satellite company one hour before the Ukraine invasion." MIT Technology Review, 10 May 2022. Accessed 26 Aug. 2022.
    "OT ICEFALL: The legacy of 'insecure by design' and its implications for certifications and risk management." Forescout, 2022. Accessed 21 Nov. 2022.
    Palmer, Danny. "Your cybersecurity staff are burned out - and many have thought about quitting." ZDNet, 8 Aug. 2022. Accessed 19 Aug. 2022.
    Placek, Martin. "Industrial Internet of Things (IIoT) market size worldwide from 2020 to 2028 (in billion U.S. dollars)." Statista, 14 March 2022. Accessed 15 Nov. 2022.
    "Revised Proposal Attachment 5.13.N.1 ADMS Business Case PUBLIC." Ausgrid, Jan. 2019. Accessed 15 Nov. 2022.
    Richter, Felix. "Cloudy With a Chance of Recession." Statista, 6 April 2022. Web.
    "Securing the Software Supply Chain: Recommended Practices Guide for Developers." Enduring Security Framework (ESF), Aug. 2022. Accessed 22 Sep. 2022.
    "Securing the Software Supply Chain: Recommended Practices Guide for Suppliers." Enduring Security Framework (ESF), Sep. 2022. Accessed 21 Nov. 2022.
    "Securing the Software Supply Chain: Recommended Practices Guide for Customers." Enduring Security Framework (ESF), Oct. 2022. Accessed 21 Nov. 2022.
    "Security Guidelines for the Electricity Sector: Control System Electronic Connectivity."
    North American Electric Reliability Corporation (NERC), 28 Oct. 2013. Accessed 25 Nov. 2022.
    Shepel, Jan. "Schreiber Foods hit with cyberattack; plants closed." Wisconsin State Farmer,
    26 Oct. 2022. Accessed 15 Nov. 2022.
    "Significant Cyber Incidents." Center for Strategic and International Studies (CSIS). Accessed
    1 Sep. 2022.
    Souppaya, Murugiah, Michael Ogata, Paul Watrobski, and Karen Scarfone. "Software Supply Chain and DevOps Security Practices: Implementing a Risk-Based Approach to DevSecOps." NIST - National Cybersecurity Center of Excellence (NCCoE), Nov. 2022. Accessed
    22 Nov. 2022.
    "Ten Things Will Change Cybersecurity in 2023." SOCRadar, 23 Sep. 2022. Accessed
    31 Oct. 2022.
    "The Nature of Cybersecurity Defense: Pentagon To Reveal Updated Zero-Trust Cybersecurity Strategy & Guidelines." Cybersecurity Insiders. Accessed 21 Nov. 2022.
    What Is Threat Management? Common Challenges and Best Practices." IBM Security Intelligence, 2020.
    Woolf, Tim, et al. "Benefit-Cost Analysis for Utility-Facing Grid Modernization Investments: Trends, Challenges, and Considerations." Lawrence Berkeley National Laboratory, Feb. 2021. Accessed 15 Nov. 2022.
    Violino, Bob. "5 key considerations for your 2023 cybersecurity budget planning." CSO Online,
    14 July 2022. Accessed 27 Oct. 2022

    Research Contributors and Experts

    Andrew Reese
    Cybersecurity Practice Lead
    Zones

    Ashok Rutthan
    Chief Information Security Officer (CISO)
    Massmart

    Chris Weedall
    Chief Information Security Officer (CISO)
    Cheshire East Council

    Jeff Kramer
    EVP Digital Transformation and Cybersecurity
    Aprio

    Kris Arthur
    Chief Information Security Officer (CISO)
    SEKO Logistics

    Mike Toland
    Chief Information Security Officer (CISO)
    Mutual Benefit Group

    Integrate Portfolios to Create Exceptional Customer Value

    • Buy Link or Shortcode: {j2store}176|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Architecture & Strategy
    • Parent Category Link: /architecture-and-strategy
    • Through growth, both organic and acquisition, you have a significant footprint of projects and applications.
    • Projects and applications have little in common with one another, all with their own history and pedigree.
    • You need to look across your portfolio of applications and projects to see if they will collectively help the organization achieve its goals.

    Our Advice

    Critical Insight

    • Stakeholders don’t care about the minutia and activities involved in project and application portfolio management.
    • Timely delivery of effective and important applications that deliver value throughout their life are the most important factors driving business satisfaction with IT.

    Impact and Result

    • Define an organizing principle that will structure your projects and applications in a way that matters to your stakeholders.
    • Bridge application and project portfolio data using the organizing principle that matters to communicate with stakeholders across the organization.
    • Create a dashboard that brings together the benefits of both project and application portfolio management to improve visibility and decision making.

    Integrate Portfolios to Create Exceptional Customer Value Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should integrate your application and project portfolios, review Info-Tech’s methodology, and understand the three ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Define the principle that organizes your portfolios, objectives, and stakeholders

    To bring your portfolios together, you need to start with learning about your objectives, principles, and stakeholders.

    • Integrate Portfolios to Create Exceptional Customer Value – Phase 1: Define the Principle That Organizes Your Portfolios, Objectives, and Stakeholders
    • Integrated Portfolio Dashboard Tool
    • Integrated Portfolio Dashboard Tool – Example

    2. Take stock of what brings you closer to your goals

    Get a deeper understanding of what makes up your organizing principle before learning about your applications and projects that are aligned with your principles.

    • Integrate Portfolios to Create Exceptional Customer Value – Phase 2: Take Stock of What Brings You Closer to Your Goals

    3. Bring it all together

    Bound by your organizing principles, bring your projects and applications together under a single dashboard. Once defined, determine the rollout and communication plan that suits your organization.

    • Integrate Portfolios to Create Exceptional Customer Value – Phase 3: Bring It All Together
    • Integrated Portfolio Communication and Roadmap Plan
    • Integrated Portfolio Communication and Roadmap Plan Example
    [infographic]

    Workshop: Integrate Portfolios to Create Exceptional Customer Value

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Looking at Your Principles

    The Purpose

    Determine your organizational objectives and organizing principle.

    Key Benefits Achieved

    A clear understanding of where you need to go as an organization.

    A clear way to enable all parts of your portfolio to come together.

    Activities

    1.1 Determine your organization’s objectives.

    1.2 Determine your key stakeholders.

    1.3 Define your organizing principle.

    1.4 Decompose your organizing principle into its core components.

    Outputs

    Determined organizing principle for your applications and projects

    2 Understanding Your Applications

    The Purpose

    Get a clear view of the applications that contribute to your organization’s objectives.

    Key Benefits Achieved

    A key element of IT value delivery is its applications. Gaining awareness allows you to evaluate if the right value is being provided.

    Activities

    2.1 Determine your complete list of applications.

    2.2 Determine the health of your applications.

    2.3 Link your applications to the organization’s core components.

    Outputs

    List of applications

    Application list with health statistics filled in

    List of applications with health metrics bound to the organization’s core components

    3 Understanding Your Projects

    The Purpose

    Get a clear view of your project portfolio and how it relates to your applications and their organizing principle.

    Key Benefits Achieved

    An understanding of your project portfolio.

    Activities

    3.1 List all in-flight projects and vital health statistics.

    3.2 Map out the key programs and projects in your portfolio to the application’s core components.

    Outputs

    List of projects

    List of projects mapped to applications they impact

    4 Rolling Out the New Dashboard

    The Purpose

    Bring together your application and project portfolios in a new, easy-to-use dashboard with a full rollout plan.

    Key Benefits Achieved

    Dashboard available for use

    Roadmap and communication plan to make dashboard implementable and tangible

    Activities

    4.1 Test the dashboard.

    4.2 Define your refresh cadence.

    4.3 Plan your implementation.

    4.4 Develop your communication plan.

    Outputs

    Validated dashboards

    Cybersecurity Priorities in Times of Pandemic

    • Buy Link or Shortcode: {j2store}381|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Security Processes & Operations
    • Parent Category Link: /security-processes-and-operations
    • Novel coronavirus 2019 (COVID-19) has thrown organizations around the globe into chaos as they attempt to continue operations while keeping employees safe.
    • IT needs to support business continuity – juggling available capacity and ensuring that services are available to end users – without clarity of duration, amid conditions that change daily, on a scale never seen before.
    • Security has never been more important than now. But…where to start? What are the top priorities? How do we support remote work while remaining secure?

    Our Advice

    Critical Insight

    • There is intense pressure to enable employees to work remotely, as soon as possible. IT is scrambling to enable access, source equipment to stage, and deploy products to employees, many of whom are unfamiliar with working from home.
    • There is either too much security to allow people to be productive or too little security to ensure that the organization remains protected and secure.
    • These events are unprecedented, and no plan currently exists to sufficiently maintain a viable security posture during this interim new normal.

    Impact and Result

    • Don’t start from scratch. Leverage your current security framework, processes, and mechanisms but tailor them to accommodate the new way of remote working.
    • Address priority security items related to remote work capability and its implications in a logical sequence. Some security components may not be as time sensitive as others.
    • Remain diligent! Circumstances may have changed, but the importance of security has not. In fact, IT security is likely more important now than ever before.

    Cybersecurity Priorities in Times of Pandemic Research & Tools

    Start here – read our Cybersecurity Priorities research.

    Our recommendations and the accompanying checklist tool will help you quickly get a handle on supporting a remote workforce while maintaining security in your organization.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    • Cybersecurity Priorities in Times of Pandemic Storyboard
    • Cybersecurity Priorities Checklist Tool
    [infographic]

    Engineer Your Event Management Process

    • Buy Link or Shortcode: {j2store}461|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Operations Management
    • Parent Category Link: /i-and-o-process-management

    Build an event management practice that is situated in the larger service management environment. Purposefully choose valuable events to track and predefine their associated actions to cut down on data clutter.

    Our Advice

    Critical Insight

    Event management is useless in isolation. The goals come from the pain points of other ITSM practices. Build handoffs to other service management practices to drive the proper action when an event is detected.

    Impact and Result

    Create a repeatable framework to define monitored events, their root cause, and their associated action. Record your monitored events in a catalog to stay organized.

    Engineer Your Event Management Process Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Engineer Your Event Management Deck – A step-by-step document that walks you through how to choose meaningful, monitored events to track and action.

    Engineer your event management practice with tracked events informed by the business impact of the related systems, applications, and services. This storyboard will help you properly define and catalog events so you can properly respond when alerted.

    • Engineer Your Event Management Process – Phases 1-3

    2. Event Management Cookbook – A guide to help you walk through every step of scoping event management and defining every event you track in your IT environment.

    Use this tool to define your workflow for adding new events to track. This cookbook includes the considerations you need to include for every tracked event as well as the roles and responsibilities of those involved with event management.

    • Event Management Cookbook

    3. Event Management Catalog – Using the Event Management Cookbook as a guide, record all your tracked events in the Event Management Catalog.

    Use this tool to record your tracked events and alerts in one place. This catalog allows you to record the rationale, root-cause, action, and data governance for all your monitored events.

    • Event Management Catalog

    4. Event Management Workflow – Define your event management handoffs to other service management practices.

    Use this template to help define your event management handoffs to other service management practices including change management, incident management, and problem management.

    • Event Management Workflow (Visio)
    • Event Management Workflow (PDF)

    5. Event Management Roadmap – Implement and continually improve upon your event management practice.

    Use this tool to implement and continually improve upon your event management process. Record, prioritize, and assign your action items from the event management blueprint.

    • Event Management Roadmap
    [infographic]

    Workshop: Engineer Your Event Management Process

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Situate Event Management in Your Service Management Environment

    The Purpose

    Determine goals and challenges for event management and set the scope to business-critical systems.

    Key Benefits Achieved

    Defined system scope of Event Management

    Roles and responsibilities defined

    Activities

    1.1 List your goals and challenges

    1.2 Monitoring and event management RACI

    1.3 Abbreviated business impact analysis

    Outputs

    Event Management RACI (as part of the Event Management Cookbook)

    Abbreviated BIA (as part of the Event Management Cookbook)

    2 Define Your Event Management Scope

    The Purpose

    Define your in-scope configuration items and their operational conditions

    Key Benefits Achieved

    Operational conditions, related CIs and dependencies, and CI thresholds defined

    Activities

    2.1 Define operational conditions for systems

    2.2 Define related CIs and dependencies

    2.3 Define conditions for CIs

    2.4 Perform root-cause analysis for complex condition relationships

    2.5 Set thresholds for CIs

    Outputs

    Event Management Catalog

    3 Define Thresholds and Actions

    The Purpose

    Pre-define actions for every monitored event

    Key Benefits Achieved

    Thresholds and actions tied to each monitored event

    Activities

    3.1 Set thresholds to monitor

    3.2 Add actions and handoffs to event management

    Outputs

    Event Catalog

    Event Management Workflows

    4 Start Monitoring and Implement Event Management

    The Purpose

    Effectively implement event management

    Key Benefits Achieved

    Establish an event management roadmap for implementation and continual improvement

    Activities

    4.1 Define your data policy for event management

    4.2 Identify areas for improvement and establish an implementation plan

    Outputs

    Event Catalog

    Event Management Roadmap

    Further reading

    Engineer Your Event Management Process

    Track monitored events purposefully and respond effectively.

    EXECUTIVE BRIEF

    Analyst Perspective

    Event management is useless in isolation.

    Event management creates no value when implemented in isolation. However, that does not mean event management is not valuable overall. It must simply be integrated properly in the service management environment to inform and drive the appropriate actions.

    Every step of engineering event management, from choosing which events to monitor to actioning the events when they are detected, is a purposeful and explicit activity. Ensuring that event management has open lines of communication and actions tied to related practices (e.g. problem, incident, and change) allows efficient action when needed.

    Catalog your monitored events using a standardized framework to allow you to know:

    1. The value of tracking the event.
    2. The impact when the event is detected.
    3. The appropriate, right-sized reaction when the event is detected.
    4. The tool(s) involved in tracking the event.

    Properly engineering event management allows you to effectively monitor and understand your IT environment and bolster the proactivity of the related service management practices.

    Benedict Chang

    Benedict Chang
    Research Analyst, Infrastructure & Operations
    Info-Tech Research Group

    Executive Summary

    Your Challenge

    Strive for proactivity. Implement event management to reduce response times of technical teams to solve (potential) incidents when system performance degrades.

    Build an integrated event management practice where developers, service desk, and operations can all rely on event logs and metrics.

    Define the scope of event management including the systems to track, their operational conditions, related configuration items (CIs), and associated actions of the tracked events.

    Common Obstacles

    Managed services, subscription services, and cloud services have reduced the traditional visibility of on- premises tools.

    System(s) complexity and integration with the above services has increased, making true cause and effect difficult to ascertain.

    Info-Tech’s Approach

    Clearly define a limited number of operational objectives that may benefit from event management.

    Focus only on the key systems whose value is worth the effort and expense of implementing event management.

    Understand what event information is available from the CIs of those systems and map those against your operational objectives.

    Write a data retention policy that balances operational, audit, and debugging needs against cost and data security needs.

    Info-Tech Insight

    More is NOT better. Even in an AI-enabled world, every event must be collected with a specific objective in mind. Defining the purpose of each tracked event will cut down on data clutter and response time when events are detected.

    Your challenge

    This research is designed to help organizations who are facing these challenges or looking to:

    • Build an event management practice that is situated in the larger service management environment.
    • Purposefully choose events and to track as well as their related actions based on business-critical systems, their conditions, and their related CIs.
    • Cut down on the clutter of current events tracked.
    • Create a framework to add new events when new systems are onboarded.

    33%

    In 2020, 33% of organizations listed network monitoring as their number one priority for network spending. 27% of organizations listed network monitoring infrastructure as their number two priority.
    Source: EMA, 2020; n=350

    Common obstacles

    These barriers make this challenge difficult to address for many organizations:

    • Many organizations have multiple tools across multiple teams and departments that track the current state of infrastructure, making it difficult to consolidate event management into a single practice.
    • Managed services, subscription services, and cloud services have reduced the traditional visibility of on-premises tools
    • System(s) complexity and integration with the above services has increased, making true cause and effect difficult to ascertain.

    Build event management to bring value to the business

    33%

    33% of all IT organizations reported that end users detected and reported incidents before the network operations team was aware of them.
    Source: EMA, 2020; n=350

    64%

    64% of enterprises use 4-10 monitoring tools to troubleshoot their network.
    Source: EMA, 2020; n=350

    Info-Tech’s approach

    Choose your events purposefully to avoid drowning in data.

    A funnel is depicted. along the funnel are the following points: Event Candidates: 1. System Selection by Business Impact; 2. System Decomposition; 3. Event Selection and Thresholding; 4. Event Action; 5. Data Management; Valuable, Monitored, and Actioned Events

    The Info-Tech difference:

    1. Start with a list of your most business-critical systems instead of data points to measure.
    2. Decompose your business-critical systems into their configuration items. This gives you a starting point for choosing what to measure.
    3. Choose your events and label them as notifications, warnings, or exceptions. Choose the relevant thresholds for each CI.
    4. Have a pre-defined action tied to each event. That action could be to log the datapoint for a report or to open an incident or problem ticket.
    5. With your event catalog defined, choose how you will measure the events and where to store the data.

    Event management is useless in isolation

    Define how event management informs other management practices.

    Logging, Archiving, and Metrics

    Monitoring and event management can be used to establish and analyze your baseline. The more you know about your system baselines, the easier it will be to detect exceptions.

    Change Management

    Events can inform needed changes to stay compliant or to resolve incidents and problems. However, it doesn’t mean that changes can be implemented without the proper authorization.

    Automatic Resolution

    The best use case for event management is to detect and resolve incidents and problems before end users or IT are even aware.

    Incident Management

    Events sitting in isolation are useless if there isn’t an effective way to pass potential tickets off to incident management to mitigate and resolve.

    Problem Management

    Events can identify problems before they become incidents. However, you must establish proper data logging to inform problem prioritization and actioning.

    Info-Tech’s methodology for Engineering Your Event Management Process

    1. Situate Event Management in Your Service Management Environment 2. Define Your Monitoring Thresholds and Accompanying Actions 3. Start Monitoring and Implement Event Management

    Phase Steps

    1.1 Set Operational and Informational Goals

    1.2 Scope Monitoring and States of Interest

    2.1 Define Conditions and Related CIs

    2.2 Set Monitoring Thresholds and Alerts

    2.3 Action Your Events

    3.1 Define Your Data Policy

    3.2 Define Future State

    Event Cookbook

    Event Catalog

    Phase Outcomes

    Monitoring and Event Management RACI

    Abbreviated BIA

    Event Workflow

    Event Management Roadmap

    Insight summary

    Event management is useless in isolation.

    The goals come from the pain points of other ITSM practices. Build handoffs to other service management practices to drive the proper action when an event is detected.

    Start with business intent.

    Trying to organize a catalog of events is difficult when working from the bottom up. Start with the business drivers of event management to keep the scope manageable.

    Keep your signal-to-noise ratio as high as possible.

    Defining tracked events with their known conditions, root cause, and associated actions allows you to be proactive when events occur.

    Improve slowly over time.

    Start small if need be. It is better and easier to track a few items with proper actions than to try to analyze events as they occur.

    More is NOT better. Avoid drowning in data.

    Even in an AI-enabled world, every event must be collected with a specific objective in mind. Defining the purpose of each tracked event will cut down on data clutter and response time when events are detected.

    Add correlations in event management to avoid false positives.

    Supplement the predictive value of a single event by aggregating it with other events.

    Blueprint deliverables

    Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:

    Key deliverable:

    This is a screenshot of the Event Management Cookbook

    Event Management Cookbook
    Use the framework in the Event Management Cookbook to populate your event catalog with properly tracked and actioned events.

    This is a screenshot of the Event Management RACI

    Event Management RACI
    Define the roles and responsibilities needed in event management.

    This is a screenshot of the event management workflow

    Event Management Workflow
    Define the lifecycle and handoffs for event management.

    This is a screenshot of the Event Catalog

    Event Catalog
    Consolidate and organize your tracked events.

    This is a screenshot of the Event Roadmap

    Event Roadmap
    Roadmap your initiatives for future improvement.

    Blueprint benefits

    IT Benefits

    • Provide a mechanism to compare operating performance against design standards and SLAs.
    • Allow for early detection of incidents and escalations.
    • Promote timely actions and ensure proper communications.
    • Provide an entry point for the execution of service management activities.
    • Enable automation activity to be monitored by exception
    • Provide a basis for service assurance, reporting and service improvements.

    Business Benefits

    • Less overall downtime via earlier detection and resolution of incidents.
    • Better visibility into SLA performance for supplied services.
    • Better visibility and reporting between IT and the business.
    • Better real-time and overall understanding of the IT environment.

    Case Study

    An event management script helped one company get in front of support calls.

    INDUSTRY - Research and Advisory

    SOURCE - Anonymous Interview

    Challenge

    One staff member’s workstation had been infected with a virus that was probing the network with a wide variety of usernames and passwords, trying to find an entry point. Along with the obvious security threat, there existed the more mundane concern that workers occasionally found themselves locked out of their machine and needed to contact the service desk to regain access.

    Solution

    The system administrator wrote a script that runs hourly to see if there is a problem with an individual’s workstation. The script records the computer's name, the user involved, the reason for the password lockout, and the number of bad login attempts. If the IT technician on duty notices a greater than normal volume of bad password attempts coming from a single account, they will reach out to the account holder and inquire about potential issues.

    Results

    The IT department has successfully proactively managed two distinct but related problems: first, they have prevented several instances of unplanned work by reaching out to potential lockouts before they receive an incident report. They have also successfully leveraged event management to probe for indicators of a security threat before there is a breach.

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    “Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.”

    Guided Implementation

    “Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.”

    Workshop

    “We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.”

    Consulting

    “Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”

    Diagnostics and consistent frameworks used throughout all four options

    Guided Implementation

    What does a typical GI on this topic look like?

    Phase 1 Phase 2 Phase 3

    Call #1: Scope requirements, objectives, and your specific challenges.

    Call #2: Introduce the Cookbook and explore the business impact analysis.

    Call #4: Define operational conditions.

    Call #6: Define actions and related practices.

    Call #8: Identify and prioritize improvements.

    Call #3: Define system scope and related CIs/ dependencies.

    Call #5: Define thresholds and alerts.

    Call #7: Define data policy.

    A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

    A typical GI is between 6 to 12 calls over the course of 4 to 6 months.

    Workshop Overview

    Contact your account representative for more information.
    workshops@infotech.com 1-888-670-8889

    Day 1 Day 2 Day 3 Day 4 Day 5
    Situate Event Management in Your Service Management Environment Define Your Event Management Scope Define Thresholds and Actions Start Monitoring and Implement Event Management Next Steps and Wrap-Up (offsite)

    Activities

    1.1 3.1 Set Thresholds to Monitor

    3.2 Add Actions and Handoffs to Event Management

    Introductions

    1.2 Operational and Informational Goals and Challenges

    1.3 Event Management Scope

    1.4 Roles and Responsibilities

    2.1 Define Operational Conditions for Systems

    2.2 Define Related CIs and Dependencies

    2.3 Define Conditions for CIs

    2.4 Perform Root-Cause Analysis for Complex Condition Relationships

    2.4 Set Thresholds for CIs

    3.1 Set Thresholds to Monitor

    3.2 Add Actions and Handoffs to Event Management

    4.1 Define Your Data Policy for Event Management

    4.2 Identify Areas for Improvement and Future Steps

    4.3 Summarize Workshop

    5.1 Complete In-Progress Deliverables From Previous Four Days

    5.2 Set Up Review Time for Workshop Deliverables and to Discuss Next Steps

    Deliverables
    1. Monitoring and Event Management RACI (as part of the Event Management Cookbook)
    2. Abbreviated BIA (as part of the Event Management Cookbook)
    3. Event Management Cookbook
    1. Event Management Catalog
    1. Event Management Catalog
    2. Event Management Workflows
    1. Event Management Catalog
    2. Event Management Roadmap
    1. Workshop Summary

    Phase 1

    Situate Event Management in Your Service Management Environment

    Phase 1 Phase 2 Phase 3

    1.1 Set Operational and Informational Goals
    1.2 Scope Monitoring and Event Management Using Business Impact

    2.1 Define Conditions and Related CIs
    2.2 Set Monitoring Thresholds and Alerts
    2.3 Action Your Events

    3.1 Define Your Data Policy
    3.2 Set Your Future of Event Monitoring

    Engineer Your Event Management Process

    This phase will walk you through the following activities:

    1.1.1 List your goals and challenges

    1.1.2 Build a RACI chart for event management

    1.2.1 Set your scope using business impact

    This phase involves the following participants:

    Infrastructure management team

    IT managers

    Step 1.1

    Set Operational and Informational Goals

    Activities

    1.1.1 List your goals and challenges

    1.1.2 Build a RACI chart for event management

    Situate Event Management in Your Service Management Environment

    This step will walk you through the following activities:

    Set the overall scope of event management by defining the governing goals. You will also define who is involved in event management as well as their responsibilities.

    This step involves the following participants:

    Infrastructure management team

    IT managers

    Outcomes of this step

    Define the goals and challenges of event management as well as their data proxies.

    Have a RACI matrix to define roles and responsibilities in event management.

    Situate event management among related service management practices

    This image depicts the relationship between Event Management and related service management practices.

    Event management needs to interact with the following service management practices:

    • Incident Management – Event management can provide early detection and/or prevention of incidents.
    • Availability and Capacity Management – Event management helps detect issues with availability and capacity before they become an incident.
    • Problem Management – The data captured in event management can aid in easier detection of root causes of problems.
    • Change Management – Event management can function as the rationale behind needed changes to fix problems and incidents.

    Consider both operational and informational goals for event management

    Event management may log real-time data for operational goals and non-real time data for informational goals

    Event Management

    Operational Goals (real-time)

    Informational Goals (non-real time)

    Incident Response & Prevention

    Availability Scaling

    Availability Scaling

    Modeling and Testing

    Investigation/ Compliance

    • Knowing what the outcomes are expected to achieve helps with the design of that process.
    • A process targeted to fewer outcomes will generally be less complex, easier to adhere to, and ultimately, more successful than one targeted to many goals.
    • Iterate for improvement.

    1.1.1 List your goals and challenges

    Gather a diverse group of IT staff in a room with a whiteboard.

    Have each participant write down their top five specific outcomes they want from improved event management.

    Consolidate similar ideas.

    Prioritize the goals.

    Record these goals in your Event Management Cookbook.

    Priority Example Goals
    1 Reduce response time for incidents
    2 Improve audit compliance
    3 Improve risk analysis
    4 Improve forecasting for resource acquisition
    5 More accurate RCAs

    Input

    • Pain points

    Output

    • Prioritized list of goals and outcomes

    Materials

    • Whiteboard/flip charts
    • Sticky notes

    Participants

    • Infrastructure management team
    • IT managers

    Download the Event Management Cookbook

    Event management is a group effort

    • Event management needs to involve multiple other service management practices and service management roles to be effective.
    • Consider the roles to the right to see how event management can fit into your environment.

    Infrastructure Team

    The infrastructure team is accountable for deciding which events to track, how to track, and how to action the events when detected.

    Service Desk

    The service desk may respond to events that are indicative of incidents. Setting a root cause for events allows for quicker troubleshooting, diagnosis, and resolution of the incident.

    Problem and Change Management

    Problem and change management may be involved with certain event alerts as the resultant action could be to investigate the root cause of the alert (problem management) or build and approve a change to resolve the problem (change management).

    1.1.2 Build a RACI chart for event management

    1. As a group, complete the RACI chart using the template to the right. RACI stands for the following:
      • Responsible. The person doing the work.
      • Accountable. The person who ensures the work is done.
      • Consulted. Two-way communication.
      • Informed. One-way communication
      • There must be one and only one accountable person for each task. There must also be at least one responsible person. Depending on the use case, RACI letters may be combined (e.g. AR means the person who ensures the work is complete but also the person doing the work).
    2. Start with defining the roles in the first row in your own environment.
    3. Look at the tasks on the first column and modify/add/subtract tasks as necessary.
    4. Populate the RACI chart as necessary.

    Download the Event Management Cookbook

    Event Management Task IT Manager SME IT Infrastructure Manager Service Desk Configuration Manager (Event Monitoring System) Change Manager Problem Manager
    Defining systems and configuration items to monitor R C AR R
    Defining states of operation R C AR C
    Defining event and event thresholds to monitor R C AR I I
    Actioning event thresholds: Log A R
    Actioning event thresholds: Monitor I R A R
    Actioning event thresholds: Submit incident/change/problem ticket R R A R R I I
    Close alert for resolved issues AR RC RC

    Step 1.2

    Scope Monitoring and Event Management Using Business Impact

    Activities

    1.2.1 Set your scope using business impact

    Situate Event Management in Your Service Management Environment

    This step will walk you through the following activities:

    • Set your scope of event management using an abbreviated business impact analysis.

    This step involves the following participants:

    • Infrastructure manager
    • IT managers

    Outcomes of this step

    • List of systems, services, and applications to monitor.

    Use the business impact of your systems to set the scope of monitoring

    Picking events to track and action is difficult. Start with your most important systems according to business impact.

    • Business impact can be determined by how costly system downtime is. This could be a financial impact ($/hour of downtime) or goodwill impact (internal/external stakeholders affected).
    • Use business impact to determine the rating of a system by Tier (Gold, Silver, or Bronze):
      • GOLD: Mission-critical services. An outage is catastrophic in terms of cost or public image/goodwill. Example: trading software at a financial institution.
      • SILVER: Important to daily operations but not mission critical. Example: email services at any large organization.
      • BRONZE: Loss of these services is an inconvenience more than anything, though they do serve a purpose and will be missed if they are never brought back online. Example: ancient fax machines.
    • Align a list of systems to track with your previously selected goals for event management to determine WHY you need to track that system. Tracking the system could inform critical SLAs (performance/uptime), vulnerability, compliance obligations, or simply system condition.

    More is not better

    Tracking too many events across too many tools could decrease your responsiveness to incidents. Start tracking only what is actionable to keep the signal-to-noise ratio of events as high as possible.

    % of Incidents Reported by End Users Before Being Recognized by IT Operations

    A bar graph is depicted. It displays the following Data: All Organizations: 40%; 1-3 Tools: 29; 4-10 Tools: 36%; data-verified=11 Tools: 52">

    Source: Riverbed, 2016

    1.2.1 Set your scope using business impact

    Collating an exhaustive list of applications and services is onerous. Start small, with a subset of systems.

    1. Gather a diverse group of IT staff and end users in a room with a whiteboard.
    2. List 10-15 systems and services. Solicit feedback from the group. Questions to ask:
      • What services do you regularly use? What do you see others using?
        (End users)
      • Which service comprises the greatest number of service calls? (IT)
      • What services are the most critical for business operations? (Everybody)
      • What is the cost of downtime (financial and goodwill) for these systems? (Business)
      • How does monitoring these systems align with your goals set in Step 1.1?
    3. Assign an importance to each of these systems from Gold (most important) to Bronze (least important).
    4. Record these systems in your Event Management Cookbook.
    Systems/Services/Applications Tier
    1 Core Infrastructure Gold
    2 Internet Access Gold
    3 Public-Facing Website Gold
    4 ERP Silver
    15 PaperSave Bronze

    Include a variety of services in your analysis

    It might be tempting to jump ahead and preselect important applications. However, even if an application is not on the top 10 list, it may have cross-dependencies that make it more valuable than originally thought.

    For a more comprehensive BIA, see Create a Right-Sized Disaster Recovery Plan
    Download the Event Management Cookbook

    Phase 2

    Define Your Monitoring Thresholds and Accompanying Actions

    Phase 1Phase 2Phase 3

    1.1 Set Operational and Informational Goals
    1.2 Scope Monitoring and Event Management Using Business Impact

    2.1 Define Conditions and Related CIs
    2.2 Set Monitoring Thresholds and Alerts
    2.3 Action Your Events

    3.1 Define Your Data Policy
    3.2 Set Your Future of Event Monitoring

    Engineer Your Event Management Process

    This phase will walk you through the following activities:

    • 2.1.1 Define performance conditions
    • 2.1.2 Decompose services into Related CIs
    • 2.2.1 Verify your CI conditions with a root-cause analysis
    • 2.2.2 Set thresholds for your events
    • 2.3.1 Set actions for your thresholds
    • 2.3.2 Build your event management workflow

    This phase involves the following participants:

    • Business system owners
    • Infrastructure manager
    • IT managers

    Step 2.1

    Define Conditions and Related CIs

    Activities

    2.1.1 Define performance conditions

    2.1.2 Decompose services into related CIs

    Define Your Monitoring Thresholds and Accompanying Actions

    This step will walk you through the following activities:

    For each monitored system, define the conditions of interest and related CIs.

    This step involves the following participants:

    Business system owners

    Infrastructure manager

    IT managers

    Outcomes of this step

    List of conditions of interest and related CIs for each monitored system.

    Consider the state of the system that is of concern to you

    Events present a snapshot of the state of a system. To determine which events you want to monitor, you need to consider what system state(s) of importance.

    • Systems can be in one of three states:
      • Up
      • Down
      • Degraded
    • What do these states mean for each of your systems chosen in your BIA?
    • Up and Down are self-explanatory and a good place to start.
    • However, degraded systems are indicative that one or more component systems of an overarching system has failed. You must uncover the nature of such a failure, which requires more sophisticated monitoring.

    2.1.1 Define system states of greatest importance for each of your systems

    1. With the system business owners and compliance officers in the room, list the performance states of your systems chosen in your BIA.
    2. If you have too many systems listed, start only with the Gold Systems.
    3. Use the following proof approaches if needed:
      • Positive Proof Approach – every system when it has certain technical and business performance expectations. You can use these as a baseline.
      • Negative Proof Approach – users know when systems are not performing. Leverage incident data and end-user feedback to determine failed or degraded system states and work backwards.
    4. Focus on the end-user facing states.
    5. Record your critical system states in the Event Management Cookbook.
    6. Use these states in the next several activities and translate them into measurable infrastructure metrics.

    Input

    • Results of business impact analysis

    Output

    • Critical system states

    Materials

    • Whiteboard/flip charts
    • Sticky notes
    • Markers

    Participants

    • Infrastructure manager
    • Business system owners

    Download the Event Management Cookbook

    2.1.2 Decompose services into relevant CIs

    Define your system dependencies to help find root causes of degraded systems.

    1. For each of your systems identified in your BIA, list the relevant CIs.
    2. Identify dependencies and relationship of those CIs with other CIs (linkages and dependencies).
    3. Starting with the Up/Down conditions for your Gold systems, list the conditions of the CIs that would lead to the condition of the system. This may be a 1:1 relationship (e.g. Core Switches down = Core Infrastructure down) or a many:1 relationship (some virtualization hosts + load balancers down = Core Infrastructure down). You do not need to define specific thresholds yet. Focus on conditions for the CIs.
    4. Repeat step 3 with Degraded conditions.
    5. Repeat step 3 and 4 with Silver and Bronze systems.
    6. Record the results in the Event Management Cookbook.

    Core Infrastructure Example

    An iceberg is depicted. below the surface, are the following terms in order from shallowest to deepest: MPLS Connection, Core Switches, DNS; DHCP, AD ADFS, SAN-01; Load Balancers, Virtualization Hosts (x 12); Power and Cooling

    Download the Event Management Cookbook

    Step 2.2

    Set Monitoring Thresholds and Alerts

    Activities

    2.2.1 Verify your CI conditions with a root-cause analysis

    2.2.2 Set thresholds for your events

    Define Your Monitoring Thresholds and Accompanying Actions

    This step will walk you through the following activities:

    Set monitoring thresholds for each CI related to each condition of interest.

    This step involves the following participants:

    Business system managers

    Infrastructure manager

    IT managers

    Service desk manager

    Outcomes of this step

    List of events to track along with their root cause.

    Event management will involve a significant number of alerts

    Separate the serious from trivial to keep the signal-to-noise ratio high.

    Event Categories: Exceptions: Alarms Indicate Failure; Alerts indicate exceeded thresholds; Normal Operation. Event Alerts: Informational; Exceptional; Warning

    Set your own thresholds

    You must set your own monitoring criteria based on operational needs. Events triggering an action should be reviewed via an assessment of the potential project and associated risks.

    Consider the four general signal types to help define your tracked events

    Latency – time to respond

    Examples:

    • Web server – time to complete request
    • Network – roundtrip ping time
    • Storage – read/write queue times

    Traffic – amount of activity per unit time

    Web sever – how many pages per minute

    Network – Mbps

    Storage – I/O read/writes per sec

    Errors – internally tracked erratic behaviors

    Web Server – page load failures

    Network – packets dropped

    Storage – disk errors

    Saturation – consumption compared to theoretical maximum

    Web Server – % load

    Network – % utilization

    Storage – % full

    2.2.1 Verify your CI conditions with a root-cause analysis

    RCAs postulate why systems go down; use the RCA to inform yourself of the events leading up to the system going down.

    1. Gather a diverse group of IT staff in a room with a whiteboard.
    2. Pick a complex example of a system condition (many:1 correlation) that has considerable data associated with it (e.g. recorded events, problem tickets).
    3. Speculate on the most likely precursor conditions. For example, if a related CI fails or is degraded, which metrics would you likely see before the failure?
    4. If something failed, imagine what you’d most likely see before the failure.
    5. Extend that timeline backward as far as you can be reasonably confident.
    6. Pick a value for that event.
    7. Write out your logic flow from event recognition to occurrence.
    8. Once satisfied, program the alert and ideally test in a non-prod environment.

    Public Website Example

    Dependency CIs Tool Metrics
    ISP WAN SNMP Traps Latency
    Telemetry Packet Loss
    SNMP Pooling Jitter
    Network Performance Web Server Response Time
    Connection Stage Errors
    Web Server Web Page DOM Load Time
    Performance
    Page Load Time

    Let your CIs help you

    At the end of the day, most of us can only monitor what our systems let us. Some (like Exchange Servers) offer a crippling number of parameters to choose from. Other (like MPLS) connections are opaque black boxes giving up only the barest of information. The metrics you choose are largely governed by the art of the possible.

    Case Study

    Exhaustive RCAs proved that 54% of issues were not caused by storage.

    This is the Nimble Storage Logo

    INDUSTRY - Enterprise IT
    SOURCE - ESG, 2017

    Challenge

    Despite a laser focus on building nothing but all-flash storage arrays, Nimble continued to field a dizzying number of support calls.

    Variability and complexity across infrastructure, applications, and configurations – each customer install being ever so slightly different – meant that the problem of customer downtime seemed inescapable.

    Solution

    Nimble embedded thousands of sensors into its arrays, both at a hardware level and in the code. Thousands of sensors per array multiplied by 7,500 customers meant millions of data points per second.

    This data was then analyzed against 12,000 anonymized app-data gap-related incidents.

    Patterns began to emerge, ones that persisted across complex customer/array/configuration combinations.

    These patterns were turned into signatures, then acted on.

    Results

    54% of app-data gap related incidents were in fact related to non-storage factors! Sub-optimal configuration, bad practices, poor integration with other systems, and even VM or hosts were at the root cause of over half of reported incidents.

    Establishing that your system is working fine is more than IT best practice – by quickly eliminating potential options the right team can get working on the right system faster thus restoring the service more quickly.

    Gain an even higher SNR with event correlation

    Filtering:

    Event data determined to be of minimal predictive value is shunted aside.

    Aggregation:

    De-duplication and combination of similar events to trigger a response based on the number or value of events, rather than for individual events.

    Masking:

    Ignoring events that occur downstream of a known failed system. Relies on accurate models of system relationships.

    Triggering:

    Initiating the appropriate response. This could be simple logging, any of the exception event responses, an alert requiring human intervention, or a pre-programmed script.

    2.2.2 Set thresholds for your events

    If the event management team toggles the threshold for an alert too low (e.g. one is generated every time a CPU load reaches 60% capacity), they will generate too many false positives and create far too much work for themselves, generating alert fatigue. If they go the other direction and set their thresholds too high, there will be too many false negatives – problems will slip through and cause future disruptions.

    1. Take your list of RCAs from the previous activity and conduct an activity with the group. The goal of the exercise is to produce the predictive event values that confidently predict an imminent event.
    2. Questions to ask:
      • What are some benign signs of this incident?
      • Is there something we could have monitored that would have alerted us to this issue before an incident occurred?
      • Should anyone have noticed this problem? Who? Why? How?
      • Go through this for each of the problems identified and discuss thresholds. When complete, include the information in the Event Management Catalog.

    Public Website Example

    Dependency Metrics Threshold
    Network Performance Latency 150ms
    Packet Loss 10%
    Jitter >1ms
    Web Server Response Time 750ms
    Performance
    Connection Stage Errors 2
    Web Page Performance DOM Load time 1100ms
    Page Load time 1200ms

    Download the Event Management Cookbook

    Step 2.3

    Action Your Events

    Activities

    2.3.1 Set actions for your thresholds

    2.3.2 Build your event management workflow

    Define Your Monitoring Thresholds and Associated Actions

    This step will walk you through the following activities:

    With your list of tracked events from the previous step, build associated actions and define the handoff from event management to related practices.

    This step involves the following participants:

    Event management team

    Infrastructure team

    Change manager

    Problem manager

    Incident manager

    Outcomes of this step

    Event management workflow

    Set actions for your thresholds

    For each of your thresholds, you will need an action tied to the event.

    • Review the event alert types:
      • Informational
      • Warning
      • Exception
    • Your detected events will require one of the following actions if detected.
    • Unactioned events will lead to a poor signal-to-noise ratio of data, which ultimately leads to confusion in the detection of the event and decreased response effectiveness.

    Event Logged

    For informational alerts, log the event for future analysis.

    Automated Resolution

    For a warning or exception event or a set of events with a well-known root cause, you may have an automated resolution tied to detection.

    Human Intervention

    For warnings and exceptions, human intervention may be needed. This could include manual monitoring or a handoff to incident, change, or problem management.

    2.3.1 Set actions for your thresholds

    Alerts generated by event management are useful for many different ITSM practitioners.

    1. With the chosen thresholds at hand, analyze the alerts and determine if they require immediate action or if they can be logged for later analysis.
    2. Questions to ask:
      1. What kind of response does this event warrant?
      2. How could we improve our event management process?
      3. What event alerts would have helped us with root-cause analysis in the past?
    3. Record the results in the Event Management Catalog.

    Public Website Example

    Outcome Metrics Threshold Response (s)
    Network Performance Latency 150ms Problem Management Tag to Problem Ticket 1701
    Web Page Performance DOM Load time 1100ms Change Management

    Download the Event Management Catalog

    Input

    • List of events generated by event management

    Output

    • Action plan for various events as they occur

    Materials

    • Whiteboard/flip charts
    • Pens
    • Paper

    Participants

    • Event Management Team
    • Infrastructure Team
    • Change Manager
    • Problem Manager
    • Incident Manager

    2.3.2 Build your event management workflow

    1. As a group, discuss your high-level monitoring, alerting, and actioning processes.
    2. Define handoff processes to incident, problem, and change management. If necessary, open your incident, problem, and change workflows and discuss how the event can further pass onto those practices. Discuss the examples below:
      • Incident Management: Who is responsible for opening the incident ticket? Can the incident ticket be automated and templated?
      • Change Management: Who is responsible for opening an RFC? Who will approve the RFC? Can it be a pre-approved change?
      • Problem Management : Who is responsible for opening the problem ticket? How can the event data be useful in the problem management process?
    3. Use and modify the example workflow as needed by downloading the Event Management Workflow.

    Example Workflow:

    This is an image of an example Event Management Workflow

    Download the Event Management Workflow

    Common datapoints to capture for each event

    Data captured will help related service management practices in different ways. Consider what you will need to record for each event.

    • Think of the practice you will be handing the event to. For example, if you’re handing the event off to incident or problem management, data captured will have to help in root-cause analysis to find and execute the right solution. If you’re passing the event off to change management, you may need information to capture the rationale of the change.
    • Knowing the driver for the data can help you define the right data captured for every event.
    • Consider the data points below for your events:

    Data Fields

    Device

    Date/time

    Component

    Parameters in exception

    Type of failure

    Value

    Download the Event Management Catalog

    Start Monitoring and Implement Event Management

    Phase 1Phase 2Phase 3

    1.1 Set Operational and Informational Goals
    1.2 Scope Monitoring and Event Management Using Business Impact

    2.1 Define Conditions and Related CIs
    2.2 Set Monitoring Thresholds and Alerts
    2.3 Action Your Events

    3.1 Define Your Data Policy
    3.2 Set Your Future of Event Monitoring

    Engineer Your Event Management Process

    This phase will walk you through the following activities:

    3.1.1 Define data policy needs

    3.2.1 Build your roadmap

    This phase involves the following participants:

    Business system owners

    Infrastructure manager

    IT managers

    Step 3.1

    Define Your Data Policy

    Activities

    3.1.1 Define data policy needs

    Start Monitoring and Implement Event Management

    This step will walk you through the following activities:

    Your overall goals from Phase 1 will help define your data retention needs. Document these policy statements in a data policy.

    This step involves the following participants:

    CIO

    Infrastructure manager

    IT managers

    Service desk manager

    Outcomes of this step

    Data retention policy statements for event management

    Know the difference between logs and metrics

    Logs

    Metrics

    A log is a complete record of events from a period:

    • Structured
    • Binary
    • Plaintext
    Missing entries in logs can be just as telling as the values existing in other entries. A metric is a numeric value that gives information about a system, generally over a time series. Adjusting the time series allows different views of the data.

    Logs are generally internal constructs to a system:

    • Applications
    • DB replications
    • Firewalls
    • SaaS services

    Completeness and context make logs excellent for:

    • Auditing
    • Analytics
    • Real-time and outlier analysis
    As a time series, metrics operate predictably and consistently regardless of system activity.

    This independence makes them ideal for:

    • Alerts
    • Dashboards
    • Profiling

    Large amounts of log data can make it difficult to:

    • Store
    • Transmit
    • Sift
    • Sort

    Context insensitivity means we can apply the same metric to dissimilar systems:

    • This is especially important for blackbox systems not fully under local control.

    Understand your data requirements

    Amount of event data logged by a 1000 user enterprise averages 113GB/day

    Source: SolarWinds

    Security Logs may contain sensitive information. Best practice is to ensure logs are secure at rest and in transit. Tailor your security protocol to your compliance regulations (PCI, etc.).
    Architecture and Availability When production infrastructure goes down, logging tends to go down as well. Holes in your data stream make it much more difficult to determine root causes of incidents. An independent secondary architecture helps solve problems when your primary is offline. At the very least, system agents should be able to buffer data until the pipeline is back online.
    Performance Log data grows: organically with the rest of the enterprise and geometrically in the event of a major incident. Your infrastructure design needs to support peak loads to prevent it from being overwhelmed when you need it the most.
    Access Control Events have value for multiple process owners in your enterprise. You need to enable access but also ensure data consistency as each group performs their own analysis on the data.
    Retention Near-real time data is valuable operationally; historic data is valuable strategically. Find a balance between the two, keeping in mind your obligations under compliance frameworks (GDPR, etc.).

    3.1.1 Set your data policy for every event

    1. Given your event list in the Event Management Catalog, include the following information for each event:
      • Retention Period
      • Data Sensitivity
      • Data Rate
    2. Record the results in the Event Management Catalog.

    Public Website Example

    Metrics/Log Retention Period Data Sensitivity Data Rate
    Latency 150ms No
    Packet Loss 10% No
    Jitter >1ms No
    Response Time 750ms No
    HAProxy Log 7 days Yes 3GB/day
    DOM Load time 1100ms
    Page Load time 1200ms
    User Access 3 years Yes

    Download the Event Management Catalog

    Input

    • List of events generated by event management
    • List of compliance standards your organization adheres to

    Output

    • Data policy for every event monitored and actioned

    Materials

    • Whiteboard/flip charts
    • Pens
    • Paper

    Participants

    • Event management team
    • Infrastructure team

    Step 3.2

    Set Your Future of Event Monitoring

    Activities

    3.2.1 Build your roadmap

    Start Monitoring and Implement Event Management

    This step will walk you through the following activities:

    Event management maturity is slowly built over time. Define your future actions in a roadmap to stay on track.

    This step involves the following participants:

    CIO

    Infrastructure manager

    IT managers

    Outcomes of this step

    Event management roadmap and action items

    Practice makes perfect

    For every event that generates an alert, you want to judge the predictive power of said event.

    Engineer your event management practice to be predictive. For example:

    • Up/Down Alert – Expected Consequence: Service desk will start working on the incident ticket before a user reports that said system has gone down.
    • SysVol Capacity Alert – Expected Consequence: Change will be made to free up space on the volume prior to the system crashing.

    If the expected consequence is not observed there are three places to look:

    1. Was the alert received by the right person?
    2. Was the alert received in enough time to do something?
    3. Did the event triggering the alert have a causative relationship with the consequence?

    While impractical to look at every action resulting from an alert, a regular review process will help improve your process. Effective alerts are crafted with specific and measurable outcomes.

    Info-Tech Insight

    False positives are worse than missed positives as they undermine confidence in the entire process from stakeholders and operators. If you need a starting point, action your false positives first.

    Mind Your Event Management Errors

    Two Donut charts are depicted. The first has a slice which is labeled 7% False Positive. The Second has a slice which is labeled 33% False Negative.

    Source: IEEE Communications Magazine March 2012

    Follow the Cookbook for every event you start tracking

    Consider building event management into new, onboarded systems as well.

    You now have several core systems, their CIs, conditions, and their related events listed in the Event Catalog. Keep the Catalog as your single reference point to help manage your tracked events across multiple tools.

    The Event Management Cookbook is designed to be used over and over. Keep your tracked events standard by running through the steps in the Cookbook.

    An additional step you could take is to pull the Cookbook out for event tracking for each new system added to your IT environment. Adding events in the Catalog during application onboarding is a good way to manage and measure configuration.

    Event Management Cookbook

    This is a screenshot of the Event Management Cookbook

    Use the framework in the Event Management Cookbook to populate your event catalog with properly tracked and actioned events.

    3.2.1 Build an event management roadmap

    Increase your event management maturity over time by documenting your goals.

    Add the following in-scope goals for future improvement. Include owner, timeline, progress, and priority.

    • Add additional systems/applications/services to event management
    • Expand condition lists for given systems
    • Consolidate tracking tools for easier data analysis and actioning
    • Integrate event management with additional service management practices

    This image contains a screenshot of a sample Event Management Roadmap

    Summary of Accomplishment

    Problem Solved

    You now have a structured event management process with a start on a properly tracked and actioned event catalog. This will help you detect incidents before they become incidents, changes needed to the IT environment, and problems before they spread.

    Continue to use the Event Management Cookbook to add new monitored events to your Event Catalog. This ensures future events will be held to the same or better standard, which allows you to avoid drowning in too much data.

    Lastly, stay on track and continually mature your event management practice using your Event Management Roadmap.

    If you would like additional support, have our analysts guide you through other phases as part of an Info-Tech workshop

    Contact your account representative for more information

    workshops@infotech.com

    1-888-670-8889

    Additional Support

    If you would like additional support, have our analysts guide you through other phases as part of an Info-Tech Workshop.

    To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.

    Info-Tech analysts will join you and your team at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.

    Contact your account representative for more information.
    workshops@infotech.com 1-888-670-8889

    The following are sample activities that will be conducted by Info-Tech analysts with your team:

    This is an example of a RACI Chart for Event Management

    Build a RACI Chart for Event Management

    Define and document the roles and responsibilities in event management.

    This is an example of a business impact chart

    Set Your Scope Using Business Impact

    Define and prioritize in-scope systems and services for event management.

    Related Info-Tech Research

    Standardize the Service Desk

    Improve customer service by driving consistency in your support approach and meeting SLAs.

    Improve Incident and Problem Management

    Don’t let persistent problems govern your department

    Harness Configuration Management Superpowers

    Build a service configuration management practice around the IT services that are most important to the organization.

    Select Bibliography

    DeMattia, Adam. “Assessing the Financial Impact of HPE InfoSight Predictive Analytics.” ESG, Softchoice, Sept. 2017. Web.

    Hale, Brad. “Estimating Log Generation for Security Information Event and Log Management.” SolarWinds, n.d. Web.

    Ho, Cheng-Yuan, et al. “Statistical Analysis of False Positives and False Negatives from Real Traffic with Intrusion Detection/Prevention Systems.” IEEE Communications Magazine, vol. 50, no. 3, 2012, pp. 146-154.

    ITIL Foundation ITIL 4 Edition = ITIL 4. The Stationery Office, 2019.

    McGillicuddy, Shamus. “EMA: Network Management Megatrends 2016.” Riverbed, April 2016. Web.

    McGillicuddy, Shamus. “Network Management Megatrends 2020.” Enterprise Management Associates, APCON, 2020. Web.

    Rivas, Genesis. “Event Management: Everything You Need to Know about This ITIL Process.” GB Advisors, 22 Feb. 2021. Web.

    “Service Operations Processes.” ITIL Version 3 Chapters, 21 May 2010. Web.

    Optimize Software Pricing in a Volatile Competitive Market

    • Buy Link or Shortcode: {j2store}566|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Marketing Solutions
    • Parent Category Link: /marketing-solutions

    Your challenge:

    • Rising supplier costs and inflation are eroding margins and impacting customers' budgets.
    • There is pressure from management to make a gut-feeling decision because of time, lack of skills, and process limitations.
    • You must navigate competing pricing-related priorities among product, sales, and finance teams.
    • Product price increases fail because discovery lacks understanding of costs, price/value equation, and competitive price points.
    • Customers can react negatively, and results are seen much later (more than 12 months) after the price decision.

    Our Advice

    Critical Insight

    Product leaders will price products based on a deep understanding of the buyer price/value equation and alignment with financial and competitive pricing strategies, and make ongoing adjustments based on an ability to monitor buyer, competitor, and product cost changes.

    Impact and Result

    • Success for many SaaS product managers requires a reorganization and modernization of pricing tools, techniques, and assumptions. Leaders will develop the science of tailored price changes versus across-the-board price actions and account for inflation exposure and the customers’ willingness to pay.
    • This will build skills on how to price new products or adjust pricing for existing products. The disciplines using our pricing strategy methodology will strengthen efforts to develop repeatable pricing models and processes and build credibility with senior management.

    Optimize Software Pricing in a Volatile Competitive Market Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Optimize Software Pricing in a Volatile Competitive Market Executive Brief - A deck to build your skills on how to price new products or adjust pricing for existing products.

    This Executive Brief will build your skills on how to price new products or adjust pricing for existing products.

    • Optimize Software Pricing in a Volatile Competitive Market Executive Brief

    2. Optimize Software Pricing in a Volatile Competitive Market Storyboard – A deck that provides key steps to complete the project.

    This blueprint will build your skills on how to price new products or adjust pricing for existing products with documented key steps to complete the pricing project and use the Excel workbook and customer presentation.

    • Optimize Software Pricing in a Volatile Competitive Market – Phases 1-3

    3. Optimize Software Pricing in a Volatile Competitive Market Workbook – A tool that enables product managers to simplify the organization and collection of customer and competitor information for pricing decisions.

    These five organizational workbooks for product pricing priorities, interview tracking, sample questions, and critical competitive information will enable the price team to validate price change data through researching the three pricing schemes (competitor, customer, and cost-based).

    • Optimize Software Pricing in a Volatile Competitive Market Workbook

    4. Optimize Software Pricing in a Volatile Competitive Market Presentation Template – A template that serves as a guide to communicating the Optimize Pricing Strategy team's results for a product or product line.

    This template includes the business case to justify product repricing, contract modifications, and packaging rebuild or removal for launch. This template calls for the critical summarized results from the Optimize Software Pricing in a Volatile Competitive Market blueprint and the Optimize Software Pricing in a Volatile Competitive Market Workbook to complete.

    • Optimize Software Pricing in a Volatile Competitive Market Presentation Template

    Infographic

    Further reading

    SoftwareReviews — A Division of INFO~TECH RESEARCH GROUP

    Optimize Software Pricing in a Volatile Competitive Market

    Leading SaaS product managers align pricing strategy to company financial goals and refresh the customer price/value equation to avoid leaving revenues uncaptured.

    Table of Contents

    Section Title Section Title
    1 Executive Brief 2 Key Steps
    3 Concluding Slides

    Optimize Software Pricing in a Volatile Competitive Market

    Leading SaaS product managers align pricing strategy to company financial goals and refresh the customer price/value equation to avoid leaving revenues uncaptured.

    EXECUTIVE BRIEF

    Analyst Perspective

    Optimized Pricing Strategy

    Product managers without well-documented and repeatable pricing management processes often experience pressure from “Agile” management to make gut-feel pricing decisions, resulting in poor product revenue results. When combined with a lack of customer, competitor, and internal cost understanding, these process and timing limitations drive most product managers into suboptimal software pricing decisions. And, adding insult to injury, the poor financial results from bad pricing decisions aren’t fully measured for months, which further compounds the negative effects of poor decision making.

    A successful product pricing strategy aligns finance, marketing, product management, and sales to optimize pricing using a solid understanding of the customer perception of price/value, competitive pricing, and software production costs.

    Success for many SaaS product managers requires a reorganization and modernization of pricing tools, techniques, and data. Leaders will develop the science of tailored price changes versus across-the-board price actions and account for inflation exposure and the customers’ willingness to pay.

    This blueprint will build your skills on how to price new products or adjust pricing for existing products. The discipline you build using our pricing strategy methodology will strengthen your team’s ability to develop repeatable pricing and will build credibility with senior management and colleagues in marketing and sales.

    Photo of Joanne Morin Correia, Principal Research Director, SoftwareReviews.

    Joanne Morin Correia
    Principal Research Director
    SoftwareReviews

    Executive Summary

    Organizations struggle to build repeatable pricing processes:
    • A lack of alignment and collaboration among finance, marketing, product development, and sales.
    • A lack of understanding of customers, competitors, and market pricing.
    • Inability to stay ahead of complex and shifting software pricing models.
    • Time is wasted without a deep understanding of pricing issues and opportunities, and revenue opportunities go unrealized.
    Obstacles add friction to the pricing management process:
    • Pressure from management to make quick decisions results in a gut-driven approach to pricing.
    • A lack of pricing skills and management processes limits sound decision making.
    • Price changes fail because discovery often lacks competitive intelligence and buyer value to price point understanding. Customers’ reactions are often observed much later, after the decision is made.
    • Economic disruptions, supplier price hikes, and higher employee salaries/benefits are driving costs higher.
    Use SoftwareReviews’ approach for more successful pricing:
    • Organize for a more effective pricing project including roles & responsibilities as well as an aligned pricing approach.
    • Work with CFO/finance partner to establish target price based on margins and key factors affecting costs.
    • Perform a competitive price assessment and understand the buyer price/value equation.
    • Arrive at a target price based on the above and seek buy-in and approvals.

    SoftwareReviews Insight

    Product leaders will price products based on a deep understanding of the buyer price/value equation and alignment with financial and competitive pricing strategies, and they will make ongoing adjustments based on an ability to monitor buyers, competitors, and product cost changes.

    What is an optimized price strategy?

    “Customer discovery interviews help reduce the chance of failure by testing your hypotheses. Quality customer interviews go beyond answering product development and pricing questions.” (Pricing Strategies, Growth Ramp, March 2022)

    Most product managers just research their direct competitors when launching a new SaaS product. While this is essential, competitive pricing intel is insufficient to create a long-term optimized pricing strategy. Leaders will also understand buyer TCO.

    Your customers are constantly comparing prices and weighing the total cost of ownership as they consider your competition. Why?

    Implementing a SaaS solution creates a significant time burden as buyers spend days learning new software, making sure tools communicate with each other, configuring settings, contacting support, etc. It is not just the cost of the product or service.

    Optimized Price Strategy Is…
    • An integral part of any product plan and business strategy.
    • Essential to improving and maintaining high levels of margins and customer satisfaction.
    • Focused on delivering the product price to your customer’s business value.
    • Understanding customer price-value for your software segment.
    • Monitoring your product pricing with real-time data to ensure support for competitive strategy.
    Price Strategy Is Not…
    • Increasing or decreasing price on a gut feeling.
    • Changing price for short-term gain.
    • Being wary of asking customers pricing-related questions.
    • Haphazardly focusing entirely on profit.
    • Just covering product costs.
    • Only researching direct competitors.
    • Focusing on yourself or company satisfaction but your target customers.
    • Picking the first strategy you see.

    SoftwareReviews Insight

    An optimized pricing strategy establishes the “best” price for a product or service that maximizes profits and shareholder value while considering customer business value vs. the cost to purchase and implement – the total cost of ownership (TCO).

    Challenging environment

    Product managers are currently experiencing the following:
    • Supplier costs and inflation are rising, eroding product margins and impacting customers’ budgets.
    • Pressure from management to make a gut-feeling decision because of time, lack of skills, and process limitations.
    • Navigating competing pricing-related priorities among product, sales, and finance.
    • Product price increases that fail because discovery lacks understanding of costs, price/value equation, and competitive price points.
    • Slowing customer demand due to poorly priced offerings may not be fully measured for many months following the price decision.
    Doing nothing is NOT an option!
    Offense Double Down

    Benefit: Leverage long-term financial and market assets

    Risk: Market may not value those assets in the future
    Fight Back

    Benefit: Move quickly

    Risk: Hard to execute and easy to get pricing wrong
    Defense Retrench

    Benefit: Reduce threats from new entrants through scale and marketing

    Risk: Causes managed decline and is hard to sell to leadership
    Move Away

    Benefit: Seize opportunities for new revenue sources

    Risk: Diversification is challenging to pull off
    Existing Markets and Customers New Markets and Customers

    Pricing skills are declining

    Among product managers, limited pricing skills are big obstacles that make pricing difficult and under-optimized.

    Visual of a bar chart with descending values, each bar has written on it: 'Limited - Limits in understanding of engineering, marketing, and sales expectations or few processes for pricing and/or cost', 'Inexperienced - Inexperience in pricing project skills and corporate training', 'Lagging - Financial lag indicators (marketing ROI, revenue, profitability, COGs)', 'Lacking - Lack of relevant competitive pricing/packaging information', 'Shifting - Shift to cloud subscription-based revenue models is challenging'.

    The top three weakest product management skills have remained constant over the past five years:
    • Competitive analysis
    • Pricing
    • End of life
    Pricing is the weakest skill and has been declining the most among surveyed product professionals every year. (Adapted from 280 Group, 2022)

    Key considerations for more effective pricing decisions

    Pricing teams can improve software product profitability by:
    • Optimizing software profit with four critical elements: properly pricing your product, giving complete and accurate quotations, choosing the terms of the sale, and selecting the payment method.
    • Implementing tailored price changes (versus across-the-board price actions) to help account for inflation exposure, customer willingness to pay, and product attribute changes.
    • Accelerating ongoing pricing decision-making with a dedicated cross-functional team ready to act quickly.
    • Resetting discounting and promotion, and revisiting service-level agreements.
    Software pricing leaders will regularly assess:

    Has it been over a year since prices were updated?

    Have customers told you to raise your prices?

    Do you have the right mix of customers in each pricing plan?

    Do 40% of your customers say they would be very disappointed if your product disappeared? (Adapted from Growth Ramp, 2021)

    Case Study

    Middleware Vendor

    INDUSTRY
    Technology Middleware
    SOURCE
    SoftwareReviews Custom Pricing Strategy Project
    A large middleware vendor, who is running on Microsoft Azure, known for quality development and website tools, needed to react strategically to the March 2022 Microsoft price increase.

    Key Initiative: Optimize New Pricing Strategy

    The program’s core objective was to determine if the vendor should implement a price increase and how the product should be packaged within the new pricing model.

    For this initiative, the company interviewed buyers using three key questions: What are the core capabilities to focus on building/selling? What are the optimal features and capabilities valued by customers that should be sold together? And should they be charging more for their products?

    Results
    This middleware vendor saw buyer support for a 10% price increase to their product line and restructuring of vertical contract terms. This enabled them to retain customers over multi-year subscription contracts, and the price increase enabled them to protect margins after the Microsoft price increase.

    The Optimize New Pricing Strategy included the following components:

    Components: 'Product Feature Importance & Satisfaction', 'Correlation of Features and Value Drivers', 'Fair Cost to Value Average for Category', 'Average Discounting for Category', 'Customer Value Is an Acceptable Multiple of Price'. First four: 'Component fails into the scope of optimizing price strategy to value'; last one: 'They are optimizing their price strategy decisions'.

    New product price approach

    As a collaborative team across product management, marketing, and finance, we see leaders taking a simple yet well-researched approach when setting product pricing.

    Iterating to a final price point is best done with research into how product pricing:

    • Delivers target margins.
    • Is positioned vs. key competitors.
    • Delivers customer value at a fair price/value ratio.
    To arrive at our new product price, we suggest iterating among 3 different views:

    New Target Price:

    • Buyer Price vs. Value
    • Cost - Plus
    • Vs. Key Competitors
    We analyzed:
    • Customer price/value equation interviews
    • Impacts of Supplier cost increases
    • Competitive pricing research
    • How product pricing delivers target margins

    Who should care about optimized pricing?

    Product managers and marketers who:

    • Support the mandate for optimizing pricing and revenue generation.
    • Need a more scientific way to plan and implement new pricing processes and methods to optimize revenues and profits.
    • Want a way to better apply customer and competitive insights to product pricing.
    • Are evaluating current pricing and cost control to support a refreshed pricing strategy.

    Finance, sales, and marketing professionals who are pricing stakeholders in:

    • Finding alternatives to current pricing and packaging approaches.
    • Looking for ways to optimize price within the shifting market momentum.

    How will they benefit from this research?

    • Refine the ability to effectively target pricing to specific market demands and customer segments.
    • Strengthen product team’s reputation for reliable and repeatable price-management capabilities among senior leadership.
    • Recognize and plan for new revenue opportunities or cost increases.
    • Allow for faster, more accurate intake of customer and competitive data. 
    • Improve pricing skills for professional development and business outcomes.
    • Create new product price, packaging, or market opportunities. 
    • Reduce financial costs and mistakes associated with manual efforts and uneducated guessing.
    • Price software products that better achieve financial goals optimizing revenue, margins, or market share.
    • Enhance the product development and sales processes with real competitive and customer expectations.

    Is Your Pricing Strategy Optimized?

    With the right pricing strategy, you can invest more money into your product, service, or growth. A 1% price increase will improv revenues by:

    Three bars: 'Customer acquisition, 3.32%', 'Customer retention, 6.71%', 'Price monetization, 12.7%'.

    Price monetization will almost double the revenue increases over customer acquisition and retention. (Pricing Strategies, Growth Ramp, March 2022)

    DIAGNOSE PRICE CHALLENGES

    Prices of today's cloud-based services/products are often misaligned against competition and customers' perceived value, leaving more revenues on the table.
    • Do you struggle to price new products with confidence?
    • Do you really know your SaaS product's costs?
    • Have you lost pricing power to stronger competitors?
    • Has cost focus eclipsed customer value focus?
    If so, you are likely skipping steps and missing key outputs in your pricing strategy.

    OPTIMIZE THESE STEPS

    ALIGNMENT
    1. Assign Team Responsibilities
    2. Set Timing for Project Deliverables
    3. Clarify Financial Expectations
    4. Collect Customer Contacts
    5. Determine Competitors
    6. BEFORE RESEARCH, HAVE YOU
      Documented your executive's financial expectations? If "No," return.

    RESEARCH & VALIDATE
    1. Research Competitors
    2. Interview Customers
    3. Test Pricing vs. Financials
    4. Create Pricing Presentation
    5. BEFORE PRESENTING, HAVE YOU:
      Clarified your customer and competitive positioning to validate pricing? If "No," return.

    BUY-IN
    1. Executive Pricing Presentation
    2. Post-Mortem of Presentation
    3. Document New Processes
    4. Monitor the Pricing Changes
    5. BEFORE RESEARCH, HAVE YOU:
      Documented your executive's financial expectations? If "No," return.

    DELIVER KEY OUTPUTS

    Sponsoring executive(s) signs-offs require a well-articulated pricing plan and business case for investment that includes:
    • Competitive features and pricing financial templates
    • Customer validation of price value
    • Optimized price presentation
    • Repeatable pricing processes to monitor changes

    REAP THE REWARDS

    • Product pricing is better aligned to achieve financial goals
    • Improved pricing skills or professional development
    • Stronger team reputation for reliable price management

    Key Insights

    1. Gain a competitive edge by using market and customer information to optimize product financials, refine pricing, and speed up decisions.
    2. Product leaders will best set software product price based on a deep understanding of buyer/price value equation, alignment with financial strategy, and an ongoing ability to monitor buyer, competitor, and product costs.

    SoftwareReviews’ methodology for optimizing your pricing strategy

    Steps

    1.1 Establish the Team and Responsibilities
    1.2 Educate/Align Team on Pricing Strategy
    1.2 Document Portfolio & Target Product(s) for Pricing Updates
    1.3 Clarify Product Target Margins
    1.4 Establish Customer Price/Value
    1.5 Identify Competitive Pricing
    1.6 Establish New Price and Gain Buy-In

    Outcomes

    1. Well-organized project
    2. Clarified product pricing strategy
    3. Customer value vs. price equation
    4. Competitive price points
    5. Approvals

    Insight summary

    Modernize your price planning

    Product leaders will price products based on a deep understanding of the buyer price/value equation and alignment with financial and competitive pricing strategies, and make ongoing adjustments based on an ability to monitor buyer, competitor, and product cost changes.

    Ground pricing against financials

    Meet and align with financial stakeholders.
    • Give finance a heads-up that you want to work with them.
    • Find out the CFO’s expectations for pricing and margins.
    • Ask for a dedicated finance team member.

    Align on pricing strategy

    Lead stakeholders in SaaS product pricing decisions to optimize pricing based on four drivers:
    • Customer’s price/value
    • Competitive strategy
    • Reflective of costs
    • Alignment with financial goals

    Decrease time for approval

    Drive price decisions, with the support of the CFO, to the business value of the suggested change:
    • Reference current product pricing guidelines
    • Compare to the competition and our strategy and weigh results against our customer’s price/value
    • Compare against the equation to business value for the suggested change
    Develop the skill of pricing products

    Increase product revenues and margins by enhancing modern processes and data monetization. Shift from intuitive to information-based pricing decisions.

    Look at other options for revenue

    Adjust product design, features, packaging, and contract terms while maintaining the functionality customers find valuable to their business.

    Blueprint deliverables

    Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:
    Key deliverable:

    New Pricing Strategy Presentation Template

    Capture key findings for your price strategy with the Optimize Your Pricing in a Volatile Competitive Market Strategy Presentation Template

    Sample of the 'Acme Corp New Product Pricing' blueprint.

    Optimize Software Pricing in a Volatile Competitive Market Executive Brief

    This executive brief will build your knowledge on how to price new products or adjust pricing for existing products.

    Sample of the 'Optimize Software Pricing in a Volatile Competitive Market' blueprint.

    Optimize Software Pricing in a Volatile Competitive Market Workbook

    This workbook will help you prioritize which products require repricing, hold customer interviews, and capture competitive insights.

    Sample of the 'Optimize Software Pricing in a Volatile Competitive Market' workbook.

    Guided Implementation

    A Guided Implementation (GI) is a series of calls with a SoftwareReviews analyst to help implement our best practices in your organization.

    A typical GI is 4 to 8 calls over the course of 2 to 4 months.

    What does a typical GI on optimizing software pricing look like?

    Alignment

    Research & Reprice

    Buy-in

    Call #1: Share the pricing team vision and outline activities for the pricing strategy process. Plan next call – 1 week.

    Call #2: Outline products that require a new pricing approach and steps with finance. Plan next call – 1 week.

    Call #3: Discuss the customer interview process. Plan next call – 1 week.

    Call #4 Outline competitive analysis. Plan next call – 1 week.

    Call #5: Review customer and competitive results for initial new pricing business case with finance for alignment. Plan next call – 3 weeks.

    Call #6: Review the initial business case against financial plans across marketing, sales, and product development. Plan next call – 1 week.

    Call #7 Review the draft executive pricing presentation. Plan next call – 1 week.

    Call #8: Discuss gaps in executive presentation. Plan next call – 3 days.

    SoftwareReviews Offers Various Levels of Support to Meet Your Needs

    Included in Advisory Membership Optional add-ons

    DIY Toolkit

    Guided Implementation

    Workshop

    Consulting

    "Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful." "Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track." "We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place." "Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project."

    Desire a Guided Implementation?

    • A GI is where your SoftwareReviews engagement manager and executive advisor/counselor will work with SoftwareReviews research team members to craft with you a Custom Key Initiative Plan (CKIP).
    • A CKIP guides your team through each of the major steps, outlines responsibilities between members of your team and SoftwareReviews, describes expected outcomes, and captures actual value delivered.
    • A CKIP also provides you and your team with analyst/advisor/counselor feedback on project outputs, helps you communicate key principles and concepts to your team, and helps you stay on project timelines.
    • If Guided Implementation assistance is desired, contact your engagement manager.

    Workshop overview

    Contact your account representative for more information.
    workshops@infotech.com1-888-670-8889
    Day 1 Day 2 Day 3 Day 4 Day 5
    Align Team, Identify Customers, and Document Current Knowledge
    Validate Initial Insights and Identify Competitors and Market View
    Schedule and Hold Buyer Interviews
    Summarize Findings and Provide Actionable Guidance to Stakeholders
    Present, Go Forward, and Measure Impact and Results
    Activities

    1.1 Identify Team Members, roles, and responsibilities

    1.2 Establish timelines and project workflow

    1.3 Gather current product and future financial margin expectations

    1.4 Review the Optimize Software Executive Brief and Workbook Templates

    1.4 Build prioritized pricing candidates hypothesis

    2.1 Identify customer interviewee types by segment, region, etc.

    2.2 Hear from industry analysts their perspectives on the competitors, buyer expectations, and price trends

    2.3 Research competitors for pricing, contract type, and product attributes

    3.2 Review pricing and attributes survey and interview questionnaires

    3.2 Hold interviews and use interview guides (over four weeks)

    A gap of up to 4 weeks for scheduling of interviews.

    3.3 Hold review session after initial 3-4 interviews to make adjustments

    4.1 Review all draft price findings against the market view

    4.2 Review Draft Executive Presentation

    5.1 Review finalized pricing strategy plan with analyst for market view

    5.2 Review for comments on the final implementation plan

    Deliverables
    1. Documented steering committee and working team
    2. Current and initial new pricing targets for strategy
    3. Documented team knowledge
    1. Understanding of market and potential target interviewee types
    2. Objective competitive research
    1. Initial review – “Are we going in the right direction with surveys?”
    2. Validate or adjust the pricing surveys to what you hear in the market
    1. Complete findings and compare to the market
    2. Review and finish drafting the Optimize Software Pricing Strategy presentation
    1. Final impute on strategy
    2. Review of suggested next steps and implementation plan

    Our process

    Align team, perform research, and gain executive buy-in on updated price points

    1. Establish the team and responsibilities
    2. Educate/align team on pricing strategy
    3. Document portfolio & target product(s) for pricing updates
    4. Clarify product target margins
    5. Establish customer price/value
    6. Identify competitive pricing
    7. Establish new price and gain buy-in

    Optimize Software Pricing in a Volatile Competitive Market

    Our process will help you deliver the following outcomes:

    • Well-organized project
    • Clarified product pricing strategy
    • Customer value vs. price equation
    • Competitive price points
    • Approvals

    This project involves the following participants:

    • Product management
    • Program leadership
    • Product marketing
    • CFO or finance representative/partner
    • Others
    • Representative(s) from Sales

    1.0 Assign team responsibilities

    Input: Steering committee roles and responsibilities, Steering committee interest and role

    Output: List of new pricing strategy steering committee and workstream members, roles, and timelines, Updated Software Pricing Strategy presentation

    Materials: Optimize Software Pricing in a Volatile Competitive Market Presentation Template

    Participants: CFO, sponsoring executive, Functional leads – development, product marketing, product management, marketing, sales, customer success/support

    1-2 hours
    1. The product manager/member running this pricing/repricing program should review the entire Optimize Software Pricing in a Volatile Competitive Market blueprint and each blueprint attachment.
    2. The product manager should also refer to slide 19 of the Optimize Software Pricing in a Volatile Competitive Market blueprint and decide if help via a Guided Implementation (GI) is of value. If desired, alert your SoftwareReviews engagement manager.
    1-2 hours
    1. The product manager should meet with the chief product officer/CPO and functional leaders, and set the meeting agenda to:
      1. Nominate steering committee members.
      2. Nominate work-stream leads.
      3. Establish key pricing project milestones.
      4. Schedule both the steering committee (suggest monthly) and workstream lead meetings (suggest weekly) through the duration of the project.
      5. Ask the CPO to craft, outside this meeting, his/her version of the "Message from the chief product officer.”
      6. If a Guided Implementation is selected, inform the meeting attendees that a SoftwareReviews analyst will join the next meeting to share his/her Executive Brief on Pricing Strategy.
    2. Record all above findings in the Optimize Software Pricing in a Volatile Competitive Market Presentation Template.

    Download the Optimize Software Pricing in a Volatile Competitive Market Presentation Template

    SoftwareReviews Advisory Insight:

    Pricing steering committees are needed to steer overall product, pricing, and packaging decisions. Some companies include the CEO and CFO on this committee and designate it as a permanent body that meets monthly to give go/no-go decisions to “all things product and pricing related” across all products and business units.

    2.0 Educate the team

    1 hour

    Input: Typically, a joint recognition that pricing strategies need upgrading and have not been fully documented, Steering committee and working team members

    Output: Communication of team members involved and the makeup of the steering committee and working team, Alignment of team members on a shared vision of “why a new price strategy is critical” and what key attributes define both the need and impact on business

    Materials: Optimize Your Software Strategy Executive Brief PowerPoint presentation

    Participants: Initiative manager – individual leading the new pricing strategy, CFO/sponsoring executive, Working team – typically representatives in product marketing, product management, and sales, SoftwareReviews marketing analyst (optional)

    1. Walk the team through the Optimize Software Pricing in a Volatile Competitive Market Executive Brief PowerPoint presentation.
    2. Optional – Have the SoftwareReviews Advisory (SRA) analyst walk the team through the Optimize Software Pricing in a Volatile Competitive Market Executive Brief PowerPoint presentation as part of your session. Contact your engagement manager to schedule.
    3. Walk the team through the current version of the Optimize Software Pricing in a Volatile Competitive Market Presentation Template outlining project goals, steering committee and workstream make-up and responsibilities, project timeline and key milestones, and approach to arriving at new product pricing.
    4. Set expectations among team members of their specific roles and responsibilities for this project, review the frequency of steering committee and workstream meetings to set expectations of key milestones and deliverable due dates.

    Download the Optimize Software Pricing in a Volatile Competitive Market Executive Brief

    3.0 Document portfolio and target products for pricing update

    1-3 Hours

    Input: List of entire product portfolio

    Output: Prioritized list of product candidates that should be repriced

    Materials: Optimize Software Pricing in a Volatile Competitive Market Executive Brief presentation, Optimize Software Pricing in a Volatile Competitive Market Workbook

    Participants: Initiative manager – individual leading the new pricing strategy, CFO/sponsoring executive, Working team – typically representatives in product marketing, product management, and sales

    1. Walk the team through the current version of Optimize Software Pricing in a Volatile Competitive Market workbook, tab 2: “Product Portfolio Organizer.” Modify sample attributes to match your product line where necessary.
    2. As a group, record the product attributes for your entire portfolio.
    3. Prioritize the product price optimization candidates for repricing with the understanding that it might change after meeting with finance.

    Download the Optimize Software Pricing in a Volatile Competitive Market Workbook

    4.0 Clarify product target margins

    2-3 sessions of 1 Hour each

    Input: Finance partner/CFO knowledge of target product current and future margins, Finance partner/CFO who has information on underlying costs with details that illustrate supplier contributions

    Output: Product finance markup target percentage margins and revenues

    Materials: Finance data on the product family, Optimize Software Pricing in a Volatile Competitive Market Workbook, Optimize Software Pricing in a Volatile Competitive Market Presentation Template

    Participants: Initiative manager, Finance partner/CFO

    1. Schedule a meeting with your finance partner/CFO to validate expectations for product margins. The goal is to understand the detail of underlying costs/margins and if the impacts of supplier costs affect the product family. The information will be placed into the Optimize Software Pricing in a Volatile Competitive Market Workbook on tab 2, Product Portfolio Organizer under the “Unit Margins” heading.
    2. Arrive at a final “Cost-Plus New Price” based on underlying costs and target margins for each of the products. Record results in the Optimize Software Pricing in a Volatile Competitive Market Workbook, tab 2, under the “Cost-Plus New Price” heading.
    3. Record product target finance markup price under “Cost-Plus” in Optimize Software Pricing in a Volatile Competitive Market Presentation Template, slide 9, and details in Appendix, “Cost-Plus Analysis,” slide 11.
    4. Repeat this process for any other products to be repriced.

    Download the Optimize Software Pricing in a Volatile Competitive Market Workbook

    Download the Optimize Software Pricing in a Volatile Competitive Market Presentation Template

    5.0 Establish customer price to value

    1-4 weeks

    Input: Identify segments within which you require price-to-value information, Understand your persona insight gaps, Review Sample Interview Guide using the Optimize Software Pricing in a Volatile, Competitive Market Workbook, Tab 4. Interview Guide.

    Output: List of interviewees, Updated Interview Guide

    Materials: Optimize Software Pricing in a Volatile Competitive Market Workbook, Optimize Software Pricing in a Volatile Competitive Market Presentation Template

    Participants: Initiative manager, Customer success to help identify interviewees, Customers, prospects

    1. Identify a list of customers and prospects that best represent your target persona when interviewed. Choose interviewees who will inform key differences among key segments (geographies, company size, a mix of customers and prospects, etc.) and who are decision makers and can best inform insights on price/value and competitors.
    2. Recruit interviewees and schedule 30-minute interviews.
    3. Keep track of interviewees using the Optimize Software Pricing in a Volatile Competitive Market Workbook, tab 3: “Interviewee Tracking.”
    4. Review the Optimize Software Pricing in a Volatile Competitive Market Workbook, tab 4: “Interview Guide,” and modify/update it where appropriate.
    5. Record interviewee perspectives on the “price they are willing to pay for the value received” (price/value equation) using the Optimize Software Pricing in a Volatile Competitive Market Workbook, tab 4: “Interview Guide.”
    6. Summarize findings to result in an average “customer’s value price.” Record product target ”customer’s value price” in Optimize Software Pricing in a Volatile Competitive Market Presentation Template, slide 9 and supporting details in Appendix, “Customer Pricing Analysis,” slide 12.

    Download the Optimize Software Pricing in a Volatile Competitive Market Workbook

    Download the Optimize Software Pricing in a Volatile Competitive Market Presentation Template

    6.0 Identify competitive pricing

    1-2 weeks

    Input: Identify price candidate competitors, Your product pricing, contract type, and product attribute information to compare against, Knowledge of existing competitor information, websites, and technology research sites to guide questions

    Output: Competitive product average pricing

    Materials: Optimize Software Pricing in a Volatile Competitive Market Workbook, Optimize Software Pricing in a Volatile Competitive Market Presentation Template

    Participants: Initiative manager, Customers, prospects

    1. Identify the top 3-5 competitors’ products that you most frequently compete against with your selected product.
    2. Perform competitive intelligence research on deals won or lost that contain competitive pricing insights by speaking with your sales force.
    3. Use the interviews with key customers to also inform competitive pricing insights. Include companies which you may have lost to a competitor in your customer interviewee list.
    4. Modify and add key competitive pricing, contract, or product attributes in the Optimize Software Pricing in a Volatile Competitive Market Workbook, tab 5: “Competitive Information.”
    5. Place your product’s information into the Optimize Software Pricing in a Volatile Competitive Market Workbook, tab 5: “Competitive Information.”
    6. Research your competitors’ summarized pricing and product attribute insights into the workbook.
    7. Record research in the Summarize research on competitors to arrive at an average “Competitors Avg. Price”. Record in ”Customer’s Value Price” in Optimize Software Pricing in a Volatile Competitive Market Presentation Template, slide 9, and details in Appendix, “Competitor Pricing Analysis,” slide 13.

    Download the Optimize Software Pricing in a Volatile Competitive Market Workbook

    Download the Optimize Software Pricing in a Volatile Competitive Market Presentation Template

    7.0 Establish new price and gain buy-in

    2-3 hours

    Input: Findings from competitive, cost-plus, and customer price/value analysis

    Output: Approvals for price change

    Materials: Optimize Software Pricing in a Volatile Competitive Market Presentation Template

    Participants: Initiative manager, Steering committee, Working team – typically representatives in product marketing, product management, sales

    1. Using prior recorded findings of Customer’s Value Price, Competitors’ Avg. Price, and Finance Markup Price, arrive at a recommended “New Price” and record in Optimize Software Pricing in a Volatile Competitive Market Presentation Template, slide 9 and the Appendix for Project Analysis Details.
    2. Present findings to steering committee. Be prepared to show customer interviews and competitive analysis results to support your recommendation.
    3. Plan internal and external communications and discuss the timing of when to “go live” with new pricing. Discuss issues related to migration to a new price, how to handle currently low-priced customers, and how to migrate them over time to the new pricing.
    4. Identify if it makes sense to target a date to launch the new pricing in the future, so customers can be alerted in advance and therefore take advantage of “current pricing” to drive added revenues.
    5. Confer with IT to assess times required to implement within CPQ systems and with product marketing for time to change sales proposals, slide decks, and any other affected assets and systems.

    Download the Optimize Software Pricing in a Volatile Competitive Market Presentation Template

    Summary of Accomplishment

    Problem Solved

    With the help of this blueprint, you have deepened your and your company’s understanding of how to look at new pricing opportunities and what the market and the buyer will pay for your product. You are among the minority of product and marketing leaders that have thoroughly documented their new pricing strategy and processes – congratulations!

    The benefits of having led your team through the process are significant and include the following:

    • Allow for faster, more accurate intake of customer and competitive data 
    • Refine the ability to effectively target pricing to specific market demands and customer segments 
    • Understand the association between the value proposition of products and services
    • Reduce financial costs and mistakes associated with manual efforts & uneducated guessing
    • Recognize and plan for new revenue opportunities or cost increases
    • Create new market or product packaging opportunities
    And finally, by bringing your team along with you in this process, you have also led your team to become more customer-focused while pricing your products – a strategic shift that all organizations should pursue.

    If you would like additional support, contact us and we’ll make sure you get the professional expertise you need.

    Contact your account representative for more information.

    info@softwarereviews.com
    1-888-670-8889

    Bibliography

    “Chapter 4 Reasons for Project Failure.” Kissflow's Guide to Project Management. Kissflow, n.d. Web.

    Edie, Naomi. “Microsoft Is Raising SaaS Prices, and Other Vendors Will, Too.” CIO Dive, 8 December 2021. Web.

    Gruman, Galen, Alan S. Morrison, and Terril A. Retter. “Software Pricing Trends.” PricewaterhouseCoopers, 2018. Web.

    Hargrave, Marshall. “Example of Economic Exposure.” Investopedia, 12 April 2022. Web.

    Heaslip, Emily. “7 Smart Pricing Strategies to Attract Customers.” CO—, 17 November 2021. Web.

    Higgins, Sean. “How to Price a Product That Your Sales Team Can Sell.” HubSpot, 4 April 2022. Web.

    “Pricing Strategies.” Growth Ramp, March 2022. Web.

    “Product Management Skills Benchmark Report 2021.” 280 Group, 9 November 2021. Web.

    Quey, Jason. “Price Increase: How to Do a SaaS Pricing Change in 8 Steps.” Growth Ramp, 22 March 2021. Web.

    Steenburg, Thomas, and Jill Avery. “Marketing Analysis Toolkit: Pricing and Profitability Analysis.” Harvard Business School, 16 July 2010. Web.

    “2021 State of Competitive Intelligence.” Crayon and SCIO, n.d. Web.

    Valchev, Konstantin. “Cost of Goods Sold (COGS) for Software-as-a-Service (SaaS) Business.” OpenView Venture Partners, OV Blog, 20 April 2020. Web.

    “What Is Price Elasticity?” Market Business News, n.d. Web.

    Adding the Right Value: Building Cloud Brokerages That Enable

    • Buy Link or Shortcode: {j2store}110|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Strategy and Organizational Design
    • Parent Category Link: /strategy-and-organizational-design

    In many cases, the answer is to develop a cloud brokerage to manage the complexity. But what should your cloud broker be delivering, and how?

    Our Advice

    Critical Insight

    • To avoid failure, you need to provide security and compliance, but basic user satisfaction means becoming a frictionless intermediary.
    • Enabling brokers provide knowledge and guidance for the best usage of cloud.
    • While GCBs fill a critical role as a control point for IT consumption, they can easily turn into a friction point for IT projects. It’s important to find the right balance between enabling compliance and providing frictionless usability.

    Impact and Result

    • Avoid disintermediation.
    • Maintain compliance.
    • Leverage economies of scale.
    • Ensure architecture discipline.

    Adding the Right Value: Building Cloud Brokerages That Enable Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Build a Cloud Brokerage Deck – A guide to help you start designing a cloud brokerage that delivers value beyond gatekeeping.

    Define the value, ecosystem, and metrics required to add value as a brokerage. Develop a brokerage value proposition that aligns with your audience and capabilities. Define and rationalize the ecosystem of partners and value-add activities for your brokerage. Define KPIs that allow you to maximize and balance both usability and compliance.

    • Adding the Right Value: Building Cloud Brokerages That Enable Storyboard
    [infographic]

    Further reading

    Adding the Right Value: Building Cloud Brokerages That Enable

    Considerations for implementing an institutional-focused cloud brokerage.

    Your Challenge

    Increasingly, large institutions and governments are adopting cloud-first postures for delivering IT resources. Combined with the growth of cloud offerings that are able to meet the certifications and requirements of this segment that has been driven by federal initiatives like Cloud-First in Canada and Cloud Smart in the United States, these two factors have left institutions (and the businesses that serve them) with the challenge of delivering cloud services to their users while maintaining compliance, control, and IT sanity.

    In many cases, the answer is to develop a cloud brokerage to manage the complexity. But what should your cloud broker be delivering and how?

    Navigating the Problem

    Not all cloud brokerages are the same. And while they can be an answer to cloud complexity, an ineffective brokerage can drain value and complicate operations even further. Cloud brokerages need to be designed:

    1. To deliver the right type of value to its users.
    2. To strike the balance between effective governance & security and flexibility & ease of use.

    Info-Tech’s Approach

    By defining your end goals, framing solutions based on the type of value and rigor your brokerage needs to deliver, and focusing on the right balance of security and flexibility, you can deliver a brokerage that delivers the best of all worlds.

    1. Define the brokerage value you want to deliver.
    2. Build the catalog and partner ecosystem.
    3. Understand how to maximize adoption and minimize disintermediation while maintaining architectural discipline and compliance.

    Info-Tech Insight

    Sometimes a brokerage delivery model makes sense, sometimes it doesn’t! Understanding the value addition you want your brokerage to provide before creating it allows you to not only avoid pitfalls and maximize benefits but also understand when a brokerage model does and doesn’t make sense in the first place.

    Project Overview

    Understand what value you want your brokerage to deliver

    Different institutions want brokerage delivery for different reasons. It’s important to define up front why your users need to work through a brokerage and what value that brokerage needs to deliver.

    What’s in the catalog? Is it there to consolidate and simplify billing and consumption? Or does it add value further up the technology stack or value chain? If so, how does that change the capabilities you need internally and from partners?

    Security and compliance are usually the highest priority

    Among institutions adopting cloud, a broker that can help deliver their defined security and compliance standards is an almost universal requirement. Especially in government institutions, this can mean the need to meet a high standard in both implementation and validation.

    The good news is that even if you lack the complete set of skills in-house, the high certification levels available from hyperscale providers combined with a growing ecosystem of service providers working on these platforms means you can usually find the right partner(s) to make it possible.

    The real goal: frictionless intermediation and enablement

    Ultimately, if end users can’t get what they need from you, they will go around you to get it. This challenge, which has always existed in IT, is further amplified in a cloud service world that offers users a cornucopia of options outside the brokerage. Furthermore, cloud users expect to be able to consume IT seamlessly. Without frictionless satisfaction of user demand your brokerage will become disintermediated, which risks your highest priorities of security and compliance.

    Understand the evolution: Info-Tech thought model

    While initial adoption of cloud brokerages in institutions was focused on ensuring the ability of IT to extend its traditional role as gatekeeper to the realm of cloud services, the focus has now shifted upstream to enabling ease of use and smart adoption of cloud services. This is evidenced clearly in examples like the US government’s renaming of its digital strategy from “Cloud First” to “Cloud Smart” and has been mirrored in other regions and institutions.

    Info-Tech Insights

    To avoid failure, you need to provide security and compliance.

    Basic user satisfaction means becoming a frictionless intermediary.

    Exceed expectations! Enabling brokers provide knowledge and guidance for the best usage of cloud.

    • Security & Compliance
    • Frictionless Intermediation
    • Cloud-Enabling Brokerage

    Define the role of a cloud broker

    Where do brokers fit in the cloud model?

    • NIST Definition: An entity that manages the use, performance, and delivery of cloud services and negotiates relationships between cloud providers and cloud consumers.
    • Similar to a telecom master agent, a cloud broker acts as the middle-person and end-user point of contact, consolidating the management of underlying providers.
    • A government or institutional cloud broker (GCB) is responsible for the delivery of all cloud services consumed by the departments or agencies it supports or that are mandated to use it.

    Balancing governance and agility

    Info-Tech Insight

    While GCBs fill a critical role as a control point for IT consumption, they can easily turn into a friction point for IT projects. It’s important to find the right balance between enabling compliance and providing frictionless usability.

    Model brokerage drivers and benefits

    Reduced costs: Security through standardization: Frictionless consumption: Avoid disinter-mediation; Maintain compliance; Leverage economies of scale; Ensure architecture discipline

    Maintain compliance and ensure architecture discipline: Brokerages can be an effective gating point for ensuring properly governed and managed IT consumption that meets the specific regulations and compliances required for an institution. It can also be a strong catalyst and enabler for moving to even more effective cloud consumption through automation.

    Avoid disintermediation: Especially in institutions, cloud brokers are a key tool in the fight against disintermediation – that is, end users circumventing your IT department’s procurement and governance by consuming an ad hoc cloud service.

    Leverage economies of scale: Simply put, consolidation of your cloud consumption drives effectiveness by making the most of your buying power.

    Info-Tech Insights

    Understanding the importance of each benefit type to your brokerage audience will help you define the type of brokerage you need to build and what skills and partners will be required to deliver the right value.

    The brokerage landscape

    The past ten years have seen governments and institutions evolve from basic acceptance of cloud services to the usage of cloud as the core of most IT initiatives.

    • As part of this evolution, many organizations now have well-defined standards and guidance for the implementation, procurement, and regulation of cloud services for their use.
    • Both Canada (Strategic Plan for Information Management and Information Technology) and the United States (Cloud Smart – formerly known as Cloud First) have recently updated their guidance on adoption of cloud services. The Australian Government has also recently updated its Cloud Computing Policy.
    • AWS and Azure both now claim Full FedRAMP (Federal Risk and Authorization Management Program) certification.
    • This has not only enabled easy adoption of these core hyperscale cloud service by government but also driven the proliferation of a large ecosystem of FedRAMP-authorized cloud service providers.
    • This trend started with government at the federal level but has cascaded downstream to provincial and municipal governments globally, and the same model seems likely to be adopted by other governments and other institution types over time.

    Info-Tech Insight

    The ecosystem of platforms and tools has grown significantly and examples of best practices, especially in government, are readily available. Once you’ve defined your brokerage’s value stance, the building blocks you need to deliver often don’t need to be built from scratch.

    Address the unique challenges of business-led IT in institutions

    With the business taking more accountability and management of their own technology, brokers must learn how to evolve from being gatekeepers to enablers.

    This image This lists the Cons of IT acting as a gatekeeper providing oversight, and the Pros of IT acting as an Enabler in an IT Partnership.  the Cons are: Restrict System Access; Deliver & Monitor Applications; Own Organizational Risk; Train the Business.  The Pros are: Manage Role-Based Access; Deliver & Monitor Platforms; Share Organizational Risk; Coach & Mentor the Business

    Turn brokerage pitfalls into opportunities

    The greatest risks in using a cloud broker come from its nature as a single point of distribution for service and support. Without resources (or automation) to enable scale, as well as responsive processes for supporting users in finding the right services and making those services available through the brokerage, you will lose alignment with your users’ needs, which inevitably leads to disintermediation, loss of IT control, and broken compliance

    Info-Tech Insights

    Standardization and automation are your friend when building a cloud brokerage! Sometimes this means having a flexible catalog of options and configurations, but great brokerages can deliver value by helping their users redefine and evolve their workloads to work more effectively in the cloud. This means providing guidance and facilitating the landing/transformation of users’ workloads in the cloud, the right way.

    Challenges Impact
    • Single point of failure
    • Managing capacity
    • Alignment of brokerage with underlying agencies
    • Additional layer of complexity
    • Inability to deliver service
    • Disintermediation
    • Broken security/compliance
    • Loss of cost control/purchasing power

    Validate your cloud brokerage strategy using Info-Tech’s approach

    Value Definition

    • Define your brokerage type and value addition

    Capabilities Mapping

    • Understand the partners and capabilities you need to be able to deliver

    Measuring Value

    • Define KPIs for both compliant delivery and frictionless intermediation

    Provide Cloud Excellence

    • Move from intermediation to enablement and help users land on the cloud the right way

    Define the categories for your brokerage’s benefit and value

    Depending on the type of brokerage, the value delivered may be as simple as billing consolidation, but many brokerages go much deeper in their value proposition.

    This image depicts a funnel, where the following inputs make up the Broker Value: Integration, Interface and Management Enhancement; User Identity and Risk Management/ Security & Compliance; Cost & Workload Efficiency, Service Aggregation

    Define the categories of brokerage value to add

    • Purchasing Agents save the purchaser time by researching services from different vendors and providing the customer with information about how to use cloud computing to support business goals.
    • Contract Managers may also be assigned power to negotiate contracts with cloud providers on behalf of the customer. In this scenario, the broker may distribute services across multiple vendors to achieve cost-effectiveness, while managing the technical and procurement complexity of dealing with multiple vendors.
      • The broker may provide users with an application program interface (API) and user interface (UI) that hides any complexity and allows the customer to work with their cloud services as if they were being purchased from a single vendor. This type of broker is sometimes referred to as a cloud aggregator.
    • Cloud Enablers can also provide the customer with additional services, such as managing the deduplication, encryption, and cloud data transfer and assisting with data lifecycle management and other activities.
    • Cloud Customizers integrate various underlying cloud services for customers to provide a custom offering under a white label or its own brand.
    • Cloud Agents are essentially the software version of a Contract Manager and act by automating and facilitating the distribution of work between different cloud service providers.

    Info-Tech Insights

    Remember that these categories are general guidelines! Depending on the requirements and value a brokerage needs to deliver, it may fit more than one category of broker type.

    Brokerage types and value addition

    Info-Tech Insights

    Each value addition your brokerage invests in delivering should tie to reinforcing efficiency, compliance, frictionlessness, or enablement.

    Value Addition Purchasing Agent Contract Manager Cloud Enabler Cloud Customizer Cloud Agent
    Underlying service selection

    Standard Activity

    Standard Activity Standard Activity Standard Activity Common Activity
    Support and info Standard Activity

    Common Activity

    Standard Activity Standard Activity Common Activity
    Contract lifecycle (pricing/negotiation) Standard Activity Common Activity Standard Activity
    Workload distribution (to underlying services) (aggregation) Common Activity Standard Activity Standard Activity Standard Activity
    Value-add or layered on services Standard Activity Common Activity
    Customization/integration of underlying services Standard Activity
    Automated workload distribution (i.e. software) Standard Activity

    Start by delivering value in these common brokerage service categories

    Security & Compliance

    • Reporting & Auditing
    • SIEM & SOC Services
    • Patching & Monitoring

    Cost Management

    • Right-Sizing
    • Billing Analysis
    • Anomaly Detection & Change Recommendations

    Data Management

    • Data Tiering
    • Localization Management
    • Data Warehouse/Lake Services

    Resilience & Reliability

    • Backup & Archive
    • Replication & Sync
    • DR & HA Management
    • Ransomware Prevention/Mitigation

    Cloud-Native & DevOps Enablement

    • Infrastructure as Code (IaC)
    • DevOps Tools & Processes
    • SDLC Automation Tools

    Design, Transformation, and Integration

    • CDN Integration
    • AI Tools Integration
    • SaaS Customizations

    Activity: Brokerage value design

    Who are you and who are you building this for?

    • Internal brokerage (i.e. you are a department in an organization that is tasked with providing IT resources to other internal groups)
      • No profit motivation
      • Primary goal is to maintain compliance and avoid disintermediation
    • Third-party brokerage (i.e. you are an MSP that needs to build a brokerage to provide a variety of downstream services and act as the single point of consumption for an organization)
      • Focus on value-addition to the downstream services you facilitate for your client
      • Increased requirement to quickly add new partners/services from downstream as required by your client

    What requirements and pains do you need to address?

    • Remember that in the world of cloud, users ultimately can go around IT to find the resources and tools they want to use. In short, if you don’t provide ease and value, they will get it somewhere else.
    • Assess the different types of cloud brokerages out there as a guide to what sort of value you want to deliver.

    Why are you creating a brokerage? There are several categories of driver and more than one may apply.

    • Compliance and security gating/validation
    • Cost consolidation and governance
    • Value-add or feature enhancement of raw/downstream services being consumed

    It’s important to clearly understand how best you can deliver unique value to ensure that they want to consume from you.

    This is an image of a Venn diagram between the following: Who are you trying to serve?; Why and how are you uniquely positioned to deliver?; What requirements do they have and what pain points can you help solve?.  Where all three circles overlap is the Brokerage Value Proposition.

    Understand the ecosystem you’ll require to deliver value

    GCB

    • Enabling Effectiveness
    • Cost Governance
    • Adoption and User Satisfaction
    • Security & Compliance

    Whatever value proposition and associated services your brokerage has defined, either internal resources or additional partners will be required to run the platform and processes you want to offer on top of the defined base cloud platforms.

    Info-Tech Insights

    Remember to always align your value adds and activities to the four key themes:

    • Efficiency
    • Compliance
    • Frictionlessness
    • Cloud Enablement

    Delivering value may require an ecosystem

    The additional value your broker delivers will depend on the tools and services you can layer on top of the base cloud platform(s) you support.

    In many cases, you may require different partners to fulfil similar functions across different base platforms. Although this increases complexity for the brokerage, it’s also a place where additional value can be delivered to end users by your role as a frictionless intermediary.

    Base Partner/Platform

    • Third-party software & platforms
    • Third-party automations & integrations
    • Third-party service partners
    • Internal value-add functions

    Build the ecosystem you need for your value proposition

    Leverage partners and automation to bake compliance in.

    Different value-add types (based on the category/categories of broker you’re targeting) require different additional platforms and partners to augment the base cloud service you’re brokering.

    Security & Config

    • IaC Tools
    • Cloud Resource Configuration Validation
    • Templating Tools
    • Security Platforms
    • SDN and Networking Platforms
    • Resilience (Backup/Replication/DR/HA) Platforms
    • Data & Storage Management
    • Compliance and Validation Platforms & Partners

    Cost Management

    • Subscription Hierarchy Management
    • Showback and Chargeback Logic
    • Cost Dashboarding and Thresholding
    • Governance and Intervention

    Adoption & User Satisfaction

    • Service Delivery SLAs
    • Support Process & Tools
    • Capacity/Availability Management
    • Portal Usability/UX

    Speed of Evolution

    • Partner and Catalog/Service Additions
    • Broker Catalog Roadmapping
    • User Request Capture (new services)
    • User Request Capture (exceptions)

    Build your features and services lists

    Incorporate your end user, business, and IT perspectives in defining the list of mandatory and desired features of your target solution.

    See our Implement a Proactive and Consistent Vendor Selection Process blueprint for information on procurement practices, including RFP templates.

    End User

    • Visual, drag-and-drop models to define data models, business logic, and user interfaces
    • One-click deployment
    • Self-healing application
    • Vendor-managed infrastructure
    • Active community and marketplace
    • Prebuilt templates and libraries
    • Optical character recognition and natural language processing

    Business

    • Audit and change logs
    • Theme and template builder
    • Template management
    • Knowledgebase and document management
    • Role-based access
    • Business value, operational costs, and other KPI monitoring
    • Regulatory compliance
    • Consistent design and user experience across applications
    • Business workflow automation

    IT

    • Application and system performance monitoring
    • Versioning and code management
    • Automatic application and system refactoring and recovery
    • Exception and error handling
    • Scalability (e.g. load balancing) and infrastructure management
    • Real-time debugging
    • Testing capabilities
    • Security management
    • Application integration management

    Understand the stakeholders

    Hyperscale Platform/Base Platform: Security; Compliance and Validation;Portal/Front-End; Cost Governance; Broker Value Add(s)

    Depending on the value-add(s) you are trying to deliver, as well as the requirements from your institution(s), you will have a different delineation of responsibilities for each of the value-add dimensions. Typically, there will be at least three stakeholders whose role needs to be considered for each dimension:

    • Base Cloud Provider
    • Third-Party Platforms/Service Providers
    • Internal Resources

    Info-Tech Insights

    It’s important to remember that the ecosystem of third-party options available to you in each case will likely be dependent on if a given partner operates or supports your chosen base provider.

    Define the value added by each stakeholder in your value chain

    Value Addition Cost Governance Security & Compliance Adoption and User Satisfaction New Service Addition Speed End-User Cloud Effectiveness
    Base platform(s)
    Third party
    Internal

    A basic table of the stakeholders and platforms involved in your value stream is a critical tool for aligning activities and partners with brokerage value.

    Remember to tie each value-add category you’re embarking on to at least one of the key themes!

    Cost Governance → Efficiency

    Security & Compliance → Compliance

    Adoption & User Satisfaction → Frictionlessness

    New Service Addition Responsiveness → Frictionlessness, Enablement

    End-User Cloud Effectiveness → Enablement

    Info-Tech Insights

    The expectations for how applications are consumed and what a user experience should look like is increasingly being guided by the business and by the disintermediating power of the cloud-app ecosystem.

    “Enabling brokers” help embrace business-led IT

    In environments where compliance and security are a must, the challenges of handing off application management to the business are even more complex. Great brokers learn to act not just as a gatekeeper but an enabler of business-led IT.

    Business Empowerment

    Organizations are looking to enhance their Agile and BizDevOps practices by shifting traditional IT practices left and toward the business.

    Changing Business Needs

    Organizational priorities are constantly changing. Cost reduction opportunities and competitive advantages are lost because of delayed delivery of features.

    Low Barrier to Entry

    Low- and no-code development tools, full-stack solutions, and plug-and-play architectures allow non-technical users to easily build and implement applications without significant internal technical support or expertise.

    Democratization of IT

    A wide range of digital applications, services, and information are readily available and continuously updated through vendor and public marketplaces and open-source communities.

    Technology-Savvy Business

    The business is motivated to learn more about the technology they use so that they can better integrate it into their processes.

    Balance usability and compliance: accelerate cloud effectiveness

    Move to being an accelerator and an enabler! Rather than creating an additional layer of complexity, we can use the abstraction of a cloud brokerage to bring a wide variety of value-adds and partners into the ecosystem without increasing complexity for end users.

    Manage the user experience

    • Your portal is a great source of data for optimizing user adoption and satisfaction.
    • Understand the KPIs that matter to your clients or client groups from both a technical and a service perspective.

    Be proactive and responsive in meeting changing needs

    • Determine dashboard consumption by partner view.
    • Regularly review and address the gaps in your catalog.
    • Provide an easy mechanism for adding user-demanded services.

    Think like a service provider

    • You do need to be able to communicate and even market internally new services and capabilities as you add them or people won't know to come to you to use them.
    • It's also critical in helping people move along the path to enablement and knowing what might be possible that they hadn't considered.

    Provide cloud excellence functions

    Enablement Broker

    • Mentorship & Training
      • Build the skills, knowledge, and experiences of application owners and managers with internal and external expertise.
    • Organizational Change Leadership
      • Facilitate cultural, governance, and other organizational changes through strong relationships with business and IT leadership.
    • Good Delivery Practices & Thinking
      • Develop, share, and maintain a toolkit of good software development lifecycle (SDLC) practices and techniques.
    • Knowledge Sharing
      • Centralize a knowledgebase of up-to-date and accurate documentation and develop community forums to facilitate knowledge transfer.
    • Technology Governance & Leadership
      • Implement the organizational standards, policies, and rules for all applications and platforms and coordinate growth and sprawl.
    • Shared Services & Integrations
      • Provide critical services and integrations to support end users with internal resources or approved third-party providers and partners.

    Gauge value with the right metrics

    Focus your effort on measuring key metrics.

    Category

    Purpose

    Examples

    Business Value – The amount of value and benefits delivered. Justify the investment and impact of the brokerage and its optimization to business operations. ROI, user productivity, end-user satisfaction, business operational costs, error rate
    Application Quality – Satisfaction of application quality standards. Evaluate organizational effort to address and maximize user satisfaction and adoption rates. Adoption rate, usage friction metrics, user satisfaction metrics
    Delivery Effectiveness – The delivery efficiency of changes. Enable members to increase their speed to effective deployment, operation, and innovation on cloud platforms. Speed of deployment, landing/migration success metrics

    Determine measures that demonstrate the value of your brokerage by aligning it with your quality definition, value drivers, and users’ goals and objectives. Recognize that your journey will require constant monitoring and refinement to adjust to situations that may arise as you adopt new products, standards, strategies, tactics, processes, and tools.

    Activity Output

    Ultimately, the goal is designing a brokerage that can evolve from gatekeeping to frictionless intermediation to cloud enablement.

    Maintain focus on the value proposition, your brokerage ecosystem, and the metrics that represent enablement for your users and avoid pitfalls and challenges from the beginning.

    Activity: Define your brokerage type and value addition; Understand the partners and capabilities you need to be able to deliver; Define KPIs for both delivery (compliance) and adoption (frictionlessness); Output: GCB Strategy Plan; Addresses: Why and when you should build a GCB; How to avoid pitfalls; How to maximize benefits; How to maximize responsiveness and user satisfaction; How to roadmap and add services with agility.

    Appendix

    Related blueprints and tools

    Document Your Cloud Strategy

    This blueprint covers aligning your value proposition with general cloud requirements.

    Define Your Digital Business Strategy

    Phase 1 of this research covers identifying value chains to be transformed.

    Embrace Business-Managed Applications

    Phase 1 of this research covers understanding the business-managed applications as a factor in developing a frictionless intermediary model.

    Implement a Proactive and Consistent Vendor Selection Process

    This blueprint provides information on partner selection and procurement practices, including RFP templates.

    Bibliography

    “3 Types of Cloud Brokers That Can Save the Cloud.” Cloud Computing Topics, n.d. Web.

    Australian Government Cloud Computing Policy. Government of Australia, October 2014. Web.

    “Cloud Smart Policy Overview.” CIO.gov, n.d. Web.

    “From Cloud First to Cloud Smart.” CIO.gov, n.d. Web.

    Gardner, Dana. “Cloud brokering: Building a cloud of clouds.” ZDNet, 22 April 2011. Web.

    Narcisi, Gina. “Cloud, Next-Gen Services Help Master Agents Grow Quickly And Beat 'The Squeeze' “As Connectivity Commissions Decline.” CRN, 14 June 2017. Web.

    Smith, Spencer. “Asigra calls out the perils of cloud brokerage model.” TechTarget, 28 June 2019. Web.

    Tan, Aaron. “Australia issues new cloud computing guidelines.” TechTarget, 27 July 2020. Web.

    The European Commission Cloud Strategy. ec.europa.eu, 16 May 2019. Web.

    “TrustRadius Review: Cloud Brokers 2022.” TrustRadius, 2022. Web.

    Yedlin, Debbie. “Pros and Cons of Using a Cloud Broker.” Technology & Business Integrators, 17 April 2015. Web.

    Cut Cost Through Effective IT Category Planning

    • Buy Link or Shortcode: {j2store}213|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Vendor Management
    • Parent Category Link: /vendor-management
    • IT departments typically approach sourcing a new vendor or negotiating a contract renewal as an ad hoc event.
    • There is a lack of understanding on how category planning governance can save money.
    • IT vendor “go to market” or sourcing activities are typically not planned and are a reaction to internal client demands or vendor contract expiration.

    Our Advice

    Critical Insight

    • Lack of knowledge of the benefits and features of category management, including the perception that the sourcing process takes too long, are two of the most common challenges that prevent IT from category planning.
    • Other challenges include the traditional view of contract renegotiation and vendor acquisition as a transactional event vs. an ongoing strategic process.
    • Finally, allocating resources and time to collect the data, vendor information, and marketing analysis prevents us from creating category plans.

    Impact and Result

    • An IT category plan establishes a consistent and proactive methodology or process to sourcing activities such as request for information (RFI), request for proposals, (RFPs), and direct negotiations with a specific vendor or“targeted negotiations” such as renewals.
    • The goal of an IT category plan is to leverage a strategic approach to vendor selection while identify cost optimizing opportunities that are aligned with IT strategy and budget objectives.

    Cut Cost Through Effective IT Category Planning Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should create an IT category plan to reduce your IT cost, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Create an IT category plan

    Use our three-step approach of Organize, Design, and Execute an IT Category Plan to get the most out of your IT budget while proactively planning your vendor negotiations.

    • IT Category Plan
    • IT Category Plan Metrics
    • IT Category Plan Review Presentation
    [infographic]

    Annual CIO Survey Report 2024

    • Buy Link or Shortcode: {j2store}106|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Innovation
    • Parent Category Link: /innovation

    CIOs today face increasing pressures, disruptive emerging technologies, talent shortages, and a slew of other challenges. What are their top concerns, priorities, and technology bets that will define the future direction of IT?

    CIO responses to our Future of IT 2024 survey reveal key insights on spending projects, the potential disruptions causing the most concern, plans for adopting emerging technology, and how firms are responding to generative AI.

    See how CIOs are sizing up the opportunities and threats of the year ahead

    Map your organization’s response to the external environment compared to CIOs across geographies and industries. Learn:

    • The CIO view on continuing concerns such as cybersecurity.
    • Where they rate their IT department’s maturity.
    • What their biggest concerns and budget increases are.
    • How they’re approaching third-party generative AI tools.

    Annual CIO Survey Report 2024 Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Future of IT Survey 2024 – A summary of key insights from the CIO responses to our Future of IT 2024 survey.

    Take the pulse of the IT industry and see how CIOs are planning to approach 2024.

    • Annual CIO Survey Report for 2024
    [infographic]

    Further reading

    Annual CIO Survey Report 2024

    An inaugural look at what's on the minds of CIOs.

    1. Firmographics

    • Region
    • Title
    • Organization Size
    • IT Budget Size
    • Industry

    Firmographics

    The majority of CIO responses came from North America. Contributors represent regions from around the world.

    Countries / Regions Response %
    United States 47.18%
    Canada 11.86%
    Australia 9.60%
    Africa 6.50%
    China 0.28%
    Germany 1.13%
    United Kingdom 5.37%
    India 1.41%
    Brazil 1.98%
    Mexico 0.56%
    Middle East 4.80%
    Asia 0.28%
    Other country in Europe 4.52%

    n=354

    Firmographics

    A typical CIO respondent held a C-level position at a small to mid-sized organization.

    Half of CIOs hold a C-level position, 10% are VP-level, and 20% are director level

    Pie Chart of CIO positions

    38% of respondents are from an organization with above 1,000 employees

    Pie chart of size of organizations

    Firmographics

    A typical CIO respondent held a C-level position at a small to mid-sized organization.

    40% of CIOs report an annual budget of more than $10 million

    Pie chart of CIO annual budget

    A range of industries are represented, with 29% of respondents in the public sector or financial services

    Range of industries

    2. Key Factors

    • IT Maturity
    • Disruptive Factors
    • IT Spending Plans
    • Talent Shortage

    Two in three respondents say IT can deliver outcomes that Support or Optimize the business

    IT drives outcomes

    Most CIOs are concerned with cybersecurity disruptions, and one in four expect a budget increase of above 10%

    How likely is it that the following factors will disrupt your business in the next 12 months?

    Chart for factors that will disrupt your business

    Looking ahead to 2024, how will your organization's IT spending change compared to spending in 2023?

    Chart of IT spending change

    3. Adoption of Emerging Technology

    • Fastest growing tech for 2024 and beyond

    CIOs plan the most new spend on AI in 2024 and on mixed reality after 2024

    Top five technologies for new spending planned in 2024:

    1. Artificial intelligence - 35%
    2. Robotic process automation or intelligent process automation - 24%
    3. No-code/low-code platforms - 21%
    4. Data management solutions - 14%
    5. Internet of Things (IoT) - 13%

    Top five technologies for new spending planned after 2024:

    1. Mixed reality - 20%
    2. Blockchain - 19%
    3. Internet of Things (IoT) - 17%
    4. Robotics/drones - 16%
    5. Robotic process automation or intelligent process automation - 14%

    n=301

    Info-Tech Insight
    Three in four CIOs say they have no plans to invest in quantum computing, more than any other technology with no spending plans.

    4. Adoption of AI

    • Interest in generative AI applications
    • Tasks to be completed with AI
    • Progress in deploying AI

    CIOs are most interested in industry-specific generative AI applications or text-based

    Rate your business interest in adopting the following generative AI applications:

    Chart for interest in AI

    There is interest across all types of generative AI applications. CIOs are least interested in visual media generators, rating it just 2.4 out of 5 on average.

    n=251

    Info-Tech Insight
    Examples of generative AI solutions specific to the legal industry include Litigate, CoCounsel, and Harvey.

    By the end of 2024, CIOs most often plan to use AI for analytics and repetitive tasks

    Most popular use cases for AI by end of 2024:

    1. Business analytics or intelligence - 69%
    2. Automate repetitive, low-level tasks - 68%
    3. Identify risks and improve security - 66%
    4. IT operations - 62%
    5. Conversational AI or virtual assistants - 57%

    Fastest growing uses cases for AI in 2024:

    1. Automate repetitive, low-level tasks - 39%
    2. IT operations - 38%
    3. Conversational AI or virtual assistants - 36%
    4. Business analytics or intelligence - 35%
    5. Identify risks and improve security - 32%

    n=218

    Info-Tech Insight
    The least popular use case for AI is to help define business strategy, with 45% saying they have no plans for it.

    One in three CIOs are running AI pilots or are more advanced with deployment

    How far have you progressed in the use of AI?

    Chart of progress in use of AI

    Info-Tech Insight
    Almost half of CIOs say ChatGPT has been a catalyst for their business to adopt new AI initiatives.

    5. AI Risk

    • Perceived impact of AI
    • Approach to third-party AI tools
    • AI features in business applications
    • AI governance and accountability

    Six in ten CIOs say AI will have a positive impact on their organization

    What overall impact do you expect AI to have on your organization?

    Overall impact of AI on organization

    The majority of CIOs are waiting for professional-grade generative AI tools

    Which of the following best describes your organization's approach to third-party generative AI tools (such as ChatGPT or Midjourney)?

    Third-party generative AI

    Info-Tech Insight
    Business concerns over intellectual property and sensitive data exposure led OpenAI to announce ChatGPT won't use data submitted via its API for model training unless customers opt in to do so. ChatGPT users can also disable chat history to avoid having their data used for model training (OpenAI).

    One in three CIOs say they are accountable for AI, and the majority are exploring it cautiously

    Who in your organization is accountable for governance of AI?

    Governance of AI

    More than one-third of CIOs say no AI governance steps are in place today

    What AI governance steps does your organization have in place today?

    Chart of AI governance steps

    Among organizations that plan to invest in AI in 2024, 30% still say there are no steps in place for AI governance. The most popular steps to take are to publish clear explanations about how AI is used, and to conduct impact assessments (n=170).

    Chart of AI governance steps

    Among all CIOs, including those that do not plan to invest in AI next year, 37% say no steps are being taken toward AI governance today (n=243).

    6. Contribute to Info-Tech's Research Community

    • Volunteer to be interviewed
    • Attend LIVE in Las Vegas

    It's not too late; take the Future of IT online survey

    Contribute to our tech trends insights

    If you haven't already contributed to our Future of IT online survey, we are keeping the survey open to continue to collect insights and inform our research reports and agenda planning process. You can take the survey today. Those that complete the survey will be sent a complimentary Tech Trends 2024 report.

    Complete an interview for the Future of IT research project

    Help us chart the future course of IT

    If you are receiving this for completing the Future of IT online survey, thank you for your contribution. If you are interested in further participation and would like to provide a complementary interview, please get in touch at brian.Jackson@infotech.com. All interview subjects must also complete the online survey.

    If you've already completed an interview, thank you very much, and you can look forward to seeing more impacts of your contribution in the near future.

    LIVE 2023

    Methodology

    All data in this report is from Info-Tech's Future of IT online survey 2023 edition.

    A CIO focus for the Future of IT

    Data in this report represents respondents to the Future of IT online survey conducted by Info-Tech Research Group between May 11 and July 7, 2023.

    Only CIO respondents were selected for this report, defined as those who indicated they are the most senior member of their organization's IT department.

    This data segment reflects 355 total responses with 239 completing every question on the survey.

    Further data from the Future of IT online survey and the accompanying interview process will be featured in Info-Tech's Tech Trends 2024 report this fall and in forthcoming Priorities reports including Applications, Data & EA, CIO, Infrastructure, and Security.

    Acquire the Right Hires with Effective Interviewing

    • Buy Link or Shortcode: {j2store}576|cart{/j2store}
    • member rating overall impact: 8.5/10 Overall Impact
    • member rating average dollars saved: $15,749 Average $ Saved
    • member rating average days saved: 2 Average Days Saved
    • Parent Category Name: Attract & Select
    • Parent Category Link: /attract-and-select
    • Scope: Acquiring the best talent relies heavily on an effective interviewing process, which involves the strategic preparation of stakeholders, including interviewers. Asking the most effective questions will draw out the most appropriate information to best assess the candidate. Evaluating the interview process and recording best practices will inspire continuous interviewing improvement within the organization.
    • Challenge: The majority of organizations do not have a solid interviewing process in place, and most interviewers are not practiced at interviewing. This results in many poor hiring decisions, costing the organization in many ways. Upsizing is on the horizon, the competition for good talent is escalating, and distinguishing between a good interviewee and a good candidate fit for a position is becoming more difficult.
    • Pain/Risk: Although properly preparing for and conducting an interview requires additional time on the part of HR, the hiring manager, and all interviewers involved, the long-term benefits of an effective interview process positively affect the organization’s bottom line and company morale.

    Our Advice

    Critical Insight

    • Most interviewers are not as good as they think they are, resulting in many poor hiring decisions. A poor hire can cost an organization up to 15 times the position’s annual salary, as well as hurt employee morale.
    • The Human Resources department needs to take responsibility for an effective interview process, but the business needs to take responsibility for developing its new hire needs, and assessing the candidates using the best questions and the most effective interview types and techniques.
    • All individuals with a stake in the interview process need to invest sufficient time to help define the ideal candidate, understand their roles and decision rights in the process, and prepare individually to interview effectively.
    • There are hundreds of different interview types, techniques, and tools for an organization to use, but the most practiced and most effective is behavioral interviewing.
    • There is no right interview type and technique. Each hiring scenario needs to be evaluated to pick the appropriate type and technique that should be practiced, and the right questions that should be asked.

    Impact and Result

    • Gain insight into and understand the need for a strong interview process.
    • Strategize and plan your organization’s interview process, including how to make up an ideal candidate profile, who should be involved in the process, and how to effectively match interview types, techniques, and questions to assess the ideal candidate attributes.
    • Understand various hiring scenarios, and how an interview process may be modified to reflect your organization’s scenario.
    • Learn about the most common interview types and techniques, when they are appropriate to use, and best practices around using them effectively.
    • Evaluate your interview process and yourself as an interviewer to better inform future candidate interviewing strategy.

    Acquire the Right Hires with Effective Interviewing Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Implement an effective interview and continuous improvement process

    Acquire the right hire.

    • Storyboard: Acquire the Right Hires with Effective Interviewing

    2. Document all aspects of your interview strategy and plan with stakeholders

    Ensure an effective and seamless interview process.

    • Candidate Interview Strategy and Planning Guide

    3. Recognize common interviewing errors and study best practices to address these errors

    Be an effective interviewer.

    • Screening Interview Template
    • Interview Guide Template
    • Supplement: Quick Fixes to Common Interview Errors
    • Pre-interview Guide for Interviewers
    • Candidate Communication Template
    [infographic]

    Improve Your IT Recruitment Process

    • Buy Link or Shortcode: {j2store}578|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Attract & Select
    • Parent Category Link: /attract-and-select

    Business and IT leaders aiming to recruit and select the best talent need to:

    • Get involved in the talent acquisition process at key moments.
    • Market their organization to top talent through an authentic employer brand.
    • Create engaging and accurate job ads.
    • Leverage purposeful sourcing for anticipated talent needs.
    • Effectively assess candidates with a strong interview process.
    • Set up new employees for success.

    Our Advice

    Critical Insight

    To create a great candidate experience, IT departments must be involved in the process at key points, recruitment and selection is not a job for HR alone!

    Impact and Result

    • Use this how-to guide to articulate an authentic (employee value proposition) EVP and employer brand.
    • Perform an analysis of current sourcing methods and build an action plan to get IT involved.
    • Create an effective and engaging job ad to insure the right people are applying.
    • Train hiring managers to effectively deliver interviews that correctly assess candidate suitability.
    • Get links to in-depth Info-Tech resources and tools.

    Improve Your IT Recruitment Process Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Improve Your IT Recruitment Process – A guide to help you attract and select the best talent.

    Train your IT department to get involved in the recruitment process to attract and select the best talent.

    • Improve Your IT Recruitment Process Capstone Deck

    2. Improve Your IT Recruitment Process Workbook – A tool to document your action plans.

    Use this tool in conjunction with the Improve you IT Recruitment Process to document your action plans

    • Improve Your IT Recruitment Process Workbook

    3. Interview Guide Template – A template to organize interview questions and their rating scales, take notes during the interview, and ensure all interviews follow a similar structure.

    To get useful information from an interview, the interviewer should be focused on what candidates are saying and how they are saying it, not on what the next question will be, what probes to ask, or how they will score the responses. This Interview Guide Template will help interviewers stay focused and collect good information about candidates.

    • Interview Guide Template

    4. IT Behavioral Interview Question Library – A tool that contains a complete list of sample questions aligned with core, leadership, and IT competencies.

    Hiring managers can choose from a comprehensive collection of core, functional, and leadership competency-based behavioral interview questions.

    • IT Behavioral Interview Question Library

    5. Job Ad Template – A template to allow complete documentation of the characteristics, responsibilities, and requirements for a given job posting in IT.

    Use this template to develop a well-written job posting that will attract the star candidates and, in turn, deflect submission of irrelevant applications by those unqualified.

    • Job Ad Template

    6. Idea Catalog – A tool to evaluate virtual TA solutions.

    The most innovative technology isn’t necessarily the right solution. Review talent acquisition (TA) solutions and evaluate the purpose each option serves in addressing critical challenges and replacing critical in-person activities.

    • Idea Catalog: Adapt the Talent Acquisition Process to a Virtual Environment
    [infographic]

    Workshop: Improve Your IT Recruitment Process

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Employee Value Proposition and Employer Branding

    The Purpose

    Establish the employee value proposition (EVP) and employer brand.

    Key Benefits Achieved

    Have a well-defined EVP that you communicate through your employer brand.

    Activities

    1.1 Gather feedback.

    1.2 Build key messages.

    1.3 Assess employer brand.

    Outputs

    Content and themes surrounding the EVP

    Draft EVP and supporting statements

    A clearer understanding of the current employer brand and how it could be improved

    2 Job Ads and Sourcing

    The Purpose

    Develop job postings and build a strong sourcing program.

    Key Benefits Achieved

    Create the framework for an effective job posting and analyze existing sourcing methods.

    Activities

    2.1 Review and update your job ads.

    2.2 Review the effectiveness of existing sourcing programs.

    2.3 Review job ads and sourcing methods for bias.

    Outputs

    Updated job ad

    Low usage sourcing methods identified for development

    Minimize bias present in ads and sourcing methods

    3 Effective Interviewing

    The Purpose

    Create a high-quality interview process to improve candidate assessment.

    Key Benefits Achieved

    Training on being an effective interviewer.

    Activities

    3.1 Create an ideal candidate scorecard.

    3.2 Map out your interview process.

    3.3 Practice behavioral interviews.

    Outputs

    Ideal candidate persona

    Finalized interview and assessment process

    Practice interviews

    4 Onboarding and Action Plan

    The Purpose

    Drive employee engagement and retention with a robust program that acclimates, guides, and develops new hires.

    Key Benefits Achieved

    Evaluation of current onboarding practice.

    Activities

    4.1 Evaluate and redesign the onboarding program.

    Outputs

    Determine new onboarding activities to fill identified gaps.

    Further reading

    Improve Your IT Recruitment Process

    Train your IT department to get involved in the recruitment process to attract and select the best talent.

    Own the IT recruitment process

    Train your IT department to get involved in the recruitment process to attract and select the best talent.

    Follow this blueprint to:

    • Define and communicate the unique benefits of working for your organization to potential candidates through a strong employer brand.
    • Learn best practices around creating effective job postings.
    • Target your job posting efforts on the areas with the greatest ROI.
    • Create and deliver an effective, seamless, and positive interview and offer process for candidates.
    • Acclimate new hires and set them up for success.

    Get involved at key moments of the candidate experience to have the biggest impact


    Employee Value Proposition (EVP) and Employer Brand



    Job Postings and a Strong Sourcing Program

    Effective Interviewing

    Onboarding: Setting up New Hires For Success

    Awareness Research Application Screening Interview and Assessment Follow Up Onboarding

    RECRUIT QUALITY STAFF

    Hiring talent is critical to organizational success

    Talent is a priority for the entire organization:

    Respondents rated “recruitment” as the top issue facing organizations today (McLean & Company 2022 HR Trends Report).

    37% of IT departments are outsourcing roles to fill internal skill shortages (Info-Tech Talent Trends 2022 Survey).

    Yet bad hires are alarmingly common:

    Hiring is one of the least successful business processes, with three-quarters of managers reporting that they have made a bad hire (Robert Half, 2021).

    48% of survey respondents stated improving the quality of hires was the top recruiting priority for 2021 (Jobvite, 2021).

    Workshop overview

    Prework

    Day 1

    Day 2

    Day 3

    Day 4

    Post work

    Current Process and Job Descriptions Documented

    Establish the Employee Value Proposition (EVP) and Employer Brand

    Develop Job Postings and Build a Strong Sourcing Program

    Effective Interviewing

    Onboarding and Action Planning

    Putting the Action Plan Into Action!

    Activities

    • Recruitment Process Mapped Out and Stakeholders Identified
    • Prepare a JD and JP for Four Priority Jobs
    • Collect Information on Where Your Best Candidates Are Coming From

    1.1 Introduce the Concept of an EVP

    1.2 Brainstorm Unique Benefits of Working at Your Organization

    1.2 Employer Brand Introduction

    2.1 What Makes an Attractive Job Posting

    2.2 Create the Framework for Job Posting

    2.3 Improve the Sourcing Process

    2.4 Review Process for Bias

    3.1 Creating an Interview Process

    3.2 Selecting Interview Questions

    3.3 Avoiding Bias During Interviews

    3.4 Practice Interviews

    4.1 Why Onboarding Matters

    4.2 Acclimatize New Hires and Set Them Up for Success

    4.3 Action Plan

    5.1 Review Outputs and Select Priorities

    5.2 Consult With HR and Senior Management to Get Buy-In

    5.3 Plan to Avoid Relapse Behaviors

    Deliverables

    1. EVP draft completed
    2. Employer brand action plan
    1. Organization-specific job posting framework
    2. Sourcing Plan Template for four priority jobs
    3. Sourcing action plan
    1. Completed Interview Guide Template
    2. Managers practice a panel interview
    1. Onboarding best practices
    2. Action plan

    Enhance Your Recruitment Strategies

    The way you position the organization impacts who is likely to apply to posted positions.

    Develop a strong employee value proposition

    What is an employee value proposition?

    And what are the key components?

    The employee value proposition is your opportunity to showcase the unique benefits and opportunities of working at your organization, allowing you to attract a wider pool of candidates.

    AN EMPLOYEE VALUE PROPOSITION IS:

    AN EMPLOYEE VALUE PROPOSITION IS NOT:

    • An authentic representation of the employee experience
    • Aligned with organizational culture
    • Fundamental to all stages of the employee lifecycle
    • A guide to help investment in programs and policies
    • Short and succinct
    • What the employee can do for you
    • A list of programs and policies
    • An annual project

    THE FOUR KEY COMPONENTS OF AN EMPLOYEE VALUE PROPOSITION

    Rewards

    Organizational Elements

    Working Conditions

    Day-to-Day Job Elements

    • Compensation
    • Health Benefits
    • Retirement Benefits
    • Vacation
    • Culture
    • Customer Focus
    • Organization Potential
    • Department Relationships
    • Senior Management Relationships
    • Work/Life Balance
    • Working Environment
    • Employee Empowerment
    • Development
    • Rewards & Recognition
    • Co-Worker Relationships
    • Manager Relationships

    Creating a compelling EVP that presents a picture of your employee experience, with a focus on diversity, will attract a wide pool of diverse candidates to your team. This can lead to many internal and external benefits for your organization.

    How to collect information on your EVP

    Existing Employee Value Proposition: If your organization or IT department has an existing employee value proposition, rather than starting from scratch, we recommend leveraging that and moving to the testing phase to see if the EVP still resonates with staff and external parties.

    Employee Engagement Results: If your organization does an employee engagement survey, review the results to identify the areas in which the IT organization is performing well. Identify and document any key comment themes in the report around why employees enjoy working for the organization or what makes your IT department a great place to work.

    Social Media Sites. Prepare for the good, the bad, and the ugly. Social media websites like Glassdoor and Indeed make it easier for employees to share their experiences at an organization honestly and candidly. While postings on these sites won’t relate exclusively to the IT department, they do invite participants to identify their department in the organization. You can search these to identify any positive things people are saying about working for the organization and potentially opportunities for improvement (which you can use as a starting point in the retention section of this report).

    1.1 Gather feedback

    1. Download the Improve Your IT Recruitment Workbook.
    2. On tab 1.1, brainstorm the top five things you value most about working at the organization. Ask yourself what would fall in each category and identify any key themes. Be sure to take note of any specific quotes you have.
    3. Brainstorm limitations that the organization currently has in each of those areas.

    Download the Recruitment Workbook

    Input

    Output
    • Employee opinions
    • Employee responses to four EVP components
    • Content for EVP

    Materials

    Participants

    • Recruitment Workbook
    • Diverse employees
    • Different departments
    • Different role levels

    1.2 Build key messages

    1. Go to tab 1.2 in your workbook
    2. Identify themes from activity 1.1 that would be considered current strengths of you organization.
    3. Identify themes from activity 1.2 that are aspirational elements of your organization.
    4. Identify up to four key statements to focus on for the EVP, ensuring that your EVP speaks to at least one of the five categories above.
    5. Integrate these into one overall statement.

    Examples below.

    Input

    Output
    • Feedback from focus groups
    • EVP and supporting statements

    Materials

    Participants

    • Workbook handout
    • Pen and paper for documenting responses
    • IT leadership team

    Sample EVPs

    Shopify

    “We’re Shopify. Our mission is to make commerce better for everyone – but we’re not the workplace for everyone. We thrive on change, operate on trust, and leverage the diverse perspectives of people on our team in everything we do. We solve problems at a rapid pace. In short, we get shit done.”

    Bettercloud

    “At Bettercloud, we have a smart, ambitious team dedicated to delighting our customers. Our culture of ownership and transparency empowers our team to achieve goals they didn’t think possible. For all those on board, it’s going to be a challenging and rewarding journey – and we’re just getting started.”

    Ellevest

    “As a team member at Ellevest, you can expect to make a difference through your work, to have a direct impact on the achievement of a very meaningful mission, to significantly advance your career trajectory, and to have room for fun and fulfillment in your daily life. We know that achieving a mission as critical as ours requires incredible talent and teamwork, and team is the most important thing to us.”

    Sources: Built In, 2021; Workology, 2022

    Ensure your EVP resonates with employees and prospects

    Test your EVP with internal and external audiences.

    INTERNAL TEST REVOLVES AROUND THE 3A’s

    EXTERNAL TEST REVOLVES AROUND THE 3C’s

    ALIGNED: The EVP is in line with the organization’s purpose, vision, values, and processes. Ensure policies and programs are aligned with the organization’s EVP.

    CLEAR: The EVP is straightforward, simple, and easy to understand. Without a clear message in the market, even the best intentioned EVPs can be lost in confusion.

    ACCURATE: The EVP is clear and compelling, supported by proof points. It captures the true employee experience, which matches the organization’s communication and message in the market.

    COMPELLING: The EVP emphasizes the value created for employees and is a strong motivator to join this organization. A strong EVP will be effective in drawing in external candidates. The message will resonate with them and attract them to your organization.

    ASPIRATIONAL: The EVP inspires both individuals and the IT organization as a whole. Identify and invest in the areas that are sure to generate the highest returns for employees.

    COMPREHENSIVE: The EVP provides enough information for the potential employee to understand the true employee experience and to self-assess whether they are a good fit for your organization. If the EVP lacks depth, the potential employee may have a hard time understanding the benefits and rewards of working for your organization.

    Want to learn more?

    Recruit IT Talent

    • Improve candidate experience to hire top IT talent.

    Recruit and Retain More Women in IT

    • Gender diversity is directly correlated to IT performance.

    Recruit and Retain People of Color in IT

    • Good business, not just good philanthropy.

    Enhance Your Recruitment Strategies

    The way you position the organization impacts who is likely to apply to posted positions.

    Market your EVP to potential candidates: Employer Brand

    Employer brand includes how you market the EVP internally and externally – consistency is key

    The employer brand is the perception internal and external stakeholders hold of the organization and exists whether it has been curated or not. Curating the employer brand involves marketing the organization and employee experience. Grounding your employer brand in your EVP enables you to communicate and market an accurate portrayal of your organization and employee experience and make you desirable to both current and potential employees.

    The image contains a picture of several shapes. There is a trapezoid that is labelled EVP, and has a an arrow pointing to the text beside it. There is also an arrowing pointing down from it to another trapezoid that is labelled Employer Brand.

    The unique offering an employer provides to employees in return for their effort, motivating them to join or remain at the organization.

    The perception internal and external stakeholders hold of the organization.

    Alignment between the EVP, employer brand, and corporate brand is the ideal branding package. An in-sync marketing strategy ensures stakeholders perceive and experience the brand the same way, creating brand ambassadors.

    The image contains three circles that are connected. The circles are labelled: EVP, Employer Brand, Corporate Brand.

    Ensure your branding material creates a connection

    How you present your employer brand is just as important as the content. Ideally, you want the viewer to connect with and personalize the material for the message to have staying power. Use Marketing’s expertise to help craft impactful promotional materials to engage and excite the viewer.

    Visuals

    Images are often the first thing viewers notice. Use visuals that connect to your employer brand to engage the viewer’s attention and increase the likelihood that your message will resonate. However, if there are too many visuals this may detract from your content – balance is key!

    Language

    Wordsmithing is often the most difficult aspect of marketing. Your message should be accurate, informative, and engaging. Work with Marketing to ensure your wording is clever and succinct – the more concise, the better.

    Composition

    Integrate visuals and language to complete your marketing package. Ensure that the text and images are balanced to draw in the viewer.

    Case Study: Using culture to drive your talent pool

    This case study is happening in real time. Please check back to learn more as Goddard continues to recruit for the position.

    Recruiting at NASA

    Goddard Space Center is the largest of NASA’s space centers with approximately 11,000 employees. It is currently recruiting for a senior technical role for commercial launches. The position requires consulting and working with external partners and vendors.

    NASA is a highly desirable employer due to its strong culture of inclusivity, belonging, teamwork, learning, and growth. Its culture is anchored by a compelling vision, “For the betterment of Humankind,” and amplified by a strong leadership team that actively lives their mission and vision daily.

    Firsthand lists NASA as #1 on the 50 most prestigious internships for 2022.

    Rural location and no flexible work options add to the complexity of recruiting

    The position is in a rural area of Eastern Shore Virginia with a population of approximately 60,000 people, which translates to a small pool of candidates. Any hire from outside the area will be expected to relocate as the senior technician must be onsite to support launches twice a month. Financial relocation support is not offered and the position is a two-year assignment with the option of extension that could eventually become permanent.

    The image contains a picture of Steve Thornton.

    “Looking for a Talent Unicorn: a qualified, experienced candidate with both leadership skills and deep technical expertise that can grow and learn with emerging technologies.”

    Steve Thornton

    Acting Division Chief, Solutions Division, Goddard Space Flight Center, NASA

    Case Study: Using culture to drive your talent pool

    A good brand overcomes challenges.

    Culture takes the lead in NASA's job postings, which attract a high number of candidates. Postings begin with a link to a short video on working at NASA, its history, and how it lives its vision. The video highlights NASA's diversity of perspectives, career development, and learning opportunities.

    NASA's company brand and employer brand are tightly intertwined, providing a consistent view of the organization.

    The employer vision is presented in the best place to reach NASA's ideal candidate: usajobs.gov, the official website of the United States Government and the “go-to” for government job listings. NASA also extends its postings to other generic job sites as well as LinkedIn and professional associations.

    The image contains a picture of Robert Leahy.

    Interview with Robert Leahy

    Chief Information Officer, Goddard Space Flight Center, NASA

    2.1 Assess your organization’s employer brand

    1. Go to tab 2.1 in the Improve Your IT Recruitment Workbook.
    2. Put yourself in the shoes of someone on the outside looking in. If they were to look up your organization, what impression would they be given about what is like to work there?
    3. Run a Google search on your organization with key words “jobs,” “culture,” and “working environment” to see what a potential candidate would see when they begin researching your organization.
    4. You can use sites like:

    • Glassdoor
    • Indeed company pages
    • LinkedIn company pages
    • Social media
    • Your own website
  • Identify what your organization is doing well and record that under the “Continue” box in your workbook.
  • Record anything your organization should stop doing under the “Stop” box.
  • Brainstorm some ideas that your organization should think about implementing to improve the employer brand under the “Start” Box.
  • Input Output
    • Existing branding material on the internet
    • A clearer understanding of the current employer brand and how it could be improved
    Materials Participants
    • Workbook handout
    • Senior IT Leaders

    Want to learn more?

    Recruit IT Talent

    • Improve candidate experience to hire top IT talent.

    Recruit and Retain More Women in IT

    • Gender diversity is directly correlated to IT performance.

    Recruit and Retain People of Color in IT

    • Good business, not just good philanthropy.

    Enhance Your Recruitment Strategies

    The way you position the organization impacts who is likely to apply to posted positions.

    Create engaging job ads to attract talent to the organization

    We have a job description; can I just post that on Indeed?

    A job description is an internal document that includes sections such as general job information, major responsibilities, key relationships, qualifications, and competencies. It communicates job expectations to incumbents and key job data to HR programs.

    A job ad is an externally facing document that advertises a position with the intent of attracting job applicants. It contains key elements from the job description as well as information on the organization and its EVP.

    Write an Effective Job Ad

    • Ensure that your job ad speaks to the audience you are targeting through the language you use.
      • E.g. If you are hiring for a creative role, use creative language and formatting. If you are writing for students, emphasize growth opportunities.
    • Highlight the organization’s EVP.
    • Paint an accurate picture of key aspects of the role but avoid the nitty gritty as it may overwhelm applicants.
    • Link to your organization’s website and social media platforms so applicants can easily find more information.

    A job description informs a job ad, it doesn’t replace it. Don’t be lulled into using a job description as a posting when there’s a time crunch to fill a position. Refer to job postings as job advertisements to reinforce that their purpose is to attract attention and talent.

    An effective job posting contains the following elements:

    Position Title
    • Clearly defined job titles are important for screening applicants as this is one of the first things the candidate will read.
    • Indicating the earnings range that the position pays cuts out time spent on reviewing candidates who may never accept the position and saves them from applying to a job that doesn’t match what they are looking for.
    Company
    • Provide a brief description of the organization including the products or services it offers, the corporate culture, and any training and career development programs.
    Summary Description
    • Describe briefly why the position exists. In other words, what is the position's primary purpose? The statement should include the overall results the job is intended to produce and some of the key means by which the position achieves these results.
    Responsibilities
    • Use bullet points to list the fundamental accountabilities of the position. Candidates want to know what they will be doing on a day-to-day basis.
    • Begin each responsibility or accountability statement with an action word and follow with a brief phrase to describe what is done to accomplish the function.
    Position Characteristics
    • Give examples of key problems and thinking challenges encountered by the position. Describe the type of analysis or creativity required to resolve these problems.
    • Provide examples of final decision-making authority. The examples should reflect the constraints placed on the position by people, policies, and/or procedures.
    Position Requirements
    • List all formal education and certifications required.
    • List all knowledge and experience required.
    • List all personal attributes required.
    Work Conditions
    • List all work conditions that the employee must accommodate. This could include any sensory, physical, or mental requirements of the position or any special conditions of employment, such as hours.
    Process to Apply
    • Include the methods in which the organization wants to receive applications and contact information of who will receive the applications.

    Bottom Line: A truly successful job posting ferrets out those hidden stars that may be over cautious and filters out hundreds of applications from the woefully under qualified.

    The do’s and don’ts of an inclusive job ad

    DON’T overlook the power of words. Avoid phrases like “strong English language skills” as this may deter non-native English speakers from applying and a “clean-shaven” requirement can exclude candidates whose faith requires them to maintain facial hair.

    DON’T post a long requirements list. A study showed that the average jobseeker spends only 49.7 seconds reviewing a listing before deciding it's not a fit.*

    DON’T present a toxic work culture; phrases such as “work hard, play hard” can put off many candidates and play into the “bro- culture” stereotype in tech.

    Position Title: Senior Lorem Ipsum

    Salary Band: $XXX to $XXX

    Diversity is a core value at ACME Inc. We believe that diversity and inclusion is our strength, and we’re passionate about building an environment where all employees are valued and can perform at their best.

    As a … you will …

    Our ideal candidate ….

    Required Education and Experience

    • Bachelor’s degree in …
    • Minimum five (5) years …

    Required Skills

    Preferred Skills

    At ACME Inc. you will find …

    DO promote pay equity by being up front and honest about salary expectations.

    DO emphasize your organization’s commitment to diversity and an inclusive workplace by adding an equity statement.

    DO limit your requirements to “must haves” or at least showcase them first before the “nice-to-haves.”

    DO involve current employees or members of your employee resource groups when creating job descriptions to ensure that they ask for what you really need.

    DO focus on company values and criteria that are important to the job, not just what’s always been done.

    *Source: Ladders, 2013

    Before posting the job ad complete the DEI job posting validation checklist

    Does the job posting highlight your organization’s EVP

    Does the job posting avoid words that might discourage women, people of color, and other members of underrepresented groups from applying?

    Has the position description been carefully reviewed and revised to reflect current and future expectations for the position, rather than expectations informed by the persons who have previously held the job?

    Has the hiring committee eliminated any unnecessary job skills or requirements (college degree, years or type of previous experience, etc.) that might negatively impact recruitment of underrepresented groups?

    Has the hiring committee posted the job in places (job boards, websites, colleges, etc.) where applicants from underrepresented groups will be able to easily view or access it?

    Have members of the hiring committee attended job fairs or other events hosted by underrepresented groups?

    Has the hiring committee asked current employees from underrepresented groups to spread the word about the position?

    Has the hiring committee worked with the marketing team to ensure that people from diverse groups are featured in the organization’s website, publications, and social media?

    es the job description clearly demonstrate the organization’s and leadership’s commitment to DEI?

    *Source: Recruit and Retain People of Color in IT

    3.1 Review and update your job ads

    1. Download the Job Ad Template.
    2. Look online or ask HR for an example of a current job advertisement you are using.
    • If you don’t have one, you can use a job description as a starting point.
  • Review all the elements of the job ad and make sure they align with the list on the previous slide, adding or changing, as necessary. Your job ad should be no more than two pages long.
  • Using the tools on the previous two slides, review your first draft to ensure the job posting is free of language or elements that will discourage diverse candidates from applying.
  • Review your job advertisement with HR to get feedback or to use as a template going forward.
  • Input Output
    • Existing job ad or job description
    • Updated job ad
    Materials Participants
    • Job ad or job description
    • Job Ad Template
    • Hiring Managers

    Want to learn more?

    Recruit IT Talent

    • Improve candidate experience to hire top IT talent.

    Recruit and Retain More Women in IT

    • Gender diversity is directly correlated to IT performance.

    Recruit and Retain People of Color in IT

    • Good business, not just good philanthropy.

    Enhance Your Recruitment Strategies

    Focus on key programs and tactics to improve the effectiveness of your sourcing approach.

    Get involved with sourcing to get your job ad seen

    To meet growing expectations, organizations need to change the way they source

    Social Media

    Social media has trained candidates to expect:

    • Organizations to stay in touch and keep track of them.
    • A personalized candidate experience.
    • To understand organizational culture and a day in the life.

    While the focus on the candidate experience is important throughout the talent acquisition process, social media, technology, and values have made it a critical component of sourcing.

    Technology

    Candidates expect to be able to access job ads from all platforms.

    • Today, close to 90% of candidates use a mobile platform to job hunt (SmartRecruiters, 2022).
    • However, only 36% of organizations are optimizing their job postings for mobile. (The Undercover Recruiter, 2021)

    Job ads must be clear, concise, and easily viewed on a mobile device.

    Candidate Values

    Job candidate’s values are changing.

    • There is a growing focus on work/life balance, purpose, innovation, and career development. Organizations need to understand candidate values and highlight how the EVP aligns with these interests.

    Authenticity remains important.

    • Clearly and accurately represent your organization and its culture.

    Focus on key programs and tactics to improve the effectiveness of your sourcing approach

    Internal Talent Mobility (ITM) Program

    Social Media Program

    Employee Referral Program

    Alumni Program

    Campus Recruiting Program

    Other Sourcing Tactics

    Take advantage of your current talent with an internal talent mobility program

    What is it?

    Positioning the right talent in the right place, at the right time, for the right reasons, and supporting them appropriately.

    Internal Talent Mobility (ITM) Program

    Social Media Program

    Employee Referral Program

    Alumni Program

    Campus Recruiting Program

    Other Sourcing Tactics

    ITM program benefits:

    1. Retention
    2. Provide opportunities to develop professionally, whether in the current role or through promotions/lateral moves. Keep strong performers and high-potential employees committed to the organization.

    3. Close Skills Gap
    4. Address rapid change, knowledge drain due to retiring Baby Boomers, and frustration associated with time to hire or time to productivity.

    5. Cost/Time Savings
    6. Reduce spend on talent acquisition, severance, time to productivity, and onboarding.

    7. Employee Engagement
    8. Increase motivation and productivity by providing increased growth and development opportunities.

    9. EVP
    10. Align with the organization’s offering and what is important to the employees from a development perspective.

    11. Employee & Leadership Development
    12. Support and develop employees from all levels and job functions.

    Leverage social media to identify and connect with talent

    Internal Talent Mobility (ITM) Program

    Social Media Program

    Employee Referral Program

    Alumni Program

    Campus Recruiting Program

    Other Sourcing Tactics

    What is it? The widely accessible electronic tools that enable anyone to publish and access information, collaborate on common efforts, and build relationships.

    Learning to use social media effectively is key to sourcing the right talent.

    • Today, 92% of organizations leverage social media for talent acquisition.
    • 80% of employers find passive candidates through social media – second only to referrals.
    • 86% percent of job seekers used social media for their most recent job search.
    (Ku, 2021)

    Benefits of social media:

    • Provides access to candidates who may not know the organization.
    • Taps extended networks.
    • Facilitates consistent communication with candidates and talent in pipelines.
    • Personalizes the candidate experience.
    • Provides access to extensive data.

    Challenges of social media:

    With the proliferation of social media and use by most organizations, social media platforms have become overcrowded. As a result:

    • Organizations are directly and very apparently competing for talent with competitors.
    • Users are bombarded with information and are tuning out.

    “It is all about how we can get someone’s attention and get them to respond. People are becoming jaded.”

    – Katrina Collier, Social Recruiting Expert, The Searchologist

    Reap the rewards of an employee referral program

    Internal Talent Mobility (ITM) Program

    Social Media Program

    Employee Referral Program

    Alumni Program

    Campus Recruiting Program

    Other Sourcing Tactics

    What is it? Employees recommend qualified candidates. If the referral is hired, the referring employee typically receives some sort of reward.

    Benefits of an employee referral program:

    1. Lower Recruiting Costs
    2. 55% of organizations report that hiring a referral is less expensive that a non-referred candidate (Clutch, 2020).

    3. Decreased time to fill
    4. The average recruiting lifecycle for an employee referral is 29 days, compared with 55 days for a non referral (Betterup, 2022).

    5. Decreased turnover
    6. 46% percent of employees who were referred stay at their organization for a least one year, compared to 33% of career site hires (Betterup, 2022).

    7. Increased quality of hire
    8. High performers are more likely to refer other high performers to an organization (The University of Chicago Press, 2019).

    Avoid the Like Me Bias: Continually evaluate the diversity of candidates sourced from the employee referral program. Unless your workforce is already diverse, referrals can hinder diversity because employees tend to recommend people like themselves.

    Tap into your network of former employees

    Internal Talent Mobility (ITM) Program

    Social Media Program

    Employee Referral Program

    Alumni Program

    Campus Recruiting Program

    Other Sourcing Tactics

    What is it? An alumni referral program is a formalized way to maintain ongoing relationships with former employees of the organization.

    Successful organizations use an alumni program:

    • 98% of the F500 have some sort of Alumni program (LinkedIn, 2019).

    Benefits of an alumni program:

    1. Branding
    • Alumni are regarded as credible sources of information. They can be a valuable resource for disseminating and promoting the employer brand.
  • Source of talent
    • Boomerang employees are doubly valuable as they understand the organization and also have developed skills and industry experience.
      • Recover some of the cost of turnover and cost per hire with a pool of prequalified candidates who will more quickly reach full productivity.
  • Referral potential
    • Developing a robust alumni network provides access to a larger network through referrals.
    • Alumni already know what is required to be successful in the organization so they can refer more suitable candidates.

    Make use of a campus recruiting program

    Internal Talent Mobility (ITM) Program

    Social Media Program

    Employee Referral Program

    Alumni Program

    Campus Recruiting Program

    Other Sourcing Tactics

    What is it? A formalized means of attracting and hiring individuals who are about to graduate from schools, colleges, or universities.

    Almost 70% of companies are looking to employ new college graduates every year (HR Shelf, 2022).

    Campus recruitment benefits:

    • Increases employer brand awareness among talent entering the workforce.
    • Provides the opportunity to interact with large groups of potential candidates at one time.
    • Presents the opportunity to identify and connect with high-quality talent before they graduate and are actively looking for positions.
    • Offers access to a highly diverse audience.

    Info-Tech Insight

    Target schools that align with your culture and needs. Do not just focus on the most prestigious schools: they are likely more costly, have more intense competition, and may not actually provide the right talent.

    Identify opportunities to integrate non-traditional techniques

    Internal Talent Mobility (ITM) Program

    Social Media Program

    Employee Referral Program

    Alumni Program

    Campus Recruiting Program

    Other Sourcing Tactics

    1. Professional industry associations
    • Tap into candidates who have the necessary competencies.

    5. Not-for-profit intermediaries

    • Partner with not-for-profits to tap into candidates in training or mentorship programs.
    • Example:
      • Year Up (General)
      • Bankwork$ (Banking)
      • Youth Build (Construction)
      • iFoster (Grocery)

    American Expresscreated a boot camp for software engineers in partnership with Year Up and Gateway Community College to increase entry-level IT hires.

    Results:

    • Annually hire 80-100 interns from Year Up.
    • Improved conversion rates: 72% of Year Up interns versus 60% of traditional interns.
    • Increased retention: 44 (Year Up) versus 18 months (traditional).
    (HBR, 2016)

    2. Special interest groups

    • Use for niche role sourcing.
    • Find highly specialized talent.
    • Drive diversity (Women in Project Management).

    6. Gamification

    • Attract curiosity and reaffirm innovation at your organization.
    • Communicate the EVP.
    3. Customers
    • Access those engaged with the organization.
    • Add the employer brand to existing messaging.

    PwC (Hungary) created Multiploy, a two-day game that allows students to virtually experience working in accounting or consulting at the organization.

    Results:

    • 78% of students said they wanted to work for PwC.
    • 92% indicated they had a more positive view of the firm.
    • Increase in the number of job applicants.
    (Zielinski, 2015)

    4. Exit interviews

    • Ask exiting employees “where should we recruit someone to replace you?”
    • Leverage their knowledge to glean insight into where to find talent.

    Partner with other organizational functions to build skills and leverage existing knowledge

    Use knowledge that already exists in the organization to improve talent sourcing capabilities.

    Marketing

    HR

    Marketing knows how to:

    • Build attention-grabbing content.
    • Use social media platforms effectively.
    • Effectively promote a brand.
    • Use creative methods to connect with people.

    HR knows how to:

    • Organize recruitment activities.
    • Identify the capabilities of various technologies available to support sourcing.
    • Solve issues that may arise along the way

    To successfully partner with other departments in your organization:

    • Acknowledge that they are busy. Like IT, they have multiple competing priorities.
    • Present your needs and prioritize them. Create a list of what you are looking for and then be willing to just pick your top need. Work with the other department to decide what needs can and cannot be met.
    • Present the business case. Emphasize how partnering is mutually beneficial. For example, illustrate to Marketing that promoting a strong brand with candidates will improve the organization’s overall reputation because often, candidates are customers.
    • Be reasonable and patient. You are asking for help, so be moderate in your expectations and flexible in working with your partner.

    Info-Tech Insight

    Encourage your team to seek out, and learn from, employees in different divisions. Training sessions with the teams may not always be possible but one-on-one chats can be just as effective and may be better received.

    5.1 Review the effectiveness of existing sourcing programs

    1. As a group review the description of each program as defined on previous slides. Ensure that everyone understands the definitions.
    2. In your workbook, look for the cell Internal Talent Mobility under the title; you will find five rows with the following
    • This program is formally structured and documented.
    • This program is consistently applied across the organization.
    • Talent is sourced this way on an ad hoc basis.
    • Our organization currently does not source talent this way.
    • There are metrics in place to assess the effectiveness of this program.
  • Ask everyone in the group if they agree with the statement for each column; once everyone has had a chance to answer each of the questions, discuss any discrepancies which exist.
  • After coming to a consensus, record the answers.
  • Repeat this process for the other four sourcing programs (social media, employee referral program, alumni network program, and campus recruiting program).
  • InputOutput
    • Existing knowledge on sourcing approach
    • Low usage sourcing methods identified for development
    MaterialsParticipants
    • Workbook
    • Hiring Managers

    Want to learn more?

    Recruit IT Talent

    • Improve candidate experience to hire top IT talent.

    Recruit and Retain More Women in IT

    • Gender diversity is directly correlated to IT performance.

    Recruit and Retain People of Color in IT

    • Good business, not just good philanthropy.

    Enhance Your Recruitment Strategies

    Interviews are the most often used yet poorly executed hiring tool.

    Create a high-quality interview process to improve candidate assessment

    Everyone believes they’re a great interviewer; self-assess your techniques, and “get real” to get better

    If you…

    • Believe everything the candidate says.
    • Ask mostly hypothetical questions: "What would you do in a situation where…"
    • Ask gimmicky questions: "If you were a vegetable, what vegetable would you be?"
    • Ask only traditional interview questions: "What are your top three strengths?”
    • Submit to a first impression bias.
    • Have not defined what you are looking for before the interview.
    • Ignore your gut feeling in an attempt to be objective.
    • Find yourself loving a candidate because they are just like you.
    • Use too few or too many interviewers in the process.
    • Do not ask questions to determine the motivational fit of the candidate.
    • Talk more than the interviewee.
    • Only plan and prepare for the interview immediately before it starts.

    …then stop. Use this research!

    Most interviewers are not effective, resulting in many poor hiring decisions, which is costly and counter-productive

    Most interviewers are not effective…

    • 82% of organizations don’t believe they hire highly talented people (Trost, 2022).
    • Approximately 76% of managers and HR representatives that McLean & Company interviewed agreed that the majority of interviewers are not very effective.
    • 66% of hiring managers come to regret their interview-based hiring decisions (DDI, 2021).

    …because, although everyone knows interviewing is a priority, most don’t make it one.

    • Interviewing is often considered an extra task in addition to an employee’s day-to-day responsibilities, and these other responsibilities take precedence.
    • It takes time to effectively design, prepare for, and conduct an interview.
    • Employees would rather spend this time on tasks they consider to be an immediate priority.

    Even those interviewers who are good at interviewing, may not be good enough.

    • Even a good interviewer can be fooled by a great interviewee.
    • Some interviewees talk the talk, but don’t walk the walk. They have great interviewing abilities but not the skills required to be successful in the specific position for which they are interviewing.
    • Even if the interviewer is well trained and prepared to conduct a strong interview, they can get caught up with an interviewee that seems very impressive on the surface, and end up making a bad hire.

    Preparing the Perfect Interview

    Step 5: Define decision rights

    Establish decision-making authority and veto power to mitigate post-interview conflicts over who has final say over a candidate’s status.

    Follow these steps to create a positive interview experience for all involved.

    Step 1: Define the ideal candidate profile; determine the attributes of the ideal candidate and their relative importance

    Define the attributes of the ideal candidate…

    Ideal candidate = Ability to do the job + Motivation to do the job + Fit

    Competencies

    • Education
    • Credentials
    • Technical skills
    • Career path
    • Salary expectations
    • Passion
    • Potential
    • Personality
    • Managerial style/preference

    Experiences

    • Years of service
    • Specific projects
    • Industry

    Data for these come from:

    • Interviews
    • Personality tests
    • Gut instinct or intuition

    Data for these come from:

    • Resumes
    • Interviews
    • Exercises and tests
    • References

    Caution: Evaluating for “organizational or cultural fit” can lead to interviewers falling into the trap of the “like me” bias, and excluding diverse candidates.

    …then determine the importance of the attributes.

    Non-negotiable = absolutely required for the job!

    Usually attributes that are hard to train, such as writing skills, or expensive to acquire after hire, such as higher education or specific technical skills.

    An Asset

    Usually attributes that can be trained, such as computer skills. It’s a bonus if the new hire has it.

    Nice-to-have

    Attributes that aren’t necessary for the job but beneficial. These could help in breaking final decision ties.

    Deal Breakers: Also discuss and decide on any deal breakers that would automatically exclude a candidate.

    The job description is not enough; meet with stakeholders to define and come to a consensus on the ideal candidate profile

    Definition of the Ideal Candidate

    • The Hiring Manager has a plan for the new hire and knows the criteria that will best fulfill that mandate.
    • The Executive team may have specific directives for what the ideal candidate should look like, depending on the level and critical nature of the position.
    • Industry standards, which are defined by regulatory bodies, are available for some positions. Use these to identify skills and abilities needed for the job.
    • Competitor information such as job descriptions and job reviews could provide useful data about a similar role in other organizations.
    • Exit interviews can offer insight into the most challenging aspects of the job and identify skills or abilities needed for success.
    • Current employees who hold the same or a similar position can explain the nuances of the day-to-day job and what attributes are most needed on the team.

    “The hardest work is accurately defining what kind of person is going to best perform this job. What are their virtues? If you’ve all that defined, the rest is not so tough.”

    – VP, Financial Services

    Use a scorecard to document the ideal candidate profile and help you select a superstar

    1. Download the Workbook and go to tab 6.1.
    2. Document the desired attributes for each category of assessment: Competencies, Experiences, Fit, and Motivation. You can find an Attribute Library on the next tab.
    3. Rank each attribute by level of priority: Required, Asset, or Nice-to-Have.
    4. Identify deal breakers that would automatically disqualify a candidate from moving forward.
    InputOutput
    • Job description
    • Stakeholder input
    • Ideal candidate persona
    MaterialsParticipants
    • Workbook
    • Hiring Managers

    To identify questions for screening interviews, use the Screening Interview Template

    A screening interview conducted by phone should have a set of common questions to identify qualified candidates for in-person interviews.

    The Screening Interview Template will help you develop a screening interview by providing:

    • Common screening questions that can be modified based on organizational needs and interview length.
    • Establishing an interview team.
    • A questionnaire format so that the same questions are asked of all candidates and responses can be recorded.

    Once completed, this template will help you or HR staff conduct candidate screening interviews with ease and consistency. Always do screening interviews over the phone or via video to save time and money.

    Info-Tech Insight

    Determine the goal of the screening interview – do you want to evaluate technical skills, communication skills, attitude, etc.? – and create questions based on this goal. If evaluating technical skill, have someone with technical competency conduct the interview.

    The image contains screenshots of the Screening Interview Template.

    Step 2: Choose interview types and techniques that best assess the ideal candidate attributes listed on the position scorecard

    There is no best interview type or technique for assessing candidates, but there could be a wrong one depending on the organization and job opening.

    • Understanding common interviewing techniques and types will help inform your own interviewing strategy and interview development.
    • Each interview technique and type has its own strengths and weakness and can be better suited for a particular organizational environment, type of job, or characteristic being assessed.
    The image contains a diagram to demonstrate the similarities and differences of Interview Technique and Interview Type. There is a Venn Diagram, the right circle is labelled: Interview Technique, and the right is: Interview Type. There is a double sided arrow below that has the following text: Unstructure, Semi-Structured, and Structured.

    Unstructured: A traditional method of interviewing that involves no constraints on the questions asked, no requirements for standardization, and a subjective assessment of the candidate. This format is the most prone to bias.

    Semi-Structured: A blend of structured and unstructured, where the interviewer will ask a small list of similar questions to all candidates along with some questions pertaining to the resume.

    Structured: An interview consisting of a standardized set of job-relevant questions and a scoring guide. The goal is to reduce interviewer bias and to help make an objective and valid decision about the best candidate.

    No matter which interview types or techniques you use, aim for it to be as structured as possible to increase its validity

    The validity of the interview increases as the degree of interview structure increases.

    Components of a highly structured interview include:

    1. Interview questions are derived from a job analysis (they are job related).
    2. Interview questions are standardized (all applicants are asked the same questions).
    3. Prompting, follow-up questioning, probing, and/or elaboration on questions are limited. Try to identify all prompts, follow-ups, and probes beforehand and include them in the interview guide so that all candidates get the same level of prompting and probing.
    4. Interview questions focus on behaviors or work samples rather than opinions or self-evaluations.
    5. Interviewer access to ancillary information (e.g. resumes, letters of reference, test scores, transcripts) is controlled. Sometimes limiting access to these documents can limit interviewer biases.
    6. Questions from the candidate are not allowed until after the interview. This allows the interviewer to stay on track and not go off the protocol.
    7. Each answer is rated during the interview using a rating scale tailored to the question (this is preferable to rating dimensions at the end of the interview and certainly preferable to just making an overall rating or ranking at the end).
    8. Rating scales are “anchored” with behavioral examples to illustrate scale points (e.g. examples of a “1,” “3,” or “5” answer).
    9. Total interview score is obtained by summing across scores for each of the questions.

    The more of these components your interview has, the more structured it is, and the more valid it will be.

    Step 3: Prepare interview questions to assess the attributes you are looking for in a candidate

    The purpose of interviewing is to assess, not just listen. Questions are what help you do this.

    Preparing questions in advance allows you to:

    • Match each question to a position requirement (included in your scorecard) to ensure that you assess all required attributes. Everything assessed should be job relevant!
    • Determine each question’s weighting, if applicable.
    • Give each candidate a chance to speak to all their job-relevant attributes.
    • Keep records should an unselected candidate decide to contest the decision.

    If you don’t prepare in advance:

    • You’ll be distracted thinking about what you are going to ask next and not be fully listening.
    • You likely won’t ask the same questions of all candidates, which impacts the ability to compare across candidates and doesn’t provide a fair process for everyone.
    • You likely won’t ask the questions you need to elicit the information needed to make the right decision.
    • You could ask illegal questions (see Acquire the Right Hires with Effective Interviewing for a list of questions not to ask in an interview).

    Use the Interview Question Planning Guide tab in the Candidate Interview Strategy and Planning Guide to prepare your interview questions.

    Use these tips to draft interview questions:

    • Use job analysis output, in particular the critical incident technique, to develop structured interview questions.
    • Search online or in books for example interview questions for the target position to inform interview question development. Just remember that candidates access these too, so be sure to ask for specific examples, include probing questions, and adapt or modify questions to change them.
    • Situational questions: The situation should be described in sufficient detail to allow an applicant to visualize it accurately and be followed by “what would you do?” Scoring anchors should reflect effective, typical, and ineffective behaviors.
    • Behavioral questions: Should assess a behavioral dimension (e.g. meeting deadlines) and apply to a variety of situations that share the underlying dimension (e.g. at work or school). Scoring anchors should be applicable to a variety of situations and reflect effective, typical, and ineffective behavior.

    Conduct an effective screening interview by listening to non-verbal cues and probing

    Follow these steps to conduct an effective screening interview:

    Introduce yourself and ask if now is a good time to talk. (Before calling, prepare your sales pitch on the organization and the position.)

    You want to catch candidates off guard so that they don’t have time to prepare scripted answers; however, you must be courteous to their schedule.

    Provide an overview of the position, then start asking pre-set questions. Take a lot of notes.

    It is important to provide candidates with as much information as possible about the position – they are deciding whether they are interested in the role as much as you are deciding whether they are suitable.

    Listen to how the questions are answered. Ask follow-up questions when appropriate and especially if the candidate seems to be holding something back.

    If there are long pauses or the candidate’s voice changes, there may be something they aren’t telling you that you should know.

    Be alert to inconsistencies between the resume and answers to the questions and address them.

    It’s important to get to the bottom of issues before the in-person interview. If dates, titles, responsibilities, etc. seem to be inconsistent, ask more questions.

    Ask candidates about their salary expectations.

    It’s important to ensure alignment of the salary expectations early on. If the expectations are much higher than the range, and the candidate doesn’t seem to be open to the lower range, there is no point interviewing them. This would be a waste of everyone’s time.

    Answer the applicant’s questions and conclude the interview.

    Wait until after the interview to rate the applicant.

    Don’t allow yourself to judge throughout the interview, or it could skew questions. Rate the applicant once the interview is complete.

    When you have a shortlist of candidates to invite to an in-person interview, use the Candidate Communication Template to guide you through proper phone and email communications.

    Don’t just prepare top-level interview questions; also prepare probing questions to probe to gain depth and clarity

    Use probing to drill down on what candidates say as much as possible and go beyond textbook answers.

    Question (traditional): “What would you identify as your greatest strength?”

    Answer: Ability to work on a team.

    Top-level interview questions set the stage for probing.

    Your interview script should contain the top two levels of questions in the pyramid and a few probes that you will likely need to ask. You can then drill down further depending on the candidate’s answers.

    Follow-Up Question:

    “Can you outline a particular example when you were able to exercise your teamwork skills to reach a team goal?”

    Probing questions start with asking what, when, who, why, and how, and gain insight into a candidate’s thought process, experiences, and successes.

    Probing Level 1:

    Probe around the what, how, who, when, and where. “How did you accomplish that?”

    How to develop probes? By anticipating the kinds of responses that candidates from different backgrounds or with different levels of experience are likely to give as a response to an interview question. Probes should provide a clear understanding of the situation, the behavior, and the outcome so that the response can be accurately scored. Common probes include:

    • What did you do? What was the outcome?
    • When did this take place (and how long did it take)?
    • Who was involved?
    • Were you leading or being led?
    • How did you accomplish what you did?
    • Why did you take those steps?

    Tailor probes to the candidate’s answers to evoke meaningful and insightful responses.

    Probing Level 2:

    Allow for some creativity.

    “What would you do differently if you were to do it again?”

    Conduct effective interviews and assessments

    Mitigate inherent biases of assessors by integrating formal assessments with objective anchors and clear criteria to create a more inclusive process.

    Consider leveraging behavioral interview questions in your interview to reduce bias.

    • In the past, companies were pushing the boundaries of the conventional interview, using unconventional questions to find top talent, e.g. “what color is your personality?” The logic was that the best people are the ones who don’t necessarily show perfectly on a resume, and they were intent on finding the best.
    • However, many companies have stopped using these questions after extensive statistical analysis revealed there was no correlation between candidates’ ability to answer them and their future performance on the job.
    • Asking behavioral interview questions based on the competency needs of the role is the best way to uncover if the candidates will be able to execute on the job.

    Assessments are created by people that have biases. This often means that assessments can be biased, especially with preferences towards a Western perspective. Even if the same assessments are administered, the questions will be interpreted differently by candidates with varying cultural backgrounds and lived experiences. If assessments do not account for this, it ultimately leads to favoring the answers of certain demographic groups, often ones similar to those who developed the assessment.

    Creating an interview question scorecard

    Attribute you are evaluating

    Probing questions prepared

    Area to take notes

    The image contains a screenshot of an Interview question scorecard.

    Exact question you will ask

    Place to record score

    Anchored scale with definitions of a poor, ok and great answer

    Step 4: Assemble an interview team

    HR and the direct reporting supervisor should always be part of the interview. Make a good impression with a good interview team.

    The must-haves:

    • The Future Manager should always be involved in the process. They should be comfortable with the new hire’s competencies and fit.
    • Human Resources should always be involved in the process – they maintain consistency, legality, and standardization. It’s their job to know the rules and follow them. HR may coordinate and maintain policy standards and/or join in assessing the candidate.
    • There should always be more than just one interviewer, even if it is not at the same time. This helps keep the process objective, allows for different opinions, and gives the interviewee exposure to multiple individuals in the company. But, try to limit the number of panel members to four or less.

    “At the end of the day, it’s the supervisor that has to live with the person, so any decision that does not involve the supervisor is a very flawed process.” – VP, Financial Services

    The nice-to-haves:

    • Future colleagues can offer benefits to both the interviewee and the colleague by:
      • Giving the candidate some insight into what their day-to-day job would be.
      • Relaxing the candidate; allowing for a less formal, less intimidating conversation.
      • Introducing potential teammates for a position that is highly collaborative.
      • Offering the interviewer an excellent professional development opportunity – a chance to present their understanding of what they do.
    • Executives should take part in interviewing for executive hiring, individuals that will report to an executive, or for positions that are extremely important. Executive time is scarce and expensive, so only use it when absolutely necessary.

    Record the interview team details in the Candidate Interview Strategy and Planning Guide template.

    Assign interviewers roles inside and outside the actual interview

    Define Interview Process Roles

    Who Should… Contact candidates to schedule interviews or communicate decisions?

    Who Should… Be responsible for candidate welcomes, walk-outs, and hand-offs between interviews?

    Who Should… Define and communicate each stakeholder’s role?

    Who Should… Chair the preparation and debrief meetings and play the role of the referee when trying to reach a consensus?

    Define Interview Roles

    • Set a role for each interviewer so they know what to focus on and where they fit into the process (e.g. Interviewer A will assess fit). Don’t ad hoc the process and allow everyone to interview based on their own ideas.
    • Consider interviewer qualifications and the impact of the new employee on each interviewer, when deciding the roles of each interviewer (i.e. who will interview for competency and who will interview for fit).
      • For example, managers may be most impacted by technical competencies and should be the interviewer to evaluate the candidate for technical competency.

    “Unless you’ve got roles within the panel really detailed and agreed upon, for example, who is going to take the lead on what area of questions, you end up with a situation where nobody is in charge or accountable for the final interview assessment." – VP, Financial Services

    Info-Tech Insight

    Try a Two Lens Assessment: One interviewer assesses the candidate as a project leader while another assesses them as a people leader for a question such as “Give me an example of when you exercised your leadership skills with a junior team member.”

    Step 5: Set decision rights in stone and communicate them in advance to manage stakeholder expectations and limit conflict

    All interviewers must understand their decision-making authority prior to the interview. Misunderstandings can lead to resentment and conflict.

    It is typical and acceptable that you, as the direct reporting manager, should have veto power, as do some executives.

    Veto Power

    Direct Supervisor or Manager

    Decision Makers: Must Have Consensus

    Other Stakeholders

    Direct Supervisor’s Boss

    Direct Supervisor

    Contributes Opinion

    HR Representative

    Peer

    After the preliminary interview, HR should not be involved in making the decision unless they have a solid understanding of the position.

    Peers can make an unfair assessment due to perceived competition with a candidate. Additionally, if a peer doesn’t want a candidate to be hired and the direct supervisor does hire the candidate, the peer may hold resentment against that candidate and set the team up for conflict.

    The decision should rest on those who will interact with the candidate on a daily basis and who manage the team or department that the candidate will be joining.

    The decisions being made can include whether or not to move a candidate onto the next phase of the hiring process or a final hiring decision. Deciding decision rights in advance defines accountability for an effective interview process.

    Create your interview team, assessments, and objective anchor scale

    1. Download the Behavioral Interview Question Library as a reference.
    2. On tab 9 of your workbook, document all the members of the team and their respective roles in the interview process. Fill in the decision-making authority section to ensure every team member is held accountable to their assigned tasks and understands how their input will be used.
    3. For each required attribute in the Ideal Candidate Scorecard, chose one to two questions from the library that can properly evaluate that attribute.
    4. Copy and paste the questions and probing questions into the Interview Guide Template.
    5. Create an objective anchor scale and clearly define what a poor, ok, and great answer to each question is.

    Download the Behavioral Interview Question Library

    Input Output
    • List of possible team members
    • Ideal Candidate Scorecard
    • Finalized hiring panel
    • Finalized interview and assessment process
    Materials Participants
    • IT Behavioral Interview Question Library
    • Workbook
    • Interview Guide Template
    • IT leadership team
    • IT staff members

    Conduct an effective, professional, and organized in-person interview

    Give candidates a warm, genuine greeting. Introduce them to other interviewers present. Offer a drink. Make small talk.

    “There are some real advantages to creating a comfortable climate for the candidate; the obvious respect for the individual, but people really let their guard down.”

    – HR Director, Financial Services

    Give the candidate an overview of the process, length, and what to expect of the interview. Indicate to the candidate that notes will be taken during the interview.

    If shorter than an hour, you probably aren’t probing enough or even asking the right questions. It also looks bad to candidates if the interview is over quickly.

    Start with the first question in the interview guide and make notes directly on the interview guide (written or typed) for each question.

    Take lots of notes! You think you’ll remember what was said, but you won’t. It also adds transparency and helps with documentation.

    Ask the questions in the order presented for interview consistency. Probe and clarify as needed (see next slide).

    Keep control of the interview by curtailing any irrelevant or long-winded responses.

    After all interview questions are complete, ask candidates if there was anything about their qualifications that was missed that they want to highlight.

    Lets you know they understand the job and gives them the feeling they’ve put everything on the table.

    Ask if the candidate has any questions. Respond to the questions asked.

    Answer candidate questions honestly because fit works both ways. Ensure candidates leave with a better sense of the job, expectations, and organizational culture.

    Review the compensation structure for the position and provide a realistic preview of the job and organization.

    Provide each candidate with a fair chance by maintaining a consistent interview process.

    Tell interviewees what happens next in the process, the expected time frame, and how they will be informed of the outcome. Escort them out and thank them for the interview.

    The subsequent slides provide additional detail on these eight steps to conducting an effective interview.

    Avoid these common biases and mistakes

    Common Biases

    Like-me effect: An often-unconscious preference for, and unfairly positive evaluation of, a candidate based on shared interests, personalities, and experiences, etc.

    Status effect: Overrating candidates based on the prestige of previously held positions, titles, or schools attended.

    Recency bias: Placing greater emphasis on interviews held closer to the decision-making date.

    Contrast effect: Rating candidates relative to those who precede or follow them during the interview process, rather than against previously determined data.

    Solution

    Assess candidates by using existing competency-based criteria.

    Common Mistakes

    Negative tone: Starting the interview on a negative or stressful note may derail an otherwise promising candidate.

    Poor interview management: Letting the candidate digress may leave some questions unanswered and reduce the interview value.

    Reliance of first impressions: Basing decisions on first impressions undermines the objectivity of competency-based selection.

    Failure to ask probing questions: Accepting general answers without asking follow-up questions reduces the evidentiary value of the interview.

    Solution

    Follow the structured interview process you designed and practiced.

    Ask the questions in the order presented in the interview guide, and probe and clarify as needed

    Do...

    Don’t…

    Take control of the interview by politely interrupting to clarify points or keep the interviewee on topic.

    Use probing to drill down on responses and ask for clarification. Ask who, what, when, why, and how.

    Be cognizant of confidentiality issues. Ask for a sample of work from a past position.

    Focus on knowledge or information gaps from previous interviews that need to be addressed in the interview.

    Ensure each member of a panel interview speaks in turn and the lead is given due respect to moderate.

    Be mean when probing. Intimidation actually works against you and is stressful for candidates. When you’re friendly, candidates will actually open up more.

    Interrupt or undermine other panel members. Their comments and questions are just as valid as yours are, and treating others unprofessionally gives a bad impression to the candidate.

    Ask illegal questions. Questions about things like religion, disability, and marital and family status are off limits.

    When listening to candidate responses, watch for tone, body language, and red flags

    Do...

    While listening to responses, also watch out for red and yellow flags.

    Listen to how candidates talk about their previous bosses – you want it to be mainly positive. If their discussion of past bosses reflects a strong sense of self-entitlement or a consistent theme of victimization, this could be a theme in their behavior and make them hard to work with.

    Red Flag

    A concern about something that would keep you from hiring the person.

    Yellow Flag

    A concern that needs to be addressed, but wouldn’t keep you from hiring the person.

    Pay attention to body language and tone. They can tell you a lot about candidate motivation and interest.

    Listen to what candidates want to improve. It’s an opportunity to talk about development and advancement opportunities in the organization.

    Not all candidates have red flags, but it is important to keep them in mind to identify potential issues with the candidate before they are hired.

    Don’t…

    Talk too much! You are there to listen. Candidates should do about 80% of the talking so you can adequately evaluate them. Be friendly, but ensure to spend the time allotted assessing, not chatting.

    If you talk too much, you may end up hiring a weak candidate because you didn’t perceive weaknesses or not hire a strong candidate because you didn’t identify strengths.

    What if you think you sense a red or yellow flag?

    Following the interview, immediately discuss the situation with others involved in the recruitment process or those familiar with the position, such as HR, another hiring manager, or a current employee in the role. They can help evaluate if it’s truly a matter of concern.

    Increase hiring success: Give candidates a positive perception of the organization in the interview

    Great candidates want to work at great organizations.

    When the interviewer makes a positive impression on a candidate and provides a positive impression of the organization it carries forward after they are hired.

    In addition, better candidates can be referred over the course of time due to higher quality networking.

    As much as choosing the right candidate is important to you, make sure the right candidate wants to choose you and work for your organization.

    The image contains a screenshot of a graph to demonstrate the percent of successful hires relates strongly to interviewers giving candidates a positive perception of the organization.

    Interview advice seems like common sense, but it’s often not heeded, resulting in poor interviews

    Don’t…

    Believe everything candidates say. Most candidates embellish and exaggerate to find the answers they think you want. Use probing to drill down to specifics and take them off their game.

    Ask gimmicky questions like “what color is your soul?” Responses to these questions won’t give you any information about the job. Candidates don’t like them either!

    Focus too much on the resume. If the candidate is smart, they’ve tailored it to match the job posting, so of course the person sounds perfect for the job. Read it in advance, highlight specific things you want to ask, then ignore it.

    Oversell the job or organization. Obviously you want to give candidates a positive impression, but don’t go overboard because this could lead to unhappy hires who don’t receive what you sold them. Candidates need to evaluate fit just as much as you.

    Get distracted by a candidate’s qualifications and focus only on their ability to do the job. Just because they are qualified does not mean they have the attitude or personality to fit the job or culture.

    Show emotion at any physical handicap. You can’t discriminate based on physical disability, so protect the organization by not drawing attention to it. Even if you don’t say anything, your facial expression may.

    Bring a bad day or excess baggage into the interview, or be abrupt, rushed, or uninterested in the interview. This is rude behavior and will leave a negative impression with candidates, which could impact your chances of hiring them.

    Submit to first impression bias because you’ll spend the rest of the interview trying to validate your first impression, wasting your time and the candidate’s. Remain as objective as possible and stick to the interview guide to stay focused on the task at hand.

    “To the candidate, if you are meeting person #3 and you’re hearing questions that person #1 and #2 asked, the company doesn’t look too hot or organized.” – President, Recruiting Firm

    Practice behavioral interviews

    1. In groups of at least three:
    • Assign one person to act as the manager conducting the interview, a second person to act as the candidate, and a third to observe.
    • The observer will provide feedback to the manager at the end of the role play based on the information you just learned.
    • Observers – please give feedback on the probing questions and body language.
  • Managers, select an interview question from the list your group put together during the previous exercise. Take a few minutes to think about potential probing questions you could follow up with to dig for more information.
  • Candidates, try to act like a real candidate. Please don’t make it super easy on the managers – but don’t make it impossible either!
  • Once the question has been asked and answered:
    • How did it go?
    • Were you able to get the candidate to speak in specifics rather than generalities? What tips do you have for others?
    • What didn’t go so well? Any surprises?
    • What would you do differently next time?
    • If this was a real hiring situation, would the information you got from just that one question help you make a hiring decision for the role?
  • Now switch roles and select a new interview question to use for this round. Repeat until everyone has had a chance to practice.
  • Input Output
    • Interview questions and scorecard
    • Practice interviews
    Materials Participants
    • IT Behavioral Interview Question Library
    • Workbook
    • Hiring Manager
    • Interview Panel Members

    Download the Behavioral Interview Question Library

    Record best practices, effective questions, and candidate insights for future use and current strategy

    Results and insights gained from evaluations need to be recorded and assessed to gain value from them going forward.

    • To optimize evaluation, all feedback should be forwarded to a central point so that the information can be shared with all stakeholders. HR can serve in this role.
    • Peer evaluations should be shared shortly after the interview. Immediate feedback that represents all the positive and negative responses is instructional for interviewers to consider right away.
    • HR can take a proactive approach to sharing information and analyzing and improving the interview process in order to collaborate with hiring departments for better talent management.
    • Collecting information about effective and ineffective interview questions will guide future interview revision and development efforts.

    Evaluations Can Inform Strategic Planning and Professional Development

    Strategic Planning

    • Survey data can be used to inform strategic planning initiatives in recruiting.
    • Use the information to build a case to the executive team for training, public relations initiatives, or better candidate management systems.

    Professional Development

    • Survey data from all evaluations should be used to inform future professional development initiatives.
    • Interview areas where all team members show weaknesses should be training priorities.
    • Individual weaknesses should be integrated into each professional development plan.

    Want to learn more?

    Recruit IT Talent

    • Improve candidate experience to hire top IT talent.

    Recruit and Retain More Women in IT

    • Gender diversity is directly correlated to IT performance.

    Recruit and Retain People of Color in IT

    • Good business, not just good philanthropy.

    Develop a Comprehensive Onboarding Plan

    Drive employee engagement and retention with a robust program that acclimates, guides, and develops new hires.

    Onboarding should pick up where candidate experience leaves off

    Do not confuse onboarding with orientation

    Onboarding ≠ Orientation

    Onboarding is more than just orientation. Orientation is typically a few days of completing paperwork, reading manuals, and learning about the company’s history, strategic goals, and culture. By contrast, onboarding is three to twelve months dedicated to welcoming, acclimating, guiding, and developing new employees – with the ideal duration reflecting the time to productivity for the role.

    A traditional orientation approach provides insufficient focus on the organizational identification, socialization, and job clarity that a new hire requires. This is a missed opportunity to build engagement, drive productivity, and increase organizational commitment. This can result in early disengagement and premature departure.

    Effective onboarding positively impacts the organization and bottom line

    Over the long term, effective onboarding has a positive impact on revenue and decreases costs.

    The benefits of onboarding:

    • Save money and frustration
      • Shorten processing time, reduce administrative costs, and improve compliance.
    • Boost revenue
      • Help new employees become productive faster – also reduce the strain on existing employees who would normally be overseeing them or covering a performance shortfall.
    • Drive engagement and reduce turnover
      • Quickly acclimate new hires to your organization’s environment, culture, and values.
    • Reinforce culture and employer brand
      • Ensure that new hires feel a connection to the organization’s culture.

    Onboarding drives new hire engagement from day one

    The image contains a graph to demonstrate the increase in overall engagement in relation to onboarding.

    When building an onboarding program, retain the core aims: acclimate, guide, and develop

    The image contains a picture of a circle with a smaller circle inside it, and a smaller circle inside that one. The smallest circle is labelled Acclimate, the medium sized circle is labelled Guide, and the biggest circle is labelled Develop.

    Help new hires feel connected to the organization by clearly articulating the mission, vision, values, and what the company does. Help them understand the business model, the industry, and who their competitors are. Help them feel connected to their new team members by providing opportunities for socialization and a support network.

    Help put new hires on the path to high performance by clearly outlining their role in the organization and how their performance will be evaluated.

    Help new hires receive the experience and training they require to become high performers by helping them build needed competencies.

    We recommend a three-to-twelve-month onboarding program, with the performance management aspect of onboarding extending out to meet the standard organizational performance management cycle.

    Info-Tech Insight

    The length of the onboarding program should align with the average time to productivity for the role(s). Consider the complexity of the role, the industry, and the level of the new hire when determining program length.

    For example, call center workers who are selling a straight-forward product may only require a three-month onboarding, while senior leaders may require a year-long program.

    Watch for signs that you aren’t effectively acclimating, guiding, and developing new hires

    Our primary and secondary research identified the following as the most commonly stated reasons why employees leave organizations prematurely. These issues will be addressed throughout the next section.

    Acclimate

    Guide

    Develop

    • Onboarding experience is misaligned from the employer’s brand.
    • Socialization and/or integration into the existing culture is left to the employee.
    • Key role expectations or role usefulness is not clearly communicated.
    • Company strategy is unclear.
    • Opportunities for advancement are unclear.
    • Coaching, counseling, and/or support from co-workers and/or management is lacking.
    • The organization fails to demonstrate that it cares about the new employee’s needs.

    “Onboarding is often seen as an entry-level HR function. It needs to rise in importance because it’s the first impression of the organization and can be much more powerful than we sometimes give it credit for. It should be a culture building and branding program.” – Doris Sims, SPHR, The Succession Consultant, and Author, Creative Onboarding Programs

    Use the onboarding tabs in the workbook to evaluate and redesign the onboarding program

    1. On tab 10, brainstorm challenges that face the organization's current onboarding program. Identify if they fall into the "acclimate," "guide," or "develop" category. Next, record the potential impact of this challenge on the overall effectiveness of the onboarding program.
    2. On tab 11, record each existing onboarding activity. Then, identify if that activity will be kept or if it should be retired. Next, document if the activity fell into the "acclimate," "guide," or "develop" category.
    3. On tab 12, document gaps that currently exist in the onboarding program. Modify the timeline along the side of the tab to ensure it reflects the timeline you have identified.
    4. On tab 13, document the activities that will occur in the new onboarding program. This should be a combination of current activities that you want to retain and new activities that will be added to address the gaps noted on tab 12. For each activity, identify if it will fall in the acclimate, guide, or develop section. Add any additional notes. Before moving on, make sure that there are no categories that have no activities (e.g. no guide activities).
    Input Output
    • Existing onboarding activities
    • Determine new onboarding activities
    • Map out onboarding responsibilities
    Materials Participants
    • Workbook
    • Hiring Managers
    • HR

    Review the administrative aspects of onboarding and determine how to address the challenges

    The image contains tabs, three main large tabs are labelled: Acclimate, Guide, and Develop. There are smaller tabs in between that are in relation to the three main ones.

    Sample challenges

    Potential solutions

    Some paperwork cannot be completed digitally (e.g. I-9 form in the US).

    Where possible, complete forms with digital signatures (e.g. DocuSign). Where not possible, begin the process earlier and mail required forms to employees to sign and return, or scan and email for the employee to print and return.

    Required compliance training material is not available virtually.

    Seek online training options where possible. Determine the most-critical training needs and prioritize the replication of materials in audio/video format (e.g. recorded lecture) and distribute virtually.

    Employees may not have access to their equipment immediately due to shipping or supply issues.

    Delay employee start dates until you can set them up with the proper equipment and access needed to do their job.

    New hires can’t get answers to their questions about benefits information and setup.

    Schedule a meeting with an HR representative or benefits vendor to explain how benefits will work and how to navigate employee self-service or other tools and resources related to their benefits.

    Info-Tech Insight

    One of the biggest challenges for remote new hires is the inability to casually ask questions or have conversations without feeling like they’re interrupting. Until they have a chance to get settled, providing formal opportunities for questions can help address this.

    Review how company information is shared during onboarding and how to address the challenges

    The image contains tabs, three main large tabs are labelled: Acclimate, Guide, and Develop. There are smaller tabs in between that are in relation to the three main ones.

    Sample challenges

    Potential solutions

    Key company information such as organizational history, charts, or the vision, mission, and values cannot be clearly learned by employees on their own.

    Have the new hire’s manager call to walk through the important company information to provide a personal touch and allow the new hire to ask questions and get to know their new manager.

    Keeping new hires up to date on crisis communications is important, but too much information may overwhelm them or cause unnecessary stress.

    Sharing the future of the organization is a critical part of the company information stage of onboarding and the ever-changing nature of the COVID-19 crisis is informing many organizations’ future right now. Be honest but avoid over-sharing plans that may change.

    New hires can’t get answers to their questions about benefits information and setup.

    Schedule a meeting with an HR representative or benefits vendor to explain how benefits will work and how to navigate employee self-service or other tools and resources related to their benefits.

    Review the socialization aspects of onboarding and determine how to address the challenges

    The image contains tabs, three main large tabs are labelled: Acclimate, Guide, and Develop. There are smaller tabs in between that are in relation to the three main ones.

    Sample challenges

    Potential solutions

    Team introductions via a team lunch or welcome event are typically done in person.

    Provide managers with a calendar of typical socialization events in the first few weeks of onboarding and provide instructions and ideas for how to schedule replacement events over videoconferencing.

    New hires may not have a point of contact for informal questions or needs if their peers aren’t around them to help.

    If it doesn’t already exist, create a virtual buddy program and provide instructions for managers to select a buddy from the new hire’s team. Explain that their role is to field informal questions about the company, team, and anything else and that they should book weekly meetings with the new hire to stay in touch.

    New hires will not have an opportunity to learn or become a part of the informal decision-making networks at the organization.

    Hiring managers should consider key network connections that new hires will need by going through their own internal network and asking other team members for recommendations.

    New hires will not be able to casually meet people around the office.

    Provide the employee with a list of key contacts for them to reach out to and book informal virtual coffee chats to introduce themselves.

    Adapt the Guide phase of onboarding to a virtual environment

    The image contains tabs, three main large tabs are labelled: Acclimate, Guide, and Develop. There are smaller tabs in between that are in relation to the three main ones.

    Sample challenges

    Potential solutions

    Performance management (PM) processes have been paused given the current crisis.

    Communicate to managers that new hires still need to be onboarded to the organization’s performance management process and that goals and feedback need to be introduced and the review process outlined even if it’s not currently happening.

    Goals and expectations differ or have been reprioritized during the crisis.

    Ask managers to explain the current situation at the organization and any temporary changes to goals and expectations as a result of new hires.

    Remote workers often require more-frequent feedback than is mandated in current PM processes.

    Revamp PM processes to include daily or bi-weekly touchpoints for managers to provide feedback and coaching for new hires for at least their first six months.

    Managers will not be able to monitor new hire work as effectively as usual.

    Ensure there is a formal approach for how employees will keep their managers updated on what they're working on and how it's going, for example, daily scrums or task-tracking software.

    For more information on adapting performance management to a virtual environment, see Info-Tech’s Performance Management for Emergency Work-From-Home research.

    Take an inventory of training and development in the onboarding process and select critical activities

    The image contains tabs, three main large tabs are labelled: Acclimate, Guide, and Develop. There are smaller tabs in between that are in relation to the three main ones.

    Categorize the different types of formal and informal training in the onboarding process into the following three categories. For departmental and individual training, speak to managers to understand what is required on a department and role basis:

    Organizational

    Departmental

    Individual

    For example:

    • Employee self-service overview
    • Health and safety/compliance training
    • Core competencies

    For example:

    • Software training (e.g. Salesforce)
    • Job shadowing to learn how to work equipment or to learn processes

    For example:

    • Mentoring
    • External courses
    • Support to work toward a certification

    In a crisis, not every training can be translated to a virtual environment in the short term. It’s also important to focus on critical learning activities versus the non-critical. Prioritize the training activities by examining the learning outcomes of each and asking:

    • What organizational training does every employee need to be a productive member of the organization?
    • What departmental or individual training do new hires need to be successful in their role?

    Lower priority or non-critical activities can be used to fill gaps in onboarding schedules or as extra activities to be completed if the new hire finds themselves with unexpected downtime to fill.

    Determine how onboarding training will be delivered virtually

    The image contains tabs, three main large tabs are labelled: Acclimate, Guide, and Develop. There are smaller tabs in between that are in relation to the three main ones.

    Who will facilitate virtual training sessions?

    • For large onboarding cohorts, consider live delivery via web conferencing where possible. This will create a more engaging training program and will allow new hires to interact with and ask questions of the presenter.
    • For individual new hires or small cohorts, have senior leaders or key personnel from across the organization record different trainings that are relevant for their role.
      • For example, training sessions about organizational culture can be delivered by the CEO or other senior leader, while sales training could be delivered by a sales executive.

      If there is a lack of resources, expertise, or time, outsource digital training to a content provider or through your LMS.

    What existing or free tools can be leveraged to immediately support digital training?

    • Laptops and PowerPoint to record training sessions that are typically delivered in-person
    • YouTube/Vimeo to host recorded lecture-format training
    • Company intranet to host links and files needed to complete training
    • Web conferencing software to host live training/orientation sessions (e.g. Webex)
    • LMS to host and track completion of learning content

    Want to learn more?

    Recruit IT Talent

    • Improve candidate experience to hire top IT talent.

    Recruit and Retain More Women in IT

    • Gender diversity is directly correlated to IT performance.

    Recruit and Retain People of Color in IT

    • Good business, not just good philanthropy.

    Adapt Your Onboarding Process to a Virtual Environment

    • Develop short-term solutions with a long-term outlook to quickly bring in new talent.

    Bibliography

    2021 Recruiter Nation Report. Survey Analysis, Jobvite, 2021. Web.

    “5 Global Stats Shaping Recruiting Trends.” The Undercover Recruiter, 2022. Web.

    Barr, Tavis, Raicho Bojilov, and Lalith Munasinghe. "Referrals and Search Efficiency: Who Learns What and When?" The University of Chicago Press, Journal of Labor Economics, vol. 37, no. 4, Oct. 2019. Web.

    “How to grow your team better, faster with an employee referral program.” Betterup, 10 Jan. 2022. Web.

    “Employee Value Proposition: How 25 Companies Define Their EVP.” Built In, 2021. Web.

    Global Leadership Forecast 2021. Survey Report, DDI World, 2021. Web.

    “Connecting Unemployed Youth with Organizations That Need Talent.” Harvard Business Review, 3 November 2016. Web.

    Ku, Daniel. “Social Recruiting: Everything You Need To Know for 2022.” PostBeyond, 26 November 2021. Web.

    Ladders Staff. “Shedding light on the job search.” Ladders, 20 May 2013. Web.

    Merin. “Campus Recruitment – Meaning, Benefits & Challenges.” HR Shelf, 1 February 2022. Web.

    Mobile Recruiting. Smart Recruiters, 2020. Accessed March 2022.

    Roddy, Seamus. “5 Employee Referral Program Strategies to Hire Top Talent.” Clutch, 22 April 2020. Web.

    Sinclair, James. “What The F*dge: That's Your Stranger Recruiting Budget?” LinkedIn, 11 November 2019. Web.

    “Ten Employer Examples of EVPs.” Workology, 2022. Web

    “The Higher Cost of a Bad Hire.” Robert Half, 15 March 2021. Accessed March 2022.

    Trost, Katy. “Hiring with a 90% Success Rate.” Katy Trost, Medium, 8 August 2022. Web.

    “Using Social Media for Talent Acquisition.” SHRM, 20 Sept. 2017. Web.

    IBM i Migration Considerations

    • Buy Link or Shortcode: {j2store}109|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Strategy and Organizational Design
    • Parent Category Link: /strategy-and-organizational-design

    IBM i remains a vital platform and now many CIOs, CTOs, and IT leaders are faced with the same IBM i challenges regardless of industry focus: how do you evaluate the future viability of this platform, assess the future fit and purpose, develop strategies, and determine the future of this platform for your organization?

    Our Advice

    Critical Insight

    For organizations that are struggling with the iSeries/IBM i platform, resourcing challenges are typically the culprit. An aging population of RPG programmers and system administrators means organizations need to be more pro-active in maintaining in-house expertise. Migrating off the iSeries/IBM i platform is a difficult option for most organizations due to complexity, switching costs in the short term, and a higher long-term TCO.

    Impact and Result

    The most common tactic is for the organization to better understand their IBM i options and adopt some level of outsourcing for the non-commodity platform retaining the application support/development in-house. To make the evident, obvious; the options here for the non-commodity are not as broad as with commodity server platforms. Options include co-location, onsite outsourcing, managed and public cloud services.

    IBM i Migration Considerations Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. IBM i Migration Considerations – A brief deck that outlines key migration options for the IBM i platforms.

    This project will help you evaluate the future viability of this platform; assess the fit, purpose, and price; develop strategies for overcoming potential challenges; and determine the future of this platform for your organization.

    • IBM i Migration Considerations Storyboard

    2. Infrastructure Outsourcing IBM i Scoring Tool – A tool to collect vendor responses and score each vendor.

    Use this scoring sheet to help you define and evaluate IBM i vendor responses.

    • Infrastructure Outsourcing IBM i Scoring Tool
    [infographic]

    Further reading

    IBM i Migration Considerations

    Don’t be overwhelmed by IBM i migration options.

    Executive Summary

    Your Challenge

    IBM i remains a vital platform and now many CIO, CTO, and IT leaders are faced with the same IBM i challenges regardless of industry focus; how do you evaluate the future viability of this platform, assess the future fit and purpose, develop strategies, and determine the future of this platform for your organization?

    Common Obstacles

    For organizations that are struggling with the iSeries/IBM i platform, resourcing challenges are typically the culprit. An aging population of RPG programmers and system administrators means organizations need to be more proactive in maintaining in-house expertise. Migrating off the iSeries/IBM i platform is a difficult option for most organizations due to complexity, switching costs in the short term, and a higher long-term TCO.

    Info-Tech Approach

    The most common tactic is for the organization to better understand its IBM i options and adopt some level of outsourcing for the non-commodity platform, retaining the application support/development in-house. To make the evident, obvious: the options here for the non-commodity are not as broad as with commodity server platforms. Options include co-location, onsite outsourcing, managed hosting, and public cloud services.

    Info-Tech Insight

    “For over twenty years, IBM was ‘king,’ dominating the large computer market. By the 1980s, the world had woken up to the fact that the IBM mainframe was expensive and difficult, taking a long time and a lot of work to get anything done. Eager for a new solution, tech professionals turned to the brave new concept of distributed systems for a more efficient alternative. On June 21, 1988, IBM announced the launch of the AS/400, their answer to distributed computing.” (Dale Perkins)

    Review

    We help IT leaders make the most of their IBM i environment.

    Problem Statement:

    The IBM i remains a vital platform for many businesses and continues to deliver exceptional reliability and performance and play a key role in the enterprise. With the limited resources at hand, CIOs and the like must continually review and understand their migration path with the same regard as any other distributed system roadmap.

    This research is designed for:

    • IT strategic direction decision makers
    • IT managers responsible for an existing iSeries or IBM i platform
    • Organizations evaluating platforms for mission-critical applications

    This research will help you:

    1. Evaluate the future viability of this platform.
    2. Assess the fit, purpose, and price.
    3. Develop strategies for overcoming potential challenges.
    4. Determine the future of this platform for your organization.

    The “fit for purpose” plot

    Thought Model

    We will investigate the aspect of different IBM i scenarios as they impact business, what that means, and how that can guide the questions that you are asking as you move to an aligned IBM i IT strategy. Our model considers:

    • Importance to Business Outcomes
      • Important to strategic objectives
      • Provides competitive advantage
      • Non-commodity IT service or process
      • Specialized in-house knowledge required
    • Vendor’s Performance Advantage
      • Talent or access to skills
      • Economies of scale or lower cost at scale
      • Access to technology

    Info-Tech Insights

    With multiple control points to be addressed, care must be taken in simplifying your options while addressing all concerns to ease operational load.

    Map different 'IBM i' scenarios with axes 'Importance to Business Outcomes - Low to High' and 'Vendor’s Performance Advantage - Low to High'. Quadrant labels are '[LI/LA] Potentially Outsource: Service management, Help desk, desk-side support, Asset management', '[LI/HA] Outsource: Application & Infra Support, Web Hosting, SAP Support, Email Services, Infrastructure', '[HI/LA] Insource (For Now): Application development tech support', and '[HI/HA] Potentially Outsource: Onshore or offshore application maintenance'.

    IBM i environments are challenging

    “The IBM i Reality” – Darin Stahl

    Most members relying on business applications/workloads running on non-commodity platforms (zSeries, IBM i, Solaris, AIX, etc.) are first motivated to get out from under the perceived higher costs for the hardware platform.

    An additional challenge for non-commodity platforms is that from an IT Operations Management perspective they become an island with a diminishing number of integrated operations skills and solutions such as backup/restore and monitoring tools.

    The most common tactic is for the organization to adopt some level of outsourcing for the non-commodity platform, retaining the application support and development in-house.

    Key challenges with current IBM i environments:
    1. DR Requirements
      Understand what the business needs are and where users and resources are located.
    2. Market Lack of Expertise
      Skilled team members are hard to find.
    3. Cost Management
      There is a perceived cost disadvantage to managing on-prem solutions.
    4. Aging Support Teams
      Current support teams are aging with little backfill in skill and experience.

    Understand your options

    Co-Location

    A customer transitions their hardware environment to a provider’s data center. The provider can then manage the hardware and “system.”

    Onsite Outsourcing

    A provider will support the hardware/system environment at the client’s site.

    Managed Hosting

    A customer transitions their legacy application environment to an off-prem hosted, multi-tenanted environment.

    Public Cloud

    A customer can “re-platform” the non-commodity workload into public cloud offerings or in a few offerings “re-host.”

    Co-Location

    Provider manages the data center hardware environment.

    Abstract

    Here a provider manages the system data center environment and hardware; however, the client’s in-house IBM i team manages the IBM i hardware environment and the system applications. The client manages all of the licenses associated with the platform as well as the hardware asset management considerations. This is typically part of a larger services or application transformation. This effectively outsources the data center management while maintaining all IBM i technical operations in-house.

    Advantages

    • On-demand bandwidth
    • Cost effective
    • Secure and compliant environment
    • On-demand remote “hands and feet” services
    • Improved IT DR services
    • Data center compliance

    Considerations

    • Application transformation
    • CapEx cost
    • Fluctuating network bandwidth costs
    • Secure connectivity
    • Disaster recovery and availability of vendor
    • Company IT DR and BC planning
    • Remote system maintenance (HW)

    Info-Tech Insights

    This model is extremely attractive for organizations looking to reduce their data center management footprint. Idea for the SMB.

    Onsite Sourcing

    A provider will support the hardware/system environment at the client’s site.

    Abstract

    Here a provider will support and manage the hardware/system environment at the client’s site. The provider may acquire the customer’s hardware and provide software licenses. This could also include hiring or “rebadging” staff supporting the platform. This type of arrangement is typically part of a larger services or application transformation. While low risk, it is not as cost-effective as other deployment models.

    Advantages

    • Managed environment within company premises
    • Cost effective (OpEx expense)
    • Economies of scale
    • On-demand “as-a-service” model
    • Improved IT DR staffing services
    • 24x7 monitoring and support

    Considerations

    • Outsourced IT talent
    • Terms and contract conditions
    • IT staff attrition
    • Increased liability
    • Modified technical support and engagement
    • Secure connectivity and communication
    • Internal problem and change management

    Info-Tech Insights

    Depending on the application lifecycle and viability, in-house skill and technical depth is a key consideration when developing your IBM i strategy.

    Managed Hosting

    Transition legacy application environment to an off-prem hosted multi-tenanted environment.

    Abstract

    This type of arrangement is typically part of an application migration or transformation. In this model, a client can “re-platform” the application into an off-premises-hosted provider platform. This would yield many of the cloud benefits however in a different scaling capacity as experienced with commodity workloads (e.g. Windows, Linux) and the associated application.

    Advantages

    • Turns CapEx into OpEx
    • Reduces in-house need for diminishing or scarce human resources
    • Allows the enterprise to focus on the value of the IBM i platform through the reduction of system administrative toil
    • Improved IT DR services
    • Data center compliance

    Considerations

    • Application transformation
    • Network bandwidth
    • Contract terms and conditions
    • Modified technical support and engagement
    • Secure connectivity and communication
    • Technical security and compliance
    • Limited providers; reduced options

    Info-Tech Insights

    There is a difference between a “re-host” and “re-platform” migration strategy. Determine which solution aligns to the application requirements.

    Public Cloud

    Leverage “public cloud” alternatives with AWS, Google, or Microsoft AZURE.

    Abstract

    This type of arrangement is typically part of a larger migration or application transformation. While low risk, it is not as cost-effective as other deployment models. In this model, client can “re-platform” the non-commodity workload into public cloud offerings or in a few offerings “re-host.” This would yield many of the cloud benefits however in a different scaling capacity as experienced with commodity workloads (e.g. Windows, Linux).

    Advantages

    • Remote workforce accessibility
    • OpEx expense model
    • Improved IT DR services
    • Reduced infrastructure and system administration
    • Vendor management
    • 24x7 monitoring and support

    Considerations

    • Contract terms and conditions
    • Modified technical support and engagement
    • Secure connectivity and communication
    • Technical security and compliance
    • Limited providers; reduced options
    • Vendor/cloud lock-in
    • Application migration/”re-platform”
    • Application and system performance

    Info-Tech Insights

    This model is extremely attractive for organizations that consume primarily cloud services and have a large remote workforce.

    Understand your vendors

    • To best understand your options, you need to understand what IBM i services are provided by the industry vendors.
    • Within the following slides, you will find a defined activity with a working template that will create “vendor profiles” for each vendor.
    • As a working example, you can review the following partners:
    • Connectria (United States)
    • Rowton IT Solutions Ltd (United Kingdom)
    • Mid-Range (Canada)

    Info-Tech Insights

    Creating vendor profiles will help quickly filter the solution providers that directly meet your IBM i needs.

    Vendor Profile #1

    Rowton IT

    Summary of Vendor

    “Rowton IT thrive on creating robust and simple solutions to today's complex IT problems. We have a highly skilled and motivated workforce that will guarantee the right solution.

    Working with select business partners, we can offer competitive and cost effective packages tailored to suit your budget and/or business requirements.

    Our knowledge and experience cover vast areas of IT including technical design, provision and installation of hardware (Wintel and IBM Midrange), technical engineering services, support services, IT project management, application testing, documentation and training.”

    IBM i Services

    • ✔ IBM Power Hardware Sales
    • ✔ Co-Managed Services
    • ✔ DR/High Available Config
    • ✔ Full Managed Services
    • ✖ Co-Location Services
    • ✔ Public Cloud Services (AWS)

    URL
    rowtonit.com

    Regional Coverage:
    United Kingdom

    Logo for RowtonIT.com.

    Vendor Profile #2

    Connectria

    Summary of Vendor

    “Every journey starts with a single step and for Connectria, that step happened to be with the world’s largest bank, Deutsche Bank. Followed quickly by our second client, IBM. Since then, we have added over 1,000 clients worldwide. For 25 years, each customer, large or small, has relied on Connectria to deliver on promises made to make it easy to do business with us through flexible terms, scalable solutions, and straightforward pricing. Join us on our journey.”

    IBM i Services

    • ✔ IBM Power Hardware Sales
    • ✔ Co-Managed Services
    • ✔ DR/High Available Config
    • ✔ Full Managed Services
    • ✔ Co-Location Services
    • ✔ Public Cloud Services (AWS)

    URL
    connectria.com

    Regional Coverage:
    United States

    Logo for Connectria.

    Vendor Profile #3

    Mid-Range

    Summary of Vendor

    “Founded in 1988 and profitable throughout all of those 31 years, we have a solid track record of success. At Mid-Range, we use our expertise to assess your unique needs, in order to proactively develop the most effective IT solution for your requirements. Our full-service approach to technology and our diverse and in-depth industry expertise keep our clients coming back year after year.

    Serving clients across North America in a variety of industries, from small and emerging organizations to large, established enterprises – we’ve seen it all. Whether you need hardware or software solutions, disaster recovery and high availability, managed services or hosting or full ERP services with our JD Edwards offerings – we have the methods and expertise to help.”

    IBM i Services

    • ✔ IBM Power Hardware Sales
    • ✔ Co-Managed Services
    • ✔ DR/High Available Config
    • ✔ Full Managed Services
    • ✔ Co-Location Services
    • ✔ Public Cloud Services (AWS)

    URL
    midrange.ca

    Regional Coverage:
    Canada

    Logo for Mid-Range.

    Activity

    Understand your vendor options

    Activities:
    1. Create your vendor profiles
    2. Score vendor responses
    3. Develop and manage your vendor agenda

    This activity involves the following participants:

    • IT strategic direction decision makers
    • IT managers responsible for an existing iSeries or IBM i platform

    Outcomes of this step:

    • Vendor Profile Template
    • Completed IT Infrastructure Outsourcing Scoring Tool

    Info-Tech Insights

    This check-point process creates transparency around agreement costs with the business and gives the business an opportunity to re-evaluate its requirements for a potentially leaner agreement.

    1. Create your vendor profiles

    Define what you are looking for:

    • Create a vendor profile for every vendor of interest.
    • Leverage our starting list and template to track and record the advantages of each vendor.

    Mindshift

    First National Technology Solutions

    Key Information Systems

    MainLine

    Direct Systems Support

    T-Systems

    Horizon Computer Solutions Inc.

    Vendor Profile Template

    [Vendor Name]

    Summary of Vendor

    [Vendor Summary]
    *Detail the Vendor Services as a Summary*

    IBM i Services

    • ✔ IBM Power Hardware Sales
    • ✔ Co-Managed Services
    • ✔ DR/High Available Config
    • ✔ Full Managed Services
    • ✔ Co-Location Services
    • ✔ Public Cloud Services (AWS)
    *Itemize the Vendor Services specific to your requirements*

    URL
    https://www.url.com/
    *Insert the Vendor URL*

    Regional Coverage:
    [Country\Region]
    *Insert the Vendor Coverage & Locations*

    *Insert the Vendor Logo*

    2. Score your vendor responses

    Use the IT Infrastructure Outsourcing Scoring Tool to manage vendor responses.
    Use Info-Tech’s IT Infrastructure Outsourcing Scoring Tool to systematically score your vendor responses.

    The overall quality of the IBM i questions can help you understand what it might be like to work with the vendor.

    Consider the following questions:

    • Is the vendor clear about what it’s able to offer? Is its response transparent?
    • How much effort did the vendor put into answering the questions?
    • Does the vendor seem like someone you would want to work with?

    Once you have the vendor responses, you will select two or three vendors to continue assessing in more depth leading to an eventual final selection.

    Screenshot of the IT Infrastructure Outsourcing Scoring Tool's Scoring Sheet. There are three tables: 'Scoring Scale', 'Results', and one with 'RFP Questions'. Note on Results table says 'Top Scoring Vendors', and note on questions table says 'List your IBM i questions (requirements)'.

    Info-Tech Insights

    Watch out for misleading scores that result from poorly designed criteria weightings.

    3. Develop your vendor agenda

    Vendor Conference Call

    Develop an agenda for the conference call. Here is a sample agenda:
    • Review the vendor questions.
    • Go over answers to written vendor questions previously submitted.
    • Address new vendor questions.

    Commonly Debated Question:
    Should vendors be asked to remain anonymous on the call or should each vendor mention their organization when they join the call?

    Many organizations worry that if vendors can identify each other, they will price fix. However, price fixing is extremely rare due to its consequences and most vendors likely have a good idea which other vendors are participating in the bid. Another thought is that revealing vendors could either result in a higher level of competition or cause some vendors to give up:

    • A vendor that hears its rival is also bidding may increase the competitiveness of its bid and response.
    • A vendor that feels it doesn’t have a chance may put less effort into the process.
    • A vendor that feels it doesn’t have real competition may submit a less competitive or detailed response than it otherwise would have.

    Vendor Workshop

    A vendor workshop day is an interactive way to provide context to your vendors and to better understand the vendors’ offerings. The virtual or in-person interaction also offers a great way to understand what it’s like to work with each vendor and decide whether you could build a partnership with them in the long run.

    The main focus of the workshop is the vendors’ service solution presentation. Here is a sample agenda for a two-day workshop:

    Day 1
    • Meet and greet
    • Welcome presentation with objectives, acquisition strategy, and company overview
    • Overview of the current IT environment, technologies, and company expectations
    • Question and answer session
    • Site walk
    Day 2
    • Review Day 1 activities
    • Vendor presentations and solution framing
    Use the IT Infrastructure Outsourcing Scoring Tool to manage vendor responses.

    Related Info-Tech Research

    Effectively Acquire Infrastructure Services
    Acquiring a service is like buying an experience. Don’t confuse the simplicity of buying hardware with buying an experience.

    Outsource IT Infrastructure to Improve System Availability, Reliability, and Recovery
    There are very few IT infrastructure components you should be housing internally – outsource everything else.

    Build Your Infrastructure Roadmap
    Move beyond alignment: Put yourself in the driver’s seat for true business value.

    Define Your Cloud Vision
    Make the most of cloud for your organization.

    Document Your Cloud Strategy
    Drive consensus by outlining how your organization will use the cloud.

    Create a Right-Sized Disaster Recovery Plan
    Close the gap between your DR capabilities and service continuity requirements.

    Create a Better RFP Process
    Improve your RFPs to gain leverage and get better results.

    Research Authors

    Photo of Darin Stahl, Principal Research Advisor, Info-Tech Research Group.Darin Stahl, Principal Research Advisor, Info-Tech Research Group

    Principal Research Advisor within the Infrastructure Practice and leveraging 38+ years of experience, his areas of focus include: IT Operations Management, Service Desk, Infrastructure Outsourcing, Managed Services, Cloud Infrastructure, DRP/BCP, Printer Management, Managed Print Services, Application Performance Monitoring (APM), Managed FTP, and non-commodity servers (zSeries, mainframe, IBM i, AIX, Power PC).

    Photo of Troy Cheeseman, Practice Lead, Info-Tech Research Group.Troy Cheeseman, Practice Lead, Info-Tech Research Group

    Troy has over 24 years of experience and has championed large, enterprise-wide technology transformation programs, remote/home office collaboration and remote work strategies, BCP, IT DRP, IT Operations and expense management programs, international right placement initiatives, and large technology transformation initiatives (M&A). Additionally, he has deep experience working with IT solution providers and technology (cloud) start-ups.

    Research Contributors

    Photo of Dan Duffy, President & Owner, Mid-Range.Dan Duffy, President & Owner, Mid-Range

    Dan Duffy is the President and Founder of Mid-Range Computer Group Inc., an IBM Platinum Business Partner. Dan and his team have been providing the Canadian and American IBM Power market with IBM infrastructure solutions including private cloud, hosting and disaster recovery, high availability and data center services since 1988. He has served on numerous boards and associations including the Toronto Users Group for Mid-Range Systems (TUG), the IBM Business Partners of the Americas Advisory Council, the Cornell Club of Toronto, and the Notre Dame Club of Toronto. Dan holds a Bachelor of Science from Cornell University.

    Photo of George Goodall, Executive Advisor, Info-Tech Research Group.George Goodall, Executive Advisor, Info-Tech Research Group

    George Goodall is an Executive Advisor in the Research Executive Services practice at Info-Tech Research Group. George has over 20 years of experience in IT consulting, enterprise software sales, project management, and workshop delivery. His primary focus is the unique challenges and opportunities in organizations with small and constrained IT operations. In his long tenure at Info-Tech, George has covered diverse topics including voice communications, storage, and strategy and governance.

    Bibliography

    “Companies using IBM i (formerly known as i5/OS).” Enlyft, 21 July 2021. Web.

    Connor, Clare. “IBM i and Meeting the Challenges of Modernization.” Ensono, 22 Mar. 2022. Web.

    Huntington, Tom. “60+ IBM i User Groups and Communities to Join?” HelpSystems, 16 Dec. 2021. Web.

    Perkins, Dale. “The Road to Power Cloud: June 21st 1988 to now. The Journey Continues.” Mid-Range, 1 Nov. 2021. Web.

    Prickett Morgan, Timothy. “How IBM STACKS UP POWER8 AGAINST XEON SERVERS.” The Next Platform, 13 Oct. 2015. Web.

    “Why is AS/400 still used? Four reasons to stick with a classic.” NTT, 21 July 2016. Web.

    Appendix

    Public Cloud Provider Notes

    Appendix –
    Cloud
    Providers


    “IBM Power (IBM i and AIX) workloads are also available in the so-called ‘cloud.’” (Darin Stahl)

    AWS

    Appendix –
    Cloud
    Providers



    “IBM Power (IBM i and AIX) workloads are also available in the so-called ‘cloud.’” (Darin Stahl)

    Google

    • Google Cloud console supports IBM Power Systems.
    • This offering provides cloud instances running on IBM Power Systems servers with PowerVM.
    • The service uses a per-day prorated monthly subscription model for cloud instance plans with different capacities of compute, memory, storage, and network. Standard plans are listed below and custom plans are possible.
    • There is no IBM i offering yet that we are aware of.
    • For AIX on Power, this would appear to be a better option than AWS (Converge Enterprise Cloud with IBM Power for Google Cloud).

    Appendix –
    Cloud
    Providers



    “IBM Power (IBM i and AIX) workloads are also available in the so-called ‘cloud.’” (Darin Stahl)

    Azure

    • Azure has partners using the Azure Dedicated Host offerings to deliver “native support for IBM POWER Systems to Azure data centres” (PowerWire).
    • Microsoft has installed Power servers in an couple Azure data centers and Skytap manages the IBM i, AIX, and Linux environments for clients.
    • As far as I am aware there is no ability to install IBM i or AIX within an Azure Dedicated Host via the retail interfaces – these must be worked through a partner like Skytap.
    • The cloud route for IBM i or AIX might be the easiest working with Skytap and Azure. This would appear to be a better option than AWS in my opinion.

    Appendix –
    Cloud
    Providers



    “IBM Power (IBM i and AIX) workloads are also available in the so-called ‘cloud.’” (Darin Stahl)

    IBM

    Get the Best Discount Possible With a Data-Driven Negotiation Approach

    • Buy Link or Shortcode: {j2store}610|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Selection & Implementation
    • Parent Category Link: /selection-and-implementation
    • Vendors have well-honed negotiation strategies that don’t prioritize the customer’s best interest, and they will take advantage of your weaknesses to extract as much money as they can from the deal.
    • IT teams are often working with time pressure and limited resources or experience in negotiation. Even those with an experienced procurement team aren’t evenly matched with the vendor when it comes to the ins and outs of the product.
    • As a result, many have a poor negotiation experience and fail to get the discount they wanted, ultimately leading to dissatisfaction with the vendor.

    Our Advice

    Critical Insight

    • Requirements should always come first, but IT leaders are under pressure to get discounts and cost ends up playing a big role in decision making.
    • Cost is one of the top factors influencing satisfaction with software and the decision to leave a vendor.
    • The majority of software customers are receiving a discount. If you’re in the minority who are not, there are strategies you can and should be using to improve your negotiating skills. Discounts of up to 40% off list price are available to those who enter negotiations prepared.

    Impact and Result

    • SoftwareReviews data shows that there are multiple benefits to taking a concerted approach to negotiating a discount on your software.
    • The most common ways of getting a discount (e.g. volume purchasing) aren’t necessarily the best methods. Choose a strategy that is appropriate for your organization and vendor relationship and that focuses on maximizing the value of your investment for the long term. Optimizing usage or licenses as a discount strategy leads to the highest software satisfaction.
    • Using a vendor negotiation service or advisory group was one of the most successful strategies for receiving a discount. If your team doesn’t have the right negotiation expertise, Info-Tech can help.

    Get the Best Discount Possible With a Data-Driven Negotiation Approach Research & Tools

    Prepare to negotiate

    Leverage insights from SoftwareReviews data to best position yourself to receive a discount through your software negotiations.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    • Get the Best Discount Possible with a Data-Driven Negotiation Approach Storyboard
    [infographic]

    The Accessibility Business Case for IT

    • Buy Link or Shortcode: {j2store}519|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Lead
    • Parent Category Link: /lead
    • Laws requiring digital accessibility are changing and differ by location.
    • You need to make sure your digital assets, products, and services (internal and external) are accessible to everyone, but getting buy-in is difficult.
    • You may not know where your gaps in understanding are because conventional thinking is driven by compliance and risk mitigation.

    Our Advice

    Critical Insight

    • The longer you put off accessibility, the more tech debt you accumulate and the more you risk losing access to new and existing markets. The longer you wait to adopt standards and best practices, the more interest you’ll accumulate on accessibility barriers and costs for remediation.
    • Implementing accessibility feels counterintuitive to IT departments. IT always wants to optimize and move forward, but with accessibility you may stay at one level for what feels like an uncomfortably long period. Don’t worry; building consistency and shifting culture takes time.
    • Accessibility goes beyond compliance, which should be an outcome, not the objective. With 1 billion people worldwide with some form of disability, nearly everyone likely has a connection to disability, whether it be in themselves, family, or colleagues. The market of people with disabilities has a spending power of more than $6 trillion (WAI, 2018).

    Impact and Result

    • Take away the overwhelm that many feel when they hear “accessibility” and make the steps for your organization approachable.
    • Clearly communicate why accessibility is critical and how it supports the organization’s key objectives and initiatives.
    • Understand your current state related to accessibility and identify areas for key initiatives to become part of the IT strategic roadmap.

    The Accessibility Business Case for IT Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. The Accessibility Business Case for IT – Clearly communicate why accessibility is critical and how it supports the organization’s key objectives and initiatives.

    A step-by-step approach to walk you through understanding your current state related to accessibility maturity, identifying your desired future state, and building your business case to seek buy-in. This storyboard will help you figure out what’s right for your organization and build the accessibility business case for IT.

    • The Accessibility Business Case for IT – Phases 1-3

    2. Accessibility Business Case Template – A clear, concise, and compelling business case template to communicate the criticality of accessibility.

    The business case for accessibility is strong. Use this template to communicate to senior leaders the benefits, challenges, and risks of inaction.

    • Accessibility Business Case Template

    3. Accessibility Maturity Assessment – A structured tool to help you identify your current accessibility maturity level and identify opportunities to ensure progress.

    This tool uses a capability maturity model framework to evaluate your current state of accessibility. Maturity level is assessed on three interconnected aspects (people, process, and technology) across six dimensions proven to impact accessibility. Complete the assessment to get recommendations based on where you’re at.

    • Accessibility Maturity Assessment

    Infographic

    Further reading

    The Accessibility Business Case for IT

    Accessibility goes beyond compliance

    Analyst Perspective

    Avoid tech debt related to accessibility barriers

    Accessibility is important for individuals, businesses, and society. Diverse populations need diverse access, and it’s essential to provide access and opportunity to everyone, including people with diverse abilities. In fact, access to information and communications technologies (ICT) is a basic human right according to the United Nations.

    The benefits of ICT accessibility go beyond compliance. Many innovations that we use in everyday life, such as voice activation, began as accessibility initiatives and ended up creating a better lived experience for everyone. Accessibility can improve user experience and satisfaction, and it can enhance your brand, drive innovation, and extend your market reach (WAI, 2022).

    Although your organization might be required by law to ensure accessibility, understanding your users’ needs and incorporating them into your processes early will determine success beyond just compliance.

    Heather Leier-Murray, Senior Research Analyst, People and Leadership

    Heather Leier-Murray
    Senior Research Analyst, People and Leadership
    Info-Tech Research Group

    Executive Summary

    Your Challenge Common Obstacles Info-Tech’s Approach

    Global IT and business leaders are challenged to make digital products and services accessible because inaccessibility comes with increasing risk to brand reputation, legal ramifications, and constrained market reach.

    • Laws requiring digital accessibility are changing and differ by location.
    • You need to make sure your digital assets, products, and services (internal and external) are accessible to everyone.
    • The cost of inaction is rising.

    Understanding where to start, where accessibility lives, and if or when you’re done can be overwhelmingly difficult.

    • Executive leadership buy-in is difficult to get.
    • Conventional thinking is driven by compliance and risk mitigation.
    • You don’t know where your gaps in understanding are.

    Conventional approaches to accessibility often fail because users are expected to do the hard work. You have to be doing 80% of the hard work.1

    Use Info-Tech’s research and resources to do what’s right for your organization. This framework takes away the overwhelm that many feel when they hear “accessibility” and makes the steps for your organization approachable.

    • Clearly communicate why accessibility is critical and how it supports the organization’s key objectives and initiatives.
    • Understand your current state related to accessibility and identify areas for key initiatives to become part of the IT strategic roadmap.

    1. Harvard Business Review, 2021

    Info-Tech Insight
    The longer you put off accessibility, the more tech debt you accumulate and the more you risk losing access to new and existing markets. The longer you wait to adopt standards and best practices, the more interest you’ll accumulate on accessibility barriers and costs for remediation.

    Your challenge

    This research is designed to help organizations who are looking to:

    • Build a business case for accessibility.
    • Ensure that digital assets, products, and services are accessible to everyone, internally and externally.
    • Support staff and build skills to support the organization with accessibility and accommodation.
    • Get assistance figuring out where to start on the road to accessibility compliance and beyond.

    The cost of inaction related to accessibility is rising. Preparing for accessibility earlier helps prevent tech debt; the longer you wait to address your accessibility obligations, the more costly it gets.

    More than 3,500 digital accessibility lawsuits were filed in the US in 2020, up more than 50% from 2018.

    Source: UsableNet. Inc.

    Common obstacles

    These barriers make accessibility difficult to address for many organizations:

    • You don’t know where your gaps in understanding are. Recognizing the importance of accessibility and how it fits into the bigger picture is key to developing buy-in.
    • Too often organizations focus on mitigating risk by being compliance driven. Shifting focus to the user experience, internally and externally, will realize better results.
    • Conventional approaches to accessibility often fail because the expectation is for users to do the hard work. One in five people have a permanent disability, but it’s likely everyone will be faced with some sort of disability at some point in their lives.1 Your organization has to be doing at least 80% of the hard work.2
    • Other types of compliance reside clearly with one area of the organization. Accessibility, however, has many homes: IT, user experience (UX), customer experience (CX), and even HR.

    1. Smashing Magazine

    2. Harvard Business Review, 2021

    90% of companies claim to prioritize diversity.

    Source: Harvard Business Review, 2020

    Only 4% of those that claim to prioritize diversity consider disability in those initiatives.

    Source: Harvard Business Review, 2020

    The four principles of accessibility

    WCAG (Web Content Accessibility Guidelines) identifies four principles of accessibility. WCAG is the most referenced standard in website accessibility lawsuits.

    The four principles of accessibility

    Source: eSSENTIAL Accessibility, 2022

    Why organizations address accessibility

    Top three reasons:

    61% 62% 78%
    To comply with laws To provide the best UX To include people with disabilities

    Source: Level Access

    Still, most businesses aren’t meeting compliance standards. Even though legislation has been in place for over 30 years, a 2022 study by WebAIM of 1,000,000 homepages returned a 96.8% WCAG 2.0 failure rate.

    Source: Institute for Disability Research, Policy, and Practice

    How organizations prioritize digital accessibility

    43% rated it as a top priority.

    36% rated it as important.

    Fewer than 5% rated as either low priority or not even on the radar.

    More than 65% agreed or strongly agreed it’s a higher priority than last year.

    Source: Angel Business Communications

    Organizations expect consumers to do more online

    The pandemic led to many businesses going digital and more people doing things online.

    Chart of activities performed more often compared to before COVID-19

    Chart of activities performed for the first time during COVID-19

    Source: Statistics Canada

    Disability is part of being human

    Merriam-Webster defines disability as a “physical, mental, cognitive, or developmental condition that impairs, interferes with, or limits a person’s ability to engage in certain tasks or actions or participate in typical daily activities and interactions.”1

    The World Health Organization (WHO) points out that a crucial part of the definition of disability is that it’s not just a health problem, but the environment impacts the experience and extent of disability. Inaccessibility creates barriers for full participation in society.2

    The likelihood of you experiencing a disability at some point in your life is very high, whether a physical or mental disability, seen or unseen, temporary or permanent, severe or mild.2

    Many people acquire disabilities as they age yet may not identify as “a person with a disability.”3 Where life expectancies are over 70 years of age, 11.5% of life is spent living with a disability. 4

    “Extreme personalization is becoming the primary difference in business success, and everyone wants to be a stakeholder in a company that provides processes, products, and services to employees and customers with equitable, person-centered experiences and allows for full participation where no one is left out.”
    – Paudie Healy, CEO, Universal Access

    1. Merriam-Webster
    2. World Health Organization
    3. Digital Leaders, as cited in WAI, 2018
    4. Disabled World, as cited in WAI, 2018

    Untapped talent resource

    Common myths about people with disabilities:

    • They can’t work.
    • They need more time off or are absent more often.
    • Only basic, unskilled work is appropriate for them.
    • Their productivity is lower than that of coworkers.
    • They cost more to recruit, train, and employ.
    • They decrease others’ productivity.
    • They’re not eligible for governmental financial incentives (e.g. apprentices).
    • They don’t fit in.

    These assumptions prevent organizations from hiring valuable people into the workforce and retaining them.

    Source: Forbes

    50% to 70% of people with disabilities are unemployed in industrialized countries. In the US alone, 61 million adults have a disability.

    Source: United Nations, as cited in Forbes

    Thought Model

    Info-Tech’s methodology for the accessibility business case for IT

    1. Understand Current State 2. Plan for Buy-in 3. Prepare Your Business Case
    Phase Steps
    1. Understand standards and legislation
    2. Build awareness
    3. Understand current accessibility maturity level Define desired future state
    1. Define desired future state
    2. Define goals and objectives
    3. Document roles and responsibilities
    1. Customize and populate the Accessibility Business Case Template and gain approval
    2. Validate post-approval steps and establish timelines
    Phase Outcomes
    • Accessibility maturity assessment
    • Accessibility drivers determined
    • Goals defined
    • Objectives identified
    • Roles and responsibilities documented
    • Business case drafted
    • Approval to move forward with implementing your accessibility program
    • Next steps and timelines

    Insight Summary

    Insight 1 The longer you put off accessibility, the more tech debt you accumulate and the more you risk losing access to new and existing markets. The longer you wait to adopt standards and best practices, the more interest you’ll accumulate on accessibility barriers and costs for remediation.
    Insight 2 Implementing accessibility feels counterintuitive to IT departments. IT always wants to optimize and move forward, but with accessibility you may stay at one level for what feels like an uncomfortably long period. Don’t worry; building consistency and shifting culture takes time.
    Insight 3 Accessibility goes beyond compliance, which should be an outcome, not the objective. With 1 billion people worldwide with some form of disability, nearly everyone likely has a connection to disability, whether it be in themselves, family, or colleagues. The market of people with disabilities has a spending power of more than $6 trillion.1

    1. WAI, 2018

    Blueprint deliverables

    This blueprint is accompanied by supporting deliverables to help you accomplish your goals.

    Accessibility Business Case Template

    The business case for accessibility is strong. Use this template to communicate to senior leaders the benefits and challenges of accessibility and the risks of inaction.

    Accessibility Maturity Assessment

    Use this assessment to understand your current accessibility maturity.

    Blueprint benefits

    Business Benefits IT Benefits
    • Don’t lose out on a 6-trillion-dollar market.
    • Don’t miss opportunities to work with organizations because you’re not accessible.
    • Enable and empower current employees with disabilities.
    • Minimize potential for negative brand reputation due to a lack of consideration for people with disabilities.
    • Decrease the risk of legal action being brought upon the organization.
    • Understand accessibility and know your role in it for your organization and your team members.
    • Be prepared and able to provide the user experience you want.
    • Decrease tech debt – start early to ensure accessibility for everyone.
    • Access an untapped labor market.
    • Mitigate IT retention challenges.

    Measure the value of this blueprint

    Improve stakeholder satisfaction and engagement

    • Tracking measures to understand the value of this blueprint is a critical part of the process.
    • Monitor employee engagement, overall stakeholder satisfaction with IT, and the overall end-customer satisfaction.
    • Remember, accessibility is not a one-and-done project – just because measures are positive does not mean your work is done.

    In phase 2 of this blueprint, we will help you establish current-state and target-state metrics for your organization.

    Suggested Metrics
    Overall end-customer satisfaction
    Monies saved through cost optimization efforts
    Employee engagement
    Monies save through application rationalization and standardization

    For more metrics ideas, see the Info-Tech IT Metrics Library.

    Executive Brief Case Study

    INDUSTRY
    Technology

    SOURCE
    W3C Web Accessibility Initiative (WAI), 2018

    Google

    Investing in accessibility
    With an innovative edge, Google invests in accessibility with the objective of making life easier for everyone. Google has created a broad array of accessibility innovations in its products and services so that people with disabilities get as much out of them as anyone else.

    Part of Google’s core mission, accessibility means more to Google than implementing fixes. It is viewed positively by the organization and drives it to be more innovative to make information available to everyone. Google approaches accessibility problems not as barriers but as ways to innovate and discover breakthroughs that will become mainstream in the future.

    Results
    Among Google’s innovations are contrast minimums, auto-complete, voice-control, AI advances, and machine learning auto-captioning. All of these were created for accessibility purposes but have positively impacted the user experience in general for Google.

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit Guided Implementation Workshop Consulting
    "Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful." "Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track." "We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place." "Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project."

    Diagnostics and consistent frameworks are used throughout all four options.

    Guided Implementation

    A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

    A typical GI is 4 to 6 calls over the course of 2 to 4 months.

    What does a typical GI on this topic look like?

    Phase 1 Phase 2 Phase 3

    Call #1: Discuss motivation for the initiative and foundational knowledge requirements.

    Call #2: Discuss next steps to assess current accessibility maturity.

    Call #3: Discuss stakeholder engagement and future-state analysis.

    Call #4: Discuss defining goals and objectives, along with roles and responsibilities.

    Call #5: Review draft business case presentation.

    Call #6: Discuss post-approval steps and timelines.

    Phase 1

    Understand Your Current State

    Phase 1
    1.1 Understand standards and legislation
    1.2 Build awareness
    1.3 Understand maturity level

    Phase 2
    2.1 Define desired future state
    2.2 Define goals and objectives
    2.3 Document roles and responsibilities

    Phase 3
    3.1 Prepare business case template for presentation and approval
    3.2 Validate post-approval steps and establish timelines

    The Accessibility Business Case for IT

    This phase will walk you through the following activities:

    • Identifying and understanding accessibility and compliance requirements and the ramifications of noncompliance.
    • Defining accessibility, disability, and disability inclusion and building awareness of these with senior leaders.
    • Completing the Accessibility Maturity Assessment to help you understand your current state.

    Step 1.1

    Understand standards and legislation

    Activities

    1.1.1 Make a list of the legislation you need to comply with

    1.1.2 Seek legal and/or professional services’ input on compliance

    1.1.3 Detail the risks of inaction for your organization

    Understand Your Current State

    Outcomes of this step
    You will gain foundational understanding of the breadth of the regulation requirements for your organization. You will have reviewed and understand what is applicable to your organization.

    The regulatory landscape is evolving

    Canada

    • Canadian Human Rights Act
    • Policy on Communications and Federal Identity
    • Canadian Charter of Rights and Freedoms
    • Accessibility for Ontarians with Disabilities Act
    • Accessible Canada Act of 2019 (ACA)

    Europe

    • UK Equality Act 2010
    • EU Web and Mobile Accessibility Directive (2016)
    • EN 301 549 European Standard – Accessibility requirements for public procurement of ICT products and services

    United States

    • Section 508 of the US Rehabilitation Act of 1973
    • Americans with Disabilities Act of 1990 (ADA)
    • Section 255 of the Telecommunications Act of 1996
    • Air Carrier Access Act of 1986
    • 21st Century Communications and Video Accessibility Act of 2010 (CVAA)

    New Zealand

    • Human Rights Act 1993
    • Online Practice Guidelines for Government

    Australia

    • Disability Discrimination Act 1992 (DDA)

    Regulatory systems are moving toward an international standard.

    1.1.1 Make a list of the legislation you need to comply with

    1. Download the Accessibility Business Case Template.
    2. Conduct research and investigate what legislation and standards are applicable to your organization.
    3. a) Start by looking at your local legislation.
      b) Then consider any other regions you conduct business in.
      c) Also account for the various industries you are in.
    4. While researching, build a list of legislation requirements. Document these in your Accessibility Business Case Template as part of the Project Context section.
    Input Output
    • Research
    • Websites
    • Articles
    • List of legislation that applies to the organization related to accessibility
    Materials Participants
    • Accessibility Business Case Template
    • Project leader/initiator

    Download the Accessibility Business Case Template

    1.1.2 Seek professional advice on compliance

    1. Have general counsel review your list of regulations and standards related to accessibility or seek legal and/or professional support to review your list.
    2. Review or research further the implications of any suggestions from legal counsel.
    3. Make any updates to the Legal Landscape slide in the Accessibility Business Case Template.
    Input Output
    • Compiled list of applicable legislation and standards
    • Confirmed list of regulations that are applicable to your organization related to accessibility
    Materials Participants
    • Accessibility Business Case Template
    • Project leader/initiator
    • General counsel/professional services

    Download the Accessibility Business Case Template

    Ramifications of noncompliance

    Go beyond financial consequences

    Beyond the costs resulting from a claim, noncompliance can damage your organization in several ways.

    Financial Impact

    ADA Warning Shot: A complaint often indicates pending legal action to come. Addressing issues on a reactive, ad hoc basis can be quite expensive. It can cost almost $10,000 to address a single complaint, and chances are if you have one complaint, you have many.

    Lawsuit Costs: In the US, 265,000 demand letters were sent in 2020 under the ADA for inaccessible websites. On average, a demand letter could cost the company $25,000 (conservatively). These are low-end numbers; another estimate is that a small, quickly settled digital accessibility lawsuit could cost upwards of $350,000 for the defendant.

    Non-Financial Impact

    Reputational Impact: Claims brought upon a company can bring negative publicity with them. In contrast, having a clear commitment to accessibility demonstrates inclusion and can enhance brand image and reputation. Stakeholder expectations are changing, and consumers, investors, and employees alike want to support businesses with a purpose.

    Technology Resource Strains: Costly workarounds and ad hoc accommodation processes take away from efficiency and effectiveness. Updates and redesigns for accessibility and best practices will reduce costs associated with maintenance and service, including overall stakeholder satisfaction improvements.

    Access to Talent: 2022 saw a record high number of job openings, over 11.4 million in the US alone. Ongoing labor shortages require eliminating bias and keeping an open mind about who is qualified.

    Source: May Hopewell

    In the last four years, 83% of the retail 500 have been sued. Since 2018, 417 of the top 500 have received ADA-based digital lawsuits.

    Source: UsableNet

    1.1.3 Detail the risks of inaction for your organization

    1. Using the information that you’ve gathered through your research and legal/professional advice, detail the risks of inaction for your organization.
    2. a) Consider legal risks, consumer risks, brand risks, and employee risks. (Remember, risks aren’t just monetary.)
    3. Document the risks in your Accessibility Business Case Template.
    InputOutput
    • List of applicable legislation and standards
    • Information about risks
    • Identified accessibility maturity level
    MaterialsParticipants
    • Accessibility Business Case Template
    • Project leader/initiator

    Download the Accessibility Business Case Template

    Step 1.2

    Build awareness of accessibility and disability inclusion

    Activities

    1.2.1 Identify gaps in understanding

    1.2.2 Brainstorm how to reframe accessibility positively

    Understand Your Current State

    Outcomes of this step
    You’ll have a better understanding of accessibility so that you can effectively implement and promote it.

    Where to look for understanding

    First-hand experience of how people with disabilities interact with your organization is often eye-opening. It will help you understand the benefits and value of accessibility.

    Where to look for understanding

    • Talk with people you know with disabilities that are willing to share.*
    • Find role-specific training that’s appropriate.
    • Research. Articles and videos are easy to find.
    • Set up assistive technology trials.
    • Seek out first-hand experience from people with disabilities and how they work and use digital assets.

    Source: WAI, 2016

    * Remember, people with disabilities aren't obligated to discuss or explain their disabilities and may not be comfortable sharing. If you're asking for their time, be respectful, only ask if appropriate, and accept a "no" answer if the person doesn't wish to assist.

    1.2.1 Identify gaps in understanding

    Find out what accessibility is and why it is important. Learn the basics.

    1. Using the information that you’ve gathered through your research and legal counsel, conduct further research to understand the importance of accessibility.
    2. Answer these questions:
    3. a) What is accessibility? Why is it important?
      b) From the legislation and standards identified in step 1.1, what gaps exist?
      c) What is the definition of disability?
      d) How does your organization currently address accessibility?
      e) What are your risks?
      f) Do you have any current employees who have disabilities?
    4. Review the previous slide for suggestions on where to find more information to answer the above questions.
    5. Document any changes to the risks in your Accessibility Business Case Template.
    InputOutput
    • Articles
    • Interviews
    • Websites
    • Greater understanding of the lived experience of people with disabilities
    MaterialsParticipants
    • Articles
    • Websites
    • Accessibility Business Case Template
    • Project leader/initiator

    Download the Accessibility Business Case Template

    Reframe accessibility as a benefit, not a burden

    A clear understanding of accessibility and the related standards and regulations can turn accessibility from something big and scary to an achievable part of the business.

    The benefits of accessibility are:

    Market Reach Minimized Legal Risks Innovation Retention
    Over 1 billion people with a spending power of $6 trillion make up the global market of people with disabilities.1 Accessibility improves the experience for all users. In addition, many organizations require you to provide proof you meet accessibility standards during the RFP process. Accessibility regulations are changing, and claims are rising. Costs associated with legal proceedings can be more than just financial. Many countries have laws you need to follow. People with disabilities bring diversity of thought, have different lived experiences, and benefit inclusivity, which helps drive engagement. Plus accessibility features often solve unanticipated problems. Employing and supporting people with disabilities can reduce turnover and improve retention, reliability, company image, employee loyalty, ability awareness, and more.

    Source 1: WAI, 2018

    1.2.2 Brainstorm ways to reframe accessibility positively

    1. Using the information that you’ve gathered through your research, brainstorm additional positives of accessibility for your organization.
    2. Clearly identify the problem you want to solve (e.g., reframing accessibility positively in your organization).
    3. Collect any tools you want to use to during brainstorming (e.g., whiteboard, markers, sticky notes)
    4. Write down all the ideas that come to mind.
    5. Review all the points and group them into themes.
    6. Update the Accessibility Business Case Template with your findings.
    InputOutput
    • Research you have gathered
    • List of ways to positively reframe accessibility for your organization
    MaterialsParticipants
    • Sticky notes, whiteboard, pens, paper, markers.
    • Accessibility Business Case Template
    • Project leader/initiator

    Download the Accessibility Business Case Template

    Make it part of the conversation

    A first step to disability and accessibility awareness is to talk about it. When it is talked about as freely as other things are in the workplace, this can create a more welcoming workplace.

    Accessibility goes beyond physical access and includes technological access and support as well as our attitudes.

    Accessibility is making sure everyone (disabled or abled) can access the workplace equally.

    Adjustments in the workplace are necessary to create an accessible and welcoming environment. Understanding the three dimensions of accessibility in the workplace is a good place to start.

    Source: May Hopewell

    Three dimensions of accessibility in the workplace

    Three dimensions of accessibility in the workplace

    Case Study

    INDUSTRY
    Professional Services

    SOURCE
    Accenture

    Accenture takes an inclusive approach to increase accessibility.

    Accessibility is more than tools

    Employee experience was the focus of embarking on the accessibility journey, ensuring inclusivity was built in and every employee was able to use the tools they needed and could achieve their goals.

    "We are removing barriers in technology to make all of our employees, regardless of their ability, more productive.”
    — Melissa Summers, Managing Director – Global IT, Corporate Technology, Accenture

    Accessibility is inclusive

    The journey began with formalizing a Global IT Accessibility practice and defining an accessibility program charter. This provided direction and underpinned the strategy used to create a virtual Accessibility Center of Excellence and map out a multiyear plan of initiatives.

    The team then identified all the technologies they wanted to enhance by prioritizing ones that were high use and high impact. Involving disability champions gave insight into focus areas.

    Accessibility is innovation

    Working with partners like Microsoft and over 100 employees, Accenture continues toward the goal of 75% accessibility for all its global high-traffic internal platforms.

    Achievements thus far include:

    • 100% of new Accenture video and broadcast content is automatically captioned.
    • Accenture received a perfect Disability Equality Index (US) score of 100 out of 100 for 2017, 2018, and 2019.

    Step 1.3

    Understand your current accessibility maturity level

    Activities

    1.3.1 Complete the Accessibility Maturity Assessment

    Understand Your Current State

    Outcomes of this step
    Completed Accessibility Maturity Assessment to inform planning for and building your business case in Phases 2 and 3.

    Know where you are to know where to go

    Consider accessibility improvements from three interconnected aspects to determine current maturity level

    Accessibility Maturity

    People

    • Consider employee, customer, and user experience.

    Process

    • Review processes to ensure accessibility is considered early.

    Technology

    • Whether it’s new or existing, technology is an important tool to increase accessibility.

    Accessibility maturity levels

    INITIAL DEVELOPING DEFINED MANAGED OPTIMIZE
    At this level, accessibility processes are mostly undocumented, if they exist. Accessibility is most likely happening on a reactive, ad hoc basis. No one understands who is responsible for accessibility or what their role is. At this stage the organization is driven by the need for compliance. At the developing level, the organization is taking steps to increase accessibility but still has a lot of opportunity for improvements. The organization is defining and refining processes and is working toward building a library of assistive tools. At this level, processes related to accessibility are repeatable. However, there’s a tendency to resort to old habits under stress. The organization has tools in place to facilitate accommodation requests and technology is compatible with assistive technologies. Accessibility initiatives are driven by the desire to make the user experience better. The managed level is defined by its effective accessibility controls, processes, and metrics. The organization can mostly anticipate preferences of customers, employees, and users. The roles and responsibilities are defined, and disability is included as part of the organization’s diversity, equity, and inclusion (DEI) initiatives. This level is not the goal for all organizations. At this level there is a shift in the organization’s culture to a feeling of belonging. The organization also demonstrates ongoing process improvements. Everyone can experience a seamless interaction with the organization. The focus is on continuous improvement and using feedback to inform future initiatives.

    Determine your level of maturity

    Use Info-Tech’s Accessibility Maturity Assessment

    • On the accessibility questionnaire, tab 2, choose how much the statements apply to your organization. Answer the questions based on your knowledge of your current state organizationally.
    • Once you’ve answered all the questions, see the results on the tab 3, Accessibility Results. You can see your overall maturity level and the maturity level for each of six dimensions that are necessary to increase the success of an accessibility program.
    • Click through to tab 4, Recommendations, to see specific recommendations based on your results and proven research to progress through the maturity levels. Keep in mind that not all organizations will or should aspire to the “Optimize” maturity level.

    1.3.1 Complete the Accessibility Maturity Assessment

    1. Download the Accessibility Maturity Assessment and save it with the date so that as you work on your accessibility program, you can reassess later and track your progress.
    2. Once you have saved the assessment, select the appropriate answer for each statement on tab 2, Accessibility Questions, based on your knowledge of the organization’s approach.
    3. After reviewing all the accessibility statements, see your maturity level results on tab 3, Accessibility Results. Then see tab 4, Recommendations, for suggestions based on your answers.
    4. Document your accessibility maturity results in your Accessibility Business Case Template.
    Input Output
    • Assess your current state of accessibility by choosing all the statements that apply to your organization
    • Identified accessibility maturity level
    Materials Participants
    • Accessibility Maturity Assessment
    • Accessibility Business Case Template
    • Project leader/sponsor
    • IT leadership team

    Download the Accessibility Business Case Template

    Phase 2

    Plan for Senior Leader Buy-In

    Phase 1
    1.1 Understand standards and legislation
    1.2 Build awareness
    1.3 Understand maturity level

    Phase 2
    2.1 Define desired future state
    2.2 Define goals and objectives
    2.3 Document roles and responsibilities

    Phase 3
    3.1 Prepare business case template for presentation and approval
    3.2 Validate post-approval steps and establish timelines

    The Accessibility Business Case for IT

    This phase will walk you through the following activities:

    • Defining your desired future state.
    • Determining your accessibility program goals and objectives.
    • Clarifying and documenting roles and responsibilities related to accessibility in IT.

    This phase involves the following participants:

    • Project lead/sponsor
    • IT leadership team
    • Senior leaders/decision makers

    Step 2.1

    Define the desired future state of accessibility

    Activities

    2.1.1 Identify key stakeholders

    2.1.2 Hold a key stakeholder focus group

    2.1.3 Conduct a future-state analysis

    Outcomes of this step
    Following this step, you will have identified your aspirational maturity level and what your accessibility future state looks like for your organization.

    Plan for Senior Leader Buy-In

    Cheat sheet: Identify stakeholders

    Ask stakeholders, “Who else should I be talking to?” to discover additional stakeholders and ensure you don’t miss anyone.

    Identify stakeholders through the following questions:
    • Who in areas of influence will be adversely affected by potential environmental and social impacts of what you are doing?
    • At which stage will stakeholders be most affected (e.g. procurement, implementation, operations, decommissioning)?
    • Will other stakeholders emerge as the phases are started and completed?
    • Who is sponsoring the initiative?
    • Who benefits from the initiative?
    • Who is negatively impacted by the initiative?
    • Who can make approvals?
    • Who controls resources?
    • Who has specialist skills?
    • Who implements the changes?
    • Who are the owners, governors, customers, and suppliers of impacted capabilities or functions?
    Take a 360-degree view of potential internal and external stakeholders who might be impacted by the initiative.
    • Executives
    • Peers
    • Direct reports
    • Partners
    • Customers
    • Subcontractors
    • Subcontractors
    • Contractors
    • Lobby groups
    • Regulatory agencies

    Categorize your stakeholders with a stakeholder prioritization map

    A stakeholder prioritization map helps teams categorize their stakeholders by their level of influence and ownership.

    There are four areas in the map, and the stakeholders within each area should be treated differently.

    Players – Players have a high interest in the initiative and the influence to effect change over the initiative. Their support is critical, and a lack of support can cause significant impediment to the objectives.

    Mediators – Mediators have a low interest but significant influence over the initiative. They can help to provide balance and objective opinions to issues that arise.

    Noisemakers – Noisemakers have low influence but high interest. They tend to be very vocal and engaged, either positively or negatively, but have little ability to enact their wishes.

    Spectators – Generally, spectators are apathetic and have little influence over or interest in the initiative.

    Stakeholder prioritization map

    Define strategies for engaging stakeholders by type

    Each group of stakeholders draws attention and resources away from critical tasks.

    By properly identifying your stakeholder groups, you can develop corresponding actions to manage stakeholders in each group. This can dramatically reduce wasted effort trying to satisfy Spectators and Noisemakers while ensuring the needs of the Mediators and Players are met.

    Type Quadrant Actions
    Players High influence, high interest Actively Engage
    Keep them engaged through continuous involvement. Maintain their interest by demonstrating their value to its success.
    Mediators High influence, low interest Keep Satisfied
    They can be the game changers in groups of stakeholders. Turn them into supporters by gaining their confidence and trust, and include them in important decision-making steps. In turn, they can help you influence other stakeholders.
    Noisemakers Low influence, high interest Keep Informed
    Try to increase their influence (or decrease it if they are detractors) by providing them with key information, supporting them in meetings, and using Mediators to help them.
    Spectators Low influence, low interest Monitor
    They are followers. Keep them in the loop by providing clarity on objectives and status updates.

    2.1.1 Identify key stakeholders

    Collect this information by:

    1. List direct stakeholders for your area. Include stakeholders across the organization (both IT and business units) and externally.
    2. Create a stakeholder map to capture your stakeholders’ interest in and influence on digital accessibility.
    3. Shortlist stakeholders to invite as focus group participants in activity 2.1.2.
      • Aim for a combination of Players, Mediators, and Noisemakers.
    Input Output
    • List of stakeholders
    • Stakeholder requirements
    • A stakeholder map
    • List of stakeholders to include in the focus group in step 2.1.2
    Materials Participants
    • Sticky notes, pens, whiteboard, markers (optional)
    • Project leader/sponsor

    Hold a focus group to initiate planning

    Involve key stakeholders to determine the organizational drivers of accessibility, identify target maturity and key performance indicators (KPIs), and ultimately build the project charter.

    Building the project charter as a group will help you to clarify your key messages and secure buy-in from critical stakeholders up-front, which is key.

    Executing the business case for accessibility requires significant involvement from your IT leadership team. The challenge is that accessibility can be overwhelming because of inherent bias. Members of your IT leadership team will also need to participate in knowledge transfer, so get them involved up-front. The focus group will help stakeholders feel more engaged in the project, which is pivotal for success.

    You may feel like a full project charter isn’t necessary, and depending on your organizational size, it might not be. However, the exercise of building the charter is important regardless. No matter your current climate, some level of socializing the value of and plans for accessibility will be necessary.

    Meeting Agenda

    1. Short introduction
      Led by: Project Sponsor
      • Why the initiative is being considered.
    2. Make the case for the project
      Led by: Project Manager
      • Current state: What does the initiative address?
      • Future state: What is our target state of maturity?
    3. Success criteria
      Led by: Project Manager
      • How will success be measured?
    4. Define the project team
      Led by: Project Manager
      • Description of planned approach.
      • Stakeholder assessment.
      • What is required of the sponsor and stakeholders?
    5. Determine next steps
      Led by: Project Manager

    2.1.2 Hold a stakeholder focus group

    Identify the pain points you want to resolve and some of the benefits that you’d like to see from a program. By doing so, you’ll get a holistic view of what you need to achieve and what your drivers are.

    1. Ask the working group participants (as a whole or in smaller groups) to discuss pain points created by inaccessibility.
      • Challenges related to stakeholders.
      • Challenges created by process issues.
      • Difficulties improving accessibility practices.
    2. Discuss opportunities to be gained from improving these practices.
    3. Have participants write these down on sticky notes and place them on a whiteboard or flip chart.
    4. Review all the points as a group. Group challenges and benefits into themes.
    5. Have the group prioritize the risks and benefits in terms of what the solution must have, should have, could have, and won’t have.
    Input Output
    • Reasons for the project
    • Stakeholder requirements
    • Pain points and risks
    • A prioritized list of risks and benefits of the solution
    Materials Participants
    • Agenda (see previous slide)
    • Sticky notes, pens, whiteboard, markers (optional)
    • IT leadership
    • Other key stakeholders

    While defining future state, consider your drivers

    The Info-Tech Accessibility Maturity Framework identifies three key strategic drivers: compliance, experience, and incorporation.

    • Over 30% of organizations are focused on compliance, according to a 2022 survey by Harvard Business Review and Slack’s Future Forum. The survey asked more than 10,000 workers in six countries about their organizations’ approach to DEI.2

    Even though 90% of companies claim to prioritize diversity,1 over 30% are focused on compliance.2

    1. Harvard Business Review, 2020
    2. Harvard Business Review, 2022

    31.6% of companies remain in the Compliant stage, where they are focused on DEI compliance and not on integrating DEI throughout the organization or on creating continual improvement.

    Source: Harvard Business Review, 2022

    Align the benefits of program drivers to organizational goals or outcomes

    Although there will be various motivating factors, aligning the drivers of your accessibility program provides direction to the program. Connecting the advantages of program drivers to organizational goals builds the confidence of senior leaders and decision makers, increasing the continued commitment to invest in accessibility programming.

    Drivers Compliance Experience Incorporation
    Maturity level Initial Developing Defined Managed Optimized
    Description Any accessibility initiative is to comply with the minimum legislated requirement. Desire to avoid/decrease legal risk. Accessibility initiatives are focused on improving the experience of everyone from the start. Most organizations will be experience driven. Desire to increase accessibility and engagement. Accessibility is a seamless part of the whole organization and initiatives are focused on impacting social issues.
    Advantages Compliance is a good starting place for accessibility. It will reduce legal risk. Being people focused from the start of processes enables the organization to reduce tech debt, provide the best user experience, and realize other benefits of accessibility. There is a sense of belonging in the organization. The entire organization experiences the benefits of accessibility.
    Disadvantages Accessibility is about more than just compliance. Being compliance driven won’t give you the full benefits of accessibility. This can mean a culture change for the organization, which can take a long time. IT is used to moving quickly – it might feel counterintuitive to slow down and take time. It takes much longer to reach the associated level of maturity. Not possible for all organizations.

    Info-Tech Accessibility Maturity Framework

    Info-Tech Accessibility Maturity Framework

    After initially ensuring your organization is compliant with regulations and standards, you will progress to building disciplined process and consistent standardized processes. Eventually you will build the ability for predictable process, and lastly, you’ll optimize by continuously improving.

    Depending on the level of maturity you are trying to achieve, it could take months or even years to implement. The important thing to understand, however, is that accessibility work is never done.

    At all levels of the maturity framework, you must consider the interconnected aspects of people, process, and technology. However, as the organization progresses, the impact will shift from largely being focused on process and technology improvement to being focused on people.

    Info-Tech Insight
    IT typically works through maturity frameworks from the bottom to the top, progressing at each level until they reach the end. When it comes to digital accessibility initiatives, being especially thorough, thoughtful, and collaborative is critical to success. This will mean spending more time in the Developing, Defined, and Managed levels of maturity rather than trying to reach Optimized as quickly as you can. This may feel contrary to what IT historically considers as a successful implementation.

    Accessibility maturity levels

    Driver Description Benefits
    Initial Compliance
    • Accessibility processes are mostly undocumented.
    • Accessibility happens mostly on a reactive or ad hoc basis.
    • No one is aware of who is responsible for accessibility or what role they play.
    • Heavily focused on complying with regulations and standards to decrease legal risk.
    • The organization is aware of the need for accessibility.
    • Legal risk is decreased.
    Developing Experience
    • The organization is starting to take steps to increase accessibility beyond compliance.
    • Lots of opportunity for improvement.
    • Defining and refining processes.
    • Working toward building a library of assistive tools.
    • Awareness of the need for accessibility is growing.
    • Process review for accessibility increases process efficiency through avoiding rework.
    Defined Experience
    • Accessibility processes are repeatable.
    • There is a tendency to resort to old habits under stress.
    • Tools are in place to facilitate accommodation.
    • Employees know accommodations are available to them.
    • Accessibility is becoming part of daily work.
    Managed Experience
    • Defined by effective accessibility controls, processes, and metrics.
    • Mostly anticipating preferences.
    • Roles and responsibilities are defined.
    • Disability is included as part of DEI.
    • Employees understand their role in accessibility.
    • Engagement is positively impacted.
    • Attraction and retention are positively impacted.
    Optimized Incorporation
    • Not the goal for every organization.
    • Characterized by a dramatic shift in organizational culture and a feeling of belonging.
    • Ongoing continuous improvement.
    • Seamless interactions with the organization for everyone.
    • Using feedback to inform future initiatives.
    • More likely to be innovative and inclusive, reach more people positively, and meet emerging global legal requirements.
    • Better equipped for success.

    2.1.3 Conduct future-state analysis

    Identify your target state of maturity

    1. Provide the group with your maturity assessment results to review as well as the slides on the maturity levels, framework, and drivers.
    2. Compare the benefits listed on the Accessibility maturity levels slide to those that you named in the previous exercise and determine which maturity level best describes your target state.
    3. Discuss as a group and agree on one desired maturity level to reach.
    4. Review the other levels of maturity and determine what is in and out of scope for the project (higher-level benefits would be considered out of scope).
    5. Document your target state of maturity in your Accessibility Business Case Template.
    Input Output
    • Accessibility maturity levels chart on previous slide
    • Maturity level assessment results
    • Target maturity level documented
    Materials Participants
    • Paper and pens
    • Handouts of maturity levels
    • Accessibility Business Case Template
    • IT leadership team

    Download the Accessibility Business Case Template

    Case Study

    Accessibility as a differentiator

    INDUSTRY
    Financial

    SOURCE
    WAI-Engage

    Accessibility inside and out

    As a financial provider, Barclays embarked on the accessibility journey to engage customers and employees with the goal of equal access for all. One key statement that provided focus was “Essential for some, easier for all. ”

    “It's about helping everyone to work, bank and live their lives regardless of their age, situation, abilities or circumstances.”

    Embedding into experiences

    “The Barclays Accessibility team [supports] digital teams to embed accessibility into our services and culture through effective governance, partnering, training and tools. Establishing an enterprise-wide accessibility strategy, standards and programmes coupled with senior sponsorship helps support our publicly stated ambition of becoming the most accessible and inclusive FTSE company.”

    – Paul Smyth, Head of Digital Accessibility, Barclays

    It’s a circle, not a roadmap

    • Barclays continues the journey through partnerships with disability charities and accessibility experts and through regularly engaging with customers and colleagues with disabilities directly.
    • More accessible, inclusive products and services engage and attract more people with disabilities. This translates to a more diverse workforce that identifies opportunities for innovation. This leads to being attractive to diverse talent, and the circle continues.
    • Barclays’ mobile banking app was first to be accredited by accessibility consultants AbilityNet.

    Step 2.2

    Define your accessibility program goals and objectives

    Activities

    2.2.1 Create a list of goals and objectives

    2.2.2 Finalize key metrics

    Plan for Senior Leader Buy-In

    Outcomes of this step
    You will have clear measurable goals and objectives to respond to identified accessibility issues and organizational goals.

    What does a good goal look like?

    Use the SMART framework to build effective goals.

    S Specific: Is the goal clear, concrete, and well defined?
    M Measurable: How will you know when the goal is met?
    A Achievable: Is the goal possible to achieve in a reasonable time?
    R Relevant: Does this goal align with your responsibilities and with departmental and organizational goals?
    T Time-based: Have you specified a time frame in which you aim to achieve the goal?

    SMART is a common framework for setting effective goals. Make sure your goals satisfy these criteria to ensure you can achieve real results.

    2.2.1 Create a list of goals and objectives

    Use the outcomes from activity 2.1.2.

    1. Using the prioritized list of what your solution must have, should have, could have, and won’t have from activity 2.1.2, develop goals.
    2. Remember to use the SMART goal framework to build out each goal (see the previous slide for more information on SMART goals).
    3. Ensure each goal supports departmental and organizational goals to ensure it is meaningful.
    4. Document your goals and objectives in your Accessibility Business Case Template.
    InputOutput
    • Outcomes of activity 2.1.2
    • Organizational and departmental goals
    • Goals and objectives added to your Accessibility Business Case Template
    MaterialsParticipants
    • Accessibility Business Case Template
    • IT leadership team

    Download the Accessibility Business Case Template

    2.2.1 Create a list of goals and objectives

    Use the outcomes from activity 2.1.2.

    1. Using the prioritized list of what your solution must have, should have, could have, and won’t have from activity 2.1.2, develop goals.
    2. Remember to use the SMART goal framework to build out each goal (see the previous slide for more information on SMART goals).
    3. Ensure each goal supports departmental and organizational goals to ensure it is meaningful.
    4. Document your goals and objectives in your Accessibility Business Case Template.

    Establish Baseline Metrics

    Baseline metrics will be improved through:

    1. Progressing through the accessibility maturity model.
    2. Addressing accessibility earlier in processes to avoid tech debt and rework late in projects or releases.
    3. Making accessibility part of the procurement process as a scoring consideration and vendor choice.
    4. Ensuring compliance with regulations and standards.
    Metric Current Goal
    Overall end-customer satisfaction 90 120
    Monies saved through cost optimization efforts
    Employee engagement
    Monies save through application rationalization and standardization

    For more metrics ideas, see the Info-Tech IT Metrics Library.

    2.2.2 Finalize key metrics

    Finalize key metrics the organization will use to measure accessibility success

    1. Brainstorm how you would measure the success of each goal based on the benefits, challenges, and risks you previously identified.
    2. Write each of the metric ideas down and finalize three to five key metrics which you will track. The metrics you choose should relate to the key challenges or risks you have identified and match your desired maturity level and driver.
    3. Document your key metrics in the Accessibility Business Case Template.
    InputOutput
    • Accessibility challenges and benefits
    • Goals from activity 2.2.1
    • Three to five key metrics to track
    MaterialsParticipants
    • Accessibility Business Case Template
    • IT leadership team
    • Project lead/sponsor

    Download the Accessibility Business Case Template

    Step 2.3

    Document accessibility program roles and responsibilities

    Activities

    2.3.1 Populate a RACI chart

    Plan for Senior Leader Buy-In

    Outcomes of this step
    At the end of this step, you will have a completed RACI chart documenting the roles and responsibilities related to accessibility for your accessibility business case.

    2.3.1 Populate a RACI

    Populate a RACI chart to identify who should be responsible, accountable, consulted, and informed for each key activity.

    Define who is responsible, accountable, consulted, and informed for the project team:

    1. Write out the list of all stakeholders along the top of a whiteboard. Write out the key project steps along the left-hand side.
    2. For each initiative, identify each team member’s role. Are they:
      Responsible: The one responsible for getting the job done.
      Accountable: Only one person can be accountable for each task.
      Consulted: Are involved by providing knowledge.
      Informed: Receive information about execution and quality.
    3. As you proceed, continue to add tasks and assign responsibility to the RACI chart in the appendix of the Accessibility Business Case Template.
    InputOutput
    • Stakeholder list
    • Key project steps
    • Project RACI chart
    MaterialsParticipants
    • Whiteboard
    • Accessibility Business Case Template
    • IT leadership team

    Download the Accessibility Business Case Template

    Phase 3

    Prepare your business case and get approval

    Phase 1
    1.1 Understand standards and legislation
    1.2 Build awareness
    1.3 Understand maturity level

    Phase 2
    2.1 Define desired future state
    2.2 Define goals and objectives
    2.3 Document roles and responsibilities

    Phase 3
    3.1 Prepare business case template for presentation and approval
    3.2 Validate post-approval steps and establish timelines

    The Accessibility Business Case for IT

    This phase will walk you through the following activities:

    • Compiling the work and learning you’ve done so far into a business case presentation.

    This phase involves the following participants:

    • Project lead/sponsor
    • Senior leaders/approval authority

    There is a business case for accessibility

    • When planning for initiatives, a business case is a necessary tool. Although it can feel like an administrative exercise, it helps create a compelling argument to senior leaders about the benefits and necessity of building an accessibility program.
    • No matter the industry, you need to justify how the budget and effort you require for the initiative support organizational goals. However, senior leaders of different industries might be motivated by different reasons. For example, government is strongly motivated by legal and equity aspects, commercial companies may be attracted to the increase in innovation or market reach, and educational and nonprofit companies are likely motivated by brand enhancement.
    • The organizational focus and goals will guide your business case for accessibility. Highlight the most relevant benefits to your operational landscape and the risk of inaction.

    Source: WAI, 2018

    “Many organizations are waking up to the fact that embracing accessibility leads to multiple benefits – reducing legal risks, strengthening brand presence, improving customer experience and colleague productivity.”
    – Paul Smyth, Head of Digital Accessibility, Barclays
    Source: WAI, 2018

    Step 3.1

    Customize and populate the Accessibility Business Case Template

    Activities

    3.1.1 Prepare your business case template for presentation and approval

    Build Your Business Case

    Outcomes of this step
    Following this step, you will have a customized business case presentation that you can present to senior leaders.

    Use Info-Tech’s template to communicate with stakeholders

    Obtain approval for your accessibility program by customizing Info-Tech’s Accessibility Business Case Template, which is designed to effectively convey your key messages. Tailor the template to suit your needs.

    It includes:

    • Project context
    • Project scope and objectives
    • Knowledge transfer roadmap
    • Next steps

    Info-Tech Insight
    The support of senior leaders is critical to the success of your accessibility program development. Remind them of the benefits and impact and the risks associated with inaction.

    Download the Accessibility Business Case Template

    3.1.1 Prepare a presentation for senior leaders to gain approval

    Now that you understand your current and desired accessibility maturity, the next step is to get sign-off to begin planning your initiatives.

    Know your audience:

    1. Consider who will be included in your presentation audience.
    2. You want your presentation to be succinct and hard-hitting. Management’s time is tight, and they will lose interest if you drag out the delivery. Impact them hard and fast with the challenges, benefits, and risks of inaction.
    3. Contain the presentation to no more than an hour. Depending on your audience, the actual presentation delivery could be quite short. You want to ensure adequate time for questions and answers.
    4. Schedule a meeting with the key decision makers who will need to approve the initiatives (IT leadership team, executive team, the board, etc.) and present your business case.
    InputOutput
    • Activity results
    • Accessibility Maturity Assessment results
    • A completed presentation to communicate your accessibility business case
    MaterialsParticipants
    • Accessibility Business Case Template
    • IT leadership team
    • Project sponsor
    • Project stakeholders
    • Senior leaders

    Download the Accessibility Business Case Template

    Step 3.2

    Validate post-approval steps and establish timelines

    Activities

    3.2.1 Prepare for implementation: Complete the implementation prep to-do list and assign proposed timelines

    Build Your Business Case

    Outcomes of this step
    This step will help you gain leadership’s approval to move forward with building and implementing the accessibility program.

    Prepare to implement your program

    Complete the to-do list to ensure you are ready to move your accessibility program forward.

    To Do Proposed Timeline
    Reach out to your change management team for assistance.
    Discuss your plan with HR.
    Build a project team.
    Incorporate any necessary changes from senior leaders into your business case.
    [insert your own addition here]
    [insert your own addition here]
    [insert your own addition here]
    [insert your own addition here]

    3.2.1 Prep for implementation (action planning)

    Use the implementation prep to-do list to make sure you have gathered relevant information and completed critical steps to be ready for success.

    Use the list on the previous slide to make sure you are set up for implementation success and that you’re ready to move your accessibility program forward.

    1. Assign proposed timelines to each of the items.
    2. Work through the list, collecting or completing each item.
    3. As you proceed, keep your identified drivers, current state, desired future state, goals, and objectives in mind.
    Input Output
    • Accessibility Maturity Assessment
    • Business case presentation and any feedback from senior leaders
    • Goals, objectives, identified drivers, and desired future state
    • High-level action plan
    Materials Participants
    • Previous slide containing the checklist
    • Project lead

    Related Info-Tech Research

    Implement and Mature Your User Experience Design Practice

    • Create a practice that is focused on human outcomes; it starts and ends with the people you are designing for. This includes:
      • Establishing a practice with a common vision.
      • Enhancing the practice through four design factors.
      • Communicating a roadmap to improve your business through design.

    Modernize Your Corporate Website to Drive Business Value

    • Users are demanding more valuable web functionalities and improved access to your website services.
    • The criteria of user acceptance and satisfaction involves more than an aesthetically pleasing user interface (UI). It also includes how emotionally attached the user is to the website and how it accommodates user behaviors.

    IT Diversity & Inclusion Tactics

    • Although inclusion is key to the success of a diversity and inclusion (D&I) strategy, the complexity of the concept makes it a daunting pursuit.
    • This is further complicated by the fact that creating inclusion is not a one-and-done exercise. Rather, it requires the ongoing commitment of employees and managers to reassess their own behaviors and to drive a cultural shift.

    Fix Your IT Culture

    • Go beyond value statements to create a culture that enables the departmental strategy.
    • There is confusion about how to translate culture from an abstract concept to something that is measurable, actionable, and process driven.
    • Organizations lack clarity about who is accountable and responsible for culture, with groups often pointing fingers at each other.

    Works cited

    “2021 State of Digital Accessibility.” Level Access, n.d. Accessed 10 Aug. 2022

    ”2022 Midyear Report: ADA Digital Accessibility Lawsuits.” UsableNet, 2022. Accessed 9 Nov. 2022

    “Barclay’s Bank Case Study.” WAI-Engage, 12 Sept. 2018. Accessed 7 Nov. 2022.

    Bilodeau, Howard, et al. “StatCan COVID-19 Data to Insights for a Better Canada.” Statistics Canada, 24 June 2021. Accessed 10 Aug. 2022.

    Casey, Caroline. “Do Your D&I Efforts Include People With Disabilities?” Harvard Business Review, 19 March 2020. Accessed 28 July 2022.

    Digitalisation World. “Organisations failing to meet digital accessibility standards.” Angel Business Communications, 19 May 2022. Accessed Oct. 2022.

    “disability.” Merriam-Webster.com Dictionary, Merriam-Webster, https://www.merriam-webster.com/dictionary/disability. Accessed 10 Aug. 2022.

    “Disability.” World Health Organization, 2022. Accessed 10 Aug 2022.

    “Driving the Accessibility Advantage at Accenture.” Accenture, 2022. Accessed 7 Oct. 2022.

    eSSENTIAL Accessibility. The Must-Have WCAG 2.1 Checklist. 2022

    Hopewell, May. Accessibility in the Workplace. 2022.

    “Initiate.” W3C Web Accessibility Initiative (WAI), 31 March 2016. Accessed 18 Aug. 2022.

    Kalcevich, Kate, and Mike Gifford. “How to Bake Layers of Accessibility Testing Into Your Process.” Smashing Magazine, 26 April 2021. Accessed 31 Aug. 2022.

    Noone, Cat. “4 Common Ways Companies Alienate People with Disabilities.” Harvard Business Review, 29 Nov. 2021. Accessed Jul. 2022.

    Taylor, Jason. “A Record-Breaking Year for ADA Digital Accessibility Lawsuits.” UsableNet, 21 December 2020. Accessed Jul. 2022.

    “The Business Case for Digital Accessibility.” W3C Web Accessibility Initiative (WAI), 9 Nov. 2018. Accessed 4 Aug. 2022.

    “The WebAIM Million.” Web AIM, 31 March 2022. Accessed 28 Jul. 2022.

    Washington, Ella F. “The Five Stages of DEI Maturity.” Harvard Business Review, November - December 2022. Accessed 7 Nov. 2022.

    Wyman, Nicholas. “An Untapped Talent Resource: People With Disabilities.” Forbes, 25 Feb. 2021. Accessed 14 Sep. 2022.

    Build a Security Metrics Program to Drive Maturity

    • Buy Link or Shortcode: {j2store}266|cart{/j2store}
    • member rating overall impact: 9.5/10 Overall Impact
    • member rating average dollars saved: $22,947 Average $ Saved
    • member rating average days saved: 8 Average Days Saved
    • Parent Category Name: Security Processes & Operations
    • Parent Category Link: /security-processes-and-operations
    • Many security leaders put off adding metrics to their program because they don't know where to start or how to assess what is worth measuring.
    • Sometimes, this uncertainty causes the belief that their security programs are not mature enough for metrics to be worthwhile.
    • Because metrics can become very technical and precise,it's easy to think that they're inherently complicated (not true).

    Our Advice

    Critical Insight

    • The best metrics are tied to goals.
    • Tying your metrics to goals ensures that you are collecting metrics for a specific purpose rather than just to watch the numbers change.

    Impact and Result

    • A metric, really, is just a measure of success against a given goal. Gradually, programs will achieve their goals and set new more specific goals, and with them come more-specific metrics.
    • It is not necessary to jump into highly technical metrics right away. A lot can be gained from metrics that track behaviors.
    • A metrics program can be very simple and still effectively demonstrate the value of security to the organization. The key is to link your metrics to the goals or objectives the security team is pursuing, even if they are simple implementation plans (e.g. percentage of departments that have received security training course).

    Build a Security Metrics Program to Drive Maturity Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should build a security metrics program, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Link security metrics to goals to boost maturity

    Develop goals and KPIs to measure your progress.

    • Build a Security Metrics Program to Drive Maturity – Phase 1: Link Security Metrics to Goals to Boost Maturity
    • Security Metrics Determination and Tracking Tool
    • KPI Development Worksheets

    2. Adapt your reporting strategy for various metric types

    Learn how to present different types of metrics.

    • Build a Security Metrics Program to Drive Maturity – Phase 2: Adapt Your Reporting Strategy for Various Metric Types
    • Security Metrics KPX Dashboard
    • Board-Level Security Metrics Presentation Template
    [infographic]

    Workshop: Build a Security Metrics Program to Drive Maturity

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Current State, Initiatives, and Goals

    The Purpose

    Create a prioritized list of goals to improve the security program’s current state.

    Key Benefits Achieved

    Insight into the current program and the direct it needs to head in.

    Activities

    1.1 Discuss current state and existing approach to metrics.

    1.2 Review contract metrics already in place (or available).

    1.3 Determine security areas that should be measured.

    1.4 Determine what stakeholders are involved.

    1.5 Review current initiatives to address those risks (security strategy, if in place).

    1.6 Begin developing SMART goals for your initiative roadmap.

    Outputs

    Gap analysis results

    SMART goals

    2 KPI Development

    The Purpose

    Develop unique KPIs to measure progress against your security goals.

    Key Benefits Achieved

    Learn how to develop KPIs

    Prioritized list of security goals

    Activities

    2.1 Continue SMART goal development.

    2.2 Sort goals into types.

    2.3 Rephrase goals as KPIs and list associated metric(s).

    2.4 Continue KPI development.

    Outputs

    KPI Evolution Worksheet

    3 Metrics Prioritization

    The Purpose

    Determine which metrics will be included in the initial program launch.

    Key Benefits Achieved

    A set of realistic and manageable goals-based metrics.

    Activities

    3.1 Lay out prioritization criteria.

    3.2 Determine priority metrics (implementation).

    3.3 Determine priority metrics (improvement & organizational trend).

    Outputs

    Prioritized metrics

    Tool for tracking and presentation

    4 Metrics Reporting

    The Purpose

    Strategize presentation based around metric type to indicate organization’s risk posture.

    Key Benefits Achieved

    Develop versatile reporting techniques

    Activities

    4.1 Review metric types and discuss reporting strategies for each.

    4.2 Develop a story about risk.

    4.3 Discuss the use of KPXs and how to scale for less mature programs.

    Outputs

    Key Performance Index Tool and presentation materials

    Further reading

    Build a Security Metrics Program to Drive Maturity

    Good metrics come from good goals.

    ANALYST PERSPECTIVE

    Metrics are a maturity driver.

    "Metrics programs tend to fall into two groups: non-existent and unhelpful.

    The reason so many security professionals struggle to develop a meaningful metrics program is because they are unsure of what to measure or why.

    The truth is, for metrics to be useful, they need to be tied to something you care about – a state you are trying to achieve. In other words, some kind of goal. Used this way, metrics act as the scoreboard, letting you know if you’re making progress towards your goals, and thus, boosting your overall maturity."

    Logan Rohde, Research Analyst, Security Practice Info-Tech Research Group

    Executive summary

    Situation

    • Many security leaders put off adding metrics to their program because they don't know where to start or how to assess what is worth measuring.

    Complication

    • Sometimes, this uncertainty causes the belief that their security programs are not mature enough for metrics to be worthwhile.
    • Because metrics can become very technical and precise, it's easy to think they're inherently complicated (not true).

    Resolution

    • A metric, really, is just a measure of success against a given goal. Gradually, programs will achieve their goals and set new, more specific goals, and with them comes more specific metrics.
    • It is not necessary to jump into highly technical metrics right away. A lot can be gained from metrics that track behaviors.
    • A metrics program can be very simple and still effectively demonstrate the value of security to the organization. The key is to link your metrics to the goals or objectives the security team is pursuing, even if they are simple implementation plans (e.g. percentage of departments that have received security training).

    Info-Tech Insight

    1. Metrics lead to maturity, not vice versa
      • Tracking metrics helps you assess progress and regress in your security program. This helps you quantify the maturity gains you’ve made and continue to make informed strategic decisions.
    2. The best metrics are tied to goals
      • Tying your metrics to goals ensures that you are collecting metrics for a specific purpose rather than just to watch the numbers change.

    Our understanding of the problem

    This Research is Designed For:

    • CISO

    This Research Will Help You:

    • Understand the value of metrics.
    • Right-size a metrics program based on your organization’s maturity and risk profile.
    • Tie metrics to goals to create meaningful KPIs.
    • Develop strategies to effectively communicate the right metrics to stakeholders.

    This Research Will Also Assist:

    • CIO
    • Security Manager
    • Business Professionals

    This Research Will Help Them:

    • Become informed on the metrics that matter to them.
    • Understand that investment in security is an investment in the business.
    • Feel confident in the progress of the organization’s security strategy.

    Info-Tech’s framework integrates several best practices to create a best-of-breed security framework

    Information Security Framework

    Governance

    • Context and Leadership
      • Information Security Charter
      • Information Security Organizational Structure
      • Culture and Awareness
    • Evaluation and Direction
      • Security Risk Management
      • Security Policies
      • Security Strategy and Communication
    • Compliance, Audit, and Review
      • Security Compliance Management
      • External Security Audit
      • Internal Security Audit
      • Management Review of Security

    Management

    • Prevention
      • Identity Security
        • Identity and Access Management
      • Data Security
        • Hardware Asset Management
        • Data Security & Privacy
      • Infrastructure Security
        • Network Security
        • Endpoint Security
        • Malicious Code
        • Application Security
        • Vulnerability Management
        • Cryptography Management
        • Physical Security
        • Cloud Security
      • HR Security
        • HR Security
      • Change and Support
        • Configuration and Change Management
        • Vendor Management
    • Detection
      • Security Threat Detection
      • Log and Event Management
    • Response and Recovery
      • Security Incident Management
      • Information Security in BCM
      • Security eDiscovery and Forensics
      • Backup and Recovery
    • Measurement
      • Metrics Program
      • Continuous Improvement

    Metrics help to improve security-business alignment

    While business leaders are now taking a greater interest in cybersecurity, alignment between the two groups still has room for improvement.

    Key statistics show that just...

    5% of public companies feel very confident that they are properly secured against a cyberattack.

    41% of boards take on cybersecurity directly rather than allocating it to another body (e.g. audit committee).

    19% of private companies do not discuss cybersecurity with the board.

    (ISACA, 2018)

    Info-Tech Insight

    Metrics help to level the playing field

    Poor alignment between security and the business often stems from difficulties with explaining how security objectives support business goals, which is ultimately a communication problem.

    However, metrics help to facilitate these conversations, as long as the metrics are expressed in practical, relatable terms.

    Security metrics benefit the business

    Executives get just as much out of management metrics as the people running them.

    1. Metrics assuage executives’ fears
      • Metrics help executives (and security leaders) feel more at ease with where the company is security-wise. Metrics help identify areas for improvement and gaps in the organization’s security posture that can be filled. A good metrics program will help identify deficiencies in most areas, even outside the security program, helping to identify what work needs to be done to reduce risk and increase the security posture of the organization.
    2. Metrics answer executives’ questions
      • Numbers either help ease confusion or signify other areas for improvement. Offering quantifiable evidence, in a language that the business can understand, offers better understanding and insight into the information security program. Metrics also help educate on types of threats, staff needed for security, and budget needs to decrease risk based on management’s threat tolerance. Metrics help make an organization more transparent, prepared, and knowledgeable.
    3. Metrics help to continually prove security’s worth
      • Traditionally, the security team has had to fight for a seat at the executive table, with little to no way to communicate with the business. However, the new trend is that the security team is now being invited before they have even asked to join. This trend allows the security team to better communicate on the organization’s security posture, describe threats and vulnerabilities, present a “plan of action,” and get a pulse on the organization’s risk tolerance.

    Common myths make security metrics seem challenging

    Security professionals have the perception that metrics programs are difficult to create. However, this attitude usually stems from one of the following myths. In reality, security metrics are much simpler than they seem at first, and they usually help resolve existing challenges rather than create new ones.

    Myth Truth
    1 There are certain metrics that are important to all organizations, based on maturity, industry, etc. Metrics are indications of change; for a metric to be useful it needs to be tied to a goal, which helps you understand the change you're seeing as either a positive or a negative. Industry and maturity have little bearing here.
    2 Metrics are only worthwhile once a certain maturity level is reached Metrics are a tool to help an organization along the maturity scale. Metrics help organizations measure progress of their goals by helping them see which tactics are and are not working.
    3 Security metrics should focus on specific, technical details (e.g. of systems) Metrics are usually a means of demonstrating, objectively, the state of a security program. That is, they are a means of communicating something. For this reason, it is better that metrics be phrased in easily digestible, non-technical terms (even if they are informed by technical security statistics).

    Tie your metrics to goals to make them worthwhile

    SMART metrics are really SMART goals.

    Specific

    Measurable

    Achievable

    Realistic

    Timebound

    Achievable: What is an achievable metric?

    When we say that a metric is “achievable,” we imply that it is tied to a goal of some kind – the thing we want to achieve.

    How do we set a goal?

    1. Determine what outcome you are trying to achieve.
      • This can be small or large (e.g. I want to determine what existing systems can provide metrics, or I want a 90% pass rate on our monthly phishing tests).
    2. Decide what indicates that you’ve achieved your goal.
      • At what point would you be satisfied with the progress made on the initiative(s) you’re working on? What conditions would indicate victory for you and allow you to move on to another goal?
    3. Develop a key performance indicator (KPI) to measure progress towards that goal.
      • Now that you’ve defined what you’re trying to achieve, find a way to indicate progress in relative or relational terms (e.g. percentage change from last quarter, percentage of implementation completed, ratio of programs in place to those still needing implementation).

    Info-Tech’s security metrics methodology is repeatable and iterative to help boost maturity

    Security Metric Lifecycle

    Start:

    Review current state and decide on priorities.

    Set a SMART goal for improvement.

    Develop an appropriate KPI.

    Use KPI to monitor program improvement.

    Present metrics to the board.

    Revise metrics if necessary.

    Metrics go hand in hand with your security strategy

    A security strategy is ultimately a large goal-setting exercise. You begin by determining your current maturity and how mature you need to be across all areas of information security, i.e. completing a gap analysis.

    As such, linking your metrics program to your security strategy is a great way to get your metrics program up and running – but it’s not the only way.

    Check out the following Info-Tech resource to get started today:

    Build an Information Security Strategy

    The value of security metrics goes beyond simply increasing security

    This blueprint applies to you whether you need to develop a metrics program from scratch or optimize and update your current strategy.

    Value of engaging in security metrics:

    • Increased visibility into your operations.
    • Improved accountability.
    • Better communication with executives as a result of having hard evidence of security performance.
    • Improved security posture through better understanding of what is working and what isn’t within the security program.

    Value of Info-Tech’s security metrics blueprint:

    • Doesn’t overwhelm you and allows you to focus on determining the metrics you need to worry about now without pressuring you to do it all at once.
    • Helps you develop a growth plan as your organization and metrics program mature, so you continue to optimize.
    • Creates effective communication. Prepares you to present the metrics that truly matter to executives rather than confusing them with unnecessary data. Pay attention to metric accuracy and reproducibility. No management wants inconsistent reporting.

    Impact

    Short term: Streamline your program. Based on your organization’s specific requirements and risk profile, figure out which metrics are best for now while also planning for future metrics as your organization matures.

    Long term: Once the program is in place, improvements will come with increased visibility into operations. Investments in security will be encouraged when more evidence is available to executives, contributing to overall improved security posture. Potential opportunities for eventual cost savings also exist as there is more informed security spending and fewer incidents.

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    “Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.”

    Guided Implementation

    “Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.”

    Workshop

    “We need to hit the ground running and get this project kicked-off immediately. Our team has the ability to take this over once we get a framework and strategy in place.”

    Consulting

    “Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”

    Diagnostics and consistent frameworks used throughout all four options

    Link Security Metrics to Goals to Boost Maturity – Project Overview

    1. Link Security Metrics to Goals to Boost Maturity 2. Adapt Your Reporting Strategy for Various Metric Types
    Best-Practice Toolkit

    1.1 Review current state and set your goals

    1.2 Develop KPIs and prioritize your goals

    1.3 Implement and monitor the KPI to track goal progress

    2.1 Review best practices for presenting metrics

    2.2 Strategize your presentation based on metric type

    2.3 Tailor presentation to your audience

    2.4 Use your metrics to create a story about risk

    2.5 Revise your metrics

    Guided Implementations
    • Call 1: Setting Goals
    • Call 2: KPI Development
    • Call 1: Best Practices and Reporting Strategy
    • Call 2: Build a Dashboard and Presentation Deck
    Onsite Workshop Module 1: Current State, Initiatives, Goals, and KPIs Module 2: Metrics Reporting

    Phase 1 Outcome:

    • KPI development and populated metrics tracking tool.

    Phase 2 Outcome:

    • Reporting strategy with dashboard and presentation deck.

    Workshop overview

    Contact your account representative or email Workshops@InfoTech.com for more information.

    Workshop Day 1 Workshop Day 2 Workshop Day 3 Workshop Day 4 Workshop Day 5
    Activities

    Current State, Initiatives, and Goals

    • Discuss current state and existing approach to metrics.
    • Review contract metrics already in place (or available).
    • Determine security areas that should be measured.
    • Determine which stakeholders are involved.
    • Review current initiatives to address those risks (security strategy, if in place).
    • Begin developing SMART goals for your initiative roadmap.

    KPI Development

    • Continue SMART goal development.
    • Sort goals into types.
    • Rephrase goals as KPIs and list associated metric(s).
    • Continue KPI development.

    Metrics Prioritization

    • Lay out prioritization criteria.
    • Determine priority metrics (implementation).
    • Determine priority metrics (improvement & organizational trend).

    Metrics Reporting

    • Review metric types and discuss reporting strategies for each.
    • Develop a story about risk.
    • Discuss the use of KPXs and how to scale for less mature programs.

    Offsite Finalization

    • Review and finalization of documents drafted during workshop.
    Deliverables
    1. Gap analysis results
    1. Completed KPI development templates
    1. Prioritized metrics and tool for tracking and presentation.
    1. Key Performance Index tool and presentation materials.
    1. Finalization of completed deliverables

    Phase 1

    Link Security Metrics to Goals to Boost Maturity


    Phase 1

    1.1 Review current state and set your goals

    1.2 Develop KPIs and prioritize your goals

    1.3 Implement and monitor KPIs

    This phase will walk you through the following activities:

    • Current state assessment
    • Setting SMART goals
    • KPI development
    • Goals prioritization
    • KPI implementation

    This phase involves the following participants:

    • Security Team

    Outcomes of this phase

    • Goals-based KPIs
    • Security Metrics Determination and Tracking Tool

    Phase 1 outline

    Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

    Complete these steps on your own or call us to complete a guided implementation. A guided implementation is a series of two to three advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

    Guided Implementation 1: Link Security Metrics to Goals to Boost Maturity

    Proposed Time to Completion: 2-4 weeks

    Step 1.1: Setting Goals

    Start with an analyst kick-off call:

    • Determine current and target maturity for various security programs.
    • Develop SMART Goals.

    Then complete these activities…

    • CMMI Assessment

    Step 1.2 – 1.3: KPI Development

    Review findings with analyst:

    • Prioritize goals
    • Develop KPIs to track progress on goals
    • Track associated metrics

    Then complete these activities…

    • KPI Development

    With these tools & templates:

    • KPI Development Worksheet
    • Security Metrics Determination and Tracking Tool

    Phase 1 Results & Insights:

    • Basic Metrics program

    1.1 Review current state and set your goals

    120 minutes

    Let’s put the security program under the microscope.

    Before program improvement can take place, it is necessary to look at where things are at presently (in terms of maturity) and where we need to get them to.

    In other words, we need to perform a security program gap analysis.

    Info-Tech Best Practice

    The most thorough way of performing this gap analysis is by completing Info-Tech’s Build an Information Security Strategy blueprint, as it will provide you with a prioritized list of initiatives to boost your security program maturity.

    Completing an abbreviated gap analysis...

    • Security Areas
    • Network Security
    • Endpoint Security
    • Vulnerability Management
    • Identity Access Management
    • Incident Management
    • Training & Awareness
    • Compliance, Audit, & Review
    • Risk Management
    • Business Alignment & Governance
    • Data Security
    1. Using the CMMI scale on the next slide, assess your maturity level across the security areas to the left, giving your program a score from 1-5. Record your assessment on a whiteboard.
    2. Zone in on your areas of greatest concern and choose 3 to 5 areas to prioritize for improvement.
    3. Set a SMART goal for improvement, using the criteria on goals slides.

    Use the CMMI scale to contextualize your current maturity

    Use the Capability Maturity Model Integration (CMMI) scale below to help you understand your current level of maturity across the various areas of your security program.

    1. Initial
      • Incident can be managed. Outcomes are unpredictable due to lack of a standard operating procedure.
    2. Repeatable
      • Process in place, but not formally implemented or consistently applied. Outcomes improve but still lack predictability.
    3. Defined
      • Process is formalized and consistently applied. Outcomes become more predictable, due to consistent handling procedure.
    4. Managed
      • Process shows signs of maturity and can be tracked via metrics. Moving towards a predictive approach to incident management.
    5. Optimizing
      • Process reaches a fully reliable level, though improvements still possible. Regularity allows for process to be automated.

    (Adapted from the “CMMI Institute Maturity Model”)

    Base your goals around the five types of metrics

    Choose goals that make sense – even if they seem simple.

    The most effective metrics programs are personalized to reflect the goals of the security team and the business they work for. Using goals-based metrics allows you to make incremental improvements that can be measured and reported on, which makes program maturation a natural process.

    Info-Tech Best Practice

    Before setting a SMART goal, take a moment to consider your maturity for each security area, and which metric type you need to collect first, before moving to more ambitious goals.

    Security Areas

    • Network Security
    • Endpoint Security
    • Vulnerability Management
    • Identity Access Management
    • Incident Management
    • Training & Awareness
    • Compliance, Audit & Review
    • Risk Management
    • Business Alignment & Governance
    • Data Security
    Metric Type Description
    Initial Probe Determines what can be known (i.e. what sources for metrics exist?).
    Baseline Testing Establishes organization’s normal state based on current metrics.
    Implementation Focuses on setting up a series of related processes to increase organizational security (i.e. roll out MFA).
    Improvement Sets a target to be met and then maintained based on organizational risk tolerance.
    Organizational Trends Culls together several metrics to track (sometimes predict) how various trends affect the organization’s overall security. Usually focuses on large-scale issues (e.g. likelihood of a data breach).

    Set SMART goals for your security program

    Specific

    Measurable

    Achievable

    Realistic

    Timebound

    Now that you have determined which security areas you’d like to improve, decide on a goal that meets the SMART criteria.

    Examples of possible goals for various maturity levels:

    1. Perform initial probe to determine number of systems capable of providing metrics by the end of the week.
    2. Take baseline measurements each month for three months to determine organization’s baseline state.
    3. Implement a vulnerability management program to improve baseline state by the end of the quarter.
    4. Improve deployment of critical patches by applying 90% of them within the set window by the end of the year.
    5. Demonstrate how vulnerability management affects broad organizational trends at quarterly report to senior leadership.

    Compare the bolded text in these examples with the metric types on the previous slide

    Record and assess your goals in the Security Metrics Determination and Tracking Tool

    1.1 Security Metrics Determination and Tracking Tool

    Use tab “2. Identify Security Goals” to document and assess your goals.

    To increase visibility into the cost, effort, and value of any given goal, assess them using the following criteria:

    • Initial Cost
    • Ongoing Cost
    • Initial Staffing
    • Ongoing Staffing
    • Alignment w/Business
    • Benefit

    Use the calculated Cost/Effort Rating, Benefit Rating, and Difference Score later in this project to help with goal prioritization.

    Info-Tech Best Practice

    If you have already completed a security strategy with Info-Tech resources, this work may likely have already been done. Consult your Information Security Program Gap Analysis Tool from the Build an Information Security Strategy research.

    1.2 Develop KPIs and prioritize your goals

    There are two paths to success.

    At this time, it is necessary to evaluate the priorities of your security program.

    Option 1: Progress to KPI Development

    • If you would like practice developing KPIs for multiple goals to get used to the process, move to KPI development and then assess which goals you can pursue now based on resources available, saving the rest for later.

    Option 2: Progress to Prioritization of Goals

    • If you are already comfortable with KPI development and do not wish to create extras for later use, then prioritize your goals first and then develop KPIs for them.

    Phase 1 Schematic

    • Gap Analysis
    • Set SMART Goals (You are here.)
      • Develop KPIs
    • Prioritize Goals
    • Implement KPI & Monitor
    • Phase 2

    Develop a key performance indicator (KPI)

    Find out if you’re meeting your goals.

    Terms like “key performance indicator” may make this development practice seem more complicated than it really is. A KPI is just a single metric used to measure success towards a goal. In relational terms (i.e. as a percentage, ratio, etc.) to give it context (e.g. % of improvement over last quarter).

    KPI development is about answering the question: what would indicate that I have achieved my goal?

    To develop a KPI follow these steps:

    1. Review the case study on the following slides to get a sense of how KPIs can start simple and general and get more specific and complex over time.
    2. Using the example to the right, sort your SMART goals from step 1.1 into the various metric types, then determine what success would look like for you. What outcome are you trying to achieve? How will you know when you’ve achieved it?
    3. Fill out the KPI Development Worksheets to create sample KPIs for each of the SMART goals you have created. Ensure that you complete the accompanying KPI Checklist.

    KPIs differ from goal to goal, but their forms follow certain trends

    Metric Type KPI Form
    Initial Probe Progress of probe (e.g. % of systems checked to see if they can supply metrics).
    Baseline Testing What current data shows (e.g. % of systems needing attention).
    Implementation Progress of the implementation (e.g. % of complete vulnerability management program implementation).
    Improvement The threshold or target to be achieved and maintained (e.g. % of incidents responded to within target window).
    Organizational Trends The interplay of several KPIs and how they affect the organization’s risk posture (e.g. assessing the likelihood for a data breach).

    Explore the five metric types

    1. Initial Probe

    Focused on determining how many sources for metrics exist.

    • Question: What am I capable of knowing?
    • Goal: To determine what level of insight we have into our security processes.
    • Possible KPI: % of systems for which metrics are available.
    • Decision: Do we have sufficient resources available to collect metrics?

    2. Baseline Testing

    Focused on gaining initial insights about the state of your security program (what are the measurements?).

    • Question: Does this data suggest areas for improvement?
    • Goal: To create a roadmap for improvement.
    • Possible KPI: % of systems that provide useful metrics to measure improvement.
    • Decision: Is it necessary to acquire tools to increase, enhance, or streamline the metrics-gathering process?

    Info-Tech Insight

    Don't lose hope if you lack resources to move beyond these initial steps. Even if you are struggling to pull data, you can still draw meaningful metrics. The percent or ratio of processes or systems you lack insight into can be very valuable, as it provides a basis to initiate a risk-based discussion with management about the organization's security blind spots.

    Explore the five metric types (cont’d)

    3. Program Implementation

    Focused on developing a basic program to establish basic maturity (e.g. implement an awareness and training program).

    • Question: What needs to be implemented to establish basic maturity?
    • Goal: To begin closing the gap between current and desired maturity.
    • Possible KPI: % of implementation completed.
    • Decision: Have we achieved a formalized and repeatable process?

    4. Improvement

    Focused on attaining operational targets to lower organizational risk.

    • Question: What other related activities could help to support this goal (e.g. regular training sessions)?
    • Goal: To have metrics operate above or below a certain threshold (e.g. lower phishing-test click rate to an average of 10% across the organization)
    • Possible KPI: Phishing click rate %
    • Decision: What other metrics should be tracked to provide insight into KPI fluctuations?

    Info-Tech Insight

    Don't overthink your KPI. In many cases it will simply be your goal rephrased to express a percentage or ratio. In others, like the example above, it makes sense for them to be identical.

    5. Organizational Impact

    Focused on studying several related KPIs (Key Performance Index, or KPX) in an attempt to predict risks.

    • Question: What risks does the organization need to address?
    • Goal: To provide high-level summaries of several metrics that suggest emerging or declining risks.
    • Possible KPI: Likelihood of a given risk (based on the trends of the KPX).
    • Decision: Accept the risk, transfer the risk, mitigate the risk?

    Case study: Healthcare example

    Let’s take a look at KPI development in action.

    Meet Maria, the new CISO at a large hospital that desperately needs security program improvements. Maria’s first move was to learn the true state of the organization’s security. She quickly learned that there was no metrics program in place and that her staff were unaware what, if any, sources were available to pull security metrics from.

    After completing her initial probe into available metrics and then investigating the baseline readings, she determined that her areas of greatest concern were around vulnerability and access management. But she also decided it was time to get a security training and awareness program up and running to help mitigate risks in other areas she can’t deal with right away.

    See examples of Maria’s KPI development on the next four slides...

    Info-Tech Insight

    There is very little variation in the kinds of goals people have around initial probes and baseline testing. Metrics in these areas are virtually always about determining what data sources are available to you and what that data actually shows. The real decisions start in determining what you want to do based on the measures you’re seeing.

    Metric development example: Vulnerability Management

    See examples of Maria’s KPI development on the next four slides...

    Implementation

    Goal: Implement vulnerability management program

    KPI: % increase of insight into existing vulnerabilities

    Associated Metric: # of vulnerability detection methods

    Improvement

    Goal: Improve deployment time for patches

    KPI: % of critical patches fully deployed within target window

    • Associated Metric 1: # of critical vulnerabilities not patched
    • Associated Metric 2: # of patches delayed due to lack of staff
    • Associated Metric X

    Metric development example: Identity Access Management

    Implementation

    Goal: Implement MFA for privileged accounts

    KPI: % of privileged accounts with MFA applied

    Associated Metric: # of privileged accounts

    Improvement

    Goal: Remove all unnecessary privileged accounts

    KPI: % of accounts with unnecessary privileges

    • Associated Metric 1: # of privileged accounts
    • Associated Metric 2: # of necessary privileged accounts
    • Associated Metric X

    Metric development example: Training and Awareness

    Implementation

    Goal: Implement training and awareness program

    KPI: % of organization trained

    Associated Metric: # of departments trained

    Improvement

    Goal: Improve time to report phishing

    KPI: % of phishing cases reported within target window

    • Associated Metric 1: # of phishing tests
    • Associated Metric 2: # of training sessions
    • Associated Metric X

    Metric development example: Key Performance Index

    Organizational Trends

    Goal: Predict Data Breach Likelihood

    • KPX 1: Insider Threat Potential
      • % of phishing cases reported within target window
        • Associated Metrics:
          • # of phishing tests
          • # of training sessions
      • % of critical patches fully deployed within target window
        • Associated Metrics:
          • # of critical vulnerabilities not patched
          • # of patches delayed due to lack of staff
      • % of accounts with unnecessary privileges
        • Associated Metrics:
          • # of privileged accounts
          • # of necessary privileged accounts
    • KPX 2: Data Leakage Issues
      • % of incidents related to unsecured databases
        • Associated Metrics:
          • # of unsecured databases
          • # of business-critical databases
      • % of misclassified data
        • Associated Metrics:
          • # of misclassified data reports
          • # of DLP false positives
      • % of incidents involving data-handling procedure violations.
        • Associated Metrics:
          • # of data processes with SOP
          • # of data processes without SOP
    • KPX 3: Endpoint Vulnerability Issues
      • % of unpatched critical systems
        • Associated Metrics:
          • # of unpatched systems
          • # of missed patches
      • % of incidents related to IoT
        • Associated Metrics:
          • # of IoT devices
          • # of IoT unsecure devices
      • % of incidents related to BYOD
        • Associated Metrics:
          • # of end users doing BYOD
          • # of BYOD incidents

    Develop Goals-Based KPIs

    1.2 120 minutes

    Materials

    • Info-Tech KPI Development Worksheets

    Participants

    • Security Team

    Output

    • List of KPIs for immediate and future use (can be used to populate Info-Tech’s KPI Development Tool).

    It’s your turn.

    Follow the example of the CISO in the previous slides and try developing KPIs for the SMART goals set in step 1.1.

    • To begin, decide if you are starting with implementation or improvement metrics.
    • Enter your goal in the space provided on the left-hand side and work towards the right, assigning a KPI to track progress towards your goal.
    • Use the associated metrics boxes to record what raw data will inform or influence your KPI.
      • Associated metrics are connected to the KPI box with a segmented line. This is because these associated metrics are not absolutely necessary to track progress towards your goal.
      • However, if a KPI starts trending in the wrong direction, these associated metrics would be used to determine where the problem has occurred.
    • If desired, bundle together several related KPIs to create a key performance index (KPX), which is used to forecast the likelihood of certain risks that would have a major business impact (e.g. potential for insider threat, or risk for a data breach).

    Record KPIs and assign them to goals in the Security Metrics Determination and Tracking Tool

    1.2 Security Metrics Determination and Tracking Tool

    Document KPI metadata in the tool and optionally assign them to a goal.

    Tab “3. Identify Goal KPIs” allows you to record each KPI and its accompanying metadata:

    • Source
    • Owner
    • Audience
    • KPI Target
    • Effort to Collect
    • Frequency of Collection
    • Comments

    Optionally, each KPI can be mapped to goals defined on tab “2. Identify Security Goals.”

    Info-Tech Best Practice

    Ensure your metadata is comprehensive, complete, and realistic. A different employee should be able to use only the information outlined in the metadata to continue collecting measurements for the program.

    Complete Info-Tech’s KPI Development Worksheets

    1.2 KPI Development Worksheet

    Use these worksheets to model the maturation of your metrics program.

    Follow the examples contained in this slide deck and practice creating KPIs for:

    • Implementation metrics
    • Improvement metrics
    • Organizational trends metrics

    As well as drafting associated metrics to inform the KPIs you create.

    Info-Tech Best Practice

    Keep your metrics program manageable. This exercise may produce more goals, metrics, and KPIs than you deal with all at once. But that doesn’t mean you can’t save some for future use.

    Build an effort map to prioritize your SMART goals

    1.2 120 minutes

    Materials

    • Whiteboard
    • Sticky notes
    • Laptop

    Participants

    • Security team
    • Other stakeholders

    Output

    • Prioritized list of SMART goals

    An effort map visualizes a cost and benefit analysis. It is a quadrant output that visually shows how your SMART goals were assessed. Use the calculated Cost/Effort Rating and Benefit Rating values from tab “2. Identify Security Goals” of the Security Metrics Determination and Tracking Tool to aid this exercise.

    Steps:

    1. Establish the axes and colors for your effort map:
      1. X-axis (horizontal) - Security benefit
      2. Y-axis (vertical) - Overall cost/effort
      3. Sticky color - Business alignment
    2. Create sticky notes for each SMART goal and place them onto the effort map based on your determined axes.
      • Goal # Example Security Goal - Benefit (1-12) - Cost (1-12)

    The image shows a matric with four quadrants. The X-axis is labelled Low Benefit on the left side and High benefit on the right side. The Y-axis is labelled Low cost at the top and High cost at the bottom. The top left quadrant is labelled Could Dos, the top right quadrant is labelled Must Dos, the lower left quadrant is labelled May Not Dos, and the lower right quadrant is Should Dos. On the right, there are three post-it style notes, the blue one labelled High Alignment, the yellow labelled Medium Alignment, and the pink labelled Low Alignment.

    1.3 Implement and monitor the KPI to track goal progress

    Let’s put your KPI into action!

    Now that you’ve developed KPIs to monitor progress on your goals, it’s time to use them to drive security program maturation by following these steps:

    1. Review the KPI Development Worksheets (completed in step 1.2) for your prioritized list of goals. Be sure that you are able to track all of the associated metrics you have identified.
    2. Track the KPI and associated metrics using Info-Tech’s KPI Development Tool (see following slide).
    3. Update the data as necessary according to your SMART criteria of your goal.

    A Word on Key Risk Indicators...

    The term key risk indicator (KRI) gets used in a few different ways. However, in most cases, KRIs are closely associated with KPIs.

    1. KPIs and KRIs are the same thing
      • A KPI, at its core, is really a measure of risk. Sometimes it is more effective to emphasize that risk rather than performance (i.e. the data shows you’re not meeting your goal).
    2. KRI is KPI going the wrong way
      • After achieving the desired threshold for an improvement goal, our new goal is usually to maintain such a state. When this balance is upset, it indicates that settled risk has once again become active.
    3. KRI as a predictor of emerging risks
      • When organizations reach a highly mature state, they often start assessing how events external to the organization can affect the optimal performance of the organization. They monitor such events or trends and try to predict when the organization is likely to face additional risks.

    Track KPIs in the Security Metrics Determination and Tracking Tool

    1.3 Security Metrics Determination and Tracking Tool

    Once a metric has been measured, you have the option of entering that data into tab “4. Track Metrics” of the Tool.

    Tracking metric data in Info-Tech's tool provides the following data visualizations:

    • Sparklines at the end of each row (on tab “4. Track Metrics”) for a quick sense of metric performance.
    • A metrics dashboard (on tab “5. Graphs”) with three graph options in two color variations for each metric tracked in the tool, and an overall metric program health gauge.

    Info-Tech Best Practice

    Be diligent about measuring and tracking your metrics. Record any potential measurement biases or comments on measurement values to ensure you have a comprehensive record for future use. In the tool, this can be done by adding a comment to a cell with a metric measurement.

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech workshop

    Book a workshop with our Info-Tech analysts:

    Workshops offer an easy way to accelerate your project. While onsite, our analysts will work with you and your team to facilitate the activities outlined in the blueprint.

    Getting key stakeholders together to formalize the program, while getting started on data discovery and classification, allows you to kickstart the overall program.

    In addition, leverage over-the-phone support through Guided Implementations included in advisory memberships to ensure the continuous improvement of the classification program even after the workshop.

    Logan Rohde

    Research Analyst – Security, Risk & Compliance Info-Tech Research Group

    Ian Mulholland

    Senior Research Analyst – Security, Risk & Compliance Info-Tech Research Group

    Call 1-888-670-8889 for more information.

    Phase 2

    Adapt Your Reporting Strategy for Various Metric Types


    Phase 2

    2.1 Review best practices for presenting metrics

    2.2 Strategize your presentation based on metric type

    2.3 Tailor your presentation to your audience

    2.4 Use your metrics to create a story about risk

    2.5 Revise Metrics

    This phase will walk you through the following activities:

    • Develop reporting strategy
    • Use metrics to create a story about risk
    • Metrics revision

    This phase involves the following participants:

    • Security Team

    Outcomes of this phase

    • Metrics Dashboard
    • Metrics Presentation Deck

    Phase 2 outline

    Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

    Complete these steps on your own or call us to complete a guided implementation. A guided implementation is a series of two to three advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

    Guided Implementation 2: Adapt Your Reporting Strategy for Various Metric Types

    Proposed Time to Completion: 2-4 weeks

    Step 2.1 – 2.3: Best Practices and Reporting Strategy

    Start with an analyst kick-off call:

    • Do’s and Don’ts of reporting metrics.
    • Strategize presentation based on metric type.

    Then complete these activities…

    • Strategy development for 3-5 metrics

    Step 2.4 – 2.5: Build a Dashboard and Presentation Deck

    Review findings with analyst:

    • Review strategies for reporting.
    • Compile a Key Performance Index.
    • Revise metrics.

    Then complete these activities…

    • Dashboard creation
    • Presentation development

    With these tools & templates:

    • Security Metrics Determination and Tracking Tool Template
    • Security Metrics KPX Dashboard Tool

    Phase 2 Results & Insights:

    • Completed reporting strategy with presentable dashboard

    2.1 Review best practices for presenting metrics

    Avoid technical details (i.e. raw data) by focusing on the KPI.

    • KPIs add context to understand the behavior and associated risks.

    Put things in terms of risk; it's the language you both understand.

    • This usually means explaining what will happen if not addressed and what you recommend.
    • There are always three options:
      • Address it completely
      • Address it partially
      • Do not address it (i.e. accept the risk)

    Explain why you’re monitoring metrics in terms of the goals you’re hoping to achieve.

    • This sets you up well to explain what you've been doing and why it's important for you to meet your goals.

    Choose between KPI or KRI as the presentation format.

    • Base your decision on whether you are trying to emphasize current success or risk.

    Match presentation with the audience.

    • Board presentations will be short; middle-management ones may be a bit longer.
    • Maximize your results by focusing on the minimum possible information to make sure you sufficiently get your point across.
    • With the board, plan on showing no more than three slides.

    Read between the lines.

    • It can be difficult to get time with the board, so you may find yourself in a trial and error position, so pay attention to cues or suggestions that indicate the board is interested in something.
    • If you can, make an ally to get the inside scoop on what the board cares about.

    Read the news if you’re stuck for content.

    • Board members are likely to have awareness (and interest) in large-scale risks like data breaches and ransomware.

    Present your metrics as a story.

    • Summarize how the security program looks to you and why the metrics lead you to see it this way.

    2.2 Strategize your presentation based on metric type (1 of 5)

    Metric Type: Initial Probe

    Scenario: Implementing your first metrics program.

    • All metrics programs start with determining what measurements you are capable of taking.

    Decisions: Do you have sufficient insight into the program? (i.e. do you need to acquire additional tools to collect metrics?)

    Strategy: If there are no barriers to this (e.g. budget), then focus your presentation on the fact that you are addressing the risk of not knowing what your organization's baseline state is and what potential issues exist but are unknown. This is likely the first phase of an improvement plan, so sketching the overall plan is a good idea too.

    • If budget is an issue, explain the risks associated with not knowing and what you would need to make it happen.

    Possible KPIs:

    • % of project complete.
    • % of systems that provide worthwhile metrics.

    Strategize your presentation based on metric type (2 of 5)

    Metric Type: Baseline Testing

    Scenario: You've taken the metrics to determine what your organization’s normal state is and you're now looking towards addressing your gaps or problem areas.

    Decisions: What needs to be prioritized first and why? Are additional resources required to make this happen?

    Strategy: Explain your impression of the organization's normal state and what you plan to do about it. In other words, what goals are you prioritizing and why? Be sure to note any challenges that may occur along the way (e.g. staffing).

    • If the board doesn't like to open their pocketbook, your best play is to explain what stands to happen (or is happening) if risks are not addressed.

    Possible KPIs:

    • % of goals complete.
    • % of metrics indicating urgent attention needed.

    Strategize your presentation based on metric type (3 of 5)

    Metric Type: Implementation

    Scenario: You are now implementing solutions to address your security priorities.

    Decisions: What, to you, would establish the basis of a program?

    Strategy: Focus on what you're doing to implement a certain security need, why, and what still needs to be done when you’re finished.

    • Example: To establish a training and awareness program, a good first step is to actually hold training sessions with each department. A single lecture is simple but something to build from. A good next step would be to hold regular training sessions or implement monthly phishing tests.

    Possible KPIs:

    • % of implementation complete (e.g. % of departments trained).

    Strategize your presentation based on metric type (4 of 5)

    Metric Type: Improvement

    Scenario: Now that a basic program has been established, you are looking to develop its maturity to boost overall performance (i.e. setting a new development goal).

    Decisions: What is a reasonable target, given the organization's risk tolerance and current state?

    Strategy: Explain that you're now working to tighten up the security program. Note that although things are improving, risk will always remain, so we need to keep it within a threshold that’s proportionate with our risk tolerance.

    • Example: Lower phishing-test click rate to 10% or less. Phishing will always be a risk, and just one slip up can have a huge effect on business (i.e. lost money).

    Possible KPIs:

    • % of staff passing the phishing test.
    • % of employees reporting phishing attempts within time window.

    Strategize your presentation based on metric type (5 of 5)

    Metric Type: Organizational Trends

    Scenario: You've reached a mature state and now how several KPIs being tracked. You begin to look at several KPIs together (i.e. a KPX) to assess the organization's exposure for certain broad risk trends.

    Decisions: Which KPIs can be used together to look at broader risks?

    Strategy: Focus on the overall likelihood of a certain risk and why you've chosen to assess it with your chosen KPIs. Spend some time discussing what factors affect the movement of these KPIs, demonstrating how smaller behaviors create a ripple effect that affects the organization’s exposure to large-scale risks.

    Possible KPX: Insider Threat Risk

    • % of phishing test failures.
    • % of critical patches missed.
    • % of accounts with unnecessary privileges.

    Change your strategy to address security challenges

    Even challenges can elicit useful metrics.

    Not every security program is capable of progressing smoothly through the various metric types. In some cases, it is impossible to move towards goals and metrics for implementation, improvement, or organizational trends because the security program lacks resources.

    Info-Tech Insight

    When your business is suffering from a lack of resources, acquiring these resources automatically becomes the goal that your metrics should be addressing. To do this, focus on what risks are being created because something is missing.

    When your security program is lacking a critical resource, such as staff or technology, your metrics should focus on what security processes are suffering due to this lack. In other words, what critical activities are not getting done?

    KPI Examples:

    • % of critical patches not deployed due to lack of staff.
    • % of budget shortfall to acquire vulnerability scanner.
    • % of systems with unknown risk due to lack of vulnerability scanner.

    2.3 Tailor presentation to your audience

    Metrics come in three forms...

    1. Raw Data

    • Taken from logs or reports, provides values but not context.
    • Useful for those with technical understanding of the organization’s security program.

    2. Management-Level

    • Raw data that has been contextualized and indicates performance of something (i.e. a KPI).
    • Useful for those with familiarity with the overall state of the security program but do not have a hands-on role.

    3. Board-Level

    • KPI with additional context indicating overall effect on the organization.
    • Useful for those removed from the security program but who need to understand the relationship between security, business goals, and cyber risk.

    For a metric to be useful it must...

    1. Be understood by the audience it’s being presented to.
      • Using the criteria on the left, choose which metric form is most appropriate.
    2. Indicate whether or not a certain target or goal is being met.
      • Don’t expect metrics to speak for themselves; explain what the indications and implications are.
    3. Drive some kind of behavioral or strategic change if that target or goal is not being met.
      • Metrics should either affirm that things are where you want them to be or compel you to take action to make an improvement. If not, it is not a worthwhile metric.

    As a general rule, security metrics should become decreasingly technical and increasingly behavior-based as they are presented up the organizational hierarchy.

    "The higher you travel up the corporate chain, the more challenging it becomes to create meaningful security metrics. Security metrics are intimately tied to their underlying technologies, but the last thing the CEO cares about is technical details." – Ben Rothke, Senior Information Security Specialist, Tapad.

    Plan for reporting success

    The future of your security program may depend on this presentation; make it count.

    Reporting metrics is not just another presentation. Rather, it is an opportunity to demonstrate and explain the value of security.

    It is also a chance to correct any misconceptions about what security does or how it works.

    Use the tips on the right to help make your presentation as relatable as possible.

    Info-Tech Insight

    There is a difference between data manipulation and strategic presentation: the goal is not to bend the truth, but to present it in a way that allows you to show the board what they need to see and to explain it in terms familiar to them.

    General Tips for a Successful Presentation

    Avoid jargon; speak in practical terms

    • The board won’t receive your message if they can’t understand you.
    • Explain things as simply as you can; they only need to know enough to make decisions about addressing cyber risk.

    Address compliance

    • Boards are often interested in compliance, so be prepared to talk about it, but clarify that it doesn't equal security.
    • Instead, use compliance as a bridge to discussing areas of the security program that need attention.

    Have solid answers

    • Try to avoid answering questions with the answer, “It depends.”
      • Depends on what?
      • Why?
      • What do you recommend?
    • The board is relying on you for guidance, so be prepared to clarify what the board is asking (you may have to read between the lines to do this).
    • Also address the pain points of board members and have answers to their questions about how to resolve them.

    2.4 Use your metrics to create a story about risk

    Become the narrator of your organization’s security program.

    Security is about managing risk. This is also its primary value to the organization. As such, risk should be the theme of the story you tell.

    "Build a cohesive story that people can understand . . . Raw metrics are valuable from an operations standpoint, but at the executive level, it's about a cohesive story that helps executives understand the value of the security program and keeps the company moving forward. "– Adam Ely, CSO and Co-Founder, Bluebox Security, qtd. by Tenable, 2016

    How to Develop Your Own Story...

    1. Review your security program goals and the metrics you’re using to track progress towards them. Then, decide which metrics best tell this story (i.e. what you’re doing and why).
      • Less is more when presenting metrics, so be realistic about how much your audience can digest in one sitting.
      • Three metrics is usually a safe number; choose the ones that are most representative of your goals.
    2. Explain why you chose the goals you did (i.e. what risks were you addressing?). Then, make an honest assessment of how the security program is doing as far as meeting those goals:
      • What’s going well?
      • What still needs improvement?
      • What about your metrics suggests this?
    3. Address how risks have changed and explain your new recommended course of action.
      • What risks were present when you started?
      • What risks remain despite your progress?
      • How do these risks affect the business operation and what can security do to help?

    Story arc for security metrics

    The following model encapsulates the basic trajectory of all story development.

    Use this model to help you put together your story about risk.

    Introduction: Overall assessment of security program.

    Initial Incident: Determination of the problems and associated risks.

    Rising Action: Creation of goals and metrics to measure progress.

    Climax: Major development indicated by metrics.

    Falling Action: New insights gained about organization’s risks.

    Resolution: Recommendations based on observations.

    Info-Tech Best Practice

    Follow this model to ensure that your metrics presentation follows a coherent storyline that explains how you assessed the problem, why you chose to address it the way you did, what you learned in doing so, and finally what should be done next to boost the security program’s maturity.

    Use a nesting-doll approach when presenting metrics

    Move from high-level to low-level to support your claims

    1. Avoid the temptation to emphasize technical details when presenting metrics. The importance of a metric should be clear from just its name.
    2. This does not mean that technical details should be disregarded entirely. Your digestible, high-level metrics should be a snapshot of what’s taking place on the security ground floor.
    3. With this in mind, we should think of our metrics like a nesting doll, with each metrics level being supported by the one beneath it.

    ...How do you know that?

    Board-Level KPI

    Mgmt.-Level KPI

    Raw Data

    Think of your lower-level metrics as evidence to back up the story you are telling.

    When you’re asked how you arrived at a given conclusion, you know it’s time to go down a level and to explain those results.

    Think of this like showing your work.

    Info-Tech Insight

    This approach is built into the KPX reporting format, but can be used for all metric types by drawing from your associated metrics and goals already achieved.

    Use one of Info-Tech’s dashboards to present your metrics

    2.4 Security Metrics Determination and Tracking Tool

    Choose the dashboard tool that makes the most sense for you.

    Info-Tech provides two options for metric dashboards to meet the varying needs of our members.

    If you’re just starting out, you’ll likely be inclined towards the dashboard within the Security Metrics Determination and Tracking Tool (seen here).

    The image shows a screenshot of the Security Metrics Determination and Tracking Tool.

    But if you’ve already got several KPIs to report on, you may prefer the Security Metrics KPX Dashboard Tool, featured on the following slides.

    Info-Tech Best Practice

    Not all graphs will be needed in all cases. When presenting, consider taking screenshots of the most relevant data and displaying them in Info-Tech’s Board-Level Security Metrics Presentation Template.

    Use one of Info-Tech’s dashboards to present your metrics

    2.4 Security Metrics KPX Dashboard

    Use Info-Tech’s Security Metrics KPX Dashboard to track and show your work.

    The image shows a screenshot of the Definitions section of the Security Metrics KPX Dashboard

    1. Start by customizing the definitions on tab 1 to match your organization’s understanding of high, medium, and low risk across the three impact areas (functional, informational, and recoverability).
    2. Next, enter up to 5 business goals that your security program supports.

    Use one of Info-Tech’s dashboards to present your metrics

    2.4 Security Metrics KPX Dashboard

    Use Info-Tech’s Security Metrics KPX Dashboard to track and show your work.

    The image shows a screenshot of tab 2 of the Security Metrics KPX Dashboard.

    1. On tab 2, enter the large-scale risk you are tracking
    2. Proceed by naming each of your KPXs after three broad risks that – to you – contribute to the large-scale risk.

    Use one of Info-Tech’s dashboards to present your metrics

    2.4 Security Metrics KPX Dashboard

    Use Info-Tech’s Security Metrics KPX Dashboard to track and show your work.

    The image is the same screenshot from the previous section, of tab 2 of the Security Metrics KPX Dashboard.

    1. Then, add up to five KPIs aimed at managing more granular risks that contribute to the broad risk.
    2. Assess the frequency and impact associated with these more granular risks to determine how likely it is to contribute to the broad risk the KPX is tracking.

    Use one of Info-Tech’s dashboards to present your metrics

    2.4 Security Metrics KPX Dashboard

    Use Info-Tech’s Security Metrics KPX Dashboard to track and show your work.

    The image is the same screenshot of tab 2 of the Security Metrics KPX Dashboard.

    1. Repeat as necessary for the other KPXs on tab 2.
    2. Repeat steps 3-7 for up to two more large-scale risks and associated KPXs on tabs 3 and 4.

    Use one of Info-Tech’s dashboards to present your metrics

    2.4 Security Metrics KPX Dashboard

    Use Info-Tech’s Security Metrics KPX Dashboard to track and show your work.

    The image shows a chart titled Business Alignment, with sample Business Goals and KPXs filled in.

    1. If desired, complete the Business Alignment evaluation (located to the right of KPX 2 on tabs 2-4) to demonstrate how well security is supporting business goals.

    "An important key to remember is to be consistent and stick to one framework once you've chosen it. As you meet with the same audiences repeatedly, having the same framework for reference will ensure that your communications become smoother over time." – Caroline Wong, Chief Strategy Officer, Cobalt.io

    Use one of Info-Tech’s dashboards to present your metrics

    2.4 Security Metrics KPX Dashboard

    Use Info-Tech’s Security Metrics KPX Dashboard to track and show your work.

    The image shows a screenshot of the dashboard on tab 5 of the Security Metrics KPX Dashboard.

    1. Use the dashboard on tab 5 to help you present your security metrics to senior leadership.

    Use one of Info-Tech’s dashboards to present your metrics

    2.4 Security Metrics KPX Dashboard

    Use Info-Tech’s Security Metrics KPX Dashboard to track and show your work.

    The image shows the same screenshot of Tab 2 of the Security Metrics KPX Dashboard that was shown in previous sections.

    Best Practice:

    This tool helps you convert your KPIs into the language of risk by assessing frequency and severity, which helps to make the risk relatable for senior leadership. However, it is still useful to track fluctuations in terms of percentage. To do this, track changes in the frequency, severity, and trend scores from quarter to quarter.

    Customize Info-Tech’s Security Metrics Presentation Template

    2.4 Board-Level Security Metrics Presentation Template

    Use the Board-Level Security Metrics Presentation Template deck to help structure and deliver your metrics presentation to the board.

    To make the dashboard slide, simply copy and paste the charts from the dashboard tool and arrange the images as needed.

    Adapt the status report and business alignment slides to reflect the story about risk that you are telling.

    2.5 Revise your metrics

    What's next?

    Now that you’ve made it through your metrics presentation, it’s important to reassess your goals with feedback from your audience in mind. Use the following workflow.

    The image shows a flowchart titled Metrics-Revision Workflow. The flowchart begins with the question Have you completed your goal? and then works through multiple potential answers.

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech workshop

    Book a workshop with our Info-Tech analysts:

    Workshops offer an easy way to accelerate your project. While onsite, our analysts will work with you and your team to facilitate the activities outlined in the blueprint.

    Getting key stakeholders together to formalize the program, while getting started on data discovery and classification, allows you to kickstart the overall program.

    In addition, leverage over-the-phone support through Guided Implementations included in advisory memberships to ensure the continuous improvement of the classification program even after the workshop.

    Logan Rohde

    Research Analyst – Security, Risk & Compliance Info-Tech Research Group

    Ian Mulholland

    Senior Research Analyst – Security, Risk & Compliance Info-Tech Research Group

    Call 1-888-670-8889 for more information.

    Insight breakdown

    Metrics lead to maturity, not vice versa.

    • Tracking metrics helps you assess progress and regress in your security program, which helps you quantify the maturity gains you’ve made.

    Don't lose hope if you lack resources to move beyond baseline testing.

    • Even if you are struggling to pull data, you can still draw meaningful metrics. The percent or ratio of processes or systems you lack insight into can be very valuable, as it provides a basis to initiate a risk-based discussion with management about the organization's security blind spots.

    The best metrics are tied to goals.

    • Tying your metrics to goals ensures that you are collecting metrics for a specific purpose rather than just to watch the numbers change.

    Summary of accomplishment

    Knowledge Gained

    • Current maturity assessment of security areas
    • Setting SMART goals
    • Metric types
    • KPI development
    • Goals prioritization
    • Reporting and revision strategies

    Processes Optimized

    • Metrics development
    • Metrics collection
    • Metrics reporting

    Deliverables Completed

    • KPI Development Worksheet
    • Security Metrics Determination and Tracking Tool
    • Security Metrics KPX Dashboard Tool
    • Board-Level Security Metrics Presentation Template

    Research contributors and experts

    Mike Creaney, Senior Security Engineer at Federal Home Loan Bank of Chicago

    Peter Chestna, Director, Enterprise Head of Application Security at BMO Financial Group

    Zane Lackey, Co-Founder / Chief Security Officer at Signal Sciences

    Ben Rothke, Senior Information Security Specialist at Tapad

    Caroline Wong, Chief Strategy Officer at Cobalt.io

    2 anonymous contributors

    Related Info-Tech research

    Build an Information Security Strategy

    Tailor best practices to effectively manage information security.

    Implement a Security Governance and Management Program

    Align security and business objectives to get the greatest benefit from both.

    Bibliography

    Capability Maturity Model Integration (CMMI). ISACA. Carnegie Mellon University.

    Ely, Adam. “Choose Security Metrics That Tell a Story.” Using Security Metrics to Drive Action: 33 Experts Share How to Communicate Security Program Effectiveness to Business Executives and the Board Eds. 2016. Web.

    https://www.ciosummits.com/Online_Assets_Tenable_eBook-_Using_Security_Metrics_to_Drive_Action.pdf

    ISACA. “Board Director Concerns about Cyber and Technology Risk.” CSX. 11 Sep. 2018. Web.

    Rothke, Ben. “CEOs Require Security Metrics with a High-Level Focus.” Using Security Metrics to Drive Action: 33 Experts Share How to Communicate Security Program Effectiveness to Business Executives and the Board Eds. 2016. Web.

    https://www.ciosummits.com/Online_Assets_Tenable_eBook-_Using_Security_Metrics_to_Drive_Action.pdf

    Wong, Caroline. Security Metrics: A Beginner’s Guide. McGraw Hill: New York, 2012.

    Develop a Security Operations Strategy

    • Buy Link or Shortcode: {j2store}264|cart{/j2store}
    • member rating overall impact: 10.0/10 Overall Impact
    • member rating average dollars saved: $79,249 Average $ Saved
    • member rating average days saved: 28 Average Days Saved
    • Parent Category Name: Security Processes & Operations
    • Parent Category Link: /security-processes-and-operations
    • There is an onslaught of security data – generating information in different formats, storing it in different places, and forwarding it to different locations.
    • The organization lacks a dedicated enterprise security team. There is limited resourcing available to begin or mature a security operations center.
    • Many organizations are developing ad hoc security capabilities that result in operational inefficiencies, the misalignment of resources, and the misuse of security technology investments.
    • It is difficult to communicate the value of a security operations program when trying to secure organizational buy-in to gain the appropriate resourcing.
    • There is limited communication between security functions due to a centralized security operations organizational structure.

    Our Advice

    Critical Insight

    1. Security operations is no longer a center, but a process. The need for a physical security hub has evolved into the virtual fusion of prevention, detection, analysis, and response efforts. When all four functions operate as a unified process, your organization will be able to proactively combat changes in the threat landscape.
    2. Functional threat intelligence is a prerequisite for effective security operations – without it, security operations will be inefficient and redundant. Eliminate false positives by contextualizing threat data, aligning intelligence with business objectives, and building processes to satisfy those objectives.
    3. If you are not communicating, you are not secure. Collaboration eliminates siloed decisions by connecting people, processes, and technologies. You leave less room for error, consume fewer resources, and improve operational efficiency with a transparent security operations process.

    Impact and Result

    • A unified security operations process actively transforms security events and threat information into actionable intelligence, driving security prevention, detection, analysis, and response processes, addressing the increasing sophistication of cyberthreats, and guiding continuous improvement.
    • This blueprint will walk through the steps of developing a flexible and systematic security operations program relevant to your organization.

    Develop a Security Operations Strategy Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should enhance your security operations program, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Assess your current state

    Assess current prevention, detection, analysis, and response capabilities.

    • Develop a Security Operations Strategy – Phase 1: Assess Operational Requirements
    • Security Operations Preliminary Maturity Assessment Tool

    2. Develop maturity initiatives

    Design your optimized state of operations.

    • Develop a Security Operations Strategy – Phase 2: Develop Maturity Initiatives
    • Information Security Requirements Gathering Tool
    • Concept of Operations Maturity Assessment Tool

    3. Define operational interdependencies

    Identify opportunities for collaboration within your security program.

    • Develop a Security Operations Strategy – Phase 3: Define Operational Interdependencies
    • Security Operations RACI Chart & Program Plan
    • Security Operations Program Cadence Schedule Template
    • Security Operations Collaboration Plan
    • Security Operations Metrics Summary Document
    [infographic]

    Workshop: Develop a Security Operations Strategy

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Assess Operational Requirements

    The Purpose

    Determine current prevention, detection, analysis, and response capabilities, operational inefficiencies, and opportunities for improvement.

    Key Benefits Achieved

    Determine why you need a sound security operations program.

    Understand Info-Tech’s threat collaboration environment.

    Evaluate your current security operation’s functions and capabilities.

    Activities

    1.1 Understand the benefits of refining your security operations program.

    1.2 Gauge your current prevention, detection, analysis, and response capabilities.

    Outputs

    Security Operations Preliminary Maturity Assessment Tool

    2 Develop Maturity Initiatives

    The Purpose

    Begin developing and prioritizing gap initiatives in order to achieve the optimal state of operations.

    Key Benefits Achieved

    Establish your goals, obligations, scope, and boundaries.

    Assess your current state and define a target state.

    Develop and prioritize gap initiatives.

    Define the cost, effort, alignment, and security benefits of each initiative.

    Develop a security strategy operational roadmap.

    Activities

    2.1 Assess your current security goals, obligations, and scope.

    2.2 Design your ideal target state.

    2.3 Prioritize gap initiatives.

    Outputs

    Information Security Strategy Requirements Gathering Tool

    Security Operations Maturity Assessment Tool

    3 Define Operational Interdependencies

    The Purpose

    Identify opportunities for collaboration.

    Formalize your operational process flows.

    Develop a comprehensive and actionable measurement program.

    Key Benefits Achieved

    Understand the current security operations process flow.

    Define the security operations stakeholders and their respective deliverables.

    Formalize an internal information-sharing and collaboration plan.

    Activities

    3.1 Identify opportunities for collaboration.

    3.2 Formalize a security operations collaboration plan.

    3.3 Define operational roles and responsibilities.

    3.4 Develop a comprehensive measurement program.

    Outputs

    Security Operations RACI & Program Plan Tool

    Security Operations Collaboration Plan

    Security Operations Cadence Schedule Template

    Security Operations Metrics Summary

    Further reading

    INFO-TECH RESEARCH GROUP

    Develop a Security Operations Strategy

    Transition from a security operations center to a threat collaboration environment.

    Info-Tech Research Group, Inc. is a global leader in providing IT research and advice. Info-Tech’s products and services combine actionable insight and relevant advice with ready-to-use tools and templates that cover the full spectrum of IT concerns.
    © 1997-2017 Info-Tech Research Group Inc.

    ANALYST PERSPECTIVE

    “A reactive security operations program is no longer an option. The increasing sophistication of threats demands a streamlined yet adaptable mitigation and remediation process. Protect your assets by preparing for the inevitable; unify your prevention, detection, analysis, and response efforts and provide assurance to your stakeholders that you are making information security a top priority.”

    Phot of Edward Gray, Consulting Analyst, Security, Risk & Compliance, Info-Tech Research Group.

    Edward Gray,
    Consulting Analyst, Security, Risk & Compliance
    Info-Tech Research Group



    Our understanding of the problem

    This Research Is Designed For:
    • Chief Information Officer (CIO)
    • Chief Information Security Officer (CISO)
    • Chief Operating Officer (COO)
    • Security / IT Management
    • Security Operations Director / Security Operations Center (SOC)
    • Network Operations Director / Network Operations Center (NOC)
    • Systems Administrator
    • Threat Intelligence Staff
    • Security Operations Staff
    • Security Incident Responders
    • Vulnerability Management Staff
    • Patch Management
    This Research Will Help You:
    • Enhance your security program by implementing and streamlining next-generation security operations processes.
    • Increase organizational situational awareness through active collaboration between core threat teams, enriching internal security events with external threat intelligence and enhancing security controls.
    • Develop a comprehensive threat analysis and dissemination process: align people, process, and technology to scale security to threats.
    • Identify the appropriate technological and infrastructure-based sourcing decisions.
    • Design a step-by-step security operations implementation process.
    • Pursue continuous improvement: build a measurement program that actively evaluates program effectiveness.
    This Research Will Also Assist:
    • Board / Chief Executive Officer
    • Information Owners (Business Directors/VP)
    • Security Governance and Risk Management
    • Fraud Operations
    • Human Resources
    • Legal and Public Relations
    This Research Will Help Them
    • Aid decision making by staying abreast of cyberthreats that could impact the business.
    • Increase visibility into the organization’s threat landscape to identify likely targets or identify exposed vulnerabilities.
    • Ensure the business is compliant with regularity, legal, and/or compliance requirements.
    • Understand the value and return on investment of security operations offerings.

    Executive summary

    Situation

    • Current security practices are disjointed, operating independently with a wide variety of processes and tools to conduct incident response, network defense, and threat analysis. These disparate mitigations leave organizations vulnerable to the increasing number of malicious events.
    • Threat management has become resource intensive, requiring continuous monitoring, collection, and analysis of massive volumes of security event data, while juggling business, compliance, and consumer obligations.

    Complication

    • There is an onslaught of security data – generating information in different formats, storing it in different places, and forwarding it to different locations.
    • The organization lacks a dedicated enterprise security team. There is limited resourcing available to begin or mature a security operations center.
    • Many organizations are developing ad hoc security capabilities that result in operational inefficiencies, the misalignment of resources, and the misuse of their security technology investments.
    • It is difficult to communicate the value of a security operations program when trying to secure organizational buy-in to gain the appropriate resourcing.
    • There is limited communication between security functions due to a centralized security operations organizational structure.

    Resolution

    • A unified security operations process actively transforms security events and threat information into actionable intelligence, driving security prevention, detection, analysis, and response processes, addressing the increasing sophistication of cyberthreats, and guiding continuous improvement.
    • This blueprint will walk through the steps of developing a flexible and systematic security operations program relevant to your organization.

    Info-Tech Insight

    1. Security operations is no longer a center, but a process. The need for a physical security hub has evolved into the virtual fusion of prevention, detection, analysis, and response efforts. When all four functions operate as a unified process, your organization will be able to proactively combat changes in the threat landscape.
    2. Functional threat intelligence is a prerequisite for effective security operations – without it, security operations will be inefficient and redundant. Eliminate false positives by contextualizing threat data, aligning intelligence with business objectives, and building processes to satisfy those objectives.
    3. If you are not communicating, you are not secure. Collaboration eliminates siloed decisions by connecting people, processes, and technologies. You leave less room for error, consume fewer resources, and improve operational efficiency with a transparent security operations process.

    Data breaches are resulting in major costs across industries

    Horizontal bar chart of 'Per capita cost by industry classification of benchmarked companies', with the highest cost attributed to 'Health', 'Pharmaceutical', 'Financial', 'Energy', and 'Transportation'.

    Average data breach costs per compromised record hit an all-time high of $217 (in 2015); $74 is direct cost (e.g. legal fees, technology investment) and $143 is indirect cost (e.g. abnormal customer churn). (Source: Ponemon Institute, “2015 Cost of Data Breach Study: United States”)

    '% of systems impacted by a data breach', '1% No Impact', '19% 1-10% impacted', '41% 11-30% impacted', '24% 31-50% impacted', '15% more than 50% impacted
    Divider line.
    '% of customers lost from a data breach', '61% Lost <20%', '21% Lost 20-40%', '8% Lost 40-60%', '6% Lost 60-80%', '4% Lost 80-100%'.
    Divider line.
    '% of business opportunity lost from a data breach', '58% Lost <20%', '25% Lost 20-40%', '9% Lost, 40-60%', '5% Lost 60-80%', '4% Lost 80-100%'.
    (Source: The Network, “ Cisco 2017 Security Capabilities Benchmark Study”)

    Persistent issues

    • Organizational barriers separating prevention, detection, analysis, and response efforts.
      Siloed operations limit collaboration and internal knowledge sharing.
    • Lack of knowledgeable security staff.
      Human capital is transferrable between roles and functions and must be cross-trained to wear multiple hats.
    • Failure to evaluate and improve security operations.
      The effectiveness of operations must be frequently measured and (re)assessed through an iterative system of continuous improvement.
    • Lack of standardization.
      Pre-established use cases and policies outlining tier-1 operational efforts will eliminate ad hoc remediation efforts and streamline operations.
    • Failure to acknowledge the auditor as a customer.
      Many compliance and regulatory obligations require organizations to have comprehensive documentation of their security operations practices.

    60% Of organizations say security operation teams have little understanding of each other’s requirements.

    40% Of executives report that poor coordination leads to excessive labor and IT operational costs.

    38-100% Increase in efficiency after closing operational gaps with collaboration.
    (Source: Forbes, “The Game Plan for Closing the SecOps Gap”)

    The solution

    Bar chart of the 'Benefits of Internal Collaboration' with 'Increased Operational Efficiency' and 'Increased Problem Solving' having the highest percentage.

    “Empower a few administrators with the best information to enable fast, automated responses.”
    – Ismael Valenzuela, IR/Forensics Technical Practice Manager, Foundstone® Services, Intel Security)

    Insufficient security personnel resourcing has been identified as the most prevalent challenge in security operations…

    When an emergency security incident strikes, weak collaboration and poor coordination among critical business functions will magnify inefficiencies in the incident response (IR) process, impacting the organization’s ability to minimize damage and downtime.

    The solution: optimize your SOC. Info-Tech has seen SOCs with five analysts outperform SOCs with 25 analysts through tools and process optimization.

    Sources:
    Ponemon. "2016 State of Cybersecurity in Small & Medium-Sized Businesses (SMB).”
    Syngress. Designing and Building a Security Operations Center.

    Maintain a holistic security operations program

    Legacy security operations centers (SOCs) fail to address gaps between data sources, network controls, and human capital. There is limited visibility and collaboration between departments, resulting in siloed decisions that do not support the best interests of the organization.
    Venn diagram of 'Next-Gen Security Operations' with four intersecting circles: 'Prevent', 'Detect', 'Analyze', and 'Respond'.

    Security operations is part of what Info-Tech calls a threat collaboration environment, where members must actively collaborate to address cyberthreats affecting the organization’s brand, business operations, and technology infrastructure on a daily basis.

    Prevent: Defense in depth is the best approach to protect against unknown and unpredictable attacks. Diligent patching and vulnerability management, endpoint protection, and strong human-centric security (amongst other tactics) are essential. Detect: There are two types of companies – those who have been breached and know it and those who have been breached and don’t know it. Ensure that monitoring, logging, and event detection tools are in place and appropriate to your organizational needs
    Analyze: Raw data without interpretation cannot improve security and is a waste of time, money, and effort. Establish a tiered operational process that not only enriches data but also provides visibility into your threat landscape. Respond: Organizations can’t rely on an ad hoc response anymore – don’t wait until a state of panic. Formalize your response processes in a detailed incident runbook in order to reduce incident remediation time and effort.

    Info-Tech’s security operations blueprint ties together various initiatives

    Stock image 1.

    Design and Implement a Vulnerability Management Program

    Vulnerability Management
    Vulnerability management revolves around the identification, prioritization, and remediation of vulnerabilities. Vulnerability management teams hunt to identify which vulnerabilities need patching and remediating.
    Deliverables
    • Vulnerability Tracking Tool
    • Vulnerability Scanning Tool RFP Template
    • Penetration Test RFP Template
    • Vulnerability Mitigation Process Template
    Stock image 2.

    Integrate Threat Intelligence Into Your Security Operations

    Threat Intelligence
    Threat intelligence addresses the collection, analysis, and dissemination of external threat data. Analysts act as liaisons to their peers, publishing actionable threat alerts, reports, and briefings. Threat intelligence proactively monitors and identifies whether threat indicators are impacting your organization.
    • Maturity Assessment Tool
    • Threat Intelligence RACI Tool
    • Management Plan Template
    • Threat Intelligence Policy Template
    • Alert Template
    • Alert and Briefing Cadence Schedule
    Stock image 3.

    Develop Foundational Security Operations Processes

    Operations
    Security operations include the real-time monitoring and analysis of events based on the correlation of internal and external data sources. This also includes incident escalation based on impact. Analysts are constantly tuning and tweaking rules and reporting thresholds to further help identify which indicators are most impactful during the analysis phase of operations.
    • Maturity Assessment Tool
    • Event Prioritization Tool
    • Efficiency Calculator
    • SecOps Policy Template
    • In-House vs. Outsourcing Decision-Making Tool
    • SecOps RACI Tool
    • TCO & ROI Comparison Calculator
    Stock image 4.

    Develop and Implement a Security Incident Management Program

    Incident Response
    Effective and efficient management of incidents involves a formal process of analysis, containment, eradication, recovery, and post-incident activities. IR teams coordinate root-cause analysis and incident gathering while facilitating post-incident lessons learned. Incident response can provide valuable threat data that ties specific indicators to threat actors or campaigns.
    • Incident Management Policy
    • Maturity Assessment Tool
    • Incident Management RACI Tool
    • Incident Management Plan
    • Incident Runbook Prioritization Tool
    • Various Incident Management Runbooks

    This blueprint will…

    …better protect your organization with an interdependent and collaborative security operations program.

    Phase 01

    Assess your operational requirements.

    Phase 02

    Optimize and further mature your security operations processes

    Phase 3a

    Develop the process flow and specific interaction points between functions

    Phase 3b

    Test your current capabilities with a table top exercise
    Briefly assess your current prevention, detection, analysis, and response capabilities.
    Highlight operational weak spots that should be addressed before progressing.
    Develop a prioritized list of security-focused operational initiatives.
    Conduct a holistic analysis of your operational capabilities.
    Define the operational interaction points between security-focused operational departments.
    Document the results in comprehensive operational interaction agreement.
    Test your operational processes with Info-Tech’s security operations table-top exercise.

    Info-Tech integrates several best practices to create a best-of-breed security framework

    Legend for the 'Information Security Framework' identifying blue best practices as 'In Scope' and white best practices as 'Out of Scope'. Info-Tech's 'Information Security Framework' of best practices with two main categories 'Governance' and 'Management', each with subcategories such as 'Context & Leadership' and 'Prevention', each with a group of best practices color-coded to the associated legend identifying them as 'In Scope' or 'Out of Scope'.

    Benefits of a collaborative and integrated operations program

    Effective security operations management will help you do the following:

    • Improve efficacy
      Develop structured processes to automate activities and increase process consistency across the security program. Expose operational weak points and transition teams from firefighting to an innovator role.
    • Improve threat protection
      Enhance network controls through the hardening of perimeter defenses, an intelligence-driven analysis process, and a streamlined incident remediation process.
    • Improve visibility and information sharing
      Promote both internal and external information sharing to enable good decision making.
    • Create and clarify accountability and responsibility
      Security operations management practices will set a clear level of accountability throughout the security program and ensure role responsibility for all tasks and processes involved in service delivery.
    • Control security costs
      Security operations management is concerned with delivering promised services in the most efficient way possible. Good security operations management practices will provide insight into current costs across the organization and present opportunities for cost savings.
    • Identify opportunities for continuous improvement
      Increased visibility into current performance levels and the ability to accurately identify opportunities for continuous improvement.

    Impact

    Short term:

    • Streamlined security operations program development process.
    • Completed comprehensive list of operational gaps and initiatives.
    • Formalized and structured implementation process.
    • Standardized operational use cases that predefine necessary operational protocol.

    Long term:

    • Enhanced visibility into immediate threat environment.
    • Improved effectiveness of internal defensive controls.
    • Increased operational collaboration between prevention, detection, analysis, and response efforts.
    • Enhanced security pressure posture.
    • Improved communication with executives about relevant security risks to the business.

    Understand the cost of not having a suitable security operations program

    A practical approach, justifying the value of security operations, is to identify the assets at risk and calculate the cost to the company should the information assets be compromised (i.e. assess the damage an attacker could do to the business).

    Cost Structure Cost Estimation ($) for SMB
    (Small and medium-sized business)
    Cost Estimation ($) for LE
    (Large enterprise)
    Security controls Technology investment: software, hardware, facility, maintenance, etc.
    Cost of process implementation: incident response, CMBD, problem management, etc.
    Cost of resource: salary, training, recruiting, etc.
    $0-300K/year $200K-2M/year
    Security incidents
    (if no security control is in place)
    Explicit cost:
    1. Incident response cost:
      • Remediation costs
      • Productivity: (number of employees impacted) × (hours out) × (burdened hourly rate)
      • Extra professional services
      • Equipment rental, travel expenses, etc.
      • Compliance fine
      • Cost of notifying clients
    2. Revenue loss: direct loss, the impact of permanent loss of data, lost future revenues
    3. Financial performance: credit rating, stock price
      Hidden cost:
      • Reputation, customer loyalty, etc.
    $15K-650K/year $270K-11M/year

    Workshop Overview

    Contact your account representative or email Workshops@InfoTech.com for more information.

    Workshop Day 1 Workshop Day 2 Workshop Day 3 Workshop Day 4 Workshop Day 5
    Activities
    • Kick-off and introductions.
    • High-level overview of weekly activities and outcomes.
    • Activity: Define workshop objectives and current state of knowledge.
    • Understand the threat collaboration environment.
    • Understand the benefits of an optimized security operations.
    • Activity: Review preliminary maturity level.
    • Activity: Assess current people, processes, and technology capabilities.
    • Activity: Assess workflow capabilities.
    • Activity: Begin deep-dive into maturity assessment tool.
    • Discuss strategies to enhance the analysis process (ticketing, automation, visualization, use cases, etc.).
    • Activity: Design ideal target state.
    • Activity: Identify security gaps.
    • Build initiatives to bridge the gaps.
    • Activity: Estimate the resources needed.
    • Activity: Prioritize gap initiatives.
    • Activity: Develop dashboarding and visualization metrics.
    • Activity: Plan for a transition with the security roadmap and action plan.
    • Activity: Define and assign tier 1, 2 & 3 SOC roles and responsibilities.
    • Activity: Assign roles and responsibilities for each security operations initiative.
    • Activity: Develop a comprehensive measurement program.
    • Activity: Develop specific runbooks for your top-priority incidents (e.g. ransomware).
      • Detect the incident.
      • Analyze the incident.
      • Contain the incident.
      • Eradicate the root cause.
      • Recover from the incident.
      • Conduct post-incident analysis and communication.
    • Activity:Conduct attack campaign simulation.
    • Finalize main deliverables.
    • Schedule feedback call.
    Deliverables
    1. Security Operations Maturity Assessment Tool
    1. Target State and Gap Analysis (Security Operations Maturity Assessment Tool)
    1. Security Operations Role & Process Design
    2. Security Operations RACI Chart
    3. Security Operations Metrics Summary
    4. Security Operations Phishing Process Runbook
    5. Attack Campaign Simulation PowerPoint

    All Final Deliverables

    Develop a Security Operations Strategy

    PHASE 1

    Assess Operational Requirements

    1

    Assess Operational Requirements

    2

    Develop Maturity Initiatives

    3

    Define Interdependencies

    This step will walk you through the following activities:

    • Determine why you need a sound security operations program.
    • Understand Info-Tech’s threat collaboration environment.
    • Evaluate your current security operation’s functions and capabilities.

    Outcomes of this step

    • A defined scope and motive for completing this project.
    • Insight into your current security operations capabilities.
    • A prioritized list of security operations initiatives based on maturity level.

    Info-Tech Insight

    Security operations is no longer a center, but a process. The need for a physical security hub has evolved into the virtual fusion of prevention, detection, analysis, and response efforts. When all four functions operate as a unified process, your organization will be able to proactively combat changes in the threat landscape.

    Warm-up exercise: Why build a security operations program?

    Estimated time to completion: 30 minutes

    Discussion: Why are we pursuing this project?

    What are the objectives for optimizing and developing sound security operations?

    Stakeholders Required:

    • Key business executives
    • IT leaders
    • Security operations team members

    Resources Required

    • Sticky notes
    • Whiteboard
    • Dry-erase markers
    1. Briefly define the scope of security operations
      What people, processes, and technology fall within the security operations umbrella?
    2. Brainstorm the implications of not acting
      What does the status quo have in store? What are the potential risks?
    3. Define the goals of the project
      Clarify from the outset: what exactly do you want to accomplish from this project?
    4. Prioritize all brainstormed goals
      Classify the goals based on relevant prioritization criteria, e.g. urgency, impact, cost.

    Info-Tech Best Practice

    Don’t develop a security operations program with the objective of zero incidents. This reliance on prevention results in over-engineered security solutions that cost more than the assets being protected.

    Decentralizing the SOC: Security as a function

    Before you begin, remember that no two security operation programs are the same. While the end goal may be similar, the threat landscape, risk tolerance, and organizational requirements will differ from any other SOC. Determine what your DNA looks like before you begin to protect it.

    Security operations must provide several fundamental functions:
    • Real-time monitoring, detecting, and triaging of data from both internal and external sources.
    • In-depth analysis of indicators and incidents, leveraging malware analysis, correlation and rule tweaking, and forensics and eDiscovery techniques.
    • Network/host scanning and vulnerability patch management.
    • Incident response, remediation, and reporting. Security operations must disseminate appropriate information/intelligence to relevant stakeholders.
    • Comprehensive logging and ticketing capabilities that document and communicate events throughout the threat collaboration environment.
    • Tuning and tweaking of technologies to ingest collected data and enhance the analysis process.
    • Enhance overall organizational situational awareness by reporting on security trends, escalating incidents, and sharing adversary tools, tactics, and procedures.
    Venn diagram of 'Security Operations' with four intersecting circles: 'Prevent', 'Detect', 'Analyze', and 'Respond'.
    At its core, a security operations program is responsible for the prevention, detection, analysis, and response of security events.

    Optimized security operations can seamlessly integrate threat and incident management processes with monitoring and compliance workflows and resources. This integration unlocks efficiency.

    Understand the levels of security operations

    Take the time to map out what you need and where you should go. Security operations has to be more than just monitoring events – there must be a structured program.

    Foundational Arrow with a plus sign pointing right. Operational Arrow with a plus sign pointing right. Strategic
    • Intrusion Detection Management
    • Active Device and Event Monitoring
    • Log Collection and Retention
    • Reporting and Escalation Management
    • Incident Management
    • Audit Compliance
    • Vendor Management
    • Ticketing Processes
    • Packet Capture and Analysis
    • SIEM
    • Firewall
    • Antivirus
    • Patch Management
    • Event Analysis and Incident Triage
    • Security Log Management
    • Vulnerability Management
    • Host Hardening
    • Static Malware Analysis
    • Identity and Access Management
    • Change Management
    • Endpoint Management
    • Business Continuity Management
    • Encryption Management
    • Cloud Security (if applicable)
    • SIEM with Defined Use Cases
    • Big Data Security Analytics
    • Threat Intelligence
    • Network Flow Analysis
    • VPN Anomaly Detection
    • Dynamic Malware Analysis
    • Use-Case Management
    • Feedback and Continuous Improvement Management
    • Visualization and Dashboarding
    • Knowledge Portal Ticket Documentation
    • Advanced Threat Hunting
    • Control and Process Automation
    • eDiscovery and Forensics
    • Risk Management
    ——Security Operations Capabilities—–›

    Understand security operations: Establish a unified threat collaboration environment

    Stock image 1.

    Design and Implement a Vulnerability Management Program

    Security operations is part of what Info-Tech calls a threat collaboration environment, where members must actively collaborate to address threats impacting the organization’s brand, operations, and technology infrastructure.
    • Managing incident escalation and response.
    • Coordinating root-cause analysis and incident gathering.
    • Facilitating post-incident lessons learned.
    • Managing system patching and risk acceptance.
    • Conducting vulnerability assessment and penetration testing.
    • Monitoring in real-time and triaging of events.
    • Escalating events to incident management team.
    • Tuning and tweaking rules and reporting thresholds.
    • Gathering and analyzing external threat data.
    • Liaising with peers, industry, and government.
    • Publishing threat alerts, reports, and briefings.

    Info-Tech Best Practice

    Ensure that information flows freely throughout the threat collaboration environment – each function should serve to feed and enhance the next.

    Stock image 2.

    Integrate Threat Intelligence Into Your Security Operations

    Stock image 3.

    Develop Foundational Security Operations Processes

    Stock image 4.

    Develop and Implement a Security Incident Management Program

    The threat collaboration environment is comprised of three core elements

    Info-Tech Insight

    The value of a SOC can be achieved with fewer prerequisites than you think. While it is difficult to cut back on process and technology requirements, human capital is transferrable between roles and functions and can be cross-trained to satisfy operational gaps.

    Three hexes fitting together with the words 'People', 'Process', and 'Technology'. People. Effective human capital is fundamental to establishing an efficient security operations program, and if enabled correctly, can be the driving factor behind successful process optimization. Ensure you address several critical human capital components:
    • Who is responsible for each respective threat collaboration environment function?
    • What are the required operational roles, responsibilities, and competencies for each employee?
    • Are there formalized training procedures to onboard new employees?
    • Is there an established knowledge transfer and management program?
    Processes. Formal and informal mechanisms that bridge security throughout the collaboration environment and organization at large. Ask yourself:
    • Are there defined runbooks that clearly outline critical operational procedures and guidelines?
    • Is there a defined escalation protocol to transfer knowledge and share threats internally?
    • Is there a defined reporting procedure to share intelligence externally?
    • Are there formal and accessible policies for each respective security operations function?
    • Is there a defined measurement program to report on the performance of security operations?
    • Is there a continuous improvement program in place for all security operations functions?
    • Is there a defined operational vendor management program?
    Technology. The composition of all infrastructure, systems, controls, and tools that enable processes and people to operate and collaborate more efficiently. Determine:
    • Are the appropriate controls implemented to effectively prevent, detect, analyze, and remediate threats? Is each control documented with an assigned asset owner?
    • Can a solution integrate with existing controls? If so, to what extent?
    • Is there a centralized log aggregation tool such as a SIEM?
    • What is the operational cost to effectively manage each control?
    • Is the control the most up-to-date version? Have the most recent patches and configuration changes been applied? Can it be consolidated with or replaced by another control?

    Conduct a preliminary maturity assessment before tackling this project

    Stock image 1.

    Design and Implement a Vulnerability Management Program

    Sample of Info-Tech's Security Operations Preliminary Maturity Assessment

    At a high level, assess your organization’s operational maturity in each of the threat collaboration environment functions. Determine whether the foundational processes exist in order to mature and streamline your security operations.

    Stock image 2.

    Integrate Threat Intelligence Into Your Security Operations

    Stock image 3.

    Develop Foundational Security Operations Processes

    Stock image 4.

    Develop and Implement a Security Incident Management Program

    Assess the current maturity of your security operations program

    Prioritize the component most important to the development of your security operations program.

    Screenshot of a table from the Security Operations Preliminary Maturity Assessment presenting the 'Impact Sub-Weightings' of 'People', 'Process', 'Technology', and 'Policy'.
    Screenshot of a table from the Security Operations Preliminary Maturity Assessment assessing the 'Current State' and 'Target State' of different 'Security Capabilities'.
    Each “security capability” covers a component of the overarching “security function.” Assign a current and target maturity score to each respective security capability. (Note: The CMMI maturity scores are further explained on the following slide.) Document any/all comments for future Info-Tech analyst discussions.

    Assign each security capability a reflective and desired maturity score.

    Your current and target state maturity will be determined using the capability maturity model integration (CMMI) scale. Ensure that all participants understand the 1-5 scale.
    Two-way vertical arrow colored blue at the top and green at the bottom. Ad Hoc
    1 Arrow pointing right. Initial/Ad Hoc: Activity is not well defined and is ad hoc, e.g. no formal roles or responsibilities exist, de facto standards are followed on an individual-by-individual basis.
    2 Arrow pointing right. Developing: Activity is established and there is moderate adherence to its execution, e.g. while no formal policies have been documented, content management is occurring implicitly or on an individual-by-individual basis.
    3 Arrow pointing right. Defined: Activity is formally established, documented, repeatable, and integrated with other phases of the process, e.g. roles and responsibilities have been defined and documented in an accessible policy, however, metrics are not actively monitored and managed.
    4 Arrow pointing right. Managed and Measurable: Activity execution is tracked by gathering qualitative and quantitative feedback, e.g. metrics have been established to monitor the effectiveness of tier-1 SOC analysts.
    5 Arrow pointing right. Optimized: Qualitative and quantitative feedback is used to continually improve the execution of the activity, e.g. the organization is an industry leader in the respective field; research and development efforts are allocated in order to continuously explore more efficient methods of accomplishing the task at hand.
    Optimized

    Notes: Info-Tech seldom sees a client achieve a CMMI score of 4 or 5. To achieve a state of optimization there must be a subsequent trade-off elsewhere. As such, we recommend that organizations strive for a CMMI score of 3 or 4.

    Ensure that your threat collaboration environment is of a sufficient maturity before progressing

    Example report card from the maturity assessment. Functions are color-coded green, yellow, and red. Review the report cards for each of the respective threat collaboration environment functions.
    • A green function indicates that you have exceeded the operational requirements to proceed with the security operations initiative.
    • A yellow function indicates that your maturity score is below the recommended threshold; Info-Tech advises revisiting the attached blueprint. In the instance of a one-off case, the client can proceed with this security operations initiative.
    • A red function indicates that your maturity score is well below the recommended threshold; Info-Tech strongly advises to not proceed with the security operations initiative. Revisit the recommended blueprint and further mature the specific function.

    Are you ready to move on to the next phase?

    Self-Assessment Questions

    • Have you clearly defined the rationale for refining your security operations program?
    • Have you clearly defined and prioritized the goals and outcomes of optimizing your security operations program?
    • Have you assessed your respective people, process, and technological capabilities?
    • Have you completed the Security Operations Preliminary Maturity Assessment Tool?
    • Were all threat collaboration environment functions of a sufficient maturity level?

    If you answered “yes” to the questions, then you are ready to move on to Phase 2: Develop Maturity Initiatives

    Develop a Security Operations Strategy

    PHASE 2

    Develop Maturity Initiatives

    1

    Assess Operational Requirements

    2

    Develop Maturity Initiatives

    3

    Define Interdependencies

    This step will walk you through the following activities:

    • Establish your goals, obligations, scope, and boundaries.
    • Assess your current state and define a target state.
    • Develop and prioritize gap initiatives.
    • Define cost, effort, alignment, and security benefit of each initiative.
    • Develop a security strategy operational roadmap.

    Outcomes of this step

    • A formalized understanding of your business, customer, and regulatory obligations.
    • A comprehensive current and target state assessment.
    • A succinct and consolidated list of gap initiatives that will collectively achieve your target state.
    • A formally documented set of estimated priority variables (cost, effort, business alignment).
    • A fully prioritized security roadmap that is in alignment with business goals and informed by the organization’s needs and limitations.

    Info-Tech Insight

    Functional threat intelligence is a prerequisite for effective security operations – without it, security operations will be inefficient and redundant. Eliminate false positives by contextualizing threat data, aligning intelligence with business objectives, and building processes to satisfy those objectives

    Align your security operations program with corporate goals and obligations

    A common challenge for security leaders is learning to express their initiatives in terms that are meaningful to business executives.

    Frame the importance of your security operations program to
    align with that of the decision makers’ over-arching strategy.

    Oftentimes resourcing and funding is dependent on the
    alignment of security initiatives to business objectives.

    Corporate goals and objectives can be categorized into three major buckets:
    1. BUSINESS OBLIGATIONS
      The primary goals and functions of the organization at large. Examples include customer retention, growth, innovation, customer experience, etc.
    2. CONSUMER OBLIGATIONS
      The needs and demands of internal and external stakeholders. Examples include ease of use (external), data protection (external), offsite access (internal), etc.
    3. COMPLIANCE OBLIGATIONS
      The requirements of the organization to comply with mandatory and/or voluntary standards. Examples include HIPAA, PIPEDA, ISO 27001, etc.
    *Do not approach the above list with a security mindset – take a business perspective and align your security efforts accordingly.

    Info-Tech Best Practice

    Developing a security operations strategy is a proactive activity that enables you to get in front of any upcoming business projects or industry trends rather than having to respond reactively later on. Consider as many foreseeable variables as possible!

    Determine your security operations program scope and boundaries

    It is important to define all security-related areas of responsibility. Upon completion you should clearly understand what you are trying to secure.

    Ask yourself:
    Where does the onus of responsibility stop?

    The organizational scope and boundaries and can be categorized into four major buckets:
    1. PHYSICAL SCOPE
      The physical locations that the security operations program is responsible for. Examples include office locations, remote access, clients/vendors, etc.
    2. IT SYSTEMS
      The network systems that must be protected by the security operations program. Examples include fully owned systems, IaaS, PaaS, remotely hosted SaaS, etc.
    3. ORGANIZATIONAL SCOPE
      The business units, departments, or divisions that will be affected by the security operations program. Examples include user groups, departments, subsidiaries, etc.
    4. DATA SCOPE
      The data types that the business handles and the privacy/criticality level of each. Examples include top secret, confidential, private, public, etc.

    This also includes what is not within scope. For some outsourced services or locations you may not be responsible for security. For some business departments you may not have control of security processes. Ensure that it is made explicit at the outset, what will be included and what will be excluded from security considerations.

    Reference Info-Tech’s security strategy: goals, obligations, and scope activities

    Explicitly understanding how security aligns with the core business mission is critical for having a strategic plan and fulfilling the role of business enabler.

    Download and complete the information security goals, obligations and scope activities (Section 1.3) within the Info-Tech security strategy research publication. If previously completed, take the time to review your results.

    GOALS and OBLIGATIONS
    Proceed through each slide and brainstorm the ways that security operations supports business, customer, and compliance needs.

    Goals & Obligations
    Screenshots of slides from the information security goals, obligations and scope activities (Section 1.3) within the Info-Tech security strategy research publication.

    PROGRAM SCOPE & BOUNDARIES
    Assess your current organizational environment. Document current IT systems, critical data, physical environments, and departmental divisions.

    If a well-defined corporate strategy does not exist, these questions can help pinpoint objectives:

    • What is the message being delivered by the CEO?
    • What are the main themes of investments and projects?
    • What are the senior leaders measured on?
    Program Scope & Boundaries
    Screenshots of slides from the information security goals, obligations and scope activities (Section 1.3) within the Info-Tech security strategy research publication.

    INFO-TECH OPPORTUNITY

    For more information on how to complete the goals & obligations activity please reference Section 1.3 of Info-Tech’s Build an Information Security Strategy blueprint.

    Complete the Information Security Requirements Gathering Tool

    On tab 1. Goals and Obligations:
    • Document all business, customer, and compliance obligations. Ensure that each item is reflective of the over-arching business strategy and is not security focused.
    • In the second column, identify the corresponding security initiative that supports the obligation.
    Screenshot from tab 1 of Info-Tech's Information Security Requirements Gathering Tool. Columns are 'Business obligations', 'Security obligations to support the business (optional)', and 'Notes'.
    On tab 2. Scope and Boundaries:
    • Record all details for what is in and out of scope from physical, IT, organizational, and data perspectives.
    • Complete the affiliated columns for a comprehensive scope assessment.
    • As a discussion guide, refer to the considerations slides prior to this in phase 1.3.
    Screenshot from tab 2 of Info-Tech's Information Security Requirements Gathering Tool. Title is 'Physical Scope', Columns are 'Environment Name', 'Highest data criticality here', 'Is this in scope of the security strategy?', 'Are we accountable for security here?', and 'Notes'.
    For the purpose of this security operations initiative please IGNORE the risk tolerance activities on tab 3.

    Info-Tech Best Practice

    A common challenge for security leaders is expressing their initiatives in terms that are meaningful to business executives. This exercise helps make explicit the link between what the business cares about and what security is trying to do.

    Conduct a comprehensive security operations maturity assessment

    The following slides will walk you through the process below.

    Define your current and target state

    Self-assess your current security operations capabilities and determine your intended state.

    Create your gap initiatives

    Determine the operational processes that must be completed in order to achieve the target state.

    Prioritize your initiatives

    Define your prioritization criteria (cost, effort, alignment, security benefit) based on your organization

    Build a Gantt chart for your upcoming initiatives
    The final output will be a Gantt to action your prioritized initiatives

    Info-Tech Insight

    Progressive improvements provide the most value to IT and your organization. Leaping from pre-foundation to complete optimization is an ineffective goal. Systematic improvements to your security performance delivers value to your organization, each step along the way.

    Optimize your security operations workflow

    Info-Tech consulted various industry experts and consolidated their optimization advice.

    Dashboards: Centralized visibility, threat analytics, and orchestration enable faster threat detection with fewer resources.

    Adding more controls to a network never increases resiliency. Identify technological overlaps and eliminate unnecessary costs.

    Automation: There is shortfall in human capital in contrast to the required tools and processes. Automate the more trivial processes.

    SOCs with 900 employees are just as efficient as those with 35-40. There is an evident tipping point in marginal value.

    There are no plug-and-play technological solutions – each is accompanied by a growing pain and an affiliated human capital cost.

    Planning: Narrow the scope of operations to focus on protecting assets of value.

    Cross-train employees throughout different silos. Enable them to wear multiple hats.

    Practice: None of the processes happen in a vacuum. Make the most of tabletop exercises and other training exercises.

    Define appropriate use cases and explicitly state threat escalation protocol. Focus on automating the tier-1 analyst role.

    Self-assess your current-state capabilities and determine the appropriate target state

    1. Review:
    The heading in blue is the security domain, light blue is the subdomain and white is the specific control.
    2. Determine and Record:
    Ask participants to identify your organization’s current maturity level for each control. Next, determine a target maturity level that meets the requirements of the area (requirements should reflect the goals and obligations defined earlier).
    3.
    In small groups, have participants answer “what is required to achieve the target state?” Not all current/target state gaps will require additional description, explanation, or an associated imitative. You can generate one initiative that may apply to multiple line items.

    Screenshot of a table for assessing the current and target states of capabilities.

    Info-Tech Best Practice

    When customizing your gap initiatives consider your organizational requirements and scope while remaining realistic. Below is an example of lofty vs. realistic initiatives:
    Lofty: Perform thorough, manual security analysis. Realistic: Leverage our SIEM platform to perform more automated security analysis through the use of log information.

    Consolidate related gap initiatives to simplify and streamline your roadmap

    Identify areas of commonality between gap initiative in order to effectively and efficiently implement your new initiatives.

    Steps:
    1. After reviewing and documenting initiatives for each security control, begin sorting controls by commonality, where resources can be shared, or similar end goals and actions. Begin by copying all initiatives from tab 2. Current State Assessment into tab 5. Initiative List of the Security Operations Maturity Assessment Tool and then consolidating them.
    2. Initiatives Consolidated Initiatives
      Document data classification and handling in AUP —› Document data classification and handling in AUP Keep urgent or exceptional initiatives separate so they can be addressed appropriately.
      Document removable media in AUP —› Define and document an Acceptable Use Policy Other similar or related initiatives can be consolidated into one item.
      Document BYOD and mobile devices in AUP —›
      Document company assets in Acceptable Use Policy (AUP) —›

    3. Review grouped initiatives and identify specific initiatives should be broken out and defined separately.
    4. Record your consolidated gap initiatives in the Security Operations Maturity Assessment Tool, tab 6. Initiative Prioritization.

    Understand your organizational maturity gap

    After inputting your current and target scores and defining your gap initiatives in tab 2, review tab 3. Current Maturity and tab 4. Maturity Gap in Info-Tech’s Security Operations Maturity Assessment Tool.

    Automatically built charts and tables provide a clear visualization of your current maturity.

    Presenting these figures to stakeholders and management can help visually draw attention to high-priority areas and contextualize the gap initiatives for which you will be seeking support.

    Screenshot of tabs 3 and 4 from Info-Tech's Security Operations Maturity Assessment Tool. Bar charts titled 'Planning and Direction', 'Vulnerability Management', 'Threat Intelligence', and 'Security Maturity Level Gap Analysis'.

    Info-Tech Best Practice

    Communicate the value of future security projects to stakeholders by copying relevant charts and tables into an executive stakeholder communication presentation (ask an Info-Tech representative for further information).

    Define cost, effort, alignment, and security benefit

    Define low, medium, and high resource allocation, and other variables for your gap initiatives in the Concept of Operations Maturity Assessment Tool. These variables include:
    1. Define initial cost. One-time, upfront capital investments. The low cut-off would be a project that can be approved with little to no oversight. Whereas the high cut-off would be a project that requires a major approval or a formal capital investment request. Initial cost covers items such as appliance cost, installation, project based consulting fees, etc.
    2. Define ongoing cost. This includes any annually recurring operating expenses that are new budgetary costs, e.g. licensing or rental costs. Do not account for FTE employee costs. Generally speaking you can take 20-25% of initial cost as ongoing cost for maintenance and service.
    3. Define initial staffing in hours. This is total time in hours required to complete a project. Note: It is not total elapsed time, but dedicated time. Consider time required to research, document, implement, review, set up, fine tune, etc. Consider all staff hours required (2 staff at 8 hours means 16 hours total).
    4. Define ongoing staffing in hours. This is the ongoing average hours per week required to support that initiative. This covers all operations, maintenance, review, and support for the initiative. Some initiatives will have a week time commitment (e.g. perform a vulnerability scan using our tool once a week) versus others that may have monthly, quarterly, or annual time commitments that need to averaged out per week (e.g. perform annual security review requiring 0.4 hours/week (20 hours total based on 50 working weeks per year).
    Table relating the four definitions on the left, 'Initial Cost', 'Ongoing Cost (annual)', 'Initial Staffing in Hours', and 'Ongoing Staffing in Hours/Week'. Each row header is a definition and has four sub-rows 'High', 'Medium', 'Low', and 'Zero'.

    Info-Tech Best Practice

    When considering these parameters, aim to use already existing resource allocations.

    For example, if there is a dollar value that would require you to seek approval for an expense, this might be the difference between a medium and a high cost category.

    Define cost, effort, alignment, and security benefit

    1. Define Alignment with Business. This variable is meant to capture how well the gap initiative aligns with organizational goals and objectives. For example, something with high alignment usually can be tied to a specific organization initiative and will receive senior management support. You can either:
      • Set low, medium, and high based on levels of support the organization will provide (e.g. High – senior management support, Medium – VP/business unit head support, IT support only)
      • Attribute specific corporate goals or initiatives to the gap initiative (e.g. High – directly supports a customer requirement/key contract requirement; Medium – indirectly support customer requirement/key contract OR enables remote workforce; Low – security best practice).
    2. Define Security Benefit. This variable is meant to capture the relative security benefit or risk reduction being provided by the gap initiative. This can be represented through a variety of factors, such as:
      • Reduces compliance or regulatory risk by meeting a control requirement
      • Reduces availability and operational risk
      • Implements a non-existent control
      • Secures high-criticality data
      • Secures at-risk end users
    Table relating the two definitions on the left, 'Alignment with Business', and 'Security Benefit'. Each row header is a definition and has three sub-rows 'High', 'Medium', and 'Low'.

    Info-Tech Best Practice

    Make sure you consider the value of AND/OR. For either alignment with business or security benefit, the use of AND/OR can become useful thresholds to rank similar importance but different value initiatives.

    Example: with alignment with business, an initiative can indirectly support a key compliance requirement OR meet a key corporate goal.

    Info-Tech Insight

    You cannot do everything – and you probably wouldn’t want to. Make educated decisions about which projects are most important and why.

    Apply your variable criteria to your initiatives

    Identify easy-win tasks and high-value projects worth fighting for.
    Categorize the Initiative
    Select the gap initiative type from the down list. Each category (Must, Should, Could, and Won’t) is considered to be an “execution wave.” There is also a specific order of operations within each wave. Based on dependencies and order of importance, you will execute on some “must-do” items before others.
    Assign Criteria
    For each gap initiative, evaluate it based on your previously defined parameters for each variable.
    • Cost – initial and ongoing
    • Staffing – initial and ongoing
    • Alignment with business
    • Security benefit
    Overall Cost/Effort Rating
    An automatically generated score between 0 and 12. The higher the score attached to the initiative, the more effort required. The must-do, low-scoring items are quick wins and must be prioritized first.
    Screenshot of a table from Info-Tech's Concept of Operations Maturity Assessment Tool with all of the previous table row headers as column headers.

    A financial services organization defined its target security state and created an execution plan

    CASE STUDY
    Industry: Financial Services | Source: Info-Tech Research Group
    Framework Components
    Security Domains & Accompanied Initiatives
    (A portion of completed domains and initiatives)
    CSC began by creating over 100 gap initiatives across Info-Tech’s seven security domains.
    Current-State Assessment Context & Leadership Compliance, Audit & Review Security Prevention
    Gap Initiatives Created 12
    Initiatives
    14
    Initiatives
    45
    Initiatives
    Gap Initiative Prioritization
    Planned Initiative(s)* Initial Cost Ongoing Cost Initial Staffing Ongoing Staffing
    Document Charter Low - ‹$5K Low - ‹$1K Low - ‹1d Low - ‹2 Hour
    Document RACI Low - ‹$5K Low - ‹$1K Low - ‹1d Low - ‹2 Hour
    Expand IR processes Medium - $5K-$50K Low - ‹$1K High - ›2w Low - ‹2 Hour
    Investigate Threat Intel Low - ‹$5K Low - ‹$1K Medium - 1-10d Low - ‹2 Hour
    CSC’s defined low, medium, and high for cost and staffing are specific to the organization.

    CSC then consolidated its initiatives to create less than 60 concise tasks.

    *Initiatives and variables have been changed or modified to maintain anonymity

    Review your prioritized security roadmap

    Review the final Gantt chart to review the expected start and end dates for your security initiatives as part of your roadmap.

    In the Gantt chart, go through each wave in sequence and determine the planned start date and planned duration for each gap initiative. As you populate the planned start dates, take into consideration the resource constraints or dependencies for each project. Go back and revise the granular execution wave to resolve any conflicts you find.

    Screenshot of a 'Gantt Chart for Initiatives', a table with planned and actual start times and durations for each initiative, and beside it a roadmap with the dates from the Gantt chart plugged in.
    Review considerations
    • Does this roadmap make sense for our organization?
    • Do we focus too much on one quarter over others?
    • Will the business be going through any significant changes during the upcoming years that will directly impact this project?
    This is a living management document
    • You can use the same process on a per-case basis to decide where this new project falls in the priority list, and then add it to your Gantt chart.
    • As you make progress, check items off of the list, and periodically use this chart to retroactively update your progress towards achieving your overall target state.

    Consult an Info-Tech Analyst

    To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
    Onsite workshops offer an easy way to accelerate your project. If a Guided Implementation isn’t enough, we offer low-cost onsite delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to successfully complete your project.
    Photo of TJ Minichillo, Senior Director – Security, Risk & Compliance, Info-Tech Research Group. TJ Minichillo
    Senior Director – Security, Risk & Compliance
    Info-Tech Research Group
    Edward Gray, Consulting Analyst – Security, Risk & Compliance, Info-Tech Research Group. Edward Gray
    Consulting Analyst – Security, Risk & Compliance
    Info-Tech Research Group
    Photo of Celine Gravelines, Research Manager – Security, Risk & Compliance, Info-Tech Research Group. Celine Gravelines
    Research Manager – Security, Risk & Compliance
    Info-Tech Research Group
    If you are not communicating, then you are not secure.

    Call 1-888-670-8889 or email workshops@infotech.com for more information.

    Are you ready to move on to the next phase?

    Self-Assessment Questions

    • Have you identified your organization’s corporate goals along with your obligations?
    • Have you defined the scope and boundaries of your security program?
    • Have you determined your organization’s risk tolerance level?
    • Have you considered threat types your organization may face?
    • Are the above answers documented in the Security Requirements Gathering Tool?
    • Have you defined your maturity for both your current and target state?
    • Do you have clearly defined initiatives that would bridge the gap between your current and target state?
    • Are each of the initiatives independent, specific, and relevant to the associated control?
    • Have you indicated any dependencies between your initiatives?
    • Have you consolidated your gap initiatives?
    • Have you defined the parameters for each of the prioritization variables (cost, effort, alignment, and security benefit)?
    • Have you applied prioritization parameters to each consolidated initiative?
    • Have you recorded your final prioritized roadmap in the Gantt chart tab?
    • Have you reviewed your final Gantt chart to ensure it aligns to your security requirements?

    If you answered “yes” to the questions, then you are ready to move on to Phase 3: Define Operational Interdependencies

    Develop a Security Operations Strategy

    PHASE 3

    Define Operational Interdependencies

    1

    Assess Operational Requirements

    2

    Develop Maturity Initiatives

    3

    Define Interdependencies

    This step will walk you through the following activities:

    • Understand the current security operations process flow.
    • Define the security operations stakeholders and their respective deliverables.
    • Formalize an internal information sharing and collaboration plan.

    Outcomes of this step

    • A formalized security operations interaction agreement.
    • A security operations service and product catalog.
    • A structured operations collection plan.

    Info-Tech Insight

    If you are not communicating, you are not secure. Collaboration eliminates siloed decisions by connecting people, processes, and technologies. You leave less room for error, consume fewer resources, and improve operational efficiency with a transparent security operations process.

    Tie everything together with collaboration

    If you are not communicating, you are not secure. Collaboration eliminates siloed decisions by connecting people, processes, and technologies. You leave less room for error, consume fewer resources, and improve operational efficiency with a transparent security operations process.

    Define Strategic Needs and Requirements Participate in Information Sharing Communicate Clearly
    • Establish a channel to communicate management needs and requirements and define important workflow activities. Focus on operationalizing those components.
    • Establish a feedback loop to ensure your actions satisfied management’s criteria.
    • Consolidate critical security data within a centralized portal that is accessible throughout the threat collaboration environment, reducing the human capital resources required to manage that data.
    • Participate in external information sharing groups such as ISACs. Intelligence collaboration allows organizations to band together to decrease risk and protect one another from threat actors.
    • Disseminate relevant information in clear and succinct alerts, reports, or briefings.
    • Security operations analysts must be able to translate important technical security issues and provide in-depth strategic insights.
    • Define your audience before presenting information; various stakeholders will interpret information differently. You must present it in a format that appeals to their interests.
    • Be transparent in your communications. Holding back information will only serve to alienate groups and hinder critical business decisions.

    Info-Tech Best Practice

    Simple collaborative activities, such as a biweekly meeting, can unite prevention, detection, analysis, and response teams to help prevent siloed decision making.

    Understand the security operations process flow

    Process standardization and automation is critical to the effectiveness of security operations.

    Process flow for security operations with column headers 'Monitoring', 'Preliminary Analysis (Tier 1)', 'Triage', 'Investigation & Analysis (Tier 2)', 'Response', and 'Advanced Threat Detection (Tier 3)'. All processes begin with elements in the 'Monitoring' column and end up at 'Visualization & Dashboarding'.

    Document your security operations’ capabilities and tasks

    Table of capabilities and tasks for security operations.
    Document your security operations’ functional capabilities and operational tasks to satisfy each capability. What resources will you leverage to complete the specific task/capability? Identify your internal and external collection sources to satisfy the individual requirement. Identify the affiliated product, service, or output generated from the task/capability. Determine your escalation protocol. Who are the stakeholders you will be sharing this information with?
    Capabilities

    The major responsibilities of a specific function. These are the high-level processes that are expected to be completed by the affiliated employees and/or stakeholders.

    Tasks

    The specific and granular tasks that need to be completed in order to satisfy a portion of or the entire capability.

    Download Info-Tech’s Security Operations RACI Chart & Program Plan.

    Convert your results into actionable process flowcharts

    Map each functional task or capability into a visual process-flow diagram.

    • The title should reflect the respective capability and product output.
    • List all involved stakeholders (inputs and threat escalation protocol) along the left side.
    • Ensure all relevant security control inputs are documented within the body of the process-flow diagram.
    • Map out the respective processes in order to achieve the desired outcome.
    • Segment each process within its own icon and tie that back to the respective input.
    Example of a process flow made with sticky notes.

    Title: Output #1 Example of a process flow diagram with columns 'Stakeholders', 'Input Processes', 'Output Processes', and 'Threat Escalation Protocol'. Processes are mapped by which stakeholder and column they fall to.

    Download Info-Tech’s Security Operations RACI Chart & Program Plan.

    Formalize the opportunities for collaboration within your security operations program

    Security Operations Collaboration Plan

    Security operations provides a single pane of glass through which the threat collaboration environment can manage its operations.

    How to customize

    The security operations interaction agreement identifies opportunities for optimization through collaboration and cross-training. The document is composed of several components:

    • Security operations program scope and objectives
    • Operational capabilities and outputs on a per function basis
    • A needs and requirements collection plan
    • Escalation protocol and respective information-sharing guidance (i.e. a detailed cadence schedule)
    • A security operations RACI chart
    Sample of Info-Tech's Security Operations Collaboration Plan.

    Info-Tech Best Practice

    Understand the operational cut-off points. While collaboration is encouraged, understand when the onus shifts to the rest of the threat collaboration environment.

    Assign responsibilities for the threat management process

    Security Operations RACI Chart & Program Plan

    Formally documenting roles and responsibilities helps to hold those accountable and creates awareness as to everyone’s involvement in various tasks.

    How to customize
    • Customize the header fields with applicable stakeholders.
    • Identify stakeholders that are:
      • Responsible: The person(s) who does the work to accomplish the activity; they have been tasked with completing the activity and/or getting a decision made.
      • Accountable: The person(s) who is accountable for the completion of the activity. Ideally, this is a single person and is often an executive or program sponsor.
      • Consulted: The person(s) who provides information. This is usually several people, typically called subject matter experts (SMEs).
      • Informed: The person(s) who is updated on progress. These are resources that are affected by the outcome of the activities and need to be kept up to date.
    Sample of Info-Tech's Security Operations Collaboration Plan.

    Download Info-Tech’s Security Operations RACI Chart & Program Plan.

    Identify security operations consumers and their respective needs and requirements

    Ensure your security operations program is constantly working toward satisfying a consumer need or requirement.

    Internal Consumers External Consumers
    • Business Executives & Management (CIO, CISO, COO):
      • Inform business decisions regarding threats and their association with future financial risk, reputational risk, and continuity of operations.
    • Human Resources:
      • Security operations must directly work with HR to enforce tight device controls, develop processes, and set expectations.
    • Legal:
      • Security operations is responsible to notify the legal department of data breaches and the appropriate course of action.
    • Audit and Compliance:
      • Work with the auditing department to define additional audits or controls that must be measured.
    • Public Relations/Marketing Employees:
      • Employees must be educated on prevalent threats and how to avoid or mitigate them.

    Note: Your organization might not be the final target, but it could be a primary path for attackers. If you exist as a third-party partner to another organization, your responsibility in your technology ecosystem extends beyond your own product or service offerings.

    • Third-Party Contractors:
      • Identify relevant threats across industries – security operations is responsible for protecting more than just itself.
    • Commercial Vendors:
      • Identify commercial vendors of control failures and opportunities for operational improvement.
    • Suppliers:
      • Provide or maintain a certain level of security delivery.
      • Meet the same level of security that is expected of business units.
    • All End Users:
      • Be notified of any data breaches and potential violations of privacy.

    Info-Tech Best Practice

    “In order to support a healthy constituency, network operations and security operations should be viewed as equal partners, rather than one subordinate to the other.” (Mitre world-class CISO)

    Define the stakeholders, their respective outputs, and the underlying need

    Security Operations Program Service & Product Catalog

    Create an informal security operations program service and product catalog. Work your way backwards – map each deliverable to the respective stakeholders and functions.

    Action/Output Arrow pointing right. Frequency Arrow pointing right. Stakeholders/Function
    Document the key services and outputs produced by the security operations program. For example:
    • Real-time monitoring
    • Event analysis and incident coordination
    • Malware analysis
    • External information sharing
    • Published alerts, reports, and briefings
    • Metrics
    Define the frequency for which each deliverable or service is produced or conducted. Leverage this activity to establish a state of accountability within your threat collaboration environment. Identify the stakeholders or groups affiliated with each output. Remember to include potential MSSPs.
    • Vulnerability Management
    • Threat Intelligence
    • Tier 1, 2, and 3 Analysts
    • Incident Response
    • MSSP
    • Network Operations
    Remember to include any target-state outputs or services identified in the maturity assessment. Use this exercise as an opportunity to organize your security operations outputs and services.

    Info-Tech Best Practice

    Develop a central web/knowledge portal that is easily accessible throughout the threat collaboration environment.

    Internal information sharing helps to focus operational efforts

    Organizations must share information internally and through secure external information sharing and analysis centers (ISACs).

    Ensure information is shared in a format that relates to the particular end user. Internal consumers fall into two categories:

    • Strategic Users — Intelligence enables strategic stakeholders to better understand security trends, minimize risk, and make more educated and informed decisions. The strategic intelligence user often lacks technical security knowledge; bridge the communication gap between security and non-technical decision makers by clearly communicating the underlying value and benefits.
    • Operational Users — Operational users integrate information and indicators directly into their daily operations and as a result have more in-depth knowledge of the technical terms. Reports help to identify escalated alerts that are part of a bigger campaign, provide attribution and context to attacks, identify systems that have been compromised, block malicious URLs or malware signatures in firewalls, IDPS systems, and other gateway products, identify patches, reduce the number of incidents, etc.
    Collaboration includes the exchange of:
    • Contextualized threat indicators, threat actors, TTPs, and campaigns.
    • Attribution of the attack, motives of the attacker, victim profiles, and frequent exploits.
    • Defensive and mitigation strategies.
    • Best-practice incident response procedures.
    • Technical tools to help normalize threat intelligence formats or decode malicious network traffic.
    Collaboration can be achieved through:
    • Manual unstructured exchanges such as alerts, reports, briefings, knowledge portals, or emails.
    • Automated centralized platforms that allow users to privately upload, aggregate, and vet threat intelligence. Current players include commercial, government, and open-source information-sharing and analysis centers.
    Isolation prevents businesses from learning from each others’ mistakes and/or successes.

    Define the routine of your security operations program in a detailed cadence schedule

    Security Operations Program Cadence Schedule Template

    Design your meetings around your security operations program’s outputs and capabilities

    How to customize

    Don’t operate in a silo. Formalize a cadence schedule to develop a state of accountability, share information across the organization, and discuss relevant trends. A detailed cadence schedule should include the following:

    • Activity, output, or topic being discussed.
    • Participants and stakeholders involved.
    • Value and purpose of meeting.
    • Duration and frequency of each meeting.
    • Investment per participant per meeting.
    Sample of Info-Tech's Security Operations Program Cadence Schedule Template.

    Info-Tech Best Practice

    Schedule regular meetings composed of key members from different working groups to discuss concerns, share goals, and communicate operational processes pertaining to their specific roles.

    Apply a strategic lens to your security operations program

    Frame the importance of optimizing the security operations program to align with that of the decision makers’ overarching strategy.

    Strategies
    1. Bridge the communication gap between security and non-technical decision makers. Communicate concisely in business-friendly terms.
    2. Quantify the ROI for the given project.
    3. Educate stakeholders – if stakeholders do not understand what a security operations program encompasses, it will be hard for them to champion the initiative.
    4. Communicate the implications, value, and benefits of a security operations program.
    5. Frame the opportunity as a competitive advantage, e.g. proactive security measures as a client acquisition strategy.
    6. Address the increasing prevalence of threat actors. Use objective data to demonstrate the impact, e.g. through case studies, recent media headlines, or statistics.

    Defensive Strategy diagram with columns 'Adversaries', 'Defenses', 'Assets', and priority level.
    (Source: iSIGHT, “ Definitive Guide to Threat Intelligence”)

    Info-Tech Best Practice

    Refrain from using scare tactics such as fear, uncertainty, and doubt (FUD). While this may be a short-term solution, it limits the longevity of your operations as senior management is not truly invested in the initiative.

    Example: Align your strategic needs with that of management.

    Identify assets of value, current weak security measures, and potential adversaries. Demonstrate how an optimized security operations program can mitigate those threats.

    Develop a comprehensive measurement program to evaluate the effectiveness of your security operations

    There are three types of metrics pertaining to security operations:

    1) Operations-focused

    Operations-focused metrics are typically communicated through a centralized visualization such as a dashboard. These metrics guide operational efforts, identifying operational and control weak points while ensuring the appropriate actions are taken to fix them.

    Examples include, but are not limited to:

    • Ticketing metrics (e.g. average ticket resolution rate, ticketing status, number of tickets per queue/analyst).
    • False positive percentage per control.
    • Incident response metrics (e.g. mean time to recovery).
    • CVSS scores per vulnerability.

    2) Business-focused

    The evaluation of operational success from a business perspective.

    Example metrics include:

    • Return on investment.
    • Total cost of ownership (can be segregated by function: prevent, detect, analyze, and respond).
    • Saved costs from mitigated breaches.
    • Security operations budget as a percentage of the IT budget.

    3) Initiative-focused

    The measurement of security operations project progress. These are frequently represented as time, resource, or cost-based metrics.

    Note: Remember to measure end-user feedback. Asking stakeholders about their current expectations via a formal survey is the most effective way to kick-start the continuous improvement process.

    Info-Tech Best Practice

    Operational metrics have limited value beyond security operations – when communicating to management, focus on metrics that are actionable from a business perspective.

    Download Info-Tech’s Security Operations Metrics Summary Document.Sample of Info-Tech's Security Operations Metrics Summary Document.

    Identify the triggers for continual improvement

    Continual Improvement

    • Audits: Check for performance requirements in order to pass major audits.
    • Assessments: Variances in efficiency or effectiveness of metrics when compared to the industry standard.
    • Process maturity: Opportunity to increase efficiency of services and processes.
    • Management reviews: Routine reviews that reveal gaps.
    • Technology advances: For example, new security architecture/controls have been released.
    • Regulations: Compliance to new or changed regulations.
    • New staff or technology: Disruptive technology or new skills that allow for improvement.

    Conduct tabletop exercises with Info-Tech’s onsite workshop

    Assess your security operations capabilities

    Leverage Info-Tech’s Security Operations Tabletop Exercise to guide simulations to validate your operational procedures.

    How to customize
    • Use the templates to document actions and actors.
    • For each new injection, spend three minutes discussing the response as a group. Then spend two minutes documenting each role’s contribution to the response. After the time limit, proceed to the following injection scenario.
    • Review the responses only after completing the entire exercise.
    Sample of Info-Tech's Security Operations Tabletop Exercise.

    This tabletop exercise is available through an onsite workshop as we can help establish and design a tabletop capability for your organization.

    Are you ready to implement your security operations program?

    Self-Assessment Questions

    • Is there a formalized security operations collaboration plan?
    • Are all key stakeholders documented and acknowledged?
    • Have you defined your strategic needs and requirements in a formalized collection plan?
    • Is there an established channel for management to communicate needs and requirements to the security operation leaders?
    • Are all program outputs documented and communicated?
    • Is there an accessible, centralized portal or dashboard that actively aggregates and communicates key information?
    • Is there a formalized threat escalation protocol in order to facilitate both internal and external information sharing?
    • Does your organization actively participate in external information sharing through the use of ISACs?
    • Does your organization actively produce reports, alerts, products, etc. that feed into and influence the output of other functions’ operations?
    • Have you assigned program responsibilities in a detailed RACI chart?
    • Is there a structured cadence schedule for key stakeholders to actively communicate and share information?
    • Have you developed a structured measurement program on a per function basis?
    • Now that you have constructed your ideal security operations program strategy, revisit the question “Are you answering all of your objectives?”

    If you answered “yes” to the questions, then you are ready to implement your security operations program.

    Summary

    Insights

    1. Security operations is no longer a center, but a process. The need for a physical security hub has evolved into the virtual fusion of prevention, detection, analysis, and response efforts. When all four functions operate as a unified process, your organization will be able to proactively combat changes in the threat landscape.
    2. Functional threat intelligence is a prerequisite for effective security operations – without it, security operations will be inefficient and redundant. Eliminate false positives by contextualizing threat data, aligning intelligence with business objectives, and building processes to satisfy those objectives
    3. If you are not communicating, then you are not secure. Collaboration eliminates siloed decisions by connecting people, processes, and technologies. You leave less room for error, consume fewer resources, and improve operational efficiency with a transparent security operations process.

    Best Practices

    • Have a structured plan of attack. Define your unique threat landscape, as well as business, regulatory, and consumer obligations.
    • Foster both internal and external collaboration.
    • Understand the operational cut-off points. While collaboration is encouraged, understand when the onus shifts to the rest of the threat collaboration environment.
    • Do not bite off more than you can chew. Identify current people, processes, and technologies that satisfy immediate problems and enable future expansion.
    • Leverage threat intelligence to create a predictive and proactive security operations analysis process.
    • Formalize escalation procedures with logic and incident management flow.
    • Don’t develop a security operations program with the objective of zero incidents. This reliance on prevention results in over-engineered security solutions that cost more than the assets being protected.
    • Ensure that information flows freely throughout the threat collaboration environment – each function should serve to feed and enhance the next.
    • Develop a central web/knowledge portal that is easily accessible throughout the threat collaboration environment
    Protect your organization with an interdependent and collaborative security operations program.

    Bibliography

    “2016 State of Cybersecurity in Small & Medium-Sized Businesses (SMB).” Ponemon Institute, June 2016. Web. 10 Nov. 2016.

    Ahmad, Shakeel et al. “10 Tips to Improve Your Security Incident Readiness and Response.” RSA, n.d. Web. 12 Nov. 2016.

    Anderson, Brandie. “ Building, Maturing & Rocking a Security Operations Center.” Hewlett Packard, n.d. Web. 4 Nov. 2016.

    Barnum, Sean. “Standardizing cyber threat intelligence information with the structured threat information expression.” STIX, n.d. Web. 03 Oct. 2016.

    Bidou, Renaud. “Security Operation Center Concepts & Implementation.” IV2-Technologies, n.d. Web. 20 Nov. 2016.

    Bradley, Susan. “Cyber threat intelligence summit.” SANS Institute InfoSec Reading Room, n.d. Web. 03 Oct. 2016.

    “Building a Security Operations Center.” DEF CON Communications, Inc., 2015. Web. 14 Nov. 2016.

    “Building a Successful Security Operations Center.” ArcSight, 2015. Web. 21 Nov. 2016.

    “Building an Intelligence-Driven Security Operations Center.” RSA, June 2014. Web. 25 Nov. 2016.

    Caltagirone, Sergio, Andrew Pendergast, and Christopher Betz. “Diamond Model of Intrusion Analysis,” Center for Cyber Threat Intelligence and Threat Research, 5 July 2013. Web. 25 Aug. 2016.

    “Cisco 2017 Annual Cybersecurity Report: Chief Security Officers Reveal True Cost of Breaches and the Actions Organizations Are Taking.” The Network. Cisco, 31 Jan. 2017. Web. 11 Nov. 2017.

    “CITP Training and Education.” Carnegie Mellon University, 2015. Web. 03 Oct. 2016.

    “Creating and Maintaining a SOC.” Intel Security, n.d. Web. 14 Nov. 2016.

    “Cyber Defense.” Mandiant, 2015. Web. 10 Nov. 2016.

    “Cyber Security Operations Center (CSOC).” Northrop Grumman, 2014. Web. 14 Nov. 2016.

    Danyliw, Roman. “Observations of Successful Cyber Security Operations.” Carnegie Mellon, 12 Dec. 2016. Web. 14 Dec. 2016.

    “Designing and Building Security Operations Center.” SearchSecurity. TechTarget, Mar. 2016. Web. 14 Dec. 2016.

    EY. “Managed SOC.” EY, 2015. Web. 14 Nov. 2016.

    Fishbach, Nicholas. “How to Build and Run a Security Operations Center.” Securite.org, n.d. Web. 20 Nov. 2016.

    “Framework for improving critical infrastructure cybersecurity.” National Institute of Standards and Technology, 12 Feb. 2014. Web.

    Friedman, John, and Mark Bouchard. “Definitive Guide to Cyber Threat Intelligence.” iSIGHT, 2015. Web. 1 June 2015.

    Goldfarb, Joshua. “The Security Operations Hierarchy of Needs.” Securityweek.com, 10 Sept. 2015. Web. 14 Dec. 2016.

    “How Collaboration Can Optimize Security Operations.” Intel, n.d. Web. 2 Nov. 2016.

    Hslatman. “Awesome threat intelligence.” GitHub, 16 Aug. 2016. Web. 03 Oct. 2016.

    “Implementation Framework – Collection Management.” Carnegie Mellon University, 2015. Web.

    “Implementation Framework – Cyber Threat Prioritization.” Carnegie Mellon University, 03 Oct. 2016. Web. 03 Oct. 2016.

    “Intelligent Security Operations Center.” IBM, 25 Feb. 2015. Web. 15 Nov. 2016.

    Joshi Follow , Abhishek. “Best Practices for Security Operations Center.” LinkedIn, 01 Nov. 2015. Web. 14 Nov. 2016.

    Joshi. “Best Practices for a Security Operations Center.” Cybrary, 18 Sept. 2015. Web. 14 Dec. 2016.

    Kelley, Diana and Ron Moritz. “Best Practices for Building a Security Operations Center.” Information Security Today, 2006. Web. 10 Nov. 2016.

    Killcrece, Georgia, Klaus-Peter Kossakowski, Robin Ruefle, and Mark Zajicek. ”Organizational Models for Computer Security Incident Response Teams (CSIRTs).” Carnegie Mellon Software Engineering Institute, Dec. 2003. Carnegie Mellon. Web. 10 Nov. 2016.

    Kindervag , John. “SOC 2.0: Three Key Steps toward the Next-generation Security Operations Center.” SearchSecurity. TechTarget, Dec. 2010. Web. 14 Dec. 2016.

    Kvochko, Elena. “Designing the Next Generation Cyber Security Operations Center.” Forbes Magazine, 14 Mar. 2016. Web. 14 Dec. 2016.

    Lambert, P. “ Security Operations Center: Not Just for Huge Enterprises.” TechRepublic, 31 Jan. 2013. Web. 10 Nov. 2016.

    Lecky, M. and D. Millier. “Re-Thinking Security Operations.” SecTor Security Education Conference. Toronto, 2014.

    Lee, Michael. “Three Elements That Every Advanced Security Operations Center Needs.” CSO | The Resource for Data Security Executives, n.d. Web. 16 Nov. 2016.

    Linch, David and Jason Bergstrom. “Building a Culture of Continuous Improvement in an Age of Disruption.” Deloitte LLP, 2014.

    Lynch, Steve. “Security Operations Center.” InfoSec Institute, 14 May 2015. Web. 14 Dec. 2016.

    Macgregor, Rob. “Diamonds or chains – cyber security updates.” PwC, n.d. Web. 03 Oct. 2016.

    “Make Your Security Operations Center (SOC) More Efficient.” Making Your Data Center Energy Efficient (2011): 213-48. Intel Security. Web. 20 Nov. 2016.

    Makryllos, Gordon. “The Six Pillars of Security Operations.” CSO | The Resource for Data Security Executives, n.d. Web. 14 Nov. 2016.

    Marchany, R. “ Building a Security Operations Center.” Virginia Tech, 2015. Web. 8 Nov. 2016.

    Marty, Raffael. “Dashboards in the Security Operations Center (SOC).” Security Bloggers Network, 15 Jan. 2016. Web. 14 Nov. 2016.

    Minu, Adolphus. “Discovering the Value of Knowledge Portal.” IBM, n.d. Web. 1 Nov. 2016.

    Muniz, J., G. McIntyre, and N. AlFardan. “Introduction to Security Operations and the SOC.” Security Operations Center: Building, Operating, and Maintaining your SOC. Cisco Press, 29 Oct. 2015. Web. 14 Nov. 2016.

    Muniz, Joseph and Gary McIntyre. “ Security Operations Center.” Cisco, Nov. 2015. Web. 14 Nov. 2016.

    Muniz, Joseph. “5 Steps to Building and Operating an Effective Security Operations Center (SOC).” Cisco, 15 Dec. 2015. Web. 14 Dec. 2016.

    Nathans, David. Designing and Building a Security Operations Center. Syngress, 2015. Print.

    National Institute of Standards and Technology. “SP 800-61 Revision 2: Computer Security Incident Handling Guide.” 2012. Web.

    National Institute of Standards and Technology. “SP 800-83 Revision 1.” 2013. Web.

    National Institute of Standards and Technology. “SP 800-86: Guide to Integrating Forensic Techniques into Incident Response.” 2006. Web.

    F5 Networks. “F5 Security Operations Center.” F5 Networks, 2014. Web. 10 Nov. 2016.

    “Next Generation Security Operations Center.” DTS Solution, n.d. Web. 20 Nov. 2016.

    “Optimizing Security Operations.” Intel, 2015. Web. 4 Nov. 2016.

    Paganini, Pierluigi. “What Is a SOC ( Security Operations Center)?” Security Affairs, 24 May 2016. Web. 14 Dec. 2016.

    Ponemon Institute LLC. “Cyber Security Incident Response: Are we as prepared as we think?” Ponemon, 2014. Web.

    Ponemon Institute LLC. “The Importance of Cyber Threat Intelligence to a Strong Security Posture.” Ponemon, Mar. 2015. Web. 17 Aug. 2016.

    Poputa-Clean, Paul. “Automated defense – using threat intelligence to augment.” SANS Institute InfoSec Reading Room, 15 Jan. 2015. Web.

    Quintagroup. “Knowledge Management Portal Solution.” Quintagroup, n.d. Web.

    Rasche, G. “Guidelines for Planning an Integrated Security Operations Center.” EPRI, Dec. 2013. Web. 25 Nov. 2016.

    Rehman, R. “What It Really Takes to Stand up a SOC.” Rafeeq Rehman – Personal Blog, 27 Aug. 2015. Web. 14 Dec. 2016.

    Rothke, Ben. “Designing and Building Security Operations Center.” RSA Conference, 2015. Web. 14 Nov. 2016.

    Ruks, Martyn and David Chismon. “Threat Intelligence: Collecting, Analysing, Evaluating.” MWR Infosecurity, 2015. Web. 24 Aug. 2016.

    Sadamatsu, Takayoshi. “Practice within Fujitsu of Security Operations Center.” Fujitsu, July 2016. Web. 15 Nov. 2016.

    Sanders, Chris. “Three Useful SOC Dashboards.” Chris Sanders, 24 Oct. 2016. Web. 14 Nov. 2016.

    SANS Institute. “Incident Handler's Handbook.” 2011. Web.

    Schilling, Jeff. “5 Pitfalls to Avoid When Running Your SOC.” Dark Reading, 18 Dec. 2014. Web. 14 Nov. 2016.

    Schinagl, Stef, Keith Schoon, and Ronald Paans. “A Framework for Designing a Security Operations Centre (SOC).” 2015 48th Hawaii International Conference on System Sciences. Computer.org, 2015. Web. 20 Nov. 2016.

    “Security – Next Gen SOC or SOF.” InfoSecAlways.com, 31 Dec. 2013. Web. 14 Nov. 2016.

    “Security Operations Center Dashboard.” Enterprise Dashboard Digest, n.d. Web. 14 Dec. 2016.

    “Security Operations Center Optimization Services.” AT&T, 2015. Web. 5 Nov. 2016.

    “Security Operations Centers — Helping You Get Ahead of Cybercrime Contents.” EY, 2014. Web. 6 Nov. 2016.

    Sheikh, Shah. “DTS Solution - Building a SOC (Security Operations Center).” LinkedIn, 4 May 2013. Web. 20 Nov. 2016.

    Soto, Carlos. “ Security Operations Center (SOC) 101.” Tom's IT Pro, 28 Oct. 2015. Web. 14 Dec. 2016.

    “Standardizing and Automating Security Operations.” National Institute of Standards and Technology, 3 Sept. 2006. Web.

    “Strategy Considerations for Building a Security Operations Center.” IBM, Dec. 2013. Web. 5 Nov. 2016.

    “Summary of Key Findings.” Carnegie Mellon University, 03 Oct. 2016. Web. 03 Oct. 2016.

    “Sustainable Security Operations.” Intel, 2016. Web. 20 Nov. 2016.

    “The Cost of Malware Containment.” Ponemon Institute, Jan. 2015. Web.

    “The Game Plan for Closing the SecOps Gap.” BMC. Forbes Magazine, Jan. 2016. Web. 10 Jan. 2017.

    Veerappa Srinivas, Babu. “Security Operations Centre (SOC) in a Utility Organization.” GIAC, 17 Sept. 2014. Web. 5 Nov. 2016.

    Wang, John. “Anatomy of a Security Operations Center.” NASA, 2015. Web. 2 Nov. 2016.

    Weiss, Errol. “Statement for the Record.” House Financial Services Committee, 1 June 2012. Web. 12 Nov. 2016.

    Wilson, Tim. “SOC 2.0: A Crystal-Ball Glimpse of the Next-Generation Security Operations Center.” Dark Reading, 22 Nov. 2010. Web. 10 Nov. 2016.

    Zimmerman, Carson. “Ten Strategies of a World-Class Cybersecurity Operations Center.” Mitre, 2014. Web. 24 Aug. 2016.

    Start Making Data-Driven People Decisions

    • Buy Link or Shortcode: {j2store}427|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Leadership Development Programs
    • Parent Category Link: /leadership-development-programs
    • Ninety-one percent of IT leaders believe that analytics is important for talent management but 59% use no workforce analytics at all, although those who use analytics are much more effective than those who don't.
    • The higher the level of analytics used, the higher the level of effectiveness of the department as a whole.

    Our Advice

    Critical Insight

    • You don't need advanced metrics and analytics to see a return on people data. Begin by getting a strong foundation in place and showing the ROI on a pilot project.
    • Complex analyses will never make up for inadequate data quality. Spend the time up front to audit and improve data quality if necessary, no matter which stage of analytics proficiency you are at.
    • Ensure you collect and analyze only data that is essential to your decision making. More is not better, and excess data can detract from the overall impact of analytics.

    Impact and Result

    • Build a small-scale foundational pilot, which will allow you to demonstrate feasibility, refine your costs estimate, and show the ROI on people analytics for your budgeting meeting.
    • Drive organizational change incrementally by identifying and communicating with the stakeholders for your people analytics pilot.
    • Choose basic analytics suitable for organizations of all sizes and understand the building blocks of data quality to support more further analytics down the line.

    Start Making Data-Driven People Decisions Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should strategically apply people analytics to your IT talent management.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Define the problem and apply the checklist

    From choosing the right data for the right problem to evaluating your progress toward data-driven people decisions, follow these steps to build your foundation to people analytics.

    • Start Making Data-Driven People Decisions – Phase 1: Define the Problem and Apply the Checklist
    • People Analytics Strategy Template
    • Talent Metrics Library
    [infographic]

    Architect Your Big Data Environment

    • Buy Link or Shortcode: {j2store}202|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Big Data
    • Parent Category Link: /big-data
    • Organizations may understand the transformative potential of a big data initiative, but they struggle to make the transition from the awareness of its importance to identifying a concrete use case for a pilot project.
    • The big data ecosystem is crowded and confusing, and a lack of understanding of it may cause paralysis for organizations.

    Our Advice

    Critical Insight

    • Don’t panic, and make use of the resources you already have. The skills, tools, and infrastructure for big data can break any budget quickly, but before making rash decisions, start with the resources you have in-house.
    • Big data as a service (BDaaS) is making big waves. BDaaS removes many of the hurdles associated with implementing a big data strategy and vastly lowers the barrier of entry.

    Impact and Result

    • Follow Info-Tech’s methodology for understanding the types of modern approaches to big data tools, and then determining which approach style makes the most sense for your organization.
    • Based on your big data use case, create a plan for getting started with big data tools that takes into account the backing of the use case, the organization’s priorities, and resourcing available.
    • Put a repeatable framework in place for creating a comprehensive big data tool environment that will help you decide on the necessary tools to help you realize the value from your big data use case and scale for the future.

    Architect Your Big Data Environment Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should find your optimal approach to big data tools, review Info-Tech’s methodology, and understand the ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Plant the foundations of your big data tool architecture

    Identify your big data use case and your current data-related capabilities.

    • Architect Your Big Data Environment – Phase 1: Plant the Foundations of Your Big Data Tool Architecture
    • Big Data Execution Plan Presentation
    • Big Data Architecture Planning Tool

    2. Weigh your big data architecture decision criteria

    Determine your capacity for big data tools, as well as the level of customizability and security needed for your solution to help justify your implementation style decision.

    • Architect Your Big Data Environment – Phase 2: Weigh Your Big Data Architecture Decision Criteria

    3. Determine your approach to implementing big data tools

    Analyze the three big data implementation styles, select your approach, and complete the execution plan for your big data initiative.

    • Architect Your Big Data Environment – Phase 3: Determine Your Approach To Implementing Big Data Tools
    [infographic]

    Maintain an Organized Portfolio

    • Buy Link or Shortcode: {j2store}432|cart{/j2store}
    • member rating overall impact: 9.0/10 Overall Impact
    • member rating average dollars saved: $3,059 Average $ Saved
    • member rating average days saved: 10 Average Days Saved
    • Parent Category Name: Portfolio Management
    • Parent Category Link: /portfolio-management
    • All too often, the portfolio of programs and projects looks more like a random heap than a strategically organized and balanced collection of investments that will drive the business forward.
    • Portfolio managers know that with the right kind of information and the right level of process maturity they can get better results through the portfolio; however, organizations often assume (falsely) that the required level of maturity is out of reach from their current state and perpetually delay improvements.

    Our Advice

    Critical Insight

    • The information needed to define clear and usable criteria for organizing the portfolio of programs and projects already exists. Portfolio managers only need to identify the sources of that information and institute processes for regularly reviewing that information in order to define those criteria.
    • Once a portfolio manager has a clear idea of the goals and constraints that shape what ought to be included (or removed) from the portfolio and once these have been translated into clear and usable portfolio criteria, basic portfolio management processes can be instituted to ensure that these criteria are used consistently throughout the various stages of the project lifecycle.
    • Portfolio management frameworks and processes do not need to be built from scratch. Well-known frameworks – such as the one outlined in COBIT 5 APO05 – can be instituted in a way that will allow even low-maturity organizations to start organizing their portfolio.
    • Organizations do not need to grow into portfolio management frameworks to get the benefits of an organized portfolio; instead, they can grow within such frameworks.

    Impact and Result

    • An organized portfolio will ensure that the projects and programs included in it are strategically aligned and can actually be executed within the finite constraints of budgetary and human resource capacity.
    • Portfolio managers are better empowered to make decisions about which projects should be included in the portfolio (and when) and are better empowered to make the very tough decisions about which projects should be removed from the portfolio (i.e. cancelled).
    • Building and maturing a portfolio management framework will more fully integrate the PMO into the broader IT management and governance frameworks, making it a more integral part of strategic decisions and a better business partner in the long run.

    Maintain an Organized Portfolio Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should maintain an organized portfolio of programs and projects, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Assess the current state of the portfolio and PPM processes

    Analyze the current mix of programs and projects in your portfolio and assess the maturity of your current PPM processes.

    • Maintain an Organized Portfolio – Phase 1: Assess the Current State of the Portfolio and PPM Processes
    • Project Portfolio Organizer
    • COBIT APO05 (Manage Portfolio) Alignment Workbook

    2. Enhance portfolio organization through improved PPM criteria and processes

    Enhance and optimize your portfolio management processes to ensure portfolio criteria are clearly defined and consistently applied across the project lifecycle when making decisions about which projects to include or remove from the portfolio.

    • Maintain an Organized Portfolio – Phase 2: Enhance Portfolio Organization Through Improved PPM Criteria and Processes
    • Portfolio Management Standard Operating Procedures

    3. Implement improved portfolio management practices

    Implement your portfolio management improvement initiatives to ensure long-term sustainable adoption of new PPM practices.

    • Maintain an Organized Portfolio – Phase 3: Implement Improved Portfolio Management Practices
    • Portfolio Management Improvement Roadmap Tool
    [infographic]

    Workshop: Maintain an Organized Portfolio

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Assess Portfolio Mix and Portfolio Process Current State

    The Purpose

    Analyze the current mix of the portfolio to determine how to better organize it according to organizational goals and constraints.

    Assess which PPM processes need to be enhanced to better organize the portfolio.

    Key Benefits Achieved

    An analysis of the existing portfolio of projects (highlighting areas of concern).

    An analysis of the maturity of current PPM processes and their ability to support the maintenance of an organized portfolio.

    Activities

    1.1 Pre-work: Prepare a complete project list.

    1.2 Define existing portfolio categories, criteria, and targets.

    1.3 Analyze the current portfolio mix.

    1.4 Identify areas of concern with current portfolio mix.

    1.5 Review the six COBIT sub-processes for portfolio management (APO05.01-06).

    1.6 Assess the degree to which these sub-processes have been currently achieved at the organization.

    1.7 Assess the degree to which portfolio-supporting IT governance and management processes exist.

    1.8 Perform a gap analysis.

    Outputs

    Analysis of the current portfolio mix

    Assessment of COBIT alignment and gap analysis.

    2 Define Portfolio Target Mix, Criteria, and Roadmap

    The Purpose

    Define clear and usable portfolio criteria.

    Record/design portfolio management processes that will support the consistent use of portfolio criteria at all stages of the project lifecycle.

    Key Benefits Achieved

    Clearly defined and usable portfolio criteria.

    A portfolio management framework that supports the consistent use of the portfolio criteria across all stages of the project lifecycle.

    Activities

    2.1 Identify determinants of the portfolio mix, criteria, and constraints.

    2.2 Define the target mix, portfolio criteria, and portfolio metrics.

    2.3 Identify sources of funding and resourcing.

    2.4 Review and record the portfolio criteria based upon the goals and constraints.

    2.5 Create a PPM improvement roadmap.

    Outputs

    Portfolio criteria

    Portfolio metrics for intake, monitoring, closure, termination, reprioritization, and benefits tracking

    Portfolio Management Improvement Roadmap

    3 Design Improved Portfolio Sub-Processes

    The Purpose

    Ensure that the portfolio criteria are used to guide decision making at each stage of the project lifecycle when making decisions about which projects to include or remove from the portfolio.

    Key Benefits Achieved

    Processes that support decision making based upon the portfolio criteria.

    Processes that ensure the portfolio remains consistently organized according to the portfolio criteria.

    Activities

    3.1 Ensure that the metrics used for each sub-process are based upon the standard portfolio criteria.

    3.2 Establish the roles, accountabilities, and responsibilities for each sub-process needing improvement.

    3.3 Outline the workflow for each sub-process needing improvement.

    Outputs

    A RACI chart for each sub-process

    A workflow for each sub-process

    4 Change Impact Analysis and Stakeholder Engagement Plan

    The Purpose

    Ensure that the portfolio management improvement initiatives are sustainably adopted in the long term.

    Key Benefits Achieved

    Stakeholder engagement.

    Sustainable long-term adoption of the improved portfolio management practices.

    Activities

    4.1 Conduct a change impact analysis.

    4.2 Create a stakeholder engagement plan.

    Outputs

    Change Impact Analysis

    Stakeholder Engagement Plan

    Completed Portfolio Management SOP

    Implement Lean Management Practices That Work

    • Buy Link or Shortcode: {j2store}116|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Performance Measurement
    • Parent Category Link: /performance-measurement
    • Service delivery teams do not measure, or have difficulty demonstrating, the value they provide.
    • There is a lack of continuous improvement.
    • There is low morale within the IT teams leading to low productivity.

    Our Advice

    Critical Insight

    • Create a problem-solving culture. Frequent problem solving is the differentiator between sustaining Lean or falling back to old management methods.
    • Commit to employee growth. Empower teams to problem solve and multiply your organizational effectiveness.

    Impact and Result

    • Apply Lean management principles to IT to create alignment and transparency and drive continuous improvement and customer value.
    • Implement huddles and visual management.
    • Build team capabilities.
    • Focus on customer value.
    • Use metrics and data to make better decisions.
    • Systematically solve problems and improve performance.
    • Develop an operating rhythm to promote adherence to Lean.

    Implement Lean Management Practices That Work Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out how a Lean management system can help you increase transparency, demonstrate value, engage your teams and customers, continuously improve, and create alignment.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Understand Lean concepts

    Understand what a Lean management system is, review Lean philosophies, and examine simple Lean tools and activities.

    • Implement Lean Management Practices That Work – Phase 1: Understand Lean Concepts
    • Lean Management Education Deck

    2. Determine the scope of your implementation

    Understand the implications of the scope of your Lean management program.

    • Implement Lean Management Practices That Work – Phase 2: Determine the Scope of Your Implementation
    • Lean Management Scoping Tool

    3. Design huddle board

    Examine the sections and content to include in your huddle board design.

    • Implement Lean Management Practices That Work – Phase 3: Design Huddle Board
    • Lean Management Huddle Board Template

    4. Design Leader Standard Work and operating rhythm

    Determine the actions required by leaders and the operating rhythm.

    • Implement Lean Management Practices That Work – Phase 4: Design Leader Standard Work and Operating Rhythm
    • Leader Standard Work Tracking Template
    [infographic]

    Workshop: Implement Lean Management Practices That Work

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Understand Lean Concepts

    The Purpose

    Understand Lean management.

    Key Benefits Achieved

    Gain a common understanding of Lean management, the Lean management thought model, Lean philosophies, huddles, visual management, team growth, and voice of customer.

    Activities

    1.1 Define Lean management in your organization.

    1.2 Create training materials.

    Outputs

    Lean management definition

    Customized training materials

    2 Understand Lean Concepts (Continued) and Determine Scope

    The Purpose

    Understand Lean management.

    Determine the scope of your program.

    Key Benefits Achieved

    Understand metrics and performance review.

    Understand problem identification and continuous improvement.

    Understand Kanban.

    Understand Leader Standard Work.

    Define the scope of the Lean management program.

    Activities

    2.1 Develop example operational metrics

    2.2 Simulate problem section.

    2.3 Simulate Kanban.

    2.4 Build scoping tool.

    Outputs

    Understand how to use operational metrics

    Understand problem identification

    Understand Kanban/daily tasks section

    Defined scope for your program

    3 Huddle Board Design and Huddle Facilitation Coaching

    The Purpose

    Design the sections and content for your huddle board.

    Key Benefits Achieved

    Initial huddle board design.

    Activities

    3.1 Design and build each section in your huddle board.

    3.2 Simulate coaching conversations.

    Outputs

    Initial huddle board design

    Understanding of how to conduct a huddle

    4 Design and Build Leader Standard Work

    The Purpose

    Design your Leader Standard Work activities.

    Develop a schedule for executing Leader Standard Work.

    Key Benefits Achieved

    Standard activities identified and documented.

    Sample schedule developed.

    Activities

    4.1 Identify standard activities for leaders.

    4.2 Develop a schedule for executing Leader Standard Work.

    Outputs

    Leader Standard Work activities documented

    Initial schedule for Leader Standard Work activities

    AI Trends 2023

    • Buy Link or Shortcode: {j2store}207|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Business Intelligence Strategy
    • Parent Category Link: /business-intelligence-strategy

    As AI technologies are constantly evolving, organizations are looking for AI trends and research developments to understand the future applications of AI in their industries.

    Our Advice

    Critical Insight

    • Understanding trends and the focus of current and future AI research helps to define how AI will drive an organization’s new strategic opportunities.
    • Understanding the potential application of AI and its promise can help plan the future investments in AI-powered technologies and systems.

    Impact and Result

    Understanding AI trends and developments enables an organization’s competitive advantage.

    AI Trends 2023 Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. AI Trends 2023 – An overview of trends that will continue to drive AI innovation.

    • AI Trends Report 2023
    [infographic]

    Further reading

    AI Trends Report 2023

    The eight trends:

    1. Design for AI
    2. Event-Based Insights
    3. Synthetic Data
    4. Edge AI
    5. AI in Science and Engineering
    6. AI Reasoning
    7. Digital Twin
    8. Combinatorial Optimization
    Challenges that slowed the adoption of AI

    To overcome the challenges, enterprises adopted different strategies

    Data Readiness

    • Lack of unified systems and unified data
    • Data quality issues
    • Lack of the right data required for machine learning
    • Improve data management capabilities, including data governance and data initiatives
    • Create data catalogs
    • Document data and information architecture
    • Solve data-related problems including data quality, privacy, and ethics

    ML Operations Capabilities

    • Lack of tools, technologies, and methodologies to operationalize models created by data scientists
    • Increase availability of cloud platforms, tools, and capabilities
    • Develop and grow machine learning operations (MLOps) tools, platforms, and methodologies to enable model operationalizing and monitoring in production

    Understanding of AI Role and Its Business Value

    • Lack of understanding of AI use cases – how AI/ML can be applied to solve specific business problems
    • Lack of understanding how to define the business value of AI investments
    • Identify AI C-suite toolkits (for example, Empowering AI Leadership from the World Economic Forum, 2022)
    • Document industry use cases
    • Use frameworks and tools to define business value for AI investments

    Design for AI

    Sustainable AI system design needs to consider several aspects: the business application of the system, data, software and hardware, governance, privacy, and security.

    It is important to define from the beginning how AI will be used by and for the application to clearly articulate business value, manage expectations, and set goals for the implementation.

    Design for AI will change how we store and manage data and how we approach the use of data for development and operation of AI systems.

    An AI system design approach should cover all stages of AI lifecycle, from design to maintenance. It should also support and enable iterative development of an AI system.

    To take advantage of different tools and technologies for AI system development, deployment, and monitoring, the design of an AI system should consider software and hardware needs and design for seamless and efficient integrations of all components of the system and with other existing systems within the enterprise.

    AI in Science and Engineering

    AI helps sequence genomes to identify variants in a person’s DNA that indicate genetic disorders. It allows researchers to model and calculate complicated physics processes, to forecast the genesis of the universe’s structure, and to understand planet ecosystem to help advance the climate research. AI drives advances in drug discovery and can assist with molecule synthesis and molecular property identification.

    AI finds application in all areas of science and engineering. The role of AI in science will grow and allow scientists to innovate faster.

    AI will further contribute to scientific understanding by assisting scientists in deriving new insights, generating new ideas and connections, generalizing scientific concepts, and transferring them between areas of scientific research.

    Using synthetic data and combining physical and machine learning models and other advances of AI/ML – such as graphs, use of unstructured data (language models), and computer vision – will accelerate the use of AI in science and engineering.

    Event- and Scenario-Driven AI

    AI-driven signal-gathering systems analyze a continuous stream of data to generate insights and predictions that enable strategic decision modeling and scenario planning by providing understanding of how and what areas of business might be impacted by certain events.

    AI enables the scenario-based approach to drive insights through pattern identification in addition to familiar pattern recognition, helping to understand how events are related.

    A system with anticipatory capabilities requires an event-driven architecture that enables gathering and analyzing different types of data (text, video, images) across multiple channels (social media, transactional systems, news feeds, etc.) for event-driven and event-sequencing modeling.

    ML simulation-based training of the model using advanced techniques under the umbrella of Reinforcement Learning in conjunction with statistically robust Bayesian probabilistic framework will aid in setting up future trends in AI.

    AI Reasoning

    Most of the applications of machine learning and AI today is about predicting future behaviors based on historical data and past behaviors. We can predict what product the customer would most likely buy or the price of a house when it goes on sale.

    Most of the current algorithms use the correlation between different parameters to make a prediction, for example, the correlation between the event and the outcome can look like “When X occurs, we can predict that Y will occur.” This, however, does not translate into “Y occurred because of X.”

    The development of a causal AI that uses causal inference to reason and identify the root cause and the causal relationships between variables without mistaking correlation and causation is still in its early stages but rapidly evolving.

    Some of the algorithms that the researchers are working with are casual graph models and algorithms that are at the intersection of causal inference with decision making and reinforcement learning (Causal Artificial Intelligence Lab, 2022).

    Synthetic Data

    Synthetic data is artificially generated data that mimics the structure of real-life data. It should also have the same mathematical and statistical properties as the real-world data that it is created to replicate.

    Synthetic data is used to train machine learning models when there is not enough real data or the existing data does not meet specific needs. It allows users to remove contextual bias from data sets containing personal data, prevent privacy concerns, and ensure compliance with privacy laws and regulations.

    Another application of synthetic data is solving data-sharing challenges.

    Researchers learned that quite often synthetic data sets outperform real-world data. Recently, a team of researchers at MIT built a synthetic data set of 150,000 video clips capturing human actions and used that data set to train the model. The researchers found that “the synthetically trained models performed even better than models trained on real data for videos that have fewer background objects” (MIT News Office, 2022).

    Today, synthetic data is used in language systems, in training self-driving cars, in improving fraud detection, and in clinical research, just to name a few examples.

    Synthetic data opens the doors for innovation across all industries and applications of AI by enabling access to data for any scenario and technology and business needs.

    Digital Twins

    Digital twins (DT) are virtual replicas of physical objects, devices, people, places, processes, and systems. In Manufacturing, almost every product and manufacturing process can have a complete digital replica of itself thanks to IoT, streaming data, and cheap cloud storage.

    All this data has allowed for complex simulations of, for example, how a piece of equipment will perform over time to predict future failures before they happen, reducing costly maintenance and extending equipment lifetime.

    In addition to predictive maintenance, DT and AI technologies have enabled organizations to design and digitally test complex equipment such as aircraft engines, trains, offshore oil platforms, and wind turbines before physically manufacturing them. This helps to improve product and process quality, manufacturing efficiency, and costs. DT technology also finds applications in architecture, construction, energy, infrastructure industries, and even retail.

    Digital twins combined with the metaverse provide a collaborative and interactive environment with immersive experience and real-time physics capabilities (as an example, Siemens presented an Immersive Digital Twin of a Plant at the Collision 2022 conference).

    Future trends include enabling autonomous behavior of a DT. An advanced DT can replicate itself as it moves into several devices, hence requiring the autonomous property. Such autonomous behavior of the DT will in turn influence the growth and further advancement of AI.

    Edge AI

    A simple definition for edge AI: A combination of edge computing and artificial intelligence, it enables the deployment of AI applications in devices of the physical world, in the field, where the data is located, such as IoT devices, devices on the manufacturing floor, healthcare devices, or a self-driving car.

    Edge AI integrates AI into edge computing devices for quicker and improved data processing and smart automation.

    The main benefits of edge AI include:

    • Real-time data processing capabilities to reduce latency and enable near real-time analytics and insights.
    • Reduced cost and bandwidth requirements as there is no need to transfer data to the cloud for computing.
    • Increased data security as the data is processed locally, on the device, reducing the risk of loss of sensitive data.
    • Improved automation by training machines to perform automated tasks.

    Edge AI is already used in a variety of applications and use cases including computer vision, geospatial intelligence, object detection, drones, and health monitoring devices.

    Combinatorial Optimization

    “Combinatorial optimization is a subfield of mathematical optimization that consists of finding an optimal object from a finite set of objects” (Wikipedia, retrieved December 2022).

    Applications of combinatorial optimization include:

    • Supply chain optimization
    • Scheduling and logistics, for example, vehicle routing where the trucks are making stops for pickup and deliveries
    • Operations optimization

    Classical combinatorial optimization (CO) techniques were widely used in operations research and played a major role in earlier developments of AI.

    The introduction of deep learning algorithms in recent years allowed researchers to combine neural network and conventional optimization algorithms; for example, incorporating neural combinatorial optimization algorithms in the conventional optimization framework. Researchers confirmed that certain combinations of these frameworks and algorithms can provide significant performance improvements.

    The research in this space continues and we look forward to learning how machine learning and AI (backtracking algorithms, reinforcement learning, deep learning, graph attention networks, and others) will be used for solving challenging combinatorial and decision-making problems.

    References

    “AI Can Power Scenario Planning for Real-Time Strategic Insights.” The Wall Street Journal, CFO Journal, content by Deloitte, 7 June 2021. Accessed 11 Dec. 2022.
    Ali Fdal, Omar. “Synthetic Data: 4 Use Cases in Modern Enterprises.” DATAVERSITY, 5 May 2022. Accessed
    11 Dec. 2022.
    Andrews, Gerard. “What Is Synthetic Data?” NVIDIA, 8 June 2021. Accessed 11 Dec. 2022.
    Bareinboim, Elias. “Causal Reinforcement Learning.” Causal AI, 2020. Accessed 11 Dec. 2022.
    Bengio, Yoshua, Andrea Lodi, and Antoine Prouvost. “Machine learning for combinatorial optimization: A methodological tour d’horizon.” European Journal of Operational Research, vol. 290, no. 2, 2021, pp. 405-421, https://doi.org/10.1016/j.ejor.2020.07.063. Accessed 11 Dec. 2022.
    Benjamins, Richard. “Four design principles for developing sustainable AI applications.” Telefónica S.A., 10 Sept. 2018. Accessed on 11 Dec. 2022.
    Blades, Robin. “AI Generates Hypotheses Human Scientists Have Not Thought Of.” Scientific American, 28 October 2021. Accessed 11 Dec. 2022.
    “Combinatorial Optimization.” Wikipedia article, Accessed 11 Dec. 2022.
    Cronholm, Stefan, and Hannes Göbel. “Design Principles for Human-Centred Artificial Intelligence.” University of Borås, Sweden, 11 Aug. 2022. Accessed on 11 Dec. 2022
    Devaux, Elise. “Types of synthetic data and 4 real-life examples.” Statice, 29 May 2022. Accessed 11 Dec. 2022.
    Emmental, Russell. “A Guide to Causal AI.” ITBriefcase, 30 March 2022. Accessed 11 Dec. 2022.
    “Empowering AI Leadership: AI C-Suite Toolkit.” World Economic Forum, 12 Jan. 2022. Accessed 11 Dec 2022.
    Falk, Dan. “How Artificial Intelligence Is Changing Science.” Quanta Magazine, 11 March 2019. Accessed 11 Dec. 2022.
    Fritschle, Matthew J. “The Principles of Designing AI for Humans.” Aumcore, 17 Aug. 2018. Accessed 8 Dec. 2022.
    Garmendia, Andoni I., et al. Neural Combinatorial Optimization: a New Player in the Field.” IEEE, arXiv:2205.01356v1, 3 May 2022. Accessed 11 Dec. 2022.
    Gülen, Kerem. “AI Is Revolutionizing Every Field and Science is no Exception.” Dataconomy Media GmbH, 9 Nov. 9, 2022. Accessed 11 Dec. 2022
    Krenn, Mario, et al. “On scientific understanding with artificial intelligence.” Nature Reviews Physics, vol. 4, 11 Oct. 2022, pp. 761–769. https://doi.org/10.1038/s42254-022-00518-3. Accessed 11 Dec. 2022.
    Laboratory for Information and Decision Systems. “The real promise of synthetic data.” MIT News, 16 Oct. 2020. Accessed 11 Dec. 2022.
    Lecca, Paola. “Machine Learning for Causal Inference in Biological Networks: Perspectives of This Challenge.” Frontiers, 22 Sept. 2021. Accessed 11 Dec. 2022. Mirabella, Lucia. “Digital Twin x Metaverse: real and virtual made easy.” Siemens presentation at Collision 2022 conference, Toronto, Ontario. Accessed 11 Dec. 2022. Mitchum, Rob, and Louise Lerner. “How AI could change science.” University of Chicago News, 1 Oct. 2019. Accessed 11 Dec. 2022.
    Okeke, Franklin. “The benefits of edge AI.” TechRepublic, 22 Sept. 2022, Accessed 11 Dec. 2022.
    Perlmutter, Nathan. “Machine Learning and Combinatorial Optimization Problems.” Crater Labs, 31 July 31, 2019. Accessed 11 Dec. 2022.
    Sampson, Ovetta. “Design Principles for a New AI World.” UX Magazine, 6 Jan. 2022. Accessed 11 Dec. 2022.
    Sgaier, Sema K., Vincent Huang, and Grace Charles. “The Case for Causal AI.” Stanford Social Innovation Review, Summer 2020. Accessed 11 Dec. 2022.
    “Synthetic Data.” Wikipedia article, Accessed 11 Dec. 2022.
    Take, Marius, et al. “Software Design Patterns for AI-Systems.” EMISA Workshop 2021, CEUR-WS.org, Proceedings 30. Accessed 11 Dec. 2022.
    Toews, Rob. “Synthetic Data Is About To Transform Artificial Intelligence.” Forbes, 12 June 2022. Accessed
    11 Dec. 2022.
    Zewe, Adam. “In machine learning, synthetic data can offer real performance improvements.” MIT News Office, 3 Nov. 2022. Accessed 11 Dec. 2022.
    Zhang, Junzhe, and Elias Bareinboim. “Can Humans Be out of the Loop?” Technical Report, Department of Computer Science, Columbia University, NY, June 2022. Accessed 11 Dec. 2022.

    Contributors

    Irina Sedenko Anu Ganesh Amir Feizpour David Glazer Delina Ivanova

    Irina Sedenko

    Advisory Director

    Info-Tech

    Anu Ganesh

    Technical Counselor

    Info-Tech

    Amir Feizpour

    Co-Founder & CEO

    Aggregate Intellect Inc.

    David Glazer

    VP of Analytics

    Kroll

    Delina Ivanova

    Associate Director, Data & Analytics

    HelloFresh

    Usman Lakhani

    DevOps

    WeCloudData

    Consolidate Your Data Centers

    • Buy Link or Shortcode: {j2store}498|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Data Center & Facilities Strategy
    • Parent Category Link: /data-center-and-facilities-strategy
    • Data center operating costs continue to escalate as organizations struggle with data center sprawl.
    • While data center consolidation is an attractive option to reduce cost and sprawl, the complexity of these projects makes them extremely difficulty to execute.
    • The status quo is also not an option, as budget constraints and the challenges with managing multiple data centers continues to increase.

    Our Advice

    Critical Insight

    • Despite consolidation being an effective way of addressing sprawl, it is often difficult to secure buy-in and funding from the business.
    • Many consolidation projects suffer cost overruns due to unforeseen requirements and hidden interdependencies which could have been mitigated during the planning phase.
    • Organizations that avoid consolidation projects due to their complexity are just deferring the challenge, while costs and inefficiencies continue to increase.

    Impact and Result

    • Successful data center consolidation will have an immediate impact on reducing data center sprawl. Maximize your chances of success by securing buy-in from the business.
    • Avoid cost overruns and unforeseen requirements by engaging with the business at the start of the process. Clearly define business requirements and establish common expectations.
    • While cost improvements often drive data center consolidation, successful projects will also improve scalability, operational efficiency, and data center redundancy.

    Consolidate Your Data Centers Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should perform a data center consolidation, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Discover

    Identify IT infrastructure systems and establish dependency bundles for the current and target sites.

    • Consolidate Your Data Centers – Phase 1: Discover
    • Data Center Consolidation Data Collection Workbook
    • Data Center Consolidation Project Planning and Prioritization Tool

    2. Plan

    Build a strong business case for data center consolidation by leveraging a TCO analysis and incorporating business requirements.

    • Consolidate Your Data Centers – Phase 2: Plan
    • Data Center Consolidation TCO Comparison Tool
    • Data Center Relocation Vendor Statement of Work Evaluation Tool

    3. Execute

    Streamline the move-day process through effective communication and clear delegation of duties.

    • Consolidate Your Data Centers – Phase 3: Execute
    • Communications Plan Template for Data Center Consolidation
    • Data Center Consolidation Executive Presentation
    • Minute-to-Minute Move Day Script (PDF)
    • Minute-to-Minute Move Day Script (Visio)
    • Data Center Relocation Minute-to-Minute Project Planning and Monitoring Tool

    4. Close

    Close the loop on the data center consolidation project by conducting an effective project retrospective.

    • Consolidate Your Data Centers – Phase 4: Close
    • Data Center Relocation QA Team Project Planning and Monitoring Tool
    • Data Center Move Issue Resolution and Change Order Template
    • Data Center Relocation Wrap-up Checklist
    [infographic]

    Reduce Shadow IT With a Service Request Catalog

    • Buy Link or Shortcode: {j2store}302|cart{/j2store}
    • member rating overall impact: 10.0/10 Overall Impact
    • member rating average dollars saved: $129,999 Average $ Saved
    • member rating average days saved: 35 Average Days Saved
    • Parent Category Name: Asset Management
    • Parent Category Link: /asset-management
    • Shadow IT: The IT team is regularly surprised to discover new products within the organization, often when following up on help desk tickets or requests for renewals from business users or vendors.
    • Renewal Management: The contracts and asset teams need to be aware of upcoming renewals and have adequate time to review renewals.
    • Over-purchasing: Contracts may be renewed without a clear picture of usage, potentially renewing unused applications.

    Our Advice

    Critical Insight

    There is a direct correlation between service delivery dissatisfaction and increases in shadow IT. Whether the goal is to reduce shadow IT or gain control, improved customer service and fast delivery are key to making lasting changes.

    Impact and Result

    Our blueprint will help you design a service that draws the business to use it. If it is easier for them to buy from IT than it is to find their own supplier, they will use IT.

    A heavy focus on customer service, design optimization, and automation will provide a means for the business to get what they need, when they need it, and provide visibility to IT and security to protect organizational interests.

    This blueprint will help you:

    • Design the request service
    • Design the request catalog
    • Build the request catalog
    • Market the service

    Reduce Shadow IT With a Service Request Catalog Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Reduce Shadow IT With a Service Request Catalog – A step-by-step document that walks you through creation of a request service management program.

    Use this blueprint to create a service request management program that provides immediate value.

    • Reduce Shadow IT With a Service Request Catalog Storyboard

    2. Nonstandard Request Assessment – A template for documenting requirements for vetting and onboarding new applications.

    Use this template to define what information is needed to vet and onboard applications into the IT environment.

    • Nonstandard Request Assessment

    3. Service Request Workflows – A library of workflows used as a starting point for creating and fulfilling requests for applications and equipment.

    Use this library of workflows as a starting point for creating and fulfilling requests for applications and equipment in a service catalog.

    • Service Request Workflows

    4. Application Portfolio – A template to organize applications requested by the business and identify which items are published in the catalog.

    Use this template as a starting point to create an application portfolio and request catalog.

    • Application Portfolio

    5. Reduce Shadow IT With a Service Request Catalog Communications Template – A presentation and communications plan to announce changes to the service and introduce a catalog.

    Use this template to create a presentation and communications plan for launching the new service and service request catalog.

    • Reduce Shadow IT with a Service Request Catalog Communications Template
    [infographic]

    Workshop: Reduce Shadow IT With a Service Request Catalog

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Design the Service

    The Purpose

    Collaborate with the business to determine service model.

    Collaborate with IT teams to build non-standard assessment process.

    Key Benefits Achieved

    Designed a service for service requests, including new product intake.

    Activities

    1.1 Identify challenges and obstacles.

    1.2 Complete customer journey map.

    1.3 Design process for nonstandard assessments.

    Outputs

    Nonstandard process.

    2 Design the Catalog

    The Purpose

    Design the service request catalog management process.

    Key Benefits Achieved

    Ensure the catalog is kept current and is integrated with IT service catalog if applicable.

    Activities

    2.1 Determine what will be listed in the catalog.

    2.2 Determine process to build and maintain the catalog, including roles, responsibilities, and workflows.

    2.3 Define success and determine metrics.

    Outputs

    Catalog scope.

    Catalog design and maintenance plan.

    Defined success metrics

    3 Build and Market the Catalog

    The Purpose

    Determine catalog contents and how requests will be fulfilled.

    Key Benefits Achieved

    Catalog framework and service level agreements will be defined.

    Create communications documents.

    Activities

    3.1 Determine how catalog items will be displayed.

    3.2 Complete application categories for catalog.

    3.3 Create deployment categories and SLAs.

    3.4 Design catalog forms and deployment workflows.

    3.5 Create roadmap.

    3.6 Create communications plan.

    Outputs

    Catalog workflows and SLAs.

    Roadmap.

    Communications deck.

    4 Breakout Groups – Working Sessions

    The Purpose

    Create an applications portfolio.

    Prepare to populate the catalog.

    Key Benefits Achieved

    Portfolio and catalog contents created.

    Activities

    4.1 Using existing application inventory, add applications to portfolio and categorize.

    4.2 Determine which applications should be in the catalog.

    4.3 Determine which applications are packaged and can be easily deployed.

    Outputs

    Application Portfolio.

    List of catalog items.

    Further reading

    Reduce Shadow IT With a Service Request Catalog

    Foster business partnerships with sourcing-as-a-service.

    Analyst Perspective

    Improve the request management process to reduce shadow IT.

    In July 2022, Ivanti conducted a study on the state of the digital employee experience, surveying 10,000 office workers, IT professionals, and C-suite executives. Results of this study indicated that 49% of employees are frustrated by their tools, and 26% of employees were considering quitting their jobs due to unsuitable tech. 42% spent their own money to gain technology to improve their productivity. Despite this, only 21% of IT leaders prioritized user experience when selecting new tools.

    Any organization’s workers are expected to be productive and contribute to operational improvements or customer experience. Yet those workers don’t always have the tools needed to do the job. One option is to give the business greater control, allowing them to choose and acquire the solutions that will make them more productive. Info-Tech's blueprint Embrace Business-Managed Applications takes you down this path.

    However, if the business doesn’t want to manage applications, but just wants have access to better ones, IT is positioned to provide services for application and equipment sourcing that will improve the employee experience while ensuring applications and equipment are fully managed by the asset, service, and security teams.

    Improving the request management and deployment practice can give the business what they need without forcing them to manage license agreements, renewals, and warranties.

    Photo of Sandi Conrad

    Sandi Conrad
    ITIL Managing Professional
    Principal Research Director, IT Infrastructure & Operations,
    Info-Tech Research Group

    Your challenge

    This research is designed to help organizations that are looking to improve request management processes and reduce shadow IT.

    Shadow IT: The IT team is regularly surprised to discover new products within the organization, often when following up on help desk tickets or requests for renewals from business users or vendors.

    Renewal management: The contracts and asset teams need to be aware of upcoming renewals and have adequate time to review renewals.

    Over-purchasing and over-spending: Contracts may be renewed without a clear picture of utilization, potentially renewing unused applications. Applications or equipment may be purchased at retail price where corporate, government, or educational discounts exist.

    Info-Tech Insight

    To increase the visibility of the IT environment, IT needs to transform the request management process to create a service that makes it easier for the business to access the tools they need rather than seeking them outside of the organization.

    609
    Average number of SaaS applications in large enterprises

    40%
    On average, only 60% of provisioned SaaS licenses are used, with the remaining 40% unused.

    — Source: Zylo, SaaS Trends for IT Leaders, 2022

    Common obstacles

    Too many layers of approvals and a lack of IT workers makes it difficult to rethink service request fulfillment.

    Delays: The business may not be getting the applications they need from IT to do their jobs or must wait too long to get the applications approved.

    Denials: Without IT’s support, the business is finding alternative options, including SaaS applications, as they can be bought and used without IT’s input or knowledge.

    Threats: Applications that have not been vetted by security or installed without their knowledge may present additional threats to the organization.

    Access: Self-serve isn’t mature enough to support an applications catalog.

    A diagram that shows the number of SaaS applications being acquired outside of IT is increasing year over year, and that business units are driving the majority of SaaS spend.

    8: average number of applications entering the organization every 30 days

    — Source: Zylo, SaaS Trends for Procurement, 2022

    Info-Tech’s approach

    Improve the request management process to create sourcing-as-a-service for the business.

    • Improve customer service
    • Reduce shadow IT
    • Gain control in a way that keeps the business happy

    1. Design the service

    Collaborate with the business

    Identify the challenges and obstacles

    Gain consensus on priorities

    Design the service

    2. Design the catalog

    Determine catalog scope

    Create a process to build and maintain the catalog

    Define metrics for the request management process

    3. Build the catalog

    Determine descriptions for catalog items

    Create definitions for license types, workflows, and SLAs

    Create application portfolio

    Design catalog forms and workflows

    4. Market the service

    Create a roadmap

    Determine messaging

    Build a communications plan

    Blueprint deliverables

    Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:

    Communications Presentation

    Photo of Communications Presentation

    Application Portfolio

    Photo of Application Portfolio

    Visio Library

    Photo of Visio Library

    Nonstandard Request Assessment

    Photo of Nonstandard Request Assessment

    Create a request management process and service catalog to improve delivery of technology to the business

    Identify and Manage Reputational Risk Impacts on Your Organization

    • Buy Link or Shortcode: {j2store}220|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Vendor Management
    • Parent Category Link: /vendor-management

    Access to information about companies is more available to consumers than ever. Organizations must implement mechanisms to monitor and manage how information is perceived to avoid potentially disastrous consequences to their brand reputation.

    A negative event could impact your organization's reputation at any given time. Make sure you understand where such events may come from and have a plan to manage the inevitable consequences.

    Our Advice

    Critical Insight

    • Identifying and managing a vendor’s potential impact on your organization’s reputation requires efforts from multiple people in the organization across several functions. Those people all need coaching on the potential changes in the market and how social media can affect your brand.
    • Organizational leadership is often caught unaware during crises, and their response plans lack the flexibility to adjust to significant market upheavals.

    Impact and Result

    • Vendor management practices educate organizations on the different potential risks to vendors in your market and suggest creative and alternative ways to avoid and help manage them.
    • Prioritize and classify your vendors with quantifiable, standardized rankings.
    • Prioritize focus on your high-risk vendors.
    • Standardize your processes for identifying and monitoring vendor risks to manage potential impacts on your reputation and brand with our Reputational Risk Impact Tool.

    Identify and Manage Reputational Risk Impacts on Your Organization Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Identify and Manage Reputational Risk Impacts on Your Organization Deck – Use the research to better understand the negative impacts of vendor actions on your brand reputation.

    Use this research to identify and quantify the potential reputational impacts caused by vendors. Use Info-Tech's approach to look at the reputational impact from various perspectives to better prepare for issues that may arise.

    • Identify and Manage Reputational Risk Impacts on Your Organization Storyboard

    2. Reputational Risk Impact Tool – Use this tool to help identify and quantify the reputational impacts of negative vendor actions.

    By playing the “what if” game and asking probing questions to draw out – or eliminate - possible negative outcomes, everyone involved adds their insight into parts of the organization to gather a comprehensive picture of potential impacts.

    • Reputational Risk Impact Tool
    [infographic]

    Further reading

    Identify and Manage Reputational Risk Impacts on Your Organization

    Brand reputation is the most valuable asset an organization can protect.

    Analyst Perspective

    Organizations must diligently assess and protect their reputations, both in the market and internally.

    Social media, unprecedented access to good and bad information, and consumer reliance on others’ online opinions force organizations to dedicate more resources to protecting their brand reputation than ever before. Perceptions matter, and you should monitor and protect the perception of your organization with as much rigor as possible to ensure your brand remains recognizable and trusted.

    Photo of Frank Sewell, Research Director, Vendor Management, Info-Tech Research Group.

    Frank Sewell
    Research Director, Vendor Management
    Info-Tech Research Group

    Executive Summary

    Your Challenge

    Access to information about companies is more available to consumers than ever. A negative event could impact your organizational reputation at any time. As a result, organizations must implement mechanisms to monitor and manage how information is perceived to avoid potentially disastrous consequences to their brand reputation.

    Make sure you understand where negative events may come from and have a plan to manage the inevitable consequences.

    Common Obstacles

    Identifying and managing a vendor’s potential impact on your organization’s reputation requires efforts from multiple people in the organization across several functions. Those people all need coaching on the potential changes in the market and how social media can affect your brand.

    Organizational leadership is often caught unaware during crises, and their response plans lack the flexibility to adjust to significant market upheavals.

    Info-Tech’s Approach

    Vendor management practices educate organizations on the different potential risks to vendors in your market and suggest creative and alternative ways to avoid and help manage them.

    Prioritize and classify your vendors with quantifiable, standardized rankings.

    Prioritize focus on your high-risk vendors.

    Standardize your processes for identifying and monitoring vendor risks to manage potential impacts on your reputation and brand with our Reputational Risk Impact Tool.

    Info-Tech Insight

    Organizations must evolve their risk assessments to be more adaptive to respond to rapid changes in online media. Ongoing monitoring of social media and the vendors tied to their company is imperative to achieving success and avoiding reputational disasters.

    Info-Tech’s multi-blueprint series on vendor risk assessment

    There are many individual components of vendor risk beyond cybersecurity.

    Cube with each multiple colors on each face, similar to a Rubix cube, and individual components of vendor risk branching off of it: 'Financial', 'Reputational', 'Operational', 'Strategic', 'Security', and 'Regulatory & Compliance'.

    This series will focus on the individual components of vendor risk and how vendor management practices can facilitate organizations’ understanding of those risks.

    Out of scope:
    This series will not tackle risk governance, determining overall risk tolerance and appetite, or quantifying inherent risk.

    Reputational risk impacts

    Potential losses to the organization due to risks to its reputation and brand

    In this blueprint, we’ll explore reputational risks (risks to the brand reputation of the organization) and their impacts.

    Identify potentially negative events to assess the overall impact on your organization and implement adaptive measures to respond and correct.

    Cube with each multiple colors on each face, similar to a Rubix cube, and the vendor risk component 'Reputational' highlighted.

    Protect your most valuable asset: your brand

    25%

    of a company’s market value is due to reputation (Transmission Private, 2021)

    94%

    of consumers say that a bad review has convinced them to avoid a business (ReviewTrackers, 2022)

    14 hours

    is the average time it takes for a false claim to be corrected on social media (Risk Analysis, 2018)
    Image of an umbrella covering the word 'BRAND' and three arrows approaching from above.

    What is brand recognition?

    And the cost of rebranding

    Brand recognition is the ability of consumers to recognize an identifying characteristic of one company versus a competitor.” (Investopedia)

    Most trademark valuation is based directly on its projected future earning power, based on income history. For a new brand with no history, evaluators must apply experience and common sense to predict the brand's earning potential. They can also use feedback from industry experts, market surveys, and other studies.” (UpCounsel)

    The cost of rebranding for small to medium businesses is about 10 to 20% of the recommended overall marketing budget and can take six to eight months (Ignyte).

    Stock image of a house with a money sign chimney.

    "All we are at our core is our reputation and our brand, and they are intertwined." (Phil Bode, Principal Research Director, Info-Tech Research Group)

    What your vendor associations say about you

    Arrows of multiple colors coalescing in an Earth labelled 'Your Brand', and then a red arrow that reads 'Reputation' points to the terms on the right.

    Bad Customer Reviews

    Breach of Data

    Poor Security Posture

    Negative News Articles

    Public Lawsuits

    Poor Performance

    How a major vendor protects its brand

    An ideal state
    • There is a dedicated brand protection department.
    • All employees are educated annually on brand protection policies and procedures.
    • Brand protection is tied to cybersecurity.
    • The organization actively monitors its brand and reputation through various media formats.
    • The organization has criteria for assessing x-party vendors and holds them accountable through ongoing monitoring and validation of their activities.

    Brand Protection
    Done Right

    Sticker for a '5 Star Rating'.

    Never underestimate the power of local media on your profits

    Info-Tech Insight

    Keep in mind that too much exposure to media can be a negative in that it heightens the awareness of your organization to outside actors. If you do go through a period of increased exposure, make sure to advance your monitoring practices and vigilance.

    Story: Restaurant data breach

    Losing customer faith

    A popular local restaurant’s point of service (POS) machines were breached and the credit card data of their customers over a two-week period was stolen. The restaurant did the right thing: they privately notified the affected people, helped them set up credit monitoring services, and replaced their compromised POS system.

    Unfortunately, the local newspaper got wind of the breach. It published the story, leaving out that the restaurant had already notified affected customers and had replaced their POS machines.

    In response, the restaurant launched a campaign in the local paper and on social media to repair their reputation in the community and reassure people that they could safely transact at their business.

    For at least a month, the restaurant experienced a drastic decrease in revenue as customers either refused to come in to eat or paid only in cash. During this same period the restaurant was spending outside their budget on the advertising.
    Broken trust.

    Story: Monitor your subcontractors

    Trust but verify

    A successful general contractor with a reputation for fairness in their dealings needed a specialist to perform some expert carpentry work for a few of their clients.

    The contractor gave the specialist the clients’ contact information and trusted them to arrange the work.

    Weeks later, the contractor checked in with the clients and received a ton of negative feedback:

    • The specialist called them once and never called back.
    • The specialist refused to do the work as described and wanted to charge extra.
    • The specialist performed work to “fix” the issue but cut corners to lessen their costs.

    As a result, the contractor took extreme measures to regain the clients’ confidence and trust and lost other opportunities in the process.

    Stock image of a sad construction site supervisor.

    You work hard for your reputation. Don’t let others ruin it.

    Don’t forget to look within as well as without

    Stock image of a frustrated desk worker.

    Story: Internal reputation is vital

    Trust works both ways

    An organization’s relatively new IT and InfoSec department leadership have been upgrading the organization's systems and policies as fast as resources allow when the organization encounters a major breach of security.

    Trust in the developing IT and InfoSec departments' leadership wanes throughout the organization as people search for the root cause and blame the systems. This degradation of trust limits the effectiveness of the newly implemented process, procedures, and tools of the departments.

    The new leaders' abilities are called into question, and they must now rigorously defend and justify their decisions and positions to the executives and board.

    It will be some time before the two departments gain their prior trust and respect, and the new leaders face some tough times ahead regaining the organization's confidence.

    How could the new leaders approach the situation to mend their reputations in the wake of this (perhaps unfair) reputational hit?

    It is not enough to identify the potential risks; there must also be adequate controls in place to monitor and manage them

    Stock image of a fingerprint on a computer chip under a blacklight.

    Identify, manage, and monitor reputational risks

    Global markets
    • Organizations need to learn how to assess the likelihood of potential risks in the changing global markets and recognize how their partnerships and subcontracts affect their brand.
    • Now more than ever, organizations need to be mindful of the larger global landscape and how their interactions within various regions can impact their reputation.
    Social media
    • Understanding how to monitor social media activity and online content will give you an edge in the current environment.
    • Changes in social media generally happen faster than companies can recognize them. If you are not actively monitoring those risks, the damage could set in before you even have a chance to respond.
    Global shortages
    • Organizations need to accept that shortages will recur periodically and that preparing for them will significantly increase the success potential of long-term plans.
    • Customers don’t always understand what is happening in the global supply chain and may blame you for poor service if you cannot meet demands as you have in the past.

    Which way is your reputation heading?

    • Do you understand and track items that might affect your reputation?
    • Do you understand the impact they may have on your business?

    Visualization of a Newton's Cradle perpetual motion device, aka clacky balls. The lifted ball is colored green with a smiley face and is labelled 'Your Brand Reputation'. The other four balls are red with a frowny face and are labelled 'Data Breach/ Lawsuit', 'Service Disruption', 'Customer Complaint', and 'Poor Delivery'.

    Identifying and understanding potential risks is essential to adapting to the ever-changing online landscape

    Info-Tech Insight

    Few organizations are good at identifying risks. As a result, almost none realistically plan to monitor, manage, and adapt their plans to mitigate those risks.

    Reputational risks

    Not protecting your brand can have disastrous consequences to your organization

    • Data breaches & lawsuits
    • Poor vendor performance
    • Service disruptions
    • Negative reviews

    Stock image of a smiling person on their phone rating something five stars.

    What to look for in vendors

    Identify potential reputational risk impacts
    • Check online reviews from both customers and employees.
    • Check news sites:
      • Has the vendor been affected by a breach?
      • Is the vendor frequently in the news – good or bad? Greater exposure can cause an uptick in hostile attacks, so make sure the vendor has adequate protections in line with its exposure.
    • Review its financials. Is it prime for an acquisition/bankruptcy or other significant change?
    • Review your contractual protections to ensure that you are made whole in the event something goes wrong. Has anything changed with the vendor that requires you to increase your protections?
    • Has anything changed in the vendor’s market? Is a competitor taking its business, or are its resources stretched on multiple projects due to increased demand?
    Illustration of business people in a city above various icons.

    Assessing Reputational Risk Impacts

    Zigzagging icons and numbers one through 7 alternating sides downward. Review Organizational Strategy
    Understand the organizational strategy to prepare for the “what if” game exercise.
    Identify & Understand Potential Risks
    Play the “what if” game with the right people at the table.
    Create a Risk Profile Packet for Leadership
    Pull all the information together in a presentation document.
    Validate the Risks
    Work with leadership to ensure that the proposed risks are in line with their thoughts.
    Plan to Manage the Risks
    Lower the overall risk potential by putting mitigations in place.
    Communicate the Plan
    It is important not only to have a plan but also to socialize it in the organization for awareness.
    Enact the Plan
    Once the plan is finalized and socialized put it in place with continued monitoring for success.
    (Adapted from Harvard Law School Forum on Corporate Governance)

    Insight Summary

    Reputational risk impacts are often unanticipated, causing catastrophic downstream effects. Continuously monitoring your vendors’ actions in the market can help organizations head off brand disasters before they occur.

    Insight 1

    Understanding how to monitor social media activity and online content will give you an edge in the current environment.

    Do you have dedicated individuals or teams to monitor your organization's online presence? Most organizations review and approve the online content, but many forget the need to have analysts reviewing what others are saying about them.

    Insight 2

    Organizations need to learn how to assess the likelihood of potential risks in the rapidly changing online environments and recognize how their partnerships and subcontractors’ actions can affect their brand.

    For example, do you understand how a simple news article raises your profile for short-term and long-term adverse events?

    Insight 3

    Socialize the risk management process throughout the organization to heighten awareness and enable employees to help protect the company’s reputation.

    Do you include a social media and brand protection policy in your annual education?

    Identify reputational risk

    Who should be included in the discussion?
    • While it is true that executive-level leadership defines the strategy for an organization, it is vital for those making decisions to make INFORMED decisions.
    • Getting input from your organization's marketing experts will enhance your brand's long-term protection.
    • Involving those who directly manage vendors and understand the market will aid in determining the forward path for relationships with your current vendors and identifying new emerging potential partners.
    • Organizations have a wealth of experience in their marketing departments that can help identify real-world negative scenarios.
    • Include vendor relationship managers to help track what is happening in the media for those vendors.
    Keep in mind: (R=L*I)
    Risk = Likelihood x Impact

    Impact tends to remain the same, while likelihood is a very flexible variable.

    Stock image of a flowchart asking 'Risk?', 'Yes', 'No'.

    Manage and monitor reputational risk impacts

    What can we realistically do about the risks?
    • Re-evaluate corporate policies frequently.
    • Ensure proper protections in contracts:
      • Limit the use of your brand name in the publicity and trademark clauses.
      • Make sure to include security protections for your data in the event of a breach; understand that reputation can rarely be made whole again once trust is breached.
    • Introduce continual risk assessment to monitor the relevant vendor markets.
    • Be adaptable and allow for innovations that arise from the current needs.
      • Capture lessons learned from prior incidents to improve over time and adjust your strategy based on the lessons.
    • Monitor your company’s and associated vendors’ online presence.
    • Track similar companies’ brand reputations to see how yours compares in the market.

    Social media is driving the need for perpetual diligence.

    Organizations need to monitor their brand reputation considering the pace of incidents in the modern age.

    Stock image of a person on a phone that is connected to other people.

    The “what if” game

    1-3 hours

    Input: List of identified potential risk scenarios scored by likelihood and financial impact, List of potential management of the scenarios to reduce the risk

    Output: Comprehensive reputational risk profile on the specific vendor solution

    Materials: Whiteboard/flip charts, Reputational Risk Impact Tool to help drive discussion

    Participants: Vendor Management Coordinator, Organizational Leadership, Operations Experts (SMEs), Legal/Compliance/Risk Manager, Marketing

    Vendor management professionals are in an excellent position to help senior leadership identify and pull together resources across the organization to determine potential risks. By playing the "what if" game and asking probing questions to draw out – or eliminate – possible negative outcomes, everyone involved adds their insight into parts of the organization to gather a comprehensive picture of potential impacts.

    1. Break into smaller groups (or if too small, continue as a single group).
    2. Use the Reputational Risk Impact Tool to prompt discussion on potential risks. Keep this discussion flowing organically to explore all potential risk but manage the overall process to keep the discussion on track.
    3. Collect the outputs and ask the subject matter experts for management options for each one in order to present a comprehensive risk strategy. You will use this to educate senior leadership so that they can make an informed decision to accept or reject the solution.

    Download the Reputational Risk Impact Tool

    Example: Low reputational risk

    We can see clearly in this example that the contractor suffered minimal impact from the specialist's behavior. Though they did take a hit to their overall reputation with a few customers, they should be able to course-correct with a minimal outlay of effort and almost no loss of revenue.

    Stock image of construction workers.

    Sample table of 'Sample Questions to Ask to Identify Reputational Impacts'. Column headers are 'Score', 'Weight', 'Question', and 'Comments or Notes'. At the bottom the 'Reputational Score' row has a low average score of '1.3' and '%100' total weight in their respective columns.

    Example: High reputational risk

    Note in the example how the tool can represent different weights for each of the criteria depending on your needs.

    Stock image of an older person looking out a window.

    Sample table of 'Sample Questions to Ask to Identify Reputational Impacts'. Column headers are 'Score', 'Weight', 'Question', and 'Comments or Notes'. At the bottom the 'Reputational Score' row has a high average score of '3.1' and '%100' total weight in their respective columns.

    Summary

    Be vigilant and adaptable to change
    • Organizations need to learn how to assess the likelihood of potential risks in the changing global markets and recognize how their partnerships and subcontracts affect their brand.
    • Understanding how to monitor social media activity and online content will give you an edge in the current environment.
    • Bring the right people to the table to outline potential risks to your organization’s brand reputation.
    • Socialize the risk management process throughout the organization to heighten awareness and enable employees to help protect the company’s reputation.
    • Incorporate lessons learned from incidents into your risk management process to build better plans for future issues.
    Stock image of a person's face overlaid with many different images.

    Organizations must evolve their risk assessments to be more adaptive to respond to global factors in the market.

    Ongoing monitoring of online media and the vendors tied to company visibility is imperative to avoiding disaster.

    Bibliography

    "The CEO Reputation Premium: Gaining Advantage in the Engagement Era." Weber Shandwick, March 2015. Accessed June 2022.

    Glidden, Donna. "Don't Underestimate the Need to Protect Your Brand in Publicity Clauses." Info-Tech Research Group, June 2022.

    Greenaway, Jordan. "Managing Reputation Risk: A start-to-finish guide." Transmission Private, July 2020. Accessed June 2022.

    Jagiello, Robert D., and Thomas T. Hills. “Bad News Has Wings: Dread Risk Mediates Social Amplification in Risk Communication.” Risk Analysis, vol. 38, no. 10, 2018, pp. 2193-2207.

    Kenton, Will. "Brand Recognition.” Investopedia, Aug. 2021. Accessed June 2022.

    Lischer, Brian. "How Much Does it Cost to Rebrand Your Company?" Ignyte, October 2017. Accessed June 2022.

    "Powerful Examples of How to Respond to Negative Reviews." ReviewTrackers, 16 Feb. 2022. Accessed June 2022.

    Tonello, Matteo. “Strategic Risk Management: A Primer for Directors.” Harvard Law School Forum on Corporate Governance, 23 Aug. 2012. Web.

    "Valuation of Trademarks: Everything You Need to Know." UpCounsel, 2022. Accessed June 2022.

    Related Info-Tech Research

    Sample of 'Assessing Financial Risk Management'. Identify and Manage Financial Risk Impacts on Your Organization
    • Identifying and managing a vendor’s potential financial impact requires multiple people in the organization across several functions – and those people all need educating on the potential risks.
    • Organizational leadership is often unaware of decisions on organizational risk appetite and tolerance, and they assume there are more protections in place against risk impact than there truly are.
    Sample of 'How to Assess Strategic Risk'. Identify and Manage Strategic Risk Impacts on Your Organization
    • Identifying and managing a vendor’s potential strategic impact requires multiple people in the organization across several functions – and those people all need coaching on the potential changes in the market and how these changes affect strategic plans.
    • Organizational leadership is often caught unaware during crises, and their plans lack the flexibility needed to adjust to significant market upheavals.
    Research coming soon. Jump Start Your Vendor Management Initiative
    • Vendor management is not “plug and play” – each organization’s vendor management initiative (VMI) needs to fit its culture, environment, and goals. The key is to adapt vendor management principles to fit your needs…not the other way around.
    • All vendors are not of equal importance to an organization. Classifying or segmenting your vendors allows you to focus your efforts on the most important vendors first, allowing your VMI to have the greatest impact possible.

    Research Contributors and Experts

    Frank Sewell

    Research Director
    Info-Tech Research Group

    Donna Glidden

    Research Director
    Info-Tech Research Group

    Steven Jeffery

    Principal Research Director
    Info-Tech Research Group

    Mark Roman

    Managing Partner
    Info-Tech Research Group

    Phil Bode

    Principal Research Director
    Info-Tech Research Group

    Sarah Pletcher

    Executive Advisor
    Info-Tech Research Group

    Scott Bickley

    Practice Lead
    Info-Tech Research Group

    Assess Infrastructure Readiness for Digital Transformation

    • Buy Link or Shortcode: {j2store}300|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Strategy and Organizational Design
    • Parent Category Link: /strategy-and-organizational-design

    There are many challenges for I&O when it comes to digital transformation, including:

    • Legacy infrastructure technical debt
    • Skills and talent in the IT team
    • A culture that resists change
    • Fear of job loss

    These and many more will hinder your progress, which demonstrates the need to invest in modernizing your infrastructure, investing in training and hiring talent, and cultivating a culture that supports digital transformation.

    Our Advice

    Critical Insight

    By using the framework of culture, competencies, collaboration and capabilities, organizations can create dimensions in their I&O structure in order to shift from traditional infrastructure management to becoming a strategic enabler, driving agility, innovation, and operational excellence though the effective integration of people, process, and technology.

    Impact and Result

    By driving a customer-centric approach, delivering a successful transformation can be tailored to the business goals and drive adoption and engagement. Refining your roadmap through data and analytics will drive this change. Use third-party expertise to guide your transformation and help build that vision of the future.

    Assess Infrastructure Readiness for Digital Transformation Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Assess Infrastructure Readiness for Digital Transformation – Unlock the full potential of your infrastructure with a digital transformation strategy and clear the barriers for success.

  • Be customer centric as opposed to being technology driven.
  • Understanding business needs and pain points is key to delivering solutions.
  • Approach infrastructure digital transformation in iterations and look at this as a journey.
    • Assess Infrastructure Readiness for Digital Transformation Storyboard
    • I&O Digital Transformation Maturity Assessment Tool

    Infographic

    Further reading

    Assess Infrastructure Readiness for Digital Transformation

    Unlock the full potential of your infrastructure with a digital transformation strategy and clear the barriers to success.

    Analyst Perspective

    It’s not just about the technology!

    Many businesses fail in their endeavors to complete a digital transformation, but the reasons are complex, and there are many ways to fail, whether it is people, process, or technology. In fact, according to many surveys, 70% of digital transformations fail, and it’s mainly down to strategy – or the lack thereof.

    A lot of organizations think of digital transformation as just an investment in technology, with no vision of what they are trying to achieve or transform. So, out of the gate, many organizations fail to undergo a meaningful transformation, change their business model, or bring about a culture of digital transformation needed to be seriously competitive in their given market.

    When it comes to I&O leaders who have been given a mandate to drive digital transformation projects, they still must align to the vision and mission of the organization; they must still train and hire staff that will be experts in their field; they must still drive process improvements and align the right technology to meet the needs of a digital transformation.

    John Donovan

    John Donovan

    Principal Research Director, I&O
    Info-Tech Research Group

    Insight summary

    Overarching insight

    Digital transformation requires I&O teams to shift from traditional infrastructure management to becoming a strategic enabler, driving agility, innovation, and operational excellence through effective integration of people, process, and technology.

    Insight 1

    Collaboration is a key component of I&O – Promote strong collaboration between I&O and other business functions. When doing a digital transformation, it is clear that this is a cross-functional effort. Business leaders and IT teams need to align their objectives, prioritize initiatives, and ensure that you are seamlessly integrating technologies with the new business functions.

    Insight 2

    Embrace agility and adaptability as core principles – As the digital landscape continues to evolve, it is paramount that I&O leaders are agile and adaptable to changing business needs, adopting new technology and implementing new innovative solutions. The culture of continuous improvement and openness to experimentation and learning will assist the I&O leaders in their journey.

    Insight 3

    Future-proof your infrastructure and operations – By anticipating emerging technologies and trends, you can proactively plan and organize your team for future needs. By investing in scalable, flexible infrastructure such as cloud services, automation, AI technologies, and continuously upskilling the IT staff, you can stay relevant and forward-looking in the digital space.

    Tactical insight

    An IT infrastructure maturity assessment is a foundational step in the journey of digital transformation. The demand will be on performance, resilience, and scalability. IT infrastructure must be able to support innovation and rapid deployment of services.

    Tactical insight

    Having a clear strategy, with leadership commitment along with hiring and training the right people, monitoring and measuring your progress, and ensuring it is a business-led journey will increase your chances of success.

    Executive Summary

    Your Challenge

    There are a lot of challenges for I&O when it comes to digital transformation, including:

    • Legacy infrastructure technical debt.
    • Skills and talent in the IT team.
    • A culture that resists change.
    • Fear of job loss.

    These and many more will hinder your progress, which demonstrates the need to invest in modernizing your infrastructure, investing in training and hiring talent, and cultivating a culture that supports digital transformation.

    Common Obstacles

    Many obstacles to digital transformation begin with non-I&O activities, including:

    • Lack of a clear vision and strategy.
    • Siloed organizational structure.
    • Lack of governance and data management.
    • Limited budget and resources.

    By addressing these obstacles, I&O will have a better chance of a successful transformation and delivering the full potential of digital technologies.

    Info-Tech's Approach

    Building a culture of innovation by developing clear goals and creating a vision will be key.

    • Be customer centric as opposed to being technology driven.
    • Understand the business needs and pain points in order to effectively deliver solutions.
    • Approach infrastructure digital transformation in iterations and look at it as a journey.

    By completing the Info-Tech digital readiness questionnaire, you will see where you are in terms of maturity and areas you need to concentrate on.

    Info-Tech Insight

    By driving a customer-centric approach, delivering a successful transformation can be tailored to the business goals and drive adoption and engagement. Refining your roadmap through data and analytics will drive this change. Use third-party expertise to guide your transformation and help build that vision of the future.

    The cost of digital transformation

    The challenges that stand in the way of your success, and what is needed to reverse the risk

    What CIOs are saying about their challenges

    26% of those CIOs surveyed cite resistance to change, with entrenched viewpoints demonstrating a real need for a cultural shift to enhance the digital transformation journey.

    Source: Prophet, 2019.

    70% of digital transformation projects fall short of their objectives – even when their leadership is aligned, often with serious consequences.

    Source: BCG, 2020.

    Having a clear strategy and commitment from leadership, hiring and training the right people, monitoring and measuring your progress, and ensuring it is a business-led journey will increase your chances of success.

    Info-Tech Insight

    Cultural change, business alignment, skills training, and setting a clear strategy with KPIs to demonstrate success are all key to being successful in your digital journey.

    Small and medium-sized enterprises

    What business owners and CEOs are saying about their digital transformation

    57% of small business owners feel they must improve their IT infrastructure to optimize their operations.

    Source: SMB Story, 2023.

    64% of CEOs believe driving digital transformation at a rapid pace is critical to attracting and retaining talent and customers.

    Source: KPMG, 2022.

    Info-Tech Insight

    An IT infrastructure maturity assessment is a foundational step in the journey of digital transformation. The demand will be on performance, resilience, and scalability. IT infrastructure must be able to support innovation and rapid deployments.

    Beyond Survival

    • Buy Link or Shortcode: {j2store}204|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Big Data
    • Parent Category Link: /big-data
    • Consumer, customer, employee, and partner behavior has changed; new needs have arisen as a result of COVID-19. Entire business models had to be rethought and revised – in real time with no warning.
    • And worse, no one knows when (or even if) the pandemic will end. The world and the economy will continue to be highly uncertain, unpredictable, and vulnerable for some time.
    • Business leaders need to continue experimenting to stay in business, protect employees and supply chains, manage financial obligations, allay consumer and employee fears, rebuild confidence, and protect trust.
    • How do organizations know whether their new business tactics are working?

    Our Advice

    Critical Insight

    • We can learn many lessons from those who have survived and are succeeding.
    • They have one thing in common though – they rely on data and analytics to help people think and know how to respond, evaluate effectiveness of new business tactics, uncover emerging trends to feed innovation, and minimize uncertainty and risk.
    • This mini-blueprint highlights organizations and use cases where data, analytics, and AI deliver tangible business and human value now and in the future.

    Impact and Result

    • Learn from the pandemic survivors and super-achievers so that you too can hit the ground running in the new normal. Even better – go beyond survival, like many of them have done. Create your future by leveraging and scaling up your data and analytics investments. It is not (yet) too late, and Info-Tech can help.

    Beyond Survival Research & Tools

    Beyond Survival

    Use data, analytics, and AI to reimagine the future and thrive in the new normal.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    • Beyond Survival Storyboard
    [infographic]

    IT Metrics and Dashboards During a Pandemic

    • Buy Link or Shortcode: {j2store}118|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Performance Measurement
    • Parent Category Link: /performance-measurement

    The ways you measure success as a business are based on the typical business environment, but during a crisis like a pandemic, the business environment is rapidly changing or significantly different.

    • How do you assess the scope of the risk?
    • How do you quickly align your team to manage new risks?
    • How do you remain flexible enough to adapt to a rapidly changing situation?

    Our Advice

    Critical Insight

    Measure what you have the data for and focus on managing the impacts to your employees, customers, and suppliers. Be willing to make decisions based on imperfect data. Don’t forget to keep an eye on the long-term objectives and remember that how you act now can reflect on your business for years to come.

    Impact and Result

    Use Info-Tech’s approach to:

    • Quickly assess the risk and identify critical items to manage.
    • Communicate what your decisions are based on so teams can either quickly align or challenge conclusions made from the data.
    • Quickly adjust your measures based on new information or changing circumstances.
    • Use the tools you already have and keep it simple.

    IT Metrics and Dashboards During a Pandemic Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out how to develop your temporary crisis dashboard.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Consider your organizational goals

    Identify the short-term goals for your organization and reconsider your long-term objectives.

    • Crisis Temporary Measures Dashboard Tool

    2. Build a temporary data collection and dashboard method

    Determine your tool for data collection and your data requirements and collect initial data.

    3. Implement a cadence for review and action

    Determine the appropriate cadence for reviewing the dashboard and action planning.

    [infographic]

    Microsoft Dynamics 365: Understand the Transition to the Cloud

    • Buy Link or Shortcode: {j2store}350|cart{/j2store}
    • member rating overall impact: 8.7/10 Overall Impact
    • member rating average dollars saved: $94,858 Average $ Saved
    • member rating average days saved: 4 Average Days Saved
    • Parent Category Name: Licensing
    • Parent Category Link: /licensing
    • Your on-premises Dynamics CRM or AX needs updating or replacing, and you’re not sure whether to upgrade or transition to the cloud with the new Microsoft Dynamics 365 platform. You’re also uncertain about what the cost might be or if there are savings to be had with a transition to the cloud for your enterprise resource planning system.
    • The new license model, Apps vs. Plans and Dual Use Rights in the cloud, includes confusing terminology and licensing rules that don’t seem to make sense. This makes it difficult to purchase proper licensing that aligns with your current on-premises setup and to maximize your choices in transition licenses.
    • There are different licensing programs for Dynamics 365 in the cloud. You need to decide on the most cost effective program for your company, for now and for the future.
    • Microsoft is constantly pressuring you to move to the cloud, but you don’t understand the why. You're uncertain if there's real value in such a strategic move right now, or if should you wait awhile.

    Our Advice

    Critical Insight

    • Focus on what’s best for you. Do a thorough current state assessment of your hardware and software needs and consider what will be required in the near future (one to four years).
    • Educate yourself. You should have a good understanding of your options from staying on-premises vs. an interim hybrid model vs. a lift and shift to the cloud.
    • Consider the overall picture. There might not be hard cost savings to be realized in the near term, given the potential increase in licensing costs over a CapEx to OpEx savings.

    Impact and Result

    • Understanding the best time to transition, from a licensing perspective, could save you significant dollars over the next one to four years.
    • Planning and effectively mapping your current licenses to the new cloud user model will maximize your current investment into the cloud and fully leverage all available Microsoft incentives in the process.
    • Gaining the knowledge required to make the most informed transition decision, based on best timing, most appropriate licensing program, and maximized cost savings in the near term.
    • Engaging effectively with Microsoft and a competent Dynamics partner for deployment or licensing needs.

    Microsoft Dynamics 365: Understand the Transition to the Cloud Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should learn about Microsoft Dynamics 365 user-based cloud licensing, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Timing

    Review to confirm if you are eligible for Microsoft cloud transition discounts and what is your best time to move to the cloud.

    • Microsoft Dynamics 365: Understand the Transition to the Cloud – Phase 1: Timing
    • Microsoft License Agreement Summary Tool
    • Existing CRM-AX License Summary Worksheet

    2. Licensing

    Begin with a review to understand user-based cloud licensing, then move to mapping your existing licenses to the cloud users and plans.

    • Microsoft Dynamics 365: Understand the Transition to the Cloud – Phase 2: Licensing
    • Microsoft Dynamics 365 On-Premises License Transition Mapping Tool
    • Microsoft Dynamics 365 User License Assignment Tool
    • Microsoft Licensing Programs Brief Overview

    3. Cost review

    Use your cloud mapping activity as well your eligible discounts to estimate your cloud transition licensing costs.

    • Microsoft Dynamics 365: Understand the Transition to the Cloud – Phase 3: Cost Review
    • Microsoft Dynamics 365 Cost Estimator

    4. Analyze and decide

    Start by summarizing your choice license program, decide on the ideal time, then move on to total cost review.

    • Microsoft Dynamics 365: Understand the Transition to the Cloud – Phase 4: Analyze and Decide
    [infographic]

    Workshop: Microsoft Dynamics 365: Understand the Transition to the Cloud

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Understand What You Own and What You Can Transition to the Cloud

    The Purpose

    Understand what you own and what you can transition to the cloud.

    Learn which new cloud user licenses to transition.

    Key Benefits Achieved

    All your licenses in one summary.

    Eligible transition discounts.

    Mapping of on-premises to cloud users.

    Activities

    1.1 Validate your discount availability.

    1.2 Summarize agreements.

    1.3 Itemize your current license ownership.

    1.4 Review your timing options.

    1.5 Map your on-premises licenses to the cloud-based, user-based model.

    Outputs

    Current agreement summary

    On-premises to cloud user mapping summary

    Understanding of cloud app and plan features

    2 Transition License Cost Estimate and Additional Costs

    The Purpose

    Estimate cloud license costs and other associated expenses.

    Summarize and decide on the best timing, users, and program.

    Key Benefits Achieved

    Good cost estimate of equivalent cloud user-based licenses.

    Understanding of when and how to move your on-premises licensing to the new Dynamics 365 cloud model.

    Activities

    2.1 Estimate cloud user license costs.

    2.2 Calculate additional costs related to license transitions.

    2.3 Review all activities.

    2.4 Summarize and analyze your decision.

    Outputs

    Cloud user licensing cost modeling

    Summary of total costs

    Validation of costs and transition choices

    An informed decision on your Dyn365 timing, licensing, and costs

    Applications Priorities 2023

    • Buy Link or Shortcode: {j2store}186|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Architecture & Strategy
    • Parent Category Link: /architecture-and-strategy
    • Economic, social, and regulatory conditions have changed livelihoods, businesses, and marketplaces. Modern tools and technologies have acted as lifelines by minimizing operating and delivery costs, and in the process, establishing a strong foundation for growth and maturity.
    • These tools and technologies must meet the top business goals of CXOs: ensure service continuity, improve customer experience, and make data-driven decisions.
    • While today’s business applications are good and well received, there is still room for improvement. The average business application satisfaction score among IT leadership was 72% (n=1582, CIO Business Vision).

    Our Advice

    Critical Insight

    • Applications are critical components in any business strategic plan. They can directly influence an organization’s internal and external brand and reputation, such as their uniqueness, competitiveness and innovativeness in the industry
    • Business leaders are continuously looking for innovative ways to better position their application portfolio to satisfy their goals and objectives, i.e., application priorities. Given the scope and costs often involved, these priorities must be carefully crafted to clearly state achievable business outcomes that satisfies the different needs very different customers, stakeholders, and users.
    • Unfortunately, expectations on your applications team have increased while the gap between how stakeholders and applications teams perceive effectiveness remains wide. This points to a need to clarify the requirements to deliver valuable and quality applications and address the pressures challenging your teams.

    Impact and Result

    Learn and explore the technology and practice initiatives in this report to determine which initiatives should be prioritized in your application strategy and align to your business organizational objectives:

    • Optimize the effectiveness of the IT organization.
    • Boost the productivity of the enterprise.
    • Enable business growth through technology.

    Applications Priorities 2023 Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Applications Priorities Report 2023 – A report that introduces and describes five opportunities to prioritize in your 2023 application strategy.

    In this report, we explore five priorities for emerging and leading-edge technologies and practices that can improve on capabilities needed to meet the ambitions of your organization.

    • Applications Priorities 2023 Report

    Infographic

    Further reading

    Applications Priorities 2023

    Applications are the engine of the business: keep them relevant and modern

    What we are facing today is transforming the ways in which we work, live, and relate to one another. Applications teams and portfolios MUST change to meet this reality.

    Economic, social, and regulatory conditions have changed livelihoods, businesses, and marketplaces. Modern tools and technologies have acted as lifelines by minimizing operating and delivery costs, and in the process, establishing a strong foundation for growth and maturity.

    As organizations continue to strengthen business continuity, disaster recovery, and system resilience, activities to simply "keep the lights on" are not enough. Be pragmatic in the prioritization and planning of your applications initiatives, and use your technologies as a foundation for your growth.

    Your applications must meet the top business goals of your CXOs

    • Ensure service continuity
    • Improve customer experience
    • Make data-driven decisions
    • Maximize stakeholder value
    • Manage risk

    Source: CEO-CIO Alignment Diagnostics, August 2021 to July 2022, n=568.

    Select and align your applications priorities to your business goals and objectives

    Applications are critical components in any business strategic plan. They can directly influence an organization's internal and external brand and reputation, such as their:

    • Uniqueness, competitiveness, and innovativeness in the industry.
    • Ability to be dynamic, flexible, and responsive to changing expectations, business conditions, and technologies.

    Therefore, business leaders are continuously looking for innovative ways to better position their application portfolios to satisfy their goals and objectives, i.e. applications priorities. Given the scope and costs often involved, these priorities must be carefully crafted to clearly state achievable business outcomes that satisfy
    the different needs of very different customers, stakeholders, and users.

    Today's business applications are good but leave room for improvement

    72%
    Average business application satisfaction score among IT leadership in 1582 organizations.

    Source: CIO Business Vision, August 2021 to July 2022, N=190.

    Five Applications Priorities for 2023

    In this report, we explore five priorities for emerging and leading-edge technologies and practices that can improve on capabilities needed to meet the Ambitions of your organization.

    this is an image of the Five Applications Priorities for which will be addressed in this blueprint.

    Strengthen your foundations to better support your applications priorities

    These key capabilities are imperative to the success of your applications strategy.

    KPI and Metrics

    Easily attainable and insightful measurements to gauge the progress of meeting strategic objectives and goals (KPIs), and the performance of individual teams, practices and processes (metrics).

    BUSINESS ALIGNMENT

    Gain an accurate understanding and interpretation of stakeholder, end-user, and customer expectations and priorities. These define the success of business products and services considering the priorities of individual business units and teams.

    EFFICIENT DELIVERY & SUPPORT PRACTICE

    Software delivery and support roles, processes, and tools are collaborative, well equipped and resourced, and optimized to meet changing stakeholder expectations.

    Data Management & Governance

    Ensuring data is continuously reliable and trustworthy. Data structure and integrations are defined, governed, and monitored.

    Product & Service Ownership

    Complete inventory and rationalization of the product and service portfolio, prioritized backlogs, roadmaps, and clear product and service ownership with good governance. This helps ensure this portfolio is optimized to meet its goals and objectives.

    Strengthen your foundations to better support your applications priorities (cont'd)

    These key capabilities are imperative to the success of your applications strategy.

    Organizational Change Management

    Manage the adoption of new and modified processes and technologies considering reputational, human, and operational concerns.

    IT Operational Management

    Continuous monitoring and upkeep of products and services to assure business continuity, and system reliability, robustness and disaster recovery.

    Architectural Framework

    A set of principles and standards that guides the consistent, sustainable and scalable growth of enterprise technologies. Changes to the architecture are made in collaboration with affected parties, such as security and infrastructure.

    Application Security

    The measures, controls, and tactics at the application layer that prevent vulnerabilities against external and internal threats and ensure compliance to industry and regulatory security frameworks and standards.

    There are many factors that can stand in your team's way

    Expectations on your applications team have increased, while the gap between how stakeholders and applications teams perceive effectiveness remains wide. This points to a need to clarify the requirements to deliver valuable and quality applications and address the pressures challenging your teams.

    1. Attracting and retaining talent
    2. Maximizing the return on technology
    3. Confidently shifting to digital
    4. Addressing competing priorities
    5. Fostering a collaborative culture
    6. Creating high-throughput teams

    CIOs agree that at least some improvement is needed across key IT activities

    A bar graph is depicted which shows the proportion of CIOs who believe that some, or significant improvement is necessary for the following categories: Measure IT Project Success; Align IT Budget; Align IT Project Approval Process; Measure Stakeholder Satisfaction With IT; Define and Align IT Strategy; Understand Business Goals

    Source: CEO-CIO Alignment Diagnostics, August 2021 to July 2022, n=568.

    Pressure Point 1:
    Attracting and Retaining Talent

    Recent environmental pressures impacted traditional working arrangements and showed more workplace flexibility is often possible. At the same time, many employees' expectations about how, when, and where they choose to work have also evolved. Recruitment and retention are reflections of different sides of the same employee value proposition coin. Organizations that fail to reinvent their approach to attracting and retaining talent by focusing on candidate and employee experience risk turnover, vacancies, and lost opportunities that can negatively impact the bottom line.

    Address the underlying challenges

    • Lack of employee empowerment and few opportunities for learning and development.
    • Poor coworker and manager relationships.
    • Compensation and benefits are inadequate to maintain desired quality of life.
    • Unproductive work environment and conflicting balance of work and life.
    • Unsatisfactory employee experience, including lack of employee recognition
      and transparency of organizational change.

    While workplace flexibility comes with many benefits, longer work hours jeopardize wellbeing.
    62% of organizations reported increased working hours, while 80% reported an increase in flexibility.
    Source: McLean & Company, 2022; n=394.

    Be strategic in how you fill and train key IT skills and capabilities

    • Cybersecurity
    • Big Data/Analytics
    • Technical Architecture
    • DevOps
    • Development
    • Cloud

    Source: Harvey Nash Group, 2021; n=2120.

    Pressure Point 2:
    Maximizing the Return of Technology

    Recent environmental pressures impacted traditional working arrangements and showed more workplace flexibility is often possible. At the same time, many employees' expectations about how, when, and where they choose to work have also evolved. Recruitment and retention are reflections of different sides of the same employee value proposition coin. Organizations that fail to reinvent their approach to attracting and retaining talent by focusing on candidate and employee experience risk turnover, vacancies, and lost opportunities that can negatively impact the bottom line.

    Address the underlying challenges

    • Inability to analyze, propose, justify, and communicate modernization solutions in language the stakeholders understand and in a way that shows they clearly support business priorities and KPIs and mitigate risks.
    • Little interest in documenting and rationalizing products and services through business-IT collaboration.
    • Lack of internal knowledge of the system and loss of vendor support.
    • Undefined, siloed product and service ownership and governance, preventing solutions from working together to collectively deliver more value.
    • Little stakeholder appetite to invest in activities beyond "keeping the lights on."

    Only 64% of applications were identified as effective by end users.
    Effective applications are identified as at least highly important and have high feature and usability satisfaction.
    Source: Application Portfolio Assessment, August 2021 to July 2022; N=315.

    "Regardless of the many definitions of modernization floating around, the one characteristic that we should be striving for is to ensure our applications do an outstanding job of supporting the users and the business in the most effective and efficient manner possible."
    Source: looksoftware.

    Pressure Point 3:
    Confidently Shifting to Digital

    "Going digital" reshapes how the business operates and drives value by optimizing how digital and traditional technologies and tactics work together. This shift often presents significant business and technical risks to business processes, enterprise data, applications, and systems which stakeholders and teams are not aware of or prepared to accommodate.

    Address the underlying challenges

    • Differing perspectives on digital can lead to disjointed transformation initiatives, oversold benefits, and a lack of synergy among digital technologies and processes.
    • Organizations have difficulty adapting to new technologies or rethinking current business models, processes, and ways of working because of the potential human, ethical, and reputational impacts and restrictions from legacy systems.
    • Management lacks a framework to evaluate how their organization manages and governs business value delivery.
    • IT is not equipped or resourced to address these rapidly changing business, customer, and technology needs.
    • The wrong tools and technologies were chosen to support the shift to digital.

    The shift to digital processes is starting, but slowly.
    62% of respondents indicated that 1-20% of their processes were digitized during the past year.
    Source: Tech Trends and Priorities 2023; N=500

    Resistance to change and time/budget constraints are top barriers preventing companies from modernizing their applications.
    Source: Konveyor, 2022; n=600.

    Pressure Point 4:
    Addressing Competing Priorities

    Enterprise products and services are not used, operated, or branded in isolation. The various parties involved may have competing priorities, which often leads to disagreements on when certain business and technology changes should be made and how resources, budget, and other assets should be allocated. Without a broader product vision, portfolio vision, and roadmap, the various dependent or related products and services will not deliver the same level of value as if they were managed collectively.

    Address the underlying challenges

    • Undefined product and service ownership and governance, including escalation procedures when consensus cannot be reached.
    • Lack of a unified and grounded set of value and quality definitions, guiding principles, prioritization standards, and broad visibility across portfolios, business capabilities, and business functions.
    • Distrust between business units and IT teams, which leads to the scaling of unmanaged applications and fragmented changes and projects.
    • Decisions are based on opinions and experiences without supporting data.

    55% of CXOs stated some improvement is necessary in activities to understand business goals.
    Source: CEO-CIO Alignment Diagnostics, August 2021 to July 2022; n=568.

    CXOs are moderately satisfied with IT's performance as a business partner (average score of 69% among all CXOs). This sentiment is similarly felt among CIOs (64%).
    Source: CEO-CIO Alignment Diagnostics, August 2021 to July 2022; n=568.

    Pressure Point 5:
    Fostering a Collaborative Culture

    Culture impacts business results, including bottom-line revenue and productivity metrics. Leaders appreciate the impact culture can have on applications initiatives and wish to leverage this. How culture translates from an abstract concept to something that is measurable and actionable is not straightforward. Executives need to clarify how the desired culture will help achieve their applications strategy and need to focus on the items that will have the most impact.

    Address the underlying challenges

    • Broad changes do not consider the unique subcultures, personalities, and behaviors of the various teams and individuals in the organization.
    • Leaders mandate cultural changes without alleviating critical barriers and do not embody the principles of the target state.
    • Bureaucracy and politics restrict changes and encourage the status quo.
    • Industry standards, technologies, and frameworks do not support or cannot be tailored to fit the desired culture.
    • Some teams are deliberately excluded from the scoping, planning, and execution of key product and service delivery and management activities.

    Agile does not solve team culture challenges.
    43% of organizations cited organizational culture as a significant barrier to adopting and scaling Agile practices.
    Source: Digital.ai, 2021.

    "Providing a great employee experience" as the second priority (after recruiting) highlights the emphasis organizations are placing on helping employees adjust after having been forced to change the way work gets done.
    Source: McLean & Company, 2022; N=826.

    Use your applications priorities to help address your pressure points

    Success can be dependent on your ability to navigate around or alleviate your pressure points. Design and market your applications priorities to bring attention to your pressure points and position them as key risk factors to their success.

    Applications Priorities
    Digital Experience (DX) Intelligent Automation Proactive Application Management Multisource Systems Digital Organization as a Platform
    Attracting and Retaining Talent Enhance the employee experience Be transparent and support role changes Shift focus from maintenance to innovation Enable business-managed applications Promote and showcase achievements and successes
    Maximizing the Return on Technology Modernize or extend the use of existing investments Automate applications across multiple business functions Improve the reliability of mission-critical applications Enhance the functionality of existing applications Increase visibility of underused applications
    Confidently Shifting to Digital Prioritize DX in your shift to digital Select the capabilities that will benefit most from automation Prepare applications to support digital tools and technologies Use best-of-breed tools to meet specific digital needs Bring all applications up to a common digital standard
    Addressing Competing Priorities Ground your digital vision, goals, and objectives Recognize and evaluate the architectural impact Rationalize the health of the applications Agree on a common philosophy on system composition Map to a holistic platform vision, goals, and objectives
    Fostering a Collaborative Culture Involve all perspectives in defining and delivering DX Involve the end user in the delivery and testing of the automated process Include the technical perspective in the viability of future applications plans Discuss how applications can work together better in an ecosystem Ensure the platform is configured to meet the individual needs of the users
    Creating High-Throughput Teams Establish delivery principles centered on DX Remove manual, error-prone, and mundane tasks Simplify applications to ease delivery and maintenance Alleviate delivery bottlenecks and issues Abstract the enterprise system to expedite delivery

    Digital Experience (DX)

    PRIORITY 1

    • Deliver Valuable User, Customer, Employee, and Brand Experiences

    Delivering valuable digital experiences requires the adoption of good management, governance, and operational practices to accommodate stakeholder, employee, customer, and end-user expectations of digital experiences (e.g. product management, automation, and iterative delivery). Technologies are chosen based on what best enables, delivers, and supports these expectations.

    Introduction

    Digital transformation is not just about new tools and technologies. It is also about delivering a valuable digital experience

    What is digital experience (DX)?

    Digital experience (DX) refers to the interaction between a user and an organization through digital products and services. Digital products and services are tools, systems, devices, and resources that gather, store, and process data; are continuously modernized; and embody eight key attributes that are described on the following slide. DX is broken down into four distinct perspectives*:

    • Customer Experience – The immediate perceptions of transactions and interactions experienced through a customer's journey in the use of the organization's digital
      products and services.
    • End-User Experience – Users' emotions, beliefs, and physical and psychological responses
      that occur before, during, or after interacting with a digital product or service.
    • Brand Experience – The broader perceptions, emotions, thoughts, feelings and actions the public associate with the organization's brand and reputation or its products and services. Brand experience evolves over time as customers continuously engage with the brand.
    • Employee Experience – The satisfaction and experience of an employee through their journey with the organization, from recruitment and hiring to their departure. How an employee embodies and promotes the organization brand and culture can affect their performance, trust, respect, and drive to innovate and optimize.
    Digital Products and Services
    Customer Experience Brand Experience Employee Experience End-User Experience

    Digital products and services have a common set of attributes

    Digital transformation is not just about new tools and technologies. It is also about delivering a valuable digital experience

    • Digital products and services must keep pace with changing business and end-user needs as well as tightly supporting your maturing business model with continuous modernization. Focus your continuous modernization on the key characteristics that drive business value.
    • Fit for purpose: Functionalities are designed and implemented for the purpose of satisfying the end user's needs and solving their problems.
    • User-centric: End users see the product as rewarding, engaging, intuitive, and emotionally satisfying. They want to come back to it.
    • Adaptable: The product can be quickly tailored to meet changing end-user and technology needs with reusable and customizable components.
    • Accessible: The product is available on demand and on the end user's preferred interface.
      End users have a seamless experience across all devices.
    • Private and secured: The end user's activity and data are protected from unauthorized access.
    • Informative and insightful: The product delivers consumable, accurate, and trustworthy real-time data that is important to the end user.
    • Seamless application connection: The product facilitates direct interactions with one or more other products through an uninterrupted user experience.
    • Relationship and network building: The product enables and promotes the connection and interaction of people.

    The Business Value cycle of continuous modernization.

    Signals

    DX is critical for business growth and maturity, but the organization may not be ready

    A good DX has become a key differentiator that gives organizations an advantage over their competition and peers. Shifts in working environments; employee, customer, and stakeholder expectations; and the advancements in modern technologies have raised the importance of adopting and transitioning to digital processes and tools to stay relevant and responsive to changing business and technology conditions.

    Applications teams are critical to ensuring the successful delivery and operation of these digital processes and tools. However, they are often under-resourced and challenged to meet their DX goals.

    • 7% of both business and IT respondents think IT has the resources needed to keep up with digital transformation initiatives and meet deadlines (Cyara, 2021).
    • 43% of respondents said that the core barrier to digital transformation is a lack of skilled resources (Creatio, 2021).
    A circle graph is shown with 91% of the circle coloured in dark blue, with the number 91% in the centre.

    of organizations stated that at least 1% of processes were shifted from being manually completed to digitally completed in the last year. 29% of organizations stated at least 21% were shifted.

    Source: Tech Trends and Priorities 2023; N=500.

    A circle graph is shown with 98% of the circle coloured in dark blue, with the number 98% in the centre.

    of organizations recognized digital transformation is important for competitive advantage. 94% stated it is important to enhance customer experience, and 91% stated it will have a positive impact on revenue.

    Source: Cyara, 2021.

    Drivers

    Brand and reputation

    Customers are swayed by the innovations and advancements in digital technologies and expect your applications team to deliver and support them. Your leaders recognize the importance of these expectations and are integrating them into their business strategy and brand (how the organization presents itself to its customers, employees and the public). They hope that their actions will improve and shape the company's reputation (public perception of the company) as effective, customer-focused, and forward-thinking.

    Worker productivity

    As you evolve and adopt more complex tools and technology, your stakeholders will expect more from business units and IT teams. Unfortunately, teams employing manual processes and legacy systems will struggle to meet these expectations. Digital products and services promote the simplification of complex operations and applications and help the business and your teams better align operational practices with strategic goals and deliver valuable DX.

    Organization modernization

    Legacy processes, systems, and ways of working are no longer suitable for meeting the strategic digital objectives and DX needs stakeholders expect. They drive up operational costs without increased benefits, impede business growth and innovation, and consume scarce budgets that could be used for other priorities. Shifting to digital tools and technologies will bring these challenges to light and demonstrate how modernization is an integral part of DX success.

    Benefits & Risks

    Benefits

    • Flexibility & Satisfaction
    • Adoption
    • Reliability

    Employees and customers can choose how they want to access, modify, and consume digital products and services. They can be tailored to meet the specific functional needs, behaviors, and habits of the end user.

    The customer, end user, brand, and employee drive selection, design, and delivery of digital products and services. Even the most advanced technologies will fail if key roles do not see the value in their use.

    Digital products and services are delivered with technical quality built into them, ensuring they meet the industry, regulatory, and company standards throughout their lifespan and in various conditions.

    Risks

    • Legacy & Lore
    • Bureaucracy & Politics
    • Process Inefficiencies
    • No Quality Standards

    Some stakeholders may not be willing to change due to their familiarity and comfort of business practices.

    Competing and conflicting priorities of strategic products and services undermine digital transformation and broader modernization efforts.

    Business processes are often burdened by wasteful activities. Digital products and services are only as valuable as the processes they support.

    The performance and support of your digital products and services are hampered due to unmanageable technical debt because of a deliberate decision to bypass or omit quality good practices.

    Address your pressure points to fully realize the benefits of this priority

    Success can be dependent on your ability to address your pressure points.

    Attracting and Retaining Talent

    Enhance the employee experience.

    Design the digital processes, tools, and technologies to meet the individual needs of the employee.

    Maximizing the Return on Technology

    Modernize or extend the use of existing investments.

    Drive higher adoption of applications and higher user value and productivity by implementing digital capabilities to the applications that will gain the most.

    Confidently Shifting to Digital

    Prioritize DX in your shift to digital. Include DX as part of your definition of success.

    Your products and services are not valuable if users, customers, and employees do not use them.

    Addressing Competing Priorities

    Ground your digital vision, goals, and objectives

    Establish clear ownership of DX and digital products and services with a cross-functional prioritization framework.

    Fostering a Collaborative Culture

    Involve all perspectives in defining and delivering DX.

    Maintain a committee of owners, stakeholders, and delivery teams to ensure consensus and discuss how to address cross-functional opportunities and risks.

    Creating High-Throughput Teams

    Establish delivery principles centered on DX.

    Enforce guiding principles to streamline and simplify DX delivery, such as plug-and-play architecture and quality standards.

    Recommendations

    Build a digital business strategy

    A digital business strategy clearly articulates the goals and ambitions of the business to adopt digital practices, tools, and technologies. This document:

    • Looks for ways to transform the business by identifying what technologies to embrace, what processes to automate, and what new business models to create.
    • Unifies digital possibilities with your customer experiences.
    • Establishes accountability with the executive leadership.
    • States the importance of cross-functional participation from senior management across the organization.

    Related Research:

    Learn, understand, and empathize with your users, employees, and customers

    • To create a better product, solution, or service, understanding those who use it, their needs, and their context is critical.
    • A great experience design practice can help you balance those goals so that they are in harmony with those of your users.
    • IT leaders must find ways to understand the needs of the business and develop empathy on a much deeper level. This empathy is the foundation for a thriving business partnership.

    Related Research:

    Recommendations

    Center product and service delivery decisions and activities on DX and quality

    User, customer, employee, and brand are integral perspectives on the software development lifecycle (SDLC) and the management and governance practices supporting digital products and services. It ensures quality standards and controls are consistently upheld while maintaining alignment with various needs and priorities. The goal is to come to a consensus on a universal definition and approach to embed quality and DX-thinking throughout the delivery process.

    Related Research:

    Instill collaborative delivery practices

    Today's rapidly scaling and increasingly complex digital products and services create mounting pressure on delivery teams to release new features and changes quickly and with sufficient quality. This pressure is further compounded by the competing priorities of individual stakeholders and the nuances among different personas of digital products and services.

    A collaborative delivery practice sets the activities, channels, and relationships needed to deliver a valuable and quality product or service with cross-functional awareness, accountability, and agreement.

    Related Research:

    Recommendations

    Continuously monitor and modernize your digital products and services

    Today's modern digital products and services are tomorrow's shelfware. They gradually lose their value, and the supporting technologies will become obsolete. Modernization is a continuous need.

    Data-driven insights help decision makers decide which products and services to retire, upgrade, retrain on, or maintain to meet the demands of the business.

    Enhancements focusing on critical business capabilities strengthen the case for investment and build trust with all stakeholders.

    Related Research:

    CASE STUDY
    Mastercard in Asia

    Focus on the customer journey

    Chief Marketing Officer M.V. Rajamannar (Raja) wanted to change Mastercard's iconic "Priceless" ad campaign (with the slogan "There are some things money can't buy. For everything else there's Mastercard."). The main reasons were that the campaign relied on one-way communication and targeted end customers, even though Mastercard doesn't issue cards directly to customers; partner banks do. To drive the change in campaign, Raja and his team created a digital engine that leveraged digital and social media. Digital engine is a seven-step process based on insights gleaned from data and real-time optimization.

    1. Emotional spark: Using data to understand customers' passion points, Mastercard builds videos and creatives to ignite an emotional spark and give customers a reason to engage. For example, weeks before New Year's Eve, Mastercard produced a video with Hugh Jackman to encourage customers to submit a story about someone who deeply mattered to them. The authors of the winning story would be flown to reunite with those both distant and dear.
    2. Engagement: Mastercard targets the right audience with a spark video through social media to encourage customers to share their stories.
    3. Offers: To help its partner banks and merchants in driving their business, the company identifies the best offers to match consumers' interests. In the above campaign, Mastercard's Asia-Pacific team found that Singapore was a favorite destination for Indian customers, so they partnered with Singapore's Resorts World Sentosa with an attractive offer.
    4. Real-time optimization: Mastercard optimizes, in real time, a portfolio of several offers through A/B testing and other analysis.
    5. Amplification: Real-time testing provides confidence to Mastercard about the potential success of these offers and encourages its bank and merchant partners to co-market and co-fund these campaigns.
    6. Network effects: A few weeks after consumers submitted their stories about distant loved ones, Mastercard selected winners, produced videos of them surprising their friends and families, and used these videos in social media to encourage sharing.
    7. Incremental transactions: These programs translate into incremental business for banks who issue cards, for merchants where customers spend money, and for Mastercard, which gets a portion of every transaction.

    Source: Harvard Business Review Press

    CASE STUDY
    Mastercard in Asia (cont'd)

    Focus on the customer journey

    1. Emotional Spark
      Drives genuine personal stories
    2. Engagement
      Through Facebook
      and social media
    3. Offers
      From merchants
      and Mastercard assets
    4. Optimization
      Real-time testing of offers and themes
    5. Amplification
      Paid and organic programmatic buying
    6. Network Effects
      Sharing and
      mass engagement
    7. Incremental Transactions
      Win-win for all parties

    CASE STUDY
    Mastercard in Asia (cont'd)

    The Mastercard case highlights important lessons on how to engage customers:

    • Have a broad message. Brands need to connect with consumers over how they live and spend their time. Organizations need to go beyond the brand or product message to become more relevant to consumers' lives. Dove soap was very successful in creating a conversation among consumers with its "Real Beauty" campaign, which focused not on the brand or even the product category, but on how women and society view beauty.
    • Shift from storytelling to story making. To break through the clutter of advertising, companies need to move from storytelling to story making. A broader message that is emotionally engaging allows for a two-way conversation.
    • Be consistent with the brand value. The brand needs to stand for something, and the content should be relevant to and consistent with the image of the brand. Pepsi announced an award of $20 million in grants to individuals, businesses, and nonprofits that promote a new idea to make a positive impact on community. A large number of submissions were about social causes that had nothing to do with Pepsi, and some, like reducing obesity, were in conflict with Pepsi's product.
    • Create engagement that drives business. Too much entertainment in ads may engage customers but detract from both communicating the brand message and increasing sales. Simply measuring the number of video views provides only a partial picture of a program's success.

    Intelligent Automation

    PRIORITY 2

    • Extend Automation Practices with AI and ML

    AI and ML are rapidly growing. Organizations see the value of machines intelligently executing high-performance and dynamic tasks such as driving cars and detecting fraud. Senior leaders see AI and ML as opportunities to extend their business process automation investments.

    Introduction

    Intelligent automation is the next step in your business process automation journey

    What is intelligent automation (IA)?

    Intelligent automation (IA) is the combination of traditional automation technologies, such as business process management (BPM) and robotic process automation (RPA), with AI and ML. The goal is to further streamline and scale decision making across various business processes by:

    • Removing human interactions.
    • Addressing decisions that involve complex variables.
    • Automatically adapting processes to changing conditions.
    • Bridging disparate automation technologies into an integrated end-to-end value delivery pipeline.

    "For IA to succeed, employees must be involved in the transformation journey so they can experience firsthand the benefits of a new way of working and creating business value," (Cognizant).

    What is the difference between IA and hyperautomation?

    "Hyperautomation is the act of automating everything in an organization that can be automated. The intent is to streamline processes across an organization using intelligent automation, which includes AI, RPA and other technologies, to run without human intervention. … Hyperautomation is a business-driven, disciplined approach that organizations use to rapidly identify, vet, and automate as many business and IT processes as possible" (IBM, 2021).

    Note that hyperautomation often enables IA, but teams solely adopting IA do not need to abide to its automation-first principles.

    IA is a combination of various tools and technologies

    What tools and technologies are involved in IA?

    • Artificial intelligence (AI) & Machine Learning (ML) – AI systems perform tasks mimicking human intelligence such as learning from experience and problem solving. AI is making its own decisions without human intervention. Machine learning systems learn from experience and without explicit instructions. They learn patterns from data then analyze and make predictions based on past behavior and the patterns learned. AI is a combination of technologies and can include machine learning.
    • Intelligent Business Process Management System (iBPMS) – Combination of BPM tools with AI and other intelligence capabilities.
    • Robotic Process Automation (RPA) – Robots leveraging an application's UI rather than programmatic access. Automate rules-based, repetitive tasks performed by human workers with AI/ML.
    • Process Mining & Discovery – Process mining involves reading system event logs and application transactions and applying algorithmic analysis to automatically identify and map inferred business processes. Process discovery involves unintrusive virtual agents that sit on a user's desktop and record and monitor how they interact with applications to perform tasks and processes. Algorithms are then used to map and analyze the processes.
    • Intelligent Document Processing – The conversion of physical or unstructured documents into a structured, digital format that can be used in automation solutions. Optical character recognition (OCR) and natural language processing (NPL) are common tools used to enable this capability.
    • Advanced Analytics – The gathering, synthesis, transformation, and delivery of insightful and consumable information that supports data-driven decision making. Data is queried from various disparate sources and can take on a variety of structured and unstructured formats.

    The cycle of IA technologies

    Signals

    Process automation is an executive priority and requires organizational buy-in

    Stakeholders recognize the importance of business process automation and AI and are looking for ways to deliver more value using these technologies.

    • 90% of executives stated automating business workflows post-COVID-19 will ensure business continuity (Kofax, 2022).
    • 88% of executives stated they need to fast-track their end-to-end digital transformation (Kofax, 2022).

    However, the advertised benefits to vendors of enabling these desired automations may not be easily achievable because of:

    • Manual and undocumented business processes.
    • Fragmented and inaccessible systems.
    • Poor data quality, insights, and security.
    • The lack of process governance and management practice.
    A circle graph is shown with 49% of the circle coloured in dark blue, with the number 49% in the centre.

    of CXOs stated staff sufficiency, skill and engagement issues as a minor IT pain point compared to 51% of CIOs stated this issue as a major pain point.

    Source: CEO-CIO Alignment Diagnostics, August 2021 to July 2022; n=568.

    A circle graph is shown with 36% of the circle coloured in dark blue, with the number 36% in the centre.

    of organizations have already invested in AI or machine learning.

    Source: Tech Trends and Priorities 2023; N=662

    Drivers

    Quality & throughput

    Products and services delivered through an undefined and manual process risk the creation of preventable and catchable defects, security flaws and holes, missing information, and other quality issues. IA solutions consistently reinforce quality standards the same way across all products and services while tailoring outputs to meet an individual's specific needs. Success is dependent on the accurate interpretation and application of quality standards and the user's expectations.

    Worker productivity

    IA removes the tedious, routine, and mundane tasks that distract and restrict employees from doing more valuable, impactful, and cognitively focused activities. Practical insights can also be generated through IA tools that help employees make data-driven decisions, evaluate problems from different angles, and improve the usability and value of the products and services they produce.

    Good process management practices

    Automation magnifies existing inefficiencies of a business process management practice, such as unclear and outdated process documentation and incorrect assumptions. IA reinforces the importance of good business process optimization practices, such as removing waste and inefficiencies in a thoughtful way, choosing the most appropriate automation solution, and configuring the process in the right way to maximize the solution's value.

    Benefits & Risks

    Benefits

    • Documentation
    • Hands-Off
    • Reusability

    All business processes must be mapped and documented to be automated, including business rules, data entities, applications, and control points.

    IA can be configured and orchestrated to automatically execute when certain business, process, or technology conditions are met in an unattended or attended manner.

    IA is applicable in use cases beyond traditional business processes, such as automated testing, quality control, audit, website scraping, integration platform, customer service, and data transfer.

    Risks

    • Data Quality & Bias
    • Ethics
    • Recovery & Security
    • Management

    The accuracy and relevance of the decisions IA makes are dependent on the overall quality of the data
    used to train it.

    Some decisions can have significant reputational, moral, and ethical impacts if made incorrectly.
    The question is whether it is appropriate for a non-human to make that decision.

    IA is composed of technologies that can be compromised or fail. Without the proper monitoring, controls,
    and recovery protocols, impacted IA will generate significant business and IT costs and can potentially harm customers, employees, and the organization.

    Low- and no-code capabilities ease and streamline IA development, which makes it susceptible to becoming unmanageable. Discipline is needed to ensure IA owners are aware of the size and health of the IA portfolio.

    Address your pressure points to fully realize the benefits of this priority

    Success can be dependent on your ability to address your pressure points.

    Attracting and Retaining Talent

    Be transparent and support role changes.

    Plan to address the human sentiment with automation (e.g. job security) and the transition of the role to other activities.

    Maximizing the Return on Technology

    Automate applications across multiple business functions.

    Recognize the value opportunities of improving and automating the integration of cross-functional processes.

    Confidently Shifting to Digital

    Maximize the learning of automation fit.

    Select the right capabilities to demonstrate the value of IA while using lessons learned to establish the appropriate support.

    Addressing Competing Priorities

    Recognize automation opportunities with capability maps.

    Use a capability diagram to align strategic IA objectives with tactical and technical IA initiatives.

    Fostering a Collaborative Culture

    Involve the user in the delivery process.

    Maximize automation adoption by ensuring the user finds value in its use before deployment.

    Creating High-Throughput Teams

    Remove manual, error-prone, and mundane tasks.

    Look for ways to improve team throughput by removing wasteful activities, enforcing quality, and automating away tasks driving down productivity.

    Recommendations

    Build your business process automation playbook and practice

    Formalize your business process automation practice with a good toolkit and a repeatable set of tactics and techniques.

    • Clarify the problem being solved with IA.
    • Optimate your processes. Apply good practices to first optimize (opti-) and then automate (-mate) key business processes.
    • Deliver minimum viable automations (MVAs). Maximize the learning of automation solutions and business operational changes through small, strategic automation use cases.

    Related Research:

    Explore the various IA tooling options

    Each IA tool will address a different problem. Which tool to choose is dependent on a variety of factors, such as functional suitability, technology suitability, delivery and support capabilities, alignment to strategic business goals, and the value it is designed to deliver.

    Related Research:

    Recommendations

    Introduce AI and ML thoughtfully and with a plan

    Despite the many promises of AI, organizations are struggling to fully realize its potential. The reasons boil down to a lack of understanding of when these technologies should and shouldn't be used, as well as a fear of the unknown. The plan to adopt AI should include:

    • Understanding of what AI really means in practice.
    • Identifying specific applications of AI in the business.
    • Understanding the type of AI applicable for the situation.

    Related Research:

    Mitigate AI and ML bias

    Biases can be introduced into an IA system at any stage of the development process, from the data you collect, to the way you collect it, to which algorithms are used and what assumptions were made. In most cases, AI and ML bias is a is a social, political, and business problem.

    While bias may not be intentional nor completely prevented or eliminated, early detection, good design, and other proactive preventative steps can be taken to minimize its scope and impact.

    Related Research:

    CASE STUDY
    University Hospitals

    Challenge

    University Hospitals Cleveland (UH) faces the same challenge that every major hospital confronts regarding how to deliver increasingly complex, high-quality healthcare to a diverse population efficiently and economically. In 2017, UH embarked on a value improvement program aiming to improve quality while saving $400 million over a five-year period.

    In emergency department (ED) and inpatient units, leaders found anticipating demand difficult, and consequently units were often over-staffed when demand was low and under-staffed when demand was high. Hospital leaders were uncertain about how to reallocate resources based on capacity needs.

    Solution

    UH turned to Hospital IQ's Census Solution to proactively manage capacity, staff, and flow in the ED and inpatient areas.

    By applying AI, ML, and external data (e.g. weather forecasts) to the hospital's own data (including EMR data and hospital policies), the solution helped UH make two-day census forecasts that managers used to determine whether to open or close in-patient beds and, when necessary, divert low-acuity patients to other hospitals in the system to handle predicted patient volume.

    Source: University Hospitals

    Results

    ED boarding hours have declined by 10% and the hospital has seen a 50% reduction in the number of patients who leave the hospital without
    being seen.

    UH also predicts in advance patients ready for discharge and identifies roadblocks, reducing the average length of stay by 15%. UH is able to better manage staff, reducing overtime and cutting overall labor costs.

    The hospital has also increased staff satisfaction and improved patient safety by closing specific units on weekends and increasing the number of rooms that can be sterilized.

    Proactive Application Management

    PRIORITY 3

    • Strengthen Applications to Prevent and Minimize the Impact of Future Issues

    Application management is often viewed as a support function rather than an enabler of business growth. Focus and investments are only placed on application management when it becomes a problem. The lack of governance and practice accountability leaves this practice in a chaotic state: politics take over, resources are not strategically allocated, and customers are frustrated. As a result, application management is often reactive and brushed aside for new development.

    Introduction

    What is application management?

    Application management ensures valuable software is successfully delivered and is maintained for continuous and sustainable business operations. It contains a repeatable set of activities needed to rationalize and roadmap products and services while balancing priorities of new features and maintenance tasks.

    Unfortunately, application management is commonly perceived as a practice that solely addresses issues, updates, and incidents. However, application management teams are also tasked with new value delivery that was not part of the original release.

    Why is an effective application maintenance (reactive) practice not good enough?

    Application maintenance is the "process of modifying a software system or its components after delivery to correct faults, improve performance or other attributes, or adapt to a changed environment or business process," (IEEE, 1998). While it is critical to quickly fix defects and issues when they occur, reactively addressing them is more expensive than discovering them early and employing the practices to prevent them.

    Even if an application is working well, its framework, architecture, and technology may not be compatible with the possible upcoming changes stakeholders and vendors may want to undertake. Applications may not be problems now, but they soon can be.

    What motivates proactive application changes?

    This image shows the motivations for proactive application changes, sorted by external and internal sources.

    Proactive application management must be disciplined and applied strategically

    Proactive application management practices are critical to maintaining business continuity. They require continuous review and modification so that applications are resilient and can address current and future scenarios. Depending on the value of the application, its criticality to business operations, and its susceptibility to technology change, a more proactive management approach may be warranted. Stakeholders can then better manage resources and budget according to the needs of specific products.

    Reactive Management

    Run-to-Failure

    Fix and enhance the product when it breaks. In most cases, a plan is in place ahead of a failure, so that the problem can be addressed without significant disruption and costs.

    Preventive

    Regularly inspect and optimize the product to reduce the likelihood that it will fail in the future. Schedule inspections based on a specific timeframe or usage threshold.

    Predictive

    Predict failures before they happen using performance and usage data to alert teams when products are at risk of failure according to specified conditions.

    Reliability and Risk Based

    Analyze all possible failure scenarios for each component of the product and create tailored delivery plans to improve the stability, reliability, and value of each product.

    Proactive Management

    Signals

    Applications begin to degrade as soon as they are used

    Today's applications are tomorrow's shelfware. They gradually lose their value, stability, robustness, and compatibility with other enterprise technologies. The longer these applications are left unattended or simply "keeping the lights on," the more risks they will bring to the application portfolio, such as:

    • Discovery and exploitation of security flaws and gaps.
    • Increasing the lock-in to specific vendor technologies.
    • Inconsistent application performance across various workloads.

    These impacts are further compounded by the continuous work done on a system burdened with technical debt. Technical debt describes the result of avoided costs that, over time, cause ongoing business impacts. Left unaddressed, technical debt can become an existential threat that risks your organization's ability to effectively compete and serve its customers. Unfortunately, most organizations have a significant, growing, unmanageable technical debt portfolio.

    A circle graph is shown with 60% of the circle coloured in dark green, with the number 60% in the centre.

    of respondents stated they saw an increase in perceived change in technical debt during the past three years. A quarter of respondents indicated that it stayed the same.

    Source: McKinsey Digital, 2020.

    US
    $4.35
    Million

    is the average cost of a data breach in 2022. This figure represents a 2.6% increase from last year. The average cost has climbed 12.7% since 2020.

    Source: IBM, 2022; N=537.

    Drivers

    Technical debt

    Historical decisions to meet business demands by deferring key quality, architectural, or other software delivery activities often lead to inefficient and incomplete code, fragile legacy systems, broken processes, data quality problems, and the other contributors to technical debt. The impacts for this challenge is further heightened if organizations are not actively refactoring and updating their applications behind the scenes. Proactive application management is intended to raise awareness of application fragility and prioritize comprehensive refactoring activities alongside new feature development.

    Long-term application value

    Applications are designed, developed, and tested against a specific set of parameters which may become less relevant over time as the business matures, technology changes, and user behaviors and interactions shift. Continuous monitoring of the application system, regular stakeholder and user feedback, and active technology trend research and vendor engagement will reveal tasks to prepare an application for future value opportunities or stability and resilience concerns.

    Security and resiliency

    Innovative approaches to infiltrating and compromising applications are becoming prevailing stakeholder concerns. The loopholes and gaps in existing application security protocols, control points, and end-user training are exploited to gain the trust of unsuspecting users and systems. Proactive application management enforces continuous security reviews to determine whether applications are at risk. The goal is to prevent an incident from happening by hardening or complementing measures already in place.

    Benefits & Risks

    Benefits

    • Consistent Performance
    • Robustness
    • Operating Costs

    Users expect the same level of performance and experience from their applications in all scenarios. A proactive approach ensures the configurations meet the current needs of users and dependent technologies.

    Proactively managed applications are resilient to the latest security concerns and upcoming trends.

    Continuous improvements to the underlying architecture, codebase, and interfaces can minimize the cost to maintain and operate the application, such as the transition to a loosely coupled architecture and the standardization of REST APIs.

    Risks

    • Stakeholder Buy-In
    • Delayed Feature Releases
    • Team Capacity
    • Discipline

    Stakeholders may not see the association between the application's value and its technical quality.

    Updates and enhancements are system changes much like any application function. Depending
    on the priority of these changes, new functions may be pushed off to a future release cycle.

    Applications teams require dedicated capacity to proactively manage applications, but they are often occupied meeting other stakeholder demands.

    Overinvesting in certain application management activities (such as refactoring, re-architecture, and redesign) can create more challenges. Knowing how much to do is important.

    Address your pressure points to fully realize the benefits of this priority

    Success can be dependent on your ability to address your pressure points.

    Attracting and Retaining Talent

    Shift focus from maintenance to innovation.

    Work on the most pressing and critical requests first, with a prioritization framework reflecting cross-functional priorities.

    Maximizing the Return on Technology

    Improve the reliability of mission-critical applications.

    Regularly verify and validate applications are up to date with the latest patches and fixes and comply with industry good practices and regulations.

    Confidently Shifting to Digital

    Prepare applications to support digital tools and technologies.

    Focus enhancements on the key components required to support the integration, performance, and security needs of digital.

    Addressing Competing Priorities

    Rationalize the health of the applications.

    Use data-driven, compelling insights to justify the direction and prioritization of applications initiatives.

    Fostering a Collaborative Culture

    Include the technical perspective in the viability of future applications plans.

    Demonstrate how poorly maintained applications impede the team's ability to deliver confidently and quickly.

    Creating High-Throughput Teams

    Simplify applications to ease delivery and maintenance.

    Refactor away application complexities and align the application portfolio to a common quality standard to reduce the effort to deliver and test changes.

    Recommendations

    Reinforce your application maintenance practice

    Maintenance is often viewed as a support function rather than an enabler of business growth. Focus and investments are only placed on maintenance when it becomes a problem.

    • Justify the necessity of streamlined maintenance.
    • Strengthen triaging and prioritization practices.
    • Establish and govern a repeatable process.

    Ensure product issues, incidents, defects, and change requests are promptly handled to minimize business and IT risks.

    Related Research:

    Build an application management practice

    Apply the appropriate management approaches to maintain business continuity and balance priorities and commitments among maintenance and new development requests.

    This practice serves as the foundation for creating exceptional customer experience by emphasizing cross-functional accountability for business value and product and service quality.

    Related Research:

    Recommendations

    Manage your technical debt

    Technical debt is a type of technical risk, which in turn is business risk. It's up to the business to decide whether to accept technical debt or mitigate it. Create a compelling argument to stakeholders as to why technical debt should be a business priority rather than just an IT one.

    • Define and identify your technical debt.
    • Conduct a business impact analysis.
    • Identify opportunities to better manage technical debt.

    Related Research:

    Gauge your application's health

    Application portfolio management is nearly impossible to perform without an honest and thorough understanding of your portfolio's alignment to business capabilities, business value, total cost of ownership, end-user reception and satisfaction, and technical health.

    Develop data-driven insights to help you decide which applications to retire, upgrade, retrain on, or maintain to meet the demands of the business.

    Related Research:

    Recommendations

    Adopt site reliability engineering (SRE) and DevOps practices

    Site reliability engineering (SRE) is an operational model for running online services more reliably by a team of dedicated reliability-focused engineers.

    DevOps, an operational philosophy promoting development and operations collaboration, can bring the critical insights to make application management practices through SRE more valuable.

    Related Research:

    CASE STUDY
    Government Agency

    Goal

    A government agency needed to implement a disciplined, sustainable application delivery, planning, and management process so their product delivery team could deliver features and changes faster with higher quality. The goal was to ensure change requests, fixes, and new features would relieve requester frustrations, reduce regression issues, and allow work to be done on agreeable and achievable priorities organization-wide. The new model needed to increase practice efficiency and visibility in order to better manage technical debt and focus on value-added solutions.

    Solution

    This organization recognized a number of key challenges that were inhibiting its team's ability to meet its goals:

    • The product backlog had become too long and unmanageable.
    • Delivery resources were not properly allocated to meet the skills and capabilities needed to successfully meet commitments.
    • Quality wasn't defined or enforced, which generated mounting technical debt.
    • There was a lack of clear metrics and defined roles and responsibilities.
    • The business had unrealistic and unachievable expectations.

    Source: Info-Tech Workshop

    Key practices implemented

    • Schedule quarterly business satisfaction surveys.
    • Structure and facilitate regular change advisory board meetings.
    • Define and enforce product quality standards.
    • Standardize a streamlined process with defined roles.
    • Configure management tools to better handle requests.

    Multisource Systems

    PRIORITY 4

    • Manage an Ecosystem Composed of In-House and Outsourced Systems

    Various market and company factors are motivating a review on resource and system sourcing strategies. The right sourcing model provides key skills, resources, and capabilities to meet innovation, time to market, financial, and quality goals of the business. However, organizations struggle with how best to support sourcing partners and to allocate the right number of resources to maximize success.

    Introduction

    A multisource system is an ecosystem of integrated internally and externally developed applications, data, and infrastructure. These technologies can be custom developed, heavily configured vendor solutions, or they may be commercial off-the-shelf (COTS) solutions. These systems can also be developed, supported, and managed by internal staff, in partnership with outsourced contractors, or be completely outsourced. Multisource systems should be configured and orchestrated in a way that maximizes the delivery of specific value drivers for the targeted audience.

    Successfully selecting a sourcing approach is not a simple RFP exercise to choose the lowest cost

    Defining and executing a sourcing approach can be a significant investment and risk because of the close interactions third-party services and partners will have with internal staff, enterprise applications and business capabilities. A careful selection and design is necessary.

    The selection of a sourcing partner is not simple. It involves the detailed inspection and examination of different candidates and matching their fit to the broader vision of the multisource system. In cases where control is critical, technology stack and resource sourcing consolidation to a few vendors and partners is preferred. In other cases, where worker productivity and system flexibility are highly prioritized, a plug-and-play best-of-breed approach is preferred.

    Typical factors involved in sourcing decisions.

    Sourcing needs to be driven by your department and system strategies

    How does the department want to be perceived?

    The image that your applications department and teams want to reflect is frequently dependent on the applications they deliver and support, the resources they are composed of, and the capabilities they provide.

    Therefore, choosing the right sourcing approach should be driven by understanding who the teams are and want to be (e.g. internal builder, an integrator, a plug-in player), what they can or want to do (e.g. custom-develop or implement), and what they can deliver or support (e.g. cloud or on-premises) must be established.

    What value is the system delivering?

    Well-integrated systems are the lifeblood of your organization. They provide the capabilities needed to deliver value to customers, employees, and stakeholders. However, underlying system components may not be sourced under a unified strategy, which can lead to duplicate vendor services and high operational costs.

    The right sourcing approach ensures your partners address key capabilities in your system's delivery and support, and that they are positioned to maximize the value of critical and high-impact components.

    Signals

    Business demand may outpace what vendors can support or offer

    Outsourcing and shifting to a buy-over-build applications strategy are common quick fixes to dealing with capacity and skills gaps. However, these quick fixes often become long-term implementations that are not accounted for in the sourcing selection process. Current application and resource sourcing strategies must be reviewed to ensure that vendor arrangements meet the current and upcoming demands and challenges of the business, customers, and enterprise technologies, such as:

    • Pressure from stakeholders to lower operating costs while maintaining or increasing quality and throughput.
    • Technology lock-in that addresses short-term needs but inhibits long-term growth and maturity.
    • Team capacity and talent acquisition not meeting the needs of the business.
    A circle graph is shown with 42% of the circle coloured in dark brown, with the number 42% in the centre.

    of respondents stated they outsourced software development fully or partly in the last 12 months (2021).

    Source: Coding Sans, 2021.

    A circle graph is shown with 65% of the circle coloured in dark brown, with the number 65% in the centre.

    of respondents stated they were at least somewhat satisfied with the result of outsourcing software development.

    Source: Coding Sans, 2021.

    Drivers

    Business-managed applications

    Employees are implementing and building applications without consulting, notifying, or heeding the advice of IT. IT is often ill-equipped and under-resourced to fight against shadow IT. Instead, organizations are shifting the mindset of "fight shadow IT" to "embrace business-managed applications," using good practices in managing multisource systems. A multisource approach strikes the right balance between user empowerment and centralized control with the solutions and architecture that can best enable it.

    Unique problems to solve

    Point solutions offer features to address unique use cases in uncommon technology environments. However, point solutions are often deployed in siloes with limited integration or overlap with other solutions. The right sourcing strategy accommodates the fragmented nature of point solutions into a broader enterprise system strategy, whether that be:

    • Multisource best of breed – integrate various technologies that provide subsets of the features needed for supporting business functions.
    • Multisource custom – integrate systems built in-house with technologies developed by external organizations.
    • Vendor add-ons and integrations – enhance an existing vendor's offering by using their system add-ons as upgrades, new add-ons, or integrations.

    Vendor services

    Some vendor services in a multisource environment may be redundant, conflicting, or incompatible. Given that multisource systems are regularly changing, it is difficult to identify what services are affected, what would be needed to fill the gap of the removed solution, or which redundant services should be removed.

    A multisource approach motivates the continuous rationalization of your vendor services and partners to determine the right mixture of in-house and outsourced resources, capabilities, and technologies.

    Benefits & Risks

    Benefits

    • Business-Focused Solution
    • Flexibility
    • Cost Optimization

    Multisource systems can be designed to support an employee's ability to select the tools they want and need.

    The environment is architected in a loosely coupled approach to allow applications to be easily added, removed, and modified with minimized impact to other integrated applications.

    Rather than investing in large solutions upfront, applications are adopted when they are needed and are removed when little value is gained. Disciplined application portfolio management is necessary to see the full value of this benefit.

    Risks

    • Manageable Sprawl
    • Policy Adherence
    • Integration & Compatibility

    The increased number and diversity of applications in multisource system environments can overwhelm system managers who do not have an effective application portfolio management practice.

    Fragmented application implementations risk inconsistent adherence to security and other quality policies, especially in situations where IT is not involved.

    Application integration can quickly become tangled, untraceable, and unmanageable because of varying team and vendor preferences for specific integration technologies and techniques.

    Address your pressure points to fully realize the benefits of this priority

    Success can be dependent on your ability to address your pressure points.

    Attracting and Retaining Talent

    Enable business-managed applications.

    Create the integrations to enable the easy connection of desired tools to enterprise systems with the appropriate guardrails.

    Maximizing the Return on Technology

    Enhance the functionality of existing applications.

    Complement current application capability gaps with data, features, and services from third-party applications.

    Confidently Shifting to Digital

    Use best-of-breed tools to meet specific digital needs.

    Select the best tools to meet the unique and special functional needs of the digital vision.

    Addressing Competing Priorities

    Agree on a common philosophy on system composition.

    Establish an owner of the multisource system to guide how the system should mature as the organization grows.

    Fostering a Collaborative Culture

    Discuss how applications can work together better in an ecosystem.

    Build committees to discuss how applications can better support each other and drive more value.

    Creating High-Throughput Teams

    Alleviate delivery bottlenecks and issues.

    Leverage third-party sources to fill skills and capacity gaps until a long-term solution can be implemented.

    Recommendations

    Define the goals of your applications department and product vision

    Understanding the applications team's purpose and image is critical in determining how the system they are managing and the skills and capacities they need should be sourced.

    Changing and conflicting definitions of value and goals make it challenging to convey an agreeable strategy of the multisource system. An achievable vision and practical tactics ensure all parties in the multisource system are moving in the same direction.

    Related Research:

    Develop a sourcing partner strategy

    Almost half of all sourcing initiatives do not realize projected savings, and the biggest reason is the choice of partner (Zhang et al., 2018). Making the wrong choice means inferior products, higher costs and the loss of both clients and reputation.

    Choosing the right sourcing partner involves understanding current skills and capacities, finding the right matching partner based on a desired profile, and managing a good working relationship that sees short-term gains and supports long-term goals.

    Related Research:

    Recommendations

    Strengthen enterprise integration practices

    Integration strategies that are focused solely on technology are likely to complicate rather than simplify because little consideration is given on how other systems and processes will be impacted. Enterprise integration needs to bring together business process, applications, and data – in that order.

    Kick-start the process of identifying opportunities for improvement by mapping how applications and data are coordinated to support business activities.

    Related Research:

    Manage your solution architecture and application portfolio

    Haphazardly implementing and integrating applications can generate significant security, performance, and data risks. A well-thought-through solution architecture is essential in laying the architecture quality principles and roadmap on how the multisource system can grow and evolve in a sustainable and maintainable way.

    Good application portfolio management complements the solution architecture as it indicates when low-value and unused applications should be removed to reduce system complexity.

    Related Research:

    Recommendations

    Embrace business-managed applications

    Multisource systems bring a unique opportunity to support the business and end users' desire to implement and develop their own applications. However, traditional models of managing applications may not accommodate the specific IT governance and management practices required to operate business-managed applications:

    • A collaborative and trusting business-IT relationship is key.
    • The role of IT must be reimagined.
    • Business must be accountable for its decisions.

    Related Research:

    CASE STUDY
    Cognizant

    Situation

    • Strives to be primarily an industry-aligned organization that delivers multiple service lines in multiple geographies.
    • Cognizant seeks to carefully consider client culture to create a one-team environment.
    • Value proposition is a consultative approach bringing thought leadership and mutually adding value to the relationship vs. the more traditional order-taker development partner.
    • Wants to share in solution development to facilitate shared successes. Geographic alignment drives knowledge of the client and their challenges, not just about time zone and supportability.
    • Offers one of the largest offshore capabilities in the world, supported by local and nearshore resources to drive local knowledge.
    • Today's clients don't typically want a black box, they are sophisticated and want transparency around the process and solution, to have a partner.
    • Clients do want to know where the work is being delivered from, how it's being done.

    Source: interview with Jay MacIsaac, Cognizant.

    Approach

    • Best relationship comes where teams operate as one.
    • Clients are seeking value, not a development black box.
    • Clients want to have a partner they can engage with, not just an order taker.
    • Want to build a one-team culture with shared goals and deliver business value.
    • Seek a partner that will add to their thinking not echo it.

    Results

    • Cognizant is continuing to deliver double-digit growth and continues to strive for top quartile performance.
    • Growth in the client base has seen the company grow to over 340,000 associates worldwide.

    Digital Organization as a Platform

    PRIORITY 5

    • Create a Common Digital Interface to Access All Products and Services

    A digital platform enables organizations to leverage a flexible, reliable, and scalable foundation to create a valuable DX, ease delivery and management efforts, maximize existing investments, and motivate the broader shift to digital. This approach provides a standard to architect, integrate, configure, and modernize the applications that compose the platform.

    Introduction

    What is digital organization as a platform (DOaaP)?

    Digital organization as a platform (DOaaP) is a collection of integrated digital services, products, applications, and infrastructure that is used as a vehicle to meet and exceed an organization's digital strategies. It often serves as an accessible "place for exchanges of information, goods, or services to occur between producers and consumers as well as the community that interacts
    with said platform" (Watts, 2020).

    DOaaP involves a strategy that paves the way for organizations to be digital. It helps organizations use their assets (e.g. data, processes, products, services) in the most effective ways and become more open to cooperative delivery, usage, and management. This opens opportunities for innovation and cross-department collaborations.

    How is DOaaP described?

    1. Open and Collaborative
      • Open organization: open data, open APIs, transparency, and user participation.
      • Collaboration, co-creation, crowdsourcing, and innovation
    2. Accessible and Connected
      • Digital inclusion
      • Channel ubiquity
      • Integrity and interoperability
      • Digital marketplace
    3. Digital and Programmable
      • Digital identity
      • Policies and processes as code
      • Digital products and services
      • Enabling digital platforms

    Digital organizations follow a common set of principles and practices

    Customer-centricity

    Digital organizations are driven by customer focus, meeting and exceeding customer expectations. It must design its services with a "digital first" principle, providing access through every expected channel and including seamless integration and interoperability with various departments, partners, and third-party services. It also means creating trust in its ability to provide secure services and to keep privacy and ethics as core pillars.

    Leadership, management, and strategies

    Digital leadership brings customer focus to the enterprise and its structures and organizes efficient networks and ecosystems. Accomplishing this means getting rid of silos and a siloed mentality and aligning on a digital vision to design policies and services that are efficient, cost-effective, and provide maximum benefit to the user. Asset sharing, co-creation, and being open and transparent become cornerstones of a digital organization.

    Infrastructure

    Providing digital services across demographics and geographies requires infrastructure, and that in turn requires long-term vision, smart investments, and partnerships with various source partners to create the necessary foundational infrastructure upon which to build digital services.

    Digitization and automation

    Automation and digitization of processes and services, as well as creating digital-first products, lead to increased efficiency and reach of the organization across demographics and geographies. Moreover, by taking a digital-first approach, digital organizations future-proof their services and demonstrate their commitment to stakeholders.

    Enabling platforms

    DOaaP embraces open standards, designing and developing organizational platforms and ecosystems with a cloud-first mindset and sound API strategies. Developer experience must also take center stage, providing the necessary tools and embracing Agile and DevOps practices and culture become prerequisites. Cybersecurity and privacy are central to the digital platform; hence they must be part of the design and development principles and practices.

    Signals

    The business expects support for digital products and services

    Digital transformation continues to be a high-priority initiative for many organizations, and they see DOaaP as an effective way to enable and exploit digital capabilities. However, DOaaP unleashes new strategies, opportunities, and challenges that are elusive or unfamiliar to business leaders. Barriers in current business operating models may limit DOaaP success, such as:

    • Department and functional silos
    • Dispersed, fragmented and poor-quality data
    • Ill-equipped and under-skilled resources to support DOaaP adoption
    • System fragmentation and redundancies
    • Inconsistent integration tactics employed across systems
    • Disjointed user experience leading to low engagement and adoption

    DOaaP is not just about technology, and it is not the sole responsibility of either IT or business. It is the collective responsibility of the organization.

    A circle graph is shown with 47% of the circle coloured in dark blue, with the number 47% in the centre.

    of organizations plan to unlock new value through digital. 50% of organizations are planning major transformation over the next three years.

    Source: Nash Squared, 2022.

    A circle graph is shown with 70% of the circle coloured in dark blue, with the number 70% in the centre.

    of organizations are undertaking digital expansion projects focused on scaling their business with technology. This result is up from 57% in 2021.

    Source: F5 Inc, 2022.

    Drivers

    Unified brand and experience

    Users should have the same experience and perception of a brand no matter what product or service they use. However, fragmented implementation of digital technologies and inconsistent application of design standards makes it difficult to meet this expectation. DOaaP embraces a single design and DX standard for all digital products and services, which creates a consistent perception of your organization's brand and reputation irrespective of what products and services are being used and how they are accessed.

    Accessibility

    Rapid advancement of end-user devices and changes to end-user behaviors and expectations often outpace an organization's ability to meet these requirements. This can make certain organization products and services difficult to find, access and leverage. DOaaP creates an intuitive and searchable interface to all products and services and enables the strategic combination of technologies to collectively deliver more value.

    Justification for modernization

    Many opportunities are left off the table when legacy systems are abstracted away rather than modernized. However, legacy systems may not justify the investment in modernization because their individual value is outweighed by the cost. A DOaaP initiative motivates decision makers to look at the entire system (i.e. modern and legacy) to determine which components need to be brought up to a minimum digital state. The conversation has now changed. Legacy systems should be modernized to increase the collective benefit of the entire DOaaP.

    Benefits & Risks

    Benefits

    • Look & Feel
    • User Adoption
    • Shift to Digital

    A single, modern, customizable interface enables a common look and feel no matter what and how the platform is being accessed.

    Organizations can motivate and encourage the adoption and use of all products and services through the platform and increase the adoption of underused technologies.

    DOaaP motivates and supports the modernization of data, processes, and systems to meet the goals and objectives outlined in the broader digital transformation strategy.

    Risks

    • Data Quality
    • System Stability
    • Ability to Modernize
    • Business Model Change

    Each system may have a different definition of commonly used entities (e.g. customer), which can cause data quality issues when information is shared among these systems.

    DOaaP can stress the performance of underlying systems due to the limitations of some systems to handle increased traffic.

    Some systems cannot be modernized due to cost constraints, business continuity risks, vendor lock-in, legacy and lore, or other blocking factors.

    Limited appetite to make the necessary changes to business operations in order to maximize the value of DOaaP technologies.

    Address your pressure points to fully realize the benefits of this priority

    Success can be dependent on your ability to address your pressure points.

    Attracting and Retaining Talent Promote and showcase achievements and successes. Share the valuable and innovative work of your teams across the organization and with the public.
    Maximizing the Return on Technology Increase visibility of underused applications. Promote the adoption and use of all products and services through the platform and use the lessons learned to justify removal, updates or modernizations.
    Confidently Shifting to Digital Bring all applications up to a common digital standard. Define the baseline digital state all applications, data, and processes must be in to maximize the value of the platform.
    Addressing Competing Priorities Map to a holistic platform vision, goals and objectives. Work with relevant stakeholders, teams and end users to agree on a common directive considering all impacted perspectives.
    Fostering a Collaborative Culture Ensure the platform is configured to meet the individual needs of the users. Tailor the interface and capabilities of the platform to address users' functional and personal concerns.
    Creating High-Throughput Teams Abstract the enterprise system to expedite delivery. Use the platform to standardize application system access to simplify platform changes and quicken development and testing.

    Recommendations

    Define your platform vision

    Organizations realize that a digital model is the way to provide more effective services to their customers and end users in a cost-effective, innovative, and engaging fashion. DOaaP is a way to help support this transition.

    However, various platform stakeholders will have different interpretations of and preferences for what this platform is intended to solve, what benefits it is supposed to deliver, and what capabilities it will deliver. A grounded vision is imperative to steer the roadmap and initiatives.

    Related Research:

    Assess and modernize your applications

    Certain applications may not sufficiently support the compatibility, flexibility, and efficiency requirements of DOaaP. While workaround technologies and tactics can be employed to overcome these application challenges, the full value of the DOaaP may not be realized.

    Reviewing the current state of the application portfolio will indicate the functional and value limitations of what DOaaP can provide and an indication of the scope of investment needed to bring applications up to a minimum state.

    Related Research:

    Recommendations

    Understand and evaluate end-user needs

    Technology has reached a point where it's no longer difficult for teams to build functional and valuable digital platforms. Rather, the difficulty lies in creating an interface and platform that people want to use and use frequently.

    While it is important to increase the access and promotion of all products and services, orchestrating and configuring them in a way to deliver a satisfying experience is even more important. Applications teams must first learn about and empathize with the needs of end users.

    Related Research:

    Architect your platform

    Formalizing and constructing DOaaP just for the sake of doing so often results in an initiative that is lengthy and costly and ends up being considered a failure.

    The build and optimization of the platform must be predicated on a thorough understanding of the DOaaP's goals, objectives, and priorities and the business capabilities and process they are meant to support and enable. The appropriate architecture and delivery practices can then be defined and employed.

    Related Research:

    CASE STUDY
    e-Estonia

    Situation

    The digital strategy of Estonia resulted in e-Estonia, with the vision of "creating a society with more transparency, trust, and efficiency." Estonia has addressed the challenge by creating structures, organizations, and a culture of innovation, and then using the speed and efficiency of digital infrastructure, apps, and services. This strategy can reduce or eliminate bureaucracy through transparency and automation.

    Estonia embarked on its journey to making digital a priority in 1994-1996, focusing on a committed investment in infrastructure and digital literacy. With that infrastructure in place, they started providing digital services like an e-banking service (1996), e-tax and mobile parking (2002), and then went full steam ahead with a digital information interoperability platform in 2001, digital identity in 2002, e-health in 2008, and e-prescription in 2010. The government is now strategizing for AI.

    Results

    This image contains the results of the e-Estonia case study results

    Source: e-Estonia

    Practices employed

    The e-Estonia digital government model serves as a reference for governments across the world; this is acknowledged by the various awards it has received, like #2 in "internet freedom," awarded by Freedom House in 2019; #1 on the "digital health index," awarded by the Bertelsmann Foundation in 2019; and #1 on "start-up friendliness," awarded by Index Venture in 2018.

    References

    "15th State of Agile Report." Digital.ai, 2021. Web.
    "2022 HR Trends Report." McLean & Company, 2022.
    "2022: State of Application Strategy Report." F5 Inc, 2022.
    "Are Executives Wearing Rose-Colored Glasses Around Digital Transformation?" Cyara, 2021. Web.
    "Cost of a Data Breach Report 2022." IBM, 2022. Web.
    Dalal, Vishal, et al. "Tech Debt: Reclaiming Tech Equity." McKinsey Digital, Oct. 2020. Web.
    "Differentiating Between Intelligent Automation and Hyperautomation." IBM, 15 October 2021. Web.
    "Digital Leadership Report 2021." Harvey Nash Group, 2021.
    "Digital Leadership Report 2022: The State of Digital." Nash Squared, 2022. Web.
    Gupta, Sunil. "Driving Digital Strategy: A Guide to Reimagining Your Business." Harvard Business Review Press, 2018. Web.
    Haff, Gordon. "State of Application Modernization Report 2022." Konveyor, 2022. Web.
    "IEEE Standard for Software Maintenance: IEEE Std 1219-1998." IEEE Standard for Software Maintenance, 1998. Accessed Dec. 2015.
    "Intelligent Automation." Cognizant, n.d. Web.
    "Kofax 2022: Intelligent Automation Benchmark Study". Kofax, 2021. Web.
    McCann, Leah. "Barco's Virtual Classroom at UCL: A Case Study for the Future of All University Classrooms?" rAVe, 2 July 2020, Web.
    "Proactive Staffing and Patient Prioritization to Decompress ED and Reduce Length of Stay." University Hospitals, 2018. Web.
    "Secrets of Successful Modernization." looksoftware, 2013. Web.
    "State of Software Development." Coding Sans, 2021. Web.
    "The State of Low-Code/No-Code." Creatio, 2021. Web.
    "We Have Built a Digital Society and We Can Show You How." e-Estonia. n.d. Web.
    Zanna. "The 5 Types of Experience Series (1): Brand Experience Is Your Compass." Accelerate in Experience, 9 February 2020. Web.
    Zhang, Y. et al. "Effects of Risks on the Performance of Business Process Outsourcing Projects: The Moderating Roles of Knowledge Management Capabilities." International Journal of Project Management, 2018, vol. 36 no. 4, 627-639.

    Research Contributors and Experts

    This is a picture of Chris Harrington

    Chris Harrington
    Chief Technology Officer
    Carolinas Telco Federal Credit Union

    Chris Harrington is Chief Technology Officer (CTO) of Carolinas Telco Federal Credit Union. Harrington is a proven leader with over 20 years of experience developing and leading information technology and cybersecurity strategies and teams in the financial industry space.

    This is a picture of Benjamin Palacio

    Benjamin Palacio
    Senior Information Technology Analyst County of Placer

    Benjamin Palacio has been working in the application development space since 2007 with a strong focus on system integrations. He has seamlessly integrated applications data across multiple states into a single reporting solution for management teams to evaluate, and he has codeveloped applications to manage billions in federal funding. He is also a CSAC-credentialed IT Executive (CA, USA).

    This is a picture of Scott Rutherford

    Scott Rutherford
    Executive Vice President, Technology
    LGM Financial Services Inc.

    Scott heads the Technology division of LGM Financial Services Inc., a leading provider of warranty and financing products to automotive OEMs and dealerships in Canada. His responsibilities include strategy and execution of data and analytics, applications, and technology operations.

    This is a picture of Robert Willatts

    Robert Willatts
    IT Manager, Enterprise Business Solutions and Project Services
    Town of Newmarket

    Robert is passionate about technology, innovation, and Smart City Initiatives. He makes customer satisfaction as the top priority in every one of his responsibilities and accountabilities as an IT manager, such as developing business applications, implementing and maintaining enterprise applications, and implementing technical solutions. Robert encourages communication, collaboration, and engagement as he leads and guides IT in the Town of Newmarket.

    This is a picture of Randeep Grewal

    Randeep Grewal
    Vice President, Enterprise Applications
    Red Hat

    Randeep has over 25 years of experience in enterprise applications, advanced analytics, enterprise data management, and consulting services, having worked at numerous blue-chip companies. In his most recent role, he is the Vice President of Enterprise Applications at Red Hat. Reporting to the CIO, he is responsible for Red Hat's core business applications with a focus on enterprise transformation, application architecture, engineering, and operational excellence. He previously led the evolution of Red Hat into a data-led company by maturing the enterprise data and analytics function to include data lake, streaming data, data governance, and operationalization of analytics for decision support.

    Prior to Red Hat, Randeep was the director of global services strategy at Lenovo, where he led the strategy using market data to grow Lenovo's services business by over $400 million in three years. Prior to Lenovo, Randeep was the director of advanced analytics at Alliance One and helped build an enterprise data and analytics function. His earlier work includes seven years at SAS, helping SAS become a leader in business analytics, and at KPMG consulting, where he managed services engagements at Fortune 100 companies.

    Identify and Reduce Agile Contract Risk

    • Buy Link or Shortcode: {j2store}232|cart{/j2store}
    • member rating overall impact: 8.0/10 Overall Impact
    • member rating average dollars saved: $10,000 Average $ Saved
    • member rating average days saved: 20 Average Days Saved
    • Parent Category Name: Vendor Management
    • Parent Category Link: /vendor-management
    • Customer maturity levels with Agile are low, with 67% of organizations using Agile for less than five years.
    • Customer competency levels with Agile are also low, with 84% of organizations stating they are below a high level of competency.
    • Contract disputes are the number one or two types of disputes faced by organizations across all industries.

    Our Advice

    Critical Insight

    • Agile contracts require different wording and protections than traditional or waterfall contracts.
    • Agile buzzwords by themselves do not create an Agile contract.
    • There is a delicate balance between being overly prescriptive in an Agile contract and too lax.

    Impact and Result

    • Identify options for Agile contract provisions.
    • Manage Agile contract risk by selecting the appropriate level of protections for an Agile project.
    • Harness the power of Agile development and collaboration with the vendor while preserving contractual flexibility.
    • Focus on the correct contract clauses to manage Agile risk.

    Identify and Reduce Agile Contract Risk Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should treat Agile contracts differently from traditional or waterfall contracts, and review Info-Tech’s methodology, and understand the twelve contract clauses that are different for Agile contracts.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Identify and evaluate options

    Use the information in this blueprint and Info-Tech’s Agile Contract Playbook-Checklist to review and assess your Agile contracts, ensuring that the provisions and protections are suitable for Agile contracts specifically.

    • Agile Contracts Playbook-Checklist
    [infographic]

    Workshop: Identify and Reduce Agile Contract Risk

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Identify and Evaluate Options

    The Purpose

    To understand Agile-specific contract clauses, to improve risk identification, and to be more effective at negotiating Agile contract terms.

    Key Benefits Achieved

    Increased awareness of how Agile contract provisions are different from traditional or waterfall contracts in 12 key areas.

    Understanding available options.

    Understanding the impact of being too prescriptive.

    Activities

    1.1 Review the Agile Contract Playbook-Checklist.

    1.2 Review 12 contract provisions and reinforce key learnings with exercises.

    Outputs

    Configured Playbook-Checklist as applicable

    Exercise results and debrief

    Data and Analytics Trends 2023

    • Buy Link or Shortcode: {j2store}208|cart{/j2store}
    • member rating overall impact: 9.0/10 Overall Impact
    • member rating average dollars saved: After each Info-Tech experience, we ask our members to quantify the real-time savings, monetary impact, and project improvements our research helped them achieve.
    • member rating average days saved: Read what our members are saying
    • Parent Category Name: Business Intelligence Strategy
    • Parent Category Link: /business-intelligence-strategy

    Data is a unique resource that keeps growing, presenting opportunities along the way. CIOs and IT leaders can use rapidly evolving technologies and capabilities to harness this data and its value for the organization.

    IT leaders must prepare their teams and operations with the right knowledge, capabilities, and strategies to make sure they remain competitive in 2023 and beyond. Nine trends that expand on the three common Vs of data – volume, velocity, and variety – can help guide the way.

    Focus on trends that align with your opportunities and challenges

    The path to becoming more competitive in a data-driven economy differs from one company to the next. IT leaders should use the data and analytics trends that align most with their organizational goals and can lead to positive business outcomes.

    1. Prioritize your investments: Conduct market analysis and prioritize the data and analytics investments that will be critical to your business.
    2. Build a robust strategy: Identify a clear path between your data vision and business outcomes to build a strategy that’s a good fit for your organization.
    3. Inspire practical innovation: Follow a pragmatic approach to implementing trends that range from data gravity and democratization to data monetization and augmented analytics.

    Data and Analytics Trends 2023 Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Data and Analytics Trends Report 2023 – A report that explores nine data use cases for emerging technologies that can improve on capabilities needed to compete in the data-driven economy.

    Data technologies are rapidly evolving. Understanding data's art of the possible is critical. However, to adapt to these upcoming data trends, a solid data management foundation is required. This report explores nine data trends based on the proven framework of data V's: Volume, Velocity, Variety, Veracity, Value, Virtue, Visualization, Virality, and Viscosity.

    • Data and Analytics Trends Report 2023
    [infographic]

    Further reading

    Data and Analytics Trends Report 2023

    SOONER OR LATER, YOU WILL BE IN THE DATA BUSINESS!

    Nine Data Trends for 2023

    In this report, we explore nine data use cases for emerging technologies that can improve on capabilities needed to compete in the data-driven economy. Use cases combine emerging data trends and modernization of existing capabilities.

    1. VOLUME
      • Data Gravity
    2. VELOCITY
    • Democratizing Real-Time Data
  • VARIETY
    • Augmented Data Management
  • VERACITY
    • Identity Authenticity
  • VALUE
    • Data Monetization
  • VIRTUE
    • Adaptive Data Governance
  • VISUALIZATION
    • AI-Driven Storytelling & Augmented Analytics
  • VIRALITY
    • Data Marketplace
  • VISCOSITY
    • DevOps – DataOps – XOps

    VOLUME

    Data Gravity

    Trend 01 Demand for storage and bandwidth continues to grow

    When organizations begin to prioritize data, they first consider the sheer volume of data, which will influence data system design. Your data systems must consider the existing and growing volume of data by assessing industry initiatives such as digital transformation, Industry 4.0, IoT, consumer digital footprint, etc.

    The largest data center in the world is a citadel in Reno, Nevada, that stretches over 7.2 million square feet!

    Source: Cloudwards, 2022

    IoT devices will generate 79.4 zettabytes of data
    by 2025.

    Source: IDC, 2019

    There were about 97
    zettabytes of data generated worldwide in 2022.

    Source: “Volume of Data,” Statista, 2022

    VOLUME

    Data Gravity

    Data attracts more data and an ecosystem of applications and services

    SharePoint, OneDrive, Google Drive, and Dropbox offer APIs and integration opportunities for developers to enhance their products.

    Social media platforms thought about this early by allowing for an ecosystem of filters, apps, games, and effects that engage their users with little to no additional effort from internal resources.

    The image contains four logos. SharePoint, OneDrive, Google Drive, and Dropbox.

    VOLUME

    Data Gravity

    Focus on data gravity and avoid cloud repatriation

    Data gravity is the tendency of data to attract applications, services, and other data. A growing number of cloud migration decisions will be made based on the data gravity concept. It will become increasingly important in data strategies, with failure potentially resulting in costly cloud repatriations.

    Emerging technologies and capabilities:

    Data Lakehouse, Data Mesh, Data Fabric, Hybrid Data, Cloud Data, Edge Computing

    47%

    Centralized cloud storage going down in 2 years

    22%
    25%

    Hybrid storage (centralized + edge) going up in 2 years

    47%

    Source: CIO, 2022

    VOLUME

    Data Gravity

    What worked for terabytes is ineffective for petabytes

    When compared to on-premises infrastructure, cloud computing is less expensive and easier to implement. However, poor data replication and data gravity can significantly increase cloud costs to the point of failure. Data gravity will help organizations make better cloud migration decisions.

    It is also critical to recognize changes in the industry landscape. The goal of data processing and analytics is to generate the right data for users to act on. In most cases, the user is a human being, but in the case of autonomous driving (AD), the car takes on the role of the user (DXC Technology).

    To avoid cloud repatriation, it will become prudent for all organizations to consider data gravity and the timing of cloud migration.

    The image contains a diagram on data gravity.

    VELOCITY

    Democratizing Real-Time Data

    Trend 02 Real-time analytics presents an important differentiator

    The velocity element of data can be assessed from two standpoints: the speed at which data is being generated and how fast the organization needs to respond to the incoming information through capture, analysis, and use. Traditionally data was processed in a batch format (all at once or in incremental nightly data loads). There is a growing demand to process data continuously using streaming data-processing techniques.

    Emerging technologies and capabilities:

    Edge Computing

    Google announced it has a quantum computer that is 100 million times faster than any classical computer in its lab.

    Source: Science Alert, 2015

    The number of qubits in quantum computers has been increasing dramatically, from 2 qubits in 1998 to 128 qubits in 2019.

    Source: Statista, 2019

    IBM released a 433-qubit quantum chip named Osprey in 2022 and expects to surpass 1,000 qubits with its next chip, Condor, in 2023.

    Source: Nature, 2023

    VELOCITY

    Democratizing Real-Time Data

    Make data accessible to everyone in real time

    • 90% of an organization’s data is replicated or redundant.
    • Build API and web services that allow for live access to data.
    • Most social media platforms, like Twitter and Facebook, have APIs that offer access to incredible amounts of data and insights.

    VELOCITY

    Democratizing Real-Time Data

    Trend in Data Velocity

    Data democratization means data is widely accessible to all stakeholders without bottlenecks or barriers. Success in data democratization comes with ubiquitous real-time analytics. Google highlights a need to address democratization in two different frames:

    1. Democratizing stream analytics for all businesses to ensure real-time data at the company level.
    2. Democratizing stream analytics for all personas and the ability of all users to generate real-time insights.

    Emerging technologies and capabilities:

    Data Lakehouse, Streaming API Ecosystem, Industry 4.0, Zero-Copy Cloning

    Nearly 70% of all new vehicles globally will be connected to the internet by 2023.

    Source: “Connected light-duty vehicles,” Statista, 2022

    VELOCITY

    Democratizing Real-Time Data

    Enable real-time processing with API

    In the past, data democratization has largely translated into a free data set and open data portals. This has allowed the government to freely share data with the public. Also, the data science community has embraced the availability of large data sets such as weather data, stock data, etc. In the future, more focus will be on the combination of IoT and steaming analytics, which will provide better responsiveness and agility.

    Many researchers, media companies, and organizations now have easy access to the Twitter/Facebook API platform to study various aspects of human behavior and sentiments. Large technology companies have already democratized their data using real-time APIs.

    Thousands of sources for open data are available at your local municipalities alone.

    6G will push Wi-Fi connectivity to 1 terabyte per second! This is expected to become commercially available by 2030.

    VARIETY

    Augmented Data Management

    Trend 03 Need to manage unstructured data

    The variety of data types is increasingly diverse. Structured data often comes from relational databases, while unstructured data comes from several sources such as photos, video, text documents, cell phones, etc. The variety of data is where technology can drive business value. However, unstructured data also poses a risk, especially for external data.

    The number of IoT devices could rise to 30.9 billion by 2025.

    Source: “IoT and Non-IoT Connections Worldwide,” Statista, 2022

    The global edge computing market is expected to reach $250.6 billion by 2024.

    Source: “Edge Computing,” Statista, 2022

    Genomics research is expected to generate between 2 and 40 exabytes of data within the next decade.

    Source: NIH, 2022

    VARIETY

    Augmented Data Management

    Employ AI to automate data management

    New tools will enhance many aspects of data management:

    • Data preparation, integration, cataloging, and quality
    • Metadata management
    • Master data management

    Enabling AI-assisted decision-making tools

    The image contains logos of the AI-assisted decision-making tools. Informatica, collibra, OCTOPAI.

    VARIETY

    Augmented Data Management

    Trend in Data Variety

    Augmented data management will enhance or automate data management capabilities by leveraging AI and related advanced techniques. It is quite possible to leverage existing data management tools and techniques, but most experts have recognized that more work and advanced patterns are needed to solve many complex data problems.

    Emerging technologies and capabilities:

    Data Factory, Data Mesh, Data Fabric, Artificial Intelligence, Machine Learning

    VARIETY

    Augmented Data Management

    Data Fabric vs. Data Mesh: The Data Journey continues at an accelerated pace

    Data Fabric

    Data Mesh

    Data fabric is an architecture that facilitates the end-to-end integration of various data pipelines and cloud environments using intelligent and automated systems. It’s a data integration pattern to unify disparate data systems, embed governance, strengthen security and privacy measures, and provide more data accessibility to workers and particularly to business users.

    The data mesh architecture is an approach that aligns data sources by business domains, or functions, with data owners. With data ownership decentralization, data owners can create data products for their respective domains, meaning data consumers, both data scientists and business users, can use a combination of these data products for data analytics and data science.

    More Unstructured Data

    95% of businesses cite the need to manage unstructured data as a problem for their business.

    VERACITY

    Identity Authenticity

    Trend 04 Veracity of data is a true test of your data capabilities

    Data veracity is defined as the accuracy or truthfulness of a data set. More and more data is created in semi-structured and unstructured formats and originates from largely uncontrolled sources (e.g. social media platforms, external sources). The reliability and quality of the data being integrated should be a top concern. The veracity of data is imperative when looking to use data for predictive purposes. For example, energy companies rely heavily on weather patterns to optimize their service outputs, but weather patterns have an element of unpredictability.

    Data quality affects overall labor productivity by as much as 20%, and 30% of operating expenses are due to insufficient data.

    Source: Pragmatic Works, 2017

    Bad data costs up to
    15% to 25% of revenue.

    Source: MIT Sloan Management Review, 2017

    VERACITY

    Identity Authenticity

    Veracity of data is a true test of your data capabilities

    • Stop creating your own identity architectures and instead integrate a tried-and-true platform.
    • Aim for a single source of truth for digital identity.
    • Establish data governance that can withstand scrutiny.
    • Imagine a day in the future where verified accounts on social media platforms are available.
    • Zero-trust architecture should be used.

    VERACITY

    Identity Authenticity

    Trend in Data Veracity

    Veracity is a concept deeply linked to identity. As the value of the data increases, a greater degree of veracity is required: We must provide more proof to open a bank account than to make friends on Facebook. As a result, there is more trust in bank data than in Facebook data. There is also a growing need to protect marginalized communities.

    Emerging technologies and capabilities:

    Zero Trust, Blockchain, Data Governance, IoT, Cybersecurity

    The image contains a screenshot of Info-Tech's blueprint slide on Zero Trust.

    VERACITY

    Identity Authenticity

    The identity discussion is no longer limited to people or organizations. The development of new technologies, such as the IoT phenomenon, will lead to an explosion of objects, from refrigerators to shipping containers, coming online as well. If all these entities start communicating with each other, standards will be needed to establish who or what they are.

    IDENTITY
    IS

    Age

    Gender

    Address

    Fingerprint

    Face

    Voice

    Irises

    IDENTITY
    KNOWS

    Password

    Passphrase

    PIN

    Sequence

    IDENTITY
    HAS

    Access badge

    Smartcard

    Security token

    Mobile phone

    ID document

    IDENTITY
    DOES

    Motor skills

    Handwriting

    Gestures

    Keystrokes

    Applications use

    The IoT market is expected to grow 18% to 14.4 billion in 2022 and 27 billion by 2025.

    Source: IoT Analytics, 2022

    VALUE

    Data Monetization

    Trend 05 Not Many organization know the true value of their data

    Data can be valuable if used effectively or dangerous if mishandled. The rise of the data economy has created significant opportunities but also has its challenges. It has become urgent to understand the value of data, which may vary for stakeholders based on their business model and strategy. Organizations first need to understand ownership of their data by establishing a data strategy, then they must improve data maturity by developing a deeper understanding of data value.

    94% of enterprises say data is essential to business growth.

    Source: Find stack, 2021

    VALUE

    Data Monetization

    Start developing your data business

    • Blockbuster ran its business well, but Netflix transformed the video rental industry overnight!
    • Big players with data are catching up fast.
    • You don’t have to be a giant to monetize data.
    • Data monetization is probably closer than you think.
    • You simply need to find it, catalog it, and deliver it.

    The image contains logos of companies related to data monetization as described in the text above. The companies are Amazon Prime, Netflix, Disney Plus, Blockbuster, and Apple TV.

    VALUE

    Data Monetization

    Trend in Data Value

    Data monetization is the transformation of data into financial value. However, this does not imply selling data alone. Monetary value is produced by using data to improve and upgrade existing and new products and services. Data monetization demands an organization-wide strategy for value development.

    Emerging technologies and capabilities:

    Data Strategy, Data Monetization Strategy, Data Products

    Netflix uses big data to save $1 billion per year on customer retention.

    Source: Logidots, 2021

    VALUE

    Data Monetization

    Data is a strategic asset

    Data is beyond currency, assets, or commodities and needs to be a category
    of its own.

    • Data always outlives people, processes, and technology. They all come and go while data remains.
    • Oil is a limited resource. Data is not. Unlike oil, data is likely to grow over time.
    • Data is likely to outlast all other current popular financial instruments, including currency, assets, or commodities.
    • Data is used internally and externally and can easily be replicated or combined.

    Data monetization is currently in the speculative territory, which is unacceptable. It should instead be guided by sound data management theory.

    VIRTUE

    Adaptive Data Governance

    Trend 06 Five Core Virtues: Resilience, Humility, Grit, Liberal Education, Empathy (Forbes, 2020)

    We have become more and more dependent on data, analytics, and organizational protection policies. Data virtue is about leveraging data securely and ethically. This topic has become more critical with the advent of GDPR, the right to be forgotten, and related regulations. Data governance, which seeks to establish an oversight framework that manages the creation, acquisition, integrity, security, compliance, and quality of data, is essential for any organization that makes decisions about data.

    Cultural obstacles are the greatest barrier to becoming data-driven, according to 91.9% of executives.

    Source: Harvard Business Review, 2022

    Fifty million Facebook profiles were harvested for Cambridge Analytica in a major data breach.

    Source: The Guardian, 2018

    VIRTUE

    Adaptive Data Governance

    Encourage noninvasive and automated data governance

    • Data governance affects the entire organization, not just data.
    • The old model for data governance was slow and clumsy.
    • Adaptive data governance encourages faster decision making and a more collaborative approach to governance.
    • Agile data governance allows for faster and more flexible decision making.
    • Automated data governance will simplify execution across the organization.
    • It is great for compliance, quality, impact tracking, and cross-referencing and offers independence to data users.

    VIRTUE

    Adaptive Data Governance

    Trend in Data Virtue

    Adaptive data governance encourages a flexible approach that allows an organization to employ multiple data governance strategies depending on changing business situations. The other aspect of adaptive data governance is moving away from manual (and often slow) data governance and toward aggressive automation.

    Emerging technologies and capabilities:

    AI-Powered Data Catalog and Metadata Management,
    Automated Data Policy Enforcement

    “To effectively meet the needs and velocity of digital organizations and modern practices, IT governance must be embedded and automated where possible to drive success and value.”

    Source: Valence Howden, Info-Tech Research Group

    “Research reveals that the combination of AI and big data technologies can automate almost 80% of all physical work, 70% of data processing, and 64% of data collection tasks.”

    Source: Forbes, 2021

    VIRTUE

    Data Governance Automation

    Simple and easy Data Governance

    Tools are not the ultimate answer to implementing data governance. You will still need to secure stakeholders' buy-in and engagement in the data process. Data governance automation should be about simplifying the execution of roles and responsibilities.

    “When you can see where your data governance strategy can be improved, it’s time to put in place automation that help to streamline processes.”

    Source: Nintex, 2021

    VISUALIZATION

    AI-Driven Storytelling & Augmented Analytics

    Trend 07 Automated and augmented data storytelling is not that far away

    Today, data storytelling is led by the user. It’s the manual practice of combining narrative with data to deliver insights in a compelling form to assist decision makers in engaging with data and analytics. A story backed by data is more easily consumed and understood than a dashboard, which can be overwhelming. However, manual data storytelling has some major shortcomings.

    Problem # 1: Telling stories on more than just the insights noticed by people

    Problem # 2: Poor data literacy and the limitations of manual self-service

    Problem # 3: Scaling data storytelling across the business

    VISUALIZATION

    AI-Driven Storytelling & Augmented Analytics

    Use AI to enhance data storytelling

    • Tableau, Power BI, and many other applications already use
      AI-driven analytics.
    • Power BI and SharePoint can use AI to generate visuals for any SharePoint list in a matter of seconds.

    VISUALIZATION

    AI-Driven Storytelling & Augmented Analytics

    Trend in Data Visualization

    AI and natural language processing will drive future visualization and data storytelling. These tools and techniques are improving rapidly and are now designed in a streamlined way to guide people in understanding what their data means and how to act on it instead of expecting them to do self-service analysis with dashboards and charts and know what to do next. Ultimately, being able to understand how to translate emotion, tropes, personal interpretation, and experience and how to tell what’s most relevant to each user is the next frontier for augmented and automated analytics

    Emerging technologies and capabilities:

    AI-Powered Data Catalog and Metadata Management,
    Automated Data Policy Enforcement

    VISUALIZATION

    Data Storytelling

    Augmented data storytelling is not that far away

    Emotions are a cornerstone of human intelligence and decision making. Mastering the art of storytelling is not easy.

    Industry experts predict the combination of data storytelling with augmented and automated techniques; these capabilities are more than capable of generating and automating parts of a data story’s creation for end users.

    The next challenge for AI is translating emotion, tropes, personal interpretation, and experience into what is most essential to end users.

    Source: Yellowfin, 2021

    VIRALITY

    Data Marketplace

    Trend 08 Missing data marketplace

    Data virality measures data spread and popularity. However, for data virality to occur, an ecosystem comparable to that of traditional or modern digital marketplaces is required. Organizations must reevaluate their data strategies to ensure investment in appropriate data domains by understanding data virality. Data virality is the exact opposite of dark data.

    Dark data is “all the information companies collect in their regular business processes, don’t use, have no plans to use, but will never throw out.”

    Source: Forbes, 2019

    VIRALITY

    Data Marketplace

    Make data easily accessible

    • Making data accessible to a broader audience is the key to successful virality.
    • Data marketplaces provide a location for you to make your data public.
    • Why do this? Contributing to public data marketplaces builds credibility, just like contributing to public GitHub projects.
    • Big players like Microsoft, Amazon, and Snowflake already do this!
    • Snowflake introduced zero-copy cloning, which allows users to interact with source data without compromising the integrity of the original source.

    The image contains the logos of Microsoft, Amazon, and Snowflake.

    VIRALITY

    Data Marketplace

    Trend in Data Virality

    The data marketplace can be defined as a dynamic marketplace where users decide what has the most value. Companies can gauge which data is most popular based on usage and decide where to invest. Users can shop for data products within the marketplace and then join these products with other ones they’ve created to launch truly powerful data-driven projects.

    Emerging technologies and capabilities:

    AI-Powered Data Catalog and Metadata Management,
    Automated Data Policy Enforcement

    The image contains a screenshot of Info-Tech's Data-as-a-Service (DaaS) Framework.

    “Data is like garbage. You’d better know what you are going to do with it before you collect it.”

    – Mark Twain

    VIRALITY

    Data Marketplace

    Journey from siloed data platforms to dynamic data marketplaces

    Data remains a complex topic due to many missing foundational components and infrastructure. Interoperability, security, quality, discoverability, speed, and ease are some of those missing foundational components that most organizations face daily.

    Data lacks an ecosystem that is comparable to those of traditional assets or commodities. Data must be available in open or closed data marketplaces to measure its value. These data marketplaces are still in their infancy.

    “Data markets are an important component of the data economy that could unleash the full potential of data generated by the digital economy and human activity in general.”

    Source: ITU Journal, 2018

    VISCOSITY

    DevOps – DataOps – XOps

    Trend 09 Increase efficiency by removing bottlenecks

    Compared to water, a fluid with a high viscosity flows more slowly, like honey. Data viscosity measures the resistance to flow in a volume of data. The data resistance may come from other Vs (variety, velocity, etc.).

    VISCOSITY

    DevOps – DataOps – XOps

    Increase efficiency by removing bottlenecks

    Consider XOps for a second. It makes no difference what X is. What's important is matching operational requirements to enterprise capabilities.

    • For example, Operations must meet the demands of Sales – hence SalesOps
      or S&Op.
    • Development resources must meet the demands of Operations – hence DevOps.
    • Finally, Data must also meet the demand of Operations.

    These Operations guys are demanding!!

    VISCOSITY

    DevOps – DataOps – XOps

    Trend in Data Viscosity

    The merger of development (Dev) and IT Operations (Ops) started in software development with the concept of DevOps. Since then, new Ops terms have formed rapidly (AIOps, MLOps, ModelOps, PlatformOps, SalesOps, SecOps, etc.). All these methodologies come from Lean manufacturing principles, which seek to identify waste by focusing on eliminating errors, cycle time, collaboration, and measurement. Buzzwords are distractions, and the focus must be on the underlying goals and principles. XOps goals should include the elimination of errors and improving efficiencies.

    Emerging technologies and capabilities:

    Collaborative Data Management, Automation Tools

    VISCOSITY

    DataOps → Data Observability

    Data observability, a subcomponent of DataOps, is a set of technical practices, cultural norms, and architecture that enables low error rates. Data observability focuses on error rates instead of only measuring data quality at a single point in time.

    Data Quality Dimensions

    • Uniqueness
    • Timeliness
    • Validity
    • Accuracy
    • Consistency

    ERROR RATES

    Lateness: Missing Your SLA

    System Processing Issues

    Code Change That Broke Something

    Data Quality

    What’s next? Go beyond the buzzwords.

    Avoid following trends solely for the sake of following them. It is critical to comprehend the concept and apply it to your industry. Every industry has its own set of problems and opportunities.

    Highlight the data trends (or lack thereof) that have been most beneficial to you in your organizations. Follow Info-Tech’s approach to building a data practice and platform to develop your data capabilities through the establishment of data goals.

    The image contains a screenshot of Info-Tech's Build Your Data Pracrice and Platform.

    Research Authors

    Rajesh Parab Chris Dyck

    Rajesh Parab

    Director, Research & Advisory

    Data and Analytics

    Chris Dyck

    Research Lead

    Data and Analytics

    “Data technologies are rapidly evolving. Understanding what’s possible is critical. Adapting to these upcoming data trends requires a solid data management foundation.”

    – Rajesh Parab

    Contributing Experts

    Carlos Thomas John Walsh

    Carlos Thomas

    Executive Counselor

    Info-Tech Research Group

    John Walsh

    Executive Counselor

    Info-Tech Research Group

    Bibliography

    Bean, Randy. “Why Becoming a Data-Driven Organization Is So Hard.” Harvard Business Review, 24 Feb. 2022. Accessed Oct. 2022.
    Brown, Annie. “Utilizing AI And Big Data To Reduce Costs And Increase Profits In Departments Across An Organization.” Forbes, 13 April 2021.
    Accessed Oct. 2022.
    Burciaga, Aaron. “Five Core Virtues For Data Science And Artificial Intelligence.” Forbes, 27 Feb. 2020. Accessed Aug. 2022.
    Cadwalladr, Carole, and Emma Graham-Harrison. “Revealed: 50 million Facebook profiles harvested for Cambridge Analytica in major data breach.”
    The Guardian, 17 March 2018. Accessed Aug. 2022.
    Carlier, Mathilde. “Connected light-duty vehicles as a share of total vehicles in 2023.” Statista, 31 Mar. 2021. Accessed Oct. 2022.
    Carter, Rebekah. “The Ultimate List of Big Data Statistics for 2022.” Findstack, 22 May 2021. Accessed Oct. 2022.
    Castelvecchi, Davide. “Underdog technologies gain ground in quantum-computing race.” Nature, 6 Nov. 2023. Accessed Feb. 2023.
    Clark-Jones, Anthony, et al. “Digital Identity:” UBS, 2016. Accessed Aug 2022.
    “The Cost of Bad Data Infographic.” Pragmatic Works, 25 May 2017. Accessed Oct. 2022.
    Demchenko, Yuri, et al. “Data as Economic Goods: Definitions, Properties, Challenges, Enabling Technologies for Future Data Markets.“ ITU Journal: ICT Discoveries, Special Issue, no. 2, vol. 23, Nov. 2018. Accessed Aug 2022.
    Feldman, Sarah. ”20 Years of Quantum Computing Growth.” Statista, 6 May 2019. Accessed Oct. 2022.
    “Genomic Data Science.” NIH, National Human Genome Research Institute, 5 April 2022. Accessed Oct. 2022.

    Bibliography

    Hasbe, Sudhir, and Ryan Lippert. “The democratization of data and insights: making real-time analytics ubiquitous.” Google Cloud, 15 Jan. 2021.
    Accessed Aug. 2022.
    Helmenstine, Anne. “Viscosity Definition and Examples.” Science Notes, 3 Aug. 2021. Accessed Aug. 2022.
    “How data storytelling and augmented analytics are shaping the future of BI together.” Yellowfin, 19 Aug. 2021. Accessed Aug. 2022.
    “How Netflix Saves $1B Annually using AI?” Logidots, 24 Sept. 2021. Accessed Oct. 2022
    Hui, Kenneth. “The AWS Love/Hate Relationship with Data Gravity.” Cloud Architect Musings, 30 Jan. 2017. Accessed Aug 2022.
    ICD. “The Growth in Connected IoT Devices Is Expected to Generate 79.4ZB of Data in 2025, According to a New IDC Forecast.” Business Wire, 18 June 2019. Accessed Oct 2022.
    Internet of Things (IoT) and non-IoT active device connections worldwide from 2010 to 2025” Statista, 27 Nov. 2022. Accessed Nov. 2022.
    Koch, Gunter. “The critical role of data management for autonomous driving development.” DXC Technology, 2021. Accessed Aug. 2022.
    Morris, John. “The Pull of Data Gravity.” CIO, 23 Feb. 2022. Accessed Aug. 2022.
    Nield, David. “Google's Quantum Computer Is 100 Million Times Faster Than Your Laptop.” ScienceAlert, 9 Dec. 2015. Accessed Oct. 2022.
    Redman, Thomas C. “Seizing Opportunity in Data Quality.” MIT Sloan Management Review, 27 Nov. 2017. Accessed Oct. 2022.
    Segovia Domingo, Ana I., and Álvaro Martín Enríquez. “Digital Identity: the current state of affairs.” BBVA Research, 2018. Accessed Aug. 2022.

    Bibliography

    “State of IoT 2022: Number of connected IoT devices growing 18% to 14.4 billion globally.” IOT Analytics, 18 May 2022. Accessed. 14 Nov. 2022.
    Strod, Eran. “Data Observability and Monitoring with DataOps.” DataKitchen, 10 May 2021. Accessed Aug. 2022.
    Sujay Vailshery, Lionel. “Edge computing market value worldwide 2019-2025.” Statista, 25 Feb. 2022. Accessed Oct 2022.
    Sujay Vailshery, Lionel. “IoT and non-IoT connections worldwide 2010-2025.” Statista, 6 Sept. 2022. Accessed Oct. 2022.
    Sumina, Vladimir. “26 Cloud Computing Statistics, Facts & Trends for 2022.” Cloudwards, 7 June 2022. Accessed Oct. 2022.
    Taulli, Tom. “What You Need To Know About Dark Data.” Forbes, 27 Oct. 2019. Accessed Oct. 2022.
    Taylor, Linnet. “What is data justice? The case for connecting digital rights and freedoms globally.“ Big Data & Society, July-Dec 2017. Accessed Aug 2022.
    “Twitter: Data Collection With API Research Paper.” IvyPanda, 28 April 2022. Accessed Aug. 2022.
    “Using governance automation to reduce data risk.” Nintex, 15 Nov. 2021. Accessed Oct. 2022
    “Volume of data/information created, captured, copied, and consumed worldwide from 2010 to 2020, with forecasts from 2021 to 2025.” Statista, 8 Sept. 2022. Accessed Oct 2022.
    Wang, R. “Monday's Musings: Beyond The Three V's of Big Data – Viscosity and Virality.” Forbes, 27 Feb. 2012. Accessed Aug 2022.
    “What is a data fabric?” IBM, n.d. Accessed Aug 2022.
    Yego, Kip. “Augmented data management: Data fabric versus data mesh.” IBM, 27 April 2022. Accessed Aug 2022.

    Enhance Your Solution Architecture Practices

    • Buy Link or Shortcode: {j2store}157|cart{/j2store}
    • member rating overall impact: 9.0/10 Overall Impact
    • member rating average dollars saved: $33,359 Average $ Saved
    • member rating average days saved: 11 Average Days Saved
    • Parent Category Name: Development
    • Parent Category Link: /development
    • In today’s world, business agility is essential to stay competitive. Quick responses to business needs through efficient development and deployment practices is critical for business value delivery.
    • A mature solution architecture practice is the basic necessity for a business to have technical agility.

    Our Advice

    Critical Insight

    Don’t architect for normal situations. That is a shallow approach and leads to decisions that may seem “right” but will not be able to stand up to system elasticity needs.

    Impact and Result

    • Understand the different parts of a continuous security architecture framework and how they may apply to your decisions.
    • Develop a solution architecture for upcoming work (or if there is a desire to reduce tech debt).

    Enhance Your Solution Architecture Practices Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Solution Architecture Practices Deck – A deck to help you develop an approach for or validate existing solution architecture capability.

    Translate stakeholder objectives into architecture requirements, solutions, and changes. Incorporate architecture quality attributes in decisions to increase your architecture’s life. Evaluate your solution architecture from multiple views to obtain a holistic perspective of the range of issues, risks, and opportunities.

    • Enhance Your Solution Architecture Practices – Phases 1-3

    2. Solution Architecture Template – A template to record the results from the exercises to help you define, detail, and make real your digital product vision.

    Identify and detail the value maps that support the business, and discover the architectural quality attribute that is most important for the value maps. Brainstorm solutions for design decisions for data, security, scalability, and performance.

    • Solution Architecture Template
    [infographic]

    Workshop: Enhance Your Solution Architecture Practices

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Vision and Value Maps

    The Purpose

    Document a vision statement for the solution architecture practice (in general) and/or a specific vision statement, if using a single project as an example.

    Document business architecture and capabilities.

    Decompose capabilities into use cases.

    Key Benefits Achieved

    Provide a great foundation for an actionable vision and goals that people can align to.

    Develop a collaborative understanding of business capabilities.

    Develop a collaborative understanding of use cases and personas that are relevant for the business.

    Activities

    1.1 Develop vision statement.

    1.2 Document list of value stream maps and their associated use cases.

    1.3 Document architectural quality attributes needed for use cases using SRME.

    Outputs

    Solution Architecture Template with sections filled out for vision statement canvas and value maps

    2 Continue Vision and Value Maps, Begin Phase 2

    The Purpose

    Map value stream to required architectural attributes.

    Prioritize architecture decisions.

    Discuss and document data architecture.

    Key Benefits Achieved

    An understanding of architectural attributes needed for value streams.

    Conceptual understanding of data architecture.

    Activities

    2.1 Map value stream to required architectural attributes.

    2.2 Prioritize architecture decisions.

    2.3 Discuss and document data architecture.

    Outputs

    Solution Architecture Template with sections filled out for value stream and architecture attribute mapping; a prioritized list of architecture design decisions; and data architecture

    3 Continue Phase 2, Begin Phase 3

    The Purpose

    Discuss security and threat assessment.

    Discuss resolutions to threats via security architecture decisions.

    Discuss system’s scalability needs.

    Key Benefits Achieved

    Decisions for security architecture.

    Decisions for scalability architecture.

    Activities

    3.1 Discuss security and threat assessment.

    3.2 Discuss resolutions to threats via security architecture decisions.

    3.3 Discuss system’s scalability needs.

    Outputs

    Solution Architecture Template with sections filled out for security architecture and scalability design

    4 Continue Phase 3, Start and Finish Phase 4

    The Purpose

    Discuss performance architecture.

    Compile all the architectural decisions into a solutions architecture list.

    Key Benefits Achieved

    A complete solution architecture.

    A set of principles that will form the foundation of solution architecture practices.

    Activities

    4.1 Discuss performance architecture.

    4.2 Compile all the architectural decisions into a solutions architecture list.

    Outputs

    Solution Architecture Template with sections filled out for performance and a complete solution architecture

    Further reading

    Enhance Your Solution Architecture Practice

    Ensure your software systems solution is architected to reflect stakeholders’ short- and long-term needs.

    Analyst Perspective

    Application architecture is a critical foundation for supporting the growth and evolution of application systems. However, the business is willing to exchange the extension of the architecture’s life with quality best practices for the quick delivery of new or enhanced application functionalities. This trade-off may generate immediate benefits to stakeholders, but it will come with high maintenance and upgrade costs in the future, rendering your system legacy early.

    Technical teams know the importance of implementing quality attributes into architecture but are unable to gain approval for the investments. Overcoming this challenge requires a focus of architectural enhancements on specific problem areas with significant business visibility. Then, demonstrate how quality solutions are vital enablers for supporting valuable application functionalities by tracing these solutions to stakeholder objectives and conducting business and technical risk and impact assessments through multiple business and technical perspectives.

    this is a picture of Andrew Kum-Seun

    Andrew Kum-Seun
    Research Manager, Applications
    Info-Tech Research Group

    Enhance Your Solution Architecture

    Ensure your software systems solution is architected to reflect stakeholders’ short- and long-term needs.

    EXECUTIVE BRIEF

    Executive Summary

    Your Challenge

    • Most organizations have some form of solution architecture; however, it may not accurately and sufficiently support the current and rapidly changing business and technical environments.
    • To enable quick delivery, applications are built and integrated haphazardly, typically omitting architecture quality practices.

    Common Obstacles

    • Failing to involve development and stakeholder perspectives in design can lead to short-lived architecture and critical development, testing, and deployment constraints and risks being omitted.
    • Architects are experiencing little traction implementing solutions to improve architecture quality due to the challenge of tracing these solutions back to the right stakeholder objectives.

    Info-Tech's Approach

    • Translate stakeholder objectives into architecture requirements, solutions, and changes. Incorporate architecture quality attributes in decisions to increase your architecture’s life.
    • Evaluate your solution architecture from multiple views to obtain a holistic perspective of the range of issues, risks, and opportunities.
    • Regularly review and recalibrate your solution architecture so that it accurately reflects and supports current stakeholder needs and technical environments.

    Info-Tech Insight

    Well-received applications can have poor architectural qualities. Functional needs often take precedence over quality architecture. Quality must be baked into design, execution, and decision-making practices to ensure the right tradeoffs are made.

    A badly designed solution architecture is the root of all technical evils

    A well-thought-through and strategically designed solution architecture is essential for the long-term success of any software system, and by extension, the organization because:

    1. It will help achieve quality attribute requirements (security, scalability, performance, usability, resiliency, etc.) for a software system.
    2. It can define and refine architectural guiding principles. A solution architecture is not only important for today but also a vision for the future of the system’s ability to react positively to changing business needs.
    3. It can help build usable (and reusable) services. In a fast-moving environment, the convenience of having pre-made plug-and-play architectural objects reduces the risk incurred from knee-jerk reactions in response to unexpected demands.
    4. It can be used to create a roadmap to an IT future state. Architectural concerns support transition planning activities that can lead to the successful implementation of a strategic IT plan.

    Demand for quick delivery makes teams omit architectural best practices, increasing downstream risks

    In its need for speed, a business often doesn’t see the value in making sure architecture is maintainable, reusable, and scalable. This demand leads to an organizational desire for development practices and the procurement of vendors that favor time-to-market over long-term maintainability. Unfortunately, technical teams are pushed to omit design quality and validation best practices.

    What are the business impacts of omitting architecture design practices?

    Poor quality application architecture impedes business growth opportunities, exposes enterprise systems to risks, and consumes precious IT budgets in maintenance that could otherwise be used for innovation and new projects.

    Previous estimations indicate that roughly 50% of security problems are the result of software design. […] Flaws in the architecture of a software system can have a greater impact on various security concerns in the system, and as a result, give more space and flexibility for malicious users.(Source: IEEE Software)

    Errors in software requirements and software design documents are more frequent than errors in the source code itself according to Computer Finance Magazine. Defects introduced during the requirements and design phase are not only more probable but also more severe and more difficult to remove. (Source: iSixSigma)

    Design a solution architecture that can be successful within the constraints and complexities set before you

    APPLICATION ARCHITECTURE…

    … describes the dependencies, structures, constraints, standards, and development guidelines to successfully deliver functional and long-living applications. This artifact lays the foundation to discuss the enhancement of the use and operations of your systems considering existing complexities.

    Good architecture design practices can give you a number of benefits:

    Lowers maintenance costs by revealing key issues and risks early. The Systems Sciences Institute at IBM has reported that the cost to fix an error found after product release was 4 to 5 times as much as one uncovered during design.(iSixSigma)

    Supports the design and implementation activities by providing key insights for project scheduling, work allocation, cost analysis, risk management, and skills development.(IBM: developerWorks)

    Eliminates unnecessary creativity and activities on the part of designers and implementers, which is achieved by imposing the necessary constraints on what they can do and making it clear that deviation from constraints can break the architecture.(IBM: developerWorks)

    Use Info-Tech’s Continuous Solution Architecture (CSA) Framework for designing adaptable systems

    Solution architecture is not a one-size-fits-all conversation. There are many design considerations and trade-offs to keep in mind as a product or services solution is conceptualized, evaluated, tested, and confirmed. The following is a list of good practices that should inform most architecture design decisions.

    Principle 1: Design your solution to have at least two of everything.

    Principle 2: Include a “kill switch” in your fault-isolation design. You should be able to turn off everything you release.

    Principle 3: If it can be monitored, it should be. Use server and audit logs where possible.

    Principle 4: Asynchronous is better than synchronous. Asynchronous design is more complex but worth the processing efficiency it introduces.

    Principle 5: Stateless over stateful: State data should only be used if necessary.

    Principle 6: Go horizonal (scale out) over vertical (scale up).

    Principle 7: Good architecture comes in small packages.

    Principle 8: Practice just-in-time architecture. Delay finalizing an approach for as long as you can.

    Principle 9: X-ilities over features. Quality of an architecture is the foundation over which features exist. A weak foundation can never be obfuscated through shiny features.

    Principle 10: Architect for products not projects. A product is an ongoing concern, while a project is short lived and therefore only focused on what is. A product mindset forces architects to think about what can or should be.

    Principle 11: Design for rollback: When all else fails, you should be able to stand up the previous best state of the system.

    Principle 12: Test the solution architecture like you test your solution’s features.

    CSA should be used for every step in designing a solution’s architecture

    Solution architecture is a technical response to a business need, and like all complex evolutionary systems, must adapt its design for changing circumstances.

    The triggers for changes to existing solution architectures can come from, at least, three sources:

    1. Changing business goals
    2. Existing backlog of technical debt
    3. Solution architecture roadmap

    A solution’s architecture is cross-cutting and multi-dimensional and at the minimum includes:

    • Product Portfolio Strategy
    • Application Architecture
    • Data Architecture
    • Information Architecture
    • Operational Architecture

    along with several qualitative attributes (also called non-functional requirements).

    This image contains a chart which demonstrates the relationship between changing hanging business goals, Existing backlog of technical debt, Solution architecture roadmap, and Product Portfolio Strategy, Application Architecture, Data Architecture, Information Architecture and, Operational Architecture

    Related Research: Product Portfolio Strategy

    Integrate Portfolios to Create Exceptional Customer Value

    • Define an organizing principle that will structure your projects and applications in a way that matters to your stakeholders.
    • Bridge application and project portfolio data using the organizing principle that matters to communicate with stakeholders across the organization.
    • Create a dashboard that brings together the benefits of both project and application portfolio management to improve visibility and decision making.

    Deliver on Your Digital Portfolio Vision

    • Recognize that a vision is only as good as the data that backs it up. Lay out a comprehensive backlog with quality built in that can be effectively communicated and understood through roadmaps.
    • Your intent is only a dream if it cannot be implemented ; define what goes into a release plan via the release canvas.
    • Define a communication approach that lets everyone know where you are heading.

    Related Research: Data, Information & Integration Architecture

    Build a Data Architecture Roadmap

    • Have a framework in place to identify the appropriate solution for the challenge at hand. Our three-phase practical approach will help you build a custom and modernized data architecture.
    • Identify and prioritize the business drivers in which data architecture changes would create the largest overall benefit and determine the corresponding data architecture tiers that need to be addressed.
    • Discover the best-practice trends, measure your current state, and define the targets for your data architecture tactics.
    • Build a cohesive and personalized roadmap for restructuring your data architecture. Manage your decisions and resulting changes.

    Build a Data Pipeline for Reporting and Analytics

    • Understand your high-level business capabilities and interactions across them – your data repositories and flows should be just a digital reflection thereof.
    • Divide your data world in logical verticals overlaid with various speed data progression lanes, i.e. build your data pipeline – and conquer it one segment at a time.
    • Use the most appropriate database design pattern for a given phase/component in your data pipeline progression.

    Related Research:Operational Architecture

    Optimize Application Release Management

    • Acquire release management ownership. Ensure there is appropriate accountability for the speed and quality of the releases passing through the entire pipeline.
    • A release manager has oversight over the entire release process and facilitates the necessary communication between business stakeholders and various IT roles.
    • Instill holistic thinking. Release management includes all steps required to push release and change requests to production along with the hand-off to Operations and Support. Increase the transparency and visibility of the entire pipeline to ensure local optimizations do not generate bottlenecks in other areas.
    • Standardize and lay a strong release management foundation. Optimize the key areas where you are experiencing the most pain and continually improve.

    Build Your Infrastructure Roadmap

    • Increased communication. More information being shared to more people who need it.
    • Better planning. More accurate information being shared.
    • Reduced lead times. Less due diligence or discovery work required as part of project implementations.
    • Faster delivery times. Less low-value work, freeing up more time for project work.

    Related Research:Security Architecture

    Identify Opportunities to Mature the Security Architecture

    • A right-sized security architecture can be created by assessing the complexity of the IT department, the operations currently underway for security, and the perceived value of a security architecture within the organization. This will bring about a deeper understanding of the organizational infrastructure.
    • Developing a security architecture should also result in a list of opportunities (i.e. initiatives) that an organization can integrate into a roadmap. These initiatives will seek to improve security operations and strengthen the IT department’s understanding of security’s role within the organization.
    • A better understanding of the infrastructure will help to save time on determining the correct technologies required from vendors, and therefore, cut down on the amount of vendor noise.
    • Creating a defensible roadmap will assist with justifying future security spend.

    Key deliverable:

    Solution Architecture Template
    Record the results from the exercises to help you define, detail, and make real your digital product vision.

    Blueprint Deliverables

    Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:

    This image contains screenshots of the deliverables which will be discussed later in this blueprint

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.

    Guided Implementation

    Our team knows that we need to fix a process, but we need assistance to determine where to focus. some check-ins along the way would help keep us on track

    Workshop

    We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place

    Consulting

    Our team does not have the time or the knowledge to take this project on. we need assistance through the entirety of this project.

    Diagnostics and consistent frameworks are used throughout all four options

    Workshop Overview

    Contact your account representative for more information. workshops@infotech.com 1-888-670-8889

    Day 1 Day 2 Day 3 Day 4
    Exercises
    1. Articulate an architectural vision
    2. Develop dynamic value stream maps
    1. Create a conceptual map between the value stream, use case, and required architectural attribute
    2. Create a prioritized list of architectural attributes
    3. Develop a data architecture that supports transactional and analytical needs
    1. Document security architecture risks and mitigations
    2. Document scalability architecture
    1. Document performance-enhancing architecture
    2. Bring it all together
    Outcomes
    1. Architecture vision
    2. Dynamic value stream maps (including user stories/personas)
    1. List of required architectural attributes
    2. Architectural attributes prioritized
    3. Data architecture design decisions
    1. Security threat and risk analysis
    2. Security design decisions
    3. Scalability design decisions
    1. Performance design decisions
    2. Finalized decisions

    Guided Implementation

    What does a typical GI on this topic look like?

    A Guided Implementation (GI) is series of calls with an Info-Tech analyst to help implement our best practices in your organization.
    This GI is between 8 to 10 calls over the course of approximately four to six months.

    Phase 1 Phase 2 Phase 2
    Call #1:
    Articulate an architectural vision.
    Call #4:
    Continue discussion on value stream mapping and related use cases.
    Call #6:
    Document security design decisions.
    Call #2:
    Discuss value stream mapping and related use cases.
    Call #5:
    • Map the value streams to required architectural attribute.
    • Create a prioritized list of architectural attributes.
    Call #7:
    • Document scalability design decisions.
    • Document performance design decisions.
    Call #3:
    Continue discussion on value stream mapping and related use cases.
    Call #8:
    Bring it all together.

    Phase 1: Visions and Value Maps

    Phase 1

    1.1 Articulate an Architectural Vision
    1.2 Develop Dynamic Value Stream Maps
    1.3 Map Value Streams, Use Cases, and Required Architectural Attributes
    1.4 Create a Prioritized List of Architectural Attributes

    Phase 2

    2.1 Develop a Data Architecture That Supports Transactional and Analytical Needs
    2.2 Document Security Architecture Risks and Mitigations

    Phase 3

    3.1 Document Scalability Architecture
    3.2 Document Performance Enhancing Architecture
    3.3 Combine the Different Architecture Design Decisions Into a Unified Solution Architecture

    This phase will walk you through the following activities:

    • Determine a vision for architecture outcomes
    • Draw dynamic value stream maps
    • Derive architectural design decisions
    • Prioritize design decisions

    This phase involves the following participants:

    • Business Architect
    • Product Owner
    • Application Architect
    • Integration Architect
    • Database Architect
    • Enterprise Architect

    Enhance Your Solution Architecture Practice

    Let’s get this straight: You need an architectural vision

    If you start off by saying I want to architect a system, you’ve already lost. Remember what a vision is for!

    An architectural vision...

    … is your North Star

    Your product vision serves as the single fixed point for product development and delivery.

    … aligns stakeholders

    It gets everyone on the same page.

    … helps focus on meaningful work

    There is no pride in being a rudderless ship. It can also be very expensive.

    And eventually...

    … kick-starts your strategy

    We know where to go, we know who to bring along, and we know the steps to get there. Let’s plan this out.

    An architectural vision is multi-dimensional

    Who is the target customer (or customers)?

    What is the key benefit a customer can get from using our service or product?

    Why should they be engaged with you?

    What makes our service or product better than our competitors?

    (Adapted from Crossing the Chasm)

    Info-Tech Insight

    It doesn’t matter if you are delivering value to internal or external stakeholders, you need a product vision to ensure everyone understands the “why.”

    Use a canvas as the dashboard for your architecture

    The solution architecture canvas provides a single dashboard to quickly define and communicate the most important information about the vision. A canvas is an effective tool for aligning teams and providing an executive summary view.

    This image contains a sample canvas for you to use as the dashboard for your architecture. The sections are: Solution Name, Tracking Info, Vision, Business Goals, Metrics, Personas, and Stakeholders.

    Leverage the solution architecture canvas to state and inform your architecture vision

    This image contains the sample canvas from the previous section, with annotations explaining what to do for each of the headings.

    1.1 Craft a vision statement for your solution’s architecture

    1. Use the product canvas template provided for articulating your solution’s architecture.

    *If needed, remove or add additional data points to fit your purposes.

    There are different statement templates available to help form your product vision statements. Some include:

    • For [our target customer], who [customer’s need], the [product] is a [product category or description] that [unique benefits and selling points]. Unlike [competitors or current methods], our product [main differentiators].
    • We believe (in) a [noun: world, time, state, etc.] where [persona] can [verb: do, make, offer, etc.], for/by/with [benefit/goal].
    • To [verb: empower, unlock, enable, create, etc.] [persona] to [benefit, goal, future state].
    • Our vision is to [verb: build, design, provide] the [goal, future state] to [verb: help, enable, make it easier to...] [persona].

    (Adapted from Crossing the Chasm)

    Download the Solution Architecture Template and document your vision statement.

    Input

    • Business Goals
    • Product Portfolio Vision

    Output

    • Solution Architecture Vision

    Materials

    • Whiteboard/Flip Charts

    Participants

    • Business Architect
    • Product Owner
    • IT Leadership
    • Business Leadership

    Solution Architecture Canvas: Refine your vision statement

    This image contains a screenshot of the canvas from earlier in the blueprint, with only the annotation for Solution Name: Vision, unique value proposition, elevator pitch, or positioning statement.

    Understand your value streams before determining your solution’s architecture

    Business Strategy

    Sets and communicates the direction of the entire organization.

    Value Stream

    Segments, groups, and creates a coherent narrative as to how an organization creates value.

    Business Capability Map

    Decomposes an organization into its component parts to establish a common language across the organization.

    Execution

    Implements the business strategy through capability building or improvement projects.

    Identify your organization’s goals and define the value streams that support them

    Goal

    Revenue Growth

    Value Streams

    Stream 1- Product Purchase
    Stream 2- Customer Acquisition
    stream 3- Product Financing

    There are many techniques that help with constructing value streams and their capabilities.

    Domain-driven design is a technique that can be used for hypothesizing the value maps, their capabilities, and associated solution architecture.

    Read more about domain-driven design here.

    Value streams can be external (deliver value to customers) or internal (support operations)

      External Perspective

    1. Core value streams are mostly externally facing: they deliver value to either an external/internal customer and they tie to the customer perspective of the strategy map.
    • E.g. customer acquisition, product purchase, product delivery

    Internal Perspective

  • Support value streams are internally facing: they provide the foundational support for an organization to operate.
    • E.g. employee recruitment to retirement

    Key Questions to Ask While Evaluating Value Streams

    • Who are your customers?
    • What benefits do we deliver to them?
    • How do we deliver those benefits?
    • How does the customer receive the benefits?
    This image contains an example of value streams. The main headings are: Customer Acquisitions, Product Purchase, Product Delivery, Confirm Order, Product Financing, and Product Release.

    Value streams highlight the what, not the how

    Value chains set a high-level context, but architectural decisions still need to be made to deal with the dynamism of user interaction and their subsequent expectations. User stories (and/or use cases) and themes are great tools for developing such decisions.

    Product Delivery

    1. Order Confirmation
    2. Order Dispatching
    3. Warehouse Management
    4. Fill Order
    5. Ship Order
    6. Deliver Order

    Use Case and User Story Theme: Confirm Order

    This image shows the relationship between confirming the customer's order online, and the Online Buyer, the Online Catalog, the Integrated Payment, and the Inventory Lookup.

    The use case Confirming Customer’s Online Order has four actors:

    1. An Online Buyer who should be provided with a catalog of products to purchase from.
    2. An Online Catalog that is invoked to display its contents on demand.
    3. An Integrated Payment system for accepting an online form of payment (credit card, Bitcoins, etc.) in a secure transaction.
    4. An Inventory Lookup module that confirms there is stock available to satisfy the Online Buyer’s order.

    Info-Tech Insight

    Each use case theme links back to a feature(s) in the product backlog.

    Related Research

    Deliver on Your Digital Portfolio Vision

    • Recognize that a vision is only as good as the data that backs it up. Lay out a comprehensive backlog with quality built in that can be effectively communicated and understood through roadmaps.
    • Your intent is only a dream if it cannot be implemented – define what goes into a release plan via the release canvas.
    • Define a communication approach that lets everyone know where you are heading.

    Document Your Business Architecture

    • Recognize the opportunity for architecture work, analyze the current and target states of your business strategy, and identify and engage the right stakeholders.
    • Model the business in the form of architectural blueprints.
    • Apply business architecture techniques such as strategy maps, value streams, and business capability maps to design usable and accurate blueprints of the business.
    • Drive business architecture forward to promote real value to the organization.
    • Assess your current projects to determine if you are investing in the right capabilities. Conduct business capability assessments to identify opportunities and to prioritize projects.

    1.2 Document dynamic value stream maps

    1. Create value stream maps that support your business objectives.
    • The value stream maps could belong to existing or new business objectives.
  • For each value stream map:
    • Determine use case(s), the actors, and their expected activity.

    *Refer to the next slide for an example of a dynamic value stream map.

    Download the Solution Architecture Template for documentation of dynamic value stream map

    Input

    • Business Goals
    • Some or All Existing Business Processes
    • Some or All Proposed New Business Processes

    Output

    • Dynamic Value Stream Maps for Multiple Use Roles and Use Cases

    Materials

    • Whiteboard/Flip Charts

    Participants

    • Business Architect
    • Product Owner
    • Application Architect
    • Integration Architect

    Example: Dynamic value stream map

    Loan Provision*

    *Value Stream Name: Usually has the same name as the capability it illustrates.

    Loan Application**; Disbursement of Fund**; Risk Management**; Service Accounts**

    **Value Stream Components: Specific functions that support the successful delivery of a value stream.

    Disbursement of Funds

    This image shows the relationship between depositing the load into the applicant's bank account, and the Applicant's bank, the Loan Applicant, and the Loan Supplier.

    Style #1:

    The use case Disbursement of Funds has three actors:

    1. A Loan Applicant who applied for a loan and got approved for one.
    2. A Loan Supplier who is the source for the funds.
    3. The Applicant’s Bank that has an account into which the funds are deposited.

    Style # 2:

    Loan Provision: Disbursement of Funds
    Use Case Actors Expectation
    Deposit Loan Into Applicant’s Bank Account
    1. Loan Applicant
    2. Loan Supplier
    3. Applicant’s Bank
    1. Should be able to see deposit in bank account
    2. Deposit funds into account
    3. Accept funds into account

    Mid-Phase 1 Checkpoint

    By now, the following items are ideally completed:

    • Mid-Phase 1 Checkpoint

    Start with an investigation of your architecture’s qualitative needs

    Quality attributes can be viewed as the -ilities (e.g. scalability, usability, reliability) that a software system needs to provide. A system not meeting any of its quality attribute requirements will likely not function as required. Examples of quality attributes are:

    1. Slow system response time
    2. Security breaches that result in loss of personal data
    3. A product feature upgrade that is not compatible with previous versions
    Examples of Qualitative Attributes
    Performance Compatibility Usability Reliability Security Maintainability
    • Response Time
    • Resource Utilization
    • System Capacity
    • Interoperability
    • Accessibility
    • User Interface
    • Intuitiveness
    • Availability
    • Fault Tolerance
    • Recoverability
    • Integrity
    • Non-Repudiation
    • Modularity
    • Reusability
    • Modifiability
    • Testability

    Focus on quality attributes that are architecturally significant.

    • Not every system requires every quality attribute.
    • Pay attention to those attributes without which the solution will not be able to satisfy a user’s abstract* expectation.
    • This set can be considered Architecturally Significant Requirements (ASR). ASR concern scenarios have the most impact on the architecture of the software system.
    • ASR are fundamental needs of the system and changing them in the future can be a costly and difficult exercise.

    *Abstract since attributes like performance and reliability are not directly measurable by a user.

    Stimulus Response Measurement Environmental Context

    For applicable use cases: (*Adapted from S Carnegie Mellon University, 2000)

    1. Determine the Stimulus (temporal, external, or internal) that puts stress on the system. For example, a VPN-accessed hospital management system is used for nurses to login at 8am every weekday.
    2. Describe how the system should Respond to the stimulus. For example, the hospital management system should complete a nurse login under 10ms on initiation of the HTTPS request.
    3. Set a Measurement criteria for determining the success of the response to the stimulus. For example, the system should be able to successfully respond to 98% of the HTTPS requests the first time.
    4. Note the environmental context under which the stimulus occurs, including any unusual conditions in effect.
    • The hospital management system needs to respond in under 10ms under typical load or peak load?
    • What is the time variance of peak loads, for example, an e-commerce system during a Black Friday sale?
    • How big is the peak load?

    Info-Tech Insight

    Three out of four is bad. Don’t architect for normal situations because the solution will be fragile and prone to catastrophic failure under unexpected events.
    Read article: Retail sites crash under weight of online Black Friday shoppers.

    Discover and evaluate the qualitative attributes needed for use cases or user stories

    Deposit Loan Into Applicant’s Bank Account

    Assume analysis is being done for a to-be developed system.

    User Loan Applicant
    Expectations On login to the web system, should be able to see accurate bank balance after loan funds are deposited.
    User signs into the online portal and opens their account balance page.
    Expected Response From System System creates a connection to the data source and renders it on the screen in under 10ms.
    Measurement Under Normal Loads:
    • Response in 10ms or less
    • Data should not be stale
    Under Peak Loads:
    • Response in 15ms or less
    • Data should not be stale
    Quality Attribute Required Required Attribute # 1: Performance
    • Design Decision: Reduce latency by placing authorization components closer to user’s location.
    Required Attribute # 2: Data Reliability
    • Design Decision: Use event-driven ETL pipelines.
    Required Attribute # 3: Scalability
    • Design Decision: Following Principle # 4 of the CSA (JIT Architecture), delay decision until necessary.

    Use cases developed in Phase 1.2 should be used here. (Adapted from the ATAM Utility Tree Method for Quality Attribute Engineering)

    Reduce technical debt while you are at it

    Deposit Loan Into Applicant’s Bank Account

    Assume analysis is being done for a to-be developed system.

    UserLoan Applicant
    ExpectationsOn login to the web system, should be able to see accurate bank balance after loan funds are deposited.
    User signs into the online portal and opens their account balance page.
    Expected Response From SystemSystem creates a connection to the data source and renders it on the screen in under 10ms.
    MeasurementUnder Normal Loads:
    • Response in 10ms or less
    • Data should not be stale
    Under Peak Loads:
    • Response in 15ms or less
    • Data should not be stale
    Quality Attribute RequiredRequired Attribute # 1: Performance
    • Design Decision: Reduce latency by placing authorization components closer to user’s location.

    Required Attribute # 2: Data Reliability

    • Expected is 15ms or less under peak loads, but average latency is 21ms.
    • Design Decision: Use event-driven ETL pipelines.

    Required Attribute # 3: Scalability

    • Data should not be stale and should sync instantaneously, but in some zip codes data synchronization is taking 8 hours.
    • Design Decision: Investigate integrations and flows across application, database, and infrastructure. (Note: A dedicated section for discussing scalability is presented in Phase 2.)

    1.3 Create a conceptual map between the value streams, use cases, and required architectural attributes

    1. For selected use cases completed in Phase 1.2:
    • Map the value stream to its associated use cases.
    • For each use case, list the required architectural quality attributes.

    Download the Solution Architecture Template for mapping value stream components to their required architectural attribute.

    Input

    • Use Cases
    • User Roles
    • Stimulus to System
    • Response From System
    • Response Measurement

    Output

    • List of Architectural Quality Attributes

    Materials

    • Whiteboard/Flip Charts

    Participants

    • Business Architect
    • Application Architect
    • Integration Architect
    • Database Architect
    • Infrastructure Architect

    Example for Phase 1.3

    Loan Provision

    Loan Application → Disbursement of Funds → Risk Management → Service Accounts

    Value Stream Component Use Case Required Architectural Attribute
    Loan Application UC1: Submit Loan Application
    UC2: Review Loan Application
    UC3: Approve Loan Application
    UCn: ……..
    UC1: Resilience, Data Reliability
    UC2: Data Reliability
    UC3: Scalability, Security, Performance
    UCn: …..
    Disbursement of Funds UC1: Deposit Funds Into Applicant’s Bank Account
    UCn: ……..
    UC1: Performance, Scalability, Data Reliability
    Risk Management ….. …..
    Service Accounts ….. …..

    1.2 Document dynamic value stream maps

    1. Create value stream maps that support your business objectives.
    • The value stream maps could belong to existing or new business objectives.
  • For each value stream map:
    • Determine use case(s), the actors, and their expected activity.

    *Refer to the next slide for an example of a dynamic value stream map.

    Download the Solution Architecture Template for documentation of dynamic value stream map

    Input

    • Business Goals
    • Some or All Existing Business Processes
    • Some or All Proposed New Business Processes

    Output

    • Dynamic Value Stream Maps for Multiple Use Roles and Use Cases

    Materials

    • Whiteboard/Flip Charts

    Participants

    • Business Architect
    • Product Owner
    • Application Architect
    • Integration Architect

    Example: Dynamic value stream map

    Loan Provision*

    *Value Stream Name: Usually has the same name as the capability it illustrates.

    Loan Application**; Disbursement of Fund**; Risk Management**; Service Accounts**

    **Value Stream Components: Specific functions that support the successful delivery of a value stream.

    Disbursement of Funds

    This image shows the relationship between depositing the load into the applicant's bank account, and the Applicant's bank, the Loan Applicant, and the Loan Supplier.

    Style #1:

    The use case Disbursement of Funds has three actors:

    1. A Loan Applicant who applied for a loan and got approved for one.
    2. A Loan Supplier who is the source for the funds.
    3. The Applicant’s Bank that has an account into which the funds are deposited.

    Style # 2:

    Loan Provision: Disbursement of Funds
    Use Case Actors Expectation
    Deposit Loan Into Applicant’s Bank Account
    1. Loan Applicant
    2. Loan Supplier
    3. Applicant’s Bank
    1. Should be able to see deposit in bank account
    2. Deposit funds into account
    3. Accept funds into account

    Mid-Phase 1 Checkpoint

    By now, the following items are ideally completed:

    • Mid-Phase 1 Checkpoint

    Start with an investigation of your architecture’s qualitative needs

    Quality attributes can be viewed as the -ilities (e.g. scalability, usability, reliability) that a software system needs to provide. A system not meeting any of its quality attribute requirements will likely not function as required. Examples of quality attributes are:

    1. Slow system response time
    2. Security breaches that result in loss of personal data
    3. A product feature upgrade that is not compatible with previous versions
    Examples of Qualitative Attributes
    Performance Compatibility Usability Reliability Security Maintainability
    • Response Time
    • Resource Utilization
    • System Capacity
    • Interoperability
    • Accessibility
    • User Interface
    • Intuitiveness
    • Availability
    • Fault Tolerance
    • Recoverability
    • Integrity
    • Non-Repudiation
    • Modularity
    • Reusability
    • Modifiability
    • Testability

    Focus on quality attributes that are architecturally significant.

    • Not every system requires every quality attribute.
    • Pay attention to those attributes without which the solution will not be able to satisfy a user’s abstract* expectation.
    • This set can be considered Architecturally Significant Requirements (ASR). ASR concern scenarios have the most impact on the architecture of the software system.
    • ASR are fundamental needs of the system and changing them in the future can be a costly and difficult exercise.

    *Abstract since attributes like performance and reliability are not directly measurable by a user.

    Stimulus Response Measurement Environmental Context

    For applicable use cases: (*Adapted from S Carnegie Mellon University, 2000)

    1. Determine the Stimulus (temporal, external, or internal) that puts stress on the system. For example, a VPN-accessed hospital management system is used for nurses to login at 8am every weekday.
    2. Describe how the system should Respond to the stimulus. For example, the hospital management system should complete a nurse login under 10ms on initiation of the HTTPS request.
    3. Set a Measurement criteria for determining the success of the response to the stimulus. For example, the system should be able to successfully respond to 98% of the HTTPS requests the first time.
    4. Note the environmental context under which the stimulus occurs, including any unusual conditions in effect.
    • The hospital management system needs to respond in under 10ms under typical load or peak load?
    • What is the time variance of peak loads, for example, an e-commerce system during a Black Friday sale?
    • How big is the peak load?

    Info-Tech Insight

    Three out of four is bad. Don’t architect for normal situations because the solution will be fragile and prone to catastrophic failure under unexpected events.
    Read article: Retail sites crash under weight of online Black Friday shoppers.

    Discover and evaluate the qualitative attributes needed for use cases or user stories

    Deposit Loan Into Applicant’s Bank Account

    Assume analysis is being done for a to-be developed system.

    User Loan Applicant
    Expectations On login to the web system, should be able to see accurate bank balance after loan funds are deposited.
    User signs into the online portal and opens their account balance page.
    Expected Response From System System creates a connection to the data source and renders it on the screen in under 10ms.
    Measurement Under Normal Loads:
    • Response in 10ms or less
    • Data should not be stale
    Under Peak Loads:
    • Response in 15ms or less
    • Data should not be stale
    Quality Attribute Required Required Attribute # 1: Performance
    • Design Decision: Reduce latency by placing authorization components closer to user’s location.
    Required Attribute # 2: Data Reliability
    • Design Decision: Use event-driven ETL pipelines.
    Required Attribute # 3: Scalability
    • Design Decision: Following Principle # 4 of the CSA (JIT Architecture), delay decision until necessary.

    Use cases developed in Phase 1.2 should be used here. (Adapted from the ATAM Utility Tree Method for Quality Attribute Engineering)

    Reduce technical debt while you are at it

    Deposit Loan Into Applicant’s Bank Account

    Assume analysis is being done for a to-be developed system.

    UserLoan Applicant
    ExpectationsOn login to the web system, should be able to see accurate bank balance after loan funds are deposited.
    User signs into the online portal and opens their account balance page.
    Expected Response From SystemSystem creates a connection to the data source and renders it on the screen in under 10ms.
    MeasurementUnder Normal Loads:
    • Response in 10ms or less
    • Data should not be stale
    Under Peak Loads:
    • Response in 15ms or less
    • Data should not be stale
    Quality Attribute RequiredRequired Attribute # 1: Performance
    • Design Decision: Reduce latency by placing authorization components closer to user’s location.

    Required Attribute # 2: Data Reliability

    • Expected is 15ms or less under peak loads, but average latency is 21ms.
    • Design Decision: Use event-driven ETL pipelines.

    Required Attribute # 3: Scalability

    • Data should not be stale and should sync instantaneously, but in some zip codes data synchronization is taking 8 hours.
    • Design Decision: Investigate integrations and flows across application, database, and infrastructure. (Note: A dedicated section for discussing scalability is presented in Phase 2.)

    1.3 Create a conceptual map between the value streams, use cases, and required architectural attributes

    1. For selected use cases completed in Phase 1.2:
    • Map the value stream to its associated use cases.
    • For each use case, list the required architectural quality attributes.

    Download the Solution Architecture Template for mapping value stream components to their required architectural attribute.

    Input

    • Use Cases
    • User Roles
    • Stimulus to System
    • Response From System
    • Response Measurement

    Output

    • List of Architectural Quality Attributes

    Materials

    • Whiteboard/Flip Charts

    Participants

    • Business Architect
    • Application Architect
    • Integration Architect
    • Database Architect
    • Infrastructure Architect

    Prioritize architectural quality attributes to ensure a right-engineered solution

    Trade-offs are inherent in solution architecture. Scaling systems may impact performance and weaken security, while fault-tolerance and redundancy may improve availability but at higher than desired costs. In the end, the best solution is not always perfect, but balanced and right-engineered (versus over- or under-engineered).

    Loan Provision

    Loan Application → Disbursement of Funds → Risk Management → Service Accounts

    1. Map architecture attributes against the value stream components.
    • Use individual use cases to determine which attributes are needed for a value stream component.
    This image contains a screenshot of the table showing the importance of scalability, resiliance, performance, security, and data reliability for loan application, disbursement of funds, risk management, and service accounts.

    In our example, the prioritized list of architectural attributes are:

    • Security (4 votes for Very Important)
    • Data Reliability (2 votes for Very Important)
    • Scalability (1 vote for Very Important and 1 vote for Fairly Important) and finally
    • Resilience (1 vote for Very Important, 0 votes for Fairly Important and 1 vote for Mildly Important)
    • Performance (0 votes for Very Important, 2 votes for Fairly Important)

    1.4 Create a prioritized list of architectural attributes (from 1.3)

    1. Using the tabular structure shown on the previous slide:
    • Map each value stream component against architectural quality attributes.
    • For each mapping, indicate its importance using the green, blue, and yellow color scheme.

    Download the Solution Architecture Template and document the list of architectural attributes by priority.

    Input

    • List of Architectural Attributes From 1.3

    Output

    • Prioritized List of Architectural Attributes

    Materials

    • Whiteboard/Flip Charts

    Participants

    • Business Architect
    • Application Architect
    • Integration Architect
    • Database Architect
    • Infrastructure Architect

    End of Phase 1

    At the end of this Phase, you should have completed the following activities:

    • Documented a set of dynamic value stream maps along with selected use cases.
    • Using the SRME framework, identified quality attributes for the system under investigation.
    • Prioritized quality attributes for system use cases.

    Phase 2: Multi-Purpose Data and Security Architecture

    Phase 1

    1.1 Articulate an Architectural Vision
    1.2 Develop Dynamic Value Stream Maps
    1.3 Map Value Streams, Use Cases, and Required Architectural Attributes
    1.4 Create a Prioritized List of Architectural Attributes

    Phase 2

    2.1 Develop a Data Architecture That Supports Transactional and Analytical Needs
    2.2 Document Security Architecture Risks and Mitigations

    Phase 3

    3.1 Document Scalability Architecture
    3.2 Document Performance Enhancing Architecture
    3.3 Combine the Different Architecture Design Decisions Into a Unified Solution Architecture

    This phase will walk you through the following activities:

    • Understand the scalability, performance, resilience, and security needs of the business.

    This phase involves the following participants:

    • Business Architect
    • Product Owner
    • Application Architect
    • Integration Architect
    • Database Architect
    • Enterprise Architect

    Enhance Your Solution Architecture Practice

    Fragmented data environments need something to sew them together

    • A full 93% of enterprises have a multi-cloud strategy, with 87% having a hybrid-cloud environment in place.
    • On average, companies have data stored in 2.2 public and 2.2 private clouds as well as in various on-premises data repositories.
    This image contains a breakdown of the cloud infrastructure, including single cloud versus multi-cloud.

    Source: Flexera

    In addition, companies are faced with:

    • Access and integration challenges (Who is sending the data? Who is getting it? Can we trust them?)
    • Data format challenges as data may differ for each consumer and sender of data
    • Infrastructure challenges as data repositories/processors are spread out over public and private clouds, are on premises, or in multi-cloud and hybrid ecosystems
    • Structured vs. unstructured data

    A robust and reliable integrated data architecture is essential for any organization that aspires to be relevant and impactful in its industry.

    Data’s context and influence on a solution’s architecture cannot be overestimated

    Data used to be the new oil. Now it’s the life force of any organization that has serious aspirations of providing profit-generating products and services to customers. Architectural decisions about managing data have a significant impact on the sustainability of a software system as well as on quality attributes such as security, scalability, performance, and availability.

    Storage and Processing go hand in hand and are the mainstay of any data architecture. Due to their central position of importance, an architecture decision for storage and processing must be well thought through or they become the bottleneck in an otherwise sound system.

    Ingestion refers to a system’s ability to accept data as an input from heterogenous sources, in different formats, and at different intervals.

    Dissemination is the set of architectural design decisions that make a system’s data accessible to external consumers. Major concerns involve security for the data in motion, authorization, data format, concurrent requests for data, etc.

    Orchestration takes care of ensuring data is current and reliable, especially for systems that are decentralized and distributed.

    Data architecture requires alignment with a hybrid data management plan

    Most companies have a combination of data. They have data they own using on-premises data sources and on the cloud. Hybrid data management also includes external data, such as social network feeds, financial data, and legal information amongst many others.

    Data integration architectures have typically been put in one of two major integration patterns:

    Application to Application Integration (or “speed matters”) Analytical Data Integrations (or “send it to me when its all done”)
    • This domain is concerned with ensuring communication between processes.
    • Examples include patterns such as Service-Oriented Architecture, REST, Event Hubs and Enterprise Service Buses.
    • This domain is focused on integrating data from transactional processes towards enterprise business intelligence. It supports activities that require well-managed data to generate evidence-based insights.
    • Examples of this pattern are ELT, enterprise data warehouses, and data marts.

    Sidebar

    Difference between real-time, batch, and streaming data movements

    Real-Time

    • Reacts to data in seconds or even quicker.
    • Real-time systems are hard to implement.

    Batch

    • Batch processing deals with a large volume of data all at once and data-related jobs are typically completed simultaneously in non-stop, sequential order.
    • Batch processing is an efficient and low-cost means of data processing.
    • Execution of batch processing jobs can be controlled manually, providing further control over how the system treats its data assets.
    • Batch processing is only useful if there are no requirements for data to be fresh and current. Real-time systems are suited to processing data that requires these attributes.

    Streaming

    • Stream processing allows almost instantaneous analysis of data as it streams from one device to another.
    • Since data is analyzed quickly, storage may not be a concern (since only computed data is stored while raw data can be dispersed).
    • Streaming requires the flow of data into the system to equal the flow of data computing, otherwise issues of data storage and performance can rise.

    Modern data ingestion and dissemination frameworks keep core data assets current and accessible

    Data ingestion and dissemination frameworks are critical for keeping enterprise data current and relevant.

    Data ingestion/dissemination frameworks capture/share data from/to multiple data sources.

    Factors to consider when designing a data ingestion/dissemination architecture

    What is the mode for data movement?

    • The mode for data movement is directly influenced by the size of data being moved and the downstream requirements for data currency.
    • Data can move in real-time, as a batch, or as a stream.

    What is the ingestion/dissemination architecture deployment strategy?

    • Outside of critical security concerns, hosting on the cloud vs. on premises leads to a lower total cost of ownership (TCO) and a higher return on investment (ROI).

    How many different and disparate data sources are sending/receiving data?

    • Stability comes if there is a good idea about the data sources/recipient and their requirements.

    What are the different formats flowing through?

    • Is the data in the form of data blocks? Is it structured, semi-unstructured, or unstructured?

    What are expected performance SLAs as data flow rate changes?

    • Data change rate is defined as the size of changes occurring every hour. It helps in selecting the appropriate tool for data movement.
    • Performance is a derivative of latency and throughput, and therefore, data on a cloud is going to have higher latency and lower throughput then if it is kept on premises.
    • What is the transfer data size? Are there any file compression and/or file splits applied on the data? What is the average and maximum size of a block object per ingestion/dissemination operation?

    What are the security requirements for the data being stored?

    • The ingestion/dissemination framework should be able to work through a secure tunnel to collect/share data if needed.

    Sensible storage and processing strategy can improve performance and scalability and be cost-effective

    The range of options for data storage is staggering...

    … but that’s a good thing because the range of data formats that organizations must deal with is also richer than in the past.

    Different strokes for different workloads.

    The data processing tool to use may depend upon the workloads the system has to manage.

    Expanding upon the Risk Management use case (as part of the Loan Provision Capability), one of the outputs for risk assessment is a report that conducts a statistical analysis of customer profiles and separates those that are possibly risky. The data for this report is spread out across different data systems and will need to be collected in a master data management storage location. The business and data architecture team have discussed three critical system needs, noted below:

    Data Management Requirements for Risk Management Reporting Data Design Decision
    Needs to query millions of relational records quickly
    • Strong indexing
    • Strong caching
    • Message queue
    Needs a storage space for later retrieval of relational data
    • Data storage that scales as needed
    Needs turnkey geo-replication mechanism with document retrieval in milliseconds
    • Add NoSQL with geo-replication and quick document access

    Keep every core data source on the same page through orchestration

    Data orchestration, at its simplest, is the combination of data integration, data processing, and data concurrency management.

    Data pipeline orchestration is a cross-cutting process that manages the dependencies between your data integration tasks and scheduled data jobs.

    A task or application may periodically fail, and therefore, as a part of our data architecture strategy, there must be provisions for scheduling, rescheduling, replaying, monitoring, retrying, and debugging the entire data pipeline in a holistic way.

    Some of the functionality provided by orchestration frameworks are:

    • Job scheduling
    • Job parametrization
    • SLAs tracking, alerting, and notification
    • Dependency management
    • Error management and retries
    • History and audit
    • Data storage for metadata
    • Log aggregation
    Data Orchestration Has Three Stages
    Organize Transform Publicize
    Organizations may have legacy data that needs to be combined with new data. It’s important for the orchestration tool to understand the data it deals with. Transform the data from different sources into one standard type. Make transformed data easily accessible to stakeholders.

    2.1 Discuss and document data architecture decisions

    1. Using the value maps and associated use cases from Phase 1, determine the data system quality attributes.
    2. Use the sample tabular layout on the next slide or develop one of your own.

    Download the Solution Architecture Template for documenting data architecture decisions.

    Input

    • Value Maps and Use Cases

    Output

    • Initial Set of Data Design Decisions

    Materials

    • Whiteboard/Flip Charts

    Participants

    • Business Architect
    • Application Architect
    • Integration Architect
    • Database Architect
    • Infrastructure Architect

    Example: Data Architecture

    Data Management Requirements for Risk Management Reporting Data Design Decision
    Needs to query millions of relational records quickly
    • Strong indexing
    • Strong caching
    • Message queue
    Needs a storage space for later retrieval of relational data
    • Data storage that scales as needed
    Needs turnkey geo-replication mechanism with document retrieval in milliseconds
    • Add NoSQL with geo-replication and quick document access

    There is no free lunch when making the most sensible security architecture decision; tradeoffs are a necessity

    Ensuring that any real system is secure is a complex process involving tradeoffs against other important quality attributes (such as performance and usability). When architecting a system, we must understand:

    • Its security needs.
    • Its security threat landscape.
    • Known mitigations for those threats to ensure that we create a system with sound security fundamentals.

    The first thing to do when determining security architecture is to conduct a threat and risk assessment (TRA).

    This image contains a sample threat and risk assessment. The steps are Understand: Until we thoroughly understand what we are building, we cannot secure it. Structure what you are building, including: System boundary, System structure, Databases, Deployment platform; Analyze: Use techniques like STRIDE and attack trees to analyze what can go wrong and what security problems this will cause; Mitigate: The security technologies to use, to mitigate your concerns, are discussed here. Decisions about using single sign-on (SSO) or role-based access control (RBAC), encryption, digital signatures, or JWT tokens are made. An important part of this step is to consider tradeoffs when implementing security mechanisms; validate: Validation can be done by experimenting with proposed mitigations, peer discussion, or expert interviews.

    Related Research

    Optimize Security Mitigation Effectiveness Using STRIDE

    • Have a clear picture of:
      • Critical data and data flows
      • Organizational threat exposure
      • Security countermeasure deployment and coverage
    • Understand which threats are appropriately mitigated and which are not.
    • Generate a list of initiatives to close security gaps.
    • Create a quantified risk and security model to reassess program and track improvement.
    • Develop measurable information to present to stakeholders.

    The 3A’s of strong security: authentication, authorization, and auditing

    Authentication

    Authentication mechanisms help systems verify that a user is who they claim to be.

    Examples of authentication mechanisms are:

    • Two-Factor Authentication
    • Single Sign-On
    • Multi-Factor Authentication
    • JWT Over OAUTH

    Authorization

    Authorization helps systems limit access to allowed features, once a user has been authenticated.

    Examples of authentication mechanisms are:

    • RBAC
    • Certificate Based
    • Token Based

    Auditing

    Securely recording security events through auditing proves that our security mechanisms are working as intended.

    Auditing is a function where security teams must collaborate with software engineers early and often to ensure the right kind of audit logs are being captured and recorded.

    Info-Tech Insight

    Defects in your application software can compromise privacy and integrity even if cryptographic controls are in place. A security architecture made after thorough TRA does not override security risk introduced due to irresponsible software design.

    Examples of threat and risk assessments using STRIDE and attack trees

    STRIDE is a threat modeling framework and is composed of:

    • Spoofing or impersonation of someone other than oneself
    • Tampering with data and destroying its integrity
    • Repudiation by bypassing system identity controls
    • Information disclosure to unauthorized persons
    • Denial of service that prevents system or parts of it from being used
    • Elevation of privilege so that attackers get rights they should not have
    Example of using STRIDE for a TRA on a solution using a payment system This image contains a sample attack tree.
    Spoofing PayPal Bad actor can send fraudulent payment request for obtaining funds.
    Tampering PayPal Bad actor accesses data base and can resend fraudulent payment request for obtaining funds.
    Repudiation PayPal Customer claims, incorrectly, their account made a payment they did not authorize.
    Disclosure PayPal Private service database has details leaked and made public.
    Denial of Service PayPal Service is made to slow down through creating a load on the network, causing massive build up of requests
    Elevation of Privilege PayPal Bad actor attempts to enter someone else’s account by entering incorrect password a number of times.

    2.2 Document security architecture risks and mitigations

    1. Using STRIDE, attack tree, or any other framework of choice:
    • Conduct a TRA for use cases identified in Phase 1.2
  • For each threat identified through the TRA, think through the implications of using authentication, authorization, and auditing as a security mechanism.
  • Download the Solution Architecture Template for documenting data architecture decisions.

    Input

    • Dynamic Value Stream Maps

    Output

    • Security Architecture Risks and Mitigations

    Materials

    • Whiteboard/Flip Charts

    Participants

    • Business Architect
    • Product Owner
    • Security Team
    • Application Architect
    • Integration Architect

    Examples of threat and risk assessments using STRIDE

    Example of using STRIDE for a TRA on a solution using a payment system
    Threat System Component Description Quality Attribute Impacted Resolution
    Spoofing PayPal Bad actor can send fraudulent payment request for obtaining funds. Confidentiality Authorization
    Tampering PayPal Bad actor accesses data base and can resend fraudulent payment request for obtaining funds. Integrity Authorization
    Repudiation PayPal Customer claims, incorrectly, their account made a payment they did not authorize. Integrity Authentication and Logging
    Disclosure PayPal Private service database has details leaked and made public. Confidentiality Authorization
    Denial of Service PayPal Service is made to slow down through creating a load on the network, causing massive build up of requests Availability N/A
    Elevation of Privilege PayPal Bad actor attempts to enter someone else’s account by entering incorrect password a number of times. Confidentiality, Integrity, and Availability Authorization

    Phase 3: Upgrade Your System’s Availability

    Phase 1

    1.1 Articulate an Architectural Vision
    1.2 Develop Dynamic Value Stream Maps
    1.3 Map Value Streams, Use Cases, and Required Architectural Attributes
    1.4 Create a Prioritized List of Architectural Attributes

    Phase 2

    2.1 Develop a Data Architecture That Supports Transactional and Analytical Needs
    2.2 Document Security Architecture Risks and Mitigations

    Phase 3

    3.1 Document Scalability Architecture
    3.2 Document Performance Enhancing Architecture
    3.3 Combine the Different Architecture Design Decisions Into a Unified Solution Architecture

    This phase will walk you through the following activities:

    • Examine architecture for scalable and performant system designs
    • Integrate all design decisions made so far into a solution design decision log

    This phase involves the following participants:

    • Business Architect
    • Product Owner
    • Application Architect
    • Integration Architect
    • Database Architect
    • Enterprise Architect

    Enhance Your Solution Architecture Practice

    In a cloud-inspired system architecture, scalability takes center stage as an architectural concern

    Scale and scope of workloads are more important now than they were, perhaps, a decade and half back. Architects realize that scalability is not an afterthought. Not dealing with it at the outset can have serious consequences should an application workload suddenly exceed expectations.

    Scalability is …

    … the ability of a system to handle varying workloads by either increasing or decreasing the computing resources of the system.

    An increased workload could include:

    • Higher transaction volumes
    • A greater number of users

    Architecting for scalability is …

    … not easy since organizations may not be able to accurately judge, outside of known circumstances, when and why workloads may unexpectedly increase.

    A scalable architecture should be planned at the:

    • Application Level
    • Infrastructure Level
    • Database Level

    The right amount and kind of scalability is …

    … balancing the demands of the system with the supply of attributes.

    If demand from system > supply from system:

    • Services and products are not useable and deny value to customers.

    If supply from system > demand from system:

    • Excess resources have been paid for that are not being used.

    When discussing the scalability needs of a system, investigate the following, at a minimum:

    • In case workloads increase due to higher transaction volumes, will the system be able to cope with the additional stress?
    • In situations where workloads increase, will the system be able to support the additional stress without any major modifications being made to the system?
    • Is the cost associated with handling the increased workloads reasonable for the benefit it provides to the business?
    • Assuming the system doesn’t scale, is there any mechanism for graceful degradation?

    Use evidence-based decision making to ensure a cost-effective yet appropriate scaling strategy

    The best input for an effective scaling strategy is previously gathered traffic data mapped to specific circumstances.

    In some cases, either due to lack of monitoring or the business not being sure of its needs, scalability requirements are hard to determine. In such cases, use stated tactical business objectives to design for scalability. For example, the business might state its desire to achieve a target revenue goal. To accommodate this, a certain number of transactions would need to be conducted, assuming a particular conversion rate.

    Scaling strategies can be based on Vertical or Horizontal expansion of resources.
    Pros Cons
    Vertical
    Scale up through use of more powerful but limited number of resources
    • May not require frequent upgrades.
    • Since data is managed through a limited number of resources, it is easier to share and keep current.
    • Costly upfront.
    • Application, database, and infrastructure may not be able to make optimal use of extra processing power.
    • As the new, more powerful resource is provisioned, systems may experience downtime.
    • Lacks redundancy due to limited points of failure.
    • Performance is constrained by the upper limits of the infrastructure involved.
    Horizontal
    Scale out through use of similarly powered but larger quantity of resources
    • Cost-effective upfront.
    • System downtime is minimal, when scaling is being performed.
    • More redundance and fault-tolerance is possible since there are many nodes involved, and therefore, can replace failed nodes.
    • Performance can scale out as more nodes are added.
    • Upgrades may occur more often than in vertical scaling.
    • Increases machine footprints and administrative costs over time.
    • Data may be partitioned on multiple nodes, leading to administrative and data currency challenges.

    Info-Tech Insight

    • Scalability is the one attribute that sparks a lot of trade-off discussions. Scalable solutions may have to compromise on performance, cost, and data reliability.
    • Horizontal scalability is mostly always preferable over vertical scalability.

    Sidebar

    The many flavors of horizontal scaling

    Traffic Shard-ing

    Through this mechanism, incoming traffic is partitioned around a characteristic of the workload flowing in. Examples of partitioning characteristics are user groups, geo-location, and transaction type.

    Beware of:

    • Lack of data currency across shards.

    Copy and Paste

    As the name suggests, clone the compute resources along with the underlying databases. The systems will use a load balancer as the first point of contact between itself and the workload flowing in.

    Beware of:

    • Though this is a highly scalable model, it does introduce risks related to data currency across all databases.
    • In case master database writes are frequent, it could become a bottleneck for the entire system.

    Productization Through Containers

    This involves breaking up the system into specific functions and services and bundling their business rules/databases into deployable containers.

    Beware of:

    • Too many containers introduce the need to orchestrate the distributed architecture that results from a service-oriented approach.

    Start a scalability overview with a look at the database(s)

    To know where to go, you must know where you are. Before introducing architectural changes to database designs, use the right metrics to get an insight into the root cause of the problem(s).

    In a nutshell, the purpose of scaling solutions is to have the technology stack do less work for the most requested services/features or be able to effectively distribute the additional workload across multiple resources.

    For databases, to ensure this happens, consider these techniques:

    • Reuse data through caching on the server and/or the client. This eliminates the need for looking up already accessed data. Examples of caching are:
      • In-memory caching of data
      • Caching database queries
    • Implement good data retrieval techniques like indexes.
    • Divide labor at the database level.
      • Through setting up primary-secondary distribution of data. In such a setup, the primary node is involved in writing data to itself and passes on requests to secondary nodes for fulfillment.
      • Through setting up database shards (either horizontally or vertically).
        • In a horizontal shard, a data table is broken into smaller pieces with the same data model but unique data in it. The sum total of the shared databases contains all the data in the primary data table.
        • In a vertical shard, a data table is broken into smaller pieces, but each piece may have a subset of the data columns. The data’s corresponding columns are put into the table where the column resides.

    Info-Tech Insight

    A non-scalable architecture has more than just technology-related ramifications. Hoping that load balancers or cloud services will manage scalability-related issues is bound to have economic impacts as well.

    Sidebar

    Caching Options

    CSA PRINCIPLE 5 applies to any decision that supports system scalability.
    “X-ilities Over Features”

    Database Caching
    Fetches and stores result of database queries in memory. Subsequent requests to the database for the same queries will investigate the cache before making a connection with the database.
    Tools like Memcached or Redis are used for database caching.

    Precompute Database Caching
    Unlike database caching, this style of caching precomputes results of queries that are popular and frequently used. For example, a database trigger could execute several predetermined queries and have them ready for consumption. The precomputed results may be stored in a database cache.

    Application Object Caching
    Stores computed results in a cache for later retrieval. For data sources, which are not changing frequently and are part of a computation output, application caching will remove the need to connect with a database.

    Proxy Caching
    Caches retrieved web pages on a proxy server and makes them available for the next time the page is requested.

    The intra- and inter-process communication of the systems middle tier can become a bottleneck

    To synchronize or not to synchronize?

    A synchronous request (doing one thing at a time) means that code execution will wait for the request to be responded to before continuing.

    • A synchronous request is a blocking event and until it is completed, all following requests will have to wait for getting their responses.
    • An increasing workload on a synchronous system may impact performance.
    • Synchronous interactions are less costly in terms of design, implementation, and maintenance.
    • Scaling options include:
    1. Vertical scale up
    2. Horizontal scale out of application servers behind a load balancer and a caching technique (to minimize data retrieval roundtrips)
    3. Horizonal scale out of database servers with data partitioning and/or data caching technique

    Use synchronous requests when…

    • Each request to a system sets the necessary precondition for a following request.
    • Data reliability is important, especially in real-time systems.
    • System flows are simple.
    • Tasks that are typically time consuming, such as I/O, data access, pre-loading of assets, are completed quickly.

    Asynchronous requests (doing many things at the same time) do not block the system they are targeting.

    • It is a “fire and forget” mechanism.
    • Execution on a server/processor is triggered by the request, however, additional technical components (callbacks) for checking the state of the execution must be designed and implemented.
    • Asynchronous interactions require additional time to be spent on implementation and testing.
    • With asynchronous interactions, there is no guarantee the request initiated any processing until the callbacks check the status of the executed thread.

    Use asynchronous requests when…

    • Tasks are independent in nature and don’t require inter-task communication.
    • Systems flows need to be efficient.
    • The system is using event-driven techniques for processing.
    • Many I/O tasks are involved.
    • The tasks are long running.

    Sidebar

    Other architectural tactics for inter-process communication

    STATELESS SERVICES VERSUS STATEFUL SERVICES
    • Does not require any additional data, apart from the bits sent through with the request.
    • Without implementing a caching solution, it is impossible to access the previous data trail for a transaction session.
    • In addition to the data sent through with the request, require previous data sent to complete processing.
    • Requires server memory to store the additional state data. With increasing workloads, this could start impacting the server’s performance.
    It is generally accepted that stateless services are better for system scalability, especially if vertical scaling is costly and there is expectation that workloads will increase.
    MICROSERVICES VERSUS SERVERLESS FUNCTIONS
    • Services are designed as small units of code with a single responsibility and are available on demand.
    • A microservices architecture is easily scaled horizontally by adding a load balancer and a caching mechanism.
    • Like microservices, these are small pieces of code designed to fulfill a single purpose.
    • Are provided only through cloud vendors, and therefore, there is no need to worry about provisioning of infrastructure as needs increase.
    • Stateless by design but the life cycle of a serverless function is vendor controlled.
    Serverless function is an evolving technology and tightly controlled by the vendor. As and when vendors make changes to their serverless products, your own systems may need to be modified to make the best use of these upgrades.

    A team that does not measure their system’s scalability is a team bound to get a 5xx HTTP response code

    A critical aspect of any system is its ability to monitor and report on its operational outcomes.

    • Using the principle of continuous testing, every time an architectural change is introduced, a thorough load and stress testing cycle should be executed.
    • Effective logging and use of insightful metrics helps system design teams make data-driven decisions.
    • Using principle of site reliability engineering and predictive analytics, teams can be prepared for any unplanned exaggerated stimulus on the system and proactively set up remedial steps.

    Any system, however well architected, will break one day. Strategically place kill-switches to counter any failures and thoroughly test their functioning before releasing to production.

    • Using Principles 2 and 9 of the CSA, (include kill-switches and architect for x-ilities over features), introduce tactics at the code and higher levels that can be used to put a system in its previous best state in case of failure.
    • Examples of such tactics are:
      • Feature flags for turning on/off code modules that impact x-ilities.
      • Implement design patterns like throttling, autoscaling, and circuit breaking.
      • Writing extensive log messages that bubble up as exceptions/error handling from the code base. *Logging can be a performance drag. Use with caution as even logging code is still code that needs CPU and data storage.

    Performance is a system’s ability to satisfy time-bound expectations

    Performance can also be defined as the ability for a system to achieve its timing requirements, using available resources, under expected full-peak load:

    (International Organization for Standardization, 2011)

    • Performance and scalability are two peas in a pod. They are related to each other but are distinct attributes. Where scalability refers to the ability of a system to initiate multiple simultaneous processes, performance is the system’s ability to complete the processes within a mandated average time period.
    • Degrading performance is one of the first red flags about a system’s ability to scale up to workload demands.
    • Mitigation tactics for performance are very similar to the tactics for scalability.

    System performance needs to be monitored and measured consistently.

    Measurement Category 1: System performance in terms of end-user experience during different load scenarios.

    • Response time/latency: Length of time it takes for an interaction with the system to complete.
    • Turnaround time: Time taken to complete a batch of tasks.
    • Throughput: Amount of workload a system is capable of handling in a unit time period.

    Measurement Category 2: System performance in terms of load managed by computational resources.

    • Resource utilization: The average usage of a resource (like CPU) over a period. Peaks and troughs indicate excess vs. normal load times.
    • Number of concurrent connections: Simultaneous user requests that a resource like a server can successfully deal with at once.
    • Queue time: The turnaround time for a specific interaction or category of interactions to complete.

    Architectural tactics for performance management are the same as those used for system scalability

    Application Layer

    • Using a balanced approach that combines CSA Principle 7 (Good architecture comes in small packages) and Principle 10 (Architect for products, not projects), a microservices architecture based on domain-driven design helps process performance. Microservices use lightweight HTTP protocols and have loose coupling, adding a degree of resilience to the system as well. *An overly-engineered microservices architecture can become an orchestration challenge.
    • The code design must follow standards that support performance. Example of standards is SOLID*.
    • Serverless architectures can run application code from anywhere – for example, from edge servers close to an end user – thereby reducing latency.

    Database Layer

    • Using the right database technologies for persistence. Relational databases have implicit performance bottlenecks (which get exaggerated as data size grows along with indexes), and document store database technologies (key-value or wide-column) can improve performance in high-read environments.
    • Data sources, especially those that are frequently accessed, should ideally be located close to the application servers. Hybrid infrastructures (cloud and on premises mixed) can lead to latency when a cloud-application is accessing on-premises data.
    • Using a data partitioning strategy, especially in a domain-driven design architecture, can improve the performance of a system.

    Performance modeling and continuous testing makes the SRE a happy engineer

    Performance modeling and testing helps architecture teams predict performance risks as the solution is being developed.
    (CSA Principle 12: Test the solution architecture like you test your solution’s features)

    Create a model for your system’s hypothetical performance testing by breaking an end-to-end process or use case into its components. *Use the SIPOC framework for decomposition.

    This image contains an example of modeled performance, showing the latency in the data flowing from different data sources to the processing of the data.

    In the hypothetical example of modeled performance above:

    • The longest period of latency is 15ms.
    • The processing of data takes 30ms, while the baseline was established at 25ms.
    • Average latency in sending back user responses is 21ms – 13ms slower than expected.

    The model helps architects:

    • Get evidence for their assumptions
    • Quantitatively isolate bottlenecks at a granular level

    Model the performance flow once but test it periodically

    Performance testing measures the performance of a software system under normal and abnormal loads.

    Performance testing process should be fully integrated with software development activities and as automated as possible. In a fast-moving Agile environment, teams should attempt to:

    • Shift-left performance testing activities.
    • Use performance testing to pinpoint performance bottlenecks.
    • Take corrective action, as quickly as possible.

    Performance testing techniques

    • Normal load testing: Verifies the system’s behavior under the expected normal load to ensure that its performance requirements are met. Load testing can be used to measure response time, responsiveness, turnaround time, and throughput.
    • Expected maximum load testing: Like the normal load testing process, ensures system meets its performance requirements under expected maximum load.
    • Stress testing: Evaluates system behavior when processing loads beyond the expected maximum.

    *In a real production scenario, a combination of these tests are executed on a regular basis to monitor the performance of the system over a given period.

    3.1-3.2 Discuss and document initial decisions made for architecture scalability and performance

    1. Use the outcomes from either or both Phases 1.3 and 1.4.
    • For each value stream component, list the architecture decisions taken to ensure scalability and performance at client-facing and/or business-rule layers.

    Download the Solution Architecture Template for documenting data architecture decisions.

    Input

    • Output From Phase 1.3 and/or From Phase 1.4

    Output

    • Initial Set of Design Decisions Made for System Scalability and Performance

    Materials

    • Whiteboard/Flip Charts

    Participants

    • Business Architect
    • Application Architect
    • Integration Architect
    • Database Architect
    • Infrastructure Architect

    Example: Architecture decisions for scalability and performance

    Value Stream Component Design Decision for User Interface Layer Design Decisions for Middle Processing Layer
    Loan Application Scalability: N/A
    Resilience: Include circuit breaker design in both mobile app and responsive websites.
    Performance: Cache data client.
    Scalability: Scale vertically (up) since loan application processing is very compute intensive.
    Resilience: Set up fail-over replica.
    Performance: Keep servers in the same geo-area.
    Disbursement of Funds *Does not have a user interface Scalability: Scale horizontal when traffic reaches X requests/second.
    Resilience: Create microservices using domain-driven design; include circuit breakers.
    Performance: Set up application cache; synchronous communication since order of data input is important.
    …. …. ….

    3.3 Combine the different architecture design decisions into a unified solution architecture

    Download the Solution Architecture Template for documenting data architecture decisions.

    Input

    • Output From Phase 1.3 and/or From Phase 1.4
    • Output From Phase 2.1
    • Output From Phase 2.2
    • Output From 3.1 and 3.2

    Output

    • List of Design Decisions for the Solution

    Materials

    • Whiteboard/Flip Charts

    Participants

    • Business Architect
    • Application Architect
    • Integration Architect
    • Database Architect
    • Infrastructure Architect

    Putting it all together is the bow that finally ties this gift

    This blueprint covered the domains tagged with the yellow star.

    This image contains a screenshot of the solution architecture framework found earlier in this blueprint, with stars next to Data Architecture, Security, Performance, and Stability.

    TRADEOFF ALERT

    The right design decision is never the same for all perspectives. Along with varying opinions, comes the “at odds with each other set” of needs (scalability vs. performance, or access vs. security).

    An evidence-based decision-making approach using a domain-driven design strategy is a good mix of techniques for creating the best (right?) solution architecture.

    This image contains a screenshot of a table that summarizes the themes discussed in this blueprint.

    Summary of accomplishment

    • Gained understanding and clarification of the stakeholder objectives placed on your application architecture.
    • Completed detailed use cases and persona-driven scenario analysis and their architectural needs through SRME.
    • Created a set of design decisions for data, security, scalability, and performance.
    • Merged the different architecture domains dealt with in this blueprint to create a holistic view.

    Bibliography

    Ambysoft Inc. “UML 2 Sequence Diagrams: An Agile Introduction.” Agile Modeling, n.d. Web.

    Bass, Len, Paul Clements, and Rick Kazman. Software Architecture in Practices: Third Edition. Pearson Education, Inc. 2003.

    Eeles, Peter. “The benefits of software architecting.” IBM: developerWorks, 15 May 2006. Web.

    Flexera 2020 State of the Cloud Report. Flexera, 2020. Web. 19 October 2021.

    Furdik, Karol, Gabriel Lukac, Tomas Sabol, and Peter Kostelnik. “The Network Architecture Designed for an Adaptable IoT-based Smart Office Solution.” International Journal of Computer Networks and Communications Security, November 2013. Web.

    Ganzinger, Matthias, and Petra Knaup. “Requirements for data integration platforms in biomedical research networks: a reference model.” PeerJ, 5 February 2015. (https://peerj.com/articles/755/).

    Garlan, David, and Mary Shaw. An Introduction to Software Architecture. CMU-CS-94-166, School of Computer Science Carnegie Mellon University, January 1994.

    Gupta, Arun. “Microservice Design Patterns.” Java Code Geeks, 14 April 2015. Web.

    How, Matt. The Modern Data Warehouse in Azure. O’Reilly, 2020.

    ISO/IEC 17788:2014: Information technology – Cloud computing, International Organization for Standardization, October 2014. Web.

    ISO/IEC 18384-1:2016: Information technology – Reference Architecture for Service Oriented Architecture (SOA RA), International Organization for Standardization, June 2016. Web.

    ISO/IEC 25010:2011(en) Systems and software engineering — Systems and software Quality Requirements and Evaluation (SQuaRE) — System and software quality models. International Organization for Standardization, March 2011. Web.

    Kazman, R., M. Klein, and P. Clements. ATAM: Method for Architecture Evaluation. S Carnegie Mellon University, August 2000. Web.

    Microsoft Developer Network. “Chapter 16: Quality Attributes.” Microsoft Application Architecture Guide. 2nd Ed., 13 January 2010. Web.

    Microsoft Developer Network. “Chapter 2: Key Principles of Software Architecture.” Microsoft Application Architecture Guide. 2nd Ed., 13 January 2010. Web.

    Microsoft Developer Network. “Chapter 3: Architectural Patterns and Styles.” Microsoft Application Architecture Guide. 2nd Ed., 14 January 2010. Web.

    Microsoft Developer Network. “Chapter 5: Layered Application Guidelines.” Microsoft Application Architecture Guide. 2nd Ed., 13 January 2010. Web.

    Mirakhorli, Mehdi. “Common Architecture Weakness Enumeration (CAWE).” IEEE Software, 2016. Web.

    Moore, G. A. Crossing the Chasm, 3rd Edition: Marketing and Selling Disruptive Products to Mainstream Customers (Collins Business Essentials) (3rd ed.). Harper Business, 2014.

    OASIS. “Oasis SOA Reference Model (SOA RM) TC.” OASIS Open, n.d. Web.

    Soni, Mukesh. “Defect Prevention: Reducing Costs and Enhancing Quality.” iSixSigma, n.d. Web.

    The Open Group. TOGAF 8.1.1 Online, Part IV: Resource Base, Developing Architecture Views. TOGAF, 2006. Web.

    The Open Group. Welcome to the TOGAF® Standard, Version 9.2, a standard of The Open Group. TOGAF, 2018. Web.

    Watts, S. “The importance of solid design principles.” BMC Blogs, 15 June 2020. 19 October 2021.

    Young, Charles. “Hexagonal Architecture–The Great Reconciler?” Geeks with Blogs, 20 Dec 2014. Web.

    APPENDIX A

    Techniques to enhance application architecture.

    Consider the numerous solutions to address architecture issues or how they will impact your application architecture

    Many solutions exist for improving the layers of the application stack that may address architecture issues or impact your current architecture. Solutions range from capability changes to full stack replacement.

    Method Description Potential Benefits Risks Related Blueprints
    Business Capabilities:
    Enablement and enhancement
    • Introduce new business capabilities by leveraging unused application functionalities or consolidate redundant business capabilities.
    • Increase value delivery to stakeholders.
    • Lower IT costs through elimination of applications.
    • Increased use of an application could overload current infrastructure.
    • IT cannot authorize business capability changes.
    Use Info-Tech’s Document Your Business Architecture blueprint to gain better understanding of business and IT alignment.
    Removal
    • Remove existing business capabilities that don’t contribute value to the business.
    • Lower operational costs through elimination of unused and irrelevant capabilities.
    • Business capabilities may be seen as relevant or critical by different stakeholder groups.
    • IT cannot authorize business capability changes.
    Use Info-Tech’s Build an Application Rationalization Framework to rationalize your application portfolio.
    Business Process:
    Process integration and consolidation
    • Combine multiple business processes into a single process.
    • Improved utilization of applications in each step of the process.
    • Reduce business costs through efficient business processes.
    • Minimize number of applications required to execute a single process.
    • Significant business disruption if an application goes down and is the primary support for business processes.
    • Organizational pushback if process integration involves multiple business groups.
    Business Process (continued):
    Process automation
    • Automate manual business processing tasks.
    • Reduce manual processing errors.
    • Improve speed of delivery.
    • Significant costs to implement automation.
    • Automation payoffs are not immediate.
    Lean business processes
    • Eliminate redundant steps.
    • Streamline existing processes by focusing on value-driven steps.
    • Improve efficiency of business process through removal of wasteful steps.
    • Increase value delivered at the end of the process.
    • Stakeholder pushback from consistently changing processes.
    • Investment from business is required to fit documentation to the process.
    Outsource the process
    • Outsource a portion of or the entire business process to a third party.
    • Leverage unavailable resources and skills to execute the business process.
    • Loss of control over process.
    • Can be costly to bring the process back into the business if desired in the future.
    Business Process (continued):
    Standardization
    • Implement standards for business processes to improve uniformity and reusability.
    • Consistently apply the same process across multiple business units.
    • Transparency of what is expected from the process.
    • Improve predictability of process execution.
    • Process bottlenecks may occur if a single group is required to sign off on deliverables.
    • Lack of enforcement and maintenance of standards can lead to chaos if left unchecked.
    User Interface:
    Improve user experience (UX)
    • Eliminate end-user emotional, mechanical, and functional friction by improving the experience of using the application.
    • UX encompasses both the interface and the user’s behavior.
    • Increase satisfaction and adoption rate from end users.
    • Increase brand awareness and user retention.
    • UX optimizations are only focused on a few user personas.
    • Current development processes do not accommodate UX assessments
    Code:
    Update coding language
    Translate legacy code into modern coding language.
    • Coding errors in modern languages can have lesser impact on the business processes they support.
    • Modern languages tend to have larger pools of coders to hire.
    • Increase availability of tools to support modern languages.
    • Coding language changes can create incompatibilities with existing infrastructure.
    • Existing coding translation tools do not offer 100% guarantee of legacy function retention.
    Code (continued):
    Open source code
    • Download pre-built code freely available in open source communities.
    • Code is rapidly evolving in the community to meet current business needs.
    • Avoid vendor lock-in from proprietary software
    • Community rules may require divulgence of work done with open source code.
    • Support is primarily provided through community, which may not address specific concerns.
    Update the development toolchain
    • Acquire new or optimize development tools with increased testing, build, and deployment capabilities.
    • Increase developer productivity.
    • Increase speed of delivery and test coverage with automation.
    • Drastic IT overhauls required to implement new tools such as code conversion, data migration, and development process revisions.
    Update source code management
    • Optimize source code management to improve coding governance, versioning, and development collaboration.
    • Ability to easily roll back to previous build versions and promote code to other environments.
    • Enable multi-user development capabilities.
    • Improve conflict management.
    • Some source code management tools cannot support legacy code.
    • Source code management tools may be incompatible with existing development toolchain.
    Data:
    Outsource extraction
    • Outsource your data analysis and extraction to a third party.
    • Lower costs to extract and mine data.
    • Leverage unavailable resources and skills to translate mined data to a usable form.
    • Data security risks associated with off-location storage.
    • Data access and control risks associated with a third party.
    Update data structure
    • Update your data elements, types (e.g. transactional, big data), and formats (e.g. table columns).
    • Standardize on a common data definition throughout the entire organization.
    • Ease data cleansing, mining, analysis, extraction, and management activities.
    • New data structures may be incompatible with other applications.
    • Implementing data management improvements may be costly and difficult to acquire stakeholder buy-in.
    Update data mining and data warehousing tools
    • Optimize how data is extracted and stored.
    • Increase the speed and reliability of the data mined.
    • Perform complex analysis with modern data mining and data warehousing tools.
    • Data warehouses are regularly updated with the latest data.
    • Updating data mining and warehousing tools may create incompatibilities with existing infrastructure and data sets.
    Integration:
    Move from point-to-point to enterprise service bus (ESB)
    • Change your application integration approach from point-to-point to an ESB.
    • Increase the scalability of enterprise services by exposing applications to a centralized middleware.
    • Reduce the number of integration tests to complete with an ESB.
    • Single point of failure can cripple the entire system.
    • Security threats arising from centralized communication node.
    Leverage API integration
    • Leverage application programming interfaces (APIs) to integrate applications.
    • Quicker and more frequent transfers of lightweight data compared to extract, load, transfer (ETL) practices.
    • Increase integration opportunities with other modern applications and infrastructure (including mobile devices).
    • APIs are not as efficient as ETL when handling large data sets.
    • Changing APIs can break compatibility between applications if not versioned properly.

    Master Your Security Incident Response Communications Program

    • Buy Link or Shortcode: {j2store}321|cart{/j2store}
    • member rating overall impact: 8.0/10 Overall Impact
    • member rating average dollars saved: $2,339 Average $ Saved
    • member rating average days saved: 5 Average Days Saved
    • Parent Category Name: Threat Intelligence & Incident Response
    • Parent Category Link: /threat-intelligence-incident-response
    • When a significant security incident is discovered, usually very few details are known for certain. Nevertheless, the organization will need to say something to affected stakeholders.
    • Security incidents tend to be ongoing situations that last considerably longer than other types of crises, making communications a process rather than a one-time event.
    • Effective incident response communications require collaboration from: IT, Legal, PR, and HR – groups that often speak “different languages.”

    Our Advice

    Critical Insight

    • There’s no such thing as successful incident response communications; strive instead for effective communications. There will always be some fallout after a security incident, but it can be effectively mitigated through honesty, transparency, and accountability.
    • Effective external communications begin with effective internal communications. Security Incident Response Team members come from departments that don’t usually work closely with each other. This means they often have different ways of thinking and speaking about issues. Be sure they are familiar with each other before a crisis occurs.
    • You won’t save face by withholding embarrassing details. Lying only makes a bad situation worse, but coming clean and acknowledging shortcomings (and how you’ve fixed them) can go a long way towards restoring stakeholders’ trust.

    Impact and Result

    • Effective and efficient management of security incidents involves a formal process of preparation, detection, analysis, containment, eradication, recovery, and post-incident activities: communications must be integrated into each of these phases.
    • Understand that prior planning helps to take the guesswork out of incident response communications. By preparing for several different types of security incidents, the communications team will get used to working with each other, as well as learning what strategies are and are not effective. Remember, the communications team contains diverse members from various departments, and each may have different ideas about what information is important to release.

    Master Your Security Incident Response Communications Program Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should implement a security incident response communications plan, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Dive into communications planning

    This phase addresses the benefits and challenges of incident response communications and offers advice on how to assemble a communications team and develop a threat escalation protocol.

    • Master Your Security Incident Response Communications Program – Phase 1: Dive Into Communications Planning
    • Security Incident Management Plan

    2. Develop your communications plan

    This phase focuses on creating an internal and external communications plan, managing incident fallout, and conducting a post-incident review.

    • Master Your Security Incident Response Communications Program – Phase 2: Develop Your Communications Plan
    • Security Incident Response Interdepartmental Communications Template
    • Security Incident Communications Policy Template
    • Security Incident Communications Guidelines and Templates
    • Security Incident Metrics Tool
    • Tabletop Exercises Package
    [infographic]

    Prepare for the Upgrade to Windows 11

    • Buy Link or Shortcode: {j2store}166|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: End-User Computing Devices
    • Parent Category Link: /end-user-computing-devices
    • Windows 10 is going EOL in 2025.That is closer than you think.
    • Many of your endpoints are not eligible for the Windows 11 upgrade. You can’t afford to replace all your endpoints this year. How do you manage this Microsoft initiated catastrophe?
    • You want to stay close to the leading edge of technology and services, but how do you do that while keeping your spending in check and within budget?

    Our Advice

    Critical Insight

    Windows 11 is a step forward in security, which is one of the primary reasons for the release of the new operating system. Windows 11 comes with a list of hardware requirements that enable the use of tools and features that, when combined, will reduce malware infections.

    Impact and Result

    Windows 11 hardware requirements will result in devices that are not eligible for the upgrade. Companies will be left to spend money on replacement devices. Following the Info-Tech guidance will help clients properly budget for hardware replacements before Windows 10 is no longer supported by Microsoft. Eligible devices can be upgraded, but Info-Tech guidance can help clients properly plan the upgrade using the upgrade ring approach.

    Prepare for the Upgrade to Windows 11 Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Prepare for the Upgrade to Windows 11 Deck – A look into some of the pros and cons of Microsoft’s latest desktop operating system, along with guidance on moving forward with this inevitable upgrade.

    Discover the reason for the release of Windows 11, what you require to be eligible for the upgrade, what features were added or updated, and what features were removed. Our guidance will assist you with a planned and controlled rollout of the Windows 11 upgrade. We also provide guidance on how to approach a device refresh plan if some devices are not eligible for Windows 11. The upgrade is inevitable, but you have time, and you have options.

    • Prepare for the Upgrade to Windows 11 Storyboard

    2. What Are My Options If My Devices Cannot Upgrade to Windows 11? – Build a Windows 11 Device Replacement budget with our Hardware Asset Management Budgeting Tool.

    This tool will help you budget for a hardware asset refresh and to adjust the budget as necessary to accommodate any unexpected changes. The tool can easily be modified to assist in developing and justifying the budget for hardware assets for a Windows 11 project. Follow the instructions on each tab and feel free to play with the HAM budgeting tool to fit your needs.

    • HAM Budgeting Tool
    [infographic]

    Further reading

    Prepare for the Upgrade to Windows 11

    The upgrade is inevitable, but you have time, and you have options.

    Analyst Perspective

    Upgrading to Windows 11 is easy, and while it should be properly investigated and planned, it should absolutely be an activity you undertake.

    “You hear that Mr. Anderson? That is the sound of inevitability.” ("The Matrix Quotes" )

    The fictitious Agent Smith uttered those words to Keanu Reeves’ character, Neo, in The Matrix in 1999, and while Agent Smith was using them in a very sinister and figurative context, the words could just as easily be applied to the concept of upgrading to the Windows 11 operating system from Microsoft in 2022.

    There have been two common, recurring themes in the media since late 2019. One is the global pandemic and the other is cyber-related crime. Microsoft is not in a position to make an impact on a novel coronavirus, but it does have the global market reach to influence end-user technology and it appears that it has done just that. Windows 11 is a step forward in endpoint security and functionality. It also solidifies the foundation for future innovations in end-user operating systems and how they are delivered. Windows-as-a-Service (WAAS) is the way forward for Microsoft. Windows 10 is living on borrowed time, with a defined end of support date of October 14, 2025. Upgrading to Windows 11 is easy, and while it should be properly investigated and planned, it should absolutely be an activity you undertake.

    It is inevitable!

    P.J. Ryan

    Research Director, Infrastructure & Operations

    Info-Tech Research Group

    Executive Summary

    Your Challenge

    • Windows 10 is going EOL in 2025. That is closer than you think.
    • Many of your endpoints are not eligible for the Windows 11 upgrade. You can’t afford to replace all your endpoints this year. How do you manage this Microsoft-initiated catastrophe?
    • You want to stay close to the leading edge of technology and services, but how do you do that while keeping your spending in check and within budget?

    Common Obstacles

    • The difference between Windows 10 and Windows 11 is not clear. Windows 11 looks like Windows 10 with some minor changes, mostly cosmetic. Many online users don’t see the need. Why upgrade? What are the benefits?
    • The cost of upgrading devices just to be eligible for Windows 11 is high.
    • Your end users don’t like change. This is not going to go over well!

    Info-Tech's Approach

    • Spend wisely. Space out your endpoint replacements and upgrades over several years. You do not have to upgrade everything right away.
    • Be patient. Windows 11 contained some bugs when it was initially released. Microsoft fixed most of the issues through monthly quality updates, but you should ensure that you are comfortable with the current level of functionality before you upgrade.
    • Use the upgrade ring approach. Test your applications with a small group first, and then stage the rollout to increasingly larger groups over time.

    Info-Tech Insight

    There is a lot of talk about Windows 11, but this is only an operating system upgrade, and it is not a major one. Understand what is new, what is added, and what is missing. Check your devices to determine how many are eligible and ineligible. Many organizations will have to spend capital on endpoint upgrades. Solid asset management practices will help.

    Insight summary

    Windows 11 is a step forward in security, which is one of the primary reasons for the release of the new operating system.

    Windows 11 comes with a list of hardware requirements that enable the use of tools and features that, when combined, will reduce malware infections.

    The hardware requirements for Windows 11 enable security features such as password-less logon, disk encryption, increased startup protection with secure boot, and virtualization-based security.

    Many organizations will have to spend capital on endpoint upgrades.

    Microsoft now insists that modern hardware is required for Windows 11 for not only security but also for improved stability. That same hardware requirement will mean that many devices that are only three or four years old (as well as older ones) may not be eligible for Windows 11.

    Windows 11 is a virtualization challenge for some providers.

    The hardware requirements for physical devices are also required for virtual devices. The TPM module appears to be the biggest challenge. Oracle VirtualBox and Citrix Hypervisor as well as AWS and Google are unable to support Windows 11 virtual devices as of the time of writing.

    Windows 10 will be supported by Microsoft until October 2025.

    That will remove some of the pressure felt due to the ineligibility of many devices and the need to refresh them. Take your time and plan it out, keeping within budget constraints. Use the upgrade ring approach for systems that are eligible for the Windows 11 upgrade.

    New look and feel, and a center screen taskbar.

    Corners are rounded, some controls look a little different, but overall Windows 11 is not a dramatic shift from Windows 10. It is easier to navigate and find features. Oh, and yes, the taskbar (and start button) is shifted to the center of the screen, but you can move them back to the left if desired.

    The education industry gets extra attention with the release of Windows 11.

    Windows 11 comes with multiple subscription-based education offerings, but it also now includes a new lightweight SE edition that is intended for the K-8 age group. Microsoft also released a Windows 11 Education SE specific laptop, at a very attractive price point. Other manufacturers also offer Windows 11 SE focused devices.

    Why Windows 11?

    Windows 10 was supposed to be the final desktop OS from Microsoft, wasn’t it?

    Maybe. It depends who you ask.

    Jerry Nixon, a Microsoft developer evangelist, gained notoriety when he uttered these words while at a Microsoft presentation as part of Microsoft Ignite in 2015: “Right now we’re releasing Windows 10, and because Windows 10 is the last version of Windows, we’re all still working on Windows 10,” (Hachman). Microsoft never officially made that statement. Interestingly enough, it never denied the comments made by Jerry Nixon either.

    Perhaps Microsoft released a new operating system as a financial grab, a way to make significant revenue?

    Nope.

    Windows 11 is a free upgrade or is included with any new computer purchase.

    Market share challenges?

    Doubtful.

    It’s true that Microsoft's market share of desktop operating systems is dropping while Apple OS X and Google Chrome OS are rising.

    In fact, Microsoft has relinquished over 13% of the market share since 2012 and Apple has almost doubled its market share. BUT:

    Microsoft is still holding 75.12% of the market while Apple is in the number 2 spot with 14.93% (gs.statcounter.com).

    The market share is worth noting for Microsoft but it hardly warrants a new operating system.

    New look and feel?

    Unlikely

    New start button and taskbar orientation, new search window, rounded corners, new visual look on some controls like the volume bar, new startup sound, new Windows logo, – all minor changes. Updates could achieve the same result.

    Security?

    Likely the main reason.

    Windows 11 comes with a list of hardware requirements that enable the use of tools and features that, when combined, will reduce malware infections.

    The hardware requirements for Windows 11 enable security features such as password-less logon, disk encryption, increased startup protection with secure boot, and virtualization-based security.

    The features are available on all Windows 11 physical devices, due to the common hardware requirements.

    Windows 11 hardware-based security

    These hardware options and features were available in Windows 10 but not enforced. With Windows 11, they are no longer optional. Below is a description and explanation of the main features.

    Feature What it is How it works
    TPM 2.0 (Trusted Platform Module) Chip TPM is a chip on the motherboard of the computer. It is used to store encryption keys, certificates, and passwords. TPM does this securely with tamper-proof prevention. It can also generate encryption keys and it includes its own unique encryption key that cannot be altered (helpdeskgeek.com). You do not need to enter your password once you setup Windows Hello, so the password is no longer easy to capture and steal. It is set up on a device per device basis, meaning if you go to a different device to sign in, your Windows Hello authentication will not follow you and you must set up your Hello pin or facial recognition again on that particular device. TPM (Trusted Platform Module) can store the credentials used by Windows Hello and encrypt them on the module.
    Windows Hello Windows Hello is an alternative to using a password for authentication. Users can use a pin, a fingerprint, or facial recognition to authenticate.
    Device Encryption Device encryption is only on when your device is off. It scrambles the data on your disk to make it unreadable unless you have the key to unscramble it. If your endpoint is stolen, the contents of the hard drive will remain encrypted and cannot be accessed by anyone unless they can properly authenticate on the device and allow the system to unscramble the encrypted data.
    UEFI Secure Boot Capable UEFI is an acronym for Unified Extensible Firmware Interface. It is an interface between the operating system and the computer firmware. Secure Boot, as part of the firmware interface, ensures that only unchangeable and approved software and drivers are loaded at startup and not any malware that may have infiltrated the system (Lumunge). UEFI, with Secure Boot, references a database containing keys and signatures of drivers and runtime code that is approved as well as forbidden. It will not let the system boot up unless the signature of the driver or run-time code that is trying to execute is approved. This UEFI Secure boot recognition process continues until control is handed over to the operating system.
    Virtualization Based Security (VBS) and Hypervisor-Protected Code Integrity (HVCI) VBS is security based on virtualization capabilities. It uses the virtualization features of the Windows operating system, specifically the Hyper-V hypervisor, to create and isolate a small chunk of memory that is isolated from the operating system. HVCI checks the integrity of code for violations. The Code Integrity check happens in the isolated virtual area of memory protected by the hypervisor, hence the acronym HVCI (Hypervisor Protected Code Integrity) (Murtaza). In the secure, isolated region of memory created by VBS with the hypervisor, Windows will run checks on the integrity of the code that runs various processes. The isolation protects the stored item from tampering by malware and similar threats. If they run incident free, they are released to the operating system and can run in the standard memory space. If issues are detected, the code will not be released, nor will it run in the standard memory space of the operating system, and damage or compromise will be prevented.

    How do all the hardware-based security features work?

    This scenario explains how a standard boot up and login should happen.

    You turn on your computer. Secure Boot authorizes the processes and UEFI hands over control to the operating system. Windows Hello works with TPM and uses a pin to authenticate the user and the operating systems gives you access to the Windows environment.

    Now imagine the same process with various compromised scenarios.

    You turn on your computer. Secure Boot does not recognize the signature presented to it by the second process in the boot sequence. You will be presented with a “Secure Boot Violation” message and an option to reboot. Your computer remains protected.

    You boot up and get past the secure boot process and UEFI passes control over to the Windows 11 operating system. Windows Hello asks for your pin, but you cannot remember the pin and incorrectly enter it three times before admitting temporary defeat. Windows Hello did not find a matching pin on the TPM and will not let you proceed. You cannot log in but in the eyes of the operating system, it has prevented an unauthorized login attempt.

    You power up your computer, log in without issue, and go about your morning routine of checking email, etc. You are not aware that malware has infiltrated your system and modified a page in system memory to run code and access the operating system kernel. VBS and HVCI check the integrity of that code and detect that it is malicious. The code remains isolated and prevented from running, protecting your system.

    TPM, Hello, UEFI with Secure Boot, VBS and HVCI all work together like a well-oiled machine.

    “Microsoft's rationale for Windows 11's strict official support requirements – including Secure Boot, a TPM 2.0 module, and virtualization support – has always been centered on security rather than raw performance.” – Andrew Cunningham, arstechnica.com

    “Windows 11 raises the bar for security by requiring hardware that can enable protections like Windows Hello, Device Encryption, virtualization-based security (VBS), hypervisor-protected code integrity (HVCI), and Secure Boot. These features in combination have been shown to reduce malware by 60% on tested devices.” – Steven J. Vaughan-Nichols, Computerworld

    Can any device upgrade to Windows 11?

    In addition to the security-related hardware requirements listed previously, which may exclude some devices from Windows 11 eligibility, Windows 11 also has a minimum requirement for other hardware components.

    Windows 7 and Windows 10 were publicized as being backward compatible and almost any hardware would be able to run those operating systems. That changed with Windows 11. Microsoft now insists that modern hardware is required for Windows 11 for not only security but also improved stability.

    Software Requirement

    You must be running Windows 10 version 2004 or greater to be eligible for a Windows 11 upgrade (“Windows 11 Requirements”).

    Complete hardware requirements for Windows 11

    • 1 GHz (or faster) compatible 64-bit processor with two or more cores
    • 4 GB RAM
    • 64 GB or more of storage space
    • Compatible with DirectX 12 or later with WDDM 2.0 driver
      • DirectX connects the hardware in your computer with Windows. It allows software to display graphics using the video card or play audio, as long as that software is DirectX compatible. Windows 11 requires version 12 (“What are DirectX 12 compatible graphics”).
      • WDDM is an acronym for Windows Display Driver Model. WDDM is the architecture for the graphics driver for Windows (“Windows Display Driver Model”).
      • Version 2.0 of WDDM is required for Windows 11.
    • 720p display greater than 9" diagonally with 8 bits per color channel
    • UEFI Secure Boot capable
    • TPM 2.0 chip
    • (“Windows 11 Requirements”)

    Windows 11 may challenge your virtual environment

    When Windows 11 was initially released, some IT administrators experienced issues when trying to install or upgrade to Windows 11 in the virtual world.

    The Challenge

    The issues appeared to be centered around the Windows 11 hardware requirements, which must be detected by the Windows 11 pre-install check before the operating system will install.

    The TPM 2.0 chip requirement was indeed a challenge and not offered as a configuration option with Citrix Hypervisor, the free VMware Workstation Player or Oracle VM VirtualBox when Windows 11 was released in October 2021, although it is on the roadmap for Oracle and Citrix Hypervisor. VMware provides alternative products to the free Workstation Player that do support a virtual TPM. Oracle and Citrix reported that the feature would be available in the future and Windows 11 would work on their platforms.

    Short-Term Solutions

    VMware and Microsoft users can add a vTPM hardware type when configuring a virtual Windows 11 machine. Microsoft Azure does offer Windows 11 as an option as a virtual desktop. Citrix Desktop-As-A-Service (DAAS) will connect to Azure, AWS, or Google Cloud and is only limited by the features of the hosting cloud service provider.

    Additional Insight

    According to Microsoft, any VM running Windows 11 must meet the following requirements (“Virtual Machine Support”):

    • It must be a generation 2 VM, and upgrading a generation 1 VM to Windows 11 (in-place) is not possible
    • 64 GB of storage or greater
    • Secure Boot capable with the virtual TPM enabled
    • 4 GB of memory or greater
    • 2 or more virtual processors
    • The CPU of the physical computer that is hosting the VM must meet the Windows 11 (“Windows Processor Requirements”)

    What’s new or updated in Windows 11?

    The following two slides highlight some of the new and updated features in Windows 11.

    Security

    The most important change with Windows 11 is what you cannot see – the security. Windows 11 adds requirements and controls to make the user and device more secure, as described in previous slides.

    Taskbar

    The most prominent change in relation to the look and feel of Windows 11 is the shifting of the taskbar (and Start button) to the center of the screen. Some users may find this more convenient but if you do not and prefer the taskbar and start button back on the left of your screen, you can change it in taskbar settings.

    Updated Apps

    Paint, Photos, Notepad, Media Player, Mail, and other standard Windows apps have been updated with a new look and in some cases minor enhancements.

    User Interface

    The first change users will notice after logging in to Windows 11 is the new user interface – the look and feel. You may not notice the additional colors added to the Windows palette, but you may have thought that the startup sound was different, and the logo also looks different. You would be correct. Other look-and-feel items that changed include the rounded corners on windows, slightly different icons, new wallpapers, and controls for volume and brightness are now a slide bar. File explorer and the settings app also have a new look.

    Microsoft Teams

    Microsoft Teams is now installed on the taskbar by default. Note that this is for a personal Microsoft account only. Teams for Work or School will have to be installed separately if you are using a work or school account.

    What’s new or updated in Windows 11?

    Snap Layouts

    Snap layouts have been enhanced and snap group functionality has been added. This will allow you to quickly snap one window to the side of the screen and open other Windows in the other side. This feature can be accessed by dragging the window you wish to snap to the left or right edge of the screen. The window should then automatically resize to occupy that half of the screen and allow you to select other Windows that are already open to occupy the remaining space on the screen. You can also hover your mouse over the maximize button in the upper right-hand corner of the window. A small screen with multiple snap layouts will appear for your selection. Multiple snapped Windows can be saved as a “Snap Group” that will open together if one of the group windows are snapped in the future.

    Widgets

    Widgets are expanding. Microsoft started the re-introduction of widgets in Windows 10, specifically focusing on the weather. Widgets now include other services such as news, sports, stock prices, and others.

    Android Apps

    Android apps can now run in Windows 11. You will have to use the Amazon store to access and install Android apps, but if it is available in the Amazon store, you can install it on Windows 11.

    Docking

    Docking has improved with Windows 11. Windows knows when you are docked and will minimize apps when you undock so they are not lost. They will appear automatically when you dock again.

    This is not intended to be an inclusive list but does cover some of the more prominent features.

    What’s missing from Windows 11?

    The following features are no longer found in Windows 11:

    • Backward compatibility
      • The introduction of the hardware requirements for Windows 11 removed the backward compatibility (from a hardware perspective) that made the transition from previous versions of Windows to their successor less of a hardware concern. If a computer could run Windows 7, then it could also run Windows 10. That does not automatically mean it can also run Windows 11.
    • Internet Explorer
      • Internet Explorer is no longer installed by default in Windows 11. Microsoft Edge is now the default browser for Windows. Other browsers can also be installed if preferred.
    • Tablet mode
      • Windows 11 does not have a "tablet" mode, but the operating system will maximize the active window and add more space between icons to make selecting them easier if the 2-in-1 hardware detects that you wish to use the device as a tablet (keyboard detached or device opened up beyond 180 degrees, etc.).
    • Semi-annual updates
      • It may take six months or more to realize that semi-annual feature updates are missing. Microsoft moved to an annual feature update schema but continued with monthly quality updates with Windows 11.
    • Specific apps
      • Several applications have been removed (but can be manually added from the Microsoft Store by the user). They include:
        • OneNote for Windows 10
        • 3D Viewer
        • Paint 3D
        • Skype
    • Cortana (by default)
      • Cortana is missing from Windows 11. It is installed but not enabled by default. Users can turn it on if desired.

    Microsoft included a complete list of features that have been removed or deprecated with Windows 11, which can be found here Windows 11 Specs and System Requirements.

    Windows 11 editions

    • Windows 11 is offered in several editions:
      • Windows 11 Home
      • Windows 11 Pro
      • Windows 11 Pro for Workstations
      • Windows 11 Enterprise Windows 11 for Education
      • Windows 11 SE for Education
    • Windows 11 hardware requirements and security features are common throughout all editions.
    • The new look and feel along with all the features mentioned previously are common to all editions as well.
    • Windows Home
      • Standard offering for home users
    • Pro versus Pro for Workstations
      • Windows 11 Pro and Pro for Workstations are both well suited for the business environment with available features such as support for Active Directory or Azure Active Directory, Windows Autopilot, OneDrive for Business, etc.
      • Windows Pro for Workstations is designed for increased demands on the hardware with the higher memory limits (2 TB vs. 6 TB) and processor count (2 CPU vs. 4 CPU).
      • Windows Pro for Workstations also features Resilient File System, Persistent Memory, and SMB Direct. Neither of these features are available in the Windows 11 Pro edition.
      • Windows 11 Pro and Pro for Workstations are both very business focused, although Pro may also be a common choice for non-business users (Home and Education).
    • Enterprise Offerings
      • Enterprise licenses are subscription based and are part of the Microsoft 365 suite of offerings.
      • Windows 11 Enterprise is Windows 11 Pro with some additional addons and functionality in areas such as device management, collaboration, and security services.
      • The level of the Microsoft 365 Enterprise subscription (E3 or E5) would dictate the additional features and functionality, such as the complete Microsoft Defender for Endpoint suite or the Microsoft phone system and Audio Conferencing, which are only available with the E5 subscription.

    Windows 11 Education Editions

    With the release of a laptop targeted specifically at the education market, Microsoft must be taking notice of the Google Chrome educational market penetration, especially with headlines like these.

    “40 Million Chromebooks in Use in Education” (Thurrott)

    “The Unprecedented Growth of the Chromebook Education Market Share” (Carklin)

    “Chromebooks Gain Market Share as Education Goes Online” (Hruska)

    “Chromebooks Gain Share of Education Market Despite Shortages” (Mandaro)

    “Chromebook sales skyrocketed in Q3 2020 with online education fueling demand” (Duke)

    • Education licenses are subscription based and are part of the Microsoft 365 suite of offerings. Educational pricing is one benefit of the Microsoft 365 Education model.
    • Windows 11 Education is Windows 11 Pro with some additional addons and functionality similar to the Enterprise offerings for Windows 11 in areas such as device management, collaboration, and security services. Windows 11 Education also adds some education specific settings such as Classroom Tools, which allow institutions to add new students and their devices to their own environment with fewer issues, and includes OneNote Class Notebook, Set Up School PCs app, and Take a Test app.
    • The level of the Microsoft 365 Education subscription (A3 or A5) would dictate the additional features and functionality, such as the complete Microsoft Defender for Endpoint suite or the Microsoft phone system and Audio Conferencing, which are only available with the A5 subscription.
    • Windows 11 SE for Education:
      • A cloud-first edition of Windows 11 specifically designed for the K-8 education market.
      • Windows 11 SE is a light version of Windows 11 that is designed to run on entry-level devices with better performance and security on that hardware.
      • Windows 11 SE requires Intune for Education and only IT admins can install applications.
    • Microsoft and others have come out with Windows SE specific devices at a low price point.
      • The Microsoft Surface Laptop SE comes pre-loaded with Windows 11 SE and can be purchased for US$249.00.
      • Dell, Asus, Acer, Lenovo, and others also offer Windows 11 SE specific devices (“Devices for Education”).

    Initial Reactions

    Below you can find some actual initial reactions to Windows 11.

    Initial reactions are mixed, as is to be expected with any new release of an operating system. The look and feel is new, but it is not a huge departure from the Windows 10 look and feel. Some new features are well received such as the snap feature.

    The shift of the taskbar (and start button) is the most popular topic of discussion online when it comes to Windows 11 reactions. Some love it and some do not. The best part about the shift of the taskbar is that you can adjust it in settings and move it back to its original location.

    The best thing about reactions is that they garner attention, and thanks in part to all the online reactions and comments, Microsoft is continually improving Windows 11 through quality updates and annual feature releases.

    “My 91-year-old Mum has found it easy!” Binns, Paul ITRG

    “It mostly looks quite nice and runs well.” Jmbpiano, Reddit user

    “It makes me feel more like a Mac user.” Chang, Ben Info-Tech

    “At its core, Windows 11 appears to be just Windows 10 with a fresh coat of paint splashed all over it.” Rouse, Rick RicksDailyTips.com

    “Love that I can snap between different page orientations.” Roberts, Jeremy Info-Tech

    “I finally feel like Microsoft is back on track again.” Jawed, Usama Neowin

    “A few of the things that seemed like issues at first have either turned out not to be or have been fixed with patches.” Jmbpiano, Reddit user

    “The new interface is genuinely intuitive, well-designed, and colorful.” House, Brett AnandTech

    “No issues. Have it out on about 50 stations.” Sandrews1313, Reddit User

    “The most striking change is to the Start menu.” Grabham, Dan pocket-lint.com

    How do I upgrade to Windows 11?

    The process is very similar to applying updates in Windows 10.

    • Windows 11 is offered as an upgrade through the standard Windows 10 update procedure. Windows Update will notify you when the Windows 11 upgrade is ready (assuming your device is eligible for Windows 11).
      • Allow the update (upgrade in this case) to proceed, reboot, and your endpoint will come back to life with Windows 11 installed and ready for you.
    • A fresh install can be delivered by downloading the required Windows 11 installation media from the Microsoft Software Download site for Windows 11.
    • Business users can control the timing and schedule of the Windows 11 rollout to corporate endpoints using Microsoft solutions such as WSUS, Configuration Manager, Intune and Endpoint Manager, or by using other endpoint management solutions.
    • WSUS and Configuration Manager will have to sync the product category for Windows 11 to manage the deployment.
    • Windows Update for Business policies will have to use the target version capability rather than using the feature update referrals alone.
    • Organizations using Intune and a Microsoft 365 E3 license will be able to use the Feature Update Deployments page to select Windows 11.
    • Other modern endpoint management solutions may also allow for a controlled deployment.

    Info-Tech Insight

    The upgrade itself may be a simple process but be prepared for the end-user reactions that will follow. Some will love it but others will despise it. It is not an optional upgrade in the long run, so everyone will have to learn to accept it.

    When can I upgrade to Windows 11?

    You can upgrade right now BUT there is no need to rush. Windows 11 was released in October 2021 but that doesn’t mean you have to upgrade everyone right away. Plan this out.

    • Build deployment rings into your Windows 11 upgrade approach: This approach, also referred to as Canary Releases or deployment rings, allows you to ensure that IT can support users if there's a major problem with the upgrade. Instead of disrupting all end users, you are only disrupting a portion of end users.
      • Deploy the initial update to your test environment.
      • After testing is successful or changes have been made, deploy Windows 11 to your pilot group of users.
      • After the pilot group gives you the thumbs up, deploy to the rest of production in phases. Phases are sometimes by office/location, sometimes by department, sometimes by persona (i.e. defer people that don't handle updates well), and usually by a combination of these factors.
      • Increase the size of each ring as you progress.
    • Always back up your data before any upgrade.

    Deployment Ring Example

    Pilot Ring - Individuals from all departments - 10 users

    Ring #1 - Dev, Finance - 20 Users

    Ring #2 - Research - 100 Users

    Ring #3 - Sales, IT, Marketing - 500 Users

    Upgrade your eligible devices and users to Windows 11

    Build Windows 11 Deployment Rings

    Instructions:

    1. Identify who will be in the pilot group. Use individuals instead of user groups.
    2. Identify how many standard rings you need. This number will be based on the total number of employees per office.
    3. Map groups to rings. Define which user groups will be in each ring.
    4. Allow some time to elapse between upgrades. Allow the first group to work with Windows 11 and identify any potential issues that may arise before upgrading the next group.
    5. Track and communicate. Record all information into a spreadsheet like the one on the right. This will aid in communication and tracking.
    Ring Department or Group Total Users Delay Time Before Next Group
    Pilot Ring Individuals from all departments 10 Three weeks
    Ring 1 Dev Finance 20 Two weeks
    Ring 2 Research 100 One week
    Ring 3 Sales, IT Marketing 500 N/A

    What are my options if my devices cannot upgrade to Windows 11?

    Don’t rush out to replace all the ineligible endpoint devices. You have some time to plan this out. Windows 10 will be available and supported by Microsoft until October 2025.

    Use asset management strategies and budget techniques in your Windows 11 upgrade approach:

    • Start with current inventory and determine which devices will not be eligible for upgrade to Windows 11.
    • Prioritize the devices for replacement, taking device age, the role of the user the device supports, and delivery times for remote users into consideration.
    • Take this opportunity to review overall device offerings and end-user compute strategy. This will help decide which devices to offer going forward while improving end-user satisfaction.
    • Determine the cost for replacement devices:
      • Compare vendor offerings using an RFP process.
    • Use the hardware asset management planning spreadsheet on the next slide to budget for the replacements over the coming months leading up to October 2025.

    Leverage Info-Tech research to improve your end-user computing strategy and hardware asset management processes:

    New to End User Computing Strategies? Start with Modernize and Transform Your End-User Computing Strategy.

    New to IT asset management? Use Info-Tech’s Implement Hardware Asset Management blueprint.

    Use Info-Tech’s HAM Budgeting Tool to plan your hardware asset budget

    Build a Windows 11 Device Replacement Budget

    The link below will open up a hardware asset management (HAM) budgeting tool. This tool can easily be modified to assist in developing and justifying the budget for hardware assets for the Windows 11 project. The tool will allow you to budget for hardware asset refresh and to adjust the budget as needed to accommodate any changes. Follow the instructions on each tab to complete the tool.

    A sample of a possible Windows 11 budgeting spreadsheet is shown on the right, but feel free to play with the HAM budgeting tool to fit your needs.

    HAM Budgeting Tool

    Windows 11 Replacement Schedule
    2022 2023 2024 2025
    Department Total to replace Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Left to allocate
    Finance 120 20 20 20 10 10 20 20 0
    HR 28 15 13 0
    IT 30 15 15 0
    Research 58 8 15 5 20 5 5 0
    Planning 80 10 15 15 10 15 15 0
    Other 160 5 30 5 15 15 30 30 30 0
    Totals 476 35 38 35 35 35 35 38 35 50 35 35 35 35 0

    Related Info-Tech Research

    Modernize and Transform Your End-User Computing Strategy

    This project helps support the workforce of the future by answering the following questions: What types of computing devices, provisioning models, and operating systems should be offered to end users? How will IT support devices? What are the policies and governance surrounding how devices are used? What actions are we taking and when? How do end-user devices support larger corporate priorities and strategies?

    Implement Hardware Asset Management

    This project will help you analyze the current state of your HAM program, define assets that will need to be managed, and build and involve the ITAM team from the beginning to help embed the change. It will also help you define standard policies, processes, and procedures for each stage of the hardware asset lifecycle, from procurement through to disposal.

    Bibliography

    aczechowski, et al. “Windows 11 Requirements.” Microsoft, 3 June 2022. Accessed 13 June 2022.

    Binns, Paul. Personal interview. 07 June 2022.

    Butler, Sydney. “What Is Trusted Platform Module (TPM) and How Does It Work?” Help Desk Geek, 5 August 2021. Accessed 18 May 2022.

    Carklin, Nicolette. “The Unprecedented Growth of the Chromebook Education Market Share.” Parallels International GmbH, 26 October 2021. Accessed 19 May 2022.

    Chang, Ben. Personal interview. 26 May 2022.

    Cunningham, Andrew. “Why Windows 11 has such strict hardware requirements, according to Microsoft.” Ars Technica, 27 August 2021. Accessed 19 May 2022.

    Dealnd-Han, et al. “Windows Processor Requirements.” Microsoft, 9 May 2022. Accessed 18 May 2022.

    “Desktop Operating Systems Market Share Worldwide.” Statcounter Globalstats, June 2021–June 2022. Accessed 17 May 2022.

    “Devices for education.” Microsoft, 2022. Accessed 13 June 2022.

    Duke, Kent. “Chromebook sales skyrocketed in Q3 2020 with online education fueling demand.” Android Police, 16 November 2020. Accessed 18 May 2022.

    Grabham, Dan. “Windows 11 first impressions: Our initial thoughts on using Microsoft's new OS.” Pocket-Lint, 24 June 2021. Accessed 3 June 2022.

    Hachman, Mark. “Why is there a Windows 11 if Windows 10 is the last Windows?” PCWorld, 18 June 2021. Accessed 17 May 2022.

    Howse, Brett. “What to Expect with Windows 11: A Day One Hands-On.” Anandtech, 16 November 2020. Accessed 3 June 2022.

    Hruska, Joel. “Chromebooks Gain Market Share as Education Goes Online.” Extremetech, 26 October 2020. Accessed 19 May 2022.

    Jawed, Usama. “I am finally excited about Windows 11 again.” Neowin, 26 February 2022. Accessed 3 June 2022.

    Jmbpiano. “Windows 11 - What are our initial thoughts and feelings?” Reddit, 22 November 2021. Accessed 3 June 2022.

    Lumunge, Erick. “UEFI and Legacy boot.” OpenGenus, n.d. Accessed 18 May 2022.

    Bibliography

    Mandaro, Laura. “Chromebooks Gain Share of Education Market Despite Shortages.” The Information, 9 September 2020. Accessed 19 May 2022.

    Murtaza, Fawad. “What Is Virtualization Based Security in Windows?” Valnet Inc, 24 October 2021. Accessed 17 May 2022.

    Roberts, Jeremy. Personal interview. 27 May 2022.

    Rouse, Rick. “My initial thoughts about Windows 11 (likes and dislikes).” RicksDailyTips.com, 5 September 2021. Accessed 3 June 2022.

    Sandrews1313. “Windows 11 - What are our initial thoughts and feelings?” Reddit, 22 November 2021. Accessed 3 June 2022.

    “The Matrix Quotes." Quotes.net, n.d. Accessed 18 May 2022.

    Thurrott, Paul.” Google: 40 Million Chromebooks in Use in Education.” Thurrott, 21 January 2020. Accessed 18 May 2022.

    Vaughan-Nichols, Steven J. “The real reason for Windows 11.” Computerworld, 6 July 2021, Accessed 19 May 2022.

    “Virtual Machine Support.” Microsoft,3 June 2022. Accessed 13 June 2022.

    “What are DirectX 12 compatible graphics and WDDM 2.x.” Wisecleaner, 20 August 2021. Accessed 19 May 2022.

    “Windows 11 Specs and System Requirements.” Microsoft, 2022. Accessed 13 June 2022.

    “Windows Display Driver Model.” MiniTool, n.d. Accessed 13 June 2022.

    Identify and Manage Security Risk Impacts on Your Organization

    • Buy Link or Shortcode: {j2store}221|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Vendor Management
    • Parent Category Link: /vendor-management
    • More than any other time, our world is changing. As a result, organizations – and their vendors – need to be able to adapt their plans to accommodate risk on an unprecedented level.
    • A new global change will impact your organization at any given time. Ensure that you monitor threats appropriately and that your plans are flexible enough to manage the inevitable consequences.

    Our Advice

    Critical Insight

    • Identifying and managing a vendor’s potential security risk impacts on your organization requires multiple people in the organization across several functions. Those people all need coaching on the potential changes in the market and how these changes could introduce new risks.
    • Organizational leadership is often taken unaware during crises, and their plans lack the flexibility needed to adjust to significant market upheavals and surprise incidents.

    Impact and Result

    • Vendor management practices educate organizations on the potential risks from vendors in your market and suggest creative and alternative ways to avoid and manage them.
    • Prioritize and classify your vendors with quantifiable, standardized rankings.
    • Prioritize focus on your high-risk vendors.
    • Standardize your processes for identifying and monitoring vendor risks to manage potential impacts with our Security Risk Impact Tool.

    Identify and Manage Security Risk Impacts on Your Organization Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Identify and Manage Security Risk Impacts on Your Organization Deck – Use the research to better understand the negative impacts of vendor actions on your security.

    Use this research to identify and quantify the potential security impacts caused by vendors. Use Info-Tech’s approach to look at the security impacts from various perspectives to better prepare for issues that may arise.

    • Identify and Manage Security Risk Impacts on Your Organization Storyboard

    2. Security Risk Impact Tool – Use this tool to help identify and quantify the security impacts of negative vendor actions.

    By playing the “what if” game and asking probing questions to draw out – or eliminate – possible negative outcomes, everyone involved adds their insight into parts of the organization to gather a comprehensive picture of potential impacts.

    • Security Risk Impact Tool
    [infographic]

    Further reading

    Identify and Manage Security Risk Impacts on Your Organization

    Know where the attacks are coming from so you know where to protect.

    Analyst perspective

    It is time to start looking at risk realistically and move away from “trust but verify” toward zero trust.

    Frank Sewell, Research Director, Vendor Management

    Frank Sewell,
    Research Director, Vendor Management
    Info-Tech Research Group

    We are inundated with a barrage of news about security incidents on what seems like a daily basis. In such an environment, it is easy to forget that there are ways to help prevent such things from happening and that they have actual costs if we relax our diligence.

    Most people are aware of defense strategies that help keep their organization safe from direct attack and inside threats. Likewise, they expect their trusted partners to perform the same diligence. Unfortunately, as more organizations use cloud service vendors, the risks with n-party vendors are increasing.

    Over the last few years, we have learned the harsh lesson that downstream attacks affect more businesses than we ever expected as suppliers, manufacturers of base goods and materials, and rising transportation costs affect the global economy.

    “Trust but verify” – while a good concept – should give way to the more effective zero-trust model in favor of knowing it’s not a matter of if an incident happens but when.

    Executive Summary

    Your Challenge

    More than any other time, our world is changing. As a result, organizations – and their vendors – need to be able to adapt their plans to accommodate risk on an unprecedented level.

    A new global change will impact your organization at any given time. Ensure that you monitor threats appropriately and that your plans are flexible enough to manage the inevitable consequences.

    Common Obstacles

    Identifying and managing a vendor’s potential security risk impacts on your organization requires multiple people in the organization across several functions. Those people all need coaching on the potential changes in the market and how these changes could introduce new risks.

    Organizational leadership is often taken unaware during crises, and their plans lack the flexibility needed to adjust to significant market upheavals and surprise incidents.

    Info-Tech’s Approach

    Vendor management practices educate organizations on the potential risks from vendors in your market and suggest creative and alternative ways to avoid and manage them.

    Prioritize and classify your vendors with quantifiable, standardized rankings.

    Prioritize focus on your high-risk vendors.

    Standardize your processes for identifying and monitoring vendor risks to manage potential impacts with our Security Risk Impact Tool.

    Info-Tech Insight
    Organizations must evolve their security risk assessments to be more adaptive to respond to global changes in the market. Ongoing monitoring of third-party vendor risks and holding those vendors accountable throughout the vendor lifecycle are critical to preventing disastrous impacts.

    Info-Tech’s multi-blueprint series on vendor risk assessment

    There are many individual components of vendor risk beyond cybersecurity.

    Multi-blueprint series on vendor risk assessment

    This series will focus on the individual components of vendor risk and how vendor management practices can facilitate organizations’ understanding of those risks.

    Out of Scope:
    This series will not tackle risk governance, determining overall risk tolerance and appetite, or quantifying inherent risk.

    Security risk impacts

    Potential losses to the organization due to security incidents

    • In this blueprint we’ll explore security risks, particularly from third-party vendors, and their impacts.
    • Identify potentially disruptive events to assess the overall impact on organizations and implement adaptive measures to correct security plans.

    The world is constantly changing

    The IT market is constantly reacting to global influences. By anticipating changes, leaders can set expectations and work with their vendors to accommodate them.

    When the unexpected happens, being able to adapt quickly to new priorities ensures continued long-term business success.

    Below are some things no one expected to happen in the last few years:

    62% 83% 84%
    Ransomware attacks spiked 62% globally (and 158% in North America alone). 83% of companies increased organizational focus on third-party risk management in 2020. In a 2020 survey, 84% of organizations reported having experienced a third-party incident in the last three years.
    One Trust, 2022 Help Net Security, 2021 Deloitte, 2020

    Identify and manage security risk impacts on your organization

    Identify and manage security risk impacts on your organization

    Due diligence will enable successful outcomes.

    What is third-party risk?

    Third-Party Vendor: Anyone who provides goods or services to a company or individual in exchange for payment transacted with electronic instructions (Law Insider).

    Third-Party Risk: The potential threat presented to organizations’ employee and customer data, financial information, and operations from the organization’s supply chain and other outside parties that provide products and/or services and have access to privileged systems (Awake Security).

    It is essential to know not only who your vendors are but also who their vendors are (n-party vendors). Organizations often overlook that their vendors rely on others to support their business, and those layers can add risk to your organization.

    Identify and manage security risks

    Global Pandemic

    Very few people could have predicted that a global pandemic would interrupt business on the scale experienced today. Organizations should look at their lessons learned and incorporate adaptable preparations into their security planning and ongoing monitoring moving forward.

    Vendor Breaches

    The IT market is an ever-shifting environment; more organizations are relying on cloud service vendors, staff augmentation, and other outside resources. Organizations should hold these vendors (and their downstream vendors) to the same levels of security and standards of conduct that they hold their internal resources.

    Resource Shortages

    A lack of resources is often overlooked, but it’s easily recognized as a reason for a security incident. All too often, companies are unwilling to dedicate resources to their vendors’ security risk assessment and ongoing monitoring needs. Only once an incident occurs do companies decide it is time to reprioritize.

    Reduce Manual Repetitive Work With IT Automation

    • Buy Link or Shortcode: {j2store}458|cart{/j2store}
    • member rating overall impact: 9.5/10 Overall Impact
    • member rating average dollars saved: $34,099 Average $ Saved
    • member rating average days saved: 2 Average Days Saved
    • Parent Category Name: Operations Management
    • Parent Category Link: /i-and-o-process-management
    • IT staff are overwhelmed with manual repetitive work.
    • You have little time for projects.
    • You cannot move as fast as the business wants.

    Our Advice

    Critical Insight

    • Optimize before you automate.
    • Foster an engineering mindset.
    • Build a process to iterate.

    Impact and Result

    • Begin by automating a few tasks with the highest value to score quick wins.
    • Define a process for rolling out automation, leveraging SDLC best practices.
    • Determine metrics and continually track the success of the automation program.

    Reduce Manual Repetitive Work With IT Automation Research & Tools

    Start here – read the Executive Brief

    Read this Executive Brief to understand why you should reduce manual repetitive work with IT automation.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Identify automation candidates

    Select the top automation candidates to score some quick wins.

    • Reduce Manual Repetitive Work With IT Automation – Phase 1: Identify Automation Candidates
    • IT Automation Presentation
    • IT Automation Worksheet

    2. Map and optimize process flows

    Map and optimize process flows for each task you wish to automate.

    • Reduce Manual Repetitive Work With IT Automation – Phase 2: Map & Optimize Process Flows

    3. Build a process for managing automation

    Build a process around managing IT automation to drive value over the long term.

    • Reduce Manual Repetitive Work With IT Automation – Phase 3: Build a Process for Managing Automation

    4. Build automation roadmap

    Build a long-term roadmap to enhance your organization's automation capabilities.

    • Reduce Manual Repetitive Work With IT Automation – Phase 4: Build Automation Roadmap
    • IT Automation Roadmap
    [infographic]

    Workshop: Reduce Manual Repetitive Work With IT Automation

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Identify Automation Candidates

    The Purpose

    Identify top candidates for automation.

    Key Benefits Achieved

    Plan to achieve quick wins with automation for early value.

    Activities

    1.1 Identify MRW pain points.

    1.2 Drill down pain points into tasks.

    1.3 Estimate the MRW involved in each task.

    1.4 Rank the tasks based on value and ease.

    1.5 Select top candidates and define metrics.

    1.6 Draft project charters.

    Outputs

    MRW pain points

    MRW tasks

    Estimate of MRW involved in each task

    Ranking of tasks for suitability for automation

    Top candidates for automation & success metrics

    Project charter(s)

    2 Map & Optimize Processes

    The Purpose

    Map and optimize the process flow of the top candidate(s).

    Key Benefits Achieved

    Requirements for automation of the top task(s).

    Activities

    2.1 Map process flows.

    2.2 Review and optimize process flows.

    2.3 Clarify logic and finalize future-state process flows.

    Outputs

    Current-state process flows

    Optimized process flows

    Future-state process flows with complete logic

    3 Build a Process for Managing Automation

    The Purpose

    Develop a lightweight process for rolling out automation and for managing the automation program.

    Key Benefits Achieved

    Ability to measure and to demonstrate success of each task automation, and of the program as a whole.

    Activities

    3.1 Kick off your test plan for each automation.

    3.2 Define process for automation rollout.

    3.3 Define process to manage your automation program.

    3.4 Define metrics to measure success of your automation program.

    Outputs

    Test plan considerations

    Automation rollout process

    Automation program management process

    Automation program metrics

    4 Build Automation Roadmap

    The Purpose

    Build a roadmap to enhance automation capabilities.

    Key Benefits Achieved

    A clear timeline of initiatives that will drive improvement in the automation program to reduce MRW.

    Activities

    4.1 Build a roadmap for next steps.

    Outputs

    IT automation roadmap

    Further reading

    Reduce Manual Repetitive Work With IT Automation

    Free up time for value-adding jobs.

    ANALYST PERSPECTIVE

    Automation cuts both ways.

    Automation can be very, very good, or very, very bad.
    Do it right, and you can make your life a whole lot easier.
    Do it wrong, and you can suffer some serious pain.
    All too often, automation is deployed willy-nilly, without regard to the overall systems or business processes in which it lives.
    IT professionals should follow a disciplined and consistent approach to automation to ensure that they maximize its value for their organization.

    Derek Shank,
    Research Analyst, Infrastructure & Operations
    Info-Tech Research Group

    Executive summary

    Situation

    • IT staff are overwhelmed with manual repetitive work.
    • You have little time for projects.
    • You cannot move as fast as the business wants.

    Complication

    • Automation is simple to say, but hard to implement.
    • Vendors claim automation will solve all your problems.
    • You have no process for managing automation.

    Resolution

    • Begin by automating a few tasks with the highest value to score quick wins.
    • Define a process for rolling out automation, leveraging SDLC best practices.
    • Determine metrics and continually track the success of the automation program.

    Info-Tech Insight

    1. Optimize before you automate.The current way isn’t necessarily the best way.
    2. Foster an engineering mindset.Your team members may not be process engineers, but they should learn to think like one.
    3. Build a process to iterate.Effective automation can't be a one-and-done. Define a lightweight process to manage your program.

    Infrastructure & operations teams are overloaded with work

    • DevOps and digital transformation initiatives demand increased speed.
    • I&O is still tasked with security and compliance and audit.
    • I&O is often overloaded and unable to keep up with demand.

    Manual repetitive work (MRW) sucks up time

    • Manual repetitive work is a fact of life in I&O.
    • DevOps circles refer to this type of work simply as “toil.”
    • Toil is like treading water: it must be done, but it consumes precious energy and effort just to stay in the same place.
    • Some amount of toil is inevitable, but it's important to measure and cap toil, so it does not end up overwhelming your team's whole capacity for engineering work.

    Info-Tech Insight

    Follow our methodology to focus IT automation on reducing toil.

    Manual hand-offs create costly delays

    • Every time there is a hand-off, we lose efficiency and productivity.
    • In addition to the cost of performing manual work itself, we must also consider the impact of lost productivity caused by the delay of waiting for that work to be performed.

    Every queue is a tire fire

    Queues create waste and are extremely damaging. Like a tire fire, once you get started, they’re almost impossible to stamp out!

    Increase queues if you want

    • “More overhead”
    • “Lower quality”
    • “More variability”
    • “Less motivation”
    • “Longer cycle time”
    • “Increased risk”

    (Source: Edwards, citing Donald G. Reinersten: The Principles of Product Development Flow: Second Generation Lean Product Development )

    Increasing complexity makes I&O’s job harder

    Every additional layer of complexity multiplies points of failure. Beyond a certain level of complexity, troubleshooting can become a nightmare.

    Today, Operations is responsible for the outcomes of a full stack of a very complex, software-defined, API-enabled system running on infrastructure they may or may not own.
    – Edwards

    Growing technical debt means an ever-rising workload

    • Enterprises naturally accumulate technical debt.
    • All technology requires care and feeding.
    • I&O cannot control how much technology it’s expected to support.
    • I&O faces a larger and larger workload as technical debt accumulates.

    The systems built under each new technology paradigm never fully replace the systems built under the old paradigms. It’s not uncommon for an enterprise to have an accumulation of systems built over 10-15 years and have no budget, risk appetite, or even a viable path to replace them all. With each shift, who bares [SIC] the brunt of the responsibility for making sure the old and the new hang together? Operations, of course. With each new advance, Operations juggles more complexity and more layers of legacy technologies than ever before.
    – Edwards

    Most IT shops can’t have a dedicated engineering team

    • In most organizations, the team that builds things is best equipped to support them.
    • Often the knowledge to design systems and the knowledge to run those systems naturally co-exists in the same personnel resources.
    • When your I&O team is trying to do engineering work, they can end up frequently interrupted to perform operational tasks.
    A Venn Diagram is depicted which compares People who build things with People who run things. the two circles are almost completely overlapping, indicating the strong connection between the two groups.

    Personnel resources in most IT organizations overlap heavily between “build” and “run.”

    IT operations must become an engineering practice

    • Usually you can’t double your staff or double their hours.
    • IT professionals must become engineers.
    • We do this by automating manual repetitive work and reducing toil.
    Two scenarios are depicted. The first scenario is found at a hypothetical work camp, in which one employee performs the task of manually splitting firewood with an axe. In order to split twice as much firewood, the employee would need to spend twice the time. The second scenario is Engineering Operations. in this scenario, a wood processor is used to automate the task, allowing far more wood to be split in same amount of time.

    Build your Sys Admin an Iron Man suit

    Some CIOs see a Sys Admin and want to replace them with a Roomba. I see a Sys Admin and want to build them an Iron Man suit.
    – Deepak Giridharagopal, CTO, Puppet

    Two Scenarios are depicted. In one, an employee is replaced by automation, represented by a Roomba, reducing costs by laying off a single employee. In the second scenario, the single employee is given automated tools to do their job, represented by an iron-man suit, leading to a 10X boost in employee productivity.

    Use automation to reduce risk

    Consistency

    When we automate, we can make sure we do something the same way every time and produce a consistent result.

    Auditing and Compliance

    We can design an automated execution that will ship logs that provide the context of the action for a detailed audit trail.

    Change

    • Enterprise environments are continually changing.
    • When context changes, so does the procedure.
    • You can update your docs all you want, but you can't make people read them before executing a procedure.
    • When you update the procedure itself, you can make sure it’s executed properly.

    Follow Info-Tech’s approach: Start small and snowball

    • It’s difficult for I&O to get the staffing resources it needs for engineering work.
    • Rather than trying to get buy-in for resources using a “top down” approach, Info-Tech recommends that I&O score some quick wins to build momentum.
    • Show success while giving your team the opportunity to build their engineering chops.

    Because the C-suite relies on upwards communication — often filtered and sanitized by the time it reaches them — executives don’t see the bottlenecks and broken processes that are stalling progress.
    – Andi Mann

    Info-Tech’s methodology employs a targeted approach

    • You aren’t going to automate IT operations end-to-end overnight.
    • In fact, such a large undertaking might be more effort than it’s worth.
    • Info-Tech’s methodology employs a targeted approach to identify which candidates will score some quick wins.
    • We’ll demonstrate success, gain momentum, and then iterate for continual improvement.

    Invest in automation to reap long-term rewards

    • All too often people think of automation like a vacuum cleaner you can buy once and then forget.
    • The reality is you need to perform care and feeding for automation like for any other process or program.
    • To reap the greatest rewards you must continually invest in automation – and invest wisely.

    To get the full ROI on your automation, you need to treat it like an employee. When you hire an employee, you invest in that person. You spend time and resources training and nurturing new employees so they can reach their full potential. The investment in a new employee is no different than your investment in automation.– Edwards

    Measure the success of your automation program

    Example of How to Estimate Dollar Value Impact of Automation
    Metric Timeline Target Value
    Hours of manual repetitive work 12 months 20% reduction $48,000/yr.(1)
    Hours of project capacity 18 months 30% increase $108,000/yr.(2)
    Downtime caused by errors 6 months 50% reduction $62,500/yr.(3)

    1 15 FTEs x 80k/yr.; 20% of time on MRW, reduced by 20%
    2 15 FTEs x 80k/yr.; 30% project capacity, increased by 30%
    3 25k/hr. of downtime.; 5 hours per year of downtime caused by errors

    Automating failover for disaster recovery

    CASE STUDY

    Industry Financial Services
    Source Interview

    Challenge

    An IT infrastructure manager had established DR failover procedures, but these required a lot of manual work to execute. His team lacked the expertise to build automation for the failover.

    Solution

    The manager hired consultants to build scripts that would execute portions of the failover and pause at certain points to report on outcomes and ask the human operator whether to proceed with the next step.

    Results

    The infrastructure team reduced their achievable RTOs as follows:
    Tier 1: 2.5h → 0.5h
    Tier 2: 4h → 1.5h
    Tier 3: 8h → 2.5h
    And now, anyone on the team could execute the entire failover!

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    “Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.”

    Guided Implementation

    “Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.”

    Workshop

    “We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.”

    Consulting

    “Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”

    Diagnostics and consistent frameworks used throughout all four options

    Reduce Manual Repetitive Work With IT Automation – project overview

    1. Select Candidates 2. Map Process Flows 3. Build Process 4. Build Roadmap
    Best-Practice Toolkit

    1.1 Identify MRW pain points

    1.2 Drill down pain points into tasks

    1.3 Estimate the MRW involved in each task

    1.4 Rank the tasks based on value and ease

    1.5 Select top candidates and define metrics

    1.6 Draft project charters

    2.1 Map process flows

    2.2 Review and optimize process flows

    2.3 Clarify logic and finalize future-state process flows

    3.1 Kick off your test plan for each automation

    3.2 Define process for automation rollout

    3.3 Define process to manage your automation program

    3.4 Define metrics to measure success of your automation program

    4.1 Build automation roadmap

    Guided Implementations

    Introduce methodology.

    Review automation candidates.

    Review success metrics.

    Review process flows.

    Review end-to-end process flows.

    Review testing considerations.

    Review automation SDLC.

    Review automation program metrics.

    Review automation roadmap.

    Onsite Workshop Module 1:
    Identify Automation Candidates
    Module 2:
    Map and Optimize Processes
    Module 3:
    Build a Process for Managing Automation
    Module 4:
    Build Automation Roadmap
    Phase 1 Results:
    Automation candidates and success metrics
    Phase 2 Results:
    End-to-end process flows for automation
    Phase 3 Results:
    Automation SDLC process, and automation program management process
    Phase 4 Results:
    Automation roadmap